Data Protection Update 22 May 2023

United States

TSA starts voluntary facial recognition pilot program

  • The U.S. Transportation Security Administration has now launched its facial recognition pilot program in sixteen international airports around the country.
  • The system scans a passenger’s identification and then captures a photo of the passenger and compares the two photos.
  • The voluntary program has led to claims that those who opt out may be subject to additional scrutiny when travelling in the future.
  • The system has also been criticized as being prone to biases.

American Civil Liberties Union claims online age verification could have broad privacy implications

  • States and countries are exploring age verification requirements as a measure to protect children online.
  • Meanwhile, Cody Venzke, the Senior Policy Counsel for American Civil Liberties Union, has claimed that privacy bills that explore these requirements are “trying to establish inferences about how old you are or who you are based on that already existing capitalistic surveillance” and “are just threatening to legitimize that surveillance”.

OCR reaches $350K settlement for HIPAA Rule violations

  • The U.S. Department of Health and Human Services’ Office for Civil Rights has reached a USD350,000 settlement with MedEvolve over a breach that exposes the health information of more than 200,000 people.
  • The OCR claimed potential violations of the Health Insurance Portability and Accountability Act Rules include “the lack of an analysis to determine risks and vulnerabilities to electronic protected health information across the organization, and the failure to enter into a business associate agreement with a subcontractor.”


CNIL assesses ‘strong impact’ of action plan on cookies

  • The Commission Nationale de L’informatique et des libertés, has said that its action plan on cookies “has a strong impact”.
  • The organization – which is France’s data protection authority – has claimed to have handed out eight sanctions between 2020 and 2022 related to cookies, making a total of EUR421 million.

EDPB finalizes guidelines on law enforcement’s biometric deployments

  • The EDPB has finalized its guidelines on the use of biometric technologies by law enforcement.
  • The board has said that the guidance highlights how facial recognition should “only be used in strict compliance with the Law Enforcement Directive” and only if “necessary and proportionate” in the context of the EU Charter of Fundamental Rights.
  • The EDPB further repeats its wish for a ban to be carried out on certain uses of facial recognition technology.

France’s constitutional court approves use of AI surveillance cameras for Olympics 

  • France’s Constitutional Court has ruled that the government can proceed with installing AI-powered surveillance cameras ahead of the 2024 Olympics in Paris.
  • In the decision, the court ruled that this installation did not erode privacy rights because human operators with “permanently control (…) the development, implementation and possible evolution of algorithmic processing”. 
  • The cameras will be trained to spot “suspicious behaviour” such as abandoned luggage or identify crowd stampedes.
  • The system would lawfully remain in place until March 2025.


Taiwan increases data breach fine

  • Taiwan has approved amendments to the Personal Data Protection Act’s financial penalty scheme for private entities that violate data security provisions.
  • The result is a new fine scale ranging between NTD20,000-2 million, according to the severity of the violation at hand.
  • Moreover, violations that do not rectify their shortcomings in a specified timeframe will be subjected to additional severe penalties ranging between NTD150,000 – 15 million, to be served on a case-by-case review.

Argentina’s AAPI publishes Annual Report 2022

  • Argentina’s data protection authority, the Agency of Access to Public Information, has published its Annual Report 2022 highlighting its accession to the Amending Protocol to Convention 108+, the only international instrument on the protection of personal data.
  • Argentina is the 23rd state to ratify the protocol.
  • The protocol requires 38 states’ ratification in order to enter into force.

Meta opposes Australian Privacy Act reforms for targeted advertising 

  • Meta has informed the Australian government that it “strongly opposes” Privacy act reforms that would hamper its ability to utilize direct marketing and targeted advertising.
  • To add, Meta opposes provisions that give citizens “an unqualified ‘opt out’ option” for personal advertising”, according to Melinda Claybaugh, Meta Global Privacy Policy Director.

United Kingdom

UK policing minister pushes for greater use of facial recognition

  • Chris Philips, policing minister for the UK, is pushing for facial recognition to be rolled out across police forces nationally.
  • This expansion would probably explore the “integration of this tech with police body-worn video”.
  • Last month, the Met police announced that it had conducted a review finding that the technology poses “no statistically significant bias in relation to race and gender”.
  • In 2020, appeal court judges ruled that previous trials by South Wales Police of facial recognition software were unlawful, although the force there continues to use the technology.

Google accused of illegally hoarding job candidates’ personal information for years

  • Google is under investigation by the UK ICO following complaints from a whistleblower who alleges it’s gHire recruitment system held onto personal details.
  • The personal details in case include names, phone numbers, emails, and CVs from applicants in the EU and UK from as far back as 2011.
  • If this is true, Google has failed to comply with the GDPR requirement for confidential and personal data to be erased as quickly as possible and within a maximum of one year.

UK biometrics, surveillance commissioner raises concerns over DPDI provisions

  • Fraser Sampson, the UK Biometrics and Surveillance Camera Commissioner has raised concerns around a lack of provisions for certain biometrics and “non-data protection issues” connected to public space surveillance within the Data Protection and Digital Information Bill.
  • Sampson says interim findings of an independent analysis he commissioned suggest that “they may be significant gaps were the Bill to proceed in its current form”.


More Posts

Send Us A Message