Tribunal Rules Company’s AI’s Activity Beyond Material Scope of GDPR

 In what will come as a relief to AI focused technology companies, the First Tier Tribunal (FTT) has overturned the Information Commissioner’s fine and enforcement notice issued to Clearview AI Inc (Clearview) on the basis that the Information Commissioner (ICO) did not have jurisdiction to issue the notices[1]. This case highlights the limits of the GDPR[2] and coincides with the European Data Protection Supervisor’s (EDPS) publishing its opinion on the Artificial Intelligence Act (AI Act) which is entering the final stages of negotiations between the EU’s co-legislators.

What was the Clearview case about?

Clearview AI, which is incorporated in the US state of Delaware, specialises in developing facial recognition software. It has built a substantial database of human faces which it used to create its facial recognition network. Up until 2020, commercial clients were using the service, however, the product is now used only by law enforcement agencies and public bodies involved in national security. Clearview AI does not currently have any clients in the UK nor in the EU, but there was a trial provided to law enforcement/government organisations within the UK between June 2019 and March 2020. 

Clearview AI’s database was created by ’scraping’ photo images available publicly on the internet. No privacy controls were used when conducting the automated scraping. However, if a webpage employs password protection, Clearview AI’s scrapers (both in-house and external) cannot access that page.

The ICO ruled that Clearview AI’s facial recognition practices were “unacceptable” and that the company had breached the GDPR by failing to have a lawful reason to collect personal data and not meeting the standards required under the regulations for biometric data. It issued a fine of £7.5 million and an enforcement notice.

Clearview AI appealed to the FTT challenging the ICO’s right to issue the Enforcement Notice and the Monetary Penalty Notice. The ICO’s main argument was that Clearview AI provided a “service [which] is being used to monitor the behaviour of data subjects” which is covered by the GDPR by virtue of Article 3(2)(b). The FTT acknowledged that the term ‘behaviour’ lacked definition in this context. It could be stated that an image does, by its very nature, show a behaviour, for example a smile or frown to indicate happiness or misery. At the very least, it shows the person is alive.

The FTT reasoned that the word ‘behaviour’ is a verb and therefore the person must be doing something in the image.

 “We are of the view that a person’s behaviour would include:

1. Where they are;
2. What they are doing – including what they are saying/have said or what they have written as well as their employment or playing of a sport or their pastimes;
3. Who they associate with in terms of relationships;
4. What they are holding or carrying;
5. What they are wearing – including any items indicating cultural or religious background or belief.” At para 118.

Elements of a person whose image had been scraped from the internet and included in the database did provide aspects of behaviour, including their relationship status, whether they smoked or drank alcohol, their ability to drive a car, and their location.

Ultimately, the FTT did find that the processing undertaken by Clearview AI was related to the monitoring of data subjects’ behaviour in the UK and that Article 3(2)(b) can apply where the monitoring of behaviour is carried out by a third party rather than the controller. However, it ruled that the processing by Clearview was beyond the material scope of the GDPR and did not constitute relevant processing for the purposes of Article 3 because the activities of foreign governments fall outside the scope of EU law (and, in relation to the UK GDPR, EU law as it applied before IP completion day). As mentioned above, Clearview AI exclusively sold to foreign law enforcement agencies and their contractors.

What does this case mean for UK AI and technology companies?

One thing that has always been clear is that AI technology is advancing far faster than AI laws and regulations. For example, the UK’s Online Safety Act 2023 has only just become law, almost two decades after the launch of Facebook. However, the EU is now within “touching distance” of passing the world’s first comprehensive AI Act that will give Brussels the power to shut down services that threaten harm to society.

With 60-70% of the AI Act text agreed, one of the most contentious issues remains facial recognition technology. Member states want to retain this right, arguing it is vital for security on borders but also to avert public disorder. But MEPs have called for a total ban on facial recognition databases like the ones developed by Clearview AI as well as social scoring systems, such as the ones launched by China that rate citizens’ trustworthiness based on their behaviour.

The UK, on the other hand, is diverging from the EU in that the Home Office plans to extend the use of facial recognition software. According to the Financial Times:

“…the Home Office is highlighting its interest in novel artificial intelligence technologies that could process facial data efficiently to identify individuals, and software that could be integrated with existing technologies deployed by the department and with CCTV cameras”

Wrapping up

Although it still lags behind development, the law around AI facial recognition is approaching a precipice for organisations operating in the EU. Technology companies need to keep abreast of the changes to ensure they do not breach compliance and risk their R&D capital and commercial reputation.

To find out more about any matters discussed in this article, please email us at [email protected] or phone 0121 249 2400.

The content of this article is for general information only.  It is not, and should not be taken as, legal advice.  If you require any further information in relation to this article, please contact 43Legal.

[1] Clearview AI Inc v Information Commissioner [2023] UKFTT 819 (GRC) [2023] 10 WLUK 155

[2] In this article GDPR refers to both the UK GDPR and EU GDPR.