Privacy Laws & Business International Report

ANALYSIS

Clearview AI revelations spark action on use of facial recognition Sam Jungyun choi , hannah Lepow , christopher Lin , and Ian macdonald of Covington & Burling LLP discuss legislative and regulatory developments following publication of news that searchable faceprints were being generated from billions of online images. ince the New York Times article on the United States and in the EU as well Clearview violated the CCPA Clearview AI (Clearview) in Janu - as the legal challenges facing Clearview. because it failed to give proper ary 2020, 1 the company has come notice to consumers of its data under scrutiny from legislators, regula - sCrUtiny in the Us C oUrts collection before scraping their S 10 tors, and the public for its use of facial Eight putative class actions were filed biometric data. The CCPA’s pri - recognition technology (FRT). As a within days of publication of the Times vate right of action is very limited, refresher—because January feels like article, and more have followed. The and does not extend to the years ago—the New York Times article cases plead claims under a variety of statute’s notice requirements. described how Clearview sells access to state and federal laws, including: Plaintiffs assert that California’s a database of faceprints, developed from • illinois Biometric information Unfair Competition Law provides scraping billions of images from web - privacy act (BIPA). Seven of the them with a private right of action sites such as Google, Facebook, and putative class actions allege that with respect to the alleged CCPA Twitter and then using FRT to map the Clearview violated BIPA, the Illi - violation. faces in those images to create searchable nois statute that regulates the col - • state Consumer protection faceprints. Users can then upload photos lection and use of biometric infor - statutes . Two private plaintiffs are to find matches; a service popular with mation. Plaintiffs Mutnick, 2 Hall, 3 seeking class certification in suits law enforcement. Calderon, 4 Burke, 5 Broccolino, 6 against Clearview with discrete In the US, parties ranging from the McPherson, 7 and John 8 allege that claims under Californian and Vir - ACLU to the Attorney General of Ver - Clearview’s use of FRT on images ginian consumer protection mont have taken Clearview to court on of class members constitutes the statutes, and the Vermont Attorney various legal theories. In the legislative capture of biometric identifiers General has brought a suit against sphere, sparked by the protests against under BIPA, and that Clearview did the company under that state’s con - police misconduct in the United States, not obtain consent or meet the sumer protection law. John, who a new bill proposed in Congress would other requirements of the statute. also brought claims under BIPA, impose a moratorium on law enforce - The ACLU of Illinois has sued asserts that Clearview violated the ment’s use of FRT. Similar rumblings Clearview on similar grounds. 9 No California Business and Profes - can be seen across the Atlantic in the court has yet issued a substantive sional Code, alleging that EU as well. EU data protection author - opinion in these cases. Clearview’s alleged theft and use of ities have announced investigations • California Consumer privacy photographs constituted an unfair into the company’s compliance with act (CCPA). Burke, one of the business practice. 11 A complaint in the GDPR. In this article, we highlight plaintiffs who sued Clearview Virginia alleges that the company’s new developments relating to FRT in under BIPA, also asserted that use of FRT on class members’

UK IcO AND AUSTRALIA’S DPA TO INvESTIGATE cLEARvIEw AI INc The UK’s Data Protection Authority (the on the Facebook/Cambridge Analytica In Canada, the focus of the investigation by ICO) announced, on 9 July, that it will open investigation. However, both parties have the Privacy Commissioners at national level a joint investigation with its Australian left the door open to cooperate with other and those in Alberta, British Columbia and colleagues (the OAIC), into the personal DPAs, as the issues are similar in every Quebec is on the use by the Royal information handling practices of Clearview country. Accordingly, the ICO states “The Canadian Mounted Police (RCMP) of AI Inc., focusing on the company’s use of OAIC and ICO will engage with other data Clearview services. Responding to these ‘scraped’ data and biometrics of individuals. protection authorities who have raised events, on 6 July, the company announced It is reported that Clearview’s system similar concerns, where relevant and that, as a result of this investigation, it had includes a database of more than three appropriate.” As Clearview has announced stopped providing a service to the RCMP billion images that Clearview claims to have that it also provides its services to financial which anyway was its last client in Canada. taken or “scraped” from various social services companies and retailers, the focus media platforms and other websites. in other countries could be on different Stewart Dresner Reflecting the fact that Elizabeth Denham is sectors. The investigation highlights the the Chair of the Global Privacy Assembly, importance of enforcement cooperation in • See ico.org.uk/about-the-ico/news-and- the ICO is choosing to work with a non- protecting the personal information of events/news-and-blogs/2020/07/oaic-and- European country on this Clearview Australian and UK citizens in a globalised ico-open-joint-investigation-into-clearview- investigation, as it did with Canadian DPAs data environment, the ICO says. ai-inc/

