Facial Recognition firm Clearview AI overturns data privacy fine

Background

Clearview AI (the "Company") is a company which enables its users to search a database of billions of images scraped from the internet for matches to a particular image and face.

As we previously reported, in 2021 the Information Commissioner's Office (the "ICO") announced its provisional notice of intent to impose a fine on Clearview AI. The ICO had also issued a preliminary enforcement notice requiring Clearview AI to cease further processing of the personal data of data subjects in the UK and to delete the data it currently holds.

In 2022, the ICO fined the Company £7.5 million for unlawfully storing facial images (the "Fine"). The Fine followed alleged serious breaches of the UK GDPR and the Data Protection Act 2018 by the Company with its biometric data collection and facial recognition app. The ICO claimed that Clearview AI was processing its database of more than 20 billion images without informing users or obtaining consent for images to be collected or used in that way. The Company has collected billions of images of people's faces and data from publicly available information on the internet, including social media platforms, for use in facial recognition services.

Appeal

Clearview AI appealed the enforcement notice and the Fine to the First-tier Tribunal (Information Rights), and on the 23rd of October 2023 won the appeal.

Clearview AI argued that the data processing undertaken was outside the territorial scope of the GDPR and UK GDPR, and that the ICO had no jurisdiction to issue the notices.

The sole issue under consideration for the Tribunal was the jurisdictional challenge brought by Clearview AI, as to:

  1. whether as a matter of law, Article 3(2)(b) GDPR can apply where the monitoring of behaviour is carried out by a third party rather than the data controller;
  2. whether processing of data by Clearview AI was related to monitoring by either Clearview AI itself or by its customers; or
  3. whether the processing by Clearview AI was beyond the material scope of the GDPR by operation of Article 2(2)(a) GDPR and/or was not relevant for the purposes of Article 3 of the UK GDPR thereby removing the processing from the material scope of the UK GDPR.

The Tribunal considered that the Company's database of personal data would contain the images of UK residents and/or images taken within the UK, and therefore such processing could have an impact on UK residents, irrespective of whether it was used by UK customers.

However, although the Clearview AI service was used by customers for commercial purposes prior to 2020, Clearview AI does not have UK or EU clients currently. Its customers are based in the US and in other countries including Panama, Brazil, Mexico, and the Dominican Republic. The Tribunal ruled that the ICO did not have the jurisdiction to issue its Fine and enforcement notice because Clearview AI's system was only used by law enforcement agencies based outside the UK.

Clearview AI had offered its service on a trial basis to law enforcement and government organisations within the UK between June 2019 and March 2020. An overseas law enforcement agency could use the service as part of an investigation into the alleged criminal activity of a UK resident.

The Tribunal considered that Clearview AI did not monitor behaviour of data subjects itself (as submitted by the ICO) but that its customers used the service to monitor the behaviour of data subjects. Consequently, for the purposes of Article 3(2)(b) GDPR, Clearview AI's services were related to the monitoring of the behaviour of data subjects.

It was further concluded that while the processing activities may in theory have been within the territorial scope of the UK GDPR, they fell outside of its material scope. The Tribunal took the view that Clearview AI offered its services exclusively to non-UK/EU law enforcement and national security agencies, which fall outside of the scope of the GDPR and the UK GDPR. The UK data protection regimes only bind processing activities relating to UK law enforcement or intelligence agencies. The Tribunal also decided that processing was in the course of an activity which, immediately before the Brexit implementation period ended on 31 December 2020, fell outside the scope of EU law.

Judgment Takeaways

The judgment shows that activities carried out for law enforcement purposes will fall outside of the scope of the UK GDPR if those law enforcement agencies are outside of the UK. Under Article 3.2 of the UK GDPR and the GDPR, an entity may be caught under the extra-territorial scope of the UK GDPR on the basis that its processing activities relate to the monitoring, or the enabling of monitoring, of the behaviour of data subjects in the UK. However, the appeal turned exclusively on the fact that processing activities were carried out for, or connected to, law enforcement purposes, which rendered the law enforcement agencies outside of the scope of the UK GDPR. The appeal should not be interpreted as granting a blanket permission for such scraping activities more generally.

An ICO spokesperson said the ICO will "carefully consider next steps" and that "It is important to note that this judgment does not remove the ICO's ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement".

Related content

See more about the 2021 ICO notice here.

See the full judgment in Clearview AI Inc v The Information Commissioner [2023] UKFTT 00819 (GRC) here.
