What data should a controller disclose under a data subject access request?

A recent decision from the Cologne Regional Court addresses whether individuals are entitled to receive emails and personal notes as part of a DSAR.

“I want access to all personal data you handle about me”. What should you do as the controller if you receive an email like this? Under the GDPR (Article 15), individuals have the right to obtain:

  • confirmation that you are processing their personal data;
  • a copy of their personal data; and
  • other supplementary information, which largely corresponds to the information that you should provide in the privacy policy.

What does “personal data” mean in the context of a DSAR? Although the concept is clear for some data categories, such as contact data, it can be tricky for others, especially where the information may also affect other people’s rights and freedoms.

The GDPR states that the right of access “should not adversely affect the rights or freedoms of others, including trade secrets or intellectual property and in particular the copyright protecting the software”. However, expert opinions vary as to what data should actually be considered to affect third parties. The Data Protection Act 2018 settles this question on the likelihood that another individual could be identified from the information disclosed. On a related note, the Cologne Regional Court has recently held that the right of access does not extend to all internal processes, such as notes, and that the data subject is not entitled to receive all correspondence exchanged. In the court’s view, legal evaluations or analyses are not personal data in this sense either. This means that information such as ratings and private notes about employees’ performance or appraisals does not necessarily have to be disclosed under a DSAR.

We think this is a sound criterion that resolves the data subject access request while also protecting the controller’s interests. However, although the Cologne Regional Court’s decision is binding on the parties to that case, it does not generally apply in other countries subject to the GDPR, so it remains to be seen whether this rule becomes the standard.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

Workplace collection of Biometric Data

Does the collection of biometric data by employer violate privacy?

For the first time in Australian history, an employee was dismissed for refusing to provide the fingerprint scan data required by his employer.

The employee believes that he was wrongfully dismissed. After a Fair Work Commission commissioner rejected his unfair dismissal claim, the employee appealed to the Full Bench of Australia’s Fair Work Commission (FWC). He argued that the commissioner had failed to consider whether the request to comply with the fingerprint scanning policy was lawful and reasonable, particularly given that the employee had refused to consent to the disclosure of his biometric data. The employee was concerned about the collection of sensitive data and a potential breach of the Australian Privacy Act.

The Full Bench granted permission to appeal, as it was satisfied that the matter raises “important, novel and emerging issues” which it has not previously considered. The FWC will take current technology and privacy rights into account in its ruling, which could shape future disputes between employers and employees over the collection of biometric information.

What if this happened in Europe?

Under the EU GDPR, biometric data processed to uniquely identify a person is special category data (Article 9), so an employer processing employees’ biometric data would normally need to rely on their explicit consent. “For consent to be valid, it must be freely given. Where the employer threatens to fire the employee if they do not give consent to process their biometric data, such consent is unlikely to be freely given,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.


Google’s Huawei ban

Google blocks Huawei’s access to Android after the company is blacklisted over security and privacy concerns

The Trump administration has added Huawei to the U.S. Department of Commerce’s Entity List, effectively blacklisting the company as far as U.S. corporations are concerned. As a result, Google has barred Huawei, the world’s second biggest smartphone maker, from some updates to the Android operating system. The US tech firm is suspending all business activity with Huawei that involves “non-public” transfers of hardware, software and technical services.

Huawei CEO Ren Zhengfei had told reporters “we have already been preparing for this. It is expected that Huawei’s growth may slow, but only slightly. Policies that threaten trading partners one after another rob companies of risk-taking attitudes and the U.S. will lose credibility.”

Huawei’s phones are already unavailable to buy in the US, following the US government’s concerns over the company’s links to the Chinese government, so a ban of this nature will not really affect US consumers. Instead, it is more likely to have an effect in the UK and Europe, some of Huawei’s biggest phone markets.

What does this mean for existing Huawei users?

Existing Huawei smartphone users will still be able to update their apps, receive security fixes and update Google Play services. However, when Google launches the next version of Android, it may not be available on Huawei devices. In addition, Google apps such as YouTube and Maps will not be available on future Huawei devices.

Why has this happened?

The US Government has accused the Chinese tech giant of spying. This is the reason for the ban, which forms part of the escalating trade and technology dispute between the two countries.

When will the ban apply?

Even though the ban has already come into force, the Trump administration has issued a temporary licence that allows US companies to keep doing business with Huawei for the next three months.

Huawei denies that its devices contain any spying software or hardware. Were the allegations confirmed, the consequences would not be limited to the US ban: Huawei’s smartphones would also be in breach of the GDPR’s privacy requirements.


EU-Japan artificial intelligence cooperation

EU Vice-President Ansip and Japan Minister Hirai discussed bilateral cooperation to promote a human-centric approach to artificial intelligence (AI), building on the joint statement of the 26th EU-Japan summit.

European Commission Vice-President for the Digital Single Market, Andrus Ansip and Japan’s Minister of State for Science and Technology Policy, Takuya Hirai said after their meeting: “The speed of AI’s development and the global changes that it entails are at the heart of EU-Japan cooperation. It is not only important to advance and progress in AI, but also to develop and promote human-centric and ethical approaches in technologies as a basis for the development and deployment of AI. In this way, we can build trust, encourage people’s understanding and acceptance of AI and develop societies that embrace it.”

Two publications set out the direction both sides intend to take in this regard: Japan’s “Social Principles of Human-Centric AI” and the European Commission’s Communication on Building Trust in Human-Centric AI.

Both approaches share common values and aims. Japan has set out seven principles: (1) human-centric, (2) education, (3) privacy, (4) security, (5) fair competition, (6) fairness, accountability, transparency and (7) innovation. These will form the basis for creating a human-centric “Society 5.0” that can successfully combine cyber space with physical space. They go hand in hand with the seven key requirements that the Commission supports to develop AI that people can trust: (1) human agency and oversight, (2) technical robustness and safety, (3) privacy and data governance, (4) transparency, (5) diversity, non-discrimination and fairness, (6) environmental and societal well-being and (7) accountability.

“The EU is preparing to launch its new research and innovation programme, Horizon Europe. The new Japanese Moonshot Research & Development Programme, at the same time, promotes R&D for disruptive innovation and targets solutions to ambitious social and economic challenges. With the introduction of these new programmes on both sides, we expect EU-Japan cooperation in science, technology and innovation to increase in areas of mutual interest, in line with last year’s EU-Japan Strategic Partnership Agreement,” said Commissioner Moedas and Minister Hirai.

They expect EU-Japan cooperation in science, technology and innovation to increase in areas of mutual interest.

If you need advice on your AI product, Aphaia offers both AI ethics and Data Protection Impact Assessments.