ICO issues guidance on workplace coronavirus testing

It has been 64 days since the UK officially went into lockdown due to the COVID-19 crisis, with many ‘non-essential’ workers vacating their workplace. In preparation for sending the UK back to work, the Information Commissioner’s Office (ICO) has issued FAQ-style guidance to assist employers wishing to track and test employees’ symptoms (available here).

Health data is ‘special category data’ under the General Data Protection Regulation (GDPR) and is therefore subject to greater restrictions. Nonetheless, the ICO makes it clear that data protection law does not prevent employers from taking necessary steps to ensure the safety of staff and the public, provided that personal data is handled responsibly and carefully in accordance with the law.

The guidance covers the following specific activities:

  • Testing employees for symptoms of COVID-19
  • Compiling lists of employees with symptoms or positive diagnoses
  • Disclosing positive cases to other employees
  • Using temperature checks or thermal cameras in the workplace

Key considerations for businesses in the Asia-Pacific region managing data privacy risks

Company investigations (whether self-initiated or required by regulators) generally require the collection, review, and analysis of data to identify documents and other materials that are relevant to the investigation. An investigation may result in the need to access sensitive personal data or, frequently, involve the review of other materials that happen to include personal data even when such personal data is not relevant to the investigation.

Given the diversity of data protection and privacy laws in the Asia-Pacific region and the consequences from violating such laws, companies should consider developing a strategy to manage data risks before conducting corporate investigations.

Our recent client alert will provide you with the key considerations for managing data privacy risks when conducting corporate investigations in the Asia-Pacific region.

The Commission’s eHealth Network looks to develop the interoperability framework for contact tracing apps

On 13th May, the European Commission’s eHealth Network published its interoperability guidelines for approved contact tracing mobile applications in the EU, guiding developers when designing and implementing applications and backend solutions to ensure efficient tracing of cross-border infection chains. These guidelines follow up on the network’s ‘Common EU Toolbox for Member States’ on mobile applications to support contact tracing in the EU’s fight against COVID-19, published on 15th April.

Why are interoperable apps considered important in the fight against COVID-19? It is almost inevitable that in today’s day and age we would look to technology to be part of the solution. The hope is that interoperable apps will facilitate the tracing of cross-border infection chains, which is particularly valuable for cross-border workers, tourism, business trips and neighbouring countries.

No, we haven’t forgotten about Brexit: UKTF publishes a draft agreement for the future EU-UK partnership

On 18 March, the Task Force for Relations with the United Kingdom (UKTF) of the European Commission published its Draft Text of the Agreement on the New Partnership with the United Kingdom (Draft Agreement). It translates the negotiating directives, approved by Member States, into a legal text, in line with the Political Declaration agreed between the EU and the UK. The Draft Agreement was sent to the UK following consultation with the European Parliament and the Council of the European Union, and aims to provide a tool to support the negotiations and enable progress with the UK’s relationship with the EU.

The Draft Agreement covers all areas of the negotiations. Most importantly for us, the Draft Agreement includes provisions around the digital economy and data protection. These draft provisions ensure that the parties commit to a high level of data protection and recognise the importance of promoting and protecting the fundamental rights of privacy and data protection. The parties also agree to cooperate (as much as national laws permit) at bilateral and multilateral levels, which may include dialogue, exchange of expertise, and cooperation on enforcement with respect to personal data protection.

The 7-Step Ad Tech Guide – New guidance issued by industry bodies on programmatic advertising

The Data & Marketing Association and the Incorporated Society of British Advertisers have published a “Seven-Step Ad Tech Guide” (the Guide) to help address the privacy challenges of Real Time Bidding (RTB) in programmatic advertising.

RTB is an automated auction process that allows advertising space to be bought and sold on a per-impression basis. When a user visits a publisher’s property (usually a website or app), this triggers a bid request that usually contains personal data (such as the user’s demographic information, browsing history, location and the page being loaded). The bid request goes from the publisher’s property to an ad exchange. It is then submitted to multiple advertisers who can automatically submit bids to place their adverts on the publisher’s property so that it can be viewed by the user in real time, and the ad impression goes to the highest bidder.

As the provision of targeted, personalised advertising through RTB relies on the use of personal data (particularly as more detailed bid requests are deemed to be more attractive to advertisers), various data protection issues and challenges arise in relation to RTB, which have concerned the UK’s Information Commissioner’s Office (ICO).

The Guide was produced in consultation with the ICO and seeks to address concerns that the ICO identified in its investigation into RTB and the ad-tech industry. The ICO announced in early May that this investigation is currently on hold during the COVID-19 pandemic, but it plans to restart work in the coming months as its concerns about ad-tech remain.

