
This week the EU’s independent data protection authority (DPA), the European Data Protection Supervisor (EDPS), published a preliminary opinion on data protection and scientific research subject to the General Data Protection Regulation 679/2016 (GDPR) and Regulation 1725/2018 governing data protection in EU institutions (Preliminary Opinion). Regulation 1725/2018 is very similar to the GDPR’s provisions in this area, and the EDPS states that the Preliminary Opinion may be regarded as relevant to data processing under both regulations.

The Preliminary Opinion builds on the work of the European Data Protection Board (EDPB) in promoting a dialogue between DPAs, ethical review boards and organisations conducting scientific research.

On 19 November 2019, the European Union Agency for Network and Information Security (ENISA) released its report ‘Good practices for security of Internet of Things (IoT)’ (Report), providing a comprehensive analysis of security concerns surrounding IoT, secure Software Development Life Cycle (sSDLC) principles, and setting out best practices. Below, we highlight some of the key points. The Report can be read in full here.

Background

IoT refers to a network of internet-connected devices, ranging from microwaves to phones to smart homes. ENISA is tasked with improving the resilience of Europe’s critical information infrastructure and networks, and the Report focuses on establishing good practices for securing the IoT software development process. As a precursor to the Report, in 2017, ENISA released its study ‘Baseline Security Recommendations for IoT’ (here).

Today, the Advocate General Henrik Saugmandsgaard Øe (AG) published his opinion on a case brought by privacy rights activist, Max Schrems (C-311/18, Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems) (Schrems II). The case concerns the validity of the standard contractual clauses (SCCs). The Court of Justice of the European Union (CJEU) press release can be found here, and the AG’s opinion here.

The General Data Protection Regulation (GDPR) provides that personal data may be transferred to a third country if that country ensures an adequate level of data protection. SCCs are one of several mechanisms approved by the European Commission for personal data transfers to countries not found to offer adequate protection for personal data. If the SCCs were invalidated, thousands of businesses would have to review their data transfer arrangements.

Below, we take a look at the AG opinion.

On 4 December 2019, the Information Commissioner’s Office (ICO) published draft guidance on data subject access requests (DSARs) (Guidance). This updated Guidance comes just 18 months after the current version was first published in April 2018. Previously, in June 2019, the ICO (here) criticised the Metropolitan Police for its handling of DSARs. The ICO also outlined some of the practical steps for responding to DSARs.

The new Guidance further recognises the importance of some of the issues organisations are facing when dealing with DSARs, while the consultation process seeks to refine this further by taking into account organisations’ experiences in dealing with DSARs made since May 2018, when the General Data Protection Regulation (GDPR) came into force.

Below, we take a look at some of the key new provisions of the updated Guidance.

Artificial intelligence (AI) is a key area of focus for the Information Commissioner’s Office (ICO). The ICO is already working on a related AI project that focuses on building the ICO’s Auditing Framework. One of the goals of the ICO is to increase the public’s trust and confidence in how data is used and made available. In line with this, on 2 December 2019, the ICO published a blog on explaining decisions made by AI (here). The ‘Explaining decisions made with AI’ guidance (Guidance) has been prepared in collaboration with the UK’s national institute for data science and artificial intelligence, the Alan Turing Institute. The Guidance seeks to help organisations explain how AI decisions are made to those affected by them.

We have outlined some of the key takeaways below.

The European Union Agency for Cybersecurity (ENISA) has been supporting the European Union (EU) Member States in developing, implementing and evaluating their cyber security strategies. Since 2012 and as part of this support, ENISA has been developing tools, studies and guidelines to help EU Member States build on their national cyber security strategies. The latest of these developments, launched on 28 November 2019, is a security mapping tool for operators of essential services (OES) and digital service providers (DSPs) in the energy, banking, health and digital infrastructure sectors, helping them comply with their obligations under the Network and Information Systems Directive 2016/1148 (NIS Directive).

Below, we take a closer look at the new security mapping tool.

On 12 November 2019, at its 15th plenary meeting, the European Data Protection Board (EDPB) adopted final guidelines on the territorial scope of the General Data Protection Regulation (GDPR) (the guidelines) following public consultation.

