Data Blast: Facial recognition under review in the UK; Facebook’s record fine; Belgium Mayor fined for campaign messages; China update…

UK ICO to investigate use of facial recognition at King’s Cross

Following media reports regarding the use of facial recognition at King’s Cross in London, the UK ICO has announced that they will be investigating whether the technology’s use is in breach of data protection law. After being reported in the Financial Times, Argent (the main real estate developer of the King’s Cross area) stated facial recognition was ‘one of a number of detection and tracking methods’ used to ensure public safety. Argent has yet to confirm the legal basis on which it is putting the technology to use, the systems it has put in place in order to safeguard the collected data, or even for how long the system has been in use. Not only does Argent need to establish a lawful basis for processing under the GDPR, it must also meet one of the additional conditions for processing ‘special category’ data, assuming the facial recognition data collected is categorised as biometric data under the GDPR. The ICO has stated that ‘any organisation wanting to use facial recognition technology must comply with the law – and they must do so in a fair, transparent and accountable way.’ Similar issues have recently been raised regarding the use of the technology, particularly as it relates to use by the police (as previously report here).

Facebook issued record $5billion fine

The US Federal Trade Commission (FTC) has announced that Facebook will pay a record $5 billion fine to settle a variety of data privacy issues. The company is also required to establish an independent privacy committee separate from company management. The fine comes after the FTC investigated allegations that Cambridge Analytica improperly obtained the data of up to 87 million users, as well as other issues including Facebook’s facial recognition program. The investigation began in March 2018 after it was revealed that personal data was illegally harvested from an online personality quiz and sold to Cambridge Analytica, and after claims that the data was used to influence the 2016 US presidential election and the Brexit referendum. The FTC has confirmed that Facebook violated rules against deceptive practices, and fell afoul of the regulator by not revealing that the telephone numbers it collected for 2-factor authentication would be used for advertising. The fine is the largest ever enacted for violating user privacy.

Belgian Data Protection Authority issues first GDPR-era fine

On May 28th 2019, the Belgian Data Protection Authority (DPA) issued its first fine under the GDPR. The €2,000 fine, imposed on a municipal mayor, related to the abusive use of personal data for the purposes of the mayor’s election campaign. The fine stemmed from complaints received from data subjects, claiming that their personal data, which was ostensibly collected only for local administrative purposes, was further used for campaign purposes. In deciding to impose the fine and issue a formal reprimand, the DPA took into consideration the limited number of affected data subjects, as well as the nature, gravity and duration of the infringement. While the fine was modest, particularly compared to recent GDPR-related fines elsewhere in the EU, the decision represents the first financial penalty imposed by the Belgian DPA. Please find a link to a Dutch version of the decision here.

Chinese Cybersecurity Draft Regulations enhance protection for minors

The Cyberspace Administration of China (CAC) published Draft Regulations in May, and the associated consultation closed in July. We await the update but summarise here the regulations: They seek to increase the protection afforded to minors’ (those under 14 years of age) personal information. The Draft Regulations require network operators (including the owners and administrators of networks and network service providers) to notify a minor’s guardian of the purpose, scope, method of and duration of data collection; as well as how that data is to be stored, transferred and disclosed. Operators must provide guardians an option to withhold consent, explain the consequences of doing so, and must conduct security assessments of any third-party processors of minors’ data. Such third-parties also have heightened processing obligations under the Draft Regulations. In cases of data breach that could result in ‘serious consequences’ for minors’ data, operators must notify affected minors and their guardians by email, letter, phone or by push notification. Lastly, operators will be required to publicise the security measures used for safeguarding minors’ personal data, and provide simple and easily understood user agreements for minors and their guardians. We have a fuller article here.

For more information please contact Partner, James Tumbridge at