Included in this edition of Data & Privacy News: Updated Surveillance Camera Code laid before Parliament, Twitter announces an expansion to its private information policy and more

Clearview faces potential £17m privacy fine by ICO

The Information Commissioner’s Office (ICO) has announced its provisional intent to impose a fine of approximately £17 million on Clearview AI Inc. The ICO has also issued a provisional notice to prevent Clearview from processing the personal data of people in the UK and to force the company to delete its existing UK data.

The ICO decision follows a joint investigation by the ICO and the Office of the Australian Information Commissioner (OAIC), which we covered in our 17 November edition of Data & Privacy News. During the course of the investigation, the ICO concluded that Clearview failed to comply with UK data protection laws by:

  • failing to process the information of people in the UK in a way they are likely to expect or that is fair;
  • failing to have a process in place to stop the data being retained indefinitely;
  • failing to have a lawful reason for collecting the information;
  • failing to meet the higher data protection standards required for biometric data (classed as ‘special category data’ under the GDPR and UK GDPR);
  • failing to inform people in the UK about what is happening to their data; and
  • asking for additional personal information, including photos, which may have acted as a disincentive to individuals who wish to object to their data being processed.

Clearview has now been given the opportunity to respond, and the ICO expects to make a final decision by mid-2022.

Updated Surveillance Camera Code laid before Parliament

An updated version of the Surveillance Camera Code has been laid before Parliament pursuant to Section 31(3) of the Protection of Freedoms Act 2012. The Code is designed to provide guidance on the appropriate use of surveillance camera systems by local authorities and the police in order to allow the use of technologies including biometrics and surveillance cameras to protect the public while maintaining their trust.

The revised Code includes updates to legislation references, in particular the Data Protection Act 2018, as well as reference to the Court of Appeal judgment on live facial recognition in Bridges v South Wales Police. The Code has also been shortened to make it easier to follow. It is not expected to place any additional burden on users.

The updated Code was laid before Parliament on 16 November 2021 and, subject to parliamentary approval, will come into force on 12 January 2022. An updated explanatory memorandum has also been published alongside a summary of responses to the consultation on the amended Surveillance Camera Code of Practice.

EDPB adopts Guidelines on the interplay between Art. 3 and Chapter V GDPR

The European Data Protection Board has adopted Guidelines clarifying the interplay between the territorial scope of GDPR Art. 3 and the provisions on international transfers in GDPR Chapter V. The Guidelines are now subject to public consultation until the end of January 2022.

The Guidelines seek to help EU controllers and processors identify whether a processing operation constitutes an international transfer and to provide a common understanding of the concept of international transfers. The Guidelines detail three cumulative criteria that qualify a processing operation as a transfer:

  • the data exporter is subject to the GDPR for the given processing;
  • the data exporter transmits or makes available the personal data to the data importer; and
  • the data importer is in a third country or is an international organisation. 

Twitter announces an expansion to its private information policy

Twitter has announced an expansion to its private information policy to include "private media", allowing the company to take action on media that is shared without any explicit abusive content, provided it’s posted without the consent of the person depicted. This policy was enforced globally from 30 November 2021.

Under Twitter's updated private information policy, users are forbidden from sharing the following types of private information without the permission of the person to whom it belongs:

  • home address or physical location information;
  • details of identity documents;
  • contact information, including non-public personal phone numbers or email addresses; 
  • financial account information;
  • media of private individuals without the permission of the person(s) depicted; and
  • other private information, including biometric data or medical records.

Government publishes response to consultation on amending the NIS regulations

The Department for Digital, Culture, Media & Sport has published a response to a call for views on amending the Security of Network and Information Systems (NIS) Regulations. The NIS Regulations seek to boost the level of cyber security and physical resilience in both digital services (online marketplaces, online search engines and cloud computing services) and essential services (transport, energy, water, health, and digital infrastructure services).

The call for views was launched in July 2021, with the government seeking feedback on its proposal to move incident reporting thresholds from legislation to Information Commissioner's Office (ICO) guidance. The government received 91 responses to the consultation, the majority of which were either positive or neutral towards the proposals. As a result, the government maintains its belief that the proposed changes will maintain and enhance the effectiveness of NIS legislation in protecting the security of network and information systems for digital service providers.

ICO responds to letter on breaches of the Children’s Code

The Information Commissioner’s Office (ICO) has published a letter from the UK Information Commissioner Elizabeth Denham to Baroness Kidron on the Age Appropriate Design Code (Children’s Code). The letter addresses research by the charity 5Rights Foundation into "systemic breaches" of the Children’s Code. The response seeks to provide context to the work currently underway at the ICO in relation to Children’s Code conformance, but also promises that the ICO will write to the nine companies mentioned in the 5Rights Foundation's research to determine their standards of conformance individually since the end of the Code’s transition period.

European Parliament Committee adopts position on DMA proposal

The European Parliament's Internal Market and Consumer Protection Committee has adopted its position on the Digital Markets Act (DMA) proposal. The DMA proposals detail the rules on what companies with “gatekeeper” status will be allowed to do in the EU and will see centralised enforcement by the EU Commission, in cooperation with national authorities, enabling fines of between 4% and 20% of a company's total turnover.

The regulation will apply to major companies providing “core platform services” including social networks, search engines, cloud computing, online intermediation services, operating systems and online advertising services. The regulations also extended to video-sharing services meeting the relevant criteria to be designated as “gatekeepers”. For the purposes of the regulation “gatekeepers” are primarily (but not exclusively) classified as providing a core platform service in at least three EU countries and having at least 45 million monthly end users.

The DMA proposal is set to be voted on in plenary in December 2021.

Key Contacts

Ross McKenzie

Partner, Commercial Services
Aberdeen, UK

Helena Brown

Partner, Commercial
Edinburgh, UK

Dr. Nathalie Moreno

Partner, Commercial Services and Data Protection
