Share this
By Dr Asress Adimi Gikay, bpp
20 Feb 2025
In his latest EUobserver article, ‘What is the EU doing on AI facial-scraping recognition – and is it enough?’, Dr Asress Adimi Gikay examines the activities of facial recognition tech firms that scrape images from the web in violation of data privacy laws.
Below, we publish a summary of the EUobserver piece, originally published here. You can also read the full article, available in open access here: What is EU doing on AI facial-scraping recognition — and is it enough?
The ICO sanctioned Clearview AI in 2022 for indiscriminately scraping photos and metadata of UK residents, but this was overturned by the First-Tier Tribunal. Clearview AI argued that it falls outside the ICO’s jurisdiction because (a) it does not process personal data of UK residents in connection with behavioural monitoring, and (b) even if it does, its provision of services to foreign law enforcement and intelligence agencies excludes it from UK GDPR’s scope.
The ICO, correctly concluded that both the creation of facial recognition profiles (indexing) and the subsequent use of the database to identify individuals constitute behavioural monitoring. However, the First-Tier Tribunal ruled that the creation of the profiles alone does not qualify as behavioural monitoring. Per the ruling, the automated generation of biometric profiles, even when paired with metadata, does not reveal anything about the subject’s behaviour. While it acknowledged that subsequent use of the database could involve behavioural monitoring, the Tribunal maintained that the ICO lacks jurisdiction, as UK GDPR does not apply to activities of foreign government agencies.
In contrast, the French Data Protection Authority takes a broader view. It considers behavioural monitoring to include profiling techniques that assess personal aspects such as preferences, behaviour, or location. Under this interpretation, creating the biometric facial profiles itself constitutes behavioural monitoring. EU authorities don’t consider the end users of the database(gov't agencies) to be relevant to determining their jurisdictions. This approach seems more reasonable.
While the First-Tier-Tribunal’s analysis of case law was commendable, its interpretation of the UK GDPR’s provisions on behavioural monitoring is flawed. It disregards the contextual meaning of monitoring in the UK GDPR [recital 24 and article 4(4)], that include profiling, which Clear View's activity is.
The GDPR’s exclusion of foreign government activities was not designed to allow commercial firms to bypass compliance by posing as foreign government agencies. The principle behind this is gov'ts don't bind other gov'ts through their domestic laws.
As a quick fix, the UK should extend GDPR to cover foreign firms conducting scraping in the UK, regardless of whether behavioural monitoring is involved, making it irrelevant the service may be offered to foreign governments.
Read the full article: What is EU doing on AI facial-scraping recognition — and is it enough?