The French Data Protection Authority, CNIL, has prohibited the use of facial recognition to control entry into a school as disproportionate, saying that less intrusive alternatives, such as badge control, are available.

Key takeaways:

  • Processing of biometric data is of particular sensitivity, justifying enhanced protection of individuals.
  • Facial recognition devices are particularly intrusive and present major risks to the privacy and personal freedoms of those concerned.
  • They are also likely to create a sense of reinforced surveillance.
  • Risks are increased when facial recognition devices are applied to minors, who are subject to special protection in national and European legislation.
  • Strict vigilance is necessary in view of the damage that could result from possible security incidents on such biometric data.

Read the full opinion.

According to the NewEurope newspaper, “Sweden’s data protection authority has approved the use of facial recognition technology by the police, to help identify criminal suspects.”

“The new application of facial biometric screening will allow Swedish police to compare facial images from closed-circuit TV footage to an existing biometric database of over 40,000 pictures.”

“According to the Swedish authority, the processing and storage measures comply with Sweden’s Crime Data Act and the EU’s Data Protection Law Enforcement Directive (GDPR).”

Details from NewEurope.

The UK’s Information Commissioner’s Office has issued an opinion on the use of Live Facial Recognition technology by law enforcement.

Key takeaways:

  • The use of Live Facial Recognition (LFR) involves processing of personal data and therefore data protection law applies.
  • The use of LFR for law enforcement purposes constitutes “sensitive processing.” As such, a Data Protection Impact Assessment (DPIA) and an “appropriate policy document” must be in place.
  • Sensitive processing occurs irrespective of whether that image yields a match to a person on a watch list, or the biometric data of unmatched persons is subsequently deleted within a short space of time.
  • Controllers must identify a lawful basis for the use of LFR.
  • The most likely applicable lawful basis may be “processing being ‘strictly necessary’ for the law enforcement purpose.”
  • Controllers must adopt Privacy by Design and by Default when designing and implementing an LFR strategy.
  • A statutory binding Code of Practice should be introduced to address LFR.
  • LFR may be likelier to meet the requirements of strict necessity and proportionality where it is deployed on a targeted or smaller-scale basis and for a narrowly defined purpose.
  • The inclusion of an image on a watch list should meet the same high threshold for processing, i.e., strict necessity.

Read the full text of the guidance.

On November 1st of last year, businesses became subject to new mandatory breach reporting regulations under Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA).

Since November 1st, 2018, the Canadian government has received 680 breach reports. That is six times the volume received during the same period one year earlier.

Key takeaways from the OPC report:

  • Know what personal information you have, where it is, and what you are doing with it. You must understand your data before you can protect it!
  • Know your vulnerabilities. Conduct risk and vulnerability assessments and/or penetration tests. Identify your organization’s weak points before a breach identifies them for you!
  • Be aware of breaches in your industry.
  • The majority of reported breaches — 58 percent — involved unauthorized access.
  • Employee snooping and social engineering hacks are key factors behind breaches resulting from unauthorized access.

Read the full report.

Ireland’s Data Protection Commission has issued a guidance note on the right of access under the General Data Protection Regulation.

Key takeaways:

  • Requests to access data are the majority of complaints received.
  • If reasonably necessary to clarify the request, you may request that the requester specify the information or processing activities they want access to.
  • A request may be made in writing or verbally. For a verbal request:
    • record the time and date
    • follow up in writing
  • Even if you have a designated method or contact person for submission of requests, an individual may use another method or contact person, or contact any member of staff.
  • A request does not need to contain any specific text to be valid.
  • Request proof of identity only when reasonable and proportionate to do so.
  • Only request the minimum amount of further information necessary and proportionate in order to prove the requester’s identity.
  • Keep requesters regularly updated on the progress of their request, and give them sufficient notice in advance of any potential delays.
  • Respond to a request in the same way it was made, or in the way the requester specifically asked. If making a verbal response, retain records.

Read the full text of the guidance.

The California Consumer Privacy Act (CCPA) takes effect in January, imposing strict new data privacy mandates on many companies headquartered inside — and outside — the state’s borders. Is your company among them?

Fox Rothschild’s Privacy & Data Security team has developed a free, easy-to-use online tool — CCPA Scope Adviser — that can help you answer this important question while there is still time to create a compliance plan.

The CCPA is scheduled to take effect in just two months.

Don’t assume you’re outside the scope. CCPA carries significant penalties for noncompliance and includes a private right of action that poses the threat of consumer lawsuits over data breaches.

For a thorough overview of the law, register for our free Ten Commandments of CCPA webinar, scheduled for Nov. 11.

Try CCPA Scope Adviser.

Register for the free Ten Commandments of CCPA webinar.

The Polish data protection authority has fined a public authority 40,000 Euros for violations of GDPR including:

  • failure to execute Article 28 data processing agreements with its service providers
  • retaining personal data for longer than required by law
  • storing official videos only on YouTube in violation of the obligation to ensure availability, integrity and continuity

Read the agency’s official statement on the fine.

“Manufacturers of smart microwaves, light bulbs, and other connected devices will face new security requirements in California and Oregon next year,” reports Sara Merken for Bloomberg Law.

“The two states are the first ones to specifically regulate the security of internet of things devices, with laws taking effect Jan. 1. Other states are likely to follow.”

“The laws include different definitions for connected devices. California’s law applies to any device or object that connects directly or indirectly to the internet and is assigned an internet protocol or Bluetooth address. The Oregon law similarly covers devices or objects with those requirements, but only those that are used ‘primarily for personal, family, or household purposes.’”

“Connected devices sold in California and Oregon will have to be equipped with reasonable security features that are appropriate to the device’s nature, function, and data it collects or transmits, and be designed to protect the device and the information from unauthorized access, use, or disclosure.”

Details from Bloomberg Law.

The United Kingdom’s Information Commissioner’s Office has launched a public consultation on how to create a toolkit to help organizations assess whether they have appropriate and effective internal data protection governance arrangements in place and to help them demonstrate their compliance with the General Data Protection Regulation (GDPR).

Per the GDPR accountability principle, data controllers must demonstrate their compliance through internal data protection measures and practices.

For example:

  • implementing data protection policies
  • recording the processing
  • taking a data protection by design and by default approach
  • having written contracts in place with processors
  • implementing appropriate security measures
  • recording and, where necessary, reporting data breaches
  • appointing a data protection officer
  • establishing processes for handling data subjects’ rights requests
  • carrying out data protection impact assessments

The ICO wants to hear from those who have responsibility for data protection and particularly about:

  • current practices regarding accountability
  • what might lead to improvements
  • how the ICO can support companies
  • what scope and structure may be most helpful

Read the ICO notice and submit comments.

The Austrian Data Protection Authority has imposed an 18 million Euro fine on Post AG for violating GDPR by processing personal information of individuals to create statistical probabilities about political party affinity and using them for marketing purposes.

Under GDPR, political affiliation is “special category” personal data, the processing of which is deemed more sensitive and is subject to additional obligations.

Processing political information in the context of marketing has been addressed in depth recently both by the United Kingdom’s Information Commissioner’s Office and by the European Data Protection Board. Both state that in most circumstances, you should not use special category data, inferred or otherwise, to target individuals with political messaging without the explicit consent of the individual.

Details from the Kurier newspaper.