Our increasingly Internet-centric lives create many possibilities for digital interaction and intrusion, which may be thrilling or troubling depending on one’s perspective.
Facial recognition technology is a particularly stark instance of those possibilities, and of the risks and benefits associated with them. There has been significant public debate concerning facial recognition technology in the UK. In some other countries, notably China, the technology is already in widespread use, and provides a simple, efficient and effective vector for biometric identification by the state and the private sector alike. The potential unlocked by a biometric identification vector which operates on faces (the primary means of direct human interaction with the physical world), for security purposes, targeted advertising, and much else besides, is obvious. The privacy and anonymity implications, and the risks of over-use of such technology, are also obvious.
The subject-matter of the First-tier Tribunal’s (“FTT”) decision in Clearview AI Inc v The Information Commissioner UKFTT 00819 (GRC) is, therefore, topical. But the salience of the decision goes well beyond its subject-matter. It is a decision of both significant legal interest and potential practical implications for data controllers well beyond the United Kingdom.
In very summary terms, Clearview maintains a database of images of human faces ‘scraped’ (i.e., downloaded) from the Internet by web crawlers, together with linking information (e.g., the URL from which the download was taken). The database contains billions of images, and grows at c. 75m images/day.
Those faces are processed to create a set of ‘vectors’ (mathematical representations of each face), which are stored in a cloud database and indexed so that images that are more similar are stored closer together. A client of Clearview can access a (proprietary) search engine and upload an image (the “Probe Image”), with ancillary information such as the date and time of the Probe Image being uploaded as part of that image’s metadata. The search engine reduces that image to a set of vectors, and undertakes a data-matching process against Clearview’s database. Where one or more matches are obtained to a specified level of confidence, the corresponding images are provided to the client for review together with linking information (the URL). Clearview does not itself warrant that the face(s) are the same person; that conclusion will be drawn (if at all) by the client.
Clearview is a Delaware company. It has no establishment in the EU or UK for the purposes of the GDPR/UK GDPR. It does not provide its services to clients in the EU or UK (though there was previously a trial of its product in the UK), and it does not provide its services to commercial clients (and has not done so since 2020). On the evidence before the FTT, its services are only provided to clients which carry out criminal law enforcement and/or national security functions, and are used (by those clients) for those functions.
At the same time, given the size of its database, it is a reasonable inference (and the Tribunal found) that there will be images of UK residents within Clearview’s database, as well as images taken within the UK by or of persons resident elsewhere. It is not possible to assess the number of images of UK residents, as only a relatively small number of images retain geolocating data after the ‘scraping’ process. Accordingly (the Tribunal found), the service provided by Clearview could “have an impact on UK residents even though it is not used by UK customers.”
The Information Commissioner (“IC”) served an Enforcement Notice and Monetary Penalty Notice on Clearview in May 2022 (the “Notices”), alleging breaches of the GDPR/UK GDPR. Clearview has appealed these to the FTT, both on substantive grounds and on the question whether the IC had jurisdiction to issue the Notices.
The FTT’s decision concerned the question of jurisdiction, which was taken as a preliminary issue.
The GDPR / UK GDPR
The relevant period covered by the Notices straddled the transition period. It was common ground that during the transition period, the position was governed by the GDPR, and thereafter by the UK GDPR.
The dispute on jurisdiction was based on the proper interpretation of the material and territorial scope provisions in arts 2-3 of the GDPR and UK GDPR. These relevantly provide:
- Art 2(2)(a) GDPR: “This Regulation does not apply to the processing of personal data … in the course of an activity which falls outside the scope of Union law.”
- Art 3(2)(b) GDPR: “This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to … (b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”
- Art 3(2)(b) UK GDPR: “This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: … the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.”
- Art 3(2A) UK GDPR: “In paragraph 2, ‘relevant processing of personal data’ means processing to which this Regulation applies, other than processing described in Article 2(1)(a) …”
- Article 2(1)(a) of the UK GDPR refers to “processing in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law.” The effect of art. 3(2A) with Article 2(1)(a) of the UK GDPR is that such processing is excluded from the ambit of art. 3(2), effectively mirroring the position under art. 2(2)(a) GDPR.
The FTT’s analysis
It was not in dispute that the information in Clearview’s database comprised personal data, and that the vectors were special category personal data. As already noted, the FTT found that Clearview’s dataset would include the personal data of UK data subjects.
The FTT found that Clearview was processing that data, essentially in two ways (paragraphs 98, 112-114):
- The creation, development, and maintenance of Clearview’s database (‘Activity 1’); and
- The receipt of the Probe Image from a client, matching the Probe Image against the database, and providing the search results to the client (‘Activity 2’).
The FTT identified the ‘heart of the case’, for the IC, as being that Clearview’s service was being used to monitor the behaviour of data subjects. The FTT sought to identify what would come within the concept of information on “behaviour”, treating it as information that “would reveal that the person is doing something” as opposed to a description of that person (paragraph 117).
