Data Protection News Digest: in the headlines for February

Data Protection Digest: Our top three stories this month

From facial recognition to Vegas and Brexit, there has been a real variety of data privacy stories hitting the headlines during the past month.

Here are the top stories that have caught our attention, and the key learnings to take from each of them.

1.    Facial recognition technology in the spotlight with Clearview AI breach

Clearview AI, the facial recognition start-up that counts banks and law enforcement agencies among its clients, has been in the news again following a data breach that revealed its whole client database.  According to some reports, the data also included the number of accounts for each customer and the number of searches each of these accounts had made.

While the company was quick to fix the breach and said that there was “no compromise of Clearview AI’s systems or network”, it was another negative headline for a business under scrutiny - several major tech companies, including the likes of Google, Twitter, Facebook, and YouTube have already asked Clearview AI to stop its practices and have issued a cease and desist notice.

Our view

The Clearview AI case has once again put the spotlight on the growing debate around facial recognition technology and data protection.  It is now prevalent in many aspects of our lives, from unlocking our smart phones, through to police forces wanting to use it to assist with law enforcement efforts.

However, as with many emerging technologies, the law is often playing catch up. Earlier this month, EU Commission Vice-President for Digital, Margrethe Vestager said that automatic identification through facial recognition technology is illegal, and “as it stands right now, GDPR would say ‘don’t use it’, because you cannot get consent.”  In the UK, the ICO has conducted several investigations into its use, particularly for police forces. 

Any organisation seeking to use facial recognition technology should take specialist legal advice to ensure they are using it in an ethical way.

2.    Viva Las Vegas?  MGM hotel reports major breach

The phrase ‘what happens in Vegas stays in Vegas’ took a hit last month after it was revealed that the personal details of more than 10.6 million people who stayed at MGM Resorts hotels were published on a hacking forum, including high-profile names such as Twitter CEO Jack Dorsey and pop star Justin Bieber.

In a story broken by ZDNet, the leaked files included details such as full names, home addresses, phone numbers, emails and dates of birth.  MGM Resorts confirmed the breach was as a result of “unauthorized access to a cloud server that contained a limited amount of information for certain previous guests of MGM Resorts”, and that it was “confident that no financial, payment card or password data was involved in this matter”.  It also said it notified all impacted hotel guests when the breach occurred last summer, and that it had “strengthened and enhanced the security of our network to prevent this from happening again."

Our view

Although this breach happened in the US, the MGM attracts visitors from all over the world, so it is a global issue.  While it is encouraging that it took the appropriate steps to report the breach, inform the subjects involved, and use it as an opportunity to review its security systems, the fact that the data has reappeared on hacking forums shows that a breach can still have an impact some time after the initial event.

3.    Google’s post-Brexit data plans

There has been a lot written about the post-Brexit impact on data protection legislation in the UK, and the announcement by Google that it plans to move UK user accounts from Ireland to the US when Britain leaves the EU is a case in point.

In a story from Reuters, the reason behind the move centres around concerns from Google that the UK will loosen its data protection laws and fail to agree on a data-sharing agreement with the EU, potentially making it difficult to transfer data between Ireland – where Google has its HQ - and the UK. 

The migration will involve asking UK users to agree to new terms of service, which includes consent to holding their data under the new jurisdiction.  However, it also raises concerns over the US’s weaker data protection laws - while the Californian Consumer Privacy Act (CCPA), outlines some protections, there is no national federal data protection on a par with the GDPR. 

Our view

The question over data flow in a post-Brexit world has caused significant confusion among businesses, despite assurances from the ICO that the data flow between the UK and the EU will continue as normal.

In this case, many commentators have expressed little surprise that Google is looking to move UK user data from the EU.  However, the view that the UK’s data protection standards would not be as robust after the Brexit transition seems to go against government statements that the UK would continue to comply with the GDPR.  Also - for any business considering where to store data - it is also worth remembering that the GDPR applies to the user’s location, not just the data storage location.

For more information on The Compliance Space, or to book a demo, contact us at https://www.thecompliancespace.com/book-a-demo