The UK Upper Tribunal’s decision on 07 October 2025 in ICO v Clearview AI marks a pivotal moment in the evolution of data protection enforcement. While the case concerns a U.S.-based facial recognition company with no UK establishment, its implications extend far beyond Clearview itself. At its core, the judgment reinforces a central regulatory message: GDPR’s territorial reach is wide, its interpretation is purposive, and enforcement appetite is very real, even for organisations operating entirely outside Europe.

For global organisations that rely on large-scale data collection, AI-driven analytics, or data supplied to third parties, this decision should prompt a reassessment of long-held assumptions about jurisdiction, behavioural monitoring, and regulatory exposure.

Background

Clearview AI is a Delaware-based company that scraped billions of facial images from the public internet, including images of UK residents. It provided facial recognition services to law enforcement and national security agencies outside the UK and EU, enabling them to upload images and receive matches from its database.

In 2022, the ICO fined Clearview £7.55 million and ordered it to stop processing UK residents’ data. Clearview appealed and initially won before the First-tier Tribunal (FTT), which ruled that the processing was outside the scope of the GDPR.

In October 2025, the Upper Tribunal overturned that decision. It held that Clearview’s activities were firmly within the material and territorial scope of the GDPR, even though Clearview was not established in the UK and even though its clients were foreign state bodies. In doing so, the Tribunal aligned the UK position with the approach already taken by multiple EU supervisory authorities, including those in France, the Netherlands, Italy, Austria and Hamburg.

Behavioural monitoring is a broader concept than many expect

Perhaps the most significant aspect of the decision is the Tribunal’s interpretation of “behavioural monitoring” under Article 3(2)(b) GDPR.

Clearview argued for a narrow understanding of monitoring, one that would require active observation, human involvement, or direct decision-making. The Upper Tribunal firmly rejected this approach. Instead, it adopted a functional and technology-aware interpretation, holding that behavioural monitoring can include:

  • passive, automated collection of personal data
  • classification, sorting and storage of data
  • processing carried out with a view to potential future profiling or analysis
  • processing intended to enable behavioural monitoring by a third party

Crucially, the Tribunal confirmed that actual use of the data is not required. It is sufficient that the data is collected and made available for behavioural monitoring should the need arise. This interpretation is particularly relevant for organisations that collect personal data to train AI models, develop analytics capabilities, or support downstream use by clients or partners.

Suppliers are not shielded by their customers’ activities

Another important takeaway is the Tribunal’s rejection of arguments based on “comity of nations” and national security exemptions.

Clearview contended that regulating a private contractor supplying services to foreign law enforcement would amount to impermissible interference with sovereign state activity. The Tribunal disagreed, holding that private companies do not automatically inherit the immunity of their state clients, even where services relate to law enforcement or national security.

This finding has direct implications for technology vendors, AI providers, data analytics firms, and other suppliers whose services support sensitive public-sector functions. Being one step removed from the end use does not remove GDPR obligations where personal data processing is concerned.

A reaffirmation of GDPR’s global reach

Taken together, the Clearview decision reinforces three core principles that organisations should not ignore:

  • GDPR’s territorial scope is deliberately expansive. Organisations outside the UK or EU can still be subject to enforcement where their processing relates to the monitoring of individuals’ behaviour in those jurisdictions
  • Behavioural monitoring is interpreted broadly, reflecting modern data practices rather than analogue concepts of surveillance. Passive data collection and preparatory processing can be enough to trigger scope
  • Regulators are willing to pursue enforcement against non-domestic organisations, particularly where processing is large-scale, intrusive, or enabled by advanced technologies such as AI

The ICO has been explicit in its response to the judgment, welcoming a decision that clarifies that organisations wishing to monitor the behaviour of UK residents will be in scope of UK data protection law regardless of where they are based.

What organisations should be doing now

For organisations operating globally, the Clearview decision should act as a catalyst for reassessing risk exposure. Organisations should be:

  • reviewing whether any processing activities, including passive data collection, model training, or data aggregation, could be characterised as behavioural monitoring of UK or EU individuals
  • reassessing assumptions about jurisdiction, particularly where data is collected for potential future use or supplied to third parties
  • mapping data flows and purposes more rigorously, ensuring that the intended and potential downstream uses of data are clearly understood and documented
  • evaluating whether existing governance frameworks adequately address AI-driven and large-scale data processing risks
  • ensuring that accountability measures, DPIAs and documentation would withstand regulatory scrutiny if challenged

The role of the DPO in navigating an expanding scope

As interpretations of GDPR scope continue to evolve, the DPO function plays a critical role in helping organisations adapt without over-correcting or under-estimating risk.

A well-embedded DPO function helps organisations identify where processing activities may unexpectedly fall within scope, particularly in relation to AI, analytics and third-party data sharing. The DPO also supports risk-based decision-making by guiding DPIAs, advising on lawful bases, and ensuring governance measures reflect both current enforcement trends and future regulatory direction.

Importantly, the DPO acts as a bridge between legal interpretation and operational reality, helping organisations demonstrate accountability, evidence compliance, and respond credibly to regulators when jurisdictional questions arise.

Looking ahead

The recent Clearview decision is not the end of the story. Further appeals may follow, and the substantive GDPR issues in the case remain to be determined. But the jurisdictional message is already clear. For organisations operating at the intersection of AI, data analytics and digital services, this is the clearest signal yet that privacy risk has become a global board-level issue, and that the era of “out-of-scope by default” is over.

At HewardMills, we support organisations as an external, independent DPO, helping them assess regulatory exposure, strengthen governance frameworks, and respond confidently to evolving enforcement expectations. If your organisation is reassessing its GDPR risk posture in light of recent decisions, our team is here to help. Get in touch today.