Data Governance Act agreed upon by Council of the EU

The Data Governance Act is expected to give the EU a competitive advantage in a world that is becoming increasingly data-driven.

 

A mandate for a Data Governance Act has recently been agreed upon by the Council of the EU, and this is expected to make data sharing easier, leading to several other benefits by extension. In an October 1st press release, the Council announced that Member States had agreed upon a negotiating mandate on a proposal for a Data Governance Act or DGA. This act is intended to promote certain data sharing mechanisms, like facilitating the reuse of certain categories of protected public-sector data, improving public confidence in data intermediation services and promoting data altruism.

 

The Data Governance Act will promote the reuse of public sector data while preserving privacy and confidentiality.

 

The Open Data Directive, which does not cover data from public sector bodies, will soon be complemented by the proposed DGA, allowing safer sharing of this category of data. The DGA will cover categories of public-sector data that are subject to the rights of others. This includes data protected by intellectual property rights, as well as trade secrets and personal data. The allowance of this manner of reuse will require the technical capabilities to maintain privacy and confidentiality. The Council’s stance on this will promote greater flexibility which respects any pre-existing national specificities of the various EU Member States.

 

The DGA is expected to foster the creation of a new business model – data intermediation.

 

Data intermediation services can help facilitate sharing by providing secure environments for companies and individuals to share data. This may take the form of digital platforms and would help individuals exercise their rights under the GDPR, while facilitating voluntary data sharing by companies. This may include features such as personal data spaces or data wallets, which would allow people to have full control over their data while sharing with companies that they trust.

 

Service providers will need to be listed in a register that individuals can consult to ensure that they are sharing with providers they can safely depend on. In addition, these providers will only be able to use the data for the intended purposes. The data cannot be sold or used for any alternative purpose. As part of its process, the Council of the EU has clarified which types of companies can function as data intermediation service providers.

 

Data altruism is expected to be made more feasible by the Data Governance Act, allowing companies and individuals to share data for the common good.

 

For the purposes of research and other public interest, individuals and companies may want, or need, to share data. The proposal for data governance is expected to make it easier to make data voluntarily available for these purposes. Organizations will be able to request to be registered to collect data for objectives of general interest. Organizations that register will be recognized across all EU Member States. The trust created by their being registered is expected to encourage individuals and companies to voluntarily share data with these organizations, and this data can then be used to benefit the wider society. There will also be a compliance code of conduct to which these organizations must adhere. This code of conduct will be created with the cooperation of data altruism organisations and relevant stakeholders.

 

 

A European Data Innovation Board will be created to ensure consistency in practice for all organizations involved.

 

The introduction of the DGA will usher in a new structure, called the European Data Innovation Board, which will be tasked with maintaining a level of consistency for organizations involved in the data sharing process. This Board will be expected to advise and assist the Commission in enhancing the interoperability of data intermediation services. In addition, it will ensure consistency in the processing of requests for public sector data. These changes are all expected to foster increased sharing by reassuring the public that data sharing can indeed be safe and maintain the protection of their rights and freedoms.

 

 

Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today

Retrospective facial recognition to be used by the London police

Retrospective facial recognition to be used by London police starting late this year or early next year.

 

 

The UK’s Metropolitan Police Service (MPS) has gotten authorization to use retrospective facial recognition technology, and will likely begin buying and using the technology as early as the end of this year. This technology has been tried and tested by the South Wales police force and has already proven how useful it can be to law enforcement. We recently published an article on the use of facial recognition technology by various government agencies in the United States; however, it is important to note that, unlike some of the US agencies mentioned, the London Metropolitan Police will not be using live facial recognition.

 

A four-year contract signed recently will deploy the use of retrospective facial recognition in London in the coming months.

 

A four-year contract worth £3,084,000 has recently been signed with Northgate Public Services to deploy this technology in the coming months. The technology is expected to save officers a significant amount of time when reconciling an image of a person with their identity. Images captured by cameras at crime scenes such as burglaries, assaults and shootings, or images shared or submitted by members of the public, will soon be used to identify persons using retrospective facial recognition. This is expected to help make significant progress in solving crime and keeping citizens of London safe.

 

While retrospective facial recognition is less controversial than live facial recognition, the Metropolitan police will undergo consultations on governance before using this technology.

 

Unlike live facial recognition, which compares live images with those on a specific watchlist, retrospective facial recognition will allow matching with a much broader list. Live facial recognition is considered a lot more controversial and has received quite a bit of backlash, including from the Information Commissioner. Her remarks on live facial recognition were recently quoted on Forbes. She commented that “We should be able to take our children to a leisure complex, visit a shopping centre or tour a city to see the sights without having our biometric data collected and analysed with every step we take.” Although retrospective facial recognition is less controversial, the Metropolitan Police Service is consulting with the London Policing Ethics Panel (LPEP) about governance, and is expected to meet the panel to discuss the project next month.

 

“Even though it is retrospective facial recognition, photographs and videos are processed for the purpose of uniquely identifying an individual, therefore the additional requirements for carrying out sensitive processing should be observed and a DPIA might be required”, points out Cristina Contero Almagro, Partner in Aphaia.

