© All rights reserved to Barnea Jaffa Lande Law offices

Together is powerful

Israeli Privacy Protection Authority Clarifies Scope of Duty to Inform on Collection and Use of Personal Information

Israel’s Privacy Protection Authority (PPA) recently published its position on the duty to inform when collecting and using personal data. This is an important position, as it clarifies how to design the interface with the customer through which he or she may have to furnish data.

 

The publication presents the PPA’s position on the duty to inform on the collection and use of personal data (as derived from the Privacy Protection Law), specifically highlighting the duty to inform when using algorithm-based or AI-based decision-making systems.

 

Duty to Inform

 

The duty to inform on the collection and use of personal data derives from section 11 of the Privacy Protection Law. According to this provision, contacting a person for the purpose of receiving, storing, or using data in a database must include a notice stating the purpose for such request, with whom the data will be shared and for what purposes, and if the person providing the data is legally obligated to do so or is providing it based on the person’s will and consent.

 

The duty to inform applies whether the collection or use of the data occurs with the person’s consent or pursuant to the law.

 

The duty to inform applies similarly when the data collection results from a person making contact to receive the service, and not at the service provider’s initiative.

 

Informed Consent

 

The required standard is the informed consent standard. This means the person giving the data must receive an explanation on the purposes of collecting and using the data, and accept such reasoning. The extent of the duty to inform stems from the parties’ relationship, for example, informing a customer versus informing an employee, the type of service the person receives, the data’s sensitivity, etc. Insufficient information affects the validity of the consent. In other words, if the explanation is unclear and does not describe the data collection process, the use of the data over time, the data storage, and the data subject’s rights, taking into account the subject’s age or country of origin as much as possible, the consent granted may be void.

 

This decision immediately affects the phrasing of privacy and disclosure policy documents, as well as the provision of information orally, if consent is the basis for processing the data when there is no legal duty to provide it.

 

The PPA even highlights that when a third party is collecting data via outsourcing, the notice regarding the collection of the data must include all purposes of use, including those that may deviate from the original purposes. Agreements vis-à-vis the third party should reflect this.

 

Use of Algorithm or AI-Based Systems

 

When algorithm-based and AI-based decision-making systems collect personal data, such as chat bots, the PPA emphasizes that such collection often involves insufficient notice or detail, and that the person giving the data cannot understand the purposes of such data collection and use. Thus, in these circumstances, there cannot be informed consent, which would harm the person’s ability to control his personal data. Therefore, collecting personal data in this way may prejudice privacy. An algorithm’s lack of transparency increases the risk of a breach of privacy, and disclosure of the very use of these systems is mandatory.

 

Accordingly, entities that collect personal data from individuals using algorithmic and artificial intelligence systems must inform the persons giving the data and provide them full details on the purpose of using the data, with whom it is shared, and to where it is transferred, as early as the data-collection stage.

 

Please note that WhatsApp-based tools or simple chat bots might fall under this category, so all businesses must consider their use of these tools.

 

This latest PPA position joins a series of previous positions, and obligates businesses to look into how they represent the way they collect, process, and store personal data to the persons providing such data.

 

***

Barnea Jaffa Lande law offices is at your disposal for further information on Privacy and Data Protection laws, as well as other regulatory issues

***

Tags: Data protection | PPA