Benediction | The Cat Herder, Volume 2, Issue 29

Bank Holiday edition. It was a busy week so let's crack on. 😼   August 5 · Issue #45 · View online Bank Holiday edition. It was a busy week so let’s crack on. 😼 The Sunday Business Post reports that our old friends in Genomics Medicine Ireland have been seeking “benediction” from the Taoiseach. When questioned about this, public relations representatives of GMI claimed their quest for blessing wasn’t lobbying. It certainly does seem to go beyond the worldly business of making representations to public figures. It even raises questions as to whether the prime minister of a secular republic is the appropriate person to approach for benediction. Perhaps a bishop would be a better choice. — Capital One is a large North American financial services company. Per Wikipedia it is “the eighth-largest commercial bank in the United States when ranked by assets and deposits.” On 29th July it announced its systems had been breached and that about 100 million individuals in the US and 6 million in Canada. Then things got weird. Kevin Beaumont @GossiTheDog Capital One's breach response is pretty wild and evolving. Aside from claiming in bold there was no PII and then immediately contradicting that in non-bold, it also now says data was encrypted in bold... then in non-bold mentions it wasn't encrypted. 4:53 PM - 30 Jul 2019 A tip for anyone involved in communications relating to data protection: don’t ever do this. — Futuendi gratia indeed. Investigation launched after patient details leaked to funeral directors timesofmalta.com – Share Last week we wrote, somewhat tongue in cheek, “At the intersection of state surveillance and surveillance capitalism it turns out an incentivised police force can be a motivated sales force.” This was in reference to the blossoming relationship between police forces in the United States and Amazon. Further reporting from Motherboard during the week revealed that not only are the police forces encouraged to promote Amazon’s camera-enabled doorbell Ring, but that Amazon have also helpfully provided a script for the police to use. Everything Cops Say About Amazon's Ring Is Scripted or Approved by Ring gizmodo.com – Share Amazon’s home security company Ring has garnered enormous control over the ways in which its law enforcement partners are allowed to portray its products, going as far as to review and even author statements attributed to police in the press, according to emails and documents obtained by Gizmodo. The UN’s Special Rapporteur on Extreme Poverty and Human Rights, Philip Alston was invited to Dublin by the Irish Council of Civil Liberties to give a talk during the week. Professor Alston is preparing a report on Digital Technology, Social Protection, and Human Rights which he will present to the UN in October of this year. Social protection bureaucracies are typically the part of the state apparatus with the most regular and extensive interaction with a significant part of the population, meaning that innovation in this area is likely to have a direct impact on the human rights of many. Yet, there has been surprisingly little systematic research of the human rights implications of technological change in the area of social protection given the fact that human rights are both relevant and important in the context of social protection systems. This is especially (although not exclusively) the case for those who are poor, vulnerable and subject to discrimination. Alston discussed the Department of Employment Affairs and Social Protection’s development of a biometric identity register and its disproportionate effect on those living in poverty. He said the government is taking “hugely consequential decisions which will have huge potential consequences for governance in the future without any transparency or public debate”. More ‘Public services card carries 'big risk’, says UN poverty envoy’, Irish Times ‘Grave concerns about the Public Services Card are being ignored’, Irish Times ‘Spark public debate’: Spotlight on Public Services Card as data watchdog probe at ‘advanced stage’, The Journal ‘Public Services Card an example of 'how technology can be used against people living in poverty’‘ , Irish Examiner 'ICCL: The poor are being forced to trade data for public services’, Irish Times — In a separate but very much related matter, the Department of Employment Affairs and Social Protection sought a judicial review of a decision by the Data Protection Commission. The Journal quotes solicitor Rossa McMahon as saying The DPC found that the request for information did not appear to be justified or necessary, that they were unfair and the Department was not transparent about the uses to which the information would be put. The job of the independent supervisory authority is to make sure that all processing of personal data which is carried out by the data controllers it is responsible for supervising is compliant with the GDPR and local data protection laws. The typical and expected response of a data controller which has been told by the supervisory authority that it is not being transparent enough in its processing operations is to increase its levels of transparency. This is usually not a particularly difficult or onerous task to complete. It would typically involve doing simple things such as telling people why you want their personal data and what you plan to do with it. Article 5.1(a) of the GDPR states that “Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject” (emphasis mine). The department appears to be seeking clarification through this judicial review as to whether it really has to take steps to bring its processing into line with this first principle of data protection. Which suggests the department would prefer to continue processing personal data unfairly and opaquely. More ‘Data body faces High Court over child benefit ruling’, Sunday Business Post The Hellenic Data Protection Authority fined PwC €150,000 for processing the personal data of its own employees using an inappropriate legal basis. PwC was relying on consent as a legal basis - you can’t do this. To repeat, employers generally cannot rely on consent as a legal basis to process employee data as the consent cannot be said to have been freely given, such is the power imbalance between an employer and an employee. Presumably some of PwC’s clients are currently wondering whether they should get a second opinion on any data protection advice PwC may have given them over the last few years. — The Hamburg Data Protection Authority invoked Article 66 of the GDPR (the “Urgency procedure”) to compel Google to stop listening to audio recordings from its home surveillance devices. Google responded by stopping this processing for all of the EU. Is this a rebuke from Hamburg to Dublin? Certainly seems like one. The long awaited judgment of the Court of Justice of the European Union in Fashion ID (Case C-40/17) arrived. In summary, the court ruled that the operator of a website which features embedded third party content such as Facebook’s ‘Like’ button should be considered a joint data controller with the third party as both are involved in determining the means and purpose of the processing consent to this processing of personal data must be acquired by the operator of the website before any disclosure of data, to Facebook in this case the operator of a website with embedded content such as Facebook’s ‘Like’ button is not considered a data controller for any further processing carried out by Facebook or other third parties More ‘Europe’s top court sharpens guidance for sites using leaky social plug-ins’, Techcrunch ‘CJEU rules that Facebook and website operators are joint controllers if the website embeds Facebook’s “Like” button’, Inside Privacy, Covington & Burling ‘The Data Protection Officer Handbook’ by Douwe Korff and Marie Georges. “Although produced for the T4DATA programme that focusses on DPOs in the public sector, it is hoped that the Handbook will be useful also to anyone else interested in the application of the GDPR, including DPOs in the private sector.” “Clinical consent is informed consent for a clinical course of action, such as “Yes, you can amputate my arm”. If doctors don’t get clinical consent from a conscious patient, it’s GBH. Sharing the medical records required for direct care is implicit from the clinically-consented decision, but that isn’t a GDPR consent – though it is part of the public task of the NHS body providing that surgery. Both of these situations use the ‘consent’ word, but they actually mean very different things. (We agree that’s not entirely helpful.)” ‘Public bodies, GDPR and consent’, from MedConfidential. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster we’ll be in your inbox again next weekend. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Bank Holiday edition. It was a busy week so let’s crack on.

