New Guidance on AI Risk Management

The development, procurement and deployment of AI systems involving the processing of personal data raises significant risks to data subjects’ fundamental rights and freedoms, including but not limited to privacy and data protection. The principle of accountability enshrined in the UK GDPR and the EU GDPR require Data Controllers to identify and mitigate these risks, as well as to demonstrate how they did so. This is especially important for AI systems that are the product of intricate supply chains often involving multiple actors processing personal data in different capacities.

The European Data Protection Supervisor (EDPS) has just released an important new guidance document to help organisations conduct data protection risk assessments when developing, procuring, or deploying AI systems.  It focuses on the risk of non-compliance with certain data protection principles for which the mitigation strategies that controllers must implement can be technical in nature – namely fairness, accuracy, data minimisation, security and data subjects’ rights. 

Key sections of the document address:

  • the risk management methodology according to ISO 31000:2018
  • the typical development lifecycle of AI systems as well as the different steps involved in their procurement 
  • the notions of interpretability and explainability 
  • an analytical framework for identifying and treating risks that may arise in AI systems, structured according to the data protection principles potentially affected. 

The EDPS has issued this guidance in his role as a data protection supervisory authority for EU institutions. However it is a very useful document for any organisation deploying AI and which requires guidance on how to systematically  assess the risks from a data protection perspective. 

Our AI Governance Practitioner Certificate course, is designed to equip Information Governance professionals with the essential knowledge and skills to management the risk of AI deployment within their organisations. This year 50 delegates, from a variety of backgrounds, have successfully completed the course, giving great feedback

The first course of 2026 starts on 8th January. Places are limited so book early to avoid disappointment. If you require an introduction to AI and information governance, please consider booking on our one day workshop

ICO Enforcement Guidance Consultation Launched 

The Information Commissioner’s Office has launched a consultation on new guidance setting out how it approaches investigations and takes enforcement action. Among other things, the guidance explains:  

  • How the ICO decides whether to open an investigation and the other ways it may instead seek to resolve any concerns. 
  • What to expect from the ICO during an investigation. 
  • How it will use its information gathering powers, including new powers under the Data (Use and Access) Act 2025 to require people to answer questions and organisations to provide reports.  
  • How the ICO decides on the outcome of an investigation and use of its enforcement powers, such as warnings, reprimands, and enforcement and penalty notices. 
  • When it considers settlement with a reduced fine is appropriate and the process involved.  

The new guidance, once finalised, will sit alongside the ICO’s Data Protection Fining Guidance published last year. Together they will replace the statutory guidance currently set out in the Regulatory Action Policy.  

The Data (Use and Access) Act 2025 also includes provisions that will bring the ICO’s investigatory and enforcement powers under the Privacy and Electronic Communications Regulations 2003 (PECR) broadly into line with its powers under the data protection legislation.  While there remain some differences, the ICO proposes to generally take the same approach to the use of its powers in relation to PECR as set out in the draft guidance in relation to the data protection legislation.  

The consultation will run for 12 weeks until Friday 23 January 2026.   

Revised GDPR Handbook 

The data protection landscape continues to evolve. With the Data (Use and Access) Act 2025 now in force, practitioners need to ensure their materials reflect the latest changes to the UK GDPR, Data Protection Act 2018, and PECR. 

The newly updated UK GDPR Handbook (2nd edition) brings these developments together in one practical reference. It includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context. We have included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact. Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials.  

If you are looking to implement the changes made by the DUA Act to the UK data protection regime, consider our very popular half day workshop.  

In case you missed it… 

In October, Capita was fined £14 million following a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports. For some people, this included details of criminal records and financial data. This and other recent cyber-attacks has increased the importance of cyber security training. We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about cyber security. See also our Managing Personal Data Breaches Workshop. 

