In June 2022, URM wrote about the £7.5m + fine handed down by the Information Commissioner’s Office (ICO), the UK’s privacy regulator, to US-based company Clearview AI Inc. (back then we didn’t really understand the significance of those ominous initials ‘AI’ – how times have changed in the intervening months!). It is understood that Clearview is the world’s biggest facial image digital library, storing the mugshots and other personal data of literally billions of people. The US company licenses this vast database to law enforcement agencies in the US and around the world (but not, significantly as it turns out, in the UK or EU) for the purposes of ‘matching’ the faces with images of alleged criminals caught on security CCTV footage, doorbell cameras, police ANPR systems etc. Clearview claims to be a major force in the global fight against crime, although it has been described less flatteringly in another blog as an online ‘selfie-scraper’.
As with any fines imposed by the ICO, organisations have 28 days to appeal against the Regulator’s ruling. Well, that’s exactly what Clearview did. And now news reaches URM that the UK’s First-tier Tribunal, which is the first court for appeals against enforcement action by the ICO and a number of other sector regulators, has found in favour of Clearview and set aside the ICO’s fine.
However, the appeal tribunal interestingly agreed with the ICO’s original judgement that Clearview’s processing amounted to monitoring of UK data subjects, which Clearview had disputed. So how did the ICO lose?
It appears that the Regulator came to grief on a legal ground which, although it might be considered something of a technicality, is beloved of lawyers everywhere: namely, ‘want of jurisdiction’. In other words, the ICO had unwittingly strayed outside the bounds of its legal remit to punish Clearview for processing which it, the ICO, did not actually have authority to regulate.
To understand the Tribunal’s ruling, we have to recall the data protection legislative arrangements which the UK put in place after the country left the EU. Brexit resulted in a new UK-only version of the GDPR being introduced which protects the personal data of UK people, while the original EU GDPR continues to apply in the UK (as it does in the rest of the world) in relation to EU people’s data. In addition, the UK has its own Data Protection Act 2018 (DPA 2018) which contains a large range of data privacy provisions covering matters and sectors that were not included in the EU GDPR.
The ICO’s fine and other enforcement action against Clearview were brought under the UK GDPR. The part of the UK GDPR which enabled Clearview’s successful appeal is Article 2.2b, which states that the Regulation does not apply to “the processing of personal data by a competent authority for any of the law enforcement purposes” set out in Part 3 of the DPA 2018.
Clearview successfully argued that the processing by its foreign law enforcement clients of the data resulting from its monitoring, and therefore the monitoring by Clearview itself, should be considered as being for law enforcement purposes, and therefore it benefits from the exemption in Art. 2.2b of the UK GDPR.
As our previous blog on this subject noted, the ICO fine came after two other (bigger) fines were imposed on Clearview, for basically the same reasons, by the data protection authorities in France and Italy (Greece has since been added to that list). How the First-tier Tribunal’s decision (applying the UK GDPR, not the EU version, remember) may affect the validity, and hence enforceability, of these three other penalties is unclear – they were decided under the EU GDPR of course (although the EU GDPR does have an exclusion for law enforcement processing, similar to the UK GDPR’s Art. 2.2b, in its Art. 2.2d).
It should be noted that Clearview has not paid any of the fines it received from the EU regulators, nor complied with the other enforcement actions the European authorities sought to deploy against it – e.g., data deletion orders and stop-processing injunctions. URM will be following with interest the progress of the three EU supervisory authorities in recovering any money from Clearview, and their success or otherwise in applying these other sanctions against the US organisation.
In the meantime, the ICO has 28 days to appeal against the First-tier Tribunal’s ruling. And it would appear that Clearview might still have a case to answer: either the ICO could argue (on appeal to the Upper Tribunal) that it was not the processing by the exempt foreign law enforcement bodies (the ‘competent authorities’ to which Article 2.2b of the UK GDPR refers) that the UK Regulator took action against, but rather the non-exempt private US company’s processing that it was penalising; or the ICO could raise a fresh action against Clearview, for the same processing infringements, but brought under the ‘right law’ this time – the law enforcement provisions in Part 3 of the DPA 2018. The ICO says it is ‘carefully’ considering its next steps; and, given these factors, together with the size of the fine and the high profile of the case, it is difficult to see how the regulator can simply let this matter lie.