UK tribunal fundamentally wrong on Clearview
On 17 October 2023, the UK First-Tier Tribunal (General Regulatory Chamber) (hereafter: “the FTT”) held that prior to the completion of the Brexit implementation period on 31 December 2020 (“IP completion day”) – until when the EU General Data Protection Regulation (EU GDPR) still applied in the UK – the use of the surveillance system offered by the US company Clearview by non-UK law enforcement and intelligence agencies constituted “an activity which, immediately before IP completion day, fell outside the scope of EU law”, and thus also outside the EU GDPR (para 154); and that after that date, when the modified UK GDPR applied, it was also outside the scope of the latter instrument (para. 156) – in spite of the fact that the FTT also held that the system was also, “inevitably”, used to monitor the behaviour of UK residents (para. 103).
Below, at 2, I summarise the Clearview system and its uses (which are described in some detail in the decision itself, to which I therefore simply cross-refer). At 3, I look at the reason why the FTT came to this conclusion, and show that that conclusion is actually fundamentally flawed. I provide some final comments at 4.
As they apply the “foreign government” principle, it amounts to saying that the activities of a private company fall out of scope of DP law (and EU law) entirely if its clients are foreign governments. That cannot be right.
I am surprised the FTT did not consider case law such as Latvijas Republikas Saeima C-439/19 (see 62ff) where it is quite clear that the exclusion in A2(2)(a) is restricted to the protection of national security (or similar activities) by States (i.e. by member states). This is post-Brexit, but it builds on some fairly clear pre-existing EU law and the FTT should have at least had regard to it (and for that matter recital 16).