ICO Fines “World’s Largest Facial Network”

The Information Commissioner’s Office has issued a Monetary Penalty Notice of £7,552,800 to Clearview AI Inc for breaches of the UK GDPR. 

Clearview is a US based company which describes itself as the “World’s Largest Facial Network”. It allows customers, including the police, to upload an image of a person to its app, which is then checked against all the images in the Clearview database. The app then provides a list of matching images with a link to the websites from where they came from. 

Clearview’s online database contains 20 billion images of people’s faces and data scraped from publicly available information on the internet and social media platforms all over the world. This service was used on a free trial basis by a number of UK law enforcement agencies. The trial was discontinued and the service is no longer being offered in the UK. However Clearview has customers in other countries, so the ICO ruled that is still processing the personal data of UK residents.

The ICO was of the view that, given the high number of UK internet and social media users, Clearview’s database is likely to include a substantial amount of data from UK residents, which has been gathered without their knowledge. It found the company had breached the UK GDPR by:

• failing to use the information of people in the UK in a way that is fair and transparent, given that individuals are not made aware or would not reasonably expect their personal data to be used in this way;
• failing to have a lawful reason for collecting people’s information;
• failing to have a process in place to stop the data being retained indefinitely;
• failing to meet the higher data protection standards required for biometric data (Special Category Data):
• asking for additional personal information, including photos, when asked by members of the public if they are on their database. This may have acted as a disincentive to individuals who wish to object to their data being collected and used.

The ICO has also issued an enforcement notice ordering Clearview to stop obtaining and using the personal data of UK residents that is publicly available on the internet, and to delete the data of UK residents from its systems.

The precise legal basis for the ICO’s fine will only be known when (hopefully not if) it decides to publish the Monetary Penalty Notice. The information we have so far suggests that it considered breaches of Article 5 (1^st and 5^th Principles – lawfulness, transparency and data retention) Article 9 (Special Category Data) and Article 14 (privacy notice) amongst others.  

Whilst substantially lower than the £17 million Notice of Intent, issued in November 2021, this fine shows that the new Information Commissioner, John Edwards, is willing to take on at least some of the big tech companies. 

The ICO enforcement action comes after a joint investigation with the Office of the Australian Information Commissioner (OAIC). The latter also ordered the company to stop processing citizens’ data and delete any information it held. France, Itlay and Canada have also sanctioned the company under the EU GDPR. 

So what next for Clearview? The ICO has very limited means to enforce a fine against foreign entities.  Clearview has no operations or offices in the UK so it could just refuse to pay. This may be problematic from a public relations perspective as many of Clearview’s customers are law enforcement agencies in Europe who may not be willing to associate themselves with a company that has been found to have breached EU privacy laws. 

When the Italian DP regulator fined Clearview €20m (£16.9m) earlier this year, it responded by saying it did not operate in any way that brought it under the jurisdiction of the EU GDPR. Could it argue the same in the UK, where it also has no operations, customers or headquarters? Students of our  UK GDPR Practitioner certificate course will know that the answer lies in Article 3(2) which is sets out the extra territorial effect of the UK GDPR:

This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:

1. the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
2. the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom. [our emphasis]

Whilst clearly Clearview (no pun intended) is not established in the UK, the ICO is of the view it is covered by the UK GDPR due to Article 3(2). See the statement of the Commissioner, John Edwards:

“Clearview AI Inc has collected multiple images of people all over the world, including in the UK, from a variety of websites and social media platforms, creating a database with more than 20 billion images. The company not only enables identification of those people, but effectively monitors their behaviour and offers it as a commercial service. That is unacceptable. That is why we have acted to protect people in the UK by both fining the company and issuing an enforcement notice.”

If Clearview does appeal, we will hopefully receive judicial guidance about the territorial scope of the  UK GDPR.   

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in July.

The Data Reform Bill: What changes can we expect to the UK GDPR?

