AI, data protection and the extraterritorial effect of the UK GDPR

Helen Bourne, partner and Harriet Davies, senior associate, at Clyde & CoFebruary 12, 2024

Artificial Intelligence (AI),machine learning with data mining technology on virtual dachboard.Double Exposure,Businessman hand working concept. Documents finance graphic chart. — Credit: Shutterstock/everything possible

On 15 January 2024, the UK Information Commissioner’s Office (ICO) launched its consultation series on generative AI and data protection, which is due to close on 1 March 2024. The first chapter of this consultation process and call for evidence covers the lawful basis for training generative AI models on web-scraped data.

Consultation – lawful basis

The ICO’s consultation includes important considerations for developers using web-scraped data to train generative AI models, highlighting the importance that these models need to be able to:

Identify and evidence a valid and clear legitimate interest for processing the web-scraped personal data;
Consider whether web scraping is necessary to achieve the interest identified in the purpose test; and
Assess the impact on individuals by applying a balancing test: do the interests, rights and freedoms of those individuals override those pursued by the controller or third parties?

Web scraping-related processing of personal data has been a particular focus of the ICO, which was highlighted last year in Clearview AI Inc v The Information Commissioner [2023] UKFTT 819 (GRC).

Clearview AI case

Towards the end of 2023, the ICO announced it is seeking permission to appeal the judgment of the first-tier tribunal (Tribunal) on Clearview AI (Clearview) and we await confirmation as to whether this permission will be granted.

The Tribunal ruled that the ICO did not have jurisdiction to issue an enforcement notice and monetary penalty notice to Clearview because although the processing undertaken by Clearview was related to the monitoring of data subjects’ behaviour in the UK, the processing was beyond the scope of the GDPR. The decision provides helpful guidance as to the extent of the ICO’s jurisdiction over a company with no establishment in the UK or EU.

ICO’s original enforcement notice

Clearview is an American-based facial recognition software company, which collects and uses images of people scraped from the internet to create an online database. This database could then be used by law enforcement and government agencies, as well as other organisations.

The ICO’s May 2022 Enforcement Notice that was the subject of the appeal fined Clearview £7.5m ($9.4m) for breaching data protection laws and ordered the company to delete images of UK citizens from its database. The ICO determined that Clearview was a controller under the UK GDPR, and its processing of personal data of UK residents came within the scope of the GDPR (in relation to processing taking place before 11PM on 31 December 2020); and the UK GDPR (in relation to subsequent processing), by virtue of Article 3(2)(b) GDPR and Article 3(2)(b) UK GDPR.

While Clearview was no longer offering services to UK clients at the time the enforcement notice was issued, the ICO determined that its database still contained images of UK residents, which could be seen by overseas customers of the company and was therefore effectively monitoring the behaviour of UK residents within Article 3(2)(b) GDPR and UK GDPR.

Clearview’s appeal

Clearview challenged the enforcement notice on the basis that it is a foreign company, providing its service to “foreign clients, using foreign IP addresses, and in support of the public interest activities of foreign governments and government agencies, in particular in relation to their national security and criminal law enforcement functions”. Clearview argued that the functions being targeted were within their jurisdiction and outside of the UK, and therefore beyond the territorial scope of Article 3 of the GDPR and/or UK GDPR.

The questions before the Tribunal were:

As a matter of law, can Article 3(2)(b) apply where the monitoring of behaviour is carried out by a third party rather than the data controller;
As a matter of fact, whether Clearview’s processing of data was related to monitoring by either Clearview itself or by its customers;
Whether the processing by Clearview was beyond the material scope of the GDPR by operation of Article 2(2)(a) GDPR and/or is not relevant processing for the purposes of the territorial scope of Article 3 UK GDPR.

Since the ICO held that Clearview’s conduct spanned a period of time when the GDPR was binding on the UK, as well as after the completion of the Brexit implementation period on 31 December 2020, the Tribunal analysed both the GDPR and UK GDPR.

Tribunal judgment

In evidence, the Tribunal found that the Clearview database containing facial images in photographs was copied or scraped from the public internet via web crawling. By October 2022, the database was estimated to include 20 billion images, with an estimated growth rate of 75 million images per day. While the Tribunal concluded that there must be some images of UK residents within the database given its size, Clearview did not use any website scrapers directed at websites with any particular connection to the UK.

Additionally, while Clearview offered its service on a trial basis to law enforcement/government organisations within the UK between June 2019-March 2020 (i.e. before the end of the Brexit transition period to the UK GDPR), there has been no offering of the service to customers established within the UK since that time.

