Privacy Transformation - Issue 57
PRIVACY
US Cloud Act may threaten UK data adequacy decision, warns EDPB
A powerful committee of data protection regulators has warned that the US Cloud Act could threaten Britain’s right to an EU data adequacy decision after Brexit.
The EDPB letter can be found here.
ICO releases findings on the use of mobile phone extraction by police forces
The UK Information Commissioner’s Office (ICO) has released an investigation report into the use of mobile phone extraction (MPE) by police forces when conducting criminal investigations in England and Wales.
The report is available here.
PwC under fire for tech that tracks traders’ loo breaks
The tool, which has been designed to monitor finance staff during the coronavirus lockdown, has sparked concerns over privacy.
Microsoft won’t sell police its facial-recognition technology
Microsoft will ban police use of its controversial facial-recognition systems, as the company awaits regulatory rules for how law enforcement agencies deploy the technology. Amazon and IBM also recently announced changes to their approaches to facial recognition technology.
In related news, the Dutch DPA has reminded supermarkets about facial recognition rules.
EDPB: 32nd Plenary Session
During its 32nd plenary session, the EDPB adopted a statement on the interoperability of contact tracing apps, as well as a statement on the opening of borders and data protection rights. The Board also adopted two letters to MEP Körner - on encryption and on Article 25 GDPR - and a letter to CEAOB on PCAOB arrangements.
EDPB: 31st Plenary Session: Adopted Documents
During its 31st Plenary Session, the EDPB adopted the following documents:
- EDPB response to MEP Körner regarding TikTok
- EDPB response to MEPs regarding Clearview AI
- EDPB response to ENISA regarding EDPB representative to the ENISA Advisory Group
- EDPB response to open letter from NOYB
The above documents can be accessed here.
SECURITY & TECH
How to approach an IoT project
For in-house privacy professionals, a new IoT project may present a range of legal and compliance issues, as existing laws might not be squarely suited to address privacy and security risks in the IoT environment. This article provides an overview of the current regulatory landscape and some practical tips on approaching IoT projects.
COVID-19 CONTACT TRACING APPS
EU sets framework for contact tracing apps that work across borders
The EU Commission has agreed on a set of technical specifications that will allow information to be exchanged between national contact tracing apps.
UK virus-tracing app switches to Apple-Google model
Government now intends to launch an app in the autumn but it may still lack contact-tracing tech.
Germany appeals to nation to download coronavirus app
The German government has appealed to its citizens to download a newly available coronavirus warning app as it launched what it insisted was its most sophisticated tool yet for tackling the pandemic.
NHS contact-tracing app cannot be used in crowded tower blocks, ministers warned
The troubled contact-tracing phone app to curb coronavirus will not be ready for use in crowded tower blocks until at least the autumn, a local authority leader has warned.
ENFORCEMENT
SPANISH DPA
Twitter fined for invalid cookie practices
The AEPD has fined Twitter 30,000 EUR for violating regulations on the use of cookies. They held that Twitter’s cookie banner stated that, by using Twitter's services, the user would accept the cookie policy, and did not provide any further option within the banner to reject the use of cookies or direct the user to further options including the ability to manage preferences.
Notice is in Spanish
Insufficient fulfilment of data subjects' rights
An individual requested deletion of his data from the file of the National Association of Financial Credit Institutions ("ASNEF"). Equifax Iberica replied that the complainant's request was excessive because he had submitted a previous request, and so the deletion would not be carried out. This was seen as a breach of the data subject's right to erasure under the GDPR as well as a breach of blocking obligations under national data protection laws. A fine of 75,000 EUR has been imposed.
Notice is in Spanish
Lack of appointment of data protection officer
An organisation had not appointed a Data Protection Officer to whom requests from data subjects could be addressed, and the company's website did not contain information about an appointed DPO. A fine of 25,000 EUR has been imposed.
Notice is in Spanish
Belgian DPA - Fine imposed on local election candidate
The Belgian Data Protection Authority imposed a fine of 5,000 EUR on a local election candidate for using the staff registry of a municipality to send election propaganda (in the form of a letter) to staff members. The Belgian municipality in question filed the complaint against the candidate.
More on the latest GDPR enforcement notices can be found on:
GUIDANCE
EDPS Opinion 3/2020 - European strategy for data
This Opinion presents the EDPS view on the Data Strategy as a whole, as well as on certain specific aspects, such as the notion of “public good”, Open Data, use of data for scientific research, data intermediaries, data altruism, international data sharing and others.
RESOURCES
Report: How concerned are Europeans about their personal data online?
As governments discuss using technology to stop the spread of COVID-19, many Europeans are unwilling to share data about themselves with public and private bodies. These findings emerged from an EU Agency for Fundamental Rights (FRA) survey, carried out before the pandemic.
Infographic: Major topics related to COVID-19 and privacy
This IAPP infographic breaks down the major topics related to COVID-19 and privacy.
THANKS
Thanks to David O'Sullivan for his contribution to this week's edition with the EU Fundamental Rights Agency survey. All suggestions for inclusion are gratefully received. If you come across a privacy story or resource that readers would find value in, please do drop me a message.