Are opinions about someone personal data?


Key takeaways:
  • An opinion can include personal data.
  • If the opinion is not recorded — GDPR does not apply.
  • If made or recorded for someone’s “purely personal or household” activities, with no connection to a professional or commercial activity, GDPR doesn’t apply.
  • GDPR may apply if the opinion was recorded or published on a medium which falls outside this exemption (such as a public comment on a social media site or commercial publication).
  • Data protection law many not apply to an opinion being expressed about them in a newspaper article or other media — as the publisher may be able to rely on a “journalistic exemption” which allows for publication of the personal data in question.
  • The Data Protection Act 2018 sets out some rules limiting the exercise of an person’s data protection rights regarding opinions about them which are given “in confidence.”
  • Where an opinion is recorded clearly as an opinion, such the recording of a participant’s attitude in someone’s notes of a meeting, then rectification may not be necessary or may simply involve the addition of a clarification.

Speak to me in algorithms.

The European Data Protection Board (EDPB) has issued a letter on the appropriateness of the GDPR as a legal framework to protect citizens from unfair algorithms.

“Considering the already extensive existing legal framework, the EDPB considers additional legislation in the area of data protection aimed at a specific technology [such as algorithms] as premature at this time.”

“[The] focus at this time lies on the development of existing norms, specifically the requirements of transparency, accountability and the [Data Protection Impact Assessments] in the context of machine learning algorithms. In the future, this may lead to the development of guidelines.”

“In order to protect individuals from unfair or discriminatory outcomes of algorithms an interdisciplinary approach is needed… ”

“This enforcement can take many forms, including:

  • actively informing the public regarding their rights
  • engaging with stakeholders
  • informing and guiding organizations
  • assessing prior consultations and
  • carrying out investigations, which may lead to enforcement actions.”

Read the full letter.

The European Data Protection Board (EDPB) has issued final guidance for using video surveillance under GDPR. Hear are some high-level takeaways:

  • You must have a legal basis.
  • Legitimate interest could work, BUT…
  • You have to balance carefully, and putting up a sign may not be enough.
  • You have to be transparent about what you do.
  • You must respond to data subject requests, even if it’s not easy to do so.

For a deep dive, read my detailed analysis.

  1. Yes, CCPA can apply to you even if you have no physical presence in California.
  2.  Yes, if you have done some GDPR compliance you are in better shape for CCPA.
  3. No, your GDPR compliance work is NOT sufficient for CCPA compliance and there are still things to do.
  4. Yes, if you are a non EU controller you may be able to take advantage of some of the things CCPA does differently than GDPR.
  5. Yes, you will need to amend your privacy notice even if it is GDPR Article 13/14 compliant.
  6. Yes, you will likely need to amend your GDPR Art 28 Data Processing Agreements.
  7. Yes, if you have re-targeting cookies you will need a CCPA solution for them as well.
  8. Yes, if you collect information of children under 16 you have things to think about under CCPA as well.
  9. Yes, if you have loyalty programs and financial incentives you may need to address them under CCPA.
  10. No, CCPA is not the last we have heard of U.S. state privacy laws and many are on the horizon.

For a deeper dive into this topic, check out this webinar, created in partnership between Fox Rothschild LLP and SPIRIT LEGAL.

Tell me don’t sell me.

“As defined by the CCPA, a sale refers to the ‘selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.’ The broad definition has left companies hanging on a clear-cut answer to if their business activities count as a sale. The lack of clarity ultimately puts the sale provision up for interpretation for companies.”

Some companies are adopting a wait-and-see approach, others are providing a mechanism for opt out but not calling it a “sale,” yet others are trying to avoid the definition of sale by acquiring an opt-in up front.

Details from the International Association of Privacy Professionals.

Bang for your privacy compliance spend buck.

For every $1 an organization spends on privacy compliance, they receive a $2.70 return on investment, finds a recent survey conducted by Cisco.

The study also found that the more mature privacy programs were seeing much better ROI. Companies that had scores above four on a scale of 1 to 5 ranking progress on key privacy objectives saw a $3.10 return on investment compared to $2.30 estimated by organizations that scored between one and three.

Details from the International Association of Privacy Professionals.

“The European Commission has revealed it is considering a ban on the use of facial recognition in public areas for up to five years.

Regulators want time to work out how to prevent the technology being abused. The technology allows faces captured on CCTV to be checked in real time against watch lists, often compiled by police. Exceptions to the ban could be made for security projects as well as research and development.

The Commission set out its plans in an 18-page document, suggesting that new rules will be introduced to bolster existing regulation surrounding privacy and data rights. During the ban, which would last between three and five years, ‘a sound methodology for assessing the impacts of this technology and possible risk management measures could be identified and developed’.”

Details from the BBC.

Say what you do (yes, really).
Do what you say.
In an academic study published last year, researchers created a tool that analyzed the language used in the privacy policies of 11,430 Play Store apps. They found that 14.2% (1,618 apps) contained a privacy policy with logical contradicting statements about data collection.
Examples include privacy policies that stated in one section that they do not collect personal data, only to contradict themselves in subsequent sections, where they state they collect emails or customer names, which are clearly personally-identifiable information.
Self-contradictions can lead to the identification of deceptive statements, which are enforceable by the FTC and the DPAs (data protection authorities) of the EU. 

“In an age where children learn how to use an iPad before they ride a bike, it is right that organizations designing and developing online services do so with the best interests of children in mind,” said UK Information Commissioner, Elizabeth Denham. “Children’s privacy must not be traded in the chase for profit.”

The UK ICO unveiled a set of rules known as the “Age Appropriate Design Code.”

“The Code outlines 15 standards online services should follow to protect children’s privacy … It also provides guidance on data protection safeguards aimed at ensuring online services are appropriate for children’s use.”

The code includes requirements for platforms to:
  • set privacy settings to “high” by default
  • minimize data collection and sharing
  • turn off by-default location tracking and targeted advertising
  • not use “nudge techniques” to encourage children to provide unnecessary personal information
  • conduct data protection impact assessments
  • provide transparency in privacy and data policies

If passed by Parliament, the Code will take effect around fall 2021.

Details from the International Association of Privacy Professionals.

Privacy notices should be a “man for all seasons,” write Cameron Kerry and Caitlin Chin of The Brookings Institution.

“The most detailed and honest privacy disclosure could be a silver bullet of transparency for regulators but utterly useless for the majority of consumers.” Therefore, they should multiple formats and contexts.

  • a detailed version for the regulators, privacy experts and others interested.
  • a user-friendly version that allows the general public to get the information they need. (For this, formats like pop up notices or hover over explanations can work.)
  • different format that allows for obtaining actual informed consent, if such is required.

“A one-size-fits-all disclosure requirement can undermine the contextual relevance that makes consent meaningful.” they write.

“By making information available in multiple forms, the concept of “notice” can shift to allow more meaningful and true transparency.”

Details from Brookings.