Clearview AI: Tribunal Takes a “Clear View” on ICO’s Jurisdiction

On 7 October 2025, the Upper Tribunal (“UT”) handed down a significant judgment in favour of the Information Commissioner’s Office (“ICO”), ruling against Clearview AI (“Clearview”), a US-based facial recognition company. The case focused on whether the ICO had jurisdiction under the UK GDPR to pursue enforcement against Clearview AI, which scraped billions of publicly available images from the public-facing internet (including those of UK residents) to build a global facial recognition database for foreign clients’ national security and criminal law enforcement operations. The ICO deemed this activity unlawful under UK data protection law.

This decision reverses the earlier finding of the First-Tier Tribunal (“FTT”), which, on 17 October 2023, concluded that the ICO lacked jurisdiction under the UK GDPR to take enforcement action against Clearview. We previously commented on the FTT’s decision in this article.

In an increasingly interconnected digital landscape, the UT’s ruling is a pivotal moment for UK data protection enforcement. It affirms that the UK GDPR can apply extraterritorially where their processing targets UK residents; even to companies with no UK establishment. This creates a particularly interesting dynamic at a time when the UK’s data protection framework is evolving towards greater flexibility, with the Data (Use and Access) Act 2025 introducing reforms to the UK GDPR designed to facilitate more agile and innovation-friendly data use by organisations. The decision also reinforces the position that automated data collection and indexing, even without human involvement, can amount to behavioural monitoring.

Background

Clearview AI’s business model involved the large-scale collection of publicly accessible images from websites and social media platforms (such as Facebook). The model worked by identifying facial images and collecting them along with additional data. These were processed using algorithms to generate facial vectors, which were then stored in a searchable facial recognition database maintained by Clearview, containing tens of billions of such mapped images. This database was designed to assist law enforcement and security agencies in identifying individuals. Crucially, this processing was conducted without the knowledge or consent of the data subjects, raising substantive concerns under UK data protection law, particularly in relation to the principles of transparency, lawfulness, and fairness under the UK GDPR.

In May 2022, the ICO issued a £7.5 million fine to Clearview AI for breaches of the UK GDPR, marking the third-largest monetary penalty ever imposed by the regulator at the time. The ICO also served an enforcement notice, requiring Clearview to cease processing the personal data of UK residents and to delete any such data already collected.

Clearview appealed the decision to the FTT, which ultimately found in its favour; holding that the ICO lacked jurisdiction under the UK GDPR. The crux of this argument lay in the fact that Clearview’s services were directed at foreign law enforcement bodies and therefore fell outside the material scope of the regulation.

However, on 7 October 2025, the UT overturned the FTT’s decision, concluding that the FTT had materially erred in law. The UT found that Clearview’s processing activities, particularly the monitoring of UK individuals’ behaviour, did fall within the scope of the UK GDPR. As a result, the ICO’s jurisdiction was reinstated, and the matter has now been remitted to the FTT for substantive reconsideration.

Unpicking the UT’s Decision

In its October 2023 decision, the FTT allowed Clearview AI’s appeal against the ICO, concluding that the ICO fundamentally lacked jurisdiction under the UK GDPR to issue a monetary penalty and enforcement notice. The FTT’s reasoning examined two key concepts under the UK GDPR: “territorial scope” and “material scope”:

1. material scope (Article 2(1)(a)) and Article 3(2A) excludes from the UK GDPR any processing of personal data carried out “in the course of an activity which falls outside the scope of EU law” (note under the GDPR this is referenced as Article 2(2)(a) and “Union” law); and 

2. territorial scope (Article 3(2)(b)) extends the UK GDPR to controllers or processors not established in the UK where their processing relates to the monitoring of behaviour of data subjects located in the UK.

The FTT accepted that Clearview’s activities fell within the territorial scope of the UK GDPR because its processing related to monitoring of UK residents’ behaviour under Article 3(2)(b) by its customers. However, it held that the processing was outside the material scope of the regulation under Article 2(1)(a), as its services were provided exclusively to foreign law enforcement and national security agencies, which the FTT considered to be engaged in activities falling outside the scope of Union law. It also concluded that Clearview did not carry out behavioural monitoring itself; it simply enabled its users to do so.

