Data Scraping & GDPR — UK Upper Tribunal Confirms ICO Jurisdiction over Clearview AI (October 2025)
The UK Upper Tribunal (Administrative Appeals Chamber) has handed down judgment in The Information Commissioner’s Office v Clearview AI Inc ([2025] UKUT 319 (AAC)), a major decision for organisations that scrape or reuse online data for analytics or AI training, and for rights-holders seeking to protect their content.
Official sources (public links)
- Upper Tribunal judgment page on GOV.UK (Find Case Law)
- ICO news release – “UK Upper Tribunal hands down judgment on Clearview AI Inc” (8 Oct 2025)
- Full judgment PDF (hosted by ICO)
- 11KBW analysis of territorial/material scope
Background & procedural history
Clearview scraped billions of facial images from public websites and social media to build a facial-recognition database. In 2022 the ICO issued a Monetary Penalty Notice and Enforcement Notice. The First-tier Tribunal (Information Rights) later held that the ICO lacked jurisdiction because Clearview’s services were aimed at foreign law-enforcement bodies. The ICO appealed. On 6 October 2025, the Upper Tribunal allowed the ICO’s appeal and remitted the case to the FTT to consider the merits in light of the UT’s findings.
Key holdings (plain English)
- Territorial scope: Processing that relates to monitoring UK residents’ behaviour can bring a foreign controller within the UK GDPR (Art. 3(2)(b)), even if end-users are overseas.
- Material scope: Processing is not excluded merely because clients are law-enforcement bodies abroad; the FTT’s contrary view was an error of law.
- Jurisdiction: The ICO did have jurisdiction to issue its 2022 enforcement and penalty notices; the case returns to the FTT on substance.
- Biometrics: Facial images/vectors are special-category data, demanding heightened compliance controls.
What this means — actions for PAIL® clients
| Stakeholder | Recommended actions |
|---|---|
| Content owners & media brands | Deploy bot-management and TOU clauses that prohibit scraping/AI-training reuse; monitor and enforce. Consider database-right and contract claims alongside data-protection strategy. |
| AI/data teams using scraped datasets | Run GDPR-first assessments (lawful basis, transparency, minimisation, DPIA, special-category handling). Check site terms/licensing—“publicly available” is not a defence. |
| Cross-border operations | Map territorial scope where UK/EU residents may be monitored. Include robust provenance warranties/indemnities in vendor contracts. |
| Governance & record-keeping | Maintain data-mapping and audit trails; document necessity/proportionality and technical safeguards for biometric/special-category data. |
For tailored advice on scraping, AI training datasets, or enforcement strategy, contact:
Peter Adediran — IP, Digital Media and Commercial Lawyer, PAIL Solicitors Limited
📞 0207 305 7491 ✉️ peter@pailsolicitors.co.uk 🌐 pailsolicitors.co.uk
Our digital technology lawyer advises on AI governance, SaaS licensing, software development, and data-driven innovation agreements.