Overview
Clearview AI Inc.’s facial recognition technology has been subject to regulatory scrutiny from the privacy sector worldwide, including the UK Information Commissioner who issued the US company with monetary penalty and enforcement notices (the Notices) for alleged violations of GDPR/UK GDPR (the Regulations). In a judgment dated 17 October 2023 (the Judgment), the First-tier Tribunal (FTT) upheld, on jurisdictional grounds, Clearview’s appeal of the Notices. The Commissioner sought permission to appeal on 17 November 2023. This matter underscores the zeitgeist debate pitting technological advancement against the safeguarding of personal information in a digital world and will remain of keen interest as the matter proceeds through the English Court system.
In Depth
Background
Clearview is a US company providing facial recognition services to criminal law enforcement and national security agencies (and/or their contractors) outside of the UK and EU. In short, Clearview deploys web-based robots to ‘crawl’ the internet and ‘scrape’ images of faces, which are compiled into a database, containing over 20 billion images at the time of the November hearing (the Database). Clearview’s software then creates a mathematical ‘vector’ of those faces, such that they can be indexed and searched against.
Clearview’s clients are able to upload an image (known as a ‘probe image’) to their private Clearview platform, which image will be transposed into a vector and then compared to the Database images. Clearview’s algorithmic software will return images of sufficient similarity, without declaring whether a given image from the Database is a match or not. The client is able to use the information provided by Clearview as part of its investigative efforts to seek to identify the person shown in the probe image.
The Commissioner issued the Notices in May 2022 for Clearview’s alleged breaches of the Regulations in respect of it collecting web-based (publicly available) images of data subjects without consent. Clearview in turn appealed the Notices on substantive, as well as jurisdictional grounds, with the latter being heard as a preliminary issue in November 2022 and to which the Judgment relates. Insofar as jurisdiction is concerned, Clearview contended: (i) that its processing fell outside the territorial scope of the Regulations; and (ii) alternatively, that its processing was in the context of activities that fell outside the Regulations’ material scope. We address these arguments in turn below.
Territorial scope
As Clearview is a US entity, the Commissioner relied on the extra-territorial force of the Regulations conferred under Article 3(2)(b), which requires that, in order for the Regulations to apply, the processing in question must be in the context of activities related to the monitoring of behaviour of data subjects, as far as that behaviour takes place within the Union/United Kingdom. Clearview argued that its activities were simply not engaged in such monitoring.
The FTT determined that the images on the Database constituted ‘personal data’ (indeed the facial ‘vectors’ constitute biometric information and therefore special category data), and that Clearview was processing such personal data in the following two ways:
- Activity 1 processing, which covers the creation, development and maintenance of the Database; and
- Activity 2 processing, being the process of matching a probe image against the Database, and then providing the search results to the relevant client.
Clearview was deemed to be the sole controller insofar as activity 1 processing was concerned and a joint controller (together with any given client) in respect of activity 2. The FTT further found that – given the volume of images processed by Clearview – the Database most likely contained images of UK data subjects, which would, in turn, likely display behavioural characteristics. Whether such images included such characteristics required more than a revelation of a person’s features (hair colour, height etc.). It required information as to what a person may or may not do (for example, an image of a person playing football might be indicative of that person’s propensity to play the sport).
As to the issue of ‘monitoring’, paragraph 122 of the Judgment concluded that “monitoring” can occur on just a “single incidence”. In reaching that conclusion, the FTT relied, in part, on the language of Recital 24 to the Regulations, which refers to individuals being “tracked” as an indicator of behavioural monitoring: “[it] is important to note that the word is “tracked” as opposed to “tracking” which would imply a continuous or repeated activity”. At paragraph 123 of the Judgment, the FTT held that Clearview’s client organisations would utilise all information available for its investigations, which means (the FTT found, inferentially) that a Clearview client would use the service for more than the mere identification of individuals: it would use the service to monitor those individuals.
Crucially, paragraph 138 of the Judgment states that the Regulations do not exclude processing by one controller from being ‘related to’ the behavioural monitoring of another. In particular, the FTT focused on the use of “the monitoring” instead of “their monitoring” in the Regulations as demonstrating the legislator’s intent to regulate the monitoring activity itself (i.e., there was less concern about who was doing the monitoring). Therefore, although Clearview is not itself engaged in behavioural monitoring, its processing is “related to” the behavioural monitoring activities of its clients (either as a joint controller or distinct controller), thereby territorially catching Clearview within Article 3(2)(b). Accordingly, it was held that Clearview’s processing was, prima facie, within the territorial scope of the Regulations. The Court then turned to the question of whether the processing nonetheless fell outside of the material scope of the Regulations.
Material scope
Article 2(2)(a) GDPR/ Article 3(2A) read with Article 2(1)(a) UK GDPR, establish that data processing occurring in the course of activities falling outside the scope of Union law is not subject to the Regulations (insofar as the UK GDPR is concerned, to the extent that such activities fell outside the scope of Union law before the exit from the EU on 31 December 2020). Importantly, it was not contested that the acts of foreign governments would constitute such out of scope activities, based on international principles of comity: “it is not for one government to seek to bind or control the activities of another sovereign state” (paragraph 153).
Clearview’s unchallenged evidence was that its clients are exclusively foreign government bodies (or their contractors) exercising criminal law enforcement and/or national security functions, which are out of scope of Union law. Clearview argued, therefore, that if the Commissioner were correct that Article 3(2)(b) applied to Clearview by virtue of the supposed behavioural monitoring activities of its clients, such activities constituted the sovereign acts of foreign governments, meaning that Clearview’s processing was ‘related to’ out of scope activities and therefore Clearview could not itself be within scope. Accordingly, the prima facie applicability of Article 3(2)(b) was disapplied.
Accepting Clearview’s evidence as to its client base, the FTT agreed with Clearview’s position, thereby ruling that the Commissioner lacked jurisdiction to issue the Notices.
Conclusion and comment
Notwithstanding that a judgment of the FTT is not binding on other UK courts (much less those of the EU), the upshot of the Judgment for non-UK/EU companies concerning Article 3(2)(b) of the Regulations is that: (i) your processing might be caught by the Regulations if it is sufficiently related to the behavioural monitoring activities of a third party; and (ii) ‘monitoring’ will be interpreted widely, such that a “single incidence” might suffice. The material scope argument seized upon by Clearview was specific to its business, and will unlikely be available to the vast majority of foreign companies.
Despite the favourable findings given to the Commissioner in respect of Article 3(2)(b), it is not surprising that he has sought permission to appeal given the attention this case has received. The Commissioner has already given us a general flavour of his posturing:
“I fully respect the role of the Tribunal to provide scrutiny of my decisions – but as the defender of the public’s privacy, I need to challenge this judgment to clarify whether commercial enterprises profiting from processing digital images of UK people, are entitled to claim they are engaged in “law enforcement”.
As a final remark, in addition to action taken by the UK’s Information Commissioner, Clearview has been subject to international regulatory scrutiny, including in France, Italy, Greece and Australia. As regulators worldwide grapple with the challenges of data protection and technological advancement, the fate of Clearview in the ongoing UK appellate process will be held close to the microscope.
If you are a foreign company and have any concerns as to the applicability of GDPR to your operations, please reach out to McDermott’s data protection specialists.