😼

The Sunday Business Post reports that our old friends in Genomics Medicine Ireland have been seeking “benediction” from the Taoiseach. When questioned about this, public relations representatives of GMI claimed their quest for blessing wasn’t lobbying. It certainly does seem to go beyond the worldly business of making representations to public figures. It even raises questions as to whether the prime minister of a secular republic is the appropriate person to approach for benediction. Perhaps a bishop would be a better choice.

—

Capital One is a large North American financial services company. Per Wikipedia it is “the eighth-largest commercial bank in the United States when ranked by assets and deposits.” On 29th July it announced its systems had been breached and that about 100 million individuals in the US and 6 million in Canada. Then things got weird.

https://twitter.com/GossiTheDog/status/1156231443674214400

A tip for anyone involved in communications relating to data protection: don’t ever do this.

—

Futuendi gratia indeed.

Last week we wrote, somewhat tongue in cheek, “At the intersection of state surveillance and surveillance capitalism it turns out an incentivised police force can be a motivated sales force.” This was in reference to the blossoming relationship between police forces in the United States and Amazon.

Further reporting from Motherboard during the week revealed that not only are the police forces encouraged to promote Amazon’s camera-enabled doorbell Ring, but that Amazon have also helpfully provided a script for the police to use.

Amazon’s home security company Ring has garnered enormous control over the ways in which its law enforcement partners are allowed to portray its products, going as far as to review and even author statements attributed to police in the press, according to emails and documents obtained by Gizmodo.

The UN’s Special Rapporteur on Extreme Poverty and Human Rights, Philip Alston was invited to Dublin by the Irish Council of Civil Liberties to give a talk during the week. Professor Alston is preparing a report on Digital Technology, Social Protection, and Human Rights which he will present to the UN in October of this year.

