Back

The decision, in favour of the Nightmare-Tech company which is ClearviewAI, was based on submissions by it that
1) All its clients are outside the EU (now)
2) All its clients are only using it for law enforcement/national security purposes.
3) Therefore they’re outside the scope of the GDPR.

The First-Tier Tribunal found that Clearview had built a Database of every image it could scrape on the Internet, with a face, and run biometric analysis on those faces.

“In October 2022 it was estimated that the Database included over 20 billion images and increasing as new images are scraped. We were provided with an estimate of a growth rate of 75 million images per day.”
Para 40

The Tribunal defined two sets of data processing activities- Activity 1 and Activity 2 processes. It said that ClearviewAI was the controller of the Activity 1 list (building the database to sell) and then was Joint Controller for the use of the database with its law enforcement customers.

Now pause here with me.

I contend that all the Activity 1 actions, which it was accepted without argument that Clearview AI were the data controller for, are unlawful processing.

The Tribunal found otherwise, based on an examination of Article 2 and Article 3 of the GDPR and the U.K. GDPR.

In doing so the Tribunal demonstrated itself an ideal mark for Three Card Monty.

Come with me while we follow the game of Find the Lady, eagerly being played by a Tribunal, apparently fresh off the boat.

(I am not blind to the longstanding attractions of surveillance and state power to the U.K. judiciary, given its status as one of the Five Eyes surveillance network) But let us take the Tribunals arguments on their face and debate them on their merits.

The heart of the Tribunal’s reasoning is set out in Paragraph 129.

In effect, it contends that grabbing photos of identified people as they go up on the Internet, running biometric scans on their faces and then putting them into a contextual database for the purposes of being looked up, traced, identified and watched by state surveillance and law enforcement forces around the world isn’t monitoring, because *it’s just done by computers*.

This echoes the exasperated position of Facebook’s DPO when I suggested their facial scanning tech might represent a GDPR breach- “It’s all just ones and zeros!”

This is, I suggest, what Sir Humphrey Appleby would have described as “a position both courageous and novel”.

It introduces an exciting alignment between English law and cutting-edge quantum physics, where only the intervention of the sentient observer can collapses the waveforms of potential states of monitoring and not monitoring.

If it’s automated surveillance it’s just sparking monitoring.

@rotan The difficulty was that they had only relied on the activity of monitoring in the sanction decision.

@Tupp_ed @rotan An excellent example of why Regulators shouldn’t go off half-cocked and should take great care in establishing clearly the basis for decisions. Also: importance of hitting every important angle in your decisions to reduce risk of the whole thing collapsing.