[2025] UKUT 319 (AAC)

Applying the principles discussed above, the binding authorities of Lindqvist and Schrems II,and the persuasive authorities of Latvijas and WK(summarised at [95] to [96] above), we conclude that the phrase “an activity which falls outside the scope of Union law” in Article 2(2)(a) GDPR must be construed strictly. The exception created by this wording cannot be interpreted to apply more broadly than the exception given in the 95 Directive.

There is nothing in Latvijas(or indeed in any of the other authorities to which our attention was drawn) to indicate that the CJEU intended to suggest that the requirement for a strict construction of the exception in Article 2(2)(a) was limited to identifying the division of activities between the Union and Member States, as Ms Proops suggested. Rather, we consider the issue whether the exception created by Article 2(2)(a) is to be given a narrow or a wide meaning to be binary - either the exception is to be construed narrowly, or it is not. On that basis, we consider that the CJEU’s decision that the exception bears a narrow construction is applicable in all circumstances.

Ms Proops pointed out that there was no authority before us concerning the interpretation of Article 2(2)(a) specifically in the context of foreign state activities. She suggested the reason there were authorities about which Member State activities fell within scope of Union law, and which fell outside it (and so within the exception in 2(2)(a)), was because the “carve up” of powers between the EU and Member States was a “tricky matter”. Ms Proops suggested the reason there were no authorities about foreign state activities was because it was obvious that all foreign state activities fall outside the scope of Union law, so it did not provide fertile ground for litigation. We do not consider that the absence of any such cases permits an inference that Privacy International’s interpretation is likely to be wrong. It just means that the issue has not come before the CJEU.

We acknowledge that there is no authority that is directly determinative of the issue of the proper reading of Article 2(2)(a). We accept that the fact that the authorities dealing with its interpretation concern the division of responsibilities between the Union and its Member States does not necessarily preclude it applying in other circumstances. However, neither is there any authority supporting either Mr Pitt-Payne’s or Ms Proops’ interpretations. We have already noted that in the Advocate General’s opinion in Schrems II, where he observed (at [104]) that subsequent processing by the US State would be excluded from the GDPR, he referred to Article 3, and not to Article 2(2)(a). This suggests that he did not read the exception in Article 2(2)(a) as referring, and applying, to foreign states (see [86] above).

We are persuaded that Privacy International’s interpretation is to be preferred. That reading is consistent with the characterisation that Ms Proops herself favoured of the EU as a members’ club, whose legislation establishes the rules by which its members have agreed to act. Seen through that prism, it would be strange were the club rules to include a provision that deals with the situation of non-members, who have not signed up to the club rules, and who are not bound by them.

We accept Ms Demetriou’s submission that by the time the GDPR was enacted, the phrase “outside the scope of Union law” already had a recognised meaning in EU legislation. That meaning was not the literal meaning for which Ms Proops advocated (i.e. anything beyond the legislative competence of the Union, howsoever excluded). Rather, it referred to matters reserved to national governments of Member States.

We have considered the principle that Parliament does not legislate in vain. Privacy International’s construction does not offend against that principle: Article 2(2)(a) serves to confirm, for the reassurance of Member States, that the ambit of the regulation respects the established division of responsibility between the Union and its Member States. That is a legitimate purpose, albeit a modest one, and we note that declaratory provisions with no operative element are by no means unknown in EU legislation.

Neither does this construction offend against comity principles in any way, because on this reading, the EU does not presume to interfere with the activities of foreign states at all.

By contrast, Clearview’s rejection of Privacy International’s construction proceeds from the dissonant starting point that the words “processing in the course of an activity which falls outside the scope of Union law” (our emphasis added) can only refer to processing that is within the scope of Union law, and any other interpretation must be rejected. While this logic may appeal to devotees of structural linguistics, it is not by any means an obvious reading and it does not sit well with the principles of certainty and foreseeability that Ms Proops enjoined us to follow when construing these provisions. We consider Privacy International’s submitted construction to be a far more natural interpretation of the words of the provision, and the one most consistent with what is said in the GDPR’s Recitals (particularly Recital 16).

It follows from all of this that we do not accept that the processing activities of Clearview or its clients are excluded by operation of Article 2(2)(a) of the GDPR or Article 3(2A) of the UK GDPR. To decide whether such processing activity is excluded requires consideration of the law relating to comity principles. We discuss this in [216] to [219] below.

It is implicit in our adoption of Privacy International’s preferred construction that we reject Clearview’s intersectional construction. Because Ms Proops’ submissions were so focused on this proposed construction, we now explain why we were not persuaded by it.