Loretta Pugh
Partner
Co-lead of Data Protection and Cyber Security (UK)
This article explores how the UK GDPR applies to AI‑driven data scraping and biometric data, drawing on the Upper Tribunal’s decision in ICO v Clearview AI. We highlight what the judgment means for international data transfers, behavioural monitoring and AI governance.
A tech company based outside the UK 'scrapes' the internet for images of UK residents' faces. It then collects, algorithmically maps and stores the images in a database, making it available for national security or criminal law enforcement purposes. Is that company excluded from the reach of UK and EU data protection law because it is outside the UK?
The UK's Upper Tribunal recently decided that such data processing by US tech company Clearview AI Inc (Clearview) is within scope of the GDPR, meaning an ICO fine of £7.5 million could still be on the cards. The decision underscores the regulatory risk of non-compliant processing of UK residents' personal data outside the UK and Europe. This was the case even where the processing was carried out by the company for the national enforcement or criminal law enforcement purposes of its client.
This important UK appellate tribunal decision highlights the relevance of careful data mapping and cross-border data flow management in contracts. In its clarification of the material and territorial scope provisions of the GDPR and UK GDPR, the judgment re-affirms the extraterritorial bite of UK data protection law.
Where modern profiling techniques are deployed, UK courts will not shy away from examining how biometric personal data is processed by a business - and its clients. Here, the tribunal decided there does not need to be "active watchfulness" for data processing to amount to "behavioural monitoring" under UK GDPR, recognising that such activity today is increasingly algorithmic. This part of the decision is significant for businesses deploying facial recognition databases and profiling systems, and in contexts where AI is trained on scraped data. More generally, the decision reflects why good AI governance is key for managing regulatory risk where AI solutions are adopted.
Clearview supports clients in criminal law enforcement and national security functions. It deploys facial recognition technology which compares an image submitted by its clients against a database of images copied or 'scraped' from the internet and saved. Clearview provided a trial service to some UK clients and did not have a corporate presence in the UK in the relevant timeframe.
The Information Commissioner's Office (ICO) investigated Clearview's activities in the UK. It decided Clearview had breached the General Data Protection Regulation (GDPR) and the UK GDPR (together referred to here as 'the GDPRs'[1]) in its processing of personal data of UK residents. In May 2022 it imposed an enforcement notice and monetary penalty of just over £7.5 million.
Clearview appealed the notices, challenging not only the identified GDPR breaches but also whether the ICO had jurisdiction to issue them. Clearview argued that because it is a foreign company and because of the nature of the service it offered and its clients, it did not fall within the territorial scope of the GDPR.
In 2023, the UK's First-tier Tribunal (General Regulatory Chamber) (FTT) decided in Clearview's favour, ruling that the ICO had not had jurisdiction to issue the notices. It said that the processing was beyond the material scope of the GDPRs and was not relevant processing for the purposes of the UK GDPR.
The ICO appealed the FTT decision to the Upper Tribunal (Administrative Appeals Chamber) (UT).
In the UT decision handed down in October 2025, the three-judge panel found that the FTT was wrong to find that processing by Clearview and its private sector clients was outside the material scope of the GDPR by operation of Article 2(2)(a). It also found that, whilst the FTT had been right to find that Clearview's processing fell within the territorial scope of the GDPRs, the UT reached the same conclusion by different reasoning.
The UT allowed the ICO's appeal and set aside the FTT decision. On a proper construction of the GDPRs, the ICO had jurisdiction to issue the notices. The case is remitted to a new FTT to decide the substantive appeal.
Article 2(2)(a) GDPR provides for an exclusion from the material scope of the GDPR. It excludes processing "in the course of an activity which falls outside the scope of Union law". The meaning of that phrase was key.
The ICO argued that the FTT was wrong to decide that Clearview's clients were excluded from the material scope of the GDPR under Article 2(2)(a). It said that the FTT should not have equated Clearview's private sector contractor clients with the foreign states to whom they were supplying services.