Singapore proposes significant changes to its data protection law

The Personal Data Protection (Amendment) Bill 2020 (the Bill) was published today for public consultation.

Key amendments proposed in the Bill include:

  1. Increased financial penalties for breaches of the Personal Data Protection Act (the Act) of up to 10 per cent of annual gross turnover in Singapore or S$1 million, whichever is higher.
  2. Mandatory data breach notification to Singapore’s Personal Data Protection Commission (the Commission) and affected individuals.
      • The timeline for notifying the Commission has been tweaked to within three calendar days from the day an organisation assesses that a breach is notifiable (this was previously 72 hours).
      • There will be regulations to prescribe the categories of personal data which, if compromised in a data breach, will be considered likely to result in significant harm to the individuals affected.
      • The exceptions to notifying affected individuals are: (a) where remedial actions have been taken; or (b) where the personal data is subject to technological protection measures (e.g., encryption), such that the breach is unlikely to result in significant harm to the affected individuals.
      • Please also refer to our earlier client alert here.

Digital contact tracing and coronavirus: The Council of Europe’s take

The chair of the Council of Europe’s data protection ‘Convention 108’ committee, Alessandra Pierucci, and the Council of Europe Data Protection Commissioner, Jean-Philippe Walter, have recently released a joint statement on digital contact tracing in the fight against coronavirus.

Digital contact tracing is being used in many countries to help control the spread of coronavirus by alerting individuals that may have come into contact with an infected person. The UK government is gearing up to deploy its contact tracing app within the next few weeks (it is currently being tested on the Isle of Wight), which could help lift the lockdown measures further. However, as highlighted by the joint statement, it is crucial to ensure that the necessary data protection safeguards are implemented when adopting extraordinary measures to protect public health.

Seventh Circuit’s ruling in beer king’s dispute trumpets a cautionary note for false advertising claims between competitors

The Seventh Circuit’s recent decision on May 1, 2020 in the hotly contested dispute between Molson Coors Beverage Company USA LLC (Molson Coors) (maker of Miller Lite and Coors Light beers) and Anheuser-Busch Companies LLC (Anheuser-Busch) (maker of Bud Light beers) sounds a cautionary note for future parties contemplating a false advertising claim – look at yourself before judging others. Molson Coors Beverage Company USA LLC v. Anheuser-Busch Companies LLC, 2020 WL 2097557, — F.3d —- (May 1, 2020).

Read more about this case in our recent client alert.

EU Blockchain Observatory and Forum explores the convergence of blockchain, AI, and the IoT

The European Union Blockchain Observatory and Forum, on 21 April, published a report examining how blockchain can be combined with two other important emerging technologies – the Internet of Things (IoT) and artificial intelligence (AI) – to complement each other and build new kinds of platforms, products, and services.

The report first looks at the interplay of blockchain with the IoT, addressing how blockchain can aid its functioning by providing a decentralised platform to the otherwise centralised approach of the IoT. This centralisation poses a number of challenges while monitoring, controlling, and facilitating communication between the millions of heterogeneous devices. The report highlights how blockchain can provide a more robust, more scalable, and more direct platform to overcome these challenges.

The report similarly delves into the potential relationship between blockchain and AI. It explains some concerns surrounding AI, like how it is currently concentrated in the hands of a few large companies due to the high cost of gathering, storing, and processing the large amounts of data, as well as engaging AI experts. It then illustrates how blockchain can mitigate such concerns so that access to AI models is more readily available to individuals and small companies.

EDPB’s new guidelines relieve concerns over processing health data for scientific research

The novel coronavirus pandemic has created an immediate and immense need for scientific research. Amid this urgency, the European Data Protection Board (EDPB), during its twenty-third plenary session held on April 21, adopted guidelines to shed light on legal questions concerning the use of health data (pursuant to article 4(15) of the General Data Protection Regulation (GDPR)) for such research purposes.

The guidelines reiterate that data protection rules do not hinder measures taken to combat the coronavirus outbreak and in fact provide special rules for the processing of health data for the purpose of scientific research (for instance, in article 9(2)(j) and article 89(2)) that will be applicable in the current crisis.

Data controllers and processors must respect the data protection principles set out in article 5 of the GDPR, and all processing of health data must comply with one of the legal grounds and the specific derogations listed respectively in articles 6 and 9 of the GDPR for the lawful processing of this special category of data. The guidelines specifically address the rules concerning consent and respective national legislation. They also spell out the important aspects of the article 5 principles.
