July 26, 2020
"a whole new level of bad" | The Cat Herder, Volume 3, Issue 28
July 26 · Issue #92

This week the analysis of the Schrems II judgment continued, with some of the wishful thinking seen in the immediate aftermath, that cosmetic changes to the SCCs would be enough, beginning to recede. 😼

So *that's* how Breitbart is still making money - BRANDED
It turns out Breitbart has continued to collect your ad dollars through a shady ad revenue-sharing ring of propaganda sites.

In response, Open Rights Group executive director Jim Killock told Decision Marketing: “We are very concerned by the ICO’s seeming reluctance to use its enforcement powers to correct widespread abuses in the adtech industry. It is wholly clear to the ICO from its own work that these systemic abuses of the law exist, are taking place and will not be addressed by the minimal changes suggested by the industry.”

“This is a whole new level of bad,” Leah Larkin, a genealogist in Livermore, California, who is an outspoken advocate for genetic privacy, told BuzzFeed News.

A Security Breach Exposed More Than One Million DNA Profiles On A Major Genealogy Database
First GEDmatch, the DNA database that helped identify the Golden State Killer, was hacked. Then email addresses from its users were used in a phishing attack on another leading genealogy site.

By the end of the week the European Data Protection Board had published a Frequently Asked Questions document (direct link to PDF) relating to the Schrems II judgment.

Noyb had, as is now almost customary, got there before them. On Monday Max Schrems sent a personal letter to Helen Dixon inquiring about the next steps the DPC would be taking.

That’s what they call driving the conversation.

the ruling effectively invalidates surveillance capitalism as the baseline structure of so many powerful corporations, and even small start-ups. And it exposes the interrelationship between state-driven surveillance and surveillance capitalism.

The judgment will also put DPAs under pressure to take enforcement actions against companies that rely on the SCCs, even though under the GDPR the DPAs do not approve the SCCs and generally will not even know that they are being used. This standard presumably also applies to other appropriate safeguards under Art. 46 (such as BCRs), which will raise the bar for them as well. The judgment will also make it more difficult to reach agreement on a possible adequacy decision for the UK post-Brexit.

The effectiveness or otherwise of the HSE’s Covid Tracker app remains a mystery. Despite the headline on this Business Insider piece, the latest position from those involved appears to be ‘anything is better than nothing’. It’s questionable whether this passes muster as a necessity and proportionality analysis.

In its first two weeks, the app has already been used to detect positive cases of the virus, Fran Thompson, chief information officer at the HSE, told Business Insider in a statement. Harte said it’s still too early to tell how much impact the app will have on curbing the spread of the virus, but even if it detects only a small number of cases, that’s better than nothing, he said.

The issue here is the way Android works. Google’s appetite for personal data is voracious because that’s where it makes its money. The paper (direct link to PDF) questions whether the Irish state should be aggressively promoting use of the app without performing a DPIA on the Google element of the service and without providing information to data subjects on the personal data Google is able to collect.

The CNIL wrote to the French health ministry asking for some fixes to the Stop Covid app. These are mostly small iterative fixes, as the larger fixes requested in a previous CNIL submission have already been implemented.

The UK government’s response was that “there is no evidence of data being used unlawfully.”

This isn’t hard to understand. Carrying out a DPIA in advance of any processing is a legal requirement for a system such as this. Not doing a DPIA, as the Department of Health has admitted, makes the processing unlawful. This admission is the evidence of unlawful processing.

Data protection law does not just cover what happens after a data controller has acquired personal data.

The officials running the Public Services Card system appear determined to secure their project a place in future case studies on the sunk cost fallacy.

€210k to be spent on technical support for public services card

In a move which should sound some alarm bells in the Department of Education in Ireland, the Norwegian DPA sent a big ol’ list of questions (direct link to PDF) to the International Baccalaureate Organization asking for more information on their calculated grades system. As Information Notices go this one was on the urgent side of things. Sent on Monday 20th, answers required by Friday 24th.

The Spanish DPA fined Iberia Lae €40,000, reduced to €24,000, for failing to comply with a subject access request.

