Lincolnshire Police Trial CCTV

Lincolnshire Police Trial CCTV: this technology can even detect moods!

Lincolnshire police trial CCTV technology which can detect moods, eyewear and headgear, but not  before a human rights and privacy assessment is carried out.


Lincolnshire police will soon debut their trial of CCTV cameras in Gainsborough. This is a new, more complicated and potentially controversial type of Surveillance technology. Although the funding for this project has been approved and received, due to privacy concerns surrounding the use of this technology, the implementation of the new equipment is at a standstill. Key legal considerations need to be made before this could be released and used in the general public, as this technology has the ability to search for persons using parameters surrounding their mood, or their apparel such as hats or sunglasses. Due to the fact that the police have full control of the search parameters; the technology is inherently problematic, as was in case of court rulings as recently as 2018. 


A Welsh national had brought a legal case against the authorities for their use of a very similar facial recognition technology, and this has raised the specter of many ideological and privacy concerns when it comes to the Police having unquestionable access to intrusive means of surveillance, and monitoring persons who may not be suspected or involved in any crimes. Although Mr. Bridges did not have instant success with his claim, as his first petition to the High Court was denied, in his subsequent Court of Appeal claim; three out of five of the unconstitutional breaches of privacy Mr. Bridges presented were ratified as legally valid in the court. 


The police have acknowledged, and made attempts at addressing the public’s privacy concerns regarding the use of this technology.


Privacy concerns are a very important consideration prior to the establishment of this new technology for everyday use. The police have tried to give some assurance to the public that their rights are of paramount importance  in the means and the protocols surrounding this technology and how it is used. The local police have also released some preliminary information which may ease public anxiety around the implementation of this technology; the scans are not being done in live time and also, all footage is deleted after 31 days. 


Legislation continues to be introduced regarding privacy and surveillance.


There are also larger debates surrounding the appropriate search terms allowed and under what circumstances they can be implemented in a situation where this new surveillance technology is to be in use. Legislation around government surveillance also has seen changes in recent years since the Ed Bridges case, and it continues to be reformed, in an attempt to encompass everyone’s well-being without stripping them of the fundamental privacies and rights allotted to them. 


According to Cristina Contero Almagro, partner at Aphaia, ‘The risk is twofold: first, the police using the technology without the appropriate safeguards and second, the information being compromised and used maliciously by third-parties which may access it unlawfully. Considering the nature of the data involved, it is essential to put in place strong security measures which ensure the data will be adequately protected. It is important to note that once that biometric information has been exposed, the damage to the rights and freedoms of the affected data subjects is incalculable, as it is not something that can be changed like a password’.


‘Any facial recognition that includes profiling should be viewed with suspicion,’ comments Dr Bostjan Makarovic, Aphaia’s Managing Partner. ‘The challenge is that there is no way to object to such profiling because it takes place in real time as one enters a certain area. Law enforcement and public safety are important reasons but should not be used as a blanket justification without further impact assessment.’  

Does your company utilize facial recognition or process other biometric data? If yes, failure to adhere fully to the guidelines and rules of the GDPR and Data Protection Act 2018 could result in a hefty financial penalty. Aphaia provides both GDPR adaptation consultancy services and CCPA compliance, including data protection impact assessments, EU AI Ethics assessments and Data Protection Officer outsourcing. Contact us today.

EU-US Privacy Shield invalidation

EU-US Privacy Shield invalidation business implications

On 16th July, the Court of Justice of the EU delivered a ruling in the case known as Schrems II by which it invalidated EU-US Privacy Shield and confirmed the validity of Standard Contractual Clauses, with caveats.

After the CJEU’s Advocate General Henrik Saugmandsgaardøe published his opinion in the so-called ‘Schrems II’ in January, now the CJEU has delivered their judgement, pursuant which Privacy Shield is declared invalid and SCC remain valid but can only be used under strict conditions.

What did the Court say?

Two important outcomes derive from the judgement issued by the CJEU:

1.The EU-US Privacy Shield is no longer a valid mechanism for international data transfers from the EU to the US.

It is important to note that it was invalidated with immediate effect. The main reason are US surveillance programmes. According to the CJEU, US surveillance programs are not limited to what is strictly necessary and proportional as required by EU law, plus there are no effective legal remedies in the US to ensure compliance with provisions of EU law when EU data subjects’ data is used for national surveillance programs.

2.SCC but with some important caveats.

