By Hans Allnutt & Stuart Hunt


Published 07 November 2023

Overview

The First-tier Tribunal has ruled that the Information Commissioner did not have the jurisdiction to issue a £7.5 million GDPR fine to Clearview AI, or a GDPR enforcement notice ordering the prevention of the use of publicly available UK-resident data, and the deletion of that data from their systems.

The outcome, overturning the decision, will come as a surprise to many, particularly given the controversial nature of the facial recognition service that Clearview offers. However, it is important to understand that the decision turned on the fact that Clearview's use of the data was for law enforcement purposes, which took it outside the scope of the GDPR. Had it not been for this, all of Clearview's activities would have been caught by the GDPR and enforcement permissible.

In fact, the judgment actually provides useful guidance on the scope of the UK GDPR's application to data controllers and processors established outside of the UK, and in particular what activities constitute the "monitoring the behaviour" of individuals within the UK.

 

Background

Clearview AI is an American facial recognition business, incorporated in Delaware, describing itself as a "revolutionary, all-in-one, facial recognition platform designed to support federal, state, and local law enforcement".[1] The Tribunal described Clearview's service ("the Service") as "an internet search engine [or otherwise identified as a database] to which only the clients of Clearview have access."

The Service is structured around an image database formed of over 20 billion publicly available facial images scraped from the internet. Clearview then uses machine learning to create a set of vectors against which customers can upload facial images of individuals of interest to be matched across the database.

Clearview's client base was limited to non-UK/non-EU criminal law enforcement and/or national security functions. Clearview AI did provide services to commercial clients but crucially, a decision was taken in May 2020 to deactivate any remaining users that were not affiliated with government agencies in support of criminal law enforcement and national security functions.

In July 2020, the UK Information Commissioner's Office opened a joint investigation with the Australian Information Commissioner into the personal information handling practices of Clearview. The investigation was directed at Clearview's use of data scraped from the internet and use of biometrics for facial recognition.

At the conclusion of the investigation, the ICO determined that Clearview had breached UK data protection laws by failing to use the information of people in the UK in a way that was fair and transparent, as individuals were not made aware or would not reasonably have expected their personal data to be used in this way. In addition, Clearview failed to have a lawful reason for collecting people's information, failed to have a process in place to stop the data being retained indefinitely, and failed to meet the higher data protection standards required for biometric data.

Clearview was fined £7.5 million in a Monetary Penalty Notice ("MPN"). In addition, an Enforcement Notice ("EN") was issued ordering "the company to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems".

Clearview appealed the MPN and EN, arguing that no breaches had occurred, and that the Notices also lacked legality. The characterisation of Clearview's service and the jurisdiction of the Commissioner over Clearview as a foreign company were also challenged.

The company argued that Article 3(2)(b) UK GDPR did not apply to the Service as it was "not capable of recognising or analysing behaviours," and that it supported "third party activities entirely outside the material scope of the Regulations." Clearview denied knowledge of whether their clients used their Service in the context of behavioural monitoring, and stated that "if the search results were being used in this way it does not detract from the primary value of the Service as a tool for swiftly identifying an individual."

Finally, Clearview argued that the Service was used for "predominantly domestically focused" law enforcement and national security functions for non-UK/non-EU clients, which were outside of the scope of the appropriate Articles of the GDPR and/or UK GDPR.

Whether Clearview breached the GDPR and/or UK GDPR would have been the subject of a further substantive hearing if the initial element of the appeal was unsuccessful.

 

Judgment

The judgment might essentially be summarised as dependent on two aspects:

(1) Do the processing activities of the Service fall within the geographical scope of the UK GDPR?

(2) Do the processing activities of the Service fall within the legal scope of the UK GDPR?

Question (1) turns on Art 3(2)(b) of UK GDPR:

"This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to … (b) the monitoring of their behaviour as far as their behaviour takes place within the Union."

The judgment provides very useful guidance on what "behaviour" and "monitoring" includes in the context of overseas processors of personal data and potentially affirms a wide scope. The Tribunal found that Clearview was monitoring (for example, because Clearview could establish where a person is/was at a particular point in time) behaviour (for example, because Clearview's scraped pictures would reveal that person was doing something).

In respect of Clearview's database, Clearview was a controller. In respect of the matching service for customers, Clearview was a joint controller with its customer.

Question (2) turns on whether the processing activity fell inside or outside the scope of the GDPR. At the relevant time, Art 2(2)(a) of GDPR provided:

"This Regulation does not apply to the processing of personal data … in the course of an activity which falls outside the scope of Union law."

The FTT accepted Clearview's position that it was only processing personal data for the purposes of law enforcement which fell outside the scope of Union law (i.e. law enforcement). A similar provision was included in UK GDPR meaning that the extra-scope state was carried forward.

So whilst on the face of the judgment, one might be forgiven for thinking that Clearview has notched up a victory for those processing personal data of UK individuals outside of the UK, in fact the judgment clarified an arguably wider scope than previously appreciated. It is only due to the narrow use case for UK law enforcement that Clearview escaped sanction.

A key question that remains unanswered is what would have happened if Clearview did not have law enforcement UK customers for its service or, at some stage in the future, retains commercial customers in the UK? Surely then the ICO may come knocking again.
