[2025] UKUT 319 (AAC)

Clearview’s case on the construction of Article 3(2)(b) is that it is clear on its face that the legislature’s aim was to capture intrusive behavioural monitoring where the sights of the person doing the behavioural monitoring are trained on the behaviours of EU data subjects in the EU. It is the behavioural monitoring activity, and the intrusion that results from that activity, that is the “mischief” the legislators sought to tackle.

This understanding is consistent with the ICO’s case, as expressed in his Skeleton Argument at [167]):

“The point of 3(2)(b) is to ensure that EU data subjects have protection against being monitored by processing of their personal data. Having one’s behaviour monitored is inherently objectionable and merits protection.”

Ms Proops submitted that once one appreciates the mischief the provision is aimed at is the monitoring, it becomes clear that Article 3(2)(b) must be construed to apply to the person doing the monitoring, and therefore responsible for the mischief. Regulating the person doing the monitoring means, Ms Proops says, that you “hit the policy nail on the head”.

Ms Proops invited us to look to the Travaux in respect of the GDPR as an aid to construing Article 3(2)(b), citing Pickering (see [115] above) as confirming the Court of Appeal’s approval of such a practice. She suggested the Travaux tell a clear story that is consistent with Clearview’s case that the legislators’ focus was always on capturing the person actually engaged in the monitoring. She took us to the Commission’s 2012 impact assessment which discussed different options for data reform where it appeared to contemplate the data controller and the person monitoring the behaviour being one and the same. A similar passage appears in the 2016 Commission communication to the European Parliament. We have set out the respective texts, italicising the passages that Ms Proops relied upon at [117] to [118] above.

Ms Proops said that these passages in the Travaux support her narrow interpretation of Article 3(2)(b). She argued that had the legislators envisaged the scope of regulation extending to companies outside the Union monitoring the behaviour of EU data subjects within the EU (and those who service such companies), who are not themselves engaged in behavioural monitoring, they would surely have said something about such a significant extension of extra-territorial regulation.

Mr Pitt-Payne maintained that the Travaux relied upon by Clearview were of little assistance. He said that the two passages referred to are simply brief statements that do not directly address the question in issue in the appeal, namely whether Article 3(2)(b) applies to a single party situation or a multi-party situation. He argued that the Travaux did not rule out a multi-party situation.

Having read the Travaux, we observe that the Commission’s 2012 impact assessment is a relatively brief, high level explanation of different options for regulation, produced some years before the GDPR was legislated. The focus of the Commission’s subsequent communication to the European Parliament was on the transfer and exchange of personal data between the EU and the US. The purpose of the communication was to confirm what had happened since a 2013 communication on rebuilding trust in EU-US data flows. One element of that was the data reform package that would become the GDPR. The wording about territorial scope is, again, in the nature of a high level explanation. The wording relied on by Ms Proops amounts to individual sentences within high level explanations. For these reasons, we consider they are of limited significance.

The ICO relied on the EDPB Guidelines. We have set out the material parts at [119] above. Having read these in detail, we note that they focus directly on Article 3 and the territorial scope of the GDPR. The introduction to the EDPB Guidelines explains that the territorial scope of the GDPR represented a significant evolution of EU data protection law compared with the previous framework in the 95 Directive. The introduction explains the purpose of the EDPB Guidelines as being to ensure a consistent application of the GDPR about territorial scope, and that they set out, and clarify, the criteria for determining the application of territorial scope.

While Ms Proops commended the Travaux as a more reliable aid to construction than the EDPB Guidelines upon which the ICO relied, we note that the Court of Appeal said in Sorianothat the EDPB Guidelines are relevant to the exercise of construction, albeit not binding (see [101] above). We approach the EDPB Guidelines in the spirit suggested by the Court of Appeal in Soriano, and we have found them to be of assistance. As explained above, they are directed expressly at the question of how territorial scope of the GDPR is to be interpreted, and applied, both within and outside the EU.

At page 20 of the EDPB Guidelines in the section headed “d) Processor not established in the Union” it is stated:

“The EDPB considers there needs to be a connection between processing activity and the offering of good or service, but both processing by a controller and a processor are relevant and to be taken into account.”

Further, Example 20, set out at page 21 of the EDPB Guidelines, concerns a distinct processor and controller.

Ms Proops dismissed this example on the basis that it lacked equivalence to Clearview’s situation because, while it was right that an agent of a controller acting on behalf of that controller and subject to the controller’s direction would fall within the scope of regulation, the same should not apply to an independent third-party controller like Clearview. This was especially so, Ms Proops argued, because, as a result of the limited functionality of the Service, Clearview had no insight into the onward use of the data it supplies to its clients, with the consequence that it cannot know in any particular case whether any of its clients have ever used the data acquired via the Service to monitor the behaviour of any data subject in the UK. We accept that there are factual differences between Example 20 and the present case. Nonetheless, it provides a clear instance of a situation where activities undertaken by one party (the processor) are said to come within Article 3(2)(b) on the basis of their relationship to the behavioural monitoring carried out by another party (the controller).

While we agree with Ms Proops that the policy objective behind Article 3(2)(b) was to address the “mischief” of behavioural monitoring, and the intrusiveness that results from such monitoring, we are not persuaded that it was aimed only at the controller conducting the behavioural monitoring.