Is Facial Recognition Technology Breaching Your Privacy?
Facial recognition technology (FRT) is now utilised across many industries and businesses. While FRT is becoming increasingly easy to implement, it is crucial that businesses adhere to privacy laws when using this technology.
The Office of the Australian Information Commissioner (OAIC) has notified organisations that they must ensure biometric information is not unlawfully collected through FRT. Moreover, the OAIC has determined that the information collected by organisations must be stored and used in a manner that is consistent with the requirements of the Privacy Act 1988 (Cth) (Privacy Act).
Recent determinations by the court established that the use of FRT contravenes the Privacy Act, and records collected using this technology were required to be destroyed.
The OAIC defined personal information to include a broad range of information, or an opinion, that could identify an individual. What is personal information will vary, depending on whether a person can be identified or is reasonably identifiable in the circumstances. For example, personal information may include an individual’s:
name;
signature;
address;
phone number;
date of birth;
credit information;
employee record information;
photographs;
IP addresses;
voice print;
facial recognition biometrics; and
location information from a mobile device.
Recent OAIC determinations
Clearview AI
The OAIC recently determined that a facial recognition software company, Clearview AI, breached the Privacy Act by collecting sensitive information without consent. Clearview AI’s facial recognition system includes a database of more than three billion images taken from social media platforms and other publicly available websites.
The OAIC ordered that Clearview AI immediately cease accumulating information on Australians and destroy any information that had already been collected.
This determination was the result of a joint investigation between the OAIC and the UK Information Commissioner’s Office (ICO) into Clearview AI. However, the ICO has yet to make a determination or take formal regulatory action under UK data protection laws.
Clearview AI’s database is offered to law enforcement agencies globally, permitting users to upload an image of an individual’s face and locate other facial images of that person collected from the internet. Clearview AI provided trials of its product to Australian Federal and State law enforcement agencies in 2019 and 2020. The OAIC’s investigation into the Australian Federal Police’s trial use of the technology is yet to conclude. However, the OAIC does not have jurisdiction to investigate State law enforcement agencies.
7-Eleven
In October this year, the OAIC also issued a determination in relation to 7-Eleven’s use of “faceprints”. The OAIC found that the convenience store group improperly collected faceprint information in a manner that was not reasonably necessary for its functions and without individuals’ consent.
The determination followed an investigation by the OAIC into 7-Eleven using FRT to collect facial images across 700 stores while surveying customers about their in-store experience. Between June 2020 and August 2021, approximately 1.6 million customers completed the survey on tablets with built-in cameras. These cameras illicitly took facial images of customers as they took the survey. These images were uploaded to a centralised server by a third party providing the service. The third party then processed the images to ensure that the same person wasn’t leaving multiple responses. The images were also analysed to determine the gender and age of survey respondents.
7-Eleven asserted that the images were not considered “personal information” and that it had disclosed the recording in notices posted at the entrance of its stores. However, these notices only depicted an image of a surveillance camera or text stating that “by entering the store you consent to facial recognition cameras capturing and storing your image.”
The OAIC firmly disagreed with 7-Eleven, finding that the images were personal information (covered by additional protections under the Privacy Act) and that the signage was insufficient for obtaining consent. The OAIC held that express consent was required and could not be implied as a result of an individual entering the premises of the store after reading the notice.
How can consent reasonably be obtained?
The OAIC has provided guidelines on ensuring that consent is validly obtained when gathering sensitive personal information. According to the OAIC, businesses should not generally rely on implied consent when collecting sensitive information but should obtain explicit consent. Notwithstanding, if consent were implied, businesses must adhere to the below steps to ensure validity:
consent should not be ambiguous and should be clear and concise - any communication should clearly set out exactly what information is being collected;
information should be provided in the vicinity of the collection point as part of the process of collecting the information;
information should be current and specific - a general blanket statement or policy is insufficient; and
bundling requests for consent may undermine the validity of consent as customers are not able to choose which collections they have agreed to.
Takeaways
While advances in technology make it possible for businesses to unlawfully collect information without duly informing customers and stakeholders, businesses that adopt such practices risk legal action by the OAIC or other regulatory bodies such as the Australian Competition and Consumer Commission. In all circumstances, it is important that proper consent is obtained.
For more information please contact:
Paul Gray
Principal
T: 03 5225 5231 | M: 0414 195 886
E: pgray@ha.legal
Hugo Le Clerc
Lawyer
T: 03 5225 5213
E: hleclerc@ha.legal
Ryan Popovski
Graduate Lawyer
T: 03 5226 8572
E: rpopovski@ha.legal