On November 16, 2021, the Future of Privacy Forum (FPF) and the Brussels Privacy Hub of Vrije Universiteit Brussel (VUB) hosted the Brussels Privacy Symposium 2021 – The Age of AI Regulation: Global Strategic Directions. The event, convened by Jules Polonetsky, CEO of FPF, Christopher Kuner and Gianclaudio Malgieri, Co-Chairs of the Brussels Privacy Hub (BPH), brought together policymakers, academic researchers, civil society organizations and industry leaders from the European Union (EU), the Organization for Economic Cooperation and Development (OECD), the United States, Brazil, and Singapore to discuss the most recent trends in the governance of Artificial Intelligence (AI), with a focus on addressing the risks posed by AI systems to fundamental rights, while fostering their responsible development and uptake. A new report from FPF’s Sebastião Barros Vale, Katerina Demetzou and Lee Matheson summarizes and offers context to the discussions at the event.
The 2021 Brussels Privacy Symposium was the fifth-annual academic program jointly presented by the BPH and FPF. In this context, the Symposium’s panelists debated the proposal for a legal framework that the European Commission (EC) published in April 2021 (AI Act), a first-of-its-kind comprehensive law for AI systems, which comprises a risk-based approach by scaling legal obligations to the severity of risks that specific AI systems pose. Furthermore, speakers drew comparisons between the proposed EU model and different approaches to AI regulation that are surfacing elsewhere – such as the US, Brazil, Singapore, and China.
The keynote panel, which covered the EU’s road ahead to the proposed AI Act and was moderated by Gianclaudio Malgieri, BPH Co-Director and Associate Professor of Law at EDHEC Augmented Law Institute (Lille), counted on:
Brando Benifei, Member of the European Parliament, President of the Spinelli Group
Lucilla Sioli, Director for Artificial Intelligence and Digital Industry (CNECT.A), DirectorateGeneral CONNECT at the European Commission
The following panel saw a Global Comparative Discussion on Approaches to AI Regulation, Governance and Oversight, moderated by Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at FPF and Affiliated Researcher at the VUB’s Research Group on Law, Science, Technology & Society (LSTS). Speakers included:
Simon Chesterman, Dean and Provost’s Chair Professor of the National University of Singapore Faculty of Law and Senior Director of AI Governance at AI Singapore
Luca Belli, Professor of Internet Governance and Regulation at Fundação Getúlio Vargas (FGV) Law School
Audrey Plonk, Head of Digital Economy Policy Division – Directorate for Science, Technology and Innovation, OECD
Elham Tabassi, Chief of Staff, Information Technology Laboratory of the U.S. National Institute of Standards and Technology (NIST)
The last panel was titled Should Certain Uses of AI Be Banned?, and it was moderated by Ivana Bartoletti, Global Chief Privacy Officer at Wipro and Co-Founder of the Women Leading in AI Network. Speakers included:
Theodore Christakis, Professor of International and European Law at University Grenoble Alpes
Frank Pasquale, Professor of Law at Brooklyn Law School
Cornelia Kutterer, Senior Director, EU Government Affairs, AI, Privacy and Digital Policies, Microsoft
Ursula Pachl, Deputy Director General at the European Consumer Organisation (BEUC)
If you have any questions about the Report, contact Dr. Gabriela Zanfir-Fortuna at [email protected] or Dr. Rob van Eijk at [email protected].
Privacy Harms, Global Privacy Regulation, and Algorithmic Decision Making are Major Topics During Privacy Papers for Policymakers Event
For the 12th year, the Future of Privacy Forum (FPF) hosted its Privacy Papers for Policymakers event, honoring the 2021 Privacy Papers for Policymakers Award winners. This year’s event featured an opening keynote by Colorado Attorney General Phil Weiser and facilitated discussions between the winning authors – Daniel Solove, Ben Green, Woody Hartzog, Neil Richards, Joris van Hoboken, Ronan Ó Fathaigh, Jie Wang, Shikun Zhang, and Norman Sadeh – and leaders from the academic, industry, and policy landscape, including Maneesha Mithal, Sarah Holland, Travis Hall, Quentin Palfrey, Dr. Clarisse Girot, and John Howard, Ph.D.
In his keynote, AG Weiser outlined his approach for fostering conversations in the privacy space that bring together policymakers and academics while ensuring the integrity of the discussions, an approach Weiser called the “true north” of his career. Weiser spoke to the lack of dialogue within Congress and offered examples of how his home state of Colorado has facilitated productive conversations at the state level around data privacy. Weiser pointed to the recently passed Colorado Privacy Act as a testament to how bipartisanship is “still alive and well at the state level.”
AG Weiser stated that states considering privacy legislation must bring together “those who are practicing on the ground as well as those who are very gifted scholars.” With so many entities in the field, it is challenging to utilize a one size fits all solution or approach. Weiser noted, “we want to create a regulatory regime that is adaptable, and that can both protect data and consumers’ privacy while not getting in the way of innovation.” Through respectful and thoughtful collaboration, advances in data protection, security, and privacy can be achieved at the state and federal levels.
Weiser stressed the importance of collaboration and respect in conversations around privacy. He highlighted the Ginsburg/Scalia Initiative, a bi-partisan gathering of state AGs honoring the friendship of the two late Supreme Court Justices, which convenes to engage in dialogue to solve pressing issues. Weiser concluded his keynote by congratulating FPF on creating an event that followed in the spirit of Justices Scalia and Ginsburg. FPF’s PPPM event encourages all attendees to “think differently, to take different sorts of thoughts seriously, and to look at issues from different angles.”
Colorado Attorney General Phil Weiser
Following Attorney General Weiser’s keynote address, the event shifted to moderated discussions between the authors and leaders from the academic, industry, and policy communities. Click the links below to read each of the winning papers, or read the 2021 PPPM Digest, which includes summaries of the papers and more information about the authors and judges.
Daniel Solove kicked off the discussion section of the event by talking about his paper, Privacy Harms, with Maneesha Mithal, Cybersecurity Partner at Wilson Sonsini. This paper, co-authored by UVA School of Law Professor Danielle Citron, analyzed how courts define harm in cases involving privacy violations and how the requirement of proof of harm has impeded the enforcement of privacy law due to the dispersed and minor effects that most privacy violations have on individuals. “We think that harm should only be required when the goal is compensating people,” said Daniel Solove. “When the goal is deterrence, really the harm shouldn’t matter. The goal should be what’s the most effective deterrence.”
Daniel Solove and Maneesha Mithal
Next, Woody Hartzog, Northeastern University School of Law and Khoury College of Computer Sciences, Stanford Law School Center for Internet and Society; and Neil M. Richards, Washington University School of Law, Yale Information Society Project, Stanford Center for Internet and Society discussed their paper, The Surprising Virtues of Data Loyalty. The authors were joined by Sarah Holland, Public Policy Manager at Google. Professors Hartzog and Richards’ paper looked into criticisms of data loyalty, arguing that the concept of data loyalty has some surprising virtues, including checking power and limiting systemic abuse by data collectors. “We think that data loyalty actually gets you something that existing law does not. We think it’s able to cover a lot of new problems,” said Woody Hartzog. “We think that data loyalty is a way to firm up existing obligations.”
Woody Hartzog, Neil M. Richards, and Sarah Holland
Next, Ben Green, the University of Michigan at Ann Arbor, Gerald Ford School of Public Policy, Harvard University, Berkman Klein Center for Internet & Society, discussed his paper, The Flaws of Policies Requiring Human Oversight of Government Algorithms, with Travis Hall, Telecommunications Policy Analyst at the National Telecommunications and Information Administration (NTIA). His paper analyzed the use of human oversight of government algorithmic decisions and concluded that humans could not perform many of the desired oversight responsibilities. He argued that by continuing to use human oversight as a check on these algorithms, the government legitimizes the use of faulty algorithms without addressing the associated issues. “The vast majority of evidence shows that people are incapable of reliably performing exactly the roles that these policies are calling for. The problem is the regulation doesn’t actually address the underlying harm,” said Ben Green. “I think that gets us into this really gnarly situation where we have a false sense of security, that these algorithms are appropriate and legitimate to use, when in fact, the underlying concerns haven’t actually been resolved.”
Ben Green and Travis Hall
The next paper discussed was Smartphone Platforms as Privacy Regulators by Joris van Hoboken, Vrije Universiteit Brussels, Institute for Information Law, University of Amsterdam; and Ronan Ó Fathaigh, Institute for Information Law, University of Amsterdam. The authors were joined by Quentin Palfrey, President of the International Digital Accountability Council. The paper analyzed the role of online platforms and their impact on data privacy in today’s digital economy before providing an argument as to what platforms’ role should be in legal frameworks. “What we try to do is to build a disclosure model around the regulatory behavior that these [smartphone] platforms are engaging in,” said Ronan Ó Fathaigh. “We don’t make the claim that platforms are engaging in behavior that is anti-competitive, but there are a lot of different commentators that are making those allegations, and certain app companies are making allegations that privacy is being used as a tool in anti-competitive behavior. We give the platforms the benefit of the doubt.”
Joris van Hoboken, Ronan Ó Fathaigh, and Quentin Palfrey
Jie (Jackie) Wang, W&W International Legal Team, Kinding Partners, spoke next on her paper, Comparison of Various Compliance Points of Data Protection Laws in Ten Countries/Regions, with Dr. Clarisse Girot, Managing Director for Asia Pacific at the Future of Privacy Forum. Her paper compares China’s Personal Information Protection Law (PIPL) with data protection laws in nine regions to assist overseas Internet companies and personnel to better understand the similarities and differences in data protection and compliance between each country and region. “Helping ensure personal data compliance is part of my daily work, ” said Wang. “The best way to learn the PIPL is to digest it by writing an in-depth analysis of it.”
Jie (Jackie) Wang and Dr. Clarisse Girot
Shikun (Aerin) Zhang and Norman Sadeh, Carnegie Mellon University, closed the event discussing their paper, co-authored by Yuanyuan Feng, University of Vermont; Lujo Bauer, Carnegie Mellon University; Lorrie Faith Cranor, Carnegie Mellon University; and Anupam Das, North Carolina State University, “Did you know this camera tracks your mood?”: Understanding Privacy Expectations and Preferences in the Age of Video Analytics. Shikun Zhang and Norman Sadeh were joined by Dr. John J. Howard, Principal Data Scientist at Maryland Test Facility. The paper seeks to determine how individuals should be notified that they are being recorded by studying 123 individuals’ sentiments across 2,328 video analytics deployments scenarios. “People often don’t realize that many of these cameras are connected to video analytic capabilities,” said Professor Sadeh. “We believe that there’s really a need to better understand how people feel about these very diverse scenarios as they’re emerging today, and using that to inform the design idea as mechanisms to notify people and to give them, ideally, the ability to exercise those rights that, in principle, are now being made available to them.”
