EU Parliament agreed to interconnect a series of border-control, migration, and law enforcement systems into a gigantic, biometrics-tracking, searchable database of EU and non-EU citizens called the Common Identity Repository (CIR).
The Common Identity Repository would combine biographical identities of persons (name, gender, date of birth) with their biometric samples to enable biometric identification, unifying records on over 350 million people.
“The systems covered by the new rules would include the Schengen Information System, Eurodac, the Visa Information System (VIS) and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS),” EU officials said. All of this data will be made available to all law enforcement agencies from the 27 EU member states, simplifying the jobs of EU border and law enforcement officers who will be able to search a unified system much faster, rather than search through separate databases individually.
“Whereas security concerns represent a genuine public interest, combining data from various previously independent sources always increases the risks for rights and freedoms,” comments Dr Bostjan Makarovic, Aphaia Managing Partner.
The European Parliament and the European Council promised “proper safeguards” to protect people’s right to privacy and regulate officers’ access to data. If the European Council approves the law passed by the European Parliament, then all member states will have to implement it within two years.
A data breach has taken place in the system that allows EU citizens who were living in the UK before Brexit to apply for settled status in order to continue to live and work there afterwards. Details of hundreds of EU citizens applying to stay in the country have been accidentally disclosed.
An administrative error has been identified as the reason why 240 personal email addresses were released. The Home Office sent the email on Sunday 7 April asking applicants, who had already struggled with technical problems, to resubmit their information. However, the email addresses were included in carbon copy (CC) instead of blind carbon copy (BCC), which would have prevented the data from being visible to all recipients.
The Home Office has apologised to citizens for mistakenly sharing their details and has asked them to delete the email: “The deletion of the email you received from us on 7 April 2019 would be greatly appreciated.”
“Additional care should be taken when sharing personal information via email. First of all, it is essential to ensure the different recipients are added in BCC instead of CC where relevant, as the latter would reveal the email addresses to all of them and there would be no legitimate basis for that data sharing. Secondly, and according to the GDPR data minimisation principle, emails should only include the strictly necessary information, and one should primarily aim at sharing personal data in encrypted files or with any other security measure,” warns Cristina Contero Almagro, Aphaia Partner.
This is not the first time this has occurred. The government made a similar error with emails sent to 500 members of the Windrush generation.
The US is lagging behind when it comes to privacy and the role of big data tech giants.
5G networks, IoT, artificial intelligence and other related technologies are all based on massive processing and transfer of personal data, both between devices and between countries. For these purposes, countries are treated as a single global setting. How, then, could these technologies work without equivalent privacy laws?
The GDPR protects people’s data while also allowing companies to thrive and reap the benefits of digitalization. Since the privacy law came into effect in May 2018, both citizens and businesses have felt its positive impact. The essence of the law is that it gives people more control over their personal data. They have the right to access the data, amend it and decide who can use it and how, among other rights.
GDPR works because companies have reported that the rollout of the new rules was an opportunity for them to put their house in order when it comes to the data they hold, and increase its security. It also helped them build trust with their customers and offer innovative, more privacy-friendly services.
There have been calls for Washington and the European Union to move closer on privacy issues and become global leaders for free and secure data flows. Beyond the security of data, privacy rules also play a crucial role in debates on the development of artificial intelligence, 5G networks and competition rules.
EU Commissioner for Justice, Consumers and Gender Equality Věra Jourová notes tech companies in the U.S. have already voiced their support for stronger legislation. “It’s time for America to join us, Japan and many others in our work, and be part of setting the global standards on privacy,” Jourová writes. “We should be building a global coalition to tackle the challenge together and promote free trade based on respect of strong privacy rules.”
If the EU and U.S. can find common ground on how to legislate privacy, an environment where businesses can send data freely and citizens regain trust in the digital world can be realised.
What should UK businesses do when it comes to GDPR if a no-deal Brexit actually takes place?
At first glance, a no-deal Brexit should not pose a major problem for UK businesses. The UK applies GDPR and will continue to apply it, either directly or based on the Data Protection Act 2018. There are no major plans to change the principles or even the rules of GDPR. It could be business as usual. But not quite.
No deal data transfers EU-UK
Transfers of personal data from the EU to the UK will be deemed transfers to a third country. Whereas one could expect the European Commission to issue an adequacy decision for the UK, given that UK law is based on the EU GDPR, this decision might not be timely. Accordingly, businesses might need to cover such transfers, most likely using Standard Contractual Clauses (SCC). The ICO has decided to help them out with this tool: https://ico.org.uk/for-organisations/data-protection-and-brexit/standard-contractual-clauses-for-transfers-from-the-eea-to-the-uk-interactive-tool/y
The good news is that the UK government has stated that, when the UK exits the EU, transfers to the EEA from the UK will not be restricted. There will be transitional provision for a UK adequacy decision to cover these transfers. This means you will be able to continue to send personal data from the UK to the EEA without any additional requirements.
Appointing a data protection representative in the EU
Depending on what you do, you may need to appoint a data protection representative in the EU. This will most likely be the case if you are offering goods or services to data subjects in the EU, for example via a website, irrespective of whether payment by the data subject is required. Similarly, this will apply to your online or offline monitoring of people’s behaviour as far as this behaviour takes place within the EU. Where you have a subsidiary in the EU, they can act as your representative, and if you have a branch established in the EU, no representative would be required.