Data Protection #1: 1-7 March 2021 | UK Immigration Exemption, Facebook SEER AI, Apple Antitrust Probe

UK's GDPR "Immigration Exemption" | Facebook's "SEER" AI fed Instagram photos | Apple UK Antitrust Investigation | Facebook Questioned in South Africa | Virginia's CDPA vs California's CPRA | NYT |

Here are six interesting stories from the past week in data protection, privacy, and related fields.

Robert Bateman

Privacy and Data Protection Writer

Share Data Protection

UK Government Denies Thousands of Migrants Access to Personal Data

The UK’s Home Office used the “immigration exemption” to deny over 14,000 subject access requests in 2020

The UK's Home Office used the "immigration exemption" to deny people access to their personal data over 14,000 times in 2020 — to deny over 72% of subject access requests.

The subject access request is the backbone of data protection law. It lets you see who is holding your data and what they're doing with it.

In the UK, migrants and their lawyers routinely use subject access requests to view data held by the Home Office. This data can form the basis of life-or-death deportation orders — it's crucial that it's correct.

When the government passed the GDPR into UK law, via the Data Protection Act 2018 it included a get-out clause. Any subject access request could be denied if complying with it would "prejudice" the "maintenance of effective immigration control".

The government insisted this exemption would be in a proportionate way and in "relatively limited circumstances".

We now know it's used nearly to deny nearly three-quarters of subject access requests to the Home Office.

How could each of these 14,027 subject access requests possibly have presented a "prejudice" to the "maintenance of effective immigration control"? What does this phrase even mean?

The government has never justified its use of this overly broad exemption.

For an upcoming article, I spoke to representatives from two UK charities — Open Rights Group and the3million — who are taking the government to court over the immigration exemption.

They told me how much pain this provision is causing migrants dealing with residency and deportation issues.

There’s still a chance that their case against the government can overturn this bad law on human rights grounds.

Facebook Training Its AI Using a Billion Non-Europeans’ Instagram Photos

Team Zukerberg’s “SEER” might be learning via your holiday photos — unless you’re protected by the GDPR.

Facebook has announced an AI breakthrough: its slightly-terrifyingly-named “SEER” (SElf-supERvised) AI model has been trained using unlabelled photos, supposedly removing the requirement for human intervention.

But Facebook chose to exclude EU users (and presumably those from the UK and the wider EEA), due to protections afforded by the GDPR.

This is a noteworthy decision. Tech firms often claim this type of aggregate data processing doesn’t constitute an invasion of privacy.

So why exclude those people protected by the world’s most powerful privacy law?

Non-Europeans should be asking whether this is what they reasonably expected when they signed up for Instagram.

Apple Under Antitrust Investigation in the UK

Apple is facing a probe over its App Store rules. The company’s dominance reinforces — and further necessitates — its strict grip on iOS developers.

The UK's antitrust regulator is investigating Apple over its app store terms. We need big tech firms to strictly regulate content on their platforms. But we only "need" this because these platforms are so dominant.

The Competition and Markets Authority (CMA) says it is concerned that Apple's Terms and Conditions for app developers are "unfair and anti-competitive".

The CMA's investigation will consider whether developers should have to agree to certain terms before launching their apps in the App Store, and Apple's rules on in-app payments.

The CMA cites the fact that App Store apps are subject to pre-approval by Apple as a matter that is pertinent to the investigation.

These rules benefit Apple. But they also, to some extent, benefit consumers. Many iPhone users like the fact that App Store apps tend to be of reasonable quality and tend to have strong security.

The CMA is also investigating Google's phasing out of third-party cookies. I'm all for this change — third-party cookies are bad for privacy (although I have my reservations about Google’s new advertising method).

But Google is so huge that many thousands of its competitors are dependent on its policies, making this an antitrust issue.

If Apple and Google weren't such dominant market players, this stuff wouldn't matter so much. Developers could find another app store. Advertisers could use other networks.

But regulators have let these companies get so huge that everything they do matters disproportionately.