photographs violated both the Vir - In a court filing in May 2020, previously proposed bill prohibiting ginia Computer Crimes Act and Clearview, seeking dismissal in the the use of FRT in public housing Virginia Code § 8.01-40, which the Mutnick case in Illinois federal court, introduced by Sen. Booker in Octo - plaintiff asserts protect against the stated that it was taking “comprehen - ber 2019, 19 and a previous FRT mora - unauthorized use of name or pic - sive steps to prevent the collection of torium bill introduced by Sens. ture of any person. 12 (The Virginia facial vectors from photos associated Booker and Merkley (D-OR) in case is the only class action suit thus with Illinois, and to prohibit the February 2020. 20 far not to also invoke BIPA.) The searching of existing photos associated Some localities have also Vermont Attorney General is the with Illinois.” 14 In addition to ceasing advanced efforts to regulate FRT. In only US regulator to bring an operations in Illinois, Clearview June 2020, the Boston City Council action against the company so far. announced that it was “terminating voted unanimously to ban the use of The suit, in Vermont state court, access rights to its app for all account FRT by the city, following in the alleges three claims under the state’s holders based in Illinois and . . . the steps of San Francisco, Oakland, consumer protection law: that accounts of any non-law enforcement Cambridge, and other municipalities. Clearview’s alleged use of FRT on or government entity.” 15 Also in June 2020, the New york screen-scraped photos of Vermon - City Council voted to disclose the ters constituted an unfair act and developments in frt surveillance methods employed by practice in commerce; that legislation in the Us the New york Police Department, Clearview made false and mislead - The US Congress has introduced two which include FRT. ing statements about its business in new legislative proposals seeking to Vermont; and that Clearview bro - regulate government use of FRT. On 25 legal developments in the kered personal biometric informa - June 2020, the House of Representa - eUropean Union tion through fraudulent means. tives passed the George Floyd Justice in As was the case in the United States, • Common law Claims . In addition Policing Act, which would ban the use Clearview faced heightened regula - to alleging violations of state of real-time FRT on body cameras tory scrutiny in the EU following the statutes, plaintiffs in Mutnick, worn by federal law enforcement offi - New York Times article. A number of Burke, Broccolino, McPherson, and cials, and would require a warrant for data protection authorities, including John also claim that Clearview is the use of FRT on such footage at a in Sweden and Germany, launched guilty of unjust enrichment to the later time. 16 The bill would also pro - investigations of Clearview’s prac - extent that it allegedly profited hibit state and local law enforcement tices. In March 2020, Sweden’s data from scraping of the class members’ from using certain grants for FRT- protection authority began to investi - biometric markers and other data. related expenses. gate government use of Clearview • federal law Claims . Only one case Second, and far more sweeping, the technology and published plans to asserts federal claims. Plaintiff Mut - Facial Recognition and Biometric send inquiries to various departments, nick, who also filed a claim under Technology Moratorium Act—intro - e.g., police, Coast Guard, etc., to BIPA, claims that Clearview is a duced to Congress in late June 2020, in determine (1) whether they used the state actor by virtue of its selling its the House by Reps. Pramila Jayapal technology and (2) whether the use service to state agencies and police (D-WA) and Ayanna Pressley (D-MA) was justified under an appropriate departments. Under this theory, and in the Senate by Sens. Ed Markey legal basis. 21 Similarly, in March 2020, Mutnick alleges four constitutional (D-MA) and Jeff Merkley (D-OR)— the Hamburg data protection author - claims, under the First, Fourth, and would prohibit any federal agency or ity requested from Clearview infor - Fourteenth Amendments as well as official from using any biometric sur - mation regarding its business model, the Contracts Clause. 13 Mutnick veillance system, or any information sources of data, and scope of process - alleges that: (i) Clearview conspired derived from a biometric surveillance ing. 22 The Hamburg data protection with state officials to deny class system operated by another entity, sub - commissioner has since separately members’ access to the courts in ject to limited exceptions. 17 The bill noted that while use of Clearview may violation of the First Amendment; would also prevent local police depart - not be fundamentally problematic, (ii) Clearview’s alleged collation of ments who employ FRT from receiving storage of facial images requested by biometric identifiers constituted an certain federal funds. police on the servers of a private unlawful search and seizure under Sen. Markey also penned a public provider is likely to contravene the Fourth Amendment; (iii) letter to the Department of Justice national laws. 23 Clearview’s alleged actions violated prior to announcing the bill. 18 In June 2020, the European Data the Fourteenth Amendment’s right According to the letter, the Drug Protection Board (EDPB), the inde - to due process by exposing class Enforcement Agency; the Bureau of pendent European body that is man - members to various physical harms; Alcohol, Tobacco, Firearms, and dated by the GDPR to facilitate the and (iv) Clearview’s alleged scrap - Explosives; the Secret Service; and the consistent application of data protec - ing of biometric data from public Federal Bureau of Investigation are tion laws throughout the EU, specifi - websites violated class members’ all using Clearview’s product on a cally weighed in on Clearview. The contractual rights under the trial basis. EDPB released a statement noting, in Contracts Clause. These two proposals follow a relevant part, that it “has doubts as to

