The First-tier Tribunal of the UK General Regulatory Chamber has overturned an enforcement notice and a £7.5 million fine which was issued against Clearview AI Inc. (Clearview). In May 2022 the ICO found that Clearview had collected publicly available images of individuals (some of whom were in the UK) from the internet and social media accounts and allowed its clients (entities engaged in law enforcement outside of the jurisdiction) to use the images for facial recognition purposes in a law enforcement context.
The notice was overturned following an appeal by Clearview. The court concluded that Clearview was monitoring the behaviour of individuals in the UK, (taking quite a broad interpretation of those concepts and others in the legislation) and so would, on that front, fall within the territorial scope of the UK GDPR (processing done by an entity not established in the UK, but who monitors the behaviour of individuals in the UK), but the processing was within the course of an activity which was outside of the material scope of the UK GDPR (foreign law enforcement) and therefore not “relevant processing” which it would have needed to be in order to fall within the territorial scope of the UK GDPR (the same conclusion was reached in relation to EU GDPR by slightly different means).
The inference to be drawn then, is that had the activities fallen within the material scope of the UK GDPR (for example commercial use of the technology) the processing would have been subject to UK GDPR.
This case may give some organisations, particularly those engaging in facial recognition, pause for thought in relation to whether their activities fall within the scope of UK/EU GDPR from an English law perspective.
A link to the case can be found here.
If you would like some assistance in assessing issues of the territorial application of the GDPR in light of this case, please get in touch with your usual contact or email firstname.lastname@example.org