Earlier this month, the Upper Tribunal (UT) delivered its decision, in the latest instalment of the long-running attempt by the ICO to sanction facial-recognition database provider Clearview AI Incorporated (Clearview) for data protection failings. This decision relates to one of the ICO’s most significant fines to date (£7.5 million) and has been seen as an important test case for the GDPR’s ability to bite on non-UK companies. While this is still a mid-point in this case’s saga, there are number of important takeaways, particularly for organisations developing AI systems outside the UK.
Background
In 2022, the ICO issued Clearview with a £7.5 million penalty for extensive data protection failings (discussed in our blog at the time), including in relation to lawfulness, transparency and individuals’ rights. In addition to the fine, the ICO ordered Clearview to stop processing UK individuals’ data. Clearview challenged the penalty in the First Tier Tribunal (FTT) and succeeded, with the FTT concluding the ICO lacked jurisdiction because Clearview’s processing was outside the material scope of the GDPRs (both the EU and UK GDPR versions (together the GDPRs) are relevant as the processing in question overlapped the UK’s EU exit). This finding was, in essence, based on the fact that Clearview was only offering its services for law enforcement by foreign governments, which was found to fall outside the material scope of the GDPRs (under Article 2) (see our 2023 blog for more on this).
The ICO subsequently appealed that decision to the UT:
The Upper Tribunal’s decision
The UT decided with the ICO, finding it did have jurisdiction to enforce against Clearview, as (in summary):
- Clearview’s processing was within the material scope of the GDPRs
The UT held that Clearview’s processing should be treated separately from the processing activities of its clients, rather than fundamentally intersecting with them, as put forward by Anya Proops KC for Clearview. As such, it fell within the scope of the GDPRs.
- Clearview’s processing was within the territorial scope of the GDPRs
The UT adopted a broad interpretation of what amounts to behavioural monitoring (under Article 3(2)(b)) and held that Clearview’s own processing fell within behavioural monitoring. They rejected Clearview’s arguments that such monitoring needed to have an additional element of ‘watchfulness’ or further analysis and accepted that the processing that Clearview did in gathering, sorting and storing “behaviourally rich” personal data was enough to count as monitoring. The purpose of the activity was still seen as important, however. The decision made reference to an analogy (put forward by Jamie Susskind for the ICO) that a video camera recording activity in a hotel lobby would be seen as ‘monitoring’ even if the video wasn’t actually being watched – the fact that it was available to be accessed if needed was sufficient. In a similar way, Clearview’s processing activity was for the purpose of facilitating monitoring by its clients. As an alternative argument, the UT accepted that Clearview’s processing could be seen as ‘related to’ the behavioural monitoring carried out by Clearview’s clients, which would be enough to bring Clearview’s processing as a separate controller within the scope of the GDPR’s territorial reach.
Impact and outlook
This decision confirms a broad understanding of the behavioural monitoring aspect of the GDPR’s extraterritorial reach, going even further than the FTT in viewing that Clearview’s own processing could amount to such monitoring, as well as confirming the FTT’s view (although following different reasoning) that Clearview’s processing could be caught through its connection to its clients’ monitoring. Overseas entities potentially caught by the GDPRs, particularly in the context of AI development should take particular note. Other forms of AI training and development involving web scraping UK/EU individuals’ personal data may well now be held to amount to monitoring and bring entities across the AI supply chain within the GDPR’s reach. This is significant, as data protection regulators across Europe are enforcing against AI providers and deployers, particularly where the risks to individuals are highest (as we discuss in this blog).
With the question of jurisdiction answered, the UT has directed the case be sent back to the FTT for them to determine the substantive issues in the appeal: whether Clearview’s processing breached the GDPRs. However, there is good chance that Clearview seeks to appeal the UT’s decision on jurisdiction first. So, either way, the saga is set to continue and we will welcome the learnings that follow. It is, however, unsurprising that the ICO has looked to avoid such resource intensive appeals processes in its most recent enforcement actions - as we have seen through its settlements with Advanced (see this blog), and most recently with Capita.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-10-17-17-24-17-983-68f27bc1c139972c5e75428a.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-10-15-15-58-14-348-68efc496c41ada49fb85901b.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-10-15-18-53-31-688-68efedab376027c8589b9b15.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-10-09-14-26-10-023-68e7c6025a0c9201fc8310f0.jpg)