Note that the judgment draws on principles from the EU GDPR, which the UK GDPR mirrors post-Brexit, to interpret key terms like “behavioural monitoring” and “outside the scope of Union law”; for consistency, we have referred to the UK GDPR in our analysis.

The ICO appealed the FTT’s decision; accordingly, the UT upheld three out of four of the ICO’s grounds of appeal:

1. Misapplication of Article 2(1)(a) – Material Scope

The first ground of appeal concerned whether the FTT erred in law by finding that Clearview’s clients were excluded from the material scope of the UK GDPR pursuant to Article 2(1)(a) and Article 3(2A) (i.e. constituted an activity which “falls outside of the scope of EU law”). The UT clarified that this exclusion applies strictly to activities reserved to Member States, such as national security, and did not extend to foreign governments or private entities working in law enforcement. The exclusion is intended to reflect the EU’s internal division of responsibilities and ensures that the UK GDPR does not intrude into areas where the EU has no legislative competence. Accordingly, as a privately operated company, Clearview could not invoke this exemption solely on the basis that its clients were foreign law enforcement bodies. 

The UT concluded that the FTT had misapplied the law by conflating the commercial data processing that Clearview’s clients were benefitting from with state functions and had failed to establish a sufficient factual foundation to treat Clearview’s clients as exempt under principles of international comity.

 2. Clearview’s Own Processing

The second ground of appeal addressed whether the FTT erred in law by concluding that Clearview’s own processing was excluded from the material scope of the UK GDPR under Article 2(1)(a). It is important to understand that this was a standalone issue, separate from the UT’s findings under Ground 1 above in respect of Clearview’s clients.  

The UT rejected the FTT’s conclusion, finding that Clearview’s processing was not conducted “in the course of an activity which falls outside the scope of Union law.” As a private commercial entity, Clearview could not claim exemption merely because its services were used by foreign law enforcement bodies; nothing in the processing that Clearview itself carried out made it suitable only for being used in conjunction with state functions. The UT re-emphasised (in line with the argument under the first ground as above) that the material scope exclusion under Article 2(1)(a) applies only to activities reserved to Member States, such as national security, and not to private companies or foreign governments.

The ICO advanced four sub-grounds under the second ground, each of which the UT considered in detail:

1. Focus on Clearview’s own processing
   The FTT failed to recognise that the ICO’s enforcement notices were directed at Clearview’s own processing, not its clients’. The UT agreed that the FTT had inadequately addressed Clearview’s specific activities and had instead relied on reasoning applicable to its clients in its decision. As a related element, the UT rejected Clearview’s “intersectional” argument (i.e. that its processing was so intertwined with its clients’ state functions that it should be excluded).
2. Failure to analyse Clearview’s activities
   The FTT did not properly assess the nature of Clearview’s processing, including its automated scraping, indexing, and database creation (this was addressed in the UT’s consideration of the third ground of appeal, as below). The UT found that the FTT’s reasoning lacked clarity and failed to explain how these activities could be considered outside the scope of EU law.
3. Improper interpretation of GDPR provisions
   The UT held that the FTT’s interpretation of Article 2 and/or Article 3 of UK GDPR effectively inserted additional wording into the regulation, suggesting that Clearview’s processing could only fall within scope if its clients’ processing did. This was legally unsound and created an artificial dependency between the two.
4. Anomalies in the data protection framework
   The UT noted that the FTT’s construction of Article 2(1)(a) would lead to anomalies in the data protection framework. For example, if Clearview provided services to a UK law enforcement body, the data processing of that body would be regulated under the Law Enforcement Directive, but Clearview’s own processing would fall outside any regulatory regime. This would create a regulatory gap, undermining the coherence of the GDPR.

