Holding Redlich Sydney held a privacy and data roundtable lunch to celebrate Privacy Awareness Week (2-8 May 2022) and this year’s theme of 'Privacy: The Foundation of Trust'.
The key takeaways from the discussions were that privacy continues to be an evolving area, and that technology is inextricably bound up with privacy and can be a tool to help organisations meet their compliance obligations.
We briefly considered three privacy determinations issued by the Office of the Australian Information Commissioner (OAIC) over the last year which the OAIC referred to in its launch of Privacy Awareness Week. These included the OAIC’s determinations on:
Clearview’s facial recognition database essentially allows law enforcement to identify individuals in security camera footage using personal information, circumventing the need for search warrants.
In late 2021, the OAIC published a determination which concluded that Clearview had engaged in multiple contraventions of the Privacy Act in relation to the collection of the images, which were determined to be biometric information, a type of sensitive information.
The Clearview case illustrates the danger of:
Regulators in jurisdictions across the world are seeking to put an end to Clearview’s data practices but have had little success thus far.
The OAIC, as well as privacy regulators in Canada, the UK, Germany, France and some US states, have ordered Clearview to stop collecting, using and disclosing the images (and the associated biometric information), and to delete all images from its databases. Those orders seem to have had little effect on Clearview.
In another case of surveillance gone too far, 7-Eleven was also recently found to have breached the Privacy Act.
Over a 14-month period, 7-Eleven had been collecting facial images and fingerprints via a tablet device used to obtain customer feedback in stores. The feedback survey had been completed by over 1.6 million customers in the first nine months.
The facial recognition information was used to detect whether a customer had left multiple responses to the customer feedback survey within a short period of time, in which case the feedback may not have been genuine. The technology also allowed 7-Eleven to collect demographic information about its customer base.
The OAIC’s findings against 7-Eleven are a good reminder for businesses to:
The OAIC found that, while improving customers’ in-store experience was a legitimate function of 7-Eleven, the collection of customers’ biometric information was not reasonably necessary for that purpose.
It seems even the AFP can’t get it right! For two months, in 2019/2020, an AFP department used Clearview AI’s facial recognition tool on a trial basis to determine whether it could assist in the investigation of child exploitation offences.
To test the efficacy of the database, AFP trial participants uploaded images of possible persons of interest, an alleged offender, victims, members of the public and members of the AFP. The OAIC subsequently investigated this trial and found that the AFP had interfered with the privacy of individuals whose images it uploaded to the Clearview database.
No privacy impact assessment had been undertaken in relation to the trial despite the fact that government agencies are required to undertake privacy impact assessments in relation to any “high privacy risk project” and to take other reasonable steps to mitigate privacy risks.
Our guests also considered how cyber security impacts, overlaps with and extends privacy obligations, and Ashwin Pal from RSM spoke to some of the strategies that can be used to protect data and improve privacy compliance.
We also heard a short presentation from Ryan Morrell of Daisee as to how Daisee’s artificial intelligence and software can assist in compliance and in monitoring contact centre calls.
The discussion around where privacy goes from here focused on the evolving nature of privacy and privacy harms, and the importance of privacy considerations being included at the beginning of any new project or software, as the cost of building them into a project at a later stage is prohibitive.
Our privacy team has experience in reviewing privacy risks across a range of projects and can assist in such matters.
Author: Lyn Nicholson
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.