Australia: Issued Administrative Appeals Tribunal of Australia ruling regarding the investigation into Clearview AI for failure to comply with privacy rules

On 8 May 2023, the Administrative Appeals Tribunal of Australia (AATA) upheld the OAIC’s decision that Clearview AI failed to take reasonable steps to implement the necessary procedures to ensure compliance with the Australian Privacy Principles contained in the Privacy Act 1988, and that, further, it has interfered with the privacy of Australians by failing to obtain consent for the collection of sensitive information, collect information by lawful means, give proper notification of the collection of data, and ensure that collected information was accurate and up-to-date. The OAIC has declared that Clearview AI must cease the collection of images in breach of APPs and delete existing images so collected from Australians. Clearview’s appeal argued that it is not subject to the Privacy Act because it lacks an “Australian link,” which is a prerequisite for the Act to apply to foreign corporations. Alternatively, Clearview claimed that if the Privacy Act does apply, it is exempt from the Australian Privacy Principles (APPs) since it operates as a small business. The AATA has determined that Clearview’s practice of harvesting images from servers in Australia is a critical aspect of its operations. The interactions between Clearview’s web crawler and Australian servers constitute business transactions that support and make up the company’s activities. Thus, AATA concluded that Clearview is conducting business in Australia and has an Australian Link, despite obtaining information surreptitiously without human intervention. Moreover, Clearview is not exempt from the Australian Privacy Principles under the “small business operator” classification since its revenue exceeds the 3 million AUD threshold. Even if it did qualify as a small business, it would still be excluded because it discloses personal information about third parties for profit.