Also in October, the BBC reported that Gregg Wallace, the former MasterChef presenter, has issued proceedings against the BBC and BBC Studios for failing to respond to his subject access requests (SAR) in accordance with the UK GDPR.  Wallace was sacked by the BBC in July following an inquiry into alleged misconduct. As the saying goes, “Revenge is a dish best served cold!” Any BBC Executives reading this (if you are not too busy at the moment), are advised to attend ourHow to Handle a Subject Access Request workshop. No doubt there will be a few more SARs to the BBC in the coming weeks… 

The Information Commissioner, John Edwards, recently gave evidence to the House of Commons  Science, Innovation and Technology Committee.   Mr Edwards faced some tough questions about his response to the Afghan data breach, in which a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m.  This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop 

Finally, there are only two FOI Practitioner Certificate courses left till Christmas! This foundation course is designed for those wishing to acquire detailed knowledge of the FOI and develop the practical skills to enable them to become a more effective FOI Officer.  The syllabus has been developed by FOI experts after analysing all the skills, knowledge and competencies required for the FOI Officer role. By the end of the course, you will be able to practically handle FOI requests, apply the exemptions and draft Refusal Notices. You will also be able to differentiate between FOI requests and requests under the Environmental Information Regulations. 

Staying Up to Date: The UK GDPR Handbook (2nd Edition) 

The data protection landscape continues to evolve. With the Data (Use and Access) Act 2025 now in force, practitioners need to ensure their materials reflect the latest changes to the UK GDPR, Data Protection Act 2018, and PECR.

The newly updated UK GDPR Handbook (2nd edition) brings these developments together in one practical reference. It includes all amendments introduced by the DUA Act, with colour-coded changes for easy navigation and links to relevant recitals, ICO guidance, and caselaw that help make sense of the reforms in context.

This edition also covers the amendments made to Article 17 (right to erasure) under the Victims and Prisoners Act 2024, ensuring readers have a complete view of the current regime.

Act Now has included relevant provisions of the amended DPA 2018 to support a deeper understanding of how the laws interact. As before, the aim is clarity and usability, helping practitioners work confidently within a complex framework.

And for each handbook sold, £1 is donated to the Rainfall Foundation, supporting the reintegration of prison leavers into society, a reminder that compliance and community impact can go hand in hand.

If you’re revisiting your data protection resources this year, this updated edition is a good place to start. Order your copy here.

Information Commissioner Grilled in Parliament 

Last week the Information Commissioner, John Edwards, gave evidence to the House of Commons  Science, Innovation and Technology Committee.  

Mr Edwards faced some tough questions about his response to the Afghan data breach, in which a Ministry of Defence (MoD) official mistakenly emailed a spreadsheet containing personal details of over 18,000 Afghan nationals who had applied to move to the UK under the Afghan Relocations and Assistance Policy (ARAP). The breach was only discovered in August 2023, when excerpts of the data appeared on Facebook. By then, the damage was done. A new resettlement scheme for those on the leaked list was set up and has seen 4,500 Afghans arrive in the UK so far. The Afghan Relocation Route has cost £400m so far, and the Government has said it is expected to cost a further £450m.  

It’s fair to say that overall the committee was not impressed with the ICO’s approach and John Edwards’ answers to some of their questions. Kit Malthouse’s claimed that the Afghan data breach was dealt with through “a few unrecorded meetings and a handshake”. 

Mr Edwards also answered questions about his wider remit. He slipped in that he has served a Notice of Intent on a social media company (Reddit), but did not give any details. If you missed the live session,  you can still watch the recording.
The Information Commissioner’s session start at 9:46 on the recording here.
If you prefer to read an account of his performance, the Independent covers it here

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025.  

FOI Practitioner Certificate: Final Two Courses for 2025 

There are only two FOI Practitioner Certificate courses left till Christmas!  

This foundation course is designed for those wishing to acquire detailed knowledge of the FOI and develop the practical skills to enable them to become a more effective FOI Officer.  The syllabus has been developed by FOI experts after analysing all the skills, knowledge and competencies required for the FOI Officer role. By the end of the course, you will be able to practically handle FOI requests, apply the exemptions and draft Refusal Notices. You will also be able to differentiate between FOI requests and requests under the Environmental Information Regulations. 

The course takes place over four days followed by an assessment. Our teaching style is based on practical and engaging workshops covering the theory alongside hands-on application using real life case studies and exercises. Personal tutor support throughout the course, detailed course materials and a comprehensive online resource lab, ensure the best opportunity for success. 

The FOI Learning Pathway  

The updated FOI Practitioner Certificate is part of our learning pathway for FOI Officers. Once completed they can move on to the Intermediate FOI Certificate. This strengthens the foundations established by the FOI Practitioner Certificate. Topics include interpreting information requests, navigating data repositories for relevant information, handling vexatious requests and applying the exemptions. Time will also be spent discussing the historical development and transformative impact of FOI on transparency, accountability and citizen empowerment. International comparisons with the FOI Act will broaden delegates’ perspectives, while critically evaluating its impact and effectiveness will assist them to appreciate the importance of transparency and accountability. By the end of the course, delegates will gain skills in, amongst other things, effectively interpreting information requests, assessing their scope, retrieving relevant information, overcoming challenges in organisational compliance, applying exemptions and crafting clear Refusal Notices.   
 