The UT ruled that it could not ascertain how the FTT had reached its decision on the application of the exception in Article 2(2)(a) due to the FTT's "very sparse" reasoning. The UT acknowledged that there is no authority directly determinative of the issue of the proper reading of Article 2(2)(a). It went on to construe Article 2(2)(a) itself.
It rejected Clearview's argument for an "intersectional construction" of the provision. Clearview's assertion was that the intention of the provision was to avoid regulation of foreign states by regulating private sector contractors, whose processing intersects to such an extent with that of their states' clients that the processing streams were indiscernible from each other. It argued that to override that intention would offend international law principles of comity between sovereign states.
The UT was not convinced, commenting that, "the activities of [Clearview's] clients are no more "merged" or "fundamentally intersected" than the activities of parties to any transaction that involves transfers between them of electronic data."
The UT preferred the construction put forward by Privacy International (an intervening party in the litigation). It concluded that the provision deals only with the division of responsibility between the Union and its Member States. It decided that it is not about foreign states or private bodies providing services to foreign states at all. The UT considered this construction was a more natural interpretation of the words and the one most consistent with what is set out in the GDPR's Recitals.
Article 3(2)(b) extends the territorial scope of the GDPR to the processing of personal data of UK residents by "a controller or processor not established in the [UK / EU], where the processing activities are related to the monitoring of their behaviour as far as their behaviour takes place within the [UK / EU]."
The FTT had found that, while Clearview's processing facilitated efficiency and is processing "related to" behavioural monitoring by its clients, Clearview itself did not undertake monitoring of UK data subjects within the meaning of Article 3(2)(b) GDPR.
The UT was persuaded that the FTT based its finding on a misunderstanding of the proper meaning of "behavioural monitoring" for the purposes of Article 3(2) and an unduly narrow consideration of Clearview's processing activities. It relied on Recital 24 and the EDPB Guidelines to highlight the relevance of the potential use of the data, including its use by another controller.
The UT observed (as the FTT also had) that Clearview "does a lot more than simply gather data: it […] analyses it, sorts it and stores it, and it does so with a view to permitting clients to upload images to the Service to initiate a search of the database and potentially to engage in further processing…"[2].
The UT ruled that Clearview's processing is "digital, automated and passive […] achieved by applying algorithms to the collected data and [involving] no human intervention"[3]. It found that there is nothing in the wording of Article 3, the Recitals or the EDPB Guidelines to indicate any requirement for "seeing" or "watching" to establish behavioural monitoring. Using the ICO's analogy of CCTV surveillance, the UT observed: "The key to establishing monitoring is not that someone or something actually accesses the output; it is that the data is available to be accessed should access be needed, and the data has been gathered in contemplation of that potential eventuality."
The UT also decided that Clearview itself undertook behavioural monitoring within Article 3(2)(b). Clearview's own gathering, sorting and storing in a filing system organised person-by-person of "behaviourally rich" data about natural persons amounted to "behavioural monitoring".
In addition, the UT decided the words "related to" in Article 3(2) should be read broadly. Clearview's processing was "related to" the behavioural monitoring carried out by its clients within the meaning of Article 3(2)(b) GDPR. The provision could therefore apply not only to controllers who themselves conduct behavioural monitoring but also to controllers whose data processing is related to behavioural monitoring carried out by another controller.
The UT concluded that if the FTT had applied the proper construction of "behavioural monitoring" to the facts it found, it would have decided that Clearview's processing involved "behavioural monitoring". Its processing was therefore within the territorial scope of the GDPR on the basis above, rather than on the basis decided by the FTT. Consequently, the UT found that the FTT made a material error of law.
For a deeper look at the legal risks of biometric data and what businesses can do to stay compliant, listen to Loretta Pugh and Jocelyn Paulley break it all down in their podcast Data privacy: the legal challenges of biometrics.
For practical guidance on managing AI governance and GDPR compliance, get in touch with Loretta Pugh or Jocelyn Paulley.
[2] Para 130, UT decision
[3] Para 311, UT decision