A Lot Of Article 65 | The Cat Herder, Volume 5, Issue 47
Yet more Facebook with the promise of even more next week, and the Sideshow Bob Rake Department returns with an end-of-year reprise of some of its greatest hits.
😼
--------
Futuendi Gratia
Recently (2022-12-01), the European Commission published an article about their planned legislation (called chatcontrol by critics). While the Commission has in the past cited statistics which are wrong, the published article is so stunningly bad in that almost every single sentence is strongly misleading, a blatant lie or flat out wrong. As it’s rather short, I’ll fully cite the article and explain what’s wrong with each part. I assume you have some familiarity with chatcontrol. If not, you may want to read about what it is before reading this post.
Maxim.tips: ‘Lies about Chatcontrol, Part 1’
Mandatory But Not Compulsory
The Sideshow Bob Rake Department, AKA the Department of Social Protection makes its triumphant return to this newsletter courtesy of an appearance by Secretary General John McKeon in front of the Public Accounts Committee during the week.
The department is still very opposed to saying the words “biometric” and “processing”. Some of you may recall the department spent several years denying it processed biometric data. The then minister even said as much in the Dáil. When that minister lost her seat in an election in 2020 and was therefore no longer the minister, the department promptly changed its data protection notice to state that it did process biometric data.
(As a brief aside, in July 2018 the Secretary General had ordered that an acknowledgement his department processed biometric data be removed from its website.)
However, the department’s appetite for doing battle with reality appears as strong now as it was then.
This time around the department is using the word “tracking” to avoid saying it processes biometric data.
The word “track” appears only once in the GDPR, in Recital 24, in a context with no relevance whatsoever to the processing of biometric data by the department.
The department’s Secretary General insisted to the Public Accounts Committee that his department does not track biometric data. This is the same Secretary General who ordered the references to biometrics to be removed from the department’s website in July 2018.
Secretary general of the Department of Social Protection John McKeon told the Public Accounts Committee “there is no biometric information on the card, we don’t track biometric information”.
Irish Examiner: ‘Department behind Public Services Card insists it does not track biometric data’
Mr McKeon later says “We generate it from a photo, it’s stored on the department’s system”.
This, as Mr McKeon must surely know by now, is processing as defined by the GDPR. It’s right there at the beginning of the Regulation, in the Article helpfully titled “Definitions”.
‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; — Article 4(2), GDPR
Why the Sideshow Bob Rake Department continues to engage in this kind of childish behaviour is anyone’s guess, but it’s very much in line with past performance.
It Could Never Happen Here
Human Rights Watch found that the government repurposed data it had collected from people who signed up for the Covid-19 vaccine, applied for tax benefits, or registered for mandatory membership in a professional association to spread Fidesz’s campaign messages. For example, people who submitted their personal data to a government-run website to register for the Covid-19 vaccine received political messages intended to influence the elections in support of the ruling party.
Human Rights Watch: ‘Hungary Data Misused for Political Campaigns’
Regulators
The DPC sanctioned Facebook for infringement of Articles 25.1 and 25.2 of the GDPR (Data Protection by Design and Default), “imposing a fine of €265 million and a range of corrective measures”.
—
The EDPB has its next plenary on Monday. The agenda is here [direct link to PDF]. That’s a lot of Article 65 decisions for companies in the Meta family.
Apparently Meta’s Irish subsidiary has set aside €3 billion for data protection fines in 2022 and 2023.
—
The DPC also had some other ‘smaller’ fines ratified in court during the week. A mere €18 million.
—
The CNIL fined EDF (Électricité de France) €600,000 for failing to “comply with its obligations provided for by the General Data Protection Regulation (GDPR) and the French Postal and Electronic Communications Code”. The utility company was found to have breached Articles 7, 13, 14 and 32 of the GDPR.
What We’re Reading
- “This all makes the position of the Department of Health and Social Care (DHSC) rather odd. Because, in response to a Freedom of Information Act (FOIA) request for disclosure of its ROPA, it stated that the request was “vexatious” on the grounds of the time and costs it would have to incur to respond … the ICO accepted that compliance with the request would be “grossly oppressive” and this, taken with other factors, meant that the FOIA request was indeed vexatious.” From a blog post on Information Rights And Wrongs by Jon Baines.
- “The system that StopNCII.org and Meta came up with evolved from the anxiety-provoking practice of sending Facebook one’s nudes. Instead, it provides a central place, run by independent intimate image abuse experts, where victims or potential victims can convert their photos or videos into hashes within their own browser, so the originals don’t leave their device. Only the hashed versions are shared with industry partners.” From ‘TikTok and Bumble Join Fight to Stop Spread of ‘Revenge Porn’’ by Olivia Solon for Bloomberg.
- “The tech giant’s attempt to deflect German regulators’ concerns leans heavily on a couple of things that don’t actually exist yet — with Microsoft referencing “important” changes incoming via an agreement for a new data transfer deal between the EU and the U.S., which it suggests the DSK’s report “fails to reflect” — claiming the expected deal will “provide greater privacy protections for data flows between the EU and U.S.”” From ‘Microsoft 365 faces darkening GDPR compliance clouds after German report’ by Natasha Lomas for TechCrunch.