Privacy & Information Security Law Blog

On October 17, 2023, The First-tier Tribunal of the UK General Regulatory Chamber allowed an appeal by Clearview AI Inc. (“Clearview”) against an enforcement notice and fine issued by the UK’s Information Commissioner’s Office (“ICO”).

On May 18, 2022, the ICO issued an enforcement notice requiring that Clearview delete the personal data of UK individuals collected through the use of its facial recognition technology and held in its database (the “Notice”), as well as a fine of £7.5 million, alleging several violations under the EU and UK General Data Protection Regulations (“GDPR”). Clearview appealed the Notice and fine, disputing that it had infringed the GDPR, and that the ICO had jurisdiction to issue the Notice and fine. Among other submissions, Clearview, which is based in the U.S. and does not (and did not, at the time of the alleged infringements) have an establishment in the EU or UK for GDPR purposes, asserted that it was a foreign company acting on behalf of foreign law enforcement and therefore its processing fell outside of the scope of Article 2 of the EU GDPR and Article 3 of the UK GDPR.

The judge allowed the appeal, stating that although the processing did constitute monitoring of individuals in the UK for GDPR purposes, the processing was outside of the scope of the GDPR. The judge accepted Clearview’s submissions that its services are only provided to non-UK/EU law enforcement or national security bodies and their contractors, and confirmed that the activities of foreign governments fall outside the scope of both the EU and UK GDPR, since one government is not able to bind or control the activities of another sovereign state.

UPDATE: On November 17, 2023, the ICO announced that it was seeking permission to appeal the First Tier Tribunal’s judgment. The ICO welcomed the Tribunal’s clarification that Clearview was monitoring the behavior of individuals in the UK for UK GDPR purposes through the collection of facial images, but it disputed the Tribunal’s finding that Clearview was processing for foreign law enforcement purposes. The Information Commissioner stated: “I need to challenge this judgment to clarify whether commercial enterprises profiting from processing digital images of UK people, are entitled to claim they are engaged in 'law enforcement'…it is my view that there are too many who are being affected by the sheer scale and intrusiveness of Clearview’s mass scraping of personal information. This is an important issue within the AI sphere and whilst my office supports businesses that innovate with AI solutions, we will always take the appropriate action to protect UK people when we believe their privacy rights are not being respected.”