Data protection: Guidance

There are a number of bodies that provide legal guidance as to the proper interpretation of the data protection legal framework.


European Data Protection Board

The European Data Protection Board recently replaced the Article 29 Data Protection Working Party. It issues general guidance to promote a common understanding of European data protection laws, both across the European Union and around the world. It also clarifies data protection provisions, advises the European Commission and provides the general public and stakeholders with its interpretation of their rights and obligations. It can issue guidelines, recommendations and best practices about the GDPR and the Law Enforcement Directive, as well as other documents.

Important documents relating to automated decision making that were produced by the now defunct Article 29 Data Protection Working Party, but which were endorsed by the European Data Protection Board in its First Plenary Session, are as follows:

  • Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679 is here.
  • On the 16th October 2019 the Board published its “Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects” and these can be found here.

At present, there is no guidance concerning the Law Enforcement Directive.


Information Commissioner’s Office (ICO)

As already alluded to above, in the United Kingdom, the ICO has already published significant guidance and material on algorithms and machine learning as follows:

  • “Right not to be subject to automated decision making”, which addresses the GDPR, is available here.
  • “Guide to Law Enforcement Proceedings”, which addresses the Law Enforcement Directive, is available here.
  • “Big data, artificial intelligence, machine learning and data protection” is available here.
  • The ICO’s response to the House of Commons Science and Technology Committee inquiry: Algorithms in decision-making is here.
  • The ICO’s interim report with the Turing Institute “Project ExplAIn” is available here.

The ICO has also published decisions in relation to the use of algorithms as follows:

  • The decision arising from the complainant requesting information relating to a solvability algorithm model utilised to help Norfolk Constabulary solve burglary crimes. Norfolk Constabulary provided part of the information (specifically how many burglary cases had been analysed by the solvability algorithm) is here.
  • The enforcement notice issued by the ICO following an investigation into the Metropolitan Police Service’s (MPS) use of the Gangs Matrix is available here.

The ICO has also recently published a series of blogs examining AI and data processing as follows:

  • “When it comes to explaining AI decisions, context matters”, 3 June 2019, available here.
  • “Known security risks exacerbated by AI”, 23 May 2019, available here.
  • “Automated Decision Making: the role of meaningful human reviews”, 12 April 2019, available here.
  • “Accuracy of AI system outputs and performance measures”, 2 May 2019, available here.
  • “A call for participation: Building the ICO’s auditing framework for Artificial Intelligence”, 18 March 2019, available here.


Surveillance Camera Commissioner

Surveillance Cameras are increasingly using AI in the form of facial recognition technology. In light of the data protection implications, the Surveillance Camera Commissioner’s guidance published, in March 2019, essential guidance entitled “The Police Use of Automated Facial Recognition Technology with Surveillance Camera Systems“.