UK tribunal agrees with Clearview AI – Brit data regulator has no jurisdiction

A British tribunal yesterday ruled US selfie-scraper Clearview AI would not have to pay a £7.5 million ($9 million) privacy fine. The tribunal held that the Information Commissioner's Office (ICO), the UK's data regulator, didn't have the authority to fine Clearview, which scours the public web to collect images upon which it …

  1. cookieMonster Silver badge
    WTF?

    LOL

    Useless

    1. very angry man

      Re: LOL

      merkier prints money , buracautes the world over take money, sheepeople belive merkier is great and govt is good.

      thinking people laugh or cry depending on how deep the depresion is.

      1. LybsterRoy Silver badge

        Re: LOL

        Downvoted because you haven't used English or American - not sure what language it is.

        1. Sir Sham Cad

          Re: LOL

          Pretty sure that's the output of an LLM trained entirely on Twatter.

  2. Dan 55 Silver badge
    Flame

    The tribunal has just kneecapped UK-GDPR

    The original GDPR where the UK-GDPR came from applies to businesses wherever they are dealing with data from data subjects resident in the EU.

    CPRA applies to businesses wherever they are dealing with data from data subjects resident in California.

    The First-tier Tribunal (Information Rights) has just confirmed that if you take someone's data, store it outside the UK, and it ends up leaking or commercialised without your consent, nothing's going to happen.

    Just in time for Palantir to slurp up NHS data and do what they like with it.

    1. Helcat Silver badge

      Re: The tribunal has just kneecapped UK-GDPR

      You're missing a few points:

      If the data is obtained in the UK but stored outside of the UK, the entity doing so has to comply with GDPR for keeping the data secure and for its usage (same as with EU data).

      If the data was obtained and stored in the UK, it can only be transferred outside of the UK under the same conditions: Must be GDPR compliant.

      If the data was obtained from outside the UK - then UK law doesn't apply.

      For the latter, I do mean where people have volunteered their data to sites outside the UK. That seems to be what the tribunal referred to when mentioning there was a legitimate reason for non-UK organisations to hold data on UK citizens and that would not be protected by UK law. An example: Data collected by US border control on UK citizens visiting the US. But NHS data collected in the UK is very much protected by GDPR.

      1. Dan 55 Silver badge

        Re: The tribunal has just kneecapped UK-GDPR

        The law applies because the biometric data belongs to "data subjects" resident in the UK. In the original GDPR:

        Article 3, 2) This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

        The UK-GDPR version reads like this:

        Article 3, 2) This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to: a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom.

        Similar. However the UK has this as well:

        2A. In paragraph 2, “relevant processing of personal data” means processing to which this Regulation applies, other than processing described in Article 2(1)(a) or (b) or (1A).

        If we look at Article 2 1) we find it clarifies what happens before and after Brexit day and if we look at 1A) it seems to clarify that public bodies using manual filing systems fall within scope of UK-GDPR.

        So clearly it doesn't matter where this data was collected, it matters where the data subjects are resident. Presumably originally to stop big tech arguing that data collection happens outside the EU.

        NHS data is within UK-GDPR but this judgement has just affirmed that if that data is processed by a company outside the UK then the UK's jurisdiction doesn't apply. However when reading Article 3 2) it seems pretty clear that the ICO's jurisdiction does apply and there are ways for laws to be applied abroad through international agreements, one of my posts further down mentions one way this can be done.

        1. Handlebars

          Re: The tribunal has just kneecapped UK-GDPR

          If we are thinking of palantir/Fedra then the law of contract applies independently of ico/gdpr.

          I've no great confidence in the department of health/nhse to get that watertight though

          1. Jimmy2Cows Silver badge

            Re: the law of contract applies independently of ico/gdpr

            That's just wrong. Contracts cannot override national laws. Contracts that try to do so are legally non-binding.

        2. Andy The Hat Silver badge

          Re: The tribunal has just kneecapped UK-GDPR

          I don't believe your final comment is correct. As I read the opinion of the Judges, if the data is being used by non-UK governments and/or for the purposes of law enforcement it does not fall under the remit of GDPR. Only if it's trawled by a commercial company is it subject to GDPR.

          Once the data has been used for "law enforcement" or "governmental" purposes it is not clear whether it's free rein time and the data can be passed to all and sundry as the database presumably belongs to the governmental organisation that legally trawled it.

          The FBI, CIA, NSA and Russian, Israeli and Chinese equivalents are all smiling at the wiggly contents of an open can ...

  3. Szymon Kosecki

    watershed moment for data slurping corpo machine

    jeez, this is bad... our judiciary is either very inept technologically or ...well you know what I was going to say....

  4. Anonymous Coward

    So the way for the UK Government to spy on its subjects

    is to outsource its surveillance to a US corporate?

