UK GDPR still has extra-territorial scope despite Clearview AI ruling, firms warned

Earlier this month, the First Tier Tribunal of the General Regulatory Chamber held that the ICO did not have jurisdiction to issue an enforcement notice and a monetary penalty notice against the facial recognition software developer. In May 2022, the ICO found that Clearview infringed a number of articles under the UK’s General Data Protection Regulation (UK GDPR), issuing a £7.5 million fine and an enforcement notice requiring the company to delete the personal data of UK data subjects held in its database.

Emily Cox, litigation expert at Pinsent Masons, said: “This decision is limited in some respects to its facts, and Clearview’s uniquely law enforcement client base, but it will come as a real blow to the ICO which will have hoped this would be an easy ‘win’ in the technology sector following so soon after Experian’s successful appeal earlier this year.”

“Despite this, the decision was positive for the ICO in many respects. In particular, the regulator will take comfort from the fact that the tribunal confirmed its analysis regarding the extra-territorial reach of the UK GDPR, such that commercial businesses without a presence in the UK could still be caught within its regulatory scope,” Cox added.

The tribunal was satisfied that Clearview’s services met the territorial threshold under Article 3(2)(b) of the UK GDPR, which extends the scope of the regulation to controllers or processors that are not established in the UK if they process personal data of data subjects in the UK. It said the service Clearview provides to its clients includes the processing of personal data of data subjects in the UK, and that processing relates to the monitoring of data subjects’ behaviour in the UK as far as their behaviour takes place in the UK.

In addition, the tribunal concluded that there is a reasonable inference that there are images of UK residents in Clearview’s image database, given the size of the database, the heavy use of the internet and social media in the UK, and the wide extent of the resources copied and scraped to collate the data. As a result, the tribunal concluded, Clearview’s service does potentially impact data subjects in the UK despite the fact that Clearview does not have any clients in the UK and does not use any UK servers or IP addresses.

However, the tribunal ultimately decided that Clearview’s data processing was beyond the material scope of the UK GDPR by Article 2(2)(a) because the processing was in the course of an activity which, immediately before the Brexit implementation period ended on 31 December 2020, fell outside the scope of EU law.

The ICO did not challenge the fact that Clearview only provides its facial recognition service to criminal law enforcement and national security agencies territories outside of the UK and the EU, in support of the discharge of their respective functions. The tribunal held that the GDPR does not extend to such law enforcement activities of foreign governments.

Cox said: “The tribunal had the benefit of various EU Data Protection Agency (DPA) decisions, although it was not suggested these were binding. It did not dwell on the contents of these, but the analyses do not appear to consider the law enforcement aspect.”

“Accordingly, fines of €20m levelled in each of France, Italy and Greece in 2022 stand, as well as a further fine of €5.2m in France this year for lack of evidence of Clearview’s compliance. There are no reports at this time that these decisions have been appealed, which means a divergence of regulatory outcomes in those EU member states and the UK at this time,” Cox said.

Chelsea Clayton of Pinsent Masons said: “It remains to be seen whether the ICO will choose to appeal against the tribunal’s decision; it has said it is considering. What is more certain is that the spotlight on facial recognition and similar businesses is unlikely to diminish soon. Businesses outside of the UK but operating with those technologies with UK data subjects’ data should be mindful that the UK GDPR is likely to apply.”