[2025] UKUT 319 (AAC)

We also heard extensive submissions as to what amounts to “behavioural monitoring” for the purposes of the GDPRs. As the FTT pointed out in its decision, there is no definition in either of the GDPRs of “behavioural monitoring”.

Mr Susskind, for the ICO, said Clearview’s mass collection of data (via deployment of its “crawlers” to search the public facing internet for “every single picture that exists of every single person”, collecting those images, together with other personal information from the websites on which the images are found), and its ordering of that data by mapping it, assigning vectors, and arranging the data according to similarity of facial vectors, must itself amount to behavioural monitoring so as to engage Article 3(2)(b). He said this was the way the ICO put his case before the FTT, but the FTT misunderstood it and mischaracterised his case at [129] of its decision, wrongly focusing only on the gathering of the facial vectors and the indexing of the data according to the similarities in those vectors, which in fact represents only a part of Clearview’s Activity 1 processing.

He drew our attention to Recitals 6, 7 and 24 (set out in [53] above) which explain the backdrop to the GDPR, and which Mr Susskind said should inform our understanding of the term “behavioural monitoring”.

Recitals 6 and 7 establish the GDPR as a response to the challenges posed by the new scale of collection and use of personal data, including by private companies, in the modern world. It is a regime born in the age of “Big Data” and designed to address its challenges. Mr Susskind encouraged us to interpret the GDPRs in a way that reflects that legislative purpose, and does not undermine it.

Mr Susskind also took us to Recital 24, the opening sentence of which traverses the terms of Article 3(2)(b), before giving guidance on what amounts to “behavioural monitoring”.

Mr Susskind encouraged us to take from this Recital not only that it provides an example of an indicator of behavioural monitoring (i.e. whether a natural person is being tracked on the internet), but also indicates that where there is “potential subsequent use of personal data processing techniques” it is not necessary for there to be actual profiling for the definition of “monitoring behaviour” to be engaged.

He highlighted that Clearview’s crawlers search the public-facing internet (or in the case of proprietary crawlers, search the platforms which they are deployed to search) on an indiscriminate and almost constant rolling basis. Once they have collected a facial image of a natural person, assigned it vectors, sorted it and stored it, the crawlers do not stop there. They continue scraping the internet for other facial images and will collect, map, sort and store further images, including images of the same individual, as and when they are encountered with the result that for every person whose image has been scraped, mapped, sorted and stored, there may well be a collection of multiple images captured at different times and in different contexts, together with associated personal data collected from the webpages from which the images were collected, which information the FTT found to be “behaviourally rich”. While the crawlers are deployed to collect facial images to which they can assign vectors, the data collected goes far beyond facial images.

Mr Susskind said these images tell stories of where people work, what they like, what they dislike, with whom they associate, their family and friends, their interests and their history. He submitted that this must, on any common sense view, amount to “behavioural monitoring”, and was precisely the kind of activity that the legislators intended to catch when they enacted the GDPRs.

Ms Proops argued that for an activity to amount to behavioural monitoring there must be more than simply the mass harvesting of data and its sorting and indexing by person: the data had to be further analysed or interrogated or otherwise utilised in some way. For this proposition, she placed reliance on the Court of Appeal’s decision in Soriano.

However, Sorianois not authority for all that Clearview requires of it. While Warby LJ said (at [103]) that the mere fact that the defendants in that case had created a collection of personal data related to the claimant’s behaviour “might not” be sufficient to amount to behavioural monitoring, he did not say that it could never be sufficient, and he said it was “arguable” that the activities of assembling, analysing, sorting and reconfiguring such data, and then publishing the result in articles, did fall within the meaning of “monitoring” and within the scope of the EDPB’s notions of “behavioural analysis and profiling”. We also accept Mr Susskind’s submission regarding the relevance of “potential subsequent use” of the personal data as indicated in Recital 24. In this regard, we note that the discussion at page 20 of the EDPB Guidelines also places emphasis on the subsequent use of the data.

Mr Susskind maintained that Ms Proops’ interpretation of “behavioural monitoring” was predicated on an interpretation of behavioural monitoring that required the monitoring to be “active”, and there was no warrant for such a requirement either in the wording of the GDPR or in what the Court of Appeal said in Soriano. Mr Susskind argued that monitoring could just as well be a “passive” affair. He gave the example of a hotel placing a CCTV camera in its lobby, and leaving it to record the comings and goings of staff, residents and members of the public. The making of such a recording must, Mr Susskind said, amount to monitoring the behaviour of natural persons, and this is so even if no one ever watches the recording or subjects it to any analysis.