Shikun (Aerin) Zhang, Norman Sadeh, and Dr. John J. Howard
Thank you to Attorney General Weiser and Honorary Co-Hosts Senator Edward Markey and Congresswoman Diana DeGette for their support and work around this event. We would also like to thank our winning authors, discussants, everyone who submitted papers, and event attendees for their thought-provoking work and support. Learn more about the event on the FPF website and watch a recording of the event on the FPF YouTube channel.
New FPF Report: Demystifying Data Localization in China – A Practical Guide
On February 21, 2022, FPF published a report detailing China’s data governance framework for data localization and cross-border transfers. The report outlines 10 steps organizations can take before deciding to localize or transfer data, with practical advice on how to carry out each of them. By examining provisions of relevant laws and administrative regulations passed by ministerial departments, it aims to give organizations a better understanding of how the transfers framework operates, the expectations of Chinese regulatory authorities with respect to such transfers, and the specific steps controllers can take for better compliance mapping. It is important to note that this report does not contain legal advice.
While the new data protection and data security legal framework solidified and added to pre-existing data localization requirements, it also clarified that data can be transferred or made accessible outside of China if specific conditions are met.
Under Chinese law, data localization is only required in certain circumstances framed around two distinct conceptual pillars: (1) which entity is processing the data; and 2) what type of data is being processed. With respect to the first pillar, certain special categories of controllers must store their data in China due to their importance to China’s national security and economy, and may only transfer data with the approval of regulatory authorities. For the second, controllers must store “important data” in China, and receive approval before transferring such data abroad.
In other circumstances, controllers do not need to store data locally in China but must comply with other transfer requirements. Article 38 of the Personal Information Protection Law (PIPL) sets forth these conditions for lawfully transferring data. Once a controller chooses a transfer mechanism, it must comply with additional transparency obligations. However, it is important to take both the PIPL and the Data Security Law (DSL) requirements into account when deciding whether to localize data or to transfer it.
In order to untangle this complex legal landscape, this Report proposes 10 steps that data controllers can take before deciding to localize or transfer data, with practical advice on how to carry them out:
Step 1 – Determine scope and when data is “transferred” overseas
Step 2 – Evaluate the type of data controller and whether it is a critical information infrastructure operator (CIIO) or a special controller
Step 3 – Determine the type of data to be transferred including whether it is important data
Step 4 – Evaluate whether a security assessment by the CAC is required
Step 5 – Determine whether a cybersecurity review is mandatory
Step 6 – Determine if an exception applies
Step 7 – Choose the transfer mechanism
Step 8 – Check whether an international treaty or agreement is applicable
Step 9 – Obligations for Entrusted Processors (委托处理)
Step 10 (bonus) – Determine whether the transfer is compelled by a foreign judicial or law enforcement body
The Report also contains an annexed Flowchart with a summary of the 10 steps.
BCI Technical and Policy Recommendations to Mitigate Privacy Risks
This is the final post of a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.
Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed them, read the first, second, and third blog posts in this series. The first post unpacks BCI technology. The second and third posts analyze BCI applications in healthcare and wellness, commercial, and government, the risks associated with these applications, and the implicated legal regimes. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.
I. Introduction: What are BCIs?
BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors, or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs).
BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.
II. Stakeholders Should Adopt Both Technical and Policy Guardrails to Promote Privacy and Responsible Use of BCIs
From healthcare to smart cities, BCI-facilitated data flows can augment society by improving operations and offering novel insights into long-term problems. However, this nascent technology also creates privacy risks and raises other concerns. As BCIs spread to new realms of activity, existing accountability and enforcement structures may not respond to the challenges raised by these novel BCI applications. Some regulators have already reacted to these perceived inadequacies by creating and reforming policy and legal frameworks. To promote privacy and responsible BCI use, novel technical and policy approaches may also be required to mitigate against potential risks.
A. Technical Recommendations
Providing On/Off and App Controls to Users: Privacy risks arise when a BCI device continuously collects data or is unintentionally switched on. These features may prevent users from exercising control over personal neurodata, because they are unaware that the collection is occurring in the first place. On/off and granular controls on devices and in companion apps can mitigate against these privacy risks by enhancing a user’s ability to manage neurodata flows.
End-to-End Encryption of Sensitive Neurodata and Privacy Enhancing Technologies: Developers should explore a variety of measures to promote privacy and protect neurodata during collection and processing. End-to-end encryption can be used to protect sensitive personal neurodata in transit and at rest. Privacy enhancing technologies (PETs) such as differential privacy and de-identification methods—Privacy Preserving Data Publishing (PPDP) for stored and shared data, to name one—can also help BCI developers maximize neurodata’s utility while protecting the identity of the person to whom the neurodata belongs.
B. Policy Recommendations
Rethinking Transparency and Control: A BCI’s technological capabilities, purposes, and user bases will impact the privacy risks these devices pose, and they may shift with changes in context. These variations will inform the appropriate levels and methods of transparency required to encourage informed consent and provide insights into device capabilities, data flows, data storage, and who controls and has access to the data.
Developers and regulators should therefore identify measures facilitating a level of transparency that both gives users meaningful control over personal neurodata and reflects a particular BCI application’s privacy risks. While privacy policies and similar documents are often required by law, these policies frequently fail to provide sufficient levels of transparency. Even if the document’s contents are accurate, users may not read them or, if they do, may still find it challenging to understand what is happening with their data. On-device indicators could be marshaled to ameliorate this notice problem; visual or audio indicators may improve transparency and control by informing users when neurodata collection or modulation occurs.
Institutional Review Boards, Ethical Review Boards, and Multi-Stakeholder Engagement: Collecting neurodata and deploying BCI technology may require review and/or approval. BCI providers that are gathering primary research data from human subjects or pre-registering clinical trials may need to complete an institutional review board (IRB) review. Other organizations may need to obtain approval from bodies, such as the Food and Drug Administration (FDA), before selling a BCI product. However, many consumer-facing BCIs are not subject to these requirements. Providers of consumer-facing BCIs that want to have strong privacy protections can still subject these BCIs to ethical review board (ERB) oversight. ERBs can consider questions, including those relating to neurodata collection, use, access—when neurodata is sought for research purposes, but obtaining user consent is impractical, for instance—and storage.
When appropriate, organizations developing BCIs should also facilitate multi-stakeholder engagement during the BCI’s development and deployment lifecycle. The consultations should consist of those affected BCIs, and not just researchers, policymakers, and initial adopters. Individuals who are impacted by BCIs include people from marginalized communities, such as the disabled and historically-surveilled populations. BCI developers should actively seek out and incorporate these communities’ feedback into product development and deployment decisions. Developers should also recognize that a product may need to be heavily altered or scrapped to respect community input or avoid harm.
Standards Setting and Other Agreements: Companies, research institutions, and policymakers should set policy and technical standards for BCI research, development, and use that can adapt to changes in the technology, user base, and applications. Some of these standards may be taken from existing policy frameworks, but the unique risks posed by BCIs may require novel approaches, too. As previous blog posts discuss, there is no consensus on the types of neurodata that can or will be interpreted as biometric data under current laws. This impacts whether some regulations apply to neurodata, resulting in categories of data such as Brittan Heller’s “biometric psychography” potentially lying outside any law. Policymakers may therefore need to re-evaluate conceptions of biometrics to account for BCI applications. Alongside technical and policy standards, industry and regulators should promote up-to-date training for developers around processes such as data handling and de-identification learned from academia.
Open Neurodata Standards and Open Licenses for De-Identified Data: There are large barriers affecting the deployment of BCIs due to the high cost of research and development. Proprietary systems may hinder the exchange of best practices and tools that are needed to fuel a thriving research and development environment. To prevent stagnation, stakeholders should collaborate to develop and adopt open neurodata standards and also consider whether using open licenses for de-identified neurodata research sets is possible and appropriate.
III. Conclusion: Balancing New Data Flows Against BCI Privacy Risks
As BCIs evolve and become more available across numerous sectors, stakeholders must understand the unique risks these technologies present. Key to this understanding is an assessment of how these technologies work and what data is necessary for them to function, as many risks attributed to BCI applications flow from these devices processing certain data.
The adoption of technical and policy recommendations that can make BCI data less identifiable, less potentially harmful, and more secure could minimize privacy and data governance risks. However, the evolution of BCIs will require developers, researchers, and policymakers to differentiate between the risks that exist now and those that may emerge in the future. Only though this careful assessment can stakeholders identify the issues that require immediate attention versus those that need proactive solutions.
BCIs will also likely augment and be combined with many existing technologies that are currently on the market. This means that new technical and ethical issues are likely to arise and existing issues could be compounded by one another. In the near future, BCI providers, neuroscience and neuroethics experts, policymakers, and societal stakeholders will need to come together to consider what constitutes high-risk use in the field and make informed decisions around whether certain BCI applications should be prohibited, a position around which more robust and critical discussion is needed.
Finally, and perhaps more fundamentally, it is also possible that the future of privacy itself and our notions of what it means to have or obtain privacy at basic human or societal levels could be challenged in ways that we cannot currently comprehend or anticipate. We hope this report and our ongoing work helps support the technical, legal, and policy developments that will be required to ensure the advances in this sector are implemented in ways that benefit society.
How the Kenyan High Court (temporarily) struck down the national digital ID Card: Context and Analysis
The High Court of Kenya, by virtue of a judicial review application, delivered a landmark judgment declaring the proposed national digital ID card (Huduma Card) unconstitutional on October 14, 2021 – a judgment that is now part of the growing data protection and privacy jurisprudence in the country.
Kenya enacted its first Data Protection Act (KDPA) in 2019, as part of a growing wave of privacy and data protection laws being adopted across African jurisdictions. While discussions of data protection and privacy in Africa are still at their infancy stage, they are constantly developing. Cape Verde was the first country to enact a data protection law in 2001. Countries such as Zimbabwe enacted their data protection law as recently as December 2021. This blog analyzes the landmark judgment of the High Court of Kenya in the Huduma Card case, putting it in context with regard to broader privacy and data protection law developments in the country and the continent.
