The UK’s data protection regulator produces more draft guidance on data anonymisation
The Information Commissioner’s Office in the UK has published the second chapter to its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies.
This section of the guidance looks at identifiability risk, identifiability assessments and the ‘motivated intruder’ test.
Chapter 1 and chapter 2 of the draft guidance can be found here.
Why it matters
Effective anonymisation can remove data protection compliance obligations altogether as the UK GDPR and the Data Protection Act 2018 only applies to data that relates to and identifies a living individual.
The key word here however is ‘identifies’.
Identifiability exists on a spectrum and depends on both the content of the dataset and the context to determine whether individuals can be singled out from the information.
Judge rules that the installation of security cameras and a Ring doorbell invaded the privacy of a neighbour
The defendant had installed security cameras and a smart doorbell on their house.
The smart doorbell is able to record both audio and video of the claimant’s house and garden.
The claimant argued that the installation of these security devices infringed data protection laws and contributed to harassment.
The judge upheld these claims and stated that the devices “unjustifiably invaded” the privacy of a neighbour.
The defendant now faces a potentially significant fine.
Why it matters
Article 2 of the UK GDPR states that data protection law does not apply to the processing of personal data by an individual in the course of a purely personal or household activity.
An example could be someone taking pictures of family members and sharing these with their friends on a social media platform.
However, in the case of domestic CCTV systems, this exemption only applies to the person’s own private property and garden and not outside the property boundary e.g. public footpaths and shared spaces.
Footballers seek compensation for the trading of their performance data over the past six years
A group of 850 professional footballers are preparing to sue companies using their personal playing data for commercial gain.
The betting industry for example, relies on the personal data of players as the basis for determining their odds.
This includes performance metrics such as average goals per game.
The group states that consent should be sought from the players before it is used as well as reimbursement.
Why it matters
Legal action in this area has the potential to significantly reshape how personal data is used in football and competitive sports more generally.
As well as ensuring that consent is given before their personal data is used, players are looking for more general changes to how their data is processed including the opportunity to rectify their data if it feels it mispresents them.