We have previously considered the draft guidelines on our blog. The first of the two blogs considered the extra-territorial scope of the GDPR (here), and the second blog post considered the need for non-European Union (EU) controllers to designate a representative located in the EU (here).

The guidelines seek to provide a common interpretation of Article 3 of the GDPR for data protection authorities when assessing whether processing by a controller or a processor falls within the territorial scope of the GDPR. The final guidelines maintain the interpretation adopted in the first draft but now include further explanations from the EDPB addressing comments received during the public consultation. Below, we consider some of the EDPB’s new additions in the final version of the guidelines, available here.

On 15 October 2019, the Information Commissioner’s Office (ICO) released the latest in its series of blogs on developing its framework for auditing artificial intelligence (AI). The blog (here) focuses on AI systems and how data subjects can exercise their rights of access, rectification and erasure in relation to such systems. Below, we summarise some of the key takeaways and our thoughts on the subject.

Rights relating to training data

Organisations need data in order to train machine learning models. While it may be difficult to identify the individual to whom the training data relates, it may still be personal data for the purposes of the General Data Protection Regulation (GDPR), and so will still need to be considered when responding to data subject rights requests under the GDPR. Provided no exception applies and reasonable steps have been taken to verify the identity of the data subject, organisations are obliged to respond to data subject access requests in relation to training data. The right of rectification may also apply but, as an individual inaccuracy is less likely to have a direct effect on an individual data subject who is part of a large data set, organisations should prioritise rectifying personal data that may have a direct effect on the individual.

Complying with requests from data subjects to erase training data may prove more challenging. If an organisation no longer needs the personal data because the machine learning model has already been trained, the ICO advises that the organisation must fulfil the request to erase. However, organisations may need to retain training data where the machine learning model has not yet been trained. The ICO advises that organisations should consider such requests on a case-by-case basis, but does not provide clarity on the factors organisations should consider.

The General Data Protection Regulation (GDPR) has prompted a series of legislative proposals in Latin American countries to update data protection regulations, many of which reflect the higher standards of the GDPR. With a large number of European and U.S. companies operating in the region, we look at some of the latest developments below.

Argentina

Argentina was the first Latin American country to implement data protection laws and the first non-European country to be recognised by the European Commission as having adequate levels of data protection. The need to revisit the current legislation results from the technological advances and the changed international landscape, including the introduction of the GDPR, since the Argentinian Personal Data Protection Act 2000 came into force.

Argentina’s new draft data protection bill proposes further changes to bring the country’s data protection law in line with the GDPR. The bill acknowledges the right to be forgotten and the right to data portability. Other changes include stricter provisions in the area of cross-border transfers to countries with inadequate levels of data protection, new legal bases for data processing other than data subject consent, including legitimate interests, and new definitions of biometric and genetic data.

In its judgment of 1 October 2019, the European Court of Justice (ECJ) decided on cookie consent requirements under the General Data Protection Regulation 2016/679/EU (GDPR) and the Cookie Directive 2002/58/EC (Cookie Directive) (Case C-673/17, Planet49 GmbH v. Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband e.V. (the Judgment)).

The ECJ set clear requirements on what cookie consent must look like. However, the requirements for when websites must ask for cookie consent may vary from one EU member state to another, as some member states, such as Germany, have not implemented the Cookie Directive, and the Judgment therefore does not apply directly there.

As a rule of thumb, it can be said that, at minimum, websites must ask for cookie consent for all cookies other than cookies that are technically required to operate the website or to provide the website service to the user. In other words, tracking, marketing and analytics cookies may only be used with explicit, clear, informed (Art. 13 GDPR) and prior consent.

Background

The case involved a promotional lottery, which was presented with two checkboxes:

  • A checkbox obtaining consent for marketing emails that was not pre-ticked, but was mandatory to tick in order to participate in the lottery (Marketing Checkbox)
  • A pre-ticked checkbox obtaining consent to cookies, which users could opt out of at any time (Cookie Checkbox)
