The UK’s data protection authority has lodged an appeal against a tribunal ruling that found it did not have the power to take enforcement action against facial recognition software developer Clearview AI.

Clearview AI scrapes images and biometric data from the internet. Its service allows its customers, which include law enforcement agencies, to upload their own images to see if they return a match against the images on Clearview AI’s database.

The Information Commissioner’s Office (ICO) fined Clearview AI more than £7.5 million in May 2022, and further ordered the company to stop obtaining and using the personal data of people in the UK sourced from the public internet, and to delete the data it has already gathered of UK residents from its systems too.

The ICO took the action following a joint investigation conducted with its Australian counterpart, the Office of the Australian Information Commissioner (OAIC). It considered the company was responsible for a series of data protection failings, including rules on fair and lawful processing of personal data, and on the retention of such data.

However, in October this year, Clearview AI successfully appealed against the ICO’s enforcement action before the UK’s information rights tribunal, on jurisdictional grounds. The ICO has now announced that it has raised an appeal against the tribunal’s decision.

The ICO said: “The ruling makes clear that even if a company is not established in the UK, it is subject to UK data protection law that is related to the monitoring of people living in the UK. As such, where Clearview provides its services commercially, it will be subject to the ICO's jurisdiction.”

“The commissioner considers the tribunal incorrectly interpreted the law when finding Clearview’s processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The commissioner's view is that Clearview itself was not processing for foreign law enforcement purposes and should not be shielded from the scope of UK law on that basis,” it said.

Emily Cox of Pinsent Masons said it is unsurprising that the ICO has sought leave to appeal given the potential implications of facial recognition technology.

“The regulator will want absolute clarity as to an interpretation of GDPR which allows a commercial enterprise to benefit from an exemption for the law enforcement agencies which it serves,” Cox said. “It will also be conscious of the divergent regulatory outcome thus far when compared with other jurisdictions in the EU.”

Data protection authorities in France, Italy and Greece have all issued fines against Clearview AI.

We are processing your request. \n Thank you for your patience. An error occurred. This could be due to inactivity on the page - please try again.