[2025] UKUT 319 (AAC)

The FTT concluded that the ICO did not have jurisdiction to issue the Notices because although the processing undertaken by Clearview was related to the monitoring of data subjects’ behaviour in the United Kingdom, the processing was beyond the material scope of the GDPR and was not relevant processing for the purposes of Article 3 of the UK GDPR. See paragraph 1 of the FTT’s Decision Notice.

To convey the FTT’s reasoning on these issues, it is necessary to set it out in full:

“111.

We agree, and there was no dispute, that the images and additional information that are held in the [Clearview] Database constitute personal data. Vectors derived from images of a face would constitute special category data within the meaning of Article 4(14) GDPR and UK GDPR. Thus, not only does a Probe Image constitute personal data of the individual shown in that image, but the vectors derived from the face(s) shown in the Probe Image constitute special category data as they are biometric data falling within the definition in Article 4(14) to which Article 9(1) would apply.

112.

[Clearview] are carrying out processing of personal data in the provision of the Service. The following functions are forms of that processing within the definition in Article 4(2), that are carried out to enable a client to search the [Clearview] Database to seek a match of a Probe Image against the Stored Images:

a.

scraping the images from the internet, this is collection;

b.

holding/storing the images;

c.

identifying those images which include a face and discarding images without a face;

d.

creating vectors from the stored images;

e.

creation/use of the blob ID;

f.

indexing/clustering of the stored images.

113.

We find that c-f would be forms of organisation or structuring, adaptation or alteration, or retrieval and that all of the above forms of processing are encompassed in Activity 1 processing.

114.

Activity 2 processing by [Clearview] includes the following types of processing that would fall within the definition provided in Article 4(2):

a.

upload of probe image to [Clearview];

b.

holding/storage of probe image;

c.

creation of vectors from probe image;

d.

matching of vectors of probe image against database of vectors;

e.

production of results;

f.

attachment via the use of the blob ID of the URL etc to the results;

g.

revelation of search results to client;

h.

attachment of an alert to the probe image;

i.

the client having uploaded their gallery of images, search of gallery images as against the [Clearview] database.

Behavioural monitoring

115.

The heart of this case, in the Commissioner’s submissions, is that the Service is being used to monitor the behaviour of data subjects. If we are not satisfied about that his case will fail, therefore we consider that aspect first.

116.

It is necessary to decide what is meant by “behaviour” in this context because there is no definition. Every photographic image of a person will inevitably reveal something about them even, at the most basic level, that they had a photo taken or were standing up or were smiling, or simply that they were breathing, alive at the moment the photograph was taken.

117.

It seems to us that the word behaviour indicates something more than simply being alive. We could not and do not purport to define everything that might come within the definition of behaviour. We consider that language is a tool that may be employed to determine (albeit not definitively) whether something is aptly described as behaviour. We have concluded that a description of a person’s behaviour will include a verb. Such a description would reveal that the person is doing something, rather than the language solely communicating something about the person’s characteristics. In other words behaviour goes beyond mere identification or descriptive terms such as the person’s height hair colour, age, name or date of birth.

118.

We are of the view that a person’s behaviour would include:

a.

Where they are;

b.

What they are doing – including what they are saying/have said or what they have written as well as their employment or playing of a sport or their pastimes;

c.

Who they associate with in terms of relationships;

d.

What they are holding or carrying;

e.

What they are wearing – including any items indicating cultural or religious background or belief.

119.

As set out above in our findings of fact the search results provided as examples to us revealed aspects of the behaviour of the individual(s) in the image including the person’s:

a.

relationship status;

b.

parental status;

c.

associates;

d.

location or residence;

e.

use of social media;

f.

habits e.g. whether they smoke/drink alcohol;

g.

occupation or pastime(s);

h.

ability to drive a car;

i.

activity and whether that is legal and;

j.

whether the person has been arrested.

120.

We also need to decide what “monitoring” means but once again we could not and do not purport to define everything that might come within the definition of monitoring as it will be intensely fact specific. We have had regard to Recital 24 and the need to ascertain whether natural persons are “tracked” on the internet including potential subsequent use of certain processing techniques which consist of profiling a natural person to take decisions about them; predicting or analysing, inter alia, their behaviour.

121.

Thus, in the context of this case monitoring of a person’s behaviour by a [Clearview] client using its Service could include:

a.

Establishing where a person is/was at a particular point in time;

b.

Watching an individual data subject over time by repeated submission of the same Probe Image of a known person;

c.

Using the matched images produced in response to a single search of a Probe Image to provide a narrative about the person in the images at the different times shown in those search results;

d.

Combining these results with information obtained from other forms of monitoring or surveillance.

