Last year, the facial recognition firm Clearview AI was fined more than £7.5 million by the Information Commissioner’s Office (the ICO) on account of its alleged breaches of data protection and privacy laws. We previously reported on the fine here.

On 17 October, this was overturned by the First-Tier Tribunal (FTT), which ruled that the ICO did not have jurisdiction to impose the penalty. This decision centred on the point that users of Clearview were primarily law enforcement agencies outside of the UK.

 

Background

Clearview enables users to upload photos of individuals and match them to a database of over twenty billion facial images ‘scraped’ from the web. 

The software utilises biometric information derived from the images to find a match. Alongside the facial images, it scrapes associated metadata, such as social media data. The process is undertaken without the knowledge of these data subjects. 

Despite Clearview being a US company without UK operations, the ICO argued that it was covered by UK GDPR. The ICO reached this decision through its interpretation of Article 3(2)(b), which states that the Regulation applies to organisations which process personal data related to the monitoring of the behaviour of individuals within the UK.

The crux of the ICO’s argument relied on the point that whilst Clearview did not monitor UK data subjects itself, it enabled its users to do so. This ‘very close relationship’ brought Clearview within the scope of UK GDPR. 

 

FTT Decision

Whilst the FTT agreed that Article 3(2)(b) was applicable to Clearview, despite the data monitoring being carried out by its users, it stated that the ICO did not have jurisdictional authority to take enforcement action. 

The logic for this conclusion followed the provisions of UK GDPR. Article 2(2)(b) stipulates that the processing of personal data by competent authorities for law enforcement falls outside of its scope. This Article indicates that this issue falls under the authority of the Data Protection Act 2018 (DPA). Part 3 of the DPA covers law enforcement processing of personal data. It is unclear why the ICO did not bring the action under the DPA, instead of relying on UK GDPR.

Responding to the judgement, the ICO released the following statement:

‘It is important to note that this judgement does not remove the ICO's ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement.’

 

Commentary 

This is a unique and complicated decision; the exact content of the FTT’s judgement (outlined here) should be carefully considered before predicting future data protection decisions based on this case. As the ICO highlights, this decision covered a very specific jurisdictional exemption.

Businesses should bear in mind that regulators have been increasingly stringent in their approach to data protection regulations in recent months. Snap has recently been issued with a preliminary enforcement notice on the basis of privacy concerns with its AI chatbot (detailed here), whilst the DPC’s hefty €345 million fine against TikTok (detailed here) was levied on the basis of its handling of children’s user accounts. These decisions should not be taken lightly when considering requirements regarding the personal data protection of users. 

The key takeaway is that Clearview’s winning appeal does not represent incoming leniency towards data protection regulations, but rather hinges on a jurisdictional technicality within UK GDPR. 

 

This article was written by Victoria McCarron.