AAT Confirms Expanded Scope of ‘Carrying on Business’ in Australia
A landmark ruling in Australia confirms that Clearview AI violated privacy laws despite having no physical presence or product or service offerings in the country. The ruling bears on the extraterritorial scope of privacy laws and underscores the implications for companies that collect personal information in the public domain.
On May 8, the Administrative Appeals Tribunal (AAT) handed down its decision in the action brought by Clearview AI Inc (Clearview AI)1 against the Australian Information Commissioner's (OAIC) 2021 decision.2 The AAT proceeding was eagerly awaited given that it was tasked with considering the thorny and important issue of the extraterritorial application of the Privacy Act 1988 (Cth) (Privacy Act).
The AAT decided that repeatedly collecting personal information from Australian servers was, on its own, enough to establish that a foreign corporation carries on business in Australia for purposes of the current extraterritorial application test in the Privacy Act. The AAT found this to be the case even if the foreign company does not have a physical presence in Australia and does not derive income from its commercial activities in Australia.
Following the commencement of the Privacy Act Amendments (Enforcement and Other Measures) Act 2022 (2022 Amendment), the “carrying on business in Australia” test is the only requirement that must be met for a foreign company to have an Australian link and for its global data processing practices to be bound by the Privacy Act.
Key points
- The test applied by the AAT to determine whether a business carries on business in Australia for Privacy Act purposes is whether it engages in repetitive activities in Australia that amount to, or are incidental to, transactions that constitute and support its business. Such acts need not be commercial per se, nor do they require human action.
- As such, repeated collection of information from Australian servers may be sufficient to establish that a foreign company is doing business in Australia. This is the case even if the organization does not have a physical presence in Australia and does not derive revenue from its commercial activities in Australia.
- This decision confirmed that the effect of the 2022 amendments is to significantly expand the extraterritorial scope of the Privacy Act. Once an Australian link is established, the acts and practices of the foreign corporation in relation to all personal information it handles, anywhere in the world, are regulated by the Privacy Act. This includes personal information related entirely to commercial activities in other jurisdictions unrelated to Australia.
- Foreign-based organizations subject to the Privacy Act will have to wait for the Attorney General’s ongoing review of the Privacy Act before that position can change.
- Organizations based abroad, including:
  - organizations that interact with organizations or individuals based in Australia;
  - organizations that do not restrict the provision of services to Australians; and
  - affiliates of Australian organizations that provide services to, or have technical exchanges with, Australian group entities;

  should review whether their activities may fall within the jurisdiction of the Privacy Act and, as a result, what steps may be required to comply with it or, alternatively, should consider measures (such as geolocation restrictions) that may be introduced to prevent access to Australian servers.
Background
In 2021, the OAIC ruled that Clearview AI violated privacy laws in connection with collecting images from Australian servers for use in facial recognition technology.3 In determining that Clearview AI had violated the Privacy Act, the OAIC considered that Clearview AI was at all times carrying on business in Australia and therefore had to comply with the Privacy Act (and that the activities the company was undertaking did not comply with it).4 For more information on the original 2021 OAIC decision, see the 2021 OAIC Decision insight.
Clearview AI submitted this decision for review by the AAT, which issued its decision on May 8, 2023.
While the AAT ruled in favor of the OAIC, it made some broader and more interesting observations about the scope of extraterritorial application of the Privacy Act. These are summarized below.
The AAT’s determination
The relevant issue for the AAT to consider was whether Clearview AI met the Australian link test under section 5B of the Privacy Act, given that Clearview AI does not have a business establishment in Australia.5
This question was further complicated by the fact that following the original OAIC decision, s5B was amended by the 2022 Amendment.6 The AAT considered the application of s5B to Clearview AI’s business operations before and after the 2022 amendments.
