I was surprised by the recent Tribunal Decision (the “Decision”) which quashed Clearview’s £7.5 million fine on the grounds the UK_GDPR did not apply. My puzzlement has given rise to several important questions about the Decision. These questions need an urgent answer; hence this blog.
Clearview is a USA company which has scraped billions of photos and personal data from the Internet and used them to sell services to law enforcement/national security agencies and similar agencies in other countries (e.g. notably in the USA and in South America) but not the EU or UK (wonder why?).
Clearview’s idea is that if, for example, a USA law enforcement agency is looking for a suspect or witness and has a blurry photograph, then it can scour Clearview’s databases to identify possible matches for that suspect or witness and/or their location.
Facial recognition and AI techniques are used in such matches. Clearview do not initiate a search but provide the personal data and the processing means by which a match is undertaken. Note that Clearview retains much personal data that will NOT be used by, or disclosed to, its law enforcement clients (as such law enforcement bodies are unlikely to be searching for individuals unconnected with a police inquiry).
The more personal data Clearview scrapes from the Internet, the better chance that their clients score a “hit”. Equally, however, the more personal data Clearview will store on data subjects who are of NO interest to their clients. The Decision reports that there are three billion images on Clearview’s databases.
GDPR did not apply; ICO powerless
The Decision concluded (at para 157) that the UK_GDPR “can apply where the monitoring of behaviour is carried out by a third party rather than the data controller” (i.e. the UK_GDPR applied even though Clearview’s law enforcement clients were performing the monitoring).
However, “the processing is outside material scope of the Regulation as provided for in Article 2 of the GDPR [as] it is not ‘relevant processing’ for the purposes of Article 3 UK GDPR, as defined in Article 3(2A) [of the UK_GDPR] thereby removing the processing from the scope of UK” (para 157).
I have read this paragraph zillions of times but it is difficult to follow (mainly because the Decision says so little about how it came to its critical conclusions about relevant processing; see “Actions of a Foreign Government” below).
However, it is clear from para 157 that Article 3(2A) and its definition of “relevant processing” caused the ICO to lose the argument. This gives rise to four important questions, which are:
- Q1: Does the UK_GDPR’s lack of jurisdiction also apply to the unadulterated EU_GDPR? If the answer to Q1 is “yes”, then there is a pan-European problem that should be considered by the European Data Protection Board.
- Q2: If “no” to Q1, does the lack of jurisdiction issue apply just to the UK_GDPR because of a drafting issue?
- Q3: If “yes” to Q2, was this drafting problem accidental (i.e. “stuff happened” because of the haste associated with the UK’s wonderful “oven ready Brexit deal”)? If so, will the Government commit to correcting this drafting error in the DPDI No 2 Bill, or will it prefer to do nothing in order to curry favour with USA high tech involved with AI?
- Q4: If “no” to Q2, was the drafting problem deliberate? In which case: “Why was Parliament not informed by DCMS Ministers of this important change?”
Finally, consider the consequences of a private USA company scraping the Internet for billions of photographs and other personal data to be used by foreign law enforcement agencies, where millions of EU/UK citizens have no DP rights. Does this set of circumstances influence the answer to the question: “Does the USA offer an adequate level of protection?”
In short, from the UK perspective alone, the Decision appears to provide evidence that the USA does not offer an adequate level of protection for personal data transfers from the UK/EU to the USA.
Actions of a Foreign Government
I was struck by the following when reading the Decision:
“14. In oral submissions it was accepted by the Commissioner that processing by a foreign government would not be within the scope of the Regulations due to the principles of international law that mean that one state cannot seek to bind another. The actions of a foreign state are out of scope, by application of Article 2(2)(a) GDPR and Article 3(2A) UK GDPR” (para 14).
So, the foreign government issue, which is crucial to the outcome of the Decision, was settled orally (i.e. possibly not written down).
The importance of this issue was repeated at the end of the judgement:
“153. Therefore, the question for us remains the same. It is foremost a question of fact as neither party contends that the acts of foreign governments would be within the material/territorial scope of the Regulations because the activities of foreign governments fall outside the scope of Union law. It is not for one government to seek to bind or control the activities of another sovereign state” (para 153).
The police service in the USA comprises 18,000 organisations at federal, state, municipal and sheriff level; there are also policing oddities, as there are in the UK (e.g. park or transport police). These organisations may be funded by government but are not an executive arm of the government in the sense that politicians in power arbitrarily choose who to arrest or who to prosecute. This is unlike, for example, law enforcement in Putin’s Russia or other autocratic states.
I wonder therefore whether the use of Clearview’s services by USA law enforcement agencies comprises “actions of a foreign state”, given the sheer number of independent policing agencies in the USA. If the use was by, say, the Department of Homeland Security, then one could argue this foreign government point.
However, the actions in question are not of one Department of State; the actions are of a devolved policing service involving thousands of bodies. In other words, I am unsure whether these thousands of bodies can be viewed as “actions of a foreign state”.
Clearview is monitoring
In addition, unlike the Decision, I think that Clearview itself is monitoring behaviour of data subjects residing in the UK/EU.
Most personal data are NOT used by foreign police forces etc. because they relate to data subjects who are NOT of interest to the police, and never shall be. Such personal data are “retained” by Clearview (for a long time, one assumes), and retention is a processing operation, undertaken by Clearview, where there is no prospect of “actions of a foreign state”. The personal data are retained by Clearview until their deletion.
The Decision asserts that there is monitoring of behaviour by Clearview’s clients but not by Clearview itself. I think this is an error.
To facilitate monitoring, Clearview retains bulk personal data in case some of these data become of later interest to the police. Note that the personal data do not change when they are actually used or disclosed to the police.
If there is monitoring by the police (as the Decision states) when they initiate a search, it follows that the personal data must be organised in a structure that permits such monitoring, prior to that search. As this structure is arranged by Clearview (“organisation and structuring” being two processing operations as defined), it follows that Clearview is also monitoring by pre-structuring the data in anticipation of a search by one of its law enforcement clients.
In my humble view, even if the foreign state point is lost, Clearview is retaining scraped personal data of those NOT of interest to the police for law enforcement and national security purposes as a controller, and is also monitoring behaviour as described in the Decision.
Conclusion
In other words, I need to be convinced that the Decision is correct.
Hence the interesting question: “Does the current ICO have the stomach for an Appeal?” It is this final question that has to be answered soon.
References
Clearview AI Inc v The Information Commissioner [2023] UKFTT 819 (GRC) https://caselaw.nationalarchives.gov.uk/ukftt/grc/2023/819
Forthcoming Data Protection Courses
Our well-received, all-day Zoom workshop (10.00-4.30) on the Data Protection and Digital Information No 2 Bill will be held on Thursday 7 December 2023. The fee will be £250+VAT. Email [email protected] for the workshop agenda or to reserve a place on this session.
The following BCS Practitioner or Foundation courses can be attended in person, or via Zoom, or as a mixture (i.e. part Zoom, part attendance just in case “stuff happens on the day”).
- Data Protection PRACTITIONER Course is in London on Monday, 20 November 2023 to Friday, 24 November 2023 (5 days: 9.30am to 5.30pm).
- Data Protection FOUNDATION Course is in London on Tuesday, 12 December 2023 to Thursday, 14 December 2023 (3 days: 9.45am to 5.00pm) or
Full details are on Amberhawk’s website (www.amberhawk.com) or can be obtained by emailing info@amberhawk.com.