1. Background of the case and brief history
The matter, Republic v Joe Mucheru, Cabinet Secretary Ministry of Information Communication and Technology and others ex parte Katiba Institute and Yash Pal Ghai concerned the process of launching the “Huduma Card”, Kenya’s proposed first national digital ID card. According to the applicants, Katiba Institute, a constitutional research, policy and litigation institute in Kenya, and Yash Pal Ghai, a ‘data subject’ as defined by the KDPA, the process of launching the Huduma Card was done in violation of the KDPA.
Specifically, they argued that the executive order adopted on November 18, 2020 by the country’s Ministry of Interior, the body in charge of rolling out Huduma Cards to registered persons, violated section 31 of the KDPA. Section 31 provides that “where a processing operation is likely to result in high risk to the rights and freedoms of a data subject, by virtue of its nature, scope, context and purposes, a data controller or data processor shall, prior to the processing, carry out a data protection impact assessment”. The KDPA describes processing as “any operation or sets of operations which are performed on personal data or on sets of personal data whether or not by automated means”. It includes activities such as:
collection, recording, organisation, structuring;
storage, adaptation or alteration;
retrieval, consultation or use;
disclosure by transmission, dissemination, or otherwise making available; or
alignment or combination, restriction, erasure or destruction.
On November 24, 2020, the applicants filed for judicial review of the executive order launching the Huduma Card. In the motion, the applicants asked the court to grant three orders:
To prohibit the rolling out of Huduma Cards.
To reverse the decision to roll out Huduma Cards.
To issue an order compelling the respondents to conduct a data protection impact assessment before processing of data and rolling out Huduma Cards.
The court granted the last two orders.
2. Putting the Huduma Card into Context
For purposes of clarity, it is fundamental to locate Huduma Card in the larger context within which it exists. Huduma Card, akin to India’s Aadhaar Card, is the final step in the process of registration in Kenya’s proposed digital identification system – the National Identity Integrated Management System (NIIMS). NIIMS was introduced through the Statute (Miscellaneous Amendments) Act, No. 18 of 2018 which amended Kenya’s civil registration law, the Registration of Persons Act (RPA) in 2018. The amendment involved introduction of a new section, section 9A that established NIIMS.
On January 18, 2019, the RPA amendment came into force. Pursuant to the introduction of NIIMS, the government began a nationwide exercise of collection of personal data including biometric data on March 15, 2019. Soon after, the legal validity of NIIMS and its subsequent implementation were challenged before the High Court. One of the grounds for challenging the implementation included that, in its original state, NIIMS would pose a threat to rights and freedoms protected under the Constitution. Specific to the right to privacy guaranteed under article 31 of the Constitution, issues raised by the different petitioners included the fact that:
There was no law to guarantee the privacy provisions under the Constitution. At the time, the KDPA was not yet enacted.
Collection of GPS coordinates, DNA and other forms of biometric data would violate the privacy rights of registrants. This was a concern since at the time, GPS coordinates and DNA were a registration requirement.
On January 30, 2020, the High Court rendered a decision on this petition. It held that:
Implementation of NIIMS would proceed. Processing and use of data collected in NIIMS would proceed on the condition that an appropriate and comprehensive regulatory framework on the implementation of NIIMS that is compliant with the applicable Constitution requirements as identified in the judgment is first enacted.
Collection of DNA and GPS coordinates was found to be intrusive and unnecessary as it violated the right to privacy under the Constitution.
While the above petition was pending determination, the KDPA was enacted and became applicable in November 2019. The court directed that processing of data collected under NIIMS should not happen before the KDPA is operationalized and a regulatory framework put in place. The KDPA is now in operation with the creation of the Office of the Data Protection Commissioner.
In October 2020, the government published two regulations specifically for NIIMS; Registration of Persons (National Integrated Identity Management System) Rules (2020) and the Data Protection (Civil Registration) Regulations. The former recognizes NIIMS as the primary source of identification in Kenya while the latter creates a legitimate basis for processing NIIMS data. The Huduma Bill, a comprehensive national digital ID law was also proposed as another regulation measure to guide the implementation of NIIMS. Therefore, protection of data collected under NIIMS is presently governed by the Constitution of Kenya, the KDPA, the Registration of Persons Act, the Registration of Persons (National Integrated Identity Management System) Rules (2020), and Data Protection (Civil Registration) Regulations. It is under these circumstances that the Ministry of Interior through an executive order announced the rollout of the Huduma Card, which led to the judicial review before the High Court.
3. Understanding Kenya’s Automated Processing of Personal Data Ecosystem
Before delving into the impact of this recent decision, a brief overview of Kenya’s automated processing of personal data ecosystem is necessary. From a consumer perspective, Kenya’s internet connectivity is growing. As of January 2021, it was reported to be at 40%. This has created a market for internet supported applications such as digital finance applications, and social media applications among many others. Most of these applications collect personal data in the course of usage or require personal data to operate. Of particular interest is the proliferation of digital finance applications in Kenya. This has created a market for more sophisticated, personal data reliant digital finance applications. A number of these financial service providers rely on alternative scoring models to provide credit. Many of these models rely on highly personal data to determine loan eligibility. Some applications require constant permission to location data while another requires access to the microphone.
At the government level, the concept of digitization of information systems is close to the heart of the Kenyan government as seen in large scale projects such as NIIMS and the National IT policies. Other government maintained information systems that contain personal data include the biometric voter registration system, electronic voter identification system and health information systems in public health facilities. In a bid to conduct these data processing activities, some data controllers rely on third party data processors to conduct processing activities. A good example is Kenya’s election management body which outsources election kits and the systems used to run them.
All these commercial and government systems hold personal data that now fall within the scope of the KDPA. It is for these reasons that a landmark decision on the enforcement of the KDPA bears relevance.
4. Key Issues for Analysis in the Huduma Card Case
The questions of whether to conduct a data protection impact assessment (DPIA) or not as well as the procedure of handling complaints are key issues in the judgment that have the ability of influencing data protection expectations for both data subjects and data controllers/processors handling personal data that falls under the KDPA’s scope.
4.1 Conducting a DPIA
In the judicial review application, Katiba Institute (the applicant) submitted that the respondents did not conduct a DPIA which was in violation of the KDPA and Order III of the 2020 petition. In rebutting this, the respondents argued that the KDPA was not envisaged to apply to data under NIIMS. The court upheld the applicant’s arguments and ordered for a DPIA to be conducted before any further steps to issue Huduma Cards are undertaken. This decision was upheld, partly due to the fact that some of the parties in the 2020 petition who were also respondents in this matter, submitted to the court that there were legal safeguards underway to ensure protection of data under NIIMS. The legal safeguard, in this case, was the Data Protection Bill, now the KDPA. The court, therefore, did not see why the Bill which is now law should not apply in the present matter.
The question of whether or not to conduct a DPIA remains a subjective one, at least for civil registration entities. The Data Protection (Civil Registration) Regulations, adopted in the implementation of the KDPA but only relating to public bodies with a civil registration function, do not state whether it is mandatory to conduct a DPIA for information systems held by civil registration entities such as NIIMS and its components. Under Regulation 19, it provides that a data protection impact assessment may be conducted on condition it is required in accordance with section 31 of the KDPA. On the other hand, Section 31(6) of KDPA provides that: “The Data Commissioner shall set out guidelines for carrying out an impact assessment under this section”. While indeed the Data Commissioner did develop the Data Protection (General) Regulations, 2021 that attempts to set the criteria of conducting a DPIA by delineating processing activities that would amount to “high risk, the Regulations are not applicable to civil registration entities where NIIMS falls under. Regulation 3 of the General Regulations provides that: “These Regulations shall not apply to civil registration entities specified under the Data Protection (Civil Registration) Regulations, 2020”.
Interestingly, the High Court did not make any findings with regard to what specifically constitutes “high risk” processing of personal data related to the Huduma Card in this judgment. However, when adjudicating on the initial 2020 petition, the Court implied an overall high risk of the entire NIIMS system. For instance, in prohibiting collection of GPS coordinates and DNA data, the Court stated that collection of such data would be intrusive and carries with it the risk of privacy violations and surveillance.
However, there have been attempts elsewhere to make the DPIA triggering criteria objective through denoting situations that amount to “high risk”. Kenya’s KDPA adheres to the “high risk” criteria, similar to EU’s General Data Protection Regulation (GDPR).
Beyond the scope of NIIMS, the fact that the data protection regulations have not yet come into force to provide clarity around the situations that necessitate a DPIA as well as how to proceed with carrying out a DPIA, could negatively affect other data controllers and processors and consequently, the data subjects. The Regulations are currently before the Delegated Legislation Committee in Parliament awaiting comments. These Regulations will be deemed to have been approved after 28 days from the publication date. Nevertheless, the fact that the conditions triggering the obligation to carry out a DPIA have not yet come into force does not diminish the data controllers’ general obligation to implement measures to appropriately manage risks for the rights and freedoms of data subjects. Even without the explicit requirement to conduct a DPIA, controllers must continuously assess the risks created by their processing so as to identify when a processing is likely to result in a high risk to rights and freedoms of data subjects.
In light of the present judgment, it will be interesting to see whether data collected and held in information systems created before the KDPA came into force and after the Constitution was adopted in 2010 will be subjected to DPIAs, if they meet the criteria for conducting a DPIA. This is crucial as the Huduma Card case shows that the KDPA could act retroactively. If the court’s rationale in the Huduma Card case is anything to go by, it is likely that the KDPA could apply retroactively for such information systems. The court in its analysis stated: “it is clear that the Act was intended to be retrospective to such an extent or to such a time as to cover any action taken by the state or any other entity or person that may be deemed to affect, in one way or the other, the right to privacy under Article 31 (c) and (d) of the Constitution”.
4.2 Dispute Resolution in Data Protection Cases
In addition to the issue of conducting a DPIA that formed the main argument, the court also deliberated on the issue of handling complaints under the KDPA that could have persuasive impact on future data protection cases. In deciding whether to give an audience to the applicants, the court dealt with the issue of whether it had jurisdiction to hear the matter. The question of jurisdiction, as presented by the interested party (the Data Protection Commissioner) arose from the fact that one of the applicants, Yash Pal Ghai, described in the matter as an affected data subject, claimed that rolling out Huduma Cards without a DPIA would prejudice his rights as a data subject under the KDPA.