The Spanish DPA fined Esplora Proyectos €10,000, reduced to €6,000, for unlawful cookie deployments on three websites. Since the DPC has indicated that enforcement for non-compliant cookie practices is coming in October of this year, Irish data controllers should perhaps be keeping an eye on developments like this around Europe.

- “However, guidance for retail protection in preparation for phase 3 of the lockdown seems to have taken the opposite direction. The document features a questionnaire that was incorporated into sectoral body guidance (at p. 17), to the effect that those wanting a much-needed haircut are facing medical screening through written questionnaire. The questionnaire raises fundamental data protection issues. As they currently stand, these questionnaires fail to meet all principles laid down in Art. 5 GDPR, such as lawfulness, minimisation, storage limitation, integrity and confidentiality. They lack information notices, in defiance of the principle of transparency (Art. 5, 12 and 13 GDPR); as a result, data subjects are not informed of their rights, which form part and parcel of the definition of the right to the protection of personal data. This is all the more worrying as the questionnaire collects data concerning health, which are special categories of personal data deserving reinforced protection (Art. 9 GDPR).” Maria Grazia Porcedda of Trinity College Dublin writing for the Covid-19 Law and Human Rights Observatory on the haphazard approach to guidance offered to accidental data controllers such as hairdressers who now find themselves processing special categories of personal data without a lawful basis.
- “While the commission is an independent national authority, its work cannot be entirely independent of the government. After all, it is the government that provides its budget and so ensures (or not) if it has adequate staff and resources to carry out its work – work which has just become significantly more complicated. Moving forward, it is vital that we ensure that the DPC is adequately funded and is provided with the staff and resources to act and deal with the seriousness and complexity of the work it is required to do, now more so than ever. We also need to look very seriously at the consequences of the most recent ruling.” Green Party TD Patrick Costello writing in the Business Post. Deputy Costello also raised this issue in the Dáil during the week and video of this is available here.
- “Key to the court’s analysis was that, while the Memoranda related to a complaint generated by the data subject, the subject matter of that complaint related to compliance by PwC with its professional and accountancy standards rather than anything related to the data subject, such as an assessment of his work as a trainee accountant. The decision also demonstrates a reluctance of the courts to look behind findings of fact made by the Data Protection Commission and is a reminder for both data subjects and data controllers of the need to raise all relevant arguments and facts at the investigation phase or upon first appeal.” John Magee and Clodagh Butler on the DLA Piper data protection blog with some analysis of the latest Nowak case.
- “Perhaps most damning of all, the total number of fines issued in the period (£2,409,000) was less than half what it was in 2018 – 2019 (£5,436,000). There are people who praise the ICO for their guidance and conference appearances, but this is like measuring the police for their road safety demonstrations in schools. The ICO isn’t a ‘proportionate and practical regulator’ – it’s far from where it should be, achieving nothing but emissions of hot air.” Tim Turner had some stark commentary on the ICO’s annual report.

If you know someone who might enjoy this newsletter do please forward it on to them.

Privacy Kit, Made with 💚 in Dublin, Ireland

Rather Directly Related
Decision Marketing: ‘Privacy groups hit out at fresh delay to adtech probe’
Also on Monday Noyb published ‘Next Steps for EU companies & FAQs’.
By Friday Noyb had ‘Next Steps for users & FAQs’ up on their site.
More Commentary
Karlin Lillington in The Irish Times: ‘Schrems II: there’s no way to transfer data to US and comply with EU law’
Christopher Kuner on the European Law Blog: ‘The Schrems II judgment of the Court of Justice and the future of data transfer regulation’
Business Insider: ‘How Ireland built its COVID-19 contact tracing app, which is so successful that US states want to use it’
Nuance was also lost in this headline in The Irish Independent, ‘Trinity study slams “troubling” Google privacy on tracker app’.
In the UK the “Department of Health has conceded the initiative to trace contacts of people infected with Covid-19 was launched without carrying out an assessment of its impact on privacy.”
The ICO published its annual report.
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.