September 26, 2021
"a recipe for salmon and avocado salad" | The Cat Herder, Volume 4, Issue 37
September 26 · Issue #150
The Department of Children must have the most well-staffed and well-trained information unit in the entire Irish civil service by now. But the Department of Children doesn’t seem to understand the definition of personal data. Which is usually the first thing they teach you on any data protection training course. It’s the first definition to appear in the text of the GDPR. 😼
This year, at the influential annual Consumer Electronics Show, the Japanese manufacturer Toto announced its “wellness toilet” – a concept, but something it is working on (it previously developed a toilet that analyses urine flow). Its sensors – including one for scent – would aim to detect health problems and conditions such as stress, but also make lifestyle suggestions. In one image provided by the company, it envisioned the toilet sending you a recipe for salmon and avocado salad.
The smart toilet era is here! Are you ready to share your analprint with big tech? | Life and style | The Guardian
Loo design has barely changed in 150 years – until now. Will people trade their privacy for the chance to find out exactly what is in their waste?
The Guardian now understands that French company Teleperformance, which has attracted criticism in the UK over working conditions, uses an opaque chain of subcontractors to perform similar work under two contracts worth £35m. The NHS app, which is separate from the Covid-19 app, can be used for anything from booking GP appointments to ordering repeat prescriptions. But one feature has driven rapid take up since travel restrictions were lifted in May: the app is the easiest means of accessing the NHS certificate proving an individual’s Covid-19 vaccination status.
Undisclosed private companies analysing facial data from NHS app | NHS | The Guardian
Fresh privacy concerns raised after NHS refuses to reveal firms used for ID verification process
Pixalate: 59% of kids' apps removed from Apple Store didn't have a privacy policy | VentureBeat
Apps can be delisted for a variety of reasons, from relatively nefarious to benign causes. The report doesn’t list reasons for any delisting.
European data protection law applies only to personal data. What constitutes personal data is extremely broad. The definition of personal data is contained in Article 4 of the GDPR.
The boundaries of this definition have been further clarified by almost two decades of the case law of the CJEU, in matters both specific and general, small and large. A reasonably comprehensive list - courtesy of the very useful dpcuria.eu - would include C-345/17 (Buivids), C-434/16 (Peter Nowak v Data Protection Commissioner), C-13/16 (Rīgas satiksme), C-582/14 (Breyer), C-212/13 (Ryneš), C-141/12 (YS and Others), C-342/12 (Worten), C-524/06 (Huber), C-73/07 (Satakunnan Markkinapörssi and Satamedia), C-275/06 (Promusicae), C-101/01 (Bodil Lindqvist), and C-465/00 (Österreichischer Rundfunk and Others).
All of the above appears to have escaped the notice of the Department of Children, Equality, Disability, Integration and Youth.
Oh hey guys, my client's given permission to discuss the latest twist in this.
Guess what? It turns out the Minister has been using the wrong definition of 'personal data' all this time.
As I discovered when they told me what they think it means by letter, today. https://t.co/YMySeHbfbH
The department appears to be asking entirely the wrong question when attempting to assess whether something is personal data. It seems to be looking at individual records in isolation and asking “Is this person identifiable to me, right here, right now, from this record?” rather than “Can this person be identified or singled out from others by any entity with ‘the legal means which enable it to identify the data subject with additional data’ (Breyer)?”
This time last year the department was sending its minister out to flatly deny the GDPR applied to the material in the archive of the Mother and Baby Homes Commission of Investigation. This insistence ran from the moment the minister published the Heads of a Bill on September 15th 2020 which attempted to seal the records in the archive for thirty years, until a scant few days after the Act was signed into law by the President on October 25th 2020. Three days later the minister performed an inelegant 180 degree turn.
The Attorney General’s office had advised Minister O'Gorman that an amendment to Section 39 of the 2004 Commissions of Investigation Act - put in place following the introduction of GDPR regulations in 2018 - effectively prevents survivors from accessing their personal stories.
(It’s still unclear whether this advice emanated from the Attorney General’s office or from some people who had once worked in the Attorney General’s office.)
