As we reported in May 2022, the IC issued an enforcement notice and monetary penalty notice (in the sum of £7.5m) to ClearviewAI, a US company without an establishment in the EU or UK. It offered a facial recognition service to customers involving the submission by customers of an image, and then ClearviewAI comparing that against a database of images scraped from the internet. This was to enable its customers to carry out their law enforcement or national security functions. None of its customers were based in the UK or EU.
The notices were issued on the basis that ClearviewAI’s processing of (special category) personal data fell within the territorial scope of the (UK) GDPR as defined in Article 3(2)(b), in that it related to the monitoring of data subjects’ behaviour in the UK. ClearviewAI appealed against the notices to the FTT, taking a jurisdictional point that their activities did not fall within the (UK) GDPR’s territorial scope (or, for good measure, their material scope).
The FTT concluded that ClearviewAI’s database would include images taken in the UK of UK residents. That means that its facial recognition service ‘could have an impact on UK residents even though it is not used by UK customers’.
But the FTT concluded, following detailed analysis of Articles 2 and 3 of both the EU and UK GDPR, that the processing of personal data by ClearviewAI did not constitute monitoring the behaviour of the data subjects. ‘It seems to us that the word behaviour indicates something more than simply being alive. […] We have concluded that a description of a person’s behaviour will include a verb.’ It goes beyond mere identifying detail. Simply identifying an individual would not be enough to qualify as ‘monitoring of the person’s behaviour’. Despite this finding, the FTT concluded that ClearviewAI’s clients are monitoring a data subject’s behaviour: the photographs provided by the facial recognition service go beyond just providing an identification, but assist with other aspects of what a person is doing at a given time. While ClearviewAI’s indexing of the images scraped from the internet is not monitoring, it is related to the monitoring carried out by their clients. On that basis, if the processing was within the material scope of the UK/EU GDPR, then territorial jurisdiction would be made out.
All of this however led nowhere: the processing was held to be outside the scope of EU law, which put it outside the material scope of both the UK and EU GDPRs. On that basis, the EU/UK GDPR did not apply, and the notices were issued without jurisdiction. The basis for this was that one government cannot bind another, so Clearview’s service being offered only to foreign law enforcement/national security organisations mean it fell outside the scope of Union law.
It has to be said that the FTT, having spent 144 paragraphs establishing whether or not the processing was within territorial scope, then disposes of the material scope issue within 14 paragraphs, and its reasoning is not especially clear. It appears to be based on the inability of one sovereign state to bind another: ‘the activities of foreign governments fall outside the scope of Union law’, therefore the EU GDPR does not apply by virtue of Article 2(2)(a). And by virtue of UK GDPR Article 3(2A) read with UK GDPR Article 2(1)(a), that also takes it out of the scope of the UK GDPR. But Clearview is not a foreign government, though its customers may well be foreign government agencies. It will be interesting to see if the Information Commissioner mounts an appeal.
Regardless, the discussion of territorial jurisdiction in many ways expands (or at least confirms the breadth of) the scope of the IC’s jurisdiction relating to companies based overseas. It was only the fact that ClearviewAI’s customers worked solely in overseas law enforcement/national security functions that appears to have enabled it to avoid jurisdiction in this case. That said – ClearviewAI has also been the subject of adverse findings and monetary penalties from other European data protection regulators. By all accounts, they are finding it difficult to enforce those decisions.
A monthly data protection bulletin from the barristers at 5 Essex Chambers