Tag Archives: eu gdpr

Sweden issues first fine under GDPR for the use of facial recognition technology in a school

Previously on this blog, we discussed the UK Information Commissioner’s Office (ICO) investigation into the planned rollout of facial recognition software for a large site around King’s Cross in London. This investigation has renewed scrutiny of the technology among data protection observers, particularly in its relation to privacy rights.

Facial recognition technology for use in schools and on campuses has taken off in the United States and elsewhere, and there are even tech companies dedicated specifically to this section of the security industry. Amid understandable concerns of security at schools in the US, companies offer fairly comprehensive ‘biometric security platforms’ for schools, colleges and universities. Such services claim to identify unauthorised visitors, alert school personnel and secure campus events.

Despite the industry’s seemingly unstoppable uptake, Sweden’s Data Protection Authority (DPA) has issued its first monetary punitive measure to date for the use of this technology in a school. The DPA found a local authority to be in breach of the EU’s General Data Protection Regulation (GDPR), which the Swedish Rijksdag adopted as the Data Protection Act in April last year.

The local authority, the Skellefteå municipality in the north, was trialling facial recognition on secondary school students for the purpose of tracking attendance. Pupils faces would be scanned and registered remotely as they entered the classroom. Consent from the parents of the twenty-two students who participated in the trial in autumn 2018 had been sought, but this was not deemed sufficient reason to collect the special category (biometric) data: the DPA saw no adequate reason for the municipality to process and control this sensitive and potentially risky data. They took into consideration the students’ privacy expectations, as well as the fact that there are many less intrusive means of automating or economising on attendance tracking. As stated clearly by GDPR, ‘personal data shall be adequate, relevant and not excessive in relation to the purpose of purposes for which they are processed.’

In February, the local authority had told SVT Nyheter, the state broadcaster, that teachers were spending 17,000 hours a year reporting attendance, which is how facial recognition as a time- and cost-effective replacement for human labour, as so often the case with new tech, came to the table.

Countdown to Brexit… 69 days to go

The new Parliamentary session starts on 3rd September. Inevitably the session will be, once again, dominated by Brexit. With so little time between the start of the session and the Brexit deadline of Hallowe’en (31st October) there will be little Parliamentary time given over to any issues other than the terms of the UK’s exit from the EU. Parliamentary time is limited further by the Party Conference season with a further recess between 14th September and 9th October.

The Conservative Party Conference runs from 29th September to 2nd October in Manchester.  Members of Cabinet will be expected to attend and no doubt their speeches from the platform and on the fringe will be scrutinised for new policy initiatives and especially the direction of policy post Brexit. 

Over the summer the political agenda was dominated by possibility of a “No Deal” Brexit with MPs from all parties floating a variety plans for how such an eventuality could be prevented. Prime Minister Johnson has been resolute in his belief that the No Deal option cannot be removed from the table.     

Data Protection Implications

The new Prime Minister wasted no time in assembling his new Cabinet, making his intentions very clear by appointing, with few exceptions, long-standing Brexit supporters. Notable among the exceptions were the appointment of Amber Rudd to the Work & Pensions brief she has held since November 2018 and Nicky Morgan who assumes a Cabinet role as Secretary of State for Digital, Culture, Media and Sport. This is of particular interest because the brief includes Data Protection regulation and writing the “UK GDPR” into UK law.

When the UK exits the EU, as is planned, the EU GDPR will no longer be  applicable in the UK (although the Data Protection Act 2018 which references the GPDR will still apply). The UK government intends to write the GDPR into UK law, with changes to tailor it for the UK.The government has already published the – ‘Keeling Schedule’ for the GDPR, which shows the planned amendments. It can be found here http://bit.ly/2Nsy9sw 

The amendments primarily relate to references to the European Parliament, EU Member States, and the EU Commission.

What Next?

Deal or No Deal on the exit date, the UK will become a ‘third country’ (to use the jargon).  It has been suggested that there will be a period of at least 2 years of negotiations to finalise the full terms of the divorce arrangements.  During this time the UK Government will continue to allow transfers to the EU.  This will be kept under review by the new Secretary of State.  Watch this space!

Gareth Evans 23.08.2019

New GDPR Guidance in the Data Compliant Data Protection Roundup

Leave a reply

The Information Commissioner’s Office (ICO) releases GDPR guidance on “contracts and liabilities between controllers and processors.”

GDPR 7 Months and Counting

Organisations only have until May 2018 to review, redraft and negotiate controller / processor contracts

Ahead of the May 2018 deadline for GDPR enforcement, the ICO has released a 28-page document providing “detailed, practical guidance for UK organisations on contracts between controllers and processors under the GDPR.” The document aims to explain the requirements and responsibilities of data controllers as well as the new liabilities of processors. The document points out that many of the requirements may already be covered by existing contracts, but that the expansion and clarification of contractual clauses to evidence compliance with all aspects of the new regulations will likely be necessary.

