The Upper Tribunal (UT) has handed down judgment in The Information Commissioner v Clearview AI Incorporated [2025] UKUT 319 (AAC), reversing the decision of the First-Tier Tribunal (FTT) and finding that the ICO did have jurisdiction to issue Monetary Penalty and Enforcement Notices to a US-based company specialising in facial recognition services for foreign law enforcement agencies. The judgment provides important clarification about the material and territorial scope of the GDPR and UK GDPR, as well as helpful guidance on what constitutes “behavioural monitoring”.

Background

The case concentrated on the activities of Clearview AI Inc (Clearview), a US-based company which offers a highly sophisticated facial recognition service to its clients, all of whom carry out criminal law enforcement and/or national security functions. In broad terms, these clients upload a facial image of an individual to Clearview’s service which in turn creates vectors for the face in the image. Those vectors are then compared to the vectors created from the images stored in Clearview’s database (estimated to be in the region of 20 billion images scraped from online sources) using a machine learning facial recognition algorithm.

On 18 May 2022, the ICO determined that Clearview had committed various breaches of the UK GDPR and GDPR (the Regulations) and issued a Monetary Penalty Notice of £7.5 million alongside an Enforcement Notice ordering that the company stop obtaining the personal data of UK residents that is publicly available on the internet and to delete the data of UK residents from its systems.

First Tier Tribunal

Clearview appealed the Notices, both as to their merit and on the basis that the Commissioner did not have jurisdiction to issue them. In particular, Clearview argued that its service was offered exclusively to foreign law enforcement and national security agencies and aimed to support them in discharging functions which are outside the material scope of Article 2 of the Regulations. Furthermore, Clearview argued that its service was not capable of analysing behaviour, nor was it aware of any of its clients using the service in the context of behavioural monitoring, which therefore took it outside the territorial scope of the Regulations as expressed in Article 3(2)(b) UK GDPR.

The FTT considered the question of jurisdiction as a preliminary issue and found in favour of Clearview. Whilst it found that the service did come within the territorial scope of Article 3 (finding that Article 3(2)(b) can apply when the monitoring of behaviour is carried out by a third party (i.e. Clearview’s clients)), the Tribunal nonetheless determined that the processing was outside the material scope of the Regulations as provided by Article 2.

Upper Tribunal

The ICO appealed the FTT’s decision both on the material and territorial scope of the Regulations.

On the question of the material scope in Article 2, the Upper Tribunal (UT) explained that its position was made more difficult as the FTT “set out its conclusion on the application of Article 2(2)(a) but did not provide reasons that are adequate to explain how or why it reached that key conclusion”. This alone amounted to an error of law, but nonetheless put the UT in the position of having first to determine what it was that the FTT held (and why), before determining if it had erred in its judgment.

As for what the FTT held, the UT determined that it was that Clearview’s clients use its services “exclusively in furtherance of” their criminal law enforcement and/or national security function. This finding, the UT explained, provided a potential foundation for the FTT’s conclusion that the processing of personal data by Clearview’s clients was “in the course of an activity which… fell outside the scope of Union law”. However, it did not explain how or why the FTT concluded that Clearview’s own processing was not caught.

To this, Clearview offered a purposive construction of Article 2(2) which argued that it was intended to avoid “a kind of back door regulation” of foreign states by regulating third parties (such as Clearview) whose processing occurs “in the course of” activities that are state functions and, as such, outside the scope of the Regulations. As the UT explained, Clearview’s position was that its processing “intersects so fundamentally with its clients’ processing that Clearview’s processing and its clients’ discharge of its state functions are “effectively merged” such that they cannot be disentangled”.

The UT was unpersuaded by this argument. Among other things, it pointed to the fact that Clearview’s processing was distinct and separate from that of its clients and that “the relationship between the activities of Clearview and the activities of its clients are no more “merged” or “fundamentally intersected” than the activities of parties to any transaction that involves transfers between them of electronic data”.

Instead, having considered the case law on the construction of Article 2(2), the UT held that its proper interpretation was a much narrower one which meant that neither the processing activities of Clearview or its clients were excluded by its operation, since it was concerned “only with the division of responsibilities as between the Union and its Member States. It had no need to say anything about the activities of foreign states, because the GDPR is not concerned with the activities of foreign states at all”.

It followed that whether the processing activities of Clearview or its clients were excluded from regulation required consideration of the law relating to comity, not the construction of Article 2.

As for Clearview’s foreign state clients, it was agreed by the parties that their processing fell outside the scope of the Regulations. However, on the suggestion that regulation of Clearview’s own data processing would breach comity principles, the UT stated that “we have been directed to no specific authority for the proposition that any species of comity principle extends more generally to provide immunity to a private company providing a service to a state body, even in the course of “quintessentially state activities” such as national security or criminal law enforcement, where those services are provided independently on a commercial basis, and not as a servant or agent of the state, or otherwise in exercise of sovereign authority”.

The UT also agreed with the ICO that “the FTT effectively assimilated processing by Clearview with processing by its clients…[and] effectively jumped without explanation from reasoning that Clearview’s clients were outside the material scope of the GDPR, to concluding that Clearview’s own processing was outside scope”.

Turning to the question of territorial scope, the UT contended with the proper construction of Article 3(2) UK GDPR which provides as follows:

This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

• (a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
• (b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.

Having considered the authorities, the UT held that Article 3(2)(b) should be given an expansive meaning and read as applying “not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller”.

Applying this to the facts, the UT held that the words ‘related to’ in Article 3(2) require a relationship between the processing of the individuals’ personal data and the monitoring of the behaviour, and there is (as the FTT was entitled to find) “such a close connection between the creation, maintaining and operation of [Clearview’s] Database and the monitoring of behaviour undertaken by the clients that Clearview’s processing activities are related to that monitoring”.

In fact, the UT went further, finding that Clearview itself was also involved in behavioural monitoring, rejecting Clearview’s arguments that the term should be narrowly construed to require, among other things, “active” monitoring as wells as the sorting and indexing of data by reference to behaviour. Instead, the UT adopted a broad interpretation of the term, explaining that it “encompasses “passive” collection, sorting, classification and storing of data by automated means with a view to potential subsequent use (including by another controller) of personal data processing techniques which consist of profiling a natural person. It does not require active “watchfulness” in the sense of human involvement, it does not require analysis beyond automated sorting and classification with a view to subsequent future use, and it does not require the data to be sorted and classified by reference to subjects’ behaviour”.

Having allowed the ICO’s appeal, the case has now been remitted to a new FTT for consideration of the substantive appeal. Clearview has already indicated its intention to appeal the UT’s decision, although some have pointed out that this may prove difficult as the judgment was particularly thorough and delivered by a three-judge panel that included the President of the Upper Tribunal.

To read the judgment in full, click here.