First-tier Tribunal dismisses UK ICO's Clearview enforcement and monetary penalty notices on jurisdictional grounds
In its judgment dated 17 October 2023, the First-tier Tribunal held that the UK Information Commissioner's Office (ICO) did not have jurisdiction to issue its 18 May 2022 enforcement and monetary penalty notices, which alleged breaches of the UK and EU General Data Protection Regulations (together, GDPR), to Clearview AI Inc (Clearview).
The decision was reached on technical grounds relating to the material and/or territorial scope of the GDPR, without considering whether Clearview's substantive processing would have breached the GDPR had it fallen within its scope.
The direct implications of the decision for other data controllers may be limited, because of the Tribunal's reliance on the close relationship of Clearview's processing to the activities of foreign law enforcement and national security agencies. However, the decision does make several interesting points regarding the scope of the GDPR and related matters.
We reported on the facts of the case in our post on the ICO's intention to issue the notices, and an article published by techUK on Clearview's intention to appeal. Briefly, Clearview, a company incorporated in Delaware and with no establishment in the UK, created a substantial database of facial images obtained from the public internet. Its clients can upload images of individuals to Clearview's service, which uses AI technology to identify and return similar images in the database, assisting Clearview's clients in identifying and assessing the individuals captured in the images. The ICO's enforcement notices divided Clearview's processing activities into two types: "Activity 1" being the personal data processing involved in creating, developing and maintaining the database, and indexing the images within it, and "Activity 2" being the personal data processing involved in matching the images submitted by clients with the images in the database and providing the search results to the clients.
The ICO concluded that Clearview's processing of personal data breached the GDPR and issued the notices in response. By notice of appeal dated 29 June 2022, Clearview appealed to the Tribunal, the first-instance tribunal to which ICO decisions are appealed. The appeal was heard between 21 and 23 November 2022.
The decision given on 17 October 2023
In considering the facts of the case, the Tribunal assumed or decided that:
- Clearview has no establishment in the UK (and the Tribunal was not considering issues that might arise if Clearview had an establishment in the EU)
- all of Clearview's clients are foreign law enforcement and national security agencies, using its service for their respective law enforcement and national security purposes (this point was accepted on the basis of Clearview's unchallenged evidence – there was no evidence submitted by the ICO contesting that Clearview's service was only provided to non-UK/EU law enforcement or national security bodies and their contractors, all of whom use the service in the furtherance of criminal law enforcement and/or national security functions)
- the law enforcement and national security activities of foreign governmental agencies fall outside the scope of EU law
- the images within the database, and the images uploaded by clients to the database, both include at least some images of individuals in the UK
- the relevant processing was carried out both before and after the end of the Brexit transitional period and was therefore potentially subject (at different times) to both the UK and the EU GDPR.
The Tribunal also bifurcated Clearview's processing on the basis of the ICO's division of Clearview's processing into "Activity 1" (creating, developing and maintaining the database, and indexing the images within it) and "Activity 2" (matching of images submitted by clients with the images in the database and providing the search results to the clients).
Against this background, the Tribunal decided that:
- Given that Clearview has no UK establishment, the only basis on which Clearview's processing could be within the territorial scope of the GDPR was that set out in Article 3(2)(b), which (for the purposes of UK law) engages where there is processing of personal data related to the monitoring of the behaviour of UK data subjects.
- Neither the Activity 1 nor the Activity 2 processing amounted to monitoring of the behaviour of UK data subjects by Clearview.
- However, Clearview's clients monitor the behaviour of UK data subjects using images and other information obtained from the Clearview service.
- Both the Activity 1 and the Activity 2 processing are related to that monitoring, and are therefore potentially within the territorial scope of the GDPR.
- Clearview's processing falls outside the territorial scope of the UK GDPR, based on Articles 3(2A) and 2(1)(a), which together reduce the scope of Article 3(2)(b) by excluding processing carried out "in the course of an activity [foreign law enforcement or national security] which, immediately before [the end of the Brexit transitional period], fell outside the scope of EU law".
- While the processing is within the territorial scope of the (pre-Brexit) EU GDPR, based on Article 3(2)(b), it is outside its material scope on the basis of the exception in Article 2(2)(a), which, similarly, excludes processing carried out "in the course of an activity [namely, foreign law enforcement or national security] which falls outside the scope of [EU] law".
The Tribunal therefore concluded that Clearview's processing falls outside the scope of the GDPR, and allowed Clearview's appeal, based on factors relating to the specific nature of Clearview's client base (foreign law enforcement and national security agencies).
Processing related to the monitoring of behaviour
Article 3(2)(b) of the GDPR is an extra-territorial scope provision, applying the GDPR to processing carried out by persons not established in the UK (or EU) if the processing is:
"…of personal data of data subjects who are in the [UK (or EU)] by a controller or processor not established in the [UK (or EU)], where the processing activities are related to … the monitoring of [the] behaviour [of those data subjects] as far as their behaviour takes place within the [UK (or EU)]."
