[co-authors: Rachel de Souza, Jules Toynton, Deborah Okanlawon]
Summary
The Upper Tribunal (UT) has handed down its judgment in the UK Information Commissioner’s (Information Commissioner) appeal against the First-tier Tribunal (FTT) decision on Clearview AI Inc (Clearview). The UT upheld three of the Commissioner’s four grounds of appeal, concluding that:
- Clearview’s processing of personal information is related to monitoring of behaviour of UK residents.
- Clearview’s processing does not fall outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement and government agencies.
- The FTT applied the law incorrectly in finding that Clearview’s processing of personal information was outside the material scope of the UK GDPR under Article 2(2)(a).
Background
Clearview collected images of people’s faces and associated data from publicly available information on the internet and social media platforms around the world and provided an online global database that could be used for facial recognition, allowing its customers to check images against all the images in the database. Individuals were not informed that their personal data was used in this way, and the database contained a substantial amount of data.
Following a series of complaints filed in May 2021 by privacy and digital rights organisations, several data protection supervisory authorities issued monetary penalties against Clearview, including the UK Information Commissioner, who imposed an Enforcement Notice and a Monetary Penalty Notice (MPN) of £7.5M on Clearview for alleged breaches of the GDPR and UK GDPR. Clearview lodged an appeal with the FTT, disputing both the Enforcement Notice and the MPN, and arguing that the Information Commissioner lacked jurisdiction. In October 2023, the FTT allowed Clearview’s appeal and reversed the MPN, on the basis that the GDPR and UK GDPR did not apply to the processing of personal data by Clearview. The FTT confirmed that as Clearview offered its services exclusively to non-UK/EU law enforcement and national security agencies and their contractors, these processing activities fell outside of the scope of the GDPR and UK GDPR. In response, the Information Commissioner raised an appeal to the UT against the FTT’s decision. Please see our previous blog post for more information on the FTT decision.
The UT Judgment
On 7th October 2025 the UT handed down its judgment overturning the decision of the FTT and finding that Clearview’s processing does not fall outside the reach of UK data protection law. The UT held that the FTT had applied the law incorrectly in finding that Clearview’s processing of personal information was outside the material scope of the GDPR and UK GDPR.
For the purposes of the appeal, the UT concluded that there was no “material difference between the GDPR and the UK GDPR”[1](both referred to interchangeably hereafter as “GDPR”) and concluded that:
- Clearview’s actions fell within the material scope of GDPR – a private company providing a commercial service to foreign states for national security or law enforcement purposes is not automatically excluded under Article 2(2)(a), This is because, contrary to the FTT’s view:
- The exclusion of activities “outside the scope of Union law” from the scope of GDPR (by virtue of Article 2(2)(a)) should be read narrowly, i.e. as excluding only those activities that are reserved to EU Member States (e.g. criminal law enforcement or national security). It does not exclude all matters outside EU legislative competence.
- The exclusion of activities “outside the scope of Union law” from the scope of GDPR (by virtue of Article 2(2)(a)) should be read narrowly, i.e. as excluding only those activities that are reserved to EU Member States (e.g. criminal law enforcement or national security). It does not exclude all matters outside EU legislative competence.
- Clearview’s processing is within the territorial scope of GDPR, as:
-
Contrary to the FTT’s decision, the concept of “behavioural monitoring” in GDPR Article 3(2)(b) should be interpreted broadly and includes “passive collection, sorting, classification and automated data storing” with a view to future use for profiling purposes (including by another controller) – active human involvement is not required.
Accordingly, Clearview’s automated collection of information about individuals through the creation and maintenance of its facial recognition database still constituted behavioural monitoring, regardless of the fact no active real time monitoring of the individuals occurred.
- The words “related to” should also be read broadly, and Article 3(2) therefore should be read as applying “not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller.” Clearview’s processing was “related to” the behavioural monitoring carried out by its clients within the meaning of Article 3(2) GDPR (notwithstanding the fact that its clients’ activities were themselves out of scope of GDPR). (The FTT also concluded that Clearview’s processing was ‘related to’ that of its clients but focussed on the “close connection” between Clearview’s processing activities and that of its clients).
Following the judgment, the UT has now referred the case back to the FTT to decide on the fate of the Enforcement Notice and the MPN.
Comment
The UT have confirmed that the Information Commissioner’s powers extend to entities outside the UK to protect the personal data of UK residents. John Edwards, the UK Information Commissioner, announced that the decision:
“...gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal information is based. It is essential that foreign organisations are held accountable when their technologies impact the information rights and freedoms of individuals in the UK.”
With the UT’s judgment confirming the extent of the Information Commissioner’s powers, we may see the Information Commissioner increasingly enforce against foreign organisations breaching UK residents’ personal data rights. We may also see foreign organisations thinking more carefully before engaging in activities that may infringe the data rights of UK residents.
[1] Paragraph 57.
[2] “Comity principles” is the term used throughout the judgment to cover the principles of public international law that govern the relationships between states.
[View source.]