122.

These are all types of monitoring consistent with Recital 24 and in particular the reference to a person being “tracked” and thus monitoring will include a single incidence. It is important to note that the word is tracked as opposed to “tracking” which would imply a continuous or repeated activity. The verb “to track” is capable of bearing two meanings – the first being synonymous with hunting or searching for someone to establish their position at a fixed point in time and the second being the pursuit of a person over time, trailing them to identify where they are on more than one occasion.

123.

We agree that the monitoring in this case is being done to identify a person but that is not the sole reason. [Clearview]’s clients use the Service to try to find out not only who a person is, but also with a view to taking decisions about them, predicting or analysing the person’s behaviour in order to apprehend them/gather evidence about what they have done or to prevent illegal activity. We are satisfied that [Clearview]’s client organisations will use every piece of information they can gather to advance an investigation (that is their duty). Therefore, as in the example of the person who was located as a result of a search using [Clearview], the Service was used to glean information about where that person would be at a given time in order to apprehend them. That person was tracked on the internet and [Clearview]’s client took a decision about them, predicting their behaviour using the search results and any other information they had gathered to enable the person’s apprehension.

124.

The Commissioner’s primary case is not that [Clearview] is monitoring the behaviour of data subjects but that its processing (in particular Activity 2 processing) is related to the monitoring of the behaviour of data subjects including those in the UK, through which the Commissioner’s jurisdiction is said to be engaged.

125.

The secondary case is that [Clearview] itself monitors behaviour, that is a view that was not relied upon in the notices, this is the “indexing case” which is dealt with later in this decision.

126.

We have concluded that by using the [Clearview] Service as described above [Clearview]’s clients are “monitoring the behaviour” of those who appear in the Probe Images because they are seeking to identify facts about the individuals who appear in the Probe Images such as the examples given above, however the sole act of identification would not, in our view, be sufficient to constitute monitoring of the person’s behaviour.

127.

By considering the search results from the [Clearview] Database, and/or by considering those search results in conjunction with the Probe Image, or other information gathered as part of their investigation, [Clearview]’s clients may be able to ascertain information about a person’s behaviour, either at a particular point of time, or extending over a period of time, however short that period. Obtaining or seeking to obtain information of this nature constitutes monitoring of the person’s behaviour.

128.

Reliance was placed by the Commissioner on the alert function within the Service. However, in our view the use of the alert function is not determinative of the existence of the monitoring of behaviour as the alert is given when the scrapers copy an image that matches the facial vectors of the Probe Image to which the alert has been attached. The scraped image may have been on the internet for some time and not copied into the system due to how the web crawlers function, thus the provision of the alert, of itself, tells the client nothing more than that the image has been found. However, if the alert is used to track the appearance of such images on the internet over time it could amount to monitoring of behaviour. This demonstrates the way the Service can be used by clients to monitor the behaviour of data subjects.

129.

As to the indexing case, we find that this processing would not amount to the monitoring of behaviour. The Commissioner’s case is that the activity of gathering the facial vectors created from personal data and indexing it according to the similarity in those vectors is comparable to a form of state surveillance and that [Clearview] is monitoring behaviour in this way. We find that the indexing case fails because the behaviour of a data subject is not used in the creation of the vectors or the indexing of the images according to those facial vectors. That processing in itself reveals nothing about the behaviour of a person because it is an automated, mathematical exercise. For this reason we conclude that [Clearview] does not monitor the behaviour of data subjects in its own right. However, their processing of data when indexing facilitates the efficiency of the Service and as we conclude later is processing that is related to the monitoring of behaviour by [Clearview]’s clients.

130.

As set out above there are four elements to be satisfied for the successful application of the criterion under Article 3(2)(b). We are satisfied that the first element is satisfied as there has been processing of personal data as described above, which was not in dispute.

131.

We are further satisfied that the personal data that was subject to processing was that of data subjects in the UK and so we are satisfied about the second element. We conclude as set out in our factual conclusions above that the Database will include images of data subjects in the UK. We take the view that it is inevitable that the vectors from the UK data subject’s images (personal biometric data) within the Database will be processed during the comparison of the Probe Image to the Database as part of the matching process. However, it is less likely that an image of a UK data subject will be produced as a successful match/partial match where the clients are investigating alleged crimes/threats within their jurisdiction (i.e. not within the UK). That is unless the UK data subject is an international criminal, has become involved in activity the subject of investigation, or the client is investigating a multinational threat.

132.

The third element that must be satisfied is that the processing must be carried out by a controller or processor not established in the UK. As already stated it is agreed that [Clearview] is not established in the UK, neither are their clients, so far as the case is put to us by the parties.

133.

