In the past two years, most recently on May 10, 2023, when the Austrian Datenschutzbehörde issued its decision, supervisory authorities in several European countries declared the processing of personal data by the company Clearview AI to be contrary to the GDPR. To determine whether GDPR applied to the processing of personal data by the company based in the United States, the authorities had to interpret the concepts of “monitoring”, “tracking”, and “profiling”.
This blog post explores how the recent Clearview decisions interpreted “monitoring”, “tracking”, and “profiling”, as that interpretation may impact future application of those concepts in other contexts.
How Clearview AI processes personal data
Clearview AI has created a gigantic database with billions of images and related metadata and URLs, all “scraped” from the internet, including from social media websites. A customer of Clearview AI – as a rule a law enforcement agency – uploads an image of a suspect in a criminal investigation, or an image showing an individual taking part in apparent criminal activity. Clearview AI compares the uploaded image with the Clearview database to effectuate facial recognition based on the reference image. The customer receives a list with thumbnail search results, with a link in each case to the URL where the image from the Clearview database appears online. The customer may decide to examine the URLs for those images.
“Related to” monitoring sufficient to trigger the application of GDPR
The decisions of the supervisory authorities in the UK, France, Greece, Italy, and Austria have in common the conclusion that the activity of Clearview is “related to” the “monitoring of the data subjects’ behaviour in the Union”, and that GDPR applies to Clearview on that basis.
Under Article 3.2(b) of the GDPR, a controller or processor not established in the European Union does not have to carry out the monitoring of the data subjects’ behaviour in the Union for the Regulation to apply. It suffices, for the applicability of the GDPR, that the processing by the controller or processor is related to the monitoring of the behaviour in the Union.
Who does the monitoring? Amorphous concepts lead to divergent views
On the specific question of what amounts to “monitoring” of the data subjects, and who conducts it, the UK supervisory authority (ICO) seems to have parted ways with the supervisory authorities in Italy (Garante) and France (CNIL). ICO explicitly states that monitoring is done by Clearview AI’s customer, whereas Garante and CNIL, although not explicit in their assessment, appear to consider the activity of Clearview AI itself to amount to monitoring.
The difference may be a result of the lack of clarity as to the meaning of “monitoring”, “tracking”, and “profiling” in the operative provisions and recitals of the GDPR. A recital in the GDPR describes “monitoring” via the notion of “tracking” which, however, is not defined. GDPR defines “profiling”, but in a situation in which more than one actor is involved it might be unclear who carries out the profiling and how that reflects on the meaning of “monitoring”.
According to recital 24 of the GDPR,
“In order to determine whether a processing activity can be considered to monitor the behaviour of data subjects, it should be ascertained whether natural persons are tracked on the internet including potential subsequent use of personal data processing techniques which consist of profiling a natural person, particularly in order to take decisions concerning her or him or for analysing or predicting her or his personal preferences, behaviours and attitudes.”
“Profiling”, the only term of the three that is defined (in Article 4 of the GDPR), is
“any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements”.
A search results in the creation of a “profile”, but who does the profiling?
It is not in dispute that the use of Clearview AI software entails the profiling of data subjects located in the European Union. It is less clear, however, who carries out the profiling.
As explained by CNIL and by the Greek supervisory authority, when the customer carries out a Clearview search by uploading an image, the result of the search is a profile of the behaviour of the given individual. That profile consists of four segments: all the photographs, collected by the company, with a biometric template sufficiently close to the uploaded image; the URL address of all the web pages on which these photographs are located; metadata (such as geolocation metadata) which may be contained in the photographs or videos; and information about the behaviour of the data subject (primarily the level of exposure that they wish to give to elements of their private or professional life).
Clearview AI argued that its software does not evaluate, judge, or predict the behaviour of data subjects, and that Clearview AI therefore does not carry out profiling. To the extent any identification of characteristics of present or future behaviour of a data subject takes place, such identification is done by the customer (the law enforcement agency) which uses the information from third-party sources for that purpose.
According to the Italian Garante, both Clearview AI and its customers independently carry out the profiling. Clearview AI profiles the data subjects when the customer carries out the search and Clearview AI extracts the result. The biometric comparison activity that occurs at that point of the process amounts to an evaluation and it “belongs to Clearview”, as Garante put it. The customer may conduct further evaluation, based on the results of the biometric comparison. Further profiling is carried out by the customer.
CNIL is not explicit about who carries out the profiling, and how that reflects on who carries out the monitoring. A sentence from CNIL’s decision of 17 October 2022 does not offer a response, even though it employs the two concepts in the same sentence (in paragraph 40):
“[T]he fact that an ad hoc search makes it possible, at any time, to access an individual’s profile as described above should be considered as monitoring the behaviour of individuals.”
According to the ICO, monitoring is done by Clearview AI’s customers. ICO does not break down the concept of “monitoring” into the building blocks – “tracking” and “profiling” – but it can only be concluded from ICO’s pronouncement that it is Clearview AI that carries out the profiling. ICO mentions the words “tracked” and “profiling” in passing but leaves them out completely from the substantive analysis. Instead, ICO explicitly states that, by seeking to match the uploaded images with the images in the Clearview database, customers are monitoring the behaviour of the individuals who appear in both sets of images (Enforcement Notice of 18 May 2022, paragraphs 49-50). As for Clearview AI, its processing of the personal data – the creation, development and maintenance of the Clearview Database, the matching of the uploaded image against the Clearview database, and the provision of search results to Clearview AI’s customers – is related to the monitoring that is carried out by the customers (ibid.).
“Tracking”: Done by Clearview AI, according to CNIL and (arguably) Garante
Garante and CNIL used substantially the same argument to conclude that the activity of Clearview AI, contrary to the claim of the company, constitutes tracking on the internet.
According to Clearview AI, the word tracking must be understood in the sense that an individual is followed over time. Clearview AI’s software does not follow a person over time. Instead, Clearview AI only allows the user to receive a search result available at the time of the search.
The supervisory authorities in Italy and France, however, stated that Clearview AI updates the database regularly and that the search of the database can be repeated over time. That makes it possible to follow the physical changes undergone by the individual over time, as well as the evolution of the other information relating to that person. CNIL explicitly stated that Clearview AI’s automated processing of data must be qualified as tracking on the internet. The same conclusion, although not put in express terms, logically follows from Garante’s analysis.
As explained above, ICO did not devote any time to analyzing the role of “tracking” in the context of the Clearview AI tool. ICO’s assertion that monitoring is done by Clearview AI’s customers might make it difficult to then claim in the same breath that tracking is done – as Garante and CNIL conclude – by Clearview AI.
So long as the “monitoring” is relevant only to determine whether the GDPR applies, it might not be critically important to establish who carries out the “profiling” and “tracking” as the constituent elements of the monitoring. GDPR applies in any event, assuming the processing by a non-European entity is “related to” the monitoring. However, “monitoring” appears dozens of times in the text of the GDPR, in contexts unrelated to GDPR’s territorial scope, and so does “profiling”. For that reason, supervisory authorities and courts in the countries applying the GDPR are likely to be invited again to determine who carries out monitoring or profiling. To the decision-making authorities, the Clearview AI decisions will have something to offer, but not definitive guidance or a final answer.