New York-based facial recognition software company Clearview AI has had a $9.1 million fine and order to delete UK citizen data reversed by Britain’s General Regulatory Tribunal. The case against Clearview was brought by the UK Information Commissioner’s Office, which scored a victory round in May 2022, claiming Clearview violated privacy laws under the General Data Protection Regulation because it did not inform or gain consent of UK citizens before collecting their data. Clearview appealed, and the tribunal found that the selfie-scraping AI firm was not subject to the ICO’s jurisdiction due to a loophole for firms servicing foreign law enforcement.

“Clearview AI’s facial recognition technology is used by law enforcement and national security agencies to help solve crimes and conduct investigations after-the-fact by quickly and accurately matching photos of suspects, persons of interest and potential victims against a database of more than 30 billion publicly available facial images,” the company said in a press release lauding its victory.

“The ICO will take stock of today’s judgment and carefully consider next steps,” the group wrote in a statement, adding that “this judgment does not remove the ICO’s ability to act against companies based internationally who process data of people in the UK, particularly businesses scraping data of people in the UK, and instead covers a specific exemption around foreign law enforcement.”

“The UK’s GDPR stipulates that the processing of personal data by competent authorities for law enforcement purposes is outside its scope — and is instead subject to rules in Part 3 of the Data Protection Act 2018 (which brought the EU Law Enforcement Directive EU2016/680 into UK law, post-Brexit),” TechCrunch reports, suggesting “it’s not clear why the ICO did not bring a claim against the Clearview under the DPA 2018, rather than the UK GDPR.”

“Data protection authorities in France, Italy and Greece have found the U.S. firm in breach of the EU’s GDPR — which the UK’s domestic data protection framework is based on,” notes TechCrunch, adding that it remains unclear whether the UK ruling will have spillover influence in the EU.

Clearview AI has been operating since 2017, “founded by Australian entrepreneur Hoan Ton-That and U.S. politician Richard Schwartz,” according to SiliconANGLE, which writes that “the company managed to keep under the radar for a couple of years, until 2019, when it was discovered that it had been scraping images from the Internet without the consent of the public and the companies whose websites were used.”