Data privacy digest series
In the latest edition of our Data Privacy Digest series, we look at some recent case law and ICO enforcement actions that impact the way that we assess and manage the risk of personal data.
Scope of the UK GDPR - controversial AI company wins appeal.
In 2022 the Information Commissioner's Office (ICO) ruled that Clearview AI (Clearview) (a US based tech company) had breached the UK GDPR by storing facial images of UK citizens for use in facial recognition technology. Clearview was fined £7.5m and ordered to delete personal data of UK citizens held by Clearview.
Clearview challenged this decision on the basis that the ICO did not have jurisdiction to levy the fine. In October 2023, Clearview's appeal was successful, and the UK General Regulatory Chamber’s First-tier Tribunal (FTT) overturned the ICO's fine.
What does this mean for non-UK based organisations and the risks of enforcement by the ICO?
Background
Clearview's business is maintaining a database of images of faces (along with the related URLs), sourced simply by downloading them from internet sites (also known as 'scraping'). This controversial database contains billions of images and is reported to be growing at around 75 million images per day. Clearview's clients can upload an image of a face and match it against the Clearview database. Clearview then supplies links to where this match can be found online so the client can identify the individual.
Despite holding images of data subjects based in the UK (although the exact number is impossible to estimate), in its ruling the FTT concluded that Clearview's activities fell outside the scope of the UK GDPR because the processing of personal data related to the law enforcement activities of foreign governments and agencies.
The judgment
In summary, the ICO had based its original decision on the fact that the UK GDPR governs the processing of personal data of data subjects in the UK by a controller or processor not established in the UK where the processing activities are related to monitoring the behaviour of UK data subjects. The ICO's position was therefore that Clearview enabled its clients to monitor the behaviour of UK data subjects, that this processing was caught by the UK GDPR, and that this gave the ICO jurisdiction to take enforcement action against Clearview.
In its appeal to the FTT, Clearview contested this. It argued that it was a US company providing services to foreign clients purely for the public interest activities of foreign governments and government agencies, in particular in relation to "their national security and criminal law enforcement functions". This was the crucial point, as it would mean that Clearview fell outside the UK GDPR and could rely on the exemption in the Data Protection Act 2018.
Clearview successfully argued this. It produced evidence that all of its clients carried out criminal law enforcement/national security functions and used the service only for those functions. The ICO tried to argue that Clearview also had private sector clients but failed to provide compelling evidence.
Comment
Given the use of controversial facial recognition technology and the potential for the images of millions of UK based individuals to be contained in Clearview's huge database, this judgment is particularly important and may be seen as a 'get out' for other non-UK entities, drastically reducing the territorial reach of the UK GDPR. However, whilst this judgment may give other private technology companies the ability to use UK citizens' personal data with no checks and balances as long as they are "acting for" foreign governments or similar agencies, it does not affect the general territorial scope of the UK GDPR.
The key takeaway is that Clearview escaped enforcement purely because it could demonstrate that the sole use of the personal data was in relation to national security / law enforcement. This ruling does not change the position for all other entities who are monitoring, or providing goods and services to, data subjects in the UK. Accordingly, non-UK organisations must, of course, still carefully consider the application of the UK GDPR and the associated enforcement risks.
Updated guidance on Data Subject Access Requests (DSARs)
In the recent case of Harrison v Cameron, the High Court has given us useful guidance on dealing with third party rights, which can sometimes be tricky to navigate in the context of DSARs.
The Court also made observations on the question of what amounts to processing personal data for 'domestic' purposes and on the issue of whether a director of a company is a joint controller of the personal data with that company. Whilst interesting, neither point provided anything new in terms of developing the case law on these issues, but given the tabloid-worthy subject matter of the case, these points will reach a wider audience than the average case on data protection issues.
Background
This case involved a highly contentious dispute between a landscape gardener and a former client of that landscape gardener. The claimant (a Mr Harrison) had hired the landscape gardening company (the Company) to carry out work at his property, and a Mr Cameron was a director of the Company. Importantly, Mr Harrison is a director of a property development company.
In short, Mr Harrison and Mr Cameron fell out over the work being done to Mr Harrison's garden and matters turned very sour indeed. During the course of the dispute, Mr Cameron secretly recorded two telephone conversations with Mr Harrison. These conversations included statements that Mr Cameron claimed were of a threatening nature. Indeed, the Court ruled in its judgment that Mr Harrison's behaviour was seriously and persistently menacing and that he had resorted to threats of violence to intimidate Mr Cameron.
In light of the type of statements Mr Harrison made, Mr Cameron shared them with numerous people, including employees, friends and family. Possibly unsurprisingly, and also crucially, the recordings spread around uncontrollably. The content of Mr Harrison's threats became known within the property development world and, accordingly, Mr Harrison claimed that this had led to his business losing opportunities.
As part of the very bitter dispute, Mr Harrison made DSARs against both Mr Cameron personally and the Company. He wanted to know who the recordings had been sent to. Both Mr Cameron and the Company refused to provide these details, relying on Article 15.4 of the UK GDPR (in relation to the rights of third parties). Mr Harrison's solicitors had written to at least 23 employees (directing DSARs to each of them individually) and, even after Mr Cameron's solicitors had asked them to desist (on the basis that the Company was the sole controller), they continued to make threats against a number of employees. Notably, Mr Harrison's solicitors did not just write to individuals connected to the Company but had also written to a friend of Mr Cameron (and godmother to one of his children) making similar allegations.
The judgment
Whilst Mr Cameron's solicitors had tried to argue that the matter was not caught by the UK GDPR because the recording of Mr Harrison had been for domestic purposes only (and therefore fell outside the UK GDPR and the Data Protection Act 2018), the Judge did not agree. It was held that the recordings clearly related to the breakdown of a business relationship (and were therefore not domestic). However, the Court did agree that Mr Cameron was not a joint controller of Mr Harrison's personal data. Following previous case law on the same point, the Court stated that he was not a controller, as he was acting in his capacity as a director of the Company. The Company was the sole controller.
It was in relation to the rights of third parties that the Court made more interesting observations. The Court confirmed that Article 15 of the UK GDPR requires a controller to specifically disclose the identities of the recipients of any personal data (and that it is not adequate to state only the categories of recipients). However, given the actions of Mr Harrison (and then the later threats made by his solicitors), the Court agreed that there were concerns for the welfare and wellbeing of the relevant individuals and therefore held that the refusal to disclose the identities of those who had been sent the recordings was not a breach of Article 15 of the UK GDPR.
Comment
The case serves as an important reminder that the UK GDPR requires controllers to provide specific details of the recipients of personal data, not just broad categories (which are often provided instead), and that those specific details can only be withheld if exemptions are correctly applied. Whilst that was clearly the case here given Mr Harrison's behaviour, a broad-brush approach cannot be taken.
There is a lesson for the legal profession too when acting on a client's wishes, as it is worth noting that the Judge was seemingly unimpressed with the way Mr Harrison's solicitors had conducted the matter (although noting it was on his instructions) and called the DSAR letters to "at least" 23 employees of the Company "intimidating and unwarranted".
Recent enforcement action by the ICO
The dangers of not BCCing
Central YMCA was given a fine of £7,500 (along with being reprimanded) after it sent an email to individuals participating in a programme for people living with HIV using “CC” rather than “BCC”.
Because CC was used, all 166 recipients could be identified (or potentially identified) by every other recipient, and given the subject matter of the email it could then be inferred that these individuals were probably living with HIV. The ICO had considered imposing a much bigger fine of £300,000, given the serious nature of the incident; however, in light of the remedial steps taken by Central YMCA, it decided that the smaller fine of £7,500 was more appropriate.
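As an added illustration (not part of the digest or of any ICO material) of the technical control that prevents this kind of disclosure, the Python below is a pre-send guard a sending script or mail gateway could apply: if more than one address is visible in To/Cc, every recipient is moved to Bcc so that nobody receiving the message can see who else received it. The addresses are constructed examples.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def build_sample():
    """Constructed example of the risky pattern: every participant placed in Cc."""
    msg = EmailMessage()
    msg["From"] = "programme@example.org"
    msg["To"] = "programme@example.org"
    msg["Cc"] = "alice@example.com, bob@example.com, carol@example.com"
    msg["Subject"] = "Programme update"
    msg.set_content("Hello all, the next session is on Thursday.")
    return msg


def _addresses(msg, header):
    # getaddresses() splits comma-separated lists and strips display names.
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipients(msg):
    """Addresses every recipient can read from the To and Cc headers."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def hidden_recipients(msg):
    """Addresses in Bcc, which the sending server removes before delivery."""
    return _addresses(msg, "Bcc")


def enforce_bcc(msg, max_visible=1):
    """Outbound guard: if more than max_visible distinct addresses (excluding the
    sender) are visible in To/Cc, move them all to Bcc and leave only the sender
    in To. Returns (msg, moved), where moved lists the addresses that were hidden."""
    sender = _addresses(msg, "From")[0]
    exposed = [a for a in dict.fromkeys(visible_recipients(msg)) if a != sender]
    if len(exposed) <= max_visible:
        return msg, []
    bcc = list(dict.fromkeys(hidden_recipients(msg) + exposed))
    # del removes every occurrence of the header, so no visible copy survives.
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    msg["To"] = sender
    msg["Bcc"] = ", ".join(bcc)
    return msg, exposed
```

A gateway rule of this shape would have rewritten the Central YMCA message before it left the organisation; the threshold can be raised for genuine small-group correspondence where recipients are expected to see each other.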