Adequacy decisions adopted

Adequacy decisions adopted for EU-UK data transfers

Adequacy decisions adopted by the European Union for the UK regarding data transfers.


The European Commission has adopted two adequacy decisions for the United Kingdom: one under the General Data Protection Regulation (GDPR) and one under the Law Enforcement Directive (LED). Since Brexit there had been uncertainty about the UK's adequacy, that is, the level of protection afforded to personal data transferred from the EU to the UK. With these decisions in place, personal data can now flow freely from the European Union to the United Kingdom, because data transferred to the UK is considered to enjoy a level of protection essentially equivalent to that guaranteed under EU law.

The decisions followed a thorough assessment process, during which data transfers continued under an interim arrangement in the EU-UK Trade and Cooperation Agreement.

Since the draft adequacy decisions for the UK were published in February 2021, the UK's laws and practices on personal data protection have been carefully assessed. In April the EDPB gave its opinion on UK adequacy, followed by a comitology procedure that included a vote by EU Member States. In the meantime, and in the absence of an adequacy decision, data continued to flow between the EU and the UK under an interim provision of the Trade and Cooperation Agreement. That interim period expired on 30 June 2021; during it, the Agreement provided that transfers of personal data from the EU to the UK would not be treated as transfers to a third country under the GDPR and the Law Enforcement Directive.

UK data protection laws still very much resemble the laws under which the country operated as an EU Member State.


The UK's data protection regime remains based on the same rules that applied while it was an EU Member State: the principles, rights and obligations of the GDPR and the Law Enforcement Directive have been fully incorporated into UK law. This made both the interim arrangement under the Trade and Cooperation Agreement and the adequacy decisions easier to reach. The UK also provides strong safeguards regarding access to personal data by public authorities: in principle, the collection of data by intelligence authorities is subject to prior authorisation by an independent judicial body.

The adequacy decisions include a sunset clause which causes them to expire after four years.

These adequacy decisions include a 'sunset clause', the first of its kind, which strictly limits their period of validity: they will automatically expire four years after entry into force. The adequacy findings may then be renewed, but only if the UK continues to ensure an adequate level of data protection. In the meantime the European Commission will continue to monitor the legal situation in the UK and reserves the right to intervene at any point if the UK deviates from the level of protection currently provided. Renewal after the four-year period would require the adoption process to start over.

GDPR adequacy has not been granted for data transferred for UK immigration control purposes, following a judgment of the England and Wales Court of Appeal; the exclusion will be reassessed once the matter has been addressed under UK law.


Following a recent judgment of the England and Wales Court of Appeal, data transfers for the purposes of UK immigration control have been excluded from the scope of the GDPR adequacy decision. The judgment affects the validity and interpretation of certain data protection rights in the context of immigration control, so the Commission will reassess the need for this exclusion once the matter has been dealt with under UK law.

Does your company have all the mandated safeguards in place to ensure compliance with the GDPR, the Law Enforcement Directive and the Data Protection Act 2018? Aphaia provides GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Call for a ban on facial recognition

Call for a ban on facial recognition: EDPB and EDPS release a joint statement

The EDPB and EDPS have issued a joint call for a ban on the use of facial recognition and other automated biometric identification in publicly accessible spaces.

The EDPB and EDPS call for a ban on the use of AI for the automated recognition of human features in publicly accessible spaces. This covers facial recognition as well as fingerprints, DNA, voice recognition and other biometric or behavioural signals. The call follows the European Commission's proposal for harmonised rules on artificial intelligence earlier this year. While both bodies welcome the introduction of rules on the use of AI systems in the EU, including by EU institutions, bodies and agencies, they are concerned that international law enforcement cooperation has been excluded from the proposal's scope. They also stress the need to clarify that existing EU data protection law applies to all processing of personal data falling within the scope of the draft AI regulation.


The EDPB and EDPS call for a general ban on the use of AI for automated recognition of human features in publicly accessible spaces, and particularly for uses that could lead to discrimination.

