Out-Law News 2 min. read
The ICO won an appeal against Clearview AI. Leon Neal/Getty Images
15 Oct 2025, 2:29 pm
The UK’s data protection authority has won an appeal against a tribunal ruling which originally found it did not have the power to take enforcement action against an AI facial recognition software developer.
The Information Commissioner’s Office had fined US firm Clearview AI more than £7.5 million and ordered it to delete the data it had obtained from UK residents from its systems, banning it from adding further information from publicly available data.
Clearview had appealed the ruling, however, and a First Tier Tribunal had ruled in October 2023 that ICO did not have jurisdiction to issue an enforcement notice and financial penalty against the facial recognition software developer.
However, that has now been overturned, with the Upper Tribunal agreeing to three of ICO’s points of appeal: that the processing of personal information relates to monitoring the behaviour of UK residents; that it doesn’t fall outside the reach of data protection law in the UK as it provided services to foreign agencies; and that the law had been applied incorrectly by the First Tier Tribunal.
The Upper Tribunal has now ordered the case be sent back to the First Tier Tribunal to determine the appeal, based on the fact that the commissioner did indeed have jurisdiction – although Clearview can still appeal this decision.
Anna Flanagan, a data protection expert at Pinsent Masons, said: “The emphasis on article 3(2)(b) – which captures processing related to behavioural monitoring – underscores the need for organisations operating in cross-border data environments to assess not only territorial establishment but also the nature and purpose of data processing, in order to understand the extraterritorial applicability of the UK GDPR.”
The company offers facial recognition services to intelligence and investigative services, which allows users to find the identity of people in images based on a database of more than 30 billion photos scraped from the internet.
The people whose faces are scanned are not aware of this and have not given explicit consent to the processing of their personal data.
The UK information commissioner John Edwards said he welcomed the tribunal’s ruling.
"The UT’s decision has upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge,” he said.
"It is essential that foreign organisations are held accountable when their technologies impact the information rights and freedoms of individuals in the UK."
The ruling comes after data protection authorities in the Netherlands hit Clearview with a €30.5 million fine for its processing of a database of Dutch people.
Malcolm Dowden, a privacy expert at Pinsent Masons, added: “The UK Upper Tribunal ruling brings UK data protection law back into line with the approach taken under EU GDPR. Clearview’s processing of UK individuals’ images is within both the material and territorial scope of UK GDPR and so the ICO, like its EU counterparts, is entitled to pursue enforcement action even though Clearview’s processing occurs overseas and its services are sold to non-UK and non EU/EEA law enforcement bodies.”