BCR Changes for Brexit

BCR Changes for Brexit: EDPB releases statement guiding enterprises.

The European Data Protection Board (EDPB) released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA).


The EDPB released a statement of guidance on Binding Corporate Rules (BCRs), for groups of undertakings, or enterprises which have the UK ICO as their lead supervisory authority (BCR Lead SA). As shifts are made towards the official implementation of Brexit, many structural and procedural changes are being made for businesses. One such change, adopted on July 22, 2020, based on the analysis currently undertaken by the EDBP on the consequences of the CJEU judgment,  Data Protection Commissioner v Facebook Ireland, and Schrems, regarding BCRs as transfer tools. The EDPB recently released a statement outlining BCR changes for Brexit implementation, complete with a table guide regarding the criteria for a BCR Lead SA change, how and why, and referencing the legislation for each criteria. 


Procedural Changes for Authorized BCR Holders


Enterprise holders with the ICO as their competent Supervisory Authority (BCR Lead SA) will need to arrange for a new BCR Lead in the EEA, according to Article 29 Working Party, Working Document Setting Forth a Co-Operation Procedure for the approval of BCRs for controllers and processors under the GDPR, WP263 rev.01, endorsed by the EDPB. This change in BCR Lead will need to take place before the end of the Brexit transition period. For BCRs already approved under the GDPR, the new BCR Lead SA in the EEA will have to issue a new approval decision following an opinion from the EDPB. However, no approval by the new BCR Lead SA is necessary for BCRs for which the ICO acted as their BCR Lead SA under Directive 95/46/EC. 


Content Changes for Authorized BCR Holders.


Before the end of the Brexit transition period, BCR holders with the UK’s ICO as their BCR Lead SA will need to amend their BCRs, referencing the EEA legal order. Without these changes (or a new approval, where applicable), by the end of the transition period, these enterprises or groups of undertakings will no longer be able to use their BCRs for transfers of data outside the EEA beyond the transition period.


Procedural Changes for BCR Applications Before the ICO.


Any groups of undertakings of enterprises with BCRs at the review stage with the ICO are encouraged to identify a new BCR Lead SA according to the guidance of the WP263 rev.01 before the end of the Brexit transition period. They will need to contact the new SA and provide the necessary information to apply to have the SA considered as the new BCR Lead SA. The new BCR Lead SA will then take over the application process and begin the aproval procedure, subject to an opinion of the EDPB. 


Groups of undertakings or enterprises may choose to transfer their application to a new BCR Lead SA after approval by the ICO, in which case, the new BCR Lead SA will need to approve this new application before the end of the transition period, as the new competent SA, according to Article 47.1 GDPR.


Content Changes for BCR Applications Before the ICO.


Groups of undertakings or enterprises with BCRs in the process of approval by the ICO must make sure that their BCRs refer to the EEA legal order with information on expected changes, before the end of the Brexit transition period. 


General Changes for BCR Applications 


Any Supervisory Authority in the EEA, approached to act as the new BCR Lead SA, will consider whether it is indeed the appropriate SA on a case by case basis, based on the criteria of the WP263 and in collaboration with any other concerned Supervisory Authorities. The EDPB has provided a checklist of elements for Controller and Processor BCRs which need to be changed due to Brexit, as part of this statement released last month. 


Does your company have the UK ICO as their lead supervisory authority? If so, you may be required to make significant changes before the end of the Brexit transition period. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

European Commission on Transition

European Commission Released Communication on transition between EU and UK.

The European Commission released a statement detailing the implications of the transition between the EU and UK. 


As the UK comes to the end of its transitory period from the EU to the end of this year, the European Commission has released communication assessing the country’s readiness for separation from the region. The withdrawal agreement which was entered into on February 1st, 2020 secured the UK’s departure, and stated that the laws of the Union would continue to apply until the end of the transition period ending on December 31st, 2020. The UK continues to participate in Union programmes, the EU’s single market and Customs Union and to abide by Union policies and any international agreements which include the EU. All of this is due to change come January 1st, 2021 when the transition period has ended and the Withdrawal Agreement comes into effect. The transition period therefore serves as a period of continuity to ensure readiness for the implementation of all necessary measures and arrangements and to facilitate negotiation of a new partnership between the EU and the UK by January 1st, 2021. 