In their recently released joint opinion, the EDPB and EDPS recognise that remote biometric identification of individuals in public spaces poses extremely high risks, particularly where AI systems use biometrics to categorise individuals by ethnicity, gender, political or sexual orientation, or any other ground on which discrimination is prohibited. Article 21 of the Charter of Fundamental Rights provides: “Any discrimination based on any ground such as sex, race, colour, ethnic or social origin, genetic features, language, religion or belief, political or any other opinion, membership of a national minority, property, birth, disability, age or sexual orientation shall be prohibited.” The two bodies also call for a prohibition on the use of AI to infer the emotional state of natural persons, except in specific, well-defined cases; one example from the field of health is where recognising a patient's emotions is relevant to their care. They maintain, however, that any use of this kind of AI for social classification or scoring should be strictly prohibited. “One should keep in mind that ubiquitous facial recognition in public spaces makes it difficult to inform the data subject about what is happening, which also makes it all but impossible to object to processing, including profiling,” comments Dr Bostjan Makarovic, Aphaia's Managing Partner.


The EDPB and EDPS call for greater clarity on the role of the EDPS as competent authority and market surveillance authority.

In the joint opinion, the two bodies welcome the fact that the European Commission's proposal designates the EDPS as the competent authority and market surveillance authority for the supervision of EU institutions, agencies and bodies, but call for further clarification of the EDPS's specific tasks in that role. They note that data protection authorities are already enforcing the GDPR and the LED in relation to AI systems that process personal data, and suggest a more harmonised regulatory approach in which the DPAs are designated as the national supervisory authorities, ensuring consistent interpretation of data processing provisions across the EU. The opinion also calls for greater autonomy for the proposed European Artificial Intelligence Board, so that it can operate as a European AI body free from conflicts and political influence.

Do you want to learn more about facial recognition in public spaces? Check our vlog.

Do you use AI in your organisation and need help ensuring compliance with AI regulations? We can help you. Aphaia provides EU AI Ethics Assessments, Data Protection Officer outsourcing and ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments. We can help your company get on track towards full compliance.

The ICO has fined three companies for nuisance marketing

The ICO has fined three companies a total of £415,000 for nuisance marketing practices, after receiving numerous complaints.

The ICO has fined three companies a total of £415,000 for nuisance marketing. Colour Car Sales Limited, Solarwave Limited and LTH Holdings were penalised for unsolicited marketing calls and spam text messages. Many of the people who received calls complained that they were registered with the Telephone Preference Service (TPS) and should not have been contacted at all. In each case the company lacked the valid consent required to send direct marketing, in breach of the Privacy and Electronic Communications Regulations (PECR). Under PECR the ICO can impose a monetary penalty of up to £500,000 on an organisation for serious breaches of the rules governing electronic marketing communications.


Colour Car Sales Ltd was found to have been sending spam text messages directing people to various car finance websites.

Colour Car Sales Limited of Stoke-on-Trent, a credit intermediary for used car finance, was found to have sent spam text messages between October 2018 and January 2020 directing recipients to various car finance websites, and several recipients complained to the ICO. This was a breach of regulation 22 of PECR, which governs the transmission of unsolicited direct marketing by electronic mail (including SMS) to individual subscribers. Such messages may only be sent with the recipient's prior consent, or under the 'soft opt-in': where the sender obtained the contact details in the course of a sale or negotiations for a sale, the marketing concerns the sender's own similar products or services, and the recipient was given a simple means of refusing such marketing both when the details were collected and in every subsequent message.


Solarwave Ltd was fined for making unsolicited marketing calls about solar panel maintenance to people registered with the TPS.

Solarwave Limited, a solar energy company in Grays, Essex, was found to have made over 73,000 unsolicited marketing calls between January and October 2020. All of the numbers called were registered with the Telephone Preference Service (TPS), so the recipients should not have received marketing calls at all: the TPS register records individuals who have opted out of unsolicited marketing calls, and callers must screen against it to avoid breaching that right. Several complainants reported that the company called them repeatedly and ignored requests to stop. The company was found to have breached regulation 21 of PECR. Regulation 21 prohibits unsolicited live marketing calls to any number registered with the TPS, or whose subscriber has previously told the caller to stop, unless the subscriber has notified the caller that they consent to such calls for the time being.