Prince Charles has outlined the government’s priorities for the year ahead, as he delivered the Queen’s Speech. The speech highlighted some of the 38 laws that ministers intend to pass in the coming year. This includes a new Data Protection Reform Bill which is predicted to make sweeping changes to the UK GDPR. The draft bill will published this summer but you don’t have to look too far back for clues about its contents.

On 10th September 2021, the UK Government launched a consultation entitled “Data: A new direction” intended “to create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data.” Cynics will say that it is an attempt to water down the UK GDPR just a few months after the UK received adequacy status from the European Union. 

Back in May, the Prime Ministerial Taskforce on Innovation, Growth, and Regulatory Reform (TIGRR) published a 130-page report setting out a “new regulatory framework” for the UK. Saying that the current data protection regime contained too many onerous compliance requirements, it suggested that the government: 

“Replace the UK GDPR with a new, more proportionate, UK Framework of Citizen Data Rights to give people greater control of their data while allowing data to flow more freely and drive growth across healthcare, public services and the digital economy.” 

Many of the recommendations made in the TIGRR Report can be found in the latest consultation document. The government believes the reforms will benefit the U.K. economy, but should the reforms go too far, they could risk the U.K.’s adequacy status with the EU.

So what can we expect in the Data Reform Bill? Page 57 of the press briefing accompany the Queen’s Speech sets out the main elements of the Bill are:

• Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.

• Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.

• Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

At the very least we can expect the Accountability requirements to be relaxed as has been trailed in the Consultation document. The Government wants to allow data controllers to implementing a more “flexible and risk-based accountability framework”, which is based on privacy management programmes, that reflects the volume and sensitivity of the personal information they handle, and the type(s) of data processing they carry out.  To support the implementation of the new accountability framework we think the government will, amongst other things, remove the requirement to:

• Designate a data protection officer

• The requirement to undertake a data protection impact assessment

• Consult the ICO in relation to high-risk personal data processing that cannot be mitigated (Article 36)

• The record keeping requirements under Article 30

• The need to report a data breach where the risk to individuals is “not material”

Act Now will of course keep you informed about the proposed changes via this blog as well as our programme of GDPR workshops. Fasten your seatbelts!

Act Now Announces New EU GDPR Practitioner Certificate

Act Now is pleased to announce the launch of its new EU GDPR Practitioner Certificate course.

This new course is specially designed for Data Protection Officers and privacy practitioners, based in the EU and internationally, whose role involves advising on the EU GDPR and associated privacy legislation. The content of the course has been developed after analysing all the knowledge, practical skills and competencies required for the EU DPO to successfully navigate the European data protection landscape. 

This course builds on Act Now’s very popular UK GDPR Practitioner certificate course which has been attended by hundreds of DPOs throughout the UK and abroad since its launch in 2017.  Our teaching style is based on practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Personal tutor support throughout the course will ensure the best opportunity for success. Delegates will also receive a comprehensive set of course materials, including our very popular EU GDPR Handbook (RRP £34.99), as well as access to our online Resource Lab, which includes over 20 hours of videos on key aspects of the syllabus.

The EU GDPR Practitioner Certificate course takes place over four days (one day per week) and involves workshops, case studies and exercises. This is followed by a written assessment. Delegates are then required to complete a practical project (in their own time) to achieve the certificate. Whether delivered online or in the classroom, delegates will receive all the fantastic features of the course specifically tailored for each learning environment. 

The EU GDPR Practitioner Certificate course builds on Act Now’s track record for delivering innovative and high quality practical training for information governance professionals:

• In December 2012 we were the first company in the UK to launch a dedicated Freedom of Information qualification for the Scottish public sector. 
• In April 2014 we launched the highly successful Data Protection Practitioner Certificate, the first course to teach essential knowledge and practical DPO skills. 
• In May 2016 we launched the Foundation Certificate in Information Governance. This was the first fully online certificated course covering data protection, information security, freedom of information and records management.
• In December 2016  we launched the GDPR Practitioner Certificate, now one of the UK’s leading DPO qualifications. 
• In December 2018, we launched the FOI Practitioner Certificate, the first such course to use modern assessment methods rather than rote learning.
• In April 2020, at the start of the Pandemic, we launched our new online GDPR Practitioner Certificateto enable DPOs working from home to gain a qualification.
• In November 2020, we launched of the Advanced Certificate in GDPR Practice which is the first advanced qualification specifically designed for DPOs.
• In November 2021 we won the Information and Records Management Society (IRMS) Supplier of the year award. 

