Privacy Commissioner says RCMP broke the law with facial recognition software

Use of FRT by the RCMP presents a "serious violation of privacy."

Canada’s privacy watchdog says the RCMP’s use of facial recognition technology (FRT) violated Canada’s federal private sector privacy law by creating a databank of more than three billion images scraped from internet websites without users’ consent.

In a report released Thursday by the Office of the Privacy Commissioner of Canada (OPC), Commissioner Daniel Therrien said the use of FRT by the RCMP presents a “serious violation of privacy.”

Therrien says a government institution cannot collect personal information from a third-party agent if that third-party agent collected the information unlawfully.

“The use of FRT by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy,” Therrien said in his report.

Therrien says the RCMP failed to ensure compliance with the Privacy Act before gathering information from Clearview AI.

The RCMP is no longer using Clearview AI, but the RCMP did not agree with OPC’s conclusion that it contravened the Privacy Act.

The RCMP argued that ensuring the database it was using was compiled legally, “would have created an unreasonable obligation and that the law does not expressly impose a duty to confirm the legal basis for the collection of personal information by its private sector partners.”

Therrien says this is just another example of how public-private partnerships and contracting relationships involving digital technologies are creating new complexities and risks for privacy.

“The data involved in FRT speaks to the very core of individual identity and as both commercial and government use of the technology expands, it raises important questions about the kind of society we want to live in,” Therrien wrote.