Information Commissioner lacks jurisdiction over US corporation monitoring behaviour of data subjects in the UK for foreign law enforcement

The Tribunal was required to consider whether the processing undertaken by Clearview constituted ‘monitoring’ of data subjects

Context

Clearview AI Inc (“Clearview”), a corporation registered in Delaware with no establishment in the UK, appealed a Monetary Penalty Notice (“MPN”) and Enforcement Notice (“EN”) imposed by the Information Commissioner’s Office (“ICO”). The First Tier Tribunal was required to determine Clearview’s challenge to the ICO’s jurisdiction.

The Tribunal determined that the ICO did not have jurisdiction because the processing to which the MPN related was not within the material or territorial scope of the UK GDPR.

Background

Clearview’s principal place of business is in New York City. It is not established in the UK. In the relevant period it provided services only to non-UK/EU criminal law enforcement and national security agencies, and their contractors, in support of their law enforcement and national security functions. Clearview’s limitation of its client base in that way is a matter of choice, not a binding legal restriction.

The Tribunal found that Clearview operates an automated process of scraping images from websites, storing harvested facial images in a database and generating ‘vectors’ from those images in a process of ‘indexing’ based on those vectors. The Tribunal referred to this as ‘Activity 1’. Activity 1 is directed at facilitating matches against images submitted by clients, a process which the Tribunal referred to as ‘Activity 2’.

Controllership

The Tribunal determined that Clearview was the data controller in respect of Activity 1 and a joint controller, with its client(s), in respect of Activity 2.

‘Monitoring’

The Tribunal was required to consider whether the processing undertaken by Clearview constituted ‘monitoring’ of data subjects. The Tribunal found that monitoring did not require a process conducted incrementally over time but could include the determination of an individual’s location at a single point in time. The Tribunal determined that Activity 2 involved monitoring of the behaviour of data subjects in the UK but that Activity 1 did not.

“We find that the indexing case fails because the behaviour of a data subject is not used in the creation of the vectors or the indexing of the images according to those facial vectors.”

Although the Tribunal concluded that ‘CV does not monitor the behaviour of data subjects in its own right’, it found that Activity 1 was ‘related to’ the monitoring of behaviour by CV’s clients.

Those determinations were important in determining whether the processing could fall within the territorial scope of the UK GDPR by virtue of Article 3(2)(b).

The Crux of the jurisdiction issue

The Tribunal found that Activity 2 – in respect of which Clearview and its law enforcement clients were joint controllers – constituted monitoring of the behaviour of data subjects in the UK but that, because the processing was ‘in the course of’ law enforcement/national security activities of foreign governments, it was outside the scope of the UK GDPR. The definition of ‘relevant processing’ excludes processing in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law.

Schrödinger’s Dossier?

Clearview’s database includes approximately 20 billion images and is growing by approximately 75 million images a day. Those images are not harvested on the basis of any evidence of suspicion. The images are indexed on the basis of facial vectors, on the premise that those vectors are effective in discriminating between individuals. By implication, for some unique set of vectors, Clearview’s database will contain a range of images captured over time, including information about location and behaviour over time – a profile.

It appears likely that most of the individuals whose images are stored in the database will never have their data returned in a search (Activity 2) and their data will only be processed as part of Activity 1.

The Tribunal determined that the processing in Activity 1 was not monitoring. They observed:

“We find that the indexing case fails because the behaviour of a data subject is not used in the creation of the vectors or the indexing of the images according to those facial vectors. For this reason we conclude that CV does not monitor the behaviour of data subjects in its own right.”

The Tribunal did not expressly address the alternative view, that the indexing by vectors – which permits multiple data points about a single individual to be collated – is a step in the process of monitoring behaviour.

However, by implication, the Tribunal would have rejected that contention on the basis that, until Activity 2 commences, the process is automated and mathematical. In setting out their reasons why vector creation and indexing by vectors were not ‘monitoring of behaviour’, they said:

“That processing in itself reveals nothing about the behaviour of a person because it is an automated, mathematical process.”

There is a tension between that view and the Tribunal’s earlier analysis of the concept of tracking. Does the creation of a person-specific portfolio, of data gathered through automatic tracking, only become ‘monitoring of behaviour’ when viewed by a human? The Tribunal’s answer is in the affirmative.

Unanswered questions

If Activity 1 had been found to constitute ‘monitoring of the behaviour’ of data subjects in the UK, the Tribunal would have been required to determine whether Activity 1, in respect of which Clearview was the controller, was processing ‘in the course of’ the acts of a foreign government. Would the answer to that question have been ‘yes’? Would the answer be the same in respect of the period when the database was being developed, prior to commercialisation, or when the database is not being searched, or in respect of vector-specific – and therefore person-specific – portfolios that are stored but never searched, or in periods when Clearview has no active clients? This judgement leaves those questions unanswered.