In this blog, we explore the Upper Tribunal’s recent decision to uphold the Information Commissioner’s Office’s (ICO’s)* appeal in the Clearview AI case, clarifying the extraterritorial scope of the UK General Data Protection Regulation (GDPR) and rejecting the law enforcement exemption for private companies. We discuss why this ruling is significant for organisations monitoring UK individuals, even without a UK presence. However, the blog also highlights a critical enforcement gap: fines against companies with no UK assets remain practically unenforceable, undermining GDPR’s global reach. Finally, we consider emerging developments, including potential criminal proceedings, that could reshape cross-border data protection enforcement.
*From early 2026 to be referred to as the Information Commission.
On 8 October 2025, the UK’s data protection regulator, the ICO, published a press release announcing that the highly debated 2023 decision of the First-Tier Tribunal (FTT) in the case of US data-scraping company Clearview AI, Inc. (Clearview) had finally been overturned by a data protection appeals body, the Upper Tribunal (UT). It is quite a long ruling from the appeals panel, but suffice it to say that the UT upheld the ICO’s arguments in two enormously influential and potentially far-reaching respects.
To learn more about the FTT’s 2023 ruling on this case, read our blog Clearview Case.
The Upper Tribunal’s Ruling
The case concerns Clearview scraping millions of photographs of people’s faces from the public-facing web without their knowledge (and therefore consent). Acting on behalf of its law enforcement and national security clients (all now located outside of Europe, though this was not always the case), Clearview would use facial recognition software to compare those images to faces caught on CCTV surveillance footage or doorbell security cameras around the world, to assist in its law enforcement clients’ work preventing or detecting crime. The UT confirmed that this processing counts as ‘monitoring’ for the purposes of the territorial scope of the UK GDPR in its Article 3. Because this monitoring looks at the behaviour of UK people that occurs within the UK, Article 3.2b is engaged and the GDPR applies to that form of processing of UK people’s data, wherever it takes place in the world, and regardless of whether the entity processing the data has a physical ‘establishment’ in the UK. This part of the UK GDPR is an important aspect of the Regulation’s so-called ‘extraterritorial effect’ – the idea and intention that organisations monitoring personal information about the behaviour of individuals in the UK are in scope of the GDPR, and must adhere to its principles and provisions protecting the privacy of people in the UK, even if those organisations are wholly based outside of it.
Second, and perhaps even more importantly, the UT agreed with the ICO that Clearview acting on behalf of law enforcement authorities did not entitle it to rely on one of the exemptions from the material scope of the UK GDPR (i.e., the types of processing which the Regulation does not cover) contained in its Article 2. That is the provision in Art. 2.2b of the UK GDPR, which states that processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of crimes is excluded from the material scope of the Regulation, so that all processing by such competent authorities for those listed crime-fighting purposes is exempt. As an aside, the processing of personal information in the UK for the purposes of law enforcement is governed by separate legislation from the UK GDPR, namely Part 3 of the Data Protection Act 2018.
In the original hearing of the Clearview case by the FTT two years ago, it controversially decided that, despite not being a police force or similar organisation itself, Clearview was a ‘competent authority’ and therefore its activities with crime-fighting agencies benefited from the exemption. That was widely viewed at the time (including by URM) as wrongly interpreted and a misapplication of the Art. 2(2)(b) exemption.
However, to the great relief of the ICO, that part of the FTT’s ruling has now been reversed: merely working for a law enforcement authority does not make an organisation such as Clearview itself an anti-crime body. It is not a public legal authority, but rather remains a private company charging a fee to police forces and others, and profiting from performing this sort of processing on their behalf. So, the UT has remitted the case back to the FTT for the ICO’s original fine of £7.5m imposed on Clearview to be reinstated by the lower tribunal. As we argued at the time, this was a case that the regulator couldn’t afford to lose, and the sense of relief was palpable in the Information Commissioner’s press release detailing the win. Clearview has said that it will appeal against the UT’s judgement to a senior civil court (presumably the Court of Appeal of England and Wales), but it is unclear which aspect of the UT’s ruling can be appealed against successfully – it all seems logical and watertight.
Enforcement Limitations
However, as with all court or tribunal rulings, that is not the end of the story. To have meaning, the UT’s judgement and the ICO’s upheld fine must be enforceable against the respondent company, Clearview. This is where the ruling of the UT could, in fact, be a hollow victory for the ICO and the UK GDPR generally. As the Commissioner’s press release suggests, the ruling undoubtedly sets a valuable precedent on questions such as the definition of ‘monitoring’ for the purpose of Article 3.2b, and the interpretation of the law enforcement exemption in Art. 2.2b. But what the statement did not make clear is the unpalatable fact that the ruling is only of use against organisations with a physical presence or assets in the UK, such as a bank account or property such as office equipment, computers, etc., against which it can be enforced. Clearview, of course, has no such UK-based establishment or assets.
