ICO v Clearview AI: The reach of GDPR and the breadth of 'behavioural monitoring'
In its recent judgment, the Upper Tribunal has found that the UK ICO does have jurisdiction to fine US-based Clearview for processing UK residents' personal data.
In its judgment dated 7 October 2025, the Upper Tribunal has found that the UK Information Commissioner's Office (ICO) did have jurisdiction to issue its 18 May 2022 enforcement and monetary penalty notices against Clearview AI Inc (Clearview) regarding data protection law breaches.
In doing so, the Upper Tribunal has overturned the decision of the First-Tier Tribunal (FTT). Now that the jurisdictional issue has been resolved, the FTT will consider the rest of the appeal again, although Clearview has indicated its intention to appeal the Upper Tribunal decision. The binding decision has important implications for non-UK companies processing UK residents' personal data. In particular, organisations should note that 'behavioural monitoring' (which can bring data processing activities within the scope of the UK GDPR) can include passive collection of data with a view to enabling a third party to monitor UK individuals.
The decision brings the UK back in line with five European supervisory authorities (France, Hamburg, Netherlands, Italy, and Austria) which each considered Clearview's processing to be within the scope of the EU GDPR.
Background
We reported on the facts of the case in our post on the ICO's intention to issue the notices and our post on Clearview's successful appeal to the FTT. In summary, Clearview, a Delaware company with no establishment in the UK, created a vast database of facial images obtained from the public internet, including images of UK residents. Clearview's clients are non-UK/EU law enforcement or national security bodies and their contractors. They upload images to Clearview's service, which uses AI technology to return similar images in the database, assisting Clearview's clients to identify and assess the individuals in the images.
The relevant processing was carried out both before and after the end of the Brexit transitional period and was therefore potentially subject (at different times) to both the UK GDPR and the EU GDPR (pre-Brexit). The ICO concluded that Clearview's processing of personal data breached the UK GDPR and, pre-Brexit, the EU GDPR (together, GDPR) and issued the notices in response, including a fine of £7,552,800.
Clearview appealed the notices to the FTT, the first-instance tribunal to which ICO decisions are appealed. On 17 October 2023 the FTT held that Clearview's processing was outside the scope of the GDPR. The ICO then appealed to the Upper Tribunal (Administrative Appeals Chamber), which heard the appeal between 9 and 11 June 2025 before a panel of three judges.
Ahead of the appeal hearing, Privacy International, a charity that promotes the right to privacy, was granted permission to intervene in the proceedings.
The appeal
The ICO succeeded on three grounds of appeal:
- The FTT was wrong to hold that the behavioural monitoring carried out by Clearview’s clients fell outside the scope of Union law.
- Irrespective of what it decided about Clearview’s clients, the FTT made an error of law in holding that Clearview’s own processing fell outside the scope of Union law.
- The FTT was wrong to hold that Clearview itself did not carry out behavioural monitoring.
Material scope
The first two grounds of appeal concern the exception in Article 2(2)(a) GDPR, which takes data processing "in the course of an activity which falls outside the scope of Union law" outside the material scope of the legislation.
Clearview argued that the provision was intended to avoid “back door regulation” of foreign states by regulating private sector contractors whose processing intersects so fundamentally with their state clients' processing that the contractors' processing and their clients' discharge of state functions are inextricably merged. This, it was argued, would seriously offend international law principles of comity between sovereign states.
The Upper Tribunal rejected Clearview's interpretation and also rejected the contention that any such merging took place. Instead, the Upper Tribunal held that Article 2(2)(a) should be construed narrowly. It adopted Privacy International's interpretation that the provision was not concerned with foreign states or their private contractors, and that "an activity which falls outside the scope of Union law" simply means an activity within the control of Member States, not the Union. It also considered that, even if it is wrong to accept Privacy International's interpretation and Article 2(2)(a) also deals with activities of foreign states with which neither the EU nor its Member States presume to interfere for reasons of comity, this makes no material difference to the outcome of the appeal. This is because the Upper Tribunal did not consider that the comity principle generally grants immunity to a private company independently supplying services to a state entity on a commercial basis, even when those services relate to national security or enforcing criminal law.
In respect of Grounds 1 and 2, the Upper Tribunal held that the FTT had not adequately explained how or why it concluded that the Article 2(2)(a) exception applied to Clearview's clients or Clearview itself.
Territorial scope
Ground 3 concerned Article 3(2)(b), which extends the territorial scope of the GDPR to the processing of personal data of data subjects in the UK (or, in respect of EU GDPR, the EU) by "a controller or processor not established in the [UK (or EU)], where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the [UK (or EU)]."
Regarding Ground 3, Clearview argued for a narrow interpretation of Article 3(2)(b). It said that the only controllers caught by the provision are the controllers who are conducting behavioural monitoring themselves (and not third party controllers providing services), and that an activity qualifies as behavioural monitoring only if it goes beyond merely collecting large amounts of data and indexing it; there must also be additional analysis, examination, or use of the data in some form.
