In October 2025, the UK’s Upper Tribunal (UT) delivered a landmark decision in The Information Commissioner v Clearview AI Incorporated [2025] UKUT 319 (AAC), allowing the ICO’s appeal against an earlier ruling of the First-tier Tribunal (FTT). The appeal concerned whether UK data protection law could apply to a company based outside of the UK that collected and used personal data of UK residents.
The case arose after the ICO investigated Clearview AI, a U.S. facial recognition company, that scraped billions of images from publicly accessible websites and created a searchable database used primarily by law enforcement agencies.
When the investigation began, the EU GDPR was still in force in the UK. Following the end of the Brexit transition period, it was replaced by the UK GDPR. The ICO found that Clearview’s activities fell within the scope of both regimes – the EU GDPR for processing carried out before December 2020 and the UK GDPR for processing after that date.
The three-judge UT panel considered the proper interpretation of these data protection laws in the context of a company with no physical presence in the UK. For the purposes of this blog, we refer to both EU GDPR and UK GDPR collectively as the ‘GDPR.’
In this blog, we explain the background to the case, set out the legal framework, summarise the UT’s findings and highlight the practical implications for UK-based organisations and international data processors.
Background
Clearview AI offers facial recognition technology that allows clients to upload a photo of an unknown individual and receive matches from a database of images scraped from public websites, including social media. The ICO took action against Clearview in 2022 after concluding that the company was unlawfully processing images of people in the UK. Clearview was ordered to stop collecting the personal data of UK data subjects, delete existing records and issued a £7.5 million fine.
Clearview appealed, arguing that GDPR did not apply. It claimed its services were used exclusively by foreign law enforcement and national security bodies – activities it said were outside the scope. Clearview also denied engaging in any ‘monitoring’ of individuals in the UK, which would be necessary to trigger GDPR’s reach over overseas companies.
In 2023, the FTT agreed with Clearview on the first point, ruling that its activities were exempt from the GDPR because they supported foreign state functions. The ICO challenged that interpretation and the matter was brought before the UT.
Legal background
To understand the UT’s findings in the section below, it is important to look at two key parts of the GDPR: what kinds of activities it covers (material scope) and who it applies to (territorial scope).
Material scope refers to the types of data processing the law covers. The GDPR generally applies to any use of personal data, but it makes exceptions for a few specific areas. One important exception is processing done for national security or criminal law enforcement by governments. These kinds of activities are treated as outside the reach of data protection. However, this exception usually applies only to state bodies like police or intelligence services – not to private companies.
Territorial scope covers where and to whom the law applies. The GDPR does not just apply to UK-based companies. It can also apply to foreign organisations if they either offer services to people in the UK or monitor their behaviour. Monitoring can include profiling, analysing or collecting data about individuals’ actions online.
In this case, Clearview argued that its work supported foreign law enforcement and national security and was therefore excluded from GDPR. It also said that it did not monitor people – it just collected publicly available images. The ICO disagreed. It said Clearview was a private company compiling huge volumes of personal data about UK individuals and making the data available for profiling and identification. The UT had to decide whether these actions brought Clearview within the reach of GDPR.
The UT’s findings
The UT overturned the FTT’s decision. The UT also clarified how the law should be interpreted on both the material and territorial scope questions:
1. Material scope
The UT firmly rejected Clearview’s argument that Clearview’s processing was exempt from GDPR due to its connection with foreign law enforcement. The judges emphasised that the phrase ‘activity which falls outside the scope of Union law’ in Article 2(2)(a) GDPR has a very narrow meaning. It refers to those core state activities by EU member states (like national security or criminal justice) which the EU treaties leave to national governments. It does not refer to anything and everything a private party might do that involves government functions.
The UT noted that GDPR is not concerned with regulating activities of foreign states, it is about protecting individuals’ data in relation to the organisations that process it. In this case, Clearview AI is a private, commercial company. Even if its clients are government agencies engaged in national security, Clearview’s own acts of scraping, analysing and selling personal data are distinct, commercial processing activities that do not become ‘state functions’ just by association.
The UT used a helpful analogy. Clearview’s role is no more merged with its clients’ state functions than that of any ordinary supplier supplying services to a government. In other words, providing a service that a law enforcement body uses does not transform Clearview into an arm of the state carrying out core state business – Clearview remains a separate data controller bound by normal data protection law.
The UT also addressed the international comity argument – the idea that one country’s laws should not intrude on another’s sovereign acts. Clearview argued that applying GDPR to its operations would interfere with foreign states’ sovereignty, since its services intersect with those state’s security operations. The UT found no legal basis for this. There is no principle of law granting a private company immunity from regulation simply because it supplies a foreign government. Clearview was not acting as a law enforcement authority or as an agent of a foreign state’s sovereign power. It was an independent contractor offering a product globally for profit. Accordingly, concerns of comity did not exempt it from complying with data protection law.