If you would like a chat to discuss your suitability for any of our certificate courses, please get in touch. 

Prince Andrew: The Data Protection Angle 

Over the weekend, the Mail on Sunday piled more pressure on Prince Andrew.  

It alleged that he asked his police protection officer to investigate his accuser, Virginia Giuffre,  just before the newspaper published a photo of Ms Giuffre’s first meeting with the prince in February 2011. The Mail alleges that Prince Andrew gave the officer her date of birth and social security number. The Sunday Telegraph also claimed that he “sought to dig up dirt” on Ms Giuffre. 

Ms Giuffre, who took her own life earlier this year, said she was among the girls and young women sexually exploited by convicted sex offender Jeffrey Epstein and his wealthy circle. Prince Andrew has consistently denied all allegations against him. 

The Metropolitan Police said on Sunday, “We are aware of media reporting and are actively looking into the claims made.” Of course we don’t have detailed information about the circumstances around latest allegations against Prince Andrew, but (if true) there is a possible breach of Section 170 of the Data Protection Act 2018 (DPA). This makes it a criminal offence for a person to knowingly or recklessly:  

(a) obtain or disclose personal data without the consent of the controller,  

(b) procure the disclosure of personal data to another person without the consent of the controller, or  

(c) after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained. 

So if the latest allegations are true, Prince Andrew and/or his police protection officer at the time, could have committed a criminal offence under the DPA 2018. Unlike the other allegations against him, this offence does not carry a prison term; just a fine. Successive Information Commissioners have argued that a custodial sentence under S.170 would be a better deterrent (but to no avail).  

Will the Information Commissioner’s Office be knocking on Prince Andrew’s door? In June 2023, the ICO disclosed that, since 1stJune 2018, 92 cases involving S.170 offences were investigated by its Criminal Investigations Team. There have been a number of more recent S.170 prosecutions. These often involve people accessing/disclosing confidential information for financial gain.  

Depending again on the circumstances, there may also be an offence under section 1 of the Computer Misuse Act 1990 which carries tougher sentences including a maximum of 2 years imprisonment on indictment.  In July 2022, a woman who worked for Cheshire Police pleaded guilty to using the police data systems to check up on ex-partners and in August 2022, the ICO commenced criminal proceedings against eight individuals over the alleged unlawful accessing and obtaining of customers’ personal data from vehicle repair garages to generate potential leads for personal injury claims.  

This and other data protection developments will be discussed in detail on our forthcoming  GDPR Update  workshop.The new (2nd) edition of the UK GDPR Handbook has been published. It contains all the changes made by the Data (Use and Access) Act 2025. 

UK GDPR Handbook Updated: Now Includes DUA Act Amendments 

Act Now Training is pleased to announce the launch of the 2nd edition of the UK GDPR Handbook

The handbook is designed for data protection practitioners and legal advisers who require a complete guide to the UK Data Protection regime following the changes introduced by the Data (Use and Access) Act 2025 (“DUA Act”). 

The DUA Act received Royal Assent on 19th June 2025. It amends the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003.  

This handbook sets out the full text of the amended UK GDPR. Amendments, insertions and deletions made by the DUA Act are referenced in colour to allow users to easily identify what has been changed. It also cross references relevant recitals of the EU GDPR which are still part of the UK GDPR pursuant to section 3 of the European Union (Withdrawal) Act 2018.  
 
Relevant provisions of the amended DPA 2018 have also been included where they contribute to the further understanding of the UK GDPR. Guidance from the (soon to be) Information Commission, the European Data Protection Board and relevant caselaw is signposted to assist users in interpreting the legislation. 

Act Now sold over 5,000 copies of the first edition of the handbook. This new publication will be a valuable addition to data protection practitioners’ libraries. Ibrahim Hasan, the editor of the handbook, said: 

“I am really pleased with the publication of the second edition of the UK GDPR handbook. My team and I have tried to produce a clear and easy to follow publication which will help practitioners navigate their way around this complex legislation.” 

