Ducks overlooking outside scenery on bridge.

Clearview AI cleared of £7.5m ICO fine for processing data outside the UK

Published on 11 December 2023

The question

Just how did the processing of personal data by Clearview AI (Clearview) fall outside the scope of UK GDPR?

The key takeaway

The decision of the First-tier Tribunal (General Regulatory Chamber) (the Tribunal) stated that, while Clearview was processing personal data related to the monitoring of UK data subjects, because Clearview was not processing the personal data for commercial purposes and Clearviews client base was exclusively comprised of non-UK criminal law enforcement agencies, national security agencies, and contractors associated with those agencies, Clearviews processing of personal data fell outside the scope of UK GDPR.

The background

On 18 May 2022, the Information Commissioners Office (ICO) issued an enforcement notice and a monetary penalty notice against Clearview for numerous alleged breaches of GDPR and UK GDPR and imposed a fine on Clearview of over £7.5m.

The ICOs notices related to Clearviews compilation and operation of a database of over 20 billion images of individuals faces which were automatically scraped from the internet. These scraped images enabled Clearview to generate coordinates (vectors) of individuals faces. Clearviews clients could then upload an image of an individual to Clearviews system. Clearviews system would generate vectors of that individuals face from the uploaded image and use a facial recognition system to find similarities between the uploaded image and other images scraped from the internet to deliver comparisons to Clearviews clients.

This enabled Clearviews clients to identify an individual or to assess what an individual was doing at a particular moment in time (ie the time the image was scraped) through the objects or activities which appeared in the image. Clearviews clients could also undertake successive searches of the same image over time which, the ICO argued, provided Clearviews clients with the potential to monitor the behaviour of the pictured individuals.

The development

The Tribunal found, given the size of the database, and that between June 2019 and March 2020 Clearview had offered its service to law enforcement and government agencies in the UK, that it was reasonable to infer that some images of UK residents were contained in Clearviews system. Further, it was found that the images held in Clearviews database constitute personal data and the vectors derived from the image of an individuals face constitute special category data under UK GDPR.

Additionally, the Tribunal found that, while every photographic image of an individual will reveal something about that individual (eg that they were alive when it was taken), monitoring of an individual by Clearviews clients could include:

  • establishing where an individual was a particular point in time
  • watching an individual over time by repeated uploading of the same image
  • using the results produced to provide a narrative about the person in the images at the different times
  • combining the results with information obtained from other forms of monitoring or surveillance.

    The Tribunal also stated that an image which revealed an individuals behaviour could include:

  • where they are
  • what they are doing (including what they are saying/have said, what they have written, their employment or their pastimes)
  • who they associate with in terms of relationship
  • what they are holding or carrying
  • what they are wearing (including items indicating cultural or religious background or belief).

Given the above, the Tribunal found that Clearviews service itself did not monitor the behaviour of individuals because generating vectors of individuals faces from their scraped images did not monitor the behaviour of those individuals.

However, the Tribunal determined that, as there was such a close connection between the creation, maintenance and operation of Clearviews database, and the monitoring of the behaviour of individuals which was being undertaken by Clearviews clients, Clearviews activities were “related to” the monitoring of individuals behaviour. Further, the Tribunal found that, even though it was unlikely that UK data subjects images would be produced as part of a search carried out by Clearviews clients related to crimes which occurred in their respective jurisdictions, Clearviews system would nonetheless process the personal data of UK individuals.

Nonetheless, the Tribunal was satisfied that all of Clearviews clients carried out criminal law enforcement or national security functions. As such, the Tribunal found that, as the acts of foreign governments fell outside the scope of European Union (EU) law, and it was not for one government to bind or control the activities of a foreign state, Clearviews processing fell outside the scope of EU law before the UKs exit from the EU, and therefore it did not constitute relevant processing as required under Article 3(2) UK GDPR for the UK GDPR to apply.

As such, the UK GDPR did not apply to Clearviews processing of personal data in this case and the ICO did not have jurisdiction to issue the enforcement notice or monetary penalty notice against Clearview.

Why is this important?

On 17 November 2023, the ICO released a statement announcing that it sought permission to appeal the Tribunals decision. The basis for the ICOs appeal is that the Tribunal erred in finding that Clearviews processing fell outside the reach of UK data protection law. Notwithstanding the ICOs appeal, the decision nonetheless reinforces the position that, where an organisation is not established in the UK and has no clients in the UK, if it provides commercial services which are related to the monitoring of the behaviour of individuals living in the UK, it will fall within the territorial scope of UK GDPR and the jurisdiction of the ICO.

Any practical tips?

Its rare for any organisation which processes the personal data of UK individuals to avoid the scope of the UK GDPR, particularly where an element of the processing is for commercial purposes. The factual matrix behind this decision – the processing of data by companies outside the UK for purposes related to foreign criminal law enforcement or national security functions – is narrow, but it is nonetheless interesting to see where a gap in the reach of the UK GDPR may be. It is of course safest always to consider the processing to be caught and work backwards from there, rather than the other way round.

Winter 2023