Legal Tech News Review Week 7-13 September 2020, by Eleni Kozari

ICO issues Accountability Framework

ICO has launched an Accountability Framework tool in order to facilitate organisations embed accountability into their daily business practice and culture. Acknowledging that data protection compliance is not ‘one size fits’ all, the tool aims to help any organisation, regardless of its size, in mapping the necessary compliance steps and actions.

The Framework is articulated in ten categories and it sets the expectations and examples of proof of compliance in the light of the accountability obligations. These categories are: leadership and oversight, training and awareness, transparency, contracts and data sharing, records management and security, policies and procedures, individuals’ rights, records of processing and lawful basis, risks and data protection impact assessments, breach response and monitoring.

Given the increasing public’s awareness regarding the use of its personal data, effective accountability practices can empower the organisations’ reputation. To this end, the Accountability framework, by setting questions, it raises the organisations’ awareness as regards its compliance status and provides guidance in respect to next steps and best practices. In addition, it provides clarifications and proposals in the form of tools and reports, in order to facilitate the organisations’ attempts to enhance their data governance practices.

The Accountability Framework is currently running in its beta phase and the ICO is consulting with stakeholders. The first stage of the beta phase closes on 2 November 2020.

See more here


Council of Europe’s calls for wider adoption and implementation of the Convention 108+

On 7th September 2020, the Chair of the Committee of Convention 108 and the Data Protection Commissioner of the Council of Europe published a Joint Statement. Through the latter, they called states to join the Convention 108+, to safeguard data protection against national surveillance activities and to pursue an international data protection standard.

Convention 108+ (i.e. Convention for the protection of Individuals with regard to Automatic Processing of Personal Data), constitutes the only legally binding instrument as regards data protection, which is open for signature by the EU Member States but also for accession by non-Member States. To date, it has been ratified by 55 countries while others have deployed it as the basis for their national data protection legislation.

In 2018, the Convention 108 was updated by an amending protocol (currently Convention 108+), in order to remain aligned with the state-of-the-art and current tools and practices. Inter alia, the Convention stipulates the need for independent and effective supervision of restrictions to data protection, afforded for national security purposes.

Pointing to Schrems II decision and its global-wide implications, the Statement underlines that the countries should cease the opportunity and pursue a universal data protection framework, whereby the states should agree the extend to which national surveillance practices should be authorised and under which conditions and safeguards. Accordingly, the framework should effectively address the cross-border flow of data. To this end, the Statement points out the significant role that the Convention 108+ can play given its global-wide legal binding nature. Albeit the latter does not explicitly deal with the challenges arising from mass surveillance capabilities at international level, this caveat can be addressed by the purported international legal standard.

See more here


EDPS summarizes its key considerations to AI and Data Strategy

The prevailing position of AI among the data protection hot topics of 2020 and its capability to trigger fierce competition about technological leadership, confirm the predictions for the increasing use of AI. EU has already declared its commitment to be at the front line of the competition, while respecting and preserving its European principles at the same time.

To this end, the EU Commission issued earlier this year its Data Strategy and the White Paper on AI. Although the European Data Protection Supervisor has already provided its opinion regarding the latter, it now summarizes its key considerations regarding AI and Data Strategy. As regards the former, the EDPS highlights that any regulatory framework or new legislation on AI should equally concern EU Member States and EU institutions and bodies.

It also clarifies that, albeit its multiple benefits, AI does not constitute panacea. On the contrary, the risks associated with AI applications mandate a prior thorough assessment, including cost-benefit assessment, in particular when adopted by public administrations. As regards, in particular, automated recognition in public spaces through processing of biometric data (e.g. facial, gaits, fingerprints, DNA etc.), the EDPS recommends the adoption of a moratorium. In any case, the EDPS underlines the necessity that AI should be deployed merely as a tool, serving human societies.

Regarding Data Strategy, the European Data Protection Supervisor reiterates that EU data spaces, that preserve the European values, could indeed constitute the required medium for individuals to share data in a manner that secures transparent overview over the data uses. However, ‘Data Altruism’ and relative concepts, included in the Strategy, were not clarified while the fundamental right to data protection, cannot be waived through ‘donation’ or ‘data sale’. Hence, even in case the data subject has consented to (“donated”), data controller remains subject to data protection principles and obligations.

See more here

See more about the European Data Strategy here

See the White Paper on AI here


Facebook appealing Ireland DPC’s order to suspend data transfer to the US

Following the CJEU’s decision on Schrems II, invalidating the Privacy Shield, the Irish DPC had ordered, last month, Facebook, to suspend data transfers between the EU and the US. Apart from the invalidation of the Privacy Shield, the CJEU’s decision upheld the validity of Standard Contractual Clauses (SCC) for data transfers.

However, according to Facebook’s allegations, from the DPC’s preliminary order derives that, in essence, SCCs can’t be used for EU-US data transfers, resulting in far reaching effects not only for social media companies but also for businesses, in general. The DPC’s order aims to protect EU residents data from being stored in the US, given the findings of the CJEU regarding US surveillance programs. On the other hand, Facebook argues that such an order would hinder not only Facebook’s operation in the EU but also other American social media companies present in the EU.

Hence, according to the company’s request for judicial review, the DPC proceeded with the issuance of the order while the expected EDPB’s guidance has still not been published. Pursuant to the GDPR, in case Facebook does not comply with the Authority’s order (i.e. DPC), it could face a fine up to 4% of its annual revenue.

See more here


UK’s National Data Strategy

Following last July’s guidance to the Strategy by the Department for Digital, Culture, Media &Sport, the British government published the National Data Strategy. The latter aims to empower UK’s economic growth and innovation.

The Strategy includes many plans and actions enabling the government, businesses and organisations to innovate and expand. The Strategy provides, inter alia, the enactment of primary legislation to facilitate smart data initiatives, such as the individuals’ capability to deploy their data in order to explore alternative and cheaper solutions in telecom services, energy etc. (smart data initiatives).

In addition, the Strategy provides the designation of a Government Chief Data Officer, whose primary role is the transformation of the governmental uses of data. Along with the Strategy, a £2.6 million project has been announced. The latter will be based upon enhanced data classification and sharing systems in order to contribute to the combatting of online harm, such as cyber bulling and harassment.

Currently, the Strategy is still in progress and the British government is open to consultation for the delineation and determination of the Strategy’s principles.

See more here