Owing to objections raised by the interested party, the Data Protection Commissioner (DPC), the court found that the applicant could not, in the given circumstances, approach the court directly. To obtain redress, the data subject was required to first exhaust all other available dispute resolution means as stipulated in the KDPA and the Data Protection (Civil Registration) Regulations before seeking court intervention. The Data Protection (Civil Registration) Regulations provides an internal complaint handling procedure. Regulation 23(1) provides that an aggrieved data subject may lodge a complaint with the civil registration entity.
Further, Regulation 23(6) provides that a data subject has a right to appeal to the Data Commissioner if the data subject is dissatisfied with the decision of the civil registration entity.Section 56(1) of the KDPA provides that “A data subject who is aggrieved by a decision of any person under this Act may lodge a complaint with the Data Commissioner in accordance with this Act”. If the data subject wanted to opt out of dispute resolution mechanisms under the KDPA and the Data Protection (Civil Registration) Regulations, they had to make an application to court explaining why such mechanisms are not efficient. The court upheld this objection. Katiba Institute, however, was allowed to bypass the dispute resolution mechanisms provided under the KDPA and the Data Protection Regulations for two reasons:
They do not fall under the category of a data subject. The KDPA describes a data subject as an identified or identifiable natural person who is the subject of personal data.
Their application was based on grounds of public interest. Article 22(2)(c) of the Constitution permits instituting court proceedings by a person acting in the public interest.
The court thus found that Katiba Institute had sufficient interest in decisions made by any person under the KDPA despite not being a data subject.
Effective handling of complaints related to data protection is crucial for consumers and businesses. As personal data processing activities in Kenya are now subject to the KDPA unless they fall under exemptions (even then there are minimum requirements of processing) it is important that institutions involved are clear on their respective obligations. This decision is a good starting point on who and when a data protection dispute can be brought to court. With respect to maintaining institutional autonomy, this is a significant move as it indicates the court’s intention to not interfere with nascent administrative bodies with quasi-judicial functions.
While the Office of the Data Protection Commissioner (DPC) and the civil registration entities are being granted independence to oversee enforcement of the KDPA and related regulations, it will be important to further delineate how far such bodies can go with regards to dispute resolution. When can an aggrieved data subject or data controller bypass the DPC and approach the court where their rights and freedoms under the DPA are violated or obligations are under threat respectively? This begs the question, how will the DPC interact with the courts? To explore this, it is crucial to first highlight the role of the court in data protection dispute resolution as per the KDPA:
Issuing a search warrant to enter a premise for the purpose of discharging any function (including dispute resolution) or power under the KDPA.[1]
Hearing appeals against administrative actions such as enforcement and penalty notices taken by the DPC.[2]
Issuing preservation orders to preserve personal data that is vulnerable to loss or modification.[3] This is useful during investigations.
Thus far, the role of the court appears to be secondary in first instance dispute resolution with the DPC having priority to determine the existence of an infringement. This can be justified under the Fair Administration Act (FAA), the legislation that deals with administrative action.[4] On the other hand, the Constitution provides citizens with the right to approach courts where their rights and freedoms are violated.[5] This includes the Constitutionally protected right of privacy from which the KDPA emanates. As for judicial and quasi-judicial decisions, the Constitution provides that “the High Court has supervisory jurisdiction over the subordinate courts and over any person, body or authority exercising a judicial or quasi-judicial function, but not over a superior court”. Based on these court findings, the court appears to recognize the importance of a data protection authority. However, it shall have to balance this against the Constitutionally protected right to institute court proceedings by anyone whose rights and freedoms are affected.
Conclusion
Pursuant to the High Court order for a DPIA to be conducted, the relevant ministry complied and conducted the assessment pointing to an acknowledgment of the importance of accountability with regards to sensitive citizen data. The assessment is not yet public. As the DPIA was the sole requirement to proceed with issuing the Huduma Card, it is expected that the rollout will continue, unless further challenges are successfully made.
Case law is key in providing guidance on interpreting statutes. It is for this reason that this latest judgment is of great significance to both the future of government led digital ID initiatives such as Huduma Namba, data subjects and businesses as it could shape how the implementation of the KDPA proceeds in the future. Given that a key focus in data protection now is initial implementation of the KDPA, clarity in issues such as whether to conduct DPIAs and forum for dispute resolution will be crucial in ensuring that data processing activities are performed in compliance with the law.
BCI Commercial and Government Use: Gaming, Education, Employment, and More
This post is the third in a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.
Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed them, read the first and second blog posts in this series. The first post unpacks BCI technology, while the second analyzes BCI applications in healthcare and wellness, the risks associated with these applications, and the implicated legal regimes. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.
I. Introduction: What are BCIs?
BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs).
BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.
II. BCIs are Entering into the Commercial and Enterprise Market in the Fields of Gaming, Employment, Education, and other Future-Facing Areas.
Gaming: BCIs could augment existing gaming platforms and offer players new ways to play using devices that record and interpret their neural signals. Current examples of BCI gaming combine neurotechnology with existing gaming devices or platforms. These devices attempt to record the user’s electrical impulses, collecting and interpreting the player’s brain signals during play. While most gaming BCIs are single-player, researchers are exploring whether BCIs can provide multiplayer experiences using multi-person non-invasive brain-to-brain interfaces (BBIs). One example of a multiplayer BCI is BrainNet, where three participants exchange neural singles to play a Tetris-like game. BCI can also be applied to augment games on extended reality (XR) devices.
Today’s BCI games are not fully immersive experiences. Players can use neurotechnology to perform only discrete actions. Future BCI games may offer greater immersion by combining neurodata with other biometric and psychological information, which could allow players to control in-game actions using their conscious thoughts.
Employment: BCIs can monitor worker engagement to improve safety, alert workers or supervisors of dangerous situations, and help make operational or employment decisions. Life and AttentivU are examples of BCIs that track and promote worker attentiveness during tasks. These BCIs can also provide notifications when an employee exhibits fatigue or drowsiness. Other employment BCIs measure neurodata to determine a worker’s emotional state. Management could choose to use this neurodata to gauge efficiency, manage workloads, determine worker happiness levels, or make hiring, firing, or promotion decisions.
Employment BCIs can also be used to modulate workers’ brain activity for purposes of improving performance. Transcranial direct current stimulation (tDCS) could be used to promote multitasking with this goal in mind. Invasive BCIs, such as Elon Musk’s Neuralink, are also being evaluated for their potential to increase efficiency during high-pressure and time-sensitive tasks.
Education: BCI technology could be implemented in learning environments to gather student neurodata. This neurodata could reveal whether a student is finding an assignment challenging, which creates opportunities to moderate the amount and level of work, or help teachers and parents assess and improve classroom engagement.
Researchers have used neurotechnology to record physiological and neural signals with varying degrees of accuracy. Recorded neurodata can reveal a consumer’s mood, motivations, and preferences when they buy and use a product or service. Product makers and advertisers can utilize this data to better understand consumer choices.
III. Privacy and Other Risks Associated With BCIs in Gaming, Employment, Education, and Future-Facing Fields: From Profiling to Neurodata-based Decision Making.
BCI applications in these spaces present common and area-specific risks and considerations.
Powered-up Profiling: Gaming and neuromarketing BCIs involve neurodata collection, including user reactions to content in a virtual world. AI and machine learning models can be trained on this neurodata, in combination with other biological changes in response to content, to associate user-specific changes in neural signals to certain physiological states. Neurodata could therefore facilitate the creation of granular profiles on individuals. Since neurodata can capture an individual’s reactions to sensitive content, these profiles may offer intimate portraits into the user’s health, sexual preferences, and even vices.
Organizations could use these profiles to make inferences and decisions. Recognizing this neurodata’s value, organizations collecting and retaining neurodata across sectors may also be incentivized to share or sell it with advertisers. Advertisers could take this information and use it to create more directed behavioral ads, which could encourage unhealthy habits.
Lack of Transparency and Control Over Disclosure: Unlike some other personal information sources, users cannot control the electrical impulses that create neurodata. Whether participating in BCI games or acting online more generally, users are therefore often unaware of neurodata tracking. This means users have less control over personal neurodata flows, which increases the likelihood that this data will be used for purposes unrelated to those it was collected for. Even when a person has control—by requiring opt-in consent, for example—over neurodata monitoring, the individual may feel compelled to share neurodata with someone (e.g., an employer) to avoid retaliation or disparate treatment.
Neurodata-Based Decision Making and BCI Accuracy: The amount and sensitive nature of some neurodata generated in entertainment, employment, education and neuromarketing could inform important decisions. These decisions could impact a person’s life, from the content a user receives in virtual game worlds to whether an employee is promoted or discharged. Concerns about neurodata informing decisions are exacerbated by BCIs collecting inaccurate data. Decisions informed by inaccurate neurodata may contribute to diverse harms, including the perpetuation of feedback loops that fuel societal division.
Chilling Speech and Creating Distrust in Institutions: BCI-enabled monitoring may chill speech and reduce trust in institutions among employees, students, and the general public. Employees who know that they are constantly monitored may place less trust in their employer, lose morale, or refrain from certain behavior. Monitoring may cause students, especially those from communities that have been historically targeted by surveillance or suffer from learning differences, to refrain from certain speech and thoughts in order to avoid retaliation or stigmatization. BCIs incorporated into smart city infrastructure could generate new sources of personal data and enable more invasive surveillance.
IV. Regulations that Might Cover BCIs and Neurodata Include Comprehensive Privacy Laws, Sectoral Privacy Laws, and Self-Regulatory Frameworks.
Comprehensive Privacy Laws and Agency Authority: Both US and foreign comprehensive privacy laws may regulate BCI use and the processing of neurodata. The EU’s General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) define biometric information broadly, meaning that neurodata may fall within these laws’ scope. However, both laws are framed in terms of whether the data is actually used to or could be used to single out an individual. Concepts such as Brittan Heller’s “biometric psychography”—information from the body used to determine interests, not identity—may not be interpreted as covered, because this information is neither used nor could be used to facilitate identification.
If triggered, the GDPR and CPRA impose obligations on regulated organizations and grant rights to data subjects. Neurodata processing may implicate special rules under these laws. For example, an organization using personal neurodata in marketing would trigger CPRA’s opt out right for “cross-contextual advertising.” While US law generally gives companies significant discretion when writing privacy policies affecting at-will employees, the GDPR indicates that a worker’s consent cannot serve as a lawful basis for processing the employee’s personal data. US Administrative Agencies may also have powers enabling the policing of certain BCI applications. The Federal Trade Commission (FTC) has authority to investigate and enforce penalties against organizations for unfair and deceptive practices, such as those related to advertising, for example.
