Clearview AI Inc. v. British Columbia (Information and Privacy Commissioner): The Application of PIPA to Extraterritorial Entities

Overview

Three Canadian provinces, namely British Columbia, Alberta and Quebec, have enacted privacy legislation that regulates the collection of an individuals' personal information that is substantially similar to Canada's federal Personal Information Protection and Electronic Documents Act ("PIPEDA"). In those provinces with substantially similar privacy legislation to PIPEDA, the applicable privacy legislation is enforced by a Privacy Commissioner appointed by the provincial government. These statutes raise fundamental questions of significant importance to many Canadians and Canadian businesses: to what extent does facial recognition software violate Provincial privacy legislation, and does a provincially-appointed Privacy Commissioner have the constitutional authority to issue regulatory orders against U.S.-based companies collecting personal information of Canadians and offering facial recognition databases to its customers?

The British Columbia Court of Appeal (the "B.C. Court of Appeal") recently dealt with this thorny issue in the case of Clearview AI Inc. v. British Columbia (Information and Privacy Commissioner, 2026 BCCA 67. In 2021, the British Columbia Information and Privacy Commissioner (the "B.C. Commissioner") issued an order against Clearview AI Inc. ("Clearview") a U.S.-based company offering facial recognition software and databases to its customers. Clearview's databases include billions of images scraped from the Internet, including social media platforms such as YouTube, Instagram and Facebook. This personal information was collected without regard for the location of the individuals and without their consent. The B.C. Commissioner found that Clearview had contravened B.C.'s Protection of Information and Privacy Act ("PIPA") by scraping facial images of British Columbians from social media without their consent for commercial use in its commercial operations.

Clearview appealed that decision, and the case eventually wound its way up to the B.C. Court of Appeal, which released its decision in the Clearview case on February 18, 2026. The B.C. Court of Appeal upheld the decisions of the B.C. Commissioner. The Court found that Canadian constitutional law did not exempt Clearview from the ambit of PIPA or from the regulatory jurisdiction of the B.C. Commissioner, because its online activities have a real and substantial connection to B.C. The B.C. Court of Appeal also found that the B.C. Commissioner reasonably determined that the collected information was not "publicly available", that no statutory exception eliminated the need for consent and that Clearview lacked a reasonable purpose for its collection and use. Finally, the B.C. Court of Appeal upheld the B.C. Commissioner's remedial order as enforceable and a proper exercise of discretion.

Background

Clearview is a U.S.-based company offering facial recognition software and databases to its customers. Its databases include billions of images scraped from the Internet, including social media platforms such as YouTube, Instagram and Facebook. This data collection occurs without regard for the location of the individuals and without their consent.

In February 2021, the B.C. Commissioner and the information and privacy commissioners of Alberta, Quebec and Canada issued a joint report concluding that Clearview violated privacy laws in all four jurisdictions.

In December 2021, the B.C. Commissioner issued an order under Section 36(1)(b) of PIPA prohibiting Clearview from offering facial recognition services in the province of British Columbia that relied on images or biometric facial data collected without consent. It also required Clearview to make its best efforts to cease the collection, use and disclosure of such data of British Columbians, and to make its best efforts to delete any images or biometric facial arrays already in its possession that had been collected without consent.

Clearview subsequently filed a judicial review application, which was dismissed in 2024: Clearview AI Inc. v. Information and Privacy Commissioner for British Columbia, 2024 BCSC 2311. Clearview subsequently appealed that dismissal to the B.C. Court of Appeal.

Issue

The B.C. Court of Appeal opined on:

1. Is PIPA constitutionally applicable to Clearview?
2. Did the B.C. Commissioner unreasonably interpret and apply PIPA in concluding that:
   1. the "publicly available" exception did not apply; and
   2. Clearview did not have a reasonable purpose for its collection, use and disclosure of personal information.
3. Is the B.C. Commissioner's remedial Order unreasonable because it includes terms that are unnecessary, unenforceable or overbroad?

Outcome

The Constitutionality of PIPA

The B.C. Court of Appeal held that PIPA is constitutionally applicable to Clearview, as its activities have a real and substantial connection to the province of British Columbia.

Prior to 2020, the B.C. Court of Appeal found that Clearview's marketing and provision of services to entities in British Columbia, was sufficient to establish a real and substantial connection.

Post 2020, although Clearview stopped marketing its services in the province of British Columbia, it continued to scrape facial data of British Columbians from global online sources. The B.C. Court or Appeal adapted the "sufficient connection" test for the digital age, recognizing that physical location is less determinative in the context of internet-based activities, which are inherently borderless. Clearview's continued global scraping of facial data, which included British Columbians, reinforced the province's connection to Clearview as substantial rather than incidental.

The B.C. Court of Appeal further underscored that privacy protection constitutes a matter of fundamental public interest, affirming that each jurisdiction may legitimately regulate conduct that results in harm within its territory.

The Publicly Available Information Exception

The B.C. Court of Appeal denied Clearview's argument that information scraped from publicly available sources, such as blogs, social media and other websites, fell within the "publicly available" exception. The B.C. Court of Appeal rejected this argument, noting that because privacy protection is quasi-constitutional, exceptions must be narrowly construed. In particular, social media platforms do not constitute a "publication" in the same sense as a magazine, book or newspaper.

Reasonable Purpose

The B.C. Court of Appeal further found that Clearview's collection of facial data was not for purposes a reasonable person would consider appropriate, as it involved the mass, systematic gathering and surveillance of individuals' personal information for commercial gain. The scale and intrusiveness of these activities, combined with the potential for harm to individuals' privacy, rendered the purposes disproportionate and inappropriate in the circumstances.

Was the Commissioner's Order unnecessary, unenforceable or overbroad

The B.C. Court of Appeal rejected the argument that the B.C. Commissioner's Order was unnecessary, unenforceable or overly broad, finding that its Order was reasonable and aligned with the objectives of PIPA. The B.C. Court of Appeal emphasized that the terms of the Order reflected a proportionate exercise of the B.C. Commissioner's remedial authority, balancing enforceability with practical flexibility in accordance with PIPA's regulatory framework.

Key Takeaways

The decision confirms that PIPA applies to foreign organizations when their activities have a real and substantial connection to the province of British Columbia and that such organizations cannot avoid privacy obligations simply by operating without a physical presence in the province. Data obtained from publicly available online sources does not automatically fall within the statutory exception. Noncompliance can result in regulatory consequences, including orders to cease collection, delete data and implement ongoing compliance measures. Extraterritorial businesses must carefully assess their data collection, use and retention practices to ensure compliance with PIPA's requirements for consent, purpose and accountability.

Organizations deploying AI should conduct careful due diligence before implementation, including reviewing how personal information is sourced and whether third-party vendors engage in practices such as large scale data scraping. Reliance on a service provider will not insulate an organization from regulatory scrutiny, damages or reputational harm if the underlying data practices of one of its vendors is not compliant with applicable law. Consulting counsel to review AI deployment strategies and AI vendor agreements can help identify compliance risks and ensure appropriate contractual protections are in place before issues arise.

For more information about AI and privacy compliance in Canada, please contact Roland Hung or Laura Crimi of Torkin Manes' Technology and Privacy & Data Management Groups.

The authors would like to acknowledge Torkin Manes' Articling Student Kayla Oliveira for her invaluable contribution in drafting this bulletin.