Australia: Facial recognition technology - Can our privacy law cope?

As the increasing rate of technological innovation leads to a new world where cameras can be used to constantly track and navigate people as they go about their daily lives, the question must be asked about the invasiveness of such technology and whether our legal system is sufficiently equipped to deal with its implications for our concept of the right to privacy.

Concerns about technology & privacy are not new

Privacy is a concept that is generally now considered essential to ensuring human dignity, safety and self-determination. This concept of privacy, however, is something that has always sat uneasily with technological innovation.

In 1890, the United States jurists Samuel D. Warren and Louis Brandeis wrote "The Right to Privacy" which was a law review article published in the Harvard Law Review.¹ It is considered one of the earliest discussions of the need for a 'tort of privacy' to develop in the common law.

The article was a response to recent technological developments of the time, such as photography and sensationalist journalism, including the apparent intrusion by journalists on a society wedding.

As long ago as 1928 one of the authors of that article, Brandeis, expressed an opinion in the case of Olmstead v. United States² that;

"Discovery and invention have made it possible for the Government, by means far more effective than stretching upon the rack, to obtain disclosure in court of what is whispered in the closet."

Whilst Brandeis may have been concerned with the use of technology to encroach on our privacy by governments, evoking images of Orwell's 1984, in the fast-moving digital world that we now live in it is perhaps the use of technology by the corporation that we most fear.

Is there a right to privacy in Australia?

In Australia there is no constitutional right to privacy and there is also, arguably, no case law that sets a defined common law tort against invasions of privacy.

The Privacy Act 1988 (the Privacy Act) sets the national legislative framework for privacy in Australia and regulates the acts and practices of 'APP entities' which are defined in the Privacy Act to include Australian Government Agencies as well as many private Australian organisations and certain overseas organisations that carry on business in Australia or hold personal information in Australia.

Subsequently, the Office of the Australian Information Commissioner (OAIC) was also established in 2010, and part of its role is to oversee privacy functions, conferred by the Privacy Act.

Facial recognition & collection of biometric data in Australia

Facial recognition technology is at the forefront of the wave of digital innovation, and most people who own a relatively new smart phone would be aware of the capacity of such technology as well as travellers with a biometric passport. Facial recognition technology essentially collects biometric information, which is information regarding a person's physical characteristics including facial features but also things such as voice, fingerprints, and irises.

The Privacy Act defines biometric information that is used for specific purposes such as verification or identification as sensitive information and requires APP entities that use such sensitive information to adhere to certain policies.

In a decision dated 29 September 2021³ the OAIC determined that convenience store group 7-Eleven interfered with customers' privacy by collecting sensitive biometric information that was not reasonably necessary for its functions and without adequate notice or consent.

The biometric information collected was in the form of facial images taken from tablets with built - in cameras installed in 700 nationwide stores.

The OAIC found that individuals did not give either express or implied consent to the collection of their facial images or faceprints and that the large - scale collection of sensitive biometric material was not considered reasonably necessary for the purpose of understanding and improving customers in-store experience.

Further in a decision handed down on 14 October 2021 the OAIC⁴ determined that the corporation Clearview AI, Inc, a US based company, had breached the Privacy Act by collecting facial images from individuals in Australia without consent and for the purpose of financial gain.

In a joint investigation with the UK Information Commissions office it was found that Clearview had created a facial recognition tool that had been used to create a global database of more than 3 million images globally by taking data from social medial platforms and public websites.

In its determination the OAIC found Clearview collected personal information by unfair means, did not take reasonable steps to notify individuals that information was being collected and did not ensure information disclosed was accurate.

Clearview was ordered to cease collecting facial images and destroy Australian biometric information within 90 days.

Limitations of existing protections in Australia

So, is it the case then that the Privacy Act and the Commission have effectively safeguarded us from the use of facial recognition technology by those wanting to exploit its undoubted benefits and we have no cause for concern?

Unfortunately, there are some significant limitations to the protections that the Privacy Act affords.

There is an exception in the Privacy Act to the requirement of obtaining consent from individuals for 'enforcement bodies' which can include the Police, the immigration department and can also apply to Hospitals and Courts. This obviously raises concern amongst those who most fear the use of the technology by the government to monitor a civilian's behaviour like Brandeis foreshadowed all those years ago.

One of the other considerations in deciding whether an entity has used or obtain biometric information in a way that accords with its obligations pursuant to the Privacy Act is whether the information was reasonably necessary for its functions. However, who determines whether that purpose is itself reasonable?

It was recently revealed that several of Australia's major retail chains such as Bunnings, Kmart and the Good Guys were using facial recognition technology as a means of surveillance upon shoppers in order to identify persons of interest and keep stores safe. Whilst this may be on its face a reasonable intention, it does raise questions of possible misuse. An additional question is whether the technology is accurate enough to be used for its intended purpose or whether mistakes may be made, and people identified who should not be.

The concept of informed consent can of itself be somewhat problematic; what it if a company or institution makes it a condition of entry, or a condition of the ability to use their service, to provide biometric information? Unless there is a suitable alternative it may be that a person feels obligated or compelled to provide the necessary consent.

One of the biggest concerns with the rapid progression of digital technology is the ever-present threat of hackers and the theft of personal and sensitive information. Biometric information, like all other private data, can be used to impersonate and infiltrate a person's life if the information is stolen. The Privacy Act would appear to be unable to deal with the issues that arise with such stolen biometric information.

In Australia there are growing calls for national guidelines on facial recognition technology with an approach that follows the lead of the European Union. The European Data Protection Board recently issued Guidelines that explore the nuances of the technology and its application and there is a European Union Bill seeking to prohibit certain use of the technology and increase privacy protections while allowing low-risk use.

Facial recognition technology, like all technological innovation, offers benefits to society that can be easily measured. However, as the rate of technological development ever increases a robust and nuanced legislative framework must be implemented to properly handle the inroads that can be made on our concept of privacy.

In Australia we rely on a piece of legislation enacted over 30 years ago to deal with the privacy implications of a technology that, at that time, was the stuff of science fiction. A dedicated and nuanced legislative framework may assist in ensuring that governments and corporations do not abuse or mis - use facial recognition technology and help to ensure that our right to privacy is protected.

Footnotes

¹ Warren, Samuel D, Brandeis, Louis, "The Right to Privacy", Harvard Law Review, vol 4, No 5 (December 15 1890).

² Olmstead v United States, 277 US 438 per Brandeis JUS.

³ Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) [2021] AICmr50 (29 September 2021)

⁴ Commissioner initiated investigation into Clearview AI,Inc. (Privacy) [2021] AICmr 54 (14 October 2021)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.