Blog
Business Development: Playing The Right Card
Leor Franks
In a recent decision on the UK GDPR’s global scope, the Upper Tribunal in The Information Commissioner v Clearview AI Incorporated and Privacy International [2025] UKUT 319 (AAC) confirmed that the UK’s data protection regime can extend well beyond its borders.
The Tribunal overturned the earlier First-tier decision and confirmed that the Information Commissioner’s Office (ICO) does have jurisdiction over US-based Clearview AI, whose facial recognition database includes billions of images scraped from the open internet, including many of UK residents.
Why it matters
This decision reaffirms that the UK GDPR follows the data, not the business location. Even if an organisation has no establishment, clients or servers in the UK, it may still fall within scope if it processes personal data relating to people in the UK.
The Tribunal found that Clearview’s large-scale scraping and profiling of UK individuals constituted “monitoring of behaviour” under Article 3(2)(b) UK GDPR, rejecting the company’s argument that only its law enforcement clients engaged in such monitoring.
Key takeaways
- Monitoring of behaviour can include automated data collection (such as web crawlers), even without active human tracking.
- Foreign state exemptions under Article 2(2)(a) are narrowly construed. Private companies cannot claim them unless genuinely acting on behalf of a state authority.
- The ICO’s enforcement powers extend globally, enabling enforcement against non-UK entities that handle personal data of UK residents.
- The ruling highlights that the UK GDPR’s reach is indeed “all singing and all dancing”, in the Tribunal’s words, leaving little room for jurisdictional escape.
- Whilst this blog focuses on the UK GDPR, the EU GDPR contains broadly similar provisions.
Practical implications for global businesses
This judgment sends a clear warning: geography alone offers no shield from regulatory scrutiny. Organisations processing UK (or EU) personal data, including through AI, biometric tools or large-scale data aggregation, must assess whether their operations involve or affect UK (or EU) data subjects, even indirectly. If so, they must have:
- a lawful basis for processing under GDPR;
- robust data protection impact assessments; and
- appropriate privacy governance and transparency measures.
Final thoughts
The Clearview decision cements the expansive extraterritorial reach of UK data protection law. For tech companies and service providers worldwide, it underscores a simple message: if your technology touches UK personal data, UK regulators are within reach.
If your organisation operates internationally or uses AI-driven data analytics, now is the time to revisit your GDPR and AI compliance strategies.
Further information
Get in touch with Christopher Perrin to discuss how this decision may impact your business.
About the author
Christopher Perrin is a highly experienced solicitor who leads the Corporate, Commercial and Finance team’s general Commercial & Technology Contracts, Outsourcing & Data legal advisory services.
Latest blogs & news
Business Development: Playing The Right Card
The professional services industry faces rapid change
2026 brand threats that could be opportunities: Polarisation, AI, NextGen, and Saturation
What are these megatrends that could pose a threat to brands in 2026?
Companies House security issue: What your business should do now
A serious security vulnerability affecting the five million registered companies on Companies House was recently discovered. More on this below, but we would urge all companies to check their records carefully and ensure there is nothing unexpected in their Companies House filings and dashboard.
What tech businesses need to know in 2026
At our recent Tech Briefing, 'What tech businesses need to know in 2026', we explored how the EU’s Digital Omnibus package and the UK’s Employment Rights Act will reshape compliance for UK tech SMEs.
Five common contract weaknesses – and how to fix them
Most commercial disputes don’t come from exotic legal issues - they come from everyday contract weaknesses that could have been avoided with a few smart tweaks
2026 marks a turning point for data governance in the UK
2026 is shaping up to be the most consequential year for UK data protection enforcement since the introduction of the EU/UK GDPR regime. With record fines issued in late 2025, a new enforcement playbook on the horizon, and shifting legislative and regulatory expectations, the Information Commissioner’s Office (“ICO”) is signalling a marked transformation in how it supervises, and sanctions, organisations.
Why limitation of liability clauses deserve more attention than they get
Too often, limitation of liability clauses are treated as standard boilerplate - something to tidy up at the end of a negotiation once the “real” commercial points are agreed.
From Seed to Series A and Beyond: 7 Key Insights for Tech Founders
In this article, we share 7 key considerations to help tech founders navigate the journey from seed funding to Series A and beyond.
Biggest EU Digital Shake-Up Since GDPR? What Businesses Need To Know
In November 2025, the European Commission unveiled its Digital Omnibus package – a set of proposals aimed at simplifying (not deregulating) EU rules on data protection, cybersecurity and AI.
Clearview AI ruling confirms UK GDPR applies beyond borders
In a recent decision on the UK GDPR’s global scope, the Upper Tribunal in The Information Commissioner v Clearview AI Incorporated and Privacy International [2025] UKUT 319 (AAC) confirmed that the UK’s data protection regime can extend well beyond its borders.
UK Tech SMEs & the November Budget
Founders and teams across the country are looking for signals that the UK still backs its innovators. Here’s what’s top of the wish-list:
Why does software ownership matter? Six key legal takeaways for tech businesses
For founders, investors and anyone involved in the tech sector, understanding who owns your software and how to prove it is critical. Whether you’re seeking investment, planning an exit or simply aiming to protect your IP, clarity on ownership can make or break a deal
Court of Appeal clarifies data protection claims for non-material damage: A win for claimants - But what are the implications for controllers and processors?
The Court of Appeal has recently handed down an important decision in respect of data protection law considerations in Farley & Others v Paymaster (trading as Equiniti) [2025] EWCA Civ 1117, providing clarity on the scope of infringement and compensation data protection claims under the UK GDPR and Data Protection Act 2018 (“DPA”). The judgment will be of particular interest to any service provider dealing with and processing large volumes of customer personal data.
5 Reasons Why Fundraising can Go Wrong
At some point in their history, businesses commonly have need for external funding to help their growth trajectory.
Three Cautionary Tales for UK Tech Companies
In tech, the law often arrives after something has gone wrong. Here are three cautionary tales* and the lessons every founder, CTO and in-house counsel should take away.
Top five takeaways from the Data (Use and Access) Act 2025
The Data (Use and Access) Act 2025 (the “DUAA”), which received Royal Assent on 19 June 2025, introduces targeted reforms to the UK data protection legal framework — particularly the UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
Modern industrial strategy: updates to National Security and Investment Act under review
Many of you will know that the Government published, on 23 June, its Modern Industrial Strategy paper and, with it, committed to creating a “predictable, proportionate, and transparent investment screening framework” and launching a 12-week consultation on updating the definitions of the 17 sensitive sectors of the economy as set out in the National Security and Investment Act 2021 (NSIA).
A game changer for data processors? The ICO issues a significant fine against a processor
The recent cyberattacks on major UK retailers have put cybersecurity back in the spotlight. But a more significant development for data protection practitioners has been flying under the radar: the Information Commissioner’s Office (ICO) has issued a notable fine directly against a data processor for breaching UK GDPR security obligations - an important shift in enforcement focus.
Basis Period Adjustments
The 2023/24 tax year marks a major shift in the way unincorporated businesses are taxed. It is a transition year, with HMRC moving from the traditional “current year basis” to a “tax year basis” from 6 April 2024. While this change is intended to simplify the system in the long run, it introduces some short-term complexities (and often tax expense) during the transition year which partners and other sole traders ought to be alive to.
Angel investing and how we can help
We have a wealth of experience acting for high net worth individuals at the outset of their angel investing journey and for seasoned angel investors who need the occasional bit of legal input.
Share insightLinkedIn X Facebook Email to a friend Print