Clearview Case

Stuart Skelly
|
Senior Consultant at URM
|
PUBLISHED on
27 Nov
2023

Table of Contents

In June 2022, URM wrote about the £7.5m + fine handed down by the Information Commissioner’s Office (ICO), UK’s privacy regulator, to US-based company Clearview AI (back then we didn’t really understand the significance of those ominous initials ‘AI’ – how times have changed in the intervening months!) Inc.  It is understood that Clearview is the world’s biggest facial image digital library, storing the mugshots and other personal data of literally billions of people.   The US company licenses this vast database to law enforcement agencies in the US and around the world (but not, significantly as it turns out, in the UK or EU) for the purposes of ‘matching’ the faces with images of alleged criminals caught on security CCTV footage, doorbell cameras, police ANPR systems etc.  Clearview claims to be a major force in the global fight against crime, although has been described less flatteringly in another blog as an online ‘selfie-scraper’.

As with any fines imposed by the ICO, organisations have 28 days to appeal against the Regulator’s ruling.  Well, that’s exactly what Clearview did.  And now news reaches URM that the UK’s First-tier Tribunal, which is the first court for appeals against enforcement action by the ICO and a number of other sector regulators, has found in favour of Clearview and set aside the ICO’s fine.

However, the appeal tribunal interestingly agreed with the ICO’s original judgement that Clearview’s processing amounted to monitoring of UK data subjects, which Clearview had disputed.  So how did the ICO lose?

It appears that the Regulator came to grief on a legal ground which, although it might be considered something of a technicality, is beloved of lawyers everywhere: namely, ‘want of jurisdiction’.  In other words, the ICO had unwittingly strayed outside the bounds of its legal remit to punish Clearview for processing which it, the ICO, did not actually have authority to regulate.

To understand the Tribunal’s ruling, we have to recall the data protection legislative arrangements which the UK put in place after the country left the EU.  Brexit resulted in a new UK-only version of the GDPR being introduced which protects the personal data of UK people, while the original EU GDPR continues to apply in the UK (as it does in the rest of the world) in relation to EU people’s data.  In addition, the UK has its own Data Protection Act 2018 (DPA 2018) which contains a large range of data privacy provisions covering matters and sectors that were not included in the EU GDPR.

The ICO’s fine and other enforcement action against Clearview were brought under the UK GDPR.  The part of the UK GDPR which enabled Clearview’s successful appeal is Article 2.2b, which states that the Regulation does not apply to “the processing of personal data by a competent authority for any of the law enforcement purposes” set out in Part 3 of the DPA 2018.

Clearview successfully argued that the processing by its foreign law enforcement clients of the data resulting from its monitoring, and therefore the monitoring by Clearview itself, should be considered as being for law enforcement purposes, and therefore it benefits from the exemption in Art. 2.2b of the UK GDPR.

As our previous blog on this subject noted, the ICO fine came after two other (bigger) fines were imposed on Clearview, for basically the same reasons, by the data protection authorities in France and Italy (Greece has since been added to that list).  How the First Tribunal’s decision (applying the UK GDPR, not the EU version remember) may affect the validity, and hence enforceability, of these three other penalties is unclear – they were decided under the EU GDPR of course (although the EU GDPR does have an exclusion for law enforcement processing, similar to the UK GDPR’s Art. 2.2b, in its Art. 2.2d).

It should be noted that Clearview has not paid any of the fines it received from the EU regulators, nor complied with the other enforcement actions the European authorities sought to deploy against it – e.g., data deletion orders and stop-processing injunctions.  URM will be following with interest the progress of the three EU supervisory authorities in recovering any money from Clearview, and their success or otherwise in applying these other sanctions against the US organisation.

In the meantime, the ICO has 28 days to appeal against the First-tier Tribunal’s ruling.  And it would appear that Clearview might still have case to answer: either the ICO could argue (on appeal to the Upper Tribunal) that it was not the processing by the exempt foreign law enforcement bodies (the ‘competent authorities’ to which Article 2.2b of the UK GDPR refers) that the UK Regulator took action against, but rather the non-exempt private US company’s processing that it was penalising; or the ICO could raise a fresh action against Clearview, for the same processing infringements, but brought under the ‘right law’ this time – the law enforcement provisions in Part 3 of the DPA 2018.  The ICO says it is ‘carefully’ considering its next steps; and, given these factors, together with the size of the fine and the high profile of the case, it is difficult to see how the regulator can simply let this matter lie.

Stuart Skelly
Senior Consultant at URM
Stuart is a highly experienced and knowledgeable GRC consultant at URM who has specialised in data protection law for 25 years.
Read more

Do you need assistance in improving your GDPR compliance position?

URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, privacy notices, data retention schedules and training programmes etc.
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
What is the UK International Data Transfer Agreement and What Are the Implications?

On 2 February 2022, the Information Commissioner’s Office (ICO) laid before Parliament changes around restricted international personal data transfers.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
25/7/2022
In-house Resource vs Virtual DPO

This blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
19/1/2024
Analysis of Fines Imposed by the Information Commissioner’s Office in 2023

URM’s blog breaks down the fines issued by the ICO in 2023 for data protection breaches, highlighting emerging trends in their approach to enforcing compliance.

Read more
Complicated topic summarised really simply making GDPR accessible. I would love a recording as was distracted part way through and would like to re-enforce my knowledge by listening again (possibly a couple of times just to get it to sink in......)
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.