    1. Yet Another Anonymous coward Silver badge

      Re: So the way for the UK Government to spy on its subjects

      No, the government gets to ignore the law anyway. This is a way for UK companies / local authorities / some bloke down the pub - to spy on UK subjects by just using a website in Jersey

    2. Helcat Silver badge

      Re: So the way for the UK Government to spy on its subjects

      They already do. And the US outsources spying on its own citizens to other countries in return.

      1. Roland6 Silver badge

        Re: So the way for the UK Government to spy on its subjects

        I had always thought this arms length spying on their own citizens was at the heart of the “special relationship”.

      2. Anonymous Coward

        Re: So the way for the UK Government to spy on its subjects

        Alice Springs.

  5. Anonymous Coward

    lol

    did anyone think that rules are designed to help the little people and plebs.

    All laws are written in ways that benefit the rich and powerful.

    All punishment is much higher for small crimes of the poor.

    the rich just buy their way out.

    1. Eclectic Man Silver badge

      Re: lol

      AC: "All laws are written in ways that benefit the rich and powerful."

      Not entirely true, one of Tony Blair's biggest regrets (no I'm not discussing the invasion of Iraq) was the Freedom of Information Act, which allowed us plebs, but mostly annoying journalists, to obtain government information and then have the temerity to ask questions about why things were not as 'the people' had been told.

      Every now and then a piece of legislation which actually benefits 'the people' gets through. That Magna Carta* set a dangerous precedent about diluting the absolute power of the Monarchy here in the UK, but don't hold your breath for the next one.

      * JOKE ALERT: "Did she die in vain?" Hancock's Half Hour, BBC radio comedy

  6. Doctor Syntax Silver badge

    Did nobody here read the report? They rely on the law enforcement exception for law enforcement that is part of GDPR. Whether they are correct in doing so might, I suppose, be challenged if it gets appealed.

    1. Dan 55 Silver badge

      Odd then, that France has repeatedly fined them over the same issue.

      Also, Palantir could cite the same defence and sell DNA data from their NHS slurp to US law/intelligence agencies and all that's going to happen is a bunch of judges in a tribunal in deepest darkest London will just shrug.

      1. LybsterRoy Silver badge

        I've just had a read of the article on techcrunch. This bit

        -- “The CNIL is questioning the way in which personal data is collected by the company, i.e. without any legal basis, by sucking up publicly accessible photographs on the Internet in order to feed its tool,” the spokesperson added. --

        I find interesting. If it's publicly accessible on the internet doesn't that mean that they can be accessing them from the US without being in the EU at all? Also whilst IANAL doesn't the fact that they are publicly accessible mean that anyone can access them? Not sure about being allowed to process them but the amount of junk mail (before the advent of spam) I used to get to my publicly accessible address indicates someone somewhere was processing somehow.

        To my IANAL eyes it looks like France thinking it can get some easy money.

        1. Dan 55 Silver badge

          "I find interesting. If it's publicly accessible on the internet doesn't that mean that they can be accessing them from the US without being in the EU at all?"

          It doesn't matter, they're processing biometric data of people resident in France and selling it on, and not allowing subject access rights.

          "To my IANAL eyes it looks like France thinking it can get some easy money."

          As well as Italy, Greece, the UK (before this nonsense judgement), Australia, Canada...?

      2. theblackhand

        France have fined Clearview and Clearview have not paid as France has no jurisdiction to impose the fine until Clearview either has an entity within French territory or a French entity starts working with them.

        I would argue this is the difference between how the French and English feel laws should be interpreted rather than a failing of data protection laws when there is no jurisdiction.

        1. Dan 55 Silver badge

          The belief that "they're from abroad therefore we have no jurisdiction" is absolutely wrong. There are tried and tested ways to cooperate internationally, including bringing a case to the federal courts in the US and as there is the almost-similar CCPA now, there is little reason to reject a case just because the GDPR is from abroad.

          1. Anonymous Coward

            Just send a Red Notice to Interpol for the board of directors of that company...

          2. Anonymous Coward

            Sorry for late response.

            What you say is true in theory. It is unlikely to be tested in reality as arguing for extradition would likely amount to "no laws were broken in the defender's home country and the defendant has never entered the country where they will be prosecuted"

            The counter-examples would be attempted extortion from corrupt countries. Not suggesting that France are corrupt, just the ease at which foreign countries' laws can be ignored.

            Let's see if France ever gets any money from Clearview but I expect the UK and French responses are practically identical.

    2. TheMaskedMan Silver badge

      "Did nobody here read the report?"

      Apparently not. I'm not particularly familiar with the gdpr, but I have to say the finding is a bit disappointing. I would have assumed (probably without justification) that any law enforcement exemption would have applied in a much more focused manner - say, to suspects, witnesses, victims and other persons of interest to a specific investigation. I would not have thought that it permitted a random company to scoop up vast swathes of personal data belonging to people who have no connection to investigations, on the basis that it might be useful one day to their law enforcement clients. As a reason for processing / retaining personal data, that seems ridiculously broad and permissive.