“Australian link” test
Previously, in order for a foreign company to be considered to have an “Australian link”, it had to meet both of the following conditions:
- it carries on business in Australia; and
- it collects or holds personal information in Australia.7
The 2022 Amendment removed the second part of that test.8
“Carrying on business in Australia”
If the foreign company does not have a business establishment in Australia, the test applied by the AAT to determine whether the company is carrying on business in Australia is whether the company engages in repetitive activities in Australia that constitute or are incidental to transactions that constitute and support its business.9 Such actions need not be commercial in themselves, and no human agent is needed.10
The AAT agreed with the OAIC that retrieving images from servers located in Australia means that Clearview AI carries on business in Australia (and will continue to do so), for the following reasons:
- Collecting images for inclusion in the image library by Clearview AI’s web crawlers is an important part of Clearview AI’s business.11
- As such, each instance of collecting images worldwide, including from servers in Australia, is a transaction that constitutes or supports Clearview AI’s business.12
- The question was not whether data collection alone ‘is not enough to carry on business in Australia’,13 or specifically whether collecting images from Australian servers was “essential” to Clearview AI’s business.14
- Rather, so long as Clearview AI continues to obtain information from servers in Australia, Clearview AI is conducting repetitive acts in Australia that amount to or are incidental to transactions that constitute and support its business and, therefore, it meets the “carrying on business in Australia” test.15
However, the AAT did not consider the following transactions proposed by the OAIC to amount to “carrying on business in Australia”:
- Retrieving images posted by Australians on global social networks, which are stored on servers outside Australia, from those global social networks.16
  - This is because, at the time an offshore server fetches an image from another offshore server, there is no geographical connection to Australia, given that the underlying individual is not involved in the transaction taking place between the two offshore servers. This means that the “carrying on business in Australia” test has a temporal element tied to the particular transaction in question. It does not matter what previous transaction took place for the offshore server to obtain the image (i.e. that an Australian uploaded the image to the offshore server).
- Collecting information from websites that have Australian domain names but are hosted on servers located outside Australia.17
  - Similarly, this type of transaction involves the transfer of information from one offshore server to another offshore server and is therefore not a transaction involving a physical connection to Australia.
This analysis changes when the transfer of information involves a person in Australia transferring data to a company overseas.18
These two clarifications highlight the importance of physical location to the “carrying on business in Australia” test. Importantly, for the purposes of that test, the transactions must either take place physically in Australia or involve participants physically located in Australia.19
“Collection of personal information in Australia”
Prior to the 2022 Amendment, it was also necessary to establish that Clearview AI was collecting or holding personal information in Australia for it to have an “Australian link”. The AAT’s decision clarifies that the transmission of information from Australian servers to offshore servers is collection of personal information in Australia. Clearview AI’s web crawlers engage in such activities.
Will the extraterritorial test be reviewed?
The AAT pointed out that the effect of the 2022 amendments is to significantly expand the scope of extraterritorial application of the Privacy Act, and that once an Australian link is established, the acts and practices of a foreign corporation in relation to all personal information it handles are regulated by the Privacy Act.20
This is commonly recognized as an unintended impact of the 2022 Amendment. The purpose of the change was to ensure that organizations that carry on business in Australia but do not directly collect or hold personal information in Australia are still bound by the Privacy Act. An example could be a particular offshore entity carrying on business in Australia that handles personal information only by receiving it from another group entity that is also located outside Australia.
But the test is now much broader than that, extending to all of the acts and practices of organizations regulated by the Privacy Act. In other words, global organizations must comply with the Privacy Act throughout their global operations, including in their dealings with individuals located in other jurisdictions. This creates a much broader extraterritorial scope than under the laws of other jurisdictions, such as the GDPR, the CCPA and the PIPL in China.
Amendments may provide needed clarity
But there is hope on the horizon. Earlier this year, the Attorney General’s Office released its Privacy Law Review Report, which includes more than 100 recommendations to revise existing privacy laws. One of these recommendations was to (again) amend the extraterritorial application of privacy laws.21
One of the government’s proposals is to include additional language requiring that the acts or practices of organizations carrying on business must “relate to personal information relating to Australia”.22 This will bring the Privacy Act more in line with equivalent extraterritorial tests set by other laws, including Article 3 of the GDPR.
In our view, this is a very significant amendment to the current drafting and will provide much-needed certainty for organizations operating globally.
