AI Regulation Tracker / Court ruling
UK Upper Tribunal Confirms ICO Jurisdiction Over Foreign Facial-Recognition Scrapers
The Upper Tribunal ruled that the UK data regulator can enforce against a wholly overseas company that scraped UK residents' facial data. It is an important jurisdiction test for whether US biometric-AI vendors fall under UK law.
The UK's Upper Tribunal has confirmed that the Information Commissioner's Office can enforce data-protection law against a company that operates wholly outside the United Kingdom, provided that company processes the personal data of people who are in the UK. The ruling, handed down in October 2025 in the ICO's appeal in the Clearview AI Inc matter, is not fresh news. It matters because it is the jurisdiction test that decides whether a US facial-recognition vendor answers to a British regulator at all.
What the tribunal actually decided
The case turned on a narrow but decisive question: does the ICO have jurisdiction under UK GDPR over Clearview, given that the company scraped billions of publicly available images, including those of UK residents, and processed them entirely abroad to serve foreign clients? The Upper Tribunal answered yes. It upheld three of the Commissioner's four grounds of appeal and found that Clearview's activity is caught by the "monitoring of behaviour" limb of the extraterritorial reach in UK GDPR.
That reverses the First-tier Tribunal, which had earlier concluded that the ICO could not act because Clearview's clients were foreign law-enforcement and national-security bodies. The higher tribunal took a broader view of what monitoring means. It held that behavioural monitoring can include the passive collection, classification, sorting, and storage of data by automated means, done with a view to potential later use, including use by a different controller applying profiling techniques. In plain terms, building and holding the database can itself amount to monitoring, even before anyone runs a search.
The underlying enforcement that this protects
The jurisdiction fight sits on top of the ICO's original action. In 2022 the Commissioner issued Clearview an enforcement notice and a monetary penalty reported at about 7.5 million pounds, on the basis that scraping UK residents' facial images into a searchable biometric database breached UK data-protection duties. Clearview appealed, the First-tier Tribunal set the action aside on jurisdiction grounds, and the ICO appealed that up to the Upper Tribunal. The October 2025 result reinstates the regulator's ability to pursue the penalty and the notice.
Professionals should note the exact fine figure against the ICO's own record before repeating it, and treat the amount as the reported penalty rather than a settled recovery.
What it does not do
The ruling decides jurisdiction, not the final merits. The Upper Tribunal returned the case to the First-tier Tribunal to determine the substantive appeal on the footing that the ICO did have jurisdiction to issue both the penalty notice and the enforcement notice. So this is a green light for enforcement, not the last word on whether every element of the original penalty stands. It also does not create a new statutory duty. It interprets the existing territorial-scope provisions of UK GDPR and applies them to automated biometric processing.
Why a US professional should read it
For a US facial-recognition or biometric-AI vendor, the practical message is direct. A business model that keeps servers, staff, and customers outside the UK does not, by itself, place the company beyond the ICO's reach when the data belongs to people in the UK. The decision also gives UK buyers a reason to push harder in procurement, because a foreign supplier's offshore posture is no longer a clean answer to a lawful-basis or fairness question. The wider signal is that the UK reads "behavioural monitoring" expansively for AI systems that ingest and profile people at scale, which is the operating pattern of most facial-recognition products.
The safest reading for any organization touching biometric data of UK residents is to assume UK law can apply, and to hold a documented lawful basis, a fairness assessment, and special-category safeguards ready before deployment rather than after a complaint.
Frequently Asked Questions
What changed with the October 2025 Clearview ruling?
The Upper Tribunal held that the ICO has jurisdiction under UK GDPR over Clearview AI even though the company processes data wholly outside the UK, reversing an earlier tribunal decision and sending the substantive case back to be decided on that basis.
Who does this affect?
Facial-recognition and biometric-AI vendors that scrape or process images of people in the UK, and the UK firms, agencies, and enterprises that buy or deploy those tools.
Is this binding law?
It is a court ruling on jurisdiction, not a new statute. It authoritatively interprets the territorial-scope and behavioural-monitoring provisions of UK GDPR and clears the ICO to proceed with its enforcement notice and penalty.
Does a US company avoid the ICO by keeping all processing abroad?
No. The tribunal found that processing UK residents' data offshore does not remove the ICO's jurisdiction where the activity amounts to monitoring the behaviour of people in the UK.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.