Delegates on our future GDPR certificate courses will receive a complimentary copy of the UK GDPR Handbook as part of their course materials. 

The Rainfall Foundation 

The handbook also contains amendments made to Article 17 (the right to erasure) by section 31 of the Victims and Prisoners Act 2024.  

At Act Now we want to see a world where every individual, regardless of their past, has the opportunity to thrive; a community where everyone can contribute meaningfully and live with dignity. That is why we are partnering with Rainfall Foundation; a charity which works to support the reintegration of prison leavers into society. It provides tailored support that addresses prison leavers’ unique needs and helps them overcome the barriers they face in building a stable, rewarding life.  For each handbook sold, Act Now will be donating £1 to Rainfall Foundation.

Capita Fined £14m for GDPR Data Breach 

The Information Commissioner’s Office (ICO) has issued a £14m fine under the UK GDPR to professional and outsourcing services company Capita. This follows a cyber-attack in March 2023 which saw hackers gain access to 6.6 million people’s personal data; from pension and staff records to the details of customers of organisations Capita supports. For some people, this included details of criminal records and financial data. 

The ICO said Capita “failed to ensure the security of processing of personal data which left it at significant risk”. Capita plc has been fined £8m and Capita Pension Solutions Limited has been fined £6m, giving a combined total of £14m. The original notice of intent totalled £45m. The ICO and Capita have now agreed to a “voluntary settlement” whereby Capita has admitted liability and agreed to pay the fine without appealing.  

Background 

The cyber- attack began when a malicious file was unintentionally downloaded onto an employee device. Despite a high priority security alert being raised within 10 minutes of the breach and some immediate automated action being taken, Capita did not quarantine the device for 58 hours, during which the attacker was able to exploit its systems. Nearly one terabyte of data was exfiltrated. On 31st March 2023, ransomware was deployed onto Capita systems and the hacker reset all user passwords, preventing Capita staff from accessing their systems and network.  

The ICO received at least 93 complaints in relation to this attack. In mitigation, Capita offered 12 months of credit monitoring to affected customers with Experian, as well as setting up a dedicated call centre for those people. It provided weekly updates to us on uptake, with over 260,000 people activating the credit monitoring service. 

ICO Findings 

The ICO investigation found that Capita failed to implement appropriate technical and organisational measures to safeguard the data they held. This included: 

  • Failure to prevent privilege escalation and unauthorised lateral movement: 
  • Capita did not implement a tiering model for administrative accounts. This allowed the attacker to escalate privileges, move laterally across multiple domains and compromise critical systems. 
  • These failings were flagged as a vulnerability on at least three separate occasions but were not remedied. 
  • Failure to respond appropriately to security alerts: 
  • A high priority security alert was raised within ten minutes of the breach, but Capita took 58 hours to respond appropriately, against a target response time of one hour. 
  • Capita’s Security Operations Centre was understaffed, and in at least six months before the incident fell well below the target response times for responding to security alerts. 
  • Inadequate penetration testing and risk assessment: 
  • Systems processing millions of records, including some sensitive data, were only subject to a penetration test upon being commissioned and were not subject to any subsequent penetration test. 
  • Findings from penetration tests were siloed within business units. Risks identified that affected the wider Capita network were not universally addressed. 

The ICO has highlighted key areas where organisations should be taking proactive steps to reduce security risks, such as: 

  • Regularly monitoring for suspicious activity and responding to initial warnings and alerts in a timely manner; 
  • Sharing the findings from penetration testing across the whole organisation so risks can be universally addressed; 
  • Prioritising investment in key security controls to ensure that they are operating effectively; and 
  • Checking agreements and responsibilities between data controllers and data processors. 

Capita Pension Solutions Limited was fined as a data processor. It processes personal data on behalf of over 600 organisations providing pension schemes, with 325 of these organisations also impacted by the data breach. This is only the second time a data processor has been fined by the ICO. In March 2025, Advanced Computer Software Group Ltd, a key IT and software provider for the NHS and other healthcare organisations, was fined £3,076,320. Hackers exploited a vulnerability through a customer account that lacked multi-factor authentication, gaining access to multiple health and care systems operated by Advanced. The ICO investigation found that personal data belonging to 79,404 people was taken. This included phone numbers, medical records, and even details on how to access the homes of 890 individuals receiving at-home care. 

