At a Glance
- Clearview AI is a U.S.-based technology company that offers a facial recognition service, primarily to law enforcement and national security agencies. The UK Information Commissioner’s Office (ICO) had issued Clearview enforcement notices and a monetary penalty for multiple breaches of the UK General Data Protection Regulation (GDPR) in relation to its processing of the data of UK data subjects.
- Clearview appealed the fine and notices, and the First-tier Tribunal (FTT) found for Clearview, holding that its processing was outside the material scope of the GDPR by virtue of Article 2(2)(a), as it was “in the course of an activity which falls outside the scope of Union law”.
- In October, the Upper Tribunal allowed the ICO’s appeal. It found that the ICO did have jurisdiction, as Article 2(2)(a) does not exclude from the GDPR’s scope private companies processing personal data, even for foreign state clients. It adopted a broad interpretation of “behavioural monitoring” and found that Clearview’s processing also fell within the territorial scope of the GDPR under Article 3(2)(b). The Tribunal set aside the FTT’s decision and remitted the case to a new FTT to consider the substantive appeal.
Background of Clearview AI
Clearview AI is a U.S.-based technology company that offers a facial recognition service, primarily to law enforcement and national security agencies. The company’s principal service was previously described by the First-tier Tribunal (FTT) as: “[s]upporting clients in the discharge of their criminal law enforcement / national security functions … through the use of facial recognition technology that makes a comparison of an image submitted by the client against a database of images copied from the internet and saved by Clearview”.
The service works by scraping billions of publicly available images from the internet, extracting metadata (such as URLs and profile names), and storing these in a database that is vast and growing rapidly. Facial vectors (biometric data) are then extracted from these images and stored for rapid search and matching.
Law enforcement and national security clients use the service by uploading images of individuals, known as “probe images”. Clearview then uses its algorithm to match a probe to images in the database and returns potential matches with associated metadata to the client.
History of the Proceedings
The UK Information Commissioner’s Office (ICO) issued enforcement notices and a monetary penalty of £7,552,800 (around USD 10 million) to Clearview for multiple breaches of the UK General Data Protection Regulation (GDPR) in relation to its processing of the data of UK data subjects. The breaches included: breach of the data protection principles under Article 5, failure to have an appropriate legal basis under Articles 6 and 9, failure to provide appropriate notices to data subjects under Article 14, failure to give effect to data subjects’ rights under Articles 15 to 17, and failure to carry out a Data Protection Impact Assessment under Article 35.
- Clearview appealed to the FTT, challenging not only the identified breaches but also, and more fundamentally, arguing that the ICO lacked jurisdiction because its processing was for foreign law enforcement and national security bodies and therefore completely outside the GDPR’s scope.
- The FTT found for Clearview, holding that its processing was outside the material scope of the GDPR by virtue of Article 2(2)(a), as it was “in the course of an activity which falls outside the scope of Union law”.
- The ICO appealed to the Upper Tribunal (UT) on several grounds, including errors in the FTT’s interpretation of the GDPR’s material and territorial scope.
Key Findings of the Upper Tribunal
Material Scope — Article 2(2)(a)
The UT held that the FTT erred in law by finding that Clearview’s processing was outside the material scope of the GDPR. Clearview had argued that the policy intent behind Article 2(2)(a) was to “avoid ‘a kind of back door regulation’ of foreign states by virtue of regulating third parties whose processing occurs “in the course of” activities that are quintessentially state functions, such as matters of national security or law enforcement”. The UT disagreed and found that Article 2(2)(a) is only concerned with the division of responsibilities between the European Union and its member states, “and is not about foreign states or private bodies providing services to foreign states at all”. As a result, it did not exclude from the GDPR’s scope private companies processing personal data, even for foreign state clients.
The UT also rejected the “intersectional” argument put forth by Clearview that its processing was so merged with its clients’ state functions that they should be treated as one, and thus be excluded from the GDPR. It reasoned that “the relationship between the activities of Clearview and the activities of its clients are no more “merged or ‘fundamentally intersected’ than the activities of parties to any transaction that involves transfers between them of electronic data”. Therefore, the UT clarified that Clearview’s processing was distinct and subject to regulation, regardless of its clients’ activities as foreign sovereign states.
Territorial Scope — Article 3(2)(b)
The UT found that Clearview’s processing fell within the territorial scope of the GDPR for two reasons:
- Clearview’s own activities amounted to “behavioural monitoring” of UK data subjects (including automated, algorithmic analysis and data structuring for later matching, even in the absence of human review). Recognising that they must be interpreted:
“as a response to the challenges posed by the age of ‘Big Data’, it adopted a broad interpretation of the words ‘behavioural monitoring’. This encompassed ‘passive’ collection, sorting, classification and storing of data by automated means with a view to potential subsequent use (including by another controller) of personal data processing techniques which consist of profiling a natural person. It did not require:
- active ‘watchfulness’ in the sense of human involvement,
- analysis beyond automated sorting and classification with a view to subsequent future use, or
- sorting and classification of the data by reference to subjects’ behaviour.”
Ultimately, the UT made clear that “monitoring” under Article 3(2)(b) can include both active and passive, automated processing if it enables or facilitates tracking or profiling.
- In any event, the UT held that Clearview’s processing was “related to” the behavioural monitoring carried out by its clients. Giving the provision an expansive meaning, it agreed with the FTT that there is “such a close connection between the creation, maintenance and operation of the Database and the monitoring of behaviour undertaken by the clients that Clearview’s processing activities are related to that monitoring”. It therefore extends the scope of the GDPR to service providers that provide data processing services which facilitate their clients’ behavioural monitoring.
Remittal to the FTT
The UT allowed the ICO’s appeal, found that the ICO did have jurisdiction, set aside the FTT’s decision, and remitted the case to a new FTT to consider the substantive appeal.