Investigation into Clearview Inc, Law Society digital futures report, notice on Brexit and data protection, study on GDPR and AI, study on GDPR and genomic data and more in this round-up of techlaw news from the past week.
Australian Information Commissioner and the UK’s ICO open joint investigation into Clearview AI Inc.
The Office of the Australian Information Commissioner and the UK’s Information Commissioner’s Office have opened a joint investigation into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals. Clearview’s facial recognition app allows users to upload a photo of an individual and match it to photos of that person collected from the internet. It then links to where the photos appeared. It is reported that the system includes a database of more than three billion images that Clearview claims to have taken or ‘scraped’ from various social media platforms and other websites. No further comment will be made while the investigation is ongoing.
Law Society publishes digital futures report
The Law Society has published a horizon scanning digital futures report. The report states that, to date, a number of factors have been cited as barriers to the successful adoption of technology in the legal environment. Those factors include, among others: existing culture; hierarchical structures of decision-making and deciding what is ‘right’ that are often based on old thinking; lack of willingness to learn; and resistance to change. There is currently wide variation in firms’ adoption and harnessing of digital technologies, usually depending on and illustrative of senior management’s ability to embrace change and forward focus. The report covers technology and access to justice; digital transformation in the legal profession; and emerging technologies.
European Commission issues notice on data protection and Brexit
The European Commission has issued a Notice to Stakeholders about data protection in the context of the UK’s withdrawal from the EU. The notice considers the options for transfers of data to and from the UK after the end of the transition period, including standard data protection clauses, binding corporate rules and codes of conduct and certification.
European Parliament issues study and options brief on impact of GDPR on AI
The European Parliament’s Scientific Foresight Unit has published a study and options brief on the impact of the GDPR on AI. Although AI is not explicitly mentioned in the GDPR, many of its provisions are relevant to the use of AI, and face challenges posed by the new ways of processing personal data that are enabled by AI. A tension exists between traditional data protection principles – purpose limitation, data minimisation, special treatment of ‘sensitive data’, limitations on automated decisions – and the full deployment of the power of AI. However, it is possible to interpret, apply and develop those data protection principles that are consistent with beneficial uses of AI. A number of AI-related data-protection issues are not explicitly answered in the GDPR, where provisions are often vague and open-ended. The study says that controllers and data subjects should be provided with guidance on how AI can be applied to personal data in conformity with the GDPR, and on the available technologies for doing so. A broad social, political and legal debate is needed on what standards should apply to processing of personal data using AI, particularly to ensure the explanation, acceptability, fairness and reasonableness of decisions about individuals. The debate should also address the question of which applications are to be barred unconditionally, and which ones may instead be admitted only under specific circumstances and controls.
Research report published on the GDPR and genomic data
The PHG Foundation has published a report on its research assessing the current and likely near future impact of the GDPR and UK Data Protection Act 2018 on uses of genetic/genomic data in healthcare and health research. In particular, it addresses three linked research questions with significant practical importance for regulators, health services, clinical professionals, scientists, patients and public: to what extent do genetic/genomic data used for healthcare and medical research in England and Wales count as personal data under the GDPR; to the extent that they are personal data, what is the impact likely to be on the delivery of health and social care in the short-to-medium term (up to five years); and what can be done to mitigate or reduce any negative effects. The report provides a detailed legal analysis of the many ways in which the GDPR affects genomic healthcare and research, highlights areas for urgent attention, and makes recommendations for the genomics community, regulators and policy makers to maintain the flow of genomic data for healthcare and scientific research.
Launch of Global Partnership on AI
Fourteen countries and the EU, including the UK, have launched the Global Partnership on AI (GPAI) to support and guide the responsible development of AI. The GPAI will aim to bring together leading experts from industry, civil society, governments, and academia to collaborate across four working group themes: responsible AI; data governance; the future of work; and innovation and commercialisation. It will also investigate how AI can be leveraged to better respond to and recover from the current pandemic.
ICPEN adopts best practice principles for advertising to children online
The International Consumer Protection and Enforcement Network (ICPEN) is a network of consumer protection authorities from over 65 countries who work together to tackle problems faced by consumers across the globe by sharing information and common actions. It has now formally adopted Best Practice Principles for Marketing Practices directed towards Children Online. The Principles have been developed and agreed by ICPEN members who are united in their view that adherence to the Principles will help traders to address the negative consequences of harmful marketing practices that children encounter online. The principles are: traders should make clear what is and what is not marketing; traders should not use marketing techniques that exploit children’s naivety, credulity, or lack of commercial knowledge; traders should not engage in the deceptive or harmful collection and use of children’s data; and traders should not market inappropriate products or services online to children.
The E-commerce Directive after the transition period
The UK government has issued guidance on the application of the E-commerce Directive in the UK after the Brexit transition period ends. At the end of the transition period, the E-commerce Directive will no longer apply to the UK. The guidance says that businesses should begin to prepare for these changes now. Rules relating to online activities in EEA countries may newly apply to UK online service providers who operate in the EEA from 1 January 2021. The E-commerce Directive currently allows EEA online service providers to operate in any EEA country, while only following relevant rules in the country in which they are established. This framework will no longer apply to UK providers as the UK will have left the EEA. Businesses should consider whether their services are currently in scope of the Directive, and if so, ensure compliance with relevant requirements in each EEA country in which they operate. Depending on the nature of their online services, businesses may already comply with these requirements. This could mean that few or no immediate changes are needed to be compliant from 1 January 2021.
Ofcom publishes report on net neutrality rules
EU Regulation 2015/2120 on open internet access requires national regulatory authorities such as Ofcom to monitor and ensure compliance with the net neutrality rules and to promote the availability of non-discriminatory internet access services at levels of quality that reflect advances in technology. Ofcom has now published its report to the European Commission and BEREC on its approach to monitoring and ensuring compliance, covering the period from May 2019 to April 2020. The report covers monitoring the quality of internet access services; safeguarding open internet access and traffic management; transparency measures; and complaints and remedies. Although this will be the last report Ofcom produces for the EU, it will publish reports in future under UK law. Therefore, Ofcom will continue to monitor compliance and publish its findings on a yearly basis.