Privacy Kit

June 19, 2022

"deploying phrenology onto the British internet" | The Cat Herder, Volume 5, Issue 23

June 19 · Issue #185
The Cat Herder
Some watching as well as some reading. A facial recognition story from the world of Australian retail this week, because there’s always a facial recognition story. Facebook’s prying pixel. Replacing one type of surveillance with another in the UK.
😼

Major Australian retailers have been secretly capturing the faces of their customers without their knowledge, a consumer group investigation has found.
The Choice investigation examined 25 of the country’s biggest retailers and revealed Bunnings, The Good Guys and Kmart have been analysing CCTV footage to create profiles or “face prints” of their customers, including children, without their knowledge.
Facial recognition technology: Major retailers secretly creating “face prints” of their customers, says Choice
www.smh.com.au
It’s been revealed Bunnings, Kmart and The Good Guys have been creating “face prints” of their customers, including children, without their knowledge.
Under the deal, the scheme is set to stay in place for another year in case it is needed. Member states should not restrict the free movement of EUDCC holders in a way that is disproportionate or discriminatory. The European Commission will assess the impact of the EUDCC on free movement and fundamental rights by the end of 2022, and can propose its repeal, if the sanitary situation allows. 
EU COVID Certificate: committee confirms extension | News | European Parliament
www.europarl.europa.eu
The EP Civil Liberties committee has endorsed the deal with member states to extend the legal framework of the EU Digital COVID Certificate for another 12 months.
The Data Reform Bill was unveiled in the UK during the week. Heather Burns has by far the best piece on it.
(And you may ask yourself, how did I get here? Have we really gone from a referendum on bendy bananas to deploying phrenology onto the British internet? Yes. Yes we have.)
Regardless of whether you choose to deploy a third-party age verification provider, which hoovers up your visitors’ passport and credit card data, or a third-party age assurance solution, which hoovers up your visitors’ cranial measurements (particularly if they are undesirable ethnic minorities), in order to meet your imminent compliance obligations under the Online Safety Bill: your compliance costs will be staggering.
Pop-ups are dead, long live pop-ups: or, the bait-and-switch hidden in today’s cookie announcement – Hi, I'm Heather Burns
webdevlaw.uk
Today is going to be the day that you read a lot about the UK’s intention to kill cookie pop-ups as part of its post-Brexit Data Reform Bill. By now you should have somehow realised that there’s a bit more to it than that, and that your work is not set to get any easier.
The safety tech boosters are already getting airtime in Ireland. Expect more of it to come.
More than a third of the websites sent data to Facebook when someone made an appointment for an “abortion consultation” or “pre-termination screening.” And at least 39 sites sent Facebook details such as the person’s name, email address or phone number.
Facebook takes in data from crisis pregnancy centers through a tracking tool called the Meta Pixel that works whether or not a person is logged in to their Facebook account. The Pixel is largely an advertising tool that allows businesses to do things like buy Facebook ads targeted to people who have visited their website or to people who share similar interests or demographics with their site’s other visitors. This is a mostly automated process in which the business does not have access to information about the specific users being targeted. It’s not clear how this data is later used.
Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients - Reveal
revealnews.org
The social media giant gathers data from crisis pregnancy centers through a tracking tool that works whether or not a person is logged in to their Facebook account.
—
The Markup also found the Meta Pixel installed inside the password-protected patient portals of seven health systems. On five of those systems’ pages, we documented the pixel sending Facebook data about real patients who volunteered to participate in the Pixel Hunt project, a collaboration between The Markup and Mozilla Rally. The project is a crowd-sourced undertaking in which anyone can install Mozilla’s Rally browser add-on in order to send The Markup data on the Meta Pixel as it appears on sites that they visit. The data sent to hospitals included the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.
Facebook Is Receiving Sensitive Medical Information from Hospital Websites – The Markup
themarkup.org
Experts say some hospitals’ use of an ad tracking tool may violate a federal law protecting health information
—
Here’s what’s going on: A company called Phreesia makes software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app. The company says it was used for more than 100 million check-ins in the past year. Some patients use Phreesia’s software to do early digital check-in at home, while others use it on a tablet at the clinic.
But Phreesia doesn’t just make money by selling its software to doctor’s offices. It also has a business in selling ads to pharmaceutical companies that it displays after you fill in your forms. And it wants to use all that information you entered — what drugs you take, what illnesses you’ve had in the past — to tailor those ads to your specific medical needs.
Can your medical records be used for marketing? Yes, if you agree to this - The Washington Post
www.washingtonpost.com
A consent form from Phreesia gives it permission to use your data for marketing.
The EDPB adopted guidelines on certification as a tool for transfers and an Article 65 decision regarding French hospitality multinational Accor.
—
  • Watching rather than reading: The European Data Protection Supervisor organised a conference titled “The future of data protection: effective enforcement in the digital world” which took place earlier this week. Recordings of some of the sessions are up on the website now.
  • “First, whose privacy? Today’s digitalised society of course affects the rights to privacy and data protection, but it does so unevenly. This unevenness is a function of the vast and growing inequalities within and between societies. The Global South is unfortunately often absent from these discussions, which is inexcusable given the growing body of scholarship now available – Achille Mbembe or Nanjala Nyabola to cite just two – plus the empirical analyses contained in the UNCTAD Digital Economy Reports of recent years. They reveal populations of poorer countries being farmed for their data by Chinese and US tech companies in exchange for connectivity, electronic IDs and various other gadgets and services. Migrants are the objects of tracking and biometrics technology and will become more so as our environment deteriorates and geopolitics become increasingly volatile in the coming decades.” From ‘Whose privacy’ by Christian D'Cunha.
  • “The judgment in Doolin has application to all processing of CCTV footage. Controllers in general should ensure that data subjects, whose personal data may be captured by CCTV, are made aware of all purposes for which the CCTV footage may be used and that all policies in place reflect this. Employers in particular should ensure that their data protection policy, data protection notices, CCTV policy and signs accompanying CCTV cameras list all the purposes of processing. Employers should also be wary of using CCTV footage in a disciplinary process unless employees have previously been informed that this may occur and if they do so, employers should ensure that the further processing of the personal data for disciplinary procedures is not incompatible with the original purposes for which it was collected (e.g. security purposes).” From ‘At Cross-Purposes Data Protection Commissioner v Cormac Doolin’ on the McCann Fitzgerald blog.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland