Techlaw News Round-Up

February 14, 2020

EDPB consults on guidelines on processing personal data in the context of connected vehicles and mobility related applications

The European Data Protection Board has launched a consultation on processing personal data in the context of connected vehicles and mobility related applications. The consultation ends on 20 March 2020. The scope of the consultation focuses in particular on personal data processing in relation to the non-professional use of connected vehicles by data subjects, eg, drivers, passengers, vehicle owners. More specifically, it deals with the personal data (i) processed inside the vehicle, (ii) exchanged between the vehicle and personal devices connected to it (eg, the user’s smartphone) or (iii) collected within the vehicle and exported to external entities (eg, vehicle manufacturers, infrastructure managers, insurance companies, car repairers) for further processing. The guidance considers particular categories of data such as geolocation and biometric information, as well as five case studies.

European Parliament committee adopts resolution on AI risks for consumers

The European Parliament’s internal market and consumer protection committee has adopted a resolution urging the European Commission to examine whether additional measures are necessary to guarantee a strong set of rights to protect consumers in the context of AI and automated decision-making. AI applications have become increasingly common in various sectors. However, this carries risks, especially where decisions are made without human oversight. Machine learning relies on pattern-recognition within datasets. Problems arise when the available data reflects societal bias and perpetuates social divides. For example, some hiring algorithms have been found to be biased against women. The development of AI and automated decision-making processes also presents challenges for consumer trust and welfare. When consumers are interacting with such a system, they should be properly informed about how it functions. The Commission needs to clarify how it plans to: ensure that consumers are protected from unfair and discriminatory commercial practices as well as from risks entailed by AI-driven professional services; guarantee greater transparency in these processes; and ensure that only high-quality and non-biased datasets are used in algorithmic decision systems. MEPs will vote on the resolution in mid February. 

FCA, ICO and FSCS publish joint statement to insolvency practitioners and authorised firms

The Financial Conduct Authority, the Information Commissioner and the Financial Services Compensation Scheme have published a joint statement warning insolvency practitioners and FCA-authorised firms to be responsible when dealing with personal data. Some insolvency practitioners and FCA-authorised firms have attempted to sell clients’ personal data to claims management companies unlawfully. The terms of a standard contract are highly unlikely to constitute sufficient legal consent for personal data to be shared with CMCs to market their services, and may not be lawful. By passing on personal data, companies may be failing to meet their obligations under the Data Protection Act 2018 and the GDPR. Any subsequent direct marketing calls, texts or emails carried out by CMCs may breach the Privacy and Electronic Communications Regulations 2003. CMCs seeking to rely on legitimate interest grounds for processing such data are highly unlikely to meet the requirements of the GDPR. CMCs that intend to buy and use such personal data must be able to demonstrate how they have considered the fair treatment of customers and how their actions comply with privacy laws. Where the FCA or the ICO identify breaches of legal or regulatory requirements, they will take appropriate action.