Included in this edition of Data & Privacy News: Google updates timeline for Privacy Sandbox milestones, MEPs demand greater oversight of AI systems in policing and more...

Government amends data protection guidance following EU adequacy decisions

The Department for International Trade has updated its guidance on businesses using personal data, as well as its guidance on the data protection and copyright obligations for EU businesses transferring data to and from the UK.

The update follows the EU's formal adoption of adequacy decisions for the UK, which allow for the ongoing free flow of personal data from the EU/EEA to the UK. All 12 of the third countries deemed adequate by the EU are also maintaining unrestricted personal data flows with the UK.

Google updates timeline for Privacy Sandbox milestones

Google has announced changes to the timeline of its Privacy Sandbox initiative, which aims to enable companies and developers to build web technologies, whilst also protecting people’s online privacy. The Privacy Sandbox includes an updated timeline for Chrome’s plan to phase out support for third-party cookies, creating more private approaches to areas including ad measurement, delivering relevant ads and content, and fraud detection.

Once the public development process has been completed and Google has engaged with the Competition and Markets Authority (CMA), the planned phase-out of support for third-party cookies will take place in two stages:

  • Stage 1 will begin in late 2022 and is expected to last for nine months, during which time publishers and the advertising industry will be able to migrate their services.
  • Stage 2 will then begin in mid-2023, with Chrome phasing out support for third-party cookies over a three-month period, finishing in late 2023.

This delay is designed to allow sufficient time for public discussion on the right solutions, engagement with regulators, and for publishers and the advertising industry to migrate their services. Google plans to publish a more detailed schedule to help developers and publishers plan their testing and migration schedules soon.

MEPs demand greater oversight of AI systems in policing

A draft report published by MEPs of the Civil Liberties Committee argues for the increase of democratic guarantees and accountability, in particular relating to safeguards and human oversight, for the use of Artificial Intelligence (AI) in law enforcement.

The report includes:

  • concerns that the use of AI systems in policing could be re-purposed for mass surveillance;
  • the potential for bias and discrimination in the algorithms on which AI and machine-learning systems are based, as well as the possibility of AI-powered predictions amplifying existing discrimination;
  • the committee's calls for a permanent ban on the use of biometric details including gait, fingerprints, DNA or voice to recognise people in publicly accessible spaces;
  • the committee's desire for a ban on the use of private facial recognition databases; and
  • calls from MEPs for a ban on the use of facial recognition for identification until such systems comply with "fundamental rights".

The non-legislative report will be debated and voted upon during the September 2021 plenary session.

Norwegian DPA issues fine for e-mail related GDPR breach

The Norwegian Data Protection Authority (Norwegian DPA) has fined a company €15,000 for accessing and then failing to close a former employee’s e-mail account. The Norwegian DPA's investigation found that, after the employee had left the company, the company's manager had logged on to their e-mail account every day for six weeks and maintained access to the account for over five months.

The company claimed that the e-mail account had been maintained in order to follow up with customers and handle enquiries after the employee had left. However, the Norwegian DPA concluded that the enterprise lacks a legal basis for accessing an e-mail account in this manner. The access to the former employee's account was also deemed to have bordered on monitoring an employee’s usage of electronic equipment, with the Norwegian DPA ruling that the company had violated:

  • Article 13 of the GDPR, by failing in its duty to provide information;
  • Article 17 of the GDPR, by failing in its duty to delete the contents of the former employee's e-mail account;
  • Article 21 of the GDPR by failing in its duty to consider the former employee’s objections.

In addition to the fine, the Norwegian DPA also ordered the company to establish internal control measures and procedures for access to the e-mail accounts of employees and former employees, so as to create awareness and promote compliance with regulations.

ICO begins investigation into the Department of Health and Social Care's use of private correspondence channels

The Information Commissioner's Office (ICO) has launched a formal investigation into the use of private correspondence channels at the Department for Health and Social Care. The investigation will determine if such channels have been used and if so, whether their use led to breaches of freedom of information or data protection law. The ICO has served information notices on the department and others to preserve evidence relevant to the inquiry.

Whilst the use of private correspondence channels does not specifically break any data protection or freedom of information rules, the UK Information Commissioner has expressed concerns that information in private email accounts or messaging services is forgotten, overlooked, auto-deleted or otherwise not available when a freedom of information request is later made. This potential lack of transparency, as well as the security implications of personal detail not being properly secured in people’s personal email accounts, will form the basis of this ICO enquiry.

Lithuanian DPA issues fine for processing customers' and employees' fingerprints

The State Data Protection Inspectorate (SDPI) has fined VS FITNESS UAB €20,000 for the processing of biometric personal data following an investigation. The SDPI investigation found that fingerprint scanning is mandatory in order to use the sports club's facilities and there are no alternative identification methods.

The company processed the customers’ fingerprint models on the basis of the data subject’s consent (set out in General Data Protection Regulation (GDPR) Article 9(2)(a)). However, the SDPI investigation concluded that the consent to processing of fingerprint models given by the customers is not voluntary and does not satisfy other requirements for valid consent. In addition, the SDPI also concluded that an employee’s consent should not be considered as an appropriate personal data processing condition due to the imbalance of power.

The fine was imposed for breaches of GDPR Articles 5(1)(a); 5(1)(c); 9(1); 13(1); 13(2); 30; and 35(1).

Key Contacts

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

Helena Brown

Partner, Commercial
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial Services and Data Protection
