Clearview AI sees red as UK tribunal sides with regulator over $10M GDPR fine

The UK General Regulatory Chamber's Upper Tribunal (UT) has ruled in favor of the Information Commissioner's Office (ICO), which appealed against a 2023 decision that it could not fine Clearview AI over GDPR violations.

In what some Reg commenters called a "knee-capping of the UK GDPR" at the time, the First-tier Tribunal (FTT) decided in October 2023 that the ICO did not have the territorial scope to issue the £7.5 million fine (c $10 million) it planned for the US-based AI company.

The case relates to an ICO fine issued in May 2022 after the regulator accused Clearview of scraping Brits' images uploaded to social media before adding them to a database used to train its AI algorithms.

As we reported at the time, the FTT accepted that it was reasonable to expect UK residents' faces to appear in Clearview's database, given the size of the country and the ample access to the internet most people enjoy.

However, on Tuesday, the UT upheld most of the grounds on which the ICO based its appeal, crucially ruling [PDF] that Clearview's data processing fell within the territorial scope of the UK GDPR.

It also ruled that the FTT incorrectly applied the law when deciding that Clearview's data processing fell out of scope based on the fact that it was doing so as a competent authority for the purposes of assisting law enforcement clients.

In its appeal of the ICO's decision to fine it £7.5 million ($10 million, or $9.43 million at the time) in 2022, Clearview heavily leaned on Article 2(2)(a) of the UK GDPR to clear its data processing activities.

This is the provision that precludes foreign data processing for law enforcement purposes from regulatory penalties.

Clearview said when appealing against the fine that its service is an internet search engine offered only to non-UK/EU law enforcement and national security agencies, whose uses are out of scope of the regulations per Article 2(2)(a).

The Information Commissioner accepted this was valid. Under the principles of international law, one state cannot seek to compel another to meet a legal demand, i.e. a foreign power investigating a Brit for a crime committed on its own soil should not attract interference from the UK, or penalties under the UK GDPR.

The UT's decision this week, however, overturned the FTT's previous decision and this crucial aspect of Clearview's appeal against the ICO's fine.

It ruled that Clearview's processing was related to behavior monitoring of UK residents, per Article 3(2)(b), and was still bound by UK GDPR regulation despite being carried out on behalf of its foreign law enforcement clients.

The UT, citing case law and previous statements from the EU's Advocate General, said that this exclusion only applies to the UK state itself, and not a commercial entity such as Clearview selling services to foreign governments.

• Founder of facial-rec controversy biz Clearview AI booted from board
• Data watchdog fines Clearview AI $33M for 'illegal' data collection
• Clearview AI reaches 'creative' settlement with privacy suit plaintiffs: A conditional IOU
• Watchdog bites back against blockage of $9M fine on US selfie-scraper Clearview AI

Even if the data is, or can be used by a government in the interests of its national security, the data processing still falls within the scope of the GDPR.

The latest ruling, which New York-based Clearview can also appeal against, means that the case will be sent back to the FTT to decide whether the ICO can, in fact, impose the fine.

This case was solely focused on determining the UK GDPR's territorial scope, not the fine, although the ruling suggests the ICO's decision to issue a fine was valid.

The FTT will then decide again whether, in light of the UT's decision, Clearview contravened the UK GDPR.

John Edwards, the UK's Information Commissioner, said: "The UT's decision has upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge.

"The ruling also gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal information is based. It is essential that foreign organisations are held accountable when their technologies impact the information rights and freedoms of individuals in the UK."

Jack Mulcaire, chief legal officer at Clearview AI, told The Register: "Clearview AI is disappointed by this ruling which misapplied the law to improperly seek to regulate how American companies serve the US government. We do not offer any product or do any business in the United Kingdom. We intend to file an appeal."

On that point, Jon Baines, Senior Data Protection Specialist at Mishcon de Reya LLP, commented: "It's worth noting that it was a very strong, three-judge bench (with President of the Chamber Mrs Justice Heather Williams DBE as lead judge) and the judgment very much has the feel of one the bench has tried to make as 'appeal-proof' as possible." ®