Australia: OAIC and Clearview AI
The OAIC's enforcement against Clearview AI found that collecting facial images of Australians without consent breached the Privacy Act. The Administrative Appeals Tribunal upheld the OAIC's findings in 2023. The "publicly available" defence was rejected. The enforcement order required Clearview to cease collecting data about Australians and delete existing data. Practical implication: physical presence in Australia is not required for Privacy Act obligations.
EU: ChatGPT and DPA enforcement
The Italian DPA's temporary suspension of ChatGPT in March 2023 established the EU enforcement template — concerns including no clear legal basis for training data collection, no effective age verification, and absence of a compliant Data Processing Agreement. OpenAI's negotiations to restore service set the template subsequently adopted in France, Spain, and Ireland.
UK: ICO and live facial recognition
The ICO's enforcement notices against Southern Co-op and Facewatch in 2023-24 established that LFR in retail requires a DPIA, a high-bar legitimate interests justification, specific transparency, and documented accuracy and bias testing. The ICO has signalled most current retail LFR deployments fall short of required standards.
US: FTC and Rite Aid
The FTC's December 2023 settlement with Rite Aid banned the pharmacy chain from using facial recognition for five years after finding: deployment with high false positive rates; disproportionate misidentification of women and people of colour; and use of AI alerts to surveil individuals who had committed no offence. The enforcement signal: deploying AI without documented accuracy and bias testing is an unfair trade practice.