whether any Union or Member State the use of FRT by law enforcement in the privacy space to track key law provides a legal basis for using a authorities. developments in FRT and take a service such as offered by Clearview proactive stance in adapting to AI. Therefore, as it stands and with - ConClUsion changes in policy and legislation. out prejudice to any future or pending FRT was already the subject of leg - investigation, the lawfulness of such islative interest before the New York use by EU law enforcement authori - Times article on Clearview AI, but AUThORS 24 ties cannot be ascertained.” The since then the topic has only gained Sam Jungyun Choi and Hannah Lepow EDPB further referred to its guide - more attention, among the public at are Associates, Christopher Lin is a Legal lines on the processing of personal large as well as legislators and regula - Intern, and Ian Macdonald is a Summer data through video devices, which tors. As public opinion moves and the Associate at Covington & Burling LLP. addresses the GDPR considerations litigations, bills, and other actions Emails: [email protected] [email protected] when deploying FRT, and announced mentioned in this article more for - [email protected] plans to undertake further work on ward, it remains important for those

REfERENcES 1 Kashmir Hill, The Secret Company that 1:20-cv-3104-CM (S.D. Cal. Feb. 27, 19 No Biometric Barriers to Housing Act of Might End Privacy as We Know It, N.Y. 2020). 2019, S. 2689, 116th Cong. (2020), Times , Jan. 18, 2020, 11 Complaint, John v. Clearview AI, Inc., No. available at: www.nytimes.com/2020/01/18/technolo 1:20-cv-3481-CM (S.D.N.Y. May 4, 2020). www.congress.gov/bill/116th- gy/clearview-privacy-facial- 12 Complaint, Roberson v. Clearview AI, congress/senate- recognition.html Inc., No. 20-cv-111-RDA-MSN (ED. Va. bill/2689?overview=closed 2 Complaint, Mutnick v. Clearview AI, Feb. 3, 2020) (Nos. 12-14). 20 Ethical Use of Facial Recognition Act, Inc., 1:20-cv-512-SC (N.D. Ill. Jan. 20, 13 Complaint, Mutnick v. Clearview AI, S. 3284, 116th Cong. (2020), available 2020) (No. 1). Inc., 1:20-cv-512-SC (N.D. Ill. Jan. 20, at: 3 Complaint, Hall v. Clearview AI, Inc., 2020) (No. 1). www.congress.gov/116/bills/s3284/BILL No. 20-846 (N.D. Ill. Feb. 5, 2020) (No. 14 Defendants’ Memorandum of Law in S-116s3284is.pdf 1). Opposition to Plaintiff’s Motion for 21 Swedish DPA Launches Investigation 4 Complaint, Calderon v. Clearview AI, Preliminary Injunction, Mutnick v. Into Use of Clearview AI, IAPP, Mar. 6, Inc., 1:20-cv-1296-CM (S.D.N.Y. Feb. Clearview AI, Inc., 1:20-cv-512-SC, at 1 2020, iapp.org/news/a/swedish-dpa- 13, 2020). (N.D. Ill. May 26, 2020) (No. 1). launches-investigation-into-use-of- 5 Complaint, Burke v. Clearview AI, Inc., 15 Defendants’ Memorandum of Law in clearview-ai 1:20-cv-3104-CM (S.D. Cal. Feb. 27, Opposition to Plaintiff’s Motion for 22 Hamburg’s Datenschützer leitet 2020). Preliminary Injunction, Mutnick v. Prüfverfahren gegen Clearview ein, 6 Complaint, Broccolino v. Clearview AI, Clearview AI, Inc., 1:20-cv-512-SC, at 1 Spiegel Netzwelt, Mar. 25, 2020, Inc., 1:20-cv-2222-CM (S.D.N.Y. Mar. (N.D. Ill. May 26, 2020) (No. 1). www.spiegel.de/netzwelt/web/clearview 12, 2020). 