On October 31, 2019, Elizabeth Denham, the UK’s Information Commissioner issued an Opinion and an accompanying blog urging police forces to slow down adoption of live facial recognition technology and take steps to justify its use.  The Commissioner calls on the UK government to introduce a statutory binding code of practice on the use of biometric technology such as live facial recognition technology.  The Commissioner also announced that the ICO is separately investigating the use of facial recognition by private sector organizations, and will be reporting on those findings in due course.

The Opinion follows the ICO’s investigation into the use of live facial recognition technology in trials conducted by the Metropolitan Police Service (MPS) and South Wales Police (SWP).  The ICO’s investigation was triggered by the recent UK High Court decision in R (Bridges) v The Chief Constable of South Wales (see our previous blog post here), where the court held that the use of facial recognition technology by the South Wales Police Force (“SWP”) was lawful.

The ICO had intervened in the case.  In the Opinion, the Commissioner notes that, in some areas, the High Court did not agree with the Commissioner’s submissions.  The Opinion states that the Commissioner respects and acknowledges the decision of the High Court, but does not consider that the decision should be seen as a blanket authorization to use live facial recognition in all circumstances.

Continue Reading AI/IoT Update: UK’s Information Commissioner Issues Opinion on Use of Live Facial Recognition Technology by Police Forces

On July 24, 2019, the European Parliament published a study entitled “Blockchain and the General Data Protection Regulation: Can distributed ledgers be squared with European data protection law?”  The study explores the tension between blockchain technology and compliance with the General Data Protection Regulation (the “GDPR”), the EU’s data protection law.  The study also explores how blockchain technology can be used as a tool to assist with GDPR compliance.  Finally, it recommends the adoption of certain policies to address the tension between blockchain and the GDPR, to ensure that “innovation is not stifled and remains responsible”.  This blog post highlights some of the key findings in the study and provides a summary of the recommended policy options.

Continue Reading European Parliament Publishes Study on Blockchain and the GDPR

On July 25, 2019, the UK’s Information Commissioner’s Office (“ICO”) published a blog on the trade-offs between different data protection principles when using Artificial Intelligence (“AI”).  The ICO recognizes that AI systems must comply with several data protection principles and requirements, which at times may pull organizations in different directions.  The blog identifies notable trade-offs that may arise, provides some practical tips for resolving these trade-offs, and offers worked examples on visualizing and mathematically minimizing trade-offs.

The ICO invites organizations with experience of considering these complex issues to provide their views.  This recent blog post on trade-offs is part of its on-going Call for Input on developing a new framework for auditing AI.  See also our earlier blog on the ICO’s call for input on bias and discrimination in AI systems here.

Continue Reading ICO publishes blog post on AI and trade-offs between data protection principles

On November 6, 2018, the French data protection authority (the “CNIL”) published a report that discusses some of the questions raised by the use of blockchain technology and perceived tensions between it and foundational principles found in the General Data Protection Regulation (the “GDPR”).  As we noted in an earlier blog post on this topic, some pundits have claimed that certain features of blockchain technology, such as its reliance upon a de-centralised network and an immutable ledger, pose GDPR compliance challenges.  The CNIL has attempted to address some of these concerns, at least in a tentative manner, and further guidance from EU privacy regulators can be expected in due course.

De-centralised network

The CNIL acknowledges that EU data protection principles have been designed “in a world in which data management is centralised,” and where there is a clear controller of the data (“data controller”) and defined third parties who merely process the data (“data processors”).  Applying these concepts to a de-centralised network such as blockchain, where there are a multitude of actors, leads to a “more complex definition of their role.”  In brief, EU data privacy rules are the square peg to blockchain’s round hole.

Notwithstanding this, the CNIL considers that participants on a blockchain network, who have the ability to write on the chain and send data to be validated on the network, must be considered data controllers.  This is the case, for instance, where the participant is registering personal data on the blockchain and it is related to a professional or commercial activity.  By contrast, according to the CNIL, the miners, who validate the transactions on the blockchain network, can in certain cases be acting as data processors.  As a consequence, data processing agreements would need to be in place between the data controllers and the data processors on any blockchain network.