It is no longer sufficient for a data exporter and data importer to just sign the agreement, the exporting party must do a factual assessment of whether the contract can actually be complied with in practice. Companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection for personal data transferred under SCC. Where this is not the case, as it happens in the US, supplementary measures and additional safeguards should be implemented in order to attain the required level of protection; otherwise the transfer should be ceased. 

National Data Protection Authorities may suspend or prohibit transfers to third country if appropriate safeguards cannot be ensured. Based on the CJEU findings in respect of the Privacy Shield, it is difficult to see how supervisory authorities would be able to avoid such a conclusion in the case of transfers to the US. National Data Protection Authorities responses to this decision are yet to be seen.

What does the EDPS say?

On 17th July and following the CJEU ruling, the EDPS, which together with the EDPB had previously expressed their criticisms of the Privacy Shield, released their statement where they welcomed the Court reaffirmation of the importance of maintaining a high level of protection of personal data transferred from the European Union to third countries. However, they trust that “the United States will deploy all possible efforts and means to move towards a comprehensive data protection and privacy legal framework, which genuinely meets the requirements for adequate safeguards reaffirmed by the Court”.

What does the UK Government say?

The UK government intervened in the case, arguing in support of the validity of standard contractual clauses. In their response, they point out their commitment to ensuring “high data protection standards and supporting UK organisations on international data transfer issues”. They have announced that they are working alongside the ICO and international counterparts with the purpose of addressing the impacts of the judgment and ensuring that updated guidance on international data transfers will be provided soon.

EU Data Protection Authorities like Irish Data Protection Commissioner and three in Germany (Federal DPA, DPA of Hamburg and DPA of Rheinland-Pfalz) have also issued their statements. Other European DPAs are expected to do it soon.

What should I do now when transferring data from the EU to the US?

Where relying on the Privacy Shield:

  • Do not enter into any new agreement governed by the Privacy Shield.
  • Review all your current contracts, especially legacy ones, with your providers, clients or third-party processors and identify those that rely on the Privacy Shield. They should be amended to add SCC or any other valid safeguard covered by the GDPR for international data transfers.

Where relying on SCC:

Although the ICO and other national Data Protection Authorities are expected to produce detailed guidance soon, according to CJEU, when transferring personal data to third countries relying on SCC you should:

  • Make sure that security and technical measures which provide an adequate level of protection of personal data are actually implemented. You may need to review or at least ask for further information about the data importer’s technical and security measures plus consider whether additional measures should be specified to strengthen security, like tokenization and encryption.
  • Reinforce your accountability processes. Do not simply sign an appendix to your contracts including SCC, rather but have a closer look at the actual security measures and other mechanisms used by the importer, plus the actual situation in the importing country, especially regarding surveillance.

What can we expect in the near future?

It is expected that guidance will be issued from the European Commission as well as the European Data Protection Board. Apart from that, the EU may decide to renegotiate a new version of Privacy Shield that gives EU data subjects stronger privacy rights under US surveillance laws. Likewise the US came up with the Privacy Shield ten months after the Safe Harbor was declared invalid, so one could now hope for them to put in place a new mechanism which to address the CJEU’s concerns. On another note, SCC may be updated for GDPR soon.

Do you make international data transfers to third countries? Are you affected by Schrems II decision? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We also offer CCPA compliance servicesContact us today.

EasyJet Customers Hacked

Approximately Nine Million EasyJet Customers Hacked

EasyJet reveals that some nine million of its customers have been affected by a “highly sophisticated cyber-attack” 


Nine million EasyJet customers have been hacked according to  a recent BBC news article. In January this year EasyJet became aware of a cyber attack which had affected millions of its customers and  is now, based on the advice of the ICO—coming public in order to minimize potential phishing attempts. So far it has been noted that email addresses and travel details have been stolen and that 2,208 customers also had their credit card details accessed.


Although investigations are still underway, EasyJet reportedly told the BBC that it was only able to notify customers whose credit card details were stolen in early April.


“This was a highly sophisticated attacker. It took time to understand the scope of the attack and to identify who had been impacted. We could only inform people once the investigation had progressed enough that we were able to identify whether any individuals have been affected, then who had been impacted and what information had been accessed.” The BBC article quotes EasyJet. 


At present, EasyJet has found no evidence that any personal information has been misused, although the ICO is investigating the breach and may take action accordingly. One should note that, regardless how the attackers use the personal data compromised in a breach, the risk to the rights and freedoms of the data subjects involved plays a key role when assessing the consequences of the incident and deciding the measures that should be implemented


What should be the response from EasyJet upon the breach?