The course director for the EU GDPR Practitioner Certificate, Ibrahim Hasan, says:

“We have looked at every aspect of this course to ensure it equips EU Data Protection Officers with the knowledge and skills they need to implement the EU GDPR in a practical way. Because of its emphasis on practical skills, and the success of our UK GDPR Practitioner certificate course, we are confident that this course will become the qualification of choice for current and future EU Data Protection Officers.”

New Isle of Man GDPR Practitioner Certificate

Act Now is pleased to announce the launch of its new Isle of Man GDPR Practitioner Certificate course.

This new course is specially designed for Data Protection Officers and privacy practitioners, based in the Isle of Man and internationally, whose role involves advising on the GDPR as applies to the Isle of Man(the Applied GDPR) and associated privacy legislation. The content of the course has been developed after analysing all the knowledge, practical skills and competencies required for the DPO to successfully navigate the IoM data protection landscape. 

This course builds on Act Now’s very popular UK GDPR Practitioner certificate course which has been attended by hundreds of DPOs throughout the UK and abroad since its launch in 2017.  Our teaching style is based on practical and engaging workshops covering theory alongside hands-on application using case studies that equip delegates with knowledge and skills that can be used immediately. Personal tutor support throughout the course will ensure the best opportunity for success. Delegates will also receive a comprehensive set of course materials, including our very popular Isle of Man GDPR Handbook (RRP £54.95),as well as access to our online Resource Lab, which includes over 20 hours of videos on key aspects of the syllabus.

The Isle of Man GDPR Practitioner Certificate course takes place over four days (one day per week) and involves workshops, case studies and exercises. Delegates are then required to complete a practical project (in their own time) to achieve the certificate. Whether delivered online or in the classroom, delegates will receive all the fantastic features of the course specifically tailored for each learning environment. 

The Isle of Man GDPR Practitioner Certificate course builds on Act Now’s track record for delivering innovative and high quality practical training for information governance professionals:

• In December 2012 we were the first company in the UK to launch a dedicated Freedom of Information qualification for the Scottish public sector. 
• In April 2014 we launched the highly successful Data Protection Practitioner Certificate, the first course to teach essential knowledge and practical DPO skills. 
• In May 2016 we launched the Foundation Certificate in Information Governance. This was the first fully online certificated course covering data protection, information security, freedom of information and records management.
• In December 2016  we launched the GDPR Practitioner Certificate, now one of the UK’s leading DPO qualifications. 
• In December 2018, we launched the FOI Practitioner Certificate, the first such course to use modern assessment methods rather than rote learning.
• In April 2020, at the start of the Pandemic, we launched our new online GDPR Practitioner Certificateto enable DPOs working from home to gain a qualification.
• In November 2020, we launched of the Advanced Certificate in GDPR Practice which is the first advanced qualification specifically designed for DPOs. 
• In November 2021 we won the Information and Records Management Society (IRMS) Supplier of the year award for 2021.

The course director for the Isle of Man GDPR Practitioner Certificate course, Ibrahim Hasan, says:

“With its emphasis on practical skills we are confident that this course will become the qualification of choice for current and future IoM Data Protection Officers. We have looked at every aspect of this course to ensure it equips Isle of Man Data Protection Officers with the knowledge and skills they need to implement the Applied GDPR in a practical way.”

Three New GDPR Workshops from Act Now Training

Act Now Training is pleased to announce three new additions to our GDPR workshop series. 

