[2025] UKUT 319 (AAC)

Clearview’s Additional Reason 2 raises the issue whether Article 3(2)(b) can apply to processing by a controller on the grounds that such processing is “related to” behavioural monitoring carried out by another party where that other party’s behavioural monitoring is itself outside the scope of the GDPR.

Success on this ground can only assist Clearview if we are wrong to allow the ICO’s Ground 3 (i.e. if we are wrong to conclude that Clearview’s processing itself amounts to “behavioural monitoring”).

Further, it can only assist Clearview in relation to its processing for its private sector contractor clients if we are also wrong to allow Ground 1 (i.e. if we are wrong to conclude that the FTT materially erred in finding that Clearview’s contractor clients are beyond the material scope of the GDPR whether under Article 2(2)(a) or by independent operation of public international law).

While it is apparent from the pleadings and the transcript of the proceedings below that Clearview argued this issue before the FTT, unfortunately the FTT’s decision is entirely silent on it. We cannot know whether the FTT considered it and rejected it, or whether it simply failed to reach any decision on it.

Clearview’s case was that, because the “mischief” in the legislators’ crosshairs was behavioural monitoring, if the only behavioural monitoring taking place was itself beyond the material scope of the GDPR, that behavioural monitoring must be ignored when the application of Article 3(2)(b) is being considered. If Clearview did not conduct behavioural monitoring itself, and if its clients’ behavioural monitoring was outside scope, there was no “hook” to bring Clearview’s processing within the territorial scope of the GDPR under Article 3.

The ICO’s case was that Clearview’s approach requires words to be read into Article 3 that the legislators have not chosen to include. Mr Pitt-Payne argued that had the legislators intended to restrict the application of the GDPR in the way suggested by Clearview, they could and would have said in terms that the related behavioural monitoring must itself be within the material scope of the GDPR.

Ms Proops said that, on the contrary, when the GDPR is read as a whole, it is apparent that there is no intention to extend the reach of regulation to behavioural monitoring carried out by a party who is out of scope.

We were not directed to any authorities to support either party’s case in this regard.

The “mischief” at which Article 3(2) is aimed is behavioural monitoring. Its focus is on processing related to behavioural monitoring of data subjects and on the location of the data subjects being monitored. It is not on whomever is conducting the behavioural monitoring. Jurisdiction under the GDPR operates in two stages: first one must ascertain whether the processing in question is within the material scope of the GDPR under Article 2. That establishes whether or not the processing is of a kind that is of interest to the regulatory regime. Once material scope has been determined, one moves to the second stage, which is to consider whether the processing falls within territorial scope under Article 3.

In analysing this issue it is important to keep in mind that the Notices in this case were issued to Clearview, not its clients, and we have explained in [186] to [194] and [216] to [219] abovewhy neither Article 2(2)(a) nor the independent operation of international law by reason of comity considerations takes Clearview’s processing outside the material scope of the GDPR. Additional Reason 2 is really the counterpart to Clearview’s case resisting ICO’s Ground 2 (which we rejected for the reasons set out in[299] to [301] above). Given that we have rejected Clearview’s intersectional analysis of Clearview’s processing, there is no reason in principle why Clearview’s processing related to its clients’ behavioural monitoring should be excluded from the scope of regulation.

Ms Proops described Mr Pitt-Payne’s interpretation as involving a kind of “jurisdictional hokey-cokey”, meaning processing excluded at the first (material scope) stage in Article 2 is brought back in at the second (territorial) scope stage under Article 3. We disagree with this characterisation because the interpretation of Article 3 favoured by the ICO does not bring processing by a foreign state (or any other party enjoying immunity in accordance with comity principles) within the scope of regulation at the second stage, having been excluded under the first stage. It goes out at the first stage, and it stays out, without proceeding to the second stage under Article 3 at all. We consider that a natural interpretation of the provisions requires that where processing comes within material scope under Article 2, the issue whether the jurisdiction of the GDPR applies, depends only on whether the processing comes within territorial scope. That is determined by applying the test in Article 3 on its own, and it is impermissible to reopen the issue of material scope at the second stage.

Mr Pitt-Payne suggested that if we agree with Clearview that any behavioural monitoring excluded from material scope under Article 2 must be ignored for the purposes of ascertaining whether processing satisfies the Article 3 test, this would lead to absurd results, as described at paragraph [303] above. Mr Pitt-Payne argued that, following Clearview’s approach, any behavioural monitoring by Clearview’s UK competent authority client would have to be deemed not to exist for the purposes of applying the test under Article 3(2)(b) to Clearview, so Clearview’s processing could not be brought within the territorial scope of the GDPR. In these circumstances, the processing by the client conducting the behavioural monitoring (that falls to be ignored for the purposes of Article 3(2)(b)) falls to be regulated under the Law Enforcement Directiveand Part 3 of the DPA 2018. However, Clearview’s processing on its behalf would be regulated under neither the GDPR, nor the Law Enforcement Directivenor the DPA 2018.

We are not persuaded by Clearview’s proposed approach. While we have not found it necessary to determine whether this gives rise to absurdity, Mr Pitt-Payne’s example of Clearview’s processing related to the behavioural monitoring of a competent authority client demonstrates that it could give rise to surprising results.

Clearview’s contended approach is not supported by the wording of Article 3. Furthermore, it is by no means necessary to infer from the words of Article 3 (or the GDPR read as a whole), any legislative intent to restrict the effect of Article 3(2)(b) by treating any processing falling outside scope under Article 2 as if it did not exist when considering whether either test in Article 3(2) is satisfied. Had that been the intention, it could have been written by the legislators into the Articles in a straightforward way, for example, by making Article 3 subject to Article 2. Neither is there anything to support it in the Recitals, the EDPB Guidelines or the Travaux. For these reasons, we dismiss Additional Reason 2.