Sectoral Privacy Laws: The Children’s Online Privacy Protection Act (COPPA) may apply to game operators if they collect, use, or disclose “personal information,” and either target games toward children under 13 or have actual knowledge that such children are using the game. Whether gaming BCIs are regulated under COPPA in part depends on the meaning of “personal information.” Neurodata collected by gaming BCIs could be “personal information” under COPPA if it is considered a “persistent identifier”—a kind of personal information—or if the FTC changes “personal information” to cover biometric data. COPPA gives rights to parents and guardians over their children’s personal information, including access and deletion rights. The statute also imposes obligations on operators, such as obtaining parental consent before collecting information from the child.
Biometric-specific state laws in the US, such as Illinois’ Biometric Information Privacy Act (BIPA), may impact neurodata processing across sectors. Whether these laws apply, however, depends on the meaning of “biometric identifiers.” Under BIPA, this term is important, as it affects what “biometric information” can be based on. While other state biometric laws, such as Washington’s statute, contain broad definitions, BIPA defines “biometric identifier” narrowly to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.” Neurodata-based information used as an identifier will therefore more likely fall outside of BIPA’s scope, since it is not considered a “biometric identifier.”
BCIs used to monitor workers may implicate employment law. The Electronic Communications Privacy Act (ECPA) limits some types of employee monitoring. However, ECPA permits employers to monitor workplace communications, especially when those conversations take place on company devices like company-owned computers and telephones. Anti-discrimination laws, like the Americans with Disabilities Act (ADA), may stop employers from using BCI results in hiring and firing decisions if the results reflect a disability.
Federal, state, and local student data laws may grant rights to students and parents while imposing requirements on schools and neurotech companies with respect to the processing of personal neurodata. BCI use may be impacted by the Family Educational Rights and Privacy Act (FERPA), which protects education records—including biometric education records—at schools that receive federal funding. A student’s personal neurodata could be part of this record and would therefore receive FERPA protections. These protections include rights for parents and children over 17 years, and obligations on schools. All 50 states and Washington, DC have introduced student privacy legislation, and some could impact BCI use in schools. District and school-level rules may also affect neurodata collection and processing.
Self-regulatory initiatives: Beyond laws and agency enforcement, voluntary self-regulation also impacts the use of BCIs. Neuromarketing is an example of this, where the Neuromarketing Science & Business Association’s (NMSBA’s) Code of Ethics identifies several commitments ranging from consent and transparency that organizations should follow when using BCIs for neuromarketing purposes.
V. Conclusion
Commercial and government BCIs could deliver dividends ranging from novel gaming experiences to more efficient workforces. However, such applications also create privacy risks. While the law could affect how these technologies are used, the scope of existing rules means that certain applications of BCIs are not addressed by current regulatory structures.
Privacy Best Practices for Rideshare Drivers Using Dashcams
FPF & Uber Publish Guide Highlighting Privacy Best Practices for Drivers who Record Video and Audio on Rideshare Journeys
FPF and Uber have created a guide for US-based rideshare drivers who install “dashcams” – video cameras mounted on a vehicle’s dashboard or windshield. Many drivers install dashcams to improve safety, security, and accountability; the cameras can capture crashes or other safety-related incidents outside and inside cars. Dashcam footage can be helpful to drivers, passengers, insurance companies, and others when adjudicating legal claims. At the same time, dashcams can pose substantial privacy risks if appropriate safeguards are not in place to limit the collection, use, and disclosure of personal data.
Dashcams typically record video outside a vehicle. Many dashcams also record in-vehicle audio and some record in-vehicle video. Regardless of the particular device used, ride-hail drivers who use dashcams must comply with applicable audio and video recording laws.
The guide explains relevant laws and provides practical tips to help drivers be transparent, limit data use and sharing, retain video and audio-only for practical purposes, and use strict security controls. The guide highlights ways that drivers can employ physical signs, in-app notices, and other means to ensure passengers are informed about dashcam use and can make meaningful choices about whether to travel in a dashcam-equipped vehicle. Drivers seeking advice concerning specific legal obligations or incidents should consult legal counsel.
Privacy best practices for dashcams include:
Give individuals notice that they are being recorded
Place recording notices inside and on the vehicle.
Mount the dashcam in a visible location.
Consider, in some situations, giving an oral notification that recording is taking place.
Determine whether the ride sharing service provides recording notifications in the app, and utilize those in-app notices.
Only record audio and video for defined, reasonable purposes
Only keep recordings for as long as needed for the original purpose.
Inform passengers as to why video and/or audio is being recorded.
Limit sharing and use of recorded footage
Only share video and audio with third parties for relevant reasons that align with the original reason for recording.
Thoroughly review the rideshare service’s privacy policy and community guidelines if using an app-based rideshare service, and be aware that many rideshare companies maintain policies against widely disseminating recordings.
Safeguard and encrypt recordings and delete unused footage
Identify dashcam vendors that provide the highest privacy and security safeguards.
Carefully read the terms and conditions when buying dashcams to understand the data flows.
Uber will be making these best practices available to drivers in their app and website.
Many ride-hail drivers use dashcams in their cars, and the guidance and best practices published today provide practical guidance to help drivers implement privacy protections. But driver guidance is only one aspect of ensuring individuals’ privacy and security when traveling. Dashcam manufacturers must implement privacy-protective practices by default and provide easy-to-use privacy options. At the same time, ride-hail platforms must provide drivers with the appropriate tools to notify riders, and carmakers must safeguard drivers’ and passengers’ data collected by OEM devices.
In addition, dashcams are only one example of increasingly sophisticated sensors appearing in passenger vehicles as part of driver monitoring systems and related technologies. Further work is needed to apply comprehensive privacy safeguards to emerging technologies across the connected vehicle sector, from carmakers and rideshare services to mobility services providers and platforms. Comprehensive federal privacy legislation would be a good start. And in the absence of Congressional action, FPF is doing further work to identify key privacy risks and mitigation strategies for the broader class of driver monitoring systems that raise questions about technologies beyond the scope of this dashcam guide.
The Children’s Online Privacy Protection Act (COPPA), enacted by Congress in 1998, aims to give parents more control over the information collected about their children online. The law requires operators of games, websites, apps, and other online services catered to users under the age of 13 to obtain permission from a child’s parent before collecting information about them. Protected data includes a child’s personal details, such as name, home address, email address, and phone number; geo-location information; online activity tracking data; and photo, video, and audio files.
Interest in children’s online privacy and safety is high and likely to continue to grow in the coming months. Congressional activityis picking up, and the FTC’s latest review of the COPPA rule is ongoing, with a draft rule expected at some point in 2022. Policymakers must understand the current state of play for kids online as they continue to have these important discussions, and we welcome the opportunity to discuss these issues further. Please feel free to contact us here at any time.
BCIs & Data Protection in Healthcare: Data Flows, Risks, and Regulations
This post is the second in a four-part series on Brain-Computer Interfaces (BCIs), providing an overview of the technology, use cases, privacy risks, and proposed recommendations for promoting privacy and mitigating risks associated with BCIs.
Click here for FPF and IBM’s full report: Privacy and the Connected Mind. In case you missed it, read the first blog post in this series, which unpacks BCI technology. Additionally, FPF-curated resources, including policy & regulatory documents, academic papers, thought pieces, and technical analyses regarding brain-computer interfaces are here.
I. Introduction: What are BCIs?
BCIs are computer-based systems that directly record, process, or analyze brain-specific neurodata and translate these data into outputs. Those outputs can be used as visualizations or aggregates for interpretation and reporting purposes and/or as commands to control external interfaces, influence behaviors or modulate neural activity. BCIs can be broadly divided into three categories: 1) those that record brain activity; 2) those that modulate brain activity; or 3) those that do both, also called bi-directional BCIs (BBCIs).
BCIs can be invasive or non-invasive and employ a number of techniques for collecting neurodata and modulating neural signals. Neurodata is data generated by the nervous system, which consists of the electrical activities between neurons or proxies of this activity. This neurodata may be “personal neurodata” if it is reasonably linkable to an individual.
II. Health-related BCIs Diagnose Medical Conditions, Modulate Brain Activity for Cognitive Disorder Management, and Promote Accessibility
Facilitating Diagnoses: BCIs can be used to help make certain diagnoses by providing a means for practitioners to quantify fatigue, identify depression, and measure stress. Diagnostic BCIs can also assist even when a patient is unable to provide responses. These situations may occur when patients experience disorders of consciousness, such as locked-in syndrome, whereby individuals are fully conscious but unable to move, speak, or explain how they are feeling. Additionally, current research efforts focus on BCI applications that diagnose the stage and advancement of progressive conditions, such as glaucoma.
Modulating the Brain to Treat or Overcome Conditions: While diagnosis typically involves simply recording brain activity, other health-related BCI uses may actively modulate patients’ brains and nervous systems. For example, brain modulation can be used to disrupt seizures for epilepsy patients. Recent advances in interventive BCI modulation include a vision restoration study in which the image bypasses the eye and the optic nerve in order to feed directly to the brain—resulting in low-resolution vision capabilities.
Improving Accessibility and Rehabilitation Opportunities: The latest prosthetic limbs (i.e., neuroprosthetics) rely on BCIs, which enable the limbs to move in response to thought stimuli. Examples of this BCI application include robotic arms, as well as BCI-powered automatic wheelchairs. User control over neuroprosthetics and personal devices are operated by BCIs collecting neurodata about intended limb movements or an activity associated with what the user wants to do. An example of the latter involves users thinking of physical activities like “eating,” rather than specific words like “table,” to direct their chair to a nearby object. BCIs can also act as the channel for providing haptic feedback or haptic sensory replacement within prosthetics and exoskeletons for purposes of patient rehabilitation, regaining sensation, and an increased ability for patients to perform previously inaccessible tasks.
There are also efforts to connect BCIs with smart devices and the Internet of things (IoT), which could provide individuals experiencing neurological disorders or motor impairments with greater independence in the ability to perform daily living activities. These efforts could improve or sustain a user’s quality of life through increased accessibility within their home environment.
Beyond Medicine – BCIs and Commercial Wellness: BCIs are also starting to emerge in the commercial wellness space as a method of personal data tracking, intended as a means of improving cognitive abilities (such as attention) and/or mental and physical health (such as sleep monitoring). Many of these wellness BCIs overlap with functions included in the gaming and toy space. The NeuroSky Mindwave Mobile 2: Brainwave Starter Kit provides the user with information about their brain’s electrical impulses when relaxing and when listening to music. The product includes an EEG-fitted headband and connects to companion apps via Bluetooth. The device also provides training games purported to help improve meditation, attention, and enhance the user’s learning effectiveness. Further, the device includes tools for players to create their own brain-training games.
