The Information Commissioner's Office v Clearview AI Inc (Privacy International intervening): [2025] UKUT 319 (AAC)

Upper Tribunal Administrative Appeals Chamber decision by Mrs Justice Heather Williams, Judge Church and Judge Butler on 6 October 2025.

Read the full decision in UA-2024-001563-GIA.

Judicial Summary

This appeal is about the reach of data protection regulation under European Union and United Kingdom law, and about whether the Information Commissioner had jurisdiction to issue an enforcement notice and a monetary penalty notice to the Respondent.

The Respondent is a United States technology company which utilises ‘crawlers’ to ‘scrape’ the public-facing internet for images of human faces. When a facial image is identified, the image is collected (together with additional data), mapped using algorithms, assigned facial vectors, and stored in a searchable database that the Respondent maintains, comprising tens of billions of such mapped images. The Respondent’s business involves selling access to its database to public and private sector clients operating in the fields of national security or criminal law enforcement. A client accesses the database by uploading a facial image to the Respondent’s system, which initiates a search of the database for images with the same or similar facial vectors. A successful search results in the production of a report including images with facial vectors with a high degree of similarity to the vectors in the image uploaded by the client, together with other related data, that the client can use in furtherance of its national security or criminal law enforcement activities.

The appeal raises the issue of the extent to which processing of the personal data of UK data subjects by a private company based outside the UK is excluded from the scope of regulation, including where such processing is carried out in the context of its foreign clients’ national security or criminal law enforcement activities.

The three-judge panel of the Upper Tribunal considered the proper interpretation of domestic and EU legislation (the UK General Data Protection Regulation (“GDPR”) and the General Data Protection Regulation (“GDPR”)), and decided that:

(1) the words “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) of the GDPR (which provides for an exclusion from the material scope of the GDPR) refer only to those activities in respect of which Member States have reserved control to themselves and not conferred powers on the Union to act, and not to all matters without the competence of the Union (as the Information Commissioner’s Office argued) or to the activities of third parties whose processing “intersects” with their clients’ processing in the course of “quintessentially state functions” which would offend against comity principles (as the Respondent argued);

(2) the words “behavioural monitoring” in Article 3(2)(b) GDPR are to be interpreted broadly, as a response to the challenges posed by ‘Big Data’ in the digital age, and they can encompass passive collection, sorting, classification and storing of data by automated means with a view to potential subsequent use, including use by another controller, of personal data processing techniques which consist of profiling a natural person. “Behavioural monitoring” does not require an element of active “watchfulness” in the sense of human involvement; and

(3) the words “related to” in Article 3(2) of the GDPR, as applied to Article 3(2)(b), have an expansive meaning, and apply not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller.

The Upper Tribunal found that the First-tier Tribunal erred materially in law in finding that the Respondent’s processing was outside the material scope of the GDPRs by operation of Article 2(2)(a).

The Upper Tribunal decided that the First-tier Tribunal was right to find that the Respondent’s processing fell within the territorial scope of the GDPRs, albeit that it differed in its reasoning.

The Upper Tribunal allowed the appeal, set aside the decision of the First-tier Tribunal, and remitted the matter to the First-tier Tribunal to decide the substantive appeal on the basis that the Information Commissioner had jurisdiction to issue the notices.

Published 14 October 2025