In short, the UT held that Article 2(2)(a)’s exclusion did not apply to Clearview’s activities. The FTT had erred by effectively conflating Clearview’s processing with that of its clients. Although the foreign agencies’ own use of the data might fall outside the GDPR (for example, if FBI in the US uses personal data for national security, EU/UK law would not govern the FBI’s activities), Clearview’s collection and sale of UK individuals’ data falls squarely within the GDPR’s scope. Thus, the ICO can regulate Clearview’s handling of that data. This resolved the material scope issue in the ICO’s favour.
2. Territorial scope – ‘monitoring of behaviour’ (Article 3(2)(b) GDPR)
The UT also examined whether Clearview’s operations amounted to the ‘monitoring of the behaviour’ of data subjects in the UK, which would bring an overseas company within the scope of the GDPR. The UT adopted a broad interpretation of ‘behavioural monitoring,’ consistent with the GDPR’s purpose of addressing large-scale, automated data collection and profiling practices that characterise modern digital technologies.
Importantly, the UT made it clear that ‘monitoring’ is not limited to active tracking of individuals by humans, nor does it require evidence that people are being targeted with individualised analysis in real time. Even passive, automated collection and analysis of personal data can constitute monitoring if it is carried out with the intention of profiling individuals or using that data to learn about them.
The UT explicitly said that monitoring ‘encompass[es] passive collection, sorting, classification and storing of data by automated means with a view to potential subsequent use…of personal data processing techniques which consist of profiling a natural person. Behavioural monitoring does not require an element of active ‘watchfulness’ in the sense of human involvement.’
This captures what Clearview was doing – sweeping up people’s photos from across the internet and processing them into a database that can later reveal information about an individual (for example, where their image appeared or potentially linking it to their social media profiles). It is a form of profiling, even if Clearview itself is not directly following one individual’s every move day to day.
The UT agreed with the FTT’s finding that there was a ‘close connection’ between Clearview’s data processing and the monitoring of individuals’ behaviour by its clients in the UK. From the UT’s perspective, Clearview’s creation and maintenance of its facial recognition database was ‘related to’ the monitoring carried out by end users.
Article 3(2) provides that the GDPR applies to processing activities related to the offering of goods or services or monitoring of behaviour in the UK, and the UT held that this provision should be interpreted broadly. It covers not only a company that directly monitors individuals, but also one whose involvement forms an integral part of another party’s monitoring.
Even if Clearview was not carrying out the monitoring itself, it was providing the tools and data without which UK law enforcement clients could not have monitored individuals in the same way. That nexus was sufficient to bring Clearview under GDPR’s territorial scope.
Finally, the UT concluded that Clearview AI was itself engaging in behaviour monitoring of UK residents by compiling their images and personal information from across the internet. The company’s assertion that it was only collecting ‘public’ images and not really observing behaviour did not persuade the court. Gathering and analysing person’s publicly shared photographs can reveal patterns of that person’s life or behaviour (for instance, where they tend to go or who the associate with), especially when done at the scale. It is exactly the kind of activity – large-scale automated profiling – that the GDPR’s framers had in mind to regulate.
Whether on the ground of being related to its clients’ monitoring or through its own direct profiling, Clearview’s UK-linked processing falls under Article 3(2)(b). The UT explicitly concluded that Clearview’s processing of personal information was related to the monitoring of the behaviour of UK residents. The fact that Clearview is based in the United States is irrelevant – if an organisation monitors people in the UK, UK law will treat it as subject to its jurisdiction.
Outcome and conclusion
As a result of the above findings, the UT allowed the ICO’s appeal. It set aside the FTT’s previous decision and confirmed that the ICO has jurisdiction to enforce data protection law against Clearview AI. The case has been sent back to a new First-tier Tribunal panel to decide whether Clearview did in fact violate the law and whether the £7.5 million fine and enforcement notice should be upheld, now that the jurisdiction is no longer in doubt. The UT did not itself rule on the merits of the underlying GDPR breaches.
However, the UT’s legal determinations effectively clear the path for the ICO to hold Clearview accountable. Barring any successful appeal by Clearview, the message is that Clearview will face scrutiny under UK law for its treatment of UK citizens’ data.
The UT’s decision is binding and will serve as an important precedent for future cases about the extraterritorial application of data protection rules. It sends a strong message that if a company anywhere in the world harvests personal data from people in the UK or tracks them online, UK regulators can step in to protect those individuals’ privacy.
The ICO welcomed the UT’s decision, saying it ‘upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge’ and that it ‘gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal data is based.’
How EM Law can help
Our team advises organisations on data protection compliance and AI governance. We regularly support clients with drafting data sharing agreements, reviewing contracts with international tech suppliers and navigating cross-border data transfers under the UK GDPR.
Whether your business is exploring AI-powered tools or scraping technologies, we can help assess the risk and advise on compliance. We also assist with Data Protection Impact Assessments (DPIAs), ICO engagement and crafting practical internal policies.
If you are unsure whether your current data practices meet legal standards or if you are dealing with overseas providers – get in touch. You can contact us here or speak directly with our data protection and AI specialists, Neil Williamson or Colin Lambertus. We are here to support you.