Over the course of a year, LTH Holdings made unsolicited calls selling funeral plans to people registered with the TPS.

LTH Holdings, a telephone marketing company from Cardiff, made 1.4 million calls between May 2019 and May 2020. The ICO received 41 complaints against the company and found its marketing techniques persistent, aggressive and coercive, which raised particular concern because the target market for funeral plans is likely to include vulnerable people. LTH Holdings was also found to be in breach of regulation 21 of PECR. Under regulation 26 of PECR the Information Commissioner maintains a register of numbers whose subscribers have notified them that they do not, for the time being, wish to receive unsolicited marketing calls; the TPS is a limited company that operates this register on the Commissioner's behalf. Businesses that wish to make direct marketing calls can subscribe to the TPS for a fee and screen their calling lists against the current register so that they stay within the regulations.


The companies were fined a total of £415,000 for the various offences.

After receiving numerous complaints about the three companies, the ICO issued enforcement notices ordering them to stop marketing until valid consent has been obtained. Colour Car Sales Limited was fined £170,000 for the spam text messages, while Solarwave and LTH Holdings were fined £100,000 and £145,000 respectively for the unsolicited calls, a total of £415,000 that the ICO will now work to recover from the three companies.

Does your company have all the mandated safeguards in place to ensure compliance with ePrivacy rules, the GDPR and the Data Protection Act 2018 when handling customer data? Aphaia provides ePrivacy, GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, EU AI Ethics Assessments and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.

Amazon faces possible fines

Amazon faces possible fines for alleged GDPR violations

Amazon faces a possible fine of at least €350 million for alleged GDPR violations.

Luxembourg's privacy regulator, the CNPD, has proposed a fine of at least €350 million on Amazon.com Inc for alleged violations of the GDPR. Before this draft decision can become final it must be approved by the other EU data protection authorities; that process could take months and could end with a fine higher or lower than the proposed amount. If confirmed, it would be the bloc's largest GDPR penalty yet. Although the amount is roughly 2% of Amazon's reported net income for 2020, and the largest sanction proposed so far, some other EU regulators argue that it may not be enough. The alleged violations concern Amazon's collection and use of personal data.


The alleged violations relate to the company's collection and use of personal data.

The draft decision has been circulated among the bloc's 26 other data protection authorities. Because Amazon's EU headquarters is in the Grand Duchy, Luxembourg's data protection commission, the CNPD, is the lead supervisory authority issuing the fine. The proposed fine concerns alleged GDPR violations in Amazon's collection and use of personal data; it is not linked to the company's cloud computing business, Amazon Web Services. Months earlier, former information security employees had raised concerns about privacy and compliance at the company: according to Politico, three individuals interviewed anonymously and identified as former senior employees said that the security of customer information was not being prioritised as it should be. Because of the status of the legal proceedings, however, the regulator was unable to give many details about the specific alleged violations.


According to the former information security employees, data held by Amazon is at risk because there is a lack of clarity over what data is stored, where it is stored and who can access it. As a result, it would be very difficult for Amazon to fulfil a request from a customer exercising their right to erasure, since the company could not identify every place where each piece of information is stored. Article 17 of the GDPR gives data subjects the right to obtain erasure of their personal data from a data controller without undue delay where one of the grounds set out in that article applies. Representatives of Amazon maintain that the privacy of its customers is a priority and that it complies with the laws of the countries in which it operates.

Amazon faces a possible record-breaking fine, which could climb higher by the time a final decision is reached.


While the proposed amount would be a record fine for EU data protection regulators, some regulators feel that, given the size of the company among other factors, it may not be enough. The GDPR allows a fine of up to 4% of a company's total worldwide annual turnover for the most serious violations. The proposed fine is only about 2% of Amazon's reported net income for 2020, which totalled approximately €17.5 billion, and a far smaller fraction of its turnover, so the final figure, which could take several months to settle and may be higher or lower, has considerable headroom under the GDPR. This draft decision is one of a number of privacy enforcement actions being taken against tech giants. Ireland's privacy regulator has also signalled draft decisions against other large technology companies, which may include Facebook, Google and Apple, all of which have their EU headquarters in Ireland.