It was also ordered to cease processing images and related data of UK individuals, and refrain from offering its services to UK customers without first carrying out a data protection impact assessment and providing a copy to the Information Commissioner.
Clearview had collected (or "scraped") images from the web and social media sites.
It then allowed law enforcement to check for matches with their own images, and see the link to the website from which Clearview had obtained the image. This allowed Clearview's customers to learn information about the identity, attributes, location, movements and behaviour of the matched individuals.
What was particularly interesting about this decision was not that the ICO would fine a company for failing to meet transparency, retention and lawfulness requirements, but the ICO's interpretation of the GDPR and UK GDPR's territorial scope provisions (the relevant facts overlapping Brexit).
In particular, the ICO took a broad view on whether the processing activities of Clearview (a US company with no presence in the EU or UK) are "related to" the monitoring of a UK data subject's behaviour within the UK and thus subject to EU/UK law.
Is the processing "related to" monitoring?
As a brief reminder, one way in which the (UK) GDPR may apply to non-EEA/UK established companies is where the processing activities "are related to" the monitoring of data subjects' behaviour as far as their behaviour takes place within the EEA/UK.
Those familiar with the EDPB's 2019 guidelines on territorial scope may have understood Art 3(2)(b) to focus on analysing or predicting a data subject's behaviour through activities such as behavioural advertising, personalised health analytics and geolocation. Recital 24 also refers to profiling "in order to take decisions". Clearview argued it wasn't doing anything of the sort – rather, any monitoring was undertaken by its customers.
The ICO found this to be irrelevant. Even though it was Clearview's customers, rather than Clearview itself, that were conducting the analysis and taking decisions about individuals, Clearview's processing was, by collecting the images into the database and providing them to its customers, "related to" the monitoring activities undertaken by those customers. Clearview's own activities were therefore subject to the GDPR.
This is a step further than the examples given by the EDPB's guidelines which focus on a non-EEA/UK processor becoming subject to Art 3(2) when acting on the instructions of the "monitoring" controller. The difference here was that Clearview was a controller.
To cap it all off, the ICO showed that it was unwilling to allow an organisation established outside of the jurisdiction to "evade effective regulatory scrutiny" by basing itself in a jurisdiction with lower protections for individuals.
What does this mean?
Controllers (and also processors) based outside of the EU and UK should take stock: they may no longer be able to hide behind the "but it's my customer that's doing the monitoring" excuse.
For controllers, this could have consequences for core GDPR responsibilities, such as giving notice to data subjects, implementing retention periods and allowing data subjects to exercise their rights.
Notably, it will also have a knock-on effect for data transfers, since, as the EDPB (un)helpfully reminded us in its recent Q&A, the new EU SCCs are not designed for use by organisations that are directly subject to the GDPR.
Definitely one for us all to keep an eye on...