EU-US Data Privacy Framework Concerns and Clearview AI Violation

Table of Contents

  1. Introduction
  2. European Parliament's Resolution on EU-US Data Privacy Framework
  3. Concerns Raised by the EU Parliament
  4. Clearview AI Under Scrutiny for Violating GDPR
  5. Order by Austrian Data Protection Authority to Clearview AI
  6. European Court of Justice's Interpretation of the Right to Obtain Copy of Personal Data
  7. New Privacy Notice Obligations under the Washington May Have My Data Act
  8. Implications of the New Privacy Notice Requirements
  9. Launch of New Website by the Federal Data Protection and Information Commissioner
  10. Importance of Reporting Security Vulnerabilities

European Parliament's Resolution on EU-US Data Privacy Framework

The European Parliament, in a resolution adopted on May 11th, voiced its opposition to a potential adequacy decision between the EU and the US under the EU-US Data Privacy Framework (DPF). While the parliament acknowledged that the proposed framework is an improvement, it identified several concerns. The framework still allows for bulk collection of personal data in certain cases, lacks clear rules on data retention, and does not provide for independent authorization for bulk collection. Additionally, the parliament raised concerns regarding the secrecy of data protection review court (DPRC) decisions, the European Ombudsman's power over judges, and the need for a truly independent DPRC. Rather than adopting a decision based on the current framework, the EU Parliament emphasized the importance of negotiating a future-proof framework that ensures legal certainty for EU citizens and businesses.

Concerns Raised by the EU Parliament

The EU Parliament's concerns regarding the adequacy decision under the EU-US Data Privacy Framework encompass various aspects of data protection. One of the key concerns is the potential for bulk collection of personal data, which the parliament deems as infringing on individuals' privacy rights. The lack of clear rules on data retention also raises apprehensions about how long personal data can be stored and under what circumstances. Furthermore, the secrecy surrounding data protection review court (DPRC) decisions and the European Ombudsman's influence over judges undermine the perceived independence of the DPRC. Overall, the EU Parliament seeks a future-proof framework that addresses these concerns and provides robust safeguards for data transfers between the EU and the US.

Clearview AI Under Scrutiny for Violating GDPR

Clearview AI, a US-based company that utilizes facial recognition technology, has come under scrutiny for potentially violating the European General Data Protection Regulation (GDPR). It is alleged that Clearview AI collects images not only from its own biometric search engine but also from public online sources, such as news media and social media, without appropriate consent. This practice raises concerns as it involves the collection and potential sale of personal data belonging to European citizens, which is illegal under the GDPR.

Interestingly, Clearview AI has been found to monitor the behavior of individuals within Austria, despite not providing services within the country. The Austrian data protection authority has ruled that Clearview AI must delete all personal data of the complainant, as its processing lacks a legal basis. Furthermore, the authority has ordered the company to appoint a data protection representative within the European Union. This step aims to facilitate European citizens in exercising their data protection rights and provide a local contact point for data protection authorities.

European Court of Justice's Interpretation of the Right to Obtain Copy of Personal Data

On May 4th, the European Court of Justice provided an interpretation of the right to obtain a copy of personal data, specifically in the context of medical files. The court addressed a proceeding in which the Austrian Federal Administrative Code sought clarification on whether transmitting data in the form of a summary table fulfills the right of access under Article 15(3) of the GDPR. The court ruled that the data subject is entitled to receive a faithful and intelligible reproduction of all their data, including copies of extracts from documents and databases that contain their personal data. This clarification highlights that the term "copy" pertains to the personal data itself rather than the format or document in which it is presented.

