On 17 October 2023, the First-Tier Tribunal of the General Regulatory Chamber – Information Rights (the Tribunal) handed down its decision in Clearview AI Inc v The Information Commissioner  UKFTT 819, overturning the £7.5 million fine levied on Clearview AI Inc. (Clearview) by the ICO last year.
The Tribunal found that, although the data processing activities carried out by Clearview constituted the monitoring of the behaviour of UK data subjects (and therefore fell within the territorial scope of Article 2 UK General Data Protection Regulation (UK GDPR).), its processing did not constitute ‘relevant processing of personal data’ and therefore fell outside the material scope of Article 3 UK GDPR.
Clearview’s processing activities
Clearview has created a database of more than 20 billion images collected from the internet and social media platforms. These images are collected and stored together with various categories of metadata. Clearview offers a service to its customers that operates much like a search engine for faces. It enables customers to upload an image of an individual, which is then checked against the database.
Once the customer has uploaded the image, Clearview uses biometric processing to match the customer’s image with an image in its database, providing the customer with an indexed list of images that have similar characteristics to the uploaded image. The list consists of a set of thumbnail search results, each with a link to the URL where the image appears online.
Background: The fine and enforcement notice
On 18 May 2022, the ICO fined Clearview for breaching various provisions of the UK GDPR. In addition, the ICO issued an enforcement notice, (i) prohibiting the company from obtaining and using publicly available personal data of UK residents; and (ii) ordering that it delete the data of UK residents from its systems.
The Tribunal concluded that, although Clearview carried out data processing in relation to monitoring the behaviour of people in the UK under Article 3(2)(b) of the UK GDPR, Clearview’s processing activities fell outside the material scope of the UK GDPR under Article 3(2A) because such processing did not constitute ‘relevant processing of personal data’. Since Clearview exclusively provides services to non-UK law enforcement and national security agencies in relation to the performance of their law enforcement and national security functions, such activities fall outside the scope of the UK GDPR.
When the Tribunal handed down its decision, the ICO announced in a statement that “this judgment does not remove the ICO’s ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK”, highlighting that the Tribunal’s decision owed to “a specific exemption around foreign law enforcement.” Therefore, if the processing had been conducted for commercial purposes, or for UK law enforcement purposes, the outcome of this case may have been very different.
In any event, the ICO has sought permission to appeal claiming “the Tribunal incorrectly interpreted the law when finding Clearview’s processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The Commissioner’s view is that Clearview itself was not processing for foreign law enforcement purposes and should not be shielded from the scope of UK law on that basis.”