General Data Protection Regulation Fine ... Overturned!

In a surprising turn of events, on Oct. 18 a First-tier Tribunal in the U.K. overturned a fine previously issued by the U.K. Information Commissioner’s Office (ICO) against facial recognition company Clearview AI for failing to comply with the principles of the General Data Protection Regulation (GDPR), lacking a lawful basis to process personal data, and unlawful processing of special category and biometric data.

Clearview successfully argued that ICO has no authority over Clearview’s data processing practices, or to fine Clearview for such practices despite some of the processed data belonging to U.K. residents. The Tribunal agreed with Clearview on the basis that Clearview is only providing its facial recognition services to law enforcement and government agencies based outside the U.K., and that the GDPR does not allow ICO to interfere with the policies and operations of other governments. Interestingly, processing of personal data by U.S. agencies was a point of central topic in the Schrems II case (which invalidated the Privacy Shield) and in the debate over whether to grant the United States an adequacy, and is now serving as Clearview’s saving grace.

While having an extra £7.5M is certainly a win for venture-backed Clearview, the greater victory is its ability to continue operating its business, matching images of faces to a database of images collected from the internet, and thanks to this recent decision from the tribunal, even though such a business model triggers the U.K. GDPR when it involves images of U.K. residents, Clearview has little to fear from ICO as long as it is doing such processing on behalf of its law enforcement and other government agent customers. It appears Clearview’s decision in May of 2022 to limit the sale of its software may have cost a short-term decrease in revenue, but yielded a more compliant and resilient business model, from a data privacy perspective.

This resiliency in business model could further improve if Clearview is able to successfully argue on appeal that the similar fines it has been issued in France (because the EU and U.K. versions of the GDPR are identical) and elsewhere should be overturned on the same basis, giving Clearview the keys to unlock a similar freedom to operate in the European Union and elsewhere.  

With the future of artificial intelligence seeming uncertain overseas, Clearview’s success in the U.K. could serve as the blueprint for the ideal customer base (government actors of the U.S. and perhaps other jurisdictions) for AI companies to pursue/target to avoid massive and systemic fines outside of the United States.