We agree that the making of a recording in the circumstances Mr Susskind describes must amount to behavioural monitoring, regardless of whether the recording is ever accessed. What is important is not that the recording is accessed, but that it is made with a view to it being available to be accessed in the future should that be needed, consistent with the assessment of whether it amounts to behavioural monitoring reflecting the “potential subsequent use of personal data processing techniques which consist of profiling a natural person” (per Recital 24).

Ms Proops’ “active” understanding of behavioural monitoring is also somewhat at odds with the EDPB’s citing of “online tracking through the use of cookies” (at page 20 of the EDPB Guidelines) as an example of monitoring in the digital age.

Ms Proops argued that Clearview’s data collection and sorting activities could not amount to “behavioural monitoring” because the data was not sorted and indexed by reference to behaviour. We consider this argument to be misconceived because if one is interested in monitoring the behaviour of natural persons, one does not organise the data by reference to the behaviour it reveals, but rather by the identity of those whose behavioural data has been collected. It is Clearview’s capability for identifying individuals that makes its Service such an ideal tool for behavioural monitoring.

The ability to map internet images of an individual’s face and assign unique vectors to them facilitates the efficient mining of Clearview’s extensive database. A Clearview client could have an image of a person’s face, with no name, and no other information about them. Clearview’s data collection and sorting means that it might have pulled together a substantial amount of behaviourally rich information about that person, which it argues is highly likely to be accurate about them (because the information has been sifted and stored by reference to unique facial features that are turned into digital vectors).

The EDPB Guidelines say that the word “monitoring” implies that the controller has a specific purpose in mind for the collection and subsequent reuse of the data about an individual’s behaviour within the EU, and they say that when considering whether processing involves the monitoring of a data subject’s behaviour, the controller’s purpose for processing the data and potential subsequent use of profiling techniques are relevant considerations (see page 20 of the EDPB Guidelines).

While Ms Proops was somewhat coy about what Clearview’s clients might do with the search results they receive from Clearview, it is apparent from the ‘Lunch and Learn’ marketing materials that Clearview put into evidence that the Service was marketed as a valuable tool both for identifying, and for learning about, individuals in a way that can significantly assist national security and criminal law enforcement investigations. The further use, interrogation and analysis to which the data is subjected by Clearview’s clients does not indicate that the behavioural monitoring occurs only after Clearview has transmitted the search results to the client. Rather, before a client even submits a probe image, Clearview has obtained and arranged information about an individual that would, or might, confirm details such as their name, the activities they undertake, both for work and leisure, whether they are married or in a relationship, whether they have children, and whether they have been arrested for, or convicted of, criminal offences. This information will already be contained and arranged within the Service even if a probe image of that individual is never submitted by a client. This, together with the potential for further use of it by Clearview’s clients, further strengthens the case for Clearview’s Activity 1 processing amounting to behavioural monitoring (per page 20 of the EDPB Guidelines).

There is force in Mr Susskind’s argument that the language Ms Proops used in her submissions about monitoring having to be active or watchful in terms of it needing to demonstrate “looking at”, “watching, “scrutinising”, and “learning”, was apt to mislead. This is language about what humans do, but “monitoring” for the purposes of the GDPRs is not confined to that. Mr Susskind submitted that at the stage when Clearview gathers information about people, this does not require a person to sit down and trawl the internet to find images: this is done digitally by Clearview’s crawlers. Mr Susskind argued that, if “watchful” is stripped of its anthropomorphic connotations, the Clearview crawlers are actually extremely watchful. Their actions in crawling through a range of websites on a virtually constant basis, mean they will “watch” or “see” far more than any human could.

We agree with the ICO that Article 3(2) of the GDPR must be interpreted as a response to the challenges posed by the age of ‘Big Data’, which the Recitals show the EU legislators were keenly aware of and had in mind when deciding upon the terms of the regulation they were creating. It is important to approach the language of Article 3 with this in mind, and not to see it through the prism of analogue methods of monitoring and surveillance that require human involvement.

We therefore adopt a broad interpretation of the words “behavioural monitoring” that encompasses “passive” collection, sorting, classification and storing of data by automated means with a view to potential subsequent use (including by another controller) of personal data processing techniques which consist of profiling a natural person. It does not require active “watchfulness” in the sense of human involvement, it does not require analysis beyond automated sorting and classification with a view to subsequent future use, and it does not require the data to be sorted and classified by reference to subjects’ behaviour.

In the light of what we have decided about the proper construction of Articles 2(2)(a) and 3(2)(b) GDPR we can now deal with the ICO’s grounds of appeal more succinctly.