Takeaways from Privacy Awareness Week

Holding Redlich Sydney held a privacy and data roundtable lunch to celebrate Privacy Awareness Week (2-8 May 2022) and this years’ theme of 'Privacy: The Foundation of Trust'.

The key takeaways from the discussions were that privacy continues to be an evolving area, and that technology is inextricably bound up with privacy and can be a tool to assist organisations meet their compliance obligations.

We briefly considered three privacy determinations issued by the Office of the Australian Information Commissioner (OAIC) over the last year which the OAIC referred to in its launch of Privacy Awareness Week. This included the OAIC’s determinations on:

1. Clearview AI, who had used web scrapping software to trawl online content for images which it compiles into a facial recognition database and provides to law enforcement agencies
2. 7-Eleven, who had been collecting and using biometric information without consent
3. the Australian Federal Police (AFP) and their trial of Clearview’s AI facial recognition tool without undertaking a privacy impact assessment in advance of the trial.

Clearview AI

Clearview’s facial recognition database essentially allows law enforcement to identify individuals in security camera footage using personal information, circumventing the need for search warrants.

In late 2021, the OAIC published a determination which concluded that Clearview had engaged in multiple contraventions of the Privacy Act in relation to the collection of the images which were determined to be biometric information, a type of sensitive information.

The Clearview case illustrates the danger of:

1. failing to obtain consent from users
2. collecting and using personal information for a purpose which no user would reasonably expect.

Regulators in jurisdictions across the world are seeking to put an end to Clearview’s data practices but have had little success thus far.

The OAIC, as well as privacy regulators in Canada, UK, Germany, France and some US states, have ordered Clearview to stop collecting, using and disclosing the images (and the associated biometric information), and to delete all images from its databases. Those orders seem to have had little effect on Clearview.

7-Eleven

In another case of surveillance gone too far, 7-Eleven was also recently found to have breached the Privacy Act.

Over a 14 month period, 7-Eleven had been collecting facial images and fingerprints via a tablet device used to obtain customer feedback in stores. The feedback survey had been completed by over 1.6 million customers in the first nine months.

The facial recognition information was used to detect whether a customer had left multiple responses to the customer feedback survey within a short period of time, in which case the feedback may not have been genuine. The technology also allowed 7-Eleven to collect demographic information about its customer base.

The OAIC’s findings against 7-Eleven are a good reminder for businesses to:

1. obtain consent from customers to collect their sensitive information
2. only collect sensitive information that is “reasonably necessary” for your businesses functions or activities.

The OAIC found that, while improving customers’ in store experience was a legitimate function of 7-Eleven, the collection of customer’s biometric information was not reasonably necessary for that purpose.

Australian Federal Police

It seems even the AFP can’t seem to get it right! For two months, in 2019/2020, an AFP department used Clearview AI’s facial recognition tool on a trial basis to determine whether it could assist in the investigation of child exploitation offences.

To test the efficacy of the database, AFP trial participants uploaded images of possible persons of interest, an alleged offender, victims, members of the public and members of the AFP. The OAIC subsequently investigated this trial and found that the AFP had interfered with the privacy of individuals whose images it uploaded to Clearview database.

No privacy impact assessment had been undertaken in relation to the trial despite the fact that government agencies are required to undertake privacy impact assessments in relation to any “high privacy risk project” and to take other reasonable steps to mitigate privacy risks.

Other themes from our Privacy Awareness Week lunch

Our guests also considered how cyber security impacts, overlaps, and extends privacy obligations and Ashwin Pal from RSM spoke to some of the strategies that can be used to protect data and improve privacy compliance.

We also heard a short presentation from Ryan Morrell of Daisee as to how Daisee’s artificial intelligence and software can assist in compliance and in monitoring contact centre calls. You can visit their website here.

The discussion around where privacy goes from here focused on the evolving nature of privacy and privacy harms, and the importance of privacy considerations being included at the beginning of any new project or software as the cost of building it into a project at a later stage is inhibitive. 

Our privacy team has experience in reviewing privacy risks across a range of projects and can assist in such matters. Please contact us below or send us an enquiry if you would like to get in touch.

Disclaimer
The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Lyn Nicholson

Share this