Under the new regulations, contracts will be required between data controllers (the organisations responsible for the holding and use of the data) and data processors (those involved in the collection and ‘processing’ of data). This written contract or “other legal act” is to “evidence and govern” the working relationship of both parties. Under the current rules, these contracts are only advised as a measure to demonstrate compliance when necessary.

iStock_000030770786Medium

EU Commission encourages standard contractual clauses and certification schemes (yet to be drafted)

It is noted that “standard contractual clauses” as well as certification schemes for contractual codes of conduct provided by the EU Commission or a supervisory authority such as the ICO will be allowed and encouraged by the GDPR, but that as yet none have been drafted.

Emphasis is given to the GDPR’s expansion of liability to include data processors as well as controllers, the former now liable to pay damages or become subject to penalties if not found compliant. On top of this, processors will need to have contracts with other processors (sub-processors) if they are to utilise their services, with written authorisation from the controller.

What needs to be included in the contract:

Contracts must explain:

Contract

Contracts must explain several key points – if not, you will be fined!

  • The subject matter and duration of the processing
  • The nature and purpose of the processing
  • The type of personal data and categories of data subject
  • The obligations and rights of the controller

Contracts must, as a minimum, require the processor to:

  • Only act on the written instructions of the controller
  • Ensure that people processing the data are subject to a duty of confidence
  • Take appropriate measures to ensure the security of processing
  • Only engage sub-processors with the prior consent of the controller and under a written contract
  • Assist the controller in providing subject access and allowing data subjects to exercise their rights under the GDPR
  • Assist the controller in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments
  • Delete or return all personal data to the controller as requested at the end of the contract
  • Submit to audits and inspections, provide the controller with whatever information it needs to ensure that they are both meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something infringing the GDPR or other data protection law of the EU or a member state.

Common Thread Network (CTN) announces Patricia Poku as new co-chair alongside Information Commissioner Elizabeth Denham

The CTN, the forum for data protection and privacy authorities among Commonwealth countries, has appointed a new co-chair to sit alongside the incumbent UK Information Commissioner. The decision was made at the CTN Annual General Meeting on 25th September. The organisation promotes cross-border co-operation for data security and privacy objectives.

Patricia Poku, also recently appointed as Executive Director and Member of the Board for the Data Protection Commission of Ghana, has worked as Head of Data Protection for the 2012 London Olympic Games and Global Director for Data Protection & Privacy at World Vision International.

cyber attack

Increasing cybercrime is driving transational cooperation

With the rise of cybercrime and data abuse as international phenomena, not only on the level of government operative activities but also syndicate-level action usually involving the use of malware and the new universal digital currency Bitcoin, transnational co-operation is more important than ever, and gaining in participants. In July, South Africa joined the CTN and in August, the Cayman Islands issued its first Data Protection Bill, working for “adequacy with the EU directive,” the GDPR.

Policies and Procedures Cropped

Global traction for best-practice polices

That the GDPR necessitates organisations outside the EU fulfilling data protection adequacy standards with EU member states if they wish to do business or in any way process data in Europe indicates that the best-practice policies encouraged by the GDPR may find global traction – and organisations such as the CTN have an important role to play in these processes. GDPR-level policies and practices will be especially desirable given the emphasis the ICO has been putting on the benefits to consumer trust that robust data protection provides. It should be viewed that in a global digital economy, data protection best-practice makes commercial sense.

Written by Harry Smithson

Queen’s Speech Confirms New Bill to Replace Data Protection Act 1998

1 Reply

As part of several of measures aimed at “making our country safer and more united,” a new Data Protection Bill has been announced in the Queen’s Speech.

The Bill, which follows up proposals in the Conservative manifesto ahead of the election in June, is designed to make the UK’s data protection framework “suitable for our new digital age, allowing citizens to better control their data.”

The intentions behind the Bill are to:

  • Give people more rights over the use and storage of their personal information. Social media platforms will be required to delete data gathered about people prior to them turning 18. The ‘right to be forgotten’ is enshrined in the Bill’s requirement of organisations to delete an individual’s data on request or when there are “no longer legitimate grounds for retaining it.”
  • Implement the EU’s General Data Protection Regulation, and the new Directive which applies to law enforcement data processing. This meets the UK’s obligations to international law enforcement during its time as an EU member state and provides the UK with a system to share data internationally after Brexit is finalised.
  • To update the powers and sanctions available to the Information Commissioner.
  • Strengthen the UK’s competitive position in technological innovation and digital markets by providing a safe framework for data sharing and a robust personal data protection regime.
  • Ensure that police and judicial authorities can continue to exchange information “with international partners in the fight against terrorism and other serious crimes.”

Ultimately, the Bill seeks to modernise the UK’s data protection regime and to secure British citizens’ ability to control the processing and application of their personal information. The Queen’s Speech expressed the Government’s concern not only over law enforcement, but also the digital economy: over 70% of all trade in services are enabled by data flows, making data protection critical to international trade, and in 2015, the digital sector contributed £118 billion to the economy and employed over 1.4 million people across the UK.

Written by Harry Smithson, 22nd June 2017