![[2025] UKUT 319 (AAC)](https://backend.juristeca.com/files/emisores/logo_3a2BKne.png){kind=logo}
The Travaux in respect of the GDPR
The Travaux in respect of the GDPR
In Secretary of State for Environment, Food and Rural Affairs v (1) Pickering Fishery Association and (2) Environment Agency [2025] EWCA Civ 378 (“Pickering”), the Court of Appeal proceeded on the basis that the Travaux prepared by the EU Commission, including a water policy document, were relevant to interpreting the approach envisaged under an EU Directive (see [124] to [127] of the judgment).
In 2012, before the Member States legislated the GDPR, the EU Commission identified policy objectives to address. These were to: (a) enhance the internal market dimension of data protection, (b) increase the effectiveness of the fundamental right to data protection and (c) establish a comprehensive EU data protection framework and enhance the coherence and consistency of EU data protection rules. The Commission Staff Working Paper Impact Assessment (Brussels, 25.01.2012, SEC (2012) 72 FINAL), set out a range of policy options to address these policy objectives and associated problems.
One problem identified in the Impact Assessment was gaps in current harmonisation causing harmful fragmentation. The Impact Assessment included the following (with the words relied upon by Clearview italicised):
“b) if the new instrument is a Regulation, the latter would be the law applicable throughout the EU. The Regulation would also be applicable to data controllers outside the EU if they offer goods and services (including information society services) to data subjects in the EU or monitor their behaviour.”
The EU Commission produced a communication to the European Parliament and the Council in 2016 regarding Transatlantic Data Flows: Restoring Trust through Strong Safeguards (Brussels, 29.02.16 COM (2016) 117 Final). In section 2, the Commission dealt with the EU Data Protection reform. It described the GDPR, and stated the following about territorial scope at section 2.2 (with the words relied upon by Clearview italicised):
“2.2 What has changed?
The Regulation updates, modernises and in some cases strengthens the data protection principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights. It focuses on reinforcing individuals’ rights, deepening the EU internal market, ensuring stronger enforcement of the rules, streamlining international transfers of personal data and setting global data protection standards. The rules are designed to make sure that EU individuals’ personal data are protected – no matter where they are sent, processed or stored - even outside the EU, as may often be the case in the digital world. A number of features in the reform are particularly relevant to highlight.
First, territorial scope: the Regulation makes clear that it also applies to companies established in a third country if they are offering goods and services, or monitoring the behaviour of individuals, in the EU. Companies based outside the EU will have to apply the same rules as companies based in the EU. This ensures the comprehensive protection of EU individuals’ rights. It also creates a level playing field between EU and foreign companies, thereby avoiding competitive imbalances between EU and foreign companies when operating in the EU or targeting consumers in the EU.”
- Heading
- The decision of the Upper Tribunal is to allow the appeal The decision of the First-tier Tribunal made on 17 October 2023 was materially in error of law. It is SET ASIDE under section 12(2)(a) of the Tribunals, Courts and Enforcement Act 2007 (“TCEA
- REASONS FOR DECISION
- Introduction
- The decision under appeal
- A summary of the relevant factual background
- The FTT’s decision
- The FTT’s findings of fact
- The FTT’s conclusions
- The issues in this appeal
- Appeal ground 1
- Appeal ground 2
- Appeal ground 4
- Additional Reason 1
- The scope of the appeal - admitting the additional reasons arguments for consideration
- Permitting Privacy International to intervene in the appeal
- Permitting Clearview to rely on a written reply to Privacy International’s skeleton argument
- Reliance on the evidence filed by Privacy International
- Reliance on legal arguments not raised before the FTT
- Legal framework
- Relevant legislative provisions
- The GDPR
- The UK GDPR
- “Article 2 This Regulation applies to the automated or structured processing of personal data, including
- 1A. This Regulation also applies to the manual unstructured processing of personal data held by an FOI public authority This Regulation does not apply to
- “Article 3
- The 95 Directive
- The Law Enforcement Directive
- State immunity and foreign act of state
- Material scope: the caselaw
- Territorial scope: the caselaw
- The Travaux in respect of the GDPR
- The EDPB Guidelines
- Data subjects in the Union
- The burden of proof in appeals against ICO Notices
- Analysis
- The parties’ positions on material scope in brief
- What the FTT decided in relation to Article 2(2)(a)
- General approach to construction of the GDPRs
- Domestic authorities on comity, extra-territoriality and utility
- EU authorities on extra-territorial effect and comity
- Certainty and foreseeability
- Proportionality
- EU law authorities on the construction of Article 2(2)(a) of the GDPR
- Relevant comity principles
- Our construction of Article 2(2)(a)
- Analysis of Clearview’s proposed intersectional construction
- Alternative analysis based on the ICO’s construction
- Would regulation of Clearview’s data processing breach comity principles?
- Article 3(2)(b) GDPR: territorial scope
- What was the policy objective behind Article 3(2)(b)?
- The meaning of “related to” in Article 3(2)(b)
- The meaning of “behavioural monitoring” in Article 3(2)(b)
- Ground 1
- Ground 2
- Ground 3
- Ground 4
- Clearview’s Additional Reasons
- Additional Reason 1
- Additional Reason 2
- Additional Reason 3
- Additional Reason 4
- Conclusions