Facial Recognition and the ICO: Clear insight from the Clearview case.

The Upper Tribunal (UT) has handed down its judgment in the UK Information Commissioner’s (ICO) appeal against the First-tier Tribunal (FTT) decision on Clearview AI Inc (Clearview).

Clearview is a US based company and facial recognition search engine. Clearview’s database held billions of images from publicly available sources found online.

The main clients of Clearview were law enforcement agencies based in the US; however, they also held data and images relating to individuals based in the United Kingdom.

Back in May 2022, the ICO fined Clearview, £7.5 million for breaching the EU General Data Protection Regulations (GDPR) when it obtained and processed the personal data of UK citizens without permission to do so. The ICO also instructed Clearview to delete all data relating to UK citizens that it held in its database.

Clearview successfully appealed the claim to the FTT in October 2023, where it was decided that:

• The GDPR regulations that the commissioner relied upon, must relate to processing data related to the monitoring of behaviour of data subjects and this must take place within the UK or EU.
• Clearview did not carry out the monitoring of behaviour of UK data subjects.
• It was acknowledged that UK residents’ data was in Clearview’s database, but the GDPR extra territorial provisions do not apply as Clearview is a US based company and does not have operations within the UK or the EU.
• The extraterritorial scope of the GDPR did not cover the processing of data by Clearview.

Why is all this important?

At the time this decision by the FTT was made, it was seen as a huge setback to the ICO and could show a weakening of GDPR enforcement (and subsequently UK GDPR enforcement) against overseas entities who are processing data belonging to EU data subjects.

The Upper Tribunal’s decision

The ICO successfully appealed the FTT’s decision to the UT on four grounds, as set out below:

1. “The FTT was wrong to hold that the behavioural monitoring carried out by Clearview’s clients fell outside the scope of EU law”.
2. “The FTT made an error of law in holding that Clearview’s own processing fell outside the scope of EU law”.
3. “The FTT was wrong to hold that Clearview itself did not carry out behavioural monitoring”.
4. “The FTT was wrong in failing to consider whether the ICO had jurisdiction in relation to Clearview’s activities during the UK test phase”

The UT panel decided that the ICO does have jurisdiction to enforce the GDPR against Clearview, even though they are a US based company. It was held that the extent of the extra-territorial effect of GDPR applies to foreign companies even if they do not provide services within the UK

The panel also found that the entire legislative objective of Article 3(2) of the GDPR is to ensure “EU data subjects have protection against being monitored by processing of their personal data. Having one’s behaviour monitored is inherently objectionable and merits protection”, thus, agreeing with the ICO’s argument.

It was held by the UT, that the decision of the FTT was “materially in error of law”. Consequently, the £7.5 million fine imposed by the ICO and the enforcement notice (to delete data relating to UK residents) were subsequently reinstated. The full decision can be found here.

To conclude

The UT has a binding nature, meaning its decisions can create legally binding precedent. This decision directly impacts international clients when it comes to their data processing activities relating to UK citizens.

If you have any questions, queries or concerns regarding data protection, our Geldards Commercial team are happy to assist.