For processing to fall within the territorial scope of Article 3(2)(b) GDPR, the Tribunal explored the four elements to be satisfied:

(1) That there has been processing of personal data;

(2) The personal data that was subject to processing was that of data subjects in the UK;

(3) The processing must be carried out by a controller or processor not established in the UK; and

(4) The processing must be “related to” the monitoring of the behaviour of data subjects in the UK as far as their behaviour takes place within the UK.

The first three elements were met without too much discussion, finding that Clearview is a controller for creating, developing, maintaining and indexing the database of images, as well as a joint controller with its customers for matching images to search results used by clients. As for the fourth element, the Tribunal commented that the language “monitoring” implies that an element of targeting and intentionality is required and suggests that a controller has in mind a specific purpose for the collection and reuse of the relevant data about an individual’s behaviour. While “behaviour” is not defined, the Tribunal found that the word “behaviour” indicates something more than simply being alive, and goes beyond mere identification or descriptive terms, to also include where they are, what they are doing, who they associate with, what they are holding or carrying, and what they are wearing.

Following an analysis of Clearview’s service, the Tribunal concluded that Clearview’s clients are “monitoring the behaviour” of those who appear in the images because they are seeking to identify facts about the individuals who appear in the images. The Tribunal was satisfied that Clearview’s processing was “related to” the monitoring carried out by its clients, because the clients’ monitoring couldn’t take place without Clearview’s processing, and the service itself enabled the monitoring of behaviour carried out by Clearview’s clients to take place.

As to whether the processing was in the course of an activity that fell outside of the scope of EU law, the Tribunal was satisfied with the evidence tendered by Clearview that the service was only provided to non-UK/EU law enforcement or national security bodies and their contractors. The Tribunal noted that the territorial scope of Article 3 GDPR is constructed in such a way that if the criteria are satisfied (as the Tribunal found), the GDPR will be engaged and the remaining provisions applicable to the processing of the data concerned. Conversely, the material scope of Article 2(2) GDPR sets out types of processing to which the GDPR does not apply (specifically activities which fall outside of the scope of EU law) excluding processing that would otherwise be caught by the territorial scope of the GDPR.

Accordingly, the Tribunal found that Clearview’s pre-Brexit processing was in the course of an activity, which fell within the territorial scope of the EU GDPR based on Article 3(2)(b), but nevertheless fell outside of the material scope of the EU GDPR because the activities of non-UK/EU law enforcement or national security bodies and their contractors fall outside the material scope.

As regards to the post-Brexit processing, the Tribunal noted that Article 3(2A) UK GDPR states that the Regulation will not apply to processing in the course of an activity that, immediately before the Brexit transition completion day, fell outside the scope of EU law. Since the Tribunal found the pre-Brexit processing was outside the material scope of the EU GDPR and therefore not “relevant processing” under the territorial scope of UK GDPR, post-Brexit processing would not be within the scope of the UK GDPR because the material scope provision is disapplied.

ICO permission to appeal

The ICO welcomed the Tribunal’s judgment noting that even if a company is not established in the UK, it is subject to UK data protection law that is related to the monitoring of people living in the UK.

However, the ICO considers that the Tribunal incorrectly interpreted the law when finding Clearview’s processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The ICO’s view is that Clearview itself was not processing for foreign law enforcement purposes, but rather was a commercial enterprise offering access and analysis of digital images of UK people. Accordingly, the ICO argues Clearview should not be shielded from the scope of UK law on that basis.

Takeaways

It is important to note that the Tribunal’s decision was very fact specific to Clearview as an organisation; a similar organisation processing data in a similar way may find themselves within the scope of the UK GDPR by being caught by the territorial scope provisions.

The UK GDPR still has extra-territorial scope to issue fines to non-UK organisations; however, there are specific exemptions that may or may not apply depending on the processing activities taking place, e.g. processing for law enforcement purposes. Organisations operating outside of the UK should maintain an ongoing assessment of what processing activities are taking place both by themselves, and any clients that use their data.

Contributed by Helen Bourne, partner and Harriet Davies, senior associate, at Clyde & Co

Helen Bourne, partner and Harriet Davies, senior associate, at Clyde & CoFebruary 12, 2024

AI, data protection and the extraterritorial effect of the UK GDPR

Read Next

A different look for data protection litigation

Securing access to critical metals – AIG Global Trade Series

Using technology to reduce the renewal burden

Our future skies – with AIG

Multinational insights with AIG

A different look for data protection litigation

Securing access to critical metals – AIG Global Trade Series

Using technology to reduce the renewal burden

Our future skies – with AIG

Multinational insights with AIG

Read Next

A different look for data protection litigation

Securing access to critical metals – AIG Global Trade Series

Using technology to reduce the renewal burden

Our future skies – with AIG

Multinational insights with AIG

Related Articles