In the First-tier Tribunal (FTT) decision of 17 October 2023, Clearview AI (Clearview) won its appeal against the £7.5m UK GDPR fine imposed in 2022 by the UK Information Commissioner's Office (ICO). Last year, the ICO fined Clearview for storing facial images in breach of the UK GDPR and ordered it to delete information it held on UK citizens. The rationale for the FTT Decision is based on an interpretation of the material scope as well as the territorial scope of the UK GDPR. Clearview's activities were found to fall outside the scope of the UK GDPR because the processing relates to the law enforcement activities of foreign governments and agencies, and because those customers are not based in the UK. Arguably, the decision gives a licence to Clearview to scrape personal data indiscriminately in the EU/UK, provided it is acting for foreign governments.
Behavioural monitoring: The First-tier Tribunal's decision in Clearview AI's successful appeal against the ICO sheds new light on the UK GDPR's scope
What is Clearview AI's business?
Clearview AI is a US-based company which provides facial recognition technology, primarily to law enforcement and government agencies, and is known to have developed a database of more than 20 billion images of faces, collected from the internet without consent. It then allows its clients to upload photos of people and search the database for a match. Clearview had initially accepted commercial clients but, following a settlement with US civil liberties campaigners in 2020, it now only offers its services to law enforcement or national security agencies in the US, Brazil, Mexico, Panama and other countries.
ICO grounds for the 2022 fine
The ICO's monetary penalty notice and enforcement notice against Clearview released on 23 May 2022 hinged on Clearview's alleged breach of a number of provisions of the UK GDPR including failing to:
- process data in a fair and transparent way;
- meet the requirements for processing biometric data;
- maintain and implement an appropriate retention policy;
- allow data subjects to effectively exercise their rights; and
- conduct a Data Protection Impact Assessment (DPIA) in respect of its processing of the personal data of UK residents.
Key points of the FTT Decision
The decision is complex and sheds new light on the interpretation of the material and territorial scope of the UK GDPR when applied to data processing related to monitoring the behaviour of UK data subjects.
The UK GDPR governs the processing of personal data of data subjects in the UK by a controller or processor not established in the UK where the processing activities are related to monitoring the behaviour of UK data subjects. On that basis, the ICO successfully argued that because Clearview enables its clients to monitor the behaviour of data subjects, Clearview and its clients were joint controllers, and the data processing related to the monitoring of UK data subjects' behaviour.
However, Clearview's strong arguments centred around being a foreign company based in the US and providing services to foreign clients purely for the public interest activities of foreign governments and government agencies, in particular in relation to "their national security and criminal law enforcement functions".
The UK GDPR states that the processing of personal data by competent authorities for national security and law enforcement purposes is outside its scope and is instead subject to rules in Part 3 of the Data Protection Act 2018 (which post Brexit incorporates the EU Law Enforcement Directive (EU) 2016/680 into UK law). However, a conflict arose between the material scope of the UK GDPR, as there is no doubt that Clearview's monitoring activities (or rather those of its clients) are in breach, and the territorial scope of the UK GDPR, as Clearview's clients are based outside the UK/EU. This is where the FTT Decision clarified the limitation of the UK GDPR's scope and the exemption applicable to the processing by enforcement agencies based outside the UK/EU for law enforcement purposes. As a result, the ICO was found to have no jurisdiction, because the UK GDPR does not apply to the processing of personal data by authorities outside the UK for national security/law enforcement purposes. The FTT accepted Clearview's argument that its clients were foreign national security and law enforcement bodies, and accordingly outside the scope of the UK GDPR.
Other regulators in Canada, Australia, and South Africa, but also in the European Union including in France, Italy and Greece, have taken enforcement measures against Clearview. France's CNIL issued a €20 million fine in October 2022. The FTT Decision does not attempt to align with those of the CNIL and the other EU regulators who have issued fines, even though the ICO supplied the FTT with copies of those decisions. To date, Clearview has not paid the fines it has been issued, nor is it thought that it has complied with the orders to delete personal data. It is clear that regulators in the EU are struggling to enforce GDPR's extraterritorial rules against organisations operating from outside the EU. In the UK, the FTT Decision has further jeopardised any present and future oversight of Clearview's monitoring of UK data subjects unless the ICO decides to appeal.
If you would like data protection advice about the rules governing data scraping, behavioural monitoring and facial recognition technology, please contact one of our data protection specialists.