Australia: Upper Tribunal determined Clearview AI’s processing of UK residents’ personal data fell within scope of UK GDPR and confirmed ICO’s authority to issue penalties

On 6 October 2025, the Upper Tribunal (UT) ruled that Clearview AI’s processing of UK residents’ personal data fell within the scope of the UK GDPR and confirmed the Information Commissioner’s Office (ICO) authority to issue the monetary penalty and enforcement notices. The case arose after the ICO fined Clearview GBP 7.5 million and issued an Enforcement Notice in May 2022 for scraping images of UK residents from the internet and social media, uploading them to a global facial recognition database, and offering monitoring services commercially. Clearview appealed to the FTT, which in 2023 ruled that the ICO had acted outside its jurisdiction, holding that the processing did not constitute “relevant processing” under the UK General Data Protection Regulation (UK GDPR). The ICO challenged that finding, renewing its application to the UT in October 2024. In its October 2025 ruling, the UT upheld three of the ICO’s four grounds of appeal, concluding that Clearview’s processing of personal information related to monitoring UK residents, that it was not excluded from UK GDPR solely because services were provided to foreign law enforcement or government agencies, and that the FTT had applied the law incorrectly in finding the processing outside the material scope of Article 2(1)(a) UK GDPR. The UT confirmed that the ICO had jurisdiction to issue the Monetary Penalty Notice and Enforcement Notice, remitted the case to the FTT for substantive determination, and noted that Clearview may seek permission to appeal.