The Upper Tribunal preferred the ICO's broad interpretation. It held that "behavioural monitoring" includes passive collection, classification, sorting and storing of data by automated means with a view to potential subsequent use, including by a different controller, of processing techniques that profile a natural person. The Upper Tribunal held that behavioural monitoring does not require 'watchfulness' in the sense of human involvement – it should not be seen through the prism of analogue methods of monitoring and surveillance that require human involvement. It adopted the ICO's example of a CCTV camera in a hotel lobby: "One does not have to wait until the recording is viewed for it to amount to monitoring, and it may amount to monitoring even if the recording is never viewed. The key to establishing monitoring is not that someone or something actually accesses the output; it is that the data is available to be accessed should access be needed, and the data has been gathered in contemplation of that potential eventuality." It considered that Recital 24 and the EDPB Guidelines assist in highlighting the relevance of the controller’s purpose in processing the data and the relevance of the potential subsequent use of the data, including its use by another.
The Upper Tribunal also found that Clearview itself undertook behavioural monitoring within Article 3(2)(b), on the basis that the data it collects goes beyond facial images, providing insights into, for example, employment, family and friends, likes and dislikes.
Given the findings above, the decision did not turn on whether Article 3(2)(b) applies to a person that carries out no behavioural monitoring itself but whose processing is “related to” behavioural monitoring carried out by another person. However, the decision notes that the Upper Tribunal was not persuaded that Article 3(2)(b) was aimed only at the controller conducting the behavioural monitoring. It considered that, had legislators intended a narrowing of the scope of Article 3(2)(b), this could have been achieved by omitting the words "related to" altogether, and that there was no requirement to interpret the words artificially so as to restrict the extent of the provision's extra-territorial effect. It therefore read Article 3(2)(b) as applying also to controllers whose data processing is related to behavioural monitoring carried out by another controller.
Because it did not consider that Clearview or Clearview's clients' processing fell within the Article 2(2)(a) material scope exemption, the Upper Tribunal also did not need to address the argument that GDPR cannot apply to processing that is “related to” behavioural monitoring carried out by another party if that other party’s behavioural monitoring is itself outside the scope of the GDPR. However, it noted that it is not necessary to infer any legislative intent to restrict the effect of Article 3(2)(b) by treating any processing falling outside scope under Article 2 as if it did not exist.
Key takeaways
AI is becoming increasingly embedded in how businesses operate. The ICO's investigation into Clearview is one of the first actions focusing on AI techniques and whether they comply with data protection law. It is unlikely to be the last.
The wide interpretation of "behavioural monitoring" for the purposes of Article 3(2)(b) can capture foreign companies who passively collect UK residents' data by automated means with a view to potential subsequent use by themselves or another controller for profiling. Anthropomorphised concepts of 'watchfulness' are considered inappropriate to an analysis of digital surveillance. Actual use of that data is not necessarily a requirement – it can be enough that the data is available to be accessed for behavioural monitoring should access be needed, and the data has been gathered in contemplation of that potential eventuality. This is particularly relevant to foreign companies who use UK residents' behavioural data to train their models.
Another key takeaway is that private contractors involved in state-level activities such as national security or law enforcement can still be subject to the GDPR. As private companies leverage their tech expertise and work increasingly closely with governments and law enforcement agencies, they cannot expect to necessarily benefit from data protection law exclusions or 'comity of nations' principles.
More broadly, this decision confirms that, if an organisation (public or private) is carrying out behavioural monitoring of individuals in the UK, suppliers whose personal data processing relates to those activities will also be caught by the UK GDPR – even if they are third party controllers and do not engage in such monitoring themselves.
Importantly, this case reiterates that the GDPR has global reach and the ICO has the appetite for enforcement against non-UK businesses. The ICO commented that the Upper Tribunal's decision "reaffirms that companies that wish to monitor the behaviour of UK residents will be in scope of UK data protection law, regardless of where the company is based in the world". In practice, this means that companies based outside the UK, but processing data of UK residents, will need to comply with the UK GDPR if their processing activities are related to the offering of goods or services to such UK residents or to the monitoring of their behaviour that takes place in the UK.
Note
We use the term "GDPR" throughout this article to refer to the pre-Brexit EU GDPR and/or the post-Brexit UK GDPR. The EU GDPR of course also applied (and continues to apply) in the laws of the other EU Member States and may apply by virtue of processing of personal data in the context of the activities of an EU establishment or relating to data subjects located in the EU, but this case concerned UK residents.
For the EU GDPR, the Court of Justice of the European Union (CJEU) is the ultimate court responsible for interpreting its provisions. Interestingly, the Upper Tribunal aligned closely with the CJEU caselaw providing for a strict interpretation of Article 2(2) as regards material scope, and relied heavily on the EDPB guidelines and recitals to the GDPR for interpreting Article 3(2)(b) as regards territorial scope. Given the enforcement actions of the five European supervisory authorities, the Upper Tribunal’s decision mirrors the European position on the broad material and territorial scope of the EU GDPR.