June 1, 2020
Civic Duty | The Cat Herder, Volume 3, Issue 20
June 1 · Issue #84
Another locked down Bank Holiday edition. The General Data Protection regulation turned two. The authorities in the UK have abandoned even making an effort to appear to be complying with the law. The HSE’s contact tracing (and unspecified other things) app is being tested this week. 😼

If you visit the eBay website, it’ll port-scan your device and share that information with third parties.

Security expert John Opdenakker agrees. “I don’t expect a website to start scanning on my local computer,” he says, “and sharing my data with third parties without consent.” That third-party would, in this case, be LexisNexis Risk Solutions via the ThreatMetrix product. “Implementing this kind of behavior by default,” Opdenakker says, “without users being clearly informed and having a choice to opt-out to me seems like a serious infringement of privacy regulations.”

Forbes: ‘Did You Know eBay Is Probing Your Computer? Here’s How To Stop It’

As we blow past the two month anniversary of the HSE declaring it had a contact tracing app ready to launch within ten days, there’s still no app, there’s still no information about what the app will do and how it will do whatever it is it’s doing, who the data controller is, how long the data will be retained for or what other entities the data will be shared with. Anecdotally it seems the data protection impact assessment has not made it as far as the Data Protection Commission yet either.

RTE reported that testing is due to begin this week. The HSE said in a statement to RTE that the full launch would be when the app “is fully operational and the necessary approvals have been received from the Data Protection Commissioner, NPHET, HSE and Government.”

Before a public launch the HSE and Waterford-based developer Nearform will also submit a Data Protection Impact Assessment to the Data Protection Commissioner.

A few points about this, yet again.

- A DPIA has to be carried out before any processing of personal data takes place. A live test using real people and real personal data requires a DPIA.
- The Data Protection Commission does not approve projects. It is a supervisory authority.
- If both the HSE and the developer of the app are submitting a DPIA to the DPC under the prior approval mechanism in Article 36 of the GDPR then are they joint controllers, since the controller is responsible for carrying out the DPIA?
- For lovers of the bureaucratically absurd, why is the HSE submitting something to itself for approval?

Meanwhile in the UK Politico reported that the overall tracing system which went live on Thursday did so - wait for it - before a DPIA had been carried out.

Today the Guardian reports that Open Rights Group is preparing a legal challenge addressing the failure to complete a DPIA, the alarmingly long retention periods and the lack of safeguards around the sharing of this data.

Paul Bernal argues that the UK government requires a hefty nudge in the form of people not using the app. Only in this way can the authorities be compelled to make better decisions.

Matt Hancock and Boris Johnson have been trying to persuade us that it’s our civic duty to take part in their ‘test and track’ programme, including the use of their previously much vaunted contact tracing app. In practice, in relation in particular to that app, the opposite may well be the case: it’s your civic duty not to download, let alone use, the app. Indeed, it’s your civic duty to resist it actively.

This, for one.

Law enforcement in the US were extremely quick to adopt the language of public health and announce they were using “contact tracing” to see who people arrested during protests in Minnesota are associated with.

Genuinely startled to see how quickly the term "contact tracing" hopped from a public health context to a justification for surveilling political activists. https://t.co/hn9MSTTnZA
https://twitter.com/EylerWerve/status/1266810110787162119

When the term has been appropriated by law enforcement it makes it easier for the technology and the data to be appropriated too.

Authorities in the city of Hangzhou, a tech hub home to e-commerce giant Alibaba where the app was first launched, have announced they will seek to launch a broader version to monitor people’s health. Sun Yongrong, the director of the Hangzhou health commission, told a meeting on Friday a number of advancements in healthcare administration had already been achieved through the health code app, and proposed integrating the data with more health indicators to develop individual index rankings.

Guardian: ‘Chinese city plans to turn coronavirus app into permanent health tracker’
New York Times: ‘China’s Virus Apps May Outlast the Outbreak, Stirring Privacy Fears’

The Finnish DPA imposed fines on three data controllers. The misdemeanours included, coincidentally, failing to carry out a DPIA and unnecessary and excessive collection of personal data.

The GDPR turns two

It is two years since the GDPR came into effect and over four years since the text was finalised. Which is plenty of time for data controllers to have familiarised themselves with their obligations. Especially those planning population-scale surveillance systems.

There were plenty of reflections on what was good and what was not so good and there are some highlights of these below.

Max Schrems took the opportunity to publish an open letter alleging the DPC had “confidential” dealings with Facebook ahead of the GDPR becoming enforceable.