      Still, there doesn't seem to be much we can do about it for the moment, short of stocking masks at all times. It's time someone came up with a way of preventing facial recognition from working on any given image, though I'm buggered if I know how that could be done.

      1. LybsterRoy Silver badge

        I find it an interesting philosophical question. If a company based in the US uses a bot to scrape websites that are public and they do it from the US and the site is a .co.uk then no matter where it's hosted are they scraping from the US, the UK or where the physical host is?

        1. Ken Hagan Gold badge

          Substitute "Iran" for the "UK" and ask yourself whether a US citizen would be happy to be subject to Iranian law.

          I think it makes a huge difference that the data could be scraped from the US rather than having to be scraped in the UK and then transferred.

          1. Dan 55 Silver badge

            It doesn't matter where the data is scraped from, all that matters is who the data belongs to and where they're resident, to try and stop the kind of handwaving that Clearview is engaging in and the judges appear to be entertaining.

        2. TheMaskedMan Silver badge

          "are they scraping from the US, the UK or where the physical host is?"

          Hmmm. I would guess that the location of the scraped material is irrelevant for these purposes. The bot, wherever it lives, is controlled by the US company - scraping doesn't happen until the company sets it running. Therefore, scraping happens in the US, for the duration of the bot's activity.

          Imagine that the company created a website, hosting it in, say, Australia. The content of the site is illegal in the US, but not in Australia. Will US law enforcement bods come calling at the company? You bet they will! Of course, that could get you into complex arguments about when and where publication occurs - is it when the company uploads the content, or when someone views it? - but the company is going to be in hot water.

          With respect to the GDPR matter, it's not so much the scraping that bothers me - it's public information, after all - as the subsequent retention and processing. Grabbing and storing personal information on the off chance that it might be useful to their client one day doesn't seem proportionate to me. Presumably, their law-enforcing clients will be hoping to identify villains by searching the retained data, yet there is every chance that most of the data subjects will never commit a crime, and if they do it won't be within the jurisdiction of the client, so most of that retained data is being kept on very flimsy grounds.

          1. Roland6 Silver badge

            "is it when the company uploads the content, or when someone views it?"

            There doesn’t seem to be a single solution.

            My view would be if the website is registered as being UK owned or domiciled according to either its domain name (.uk) or domain registration (.com etc operated by UK entity) then to access it you are effectively doing the online equivalent of walking down the street and looking into someone’s real world UK located property.

            1. Ken Hagan Gold badge

              My view would be that if your ".uk" domain allows clients in the US free access to the content then you can't hold them to UK law any more than they can hold you to US law.

    3. doublelayer Silver badge

      We read it. Maybe the reason we don't entirely buy that is that Clearview AI is not law enforcement. It may sell some stuff to law enforcement, but what it is is a commercial company that uses the data it collects (illegally) for profit. That's commercial use, no matter what end the product is used for. For the same reason, I can't open a camera factory and claim that, because the police used my camera when they needed to surveil a criminal, that I'm now exempt from laws because I'm law enforcement. Every other law would agree; my camera factory wouldn't get to avoid paying tax because I'm part of the government. My camera factory would not get to ignore local regulations because I work with a higher level of government. Clearview isn't granted any special treatment by the United States government, so to be granted that from the UK is stupid.

    4. Roland6 Silver badge

      Agree the real issue is whether Clearview offering a service to say Oz law enforcement - so Clearview are both the service operators and data owners, is the same as Oz law enforcement running the same system “on prem” and thus wholly within their control. I suggest not, and thus the tribunal have got it wrong.

      1. Alan Brown Silver badge

        If it goes to an actual court it will be reassessed and likely by much sharper legal minds

        Tribunals are not the end of the line by any stretch of the imagination

    5. skwdenyer

      How does the firm invoke the Law Enforcement exemption? They’re not processing data as agents of foreign law enforcement agencies. They are processing data as a private company, that then (for now) offers services only to foreign (and maybe domestic) law enforcement agencies.

      The database doesn’t “belong” to those foreign law enforcement agencies.

      Did the ICO have especially poor lawyers on this one?

  7. Arthur the cat Silver badge

    If the server can identify the scraping bot

    replace all images with goatse.

    1. Ken Moorhouse Silver badge

      Re: replace all images with goatse.

      That will be a bit of a stretch.

      1. Roland6 Silver badge

        Re: replace all images with goatse.

        You are not kidding

  8. Strahd Ivarius Silver badge
    Facepalm

    How to get away with the UK-GDPR

    So if you want to be able to scrape data with full impunity, for the sole usage of your company, you just have to say that you'll provide it commercially to law-enforcement agencies only?