As referred to above there are two types of processing activity relied upon by the Commissioner; Activity 1 processing, covering the creation, development and maintenance of the Database and Activity 2 processing, covering [Clearview]’s receipt of the Probe Image from the client, matching the Probe Image against the Database, and then providing the search results to the client.

134.

A data controller determines the purposes and means of the processing of the processing ofdata, see Article 4(7).

135.

[Clearview] is a controller of the data as regards Activity 1 processing. This was not in dispute.

136.

We have concluded that [Clearview] is a joint data controller with their clients for Activity 2 processing. This is because:

a.

[Clearview] determines the purposes of the processing as it only provides the Service to those who wish to use it for purposes agreeable to [Clearview] within its terms and conditions, for example not for any other purpose than matters of law enforcement and national security;

b.

both [Clearview] and the client determine the means of processing; the client uploads the search image and [Clearview] conducts the matching process and provides the client with the matched images and additional information.

137.

[Clearview] is also a processor for the purposes of both Activity 1 and Activity 2 processing.

138.

We would add that even if we are wrong about our conclusions above about [Clearview] being a joint data controller nothing within the Regulation prevents the processing of data by a controller being related to the monitoring of behaviour by another distinct controller. This was the position in Soriano. We agree with the Commissioner on this issue. We agree that the use of the words “the monitoring” as opposed to “their monitoring” indicates that the mischief is the monitoring and not who is doing the monitoring. If that were the case and Article 3 were restricted in the way contended for by [Clearview] this would mean that it would be a simple matter for a controller/processor to avoid Article 3 by dividing/delegating their processing and monitoring activities to different legal persons; “outsourcing” it as described by the Commissioner in order to avoid liability.

139.

We are thus satisfied as to three of the four elements. The remaining common element is that the processing must be "related to" the monitoring of the behaviour of data subjects in the UK as far as their behaviour takes place within the UK.

140.

So far as the second limb of the fourth element is concerned we have already concluded that there will be some images within the Database of UK data subjects taken within the UK and we have concluded that, although less likely, those images may be provided to clients as a search result. We have also concluded that [Clearview]’s clients may be investigating international activities. On the basis of our factual findings and having applied the law we have concluded that there is, more likely than not, monitoring of the behaviour of data subjects in the UK as far as their behaviour takes place within the UK.

141.

Once again there is no definition of the phrase “related to” within the legislation or regulation(s). We respectfully agree with Warby LJ in Soriano that the phrase indicates that there must be a relationship between the processing of the individual’s personal data and the monitoring of behaviour that is in issue. The “compelling case” in Soriano was that information had been collected from the internet about a particular person and the data about that person had been assembled, analysed and ordered for the specific purpose of writing the article about that person’s behaviour which would be published. Publication was the processing that was complained about in the claim. The preparatory activities of collation and analysis were integral to the publication of the article and Warby LJ held that it was arguable that the preparatory activities fell within the meaning of monitoring and were related to the publication given that was the purpose for which they were undertaken. We would observe that there was, in Soriano, no other purpose for the collation, organisation and analysis of the data other than the publication. The whole purpose of the processing of data by [Clearview] is the provision of the Service to its Clients. There is no other purpose for the collation, organisation and analysis of the data in this case other than the use of that data by the clients using the Service.

142.

[Clearview] is not simply processing the personal data in relation to one data subject as in Soriano, but of millions if not billions of data subjects to facilitate the monitoring of behaviour by their clients.

143.

There is such a close connection between the creation, maintenance and operation of the Database and the monitoring of behaviour undertaken by the clients that [Clearview]’s processing activities are related to that monitoring.

144.

For all of these reasons we find that that [Clearview]’s processing is related to the monitoring carried out by the clients because:

a.

Such monitoring by [Clearview]’s clients could not take place without [Clearview]’s Activity 1 processing;

b.

The purpose of [Clearview]’s Activity 2 processing is to provide [Clearview]’s image matching service to its clients, thereby enabling the monitoring of behaviour carried out by [Clearview]’s clients to take place.

Was the processing in the course of an activity which falls/fell outside the scope of EU (Union) law?

145.

We have not decided this case on the basis of a failure to meet the applicable burden of proof by either party. However, we observe (as have others before us in this Tribunal), that where a regulator issues a notice or imposes a penalty notice because of a breach of a regulation, and there is an appeal against the notice(s) there will be an initial evidential burden imposed upon the decision maker who is required to prove that the infringement has taken place. Where an appellant raises the issue of jurisdiction the Tribunal will need to be satisfied that there was power to issue the notices, i.e. that the decision under appeal/notices relate to acts or omissions to which the Regulations applied.

146.

