The judgment, issued by the three-member tribunal at the First-tier Tribunal, agreed with Clearview’s assertion that the ICO lacked jurisdiction in the case because the data processing in question was carried out on behalf of foreign government agencies.
Yeah, I'm going to take the judgement as the truth over your opinion of a fictional ECJ judgement, especially as the UK GDPR law is exactly the same as the EU one.
For starters, we're talking about the exact same ruling. And I think the snippet you posted will help me explain the issue.
GDPR is an EU law. It applies to all companies collecting data on EU citizens. If a company does, it falls under the jurisdiction of the GDPR and European (member state) courts (in this case a UK court). The UK court clearly held that it has jurisdiction, and could apply a penalty if Clearview were to be in breach of the law.
However, the court is not normally the one to hand out these fines. Instead, that is delegated to each country's data protection agency, which in the UKs case is the ICO. Now, the exact conditions under which the ICO is allowed to fine a company is defined in the GDPR. It defines the jurisdiction of the data protection agencies.
One of those conditions states that the ICO is not to have jurisdiction over data collection done for foreign law enforcement (that's usually covered by international treaties instead). The ICO for example can't fine the FBI or NSA or something.
In the case of Clearview, the ICO argued that sinced Clearview is a private company, they were not covered by this exclusion. Clearview argues that the sole purpose of the data collection is for foreign law enforcement, so that they are covered by that exclusion. Note that Clearview didn't argue that they can't be fined because they're not an EU company.
The court has ruled that yes, the GDPR applies to Clearview, but also that Clearview is covered by the exclusion outlined in the GDPR for foreign law enforcement, and thus that the ICO does not have the jurisdiction to fine them (again, note the difference between the jurisdiction of the law/court and that of the ICO). So GDPR applies, but Clearview is not in breach.
Hypothetically, had Clearview sold this data to other private companies instead of law enforcement agencies, then Clearview could not have argued that they were covered by the GDPR exemption, and thus the court would have ruled that the ICO does have the jurisdiction to fine them.
So in conclusion:
The EU can and has fined companies that are not in the EU for breaches of the GDPR.
The GDPR does apply to Clearview.
The UK court does have jurisdiction.
The ICO does not have jurisdiction on Clearview specifically, due to the aforementioned provision in the GDPR.
The ICO can not fine Clearview for this activity, for reasons outlined in the GDPR.
Ok, I think I get where you are coming from, but your conclusion still doesn't argue the original point imo.
The GDPR law on the UK statute books is the exact same law as the EU one, it has not been amended. It's just that the ECJ is no longer the highest court. The UK supreme court is again supreme following brexit.
Please provide an example of where the EU has taken action successfully against a conpany that has no base in the EU though. I've not seen anything like that bef
The original point was that the UK was somehow in a worse position because of brexit, this is not true. The UK is no weaker legally because of exiting the EU. The law is identical.
This is an international agreement between the EU and the US. When the UK Brexited, I believe (but not 100% sure) they were no longer part of that agreement, meaning the UK lost the ability to efficiently go after companies without a base in the UK even if the law remained identical.
Yeah, I'm going to take the judgement as the truth over your opinion of a fictional ECJ judgement, especially as the UK GDPR law is exactly the same as the EU one.
Please provide a link that shows otherwise
I think I understand your confusion now.
For starters, we're talking about the exact same ruling. And I think the snippet you posted will help me explain the issue.
GDPR is an EU law. It applies to all companies collecting data on EU citizens. If a company does, it falls under the jurisdiction of the GDPR and European (member state) courts (in this case a UK court). The UK court clearly held that it has jurisdiction, and could apply a penalty if Clearview were to be in breach of the law.
However, the court is not normally the one to hand out these fines. Instead, that is delegated to each country's data protection agency, which in the UKs case is the ICO. Now, the exact conditions under which the ICO is allowed to fine a company is defined in the GDPR. It defines the jurisdiction of the data protection agencies.
One of those conditions states that the ICO is not to have jurisdiction over data collection done for foreign law enforcement (that's usually covered by international treaties instead). The ICO for example can't fine the FBI or NSA or something.
In the case of Clearview, the ICO argued that sinced Clearview is a private company, they were not covered by this exclusion. Clearview argues that the sole purpose of the data collection is for foreign law enforcement, so that they are covered by that exclusion. Note that Clearview didn't argue that they can't be fined because they're not an EU company.
The court has ruled that yes, the GDPR applies to Clearview, but also that Clearview is covered by the exclusion outlined in the GDPR for foreign law enforcement, and thus that the ICO does not have the jurisdiction to fine them (again, note the difference between the jurisdiction of the law/court and that of the ICO). So GDPR applies, but Clearview is not in breach.
Hypothetically, had Clearview sold this data to other private companies instead of law enforcement agencies, then Clearview could not have argued that they were covered by the GDPR exemption, and thus the court would have ruled that the ICO does have the jurisdiction to fine them.
So in conclusion:
I hope this makes a bit more sense now.
Ok, I think I get where you are coming from, but your conclusion still doesn't argue the original point imo.
The GDPR law on the UK statute books is the exact same law as the EU one, it has not been amended. It's just that the ECJ is no longer the highest court. The UK supreme court is again supreme following brexit.
Please provide an example of where the EU has taken action successfully against a conpany that has no base in the EU though. I've not seen anything like that bef
The original point was that the UK was somehow in a worse position because of brexit, this is not true. The UK is no weaker legally because of exiting the EU. The law is identical.
Finding examples is difficult, as most articles tend to be about the big tech companies that have bases globally. But I can point you towards the legal mechanism the EU uses in the case of the US, which is the EU-US Data Protection Umbrella agreement, see here: "Law enforcement cooperation: EU-US Umbrella Agreement" https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en#:~:text=Law enforcement cooperation%3A EU-US Umbrella Agreement
This is an international agreement between the EU and the US. When the UK Brexited, I believe (but not 100% sure) they were no longer part of that agreement, meaning the UK lost the ability to efficiently go after companies without a base in the UK even if the law remained identical.
Ah ok. Yeah they just did a thing to replicate it recently. Not sure if that means there was a period when that ability was lost though
https://dpnetwork.org.uk/international-data-transfers-data-bridge
deleted by creator