Included in this edition of data & privacy news: Court of Appeal hands down judgment in facial recognition case; Social media data leak raises concerns over data scraping; and more...
Data Download webinar on Tuesday 8 September
Join our Data Management Team on Tuesday 8 September at Midday as they give an update on navigating the rules of cookies and adtech. Sign up here.
Court of Appeal hands down judgment in facial recognition case
The Court of Appeal has handed down judgment in R (Bridges) v CC South Wales  EWCA Civ 1058 on the use of facial recognition technology by South Wales Police. The court found that:
South Wales Police's Data Protection Impact Assessment (DPIA) was deficient (in part because it didn't address the processing of biometric data relating to people who weren't on police watch lists – the technology scans everyone's face);
the use of facial recognition technology in the circumstances was a breach of the claimant's ECHR Art 8 right; and
South Wales Police hasn't sufficiently looked into the way in which facial recognition technology can be discriminatory under the Equality Act (and therefore its Equality Act Assessment was inadequate).
Social media data leak raises concerns over data scraping
According to Bob Diachenko at Comparitech, a data brokerage company left an unsecured database pulled from 235 million Instagram, TikTok and YouTube profiles exposed on the web, raising concerns over the ethics of data scraping from social media sites.
Three identical copies of the dataset were found to be publicly available on the Internet at the beginning of August, containing information such as names, profile photos, phone numbers and email addresses.
Experts have warned of the risks associated with this type of breach for users (making them more open to phishing campaigns, creation of imitation accounts prompting scams or misinformation and photos being used to train facial recognition algorithms) and for companies considering scraping data (IP infringement claims and claims resulting from infringement of the relevant social media site's terms).
Collective Action Lawsuit being brought against Marriott
Marriott International is facing a lawsuit in the High Court for its failure to secure and keep control of the personal information which guests gave when they made a booking online. Hackers gained access to the database and exfiltrated millions of guest records. Approximately 7 million UK guest records were affected by the Marriott data breach and approximately 339 million guest records globally were exposed.
The ICO is still in the process of finalising what enforcement action it wishes to take after issuing a notice of its intention to fine Marriott International £99,200,396 in July 2019.
Martin Bryant, 41, a technology journalist, has filed a representative action on behalf of victims in England and Wales whose personal data was exposed.
NHS Test and Trace App DPIA
The government has published its DPIA for the Early Adopter Trial of the NHS Test and Trace App.
The GDPR requires data controllers to conduct a DPIA before introducing data processing which could be of high risk to individuals if appropriate controls are not in place.
MPs challenge ICO over failure to enforce data protection standards in Test and Trace programme
A cross-party group of MPs, backed by privacy campaigners the Open Rights Group, have accused the ICO of failure to enforce data protection standards over the contact-tracing data app.
The Department for Health and Social Care did not complete a mandatory DPIA on the Test and Trace programme when it began.
The MPs have sent an open letter to the ICO, calling on Information Commissioner Elizabeth Denham to "properly act" and urge the government to make changes to the Test and Trace programme so that the public can see that their data is being processed safely and legally.