Standard Post with Image

Modelling contract – processing based on contract, not consent:

The Danish Data Protection Authority has published a decision in which the Authority examined the legal basis for a photographer’s processing of a model’s personal data in the form of photos, some of which were intimate photos. The case concerned a young model’s complaint to the Authority after she had requested a photographer to delete the photographs of her, and the photographer had refused on the basis that he was entitled to keep processing the photos because they had entered into a business contract. The Authority examined the facts of the case and concluded that the parties had entered into a binding contract and that that photographer’s processing of the model’s personal data (in the form of the photographic images) was based on that contract rather than a revocable consent. The Danish Data Protection Authority noted that the correct forum for a decision as to the validity of the contract was the civil courts.

For more information on this or any other data protection issue in Denmark, please contact Ruth Caddock Hansen at [email protected] 

Standard Post with Image

UK government publishes initial code of conduct for data-driven health and care technology

On September 5, at the NHS Expo in Manchester, UK health minister James O’Shaughnessy announced the launch of a code of conduct for data-driven health and care technology. The latter was issued in order to encourage companies to “meet a gold-standard set of principles” to protect patient data. It aims to create a trustworthy structure held strong by 10 principles, which contains guidelines on how NHS data should be protected: “10 principles which set out the rules of engagement between industry and the health and care system. These principles provide a basis to deepen the trust between patients, clinicians, researchers and innovators”. Other major topics include using artificial intelligence and machine learning to fight against diseases. The code is only at its initial stage and it will develop over time through feedback from the public.

Link to the UK government code of conduct publication
Standard Post with Image

Barbados government presents its Data Protection Act draft

The Barbados government has published a draft of its Data Protection Act seeking public comment before it will pass into law. The bill represents the government’s second effort to pass data protection legislation, after a prior draft was issued without positive results in 2005. The draft contains clarifications on Barbados’ data protection rules’ limited scope of application and highlights important key features. The latter provides an interesting perspective on the data protection provisions chosen to be part of the Bill. Some aspects of the Act tend to be similar to the provisions of the EU General Data Protection Regulation. For instance, between the eight data principles covered, the data processing is limited to certain specified and lawful purposes; personal data must be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed; it must also be accurate and, where necessary, kept up-to-date. As with the GDPR, any transfer of personal data is forbidden unless an adequate level of protection of the rights and freedoms of data subjects is ensured.

A link to the Barbados governments’ draft is available here
Standard Post with Image

Italian government, Italian privacy decree for adaptation to the GDPR to be implemented from September 19, 2018

On September 4, the Italian government published the text of the decree for adaptation to the GDPR, which will come into force on September 19, 2018, and represents a work of harmonization to create a text that does not conflict with the GDPR. According to the decree, on one hand, the Italian Data Protection Authority has kept its primary role and, in some cases, still must be consulted. On the other hand, the decree aims to promote simplified procedures for the fulfilment of the obligations of the data controller. Some provisions were eagerly anticipated, such as the obligations of the data controller in cases of receipt of a CV for the purpose of establishing an employment relationship. If that is the case, clarifies the decree, the information to be provided according to article 13 of the GDPR must be provided at the time of the first useful contact after sending. Other relevant novelties include disposition on deceased persons’ data and the age limit for consent.

A link to the decree text (in Italian language) is attached below
Standard Post with Image

Facebook, Twitter and Google to go before U.S. Senate Intelligence Committee

September kicks off a series of critical congressional hearings for Facebook, Twitter and Google focused on how these companies intend to protect against foreign meddling during the 2018 midterm elections and beyond. The tech companies will also be questioned by the Senate Intelligence Committee and the Senate Judiciary subcommittee about their plans to more broadly protect consumer data and privacy by more responsibly controlling content on their platforms, increasing transparency to the consumer and allowing for competition among internet providers. While both Facebook Inc. COO Sheryl Sandberg and Twitter Inc. CEO Jack Dorsey attended the Sept. 5th Senate Intelligence Committee hearing, Google, a unit of Alphabet Inc., left its chair empty, refusing to send its CEO Sundar Pichao or its co-founder and Alphabet CEO Larry Page.  In a letter sent to the Federal Trade Commission in late August 2018, Sen. Orrin G. Hatch (R., Ut.), a member of the Senate Judiciary Committee and its antitrust subcommittee, defined Google’s anti-competitive conduct as “disquieting.”  Consumer data breaches and/or perceived lack of protection by these platforms have caused sufficient concern that it is believed Congress could follow EU lawmakers by creating more stringent online privacy laws to protect users later this year, as the state of California has already done.

A link to the WSJ original article is available here (subscription needed)