3. Behavioural Monitoring

Finally, the third ground concerned whether the FTT had incorrectly determined that Clearview’s own activities did not constitute “behavioural monitoring”. In contrast to the FTT, the UT adopted a broad interpretation of “behavioural monitoring” under Article 3(2)(b) of the UK GDPR, intended to recognise the realities of data processing as a response to the challenges posed by ‘Big Data’. 

There are two branches to this argument: importantly, UT emphasised that monitoring need not be “active” or involve human scrutiny (the specific term used by the UT being “watchfulness”), determining that passive / automated collection and organisation of behaviourally rich data with a view to future use, including profiling, was sufficient to amount to behavioural monitoring. Clearview’s crawlers continuously scanned the public-facing internet, collecting multiple images of individuals over time and in varying contexts, along with associated metadata. This data was stored and arranged in a way that enabled identification and behavioural analysis.

Secondly, the UT confirmed that a party’s processing can fall within the scope of the UK GDPR if it is related to behavioural monitoring carried out by another. Under Article 3(2)(b) of the UK GDPR, the UK GDPR applies to processing of personal data by a controller or processor not established in the UK if the processing is “related to” the monitoring of behaviour of individuals located in the UK. The Upper Tribunal interpreted “related to” broadly, in line with the GDPR’s purpose of regulating modern data practices. In Clearview’s case, the Tribunal found that its processing was not only monitoring in its own right, but also directly enabled its clients’ monitoring activities. Specifically, what the UT deemed as Clearview’s “Activity 1” (scraping and mapping images) was essential to the monitoring process as the monitoring could not take place without it, while Clearview’s “Activity 2” (image matching and search functionality) provided clients with access to behaviourally rich data, thereby enabling the monitoring to take place. Clearview’s own marketing materials reinforced this, presenting the service as a tool for investigative use in national security and law enforcement. The Tribunal concluded that such processing aligns with the UK GDPR’s purpose; to regulate data practices that facilitate profiling and surveillance.

Ultimately, the UT determined that the words “related to” in Article 3(2) of the UK GDPR means the Regulation applies not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller.

Reactions and Regulatory Implications

John Edwards, UK Information Commissioner, welcomed the decision of the UT, stating:

“The UT’s decision has upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge. The ruling also gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal information is based.”

This decision is precedent-setting in affirming the jurisdictional reach of the UK’s data protection regulator. It confirms that organisations cannot avoid enforcement under the UK GDPR simply by operating overseas or serving foreign clients, where their activities involve the monitoring of UK residents’ behaviour. The ruling arrives at a time when UK data protection law is undergoing reform to promote innovation and regulatory flexibility, raising important questions about how jurisdictional principles will be interpreted in cross-border contexts. Additionally – organisations may fall within the scope of the UK GDPR even if they are not directly conducting behavioural monitoring themselves, where their processing activities are sufficiently connected to or enable monitoring carried out by others. 

From a broader perspective, this decision raises questions about how such enforcement will be received internationally, particularly in jurisdictions with differing legal frameworks or regulatory priorities. It also prompts consideration of how UK law will interact with foreign regimes in cases involving emerging technologies such as this. 

Finally, it is worth touching on the point that this decision reinforces the point that automated data collection and indexing can amount to behavioural monitoring. This has important implications, as it confirms that monitoring under the UK GDPR does not require human involvement or active observation. Passive, algorithm-driven processes (in this case, Clearview’s scraping, sorting, and storing of behaviourally rich data) can fall within scope where they are used to profile individuals or support behavioural analysis.

While the case has now been remitted to the FTT for substantive re-evaluation of the ICO’s enforcement action and monetary penalty on the basis that the ICO do have jurisdiction, it is widely expected that Clearview AI will appeal the UT’s decision. Organisations involved in the processing of UK personal data, particularly biometric and behavioural data, should closely monitor the case and consider the issues it raises.

If you have any questions or would otherwise like to discuss any issues raised in this article, please contact Hamish Corner, Tom Whittaker, Madelin Sinclair McAusland, Amanda Leiu or any other member in our Technology team. 

Written by Victoria McCarron