Data Protection Update 22 May 2023

IGS
May 22, 2023

United States

TSA starts voluntary facial recognition pilot program

The U.S. Transportation Security Administration has now launched its facial recognition pilot program in sixteen international airports around the country.
The system scans a passenger’s identification and then captures a photo of the passenger and compares the two photos.
The voluntary program has led to claims that those who opt out may be subject to additional scrutiny when travelling in the future.
The system has also been criticized as being prone to biases.

American Civil Liberties Union claims online age verification could have broad privacy implications

States and countries are exploring age verification requirements as a measure to protect children online.
Meanwhile, Cody Venzke, the Senior Policy Counsel for American Civil Liberties Union, has claimed that privacy bills that explore these requirements are “trying to establish inferences about how old you are or who you are based on that already existing capitalistic surveillance” and “are just threatening to legitimize that surveillance”.

OCR reaches $350K settlement for HIPAA Rule violations

The U.S. Department of Health and Human Services’ Office for Civil Rights has reached a USD350,000 settlement with MedEvolve over a breach that exposes the health information of more than 200,000 people.
The OCR claimed potential violations of the Health Insurance Portability and Accountability Act Rules include “the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor.”

Europe

CNIL assesses ‘strong impact’ of action plan on cookies

The Commission Nationale de L’informatique et des libertés, has said that its action plan on cookies “has a strong impact”.
The organization – which is France’s data protection authority – has claimed to have handed out eight sanctions between 2020 and 2022 related to cookies, making a total of EUR421 million.

EDPB finalizes guidelines on law enforcement’s biometric deployments

The EDPB has finalized its guidelines on the use of biometric technologies by law enforcement.
The board has said that the guidance highlights how facial recognition should “only be used in strict compliance with the Law Enforcement Directive” and only if “necessary and proportionate” in the context of the EU Charter of Fundamental Rights.
The EDPB further repeats its wish for a ban to be carried out on certain uses of facial recognition technology.

France’s constitutional court approves use of AI surveillance cameras for Olympics

France’s Constitutional Court has ruled that the government can proceed with installing AI-powered surveillance cameras ahead of the 2024 Olympics in Paris.
In the decision, the court ruled that this installation did not erode privacy rights because human operators with “permanently control (…) the development, implementation and possible evolution of algorithmic processing”.
The cameras will be trained to spot “suspicious behaviour” such as abandoned luggage or identify crowd stampedes.
The system would lawfully remain in place until March 2025.

International

Taiwan increases data breach fine

Taiwan has approved amendments to the Personal Data Protection Act’s financial penalty scheme for private entities that violate data security provisions.
The result is a new fine scale ranging between NTD20,000-2 million, according to the severity of the violation at hand.
Moreover, violations that do not rectify their shortcomings in a specified timeframe will be subjected to additional severe penalties ranging between NTD150,000 – 15 million, to be served on a case-by-case review.

Argentina’s AAPI publishes Annual Report 2022

Argentina’s data protection authority, the Agency of Access to Public Information, has published its Annual Report 2022 highlighting its accession to the Amending Protocol to Convention 108+, the only international instrument on the protection of personal data.
Argentina is the 23^rd state to ratify the protocol.
The protocol requires 38 states’ ratification in order to enter into force.

Meta opposes Australian Privacy Act reforms for targeted advertising

Meta has informed the Australian government that it “strongly opposes” Privacy act reforms that would hamper its ability to utilize direct marketing and targeted advertising.
To add, Meta opposes provisions that give citizens “an unqualified ‘opt out’ option” for personal advertising”, according to Melinda Claybaugh, Meta Global Privacy Policy Director.

United Kingdom

UK policing minister pushes for greater use of facial recognition

Chris Philips, policing minister for the UK, is pushing for facial recognition to be rolled out across police forces nationally.
This expansion would probably explore the “integration of this tech with police body-worn video”.
Last month, the Met police announced that it had conducted a review finding that the technology poses “no statistically significant bias in relation to race and gender”.
In 2020, appeal court judges ruled that previous trials by South Wales Police of facial recognition software were unlawful, although the force there continues to use the technology.

Google accused of illegally hoarding job candidates’ personal information for years

Google is under investigation by the UK ICO following complaints from a whistleblower who alleges it’s gHire recruitment system held onto personal details.
The personal details in case include names, phone numbers, emails, and CVs from applicants in the EU and UK from as far back as 2011.
If this is true, Google has failed to comply with the GDPR requirement for confidential and personal data to be erased as quickly as possible and within a maximum of one year.

UK biometrics, surveillance commissioner raises concerns over DPDI provisions

Fraser Sampson, the UK Biometrics and Surveillance Camera Commissioner has raised concerns around a lack of provisions for certain biometrics and “non-data protection issues” connected to public space surveillance within the Data Protection and Digital Information Bill.
Sampson says interim findings of an independent analysis he commissioned suggest that “they may be significant gaps were the Bill to proceed in its current form”.

Data Protection News Update 22 April 2024

United Kingdom ICO reprimands housing association for insufficient data security ICO publishes guidance to improve transparency in health and social care United States Change Healthcare’s

Data Protection News Update 15 April 2024

United Kingdom Information Commissioner’s Office seeks views on accuracy of generative AI models United States US Senator says TikTok divestiture deadline could be extended to

Asking (and answering) an obvious but important question: why does data confidentiality matter, ethically speaking?

In my last article, I focused on the ethical significance of one of the most prominent failure of data governance in recent times; namely, the

Data Protection News Update 08 April 2024

United Kingdom ICO sets out priorities to protect children’s privacy online ICO joins global data protection and privacy enforcement programme United States US and UK