The era of international GDPR enforcement arrives

It's been just over six months since the General Data Protection Regulation (GDPR) came into force in the European Union. One of the key features of the GDPR is its extra-territorial application, set out in Article 3.

The world has been watching to see when, and to what extent, European regulators would actually crack down on breaches of the GDPR by companies outside the EU.

A survey conducted by Reuters in May indicated that the majority of EU regulators believed they did not have either the necessary funding or the proper powers in place to enforce the new regulations.

But, spurred on by the Cambridge Analytica/Facebook scandal, the UK's Information Commissioner's Office (ICO) has wasted no time stepping up to the plate and putting down a marker for the GDPR.

AggregateIQ is a Canadian data analytics company known for its work in the 2016 US presidential race and the Brexit referendum, in which it used data to micro-target voters and campaign to the benefit of President Trump and Vote Leave, respectively.

On 6 July 2018, the ICO quietly issued a notice against AggregateIQ ordering it to stop using personal data of EU citizens that had been "obtained from UK political organisations for the purposes of data analytics, political campaigning or any other advertising purposes."

AggregateIQ appealed the initial notice, on the basis that the scope and wording were too wide, but has since withdrawn that appeal after negotiating a reduced set of sanctions – including deleting the offending personal data – under a second notice issued by the ICO on 24 October 2018.

The validity and enforceability of the ICO's notice were never at issue. A triumph for the GDPR.

This should be a signal to New Zealand companies that the grace period for GDPR non-compliance is rapidly ending, if it hasn't already.

Microsoft reiterates calls for regulation of facial recognition

In July this year Microsoft made a surprise call for governments to regulate the use of facial recognition technology.

Facial recognition algorithms take visual images and convert them to geometric fingerprints which are increasingly capable of identifying individuals quickly and accurately from any image source.

The technology has the scope to be the equivalent of cookies for the real world, allowing companies or agencies to track behaviour across the physical world in the same way that cookies track you across the internet.

Chinese authorities have made headlines by deploying facial recognition technology as part of a "social credit" system which scores citizens on their real-world behaviour.

Microsoft President Brad Smith said on 6 December 2018 that "[Microsoft] don't believe that the world will be best served by a commercial race to the bottom, with tech companies forced to choose between social responsibility and market success."

He went on to call for regulation to be urgently introduced to keep pace with advanced facial recognition technology and mitigate three key issues:

  1. That the technology "increase[s] the risk of decisions and, more generally, outcomes that are biased..."
  2. "New intrusions into people's privacy."
  3. Mass surveillance by governments which "encroach on democratic freedoms."


New Zealand situation

New Zealand is well placed, with a revision of the Privacy Act 1993 underway, to step up to the plate and regulate this technology if there is the political will. Whether that is the case remains to be seen.

The select committee's report back on the Privacy Bill has been pushed back to 13 March 2019.
