Clearview AI cleared of £7.5m ICO fine for processing data outside the UK
The question
Just how did the processing of personal data by Clearview AI (Clearview) fall outside the scope of UK GDPR?
The key takeaway
The decision of the First-tier Tribunal (General Regulatory Chamber) (the Tribunal) stated that, while Clearview was processing personal data related to the monitoring of UK data subjects, because Clearview was not processing the personal data for commercial purposes and Clearview’s client base was exclusively comprised of non-UK criminal law enforcement agencies, national security agencies, and contractors associated with those agencies, Clearview’s processing of personal data fell outside the scope of UK GDPR.
The background
On 18 May 2022, the Information Commissioner’s Office (ICO) issued an enforcement notice and a monetary penalty notice against Clearview for numerous alleged breaches of GDPR and UK GDPR and imposed a fine on Clearview of over £7.5m.
The ICO’s notices related to Clearview’s compilation and operation of a database of over 20 billion images of individuals’ faces which were automatically scraped from the internet. These scraped images enabled Clearview to generate coordinates (vectors) of individuals’ faces. Clearview’s clients could then upload an image of an individual to Clearview’s system. Clearview’s system would generate vectors of that individual’s face from the uploaded image and use a facial recognition system to find similarities between the uploaded image and other images scraped from the internet to deliver comparisons to Clearview’s clients.
This enabled Clearview’s clients to identify an individual or to assess what an individual was doing at a particular moment in time (ie the time the image was scraped) through the objects or activities which appeared in the image. Clearview’s clients could also undertake successive searches of the same image over time which, the ICO argued, provided Clearview’s clients with the potential to monitor the behaviour of the pictured individuals.
The development
The Tribunal found, given the size of the database, and that between June 2019 and March 2020 Clearview had offered its service to law enforcement and government agencies in the UK, that it was reasonable to infer that some images of UK residents were contained in Clearview’s system. Further, it was found that the images held in Clearview’s database constitute personal data and the vectors derived from the image of an individual’s face constitute special category data under UK GDPR.
Additionally, the Tribunal found that, while every photographic image of an individual will reveal something about that individual (eg that they were alive when it was taken), “monitoring” of an individual by Clearview’s clients could include:
- establishing where an individual was a particular point in time
- watching an individual over time by repeated uploading of the same image
- using the results produced to provide a narrative about the person in the images at the different times
- combining the results with information obtained from other forms of monitoring or surveillance.
The Tribunal also stated that an image which revealed an individual’s “behaviour” could include:
- where they are
- what they are doing (including what they are saying/have said, what they have written, their employment or their pastimes)
- who they associate with in terms of relationship
- what they are holding or carrying
- what they are wearing (including items indicating cultural or religious background or belief).
Given the above, the Tribunal found that Clearview’s service itself did not monitor the behaviour of individuals because generating vectors of individuals’ faces from their scraped images did not monitor the behaviour of those individuals.
However, the Tribunal determined that, as there was such a close connection between the creation, maintenance and operation of Clearview’s database, and the monitoring of the behaviour of individuals which was being undertaken by Clearview’s clients, Clearview’s activities were “related to” the monitoring of individuals’ behaviour. Further, the Tribunal found that, even though it was unlikely that UK data subjects’ images would be produced as part of a search carried out by Clearview’s clients related to crimes which occurred in their respective jurisdictions, Clearview’s system would nonetheless process the personal data of UK individuals.
Nonetheless, the Tribunal was satisfied that all of Clearview’s clients carried out criminal law enforcement or national security functions. As such, the Tribunal found that, as the acts of foreign governments fell outside the scope of European Union (EU) law, and it was not for one government to bind or control the activities of a foreign state, Clearview’s processing fell outside the scope of EU law before the UK’s exit from the EU, and therefore it did not constitute “relevant processing” as required under Article 3(2) UK GDPR for the UK GDPR to apply.
As such, the UK GDPR did not apply to Clearview’s processing of personal data in this case and the ICO did not have jurisdiction to issue the enforcement notice or monetary penalty notice against Clearview.
Why is this important?
On 17 November 2023, the ICO released a statement announcing that it sought permission to appeal the Tribunal’s decision. The basis for the ICO’s appeal is that the Tribunal erred in finding that “Clearview’s processing fell outside the reach of UK data protection law”. Notwithstanding the ICO’s appeal, the decision nonetheless reinforces the position that, where an organisation is not established in the UK and has no clients in the UK, if it provides commercial services which are related to the monitoring of the behaviour of individuals living in the UK, it will fall within the territorial scope of UK GDPR and the jurisdiction of the ICO.
Any practical tips?
It’s rare for any organisation which processes the personal data of UK individuals to avoid the scope of the UK GDPR, particularly where an element of the processing is for commercial purposes. The factual matrix behind this decision – the processing of data by companies outside the UK for purposes related to foreign criminal law enforcement or national security functions – is narrow, but it is nonetheless interesting to see where a gap in the reach of the UK GDPR may be. It is of course safest always to consider the processing to be caught and work backwards from there, rather than the other way round.
Winter 2023
Stay connected and subscribe to our latest insights and views
Subscribe Here