Tribunal Confirms Clearview AI Bound by GDPR

On 7th October, the UK Upper Tribunal (UT) confirmed that Clearview AI’s controversial facial recognition business is subject to the EU and UK GDPRs.

Clearview had argued that its scraping of billions of online images to produce facial recognition services for sale to foreign law enforcement agencies placed it outside of GDPR’s material and territorial scope. The Tribunal rejected that claim, agreeing with the Information Commissioner’s Office (ICO) and our interpretation.

The tribunal also made clear that Clearview’s activities involve ‘behavioural monitoring’. Clearview sought a narrow interpretation of that term so as to escape the application of the UK GDPR, but the tribunal rightly adopted a broader one that clearly encompasses automated processing. That’s an important finding - especially as we see more use of AI and biometrics to track people both on - and offline.

This decision follows our intervention in the ICO’s appeal against a 2023 First Tier Tribunal (FTT) ruling that had quashed Clearview’s £7,552,800 fine. We were represented by AWO, and had previously filed a complaint about Clearview’s processing with the ICO in 2021.

The Upper Tribunal’s judgment recognises that exemptions from the law for national security or law enforcement bodies must not be overly interpreted as this can undermine the purpose and effectiveness of the laws in question. Relying on the services of private businesses for state surveillance and data analysis cannot result in that processing being done without accountability.

Tom West, Programme Director, Privacy International:

“This judgment confirms that private companies cannot escape data protection law just because they work closely with foreign law enforcement or national security agencies. It would be a massive problem if those agencies could outsource intrusive processing activities to private actors who were outside the scope of the law.”

Lucie Audibert, Solicitor, AWO: 

“We are so pleased that our client’s intervention in this important appeal was influential on the outcome. The case had evolved to raise fundamental issues of international and EU law and their impact on the extraterritorial reach of EU and UK data protection law, such that our client was ideally placed to make its contributions. This decision will have important implications for the accountability of foreign companies when they process the data of UK data subjects. It rectifies the dangerous position the FTT had set – intrusive surveillance technology is still very much subject to the protection of our laws, whether sold to foreign state authorities or not.”

Clearview is an AI company that trawls through sites like Instagram, YouTube and Facebook, as well as personal blogs and professional websites, and saves a copy of public photos that contain a face as well as related identifying information. Clearview then uses facial recognition technology to extract the unique features of people’s faces, effectively building a gigantic database of our biometrics. Mass scraping of personal data like this constitutes a form of surveillance that inherently undermines people’s privacy and freedom on the internet and can result in technology that creates further risks to people’s rights.

The UT have remitted the case back to the FTT to consider whether Clearview’s processing is in fact in breach of the GDPR. Clearview’s processing has previously been found to be in breach of the GDPR in France, Italy, Austria and Greece, resulting in fines totalling €65,200,000. PI’s understanding is that none of these fines have been paid.

Further background and documents are available here:

• Upper Tribunal Ruling Summary (AWO)
• PI Legal Action Against Clearview AI