III. Health-related BCI Risks Include Security Breaches, Infringement on Mental Privacy, and Data Inaccuracy
Security Breaches: Security breaches are some of the most prominent risks in the health BCI space. Like other technology-based medical devices, BCIs are vulnerable to cyber risks. Researchers recently showed that hackers, through imperceptible noise variations of an EEG signal, could force BCIs to spell out certain words that do not align with the wearer’s actual thoughts or intentions. The consequence of these security vulnerabilities can range from user frustration to severe misdiagnosis and physical harm. Breaches of BCIs may also compromise sensitive health information that could be captured or inadvertently shared.
BCI Accuracy: An equally important risk among health-related BCIs is the extent to which device accuracy is verifiable and sufficient. In many applications, high reliability of medical BCIs is critical because inaccurate interpretation or modulation of a patient’s brain could result in serious consequences, including death. Patients relying on modulating BCIs to help mitigate cognitive disorders, such as epilepsy, could suffer grave health consequences if the BCI failed to work as intended and anticipated. Risks are particularly acute when patients rely on BCIs to communicate crucial information, such as their choices regarding treatment or even end-of-life decisions. Accuracy is also crucial to reliable, continuous accessibility, as prosthetic limbs, wheelchairs, and other devices controlled via BCIs must operate correctly and safely according to users’ intentions.
Infringement on Mental Privacy and BCI-informed Decision Making: Finally, BCIs also present privacy risks. These risks refer to unauthorized access to personal information, including the inferences drawn from an individual’s conscious or unconscious behaviors and intentions. In addition to the existing privacy risks around all personal health data, BCIs raise new mental privacy risks due to the capacity of the neural networks underpinning many of these devices to associate certain thoughts and the ability of BCIs to define and interpret subconscious or causally-connected intentions on a wider scale. For example, a BCI-controlled wheelchair and its underlying neural network might not only deduce that the user is thinking about food, therefore directing the chair to move toward the table, but also draw other conclusions about the individual’s biology and preferences, such as whether or not an individual is hungry or thirsty and at what times. These additional inferences capture new information about an individual’s thoughts, intentions, or interests, many of which are related to an individual’s specific biology and unique preferences.
Privacy risks are magnified when these new inferences are combined with other personal information to make decisions that impact the person’s life, potentially without their knowledge or consent. Organizations collecting and processing brain signals, leading to granular inferences tied to an individual, could have incentives to repurpose this data for unrequested treatments or non-medical purposes, many of which may expose potentially sensitive biological information to third parties. Additionally, the sharing of patient data associated with BCI use could potentially disclose an individual’s medical condition to employers, private companies, public entities, or governments.
IV. Some Health BCIs are Subject to Common Rule Requirements, FCC Oversight, or International Frameworks
Common Rule: Some of the advancements in health BCIs involve human subject research, which is governed by a complex regulatory framework. U.S. researchers whose projects are federally funded are typically required to obtain subjects’ informed consent for data collection based on approval from a Common Rule-based Institutional Review Board (IRB) prior to undertaking studies.
FCC Oversight: Wireless IoT BCI devices are likely subject to Federal Communications Commission (FCC) oversight because of their designation as connected wearables. However, given the lack of regulations around consumer wellness technologies, devices marketed outside of the physician regulated context—such as brain training games and meditation-aiding devices—may lack strict oversight. For example, the Health Insurance Portability and Accountability Act (HIPAA) regulates covered entities such as physicians and health insurers that collect, use, process, and share health information, but does not usually apply to wellness device companies.
International Frameworks: In Europe, the Global Data Protection Regulation (GDPR) is the applicable framework for any processing of personal data for the purposes of scientific research, including where the research relies on special categories of personal data, such as data related to health, and biometric data processed for identification. There are several lawful grounds for processing under Article 6(1) that would allow the necessary processing of personal data for BCI research, as well as several permissions under Article 9(2) for the use of sensitive personal data. In some situations, this could allow data controllers to conduct this type of research even without individual consent for the processing of the data, specifically when sensitive data is necessary for public health purposes or for research in the public interest; however, there are many complexities surrounding this sort of processing, with the European Data Protection Board (EDPB) expected to adopt Guidelines on processing of personal data for scientific research purposes in the near future. Given the complexities surrounding privacy in human subject research, health researchers and other stakeholders seeking to develop or adopt BCIs must understand and verify how the product fits into this shifting regulatory landscape.
The EU’s recently proposed draft AI regulation covers all AI systems, including those relying on biometric data—and is likely to be relevant for future regulation of personal neurodata, significantly altering the regulatory landscape around BCIs and neurotech. It specifically focuses on AI systems that pose high risks to individuals’ “health, safety and fundamental rights.” BCIs that might be considered “high risk” AI systems under the proposed regulation could trigger requirements prior to entering the market, such as going through a conformity assessment, adoption of adequate risk assessment, security guarantees, and adequate notice to the user, among others. If considered a “low risk” system, organizations would still have to fulfill transparency requirements. The full scope and impact of the EU’s AI regulation on the development and use of BCIs remains subject to the ongoing legislative process.
V. Conclusion
Health BCIs are set to influence and potentially improve healthcare by expanding accessibility and rehabilitation opportunities, as well as by giving medical practitioners new ways to diagnose and treat conditions. However, these applications are not without risk. The data flows that underpin medical BCIs raise privacy considerations, as well as risks in regard to how neurodata is secured and whether such data is accurate. Companies dealing with medical BCIs must remain abreast of these challenges and analyze how medical BCIs interact with a dynamic, global body of regulation.
Understanding why the first pieces fell in the transatlantic transfers domino
The Austrian DPA and the EDPS decided EU websites placing US cookies breach international data transfer rules
Two decisions issued by Data Protection Authorities (DPAs) in Europe and published in the second week of January 2022 found that two websites, one run by a contractor of the European Parliament (EP), and the other one by an Austrian company, have unlawfully transferred personal data to the US merely by placing cookies (Google Analytics and Stripe) provided by two US-based companies on the devices of their visitors. Both decisions looked into the transfers safeguards put in place by the controllers (the legal entities responsible for the websites), and found them to be either insufficient – in the case against the EP, or ineffective – in the Austrian case.
Both decisions affirm that all transfers of personal data from the EU to the US need “supplemental measures” on top of their Article 46 GDPR safeguards, in the absence of an adequacy decision and under the current US legal framework for government access to personal data for national security purposes, as assessed by the Court of Justice of the EU in its 2020 Schrems II judgment. Moreover, the Austrian case indicates that in order to be effective, the supplemental measures adduced to safeguard transfers to the US must “eliminate the possibility of surveillance and access [to the personal data] by US intelligence agencies”, seemingly putting to rest the idea of the “risk based approach” in international data transfers post-Schrems II.
This piece analyzes the two cases comparatively, considering they have many similarities other than their timing: they both target widely used cookies (Google Analytics, in addition to Stripe in the EP case), they both stem from complaints where individuals are represented by the Austrian NGO noyb, and it is possible that they will be followed by similar decisions from the other DPAs that received a batch of 101 complaints in August 2020 from the same NGO, relying on identical legal arguments and very similar facts. This piece analyzes the most important findings made by the two regulators, showing how their analyses were in sync and how these analyses likely preface similar decisions for the rest of the complaints.
1.“Personal data” is being “processed” through cookies, even if users are not identified and even if the cookies are thought to be “inactive”
In the first decision, the European Data Protection Supervisor (EDPS) investigated a complaint made by several Members of the European Parliament against a website made available by the EP to its Members and staff in the context of managing COVID-19 testing. The complainants raised concerns with regard to transfers of their personal data to the US through cookies provided by US based companies (Google and Stripe) and placed on their devices when accessing the COVID-19 testing website. The case was brought under the Data Protection Regulation for EU Institutions (EUDPR), which has identical definitions and overwhelmingly similar rules to the GDPR.
One of the key issues that was analyzed in order for the case to be considered falling under the scope of the EUDPR was whether personal data was being processed through the website by merely placing cookies on the devices of those who accessed it. Relying on its 2016 Guidelines on the protection of personal data processed through Web Services, the EDPS noted in the decision that “tracking cookies, such as the Stripe and Google Analytics cookies, are considered personal data, even if the traditional identity parameters of the tracked users are unknown or have been deleted by the tracker after collection”. It also noted that “all records containing identifiers that can be used to single out users, are considered as personal data under the Regulation and must be treated and protected as such”.
The EP argued in one of its submissions to the regulator that the Stripe cookie “had never been active, since registration for testing for EU Staff and Members did not require any form of payment”. However, the EP also confirmed that the dedicated COVID-19 testing website, which was built by its contractor, copied code from another website run by the same contractor, and “the parts copied included the code for a cookie from Stripe that was used for online payment for users” of the other website. In its decision, the EDPS highlighted that “upon installation on the device, a cookie cannot be considered ‘inactive’. Every time a user visited [the website], personal data was transferred to Stripe through the Stripe cookie, which contained an identifier. (…) Whether Stripe further processed the data transferred through the cookie is not relevant”.
With regard to the Google Analytics cookies, the EDPS only notes that the EP (as controller) acknowledged that the cookies “are designed to process ‘online identifiers, including cookie identifiers, internet protocol addresses and device identifiers’ as well as ‘client identifiers’”. The regulator concluded that personal data were therefore transferred “through the above-mentioned trackers”.
In the second decision, which concerned the use of Google Analytics by a website owned by an Austrian company and targeting Austrian users, the DPA argued in more detail what led it to find that personal data was being processed by the website through Google Analytics cookies, under the GDPR.
1.1 Cookie identification numbers, by themselves, are personal data
The DPA found that the cookies contained identification numbers, including a UNIX timestamp at the end, which shows when a cookie was set. It also noted that the cookies were placed either on the device or the browser of the complainant. The DPA affirmed that relying on these identification numbers makes it possible for both the website and Google Analytics “to distinguish website visitors … and also to obtain information as to whether the visitor is new or returning”.
