In Perspective: Association for Financial Markets in Europe releases new guidance on data sharing

Advocacy group publishes guidance on data sharing in European capital markets
What happened
- The Association for Financial Markets in Europe (AFME) has published a white paper listing the key principles to consider to enable greater data sharing in European capital markets.
- This includes ensuring that sensitive information is only accessible under robust oversight, security and data privacy measures and promoting the standardisation of data types, formats, and transfer mechanisms.
- Additionally, the AFME recommends that APIs should be used as a preferred mechanism to enable data transfers.
Why it matters
- Data sharing between market participants, public authorities and individuals is essential to the smooth functioning of capital markets.
- AFME and its members see significant opportunities for greater and improved data sharing within European capital markets, to enable financial institutions to benefit from improved operational efficiencies and innovation.
- However, a number of barriers have prevented private and public sector buy-in for further data sharing initiatives. These include a lack of standardised transfer and access mechanisms.
Joint investigation into facial recognition company concludes
What happened
- The UK’s Information Commissioner’s Office (ICO) and the Office of the Australian Information Commissioner (OAIC) opened a joint investigation into the personal information handling practices of Clearview AI Inc in July 2020.
- The joint investigation has finished and the ICO is considering its next steps and any formal regulatory action that may be appropriate under the UK data protection laws.
- The OAIC, however, has released its determination, concluding that Clearview AI Inc failed to collect personal information lawfully and fairly and did not take reasonable steps to notify individuals of the collection of personal information.
- The OAIC has instructed the company to delete all associated personal information within 90 days.
Why it matters
- Clearview AI Inc provides a facial recognition search tool for registered users.
- This tool allows users to upload a digital image of an individual’s face and run a search against its database of more than 3 billion images. The tool displays likely matches and associated source information to the user, to enable identification of the individual.
- The OAIC and the UK’s ICO opened a joint investigation to examine the personal information handling practices of Clearview AI Inc with a focus on the company’s use of ‘scraped’ data and biometrics of individuals.
- Under the UK GDPR, biometric data can usually only be processed with the data subject’s explicit consent. Additionally, if the personal data is collected indirectly, such as when it is ‘scraped’ from public sources, the affected individuals must be informed of this data collection within one month.
Guidance issued in Ireland on vaccine certificate checks
What happened
- The data protection regulator in Ireland, the Data Protection Commission (DPC), has stated that it is the responsibility of the owners/operators of a premises, as a data controller, to establish whether it has a legal basis to ask for, and verify, the vaccination status of attendees or patrons.
- In its new guidance, the DPC has said that the processing of personal data in this context should be limited to verifying an individual’s vaccination status as there is no requirement for any further processing of the individual’s information for public health purposes.
- Examples of hospitality premises that this guidance applies to include cinemas, museums and entertainment venues.
Why it matters
- Data relating to an individual’s COVID-19 vaccination status warrants special attention in data protection law as this information is considered more sensitive in nature.
- In Ireland, Section 53 of the Data Protection Act 2018 provides that special categories of personal data, which include data revealing vaccination status, may be processed where necessary for public interest purposes in the area of public health.
- Businesses should also consider performing a Data Protection Impact Assessment to ensure only necessary and proportionate processing is carried out.