Seeking to apply that approach, the FTT found that the search results revealed aspects of the behaviour of individuals presented in the images (essentially, the images told you something about the things that the person did): paragraph 119. A picture of someone smoking will tell you that they smoke or have smoked, and so on.
The FTT also found that the use of the service could comprise monitoring. In this context, the FTT found that “monitoring will include a single incidence” in which a person’s behaviour is assessed (paragraphs 121-122). The FTT placed weight on the indication in recital 24 to the GDPR that it is relevant, when assessing monitoring, whether “natural persons are tracked on the internet.” So, for the FTT, “[e]stablishing where a person is/was at a particular point in time”, on a single occasion, could constitute the monitoring of their behaviour on the Internet.
The FTT then concluded that Clearview’s clients were monitoring behaviour “because they are seeking to identify facts about the individuals who appear in the Probe Images” beyond the simple identification of that person (paragraphs 126-127). It was, at least, possible to use the service to monitor the behaviour of data subjects (paragraph 128).
The FTT, however, found against the IC on an alternative monitoring case, to the effect that Clearview was itself monitoring behaviour by creating vectors and indexing the images by vector. The FTT decided that that processing did not involve using the data subject’s behaviour, and did not reveal anything about the data subject’s behaviour, so did not comprise monitoring (paragraph 129).
Clearview was a sole controller for the purposes of the Activity 1 processing, and a joint controller with each client for the purposes of the Activity 2 processing (paragraphs 135-136). Even if the FTT was wrong about the latter conclusion, however, it considered that it would not matter, because “nothing within the Regulation prevents the processing of data by a controller being related to the monitoring of behaviour by another distinct controller” (paragraph 138).
On the facts, the FTT found that the processing by Clearview was “related to” the monitoring of UK data subjects in relation to their behaviour in the UK: paragraphs 139-144.
So far, so good for the IC.
At this point in the FTT’s analysis, however, the implications of Clearview’s client base came into view. Clearview had filed evidence that all its clients carried out criminal law enforcement/national security functions, and used the service only for those functions. No contrary evidence was presented; while the IC submitted that the clients used contractors who were private sector bodies, there was insufficient evidence (the FTT found) to support any conclusion that they were not carrying out such functions (paragraphs 145-146).
The FTT considered whether (as the IC submitted) the fact that this was simply a choice by Clearview, which it could alter at any time, was of relevance, but concluded that the FTT had to consider matters as they stood when the Notices were issued (paragraphs 147-148).
Having identified the common ground that the acts of foreign governments would not be within the scope of Union law (paragraph 153), the FTT concluded that the IC did not have jurisdiction to issue the Notices. Clearview’s “processing was in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law”, namely law enforcement/national security functions (paragraph 154). It followed that the Notices were not in accordance with the law (paragraph 158).
A lengthy and detailed judgment from the FTT, albeit one which seems unlikely (given the issues) to be the last word on the subject.
A couple of thoughts.
Firstly, despite the result, this judgment takes a wide approach to the extra-territorial scope of the UK GDPR. The FTT’s approach to the meaning of both ‘monitoring’ and ‘behaviour’ is very broad. On that approach, access to a search engine for the purposes of identifying something about the actions of an individual, on a single occasion, comprises monitoring of behaviour. So does the creation, development and maintenance of the search engine for the purposes of such searches. While closely-reasoned, that conclusion is hardly incontestable: ‘monitoring’, for example, might alternatively be thought to mean an ongoing process of observation.
That breadth is also underscored by the FTT’s willingness to make inferences and assumptions both about the UK content of the dataset (perhaps inevitable, given the numbers involved) and (perhaps less inevitable) the motives and intentions of Clearview’s clients: not just using Clearview’s services to identify individuals, but also to understand things about those individuals’ behaviour.
Accordingly, while Clearview was saved by the nature of its client base, many other controllers, without that client base, will not be. The decision thus has potentially significant implications for the commercial use of large-scale identifying databases. On the FTT’s analysis, if (say) targeted advertising to individuals in the US is selected based on a database which contains the data of UK data subjects in the UK, using those data subjects’ behaviour as an indicium of (say) likely spending habits, that database may, depending on the facts, be subject to the UK GDPR and the jurisdiction of the IC.
Secondly, the FTT’s reasoning on the question of ‘scope of Union law’ is also broad, and also not incontestable. As with many complex activities, there are a number of different processing activities which make up the Clearview service: most obviously, processing in the operation of the service both by Clearview, and by its client. The FTT found that Clearview and its clients were joint controllers for those purposes, but also (paragraph 138) that this did not matter for the purposes of the statute. It is a nice question whether the processing by Clearview – an act of service provision undertaken for commercial activities – should be treated as being undertaken “in the course of an activity which falls outside the scope of Union law”, even if that processing by the client is undoubtedly undertaken in the course of such an activity, and even if the processing is the same processing. And if that is the case as regards ‘Activity 2’ processing, the question might be thought even more acute in the context of ‘Activity 1’ processing, where the client has no role at all.