Data ethics is increasingly relevant to the role of information professionals. Just because the processing of personal data is lawful does not make it fair or ‘ethical’. And indeed, where something is fair it does not always mean it is lawful. Whilst the UK GDPR gives us some structure for working out what is a fair and proportionate use of personal data (and thus ethical), there can be a wide range of issues outside of the law to consider.  

Our Data Ethics workshop will explore what the term ‘Data Ethics’ actually means, the role it plays in the use of personal data (and indeed other data) and what practical steps information professionals can take to embed and promote data ethics within their organisations. From how to consider data ethics in DPIAs and sharing requests, through to embedding a practical data ethics framework in your organisation, we will pose questions, share experiences and best practice and where to find further guidance and support. 

A subject which has many ethical considerations is the use of Artificial Intelligence (also known as AI) and Machine Learning. AI is not coming; it is here. Whether ordering a taxi or submitting your tax return, AI is operating in the background. AI and Machine Learning have the capacity to improve our lives but, like all technologies, they have the potential to ruin lives too.  

Our new workshop, How to implement Good Information Governance into Artificial Intelligence & Machine Learning Projects, will explore exactly what ‘AI’ and ‘Machine Learning’ are and how they are starting to appear in the working environment. We will also explore the common challenges that these present focussing on GDPR as well as other information governance and records management issues.  Delegates will leave the workshop with practical ideas for how to approach Machine Learning and AI as well as awareness of key resources, current best practice and how they can keep up to date about a fast-developing area of technology. Think that AI is something for future generations to deal with? This workshop will make you think again!

The concepts of controller, joint controller and processor play a crucial role in the application of GDPR. They determine who is responsible for compliance with different data protection rules and how data subjects can exercise their rights in practice.  The precise meaning of these concepts and the criterion for their correct interpretation is the subject of much confusion. Incorrect interpretation can lead to the wrong allocation of data protection responsibilities leading to disputes when things go wrong. 

Our new workshop, Data Controller, Processor or Joint Controller: What am I?, will help both controllers and processors to understand their responsibilities and liabilities under GDPR and how to structure their relationships. This interactive workshop will explain the key differences between data controllers, joint controllers and data processors and what the roles and responsibilities are for each. By the end of this workshop, delegates will gain the confidence to decide on what an organisation’s role is under GDPR and how to manage the different relationships.

At Act Now we are always keen to hear from information governance professionals. If you have ideas for new workshops, or are interested in running one, please get in touch.

Google Analytics and GDPR Compliance: What next?

Google Analytics is a popular tool used by website owners across the world to observe and measure user engagement. In February 2022, the French Data Protection Regulator, CNIL, ruled that use of Google Analytics was a breach of GDPR. This followed a similar decision by Austrian Data Protection Authority in January. 

Is a website owner processing personal data by making use of Google Analytics? On the face of it, the answer should be no. Google Analytics only collects information about website visitors, such as which pages they access and where they link from. The website owners do not see any personal data about visitors. However, Google does assign a unique user identification number to each visitor which it can use to potentially identify visitors by combining it with other internal resources (just think of the vast amount of information which is collected by Google’s other services). 

The fact that the above mentioned French and Austrian decisions ruled that analytics information is personal data under GDPR does not in its itself make the use of Google Analytics unlawful. Of course website owners need to find a GDPR Article 6 condition for processing (Lawfulness) but this is not an insurmountable hurdle. Legitimate interests is a possibility although the UK Information Commissioner’s Office (ICO) holds the view that use of analytics services is not “strictly necessary” in terms of the PECR cookie rules and its own cookie banner, adopts the express consent approach.  

A bigger obstacle to the use of Google Analytics in Europe is the fact that website users’ personal data is being passed back to Google’s US servers. In GDPR terms that is a “restricted transfer” (aka international transfer). Following the judgment of the European Court of Justice (ECJ) in “Schrems II”, such transfers have been problematic to say the least.  In Schrems, the ECJ concluded thatorganisations that transfer personal data to the USA can no longer rely on the Privacy Shield Framework. They must consider using the Article 49 derogations or standard contractual clauses(SCCs). If using the latter, whether for transfers to the USA or other countries, the ECJ placed the onus on the data exporters to make a complex assessment about the recipient country’s data protection legislation, and to put in place “additional measures” to those included in the SCCs. The problem with the US is that it has stringent surveillance laws which give law enforcement agencies access to personal data without adequate safeguards (according to the ECJ in Schrems).

