[2025] UKUT 319 (AAC)

Ms Proops sought to persuade us that her intersectional construction, which we have summarised at [131] to [133] above, was the only interpretation that gave meaning to all the words of Article 2(2)(a).

She characterised the language of Article 2(2)(a) as “widely framed”, because it is not expressly limited to, for example, the national security activities of Member States. Had the EU legislators intended it to be so limited, Ms Proops said, they could and would have said so.

So, what was its purpose? As rehearsed above, Ms Proops said that since the bounds between the competence of the EU and the matters reserved to the national governments of its Member States were well-established, the purpose of Article 2(2)(a) could not have related to that issue. That would have no utility. Neither, she said, could its purpose be to exclude the processing activities of foreign states from the material scope of the GDPR, as Mr Pitt-Payne had argued, because that was a matter of public international law, and the EU would have no competence to regulate foreign states even if it wanted to. That too would have no utility.

This utility/futility argument is problematic for Clearview’s case because, for its interpretation of Article 2(2)(a) to achieve the utility described by Ms Proops, the regulation by the EU of the processing in question must be something that is within EU competence and must not be something that comity principles preclude it from regulating as a matter of public international law (whether by any statutory provision or by application of common law principles). Otherwise, Clearview’s reading of the provision makes it at least as futile as Ms Proops argued it would be on either the ICO’s or Privacy International’s preferred interpretations.

Clearview’s construction requires, therefore, that the purpose of the EU legislators was to shield from EU regulation the processing of personal data that public international law would permit the EU to regulate. In other words, for reasons of comity they made a policy choice to go further than comity principles required. We can find no support in the language of the GDPR for the EU legislators having had such a purpose.

Ms Proops sought to persuade us that Article 2(2)(a) must have been intended to deal with the situation of foreign data processors who are not themselves foreign states, but whose processing is so intertwined with their clients’ “quintessentially state activities” that to seek to regulate them would be deeply offensive to comity principles and would amount to regulation of foreign states “by the back door”.

Ms Proops explained to us that a client’s uploading of a ‘probe image’ initiates a search of Clearview’s databases, and conditions the delivery of search results by Clearview (i.e., the facial images with vectors which most closely match the vectors of the probe image, together with any additional information collected in relation to those images). Ms Proops said that at this point Clearview’s processing is, on any common-sense view, processing “in the course of” its clients’ discharge of their state functions. That is because Clearview’s processing intersects “perfectly and completely” with its clients’ processing such that the client’s processing in uploading the probe image and Clearview’s processing in searching its databases and delivering the search results, are “two sides of the same coin”.

We spent time at the hearing seeking to understand Clearview’s case on intersectional construction, and we are grateful to Ms Proops for her patience in answering our questions. We struggle to see why it would be appropriate to focus exclusively on the moment in time that data is transferred between Clearview and its client in the way that Ms Proops proposed, when there was clearly processing of data happening both before (Clearview’s Activity 1 processing) and after (the client’s use of the data in furtherance of its national security and/or law enforcement functions) the moment upon which the intersectional analysis fixed. It is unclear to us why the focus should only be on the moment when data was transferred between Clearview and its client.

Ms Proops accepted that ample processing took place by Clearview prior to the client’s uploading of a probe image. She accepted that there was no intersectionality there, but argued that because of the nature of the processing (i.e. it being ‘Activity 1’ processing only), it could not bring Clearview within the scope of the GDPR because on Clearview’s construction of Article 3(2)(b) (which we discuss in [264] to [275] and [307] to [320] below) that processing involves no behavioural monitoring.

Ms Proops also acknowledged that after the moment of transfer of the search results data, a client might carry out further processing of the data that might involve behavioural monitoring, but she maintained that, if it did, Clearview would no longer be “on the field”. It would play no part in any such behavioural monitoring, would have no control over it, and indeed it would have no knowledge of it. Those are points we grapple with in [346] to [351] below.

The temporal issue aside, we also struggle to see why the client’s transfer of the probe image data to Clearview’s system, and Clearview’s transfer of the search results to its client, were otherwise “inextricably intertwined” except in the sense that both parties’ activities were part of a common transaction (seeking a “match” between the client’s probe image and images on Clearview’s databases).

