See below for the latest Data Blast from our legal team: Facial recognition technology continues to stir debate; Ransomware warning as public transport in Toronto falls prey to cyber attack; Yahoo ceases Chinese operations as new data protection law comes into effect; Scottish charity fined for data breach after exposing recipients’ email addresses…

Facial recognition technology continues to prove controversial

Following considerable public concern, and discussions with the ICO, numerous schools in Scotland have moved away from using facial recognition technology to validate students’ identities for school lunches. The Financial Times had reported that a number of schools in North Ayrshire were planning to introduce facial recognition cameras in order to take student payments for school lunches.

Schools in the UK have used other biometric technologies for processing lunch payments, such as fingerprint scanners, but the move to facial recognition provoked widespread concern that it was excessive and would serve to ‘normalise’ such technologies. The local council stated that 97% of affected pupils, or their parents, had provided consent to the use of the new technology for processing the lunch payments. Shortly after the new payment system was put into service, the council announced that it was reverting to the previous system for processing payments using a PIN.

Another move away from the use of facial recognition was announced this week by Facebook, which stated that it was shutting down its Face Recognition tool on its social network. For users who had opted in to Face Recognition, the system would automatically recognise those users’ faces in photos posted on the site. As part of shutting down the tool, Facebook noted that the facial recognition templates used to identify those who had opted in to Face Recognition – numbering more than 1 billion – will also be destroyed. Facebook noted that the abandonment of facial recognition technology would also impact its Automatic Alt Text (AAT) accessibility tool, which recognised faces in photos and produced text descriptions of the photos for those with visual impairments.

The use of automated facial recognition technology has also become one of the central points of debate for the European Commission’s proposed Artificial Intelligence Act which was published in April 2021. Civil society and human rights organisations, in particular, are calling for a complete ban on the use of AI for real-time remote biometric identification systems. We have previously reported on some controversial uses for facial recognition technology by law enforcement, here and here. A closer look at the proposed AI Act will appear in our next edition of Inside IP, which will be published later this month.

Critical infrastructure increasingly at risk of ransomware attacks

The Toronto public transport system, the TTC, continued to recover from a ransomware attack first reported on October 28th. The attack reportedly affected the TTC’s communication systems, trip planning apps, booking systems for its accessible transportation services, and real-time information displays on subway platforms and at bus stops. The TTC reported that core transportation services were not materially affected by the attack, and that it continued to work with IT and cybersecurity experts, as well as law enforcement, to regain control of the impacted services.

The attack on the TTC came just days before the US Federal Trade Commission (‘FTC’) issued another warning on the risk of cyberattacks on critical infrastructure, the latest warning focussing particularly on water and wastewater facilities. The FTC alert highlights the most commonly used tactics for gaining access to and control over critical IT systems: spear phishing using malicious links sent to facility staff; exploiting out-of-date operating systems and software; exploiting connected Internet of Things (IoT) devices; insider threats from current staff or former employees whose credentials have not been properly disabled; and ransomware attacks.

We previously reported on a cyberattack on a Florida city’s water facility which had aimed to introduce chemicals into the water supply here. We also previously reported on the Irish Health Service ransomware attack in May 2021 (here), recovery from which took several months. Local councils in the UK have also been impacted by ransomware attacks in the past year, with Hackney Council requiring more than 6 months to recover fully from an attack on its systems, and Redcar & Cleveland Council reporting the cost of its recovery from an attack to be £3.7 million.

European legislators have also taken steps to counter the rising threat of cyberattacks, with the adoption of a new draft directive on cybersecurity for critical sectors. The new draft directive, adopted on October 28th by the European Parliament’s Industry Committee, would replace the existing Network and Information Security (‘NIS’) directive covering sectors such as energy, transport, banking, health and digital infrastructure; the updated law would seek to narrow gaps in harmonisation between Member States and to increase cooperation and information sharing.

Yahoo pulls out of ‘challenging’ Chinese market

Yahoo announced that it had ceased operations in China as of November 1st, citing an ‘increasingly challenging business and legal environment.’ Similar concerns were expressed by Microsoft in its announcement last month that its LinkedIn service had ceased to be available in China. The new Chinese data protection law, known as the PIPL, came into effect on November 1st; we previously covered key aspects of the new law here. The PIPL came into force after a remarkably short period from its initial draft, published in October 2020, leaving organisations with little time to consider and adapt their services where necessary.

The new law requires a separate form of consent for controller-to-controller data transfers, potentially requiring many businesses to contact individuals ahead of the November 1st entry into force of the law. PIPL also contains strict rules around cross-border data transfers, with a requirement for pre-approval by the Cyberspace Administration of China. Those rules, together with limitations on automated decision making which are likely to have a significant impact on targeted advertising, have left many organisations based outside China struggling to meet the requirements of the new framework. PIPL also contains significant enforcement powers, including increased fines of up to 5% of an organisation’s previous year’s revenue.

Charity HIV Scotland fined after data breach

The ICO issued a £10,000 fine to HIV Scotland following an investigation of an email sent by the charity which inadvertently identified at least 65 individuals by using the ‘cc’ field in a mass email, rather than ‘bcc.’ The error meant that 105 email addresses were visible to all recipients; 65 of those addresses contained the names of the individuals concerned. The email contained an invitation to a meeting being organised by the charity; the ICO noted in its fining decision that assumptions about the HIV status of individual recipients of the email could result from the breach.

The ICO investigation found that staff training was lacking and the charity’s data protection policy was inadequate. In addition, the charity had previously identified that its email procedures were inadequate, and had commenced migrating data to a Mailchimp system for securely sending bulk emails; the data of the affected individuals had not been migrated at the time of the breach. The simplicity of the human error leading to the data breach in this case serves as a reminder to all organisations of the importance of reviewing procedures to identify risks, and conducting regular staff training on data protection compliance.
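The cc/bcc mistake described above is easy to catch mechanically before a message leaves the organisation. The following Python script is an added example, not code from the article, from HIV Scotland or from Mailchimp; it shows a pre-send policy check that refuses any bulk message whose recipient addresses would be visible to each other, together with a helper that builds a compliant message (sender in To, everyone else in Bcc). The threshold value and the sample addresses are constructed for illustration.

```python
"""Pre-send check for bulk e-mail: flag any message that exposes recipient
addresses to one another. Added example, not the article's or charity's code."""
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy threshold: a message addressed to this many or more
# people other than the sender must carry them in Bcc, never in To or Cc.
BULK_THRESHOLD = 2


def _addresses(msg: EmailMessage, header: str) -> list[str]:
    """Parse every address in all occurrences of one header, lower-cased."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses that every recipient of the message will be able to see."""
    return _addresses(msg, "To") + _addresses(msg, "Cc")


def check_bulk_message(msg: EmailMessage, sender: str) -> list[str]:
    """Return policy violations; an empty list means the message is safe to send."""
    problems = []
    others = [a for a in visible_recipients(msg) if a != sender.lower()]
    if len(others) >= BULK_THRESHOLD:
        problems.append(f"{len(others)} recipient addresses exposed in To/Cc")
    if _addresses(msg, "Bcc") and others:
        # Mixing visible externals with Bcc still leaks the visible ones.
        problems.append("mixed Bcc with visible external recipients")
    return problems


def build_bulk_message(sender: str, recipients: list[str], subject: str, body: str) -> EmailMessage:
    """Build a bulk message that keeps the recipient list hidden from recipients."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender              # the only visible address is our own
    msg["Bcc"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


# Constructed sample input: the kind of message that caused the breach.
def sample_bad_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "info@example.org"
    msg["To"] = "info@example.org"
    msg["Cc"] = "alice@example.com, bob@example.com, carol@example.com"
    msg["Subject"] = "Meeting invitation"
    msg.set_content("You are invited to our meeting.")
    return msg


if __name__ == "__main__":
    print("bad :", check_bulk_message(sample_bad_message(), "info@example.org"))
    good = build_bulk_message("info@example.org",
                              ["alice@example.com", "bob@example.com", "carol@example.com"],
                              "Meeting invitation", "You are invited to our meeting.")
    print("good:", check_bulk_message(good, "info@example.org"))
```

Run the check as a gate in whatever sends the mail and refuse to send when the returned list is non-empty. Note that `smtplib.SMTP.send_message` strips the Bcc header before transmission while still delivering to those addresses, so the Bcc list never reaches the recipients' mailboxes; a client that serialises the headers itself must do the same.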