Join our email list today to receive alerts, articles, invitations to events and more!
2 min read
Overview
In Clearview AI Inc. v. British Columbia (Information and Privacy Commissioner), 2026, the BC Court of Appeal has confirmed that U.S.-based Clearview AI Inc. (Clearview) contravened BC’s Personal Information Protection Act (PIPA) through the use of its facial recognition tool in Canada.
This long-running case arose from Clearview's practice of scouring the internet for facial images, including images of individuals in Canada, to feed its searchable biometric database. Facial data, including facial images, associated metadata, and vectors, are stored indefinitely on Clearview’s servers. According to the judgment, in 2017, Clearview’s database contained facial data for some 3 billion individuals, which ballooned to 30 billion by 2023.
In 2021, the Privacy Commissioners of Canada, Alberta, and Quebec joined forces to investigate and issue orders against Clearview based on breaches of provincial privacy laws.
In BC, the Commissioner ordered Clearview to cease offering any facial recognition services in the province where those services were based on the collection, use, and disclosure of images and biometric facial arrays collected from individuals in British Columbia without their consent. Clearview was also ordered to cease further collection, use, and disclosure of such images and biometric facial arrays, and to delete the images and biometric facial arrays collected from individuals in British Columbia without their consent.
The Legal Issue: Does PIPA Apply to a U.S. Company?
Clearview challenged these orders. Clearview argued that provincial privacy laws do not apply to it as a matter of constitutional law, leading to this appeal. The BC Court of Appeal reaffirmed the quasi-constitutional status of privacy laws and upheld the Commissioner's findings, concluding that provincial privacy laws do apply to U.S. companies like Clearview where there is a real and substantial connection between the company's online activities and the province.
Interestingly, the court reviewed the evolution of the concept of a “sufficient” or “real and substantial” connection to the province. "Prior to the internet," the court reasoned, "the focus was on physical connections with the jurisdiction. Courts considered factors such as the location of the head office, employees, and assets, where services or products were offered, and where the impugned conduct physically occurred." Technological advances have significantly reduced the importance of physical location. According to the court's analysis, "servers do not have to be located in territorial proximity to the companies that own them, and some servers are virtual."
Takeaways
The court's decision makes clear that the privacy of individual residents of BC will be governed by local laws, even if the data collector is “located” out of province. What does this mean for service providers like Clearview? It shows that provincial privacy laws will apply where the personal information of residents is collected, used, or disclosed, regardless of whether the provider has any physical presence, services, offices, or employees in the province.
Organizations operating across borders should carefully assess whether their activities create a real and substantial connection to Canadian jurisdictions. Collecting, using, or disclosing personal information of Canadian residents may trigger the application of provincial privacy laws, even without a physical presence in Canada. For guidance on cross-border data practices and compliance, please contact Richard Stobbe or any member of our Privacy + Data Management Team.
Related Reading:
