Clearview AI succeeds in jurisdictional appeal before the First-tier Tribunal

The First-tier Tribunal has given judgment in Clearview AI Inc v The Information Commissioner [2023] UKFTT 00819 (GRC).


The case concerned an enforcement notice and a £7.5 million Penalty Notice issued by the Commissioner to Clearview AI, an American facial recognition company, in May 2022. The Tribunal found that the Commissioner had no jurisdiction to issue either notice, on the basis that the GDPR/UK GDPR did not apply to the processing in issue. Accordingly, the Tribunal overturned both notices.

A more detailed case report will follow on Panopticon. In the meantime, the judgment can be found here.


Anya Proops KC, Christopher Knight and I acted for Clearview AI, instructed by Jenner and Block London LLP.


Timothy Pitt-Payne KC and Jamie Susskind acted for the Information Commissioner, instructed by the Information Commissioner’s Office.


Raphael Hogarth

Art.10 rights attenuated by contract: R (Craighead) v Secretary of State for Defence [2023] EWHC 2413 (Admin)

“Grabbing his ballistic body armour, Diemaco C8 assault rifle and Glock 9mm pistol, and with a balaclava pulled over his head to protect his identity, the soldier swept into the area where the firefight was going on, engaged the enemy and led several civilians to safety outside.”

In January 2019, five terrorists launched a major attack at a hotel complex in Nairobi, Kenya, killing at least 21 people. A then fully-badged SAS soldier, who goes by the pseudonym “Christian Craighead”, intervened, assisting the Kenyan authorities, and later earned an award for his conspicuous gallantry. Mr Craighead wishes to tell his story.

He wrote a book, which he wants to publish, providing “an insider’s account of how a young man with a difficult upbringing served his country and saved lives during the Incident”. He is bound, however, by a confidentiality contract providing that unless he obtains ‘express prior authority in writing’ (“EPAW”) he would not disclose any information about the work of the UK Special Forces. The Ministry of Defence refused EPAW on the basis of its assessment that the material in the book is covered by the confidentiality contract and its publication would cause damage to national security.

Online safety – evening briefing on 3 October 2023

As foreshadowed in our post of 20 September 2023, we are pleased to announce an evening briefing session with leading data and internet specialists Anya Proops KC and Jamie Susskind on the Online Safety Act, arguably the most significant new law in a generation.

We have happily managed to secure a larger venue than expected for this event, and so there are still some places available. Please RSVP at if you wish to attend.

Date: Tuesday, 3rd October 2023
Time: 6:30 PM – 7:30 PM
Venue: IET London: Savoy Place, London WC2R 0BL
Delegate Charge: This event is free of charge

A Data Bridge over Troubled Waters?

On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 will come into effect and the UK-USA ‘data bridge’ will be effected. This will mean that, under the terms of the revised EU-US Data Privacy Framework, and the UK Extension to it, transfers of personal data from the UK to a person in the USA on the Data Privacy Framework List, will be deemed to meet the test of adequacy for the purposes of the UK GDPR and the DPA 2018.

Online safety – dawn of a new era

Yesterday the Online Safety Bill received assent in the House of Lords, meaning it is now ready to become law. It is anticipated that the Bill will receive Royal Assent in the course of October 2023. So it is that the UK stands on the brink of a new era in internet regulation, one which is intended fundamentally to improve the health and wellbeing of the nation by making the internet a safer, less hazardous environment for all.

And how, you may well ask, is this improvement to be achieved? Well, in the most basic terms, the Online Safety Bill (soon to be the Online Safety Act) seeks to make the internet a safer place by: (a) converting those online intermediaries who host and index online content – including most obviously social media providers and online search engines – into the digital caretakers of the online world, making them subject to a wide array of duties of care with respect to the content they respectively host or index and, further, (b) charging Ofcom with responsibility for ensuring that online intermediaries are discharging these duties of care in practice.

As Meta awoke one day from uneasy dreams it found itself transformed…

It’s been a few days since the CJEU’s landmark 4th July decision in Meta Platforms v Bundeskartellamt (Case C-252/21). As readers of the blog will probably have seen elsewhere, this was no Independence Day victory for Meta. Instead, the CJEU Grand Chamber upheld the idiosyncratic blending of competition law and GDPR by the German competition regulator (the Federal Cartel Office, or FCO).