Clearview AI (Clearview) is one of the world’s most notable facial recognition companies. Yet, while its innovations have captured significant attention, they have also sparked controversy. This tension was underscored by a £7.5m fine from the UK Information Commissioner’s Office (ICO) last year. However, in a turn of events, that fine was recently upended by the First-tier Tribunal (Tribunal). The Tribunal determined that, despite the implications of Clearview’s technology for UK data subjects, Clearview’s processing activities ultimately sit beyond the material scope of the General Data Protection Regulation and UK General Data Protection Regulation (together, the GDPR).
Clearview Unmasked: The Tech Behind the Name
So, what exactly is Clearview? Launched in 2017, Clearview is a US-based tech company that specialises in facial recognition. Although its service was initially also envisaged for use by private businesses such as hotels and grocery stores, the company now, significantly, restricts its services to foreign (ie non-UK or EU) criminal law enforcement and national security bodies. It is also crucial to note that Clearview does not offer its services to UK or EU users and has no establishment either here or in the EU.
Clearview helped unmask participants in the 2021 US Capitol riot. Its power lies in its wealth of open-source intelligence, which it can offer to police departments and other law enforcement bodies who historically only had access to tools that search government-provided images (such as mugshots and driver’s license photos). Such traditional technology inevitably leads to a dead-end where the perpetrator is a first-time offender. Clearview’s USP, therefore, is the ability to step in where traditional databases stumble.
Clearview’s data collection methods have not been without criticism, however. While Clearview does set ethical boundaries, like respecting "robots.txt" files and avoiding explicit adult sites, its collection of over 30 billion images from platforms like Facebook, Instagram and LinkedIn without explicit user permission has led critics (including privacy and civil liberties activists) to describe its service as a "perpetual police line-up".
Clearview AI v Information Commissioner: breaking down the Tribunal’s decision
In May 2022, the ICO served Clearview with an Enforcement Notice and a Monetary Penalty Notice. The notices cited infringements of various provisions of the GDPR, including the key obligation to have a lawful basis for processing personal data. A month later, Clearview responded with a notice of appeal disputing the breaches and challenging the notices’ legality. In summary, the First-tier Tribunal (which heard the appeal) concluded that while Clearview’s activities fell within the territorial scope of the GDPR, they were not subject to the GDPR’s material scope.
The Tribunal first examined four pillars of the GDPR’s territorial scope (put simply, whether on the facts it applied to Clearview as a US company). Since Clearview does not have an establishment in the UK or EU, it could not be caught by Article 3(1) of the GDPR that deals with the processing of personal data in the context of a UK or EU establishment. Instead, the territorial argument was based on the claim that Clearview was processing personal data of individuals in the UK and that this processing was related to the monitoring of such individuals’ behaviour in the UK (this is under the provisions of Article 3(2)(b) GDPR).
- Processing personal data: It was universally acknowledged that the images in Clearview's database constitute personal data.
  Further, the Tribunal considered there were two primary processing activities at play:
  - Activity 1 processing, covering the creation, development, and maintenance of Clearview’s database, and
  - Activity 2 processing, covering Clearview’s receipt from its client of a “probe image” (ie an image to search the database against), matching the probe image against the database, and then providing the search results to the client.
- Concerning UK data subjects: The Tribunal inferred from the sheer volume of Clearview’s (growing) database, and the extent of internet and social media usage in the UK, that UK residents' images must be present. The service, the Tribunal posited, also inevitably impacts UK residents due to the global nature of crime-solving.
- By a controller or processor not established in the UK: as we have explained, Clearview did not have an establishment in the UK.
  Delving deeper, the Tribunal recognised Clearview as a data controller for its Activity 1 processes. As for Activity 2, the Tribunal viewed Clearview as a joint data controller with its clients because:
  - Clearview determines the purpose of the processing via its terms, which restrict its use to the discharge of law enforcement and national security functions.
  - Both Clearview and its clients determine the means of processing: clients upload images, and Clearview furnishes its clients with matching images and additional information.
- Related to monitoring behaviour: Clearview argued that it does not monitor the behaviour of data subjects because its service is not actually capable of analysing behaviour. The Tribunal considered that while every image can reveal a person’s characteristics, the term "behaviour" is concerned with what that person is actually doing. The Tribunal accepted that Clearview does not directly monitor behaviour. For the Tribunal, the act of collecting facial vectors and indexing them is not “monitoring” as this is an automated mathematical task. However, citing reasoning from the Court of Appeal in a case called "Soriano", the Tribunal felt that Clearview's processing was “related to” the monitoring carried out by its clients, because:
  - Such monitoring by Clearview’s clients could not take place without Clearview’s Activity 1 processing, and
  - The purpose of Clearview’s Activity 2 processing is to provide Clearview’s image matching service to its clients, thereby enabling the monitoring of behaviour carried out by Clearview’s clients to take place.
This means that the Tribunal considered that, as a matter of law, Art 3(2)(b) GDPR can apply where the monitoring of behaviour is carried out by a third party rather than a data controller.
Finally, the Tribunal proceeded to consider whether the processing fell within the material scope of the GDPR. The processing of personal data in the course of an activity which falls outside the scope of EU law is not caught by the GDPR. Applying this principle to the facts, the Tribunal determined that the processing of personal data by Clearview related to an activity outside the scope of EU law, because Clearview’s services were only provided to criminal law enforcement and national security entities outside the EU and UK. As a result, the Tribunal concluded the ICO had no jurisdiction to issue the two notices, and the fine should be overturned.
Beyond the Tribunal’s decision: implications and insights
The essence of the Tribunal’s decision is that Clearview’s operations fall outside of the GDPR’s ambit because of its exclusive association with (non-commercial) law enforcement clients outside the EU (and UK). If we accept that activities by foreign governments lie outside the purview of EU law, questions remain about whether Clearview’s processing occurs "in the course of" such government or law enforcement activities. Arguably, classifying the actions of a private commercial entity as being “in the course” of foreign government or law enforcement operations is a significant leap, potentially warranting further scrutiny.
Moreover, the Tribunal's stance that Clearview itself didn’t monitor the behaviour of its data subjects, but its clients did, raises concerns in suggesting that a company can establish a vast image database of UK residents without the ICO having any jurisdiction to intervene, given that database's ultimate users.
Given these considerations and the significant implications for technology involving UK data subjects, an appeal seems at least plausible. If the ICO chooses to go down this path, subsequent legal discourse might provide greater clarity on the reach of the GDPR and UK GDPR in situations such as this, and therefore on the balance to be afforded between cross-border technologies and individual privacy rights.
 The UK GDPR, which originates from and is materially identical to the EU version of the GDPR, is the principal legal framework (together with the Data Protection Act 2018) for the regulation of data privacy in the UK.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2023