The steps that should be taken upon a breach with the aim of reducing the impact of the potential harm are the following: 

  • Apply any necessary measures to contain the breach where possible.
  • Inform the DPO.
  • Assess the risk of the breach and identify relevant elements such as categories of data and data subjects affected plus remedial actions considered or taken.
  • Report the incident if necessary:
    • The ICO should have been notified within 72 hours after having become aware of the breach, unless it was unlikely to result in a risk to the rights and freedoms of natural persons.
    • The customers should be notified unless EasyJet has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise. This is not the case because travel and credit cards details were involved, which may comprise sensitive data and address to further attacks such as phising. For example, under the current global health emergency, travel details may involve information about the customer testing positive for COVID-19.
  • Evaluate the response and recovery to prevent future breaches.


It should also be noted that the reason why most data breaches take place is human error, therefore providing training to the employees is paramount.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

AI and retail industry

AI and retail industry after COVID-19: opportunities, privacy, ethics (Part I)

Our lives will change after COVID-19, and AI can help the retail industry and provide opportunities to minimise the impact of the pandemic while respecting privacy and the ethical principles.

In the last two months, we have witnessed how the entire world has changed- from schools to factories, we all have replaced our usual practices and activities by pandemic-proof ones. We are now well aware of how we have to wash our hands, we have been instructed on how to secure our home network for homeworking and homeschooling and we are cautious when it comes to the use of our geolocation data by the Governments. One of the main industries that has been affected is retail, and AI can help to maximise the opportunities while respecting privacy and ethics.

What about the “new normal”? How our everyday life will look after COVID-19? We cannot predict it certainly, but we are quite sure that the AI will have a key role in defining it. In this article, we go through some uses of AI in retail which may become very relevant in the post-pandemic world, also considering how they should be applied ethically.

What changes will the retail industry face?

The COVID-19 pandemic is the first of its kind in the last hundred years. The effects of the disease will presumably result in changes in our habits: the way people buy, socialise, learn, work and set up their preferences will not be the same as before the COVID-19 outbreak. 

How will this impact retail? Let’s think about what could be a common Friday in the UK or Spain. You get up, take the bus or the train to the office, then you have lunch with your workmates and go shopping in the afternoon looking for your brother’s birthday present. After that, you meet him and all your friends in a restaurant for the celebration party. It does sound normal, right? Well, maybe it does not any longer.

While, unfortunately, many people will lose their jobs because of the COVID-19 pandemic, some other will avoid spending much money due to the uncertainty. Economical dilemmas will not be the only pitfall in the retail industry though, as the risk of infection will also limit our movements widely. Getting back to our example above, maybe your brother would have decided to invite his friends home rather than to a restaurant, minimizing the contact with other people. And you may have bought the gift via online while working from home, instead of going to the shop as such. 

It seems that our free time activities will move to an in-house fashion, which will also affect the type of products we buy. For example, premium food or beverages to consume at home may become more relevant, together with highest level appliances that make our lives easier in our “new normal”. 

What changes may come from the reinvention of the industry and how can AI help?

There are two main categories of changes, that we have sorted into “physical” and “digital”. A third one may be the combination of both.

Physical changes

Retailers will need to make their clients feel pandemic-safe when shopping in their stores, which require the implementation of a wide range of measures, such as: 

    • Line management. AI may help to count the number of people which is inside the store, plus control their movements and manage the waiting times in the lines. An app may be designed for this purpose, based on spots booking and SMS notifications.


  • Social distancing. Heatmaps may be useful when it comes to capacity control and minimum distance among the customers. AI could be helpful to identify those higher traffic areas and use the data to redesign the space. 


  • Temperature and symptoms control. Facial and emotion recognition plus temperature sensors may automate the identification of infected customers with the purpose of preventing their contact with other people.
  • Logistics and delivery. Drones built with AI systems can autonomously deliver orders to the customers based on a “zero contact” policy.
  • Self-payment. AI can definitely be key in the replacement of the traditional cashier staff by self-payment machines, or even payment with no checkout at all, using virtual cards via sensors and deep learning.
  • Product disinfection. One of the main obstacles to in-store shopping is that COVID-19 may remain on surfaces for days, which includes products such as clothes. One of the solutions to this issue might be the use of virtual fitting rooms: combining AI and virtual reality (VR), customer can virtually try clothes on their own body with their personal 3D body avatar. This may apply both to ecommerce and in-store shopping.