The CNIL further considers that where there are multiple participants who decide to carry out processing activities via a blockchain network, they will most likely be considered “joint controllers,” unless they identify and designate their roles and responsibilities in advance.   Individuals who use the blockchain for personal use (i.e., individuals who access the network to buy and sell a virtual currency), however, would not be data controllers as they can rely on the “purely personal or household activity” exception.  
Continue Reading The CNIL Publishes Report On Blockchain and the GDPR

Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties.

The draft Consumer Data Protection Act is among a growing number of proposals for federal privacy legislation in the United States.  (See our related coverage here and here.)  These federal proposals follow on the EU’s enactment of the General Data Privacy Regulation (“GDPR”), which took effect in May, and the June enactment of the California Consumer Privacy Act (“CCPA”).  The Wyden measure has not yet been introduced in the Senate.

Below we highlight key aspects of the draft legislation.

Continue Reading Wyden Releases Draft Privacy Bill Increasing FTC Authority, Providing for Civil Fines and Criminal Penalties

Less than three months ago, California enacted the California Consumer Privacy Act of 2018 (“CCPA”). Industry and privacy watch groups alike have scrutinized the law. This summer saw fierce negotiations all in the name of improving the CCPA. Last Friday, on August 31, 2018, the California legislature passed SB 1121 to amend the CCPA.

The CCPA applies to for-profit entities that conduct business in California. It has an expansive definition of personal information, and grants California residents a number of new rights, including rights to request access to and deletion of certain data, and to opt-out of the sale of data. For a more detailed summary of the CCPA, please see our previous blog post.

SB 1121 largely preserves the substance of the CCPA, but it contains the following technical edits:
Continue Reading California Legislature Passes Amendments to Expansive Consumer Privacy Law

On August 14, Brazilian President Michel Temer signed into law the new General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais or “LGPD”) (English translation), making Brazil the latest country to implement comprehensive data privacy regulation.

The law’s key provisions closely mirror the European Union’s General Data Privacy Regulation (“GDPR”), including significant extraterritorial application and vast fines of up to two percent of the company’s previous year global revenue (the GDPR allows for up to four percent in certain aggravated circumstances).

Continue Reading Brazil’s New General Data Privacy Law Follows GDPR Provisions

On June 28, 2018, California enacted the California Consumer Privacy Act of 2018 (“CCPA”), which is aimed at strengthening consumer privacy rights and data security protections.  The CCPA takes effect on January 1, 2020 and is considered the most stringent privacy law in the country.

The CCPA applies to for-profit entities that conduct business in

Covington will be hosting a book launch for the 2014 title ‘Data Protection & Privacy Law 2nd Edition’, edited by Monika Kuschewsky, in partnership with The European Lawyer (Thomson Reuters) on September 23, 2014 in Brussels. The event will comprise a half-day workshop followed by a drinks reception. We are pleased to confirm

On December 28, 2012, China’s national legislature enacted a new law to further regulate the collection and use of online personal information and to require certain network service providers to implement real name registration for all users. 

As described below, the new law may affect all businesses handling an individual’s “personal electronic information” in China, even if that information is not necessarily processed over the internet.  For many companies operating websites hosted in China, the new law will require only slight modifications to existing data handling practices, as many of the new law’s provisions reflect or only slightly modify other provisions found in existing law.  However, websites providing “internet publication services” such as blogs, microblogs, or online forum providers, will be required to implement a real name registration system for their users.  The specifics of the real name registration system have not been announced and will likely come from China’s principal internet regulator, the Ministry of Industry and Information Technology (“MIIT”), which is drafting regulations in furtherance of the new law. 

Continue Reading China’s New Data Privacy Legislation Targets “Personal Electronic Information” And Implements Real Name Registration for Certain Websites