The Information Commissioner v Clearview AI Incorporated [2025] UKUT 319 (AAC)
The extra-territorial reach provided for by the UK's data protection regime under UK GDPR is relatively unusual and is a reflection of the interconnected world of data and electronic processing which we now inhabit and of the EU GDPR from which it derives.
If you are a business located outside the UK and happen to have data about UK data subjects, should you be concerned about the UK GDPR? The long running enforcement battle between the UK Information Commissioner's Office ("ICO") and US company Clearview AI Inc ("Clearview") over its facial recognition technology and services has considered these issues. Clearview has also faced similar battles with data regulators across the EU and elsewhere including Australia.
The longstanding dispute been Clearview and the ICO has recently taken a new turn, with the Upper Tribunal handing down its judgment on the ICO's appeal against a 2023 First-tier Tribunal ("FTT") decision.
The FTT had held that the ICO did not have jurisdiction to issue enforcement and monetary notices to Clearview on the basis that the processing undertaken by Clearview was beyond the scope of UK GDPR. The ICO appealed to the Upper Tribunal, which upheld three of the four grounds of appeal. This article discusses the background to the case, the decision and implications going forward.
Context of the case
UK GDPR applies to controllers and processors of personal data established in the UK, irrespective of whether the processing occurs within the United Kingdom. However, it also applies to processing of personal data by a controller or processer located outside the jurisdiction of the United Kingdom but only where the processing activities concern the offering of goods and services to data subjects within the UK or the monitoring of the behaviour of data subjects within the UK.
Clearview is a technology company located in the United States which employs technology to search the internet for freely available images of human faces. Where relevant images are collected, they are mapped with algorithms and given facial vectors. Images with similar vectors are grouped together. The information is then stored in a database. In colloquial terms, the search technology is known as a "crawler" and the process of collecting images "scraping".
Access to the database is made available to both private and public sector clients of Clearview, working within the fields of national security and criminal law enforcement. Clients are able to upload images to the database to search for those with similar facial vectors. This may lead to identified of the individual including location and other data about them gleaned from the source of the image.
Clearview has no presence in the UK and UK law enforcement is not one of its clients, but the scraping process can collect images which relate to individuals in the UK.
As noted above, Clearview was issued with an enforcement notice and a £7.5m monetary penalty notice by the ICO in May 2022. Clearview challenged those decisions at the FTT. In October 2023, the FTT ruled that Clearview did not fall under the jurisdiction of the UK GDPR and therefore the ICO. On 6 October 2025, the Upper Tribunal issued its decision following an appeal by the ICO against the FTT decision. The Upper Tribunal decision found in favour of the ICO on three out of the four grounds of appeal.
Issues
The appeal raised a number of legal issues. These can be summarised into two key questions. Firstly, whether Clearview's processing or its client's processing was part of an activity which falls outside of the scope of European Union law. The EU GDPR excludes such matter from its ambit. The EU does not have competence to legislate about criminal law enforcement or national security. If the answer to this was yes, then the ICO had no jurisdiction to take the action it had against Clearview.
Secondly, whether Clearview's processing activity of collecting and collating images amounted to monitoring the behaviour of data subjects in the United Kingdom. Alternatively, if Clearview's client were monitoring behaviour by obtaining image matches and background data then was Clearview's processing "related to" that activity and caught by the GDPR.
Decisions
Considering the first question, the Upper Tribunal found that that Clearview's processing was not outside the scope of EU law and excluded by Article 2(2)(a) of GDPR. It held that an error of law had been made by the FTT in this regard.
The Upper Tribunal found that Article 2(2)(a) only acts to exclude functions reserved solely to themselves by member states of the EU. Private companies which provide information in relation to law enforcement and national security operations of foreign states were not excluded from the scope of the UK GDPR. Clearview's processing was therefore within the scope of the UK GDPR in principle. It remained to be seen if it was caught by the extra-territorial provisions.
As to the second question, the Upper Tribunal found the scope of Article 3(2)(b) of UK GDPR to be wide, and the processing of Clearview was found to constitute behavioural monitoring. The mere collection and holding of data might not amount to monitoring, however the data collected included behavioural material. The purpose for which the data was being collected by the data controller was also a relevant factor in any analysis. The fact that monitoring was not actively taking place when the data was collected and held did not mean the data was not related to monitoring activity as that is what the data was to be used for. The Tribunal there concluded that collecting, sorting, classifying and storing data for later profiling was in itself monitoring under the GDPR.
The Upper Tribunal also addressed the issue assuming that Clearview's own processing was in fact monitoring. The question was did the GDPR's use of the phrase "relating to…the monitoring of behaviour" mean that the activity of another data controller using the data had to be taken into account? The Tribunal decided that the related activity did not have to be by the same data controller. So, where Clearview collected data for its clients to use for monitoring Clearview's activity was "related to" that monitoring.
The Upper Tribunal allowed the Information Commissioner's appeal on three of four grounds. The decision of the FTT was set aside. The matter has been remitted to the FTT to determine whether the Information Commission was right to issue the enforcement and monetary penalty notices on the basis of breaches of the requirements GDPR by Clearview. The dispute will therefore continue, and in any event, it has also been reported that Clearview are likely to appeal the findings of the Upper Tier Tribunal decision to the Court of Appeal.
Implications
This decision has significant implications for companies located outside the UK monitoring the behaviour of UK data subjects. Companies will potentially be within the scope of UK GDPR if their processing assists the monitoring of UK individuals in any manner.
The processing does not need to be performed by the company itself and does not require a UK presence. "Behavioural monitoring" is also deemed to have a wide scope. UK GDPR could therefore apply to a large number of data collecting and sorting operations. Companies outside of the UK jurisdiction engaging in the handling of UK data subjects' data would be advised to review their practices to ensure compliance with UK GDPR.
