Information Commissioner v Clearview AI Inc: UK GDPR applies to overseas provider of facial recognition tech

Introduction

The Upper Tribunal (UT) delivered a significant judgment this month in Information Commissioner v Clearview AI Inc [2025] UKUT 319 (AAC), overturning the previous decision made by the First-tier Tribunal (FTT) in 2023. In that earlier decision, Clearview AI Inc (“Clearview”) had successfully appealed a 2022 fine issued by the Information Commissioner’s Office (“ICO”) for alleged breaches of the General Data Protection Regulation (“GDPR”) and UK General Data Protection Regulation (“UK GDPR”).

This UT decision offers an interesting insight into the reach of the UK GDPR in cases involving overseas companies processing the personal data of data subjects in the UK, including where they are facilitating processing by their customers. This ruling is noteworthy as it addresses the UK GDPR’s material and territorial scope.

Legal background

Clearview is a US-based provider of facial recognition technology to law enforcement agencies. Its system compares images uploaded by clients against a vast image database of billions of images scraped from the internet, often without a lawful basis. When a match is found, the system provides similar images, along with links to their original sources, related social media profiles and technical metadata.

In May 2022, the ICO determined that Clearview was failing to process personal data (including biometric data) fairly, lawfully and transparently. The ICO issued Clearview with: (i) a Monetary Penalty Notice, requiring it to pay a £7,552,800 fine; and (ii) an Enforcement Notice, requiring it to delete and refrain from processing the personal data of any data subject resident in the UK.

Clearview appealed this significant fine, arguing that it had no UK presence or clients and only provided services to non-UK law enforcement bodies and, accordingly, the ICO did not have jurisdiction to issue the notices. The FTT overturned the fine in October 2023. As covered in our previous Insight, the FTT decided that Clearview’s processing activities were outside the scope of the GDPR and the UK GDPR because, in essence, it considered the processing, carried out as part of national security or criminal law enforcement activities, was “beyond the material scope of the GDPR and was not relevant processing for the purposes of Article 3 of the UK GDPR”. Essentially, this was for the technical reason that security-related processing fell outside of the scope of EU law, which formed the basis of the UK GDPR when it was imported into domestic law post-Brexit. In broad terms, the argument was that, because security-related processing was outside the scope of the EU GDPR, so it should also be outside the scope of the UK GDPR.

The FTT’s narrow interpretation of what was considered in “material scope” of the UK GDPR raised concerns about the practical reach of the UK GDPR’s extraterritorial provisions, and the ICO’s ability to regulate foreign tech companies providing services to non-UK/EU law enforcement bodies, even where the personal data of UK data subjects was being processed.

The UT’s October 2025 Judgment

The ICO appealed the decision of the FTT on four grounds, arguing that the FTT had misinterpreted the UK GDPR’s material and territorial scope. In its October 2025 judgment, the UT set aside the FTT’s decision and upheld three of the ICO’s grounds of appeal. The UT determined that:

(1) Clearview’s processing of personal information is related to monitoring of behaviour of UK residents;

(2) Clearview’s processing does not fall outside the reach of UK data protection law even if its services are only being provided to foreign law enforcement and government agencies; and

(3) the FTT had incorrectly found, as a material error of law, that Clearview’s processing of personal information was outside the material scope of the UK GDPR under Article 2(2)(a).

The UT rejected the FTT’s narrow reading of “material scope”, clarifying that the security-related exclusions apply only to activities reserved for Member States, not to private companies merely serving foreign authorities. This approach was guided by CJEU case law, namely Schrems II and Latvijas. The UT also adopted an expansive view of Article 3(2)(b), concerning territorial scope, holding that the UK GDPR applies to controllers (i.e. Clearview) whose data processing is “related to” behavioural monitoring, even if that monitoring is conducted by others.

The UT further clarified that “behavioural monitoring” encompasses both active and passive automated data-collecting and profiling. It confirmed that behavioural monitoring can be satisfied without requiring “‘watchfulness’ in the sense of human involvement”, reflecting the realities of “‘Big Data’ in the digital age”. The UT’s position here aligns with the EDPB Guidelines (3/2018) on the broad territorial scope of the GDPR (Article 3) (version 2.1) (“the EDPB Guidelines”), as well as the Court of Appeal’s decision in Soriano v Forensic News LLC, and others [2021] EWCA Civ 1952, [2022] QB 533.

The case will now be remitted to the FTT to determine the substantive appeal as to whether Clearview’s processing was in breach of UK data protection law.

Practical implications for reach of UK GDPR

The UT’s decision clarifies the broad extraterritorial reach of the UK GDPR, confirming that foreign companies can be subject to UK data protection law if their processing even merely facilitates the monitoring of UK individuals, even if they do not carry out that monitoring themselves and regardless of whether they have any physical presence in the UK.

The UT’s broad interpretation of “monitoring of behaviour” means that a wide range of automated data collection and profiling activities (such as facial recognition, biometric analysis and other forms of surveillance) could trigger UK GDPR compliance obligations, particularly where AI tools are being developed and trained using data scraped from the internet that includes UK/EU individuals’ personal data.

Companies engaging in such activities should review their data practices to ensure that they are not inadvertently caught by these far-reaching provisions. This interpretation should also be carefully noted by technology providers and data brokers who may have previously structured their operations to avoid UK regulatory scrutiny by serving only non-UK clients or law enforcement agencies.

However, while the ICO’s jurisdiction over these entities has now been clearly affirmed, practical enforcement remains a challenge. The ICO’s ability to compel compliance or impose penalties on overseas organisations will often depend on international cooperation and the willingness of foreign parties to engage with UK proceedings, a process that can be particularly difficult when non-UK companies attempt to resist regulatory action.

Takeaways and looking ahead

The UT’s decision marks a clear departure from the restrictive approach taken by the FTT in 2023. The UT decision appears to recognise that modern data risks, such as large-scale automated profiling and cross-border data flows, require a robust and expansive interpretation of the law. This judgment aligns more closely with the UK GDPR’s protective aims, seeking to ensure that individuals’ rights are safeguarded even in complex, international digital environments and closing loopholes that might have limited the ICO’s ability to act against foreign data-driven businesses.

For overseas companies, the UT’s decision is a warning that processing UK residents’ personal data, even indirectly or via online tracking, can potentially trigger UK GDPR compliance obligations regardless of physical presence. This outcome underscores the need for organisations to adopt comprehensive, cross-border compliance strategies and to regularly review how their data practices may trigger the application of UK law, particularly as automated profiling, international data sharing and leveraging AI technologies become more commonplace in an increasingly global digital environment.