On 17 October 2023, the UK First-Tier Tribunal (General Regulatory Chamber) (hereafter: “the FTT”) held that prior to the completion of the Brexit implementation period on 31 December 2020 (“IP completion day”) – until when the EU General Data Protection Regulation (EU GDPR) still applied in the UK – the use of the surveillance system offered by the US company Clearview by non-UK law enforcement and intelligence agencies constituted “an activity which, immediately before IP completion day, fell outside the scope of EU law”, and thus also outside the EU GDPR (para 154); and that after that date, when the modified UK GDPR applied, it was also outside the scope of the latter instrument (para. 156) – in spite of the fact that the FTT also held that the system was also, “inevitably”, used to monitor the behaviour of UK residents (para. 103).
Below, at 2, I summarise the Clearview system and its uses (which are described in some detail in the decision itself, to which I therefore simply cross-refer). At 3, I look at the reason why the FTT came to this conclusion, and show that that conclusion is actually fundamentally flawed. I provide some final comments at 4.