It is in the news that Clearview AI has won an appeal against the UK Information Commissioner's Office (ICO). The reasons for judgment are here: Clearview AI Inc v The Information Commissioner [2023] UKFTT 819 (GRC). It was ruled that the the ICO "did not have jurisdiction" to take enforcement action or issue a fine.
What rules is the decision based on? If the government wanted to change this, could they by changing national laws or is this a question of international law?
The conclusion reached in this case was not general to all cases on the Internet. As explained in Paragraph 97 of the opinion, the attempt to impose sanctions for privacy violations was invalid because the territorial scope of the EU and UK privacy laws, by their own terms, didn't apply in this case, stating:
“Was the processing in the course of an activity that falls/fell outside the scope of EU (Union) law?”
We have concluded that if the answer is yes then either
a. GDPR Article 2(2)(a) disapplies the Regulation, taking the processing beyond the material scope of the Regulation (GDPR), or
b. In UK GDPR by application of the definition of “relevant processing” in Article 3(2A), the fifth element (as we have called it in paragraph 77) within Article 3(2) UK GDPR will not be satisfied and the processing will be beyond the scope of the Regulation (UK GDPR).
The followup question asked is:
If the government wanted to change this, could they by changing national laws or is this a question of international law?
The government of the U.K. could change this because, post-Brexit, it is a question of national law.
It's worth noting that there are actually several jurisdictional issues at play here: 1. the jurisdiction of the UKFTT to hear the case, and 2. the jurisdiction of the ICO to act in the way that it did. Both of these bodies are statutory creations: the FTT was created by the Tribunals, Courts and Enforcement Act 2007 and the ICO by the Data Protection Act 2018. Both are Acts of the UK Parliament assented to by the Sovereign, who collectively have jurisdiction to make law for the UK under the Constitution of the UK. This is the 3rd jurisdictional issue, albeit an uncontroversial one.
The UKFTT has jurisdiction to hear appeals from the decisions of the ICO because that is a power explicitly given to it by the legislation, so that's easy.
The ICO is an arm of executive government, and, like all executive actions, it must conduct its operations within the law, that is, within the jurisdiction granted to it by historical common law or by statute. As a creature of statute, there is little or no common law power to be considered, so it can only do things that it is legislatively empowered to do.
In this particular case, it is empowered to issue fines for breaches of the Data Protection Act 2018. This is uncontroversial and was not an issue in the case.
What was at issue was the 4th jurisdictional issue: that of the scope of the Data Protection Act 2018. The Act defines the entities and activities to which it applies - the jurisdiction of the Act itself. The FTT found that Clearview AI was not captured by that jurisdiction and that they couldn't have breached the Act since it did not apply to them.
The case had nothing to do with the Internet; it had to do with the scope of a particular Act of Parliament - who it covered and who it didn't. There are literally hundreds of pieces of legislation and they all define their own scope: for example, the Illegal Migration Act 2023 is unlikely to have any effect on you if you never leave the country and the Equipment Theft (Prevention) Act 2023 won't affect people who don't steal equipment (probably, I didn't read them).
