This Privacy Regulation Roundup summarizes the latest major global privacy regulatory developments, announcements, and changes. This report is updated on a monthly basis. For each relevant regulatory activity, you can find actionable Info-Tech analyst insights and links to useful Info-Tech research that can assist you with becoming compliant. Regulatory activities are ordered by their effective date.

The Politics and Perils of Facial Recognition Technology

Type: Development
Date: January 9, 2020

Summary: After the Capitol riot in early January, Clearview AI experienced a large spike in usage rates. Following the riot, a multitude of photos, videos, and postings of participants were displayed online. Subsequently, the FBI has used these photos, posting them in its public requests to identify the participants in the riot.

Facial recognition databanks have been used in the past by law enforcement via government-provided databases to harvest data such as drivers’ license photos, mug shots, etc. Clearview AI, however, does not use government databases but instead uses over three billion photos collected from social media networks and other sources to build its facial database. As a result, Clearview AI’s methodology has been called into question as to the legitimacy of leveraging biometric data without first obtaining the individual’s consent. Not only does this present a threat to privacy rights, but it also presents challenges from a human rights perspective.

Analyst Perspective: Facial recognition technology proves time and time again the importance of conducting a privacy impact assessment (PIA) or privacy risk assessment when leveraging new technology. The Capitol riot is just one example of the perils that technology poses to privacy rights when it is not properly assessed from a risk perspective. While the intention of the product may not be nefarious, as with anything, put in the wrong hands or used without appropriate governance and training, it has the potential to infringe on privacy rights and human rights and set a worrisome precedent for the use of emerging technologies in society.

Clearview AI’s technology does a lot more than simply provide interesting insight and intelligence, as it relies on collecting large volumes of sensitive data on individuals and using that data without the explicit knowledge or informed consent of the individuals. The many instances of the company’s name emerging in headlines and coming under the scrutiny of privacy advocates suggest a lack of careful consideration of the harmful privacy impacts of the technology, much of which would have been identified through the performance of a PIA. Already we have seen cases of false identification due to bad recognition matches and the resulting consequences. And so, the question must be asked: do the ends in this situation justify the means?

Analyst: Isaac Kinsella, Research Specialist – Security, Risk & Compliance

EDPB Launches Open-Source Privacy Evidence Collector Tool

Type: Development
Date: January 2021

Summary: The European Data Protection Supervisor (EDPS) has rolled out an open-source software tool for automating the task of inspecting websites for private and personal data. Dubbed “Website Evidence Collector,” the tool has been published on GitHub and is freely downloadable and usable by the public within the terms of the European Union Public License (EUPL-1.2).

The tool serves the purpose of collecting evidence of personal data collection and processing, such as cookies and requests to third-party sites. The tool allows for parameters to be configured in advance, which suggests that it can be fine-tuned to suit the nature of the respective investigative process. The output is rendered in human and machine-readable format.

Written for use with the Chromium web engine, the tool has been designed to be multi-platform and will work on Windows, macOS, Linux, and any other platform that supports the Node.js JavaScript runtime and Chromium.
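To make concrete what “evidence of personal data collection and processing” looks like in practice, here is an added illustration (not the EDPS tool’s own code) that takes request and cookie observations captured from one page load and turns them into the kind of machine-readable record such a collector emits: which third-party hosts were contacted, and which cookies were set, by whom, and for how long. The page URL, hostnames, request types and cookies are constructed sample data; the public-suffix list is deliberately abbreviated.

```javascript
// Added illustration, not the EDPS Website Evidence Collector's own code: from
// request/cookie observations of one page load (constructed below), classify
// third-party hosts and cookies into a machine-readable evidence record.
// Assumption: a short hard-coded list of two-label public suffixes stands in for
// the full Public Suffix List a real collector would consult.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/^\./, "").split(".");
  const n = TWO_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  return labels.slice(-n).join(".");  // simplified eTLD+1
}

// Which hosts outside the visited site received requests (and of what types),
// and which cookies were set, by whom and for how long.
function collectEvidence(pageUrl, requests, cookies) {
  const firstParty = registrableDomain(new URL(pageUrl).hostname);
  const hosts = new Map();
  for (const r of requests) {
    const host = new URL(r.url).hostname;
    if (registrableDomain(host) === firstParty) continue;  // first-party traffic
    if (!hosts.has(host)) hosts.set(host, []);
    hosts.get(host).push(r.type);
  }
  return {
    page: pageUrl,
    firstParty,
    thirdPartyHosts: [...hosts].map(([host, types]) => ({
      host, requests: types.length, types: [...new Set(types)],
    })),
    cookies: cookies.map((c) => ({
      name: c.name,
      domain: c.domain,
      thirdParty: registrableDomain(c.domain) !== firstParty,
      // session cookies have no expiry; persistent ones report lifetime in days
      lifetimeDays: c.expires === undefined ? 0 : Math.round((c.expires - c.setAt) / 86400),
    })),
  };
}

// Constructed sample observations (Unix timestamps in seconds).
const SAMPLE_PAGE = "https://www.example-shop.co.uk/checkout";
const SAMPLE_REQUESTS = [
  { url: "https://www.example-shop.co.uk/app.js", type: "script" },
  { url: "https://cdn.example-shop.co.uk/logo.png", type: "image" },
  { url: "https://analytics.tracker-example.com/collect?v=1", type: "xhr" },
  { url: "https://analytics.tracker-example.com/pixel.gif", type: "image" },
  { url: "https://fonts.font-host-example.net/roboto.woff2", type: "font" },
];
const SAMPLE_COOKIES = [
  { name: "session", domain: "www.example-shop.co.uk", setAt: 1609459200 },
  { name: "_trk", domain: ".tracker-example.com", setAt: 1609459200, expires: 1672531200 },
];
```

Serialising the returned object with `JSON.stringify` gives the machine-readable output; a human-readable summary is one loop over `thirdPartyHosts` and `cookies` away.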

Analyst Perspective: The introduction of the Website Evidence Collector tool may be the push that laggard companies and organizations need to ensure compliance with the obligations and directions of global data protection regulations. The availability of the tool in the public domain will assist businesses in conducting a self-assessment of their compliance with GDPR in advance of an audit, enabling them to take appropriate and proactive action to avoid non-compliance findings and penalties.

It will be interesting to see how the tool fares given the interconnected nature of websites and web parts such as banners or code embedded by hosting providers. From a more long-term perspective, it will be important to watch how widely the tool influences webpage development, particularly for websites that collect personal information for eCommerce transactions.

That the tool has been distributed as open source speaks to the transparency of the process and should offer some peace of mind to organizations whose websites are being inspected by the tool.

Analyst: Jimmy Tom, Research Advisor – Security, Risk & Compliance

The Brexit Impact: What the UK’s Exit Means for International Data Transfers

Type: Regulation
Date: January 2021

Summary: After years of uncertainty and many a conversation around deal or no deal, the United Kingdom has officially separated from the European Union, presenting a number of challenges in a landscape further complicated by the current global pandemic. One saving grace, however, is a temporary agreement, or bridging mechanism, agreed upon as part of the Trade and Cooperation Agreement signed between the EU and UK in late December 2020. This agreement provides up to six months of unrestricted data transfers between the UK and the EU prior to an adequacy decision from the European Commission, as informed by the European Data Protection Board. There are still additional measures that need to be considered and put in place, and this does not automatically indicate that an adequacy decision will be granted by the Commission come the end of the bridging period. It does, however, buy organizations a little more time and provide an opportunity to adopt appropriate data transfer mechanisms and safeguards over the coming months.

Analyst Perspective: As the privacy landscape changes and matures, so too must an organization’s approach to privacy strategy and operations. The summer 2020 invalidation of the EU-US Privacy Shield demonstrated that an increasingly complex technological and regulatory landscape cannot rest on dated agreements or stagnant safeguards to ensure privacy rights continue to be upheld. The UK GDPR, adopted in alignment with the existing EU GDPR following the UK’s exit on January 1, favorably positions the UK to be viewed as “adequate” by the European Commission, but this should not be taken for granted by UK-based organizations. Frequent and regular reviews of the organization’s data privacy program should be in place, covering transfer impact assessments, privacy risk and impact assessments, processing activities, and supporting technical and process controls. Privacy is dynamic and, like the governing regulatory landscape, must be managed as such.

Analyst: Cassandra Cooper, Senior Research Analyst – Security, Risk, and Compliance

Digital Rights Groups Say South Africans’ Personal Data May Be Misused or Stolen

Type: Development
Date: January 7, 2021

Summary: South Africa is moving ahead with plans to collect biometric data (photos, fingerprints) from every newborn baby in the country so that a digital identity record of every person in the country can be established. This effort is meant to address the fact that a significant portion of South Africa’s residents do not have an official identity record, which can hinder access to education, healthcare, social programs, and even citizenship. Ironically, this move has been criticized for presenting a new risk of identity theft if such data is not adequately secured. South Africa’s Protection of Personal Information Act, established in 2013, should dictate the rules around such data collection; however, key sections of the law have only just come into effect and have yet to be fully operationalized, which adds to the concerns about the proposed program.

Analyst Perspective: Integrate data protection by design (DPbD) into your workflows. The situation in South Africa is complex in that it is wrapped up in both privacy and humanitarian concerns. Yet it makes a compelling case for why we should all be following the principles of DPbD, which help ensure that only necessary data is collected, that it is adequately secured, and that it is destroyed when no longer required. Following these basic principles helps to reduce risk and boost security for organizations and their clientele.

Analyst: Logan Rohde, Research Analyst – Security, Risk, and Compliance

Singapore Loses Trust Over Contact Tracing Privacy

Type: Development
Date: January 2021

Summary: The Singapore Ministry of Home Affairs confirmed that contact tracing data – despite previous assurances that such data would only be used for contact tracing during the pandemic – could in fact be accessed by the police for criminal investigations. A minister also revealed that such data had already been used in a murder investigation. In response to the public anger and criticism the revelation has wrought, the Singapore government has since announced new legislation to limit law enforcement’s use of this data.

Analyst Perspective: Organizations must document the legitimacy of processes involving sensitive personal data and perform privacy impact assessments as needed to determine whether such processing violates the rules set forth by any regulations or policies that govern this data. The loss of citizen trust due to Singapore’s stance on law enforcement use of contact tracing data could impact the country’s ongoing fight against the COVID-19 pandemic, as citizens re-evaluate their own buy-in to this important, life-saving government program. Any other organization found to misuse sensitive personal data for non-legitimate reasons could likewise see customer trust erode, which can in turn impact the organization’s objectives.

Analyst: Aaron Shum, Practice Lead – Security, Privacy, Risk, and Compliance

Search Code: 87193
Published: December 11, 2018
Last Revised: February 1, 2021