[Clearview] submits that, as a matter of fact, the Service is only provided to non-UK/EU law enforcement or national security bodies and their contractors. There was no evidence to the contrary tendered on behalf of the Commissioner. We have accepted Mr Mulcaire’s unchallenged evidence that all of [Clearview]’s current clients carry out criminal law enforcement and/or national security functions, and use the Service in furtherance of those functions, see above factual findings. That is the evidence placed before us by [Clearview] and while the Commissioner submits that there is an indication (in other words an inference) that any such contractors engaged by the clients are private sector bodies we are satisfied that any such contractors themselves carry out criminal law enforcement and/or national security functions. There is insufficient evidence on which to suggest otherwise.

147.

The Commissioner is correct in submitting that the restriction upon who may use the Service only results from choices made by [Clearview] in how they offer the Service (at the time of the notices) and we agree that there is nothing that would prevent the Service being offered to commercial clients in the future but we are not satisfied that there is any present intention to do so. We conclude that the jurisdiction of the Commissioner to issue the notices falls to be decided on the Service at the time at which they were issued.

148.

In any event we have concluded that [Clearview] does not monitor behaviour itself and it seems to us that Article 3(2)(b) is concerned with processing activities that are related to the monitoring of behaviour not processing activities that may be related to behavioural monitoring should there be a change of circumstances. Thus we reject the Commissioner’s case that potential future processing brings the case within the material scope of the Regulations.

149.

There is a specific directive applicable to law enforcement (Directive (EU) 2016/679 (“Law Enforcement Directive” / “LED”)) which was not the subject of the case before the Tribunal. Action could be taken by the Commissioner pursuant to the Law Enforcement Directive (LED) against a UK established “competent authority” who used the Service were he to be of the opinion that such activity breached the LED. Whether or not in those circumstances [Clearview]’s processing would be beyond the material scope of the regulation is a distinct legal question that is not before us and does not assist us in deciding the issue that is before us which is based on other facts as we have found them.

150.

The “Regulation” referred to in the opening words of Articles 2 and 3, and repeated within them is the GDPR/UK GDPR not the Article.

151.

Article 3 GDPR is constructed such that if the criteria are satisfied the Regulation will be engaged and the remaining provisions applicable to the processing of the data concerned. Conversely Article 2(2) GDPR sets out types of processing to which the Regulation does not apply, excluding processing that would otherwise be caught by Article 3 from the application of the GDPR. In this case the relevant exemption that is relied upon is that processing was in the course of an activity which falls outside the scope of Union law.

152.

As we have pointed out above (in paragraph 97) the UK GDPR is constructed differently and it is Article 3(2A) that removes processing in the course of an activity which fell outside the scope of Union law before IP completion day from the scope of the Regulation by excluding such processing from the definition of relevant processing in Article 3 UK GDPR.

153.

Therefore, the question for us remains the same. It is foremost a question of fact as neither party contends that the acts of foreign governments would be within the material/territorial scope of the Regulations because the activities of foreign governments fall outside the scope of Union law. It is not for one government to seek to bind or control the activities of another sovereign state.

154.

We have concluded, for all these reasons and on the basis of the unchallenged evidence, that [Clearview]’s processing was in the course of an activity which, immediately before IP completion day, fell outside the scope of EU law.

155.

This is because Article 2(2)(a) GDPR operates to remove the processing with which we are concerned from the material scope of the Regulation in respect of the processing that took place before the exit of the UK from the European Union. So even though we have concluded that the terms of Article 3(2)(b) of GDPR brought the processing within the 'territorial' scope of the GDPR, the Regulation was disapplied to that processing as it was outside the material scope of the Regulation by virtue of Article 2(2)(a) GDPR for that processing that occurred before IP completion day.

156.

Furthermore as regards the processing since that date, because the processing was in the course of an activity which, immediately before IP completion date, fell outside the scope of EU law that processing is not “relevant processing” of personal data as required by Article 3(2) UK GDPR and defined in Article 3(2A) UK GDPR. Thus, Article 3(2) UK GDPR does not apply to that processing and the processing that occurred after IP completion date is not within the scope of the Regulation as the material scope provision is disapplied.

157.

Returning to the questions for us, we have concluded that:

a.

as a matter of law Art (3)(2)(b) can apply where the monitoring of behaviour is carried out by a third party rather than the data controller;

b.

as a matter of fact the processing of data by [Clearview] was related to the monitoring of behaviour by [Clearview]’s clients;

c.

the processing is outside material scope of the Regulation as provided for in Article 2 GDPR and is not "relevant processing” for the purposes of Article 3 UK GDPR, as defined in Article 3(2A) thereby removing the processing from the scope of UK GDPR.”