Clearview AI helps foreign governments find people in photos. The UK government tried to fine them, but a court said they couldn't because the foreign governments' actions are outside UK law. It's like trying to make a different country follow your rules.
Key Facts
- •Clearview AI Inc. (CV) is a Delaware-incorporated company providing a facial recognition service to primarily foreign law enforcement and national security agencies.
- •The service involves scraping images from the internet, creating facial vectors, and allowing clients to search for matches using a probe image.
- •The Information Commissioner (ICO) issued an Enforcement Notice (EN) and a Monetary Penalty Notice (MPN) alleging GDPR/UK GDPR violations.
- •CV appealed, challenging the ICO's jurisdiction.
- •CV does not have a UK establishment and its clients are primarily foreign government agencies.
- •The ICO argued that CV's processing was 'related to' the monitoring of behaviour in the UK, even though CV's service is not used by UK clients.
Legal Principles
Territorial scope of GDPR/UK GDPR (Article 3)
GDPR/UK GDPR
Material scope of GDPR/UK GDPR (Article 2)
GDPR/UK GDPR
Definition of 'processing', 'personal data', 'controller', etc.
GDPR/UK GDPR and DPA 2018
ICO's powers to issue EN and MPN
DPA 2018
Tribunal's powers on appeal
DPA 2018
Soriano v Forensic News LLC
[2021] EWCA Civ 1952
International Law principles regarding state sovereignty
Outcomes
Appeal allowed.
The ICO lacked jurisdiction to issue the EN and MPN because CV's processing, while related to monitoring of behaviour in the UK by its clients, fell outside the material scope of the GDPR and UK GDPR due to the fact that it was provided to foreign law enforcement and national security agencies and contractors.