A complaint from the Big Brother Watch instigated an investigation into HMRC’s Voice ID service. The ICOs investigation mainly dealt with the voice authentication for customer verification on some of HMRC’s helplines since January 2017.
Customers were given insufficient information when it came to how their biometric data would be processed. Biometric data is considered special category information and is subject to stricter conditions. They were also denied the opportunity to give or withhold consent, which is a breach of GDPR.
Steve Wood, Deputy Commissioner at the ICO, said:
“We welcome HMRC’s prompt action to begin deleting personal data that it obtained unlawfully. Our investigation exposed a significant breach of data protection law – HMRC appears to have given little or no consideration to it with regard to its Voice ID service”. “Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy. Organisations must be transparent and fair and, when necessary, obtain consent from people about how their information will be used. When that doesn’t happen, the ICO will take action to protect the public.”
By now the ICO have issued its final enforcement notice, giving HMRC 28 days from that date to complete deletion of relevant biometric data records, held under the Voice ID system for which it does not have explicit consent.
The Dutch data protection authority has recently published its fining policy for violations of GDPR and the Dutch law implementing GDPR. When it comes to cookies, the Dutch DPA’s conclusion is that it is not compliant with GDPR for website pop-ups to block users from access to the site unless they consent to the use of tracking cookies.
Websites that only give visitors access to their site if they agree to place so-called ‘tracking cookies’ or other similar ways of tracking and recording behaviour through software or other digital methods do not comply with GDPR, according to the DPA.
“The digital tracking and recording of surfing behaviour on the Internet via tracking software or other digital methods is one of the largest processing of personal data, because almost everyone is active on the Internet. To protect privacy, it is therefore important that parties request permission from website visitors in a good way, ”says Aleid Wolfsen, chairman of the Dutch DPA.
“In this way people can make conscious and correct use of their right to the protection of personal data. If a website asks for permission for tracking cookies and if it is refused access to the website or service is not possible, people give up their personal data under pressure and that is unlawful. ”
If an individual cannot decide not to give permission without facing any consequences then it is not real free choice.
Letters have been sent out to businesses who had the most complaints against them and the Dutch DPA will intensify its monitoring to see whether the standard is being applied correctly in the interest of protecting privacy.
Furthermore, a guidanceregarding cookie walls has been published by the Dutch DPA.
Pursuant to GDPR Recital 32, “Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data”. According to the Dutch DPA, the freely given requirement would not be met by a cookie wall, as it means that the user has no choice but to consent in order to access the website. In this case consent would be an imposition instead of an alternative. The Dutch DPA suggests websites should offer meaningful options for users to access a website without consenting to tracking cookies, such as a on the basis of a payment for access model.
EU Parliament agreed to interconnect a series of border-control, migration, and law enforcement systems into a gigantic, biometrics-tracking, searchable database of EU and non-EU citizens called the Common Identity Repository (CIR).
Combining biometric samples of persons to enable biometric identifications, the Common Identity Repository would combine biographical identities of persons (name, gender, date of birth) to unify records on over 350 million people.
“The systems covered by the new rules would include the Schengen Information System, Eurodac, the Visa Information System (VIS) and three new systems: the European Criminal Records System for Third Country Nationals (ECRIS-TCN), the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS),” EU officials said. All of this data will be made available to all law enforcement agencies from the 27 EU member states, simplifying the jobs of EU border and law enforcement officers who will be able to search a unified system much faster, rather than search through separate databases individually.
“Whereas security concerns represent a genuine public interest, combining data from various previously independent sources always increases the risks for rights and freedoms,” comments Dr Bostjan Makarovic, Aphaia Managing Partner.
The European Parliament and the European Council promised “proper safeguards” to protect people’s right to privacy and regulate officers’ access to data. If the European Council approves the law passed by the European Parliament, then all member states will have to implement it within two years.
A data breach has taken place in the system that allows EU citizens in the UK before Brexit to apply for settled status in order to continue to live and work there afterwards. Details of hundreds of EU citizens requesting their stay in the country have been accidentally disclosed.
Administrative error has been identified as the reason why 240 personal email addresses were released. The Home Office sent the email on Sunday 7 April asking applicants, who had already struggled with technical problems, to resubmit their information. However, the email addresses were included in carbon copy (CC), instead of a blind carbon copy (BCC), which would have prevented the data from being visible to all recipients.
The Home Office has apologised to citizens for mistakenly sharing their details plus has asked them to delete the email: “The deletion of the email you received from us on 7 April 2019 would be greatly appreciated.”
“Additional care should be taken when sharing personal information via email. First of all, it is essential ensuring the different recipients are added in BCC instead of CC where relevant, as the latter would reveal the email addresses to all of them and there would be no legitimate basis for that data sharing. Secondly, and according to GDPR data minimisation principle, emails should only include the strictly necessary information, and one should primarily aim at sharing personal data in encrypted files or with any other security measure”. Warns Cristina Contero Almagro, Aphaia Partner.
This is not the first time this has occurred. The government made a similar error with emails sent to 500 members of the Windrush generation.