The First-Tier Tribunal (FTT) has allowed the appeal of the ICO’s fining and enforcement notices against Clearview AI Inc (Clearview). The FTT held that the ICO had no jurisdiction over Clearview, as the use of its services by its clients for criminal law enforcement or national security functions was an activity that fell outside the scope of the UK/EU GDPR.
As part of the case, the FTT also had to consider the extraterritorial effect of the UK GDPR and the judgement therefore provides further interesting and welcome insights into the interpretation of these provisions, building on previous case law such as the Soriano case.
In May 2022, the ICO fined Clearview £7.55m for its use of images of UK residents that were collected from the internet and social media to create a global online database that could be used for facial recognition. The ICO also issued an enforcement notice ordering Clearview to stop obtaining and using the personal data of UK residents and to delete the data of UK residents from its systems.
The ICO’s enforcement action against Clearview – a US company with no UK/EU establishment – was based on the extraterritorial reach of the UK GDPR (and because the original allegations straddle the date on which the UK GDPR came into force, the EU GDPR as well), with the ICO finding that Clearview’s processing related to the monitoring of the behaviour of individuals taking place in the UK.
As Clearview’s services were only used by non-UK/EU criminal law enforcement and national security agencies and their contractors, the processing activities of Clearview’s clients were held to be beyond the material scope of the EU GDPR and were not considered “relevant processing” for the purpose of Article 3 of the UK GDPR. This is because the UK/EU GDPR does not apply to activities of foreign governments as those activities fall outside the scope of European law. On this basis, the FTT determined that the ICO did not have jurisdiction over Clearview.
However, the FTT’s wide interpretation of processing ‘relating to’ the monitoring of behaviour is particularly interesting – and here the FTT agreed with the ICO’s view.
Although it was Clearview’s clients (rather than Clearview itself) that were monitoring the behaviour of individuals, the FTT concluded that Clearview’s processing was “related to” the monitoring activities of its clients – and therefore took the view that the UK/EU GDPR can apply to Clearview’s own activities. In its decision, the FTT acknowledged the persuasive weight of the findings of the Court of Appeal in Soriano and the need to look to the purpose for processing the personal data and conducting behavioural analysis. It also considered guidance issued by the European Data Protection Board which states that the language used in the GDPR implies that an element of targeting and intentionality is required. The FTT therefore held that Clearview’s creation, maintenance and operation of the database was to facilitate the monitoring of behaviour by its clients and that there was a “close connection” between Clearview’s processing and the monitoring of behaviour undertaken by its clients.
Helpfully, the FTT also provides some guidance on the meaning of behaviour and monitoring, including clarifying that monitoring need not be a continuous or repeated activity. This will also be of interest to overseas controllers/processors assessing whether the UK GDPR applies to their processing activities.
What does this mean going forward?
It has been reported that the ICO is “carefully” considering next steps and whether appealing would be a good use of resources. Given the judgement supports a wide interpretation of the extraterritorial provisions of the UK GDPR, it is a clear warning to overseas controllers/processors who facilitate monitoring carried out by other controllers that they will be caught by the UK privacy regime.
In addition, the ICO has noted that “this judgement does not remove the ICO's ability to act against companies based internationally who process data of people in the UK…and instead covers a specific exemption around foreign law enforcement”, so there is no reason to believe that the ICO will significantly change its approach to international enforcement.