Canada’s privacy commissioner office has concluded its investigation into a law enforcement agency’s use of controversial facial recognition technology, finding that the Royal Canadian Mounted Police (RCMP) violated Canadian privacy law.
“A government institution simply cannot collect personal information from a third party agent if that third party’s collection was unlawful in the first place.”
The conclusion comes nearly a year after Clearview AI, an American facial recognition tech company, pulled its service out of Canada in response to a joint investigation from Canadian privacy authorities involving the company. The investigation related to the RCMP’s use of Clearview’s data bank, which Daniel Therrien, the Privacy Commissioner of Canada, said contained billions of images that were scraped from internet websites without users’ consent.
Therrien said in February Clearview AI unlawfully violated the privacy rights of Canadians by creating its database of images. This week, Therrien said by using Clearview’s data, the RCMP was also acting in contravention of Canadian privacy law.
“In our view, a government institution simply cannot collect personal information from a third party agent if that third party’s collection was unlawful in the first place,” Therrien said in his statement this week.
Clearview AI allows users to take a photograph of a person, and if the photo matches a face in its image database, the company may be able to provide information about that person, including names.
The photos in Clearview AI’s database are obtained from public platforms such as Google, Venmo, and YouTube, all three of which filed cease-and-desist letters asking Clearview AI to stop scraping their users’ images. The RCMP initially denied using Clearview AI, but later confirmed it did use the software last year, following news that the company’s client list had been hacked.
Law enforcement’s use of facial recognition technologies raises the potential for serious privacy harms unless certain privacy protections are in place, Therrien said, adding that these kinds of technologies can “disrupt anonymity in public spaces, and enable mass surveillance.”
The privacy commissioner highlighted several other concerns raised during the investigation, notably that there were “serious” gaps in the RCMP’s policies and systems to track, identify, assess, and control new collections of personal information through new technologies.
“Common privacy principles enshrined in both our public and private sector privacy laws would help address gaps in accountability where the sectors interact,” Therrien said.
Therrien’s office has submitted proposals to Bill C-11, which was first introduced in late 2020. The bill seeks to modernize Canada’s current privacy laws, which include the Privacy Act, and notably the Personal Information Protection and Electronic Documents Act (PIPEDA), which governs how private sector organizations collect, use, and disclose personal information.
Last month, Therrien called Bill C-11 a “step back” from current laws, noting significant changes are required to the bill in order to effectively protect the privacy rights of Canadians. He specifically recommended that federal privacy laws share a “rights-based foundation,” and that the law should clarify that publicly available personal information is not exempt from privacy legislation when an individual has a reasonable expectation of privacy.
“This is particularly critical in the case of facial recognition technology, which relies on massive databases of images that Canadians do not always consider public,” Therrien said.
Image source Mike MacKenzie via Flickr.