16 H.R. 7120, 116th Cong. (2020), -hamburgs-datenschuetzer-leitet- 7 Complaint, McPherson v. Clearview AI, available at: pruefverfahren-ein-a-0ec1870d-c2a5- Inc., 1:20-cv-3053-CM (S.D.N.Y. Apr. www.congress.gov/bill/116th- 4ea1-807b-ac5c385ae165 15, 2020). congress/house-bill/7120 23 Matthias Monroy, Clearview AI: What 8 Complaint, John v. Clearview AI, Inc., 17 S. ___, 116th Cong. (2020), at: does Interpol Use Face Recognition No. 1:20-cv-3481-CM (S.D.N.Y. May 4, www.markey.senate.gov/imo/media/doc For?, Mar. 9, 2020, 2020). /acial%20Recognition%20and%20Biom digit.site36.net/2020/03/09/clearview- 9 Complaint, A.C.L.U. v. Clearview AI, etric%20Technology%20Moratorium%2 ai-what-does-interpol-use-face- Inc. (N.D. Ill. May 28, 2020), available 0Act.pdf recognition-for at: https://www.aclu.org/legal- 18 www.markey.senate.gov/imo/media/ 24 edpb.europa.eu/sites/edpb/files/files document/aclu-v-clearview-ai-complaint doc/DOJ%20Protest%20Surveillance.p /file1/edpb_letter_out_2020- 10 Complaint, Burke v. Clearview AI, Inc., df 0052_facialrecognition.pdf

EU to deploy ‘controversial’ traveller screening Statewatch has released a report, Auto - watchlist operated by Europol. the authorities through the use of mated suspicion: The EU’s new travel “Before visitors arrive in the Schen - “screening rules” and “risk indicators” surveillance initiatives, according to gen area, during their stay and after relating to factors such as age range, which travellers’ privacy will be they leave, their data will be held in nationality, country and city of residence, infringed by the use of surveillance tech - enormous centralised databases acces - destination, purpose of travel and occu - nologies. The report examines how all sible by thousands of officials, and pation. The new systems that underpin applicants for short-stay Schengen visas made available for a variety of uses such these changes are meant to be in place by and new “travel authorisations” will be as identity checks and law enforcement the end of 2022, as part of the EU’s plans checked against millions of files in police investigations,” Statewatch says. to make policing and migration databases databases, screened by automated pro - Statewatch reports that the new pro - “interoperable”, the report says. filing tools, and have their names filing tools will try to detect potentially checked against a new “pre-crime” “risky” individuals who are unknown to • See statewatch.org/automatedsuspicion