This is the fifth GDPR fine issued by the ICO in 2025; four of these have been in relation to cyber security incidents.  In March an NHS IT supplier was fined £3million, in April a £60,000 fine was issued to a law firm and in June 23andMe, a US genetic testing company, was fined £2.31 million

We have two workshops coming up (How to Increase Cyber Security in your Organisation and Cyber Security for DPOs) which are ideal for organisations who wish to up skill their employees about cyber security. See also our Managing Personal Data Breaches Workshop.

A Pinch of GDPR: Gregg Wallace Serves Up a Data Rights Claim 

Gregg Wallace, the former MasterChef presenter, has issued proceedings against the BBC and BBC Studios for failing to respond to his subject access requests (SAR) in accordance with the UK GDPR.  Wallace was sacked by the BBC in July following an inquiry into alleged misconduct. As the saying goes, “Revenge is a dish best served cold!”  

Background 

According to court documents, seen by the PA news agency, in March 2025 Wallace made SARs to the BBC and its subsidiary BBC Studios for all personal data held about him. Both requests related to his “work, contractual relations and conduct” spanning 21 years. 

The BBC acknowledged the request and deemed it “complex”. They probably invoked  Article 12(3) of the UK GDPR which allows a Data Controller to extend the one month SAR time limit by a further two months where necessary “taking into account the complexity and number of the requests.” By August, the BBC had apologised for the delay and said it was taking “reasonable steps” to process the request,  but still no data had been provided. BBC Studios, meanwhile, said it would withhold parts of the data because of “freedom of expression.” 

The court documents assert that the defendants had “wrongly redacted” information and had “unlawfully failed to supply all of the claimant’s personal data”. Wallace seeks “up to £10,000” for distress and harassment and an order compelling both entities to comply with his SARs.   

Freedom of Expression Exemption 

BBC Studios’ reliance on “freedom of expression” invites scrutiny. The exemption in Schedule 2 Part 5 of Data Protection Act 2018 (DPA 2018) applies only to personal data processing carried out for the special purposes (journalistic, artistic, academic, or literary)  and only so far as compliance would be incompatible with those purposes. 

The special purposes exemption is interpreted quite narrowly by the courts. If the withheld data consists of production notes, editorial discussions, or source material for broadcast, BBC Studios’ argument has force. But if the data relates to HR investigations, conduct complaints, or contractual matters, the processing is unlikely to be “journalistic”.  

Distress and Damages 

Article 82 UK GDPR gives a data subject a right to compensation for material or non-material damage for any breach of the UK GDPR. Section 168 of the DPA 2018 confirms that “non-material damage” includes distress. However the relevant case law shows (1) the courts distinguishing trivial upset from genuine distress and (2) modest damages being awarded. A long delay in responding to a SAR, especially in the midst of reputational damage, is not trivial. However, if Wallace’s is successful in his claim he is unlikely to be awarded anything close to £10,000: typical awards for emotional harm in data-rights breaches sit between £500 and £2,500. (The excellent Panopticon blog is a must-read for anyone needing help in navigating causation and quantum in such cases.) Furthermore, by limiting his claim to £10,000, Wallace’s case will probably be allocated to the Small Claims track where minimal costs are recoverable.  

ICO Action 

This court action by Greg Wallace may also draw the attention of the Information Commissioner’s Office (ICO). In March 2025, the ICO issued reprimands to two Scottish councils for repeatedly failing to respond to SARs within the statutory timeframe.  There is also the theoretical possibility of a criminal prosecution if the ICO, upon investigation, finds that the BBC has deliberately frustrated the requests.   
 
Section 173 of the DPA 2028 makes it a criminal offence, where a person has made a SAR, to “alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of all or part of the information that the person making the request would have been entitled to receive.” In September, Jason Blake, the director of a care home in Bridlington, was found guilty of an offence under S.173.  The court ordered him to pay a fine of £1,100 and additional costs of £5,440.   

Other Celebrity SARs 
 
This is not the first time a primetime BBC show has crossed paths with GDPR. A few years ago, some celebrity contestants on  Strictly Come Dancing alleged mistreatment by professional dancers and production staff. Lawyers acting on behalf of one of the dancers at the centre of the allegations, made a GDPR subject access request for, amongst other things, “all internal BBC correspondence related to the issue, including emails and text messages”.  

