The ICO issued an enforcement notice against Clearview and fined it. I blogged about this before. Clearview has now overturned that ruling.

Clearview provides a facial recognition service. It has a database that contains billions of images scraped from the internet. Those images are from “publicly available” sites uploaded without privacy restrictions. In October 2022 it was estimated that the database included over 20 billion images and was growing by 75 million images per day. Its clients can upload a photo of a face for a comparison search on the database and it is 99%+ accurate. Clearview accepted that some of those photos will be of UK individuals. As such Clearview’s service might affect UK residents even though it is not used by UK customers.

Clearview has it’s based in the USA and has no establishment in the UK or EU, nor any servers or any IP addresses. It has no UK customers, although it ran a short trial in the UK for law enforcement/government organisations. It only provides services to non-UK/EU law enforcement or national security bodies in support of their criminal law enforcement and national security functions.

The Tribunal noted there was no dispute that the images and additional information held in Clearview’s database were not only personal data. In fact, it is “special category” data as it consists of biometric data. The Tribunal agreed that Clearview was a controller and processor of personal data. The Tribunal held that criminal law enforcement and national security functions are functions outside the material scope of GDPR. Therefore, it is not “relevant processing” under Article 3(2) GDPR and the ICO had no jurisdiction.

Thus, the enforcement notice and fine were repealed.

If you need advice, contact me f.jennings@teacherstern.com or +44 (0) 20 7611 2338.