Clearview AI is the world's largest collector of personal photos. After the British privacy regulator (ICO) fined the company millions last year and ordered it to remove all photos of British citizens, Clearview appealed. On Tuesday, the judge declared that the ICO had no jurisdiction in this situation.
In 2020, the New York Times reported that the American software company Clearview AI, which specializes in developing facial recognition technology, had collected billions of photos of social media users with web scraping. The photos were stored in a database without permission(1). As a result of this scandal, the company withdrew from EU and UK markets and stopped providing its services to commercial entities.
British privacy regulator Information Commissioner's Office (ICO) decided last year to fine Clearview £7.5 million for collecting the data. The ICO argued that the company had unlawfully collected personal data of British data subjects for the purpose of monitoring their behavior. In addition, the ICO ordered Clearview to remove all photos of British individuals from its database. Clearview appealed the ICO's decision . And rightly so, as Tuesday's ruling by the court of first instance showed....
Last May, the ICO issued a Monetary Penalty Notice (MPN) and Enforcement Notice (EN) against Clearview for several violations of UK privacy laws by the software company. These violations include lack of a legal basis and Data Protection Impact Assessment (DPIA) when processing biometric personal data of UK citizens.
Clearview challenged not only the alleged violations, but also the legality of the orders and the ICO's authority to impose the MPN and EN on Clearview. The court had to decide the latter point.
Clearview's core business has to do with helping law enforcement and intelligence agencies identify suspected criminals and threats to national security. The company provides software to customers (governments of non-European countries) that allows them to compare photos of suspects and victims against the Clearview database.
In its arguments, the ICO distinguished two processing activities by Clearview: web scrapping and collection of personal photos and comparing photos entered by customers with other images in the database. Since the data processing in both cases is carried out only by entities without a UK establishment, namely Clearview and foreign governments, the question arose as to the territorial and substantive application of the UK General Data Protection Regulation (UK AVG).
On the one hand, the judges had to assess whether the processing activities of Clearview and its clients were considered "behavioral monitoring of data subjects, to the extent that such conduct takes place in the UK. This is one of the exceptions where the UK AVG has extraterritorial effects (i.e., outside the UK). In this case, the judges answered in the affirmative: the data processing by Clearview is essential for its customers' monitoring tasks and thus falls within the territorial scope of the AVG.
Regarding material scope, the judges acknowledged that there is likely to be British personal data in the database, meaning that British privacy laws would in principle apply. On the other hand, Clearview claimed that all of its customers are foreign governments that use the database for national criminal justice and security purposes.
Under both the European Union (EU) AVG, to which the UK was bound until its legal departure from the Union in 2020, and the UK AVG, such activities are outside the scope of application of EU law and therefore outside the AVG itself. The court agreed. The fact that Clearview might offer its services again to commercial parties in the future was not an independent reason to bring the intended processing activities within the material scope of the AVG. The judges thus concluded that the ICO exceeded its jurisdiction by issuing the two orders.
A spokesperson for the ICO told U.S. Forbes Magazine that the regulator will investigate follow-up action (2). "The ruling does not prevent the ICO's power to investigate international companies that process data of British citizens, particularly through commercial web scraping. It merely concerns a specific exception relating to the activities of foreign enforcement authorities," the spokesperson added.
https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html;
https://www.forbes.com/sites/emmawoollacott/2023/10/19/uk-privacy-watchdog-cant-sanction-clearview-ai-court-rules/.