Negotiations pick up momentum this summer as the EU and the UK seek to reach an agreement on a future partnership before the January 1st 20201 implementation date.


While negotiations have been slow in moving during the earlier part of this year, as of June they have picked up, as the UK’s government has made a decision not to extend the transition period. The aim is to reach an agreement on an ambitious partnership covering all areas agreed with the United Kingdom in the Political Declaration by the end of 2020. The resulting agreement would create a relationship very different from the current UK participation in the EU single market and Customs Union, and in the VAT and excise duty area. It is expected that there will be resulting barriers to trade in goods and services and to cross-border mobility and exchanges. All this, compounded by the pressure that businesses are already under due to the COVID-19 pandemic, are expected to cause some disruptions as of January 1st 2021. 


Businesses are advised to revisit their existing preparedness plans which were drawn up in the event that the UK’s withdrawal from the Union happened without a withdrawal agreement. While negotiations are still underway, those preparedness plans may still be relevant for the changes at the end of the transition period.

The European Commission released information on the effects of those changes specific to various industries, and implores companies to implement actions to ensure readiness.


The European Commission communicated an outline of changes to be expected whether there is an agreement on a future partnership between the EU and the UK or not. As of 1 January 2021, the transition period allowing for the temporary participation of the United Kingdom in the EU Single Market and Customs Union will end, thereby putting a stop to the free movement of persons, goods and services. As a result there will be several automatic changes 


The European Commission, since March 2020, has been publishing notices of readiness specific to various industries. To date, there are 59 notices spanning a wide range of industries, and this list will be updated on a regular basis as new notices become available. The Commission calls on all national and European consumer, business and trade associations to ensure that their members are fully aware of the expected changes. The changes being implemented as of January 1st 2020 will be automatic, far reaching and unavoidable. Both logistical and legal changes are to be expected, the effects of which should not be underestimated. Ultimately, businesses still need to undergo their own risk assessments and implement actions to ensure their own readiness. 


What does this mean for data protection?


As we published in our blog in January, the ICO released an statement on the implications of Brexit on data protection, where they provided some guidance on this matter. That is:


During the transition period

  • The GDPR continues to apply in the UK.
  • There is no need for a European representative.
  • ICO GDPR guidance is still relevant.
  • Transfers of data from the UK to the EU and from the EU to the UK are not restricted.

After the transition period

  • The GDPR will be brought into UK law as the ‘UK GDPR’ but the UK will have the independence to keep the framework under review.
  • A European representative may be necessary from the end of the transition period.
  • The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR.
  • The DPA 2018 will continue to apply.
  • The ICO will remain the independent supervisory body regarding the UK’s data protection legislation.
  • Data transfers between the UK and the EU may be restricted and adequate safeguards may be necessary.


Does your company process  personal information in the UK or transfer personal information between the EU and the UK? If so, Brexit may affect the way you process personal data. Aphaia’s data protection impact assessments, GDPR and Data Protection Act 2018 consultancy services and Data Protection Officer outsourcing will assist you with ensuring compliance.

AI Ethics and Real Estate

AI Ethics and Real Estate: Further considerations for best practices.

The importance of upholding AI ethics in the world of real estate is essential to maintaining integrity in the industry as AI systems are incorporated in its processes.


Earlier this month we explored the importance of AI ethics in the real estate industry in ensuring its ability to function within regulation, while being of benefit to buyers, sellers, the industry and society in general. Artificial intelligence has the ability to revolutionize the real estate industry, however, as with anything else, measures have to be put in place to ensure that this functions ethically, in order to be of true benefit. In this article, we seek to explore the ethical principles that should be applied in the real estate industry to ensure that AI is truly of benefit to the society at large, not just a small number of individuals.


With real estate being the second least digitised industry in the world, difficulties are clearly present in how best to incorporate artificial intelligence in this industry. There are many factors to be considered in approaching the use of AI in the world of real estate and construction. With the many categorisations of data that describe any property, there is a need to ensure that coding for any AI system to be applied to real estate is extremely thorough. There is also a need for extreme transparency in the process to ensure that these AI systems function within regulation, and avoid discrimination as far as possible.


Technical robustness and safety is AI system development.