South African Information Regulator Demands Answers From Facebook Over WhatsApp Terms

South Africa’s regulator wants to know why Facebook didn’t seek prior consultation over WhatsApp terms changes. Perhaps because the law isn’t yet in force…?

We all know WhatsApp is changing its terms. Thanks to the GDPR, European users are largely protected from these changes. But South Africa's Information Regulator is asking: Why aren't South Africans protected too?

The answer might actually be pretty straightforward.

South Africa's POPIA is a relatively strong privacy law with many similarities to the GDPR. In one area, it's actually even stricter.

Section 57 of the POPIA requires responsible parties (controllers) to seek prior authorization from the Information Regulator where they seek to process personal information:

• For purposes that were not specified at when the information was collected, and
• When they aim to link personal information with data from other responsible parties

This seems to be exactly what Facebook has planned for WhatsApp.

So the question is: Why didn't Facebook seek prior authorization from the South African Information Regulator?

Well, there might be a straightforward answer.

Most provisions of the POPIA — including the prior consultation rules —commenced from July 2020, but won't be enforced until July 2021.

So it's not clear that the Information Regulator has much of a case against Facebook, given that the prior consultation rules won't be in force when the changes to WhatsApp occur.

What’s the deal here? Am I confused about POPIA’s commencement schedule (I’ve double-checked)? Did the regulator not realise that South Africa law doesn’t apply here? Or is this a bluff?

I’ve asked the South African Information Regulator. No reply yet.

Virginia Passes Consumer Data Protection Act

Virginia’s new privacy law isn’t all that impressive from a European perspective. But, it just about places Virginia on an even footing with California.

The U.S. took another (small) step towards greater privacy protection this week when Virginia passed the Consumer Data Protection Act (CDPA).

The law has been criticised as a missed opportunity. Its consumer rights are strictly opt-out, except with regard to the collection and use of “sensitive” personal information.

But — for me — some progress is better than none.

The law has been compared to California’s privacy regime and (wrongly) to the GDPR.

Here are four important distinctions between Virgina’s brand-new CDPA and California's also-quite-new California Privacy Rights Act (CPRA).

1) The CDPA has no private right of action. You can’t take a company to court for violating the CDPA. This makes it more popular among industry players and less popular among lawyers.

2) The CDPA is more liberal in the area of non-discrimination. California’s “right to non-discrimination” prevents businesses from imposing a higher price for goods against customers who exercise their consumer privacy rights, This provision was watered down due to concerns from businesses that they would be unable to operate loyalty schemes. Subsequent amendments involved forcing businesses to demonstrate the value of personal information they received in exchange for discounts. The CDPA appears to have taken a less convoluted approach.

3) The CDPA requires businesses to conduct "data protection assessments" in many situations including when conducting targeted advertising. This is the most interesting provision, in my eyes. These assessments are similar to the GDPR’s Data Protection Impact Assessments (DPIAs).

4) The CDPA’s definition of “sensitive personal information” is slightly broader, as it includes data from children under 13 among its categories of "sensitive personal data".

Recommended Reading

America, Your Privacy Settings Are All Wrong — New York Times

A year or two ago, I wouldn’t have expected to read a high-profile Editorial Board piece in the New York Times advocating a federal, opt-in-consent-based privacy law.

This excellent piece takes a critical look at data collection in the U.S. and criticises Virginia’s new CPDA (which I discussed above).

Americans have become inured to the relentless collection of their personal information online. Imagine, for example, if getting your suit pressed at the dry cleaner's automatically and permanently signed you up to have scores of inferences about you — measurements, gender, race, language, fabric preferences, credit card type — shared with retailers, cleaning product advertisers and hundreds of other dry cleaners, who themselves had arrangements to share that data with others. It might give you pause.

That’s it! Thanks for reading. I’m been overwhelmed by the number of subscribers I’ve received today. See you next Sunday.

Robert Bateman


Share Data Protection

Follow me on Twitter

Follow me on LinkedIn