PRESIDENT MICHAEL D Higgins has signed the Mother and Baby Homes Bill into law after he “considered all the options available to him”.
In a statement issued this evening, the government said that it has agreed to the rights of all citizens to access personal information about themselves, under data protection legislation and the GDPR are fully respected and implemented.
Now we find the department responsible for ensuring this access may have been using an incorrect and restrictive definition of the most basic concept in data protection law ever since the archive transferred to it at the end of February.
This raises serious questions about the completeness of the responses to Subject Access Requests the department has provided to date.
We are very concerned that the Scheme defines information under multiple categories. This is not only likely to cause significant confusion amongst applicants (because the definitions are narrow and open to interpretation), there is also a significant risk of other types of data falling through the net. Worryingly, while most of the categories of information fall under the definition of personal data, the Bill does not define personal data at all. [3.3 - Definitions of information in the Scheme, page 24]
Meanwhile, mandatory but not compulsory has made it as far as the Caribbean. The officials who coined that phrase for Regina Doherty must be proud.
While the Jamaican bill stipulates that digital ID enrollment is voluntary, Arroyo and Quarrie fear that it could end up as a functionally mandatory system. Both believe that the system has the potential to prevent people who have not signed up from accessing vital social services — a concern borne out in research examining the impact of digital ID systems in other countries around the world.
Jamaica's biometric collection plans are poised to end data privacy - Coda Story
In Jamaica, a new digital ID bill that would store citizens’ biometric information presages a worrying trend across the Caribbean
- “… amazingly, public relations has gotten even worse for Facebook this month. The precipitating event was the emergence of a Snowden-style trove of documents—“The Facebook Files”—that appear to have been leaked to The Wall Street Journal reporter Jeff Horwitz. In a five-part series, The Wall Street Journal used those documents to reveal that not only was Facebook fueling teenage self-harm and enabling human trafficking, but that Facebook itself also knew that its platform contributed to those problems and chose to ignore it.” From ‘Facebook and the Terrible, Horrible, No Good, Very Bad Month’, the latest edition of Julia Angwin’s Hello World newsletter.
- “The software, put out by a Wyoming company called ShadowDragon, allows police to suck in data from social media and other internet sources, including Amazon, dating apps, and the dark web, so they can identify persons of interest and map out their networks during investigations. By providing powerful searches of more than 120 different online platforms and a decade’s worth of archives, the company claims to speed up profiling work from months to minutes … “Social media surveillance technologies, such as the software acquired by Michigan State Police, are often introduced under the false premise that they are public safety and accountability tools. In reality, they endanger Black and marginalized communities,” Arisha Hatch, vice president and chief of campaigns at civil rights nonprofit Color of Change, wrote in an email.” From ‘ShadowDragon: Inside the Social Media Surveillance Software That Can Watch Your Every Move’ by Michael Kwet for The Intercept.
- “The lengthy process to agree to a majority decision has led some experts to believe EU data protection regulators must get better at working in concert on cross-border investigations if they are going to hold large companies and Big Tech firms to account. “Some of these companies have the power and resources of a nation state. It is simply unrealistic to expect any one national data regulator to be able to bring them to heel,” says Will Richmond-Coggan, director at law firm Freeths.” From ‘WhatsApp GDPR fine fallout: EDPB actions shift enforcement landscape’ by Neil Hodge for Compliance Week.
—
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
‘Minister says not ‘morally feasible’ to deny mother and baby home survivors access to data’, RTÉ, 23rd October 2020
‘President Higgins signs Mother and Baby Homes Bill into law’, The Journal, 26th October 2020
‘‘Two tests’ to be applied for Mother and Baby Home survivors to seek access to records’, The Journal, 28th October 2020
It also raises serious questions about the assumptions underpinning the department’s Birth Information and Tracing Bill which is currently in committee stage. As noted in the Clann Project’s initial ‘Submission to the Committee on Children, Disability, Equality and Integration on the General Scheme of the Birth Information and Tracing Bill 2021’ [direct link to PDF]
The Norwegian DPA published an English language summary of its DPIA and risk assessment of whether it should use Facebook Pages as a communications tool. It’s a very good read.
—
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.