Clearview AI Inc v The Information Commissioner: Clearview AI successfully overturns ICO fine

Background

Clearview is a provider of facial recognition software. This software matches an image of a person who a customer is trying to identify (a 'probe image') to images in Clearview's database and provides certain information about any matching image, for example the URL² at which the image was located, any text associated with the image and any EXIF³ data. The images in Clearview's database are scraped from the public internet worldwide, including social media and news sites.

In May 2022, the ICO issued Clearview with: (i) a Monetary Penalty Notice, requiring it to pay a £7,552,800 fine; and (ii) an Enforcement Notice, requiring it to delete and refrain from processing the personal data of any data subject resident in the UK.

The ICO based these notices on its finding that Clearview had breached the GDPR and UK GDPR by processing UK residents' personal data without any lawful basis by obtaining UK residents' images and associated information, holding this data in its database and matching it to probe images.

Clearview appealed this decision, arguing that the ICO did not have jurisdiction to issue the notices.

Judgment

The First-tier Tribunal overturned the notices issued by the ICO, holding that ICO did not in fact have jurisdiction to issue them.

It was common ground between the parties that Clearview was not established in the EU or UK and therefore the GDPR and UK GDPR only applied to Clearview's activities to the extent they came within the extraterritorial effect of the Regulations (set out in Article 3(2) of each Regulation).

In issuing the notices to Clearview, the ICO had relied on part (b) of Article (3)(2) GDPR/UK GDPR. This provides that the relevant Regulation applies to the:

'processing of personal data of data subjects who are in the [jurisdiction] by a controller or processor not established in the [jurisdiction], where the processing activities are related to … the monitoring of their behaviour as far as their behaviour takes place within the [jurisdiction]'.

Article 3(2) UK GDPR contains an additional requirement that the processing be 'relevant processing' as defined in Article 3(2A) UK GDPR. This is discussed further in section 4 below.

The Tribunal therefore considered whether the various elements of Article 3(2)(b) had been satisfied:

1. Monitoring of behaviour

The Tribunal began by considering whether the behaviour of UK data subjects in the UK had been monitored.

It noted that the monitoring did not need to be carried out by Clearview itself. This was clear from the wording of Article 3(2)(b) which referred to 'the monitoring' rather than 'their monitoring' and the Court of Appeal decision in Soriano v Forensic News LLC and others [2021] EWCA Civ 1952.

Regarding the meaning of 'behaviour' and 'monitoring', it held that it could not
exhaustively define either term but explained that:

• 'Behaviour' relates to the doing of something by a person, rather than simply their characteristics. Identification of a person's name, hair colour or age would not amount to 'monitoring of behaviour' but identification of where they are, what they are wearing or who they associate with could do so.
• 'Monitoring' could include establishing where a person is or was at a particular point of time, watching a person over time by repeatably submitting probe images or combining data from probe search results with information from other forms of surveillance. Monitoring did not have to be a repeated action; it included a single incidence.

Taking this all into account, the Tribunal concluded that:

• Clearview itself was not monitoring behaviour. The ICO had argued that by gathering 'facial vectors' from images and indexing the images according to the similarity in those vectors, Clearview was monitoring behaviour, but the Tribunal found that this process 'reveal[ed] nothing about the behaviour of a person because it is an automated, mathematical exercise'.
• However, Clearview's customers were monitoring behaviour, specifically that of the individuals who appeared in probe images, as they were seeking to identify facts about where those individuals were and who they associated with (among other things). The Tribunal did note, however, that the mere identification of individuals by Clearview's customers would not have amounted to monitoring of their behaviour.

The Tribunal also held that it was more likely than not that this monitoring related to the behaviour of UK data subject in the UK on the basis that Clearview's customers could be investigating international activities. This element of Article (3)(2)(b) was therefore satisfied.

2. Processing personal data of UK data subjects

The Tribunal then considered whether Clearview was processing the personal data of UK data subjects.

In relation to the 'processing' element, the Tribunal accepted the ICO's argument that Clearview processed personal data through two types of activities: (i) creating and maintaining its database of images; and (ii) receiving probe images from clients, matching these images to images in its database and providing search results to clients.

It also accepted ICO's argument that this processing was of personal data of UK data subjects, finding that: (i) Clearview's database contained personal data of UK data subjects, and (ii) vectors created from the images of UK residents and processed as part of the matching process were personal biometric data.

3. Data processing by Clearview 'related to' the monitoring of behaviour by its customers

Finally, the Tribunal considered whether Clearview's data processing was 'related to' the relevant monitoring of behaviour by its customers.

The Tribunal noted that there was no legislative definition of 'related to' but that the Court of Appeal in Soriano had held that it meant that there was a relationship between the processing of the individual’s personal data and the monitoring of behaviour that was in issue.

The Tribunal found that such a relationship existed between Clearview's processing and the monitoring by its customers as:

• Clearview's customers could not carry out their monitoring without the processing carried out by Clearview in creating and maintaining the database.
• The purpose of the processing involved in Clearview receiving probe images, matching these images to images in its database and providing search results was to enable Clearview's customers to carry out their monitoring.

4. Out of scope?

Although on the face of it the requirements of Article 3(2)(b) were therefore satisfied, the Tribunal ultimately concluded that Clearview's data processing did not fall within the scope of the GDPR or UK GDPR as the GDPR did not apply to data processing carried out as part of foreign law enforcement activities.

In relation to the GDPR, the Tribunal found:

• Article 2(2) GDPR operates to exclude from the scope of the GDPR certain types of data processing to which the Regulation would otherwise apply.
• One such type of excluded data processing is 'the processing of personal data … in the course of an activity which falls outside the scope of Union law' (Article 2(2)(a) GDPR).
• It was common ground between the parties that acts of foreign governments fell outside the scope of EU law.
• In light of Clearview's uncontested evidence that it only provided its services to non-UK/EU law enforcement bodies and their contractors for the purposes of criminal law enforcement and/or national security functions, its data processing was outside the scope of the GDPR⁴.

The Tribunal reached the same conclusion in relation to the UK GDPR, but by a slightly different route (given the differences between the Regulations):

• As noted above, Article 3(2) UK GDPR contains an additional requirement which must be satisfied for it to apply, namely that the processing is 'relevant processing'.
• Article 3(2A) UK GDPR explains that 'relevant processing' means 'processing to which this Regulation applies other than processing described in Article 2(1)(a) or (b) or (1A)'.
• Article 2(1)(a) UK GDPR states that '[UK GDPR] applies to the automated or structured processing of personal data, including … processing in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law'.
• As Clearview's processing was processing in the course of an activity which fell outside the scope of EU law immediately before IP completion day, it came within the scope of Article 2(1)(a) UK GDPR. By virtue of Article 3(2A) UK GDPR, it did not therefore amount to 'relevant processing' for the purposes of Article 3(2)(b) UK GDPR. The UK GDPR therefore also did not apply.

5. Observations

This decision should be carefully considered by entities outside the UK which process the personal data of UK data subjects as part of their activities. If this processing relates to the either: (i) the monitoring of the behaviour of data subjects in the UK; or (ii) the offering of goods or services to such data subjects (irrespective of whether a payment is required), either by entity itself or by a third party, the UK GDPR could apply to the relevant activities. This will be of particular interest to service providers, who could find themselves liable under the UK GDPR as a result of the activities of their customers.

The decision also provides useful guidance on key concepts relevant to determining the extraterritorial application of the UK GDPR: namely, what constitutes 'monitoring' and 'behaviour' and when data processing will be 'related to' such monitoring.