Clearview AI overturns UK privacy enforcement as court opens questions on GDPR jurisdiction

Facial-recognition technology company Clearview AI has won its appeal against a UK data protection authority fine of 7.55 million pounds and processing ban over online image scraping. Judges said the regulator does not have jurisdiction to enforce against the US-based company, and that it is Clearview’s clients that process data for behavior monitoring, not the firm itself.

Read on for the story from MLex®, or start your 14-day free trial now to access more specialist news and in-depth analysis in real time.

17 October 2023
By Frank Hersey and Sam Clark

Facial-recognition technology company Clearview AI has won its appeal against a UK data protection authority fine and processing ban over online image scraping. Judges said the regulator does not have jurisdiction to enforce against the US-based company.

The First-Tier Tribunal found today that the processing in the US of the behavior of UK data subjects is beyond the scope of the UK General Data Protection Regulation, despite it having extraterritorial powers, that it is beyond the overall GDPR as the service is used by law enforcement, and that it is Clearview’s clients that process data for behavior monitoring, not the firm itself.

The tribunal, which handles appeals against the Information Commissioner’s Office, or ICO, dismissed the watchdog’s May 2022 enforcement, including its fine of 7.55 million pounds ($9.4 million), which followed a joint probe with the Australian Information Commissioner.

The ICO said that when processed, UK individuals’ photos were in Clearview’s database of more than 20 billion images without lawful reason and that the company effectively monitors people’s behavior as a commercial service.

Clearview is based in the US and has no UK or EU presence. The ICO relied on the General Data Protection Regulation's “extraterritoriality” rules.

At the time, the ICO said Clearview’s activities fell under its jurisdiction, because the New York-based firm processes UK residents’ personal data and because it monitors their behavior, under Article 3 of the General Data Protection Regulation.

But judges said today that the processing in the US of the behavior of UK data subjects was “beyond the material scope” of UK GDPR. They also said that Clearview’s clients, not the firm itself, processes data for behavioral monitoring, a requirement for the GDPR to apply in this case.

Behavior monitoring

The regulator argued at court last year that Clearview AI “enables” behavioral monitoring of UK residents by its clients and so shouldn’t be able to escape data protection enforcement.

But the judges said today: “Although the processing undertaken by Clearview was related to the monitoring of data subjects’ behavior in the United Kingdom, the processing is beyond the material scope of the GDPR and is not relevant processing for the purposes of Article 3 UK GDPR.”

The "material scope" ruling refers to arguments made by Clearview that it was subject to a carveout in the GDPR for law enforcement and national security data processing.

The judges accepted Clearview’s argument that it is not itself providing behavior monitoring services. Such an application of the company’s resources is down to Clearview’s clients, typically law enforcement agencies in the US.

The judges did not consider relevant case law from elsewhere in the EU presented by the ICO to highlight the widespread concern over Clearview’s service. They noted that in those jurisdictions, enforcement followed complaints by individuals, which was not the process used by the ICO.

Clearview has welcomed the decision. “We are pleased with the tribunal's decision to reverse the UK ICO's unlawful order against Clearview AI,” Jack Mulcaire, the company's general counsel told MLex.

Interviewed in Bermuda at a meeting of the world's data protection regulators,* Information Commissioner John Edwards said the ICO has not yet determined its next steps.**

"I think we just need to take the time to think through, to take some advice on, and to think about whether it's going to be a useful use of resources to seek further clarification of the law,” he said.

*45th Global Privacy Assembly 2023, Bermuda; Oct. 15-20, 2023.

**Updated Oct. 17, 2023, at 21:51 GMT; adds comment from Commissioner Edwards.

To get the inside track on developments in data privacy and tech regulation, from specialist journalists across the globe, start your free trial today.