Issue 166 AUGUST 2020

EU-US Privacy Shield is invalid COMMENT says European Court of Justice 2-Guidance needed from the EDPB Although Standard Contractual Clauses remain valid, the decision NEWS creates uncertainty for companies which have been relying on the Shield for their EU-US transfers. By Laura Linkomies . 1- EU-US Privacy Shield is invalidated 9- The EU is forming its AI policy he EU-US Privacy Shield was data by the US surveillance commu - declared invalid by the Court nity, and that there are faults in the 15 - UN on children’s right to privacy of Justice of the European US Ombudsman system. The US 24 - GDPR cross-border improvements? TUnion (CJEU) on 16 July. The court Department of Commerce, which 26 - Privacy and Covid-19 in Korea said that the agreement does not administers the programme, was ANALYSIS provide equivalence of protection to EU citizens due to access to personal Continued on p.3 10 - Germany rules on cookie consent and third party advertising 16 - Clearview facial recognition backlash 28 - Implementing Convention 108+ Jamaica adopts a post-GDPR – observer and NGO contributions LEGISLATION data privacy law 1- Jamaica adopts data privacy law Graham Greenleaf asks whether Jamaica’s law is strong 22 - South Africa’s DP Law in force enough to mark the start of a different direction for data privacy in the Caribbean. MANAGEMENT amaica’s Data Protection Act within the anglophone Caribbean. 13 - Apple makes privacy pips squeak 1 2020 , enacted on 19 May but There are now 15 Caribbean data 19 - Buying data from consumers not yet in force, provides for a privacy laws: the Bahamas (2003), St NEWS IN BRIEF J transitional period of two years. Vincent & Grenadines (2003), BES The Jamaican Information Commis - Islands (the Netherlands municipali ties 8- California’s CCPA now enforceable sioner, once appointed, should be 8- Microsoft will honour California’s influential in the region, at least Continued on p.5 privacy rights throughout the US 8- EDPB issues One-Stop-Shop register 12 - New Zealand strengthens DP law PL&B Resources 14 - Belgium’s 600,000 fine on Google € • PL&B’s Data Protection Clinic: • PL&B’s Privacy Paths podcasts are 14 - Dutch DPA issues a record fine Book a 30 minute consultation to available at 18 -EU to step up traveller screening help resolve your Data Protection www.privacylaws.com/ podcasts issues. The clinic will support you and from podcast directories, 21 - German court confirms Facebook’s in identifying your key priorities including Apple, Alexa, Spotify, abuse of market power and much more. Sticher and Buzzsprout. Recent 27 - EU update on Brexit and adequacy topics include ‘Adtech’ and a www.privacylaws.com/clinic 31 - UK responds to adequacy concerns Brexit update. privacylaws.com 31 - Seamless data transfers crucial 31 - Easyjet faces UK ‘class action’

PL&B Services: Conferences • Roundtables • Content Writing Recruitment • Consulting • Training • Compliance Audits • Research • Reports COMMENT

ISSUE NO 166 AUGUST 2020

PUBLISHER Stewart H Dresner Guidance needed from the [email protected] . EDITOR European Data Protection Board Laura Linkomies The decision from the Court of Justice of the European Union [email protected] (CJEU) on the adequacy failings of the protection provided by the DEPUTY EDITOR EU-US Privacy Shield has left organisations in confusion. While the Tom Cooper Shield is out and Standard Contractual Clauses remain, organisations [email protected] will have to satisfy themselves about the level of the data protection ASIA-PACIFIC EDITOR law in the country where they transfer data. National EU DPAs need Professor Graham Greenleaf to unite now in terms of their response ( p.1 ). [email protected] REPORT SUBSCRIPTIONS Clearview’s practices processing facial recognition data have been K’an Thomas attracting the attention of individual DPAs, and collectively as the [email protected] European Data Protection Board (EDPB). The EDPB is doubtful CONTRIBUTORS whether a legal basis can be found for using Clearview AI services in Katharina Weimer the EU ( p.16 ). Fieldfisher, Germany Phil Lee As Amazon issues a one-year moratorium for police use of its facial Fieldfisher, UK recognition tech, the EU Commission ponders whether legislation is Sam Jungyun Choi, Hannah Lepow, Christopher Lin and Ian Macdonald needed for AI ( p.9 ). It is not expected that the GDPR will be Covington & Burling LLP, US amended in light of new technologies now that the Commission has Elizabeth Coombs made its and stakeholders’ views clear in its review ( p.24 ). UN programme on the Right to Privacy Sanna Toropainen Last year, the Planet-49 case on cookies made organisations aware of Muna.io, Belgium the tricky issue of cookie consent. What has happened in Germany Nerushka Bowan with this ruling of the CJEU, and how does it impact cookie The LITT Institute, South Africa compliance? Read our correspondent’s analysis on p.10 . Professor Nohyoung Park University of Korea After a long wait, many parts of South Africa’s privacy law are now in force ( p.22 ), and Jamaica has legislated, mostly in GDPR-style (p.1 ). Both laws have GDPR-influenced definitions of common Published by Privacy Laws & Business, 2nd Floor, terms. Monument House, 215 Marsh Road, Pinner, Middlesex HA5 5NE, United Kingdom As the pandemic has put a strain on everyone’s personal and Tel: +44 (0)20 8868 9200 Email: [email protected] professional life, what lessons can be learned on managing the crisis? Website: www.privacylaws.com Our contributor from Korea says that while his country is regarded Subscriptions: The Privacy Laws & Business International Report is produced six times a year and is available on an as a successful in containing the spread of Covid-19, its actions have annual subscription basis only. Subscription details are at the been criticised by privacy activists ( p.26 ). Please send me back of this report. ([email protected]) your views on returning to the workplace Whilst every care is taken to provide accurate information, the after the pandemic ( p.26 ). publishers cannot accept liability for errors or omissions or for any advice given. Design by ProCreative +44 (0)845 3003753 Laura Linkomies, Editor Printed by Rapidity Communications Ltd +44 (0)20 7689 8686 PRIVACy LAWS & BUSINESS ISSN 2046-844X