We do not see how the client’s activities and Clearview’s activities can be said to be “merged” at the point of transfer as Ms Proops suggested that they were. Our understanding is that use of the Service involves Clearview and its client each undertaking a distinct and separate task, and they carry out those tasks sequentially. The process necessarily starts with the client uploading a facial image to Clearview’s system. That upload initiates a search of Clearview’s system by reference to the facial vectors associated with the library of images stored in its databases, and the generation and transfer of a report of any search hits to the client. Clearview is not involved in the upload of the probe image, and the client is not involved in the searching of Clearview’s databases or the production of the report. The output is ultimately the product of a common endeavour, and that output cannot be achieved by either party alone, but the roles of the parties to the transaction remain distinct. They cannot properly be said to be “merged”.

Ms Proops argued her intersectional construction was “obvious” and applied as a matter of “common sense”. It is not, however, an obvious construction, since it focuses on one moment of processing to the exclusion of many others, without explanation of why that should be so. When asked by the panel to clarify the mechanism by which Clearview and its clients’ processing became so “inextricably intertwined”, Ms Proops could only repeat that the parties’ processing represent “two sides of the same coin”, they “perfectly and completely intersect”, and they are “merged” in the moment of exchange of data. The use of these amorphous concepts did not assist us in the exercise of statutory construction. The relationship between the activities of Clearview and the activities of its clients are no more “merged” or “fundamentally intersected” than the activities of parties to any transaction that involves transfers between them of electronic data.

Although she argued that Clearview’s processing was inextricably intertwined with the processing of its clients while they were exercising their state functions, Ms Proops accepted that foreign states could exercise their state functions without using Clearview’s service (and without interference from the ICO). She argued that regulation of Clearview’s service would amount to “back door” interference with foreign states’ discharge of their state functions because it would have the effect of compelling them to change the way they discharge their functions. Employing her “two sides of the same coin” metaphor, Ms Proops said that regulating Clearview’s side of the coin involves a reshaping of the tool in the hands of Clearview’s foreign state clients in a way that is profoundly offensive from a comity perspective.

Ms Proops sought support fromGoogle v CNIL (discussed above at [106] to [114] and at [165] to [167]), but that case was not about state activity, and neither was it about whether the processor was in territorial scope. As we have noted, Google was within the territorial scope of both the 95 Directive and the GDPR because it had an “establishment” in France (see [52] of Google v CNIL). We note the CJEU confirmed at [58] of its judgment that it considered the EU legislature had competence to impose an obligation on a search engine to de-reference across all its search engines. The CJEU’s decision in Google v CNIL turned on its interpretation of the substantive provisions about de-referencing, which it did not consider evinced an intention to confer a scope on the rights enshrined in those provisions that went beyond the borders of the territory of the Union. By contrast, the wording of Article 3(2)(b) GDPR expressly provides for extra-territorial effect.

While at times Ms Proops claimed Clearview’s intersectional interpretation to be “obvious” and a matter of “common sense”, she also made the less ambitious submission that it was “linguistically possible”. Because it was “linguistically possible”, she argued, it must be preferred because of the need to interpret the provision purposively and because of the principle of close confinement, which required the narrowest possible interpretation of the extent of the provision’s extra-territorial effect. Ms Proops insisted that, given the role already played by the Treaties that establish the bounds of competence of the EU and the rules of public international law, the purpose of the provision was to prevent “back door” regulation of foreign states through regulating those who are not foreign states but who process data in the course of foreign state functions.

For the reasons explained in [160] to [162] abovewe do not accept the argument that, even where the legislator has indicated expressly that it intends a provision to have extra-territorial effect, the extent of any such extra-territoriality must be interpreted strictly such that the narrowest possible reading must be given to it. We have engaged in a purposive interpretation. Applying that purposive interpretation, we consider that Article 2(2)(a) means what Privacy International says it means. Neither the words of the provision, nor the words of the relevant recitals, provide any indication that Article 2(2)(a) might have been enacted for the purpose suggested by Clearview, nor any suggestion that the legislators intended the words “in the course of” to bear the meaning for which Ms Proops argued.

For all of the reasons set out above, we reject the intersectional construction put forward by Clearview.