PogoWasRight.org


UK Upper Tribunal hands down judgment on Clearview AI Inc

Posted on October 9, 2025 by Dissent

The Upper Tribunal (UT) has handed down its judgment in the UK Information Commissioner’s appeal against the First-tier Tribunal (FTT) decision on Clearview AI Inc (Clearview).

In May 2022, the Commissioner fined US-based company Clearview £7.5m and issued an enforcement notice for scraping images of UK residents from the web and social media, and then uploading them into its global online database that could be used for facial recognition by any Clearview customer. The company not only enables identification of those people, but monitors their behaviour, offering it as a commercial service.

Clearview appealed the fine and enforcement notice to the FTT, with the ICO appealing the FTT’s decision to the UT.

In October 2025, the UT upheld three of the Commissioner’s four grounds of appeal, concluding that:

  • Clearview’s processing of personal information is related to monitoring of behaviour of UK residents.
  • Clearview’s processing does not fall outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement and government agencies.
  • The FTT applied the law incorrectly in finding that Clearview’s processing of personal information was outside the material scope of the UK GDPR under Article 2(1)(a)*.

The Commissioner welcomes the UT decision, as it clarifies the material and territorial scope provisions of the UK GDPR. The ruling reaffirms that companies that wish to monitor the behaviour of UK residents will be in scope of UK data protection law, regardless of where the company is based in the world.

John Edwards, UK Information Commissioner, said:

“The UT’s decision has upheld our ability to protect UK residents from having their data, including images, unlawfully scraped and then used in a global online database without their knowledge.

“The ruling also gives greater confidence to people in the UK that we can and will act on their behalf, regardless of where the company handling their personal information is based. It is essential that foreign organisations are held accountable when their technologies impact the information rights and freedoms of individuals in the UK.”

The UT’s decision is legally binding and will guide future cases involving similar jurisdictional questions.

The UT directed that this case should be sent back to the FTT to determine the substantive appeal on the basis that the Commissioner had jurisdiction to issue the monetary penalty notice and enforcement notice.

Clearview can seek permission to appeal the UT’s decision.

Notes to editors

*UK GDPR Article 2(1)(a) establishes that the UK GDPR doesn’t apply to activities that were already outside the scope of the original EU data protection law.

Source: Information Commissioner’s Office


Category: Artificial Intelligence, Breaches, Business, Non-U.S., Online
