Data Protection: An Overview of the General Data Protection Regulation Occurrences during the month of May
This May came with news favourable to privacy for individuals, when Amazon took a decision to extend indefinitely the ban on police use of its controversial and potentially racially biased facial recognition technology. Meanwhile, Facebook failed to block Irish data protection authority’s preliminary order that would stop uncompliant data transfers to US, and ECHR passed a far reaching ruling on the failures of intelligence agency’s bulk surveillance.
Amazon extends ban on the use of its facial recognition technology
First launched in 2016 Amazon’s facial recognition technology named Rekognition was banned in 2020 by its owner during the time of protests against police brutality that were sparked by the murder of George Floyd. The International Business Machines Corporation, known as IBM, duly withdrew itself from the facial recognition business altogether in support of Black Lives Matter, following the pressure the tech companies felt and in June 2020 Amazon placed a one year ban on the use of its technology by law enforcement entities.
The reason for the said pressure was claims by lawmakers, employees and civil liberties advocates that the technology has led African-Americans to unfair treatment and wrongful arrests. This was backed by research done in the course of a project named “Gender Shades” that showed that Amazon’s technology had issues with determining correctly the sex of persons of darker skin tones. Amazon stood its ground and defended its technology by claiming that this was not the case.
According to Amazon representatives, Rekognition was suspended from further use to provide US legislators the time and opportunity to pass laws to regulate the use of facial recognition technology and ensure it is employed ethically. Amazon hoped that the one year moratorium might be enough time for Congress to provide for sufficient rules.
Notwithstanding the ban on the use by police forces, Amazon, however, continued to provide the service to organisations that fight human trafficking. Furthermore, Congress failed to ban the technology altogether or issue any significant regulations that would ensure ethical use of the technology.
Now less than a year later in May 2021, Amazon announced that it would ban for an indefinite period the use of Rekognition by police forces. Even though the ban is not permanent and is in force until further notice, this decision has been well celebrated by privacy and racial activists.
Facebook loses a procedural battle against Irish Data Protection Commissioner
In 2020, Facebook appealed before Ireland’s High Court a preliminary order by the Irish Data Protection Commissioner that envisaged the suspension of Facebook’s personal data transfer from EU to US. The order followed the inquiry that was made in response to the ‘’Schrems II’’ ruling that took down the EU-US Privacy Shield arrangement.
Considering the potential consequences of the order to Facebook (as well as other companies that are subject to US surveillance laws), and allegedly a potential hit to the European economy, Facebook requested a judicial review of the Commissioner’s procedures.
Facebook’s data centres that retain European data are located around the globe, including the US. Stopping the Transatlantic transfers would force Facebook to make sure that the EU users’ data is stored in Europe, which would imply extra costs and significant operational challenges.
Facebook argued that the regulator had not offered enough time to respond and that it passed the decision prematurely. In the opinion of the social media giant, the data protection authority had issued conclusions before it had received guidance from a body that represents all EU authorities, and urged the authorities to adopt a pragmatic and proportionate approach until a sustainable solution is reached.
The preliminary decision was stayed on the 14th of September 2020 by the High Court. However, Facebook failed to block the preliminary order as the High Court did not appreciate the arguments regarding the procedural shortcomings posed by Facebook, thus giving way for the Irish data protection authority to suspend the future Transatlantic data transfers not only in respect to Facebook but also by precedent to other actors such as email providers and cloud service providers.
The Commissioner’s decision is however still not final, as it is required to be assessed and reviewed by other EU data protection authorities. The finale may take months to be reached, for if the data protection authorities of EU cannot reach consensus on the lead supervisory authority’s decision, this matter shall be reconciled and reviewed also by European Data Protection Board. If no agreement can be reached even then, the Board might need to cast the deciding vote.
UK espionage services found to be in breach of privacy by the European Court of Human Rights
The British intelligence agency’s Government Communications Headquarters (GCHQ) interception regime was found by ECHR to be in breach of Article 8 of European Convention on Human Rights providing for rights to privacy.
The proceedings that lasted for eight years were sparked following the Edward Snowden’s revelation made in 2013 uncovering the GCHQ practice of intercepting and processing information of millions of persons’ private communications and internet data, regardless of the person’s relevance in any investigation.
The court’s Grand Chamber by a majority of five to two votes, decided that the interception regime had insufficient safeguards, as well as the rules that govern the selection of communication data are not adequate.
While failures were found as mentioned, ECHR did, however, not find that the intelligence agency had violated the Convention’s Article 8 and 10 (providing for freedom of speech) by sharing the information with foreign governments, and it was also not found that there had been any abuse of power.
The court held that bulk interception regimes are not necessarily illegal provided that they are found by the states too crucial for the national security. The judges had also commented that it should not be presumed that bulk interception carries a greater intrusion into the private life of a person than a targeted interception, as that may by its nature mean obtaining a large volume of the person’s communication data.
However, it opinioned that certain safeguards are to be put in place. These safeguards should take the form of legislation that describes the nature of offences which may prompt interception, puts forward limitations on the duration of such interceptions and examination procedures that need to be adhered to, as well as safeguards that must be taken when providing the information to other parties and names the circumstances under which the relevant data must be erased.
The ruling is celebrated as a victory by the 14 non-governmental organisations, among which are Privacy International, Amnesty International, Liberty and Big Brother Watch which sparked the legal battle over privacy. This was also a win for journalists, as the decisions provides for a higher levels of protection of journalist sources and material as the ruling requires that an independent approval must be obtained before the interception of journalist communications.