Court of Appeal to hear facial recognition case, new ICO information rights blog, EDPB 3rd annual review of the Privacy Shield plus more in our weekly round-up of techlaw news snippets and links to our more in-depth news
Court of Appeal grants leave to appeal in facial recognition case
The Court of Appeal has granted leave to appeal the High Court decision in R (on the application of Bridges) v Chief Constable of South Wales Police (Information Commissioner and another intervening)  EWHC 2341, relating to South Wales’ police use of facial recognition technology. The appeal is unlikely to be heard before February/March 2020.
EDPB publishes its report on the third annual joint review of the EU–US privacy shield
The European Data Protection Board has adopted its report on the third annual joint review of the EU–US privacy shield. It welcomes efforts by the US to implement the privacy shield, in particular, ex officio oversight and enforcement actions. The EDPB also approves of the appointment of the permanent ombudsperson (although it does not think they are vested with sufficient powers) and the filling of the final two vacancies on the Privacy and Civil Liberties Oversight Board. It also highlights areas for improvement, including lack of oversight in substance, the application of the privacy shield requirements regarding onward transfers, human resources data and processors; and says the (re)certification process needs to be strengthened. In future, the EDPB considers that the members of the review team would benefit from broader access to non-public information; and it encourages the Privacy and Civil Liberties Oversight Board to issue and publish further reports to provide an independent assessment of surveillance programmes conducted outside the US regarding the collection of data by public authorities. The EDPB also noted several issues identified in the Article 29 Working Party’s Opinion 01/2016 that still need to be addressed.
ENISA launches report to promote security by design for Internet of Things
ENISA, the European Union Agency for Cybersecurity, has published the Good Practices for Security of IoT report. It focuses particularly on software development guidelines, a key aspect for achieving security by design. The study gives advice on how to securely collect requirements, design, develop, maintain, and dispose of IoT systems and services. In the context of IoT, a rapidly emerging set of technologies that needs to be holistically secured, such work aims to set the reference point for the development of secure by design solutions. It includes analysis of security concerns in all phases of IoT Software Development Life Cycle and key points to consider; detailed asset and threat taxonomies concerning the IoT secure SDLC; concrete and actionable good practices to enhance the cybersecurity of the IoT SDLC; and mapping of ENISA good practices to related existing standards, guidelines and schemes.
ICO appoints first adviser on data ethics
Simon McDougall, Executive Director – Technology Policy and Innovation, ICO, has written a blog post, announcing the appointment of Ellis Parry as the ICO’s first data ethics adviser. Increasingly the ICO sees broad ethical questions being raised around how data is being used. There is debate around when data protection and data ethics overlap, where they are separate, and where they may even conflict. Therefore, the aim of the role is to help ensure that the ICO contributes to data ethics discussions in a way that meets the aims of its Information Rights Strategic Plan, and in doing so helps to uphold information rights in the UK. The new role will consider questions such as how do we balance the interests of society against individual rights, on issues like facial recognition technology? How do we allocate rights and responsibilities in a world of connected devices and real-time automated decisions? How much thought does the law require organisations to put into what is ‘right’, and what their customers would reasonably expect to happen to their data?
ICO launches new information rights blog
The ICO has launched a series of blog posts covering regulation of access to information legislation. The first post is by Gill Bull, ICO’s Director of Freedom of Information Complaints and Compliance, who delivered the 2019 Bond Lecture at the British Records Association. In her lecture she reflected on how issues of trust and trustworthiness and the current public debate about the notion of kindness in public policy, relate to access to information. She spoke about the ICO’s call for contractors carrying out public services to be held accountable under the Freedom of Information Act and the Environmental Information Regulations. The law has not kept pace with the way services are provided or with public expectations. 2020 will be the fifteenth year since the legislation came into force. It is inevitable that the environment in which the legislation operates has changed. People must be able to feel that outsourced services are trustworthy. She questioned whether we need to develop some new framing for access to information rights and whether we need to start talking about a more fundamental duty to provide information.
In case you missed it
Links to other news published this week