Despite the fears of foreign organisations about the long-arm jurisdiction of European data protection laws, the extra-territorial application of the GDPR, and subsequently the UK GDPR, has received relatively scant regulatory and judicial attention since those laws took effect in Britain, more than eight years and nearly four years ago, respectively.
- In mid-2018, the Information Commissioner's Office (ICO) issued two enforcement notices against AggregateIQ Data Services Ltd, a Canadian company that had targeted individuals in the UK with political advertising ahead of the 2016 Brexit referendum and continued to process the data after 18 May 2018, when the GDPR took effect in the UK. According to the ICO, AggregateIQ did not have an Article 6 GDPR lawful basis for processing the personal data and did not provide the individuals with a privacy notice containing the information required by Article 14 of the GDPR.
- In November 2018, the ICO reportedly issued a warning to The Washington Post in relation to its website cookie practices. According to reports, the ICO told a complainant about the practices that it had written to The Washington Post and "hope[s] that [it] will heed our advice, but if they choose not to, there is nothing more we can do in relation to this matter".
- In December 2021, the Court of Appeal held in Soriano v Forensic News LLC that the activities of US-based news services were arguably within scope of Article 3(2) of the GDPR for the purpose of service outside the jurisdiction. In doing so, the Court determined that, despite there being only six European subscribers to the news services, (1) this constituted a 'service' to European readers that was 'related to' the processing of personal data for journalistic purposes, and (2) compiling information about an individual (here, Mr Soriano), and publishing articles about that individual's behaviour, was sufficient for such activity to comprise 'monitoring of behaviour' for the purposes of Article 3(2)(b) of the GDPR. In March 2023, the parties settled the dispute.
Background to the Decision
Article 3(2) of the UK GDPR applies to controllers and processors not established in the UK where their processing of personal data is related to the offering of goods or services to, or the monitoring of behaviour of, individuals in the UK.
According to the ICO, Clearview AI, which collects and stores the images of millions of individuals globally to be used by its customers for facial recognition purposes, is one such business. Clearview AI, which does not have a corporate presence in the UK or EU, has in recent years been subject to a raft of regulatory interventions by European data protection regulators, including fines issued in France (€20 million), Greece (€20 million), Italy (€20 million) and the Netherlands (€30 million).
The ICO, which has issued a much smaller number of GDPR fines than each of those regulators, also took action against Clearview AI that started the chain of events that led to last week's Upper Tribunal decision.
- May 2022: The ICO issued an enforcement notice and penalty notice of £7.5 million to the company for a variety of infringements under the GDPR and UK GDPR. The ICO determined that Clearview AI was subject to the GDPR and UK GDPR, as a controller of personal data, on the basis that it monitored the behaviour of individuals in the UK.
- June 2022: Clearview AI appealed to the First-Tier Tribunal, including on the ground that it did not fall within the territorial scope of the GDPR and the UK GDPR. According to Clearview AI, this meant that the ICO did not have jurisdiction over the company.
- October 2023: The First-Tier Tribunal concluded that the ICO did not have jurisdiction to issue the notices, because although the company's processing activities were related to the monitoring of individuals' behaviour in the UK, Clearview AI's clients used its services for their criminal law enforcement and national security functions, which fell outside the material scope of the GDPR and the UK GDPR.
The Upper Tribunal was therefore asked to consider two main issues: (1) whether Clearview AI's processing fell outside the material scope of the GDPR and the UK GDPR; and (2) whether Article 3(2)(b) of the GDPR and the UK GDPR applied extra-territorially to its processing. Note that this article does not consider the first of those issues — which, although conceptually interesting, is unlikely to be of practical relevance to most readers.
The Upper Tribunal Decision
In short, the Upper Tribunal clarified the distinction between the processing of personal data by Clearview AI's clients, which the First-Tier Tribunal found was subject to the GDPR, and certain processing by Clearview AI itself, which the First-Tier Tribunal found was not subject to the GDPR. By contrast, the Upper Tribunal held that Clearview AI's processing of personal data relating to the indexing of facial images (i.e., the process of clustering similar facial vectors) did involve behavioural monitoring.
The specificity of Clearview AI's services means that the findings of the Upper Tribunal are, to a certain extent, fact-specific. That said, paragraphs 274 and 275 are relevant for all foreign organisations that monitor the behaviour of individuals in the UK — and particularly for those whose business models involve, or provide to other organisations, data processing activities that do not rely on human involvement.
"We agree with the ICO that Article 3(2) of the GDPR must be interpreted as a response to the challenges posed by the age of 'Big Data', which the Recitals show the EU legislators were keenly aware of and had in mind when deciding upon the terms of the regulation they were creating. It is important to approach the language of Article 3 with this in mind, and not to see it through the prism of analogue methods of monitoring and surveillance that require human involvement."
"We therefore adopt a broad interpretation of the words "behavioural monitoring" that encompasses "passive" collection, sorting, classification and storing of data by automated means with a view to potential subsequent use (including by another controller) of personal data processing techniques which consist of profiling a natural person. It does not require active "watchfulness" in the sense of human involvement, it does not require analysis beyond automated sorting and classification with a view to subsequent future use, and it does not require the data to be sorted and classified by reference to subjects' behaviour."
Next Steps
Clearview AI will reportedly appeal the Upper Tribunal's decision, so this is not yet the end of the story. In the meantime, one can envision the provision, and potentially the use, of a range of AI-enabled services that are likely to fall within the Upper Tribunal's expansionist view of extra-territorial application. And although it's tough to make predictions, especially about the future, it is difficult to see an appeal court materially narrowing this view.