Clearview AI Inc.’s facial recognition technology has been subject to regulatory scrutiny from the privacy sector worldwide, including the UK Information Commissioner who issued the US company with monetary penalty and enforcement notices (the Notices) for alleged violations of GDPR/UK GDPR (the Regulations).
In a judgment dated October 17, 2023 (the Judgment), the UK’s First-tier Tribunal (FTT) (being the first level of regulatory appeals) upheld, on jurisdictional grounds, Clearview’s appeal of the Notices. The Commissioner sought permission to appeal on November 17, 2023. This blog piece is a reduced version of our wider commentary on the case, which is available here.
Background
Clearview is a US company providing facial recognition services to criminal law enforcement and national security agencies (and/or their contractors) outside of the United Kingdom and the European Union. In short, Clearview collects publicly available images of faces from the internet, which are compiled into a database (the Database). Clearview’s software then creates a mathematical ‘vector’ of those faces, such that they can be indexed and searched against. Clearview’s clients are able to upload their own images onto their private Clearview platform and compare those images against the Database. Clearview’s algorithmic software will return images of sufficient similarity (without declaring whether a given image from the Database is a match or not) and this information can be used by Clearview’s clients in their investigative efforts.
The Commissioner issued the Notices in May 2022 for Clearview’s alleged breaches of the Regulations in respect of it collecting web-based (publicly available) images of data subjects without consent. Clearview in turn appealed the Notices on substantive, as well as jurisdictional grounds, with the latter being heard as a preliminary issue in November 2022 and to which the Judgment relates. Insofar as jurisdiction is concerned, Clearview contended: (i) that its processing fell outside the territorial scope of the Regulations; and (ii) alternatively, that its processing was in the context of activities that fell outside the Regulations’ material scope.
Territorial Scope
As Clearview is a US entity, the Commissioner relied on the extra-territorial force of the Regulations conferred under Article 3(2)(b), which requires that, in order for the Regulations to apply, the processing in question must be in the context of activities related to the monitoring of behaviour of data subjects, as far as that behaviour takes place within the European Union/United Kingdom. Clearview argued that its activities were simply not engaged in such monitoring.
The FTT determined that the images on the Database constituted ‘personal data’, and that Clearview was processing such personal data in the following two ways:
- Activity 1 processing, which covers the creation, development and maintenance of the Database; and
- Activity 2 processing, being the process of matching a client image against the Database, and then providing search results to the client.
The FTT further concluded that – given the volume of images processed by Clearview – the Database most likely contained images of UK data subjects, which would, in turn, likely display behavioural characteristics. As to whether that behaviour was being ‘monitored’, it was held that “monitoring” can occur on just a “single incidence”. On that monitoring determination, the FTT inferred that, as Clearview’s clients would leverage all information available to their investigation, they would use the Clearview service for monitoring purposes (that is, beyond the mere identification of individuals).
Significantly in that regard, the Judgment states that the Regulations do not exclude processing by one controller from being “related to” the behavioural monitoring of another. Therefore, the FTT concluded that although Clearview is not itself engaged in behavioural monitoring, its processing is “related to” the behavioural monitoring activities of its clients, thereby territorially catching Clearview within Article 3(2)(b). Accordingly, it was held that Clearview’s processing was, prima facie, within the territorial scope of the Regulations.
Material Scope
Article 2(2)(a) GDPR/ Article 3(2A) read with Article 2(1)(a) UK GDPR, establish that data processing occurring in the course of activities falling outside the scope of Union law is not subject to the Regulations. It was not contested that the acts of foreign governments would constitute such out of scope activities, based on international principles of comity: “it is not for one government to seek to bind or control the activities of another sovereign state” (paragraph 153 of the Judgment).
Clearview’s unchallenged evidence was that its clients are exclusively foreign government bodies (or their contractors) exercising criminal law enforcement and/or national security functions, which are out of scope of Union law. Clearview argued, therefore, that the activities of its clients constituted the sovereign acts of foreign governments, meaning that Clearview’s processing was ‘related to’ out of scope activities such that Clearview could not itself be within scope. Accordingly, the prima facie applicability of Article 3(2)(b) was disapplied.
Accepting Clearview’s evidence as to its client base, the FTT agreed with Clearview’s position, thereby ruling that the Commissioner lacked jurisdiction to issue the Notices.
Conclusion and Comment
Notwithstanding that a judgment of the FTT is not binding on other UK courts (much less those of the European Union), the upshot of the Judgment for non-UK/EU companies concerning Article 3(2)(b) of the Regulations is that: (i) your processing might be caught by the Regulations if it is sufficiently related to the behavioural monitoring activities of a third party; and (ii) ‘monitoring’ will be interpreted widely, such that a “single incidence” might suffice. The material scope argument seized upon by Clearview was specific to its business and will unlikely be available to the vast majority of foreign companies.
Despite the favourable findings given to the Commissioner in respect of Article 3(2)(b), it is not surprising that permission has been sought to appeal given the attention this case has received. The Commissioner has already given us a general flavour of his posturing: “[…] as the defender of the public’s privacy, I need to challenge this judgment to clarify whether commercial enterprises profiting from processing digital images of UK people, are entitled to claim they are engaged in “law enforcement”.”