ICO calls for review into use of messaging apps

What happened

• The Information Commissioner’s Office (ICO) has requested that the government conduct a review of the systemic risks and potential areas for improvement surrounding the use of personal email, WhatsApp, and other similar messaging apps. This comes after a year-long investigation into the use of private messaging channels by Ministers and officials at the Department of Health and Social Care (DHSC) during the pandemic.
• The inquiry discovered the possibility of vital information on the government’s response to the pandemic being lost or handled insecurely due to the absence of clear controls and the rapid increase in the usage of messaging apps and technology.
• An example of this included protectively marked information being located in non-corporate or private accounts outside of DHSC’s official systems. Consequently, the ICO stated that their findings revealed an oversight in the consideration of the risks associated with the improper storage and retention of information.
• The ICO came to the conclusion that there were legitimate threats to transparency and accountability within government, and it has called for a review of current procedures as well as action to be taken to ensure that improvements are made regarding how officials and ministers use private communication channels going forward.

Why it matters

• The ICO has issued the DHSC with a reprimand under the UK GDPR, requiring it to improve its processes and procedures around the handling of personal information through private communication channels and ensure information is kept secure.
• When it comes to the unauthorised use of messaging tools and apps for business-related purposes, organisations can be exposed to severe privacy and data protection issues.
• It is recommended that all organisations:
  • Assess and mitigate the data protection and privacy risks associated with the use of messaging tools by their employees both through the completion of Data Protection Impact Assessments (DPIAs) and third-party supplier due diligence processes. Risks will often differ depending on the specific messaging communication channel used. For instance, many of today’s apps do offer encryption and monitoring features, therefore it is recommended that businesses carefully examine which channels, if any, they may permit their staff to use.
  • Increase staff awareness through training and awareness exercises, as well as addressing the appropriate usage of messaging tools in a policy applicable to all staff, either as a standalone or part of a wider IT policy e.g. Acceptable Use Policy.
  • Consider the use of technology such as mobile device management (MDM) software, to assist in ensuring that company devices deployed to employees adhere to correct protocols, such as limiting what apps can be installed on company devices.

What happened

• Privacy campaign group Big Brother Watch has filed a complaint with the ICO regarding Southern Co-op’s use of facial recognition technology, which is present in 35 of its 200 stores, for the purpose of reducing crime.
• It is understood that the facial recognition tool, known as Facewatch, compares the biometric data of shoppers entering stores with a database of people known to have stolen or been violent in a Southern Co-op store in the past.
• A spokesperson for the retail chain said that the Facewatch system is in place protect its staff. They further confirmed that anyone flagged as having been previously banned would be asked to leave, and anyone flagged up as previously showing anti-social behaviour would be approached by staff and asked if they need any help.
• Big Brother Watch describes the technology as “Orwellian in the extreme”, and Silkie Carlo, the group’s director, said that the said the system and its biometric data collection allow Southern Co-op to allegedly add to “secret watch-lists” with “no due process”, describing it as “highly privacy-intrusive” for people on the watchlist.
• The group’s complaint to the ICO claims the system breaches data protection laws because the information is processed in ways which are not proportionate to the need to prevent crime.

Why it matters

• Biometric data is classified as special category personal data where it is used to uniquely identify a natural person, such as in this case. Special category data is considered to be especially sensitive, as its exposure could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.
• Although it has not yet been determined whether the use of surveillance cameras in Southern Co-op stores violates data protection law, the ICO’s response is likely to be eagerly anticipated by a number of other companies, including Nisa, Spar, Budgens, and Costcutter groups – who also use Facewatch’s services.
• Should the ICO find that Southern Co-op or Facewatch have breached data protection laws, they could a face regulatory fine or other enforcement measures, such prohibiting the retail chain’s use of facial recognition technology.
• Given that the ICO’s new three-year strategic plan (discussed in detail by Xcina Consulting in a post here) acknowledged that facial recognition technology is becoming more accessible, poses a risk to individuals, and may occasionally be used to discriminate against vulnerable groups, it is anticipated that the concerns raised will be thoroughly investigated by the regulator.
• The ICO, in their recently published plan, said that they would be collaborating with businesses to outline their expectations for the usage of such technologies and looking into how they are being implemented for any negative effects on vulnerable populations.
• It is further understood that the ICO plans to create further guidelines for the use of technologies such as AI and biometrics.

What happened

• In response to a statement made by Meta in February 2022 that warned that European citizens might no longer have access to its services, Meta has once again warned that if an EU-US data transfer deal isn’t finalised soon, EU services for Facebook and Instagram users may be suspended.
• Meta have said “we will likely be unable to offer a number of our most significant products and services, including Facebook and Instagram, in Europe, which would materially and adversely affect our business, financial condition, and results of operations”.
• The issue stems from the fact that the EU-US Privacy Shield, which had previously permitted the free flow of data between the two countries, was invalidated by the European Court of Justice in 2020 (commonly referred to as the “Schrems II” decision). This decision was made in response to concerns regarding US surveillance practices.
• The ruling raised questions about the legality of Standard Contractual Clauses (SCCs) for transfers to the US, even though Meta and many other US firms have continued to use them to send personal data across the Atlantic since the decision.
• As a result, an investigation was launched to determine if Meta’s data transfers to the US were legal by the Irish Data Protection Commission (DPC), which serves as the firm’s primary data protection authority.
• Subsequently, in a preliminary ruling, the Irish DPC stated that Meta’s transfers to the US made in accordance with SCCs should be halted.

Why it matters

• The Irish DPC serves as the primary EU regulatory body on data protection matters for many global tech firms, including Facebook, Twitter, Google, and Amazon. Consequently, regulatory decisions made by the Irish DPC often have a significant impact on both Europe and the rest of the world.
• The other 26 data protection authorities in the EU have one month to comment or raise objections to the DPC’s preliminary judgement, according to Article 60 of the EU GDPR, though an additional month may be granted for particularly complex cases.
• The decision must receive approval from two-thirds of the 26 authorities, therefore it could take a considerable amount of time to finalise the decision. If two-thirds of the authorities do not approve the decision at the initial vote, a further majority vote will be held after two weeks.
• Earlier this year, the EU and US were able to come to a tentative agreement on a new Trans-Atlantic Data Privacy Framework, which aims to enable safe and secure data transfers from the EU to participating US companies without the need for additional safeguards like SCCs and transfer risk assessments (TRAs), while adhering to the same principles as those outlined in the Privacy Shield when it was in effect.
• However, it is anticipated that the agreement will take some time to finalise and the Irish DPC may already have imposed their ban on the SCCs before such an agreement is formalised and transposed into legal documents.