In a recent decision on the UK GDPR’s global scope, the Upper Tribunal in The Information Commissioner v Clearview AI Incorporated and Privacy International [2025] UKUT 319 (AAC) confirmed that the UK’s data protection regime can extend well beyond its borders.
The Tribunal overturned the earlier First-tier decision and confirmed that the Information Commissioner’s Office (ICO)does have jurisdiction over US-based Clearview AI, whose facial recognition database includes billions of images scraped from the open internet, including many of UK residents.
Why it matters
This decision reaffirms that the UK GDPR follows the data, not the business location. Even if an organisation has no establishment, clients or servers in the UK, it may still fall within scope if it processes personal data relating to people in the UK.
The Tribunal found that Clearview’s large-scale scraping and profiling of UK individuals constituted “monitoring of behaviour” under Article 3(2)(b) UK GDPR, rejecting the company’s argument that only its law enforcement clients engaged in such monitoring.
Key takeaways
- Monitoring of behaviour can include automated data collection (such as web crawlers), even without active human tracking.
- Foreign state exemptions under Article 2(2)(a) are narrowly construed. Private companies cannot claim them unless genuinely acting on behalf of a state authority.
- The ICO’s enforcement powers extend globally, enabling enforcement against non-UK entities that handle personal data of UK residents.
- The ruling highlights that the UK GDPR’s reach is indeed “all singing and all dancing”, in the Tribunal’s words, leaving little room for jurisdictional escape.
- Whilst this blog focuses on the UK GDPR, the EU GDPR contains broadly similar provisions.
Practical implications for global businesses
This judgment sends a clear warning: geography alone offers no shield from regulatory scrutiny. Organisations processing UK (or EU) personal data, including through AI, biometric tools or large-scale data aggregation, must assess whether their operations involve or affect UK (or EU) data subjects, even indirectly. If so, they must have:
- a lawful basis for processing under GDPR;
- robust data protection impact assessments; and
- appropriate privacy governance and transparency measures.
Final thoughts
The Clearview decision cements the expansive extraterritorial reach of UK data protection law. For tech companies and service providers worldwide, it underscores a simple message: if your technology touches UK personal data, UK regulators are within reach.
If your organisation operates internationally or uses AI-driven data analytics, now is the time to revisit your GDPR and AI compliance strategies.
