Last year’s UK court decision involving Clearview AI, the US-based facial recognition company, has sparked widespread comment in the data protection community. Clearview AI, which collects billions of images to build a vast facial recognition database, was previously fined over £7.5 million by the UK’s Information Commissioner’s Office (ICO) for allegedly violating UK data protection laws. The ICO argued that Clearview AI had processed images of UK residents without their consent, raising serious privacy concerns. However, Clearview AI challenged the fine, and the case has since become a touch point for understanding how UK data protection laws can apply to overseas companies.
At the heart of the dispute was whether the UK General Data Protection Regulation (UK GDPR) applies to companies like Clearview AI that are based outside the UK and provide their services as part of foreign law enforcement activities. Clearview AI maintained that its activities fell outside the reach of UK law because it did not offer services to or monitor UK data subjects itself, nor did it process data in the context of a UK establishment. The company’s clients were exclusively foreign law enforcement bodies, so it argued that UK GDPR should not apply to its operations.
Initially, in 2023 the UK’s Information Rights Tribunal sided with Clearview AI, concluding that the company’s activities were outside the scope of UK GDPR. The Tribunal found that Clearview AI’s processing was for law enforcement purposes by non-UK authorities, and therefore, UK data protection law did not apply. This decision was significant because it appeared to limit the ability of UK regulators to enforce data protection rules against overseas companies, even when those companies process data relating to UK residents.
However, the ICO appealed the Tribunal’s decision, and the case was reconsidered. In a significant development, the Upper Tribunal overturned the earlier ruling, clarifying that UK GDPR can apply to overseas companies if their processing activities are “related to” the offering of goods or services to individuals in the UK, or to the monitoring of their behaviour within the UK.
The Upper Tribunal found that Clearview AI’s collection and processing of images from UK-based individuals played a significant role in the monitoring of the behaviour of individuals in the UK. This meant that Clearview AI was subject to UK data protection law, regardless of the fact that it was not carrying out such monitoring itself, merely facilitating it. Neither was it relevant that Clearview’s clients were overseas law enforcement and government agencies.
The Upper Tribunal rejected the First-tier Tribunal’s narrow reading of “material scope” of the UK GDPR, clarifying that the law’s security-related exclusions apply only to activities reserved for Member States, not to private companies merely serving foreign authorities. The case, which was sent back to the First-tier Tribunal to determine the appeal, clarifies an important point on UK data protection law. It signals that this law can apply to an overseas company that processes the personal data of UK residents for its own commercial purposes, even if it does not directly sell to or monitor UK customers. The ruling also confirms that “behavioural monitoring” encompasses both active and passive automated data-collecting and profiling, without requiring “’watchfulness’ in the sense of human involvement”. This is particularly important with new and emerging technologies such as facial recognition and increasingly sophisticated artificial intelligence tools, where data is often scraped and processed across borders.
In December 2025, the Upper Tribunal granted Clearview AI to appeal its decision to the Court of Appeal, so the case has not yet reached its final conclusion. However, for companies without a presence in the UK, the judgment is a reminder that they should not simply assume that UK data protection law does not apply if they do not monitor or sell to the UK themselves. They should assess whether their behaviours may be “related to” such activities done by others. For individuals, the case is a reminder of the challenges posed by the global flow of personal data. While the ruling arguably strengthens protections for UK residents, it also illustrates the complexity of enforcing privacy rights in a connected world.
Katie Hewson is a partner and head of data protection, and Alison Llewellyn a senior knowledge lawyer, at Stephenson Harwood LLP.
The post Guest post: Clearview AI’s UK ruling – What it means for overseas data controllers appeared first on Legal IT Insider.