Copyright : No part of this publication in whole or in part may be reproduced or transmitted in any form without the prior written permission of the publisher. Contribute to PL&B reports Do you have a case study or opinion you wish us to publish? Contri butions to this publication and books for review are always welcome. If you wish to offer reports or news items, © 2020 Privacy Laws & Business please contact Laura Linkomies on Tel: +44 (0)20 8868 9200 or email [email protected] .

O======^rdrpq=OMOM======PRIVACY LAWS & BUSINESS INTERNATIONAL REPORT © 2020 PRIVACY LAWS & BUSINESS Join the Privacy Laws & Business community The PL&B International Report , published six times a year, is the world’s longest running international privacy laws publication. It provides comprehensive global news, on 165+ countries alongside legal analysis, management guidance and corporate case studies. PL&B’s International Repo rt will help you to: Stay informed of data protection legislative Find out about future regulatory plans. developments in 165+ countries. Understand laws, regulations, court Learn from others’ experience and administrative decisions and what through case studies and analysis. they will mean to you. Incorporate compliance solutions Be alert to future privacy and data into your business strategy. protection law issues that will affect your organisation’s compliance and reputation.

Included in your subscription: 1. six issues published annually 4. paper version also available 7. events documentation Postal charges apply outside the UK. Access events documentation such 2. online search by keyword as PL&B Annual International Search for the most relevant content 5. news Updates Conferences , in July, Cambridge. from all PL&B publications and Additional email updates keep you events. you can then click straight regularly informed of the latest 8. helpline enquiry service through from the search results into developments in Data Protection Contact the PL&B team with the PDF documents. and related laws. questions such as the current status of legislation, and sources for specific 3. electronic version 6. Back issues texts. This service does not offer legal We will email you the PDF edition Access all PL&B International advice or provide consultancy. which you can also access via the Report back issues. PL&B website. privacylaws.com/reports

Privacy Laws & Business helps me keep pace with the latest discussions on the topical issues in data protection. A critical resource at a time when there is continuous development in our understanding of the law as well as a shift in how businesses are using data. Rachael Annear, Senior Associate, Freshfields Bruckhaus Deringer LLP

UK Report Subscriptions Privacy Laws & Business also publishes Subscription licences are available: PL&B UK Report six times a year, covering • Single use the Data Protection Act 2018, the Freedom • Multiple use of Information Act 2000, Environmental • Enterprise basis Information Regulations 2004 and Electronic • Introductory, two and three years discounted Communications Regulations 2003. options Stay informed of data protection legislative developments, learn from others’ Full subscription information is at privacylaws.com/subscribe experience through case studies and analysis, and incorporate compliance solutions into your business strategy. Satisfaction Guarantee If you are dissatisfied with the Report in any way, the unexpired portion of your subscription will be repaid.