In its legal analysis, the DPA noted that “an interference with the fundamental right to data protection … already exists if certain entities take measures – in this case, the assignment of such identification numbers – to individualize website visitors”. Analyzing the “identifiability” component of the definition of “personal data” in the GDPR, and relying on its Recital 26, as well as on Article 29 Working Party Opinion 4/2007 on the concept of “personal data”, the DPA clarified that “a standard of identifiability to the effect that it must also be immediately possible to associate such identification numbers with a specific natural person – in particular with the name of the complainant – is not required” for data thus processed to be considered “personal data”.
The DPA also recalled that “a digital footprint, which allows devices and subsequently the specific user to be clearly individualized, constitutes personal data”. The DPA concluded that the identification numbers contained in the cookies placed on the complainant’s device or browser are personal data, highlighting their “uniqueness”, their ability to single out specific individuals and rebutting specifically the argument the respondents made that no means are in fact used to link these numbers to the identity of the complainant.
1.2 Cookie identification numbers combined with other elements are additional personal data
However, the DPA did not stop here and continued at length in the following sections of the decision to underline why placing the cookies at issue when accessing the website constitutes processing of personal data. It noted that the classification as personal data “becomes even more apparent if one takes into account that the identification numbers can be combined with other elements”, like the address and HTML title of the website and the subpages visited by the complainant; information about the browser, operating system, screen resolution, language selection and the date and time of the website visit; the IP address of the device used by the complainant. The DPA considers that “the complainant’s digital footprint is made even more unique following such a combination [of data points]”.
The “anonymization function of the IP address” – which is a function that Google Analytics provides to users if they wish to activate it – was expressly set aside by the DPA, considering that during fact finding it was shown the function was not correctly implemented by the website at the time of the complaint. However, later in the decision, with regard to the same function and the fact that it was not implemented by the website, the regulator noted that “the IP address is in any case only one of many pieces of the puzzle of the complainant’s digital footprint”, hinting therefore that even if the function would have been correctly implemented, it wouldn’t have necessarily led to the conclusion that the data being processed was not personal.
1.3 Controllers and other persons “with lawful means and justifiable effort” will count for the identifiability test
Drilling down even more on the notion of “identifiability” in a dedicated section of the decision, the DPA highlights that in order for the data processed through the cookies at issue to be personal, “it is not necessary that the respondents can establish a personal reference on their own, i.e. that all information required for identification is with them. […] Rather, it is sufficient that anyone, with lawful means and justifiable effort, can establish this personal reference”. Therefore, the DPA took the position that “not only the means of the controller [the website in this case] are to be taken into account in the question of identifiability, but also those of ‘another person’”.
After recalling that the CJEU repeatedly found that “the scope of application of the GDPR is to be understood very broadly” (e.g. C-439/19B, C-434/16Nowak, C-553/07Rijkeboer), the DPA nonetheless stated that in its opinion, the term “anyone” it referred to above, and thus the scope of the definition of personal data, “should not be interpreted so broadly that any unknown actor could theoretically have special knowledge to establish a reference; this would lead to almost any information falling within the scope of application of the GDPR and a demarcation from non-personal data would become difficult or even impossible”.
This being said, the DPA considers that the “decisive factor is whether identifiability can be established with a justifiable and reasonable effort”. In the case at hand, the DPA considers that there are “certain actors who possess special knowledge that makes it possible to establish a reference to the complainant and identify him”. These actors are, from the DPA’s point of view, certainly the provider of the Google Analytics service and, possibly the US authorities in the national security area. As for the provider of Google Analytics, the DPA highlights that, first of all, the complainant was logged in with his Google account at the time of visiting the website.
The DPA indicates this is a relevant fact only “if one takes the view that the online identifiers cited above must be assignable to a certain ‘face’”. The DPA finds that such an assignment to a specific individual is in any case possible in the case at hand. As such, the DPA states that: “[…] if the identifiability of a website visitor depends only on whether certain declarations of intent are made in the account (user’s Google account – our note), then, from a technical point of view, all possibilities of identifiability are present”, since, as noted by the DPA, otherwise Google “could not comply with a user’s wishes expressed in the account settings for ‘personalization’ of the advertising information received”. It is not immediately clear how the ad preferences expressed by a user in their personal account are linked to the processing of data for Google Analytics (and thus website traffic measurement) purposes, and it seems that this was used in the argumentation to substantiate the claim that the second respondent generally has additional knowledge across its various services that could lead to the identification or the singling out of the website visitor.
However, following the arguments of the DPA, on top of the autonomous finding that cookie identification numbers are personal data, it seems that even if the complainant wouldn’t have been logged into his account, the data processed through the Google Analytics cookies would have still been considered personal. In this context, the DPA “expressly” notes that “the wording of Article 4(1) of the GDPR is unambiguous and is linked to the ability to identify and not to whether identification is ultimately carried out”.
Moreover, “irrespective of the second respondent” – so even if Google admittedly did not have any possibility or ability to render the complainant identifiable or to single him out, other third parties in this case were considered to have the potential ability to identify the complainant: US authorities.
1.4 Additional information potentially available to US intelligence authorities, taken into account for the identifiability test
Lastly, according to the decision, the US authorities in the national security area “must be taken into account” when assessing the potential of identifiability of the data processed through cookies in this case. The DPA considers that “intelligence services in the US take certain online identifiers, such as the IP address or unique identification numbers, as a starting point for monitoring individuals. In particular, it cannot be ruled out that intelligence services have already collected information with the help of which the data transmitted here can be traced back to the person of the complainant.”
To show that this is not merely a “theoretical danger”, the DPA relies on the findings of the CJEU in Schrems II with regard to the US legal framework and the “access possibilities” it offers to authorities, and on Google’s Transparency Report, “which proves that data requests are made to [it] by US authorities.” The regulator further decided that even if it is admittedly not possible for the website to check whether such access requests are made in individual cases and with regard to the visitors of the website, “this circumstance cannot be held against affected persons, such as the complainant. Thus, it was ultimately the first respondent as the website operator who, despite publication of the Schrems II judgment, continued to use the Google Analytics tool”.
Therefore, based on the findings of the Austrian DPA in this case, at least two of the “any persons” mentioned in Recital 26 GDPR that will be considered when deciding who can have lawful means to identify data so that the data is deemed personal are the processor of a specific processing operation, as well as the national security authorities that may have access to that data, at least in cases where this access is relevant (like in international data transfers). This latter finding of the DPA raises questions whether national security agencies in general in a specific jurisdiction may be considered by DPAs as an actor who has “lawful means” and additional knowledge when deciding if a data set links to an “identifiable” person, also in cases where international data transfers are not at issue.
The DPA concluded that the data processed by the Google Analytics cookies is personal data and falls under the scope of the GDPR. Importantly, the cookie identification numbers were found to be personal data by themselves. Additionally, the other data elements potentially collected through cookies together with the identification numbers are also personal data.
2.Data transfers to the US are taking place by placing cookies provided by US-based companies on EU-based websites
Once the supervisory authorities established that the data processed through Google Analytics and, respectively, Stripe cookies, were personal data and were covered by the GDPR or EUDPR respectively, they had to ascertain whether an international transfer of personal data from the EU to the US was taking place in order to see whether the provisions relevant to international data transfers were applicable.
The EDPS was again concise. It stated that because the personal data were processed by two entities located in the US (Stripe and Google LLC) on the EP website, “personal data processed through them were transferred to the US”. The regulator strengthened its finding by stating that this conclusion “is reinforced by the circumstances highlighted by the complainants, according to which all data collected through Google Analytics is hosted (i.e. stored and further processed) in the US”. For this particular finding, the EDPS referred, under footnote 27 of the decision, to the proceedings in Austria “regarding the use of Google Analytics in the context of the 101 complaints filed by noyb on the transfer of data to the US when using Google Analytics”, in an evident indication that the supervisory authorities are coordinating their actions.
In turn, the Austrian DPA applied the criteria laid out by the EDPB in its draft Guidelines 5/2021 on the relationship between the scope of Article 3 and Chapter V GDPR, and found that all the conditions are met. The administrator of the website is the controller and it is based in Austria, and, as data exporter, it “disclosed personal data of the complainant by proactively implementing the Google Analytics tool on its website and as a direct result of this implementation, among other things, a data transfer to the second respondent to the US took place”. The DPA also noted that the second respondent, in its capacity as processor and data importer, is located in the US. Hence, Chapter V of the GDPR and its rules for international data transfers are applicable in this case.
However, it should also be highlighted that, as part of fact finding in this case, the Austrian DPA noted that the version of Google Analytics subject to this case was provided by Google LLC (based in the US) until the end of April 2021. Therefore, for the facts of the case which occurred in August 2020, the relevant processor and eventual data importer was Google LLC. But the DPA also noted that since the end of April 2021, Google Analytics has been provided by Google Ireland Limited (based in Ireland).
One important question that remains for future cases is whether, under these circumstances, the DPA would find that an international data transfer occurred, considering the criteria laid out in the draft EDPB Guidelines 5/2021, which specifically require (at least in the draft version, currently subject to public consultation) that “the data importer is located in a third country”, without any further specifications related to corporate structures or location of the means of processing.
2.1 In the absence of an adequacy decision, all data transfers to the US based on “additional safeguards”, like SCCs, need supplementary measures
After establishing that international data transfers occurred from the EU to the US in the cases at hand, the DPAs assessed the lawful ground for transfers used.
The EDPS noted that EU institutions and bodies “must remain in control and take informed decisions when selecting processors and allowing transfers of personal data outside the EEA”. It followed that, absent an adequacy decision, they “may transfer personal data to a third country only if appropriate safeguards are provided, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”. Noting that the use of Standard Contractual Clauses (SCCs) or another transfer tool do not substitute individual case-by-case assessments that must be carried out in accordance with the Schrems II judgment, the EDPS stated that EU institutions and bodies must carry out such assessments “before any transfer is made”, and, where necessary, they must implement supplemental measures in addition to the transfer tool.
The EDPS recalled some of the key findings of the CJEU in Schrems II, in particular the fact that “the level of protection of personal data in the US was problematic in view of the lack of proportionality caused by mass surveillance programs based on Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order (EO) 12333 read in conjunction with Presidential Policy Directive (PPD) 28 and the lack of effective remedies in the US essentially equivalent to those required by Article 47 of the Charter”.
Significantly, the supervisory authority then affirmed that “transfers of personal data to the US can only take place if they are framed by effective supplementary measures in order to ensure an essentially equivalent level of protection for the personal data transferred”. Since the EP did not provide any evidence or documentation about supplementary measures being used on top of the SCCs it referred to in the privacy notice on the website, the EDPS found the transfers to the US to be unlawful.
