The decision is clear – the AAT confirms that the Privacy Act applies to Clearview AI’s conduct

As briefly noted in our Gadens Regulatory Recap on 30 May 2023, the Administrative Appeals Tribunal (AAT) has recently handed down its decision regarding the conduct of Clearview AI Inc (Clearview AI), confirming the applicability of the Privacy Act 1988 (Cth) (Privacy Act) to the conduct of entities overseas, and recent amendments to the Privacy Act which have the potential to bring many more overseas entities within the scope of the Act.

We have previously written about the original decision by the Office of the Australian Information Commissioner’s (OAIC) in 2021, in which the OAIC found that, despite Clearview AI being a US-based company without an Australian office, and without having generated revenue in Australia, Clearview AI fell within the scope of the Privacy Act as it had a sufficient ‘Australian link’. Clearview AI subsequently appealed to the AAT for a review of that decision.

The AAT has concluded that Clearview AI had a sufficient Australian link as it was ‘carrying on a business’ in Australia by repeatedly collecting personal information from Australian servers. It also found Clearview AI had breached multiple Australian Privacy Principles (APPs) by scraping images of Australians’ faces from publicly available sources on the internet, and then using these images for biometric identification.

Background

As outlined in our previous article, Clearview AI operates a facial recognition and identification platform that harvests images from the public internet and creates vectors – mathematical representations of a person’s face – that can be matched to target images. This technology had been trialled by Australian law enforcement agencies, who decided not to proceed beyond the initial trial period.

The OAIC was particularly concerned with the widespread collection of Australians’ sensitive information (i.e. biometric data) without their consent. Following its 2021 determination, the Commissioner made orders for Clearview AI to, among other things, delete the data it had already collected of Australians and to cease further collection activities.

Clearview AI sought review of this decision by the AAT arguing that:

1. the Privacy Act does not apply because Clearview does not have an ‘Australian link’; and
2. if the Privacy Act does apply, the APPs don’t apply because Clearview AI is a small business operator.

The AAT Decision

The AAT focussed its decision on whether Clearview AI satisfied the ‘Australian Link’ test in section 5B of the Privacy Act. This was initially a two limbed test, meaning a foreign corporation only had an ‘Australian link’ where it:

1. carried on a business in Australia; and
2. collected or held personal information in Australia.

The second limb of this test was removed by the amendments to the Privacy Act under the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (the 2022 Amendments).

Carrying on a business in Australia

Pragmatically, the AAT recognised that new technologies and ways of working mean that the mere fact that a company is based outside of Australia will not preclude the company from being considered to ‘carry on a business’ in Australia.

To that end, the AAT found Clearview AI was carrying on a business in Australia because its web-crawlers had sent requests to collect images from servers that were located in Australia. Specifically:

• Clearview AI was in the business of extracting value from information about people[1];
• harvesting images was an essential part of Clearview AI’s business[2];
• each interaction between Clearview AI’s web crawler and Australian servers constituted a transaction that is a part of Clearview AI’s business[3]; and
• so long as Clearview AI continued to acquire information from servers in Australia, those repeated transactions would continue to make up and support the business, and therefore the conclusion Clearview AI was carrying on a business in Australia.[4]

The AAT did not however find that collecting images that had originally been created by Australians, but that were subsequently stored on servers that were located outside of Australia, constituted the carrying on of a business in Australia, as this was an entirely overseas interaction.[5]

Similarly, the AAT concluded that the mere fact that images were being collected from a website that was hosting images and that used a ‘.au’ domain name was insufficient to suggest that the Clearview business was being carried on in Australia.[6]

For the purposes of Clearview AI’s actions prior to the 2022 Amendments coming into force, the AAT found there was also collection of personal information in Australia to the extent that information had been sent to Clearview AI’s systems from Australian servers.[7]

Application of the APPs

Unsurprisingly, the AAT then concluded that Clearview AI was not a small business operator because its turnover exceeded $3 million, and because it disclosed personal information to someone else (i.e. law enforcement) for a benefit.[8] Consequently, the AAT determined the APPs did apply to Clearview AI.

The Tribunal gave particular regard to APP 3.3 (and, by extension, APP 1.2) – which prohibits the collection of sensitive information without consent, unless an exception applies. It concluded Clearview AI had breached these in view of the fact that it had not obtained the affected individuals’ consent to collection of images that allowed the creation of biometric information, that became ‘sensitive information’ under the Privacy Act once they were used for biometric identification.[9]

Impacts of the 2022 Amendments

This decision highlights that the 2022 Amendments have substantially broadened the scope of the ‘Australian link’ test, extending the Privacy Act’s extra-territorial application to capture activities by organisations that would ordinarily be considered as operating outside Australia.

This highlights Government’s focus on broadening the scope of current protections to reflect the modern nature of businesses operating in Australia.

What’s next?

Given the proposed review and overhaul of the Privacy Act and proposals set out in the Attorney General’s Privacy Act Review Report published on 16 February 2023, there may be further changes to the extra-territorial reach of the Privacy Act on the horizon.

Proposal 23.1 of the Review Report suggested consultation on an additional requirement in subsection 5B(3) of the Privacy Act to demonstrate an ‘Australian link’ that is focussed on personal information being connected with Australia.

As set out in our submission to the Attorney General in relation to the Privacy Act Review Report, we consider the 2022 Amendments may have rendered the extraterritorial reach of the Act too broad and that some form of ‘connection’ with Australia should be retained.

The Attorney General may look to the law in other jurisdictions, such as the EU GDPR, as a template to further refine the definition of the ‘Australian link’ and provide a more nuanced approach to circumstances in which overseas entities would be bound by the Privacy Act.

We anticipate further changes and clarity in the anticipated reforms.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.

Authored by:

Antoine Pace, Partner
Dudley Kneller, Partner,
Eve Lillas, Associate
Chris Girardi, Lawyer

[1] [89], Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069.

[2] [99]

[3] [101]

[4] [103]

[5] [94]

[6] [95]

[7] [164]

[8] [108], referring to the statutory exception in s 6D(4)(c) of the Privacy Act.

[9] [123]-[128].