In July 2023, Dame Alison Rose, the then CEO of NatWest, resigned after Nigel Farage made a SAR which disclosed information that contradicted the bank’s justification for downgrading his account. There is potentially more SAR court drama to come. In March, the campaign group, Good Law Project(GLP),  “filed a trailblazing new group action” against Farage’s Reform UK at the High Court. GLP claims that Reform failed to comply with a number of SARs and is seeking damages on behalf of the data subjects.  

Whilst Greg Wallace’s case is unlikely to result in a groundbreaking legal judgment or a headline-making damages award, high-profile celebrities pursuing data protection claims are always a welcome development. They help raise awareness of data rights and, conveniently, give information governance professionals a perfect excuse to indulge in a reality TV binge, just in case any other interesting data protection issues arise! 

Our How to Handle a Subject Access Request workshop will help you navigate complex Subject Access Requests.

Scope of the GDPR: ICO Wins Clearview Appeal  

The Information Commissioner has won his appeal (to the Upper Tribunal) against the First-tier Tribunal (FTT) decision involving Clearview AI Inc.  

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. Its online database contains 20 billion images of people’s faces and data scraped from the internet and social media platforms all over the world. It allows customers to upload an image of a person to its app; the person is then identified by the app checking against all the images in the Clearview database. The appeal raised the issue of the extent to which processing of the personal data of UK data subjects by a private company based outside the UK is excluded from the scope of the GDPR, including where such processing is carried out in the context of its foreign clients’ national security or criminal law enforcement activities. 

Background 

In May 2022 the ICO issued a Monetary Penalty Notice of £7,552,800 to Clearview for breaches of the UK GDPR including failing to use the information of people in the UK in a way that is fair and transparent. Although Clearview is a US company, the ICO ruled that the UK GDPR applied because of Article 3(2)(b) (territorial scope). It concluded that Clearview’s processing activities “are related to…the monitoring of [UK resident’s] behaviour as far as their behaviour takes place within the United Kingdom.” The ICO also issued an Enforcement Notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.  

In October 2023, the FTT overturned the ICO’s enforcement and penalty notice against Clearview. It concluded that although Clearview did carry out data processing related to monitoring the behaviour of people in the UK (Article 3(2)(b) of the UK GDPR), the ICO did not have jurisdiction to take enforcement action or issue a fine. Both the GDPR and UK GDPR provide that acts of foreign governments fall outside their scope; it is not for one government to seek to bind or control the activities of another sovereign state. However the Tribunal noted that the ICO could have taken action under the Law Enforcement Directive (Part 3 of the DPA 2018 in the UK), which specifically regulates the processing of personal data in relation to law enforcement. 

The Upper Tribunal Judgement  

The Upper Tribunal allowed the appeal, set aside the decision of the FTT and remitted the matter to the FTT to decide the substantive appeal on the basis that the Information Commissioner had jurisdiction to issue the notices. It also decided that the FTT was right to find that Clearview’s processing fell within the territorial scope of the GDPRs, albeit that it differed in its reasoning. 

In its judgment, the Upper Tribunal ruled  that: 

(1) The words “in the course of an activity which falls outside the scope of Union law” in Article 2(2)(a) of the GDPR (which provides for an exclusion from the material scope of the GDPR) refer only to those activities in respect of which Member States have reserved control to themselves and not conferred powers on the Union to act, and not to all matters without the competence of the Union (as the ICO argued) or to the activities of third parties whose processing “intersects” with their clients’ processing in the course of “quintessentially state functions” which would offend against comity principles (as Clearview argued); 

(2) The words “behavioural monitoring” in Article 3(2)(b) are to be interpreted broadly, as a response to the challenges posed by ‘Big Data’ in the digital age, and they can encompass passive collection, sorting, classification and storing of data by automated means with a view to potential subsequent use, including use by another controller, of personal data processing techniques which consist of profiling a natural person. “Behavioural monitoring” does not require an element of active “watchfulness” in the sense of human involvement;  

(3) The words “related to” in Article 3(2)(b) of the GDPR, as applied to Article 3(2)(b), have an expansive meaning, and apply not only to controllers who themselves conduct behavioural monitoring, but also to controllers whose data processing is related to behavioural monitoring carried out by another controller. 

Data protection practitioners should read the judgement of the Upper Tribunal as it clarifies the material and territorial scope provisions of the UK GDPR. This and other GDPR developments will be discussed in our forthcoming GDPR Updateworkshop.