In the case of the UK GDPR, this is subject to the Article 3(2A) exception discussed briefly above. Article 2(2)(a) of the EU GDPR has an equivalent effect.
On monitoring of behaviour, the Tribunal took the view that:
- Monitoring involves the assessment of information about an individual's behaviour, but this does not require the ongoing collection and assessment of information about them. A one-off assessment will be sufficient providing it amounts to an assessment of behaviour, including individuals' activities – although this could include mere location – rather than mere identifiers such as height or hair colour. Even quite limited assessments through the use of facial recognition software appear to be sufficient. Clients would not monitor behaviour if their use of Clearview's service was limited to identifying individuals, but in practice they will sometimes also be using the service to gather further information about individuals' behaviour, to be used with the identifying images to take decisions about them, which does amount to monitoring.
- On the other hand, processing which allows a client to monitor is not in itself monitoring - Clearview engages in what the Tribunal referred to as merely an "automated, mathematical exercise", facilitating monitoring (and other activities) by its clients, but does not itself monitor the data subjects.
The Tribunal went on to conclude that both the Activity 1 and the Activity 2 processing were "related to" Clearview's clients' monitoring: there is "such a close connection between the creation, maintenance and operation of [Clearview's] database and the monitoring of behaviour undertaken by the clients that [Clearview's] processing activities are related to that monitoring". Clearview performs its processing in order to allow its clients to carry out their monitoring (and other) activities, so the former is related to the latter.
The Tribunal also dismissed the ICO's argument that Clearview's Activity 1 processing might be considered to be related to monitoring that might be carried out by possible new commercial clients in the future, bringing it within the scope of the GDPR. In this case, the link between the processing and the putative monitoring was considered too speculative and remote to amount to the former being "related to" the latter.
In the course of reaching these conclusions, the Tribunal took the view that:
- Clearview acts as a sole controller when conducting its Activity 1 processing, but a joint controller, with its client, when conducting its Activity 2 processing. A contractual prohibition on the client using data from the Clearview service other than for law enforcement or national security purposes was considered sufficient to amount to joint determination of the purposes of processing. The Tribunal emphasised, however, that this did not ultimately determine either whether Clearview was itself engaged in monitoring or whether its processing was related to its clients' monitoring – the result would be the same if the parties acted as independent controllers.
- Clearview also acts as a processor in relation to both Activity 1 and Activity 2 processing – this is not explained in the decision and it is not clear how the Tribunal reached this view.
Processing in the course of an activity outside the scope of EU law
As it was common ground that the law enforcement and national security activities of Clearview's clients fall outside the scope of EU law, the Tribunal concluded that Clearview's Activity 1 and Activity 2 processing both fall outside the scope of the GDPR. This appears to be based on a view that processing (Activity 1 or 2) being "related to" an activity (out-of-scope monitoring) is the same as it being "in the course of" that activity. The decision does not address this equation explicitly, however, and of course it is not entirely self-explanatory, particularly regarding Activity 1 processing conducted for the purposes of Clearview's law enforcement clients as a whole rather than for any particular client.
We have noted the difference between the EU and UK versions of the GDPR in their treatment of the material vs. territorial scope issue. On the facts in this case, the different treatments did not result in different outcomes. In principle, however, there would be a material difference if the factual background were different. If Clearview had been carrying out its Activity 1 and/or 2 processing in the context of the activities of a UK establishment, within the territorial scope of Article 3(1) of the UK GDPR, Article 3(2A) would not have applied and the processing would have been subject to the UK GDPR. If Clearview had been carrying out the activities in the context of the activities of an EU establishment, however, and assuming that the EU authorities and courts followed the rationale of the Tribunal's decision, Article 2(2)(a) of the EU GDPR would apply in full and regulation of the processing would be left to the national law of the relevant Member State. The rationale for the difference, introduced through the Brexit process, appears to be that the relevant UK national laws, other than the UK GDPR itself, only regulate the activities of the UK law enforcement agencies and security services and would not apply to Clearview.
The scope issues discussed in the decision, while helpful for organisations playing a similar role to Clearview, are limited to processing which: (i) is closely related to foreign law enforcement or national security activities outside the scope of EU law; and (ii) is conducted outside the UK. In wider contexts, however, organisations outside the UK engaged in the creation of databases which include the personal data of UK-based individuals and/or other online collection of personal data should consider carefully whether their activities, or those of their clients, might be considered to amount to "monitoring of the behaviour of UK individuals" and therefore unexpectedly fall within the scope of the UK GDPR.
We use the term "GDPR" throughout this article to refer to the pre-Brexit EU GDPR and/or the post-Brexit UK GDPR. The EU GDPR of course also applied (and continues to apply) in the laws of the other EU Member States and may apply by virtue of processing of personal data in the context of the activities of an EU establishment or relating to data subjects located in the EU, but that falls outside the scope of the decision.