United Kingdom
Apple takes legal action in UK data privacy row
- In January, the UK government demanded access to Apple’s user data encrypted by the Advanced Data Protection (ADP) feature, citing national security concerns. One month later, Apple decided to remove the data security tool from the UK market rather than comply with the notice.
- Apple is now reportedly taking legal action to overturn the demand, appealing to the Investigatory Powers Tribunal, an independent court with the power to investigate claims against the Security Service.
- It is the latest development in an unprecedented row between one of the world’s biggest tech firms and the UK government over data privacy. Apple said at the time that it would never compromise its security features, and it was disappointed at having to take the action in the UK.
- The dispute has had repercussions in the US, with US head of intelligence Tulsi Gabbard claiming it is an “egregious violation” of US citizens’ rights to privacy. Gabbard also stated that she intended to find out whether it breached the terms of a legal data agreement between the US and the UK.
- The ICO has announced three investigations looking into how platforms TikTok, Reddit and Imgur protect the privacy of their child users in the UK.
- The investigation into TikTok considers how the platform uses personal information of 13-17-year-olds in the UK to make recommendations to them and deliver suggested content to their feeds. This is due to growing concerns about how content recommendation systems could lead to young people being served inappropriate or harmful content.
- The investigations into Imgur and Reddit consider how the platforms use age assurance measures to verify or estimate a child’s age, which then allow services to be tailored to their needs or access to be restricted.
- At this stage, the ICO is investigating whether there have been any infringements of data protection legislation. If there is sufficient evidence of non-compliance, the ICO will bring it forward to the organisations and obtain their representations before reaching a conclusion.
United States
Deafening Commission silence with no credible EU-US data oversight left
- The Trump administration is on its way to abandoning the US side of the EU-US Data Protection Framework (DPF) by attacking the judiciary and independent agencies in the US government, in addition to pushing Democrats out of at least three of the five institutions that ensure US compliance with the DPF.
- The current DPF relies on a Biden-era Executive Order establishing oversight and redress mechanisms. Its main body is the Privacy and Civil Liberties Oversight Board (PCLOB), which is complemented by a Civil Liberties Protection Officer (CLPO) for internal oversight and a Data Protection Review Court (DPRC) as an appeal body.
- Trump ignited concerns over the DPF by firing non-Republican members from the PCLOB, leaving the five-person board with only one Republican, short of the three needed for it to formally make decisions. Members of the DPRC are also either resigning in protest or being pushed out, as part of a wider trend of the Trump administration’s mass firing of federal workers.
- It is possible that Trump may simply revoke the Executive Order on which the DPF is based. Immediately after taking office, he ordered a review of all Biden national security decisions within 45 days (a period that ended on 6th March). Although a repeal of the order would not automatically kill the DPF, it would force the EU to annul it.
- 19 Members of the European Parliament have called on the European Commission to address whether the DPF is still viable. The Commission has until 19th March to respond in writing.
Europe
Voss and Schrems team up to propose three-layered GDPR revision
- Member of the European Parliament Axel Voss and privacy activist Max Schrems have jointly proposed a three-layer targeted revision of the GDPR to differentiate big and small firms.
- In the proposed regime, the legal burden of GDPR compliance would be adjusted by the size of the company, akin to how the Digital Services Act singles out very large online platforms (VLOPs) for higher scrutiny.
- This would consist of three different layers: a) a “mini-GDPR layer” covering around 90% of businesses, with simplified transparency and no need for data protection officers; b) a “normal GDPR layer” maintaining most existing rules and applicable to companies that process sensitive personal data or operate at a larger scale; and c) a “GDPR plus layer” covering VLOPs and companies whose business model is built fundamentally on the processing of personal data, like advertisers, subject to mandatory external audits.
- Although the current “one size fits all” approach of the GDPR raises questions about the Regulation’s real effectiveness, several objections were raised with worries that reopening the GDPR could jeopardise its accomplishments. A significant concern is that reopening discussions could open the door to lobbyists to water down current obligations.
- Another point of contention is that, given the GDPR’s strong Brussels effect, reopening it would risk jeopardising international privacy standards as well as other interacting digital laws. According to this argument, the GDPR has provided an element of stability that should not be challenged at a moment when the enforcement of EU digital laws is being openly chastised by the US administration and major tech companies.
What consequences will the EU entry/exit system have on travellers?
- On 5th March, European ministers gave the go-ahead for the gradual launch of the EU’s digital border management system, known as the entry/exit system (EES), which will register the biometric data of non-European visitors on arrival. Third-country nationals will need to scan their fingerprints and have a photograph of their face taken when arriving in the European Union.
- According to Magnus Brunner, European Commissioner for Home Affairs and Migration, the EES would make it possible to strengthen “the effectiveness of border controls,” to “detect and prevent crime and terrorist acts” and to “combat illegal migration.”
- The upcoming launch, scheduled for this autumn, is raising concerns about data protection. More specifically, the processing of biometric data may widen the power imbalance between data subjects and the state.
- People of colour are particularly vulnerable, as research has shown that biometric processing does not work as well for them. In addition, there’s no age limit for the facial images, meaning children under 12 would also be subject to the processing.
International
Notes from the Asia-Pacific region: AI, data landscape ‘evolving rapidly’
- Some significant advancements are taking place in artificial intelligence and data regulation across Asia.
- At the end of February, Japan’s Cabinet approved the Bill on the Promotion of Research, Development, and Utilization of Artificial Intelligence-Related Technologies, which is now expected to pass in Parliament. A major feature of the Japanese Bill is that it does not define high-risk AI applications or impose specific penalties. This is part of an intentionally balanced approach to avoid excessive regulation that could stifle innovation.
- In China, AI is expected to remain a key focus as the National People’s Congress’ Two Sessions – the country’s most significant annual policy summit – kicked off in Beijing on March 5th, bringing together lawmakers and top advisors to shape economic and social policies for the year ahead.
- The Chinese government is committed to integrating AI with its industrial and market strengths, expanding AI applications in connected renewable vehicles, smartphones, computers, and robotics.
- While these regulatory changes present significant opportunities, businesses must stay vigilant. The AI and data landscape in the APAC region is evolving rapidly, requiring companies to track developments and adapt compliance strategies accordingly.