Inline's Data Policy Tracker, July 2019
by Conor Brennan on 03 Jul 2019
Inline’s Data Policy Tracker covers the key political and regulatory changes, trends and developments impacting the data sector. We look at the latest interventions from regulators, policymakers and politicians within the context of this evolving data policy landscape.
In this month's Data Policy Tracker, we highlight:
- Adtech industry on red alert after UK data regulator issues warning;
- Expert Group calls for policymakers to ban AI-enabled mass surveillance in Europe;
- The European Data Protection Board finalises code of conduct guidelines; and
- The UK Government launches a National Data Strategy, bringing together several policy streams.
The UK Information Commissioner's Office claims adtech practices are flouting GDPR rules
The data regulator has published a new report arguing that the use of Real-Time Bidding (RTB) by the adtech industry is undermining important legal and regulatory provisions. In particular, the ICO found that personal data is widely used in the process without a sufficient legal basis for processing the data.
The ICO's damning report on the adtech industry follows attempts earlier this year to engage with the industry on these crucial issues, launching a 'fact finding forum' entitled "Advancing the adtech debate from a data protection perspective". These events brought adtech companies to the table to discuss the sophistication of the technology used to sell online adverts to the highest bidder in real time. Despite these efforts, the ICO has pressed ahead with publicly calling for the industry to make changes to its fundamental business processes.
The ICO’s main point of contention is that the personal data used by the majority of adtech companies is sensitive information or constitutes “special category data”. For this reason, it concludes that scenarios where a ‘legitimate interest’ could apply are limited and therefore it requires the explicit consent of the data subject. Although it will seek to gather further information, it believes that explicit consent is not being adequately sought for the purposes of RTB.
The ICO will now go straight to the source, investigating the schema used by Interactive Advertising Bureau (IAB) Europe members and Google to calculate which information is necessary for the operations of online advertising. The Regulator will identify whether specific data fields are excessive and intrusive, and if so, order providers to change practices. Attention will also turn to other European regulators to see if they will back up the ICO's position. The French data regulator CNIL has already issued a statement confirming that online advertising targeting is a priority topic for the rest of the year.
European Expert Group warns against AI for mass surveillance and 'social scoring' of individuals
The High Level Expert Group (HLEG) for AI, set up last year and tasked with advising the European Commission, has published its latest policy and investment recommendations. The report gives a clear warning against commercial and government actors building what it called “a pervasive surveillance system based on AI systems”.
The AI HLEG makes an outright recommendation to ban AI-enabled mass scale scoring of individuals and set strict rules for surveillance for national security purposes and other purposes claimed to be in the public interest, in line with EU law. The recommendation can be seen as a response to developments in China where individual credit scoring of individuals' activities online is becoming more prevalent.
The Expert Group also believes that AI and advanced machine learning have a greater role to play in implementing the aims of GDPR. For instance, it states that AI systems should support technological development of anonymisation and encryption techniques and develop standards for secure data exchange based on personal data control. More emphasis should be placed on creating technology solutions to provide individuals with control over how their data is being used, for example on consent management across European borders, it added.
The AI HLEG will, in the second half of 2019, run a piloting phase of the guidelines it has drawn up to enable secure adoption of certain practices within nominated sectors. The Expert Group also proposes to instigate a limited number of sectorial AI ecosystem analyses to help expand on its guidelines.
EDPB finalises its code of conduct guidelines, urging individual sectors to push ahead with adoption
The European Data Protection Board has adopted a final version of the Guidelines on Codes of Conduct. Industry or sector-specific bodies are expected to develop and submit Codes for regulatory approval. The inclusion of Codes in the text of the GDPR was seen as a mechanism to help to bridge the gaps that may exist between Member States in their application of data protection law.
Following public consultation, the publication of these guidelines intends to help clarify the procedures and the rules involved in the submission, approval and publication of codes of conduct at both the national and the European level. These guidelines also act as a framework for regulatory authorities, the EDPB and the Commission to evaluate codes of conduct in a consistent and uniform manner.
In the publication, the EDPB called on Member States, data regulatory authorities, and the European Commission to encourage the drawing up of codes to contribute to the proper application of GDPR. It stressed that these bodies are obliged to promote the adoption of Codes for individual sectors, now over one year after the implementation of the requirement under GDPR.
UK Government launches a National Data Strategy in a bid to increase data sharing in a safe and fair manner
In launching a new National Data Strategy, the Government is trying to reconcile the huge social and economic opportunities of increased data sharing with the growing unease over its impact on social harms, cybersecurity, privacy and unfair market practices.
The UK Department for Digital, Culture, Media & Sport has called on the public, businesses and organisations to submit their thoughts and opinions on how the UK policy should evolve to enable the UK to build a “world-leading data economy”. Its initial consultation for the National Data Strategy covers a broad, wide-reaching remit and is the beginning of a continual process of engagement. The call for evidence covers the various actors (government, businesses, public) and the key topics (fairness & ethics, governing rules, inclusivity, carbon neutrality).
Although it does not appear focused at this point, the guiding principles which emerge from the National Data Strategy will underpin the key UK data policy agendas. These include the Centre for Data Ethics and Innovation; Code of Conduct for Data-Driven Health and Care Technology; Smart Data Review; Geospatial Commission; and monitoring of Big Data markets. Inline summarised each policy stream in its report on how the UK was shaping the ethical use of data.
An increasingly politicised issue, the Parliamentary Committee for Human Rights has already begun an inquiry into the right to privacy, as it conflicts with the 'digital revolution'. As part of a series of hearings it will bring various stakeholders in front of its members for questioning, including academics, journalists and data-driven marketing companies such as Acxiom. The UK Government's pursuit of supporting a new framework for safe data sharing has not eased off, but by the same token the perceived risks are under enormous scrutiny.
Written by Conor Brennan
Conor is an experienced consultant who advises clients in the data economy, insur-tech, and energy sectors.