The past week in data protection

Time for another round up of the data protection news which caught my eye this week:

• The ICO has issued new guidance on how organisations can comply with data protection requirements when undertaking online content moderation. The guidance forms part of the ICO's collaboration with Ofcom (which regulates the UK’s Online Safety regime) and ought to be carefully considered by those who are balancing their distinct obligations under the online safety and data protection legislative regimes. 

Interestingly, the ICO's position is that content moderation undertaken using exact database matching tools won’t constitute automated decision making under Article 22 GDPR because the moderation tool is “operating according to specific, pre-defined parameters representing things that humans have already decided on.” This seems sensible but does beg the question of where the line is for Article 22 to apply given that even complex automated tools usually take “decisions” based on certain pre-defined parameters. If this is a topic of interest please do take a listen to the latest episode of the Legitimately Interesting podcast in which Hannah Crowther and I discuss this further.

• There was another development in the never ending saga of Meta’s international data transfers this week. The Irish High Court has given Max Schrems permission to participate in two separate but related High Court cases in which Meta is challenging a decision requiring it to suspend transfers of user data from the EU to the US. Interestingly the High Court held that Mr Schrems was “uniquely and directly affected” by the cases because of the history of his involvement with the issues and the proceedings. As a reminder, Max Schrems has also previously announced an intention to challenge the EU-US Data Privacy Framework, which is also the subject of a challenge by French MEP Philippe Latombe. This story is far from over. 
   
• The ICO has today (23 February) issued enforcement notices against Serco Leisure to stop them from using facial recognition and fingerprint scanning technologies for the purpose of monitoring employee attendance. The ICO found that the use of such technology was not necessary or proportionate because there were less intrusive means available to track attendance such as ID cards or fobs and employees were not proactively offered such alternatives. Organisations which wish to use such technologies therefore ought to carefully document in a DPIA the viability of a range of alternatives before proceeding.
   
• Finally, a date for your diaries - the CJEU will give its long anticipated judgment in the IAB Europe TCF case on 7 March. The outcome could have significant implications for the adtech industry and may also answer fundamental questions about the meaning of identifiability and the scope of the concept of joint controllership.