Alston discussed the Department of Employment Affairs and Social Protection’s development of a biometric identity register and its disproportionate effect on those living in poverty. He said the government is taking “hugely consequential decisions which will have huge potential consequences for governance in the future without any transparency or public debate”.

More

‘Public services card carries 'big risk’, says UN poverty envoy’, Irish Times

‘Grave concerns about the Public Services Card are being ignored’, Irish Times

‘Spark public debate’: Spotlight on Public Services Card as data watchdog probe at ‘advanced stage’, The Journal

‘Public Services Card an example of 'how technology can be used against people living in poverty’‘ , Irish Examiner

'ICCL: The poor are being forced to trade data for public services’, Irish Times

—

In a separate but very much related matter, the Department of Employment Affairs and Social Protection sought a judicial review of a decision by the Data Protection Commission.

The Journal quotes solicitor Rossa McMahon as saying

The job of the independent supervisory authority is to make sure that all processing of personal data which is carried out by the data controllers it is responsible for supervising is compliant with the GDPR and local data protection laws. The typical and expected response of a data controller which has been told by the supervisory authority that it is not being transparent enough in its processing operations is to increase its levels of transparency. This is usually not a particularly difficult or onerous task to complete. It would typically involve doing simple things such as telling people why you want their personal data and what you plan to do with it.

Article 5.1(a) of the GDPR states that “Personal data shall be: processed lawfully, fairly and in a transparent manner in relation to the data subject” (emphasis mine). The department appears to be seeking clarification through this judicial review as to whether it really has to take steps to bring its processing into line with this first principle of data protection. Which suggests the department would prefer to continue processing personal data unfairly and opaquely.

More

‘Data body faces High Court over child benefit ruling’, Sunday Business Post

The Hellenic Data Protection Authority fined PwC €150,000 for processing the personal data of its own employees using an inappropriate legal basis. PwC was relying on consent as a legal basis - you can’t do this. To repeat, employers generally cannot rely on consent as a legal basis to process employee data as the consent cannot be said to have been freely given, such is the power imbalance between an employer and an employee.

Presumably some of PwC’s clients are currently wondering whether they should get a second opinion on any data protection advice PwC may have given them over the last few years.

—

The Hamburg Data Protection Authority invoked Article 66 of the GDPR (the “Urgency procedure”) to compel Google to stop listening to audio recordings from its home surveillance devices. Google responded by stopping this processing for all of the EU. Is this a rebuke from Hamburg to Dublin? Certainly seems like one.

The long awaited judgment of the Court of Justice of the European Union in Fashion ID (Case C-40/17) arrived. In summary, the court ruled that

• the operator of a website which features embedded third party content such as Facebook’s ‘Like’ button should be considered a joint data controller with the third party as both are involved in determining the means and purpose of the processing
• consent to this processing of personal data must be acquired by the operator of the website before any disclosure of data, to Facebook in this case
• the operator of a website with embedded content such as Facebook’s ‘Like’ button is not considered a data controller for any further processing carried out by Facebook or other third parties

More

‘Europe’s top court sharpens guidance for sites using leaky social plug-ins’, Techcrunch

‘CJEU rules that Facebook and website operators are joint controllers if the website embeds Facebook’s “Like” button’, Inside Privacy, Covington & Burling

• ‘The Data Protection Officer Handbook’ by Douwe Korff and Marie Georges. “Although produced for the T4DATA programme that focusses on DPOs in the public sector, it is hoped that the Handbook will be useful also to anyone else interested in the application of the GDPR, including DPOs in the private sector.”
• “Clinical consent is informed consent for a clinical course of action, such as “Yes, you can amputate my arm”. If doctors don’t get clinical consent from a conscious patient, it’s GBH. Sharing the medical records required for direct care is implicit from the clinically-consented decision, but that isn’t a GDPR consent – though it is part of the public task of the NHS body providing that surgery. Both of these situations use the ‘consent’ word, but they actually mean very different things. (We agree that’s not entirely helpful.)” ‘Public bodies, GDPR and consent’, from MedConfidential.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster we’ll be in your inbox again next weekend.

If you know someone who might enjoy this newsletter do please forward it on to them.