Biometrics, codes, certification and post-Brexit trends



As PL&B’s contribution to European Data Protection Day, our first event of 2020 is “Balancing privacy with biometric techniques in a commercial context”, a one-day roundtable in London on 29 January. Very few places remain if we are all to actually fit around the table. Participants will share examples of the introduction of biometric identification in companies while attempting to achieve a balance with privacy principles and the law.

By attending this event you will be in a much more secure position to assess the risks and gain insights to organise a credible Data Protection Impact Assessment. You will become confident that you will be closer to achieving a defensible balance between introducing and/or deploying biometric identification techniques and the privacy values your staff, customers, shareholders and regulators expect.

The ICO is planning to produce guidance on the processing of biometric data (p.15) following the publication of its Opinion on facial recognition (PL&B UK Report November 2019 p.8). We will pass on the conclusions of the group and any recommendations to the ICO.

Codes and certification

Codes of conduct (p.1) and certification schemes (p.7) are now gathering pace and are expected to start to become commonly used forms of co-regulation this year. While both are recognised as useful instruments to demonstrate GDPR accountability, they could provide a useful bridging mechanism for Data Protection Officers in the UK who want and need their companies to comply with both the Data Protection Act 2018 and the GDPR.

PL&B will continue to monitor the ICO’s certification programme and has put several questions to the ICO, for example:

  1. When will the UK Accreditation Service (UKAS) start accrediting certification bodies?
  2. What will be the stages of the accreditation process?
  3. How long does the ICO expect the application and accreditation process to take?
  4. What will be the ICO’s continuing oversight and policy roles?
  5. Regarding the scope of a certification process, and appreciating that the certification process will be a learning curve for all parties, what will be the first types of certification schemes to be published by the ICO and when?

If you have questions which you would like PL&B to put to the ICO and/or UKAS on a named or anonymous basis, please send them to info@privacylaws.com.

Reciprocal recognition of data adequacy between the UK and the EU

There is a strong commercial incentive towards reciprocal recognition of data adequacy between the UK and the European Union, so codes of conduct and certification schemes could play a useful role for some highly regulated sectors as an adjunct to the law.

But would the UK government in its first flush of enthusiasm to negotiate trade deals with countries outside the EU go so far as to align itself with the APEC Cross-Border Privacy Rules (CBPRs)? To do so would set up a two-tier system with some personal data being transferred abroad using recognised EU instruments, such as Standard Contractual Clauses, and others in conformity with the much looser CBPRs.

Choosing the less rigorous option may appeal to UK policy makers using the argument that it would encourage faster growth of innovative products and services. But this path is only superficially attractive because sentiment against profligate use of personal data in adtech (p.21) and AI (p.15) directed “smart” gadgets and services might lead to a reduction in support for some tech companies’ products and services when they abuse people’s trust.

There is no doubt that the fast growth of many state privacy laws in the United States in a race to catch up with California (PL&B International Report p.1) reflects a trend towards greater privacy protections and disenchantment to some extent with the exploitation of personal data for commercial purposes. In many states, sentiment in the state congresses is to compare privacy law in the US unfavourably with that in Europe. It would be ironic if the UK government weakened its stance on privacy at the very time when it is firming up in the US.

By the time of the March edition of PL&B UK Report, the way ahead for data protection post-Brexit should be clearer.

Regards,

Stewart Dresner, Publisher

 


UK Report 107

Lead story:

The ICO urgently needs enhanced confiscation powers

Personal data can be laundered like money, so the ICO is seeking powers under the Proceeds of Crime Act. By Paul May of WebXray.

Contents also include:

  • Comment: End of an era: What’s next for UK data protection?
  • Codes of Conduct under the GDPR: Business opportunities?
  • Privacy preferences tool developed for health care
  • Protecting children online: Content, age and responsibility
  • EU Council publishes position on the application of the GDPR
  • Territorial scope and the GDPR: When does it apply?
  • Right to be forgotten: EU court limits the right to de-referencing
  • How compliant can you be in the ad tech industry?
  • ICO’s certification scheme closer
  • Scottish Parliament progresses Biometrics Commissioner Bill
  • Steve Wood appointed as Chair of the OECD privacy working party
  • Privacy International challenges government Amazon/Alexa deal
  • ICO delays BA, Marriott fines
  • New Year Honours data breach
  • ICO launches AI consultation
  • ICO guidance: Special category data
  • ICO issues draft direct marketing code
  • EU Commission task force hopeful for UK adequacy by end of the year