In France, the CNIL has ordered the website which was the subject of its ruling about Google Analytics to comply with the GDPR and “if necessary, to stop using this service under the current conditions”, giving it a deadline of one month to comply. The press release, announcing the decision, stated:

“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services.”

“There is therefore a risk for French website users who use this service and whose data is exported.”

The CNIL decision does leave open the door to continued use of Google Analytics but only with substantial changes that would ensure only “anonymous statistical data” gets transferred. It also suggests use of alternative toosl which do not involve a transfer outside the EU. Of course the problem will be solved if there is a new agreement between the EU and U.S. to replace the Privacy Shield. Negotiations are ongoing.

In the meantime, what can UK based website owners do. Should they stop using Google Analytics? Some may decide to adopt a “wait and see” approach. The ICO has not really shown any appetite to enforce the Schrems decision concentrating instead on alternative transfer tools including International Data Transfer agreement which comes into force tomorrow. Perhaps a better way is to assess which services, not just analytics services, involve transfers to the US and switch to EU based services instead.  

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop on Wednesday. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in April.

https://www.actnow.org.uk/advancedcert

The New Isle of Man GDPR Handbook

Act Now Training is pleased to announce the launch of the new Isle of Man GDPR Handbook. The handbook is designed for data protection practitioners and legal advisers who require a reference guide to the Isle of Man Data Protection regime. It has been published following the success of the Act Now UK GDPR and EU GDPR handbooks.

The IoM GDPR handbook sets out the full text of the EU GDPR as it applies to the Isle of the Man (Applied GDPR) together with cross referenced recitals. Isle of Man specific amendments, insertions and deletions are clearly indicated to allow users to easily identify what has been changed from the original EU text. Relevant provisions of the Implementing Regulations have been included where they contribute to the further understanding of the Applied GDPR. Guidance from the Isle of Man Information Commissioner and the European Data Protection Board is also signposted to assist users when interpreting the legislation. 

Ibrahim Hasan, the editor of the IoM GDPR Handbook, said:

“I am really pleased with the publication of the Isle of Man GDPR Handbook. We wanted to fulfil the need of data protection practitioners in the Ise of Man to have access to a clear and easy to follow publication to help them navigate their way around this complex legislation.”

Isle of Man delegates who book our new IoM GDPR Practitioner Certificate course will receive a complimentary copy of this handbook as part of their course materials. 

EARLY BIRD DISCOUNT

The RRP of the Isle of Man GDPR handbook is £54.99 (plus postage and packing). There is an early bird discount of 15% off the RRP until 3pm on 17^th March 2022. Please quote the discount code “IoM15” when placing your order here. 

Act Now in Dubai

Last week the Act Now team returned from a trip to the United Arab Emirates to promote our Middle East training programme. It was a great opportunity to better understand the UAE privacy framework and the needs of businesses faced with the challenge of implementing new laws (as well as get some sun!) 

The Middle East is fast catching up with Europe when it comes to data protection law.
The UAE recently enacted a federal law to comprehensively regulate the processing of personal data in all seven emirates. This will sit alongside current data protection laws regulating businesses in the various financial districts such as the Dubai International Financial Centre (DIFC) Data Protection Law No. 5 of 2020 and the Abu Dhabi Global Market (ADGM) Data Protection Regulations 2021. In addition there are a number of sector specific laws in the UAE which address personal privacy and data security.
Saudi Arabia, Bahrain and Qatar also now have comprehensive data protection laws. 

Whilst in Dubai we met with a number of potential clients, consultancies and law firms specialising in data protection. It was a great opportunity to discuss the changing privacy landscape and how Act Now can assist in developing the understanding of the legislation and its practical implementation. We had some interesting discussions about the changing privacy attitudes around the world, the power of Big Tech and increasing use of AI. 

