UK tribunal says ICO had no jurisdiction to rule on US tech group Clearview AI

The First Tier Tribunal has issued a judgment finding that the UK's data protection regulator, the Information Commissioner's Office (ICO), did not have jurisdiction to issue an enforcement notice or monetary penalty notice for £7.5 million to facial recognition technology provider Clearview AI Inc because the processing it carried out was beyond the material scope of the General Data Protection Regulation (GDPR).

What is Clearview and what does it do?

Clearview is a company based in the US, which does not have any establishment in the UK or the EU. Clearview's services were (at the relevant dates) offered exclusively to non-UK and EU criminal law enforcement and national security agencies and their contractors.

The service involves artificial intelligence (AI) technology that compares facial images provided by a client (a "probe image") to facial images stored on Clearview's databases. Clearview's systems creates its image database by scraping images from the internet and converting each image into a unique mathematical representation of the image's facial coordinates (known as a vector).

Clearview's databases contain billions of images and their vectors, together with metadata about the photograph (such as the internet address and a link to the related social media profile). Clearview's client uploads its probe image, and the system provides back a series of images that are possible matches, together with an indication of the likelihood that the returned images match the probe image.  This information can be used by Clearview's clients to infer an individual's identity and sometimes lifestyle and other behavioural information which is apparent from the image (for example, whether the individual is depicted smoking or drinking alcohol).

Clearview's database contains so many facial images in photographs that Clearview has copied or scraped from the public internet, it is reasonable to infer that images of UK or EU data subjects may be captured by Clearview's web-scraping and, therefore, used in its services.

Why were the notices issued to Clearview?

On 18 May 2022, the ICO issued the notices on the basis that Clearview, as a controller of personal data for the purposes of the GDPR, had infringed a number of provisions of the regulation, including parts of article 5 (principles relating to processing of personal data), article 6 (lawfulness of processing), article 14 (information to be provided where personal data has not been obtained from the data subject), and articles relating to data subject's rights.

Why did Clearview appeal?

The questions before the tribunal related to whether the processing carried out by Clearview was subject to the GDPR and in particular whether:

• the GDPR applied where monitoring of behaviour is carried out by a third party (in this case Clearview's clients) rather than the controller (Clearview).
•  processing by Clearview was related to monitoring by Clearview itself or its clients.
• whether the processing by Clearview was beyond the material scope of the GDPR, or not relevant.

The tribunal was not asked at this stage to give its judgment as to whether Clearview had committed the alleged infringements.

What did the tribunal find?

The tribunal found that the GDPR can apply when monitoring is carried out by a third party rather than the controller directly, because the mischief with which the GDPR is concerned is the monitoring not who is doing the monitoring.

The tribunal also found that the processing by Clearview was related to the monitoring of data subjects' behaviour by its clients. There was such a close connection between Clearview's database and its operation and the monitoring carried out by Clearview's clients that the activities were all related.

However, the tribunal held that Clearview's processing related to matters that were "outside the scope of EU law" (article 2(1)(a) of the UK GDPR), apparently because it was for the purposes of law enforcement and security activities by non-UK and EU governments. It was accepted that it "is not for one government to seek to bind or control the activities of another sovereign state"; in matters of national security, this is pertinent. This determination means that Clearview's processing was not "relevant processing" for the purpose of article 3(2) of the UK GDPR and hence Clearview's processing was outside the remit of the GDPR.

For that reason, the tribunal found that the ICO did not have jurisdiction to issue the notices to Clearview, so the notices would be revoked.

Will this decision affect other EU enforcement action?

While the exact wording of the EU GDPR differs from the provisions referred to in the UK GDPR (arising from the UK's adoption of the GDPR post-Brexit), the principles of law will likely be similar for now. Where EU data protection regulators have issued notices to Clearview, they do risk these notices facing challenge, particularly with the UK tribunal's decision now issued.

This said, each decision will be based on the facts of each case and there is always scope for differing interpretations.

Osborne Clarke comment

The case makes it clear that mere identification of an individual using a facial recognition system would not in itself constitute "monitoring", but it can amount to monitoring when it is applied in order to infer behaviours; for example, there is repeated use to check on individuals over time.

It is also important as it confirms that facial recognition AI systems are, in principle, caught by the UK GDPR, even if the system is not available for use in the UK, if the underlying database contains images of UK data subjects and it is used in relation to monitoring them.

This case is a useful reminder that, while the UK GDPR does have broad extra-territorial reach when it comes to processing data of UK subjects, it does not always catch all kinds of controllers or all types of processing.

This tribunal decision may still be subject to appeal and we await further developments both in the UK and the EU.