Digital changes

Even though retailers will do big efforts to make their shops as much attractive as possible for their customers, online shopping will inevitably become more popular, which may be a detriment to physical stores. In this context, the industry will need to improve the ecommerce in order to properly respond to the market demand. To make the most of this “new normal”, retailers may focus on:

  • Targeted advertising and offers. Considering there are few data about the new consumer habits, being able to tailor the offers individually becomes essential in order to survive in the “new normal”. Profiling is crucial to predict individual’s behaviour and maximise the chances to attract a customer to the business.
  • Design and usability of their ecommerce pages. Practices like keeping navigation simple, automating the search or providing relevant recommendations make the costumer feel comfortable within the ecommerce page, therefore the purchase possibilities increase.
  • Track and compare different markets. “Reinvent or die”. New times require adaptation, and where no enough historical data is available, using another techniques, such as comparing countries or matching data from other products or services, may be paramount for the purpose of drafting the new trend. 
  • Omnichannel marketing. Customer experience will be placed in the center of the business model, thus adjusting to the customer based on their behavior through the sales funnel is required to provide the ultimate personalized customer experience.
  • Product placement. When it comes to advertising, there may be new spaces to consider, such as Netflix films or series, which may now be more profitable than the traditional outdoor means.

There is a very thin line between physical and digital in an interconnected world though. While some examples may be clear, other ones may be a combination of both. For example, smart billboards work with data gathered from our physical presence plus information from our devices our digital fingerprint.

In this context, relevant business opportunities may come from the proper analysis of the data with the aim of figuring out the new customer behavior. However, considering the temporary nature of this “new normal”, caused by a pandemic, flexibility should remain in the top of our minds because being able to adapt as fast as possible to any changes in the demand will make the difference, in one direction or another.

Can we achieve all these changes ethically?

It seems that AI will play a key role in the adaptation of the retail industry to the evolution of consumer habits. The purpose businesses pursue with the implementation of changes is maintaining the turnover they had before the crisis, or even improving the rate, which can only be achieved by instilling confidence in the clients.  

All the measures described above relate to health risks management, but one should remember that, even though currently they may be the most important ones due to the COVID-19 outbreaks, there are also some other concerns that businesses should deal with, especially when the new measures may emphasise them. These are, among other, data protection, privacy and ethics concerns.

Customers will not be able to trust a business that uses AI which is not trustworthy. This is the reason why one should ensure that the AI systems are:

(1) lawful –  respecting all applicable laws and regulations.

(2) ethical – respecting ethical principles and values.

(3) robust – both from a technical perspective while taking into account its social environment.

A Data Protection Impact Assessment should be run before implementing any changes using AI systems, considering both data protection and ethical dilemmas. It should help to verify the following requirements are met:

  • Human agency and oversight. For example, a member of the staff should be able to intercede where a customer claims the price charged for a product in his virtual card is not correct.  
  • Technical Robustness and safety. For example, businesses should ensure that no physical violence is applied over a person by an AI system in order to block access to the shop where high temperature has been detected. 
  • Privacy and data governance. Full compliance with the GDPR and any other relevant laws should be guaranteed when using AI systems. For example, access to the data should be limited by user or role and pseudonymisation techniques should be applied where possible. 
  • Transparency. Traceability mechanisms should be provided and AI systems and their decisions should be explained. Customers need to be aware that they are interacting with an AI system, and must be informed of the system’s capabilities and limitations. For example, the controller should be able to explain the logic behind the access restriction to the store.
  • Diversity, non-discrimination and fairness. Any type of unfair bias should be avoided, either in the training dataset, the creation of the algorithm or its application. For example, stores should make sure that no one is banned from entering for any reason other than temperature or symptoms. This could be the case where someone living in a low income neighborhood quite affected by COVID-19 is banned from accessing a mall just for coming from said area. This could address to the marginalization of vulnerable groups, or to the exacerbation of prejudice and discrimination. 
  • Societal and environmental well-being. AI systems in this context are not only used for improving businesses’ turnover, but also to prevent the spread of the virus for the sake of public health. 
  • Accountability. Business should have measures like civil insurance in place to ensure responsibility and accountability for AI systems and their outcomes. 

Earlier this month the EU Parliament came up with research on AI new developments and innovations applied to ecommerce. We will go thoroughly through it and discuss their in-depth analysis in Part II. 

Subscribe to our YouTube channel to be updated on Part II. 

Are you facing challenges in the retail industry during this global coronavirus pandemic? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.