DPAS Data Protection Bulletin – October 2022

Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks.

Categorised into:

  • Key Insights
  • Government and Regulatory Activity
  • Enforcement Actions

KEY INSIGHTS

There are approximately six million surveillance cameras in operation around the UK according to the British Security Industry Association (BSIA). This figure does not include the domestic ‘Ring’-style doorbell cameras in use in the UK, which also count as surveillance systems under data protection law whenever they are not being used for a ‘purely personal or household’ purpose.

Everyone who operates such a system must comply with data protection law, but the exact rules can be complex. That is why we have published a blog with an overview of the most important things to bear in mind if you or your organisation currently operate, or plan to operate, a CCTV system.

Curious to know more? 
Read our blog, Why Does CCTV Require Compliance?

GOVERNMENT AND REGULATORY ACTIVITY

EU US Framework

On the 7th of October, the US government issued the presidential executive order implementing the EU-U.S. Data Privacy Framework (“DPF”), which is intended to provide a new, GDPR-compliant mechanism through which organisations in the EEA can transfer personal data to the US. It replaces the Privacy Shield framework and, before that, the Safe Harbor arrangement, both of which were invalidated by the Court of Justice of the European Union for failing to provide an adequate level of protection for the rights of data subjects.

The new DPF has three components: commercial data protection principles to which U.S. organisations may self-certify, the presidential executive order, and Department of Justice regulations intended to give data subjects a means of redress for abuses of their privacy rights. Several concerns have already been raised, and it is almost certain that this framework will be tested in court, just as its predecessors were.

ICO issues guidance on Privacy-Enhancing Technologies

Last month, the Information Commissioner’s Office (“ICO”) released the fifth chapter of its draft anonymisation, pseudonymisation and privacy-enhancing technologies guidance (the “Draft Guidance”). The Draft Guidance explains that PETs could allow organisations to share data, including sensitive data, and collaborate on its analysis while still protecting privacy. That would be a significant opportunity for big-data innovation without compromising an organisation’s legal responsibilities.

The ICO’s consultation on the Draft Guidance is open until 31 December 2022.

ICO Commences Public Consultation on Guidance Relating to Employee Monitoring

The ICO has published draft guidance on monitoring at work and opened a public consultation on it. Before drafting the guidance, the ICO ran a call for views between August and October 2021. The draft aims to provide practical guidance on monitoring workers in accordance with data protection legislation and to promote good practice, and the ICO is currently seeking input from stakeholders including employers and employees, trade unions, recruitment agencies and professional bodies. The consultation is set to close on the 11th of January 2023.

ENFORCEMENT ACTIONS

Clearview AI gets third €20 million fine for illegal data collection

France’s data protection authority (CNIL) has fined the US facial recognition company Clearview AI €20 million for the unlawful collection and processing of biometric data of individuals in France. This is the maximum financial penalty available against the company under Article 83 GDPR. The company had earlier received fines of the same amount, for the same violations, from the Italian and Greek data protection authorities in March and July respectively. In addition to the fine, the company has been ordered to delete all the images it unlawfully collected.

ICO fines Interserve Group

The ICO announced on the 24th of October that it had fined Interserve Group Ltd £4.4 million for failing to take crucial measures to keep people’s data safe following a cyber-attack. The incident affected 113,000 current and former employees. According to the ICO, its investigation found that Interserve failed to follow up on the original alert of suspicious activity, used outdated software systems and protocols, and lacked adequate staff training and risk assessments, all of which left it vulnerable to the attack.

ICO fines Easylife

The ICO has fined Easylife Ltd £1,350,000 for using the personal information of 145,400 customers to predict their medical conditions and target them with health-related products without their consent. The company was also fined £130,000 for making 1,345,732 predatory direct marketing calls.

The ICO found that significant profiling of customers and ‘invisible’ processing of health data had taken place. The processing was ‘invisible’ because people were unaware that the company was collecting and using their personal data for that purpose, which is contrary to data protection law.

ICO Issues Formal Reprimand to Home Office following Lost-and-found Documents

The ICO issued a reprimand to the Home Office after documents were recovered at a London venue that included two reports by the Home Office’s Extremism Analysis Unit and a Counter Terrorism Policing report, and which contained personal data, including that of Metropolitan Police staff. According to the ICO, its investigation found that the Home Office had failed to ensure an appropriate level of security for personal data, including in documents classified as ‘Official Sensitive’.

The investigation also found that the Home Office had no specific sign-out process for removing documents from its premises, and that the incident was not reported to the ICO within the 72-hour time limit.
