[2025] UKUT 319 (AAC)

The meaning of the phrase “in the course of an activity which falls outside the scope of Union law” lies at the heart of this appeal.

While the parties agreed that the ICO has no jurisdiction to take enforcement action against foreign states in respect of their data processing in the context of their national security or law enforcement functions, they disagreed as to the mechanism for that restriction.

Mr Pitt-Payne KC, for the ICO, argued that any proper interpretation of Article 2(2)(a) of the GDPR must be informed by the principles of public international law that govern the relationships between states. These principles were referred to by the parties variously in terms of “international comity”, “sovereign equality of states”, “state immunity”, and “act of state doctrine”. We use “comity principles” as an umbrella term to cover these principles. Mr Pitt-Payne maintained that, viewed through the lens of comity principles, the words “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) refer to all matters that are without the competence of the Union: not only matters reserved to Member States, but also activitiesof foreign states with which neither the Union nor its Member States presume to interfere for reasons of comity.

Ms Demetriou KC, for Privacy International, argued for a much narrower interpretation: Article 2(2)(a) was concerned, she said, only with the division of responsibilities as between the Union and its Member States. It had no need to say anything about the activities of foreign states, because the GDPR is not concerned with the activities of foreign states at all. On Privacy International’s construction, the words “an activity which falls outside the scope of Union law” refer only to those activities in respect of which Member States have reserved control to themselves and conferred no powers on the Union to act. Examples of such activities are matters of national security, foreign policy and certain species of taxation.

Mr Pitt-Payne and Ms Demetriou both agreed, however, that their respective interpretations amounted to “different paths up the same mountain”, and whichever of their interpretations was correct, the outcome would be the same: data processing carried out by foreign states was beyond the ICO’s jurisdiction. Although they did not share the same analysis, they agreed that the issue whether Clearview or its private sector contractor clients were also excluded from regulation depended on the application of comity principles. The ICO’s analysis was that any exclusion would be under Article 2(2)(a). Ms Demetriou argued it would instead be on a freestanding basis.

Ms Proops KC, for Clearview, proposed a different explanation of what Article 2(2)(a) addresses, and how it should be interpreted. Ms Proops argued that the provision’s focus was neither on the activities of foreign states (which the Union was prevented from regulating both as a matter of competence and as a matter of public international law), nor on the national security activities of Member States (as these were reserved to the national governments of Member States by the terms of the TEU). Ms Proops invoked the principle that lawmakers do not legislate in vain. She said the EU legislators must have intended to achieve something more than simply confirming that the Regulation did not extend to activities that were already excluded from regulation.

Ms Proops said the key to unlocking what Article 2(2)(a) was about, was understanding the policy intent behind it. This policy intent was to avoid “a kind of back door regulation” of foreign states by regulating third parties whose processing occurs “in the course of” activities that are quintessentially state functions, such as matters of national security or law enforcement. She argued that such back door regulation would amount to “the most serious type of comity offence”.

Ms Proops submitted that, taking a purposive construction, Article 2(2)(a) must apply to remove Clearview’s processing from the material scope of the GDPR. This was because, at the point at which a client uploads a ‘probe image’ to initiate a search of Clearview’s databases for potentially matching vectors, Clearview’s processing “intersects so fundamentally” with its client’s processing that Clearview’s processing and its client’s discharge of its state functions are “effectively merged” such that they cannot be disentangled. Thus, Clearview’s processing is (in the words of Article 2(2)(a)) carried out “in the course of an activity which falls outside the scope of Union law”. Ms Proops referred to this as her “intersectional construction”, and we shall refer to it in the same terms.