Privacy News 10/09/2021

Sep 17, 2021

European Union :

European Parliament publishes study on biometric identification with recommendations for AI Regulation

The European Parliament published, on 2 September 2021, a study on biometric recognition and behavioural detection as requested by the Committee on Legal Affairs and Committee on Petitions.

The study assesses the ethical aspects of biometric recognition and behavioural detection techniques with a focus on their current and future use in public spaces. It also makes a number of suggested amendments to the European Commission’s Proposal for an AI Regulation.

Suggested amendments:

–        To include in the Proposal a new Title IIa devoted to restricted AI practices, including biometric techniques and inferences.

–        The list of prohibited AI practices in Article 5(1) of the Proposal should be enriched

–        The Commission should have the possibility to adapt the list of prohibited AI practices periodically;

–        To clarify that prohibitions following from other laws (data protection or consumer protection law) remain unaffected.

–        Annex III point 1 of the Proposal should be extended to cover emotion recognition systems.

You can read the study here.


UK: Government launches consultation on reforming UK data protection regime

The UK government announced, on 9 September 2021, that it had launched a public consultation, proposing reform to the UK’s data protection regime, aiming to deliver Mission 2 of the National Data Strategy to secure a pro-growth and trusted data regime.

The reform proposals include reforming the Accountability framework and related requirements established under the GDPR and changes to cookies.

Regarding the Accountability framework reform:

The accountability framework would be reformed by implementing a more flexible and risk-based approach based on privacy management programs.

Some specific compliance requirements in the UK GDPR would be amended or removed (such as the requirements to designate a DPO, the requirement for organisations to undertake a DPIA).

Regarding Cookies:

–         permitting organisations to use analytics cookies and similar technologies without the user’s consent.

–        extending the soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person (subscription…)

You can read the press releases here and the consultation document here,


National Authorities

France: CNIL releases data protection maturity self-assessment model

The CNIL published, on 9 September 2021, its data protection management maturity self-assessment model.

The model transposes the maturity levels defined in international standards to data protection management and describes 8 typical activities related to data protection in five maturity levels.The model will allow organisations to assess their level of maturity and determine how to improve their management of data protection.

However, according to the CNIL, the model is not intended to ensure de facto compliance.

You can read the press release here and the model here. both only available in French.