The Schrems II case: EU-US data transfers left in question

The European Court of Justice has handed down its highly anticipated ruling in the Schrems II case. The case considered the validity of the EU-US Privacy Shield and the efficacy of Standard Contractual Clauses (“SCC”) as data transfer protection mechanisms.

In this landmark case it was found that the EU Commission’s adequacy decision around the EU-US Privacy Shield framework was invalid. This leaves the mechanism for conducting EU-US data transfers in question. This matter may be covered by recent discussions between the UK and US around entering into a separate data sharing agreement. However, in the interim a transitional mechanism is sorely needed, alongside guidance for data processors, to give clarity on how data sharing between the countries can be regulated and data subjects’ rights safeguarded.

The SCC regime was affirmed to be valid; however, it was suggested that companies and regulators undertake a case-by-case analysis of risk. In particular, it was highlighted that such an assessment should take place where government access to data is mandated. This is a highly topical issue in the US given current efforts to put in place a federal data protection regime.

For more details on the Schrems II case see:

The IAPP

INFORRM

Law firm Bird & Bird

The ICO’s press release

UK government releases NHS covid-19 data sharing agreements

Following significant pressure from groups such as openDemocracy and Foxglove, the UK government has released its data sharing contracts with companies such as Amazon, Google and Microsoft for the creation of a cloud database for sharing covid-19 related data. Contracts with AI firms Palantir and Faculty were also released.

This promotes transparency and accountability around efforts to establish contact tracing technology and centralised databases to combat covid-19. The potential access to high volumes of healthcare data via these databases merits high levels of scrutiny under privacy and data protection laws. However, groups such as openDemocracy raised concerns around sharing high volumes of NHS data and the risk posed by significant third party exposure. In particular, it criticized the credibility of AI firms Palantir and Faculty.

In a recent press release from openDemocracy the contracts were made public:

View Google NHS agreements (PDF, 0.7 MB)

View Faculty NHS agreements (PDF, 0.9 MB)

View Palantir NHS agreements (PDF, 11.6 MB)

View Microsoft NHS agreements (PDF, 1.5 MB)

NHS England has also released the Data Protection Impact Assessment which was undertaken prior to forming a centralised data storage facility for covid-19 related data. This database holds data ranging from regional infection maps to 911 call data and bed capacities.

The NHS uses a ‘cloud first’ approach to ensuring that data is leveraged most effectively. All data is collated in a cloud database allowing for security and accessibility.

Parts of Meghan Markle’s claim against Associated Newspapers struck out following preliminary hearing

On 1 May 2020 Mr Justice Warby handed down judgment concerning a pre-trial application by Associated Newspapers in its ongoing defence of claims of misuse of private information, copyright infringement, and breach of data protection rights by Meghan Markle, HRH The Duchess of Sussex.

Privacy protection in practice: The coronavirus and healthcare data

TTP extends its best wishes to all those impacted by the coronavirus and hopes that all are safe and well. For those readers based in the UK the NHS coronavirus guidance can be found here and Government guidance here. Stay home, stay safe.

Top 10 Defamation Cases 2019

Happy New Year readers!

This year we are again publishing our thoughts on the Top 10 Defamation cases of the year.

This covers the top 10 defamation cases jurisdictionally from across the UK, US, Canada, Australia and New Zealand.

Cases will be ranked on the strength of the precedent they set, including their impact on the jurisdiction’s legal framework.

Many thanks to INFORRM for originally agreeing to post this article.

Citation: Privacy International: Amazon’s contract with the NHS raises data privacy concerns

Privacy International (“PI”) has scrutinized Amazon’s contract with the Department of Health to harvest data for Alexa services. The contract started from 14 December 2018 and will be in effect till 15 October 2024.

The contract covers Amazon using the data of the NHS website and integrating it with Alexa. This permits Alexa to better respond to a range of medical questions with the vetted information available from the NHS website. Readers should note that the arrangement DOES NOT SHARE THIRD-PARTY HEALTHCARE DATA. The focus is permitting Alexa to access the NHS website’s publicly available data to enhance its response to healthcare questions. Patient data, as far as we know, was not part of the agreement.

PI then goes on to scrutinize the contract in detail giving an overview of the key terms and conditions. The article also covers the commercial vs public interest issues arising from the redaction of parts of the contract, raising matters of transparency in government contracting.

The sharing of data under this agreement permits Alexa to use data gathered from the NHS website. This is for informational purposes as the site is typically a first port of call for those concerned about symptoms. By integrating this data Amazon helps Alexa enhance its service offering. It has notably been said, by the Guardian, that such accessibility was granted free of charge.