Information Commissioner seeks appeal of Clearview tribunal decision

This is an interesting data protection case in which the First-tier Tribunal (Information Rights) (tribunal), the body responsible for considering appeals related to data protection enforcement actions, looked at the extra-territorial effect of the UK GDPR* under Article 3. The tribunal also made some observations on processors, controllers and joint controllers.  

In summary, the tribunal decided to overturn the Information Commissioner’s Office (ICO) enforcement action against Clearview AI Inc (Clearview) for breaches of relevant data protection laws on the basis that the commissioner did not have jurisdiction in respect of Article 3 (territorial scope) to take enforcement action against Clearview. The Information Commissioner (commissioner) is now seeking to appeal the decision made by the tribunal to the Upper Tribunal.

Background

Clearview is incorporated in Delaware in the United States and does not have, and has never had, an establishment in the United Kingdom. Clearview’s activities that were the subject of the ICO’s enforcement action were the provision of facial recognition services to clients using data scraped by Clearview from web pages using web crawlers. Clearview’s database contained billions of images (including those of UK data subjects), and service users could upload “probe images” which would then be compared against that database. Importantly, however, Clearview’s services were not used by clients in the United Kingdom; services were provided only to foreign law enforcement agencies.

The ICO’s original enforcement action against Clearview included a fine in the region of £7.5m and an order against Clearview to delete certain data for breaches of the UK GDPR, including the misuse of biometric data. The commissioner relied on Article 3(2) of the UK GDPR, which provides that the UK GDPR applies where the processing activities are related to the monitoring of data subjects’ behaviour in the United Kingdom.

Clearview appealed the ICO’s enforcement action for alleged breaches on a number of grounds, but also averred that the commissioner lacked jurisdiction, arguing that Clearview was providing its services to “foreign clients, using foreign IP addresses, and in support of the public interest activities of foreign governments and government agencies, in particular in relation to their national security and criminal law enforcement functions”, such functions being targeted at behaviour within their jurisdiction and outside of the UK for the purposes of Article 3.

Tribunal decision

The tribunal agreed with Clearview that the commissioner lacked jurisdiction to take enforcement action on the basis that although the processing undertaken by Clearview was related to the monitoring of data subjects’ behaviour in the United Kingdom, the processing was beyond the material scope of the UK GDPR and was not “relevant processing” for the purposes of Article 3 of the UK GDPR. This was because Clearview’s clients were foreign law enforcement agencies and so did not have sufficient connection with the UK. The tribunal noted that it was not for one government to seek to bind the activities of another sovereign state and the conclusion to be drawn seems to be that the UK GDPR will not apply to the actions of a foreign state. The tribunal did not consider whether Clearview had in fact breached the relevant provisions of the UK GDPR.

The tribunal also held that Clearview acted as a separate controller in relation to collecting and maintaining its image database, and as a joint controller with its clients in relation to the provision of its services. The tribunal reached this determination because, in its view: (i) Clearview determined the purposes of the processing, as it only provided services to those who wished to use them for purposes agreeable to Clearview within its terms and conditions, for example not for any purpose other than matters of law enforcement and national security; and (ii) both Clearview and the client determined the means of processing: the client uploaded the search image, and Clearview conducted the matching process and provided the client with the matched images and additional information. The tribunal also held that each of the client and Clearview was also a processor for the other in relation to each purpose.

Commissioner's appeal

The commissioner is now seeking to appeal the tribunal’s decision to the Upper Tribunal on the basis that the tribunal incorrectly interpreted the law. It does not appear that the commissioner has commented on the tribunal’s determination in respect of Clearview’s role as controller, joint controller and processor.

The ICO now awaits the tribunal’s decision in respect of the appeal.

Comment

It is worth noting at the outset that decisions of First-tier Tribunals are not binding on other tribunals, although they can be persuasive.

This particular case raises a fundamental question as to whether, and in which circumstances, overseas entities that process personal data of UK data subjects are outside the scope of the UK GDPR. The facts in this case are highly specific, and they raise the issue of whether the same conclusion could be drawn if the case related to a commercial entity and not a foreign state. Since the tribunal decision, the Information Commissioner has pointed out that Clearview itself was not processing for foreign law enforcement purposes and “should not be shielded from the scope of UK law on that basis”. Interestingly, other data protection regulators have taken successful action against Clearview in the past. For example, CNIL, the French data protection regulator, fined Clearview EUR 20m in May 2023 and we are not aware that this enforcement action has been appealed. Clearview was also ordered by the Office of the Australian Information Commissioner (OAIC) to "cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia."

The tribunal’s finding that each of Clearview and its clients were both processors and controllers in relation to the same processing activities is also noteworthy and is perhaps surprising as it appears to be inconsistent with previous guidance issued by the ICO on this point. The ICO’s guidance provides that although an organisation could be a controller and a processor of the same personal data, it would only be where the processing was for a different purpose, which does not appear to be the case with Clearview. Whether this position will be followed or clarified in any subsequent tribunal hearing is not known but it would appear to add additional complexity to controller/processor/joint controller analysis if the principle was followed in other cases.

*We have referred to the UK GDPR in this article for readability but the tribunal also considered the applicability of EU GDPR, which applied in the UK prior to Brexit.