Skip to content Skip to sidebar Skip to footer
Menu
Menu
Data Protection & Cybersecurity

Clearview AI wins the appeal against the GDPR fine by the UK privacy authority, the ICO

October 22, 2023
3 minRead time
clearview ai ico
Share This Article
Share Post

Clearview AI has won its appeal against the GDPR fine issued by the UK data protection authority, the ICO, at the First Tier Tribunal (FTT), but the outcome seems rather complicated and did not go as many expected.

Clearview AI collects facial images from the web, derives biometric information from the images, and allows third parties (mostly police) to upload photos of people and then matches them to entries in its database.

The ICO fined Clearview AI more than ยฃ 7.5 million last year and several other regulators have also taken action against Clearview under the GDPR, including the Garante, which issued a penalty of โ‚ฌ 20 million as showed.

Clearview is a U.S. company that does not (currently) operate in the UK. To allow the UK GDPR to apply, Clearview must:

  • offer goods and services in the UK or
  • monitor people’s behavior in the UK.

The ICO argued that Clearview falls under the second point, which is found in Article 3 (2) (b) of the UK GDPR believing that while Clearview does not “per se” monitor the behavior of UK data subjects, it “allows its customers” to do so.ย  This circumstance, according to the ICO, brings the relevant activities conducted by Clearview within the scope of the UK GDPR.

The FTT appears to have agreed with this view in principle, and considered Clearview to be a joint controller with its customers for the processing of personal data. However, Clearview won because of an interaction between Article 2 (material scope) and Article 3 (territorial scope) of the UK GDPR. Apparently, the FTT believes that Clearview’s clients are “law enforcement agencies” and as such the processing does not fall under the GDPR.

Article 2 (1) (a) states that the UK GDPR applies to “processing in the course of an activity which, immediately before the IP completion day [i.e., the Brexit “implementation period”[ย was outside the scope of EU law.” So, in theory, the UK GDPR applies to Clearview’s activities. But such processing “outside EU law” is excluded by some other parts of the UK GDPR.

Consequently, it seems that Clearview could have been within the “territorial” scope of the GDPR, but was not, because its activities were outside EU law at the time of the UK’s exit from the EU.

It appears to be a decision that takes into account the peculiarities of the transitional regime in the UK following the Brexit. The questions is whether Clearview will be able to use the same arguments in other similar disputes that arose in the EU member states. On the topic, you can read the article “โ‚ฌ 20 million privacy fine against Clearview AI facial recognition system in Italy“.

(Visited 77 times, 1 visits today)
Tags:
0LikesShare Post