Caution: certain facial recognition technology contravenes privacy law

5 minute read  17.11.2021 Susan Kantor, Humyara Mahbub

The use of facial recognition technology is on the rise, but the regulator cautions about privacy compliance requirements.


Key takeouts


  • Facial recognition technology is becoming easier to implement, and it's important to ensure you adhere to privacy laws when using this technology.
  • The Australian Information Commissioner has provided practical guidance on steps to take when using facial recognition technology.
  • A recent determination found that the use of facial recognition technology contravened the Privacy Act, and the records that were collected using the technology were required to be destroyed.

The use of facial recognition technology is now widespread across many industries as evolving technology facilitates its ready adoption.

However, the Office of the Australian Information Commissioner (OAIC) has put organisations on notice that they must ensure biometric information is not collected unlawfully or unnecessarily through the use of this technology. Further, all such information is required to be stored and used in a manner that is consistent with the requirements of the Privacy Act and general expectations of privacy.

Recent OAIC determination on the use of facial recognition technology

The OAIC recently determined that facial recognition software company, Clearview AI, breached the Privacy Act in several respects, including by collecting sensitive information without consent and by unfair means. The OAIC ordered the company to stop collecting information on Australians and to delete any information it has already collected.

The determination followed a joint investigation with the UK Information Commissioner's Office (ICO) into Clearview AI. However, the ICO is still considering its next steps and any formal regulatory action that may be taken under the UK’s data protection laws.

Clearview AI’s facial recognition system includes a database of more than three billion images taken from social media platforms and other publicly available websites. The system is offered to law enforcement agencies around the world and allows users to upload a photo of an individual’s face and locate other facial images of that person collected from the internet. It then links to where the photos appeared for identification purposes. Clearview AI provided trials of its product to Commonwealth and State law enforcement agencies in Australia in 2019 and 2020 and the OAIC's investigation into the Australian Federal Police's trial use of the technology, is still being finalised. The OAIC does not have jurisdiction to investigate State law enforcement agencies.

The decision follows another recent determination in which the Commissioner also found that the use of facial recognition technology did not meet the requirements of the Privacy Act to obtain consent to collect sensitive information.

Best practice for obtaining consent

The OAIC has provided helpful guidance on ensuring that consent is validly obtained when gathering sensitive personal information. According to the OAIC, entities should not generally rely on implied consent when collecting sensitive information.

However, if consent were to be implied, there are steps entities can take to meet best practice:

  • consent should not be ambiguous: any communication about the information should clearly set out exactly what information is being collected. Compound sentences and vague statements should be avoided, e.g. 'by entering the store you consent to facial recognition cameras capturing and storing your image' was considered unclear, as the statement could be interpreted to mean that the store's CCTV system was equipped with facial recognition;
  • information should be provided in the vicinity of the collection point, and as part of the process of collecting the information, e.g. if customers are filling out a survey, there should be a section or screen in the survey that explains exactly what information is being collected;
  • communications should be current and specific: a general blanket statement or policy should not be relied upon; and
  • bundling requests for consent may undermine the validity of consent as customers are not able to choose which collections they agreed to.

Generally, if an entity wishes to collect sensitive information, the request for consent should:

  • clearly identify the information to be collected; the recipients; and the purpose of collection;
  • be sought expressly and separately from a privacy policy, concurrently with the collection; and
  • be fully informed and freely given.

How the Privacy Act may affect your business

New technologies are making it easier than ever to gather, store and analyse vast amounts of data. While this may make it effortless (and tempting) for organisations to collect information without duly informing customers and stakeholders that they are doing so, or even to collect it 'just in case', organisations risk unwanted attention by the OAIC (and potentially other regulators, such as the Australian Competition and Consumer Commission) should they adopt such practices.

MinterEllison provides full-service IT legal and consultancy services with extensive experience in privacy, data protection and software and IT service procurement. Please contact us if you would like assistance with your organisation's privacy practices.

Contact

Tags

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1laWQiOiI5N2NjNTdkYS0yZTVkLTQzZDctYTBlYS0xYTY0YmYyOWE2MDciLCJyb2xlIjoiQXBpVXNlciIsIm5iZiI6MTczNzI2MDQ0MSwiZXhwIjoxNzM3MjYxNjQxLCJpYXQiOjE3MzcyNjA0NDEsImlzcyI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2NhdXRpb24tY2VydGFpbi1mYWNpYWwtcmVjb2duaXRpb24tdGVjaG5vbG9neS1jb250cmF2ZW5lcy1wcml2YWN5LWxhdyIsImF1ZCI6Imh0dHBzOi8vd3d3Lm1pbnRlcmVsbGlzb24uY29tL2FydGljbGVzL2NhdXRpb24tY2VydGFpbi1mYWNpYWwtcmVjb2duaXRpb24tdGVjaG5vbG9neS1jb250cmF2ZW5lcy1wcml2YWN5LWxhdyJ9.RUQSiow5FgDnhE_dQcUONYNCJ-5r8qiqIXV4xkE6K7I
https://www.minterellison.com/articles/caution-certain-facial-recognition-technology-contravenes-privacy-law

Point of View: insights into key issues and challenges facing business today.

In this series of interviews with MinterEllison partners we hear their perspective on key areas of interest to our clients and the business community.