Tribunal Overturns UK ICO’s Enforcement Action Against Clearview AI

 
November 08, 2023

Key Takeaways

  • The ICO issued Clearview AI with an enforcement action, including a fine of around £7.5 million and an order to delete certain data, for breaches of the UK GDPR in relation to its facial recognition data. The Tribunal overturned the action on Clearview’s appeal, holding that the ICO lacked jurisdiction under the UK GDPR because US-based Clearview offered its services exclusively to non-UK law enforcement agencies, which is not in scope of the UK GDPR under the law enforcement exception.
  • Although the Tribunal ultimately overturned the action based on the material scope of the UK GDPR, the decision also offers helpful analysis and insights regarding the territorial scope of the legislation and the concept of joint controllership.
  • Non-UK established companies that engage in any monitoring-type activities, or that provide services that enable their customers to conduct monitoring, will want to conduct a careful analysis of their activities to determine the extent to which those activities may fall directly within the scope of the UK GDPR.

Clearview’s Activities

By 2022, Clearview AI Inc (“Clearview”) had amassed a global online image database of over 20 billion images of individuals’ faces and related data, without their knowledge. This database was licensed to its clients, which consisted of foreign government agencies and government contractors assisting them in conducting criminal investigations, identifying criminal suspects, national security threats and victims of crime.

Clearview created its database by scraping images published on the internet, copying related information and using an AI machine learning facial recognition algorithm to create, store and index images with similar facial vectors together (“Activity 1”).

The company also kept “probe images” uploaded by clients who wished to use the service. Clients would upload a probe image, which would be compared against Clearview’s existing image database using the algorithm, with the aim of providing clients with images that had matching facial vectors. The comparison results, based on the degree of facial similarities, would then be delivered to clients along with thumbnails of up to 120 results from each search (“Activity 2”).

The ICO’s Decision

On 18 May 2022, the UK Information Commissioner’s Office (“ICO”) issued Clearview with (i) a Monetary Penalty Notice, and (ii) an Enforcement Notice, for breaching the UK General Data Protection Regulation (“UK GDPR”)[1] by misusing people’s biometric data for facial recognition and data scraping from the internet. The penalty notice included a fine of around £7.5 million and an order requiring Clearview to stop obtaining and using the personal data of UK residents that was publicly available on the internet, and to delete the personal data of UK individuals from its database (the “Notices”).

The following month, Clearview appealed the ICO’s decision to the First-tier Tribunal (“Tribunal”) (i) arguing that there were no breaches of the UK GDPR, (ii) contesting the ICO’s description of its services, and (iii) disputing the ICO’s jurisdiction to issue the Notices.

The Tribunal’s Decision

The headline of the decision was the Tribunal’s finding that Clearview’s processing activities were outside the material scope of the UK GDPR because Clearview only provided its services in relation to criminal law and national security functions of non-UK/EU government authorities. The Tribunal stated that “[i]t is not for one government to seek to bind or control the activities of another sovereign state.” The specific limitations of Clearview’s field of activity were critical.

Of more general interest though is the Tribunal’s analysis of the UK GDPR’s territorial scope provisions in Article 3, which have received little judicial attention to date. The ICO had relied on Article 3(2)(b) to bring US-based Clearview within scope. Under Article 3(2)(b), the UK GDPR applies to the processing of personal data of UK individuals by a non-UK established controller/processor, where the processing activities are related to the monitoring of such individuals’ behaviour in the UK. The ICO’s argument was not that Clearview itself was monitoring the behaviour of data subjects, but rather that its processing was related to the monitoring of the behaviour of data subjects in the UK by its law enforcement clients.

The Tribunal clarified that:

  • an individual’s behaviour is something that an individual does, rather than their characteristics. It includes actions that reveal details such as where they are, what they are doing, what they are saying, who they associate with, what they are holding, and what they are wearing;

  • the definition of monitoring is highly fact specific, but in this context, it could include establishing a location at a specific time, watching an individual over a period of time and using information to produce a narrative about a person. Monitoring does not have to be continuous and could include a single incidence; and

  • the meaning of “related to” implies a connection between the processing of an individual’s personal data and the monitoring of behaviour that is in issue, meaning that monitoring would not have to be carried out by a controller itself and could be carried out by third parties.

Ultimately, the Tribunal concluded that, based on the facts, Article 3(2)(b) was applicable, because Clearview’s clients were monitoring the behaviour of UK individuals through seeking to ascertain details about what they were doing. Given the close connection between Clearview’s processing and such monitoring (as such processing enabled the monitoring), this meant that Clearview’s processing was within the territorial scope of the UK GDPR. However, since all of Clearview’s customers were foreign law enforcement agencies, its processing activities fell outside the material scope of the UK GDPR.

Finally, the Tribunal also held that Clearview acted as a sole controller with regard to Activity 1 processing and as a joint controller with its clients with regard to Activity 2 processing. This latter determination was on the basis that (i) Clearview determined the purposes of the processing, as it only provided its services to those who wished to use them for law enforcement and national security purposes, as set out in its terms and conditions, and (ii) both Clearview and its clients determined the means of processing, with the clients uploading probe images and Clearview conducting the matching process and providing the clients with matched images and additional information. Clearview was also held to be a processor for both Activity 1 and Activity 2 processing.

Comment

At the date of writing, the ICO has not confirmed whether it will appeal the Tribunal’s decision, but an ICO spokesperson said in a statement that:

“The ICO will take stock of today’s judgment and carefully consider next steps. It is important to note that this judgment does not remove the ICO’s ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement.” [emphasis added]

The Tribunal’s analysis of the territorial scope provisions follows the expansive approach taken in Soriano v Forensic News LLC (see our previous OnPoint here). Non-UK established companies that engage in any monitoring-type activities, as well as those that do not undertake monitoring themselves but that provide services enabling their customers to conduct monitoring, will want to conduct a careful analysis of their activities and the extent to which those activities may fall directly within the scope of the UK GDPR.

Moreover, service providers that restrict the purpose of use of their services should consider whether such restrictions could be deemed as them determining the purposes of processing, and whether this could lead to a risk of joint controllership status with their customers. Joint controllership has traditionally been avoided because of the implications of joint and several liability, so companies in this position may wish to revisit their contractual liability position with their customers.

Footnotes

1. For ease of reading, this OnPoint refers only to the UK GDPR but the ICO’s notices and the Tribunal’s decision referred also to the EU GDPR prior to the UK’s exit from the EU.
