7 November 2023

General Data Protection Regulation Fine ... Overturned!

Brown Rudnick LLP


Brown Rudnick is an international law firm that serves clients around the world from offices in key financial centers in the United States and the United Kingdom. We combine ingenuity with experience to achieve great outcomes for our clients in high-stakes litigation and complex business transactions. We deliver partner-driven service; we incentivize our lawyers to collaborate in the client’s best interest; and we put excellence before scale, focusing on industry-driven, client-facing practices where we are recognized leaders.
In a surprising turn of events, on Oct. 18 a First-tier Tribunal in the U.K. overturned a fine previously issued by the U.K.
United States Privacy
To print this article, all you need is to be registered or login on

In a surprising turn of events, on Oct. 18 a First-tier Tribunal in the U.K. overturned a fine previously issued by the U.K. Information Commissioner's Office (ICO) against facial recognition company Clearview AI for failing to comply with the principles of the General Data Protection Regulation (GDPR), lacking a lawful basis to process personal data, and unlawful processing of special category and biometric data.

Clearview successfully argued that ICO has no authority over Clearview's data processing practices, or to fine Clearview for such practices despite some of the processed data belonging to U.K. residents. The Tribunal agreed with Clearview on the basis that Clearview is only providing its facial recognition services to law enforcement and government agencies based outside the U.K., and that the GDPR does not allow ICO to interfere with the policies and operations of other governments. Interestingly, processing of personal data by U.S. agencies was a point of central topic in the Schrems II case (which invalidated the Privacy Shield) and in the debate over whether to grant the United States an adequacy, and is now serving as Clearview's saving grace.

While having an extra £7.5M is certainly a win for venture-backed Clearview, the greater victory is its ability to continue operating its business, matching images of faces to a database of images collected from the internet, and thanks to this recent decision from the tribunal, even though such a business model triggers the U.K. GDPR when it involves images of U.K. residents, Clearview has little to fear from ICO as long as it is doing such processing on behalf of its law enforcement and other government agent customers. It appears Clearview's decision in May of 2022 to limit the sale of its software may have cost a short-term decrease in revenue, but yielded a more compliant and resilient business model, from a data privacy perspective.

This resiliency in business model could further improve if Clearview is able to successfully argue on appeal that the similar fines it has been issued in France (because the EU and U.K. versions of the GDPR are identical) and elsewhere should be overturned on the same basis, giving Clearview the keys to unlock a similar freedom to operate in the European Union and elsewhere.

With the future of artificial intelligence seeming uncertain overseas, Clearview's success in the U.K. could serve as the blueprint for the ideal customer base (government actors of the U.S. and perhaps other jurisdictions) for AI companies to pursue/target to avoid massive and systemic fines outside of the United States.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More