Data Blast: European Commission says auto facial recognition not compliant; Canadian Government handling errors; Scottish nuisance calls fined; Financial Conduct Authority reveals complainant data; and Italy’s big fine.

EC digital chief states automated facial recognition not GDPR compliant

In an interview of February 17th, the European Commission’s digital and competition chief, Margrethe Vestager, said that automated facial recognition breaches GDPR, as it fails to meet the regulation’s requirement for consent.

GDPR classifies facial features used to identify individuals as biometric data, which is special category (sensitive) personal data. Use of sensitive personal data requires consent from the data subject unless the processing falls within certain closed categories of exceptions, including where it is necessary for public security. In the UK, the ICO has permitted police use of live facial recognition technology, as it has been deemed necessary for law enforcement purposes.

Vestager suggested that the EC will consider automated facial recognition further prior to introducing related legislation, but that Member States will be allowed to make domestic decisions as they see fit in the meantime.

These comments are in line with the EC’s stated policy, as it was announced that the EC recently backtracked on government plans to introduce a 5 year moratorium on the technology.

Canadian federal government reports personal data incidents affecting nearly 150,000

On February 14th, the Canadian government confirmed that several federal departments and agencies had mishandled the personal data of at least 144,000 Canadians over the past 2 years, in contravention of Canada’s Privacy Act.

The figures were disclosed as part of an 800 page written response to an Order Paper filed by Conservative MP Dean Allison late last month. The report detailed privacy law breaches resulting from careless data sharing by email, employee misconduct and theft of computer equipment. The mishandling errors range from relatively minor infractions to serious breaches exposing sensitive personal data; the report noted roughly 8,000 privacy breaches occurring at 10 different agencies and departments.

The Canadian Revenue Agency (CRA) was the worst offender, with over 3,000 incidents affecting roughly 60,000 individuals, from January 1st 2018 – December 10th 2019. The CRA blamed the breaches on employee misconduct, misdirected mail and security incidents, stating that ‘two-thirds of the total individuals affected were as a result of three unfortunate, but isolated incidents.’ In one of those cases, CRA employees were accidentally given access to a drive containing the personal data of 11,780 Canadians, though the CRA stated that no evidence was uncovered suggesting that any of the files had actually been accessed. In a separate case, a CRA employee did improperly access the accounts of two individuals, and was briefly (and improperly) able to access the personal information of nearly 12,000 individuals.

Over the same period, Health Canada reported 122 privacy breaches affecting roughly 24,000 individuals; the most serious of which involved a government employee mistakenly receiving an email containing the sensitive personal data of others. In May 2018, over 20,000 employees of the Canadian Broadcasting Corporation saw their personal information improperly disclosed, including in an incident involving the theft of CBC computer equipment.

Of all the agencies and departments that suffered breaches, many did not know how many people were affected, nor how many of those potentially affected were subsequently contacted or warned about the breaches.

The Canadian Office of the Privacy Commissioner said it is still reviewing the written response, particularly in light of the under-reporting of government data breaches in the past. As far as recourse available to victims is concerned, they may file complaints under the Privacy Act, which may be followed up for investigation. Canadians are increasingly looking to the courts for redress following serious data breaches, as the Privacy Commissioner lacks the fining powers of UK and European regulators, though, as we previously reported here that appears set to change with the government’s plan to modernise Canadian data protection laws.

ICO fines Scottish company for nuisance calls

On March 2nd, the ICO announced that it had fined a Scottish company, CRDNN Limited, £500,000 for making over 193 million nuisance calls.

The ICO raided the company’s offices in March 2018, seizing computer equipment and documentation in order to analyse the scale of the nuisance call operation. It was subsequently found that CRDNN was making roughly 1.6 million calls a day regarding debt management, window scrappage and boiler sales between June and October 2018. It was also found that some of the calls could have put peoples’ safety at risk, as the calls clogged up Network Rail’s Banavie Control Centre, which provides inquiry information to pedestrians and drivers at unmanned crossing.

The nuisance calls were made from a spoof phone number, meaning the call recipients were unable to identify the caller.

Specifically, CRDNN broke the law by failing to gain consent of the call recipients, and therefore their use of personal data did not comply with the Privacy and Electronic Communications Regulations (PECR). PECR prohibits organisations from sending unsolicited communications to consumers for direct marketing, by phone or email, unless that person has given prior consent to that effect.

Companies engaging in direct marketing should keep in mind that, unless PECR-compliant consent is given by recipients, such marketing campaigns may result in fines from the ICO.

Financial Conduct Authority admits to complainant data breach

On February 25th 2020, the Financial Conduct Authority (FCA) admitted that it had inadvertently revealed the personal data of roughly 1,600 individuals who had filed complaints about the FCA.

In a statement, the FCA explained that in responding to a Freedom of Information Act request, it had accidentally published names, addresses and phone numbers in a document on its official website.  The response related to the volume and content of complaints between January 2018 and July 2019.

Fortunately for the FCA, over half of the 1,600 complainants had only their names compromised, while others also had their addresses and phone numbers disclosed. The FCA stated that no other identity information, and no financial information, was included in the accidentally disclosed document. The FCA referred itself and the matter to the ICO.

The breach is particularly embarrassing for the FCA, given that it issued a fine against Tesco Bank for £16.4 million in 2018 for failing to protect customer data.

Italian DPA issues multi-million euro fine

On February 1st, the Italian Data Protection Authority (the Garante) issued two fines totalling €11.5million to Italian energy company Eni Gas e Luce (EGL) for violations of the GDPR.

The fines, a Garante statement explains, related to unlawful personal data processing for promotional reasons, as well as unsolicited contracting.

The first fine, for €8.5million, relates to unlawful telemarketing activities, discovered upon investigation after the Garante received numerous consumer complaints. In addition to the fine, the Garante ha ordered EGL to implement procedures for consent verification of those individuals in its contact list.

The second fine, for €3million, is in relation to breaches from unsolicited contracts for gas and electricity supply on ‘free market’ terms. A Garante spokesperson explained that ‘many individuals complained to the Authority that they learned about the conclusion of a new contract only on receiving the letter of termination of the contract with the previous supplier or else the first EGL bills.’ In certain cases, consumers reported that there new contracts contained incorrect personal data and, in the worst cases, forged signatures.

In total, roughly 7,200 consumers were impact by EGL’s unlawful actions, and they have been forced to correct various procedural concerns that may have enabled the unsolicited contracting.

For more information please contact Partner, James Tumbridge at