On the 25 May 2018, the General Data Protection Legislation ("GDPR") came into effect in the EU. Since then, the global data protection stage has seen many key developments. Four years on, the GDPR has become the new world standard for privacy and data protection, with as many as 20 countries around the world introducing new legislation that uses the GDPR as a model to shape their own data protection principles. On this anniversary, we look back at the key privacy milestones since 2018 and consider what the future of the GDPR looks like for UK businesses.
On 10 May 2022, it was announced in the Queen's Speech that the UK's data protection regime will be reformed through the introduction of the Data Reform Bill (the "Bill"). This follows the Government's consultation paper on reforms to the UK's data protection regime last September.
The Ukrainian government is reportedly using software developed by Clearview AI Inc. ("Clearview") to identify the bodies of Russian soldiers, killed in combat, to inform their family of their death.
On 18 November 2021, the European Data Protection Board (the "EDPB") adopted guidelines (the "Guidelines") on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation ("GDPR"). The objective of the Guidelines is to assist data controllers and data processors, especially those within the EU, with identifying an international transfer. The Guidelines are also intended to address uncertainties that have emerged following the European Commission's new standard contractual clauses, published in June 2021.
An employment tribunal claim has been filed against Uber by one of its drivers over its use of allegedly racially discriminatory facial-verification software.
Facebook has said it will delete more than 1 billion people’s individual facial recognition data in light of concerns around data protection and ethics. Concerns had been raised that facial recognition technology could compromise privacy, target marginalised groups and normalise intrusive surveillance.
Judge holds that it was "not appropriate" for parties to make claims in the High Court for data protection breaches which were "frankly, trivial".
The Information Commissioner's Office announced on 18 October that it would be in contact with North Ayrshire Council after it was reported that nine North Ayrshire schools had introduced facial recognition technology to allow pupils to pay for their school lunches. The proposed use of facial recognition technology would involve the processing of biometric personal data, which should be treated as a special category of personal data under the UK GDPR where it is used to uniquely identify a data subject.
Over 850 professional football players from mid-tier and premier league clubs are seeking compensation from the data collection industry over the unconsented use of up to six years' worth of performance data, in a legal action referred to as Project Red Card.