Do you use AI in your organisation and need help ensuring compliance with AI regulations? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including Data Protection Impact Assessments, AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Facebook View sunglasses questioned by Irish and Italian authorities

Facebook View sunglasses questioned by the Irish and Italian authorities, regarding whether they effectively notify data subjects that they are being recorded.

 

 

A new product by Facebook, in collaboration with Ray Ban, is now coming under question by European data protection authorities. The product, called “Facebook View”, was introduced to the general public with a short promotional video of Mark Zuckerberg speaking about these innovative glasses, which can take photos and record video. In the video, Mr. Zuckerberg made an attempt to appease possible qualms from the public on the privacy of this technology, noting that an LED light on the frame of the sunglasses goes on to notify those around when the glasses are recording. However, this feature is now being called into question by the Irish and Italian regulators: the Irish DPC and the Garante, respectively. Their main question: is a light on the frame enough to significantly notify people that they are being recorded?

 

 

Facebook View sunglasses are seen as much less conspicuous than a camera or cell phone, in communicating that recording is in progress.

 

It is important that when people are being recorded, they have a sense that this is happening. When someone pulls out a camera or a cell phone, for example, the general assumption is that recording is in progress or a photo is being taken. People do not automatically assume that they are being recorded when they see someone wearing a pair of Ray Bans. Most people are also not looking for a light on a pair of glasses under regular circumstances. The Irish and Italian authorities, according to this joint statement recently issued, do not believe that a pair of sunglasses can adequately give notice that recording is in progress.

 

 

The relevant authorities call on Facebook to demonstrate the effectiveness of the LED light to inform people that recording is in progress, as well as run an information campaign.

 

The Irish DPC and Garante claim that it has not been demonstrated to them that comprehensive testing was done by Facebook, to ensure that an LED light would effectively communicate to people that they are being recorded. Facebook is now being called to demonstrate the effectiveness of the LED light to inform people that they are being recorded. In addition, the authorities are asking Facebook to run an information campaign to adequately alert the public on how this new product may result in much less obvious recording of their images.

 

“Facebook should also explain whether there are any plans to combine the information recorded using the Facebook View sunglasses with Facebook’s existing databases. This scenario seems likely considering that Facebook’s core product consists of users sharing photos and videos on the social network, where they can tag their friends and contacts” points out Cristina Contero Almagro, Partner in Aphaia.

 

 


Right to erasure: Controller ordered to delete photos

Right to erasure is behind Slovenia supervisory authority IPRS’s recent decision, ordering a controller to delete 88 photos.

 

The Slovenian SA recently ordered a data controller to delete a collection of 88 photos of a data subject, taken over a period of time 7 to 15 years ago. The order, which came this July, was on the basis of the data subject’s right to erasure, as reported by the EDPB. Article 17 of the GDPR gives data subjects the right to obtain, from the controller, the erasure of personal data concerning him or her without undue delay, under certain conditions. The controller in this case, a content production agency creating content on the topic of lifestyle, processed a collection with a total of 88 photos of the data subject, who was the complainant in this case. The data subject claimed she did not give permission to have her personal data processed, and then explicitly objected to the processing of her personal data, stating also that there were no compelling legitimate grounds for the processing of her data.

 

The controller declined the data subject’s demand to have the photos deleted, claiming that the processing was lawful.

 

The controller refused the data subject’s demands to have her photos removed, claiming that the processing was lawful under Article 6(1)(f) of the GDPR. However, the controller’s claims that the processing was needed for exercising his freedom of expression with regard to media activities, as well as for the public’s right to information and on the basis of legitimate interests, did not hold up. The Supervisory Authority maintained that the data subject in this case has the right to erasure of her personal data, and that the right to personal data protection needs to be balanced with the right to freedom of expression and information.

 

The photos and other data features on the website were organized in such a way that a profile could be created on the data subject through a search of her name.

 

The Slovenian Supervisory Authority found that all the photos indeed represented personal data which formed part of a filing system. The thumbnail and the description of the photos were accompanied by the first and last name of the individual. From the photos and the information provided, it was possible to determine which events she attended, who her company was, and also her personal characteristics. A search for the data subject’s name through the website’s search engine could create a profile highlighting the photos and data about her in particular. The content of the website cannot be understood as reporting on a specific event, because it enables a search on the basis of first and last name.

The Supervisory Authority ordered the removal of the photos and any related data, upholding the data subject’s right to erasure.

 

The Supervisory Authority ordered that the controller must delete not just the photos from the website, but also the name of the individual, the URL address and any metadata that enabled access to the photographs. Publications of this nature are usually intended only for revealing interesting information to satisfy the curiosity of members of the public who seek information about public events and on the personal lives of specific people. However, by the Slovenian Supervisory Authority’s measure, the data subject was not an absolute public figure, and the content of the website did not contribute to any debate of social importance, nor did it relate to any topic of public interest. In addition, the controller failed to demonstrate its legitimate interests. As a result, the Slovenian SA decided to uphold the complaint.

 
