US-based Clearview AI is caught by the reach of UK data protection law

The question

How did the processing activities of Clearview AI (Clearview), a US-based company, come to be caught by the UK GDPR?

The key takeaway

The Upper Tribunal (UT) has held that Clearview’s processing of UK residents’ data falls within the scope of the UK GDPR (and, where relevant, the EU GDPR). It overturned the earlier finding of the First-tier Tribunal (FTT) that Clearview’s activities were outside the material scope of UK data protection law. The UT also confirmed that the ICO had jurisdiction to issue its enforcement notice and monetary penalty. However, the UT did not decide whether the findings or the £7.5 million fine should ultimately stand; instead, it remitted the substantive appeal back to the FTT for reconsideration on the basis that the ICO does have jurisdiction.

The background

Clearview is a US company that collects publicly available images from across the internet to build a large-scale facial recognition database. It provides services to US law-enforcement bodies and to US private-sector clients, some of whom support law-enforcement activities.

In May 2022, following an investigation into Clearview’s handling of UK residents’ personal data, the ICO issued an enforcement notice and a monetary penalty of approximately £7.5 million for breaches of the EU GDPR (pre-Brexit) and the UK GDPR. Clearview appealed the decision to the FTT.

The FTT accepted that Clearview’s activities related to individuals in the UK but held that the GDPRs did not apply because Clearview’s clients were foreign law-enforcement or national-security bodies. It treated the processing as falling within the material-scope exclusion in Article 2(2)(a), significantly limiting the ICO’s ability to act against Clearview.

The development

The ICO appealed the FTT’s jurisdiction decision to the Upper Tribunal. Clearview resisted that appeal and advanced additional arguments to try to uphold the FTT’s approach. The UT overturned key elements of the FTT’s reasoning. In particular, it found that:

• Clearview’s processing falls within the material scope of the UK GDPR, and the FTT had not provided adequate justification for finding otherwise;
• the material-scope exclusion in Article 2(2)(a) GDPR (and the UK equivalent) must be construed narrowly. It concerns the division of responsibilities between the EU and its Member States - not a general exemption for private companies providing services to foreign law-enforcement or national-security bodies;
• while processing by Clearview’s foreign state clients for criminal-law enforcement or national-security purposes would fall outside the scope of the GDPR, the FTT had insufficient evidence to conclude the same for Clearview’s private-sector clients, or for Clearview’s own processing activities;
• Clearview’s own processing amounts to “behavioural monitoring” of UK residents under Article 3(2)(b) UK GDPR. The concept of behavioural monitoring is broad and can cover passive scraping, indexing, sorting and storing of data for potential profiling, even where monitoring is ultimately carried out by others;
• the ICO therefore does have jurisdiction to issue its enforcement notice and monetary penalty.

The UT did not determine whether the ICO’s findings of breach or the level of the fine should stand. It remitted the substantive appeal - covering both liability and penalty - back to the FTT for reconsideration.

Why is this important?

The ruling confirms that overseas companies cannot assume immunity from the UK GDPR merely because their services relate to criminal-law enforcement or national-security organisations abroad. Private-sector providers supporting such organisations must still assess their own exposure under UK GDPR. The judgment also provides important clarification on the narrow reading of Article 2(2)(a) and the broad interpretation of “behavioural monitoring” under Article 3(2)(b) - an area where there was previously no direct UK authority.

At the same time, the ruling highlights the complexities of applying UK data protection law to foreign companies. Even with jurisdiction confirmed, enforcement remains challenging, and the final outcome for Clearview will depend on the FTT’s fresh determination of the ICO’s enforcement action.

For digital platforms and AI businesses in particular, this decision underscores that scraping or aggregating publicly available data about UK users can trigger UK GDPR obligations, even where a business is based entirely overseas and markets its services to non-UK clients. AI and platform companies that collect, classify, embed or profile public data at scale should expect regulators to treat such processing as behavioural monitoring - and therefore within jurisdiction. If your business model involves large datasets, identity tools, computer-vision systems or user-profiling outputs supplied to third parties, this ruling makes the need for territorial-scope assessments more important than ever.

Finally, and topically, recent media reports have suggested that the UK government is considering plans to expand use of facial-recognition technology by UK police forces. If this does come to fruition, demand for service-provider tools (such as scanning, matching, database-hosting, indexing of images) may well rise - likely provided by firms such as Clearview. This ruling makes it clear that these third-party providers cannot assume immunity from UK data protection law.

Any practical tips?

Overseas organisations - particularly those in AI, data analytics, digital platforms or social-media ecosystems - should:

• assess whether their processing of UK residents’ data brings them within the scope of the UK GDPR, even without any UK establishment;
• recognise that private-sector providers do not share the limited immunity available to foreign state authorities;
• ensure that, if they intend to rely on any exclusion linked to law-enforcement or national-security purposes, they can produce sufficient evidence demonstrating the nature of their activities;
• evaluate activities such as scraping, large-scale data aggregation, model training and API-based identity services, all of which may trigger territorial scope and behavioural-monitoring provisions. 

Winter 2025