Included in this edition of Data & Privacy News: ICO confirms investigation into leak of DHSC CCTV footage, EDPB adopts first urgent binding decision on Facebook investigation and more...

ICO confirms investigation into leak of DHSC CCTV footage

The Information Commissioner's Office (ICO) has confirmed that it has opened an investigation into alleged breaches of section 170 of the Data Protection Act 2018, involving CCTV footage recorded at the Department of Health and Social Care (DHSC). The investigation follows the submitting of a breach report by EMCOR Group (UK) plc as the processor of personal data, relating to CCTV images published by The Sun newspaper on 25 June 2021. The EMCOR Group (UK) plc provides facilities management and CCTV services for the DHSC.

As part of the investigation, the ICO searched two residential properties in the south of England on Thursday 15 July 2021 and sized personal computer equipment and electronic devices. 

EDPB published guidelines on the concepts of controller and processor in the GDPR

The European Data Protection Board (EDPB) has published the finalised version of Guidelines 07/2020 on the concepts of controller and processor in the GDPR. The Guidelines, which were first released for public consultation in September 2020, cover the concepts of controller and processor based on the rules on definitions in the EU's General Data Protection Regulation (EU GDPR).

The Guidelines cover, among other things:

• the concept of a controller, as well as their roles and responsibilities;
• the concept of joint controllers, as well as their roles and responsibilities;
• the concept of processors, as well as their roles and responsibilities;
• the relationship between a controller and processor; and
• the relationship among joint controllers.

The guidelines were adopted on 7 July 2021.

ICO release toolkit for organisations using AI to process personal data

The Information Commissioner's Office (ICO) has published a blog detailing a new toolkit available for organisations using AI to process personal data.  The blog post introduces a new beta version of the ICO's AI and Data Protection Risk Toolkit, which is designed to help organisations understand the associated risks of data processing and ensure that they processing data in line with the with data protection law.

The new toolkit utilises previous ICO work including their Guidance on AI and Data Protection and guidance on Explaining Decisions Made With AI, as well as the feedback received from the launch of the alpha version in March 2021.

The next stage of the toolkit's development will involve testing it on live examples of AI systems that process personal data in order to assess its practicality and useful for organisations. The ICO plan to release the finalised version of the toolkit in December 2021.

EDPB adopts first urgent binding decision on Facebook investigation

The European Data Protection Board (EDPB) has published its first urgent binding decision under Article 66(2) of the EU's General Data Protection Regulation (EU GDPR). The decision follows a request from the Hamburg supervisory authority (DE-HH SA), after the SA had adopted provisional measures towards Facebook Ireland Ltd (Facebook IE) on the basis of Article 66 (1) of the EU GDPR. The DE-HH SA ordered a ban on processing WhatsApp user data by Facebook IE for their own purposes following a change in the Terms of Service and Privacy Policy applicable to European users of WhatsApp Ireland Ltd.

The EDPB has decided that there is a "high likelihood" that Facebook IE is already engaged in the processing of WhatsApp IE user data as a (joint) controller, however that there are several contradictions, ambiguities and uncertainties in WhatsApp’s user-facing information. Consequently, the EDPB are currently not in a position to determine which processing operations are actually being carried out and in which capacity.

In ordering the urgent binding decision, the EDPB seek to verify if, in practice, "Facebook Companies are carrying out processing operations which imply the combination or comparison of WhatsApp IE’s user data with other data sets processed by other Facebook Companies in the context of other apps or services offered by the Facebook Companies, facilitated inter alia by the use of unique identifiers".

The EDPB requires the Ireland SA to carry out a statutory investigation to determine whether such processing activities are taking place or not, and if it is the case, whether they have a proper legal basis under Article 5(1)(a) and Article 6(1) GDPR. This investigation is to take place as a matter of priority.

EDPB announced German investigation of international data transfers

The European Data Protection Board (EDPB) has announced that the German data protection supervisory authorities are to undertake a nationwide assessment of companies' policies relating to the transfers of personal data outside the European Economic Area (EEA). The investigation aim's to ensure compliance with the European Court of Justice's decision in Schrems II, which ruled that data transfers to the U.S. can no longer be made on the basis of the Privacy Shield adequacy decision.

The German data protection authorities participating in the inspection have contacted companies individually with a series of questions designed to assess, among other things:

• the use of third-party providers for web tracking or managing applicant data; and
• intra-Group exchanges of customer and employee data within companies.

DVLA and Home Office introduce technology to allow police to confirm a driver’s identity at the roadside

The Driver and Vehicle Licensing Agency (DVLA) and the Home Office have announced the development of new technology which will allow police to gain instant roadside access to a driver’s photo held on DVLA’s driver database. The process, which is solely for motoring offences, is designed to speed up the process of confirming the correct identity of a driver, which could previously take up to 16 minutes.

The checks are enabled under provisions of The Criminal Justice and Court Services Act 2000 and The Motor Vehicles (Access to Driver Licensing Records) Regulations 2001, which allow police officers to gain access to driving licence records for the purpose of enforcing road traffic offences. The technology was first piloted in August 2019 and is currently being used by 18 police forces across the UK. The DLVA and Home Office plan to roll out the scheme to a further 10 police forces across the UK in the coming weeks and are currently working on rolling the scheme out further to a total of 46 police forces across the UK.