Similarly, the Austrian DPA in its decision recalled that the CJEU “already dealt” with the legal framework in the US in its Schrems II judgment, as based on the same three legal acts (Section 702 FISA, EO 12333, PPD 28). The DPA merely noted that “it is evident that the second respondent (Google LLC – our note) qualifies as a provider of electronic communications services” within the meaning of FISA Section 702. Therefore, it has “an obligation to provide personally identifiable information to US authorities pursuant to 50 US Code §1881a”. Again, the DPA relied on Google’s Transparency Report to show that “such requests are also regularly made to it by US authorities”.
Considering the legal framework in the US as assessed by the CJEU, just like the EDPS did, the Austrian DPA also concluded that the mere entering into SCCs with a data importer in the US cannot be assumed to ensure an adequate level of protection. Therefore, “the data transfer at issue cannot be based solely on the standard data protection clauses concluded between the respondents”. Hence, supplementary measures must be adduced on top of the SCCs. The Austrian DPA relied significantly on the EDPB Recommendation 1/2020 on measures that supplement transfer tools when analyzing the available supplementary measures put in place by the respondents.
2.2 Supplementary measures must “eliminate the possibility of access” of the government to the data, in order to be effective
When analyzing the various measures put in place to safeguard the personal data being transferred, the DPA wanted to ascertain “whether the additional measures taken by the second respondent close the legal protection gaps identified in the CJEU [Schrems II] ruling – i.e. the access and monitoring possibilities of US intelligence services”. Setting this as a target, it went on to analyze the individual measures proposed.
The contractual and organizational supplementary measures considered in the case:
notification of the data subject about data requests (should this be permissible at all in individual cases),
the publication of a transparency report,
the publication of guidelines “for handling government requests”,
careful consideration of any data requests.
The DPA considered that “it is not discernable” to what extent these measures are effective to close the protection gap, taking into account that the CJEU found in the Schrems II judgment that even “permissible (i.e. legal under US law) requests from US intelligence agencies are not compatible with the fundamental right to data protection under Article 8 of the EU Charter of Fundamental Rights”.
The technical supplementary measures considered were:
the protection of communications between Google services,
the protection of data in transit between data centers,
the protection of communications between users and websites,
“on-site security”,
encryption technologies, for example encryption of data at rest in data centers,
processing pseudonymous personal data.
With regard to encryption as one of the supplementary measures being used, the DPA took into account that a data importer covered by Section 702 FISA, as is the case in the current decision, “has a direct obligation to provide access to or surrender such data”. The DPA considered that “this obligation may expressly extend to the cryptographic keys without which the data cannot be read”. Therefore, it seems that as long as the keys are kept by the data importer and the importer is subject to the US law assessed by the CJEU in Schrems II (FISA Section 702, EO 12333, PPD 28), encryption will not be considered sufficient.
As for the argument that the personal data being processed through Google Analytics is “pseudonymous” data, the DPA rejected it relying on findings made by the Conference of German DPAs that the use of cookie IDs, advertising IDs, and unique user IDs does not constitute pseudonymization under the GDPR, since these identifiers “are used to make the individuals distinguishable and addressable”, and not to “disguise or delete the identifying data so that data subjects can no longer be addressed” – which the Conference considers to be one of the purposes of pseudonymization.
Overall, the DPA found that the technical measures proposed were not enough because the respondents did not comprehensively explain (therefore, the respondents had the burden of proof) to what extent these measures “actually prevent or restrict the access possibilities of US intelligence services on the basis of US law”.
With this finding, highlighted also in the operative part of the decision, the DPA seems to de facto reject the “risk based approach” to international data transfers, which has been specifically invoked during the proceedings. This is a theory according to which, for a transfer to be lawful in the absence of an adequacy decision, it is sufficient to prove the likelihood of the government accessing personal data transferred on the basis of additional safeguards is minimal or reduced in practice for a specific transfer, regardless of the broad authority that the government has under the relevant legal framework to access that data and regardless of the lack of effective redress.
The Austrian DPA is technically taking the view that it is not sufficient to reduce the risk of access to data in practice, as long as the possibility to access personal data on the basis of US law is actually not prevented, or in other words, not eliminated. This conclusion is apparent also from the language used in the operative part of the decision, where the DPA summarizes its findings as such: “the measures taken in addition to the SCCs … are not effective because they do not eliminate the possibility of surveillance and access by US intelligence agencies”.
If other DPAs confirm this approach for transfers from the EU to the US in their decisions, the list of potentially effective supplemental measures for transfers of personal data to the US will remain minimal – prima facie, it seems that nothing short of anonymization (per the GDPR standard) or any other technical measure that will effectively and physically eliminate the possibility of accessing personal data by US national security authorities will suffice under this approach.
A key reminder here is that the list of supplementary measures detailed in the EDPB Recommendation concerns all international data transfers based on additional safeguards, to all third countries in general, in the absence of an adequacy decision. In the decision summarized here, the supplementary measures found to be ineffective concern their ability to cover “gaps” in the level of data protection of the US legal framework, as resulting from findings of the CJEU with regard to three specific legal acts (FISA Section 702, EO 12333 and PPD 28). Therefore, the supplementary measures discussed and their assessment may be different for transfers to another jurisdiction.
2.3 Are data importers liable for the lawfulness of the data transfer?
One of the most consequential findings of the Austrian DPA that may have an impact on international data transfers cases moving forward is that “the requirements of Chapter V of the GDPR must be complied with by the data exporter, but not by the data importer” – therefore, under this interpretation, the organizations that are on the receiving end of a data transfer, at least when they are a processor for the data exporter like in the present case, cannot be found in breach of the international data transfers obligations under the GDPR. The main argument used was that “the second respondent (as data importer) does not disclose the personal data of the complainant, but (only) receives them”. As a result, Google was found not to breach Article 44 GDPR in this case.
However, the DPA did consider that it is necessary to look further, and as part of separate proceedings, into how the second respondent complied with its obligations as a data processor, and in particular the obligation to process personal data on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization, as detailed in Article 28(3)(a) and Article 29 GDPR.
3.Sanctions and consequences: Between preemptive deletion of cookies, reprimands and blocking transfers
Another commonality of the two decisions summarized is that neither of them resulted in a fine. The EDPS issued a reprimand against the European Parliament for several breaches of the EUDPR, including those related to international data transfers “due to its reliance on the Standard Contractual Clauses in the absence of a demonstration that data subjects’ personal data transferred to the US were provided an essential equivalent level of protection”. It is significant to mention that the EP asked the website service provider to disable both Google Analytics and Stripe cookies in a matter of days after being contacted by the complainants on October 27, 2020. The cookies at issue were active between September 30, when the website became available, and November 4, 2020.
In turn, the Austrian DPA found that “the Google Analytics tool (at least in the version of August 14, 2020) can thus not be used in compliance with the requirements of Chapter V GDPR”. However, as discussed above, the DPA found that only the website operator – as the data exporter – was in breach of Article 44 GDPR. The DPA decided not to issue a fine in this case.
However, the DPA pursues to impose a ban on the data transfers or a similar order against the website, with some procedural complications. In the middle of the proceedings, the Austrian company that was in charge of managing the website transferred the responsibility of operating it to a company based in Germany, therefore the website is not under its control any longer. But since the DPA noted that Google Analytics continued to be implemented on the website at the time of the decision, it resolved to refer the case to the competent German supervisory authority with regard to the possible use of remedial powers against the new operator.
Therefore, it seems that stopping the transfer of personal data to the US without appropriate safeguards seems to be the focus in these cases, rather than sanctioning the data exporters. The parties have the possibility to challenge both decisions before their respective competent Court and require a judicial review within a limited period of time, but there are no indications yet whether this will happen.
4. The big picture: 101 complaints and collaboration among DPAs
The decision published by the Austrian DPA is the first one in the 101 complaints that noyb submitted directly to 14 DPAs across Europe (EU and the European Economic Area) at the same time in August 2020, from Malta, to Poland, to Lichtenstein, with identical legal arguments centered on international data transfers to the US through the use of Google Analytics or Facebook Connect, and all against websites of local or national relevance – so most likely these complaints will be considered outside the One-Stop-Shop mechanism.
The bulk of the 101 complaints were submitted to the Austrian DPA (about 50), either immediately under its competence, as in the analyzed case, or as part of the One-Stop-Shop mechanism where the Austrian DPA acts as the concerned DPA from the jurisdiction where the complainant resides, which likely needed to forward the cases to the many lead DPAs in the jurisdictions were the targeted websites have their establishment. This way, even more DPAs will have to make a decision in these cases – from Cyprus, to Greece, to Sweden, Romania and many more. About a month after the identical 101 complaints were submitted, the EDPB decided to create a taskforce to “analyse the matter and ensure a close cooperation among the members of the Board”.
In contrast, the complaint against the European Parliament was not part of this set, it was submitted separately at a later date to the EDPS, but relying on similar arguments on the issue of international data transfers to the US through Google Analytics and Stripe cookies. Even if it was not part of the 101 complaints, it is clear that the authorities indeed cooperated or communicated, with the EDPS making a direct reference to the Austrian proceedings, as shown above.
In other signs of cooperation, both the Dutch DPA and the Danish DPA have published notices immediately after the publication of the Austrian decision to alert organizations that they may soon issue new guidance in relation to the use of Google Analytics, specifically referring to the Austrian case. Of note, the Danish DPA highlighted that “as a result of the decision of the Austrian DPA” it is now “in doubt whether – and how – such tools can be used in accordance with data protection law, including the rules on transfers of personal data to third countries”. It also called for a common approach of DPAs on this issue: “it is essential that European regulators have a common interpretation of the rules”, since data protection law “intends to promote the internal market”.
In the end, the DPAs are applying findings from a judgment made by the CJEU, which has ultimate authority in the interpretation of EU law that must be applied across all EU Member States. All this indicates that it is likely a series of similar decisions will be successively published in the short to medium future, with small chances of seeing significant variations. This is why these two cases summarized here can be seen as the first two pieces that fell in a domino.
This domino, though, will not only be about the 101 cases and the specific cookies they target – it eventually concerns all US based service providers and businesses that receive personal data from the EU potentially covered by the broad reach of FISA Section 702 and EO 12333; all EU based organizations, from website operators, to businesses, schools, and public agencies, that use the services provided by the former or engage them as business partners, and disclose personal data to them; and it might as well affect all EU based businesses that have offices and subsidiaries in the US and that make personal data available to these entities.
