Privacy and AI weekly - Issue 14


This Friday on Privacy and AI weekly

Privacy

  • ICO fines Clearview
  • The Italian Data Protection Authority fines Uber
  • EU Commission Q&A on Standard Contractual Clauses
  • FTC settles dispute with Twitter


Artificial Intelligence

  • Singapore releases an AI Governance Testing Framework and Toolkit
  • 7 Revealing Ways AIs Fail
  • State-by-State Artificial Intelligence Legislation Tracker


Personal note

Before starting, I'd like to share with you that I've recently joined White Label Consultancy as a senior consultant to support their data protection services for their global clients. I will also contribute to the content creation for the company, so you may consider following the White Label Consultancy LinkedIn page as well.

I'm very happy about this new step in my professional career since I'm joining an awesome team driven by the values of quality and expertise and, most importantly, a friendly and supportive work environment.

I'll do my best to continue working on this newsletter, but I expect that I should make some changes, maybe concerning the frequency of the releases.



PRIVACY

Another fine on Clearview AI

The Information Commissioner’s Office made public a £7.5m fine against Clearview AI for using images of people in the UK that were collected from the web and social media to create a global online database that could be used for facial recognition.

In general, Clearview failed to:

  • use individuals’ information in a fair and transparent manner: data subjects were not aware of the use, nor did they have reasonable expectations of it
  • have a lawful reason to process the biometric information
  • have reasonable retention periods
  • meet the standards required for the protection of biometric data

Clearview AI's processing activities have drawn the attention of regulators worldwide. For instance:

  • France ordered the company to cease the illegal processing and delete the data (Dec 2021)
  • Italy imposed a €20m fine and ordered the company to cease its activities (March 2022)
  • Australia found the activities carried out by the company illegal (Nov 2021, joint investigation with UK ICO)
  • Canada (provinces of Quebec, British Columbia and Alberta) required the company to cease the illicit processing activities and delete the data (Feb 2021)
  • In the USA, the state of Illinois and ACLU settled a dispute with Clearview. As part of the settlement in ACLU v. Clearview AI, the company is permanently banned, nationwide, from making its faceprint database available to most businesses and other private actors (May 2022)

It’s worth noting that facial recognition is not forbidden in itself. But these practices are highly privacy intrusive and should be carried out following the legal requirements and in a responsible manner.

Press release here



The Italian Data Protection Authority fines Uber

After a data breach that Uber suffered in 2016, the IT SA started investigations.

It found that the information provided to data subjects in the privacy notice was insufficient and incorrect, e.g. it omitted to mention Uber Technologies Inc as joint controller (around 1.5m data subjects affected, including both drivers and users).

Uber failed to obtain specific consent in relation to the processing carried out for the evaluation of the "Risk of fraud": around 1.4m Uber users affected.

Uber also failed to notify the IT SA of the processing of geolocation data (mandatory at that time, pre-GDPR).

The IT SA imposed a fine on Uber BV (NL) and another on the parent company Uber Technologies Inc (USA) for EUR 2.120.000.

Press release here (EN)



EU Commission Q&A on Standard Contractual Clauses

Last year, the European Commission adopted two sets of standard contractual clauses, one for the use between controllers and processors within the European Economic Area (EEA) and one for the transfer of personal data to countries outside of the EEA.

Due to the difficulties in the interpretation and implementation of the SCCs, the EC published the Q&As to provide practical guidance on the use of the SCCs to assist stakeholders with their compliance efforts.

The Q&A are divided into three parts (general inquiries about SCCs, SCCs between controllers and processors, and SCCs for international transfers). Concerning the SCCs for the transfer of data to third countries, the Q&A address:

  • reasons for modernisation and main novelties
  • scope of application and transfer scenarios
  • general issues about the protection of individual rights
  • obligations of data exporters and importers
  • local laws and government access

Access the link to the Q&A here



FTC settles dispute with Twitter

From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts. Twitter, however, failed to mention that it also would be used for targeted advertising. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers.

Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.

Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.

In addition to the $150 million penalty, other provisions of the proposed order would:

  • prohibit Twitter from profiting from deceptively collected data;
  • allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
  • notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
  • implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
  • limit employee access to users’ personal data; and
  • notify the FTC if the company experiences a data breach.

Side note: note the differences between the press release issued by the company and the one issued by the FTC.


Source Twitter blog


FTC press releases



ARTIFICIAL INTELLIGENCE

Singapore releases an AI Governance Testing Framework and Toolkit

A.I. Verify is an initiative developed by the Personal Data Protection Commission (PDPC) and IMDA which was launched yesterday at the World Economic Forum.

The idea is to help businesses that make use of AI self-assess their AI systems in an objective and verifiable manner. It is also a method for organisations to demonstrate responsible implementation of their AI systems.

A.I. Verify also provides a window of opportunity to help businesses bridge different AI governance frameworks and build benchmarks to develop international standards on AI governance.

Press release and framework



7 Revealing Ways AIs Fail

This IEEE Spectrum article explains the most common ways AI projects fail and the reasons for it.

  • Brittleness
  • Embedded bias
  • Catastrophic Forgetting
  • Explainability
  • Quantifying uncertainty
  • Common sense
  • Math




State-by-State Artificial Intelligence Legislation Tracker

The US Chamber of Commerce has published an interactive map that shows states' actions to legislate artificial intelligence.


Source here



Audit of 9 government algorithms finds 6 do not meet basic requirements

The Dutch Court of Auditors performed audits on 9 algorithms used by governmental entities and found that 6 out of 9 do not meet basic requirements for the responsible use of AI. The risks they found range from inadequate control over the algorithm’s performance and impact to bias, data leaks and unauthorised access.

The summary is in the table below.


Source here

Mauro Provenzano

CIPP/E | Data Protection Officer | Privacy & AI | Legal Counsel

2 years ago

Thank you for your amazing updates every week Federico! Those will be missed, but for a good reason. Cheers on this new chapter!

Birthe Holm Cox

Helping customers to become Cyber Resilient. Cyber security is everyone's responsibility.

2 years ago

Thanks for sharing, and congrats on your new role at White Label.

Harvey Nusz, CIPM, CRISC, CGEIT, CISA

Privacy / Cybersecurity / GRC Evangelist Leading Cross-functional Teams, Working with Legal, Audit & Vendors to Securely Deliver Data Protection by Operationalizing Processes and Controls that Meet Regulatory Standards.

2 years ago

Federico, I want to briefly state how much I appreciate your updates on what’s new in Privacy. They are a quick go-to source of being able to stay up-to-date on the latest and most important news in Privacy. Our ISACA Greater Houston Chapter Privacy Saturday morning members also appreciate the contribution you make to our three hour sessions on fourth Saturdays, and significantly missed you last time, which was last Saturday due to our Memorial Day weekend coming up. We look forward to your contribution 25 June, and thank you again for what you do.

Georg Philip Krog

Pioneering AI-Driven Data Privacy, Security & Compliance | Creator of Data Privacy and Security Standard Vocabularies and Ontologies | Founder of Signatu | Transforming Legal Tech into Business Advantage

2 years ago

Great as always!
