With ChatGPT and artificial intelligence (AI) programs on the rise, it’s important to understand your business’ privacy obligations. On May 30, 2023, the Administrative Appeals Tribunal (ATT) confirmed that the Privacy Act 1988 (Cth) applied to Clearview AI, an AI company based in the United States. This article explains the implications of the Clearview decision for foreign entities operating in Australia.
Who is Clearview AI?
Clearview AI is an American facial recognition company. It provides software to companies, law enforcement, universities, and individuals.
Why does the Privacy Act apply to Clearview AI?
The ATT used a two-pronged examination to determine whether the Privacy Act applied to Clearview AI. This test determined whether Clearview AI had an ‘Australian Link’ by looking at whether the business:
1. carried on a business in Australia; and
2. collected or held personal information in Australia.
The second prong of this test was removed following the enactment of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022. As such, it was only relevant whether the company was carrying on a business in Australia.
The ATT concluded that although Clearview AI is a US-based business without a presence in Australia, it has a strong enough ‘Australian Link’ to fall under the Privacy Act. This ‘Link’ was attributed to the company ‘carrying on a business’ in Australia by routinely collecting personal information from Australian servers. Moreover, the Tribunal determined that Clearview AI had violated numerous Australian Privacy Principles by collecting images of Australian faces from publicly available sources on the internet and using them for biometric identification.
What should I know as an overseas entity?
As a foreign business owner, it is crucial to understand whether you are carrying on a business in Australia. The ATT acknowledges that as a result of changing business models and technologies, it is no longer necessary to be based in Australia for a corporation to be deemed ‘carrying on a business’ in Australia. This creates a certain obstacle for businesses using online commerce or artificial intelligence.
- The ATT’s decision demonstrates the extraterritorial reach of privacy laws and the consequences for companies collecting personal information that is in the public domain.
- The ATT emphasises that the repeated collection of personal information from Australian servers is alone, sufficient to establish that a foreign entity is ‘carrying on a business’ in Australia.
- Foreign businesses that interact with Australia or have some interconnectivity with Australian servers should consider whether they are within the scope of the Privacy Act and adapt their practices accordingly.