This is a much-underreported feature of both the UK GDPR and the original EU Regulation’s operation. Recent years have seen numerous eye-catching headlines about enormous penalties imposed by European data protection authorities on the European headquarters of foreign-based global companies such as Meta, Amazon and TikTok, penalties that were successfully enforced and paid, and sometimes ran into the billions of euros. However, it is a little-known fact that no fine levied against a non-European organisation with no establishment or assets in the UK or EU has ever been successfully enforced against such a company. Not one, in the more than 7 years since the GDPR came into effect. Moreover, it is highly unlikely that there will be a case of successful enforcement in these circumstances, because the world currently lacks a method of enforcing administrative fines (such as data protection fines from national regulators) across borders. This reality significantly undermines the GDPR’s widely publicised claim of having ‘long-arm jurisdiction’. What value does an ‘international’ law hold if it cannot be effectively enforced against organisations that are based solely in foreign countries? And, when those countries include places like the US and China, where vast amounts of personal data processing (including monitoring of the behaviour of people in the UK and EU) occur, can the GDPR really be accurately described as the ‘world’s first global data protection law’?
What evidence is there that Clearview AI, and other US businesses engaging in offshore monitoring of British people, will not simply flout any FTT decision upholding the ICO’s £7.5m fine from 2022? Clearview has already ignored much larger fines for exactly the same infringements from no fewer than four EU data protection bodies in recent years – Italy, Greece, France and the Netherlands – with fines ranging from €20m to €30.5m imposed, but not one cent collected, by those supervisory authorities.
It is not evident where the ICO goes from here on this issue, but in the absence of any special arrangement between the UK and US for the enforcement of administrative fines or other radical change, the UK privacy regulator does seem destined to face the same challenges faced by its European counterparts.
A Possible Challenge From Max Schrems
Despite this, there may be some hope on the horizon; very recently, it was publicised that Max Schrems, the Austrian who is probably the world’s most famous data protection rights activist, has been in contact with his local state prosecutor’s office with a view to exploring whether criminal charges available under Austrian national data protection legislation can be brought against Clearview and its directors personally. Unlike for administrative fines, well-developed international systems are of course in place for enforcing criminal charges and fines across borders, such as extradition treaties and mutual recognition and enforcement of criminal penalties agreements. So, such a move could prove more effective in bringing Clearview to justice, but whether Austrian prosecutors are prepared to pursue this course remains to be seen.
We at URM will be watching out for any announcements from Austria and Mr Schrems on this topic – it is a very recent development. But it seems unlikely that we have heard the last of Clearview AI on this matter. Although, with this recent ruling of the UT, the ICO might have felt that Clearview had lost the final decisive battle, the broader conflict appears to be far from over.
How URM Can Help
With 20 years of experience in helping organisations to achieve and maintain data protection compliance (and therefore avoid enforcement action from the ICO), URM is the ideal partner to provide consultancy services that allow your organisation to do the same. Our experienced team can offer a range of GDPR support services to help your organisation comply with the Regulation. To identify your current level of compliance, we can conduct a GDPR gap analysis of your processing practices, providing remediation support to help you close any gaps. We can also offer more specific services such as assistance with records of processing activities (RoPA), data privacy impact assessments (DPIAs) and data transfer impact assessments (DTIAs). If your organisation receives data subject access requests (DSARs), we can provide DSAR support in the form of our redaction service, whereby our experts apply the necessary exemptions and redactions to ensure the request is responded to in full compliance with the Regulation. Or, for ongoing support, URM can offer a virtual data protection officer (vDPO) service, which allows you to access an entire team of DP practitioners, each with their own specialised area of GDPR consultancy.
To enhance your own understanding of the GDPR and the UK data protection regime in general, URM runs a number of data protection-related training courses, all of which are led by an experienced data protection practitioner. Our courses on conducting DTIAs, DPIAs, and on responding to a DSAR will teach you how to perform these key compliance activities, thereby expanding your professional skillset and enabling you to significantly contribute to your organisation’s data protection compliance programme. To gain an industry-recognised qualification in DP, we also regularly deliver the BCS Foundation Certificate in Data Protection (CDP) course, which will fully prepare you to take the BCS invigilated exam.