11 September 2018

Brexit, AI in law enforcement, and US Privacy Shield under threat…the summer was not quiet

Data Protection and Brexit

The Government will publish a technical notice on transfers of personal data later this year. Though it is hard to understand why, it appears the Government does not recognise that the UK having made the General Data Protection Regulation (GDPR) part of UK law in the 2018 Data Protection Act (DPA) means there should be no personal data issues post-Brexit. This is worrying, as it may mean other areas are similarly being looked at from a questionable perspective. Let us hope they are just being cautious and want the EU to issue an adequacy recognition, which, whilst welcome, is not essential to data transfers.

Big Data and Law Enforcement: Justice by Algorithm

The Durham Police Constabulary has been criticised by the UK Information Commissioner (ICO) after announcing the potential use of an artificial intelligence tool for identifying offenders eligible for a deferred prosecution program, called Checkpoint, aimed at discouraging criminality among offenders. The ‘Harm Assessment Risk Tool’ (HART) utilises an advanced machine learning algorithm to calculate the probability that an offender will reoffend within the next two years.

The chief constable defended the program, arguing that it would never replace custody officer decision-making and would ultimately serve a decision support function. The ICO points out that solely automated decision-making that leads to adverse outcomes is currently rarely used in law enforcement. There is considerable concern that widespread implementation of such systems, while potentially removing human bias, may implant other biases depending on the data used by the programs. Such concerns have prompted calls for new regulations to oversee big data analytics, especially when such analytics make important decisions about people’s lives.

Under the 2018 DPA organisations may not make a significant decision (one which significantly affects or produces an adverse legal effect on an individual) based solely on automated processing, unless required or authorised by law. In order for law enforcement to be compliant, they must inform individuals if such a decision is made about them. That individual then has 21 days to request either a review of the decision or that a new decision be made that is not based solely on automated means.

Data Breach Notifications Come to Canada

In Canada, the 2015 Digital Privacy Act amended the Personal Information Protection and Electronic Documents Act (PIPEDA) by creating a notice requirement for reporting data breaches. Pursuant to an Order made early this year, the reporting provision is set to come into effect on November 1st 2018.

Sections 10.1 and 10.2 of PIPEDA detail the notice requirements, and require the following steps be taken if a breach creates a real risk of significant harm to an individual:

  1. A report to the Office of the Privacy Commissioner of Canada,
  2. A notice to the affected individuals, and
  3. A notice to other organisations.

The report, provided by the affected organisation, must contain the following: circumstances of the breach, when it happened, the number of individuals affected, a description of the personal information subject to the breach, a description of the actions taken by the organisation to reduce the risk of harm to affected individuals, and a contact number/email at which the individual can obtain further information.

The notice must be given as soon as possible once the organisation identifies that the breach has occurred, and non-compliant organisations may face fines of up to $100,000, depending on the circumstances surrounding the offence. Furthermore, organisations must keep a record of every breach they become aware of, regardless of the size and impact, and must provide it to the Privacy Commissioner upon request.

The breach notification approach taken by Canada is similar to those seen in other Commonwealth jurisdictions. In Australia, the 2017 Privacy Amendment introduced an obligation to notify the Australian Information Commissioner, and affected individuals, when a data breach occurs that is likely to result in serious harm. Earlier this year, the New Zealand Parliament passed the Privacy Bill, which introduced a similar notification mandate. Both the Australian and New Zealand notifications require reports similar to those established in the Canadian legislation.

EU Parliament and the Privacy Shield

Members of the European Parliament’s Civil Liberties Committee (LIBE) have stated that the EU-US Privacy Shield, the agreement regulating flows of data between the EU and US, does not adequately protect EU citizens. A narrowly passed motion on July 5th, 2018 called for the agreement to be suspended by the European Commission if US data privacy law fails to comply with the GDPR by September 1st; we wait to see what happens.

The Privacy Shield, agreed in 2016, was established after a legal challenge invalidated its predecessor regulation, Safe Harbour, and is intended to provide essentially equivalent protection for EU resident data when transferred to the US. While deemed adequate during its first annual review last year, LIBE MEPs suggest a number of issues have yet to be resolved, including unfilled roles on the Oversight Board, certain executive orders issued by President Trump regarding immigration, and the lack of a permanent Privacy Shield ombudsman. They argue that failure to resolve these issues means the US has failed to comply with both the terms of Privacy Shield and GDPR.

LIBE Chairman Claude Moraes stated “it is up to US authorities to effectively follow the terms of the agreement, and for the Commission to take measures to ensure that it will fully comply with the GDPR.” LIBE also noted that Facebook and Cambridge Analytica, embroiled in a data privacy controversy since March, are still currently certified under the Shield agreement, and pressed American authorities on the need to investigate these companies without delay.

LIBE also warned that the CLOUD (Clarifying Lawful Overseas Use of Data) Act, a new American law requiring US companies to divulge data to US authorities even if stored overseas, may not comply with the GDPR.

Despite these criticisms, the Commission will be hesitant to suspend the heavily relied upon agreement, and may leave such deliberation to the Court of Justice of the EU (CJEU). However, as the Privacy Shield’s adequacy has been referred to the CJEU due to a privacy challenge regarding the lawfulness of data flows under both the Privacy Shield and Standard Contractual Clauses, a decision on the Privacy Shield’s future could be handed down within the year.

Butlin’s and Superdrug customers hit by data breaches

Butlin’s has revealed that the data of up to 34,000 guests may have been recently hacked. Whilst it appears that no payment details were affected, the personal data affected includes postal and email addresses, guest names and holiday arrival dates. It appears that the breach may have been caused by a member of staff inadvertently responding to a phishing email. It is understood that the breach was reported within 72 hours of its discovery, as required by the GDPR.

Soon after the announcement of the Butlin’s breach, the retailer Superdrug warned its customers of a possible data breach. Up to 20,000 customers who had purchased products online were warned that their names, addresses, dates of birth and bonus card balances may have been stolen. A preliminary investigation by the company’s IT security advisor has revealed that Superdrug’s own IT systems were not compromised, and that the hackers appear to have obtained the data from third-party platforms. The hacker then tried to extort a ransom from Superdrug.

Both of these data breaches highlight the need for ongoing staff training and the importance of continually monitoring security to identify any gaps that could make customers vulnerable.

Facebook refuses Subject Access Request

It has been reported that a researcher at University College London submitted a Subject Access Request (SAR) to Facebook on May 25th 2018 asking for all of the information held on his browsing behaviour and activities on Facebook. Facebook declined the request, stating that it would be too onerous to locate and identify the data. The SAR applicant has argued that such a response is unsatisfactory because the data could be used to infer his religion, sexual orientation or medical history, and so should be considered highly personal and sensitive data. The applicant has since made a complaint to the Irish Data Protection Commissioner, as Facebook’s European headquarters are located in Ireland. The applicant states that his “concerns have been triggered and exacerbated by the way in which the Facebook platform targets adverts in highly granular ways, and I wish to understand fair processing.” It is understood that the Irish Data Protection Commissioner has opened a statutory inquiry into the matter and that the case will likely be referred to the EU’s Data Protection Board.