The Week In Perspective – Privacy regulators across the globe voice their expectations

What happened

• Following a statement of intent issued in July 2020, six data protection and privacy authorities from Australia, Canada, Gibraltar, Hong Kong SAR, China, Switzerland and the United Kingdom have provided their observations following a review of the practices of several companies providing video conferencing solutions.
• The platforms that were reviewed included those provided by Microsoft, Google, Cisco and Zoom.
• Good practices were observed in areas such as security, transparency and end-user control.
• However, improvements were recommended when it came to encryption, the location of data centres and secondary uses of data.

Why it matters

• This activity is an example of constructive engagement between the privacy regulatory community and the organisations they regulate.
• It has allowed the data protection authorities involved to engage, in a coordinated manner and with a uniform voice, with some of the largest and fastest growing technology companies, whose services are used worldwide.
• The report also provides a useful framework that developers of new data processing technologies should consider. This includes considering factors such as security, privacy by design and by default, knowing your audience, transparency, end-user control, encryption, secondary uses of data and data centre locations.

What happened

• Following a major public backlash on the use of facial recognition technology in schools to enable students to pay for meals in a ‘contactless’ (and therefore Covid-safe) way, nine schools in North Ayrshire in Scotland have paused the use of the technology with one school completely abandoning the initiative.
• The UK’s data protection regulator have also confirmed that they will contact North Ayrshire council to talk about the impact of data protection laws on children and to confirm whether a less privacy-intrusive payment option could be pursued instead.   

Why it matters

• Capturing biometric data (i.e. personal data that uniquely identifies someone based on their physical characteristics) requires extra considerations from a data protection perspective.
• This is because biometric data is considered special categories of personal data which, in most cases, requires the data subject’s explicit consent to process.
• Additionally, the Children’s Code issued by the UK’s Information Commissioners Office lists several standards that should be considered when delivering digital services to individuals aged 18 and under. This includes the need to ensure processing is necessary and proportionate and to conduct a risk assessment.

What happened

• After a number of queries received to their office, Cyprus’s Privacy Commissioner has provided some helpful guidance on the use of CCTV in public spaces.
• This includes performing a risk assessment where the use of CCTV can threaten the rights and liberties of individuals as well as displaying clear and unobstructed signs notifying people that CCTV recording is in operation.
• The Commissioner also stated that the use of CCTV in private properties is permissible as long as the processing of personal data is for personal or household use and the CCTV recording does not capture footage beyond the perimeter of the private property.

Why it matters

• The use of CCTV in private properties has been in the news recently due to a case in the UK involving a person installing security cameras on their property that were found to invade the privacy of a neighbour.
• The advice provided by Cyprus’s Privacy Commissioner offers a timely reminder for businesses to consider performing a Data Protection Impact Assessment before putting in place CCTV systems and to consider transparency and the provision of fair processing information to the individuals that may be filmed.