Clearview AI Inc., a U.S.-based tech firm, recently won an appeal against an enforcement notice and fine levied by the UK’s Information Commissioner’s Office (ICO). The dispute traces back to May 18, 2022, when the ICO issued a notice for Clearview to delete the personal data of UK individuals collected through its facial recognition technology. The notice also included a hefty fine of £7.5 million on the grounds of multiple violations under the EU and UK General Data Protection Regulations (GDPR).
Clearview was quick to challenge the notice and fine, arguing that it hadn’t violated the GDPR regulations. Moreover, Clearview contended that the ICO lacked jurisdiction to issue the notice and fine, given that it is a U.S. company and didn’t have an establishment in the EU or UK at the time of the alleged infringements. Clearview further defended its position by stating that it serves as a foreign entity acting on behalf of foreign law enforcement, thereby placing its processing activities outside the scope of Article 2 of the EU GDPR and Article 3 of the UK GDPR.
The judge presiding over the case sided with Clearview, ruling that even though the processing could be seen as monitoring of individuals in the UK under GDPR, it was outside the scope of the GDPR. The judge agreed with Clearview’s argument that its services are exclusively provided to non-UK/EU law enforcement or national security bodies and their contractors.
This ruling clarifies that the activities of foreign governments are beyond the reach of both the EU and UK GDPR. It underscores the principle that one government cannot bind or control the activities of another sovereign state, thereby setting a significant precedent in the realm of data privacy regulations.