Edda Pernice, Author at TechGDPR (https://techgdpr.com/blog/author/edda/), last updated Mon, 26 May 2025 12:20:52 +0000

Comparing the UK and EU's framework on facial recognition technology
https://techgdpr.com/blog/comparing-the-uk-and-eu-framework-on-facial-recognition-technology/
Published Mon, 26 May 2025 12:20:51 +0000

As advancements in technology affect all areas of our lives, law enforcement agencies and private companies are also testing the use of artificial intelligence (AI) for the purpose of public safety. Advanced Remote Biometric Identification (RBI), specifically in the form of Facial Recognition Technology (FRT), is currently at the centre of the discussion. RBI refers to the use of artificial intelligence to identify individuals from a distance. Identification is possible because the AI matches the biometric features stored in a database against the features recorded by a device capable of capturing said data remotely. FRT is a type of RBI that focuses on unique facial features and compares them to data from a digital image or video, e.g. CCTV footage.

What does this mean around the world?

Countries such as the United States and the United Kingdom are increasingly moving towards reliance on these technologies. Countries in the EU are also recording the findings of trial projects related to the use of Facial Recognition Technology. However, as the technology continues to evolve and becomes increasingly widespread, concerns arise about the potential consequences of using it. Most concerns focus on biases and on the consequences for law enforcement. In addition, concerns regarding all individuals' privacy rights are at the forefront of the discussion, including:

  • Whether an indiscriminate recording of all individuals captured by cameras is aligned with the principle of data minimization;
  • Concerns on the lawfulness and transparency of the use of said technology, as further discussed below; and
  • Appropriate processing of special categories of personal data in accordance with legal requirements. 

Both the GDPR and its UK equivalent (the 'UK-GDPR') provide a legal framework setting standards for the use of this technology. However, the departure of the UK from the EU in 2020 means that the two jurisdictions are now taking entirely different approaches to the use of Artificial Intelligence. This blog post analyses those differences, and their implications, with a focus on FRTs.

The history of public surveillance systems in the EU and the UK

Looking at the history of public surveillance systems in the EU and in the UK sets the stage for highlighting the difference in the frameworks that apply to this day.

Public authorities and private actors have implemented video surveillance as one of the measures to ensure security since the middle of the 20th century. Camera systems such as CCTV have been increasingly appearing in UK cities since the 1950s, and have progressively evolved technologically. As a result, we are now at the point where South London will be installing its first permanent facial recognition cameras.

Similarly, Germany saw its first shift in the usage of cameras for public security reasons in the 1960s. By the 2000s, the majority of large European cities were deploying CCTV systems.

However, based on this history and according to researchers, the evolution of the technical capabilities of CCTV and its use in the EU has always lagged behind that of the UK. One of the reasons for this was the lack of constitutional protection for the right to privacy in the UK. Meanwhile, EU countries have demonstrably taken a stricter approach to privacy even prior to the Data Protection Directive passed in 1995. The EU has implemented further protective measures since, such as the AI Act.

How does the use of facial recognition change between the EU and the UK?

While both jurisdictions use Facial Recognition Technology with the goal of enhancing public and national security, they differ vastly in how extensively they have applied it in practice.

The main difference is in its application, which is in turn related to the current regulatory differences. In the EU, current deployments of RBI systems are primarily experimental and localised. Examples of case studies include Facial Recognition Cameras at Brussels Airport, Facial Recognition at Hamburg G20, and the DragonFly Project in Hungary. There is currently no example of fully implemented and permanent FRT or RBI systems in the EU.

Additionally, the UK's implementation of such systems is a current point of discourse across the country. As an example, the Met Police's deployment policy for the overt use of live facial recognition to locate people on a Watchlist allows Live Facial Recognition to be deployed at "hotspots" for a number of crimes, ranging from theft and drugs to terrorism and human trafficking.

Additionally, use has extended to private companies, such as those in the retail and hospitality sectors, which take advantage of the technology to enhance security and prevent theft and revenue loss.

Regulatory similarities

In both the EU and the UK, the GDPR regulates the usage of all data processing technologies, including Facial Recognition Technology. The UK also implemented the regulation at national level with the Data Protection Act 2018. Therefore, a number of legal requirements, and issues of public concern are common for both jurisdictions:

  • Data needs to be processed lawfully, fairly and in a transparent manner. Public interest can be an applicable legal basis for public authorities and law enforcement (albeit not without justification). Private companies, however, are required to jump through more hurdles to justify the necessity and proportionality, and the outright lawfulness, of the use of FRTs, typically under legitimate interest;
  • Processing of biometric data means that special categories of personal data under Art. 9 are being processed, adding an extra layer to the lawfulness argument. Such categories of data can only be processed pursuant to one of the exceptions listed in Article 9. Again, reliance on substantial public interest could be an option, but not without carrying out a balancing exercise, which leads to the requirement to carry out a Data Protection Impact Assessment in accordance with Art. 35.3, where the usage of said technology arguably meets all 3 criteria;
  • Further considerations and concerns include breaches to the principles of purpose and storage limitation, and data minimisation. 

What is the regulatory approach to facial recognition in the EU?

In the EU, the newly implemented AI Act regulates the specific use of real-time remote biometric identification systems in its Article 5. The article outright bans the use of AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage, as well as the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement, although the latter comes with exceptions. These include:

  • Search for abducted individuals, and victims of human trafficking and sexual exploitation;
  • Prevention of a specific, substantial and imminent threat to life or threat of terrorism; and
  • Localisation of a person suspected to have committed a criminal offence listed in Annex 2 of the Act (which does not include property damage, theft and/or burglary). 

Said exceptions, however, must still take into account the rights and freedoms of the individuals involved. Additionally, Article 27 of the AI Act requires a fundamental rights impact assessment, and law enforcement authorities must register the system in the EU database in accordance with Article 49.

How does the regulation framework differ in the UK?

Since its departure from the EU following Brexit, the UK regulates such technologies entirely differently. There is currently no AI-specific regulation in place. The only related legislation for the use of such technologies, the Data Protection and Digital Information Bill, is currently being discussed by the UK Parliament.

Importantly, the draft of this bill demonstrates how the UK's approach is the opposite of the EU's, possibly leading to less regulation, for example through the abolition of the Biometrics and Surveillance Camera Commissioner (BSCC). The underlying argument is that the removal of this office, in a period of fast technological change, will loosen safeguards designed to raise standards and protect citizens, and may ultimately result in the deployment of technologies that are not in the public interest.

That is not to say that the use of said technologies will go entirely unchecked. The Information Commissioner's Office has made a statement on the use of said technologies, calling for the responsible and lawful use of Facial Recognition Technology, and has published guidance on the appropriate use of biometric recognition systems. However, the guidance still relies mostly on GDPR-based principles and rules. It does not add anything new to the conversation on the increased use of FRTs by law enforcement agencies or private companies, which might have legal implications for individuals. Therefore, the status quo remains that, in comparison with the EU, the UK is a regulatory sandbox for the use of such technologies. As a result, concerns arise about the ways this compliance vacuum could be exploited and the resulting risk for individuals.

Looking forward

Despite the technology being substantially more regulated in the EU, there is still criticism of the general use of FRTs, even with the GDPR and AIA rules that apply to these technologies. The criticism focuses on the vagueness of the definitions in the AI Act, the changes made to the AI Act draft from an outright ban on the technologies to an approach with "exceptions", and the lack of clarity on the implementation of these technologies by private companies outside of law enforcement agencies.

Preparing for the CIPP/E Exam: Tips and Best Practices
https://techgdpr.com/blog/preparing-for-the-cipp-e-exam-tips-and-best-practices/
Published Tue, 29 Apr 2025 09:18:06 +0000

As data protection compliance remains an area of importance across industries, the CIPP/E credential is one of the most recognized benchmarks for privacy professionals working with European data protection laws, in particular the General Data Protection Regulation (GDPR). In order to gain the qualification, the International Association of Privacy Professionals (IAPP) requires one to first be a member. Secondly, one must pass the CIPP/E exam, a multiple-choice exam testing knowledge of data protection, both theoretical and practical. TechGDPR has compiled a set of practical tips and best practices drawn from proven study strategies and direct experience with the exam structure.

Understanding the CIPP/E Exam Structure

The CIPP/E exam consists of 90 multiple-choice questions. Candidates are given 2.5 hours (150 minutes) to complete the test. The exam assesses both one’s knowledge of data protection concepts and one’s ability to apply them in real-world scenarios.

The questions range from straightforward knowledge checks to more complex, scenario-based challenges designed to evaluate analytical thinking and comprehension. For this reason, preparation should go beyond memorization and aim for a deeper understanding of the principles behind European data protection law. With the following tips, one will be able to optimize one’s preparation and have a structured approach to passing the CIPP/E exam. 

Align Study Time with the Body of Knowledge (BoK) and CIPP/E Exam Blueprint

The IAPP provides a detailed Body of Knowledge and Exam Blueprint, which outline the topics covered in the exam and the weight of each section within the exam respectively. These documents should serve as one's primary guides when structuring one's study plan, especially as they allow one to allocate time according to the relative weight and complexity of each section. When using said study materials, consider:

  1. Creating a structured study plan based on the BoK: break down one's preparation by topic, allocate specific time blocks, and stick to a schedule.
  2. When allocating time, prioritizing foundational chapters such as data subject rights, security of processing and accountability requirements.
  3. With that in mind, not overlooking smaller sections, such as the scope of the GDPR, both material and territorial, and obligations regarding data transfers. These areas are frequently tested and play a bigger role when applying these concepts in practice, especially when working in data protection.

Spending equal amounts of time on all sections might end up being a disadvantage. Instead, determine which subsections to focus on by considering one's strengths, previous knowledge and experience. For example, individuals with a legal background are unlikely to need as much time on the history of data protection law or the function of EU institutions. Instead, they might wish to focus more on the application of the GDPR in practice, as it relates to the implementation of security measures. A balanced approach that ensures complete coverage of all topics is essential.

Focus on Comprehension, Not Just Memorization

While it’s important to be familiar with definitions, timelines, and regulatory structures, understanding the main GDPR principles, including the why and how these are applied, is crucial. That is because the exam includes numerous scenario-based questions that test one’s ability to interpret and apply legal concepts in practice.

Candidates who approach the exam with a purely rote memorization strategy often find themselves unprepared for this type of question, making them prone to misinterpreting the practical questions. Meanwhile, a higher-level but focused understanding will not only help one pass the exam but will also strengthen one's professional ability to apply privacy principles in real-world situations.

Practice with Mock CIPP/E Exams and Learn from Them

One of the most effective ways to prepare is by practicing with mock exams and sample questions. This serves multiple purposes:

  • It helps one become familiar with the structure, format, and pace of the actual exam.
  • It sharpens one’s attention to question phrasing, including common pitfalls like double negatives and subtly misleading answer choices. Ambiguous phrasing tends to be common in the IAPP exam format.
  • It allows one to identify knowledge gaps and adjust one’s study plan accordingly. 

One way to learn more from mock exams is to approach each question as if it were not multiple choice. When reading the question, think of the response a person would actually have provided. Next, determine which option comes closest to that answer. While doing this, however, consider the rationale behind each answer choice that the exam provides.

Additionally, a helpful tip when getting closer to the time of the exam is to mimic the real environment to build focus and time management skills.

Go Beyond the IAPP Materials 

While the official IAPP training material is a necessary foundation, the exam often assumes a broader understanding of the GDPR and its practical implications. It is best to supplement one's learning with external reading, such as:

  • The full text of the GDPR;
  • Guidance documents from data protection authorities (e.g., the EDPB); and
  • Articles, case law, and real-world commentary from respected privacy professionals.

This broader perspective can clarify complex topics and help one grasp how GDPR principles are applied in varying contexts. This also helps when answering scenario-based questions.

Conclusion

Preparing for the CIPP/E exam requires a strategic, well-rounded approach. Using the Body of Knowledge to structure one’s study plan will ensure full coverage of all topics based on one’s own strengths and weaknesses. Prioritize understanding the concepts, not just memorizing definitions. Many exam questions test an individual’s ability to apply the principles of the GDPR in real-life scenarios.

Regular practice with mock exams is also essential for building familiarity with the format. It also helps refine one's time management and teaches one to navigate the often complicated questions. In addition, broadening one's preparation through further reading will provide valuable context, which strengthens one's ability to tackle more complex scenario-based questions.

TechGDPR also offers CIPP/E training either in-person or online to help one succeed. By combining focused study, conceptual comprehension, and consistent practice, one will be well-equipped to pass the CIPP/E exam. 

What to Expect When Taking the CIPP/E Certification Exam
https://techgdpr.com/blog/what-to-expect-when-taking-the-cipp-e-certification-exam/
Published Wed, 09 Apr 2025 10:16:21 +0000

If you’re exploring a career in data protection or want to deepen your understanding of the EU’s General Data Protection Regulation (GDPR), you’ve likely heard of the CIPP/E certification exam. Offered by the International Association of Privacy Professionals (IAPP), this certification is a recognized benchmark for professionals in European data protection law. It is highly sought after by individuals already specializing in privacy or those looking to enter the sector.

Prepare for the CIPP/E Certification Exam with Expert Training

TechGDPR offers comprehensive training designed to help you pass the CIPP/E exam. Our expert instructors have hands-on experience in the field and have earned the certification themselves. This training covers the full Body of Knowledge (BoK) and aligns with the official IAPP Exam Blueprint, ensuring you’re prepared for the certification exam.

Mapping to the CIPP/E Body of Knowledge (BoK)

Our training structure directly follows the CIPP/E Body of Knowledge (BoK). This ensures the course is current, relevant, and aligned with the official exam requirements. There are three key sections in this training:

  1. Introduction to European Data Protection
    Gain a foundational overview of the historical, institutional, and legal roots of privacy in the EU.
  2. European Data Protection Law and Regulation
    Dive deep into the GDPR’s core principles, including key definitions, rights, obligations, and enforcement.
  3. Compliance with European Data Protection Law and Regulation
    Learn how to apply the GDPR in specific contexts, such as employment, marketing, and modern tech environments.

Introduction to European Data Protection

Our training begins with a look at the historical and legal framework that shaped data protection in Europe. Understanding the evolution of privacy regulation, from early directives to today’s robust legislation, gives context to the GDPR. We’ll explore the role of EU institutions in creating and enforcing data protection laws, which is especially useful for professionals without a legal background.

European Data Protection Law and Regulation

The majority of the course focuses on the GDPR itself, which forms the heart of the certification. You will explore key GDPR concepts, such as:

  • Personal data, controllers, and processors
  • Material and territorial scope of the Regulation
  • Core principles like data minimization, purpose limitation, and accountability

The heart of the course lies in a thorough breakdown of the GDPR itself.


Focusing on the GDPR

Participants will first gain a solid understanding of key terms such as personal data, controller, and processor, and the material and territorial scope of the Regulation. From there, the course dives into the core principles of data processing. These principles include purpose limitation, data minimization, and accountability, what these mean and the requirements in practice.

The training will also explore the six legal bases for processing personal data, and when and how to apply them. A special focus is placed on dispelling common misconceptions, particularly around consent, which is often misunderstood as the only valid justification for processing. The course will also look in depth at how consent can be appropriately implemented through its numerous requirements. The course also looks into the exceptions which, together with a legal basis, are required in order to process special categories of personal data.

Further key topics include data subject rights, including access, rectification, erasure, and portability. It is not enough to just explain what these rights are; the course covers how organizations can operationalize processes to meet their obligations efficiently. Additionally, we discuss security incidents and data breaches, including their similarities and differences. Based on this, the training will also go into detail on how to respond appropriately in accordance with the GDPR, and on setting up an incident response protocol to mitigate risks, including those arising before, during and after an incident, a data breach, or both.

Last but certainly not least, the course also explores the controversial yet crucial topic of international transfers. Namely, how organisations can be empowered to transfer personal data securely outside of the EU. The training looks at addressing these with a compliance-focused approach that removes the hassle from catching up with regulations and gathering all required documentation at a later stage. This includes a section looking into the ongoing issue of transfers to the United States and how to effectively prepare for an ever-changing framework in this context.

Compliance with European Data Protection Law and Regulation

The final section of the course addresses how GDPR applies in specific real-world contexts. These include:

  • Employee Data Handling: Lawfully processing and storing personal data, managing BYOD policies, and mitigating employee monitoring risks.
  • Direct Marketing Campaigns: Telemarketing, online direct marketing, and online behavioral marketing requirements.
  • Internet Technology and Communications: Understanding cloud computing, web cookies, social media platforms, and artificial intelligence.
  • Surveillance and Biometrics: Public authority surveillance, telecommunications interception, CCTV in public spaces, and the use of biometrics like facial recognition.

This practical approach helps you not only understand the law but also confidently apply it in everyday business operations.

Beyond the CIPP/E Certification Exam: Practical Value for Professionals

Our CIPP/E training offers more than just exam preparation. It provides lasting value for professionals in legal, compliance, HR, IT, or marketing roles. You’ll gain practical insights into GDPR obligations specific to your role, empowering you to proactively engage with privacy considerations and confidently support compliance initiatives.

Whether you’re preparing for the CIPP/E certification exam or simply want to enhance your understanding of European data protection, our training offers a structured, practical approach to mastering GDPR.

AI Age Verification: Big Tech's Risky Fix for GDPR Violations
https://techgdpr.com/blog/ai-age-verification-big-techs-risky-fix-for-gdpr-violations/
Published Tue, 25 Mar 2025 11:00:57 +0000

One-third of GDPR fines are related to the misuse of children's data, and big tech companies are yet to implement appropriate measures to safeguard them. In response, major platforms like Google and TikTok are planning to use AI age verification, starting in 2025, to deduce the age of their users based on the content they interact with. However, this raises further concerns. Firstly, is this initiative arriving too late? Secondly, have these companies thoroughly considered the additional risks AI could pose in safeguarding children's data?

Enforcement from authorities for violations of rights in relation to children

In recent years, several significant fines have been issued to tech giants over their mishandling of children’s data. Among these are:

2022
  • The Dutch supervisory authority fined TikTok €750,000 in 2022. The fine was for violations concerning children's privacy, specifically the lack of transparency and information only being provided in English; and
  • Meta was fined €405 million by the UK Information Commissioner's Office (ICO) in 2022 for setting profiles as public by default. This included children aged 13 to 17. It also allowed the same age range to set up "business profiles", which make their email address and phone number publicly available.
2023
  • In 2023 TikTok was fined by both the UK and Irish commissioners, for £12.7 million and €350 million respectively. The ICO found TikTok guilty of having a vast number of accounts tied to children under 13, of which senior employees at TikTok were already aware. Additionally, the ICO considered that the measures in place to verify age and ask for parental consent were not appropriate, and that information on the processing was not provided in a transparent manner. The Irish Data Protection Commissioner (DPC)'s concern mirrored the ICO's concern regarding Meta: it found that accounts of minors were publicly available;
  • OpenAI also saw a fine in 2023, this time from the Italian authority. The fine was for €15 million, related to, amongst other issues, lack of age verification concerns; and
  • In 2023, Meta was under fire again, subject to a €251 million fine from the Irish DPC. The fine followed a data breach that impacted approximately 29 million users including, amongst others, children and their data.
2025
  • Most recently in March 2025, articles have come out suggesting a new investigation on TikTok’s practices, meaning that scrutiny over the platform’s handling of children’s data remains ongoing.

Despite these substantial penalties, which are some of the highest since the GDPR took effect, the effectiveness of these authorities' interventions remains questionable, given the lack of visible changes to the platforms.

New AI Age Verification Measures: What’s Changing?

Recently, however, there have been pledges to make improvements in this sector starting in 2025. Both Google, specifically for its YouTube service, and TikTok suggest that they will use machine learning to help estimate users' ages based on their interactions with the platforms. Meanwhile, Meta deems it sufficient that the Apple and Google app stores have implemented guardrails which prevent underage users from downloading apps rated above their age range. These proposed measures, whilst a potential improvement over no age assurance at all, still raise questions. One of the most pressing is whether this is really the most compliant way forward to avoid further fines related to the use of children's data.

Flaws in Current Age Verification Methods

The current state of these platforms suggests that their approach to age verification remains flawed. Many still rely on basic verification methods, such as asking users to input their birth date instead of merely ticking a box confirming they are over 13. While this method may encourage slightly greater honesty from children, it remains easily bypassed without additional safeguards.

TikTok has taken a step forward since the fall of 2020 by applying more robust verification, which requires users who wish to go live to be over 18 and to confirm their age. This is done through facial age estimation, ID photo submission, or bank account verification. While this is a move in the right direction and aligns with age assurance mechanisms endorsed by Ofcom, it is still limited in scope. It also does not seem to be used to verify users' ages where parental consent is needed.

Parental Controls vs. Platform Responsibility

App stores like Google Play and Apple’s App Store allow parents to set restrictions on their children’s devices. This prevents the download of age-restricted apps. However, this shifts the responsibility onto parents rather than the platforms themselves. Notably, many social media platforms, including Facebook, Instagram, TikTok, and YouTube, are rated as 12+, despite the GDPR’s Article 8 establishing the minimum age for parental consent at 13. This discrepancy allows children to still access these platforms without parental approval.

The Push for Stricter Age Verification Laws

Some countries, like France, are considering following Australia’s example by proposing a complete ban on social media usage for children under 13. However, enforcing such a ban remains a challenge. Without effective age verification mechanisms, prohibiting access becomes difficult. Moreover, some critics argue that such restrictions may be unconstitutional or infringe upon children’s rights.

Research conducted by Ofcom in the UK indicates a rising trend in social media usage among children compared to previous years. While comparable EU-wide statistics are less readily available, it is reasonable to assume that similar trends apply globally. This growing demographic highlights the urgency of implementing effective protections; however, the solutions that have been proposed seem to come with further risk. Therefore, it can be argued that these promises are geared less towards the protection of children's data and more towards avoiding further enforcement actions.

Is AI Really the Solution?

As mentioned earlier, TikTok and YouTube plan to use machine learning algorithms to infer users’ ages, specifically targeting those who may be under 13. While this approach seems promising, it also introduces compliance risks.

The European Data Protection Board (EDPB) has issued a statement, effective from February 2025. The statement outlines the need for age assurance mechanisms to be effective, secure, and compliant with the GDPR principles. Among the key considerations is the right to avoid automated decision-making. The use of machine learning for age verification must be assessed on a case-by-case basis. It must include appropriate redress mechanisms, including the ability to request human intervention.

Additionally, the statement emphasizes that platforms processing children’s data must fully adhere to GDPR principles. This includes conducting a Data Protection Impact Assessment (DPIA) to evaluate risks and mitigation measures. Given that machine learning is considered high-risk processing and children’s data is inherently more sensitive, platforms must take extra precautions. AI-driven age verification is not outright prohibited. It is crucial that companies deploying such technologies do so with full compliance in mind.

Yoti and Third-Party AI Age Verification Solutions

That is not to say that it is impossible to carry out age verification safely while using AI. One of the providers that has garnered attention from major platforms such as Meta and OpenAI is UK-based Yoti Ltd. Yoti is an age verification provider that also makes use of AI when carrying out selfie age estimation. It provides guarantees that none of the data used for said verification is shared with the controller. Relying on a third-party solution, especially one that is based in Europe and may be more aware of GDPR restrictions and subject to more stringent requirements, could help with mitigating some of the risks that have been mentioned so far.

Meta has provided no news on the use of the provider since 2023, and the result of its use for OpenAI is yet to be seen. Meanwhile, the statements from YouTube and TikTok remain vague on what exactly they mean when they say they will use AI or machine learning. Considering the past violations of the companies proposing these AI-driven solutions, it is fair to question whether they will implement them in a genuinely GDPR-compliant manner. Given the history of non-compliance, skepticism remains warranted. These platforms are looking into compliance from the enforcement point of view, as opposed to focusing on the protection of data subjects. 

Conclusion

Failure to implement effective age assurance mechanisms in line with GDPR’s Article 8 has been a common issue. It has resulted in many of the largest GDPR fines issued to social media platforms over the past three years. Despite this, platforms continue to lag in their efforts to protect children’s data. This continues even as the number of young users continues to grow.

While some governments advocate for stricter bans, platform providers are making promises to implement improved verification methods. The improved verification methods include the use of AI to estimate users’ ages. This concept is not entirely new: TikTok already employs AI-driven age verification for its Live feature. Meta is currently also listed as a client of the UK-based age verification provider Yoti. Notably, Yoti has also been named as the provider required to verify the age of OpenAI’s users. This is a requirement imposed in response to a fine from the Italian DPA. As concerns surrounding AI, machine learning, and data privacy remain pressing, the methodology proposed by large social media platforms remains a cause of concern for the privacy of child users.

The post AI Age Verification: Big Tech’s Risky Fix for GDPR Violations appeared first on TechGDPR.

]]>
The Intersection of AI and Ethics: Why Your Organization Needs a Data Officer https://techgdpr.com/blog/intersection-of-ai-and-ethics/ Thu, 05 Sep 2024 10:34:10 +0000 https://s8.tgin.eu/?p=9137 Artificial Intelligence (AI) has become a key player in many industries and for different aspects of a business, from HR to product development, to the product itself. Its popularity and potential economic interest is only growing, with businesses and organizations intending to profit from its seemingly endless capabilities. For example, increased productivity and global greenhouse […]

The post The Intersection of AI and Ethics: Why Your Organization Needs a Data Officer appeared first on TechGDPR.

]]>
Artificial Intelligence (AI) has become a key player in many industries and for different aspects of a business, from HR to product development, to the product itself. Its popularity and potential economic interest are only growing, with businesses and organizations intending to profit from its seemingly endless capabilities. For example, increased productivity and global greenhouse gas emission reduction are two advantages that the European Parliament’s Think Tank 2020 has identified with the use of AI. However, with innovation also come several risks, directly followed by attempts at mitigation in the form of guidance, non-binding frameworks and, in some cases, regulations. Appointing a Data Officer is one way to get support in assessing the risks, navigating and understanding the frameworks, and complying with regulatory requirements at the intersection of AI and ethics.

Risks of using AI

Although the use of AI shows a great deal of potential, it has also been proven to cause a number of harms. For example, the Future of Privacy Forum 2017 identified two main categories of harm: individual and collective/societal harms. These are further subdivided according to whether they are deemed unfair or downright illegal. Categories of examples are also identified, e.g. loss of opportunity, including mostly instances of discrimination, such as the case of the Amazon AI tool that resulted in employment discrimination against women. In addition to harm to the person, AI could also cause harm to the environment due to its high consumption of energy, and organizational harm to companies that might incur penalties, financial losses and damage to reputation due to the unlawful or wrong use of AI systems.

Mitigating the risks

Each risk identified above might have its own individual mitigation strategy. However, one all-encompassing way to ensure that an AI system is developed or used causing the least amount of harm possible is building trustworthy and ethical AI from the get-go and, in turn, only using systems guaranteed to be ethical and trustworthy.

A common problem with AI and its associated risk is the fact that it might operate as a black box, without any transparency and/or fairness in its decision making and ultimately its output. Over time, a multitude of supervisory bodies and organizations have developed frameworks and standards in order to define what it means for an AI system to be ethical.

Ethical AI

There are a multitude of frameworks that highlight what is required for an AI system to be ethical. Some of these include the UNESCO Recommendation on the Ethics of AI, the Council of Europe’s Report “Towards Regulation of AI Systems”, the NIST guidance and the OECD AI Principles, amongst many others. Taking the latter as an example, the list of principles to uphold in order to ensure that an AI system is operating ethically includes:

  • Inclusive growth, sustainable development and well-being,
  • Human-centered values and fairness,
  • Transparency and explainability,
  • Robustness, security and safety, and
  • Accountability.

In order to follow these principles, an organization needs to consider, among others: 

  • Establishing policies and procedures in order to ensure legal review of the development and/or use of the AI system, ensuring fairness, transparency and accountability, for example policies that cover unfair bias.
  • Implementing principles and processes related to privacy and data protection, such as obtaining consent from individuals whose data is processed by AI, indicating this information in the privacy notice, implementing technical safeguards for the data etc., ensuring transparency and security. 
  • Ensuring the quality and integrity of data through the implementation of a data governance system, as it relates to the data used to train the models.

This is also only based on ethical frameworks and guidance published by international bodies and organizations. Additional legal requirements are also anticipated in this regard, especially within the EU market, in light of the EU AI Act, which has been passed and is set to come into force starting August 1st, 2024. Organizations therefore have a long way to go to prepare for ensuring that their AI system, or one they are using, is up to code with these requirements and ethical principles.

Efficiently operating an ethical AI system

Navigating all the required best practices, guidance and soon-to-come legally binding regulations can be a daunting task, especially on top of developing and/or utilizing new AI systems. Many departments need to be involved in the process of ensuring that policies and procedures are in place, that they are implemented in practice and monitored to ensure they actually have the intended effect of creating and/or utilizing AI systems in the most ethical way possible.

Adding these requirements on top of existing regulations related to privacy, data protection, information security, and data management, means adding additional load to individuals responsible for the management of compliance. However, TechGDPR can support lightening that load by entrusting it with your compliance needs and appointing it as your externally-sourced Data Officer.

A Data Officer merges the roles in data protection, compliance, ethics, and privacy into one dynamic position. This role also transcends traditional boundaries, ensuring your organization’s data practices adhere to legal standards like GDPR and CCPA, while aligning with ethical guidelines, especially in AI. With a Data Officer, organizations are able to navigate complex data landscapes with ease, transforming data challenges into strategic opportunities.

What the Data Officer can do to ensure ethics are always considered in the use of AI

The Data Officer service by TechGDPR is designed to provide your organization with the expertise and support necessary to navigate the stringent requirements in using personal data, Artificial Intelligence and other EU-based data requirements by integrating responsibilities in data protection, compliance, ethics, and privacy into a multifaceted role.

This position ensures that organizations’ data practices comply with regulations such as GDPR and CCPA, while also adhering to ethical standards, particularly in AI. In fact, our service provides comprehensive supervision over AI ethics and regulatory compliance, ensuring that your AI implementations adhere to the highest standards of responsibility and legality, such as the ethical regulatory requirements of the EU AI Act.

Data Officer helping with AI ethics

TechGDPR continuously keeps up-to-date with and makes use of guidelines and assessments provided by supervisory authorities, such as the pilot Trustworthy AI Assessment List by Spain’s AEPD, which includes sections assessing explainability, non-discrimination, environmental sustainability and accountability, amongst others, covering all relevant principles of Ethical AI as listed in the previous paragraphs. Therefore, as a Data Officer, TechGDPR is in the best position to understand and assess all regulatory requirements related to the use of Artificial Intelligence.

Conclusion

While AI presents immense opportunities for businesses, it also brings significant risks that require careful management. Ensuring ethical and trustworthy AI systems is crucial to mitigating potential harms, including discrimination, environmental impact, and regulatory penalties. Organizations can navigate this complex landscape by adhering to established ethical frameworks and leveraging the expertise of TechGDPR as a Data Officer, who can integrate compliance, data protection, and ethical considerations. By doing so, businesses not only comply with emerging regulations, but can also position themselves as responsible and forward-thinking leaders in the AI space.


]]>
Processing children’s data and implementing age assurance mechanisms https://techgdpr.com/blog/childrens-data-and-implementing-of-age-assurance-mechanisms/ Tue, 30 May 2023 11:11:31 +0000 https://s8.tgin.eu/?p=6629 It is undeniable that children (individuals under 18) take up a large portion of the online population. With more content being created to specifically target children, a UK study from Ofcom has shown that many start as young as 3 to 4 years old to consume content on video sharing platforms such as Youtube, and […]

The post Processing children’s data and implementing age assurance mechanisms appeared first on TechGDPR.

]]>
It is undeniable that children (individuals under 18) take up a large portion of the online population. With more content being created to specifically target children, a UK study from Ofcom has shown that many start consuming content on video sharing platforms such as YouTube as young as 3 to 4 years old, and the majority of 8 to 11 year olds have a social media account. As a result, these platforms and services are processing vast amounts of children’s data, whether they intend to do so or not.

Due to their age and general level of maturity and education, children are considered to be vulnerable and granted special rights in the eyes of the majority of jurisdictions. This is internationally recognised through, for example, the United Nations’ Convention on the Rights of the Child. This vulnerability is considered across different areas of legislation, including data protection, leading to specific provisions being included in the GDPR, such as Art. 8, laying the conditions for information society services to process children’s data.

Art. 8 GDPR’s requirements and the age of digital consent

Art. 8 of the GDPR is the only article that regulates the processing of children’s personal data specifically. It provides that the processing of personal data of children is lawful when the child is at least 16 years old (age of digital consent), or, if below that age, only where consent has been given by the holder of parental responsibility for said child. The GDPR also allows for the individual member state to independently legislate on whether the age limit can be lower than 16, so long as it is no lower than 13. Countries such as Germany and the Netherlands have opted to stick to the standard already established by the GDPR, while others, including Belgium and the UK prior to its departure from the EU, have lowered the threshold to the lowest possible age of 13. Notably, the UK’s current data protection provision still maintains that the age of digital consent is 13.

With this provision, the inevitable consequence is to first and foremost ensure that the age of a data subject is appropriately verified, in order to assess whether these rules apply and take the appropriate steps. However, recent cases and studies have shown that it is inherently difficult to gain consent of a parent or guardian, as there are no appropriate mechanisms in place to ensure that children are being truthful about their age.

Growing concerns about the processing of children’s data

One of the main issues that information society services face with regard to the processing of children’s data is that these services are not aware that many of their users are actually under the age of digital consent. So far, the majority of these platforms have been relying on relatively lax forms of self-declaration, meaning that the platforms offer services on the legal assumption that the user is responsible for declaring their age truthfully, which leads to users easily lying about their age to gain access to platforms where no extra assurance is required.

UK’s Ofcom research has shown that for platforms such as TikTok and Facebook, which only required users to indicate their date of birth, the vast majority simply indicated a date of birth that would indicate that the user is older than they actually are. The main issue with this is that this may set up young users to be exposed to content that is not safe for their age, and also expose them to unlawful collection of their personal data from these platforms. 

It is therefore unsurprising that Meta and TikTok have been the two biggest companies fined for violations related to the misuse of children’s data by the Irish and UK data protection authorities respectively. In fact, the UK’s ICO noted that TikTok had been aware of the presence of under-13s on the platform but had not taken the right steps to remove them.

It becomes clear that the development and implementation of more stringent age assurance techniques is necessary to ensure that personal data of children is only processed in accordance with GDPR standards. Whilst the EU is yet to come up with specific guidelines in regards to this matter, the UK has published the Children’s Code, to be applied to online services likely to be accessed by children as a code of practice.

Age assurance mechanisms

Amongst 15 other standards that the Code implements, there is the need to ensure that the product and its features are age-appropriate based on the ages of the individual users. To be able to do so, the code requires that the age of users is established with the appropriate level of certainty, based on the risk level of the processing and taking into account the best interest of the child. Therefore, it is also crucial under the code, to carry out a Data Protection Impact Assessment (DPIA) prior to the processing of children’s data, to evaluate said risk level.

The code suggests some additional age assurance mechanisms that information society services may put in place, and the UK’s children’s rights foundation 5Rights has identified additional ones and their possible use cases, advantages and risks. Some of these include:

  • Hard identifiers, such as sharing one’s ID or passport or other identifying information. These are considered to provide a high level of assurance, but raise concerns with regard to data minimisation and might otherwise lead to a disproportionate loss of privacy. Organizations are generally advised to implement appropriate storage limitation periods for those, limited to what is needed to verify an individual’s age once, which makes it tricky to demonstrate, for compliance purposes, that the information has been checked. YouTube and OnlyFans are examples of ISS that make use of this mechanism to give access to age-restricted content.
  • Biometric data relies on the use of artificial intelligence to scan for age identifiers on a person’s face, natural language processing or behavioral patterns. It is most commonly used through facial recognition. However, it presents a high degree of risk due to the use of special categories of data, the risk of discrimination by biased artificial intelligence and the effective profiling that takes place. Whilst it does provide a high level of assurance, it also requires a very stringent mechanism to be in place in order to ensure data is processed safely. GoBubble is a social network site made for children in schools that has been using this kind of age assurance technology, by requesting users to send a selfie upon sign up. Meta is also currently in the process of testing this method of age assurance, by working with Yoti, one of the leading age assurance technology developers.
  • Capacity testing allows services to estimate a user’s age through an assessment of their capacity, for example through a puzzle, language test or a task that might give an indication of their age or age range. Whilst this is a safe and engaging option for children, and does not require the collection of personal data, it might not be as efficient at determining the specific age of a user. The Chinese app developer BabyBus uses this type of methodology in its app, by providing a test where users are asked to recognise traditional Chinese characters for numbers.

OnlyFans’ age assurance through ID verification. Credits: OnlyFans.

Instagram’s test biometric age assurance. Credits: Meta.

More examples and use cases of age assurance mechanisms are provided in the 5Rights report. 

Therefore, although it may be difficult to strike a balance between appropriately verifying users’ age prior to sign up and avoiding over-intrusive measures to do so, it is apparent that solely relying on the user being truthful about their age is no longer sufficient for the majority of platforms, especially when processing vast amounts of personal data or sensitive data, or using personal data for targeted advertising. With the growing number of very young children accessing the internet, it is important to ensure that they are protected, their fundamental rights respected, and relevant data protection provisions fulfilled. In recent years, large steps have been made in the development of alternative secure identity and age verification technologies. The tools are therefore available for organizations to ensure that their GDPR requirements are also met in this respect.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.


]]>
Understanding GDPR Compliance in Recruitment https://techgdpr.com/blog/understanding-gdpr-compliance-in-recruitment/ Wed, 29 Mar 2023 11:24:47 +0000 https://s8.tgin.eu/?p=6393 In the process of recruitment and scouting for new potential hires for a vacancy in an organization, the collection and processing of personal data of those candidates is inevitably involved.  Therefore, it is important to understand GDPR compliance. In most cases, the company that posts its vacancy and embarks on the recruitment process will be […]

The post Understanding GDPR Compliance in Recruitment appeared first on TechGDPR.

]]>
In the process of recruitment and scouting for new potential hires for a vacancy in an organization, the collection and processing of personal data of those candidates is inevitably involved. 

Therefore, it is important to understand GDPR compliance. In most cases, the company that posts its vacancy and embarks on the recruitment process will be considered the data controller. This will make them responsible for adhering to several obligations.

Notably, here are some specific and recurrent instances, in the course of recruitment, headhunting and hiring, where a controller should look closely at the GDPR to make sure it is implementing the most appropriate and compliant solution. 

Legal bases: which is the most appropriate?

The lawfulness principle of the GDPR, first introduced in Article 5, requires that data is processed in a lawful manner, meaning that it must rely on at least one of the legal bases listed in the following Article 6. Not all legal bases are, however, always going to be applicable or the most appropriate choice, especially when dealing with candidates sourced online or applicants. The same holds true for current employees.

The imbalance of power when relying on consent

The European Data Protection Board (EDPB) acknowledges in its guidelines 05/2020 on consent that there is a clear imbalance of power between an employer and their employee. Undeniably, the same is to be considered between a potential employer and a prospective employee or applicant. Although there is no dependency yet, one can still argue that an employer has a stronger bargaining position over a candidate that wishes to work for them. Therefore, the EDPB generally advises against the use of consent as a legal basis for processing activities carried out in this context. That is because it would be difficult to prove that consent is freely given, as required by the definition in Article 4 of the GDPR. In practice, it is likely that a candidate would feel obliged to provide their consent to any use of their data, as they might assume it gives them a better chance to get the job.

Legitimate interest is a good option, but comes with requirements

Instead, relying on legitimate interest might be preferable. However, the controller must still be mindful that it will also come with requirements. Based on Article 6 of the GDPR, the legitimate interest of the controller cannot override the interests or fundamental rights and freedoms of the data subject. This means that, first and foremost, the organization will have to identify what the specific legitimate interest pursued is. Generally, sourcing individuals online, perhaps on professional social networking platforms, to find suitable candidates for a specific position can be in the interest of growing a team and overall bettering an organization. However, merely identifying the interest is not enough. One would also have to balance this interest against the rights and freedoms of the data subject (the balancing test) by performing a legitimate interest assessment.

Performance of a contract can be relied upon, but with limitations

Similarly, the legal basis of necessity for the performance of a contract might actually be the most appropriate for the processing of data of individuals who apply for an open position, specifically under the Article 6(1)(b) provision covering steps taken at the request of the data subject prior to entering into a contract. However, this requires strict adherence to the definition: it would have to be a contract that the data subject has requested. Therefore, for processing activities in the context of online recruitment and headhunting, it is unlikely that this legal basis can be relied upon. Instead, as mentioned above, legitimate interest might be the only option.

Online recruitment and the duty to inform

On the topic of online scouting and headhunting, there are further legal obligations that controllers need to be mindful of when processing personal data for this purpose, namely, depending on how these activities are carried out, the requirements of Article 14.

Reaching out to the candidate in due time

First and foremost, it is crucial to actually contact the candidate if their data has been processed. In fact, Article 14 requires this communication to be made within a reasonable period after obtaining the personal data and at the latest within one month. That time frame should also serve as a retention period for the data processed for this purpose, should the candidate not respond, for example.

The communication should also include all the information needed to ensure that the transparency principle is met. Therefore, ideally the candidate should be directly informed, or at the very least be provided with a specific privacy notice indicating all the information required by Article 14, e.g. the identity of the controller, the purpose of processing, the categories of data processed, etc.

Honoring data protection principles and data subject rights

Needless to say, the controller should adhere to the other principles of the GDPR. Notably, data minimization, by processing only the information that is strictly required to source the ideal candidate.

Furthermore, a controller should also inform candidates of, and be mindful of, data subject rights, specifically ensuring that mechanisms are in place to allow candidates to exercise them, and ensuring that the data is processed for a specific purpose, so that once that purpose has been fulfilled, the data is no longer processed. In practice: if the data is only processed to reach out to potential candidates, and they reject the offer but do not expressly request the data to be erased, their personal information should still be erased, unless it serves another explicitly indicated purpose.

Processing special categories of data in recruitment

In accordance with Article 9 of the GDPR, special categories of data include the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data and data related to sex life or sexual orientation. As a general rule, processing data that falls under these categories is prohibited. However, there are exceptions. In the context of hiring potential employees, two might be particularly relevant: explicit consent from the data subject, and necessity to carry out legal obligations and exercise specific rights of the controller or the data subject in the field of employment and social security and social protection law, based on national law provisions.

How does this apply to recruitment?

There are several reasons. For example, a potential employer might wish to request information about a candidate’s disability to make relevant adjustments, perhaps for interviews and, if relevant, for the work moving forward. Furthermore, many companies have established equal opportunity programs dedicated to specific minorities and/or to a certain field. Alternatively, they wish to monitor whether they meet equal opportunity requirements. Some organizations might even get recognition for ensuring high standards for diversity, e.g. the Stonewall Top 100 Employers in the UK or the Human Rights Campaign Corporate Equality Index. However, in order to monitor those metrics and ensure diversity, they process special categories of data, such as race, disability (health data) and sexual orientation.

Explicit consent or national law obligation?

As mentioned before, using explicit consent might be an issue, because it is hard to truly guarantee that it is freely given in this context. Especially when applying for an equal opportunity program, it is unlikely that the applicant has any choice but to disclose the relevant information, as that will be the deciding factor as to whether they meet the criteria to enter into the program. 

Instead, one can rely on the second exception, related to national legal obligations. In many countries, laws that ensure the equal treatment of minorities and penalize discrimination at work often also include articles or sections that require positive action in the field of employment. For example, in Germany, positive action is required by §5 of the Equal Treatment Act (AGG). In the UK, where the UK GDPR applies, this is provisioned in Article 159 of the Equality Act 2010.

Organizations are left free to decide how to implement this, but this freedom has gradually led to defining metrics and equal employment opportunities. Since this is a way to exercise a legal right of the data subject, and a legal obligation of the controller, one could preferably rely on this exception, rather than explicit consent. 

In fact, best practice would be to rely on the national legal obligation exception where such exceptions apply, but also request the data subject’s explicit consent, which gives them the option not to reveal this information, e.g. “prefer not to say”.

In conclusion…

Under the GDPR, controllers must process personal data of candidates and applicants lawfully. Not all legal bases are equally applicable: in the context of recruitment, relying on legitimate interest or performance of a contract might be more reliable than relying on the applicant’s consent, although those also have their own rules and limitations.

Furthermore, a controller that sources candidates online, rather than receiving their data directly from them, must remember its obligation under Article 14 GDPR to inform those candidates, within a reasonable period and at the latest within one month of obtaining the data.

Lastly, controllers should get acquainted with the national equal employment laws that apply to them, as the obligations and rights in those frameworks provide a legal basis for processing special categories of data for the purpose of promoting diversity in the workplace.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains product development, HR, marketing, sales and procurement teams in understanding data protection requirements.  It offers an online training course for software developers, system engineers and product owners.

The post Understanding GDPR Compliance in Recruitment appeared first on TechGDPR.

Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns https://techgdpr.com/blog/consent-management-platforms-cookie-banner-dark-patterns/ Thu, 22 Dec 2022 07:45:00 +0000 https://s8.tgin.eu/?p=6231

It does not take much convincing for someone to accept freshly baked cookies, when offered to them. However, on the internet, organizations and website owners have had to work harder to balance compliance and optimize cookie consent rates, which ultimately serves to benefit them and their revenue.

This is especially true since the GDPR came into effect, as it sets specific requirements for consent as a legal basis, and consent is what the ePrivacy Directive (Article 5(3)) requires before storing or reading any information on a user’s device that is not strictly necessary for the service, regardless of whether that information is personal data. In practice, these small text files that our devices read and write when interacting with a website usually carry identifiers (session IDs, unique visitor IDs, sometimes a username or email address) that, once linked to a person’s interactions, are personal data under the GDPR (Recital 30 names cookie identifiers explicitly).

That is where Consent Management Platforms (CMPs) come into play. They are systems offered by third-party vendors that help controllers manage users’ cookie preferences and meet their transparency obligations under data protection law. When a cookie pop-up appears on a website, it is very likely managed by a CMP; you might be familiar with OneTrust, Quantcast or Cookiebot.

What are dark patterns and how do they relate to cookies? 

A CMP that follows the IAB Europe Transparency and Consent Framework Policies (IAB TCF) must meet several criteria. However, these mostly concern disclosing the purposes and features of the cookies; they leave CMPs considerable freedom in the design of cookie banners and consent pop-ups.

Several studies of the standard templates CMPs offer (e.g. Nouwens et al., “Dark Patterns after the GDPR”, CHI 2020) show that many of the designs provided hide manipulative strategies intended to sway users into giving consent. These designs are commonly referred to as dark patterns.

Two common types of dark patterns in cookie banners are interface interference and sneaking. An example of the former, also labelled false hierarchy, is presenting the “Accept all” option at the top of a banner while the “Reject all” option can only be found after scrolling down.

[Image] Example of false hierarchy: no option to directly reject cookies is offered; after selecting “manage cookies”, one has to scroll down, manually deselect every option and find the “save preferences” button at the bottom of the second banner.

Another example of false hierarchy is drawing attention to the desired choice and away from the other options. For instance, the “Accept all” option might be brightly coloured or stand out from the background, while the “Reject” or “Settings” options are often the same colour as the banner background, rendering them far less noticeable.

[Image] Example of false hierarchy: the “Refuse” option is unformatted and blends into the background, compared to the large black box highlighting the accept option. The “change settings” option is also the same colour as the background.

Sneaking, meanwhile, refers to hiding relevant information, usually behind a far less visible, unformatted link. This is commonly implemented as smaller text offering “more options” or “manage settings” in a corner of the banner, which the user must follow to obtain the full information and, finally, to reject all cookies.

[Image] Example of sneaking: the relevant information is not provided on the banner but requires further clicking into the settings option.

Read more about other types of dark patterns in the article “The Dark (Patterns) Side of UX Design” from Purdue University, IN.

Does the GDPR or ePrivacy Directive prohibit the use of Consent Management Platforms? 

There is no direct mention of CMPs or dark patterns in the GDPR or in the ePrivacy Directive, which directly governs the use of cookies. Nonetheless, conclusions can be drawn from the GDPR’s consent requirements. Article 7(3) GDPR requires that withdrawing consent be as easy as giving it, and Article 4(11) requires consent to be freely given and unambiguous. Placing the accept and reject options on an unequal footing, as false hierarchy designs do, is therefore a non-compliant approach. The Advocate General’s Opinion in Planet49 (C-673/17) points the same way: for consent to be valid, the options to reject and accept should be placed “optically on the same footing.”

Despite these findings, the use of CMPs has only increased since the GDPR came into force, and data protection authorities consider CMPs an appropriate tool where a compliant design is rolled out. It is important to note, though, that a CMP vendor that decides on the processing of consent signals takes on data controller or joint controller obligations (Articles 24 and 26 GDPR respectively) and cannot be compliant until it assumes them. This was highlighted by the €250,000 fine the Belgian supervisory authority imposed on IAB Europe, the organisation managing the TCF, which it found to be a (joint) controller for the consent signals generated under the framework.

Thus, whilst the use of CMPs is not prohibited, keep in mind that not all of their template designs reflect the requirements for valid consent, which increases the risk that the resulting cookie banner will be deemed non-compliant.

What does a compliant cookie banner look like? 

Under the framework set by Article 4(11) and Article 7 GDPR and Recital 32, consent must be “freely given, specific, informed and unambiguous”. A compliant cookie banner should reflect each of those requirements and avoid the dark patterns described above, which undermine the freely given and unambiguous nature of consent.

As a practical example, in 2022 noyb, the non-profit chaired by the privacy activist Max Schrems, filed 226 complaints against data controllers over cookie banners full of dark patterns, arguing that the only compliant option is to offer an “Accept all” and a “Reject all” button outright. A good starting point is therefore to provide both options and make them equally accessible: design the “Accept” and “Reject” buttons to look identical and place them side by side on the banner.

Lastly, when implementing a banner design, consider the stricter design requirements as well: pre-ticked boxes are prohibited (confirmed by the CJEU’s Planet49 judgment), and consent must be an unambiguous affirmative act, so merely scrolling or continuing to browse cannot be treated as acceptance of cookies.

[Image] Example of a compliant cookie banner providing the relevant information and all three options in the same colour, size and design.
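The following is an added example, not code from the original post or from any CMP vendor. It models the first layer of a cookie banner as a small configuration object (an assumed shape for illustration, not a real CMP schema), lints it for the dark patterns discussed above, records the user’s choice with a deny-by-default model, and gates non-essential scripts on that record. The two sample configurations are constructed: one follows the compliant layout just described, the other reproduces the patterns from the screenshots.

```javascript
// Added example (not from the original post or any CMP). The config shape is an
// assumption for illustration, not a real CMP schema.

const NON_ESSENTIAL = ['analytics', 'marketing'];

// Constructed sample: accept and reject on the first layer, identically styled,
// nothing pre-ticked, persistent withdraw link.
const compliantBanner = {
  layer1: {
    text: 'We use cookies for analytics and marketing. You can change your choice at any time.',
    buttons: [
      { id: 'accept-all', label: 'Accept all', style: 'btn-primary' },
      { id: 'reject-all', label: 'Reject all', style: 'btn-primary' },
      { id: 'settings', label: 'Settings', style: 'btn-primary' },
    ],
  },
  categories: {
    necessary: { preChecked: true, locked: true },
    analytics: { preChecked: false },
    marketing: { preChecked: false },
  },
  consentOnScroll: false,
  withdrawLink: true,
};

// Constructed sample reproducing the screenshots: no reject button on the first
// layer, a muted settings link, analytics pre-ticked, scroll-to-consent, no withdrawal.
const darkBanner = {
  layer1: {
    text: 'By continuing to browse you accept our cookies.',
    buttons: [
      { id: 'accept-all', label: 'Accept all', style: 'btn-primary' },
      { id: 'settings', label: 'manage settings', style: 'link-muted' },
    ],
  },
  categories: {
    necessary: { preChecked: true, locked: true },
    analytics: { preChecked: true },
    marketing: { preChecked: false },
  },
  consentOnScroll: true,
  withdrawLink: false,
};

// Lint a banner config: reject next to accept and styled the same (Planet49 AG
// Opinion), no pre-ticked non-essential categories (Planet49 judgment, Recital 32),
// no consent inferred from scrolling (Art. 4(11)), withdrawal as easy as giving
// consent (Art. 7(3)). Returns a list of findings; an empty list means clean.
function lintBanner(cfg) {
  const findings = [];
  const buttons = cfg.layer1.buttons;
  const accept = buttons.find((b) => b.id === 'accept-all');
  const reject = buttons.find((b) => b.id === 'reject-all');
  if (!accept || !reject) {
    findings.push({ code: 'MISSING_REJECT', message: '"Reject all" must sit on the first layer next to "Accept all"' });
  }
  if (accept) {
    const unequal = buttons.filter((b) => b.style !== accept.style).map((b) => b.id);
    if (unequal.length > 0) {
      findings.push({ code: 'UNEQUAL_STYLING', message: `false hierarchy: ${unequal.join(', ')} styled differently from "Accept all"` });
    }
  }
  for (const name of NON_ESSENTIAL) {
    if (cfg.categories[name] && cfg.categories[name].preChecked) {
      findings.push({ code: 'PRE_TICKED', message: `category "${name}" is pre-ticked` });
    }
  }
  if (cfg.consentOnScroll) {
    findings.push({ code: 'SCROLL_CONSENT', message: 'scrolling is not an unambiguous indication of consent' });
  }
  if (!cfg.withdrawLink) {
    findings.push({ code: 'NO_WITHDRAWAL', message: 'no persistent way to withdraw consent' });
  }
  return findings;
}

// Record the user's choice. Deny by default: only "necessary" is on unless the
// user explicitly chose a category (a boolean true; "yes" or 1 does not count).
function applyChoice(action, selection = {}) {
  const categories = { necessary: true };
  for (const name of NON_ESSENTIAL) {
    if (action === 'accept-all') categories[name] = true;
    else if (action === 'reject-all') categories[name] = false;
    else if (action === 'save') categories[name] = selection[name] === true;
    else throw new Error(`unknown action: ${action}`);
  }
  return { categories, given: new Date().toISOString() };
}

// Gate for loading tags: a non-essential script loads only when the record
// explicitly allows its category; no record, or an unknown category, means no.
function mayLoad(record, category) {
  if (category === 'necessary') return true;
  if (!record) return false;
  return record.categories[category] === true;
}

// Render the first layer as an HTML string (so this runs outside a browser).
// Every button shares one class; the markup carries no pre-ticked state.
function renderLayer1(cfg) {
  const esc = (s) => String(s).replace(/[&<>"]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' }[c]));
  const buttons = cfg.layer1.buttons
    .map((b) => `<button type="button" class="${esc(b.style)}" data-action="${esc(b.id)}">${esc(b.label)}</button>`)
    .join('');
  return `<div role="dialog" aria-label="Cookie consent"><p>${esc(cfg.layer1.text)}</p><div class="choices">${buttons}</div></div>`;
}
```

Running lintBanner over a CMP template’s exported configuration before rollout catches the false-hierarchy and pre-ticked cases at review time rather than in a complaint; the deny-by-default applyChoice and mayLoad pair ensures that a missing, malformed or scroll-derived consent record never loads a marketing or analytics tag.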

To recap, when setting cookies, website operators, as data controllers, need to balance several interests and legal requirements before treating a Consent Management Platform as the ideal solution. Studies have shown that many of the cookie banner designs these platforms provide still put more weight on gaining consent than on ensuring compliance. This is not surprising, considering that CMPs are in the business of selling software solutions to a problem many marketing teams refuse to fully grasp.

The existence of dark patterns in consent pop-ups is noticed by everyone yet rarely discussed. For implementers, it is understandably tempting to place full trust in a CMP’s design, overlook the details and switch on options that actually render their banner non-compliant. Being aware of the flaws in the designs that Consent Management Platforms offer, and knowing how to avoid dark patterns, may be the only way to ensure that a cookie banner or consent pop-up is fully compliant with the GDPR, so that your time and money are not wasted.

TechGDPR is a consultancy based in Berlin offering GDPR compliance assessments, DPO-as-a-service retainers and hourly consulting. TechGDPR consultants help assess the vendors you wish to purchase your solutions from, navigate the complexity of international data transfers as well as guide you through the most compliant roll-out of the solutions you have purchased. TechGDPR routinely trains marketing and procurement teams in understanding data protection requirements and offers an online training course for software developers, system engineers and product owners.

The post Consent Management Platforms’ misleading cookie banner designs: how to recognize and avoid dark patterns appeared first on TechGDPR.
