When is a foreign company subject to Australian privacy law?

In Clearview AI Inc and Australian Information Commissioner [2023] AATA 1069 Clearview challenged the decision of the Australian Information Commissioner and Privacy Commissioner that notwithstanding that Clearview is based in the US, did not operate an office in Australia and had not generated revenue in Australia, it had the necessary ‘Australian link’ for the Privacy Act to apply. Background.

The Administrative Appeals Tribunal of Australia decided that Clearview is bound by the Privacy Act 1988 because it has an Australian link, and has had an Australian link since at least February 2020. Since that date Clearview has engaged in a practice that breaches Australian Privacy Principle (APP) 3.3. That practice is the collection of data which includes sensitive information about individuals, without the individual’s consent, from servers geographically located in Australia. The applicant has also breached APP 1.2.

The AAT concluded that so long as Clearview continues to obtain data from servers located in Australia it carries on business in Australia and has an Australian link. If it wishes to move beyond the reach of the Privacy Act it must cease the practice of collecting images from servers located in Australia.

Apart from servers in Australia receiving requests and responding, none of the manipulating, processing and storage of images occurs in Australia.

The AAT observed that it would not regard the collection of information from websites with Australian domain names, but which are hosted on servers located outside Australia as sufficient to ground a conclusion that Clearview is carrying on business in Australia.

AAT Senior Member O’Donovan concluded: 

“I am satisfied that the applicant is carrying on business in Australia for the purposes of the Privacy Act. Its business is based on three key elements. First, the collection of a large number of images and their associated metadata which constitute the raw materials for its Image Library and associated metadata database. Second, the development of software with the capacity to enable searching of those images in order to produce usable results consisting of images which match a Probe Image and the metadata associated with those images. Third, the business needs to acquire law enforcement clients which will pay licence fees in order to undertake searches of the images on the database by reference to the Probe Images they upload.

The harvesting of images is an essential part of the business. Without the harvesting there is no Image Library from which the business elements of the system can be built. While almost everything in relation to the business happens in the US, the applicant acquires its images from all over the world including from servers in Australia. The image acquisition transactions are the foundation of the business. They are properly characterised as transactions that make up or support the business.”

The Privacy Commissioner found that the Clearview system breached the Privacy Act in a number of ways. First, when it collected images of Australians from the internet (described in the decision as Scraped Images). Second, when it converted those images into machine readable form (described in the decision as Scraped Image Vectors). Third, when it received and stored the images of suspects provided by law enforcement agencies (described in the decision as Probe Images). Fourth, when it converted those images into machine readable form (described in the decision as Probe Image Vectors). Fifth, when it stored in machine readable form the images sent in by Australians seeking to opt out of the Clearview system (described in the decision as Opt-out Vectors).

If you found this article helpful, then subscribe to our news emails to keep up to date and look at our video courses for in-depth training. Use the search box at the top right of this page or the categories list on the right hand side of this page to check for other articles on the same or related matters.

David Jacobson

Author: David Jacobson
Principal, Bright Corporate Law
Email:
About David Jacobson
The information contained in this article is not legal advice. It is not to be relied upon as a full statement of the law. You should seek professional advice for your specific needs and circumstances before acting or relying on any of the content.

 

Your Compliance Support Plan

We understand you need a cost-effective way to keep up to date with regulatory changes. Talk to us about our fixed price plans.