Irish Times: ‘Schrems calls on EU authorities to intervene in ‘Kafkaesque’ DPC case’
Reuters: ‘Privacy activist Schrems calls on EU authorities to get Irish watchdog moving’

The European Consumer Association (BEUC) also published an open letter warning of the emergence of an enforcement gap, and the difficulty in bringing legal action against controllers, explicitly provided for in the GDPR as a parallel to complaints to data protection authorities.

But procedural rules for dealing with complaints are not harmonised in the EU. As a result it becomes more complicated for data subjects – and those (like BEUC’s members) who represent them – to bring legal action. For instance, national laws about who can represent consumers differ which is a risk in case complaints end up being handled by a foreign data protection authority. Complainants also become subject to a different legal system they are not familiar with and may be hampered by high legal costs. This puts them at a disadvantage and hinders effective access to justice.

BEUC: ‘On second anniversary of EU data protection law, concerns about enforcement gap increase’

Karlin Lillington suggested that some enforcement issues could be resolved if multinationals above a certain size were regulated at pan-EU-level by a new and well enough resourced body.

Only 231 fines and sanctions have been issued under the GDPR, the report notes. In particular, it highlights that neither Luxembourg nor Ireland (the two EU nations tasked with the GDPR oversight of nearly all EU-operating tech multinationals) had issued a single fine against such companies. Here, in a nutshell, is the huge regulatory failure at the heart of the GDPR. For political and financial reasons, it is comically tragic and functionally pointless to pitch individual EU nations against these global companies.

Irish Times: ‘EU needs to rebuild GDPR after only two years’

The IAPP collected up the thoughts of an ensemble cast in ‘The GDPR at Two: Expert Perspectives’. The slow pace of enforcement crops up regularly. But it cannot be disputed that the GDPR has, in the words of Gabriela Zanfir-Fortuna “brought data protection issues from the fringe to the spotlight.”

However, awareness of the law is only a small preliminary step, as Eduardo Ustaran hints at when he says “The law is well known — although not always well understood”.

Lee Bygrave’s piece paints a vivid picture of problems with a piece of legislation which was intended to return control to individuals. What he describes as

the evermore self-referential thrust of the EU data protection system. It is a system increasingly turned in on itself. Large parts of it are essentially engaged in a conversation with other parts of it.

Lokke Moerel echoes this

Our data protection laws have resulted in what Professor Corien Prins and I have coined “mechanical proceduralism”, whereby organizations go through the mechanics of notice and consent without any reflection on whether the relevant use of data is legitimate in the first place. In other words, the current preoccupation with what is legal is distracting us from asking what is legitimate to do with data. We even see this reflected in the highest EU court having to decide whether a pre-ticked box constitutes consent (surprise: it does not).

- “The DPC has fined, as an opening position, 2.5% of the maximum penalty per individual data subject affected by the conduct complained of. It’s not a lot, but it can add up quickly. For Facebook or Google or any other non-public sector data controller that could be €50,000 per data subject, double the penalty levied on a Public Sector body. I’d put the opening threshold as being between €25,000 (the current fine) and €50,000 (2.5% of €20 million) depending on the severity of the issue and the other mitigating factors that the DPC might take into consideration.” Daragh O Brien of Castlebridge does the numbers on one of the DPC’s recently announced fines.
- A very detailed examination of the legal and other issues around online proctoring of exams by universities by Rosalie Salameh, ‘Is Online Exam Surveillance during COVID-19 Lawful, Effective & Desirable?’ Primarily relating to the Netherlands, though of interest to a broader audience. “Given the overlap and distinction between the right to privacy and the right to data protection, one may conclude that online exam surveillance is located at the exact injunction of their overlap. This is because online proctoring is, at its core, the collection of (special category) data and using it to make automated decisions affecting people’s lives. At the other hand, the data generated by online proctoring provides exactly that information on surroundings and habits of everyday life, that they infringe on students’ privacy. This is important as students’ – just like everyone else – currently spend the majority of their time at home and can, therefore, not be expected to make special arrangements for online proctored exams.”
- “It would be a step back if the crisis ushered in a permanent return to micromanagement of teams. Research suggests sustained staff surveillance increases stress and undermines performance. The safeguards that must apply to government contact-tracing technology should also apply to companies. Notably, a sunset clause should require them to offer staff the right to opt out once the pandemic emergency has eased and insist on regular review of data collection. Otherwise, measures to help workers stay healthy and businesses recover could well end up making both sicker.” A Financial Times editorial (€) warns of the dangers of creeping workplace surveillance and a return of Taylorism as a result of the pandemic.

Endnotes & Credits

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

Privacy Kit, Made with 💚 in Dublin, Ireland