New Privacy Notice Obligations under the Washington May Have My Data Act

In the 8th edition of the Washington May Have My Data Act, new privacy notice obligations are discussed. Upon implementation of the act, entities will be required to meet new privacy notice requirements, including the creation of a separate consumer health data privacy policy. This policy should provide a detailed description of the types of health data collected, how the data is used, the parties who will have access to the data, and how consumers can manage their own data. Additionally, the act requires entities to list specific affiliates with whom they share consumers' health data. The broad definition of consumer health data in the act may necessitate a reevaluation of how entities categorize and handle data. Notably, the act suggests that the new privacy policy should be a separate document, which may lead to potential consumer confusion with multiple overlapping privacy documents. Furthermore, the act demands that a link to the privacy policy be provided on every web page of the entity's website. As the timelines for the act's effective dates are not clearly defined, companies should initiate compliance efforts promptly.

Implications of the New Privacy Notice Requirements

The introduction of new privacy notice requirements under the Washington May Have My Data Act carries several implications for entities. With the need to create a separate consumer health data privacy policy, organizations must devote resources to clearly outline the types of health data collected and how it will be utilized. Identifying the parties involved in accessing the data and implementing mechanisms for consumers to manage their data becomes essential. Additionally, the act's emphasis on sharing consumer health data with specific affiliates may necessitate a thorough evaluation of privacy considerations associated with such collaborations. Companies must ensure that their privacy policies are easily accessible to consumers by providing a clear link on every web page. The overlapping of multiple privacy documents may pose challenges for consumer understanding and complicate compliance efforts. As effective dates for different parts of the act vary, entities are encouraged to initiate compliance work early to meet the forthcoming obligations.

Launch of New Website by the Federal Data Protection and Information Commissioner

The Federal Data Protection and Information Commissioner has recently launched a new website featuring the implementation of the temperature portal for reporting security vulnerabilities. This portal, developed under the new federal act on data protection, enables individuals to report security vulnerabilities digitally and securely. The website offers an online form to facilitate the reporting process. It is important to note that the evaluation and reporting of data breaches will commence when the revised federal act comes into force on September 1st. Until the act's implementation, reporting to the Federal Data Protection and Information Commissioner is voluntary.

Importance of Reporting Security Vulnerabilities

The implementation of the temperature portal by the Federal Data Protection and Information Commissioner highlights the significance of reporting security vulnerabilities. As organizations and individuals rely heavily on digital systems and data sharing, it becomes crucial to identify and address potential vulnerabilities promptly. The portal offers a secure channel for reporting such vulnerabilities, ensuring that data breaches or weaknesses are promptly assessed and appropriate measures are taken. By encouraging individuals to report security vulnerabilities, the aim is to maintain the integrity and security of data in an increasingly interconnected digital world.

Highlights

  • The European Parliament has opposed a potential adequacy decision under the EU-US Data Privacy Framework, raising concerns about bulk data collection, data retention, and the independence of data protection review courts.

  • Clearview AI, a US-based company, is under scrutiny for potentially violating the GDPR by collecting and selling personal data of European citizens obtained from various online sources.

  • The European Court of Justice has clarified that individuals have the right to obtain copies of personal data in the form of extracts from documents or databases.

  • The Washington May Have My Data Act introduces new privacy notice requirements, including a separate consumer health data privacy policy and a list of specific affiliates sharing consumers' health data.

  • The launch of a new website with a temperature portal for reporting security vulnerabilities aims to promote the reporting and evaluation of data breaches.

FAQs

Q: What is the EU-US Data Privacy Framework? A: The EU-US Data Privacy Framework is an agreement aimed at regulating the transfer of personal data between the European Union and the United States while ensuring adequate data protection measures are in place.

Q: Why is Clearview AI under scrutiny? A: Clearview AI is under scrutiny for potentially violating the GDPR by collecting personal data, including facial images, from various online sources without appropriate consent and selling it to third parties.

Q: What are the new privacy notice obligations under the Washington May Have My Data Act? A: The Washington May Have My Data Act requires entities to create a separate consumer health data privacy policy, provide detailed descriptions of the data collected and its usage, list affiliates sharing the data, and offer mechanisms for consumers to manage their own data.

Q: Why is reporting security vulnerabilities important? A: Reporting security vulnerabilities is crucial to address potential weaknesses in digital systems promptly. It helps prevent data breaches and ensures the overall security and integrity of data in an interconnected digital world.
