In October, the U.K.'s First-tier Tribunal overturned the Information Commissioner's Office May 2022 fine and enforcement notice issued against Clearview AI. Clearview AI has no presence in the U.K., but its database includes images of individuals in the country scraped from public sites.
The ICO issued the fine on the basis that Clearview AI was processing personal data related to the monitoring of the behavior of individuals in the U.K., which triggered the extraterritorial application of U.K. data protection law. The FTT concluded the processing did not itself amount to monitoring but that U.K. data protection law could (in principle) apply to this processing because it was "related to" monitoring carried out by Clearview AI's clients. However, all of Clearview AI's clients were foreign government agencies carrying out criminal law enforcement and national security functions, with no U.K. or European Economic Area clients.
The FTT held that U.K. data protection law could not have extraterritorial effect in this specific situation. While the provisions on processing in connection with acts of foreign governments may only be of relevance to some readers, the conclusions on the breadth of the extraterritorial scope of data protection laws will be of wider interest, in particular as the U.K. General Data Protection Regulation is still in identical terms to the EU GDPR on this point.
Recap
Clearview AI is incorporated in Delaware, U.S., and does not have an establishment in the EU or U.K. It offers a service to clients where they can upload a photo, which matches against a database containing billions of photos obtained from scraping publicly available websites using automated programs.
Depending on the source of the image, additional information will also be collected by the company's scrapers as metadata, such as a link to the associated social media profile, HTML "hover text" associated with that image and a static URL.
In creating the database, Clearview AI created a set of vectors for each facial image using their machine learning facial recognition algorithm and sent these to be stored in a database. If faces are similar, the vectors will be stored closer together within the digital space, creating clustering. This clustering process is referred to as "indexing" in the decision. Given the vast size of this database, the tribunal found it reasonable to infer that images of U.K. residents are held within the database as well as images taken while in the country.
In May 2020, a decision was made to stop commercial clients using Clearview AI. This means the service is now only available to non-U.K./EU criminal law enforcement and national security agencies (and their contractors) to aid national security and criminal law enforcement.
In July 2020, the ICO began a joint investigation into the company with the Office of the Australian Information Commissioner into the company, and in May 2022, the ICO fined Clearview 7.5 million GBP and issued an enforcement notice.
What was in issue before the FTT?
The EU and U.K. GDPR both apply, on an extraterritorial basis, when a controller or processor outside the U.K. processes personal data relating to individuals in the U.K., where those processing activities relate to monitoring the behavior of the individuals within the country.
Meaning of 'relating to' the 'monitoring' of 'behavior'
The FTT held that the processing Clearview AI carried out was "related to" the monitoring of behavior that its clients carried out, as there was a very close connection between the creation, maintenance and operation of the database and the clients' monitoring. This gives a very broad territorial scope to the U.K. GDPR: it can apply to controllers or processors outside the U.K. who do not themselves monitor the behavior of individuals in the U.K. if their processing is "related to" monitoring of behavior carried out by others. The FTT noted "there must be a relationship between the processing of the individual's personal data and the monitoring of behaviour that is in issue."
The FTT said that behavior "indicates something more than simply being alive;" this would reveal that a person is doing something as opposed to language relating to a person's characteristics. The FTT gave examples: where someone is, what they are doing, or what they are holding/carrying. Clearview AI's images showed its clients information such as relationship status and occupation or pastime(s) — i.e., "behavior."
The FTT accepted that Clearview AI's creation of the vectors and clusters of images did not constitute monitoring. However, the FTT found Clearview AI's clients would be able to use the company's images to establish where a person was at a particular time, to watch a person over time by submitting images of the same person at different times, and to combine this with other surveillance they may be carrying out. The FTT concluded this amounted to monitoring.
The FTT drew attention to the use of the word "tracked" in Recital 24. In the FTT's view, the verb "to track" can bear two meanings: one pursuit of a person over time and the other being establishing a position at a fixed period. This interpretation seems incorrect to us. For example, the Oxford English Dictionary's definition of "track" as a verb only includes examples of usage that show tracking over a period of time.
Processing of personal data
The FTT agreed that the images and additional information in Clearview AI's database — such as name, relationship status, where the person is based, occupation or pastimes — constitute "personal data."
The FTT also confirmed that Clearview AI's activities amounted to "processing" — for example, scraping the images from the internet (collection), holding/storing the images and creating vectors from the stored images.
Scope of the EU GDPR and UK GDPR
The ICO took action in relation to some processing by Clearview AI that preceded Brexit and some that took place post-Brexit. Article 2(2)(a) GDPR makes clear the GDPR does not apply to processing that falls outside EU law. In oral arguments, the ICO accepted that this provision would cover processing carried out by overseas governments.
The FTT concluded Clearview AI's processing related exclusively to acts carried out by or for overseas governments, such that GDPR was not applicable. Post-Brexit, the U.K. GDPR provides that its extraterritorial provisions only apply to processing, which, pre-Brexit, would have been subject to the GDPR. Accordingly, the processing post-Brexit was also out of scope. As a result, the ICO had no jurisdiction to issue the monetary penalty notice or enforcement notice.
The decision, therefore, seems to turn on the parties' acceptance that acts of foreign governments fall beyond the scope of GDPR. Public international law is complex, and the principle is more nuanced than the tribunal suggested. It is not clear to what extent this was argued before the FTT.
Even if this principle is correct regarding acts taken by or on behalf of foreign governments, it is not clear if it should extend to the actions of a commercial organization, carried out speculatively, with the intent to develop a business providing services to foreign governments. The 2006 Court of Justice of the European Union decision invalidating the EU-U.S. Passenger Name Records Agreement decision (C-317/04 and C-318/04) from 30 May 2006 concluded the European Commission's adequacy decision was invalid because the decision concerned the processing of personal data outside the scope of Union law (namely, transfer of PNR data to U.S. authorities by airlines for security purposes, in line with U.S. statutes) (para.59).
The CJEU did note, however, that the initial collection of data by the airlines to sell tickets would be subject to Union law (para.57). This decision is not identical to the Clearview AI situation: the airlines had their own independent purposes for processing the data prior to transfer. As Clearview AI has no commercial purpose aside from the use by overseas authorities, the case could possibly offer some justification for the approach taken by the FTT.
Clearview as a controller
As a final point of interest, the FTT found there were two activities of processing — creation of the database and matching with client images. The FTT then held that Clearview AI was a controller for the first activity and a joint controller with its clients for the second activity. The FTT further held that Clearview AI was also a processor for both activities. The FTT stated that Clearview AI determines the purpose of processing and that both the company and its clients determine the means of processing by uploading images. The FTT stated these conclusions without presenting any legal analysis of the terms controller, joint controller and processor.
The conclusion that Clearview AI is both controller and processor for the same processing activities is inconsistent with guidance from both the European Data Protection Board and the ICO. The conclusion that Clearview AI and its clients can be joint controllers where only the company determines the purpose of processing and where a decision to use technology is treated as a determination of means of processing is inconsistent with CJEU case law and the guidance mentioned above. This suggests a lack of analysis by the FTT, which may affect the weight that should be given to the other, more central, aspects of the decision.
It is worth noting that FTT decisions do not constitute binding authority, and therefore, while the decision is clearly of wider interest any future Tribunal would not be bound to follow it. Whether the ICO seeks to pursue any further avenue of appeal against the decision remains to be seen. However, given that Clearview AI does not now operate or offer its services in the U.K., and this case dates back some time to the tenure of the previous commissioner, it may be that the ICO considers that there is little merit in pursuing the matter further.