Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of February
While the unfortunate turn of events regarding the global pandemic continued to shake up the world, the data protection was not put to rest in February. And so we have some noteworthy data protection developments to share to keep one’s mind occupied while we all stay at home. In February, we saw differing approaches to the eyebrow raising facial recognition technology adopted, as well as new EDPB guidelines for public consultation. Furthermore, UK provided a feedback on data protection adequacy in the post-Brexit era, and Max Schrems has started a campaign against Amazon.
French Administrative Court rules against facial recognition technology in schools
The French advocacy group for digital rights and freedoms La Quadrature du Nethas has succeeded in court case against the use of facial recognition technology in two high schools in Nice and Marseille, France. The ruling by the Administrative Court of Marseille is the first court decision to date in France regarding the biometric facial recognition technology.
Following the Danish Data protection authority’s imposed fine in a similar situation French data protection authority CNIL warned in October 2019 that the facial recognition gates in schools were not in line with the law. CNIL found that the purpose of the use of such technology to streamline student identification may be achieved by other, less intrusive means. However, the Southern Region did not agree with these findings and considering that opinion of CNIL was not binding went on to implement the facial recognition gates at two high schools. This project was labelled ‘’experimental’’.
The Administrative Court ruled against the initiative on the ground that only the schools themselves, no the regional bodies, can decide on implementing such measures in schools. In addition, the ruling was based on the findings that this project was itself in breach of GDPR. Namely, the students were not in a position to provide free consent for the processing as the school’s administration was in a higher position than the data subjects.
The French advocacy group, encouraged by this first victory, has claimed that it will go further and require the facial recognition technology to be completely banned in security and surveillance sectors.
London police to start using facial recognition technology
While France has taken measures to limit the use of facial recognition technology, in United Kingdom, the police has started to implement. Namely, the London police has begun to scan for people who are wanted for serious crimes, such as murder or grievous bodily harm. This was the first occasion the London Metropolitan police conducted live facial recognition in an operational deployment and was done after several trials.
The initial scanning took place in Stratford, in East London, where police vehicle was equipped with the cameras scanning individuals exiting a shopping mall.
Striving to ensure people’s rights to be aware of the data processing taking place, police had set up signs that warned about the scanning activity. Furthermore, the police officers offered interested individuals information on how the system works.
It must be noted that the Metropolitan police has been previously accused of ignoring negative feedback by many human rights groups, Information Commissioner, the Surveillance Camera Commissioner and the Biometrics Commissioner. Furthermore, it is said that it has defied the numerous and critical assessments of the effectiveness of the facial recognition technology done by the experts that were hired in the trials stage.
The European Data Protection Board releases for public consultation the consistency mechanism guidelines
The European Data Protection Board (EDPB) has released for public opinion the Guidelines on articles 46 (2) (a) and 46 (3) (b) of GDPR for transfers of personal data between EEA and non-EEA public authorities and bodies.
The guidelines provide guidance in regards to transfers of personal data from EEA public authorities or bodies to public bodies in third countries or to international organisations to extent these transfers are not covered by an adequacy decision taken by the European Commission. The data transfers that are covered by these guidelines are those that take place between public bodies for multiple administrative cooperation purposes falling under the scope of the GDPR. The guidelines, therefore, do not cover transfers related to public security, defense or state security.
The document strives to show what the EDPB expects in relation to the safeguards required to be in place by a legally binding and enforceable tool used between public bodies in accordance with Article 46 (2) of GDPR, or by provisions inserted into the administrative arrangements between public bodies in accordance with Article 46 (3) of GDPR and subject to an authorization of the supervisory authority.
The public bodies are urged to choose to use the mechanisms discussed in the paper which are more effective under the GDPR in the given situation, however, are also allowed to use other measures that provide for effective safeguards under the Article 46 of GDPR.
EDPB has advised to read these guidelines as a reference at an early stage planning the implementation of such arrangement, as well as to read them in conjunction with other material provided by EDPB.
The opinions of stakeholders are anticipated by not later than 18 May 2020.
UK publishes its official position on post-Brexit negotiations with the European Union
The 36 page report on ‘’The Future Relationship with the EU: The UK’s Approach to Negotiations’’ published by the UK Government among other matters tackles also with the issue of data adequacy.
The Government has stated that is intends to maintain high standards of data protection and employ an independent policy in regards to data protection after the one year transition period. During this period the free flow of data to and from EU member states shall remain, while the adequacy decision under GDPR and the Law Enforcement Directive is being discussed. This is to be discussed and implemented as separate topics from the rest of the future relationship and will not form a part of the trade agreements envisaged. In the meantime, the Government of UK will perform evaluations of the EEA states, as well as other countries under an independent international transfer regime. Lastly, the UK shall strive to implement appropriate arrangements that allow continuous cooperation between the UK’s Information Commissioner’s Office and EU Member state data protection authorities and a transparent framework to aid the future discussions on data protection matters.
Max Schrems is going after Amazon
Austrian privacy activist Max Schrems who is better known for his for campaigns for violations against Facebook that ended the Europe – US Safe Harbour data transfer arrangement and the non-profit group NOYB (None of Your Business) led by him has filed a complaint against Amazon. The complaint was lodged with the German data protection authority regarding the failure of Amazon to ensure proper data security standards. It was stated by NOYB that Amazon its email servers that are in place to support direct communication between individuals and third party sellers within the Amazon platform do not in all cases have a baseline industry encryption measures.
Considering the vast business size and turnover ($87.4 billion in 2019) of Amazon, it could face a fine of up to 4 billion Euros provided that the alleged accusations turned out to be true.