Machine learning is currently the dominant approach to developing AI systems and contributes to all sorts of technologies including those used in the real estate sector. While this approach has been successful it can sometimes fail in unintuitive ways. If we are to use machine learning effectively and ethically, it is important to consider the possibility of erroneous processing, and work to limit its impact on the use of these systems. We must understand the strengths and limitations of this technology to ensure that it is being used to the best of its ability within reason and within policy.


The development of AI systems should consider environmental, social and societal impact.


When it comes to choosing the perfect home or the right home for oneself, there are several factors that come into play. Home specifications, neighborhood demographics, and several other factors are paramount to making a buying decision. The opportunity arises here, to develop AI which can differentiate and seek out properties which are best suited to a buyer based not only on price or location, but perhaps building materials or even proximity to certain essential services.


It is important to ensure AI systems are avoiding discrimination as far as possible.


In using AI systems in the real estate market, it is important to ensure that buyers are not being “algorithmically blackballed” based on factors like nationality, race or generally just not fitting in with the current demographic of a neighbourhood. It is likely that historic biases can be inadvertently built into algorithms and cause them to reflect human prejudices. While it is unlikely that an AI software would be intentionally developed to discriminate against certain demographics, it is possible that these systems discriminate based on the original data inputs, which may show biases based on human prejudices. Real estate companies using AI should test the algorithms often to ensure that any algorithmically biased processes are curtailed.


AI systems used in real estate must be developed, and function within regulation.


The data of both buyers and sellers needs to be protected throughout the process of the sale and beyond. All AI systems’ processes should be governed by the GDPR to ensure that this is the case. It can be argued that the GDPR poses significant challenges to AI development because AI startups rely on data to train machine learning algorithms. However, if AI systems are to function ethically, they must be used within regulation, including during the development phases. Running a Data Protection Impact Assessment (DPIA) and legitimate interest assessment are likely to be a must.


One of the aims of the GDPR is to ensure that people have the power to decide which of the information is used by third parties. This begins with the right to knowledge. In this regard transparency is key, as people have the right to information regarding how much of their data is being used and how. While it may be difficult to ensure full transparency with data subjects, data controllers need to ensure that they are compliant with the GDPR. Finding GDPR-friendly methods of AI development will benefit not just service providers but also data subjects, if done correctly.


We recently released a second vlog exploring the use of AI in the real estate sector as part of our series on AI within various Industries.

Subscribe to our YouTube channel to be updated on further content.

Do you have questions about how AI is transforming the real estate sector and the associated risks? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Biometric identification and authentication

Biometric identification and authentication: 14 common misconceptions debunked

Biometric identification and authentication, are often misconstrued, or mistakenly used interchangeably. A joint paper by the EDPS and the Spanish DPA, offers clarification on 14 common misconceptions on the two. 


Biometric identification and authentication, although sometimes linked, refer to two distinguishable concepts. Biometric Identification is the process of identifying an individual among a group using biometric data such as fingerprints or facial recognition, comparing the data to that of others within the group. Authentication, on the other hand, is the process of comparing the data of an individual with the data of a claimed identity in order to prove the identity claimed by the individual. The increase in popularity of the use of biometric data has uncovered several misconceptions on the technology. The EDPS and Spanish DPA have decided to clarify the fourteen most common misconceptions,of which we have provided a summary. 


 “Biometric information is stored in an algorithm”



An algorithm is not a means of storing information, rather a set of procedures or instructions. The information is stored within data records called  templates, patterns  or signatures, which differentiate persons from each other by numerically recording the physical characteristics. However some procedural knowledge can be passed down to some machines.


“The use of biometric data is as intrusive as any other identification/ authentication system”


Biometric data is actually more intrusive, as a lot more information can be involuntarily extracted from a small sample of data, including personal information which can easily single out the person and collect information on their state of being which may actually be irrelevant to the use of the data. Race, gender, substance use, diseases and even a person’s emotional state can be discerned from biometric data.


“Biometric identification / authentication is accurate”


It has a larger room for error than password/pin based systems as there are simply more variables that are involved. Biometric identification is based on probability, as compared to password or pin based systems which are either 100% correct, or processed as incorrect. Due to the nature of biological matter they are affected by the circumstances around them i.e humidity,refraction ,technical difficulties, age or any of these could skew the accuracy of the results of the input, resulting in false positives and negatives.