We also had meetings with data protection regulators in Dubai and Abu Dhabi. We were impressed by their commitment to educating businesses about the new laws and their practical advice to reduce the burden of implementation. They emphasised the importance of embedding a privacy culture in organisations and an understanding of the UAE laws as standalone privacy laws and not just “importing of GDPR”. A special thank you to Lori Baker at the DIFC and Sayid Madar at the ADGM for taking time out of their busy schedules to meet us.  

During our last trip to Dubai in 2018 there was very little awareness of data protection law amongst businesses and compliance seemed to be geared around GDPR. This time on our travels (and shopping trips) we certainly noticed a more serious attitude amongst larger businesses to try and get data protection right. We saw  privacy notices in most official forms, CCTV signs in malls and even a privacy notice recording when ringing our hotel.  

The introduction and/or revision of privacy law in the Middle East is an important development which further proves that data protection is a truly global issue.
Many organisations may need to appoint a Data Protection Officer as part of the new legal framework. Even where they do not need a DPO they will certainly need someone to drive forward compliance and liaise with regulators. This opens up opportunities for UK and EU Data Protection professionals especially as the new laws have some alignment with  the EU General Data Protection Regulation (GDPR)  and the  UK GDPR. 
 

These are exciting times for data protection professionals. For those seeking a fresh new challenge and the opportunity to spread the data protection message to new jurisdictions, now is the time to brush up on Middle East data protection laws. See photos of our trip below. Sun, sea and subject access awaits! 

Cabinet Office Receives £500,000 GDPR Fine

The Information Commissioner’s Office (ICO) has fined the Cabinet Office £500,000 for disclosing postal addresses of the 2020 New Year Honours recipients online.

The New Year Honours list is supposed to “recognise the achievements and service of extraordinary people across the United Kingdom.” However in 2020 the media attention was on the fact that, together with the names of recipients, the Cabinet Office accidentally published their addresses; a clear breach of the General Data Protection Regulation (GDPR) particularly the sixth data protection principle and Article 32 (security).

The Honours List file contained the details of 1097 people, including the singer Sir Elton John, cricketer Ben Stokes, the politician Iain Duncan Smith and the TV cook Nadiya Hussain. More than a dozen MoD employees and senior counter-terrorism officers as well as holocaust survivors were also on the list which was published online at 10.30pm on Friday 26^th December 2019. After becoming aware of the data breach, the Cabinet Office removed the weblink to the file. However, the file was still cached and accessible online to people who had the exact webpage address.

The personal data was available online for a period of two hours and 21 minutes and it was accessed 3,872 times. The vast majority of people on the list had their house numbers, street names and postcodes published with their name. One of the lessons here is, always have a second person check the data before pressing “publish”.

This is the first ever GDPR fine issued by the ICO to a public sector organisation. A stark contrast to the ICO’s fines under the DPA 1998 where they started with a local authority. Article 82(1) sets out the right to compensation:

“Any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

It will be interesting to see how many of the affected individuals pursue a civil claim. 

(See also our blog post from the time the breach was reported.)

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a one place left on our Advanced Certificate in GDPR Practice course starting in January.

Footballers’ Personal Data: Ibrahim Hasan’s BBC Interview

On Tuesday there was an interesting story in the media about a group of footballers threatening legal action and seeking compensation for the trade in their personal data. 

The use of data is widespread in every sport. It is not just used by clubs to manage player performance but by others such as betting companies to help them set match odds. Some of the information may be sold by clubs whilst other information may be collected by companies using public sources including the media.

Do footballers have rights in relation to this data? Can they use the GDPR to seek compensation for the use of their data?

On Tuesday, Ibrahim Hasan gave an interview to BBC Radio 4’s (PM programme) about this story. You can listen below:

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We have a few places left on our Advanced Certificate in GDPR Practice course starting in November.