“Biometric identification/ authentication is precise enough to always differentiate between two people”


This is not always the case, and is particularly difficult in cases of twin siblings and in open areas where the facial recognition could be less than accurate. Also, obstructions on the face can also greatly reduce accuracy. Accuracy of biometric input is improving on an ongoing basis, as the technology continues to evolve.



 “Biometric identification/ authentication is suitable for all people”


Some physical impairments prevent all types of biometrics from being administered all the time. Whether it is a temporary state of being or a more permanent condition such as being paralysed, it causes there to be some difficulty in collecting or processing biometric data for some people.


 “The biometric identification/ authentication process cannot be circumvented”


This is not true. Some types of biometric identification or authentication are difficult to circumvent. However, over time many inexpensive means have come about  getting around these security measures. There are systems whose entire purpose is to defeat facial recognition software, while retinal and footprint scans can also be fooled with the right equipment and sufficient preparation.


 “Biometric information is not exposed”


The information provided to biometric scanners and databases are simply traits which are recognizable and easily identifiable. This is why they are indeed exposed. Infrared, high fidelity images and other equipment can easily extract biometric information from others without their consent or even their knowledge. Avoiding the unwanted reading or exposure of biometric information is actually a lot harder to prevent for the average citizen.


 “Any biometric processing involves identification/ authentication”



This is not the case. Authentication is not very strenuous, but simply meant to differentiate between eligible users and non-eligible. However, it is not an infallible system and cannot be bypassed without 100 percent accuracy. False readings are also not unheard of, so the authentications aren’t very stringent security protocols that one can depend on as a foolproof main source of security.


“Biometric identification/ authentication systems are safer for users”


It can actually be quite problematic having biometric information stored in a singular place as it cannot be changed like a pin or a password, once breached there are very few means of mitigating the possible damage. Typically most entities that hold biometric information tend to invest a bit more into security measures, due to the sensitivity of the information.


 “Biometric authentication is strong“


On its own biometrics is considered weak due to it being a single layered security protocol but typically it would be a prerequisite that some other form of identification would be required to access the biometric input e.g an employee ID badge to swipe into the room with a retinal scanner- The retinal scanner itself is weak on its own.


 “Biometric identification/ authentication is more user-friendly”


Depending on the implementation and the ease of enrolment and/ or inclusion into these biometric systems, the result could be very streamlined or it could be extremely tedious and with issues that are harder to rectify, particularly when compared to simply resetting a password or obtaining a new ID, and deactivating or making the old one invalid. Biometric data cannot be changed once collected.


 “Biometric information converted to a hash is not recoverable”


As an added layer of security to the processing of biometric data, it is recommended that the biometric pattern from which the “hash” or “biohash” was obtained be removed. However, some studies show that it is possible to reverse the biohash, and obtain the original biometric pattern, particularly if the secret key has been violated.


“Stored biometric information does not allow the original biometric information to be reconstructed from which it has been extracted”


Biometric pattern, or stored biometric information does allow the original biometric information to  be reconstructed (e.g generating a face from facial recognition biometric pattern). In some cases the biometric information reconstructed from the pattern is accurate enough to be recognized as the original information. The accuracy of the reconstruction depends on the amount of biometric information collected. 


 “Biometric information is not interoperable”


Biometric information processing systems are particularly developed to be interoperable. Systems that work by comparing the result of applying a hash function on biometric patterns can also be made interoperable by simply sharing the keys used during the hashing process.


What are the implications of this information for my business?


Understanding the concept and inner workings of processing biometric identification and authentication data is paramount to ensuring that that data is handled ethically if your business processes such data. In this way, a proper understanding lends itself to sufficient and appropriate data protection. It is important to note that the GDPR classes biometric data as special category data in the vast majority of cases, requiring extra protection in processing. Biometric data becomes classed as special category data the moment that it is used “for the purpose of uniquely identifying a natural person”.


Does your company process biometric identification data? Aphaia provides a number of services in relation to compliance with regard to data protection, including regarding biometric data: data protection impact assessments, Data Protection Officer outsourcing, and EU AI ethics assessments. Get in touch today to find out more.