August 7, 2022
Enhanced Contextual Data | The Cat Herder, Volume 5, Issue 30
|
August 7 · Issue #192 · View online |
|
A significant CJEU judgment involving context, what the London authorities call enhanced contextual data, a whole lot of Hikvision cameras, and a hefty adtech fine. 😼
|
|
|
There are quite a lot of Hikvision cameras in Ireland too …
|
Chinese state-owned cameras in schools, hospitals & on high streets across the UK
|
There are more than a million of Hikvision’s cameras installed across the UK – monitoring every aspect of our lives. But Channel 4 News has learned that there are growing concerns within the government about the Chinese state-owned tech company. It is already blacklisted in the US over security fears, and its links to the suppression of Uyghur Muslims in northern China.
|
|
The UK is really quite determined to make sure its current adequacy decision with the EU doesn’t last beyond 2025 when it’s due for review.
|
Facial recognition smartwatches to be used to monitor foreign offenders in UK | Home Office | The Guardian
Home Office and MoJ plans will require migrants convicted of crimes to take photos up to five times a day
|
|
Everyone who uses facial recognition to unlock their phone knows that sometimes it just doesn’t work. This is both dehumanising and an inefficient use of public money. https://t.co/kTq69VvEws
|
|
|
|
|
|
“It’s kind of terrifying,” says London Assembly member Sian Berry, who along with privacy campaigners the Open Rights Group is bringing a legal challenge against the mayor’s decision. They warn that although scans of car number plates may seem innocent, they are not. Firstly, because a record of a vehicle’s journey is an intimate insight into a driver or passenger’s movements. Secondly, because ANPR cameras do not just scan for numbers and letters, they also take pictures, including a “front of vehicle photo” taking in everything that happens to be around when the image is snapped. This includes the colour and make of vehicles, and potentially the faces of drivers and passing pedestrians - what is known by the London authorities as “enhanced contextual data”.
|
Sadiq Khan issued with legal challenge after 'terrifying' number plate camera decision | UK News | Sky News
The mayor of London has given the Metropolitan Police access to more data from a larger number of ANPR cameras around London.
|
|
|
In Case C‑184/20, OT v Vyriausioji tarnybinės etikos komisija the CJEU held that processing personal data which is likely to indirectly reveal the sexual orientation of a data subject constitutes processing of special categories of personal data. So we can probably add another clause to the only slightly tongue-in-cheek aphorism ‘Depending on context, all data could be personal data’ to give us ‘Depending on context, all data could be personal data and all personal data could be special categories of personal data’. This is going to cause data controllers a lot of headaches.
|
|
“However, what this ruling highlights is how broadly personal data is defined in the EU, since it captures any information relating to an identified or identifiable natural person, who can be identified, directly or indirectly. By extension, if it is possible to indirectly deduce sensitive characteristics about a person from a reading of other personal data, the personal data in question will qualify as special category data – and no amount of risk mitigation measures to that data can remove its classification as special category data, meaning businesses will need an Article 9 exception to process that data lawfully”
|
EU court: data attributes revealing sensitive personal data can be ‘special category’ data
Publication of widely used personal data attributes, such as a person’s name, can reveal sensitive personal information about someone else and their disclosure can therefore be prohibited under EU data protection law, according to a new ruling.
|
The CJEU, in answering yes to both, found: • The reference was admissible, despite the relevant law having been amended in 2020. • Personal data is still personal data notwithstanding that it was processed in the context of a “professional activity”. • Article 6(1) is both an “exhaustive and restrictive” list. • The processing is undeniably in the public interest and legitimate. • Proportionality in this context is subjective to the specific member state. • Lack of resources cannot constitute a legitimate ground to justify interference with a right under the Charter. • Certain information to be published goes beyond what is sufficient to achieve its purpose and should be regarded as a serious interference. • Such publication is “liable… to expose the persons concerned to repeated targeted advertising and commercial sales canvassing, or even to risks of criminal activity”. • There should be no distinction between “reveal” and “concerning” in Article 9 and it should be interpreted widely. • Such publishing, of the spouse/partner’s name is “liable indirectly to reveal sensitive information” and specifically “liable to disclose indirectly the sexual orientation” and must therefore be protected under Article 9. This is vital reading for all controllers.
|
Daragh Troy BL: Does your spouse’s name reveal your sexual orientation? | Irish Legal News
Daragh Troy BL summarises the outcome of a recent court ruling with significance for data controllers in the EU. Does your spouse’s name reveal your sexual orientation? The Court of Justice of the European Union has delivered judgment and, unsurprisingly, again given the broadest possible interpreta
|
|
Very significant judgment today from the Grand Chamber on the interpretation of special categories of personal data under the : processing personal data liable to disclose indirectly sexual orientation constitutes processing of special categories of personal data 1/
|
|
|
|
|
The CNIL fined Criteo €60 million. For what exactly isn’t clear yet. “The publicly-traded adtech company said in a financial filing today that it has been hit with a proposed fine of roughly $65.4m for alleged breaches of the EU’s sweeping General Data Protection Regulation (GDPR). The news comes some two years after France’s data privacy body Commission Nationale de l’Informatique et des Libertés (CNIL) launched an investigation into the company’s data practices.”
|
|
|
|
A former health adviser pleaded guilty in Coventry Magistrates Court “to 6 counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.”
|
|
|
-
“Monitoring is often not limited to school hours despite parent and student concerns: Students and parents are the most comfortable with monitoring being limited to when school is in session, but monitoring frequently occurs outside of that time frame. Stakeholders demonstrate large knowledge gaps in how monitoring software functions: There are significant gaps between what teachers report is communicated about student activity monitoring, often via a form provided along with a school-issued device, and what parents and students retain and report about it.” From ‘Hidden Harms The Misleading Promise of Monitoring Students Online’, a report by Elizabeth Laird, Hugh Grant-Chapman, Cody Venzke and Hannah Quay-de la Vallee for the Center for Democracy & Technology.
-
“(1) Criteo creates highly invasive, granular profiles of people without telling them. That’s unlawful. (2) It considers that pseudonymising people’s data means they can’t know who individuals are and therefore it’s all fine. That’s not true - they know exactly who people are, because at the heart of their services is "individual shopper level” prediction. (3) They do cross-device tracking and get more from other data brokers, developing an incredibly fine-grained view of most of an individual’s activities through the day. That’s also unlawful, as no one’s told where all this data comes from.“ From this thread on Twitter from Privacy International on the Criteo fine mentioned above.
-
“Apple’s privacy changes and Google’s upcoming deprecation of third-party cookies have had a huge impact on the viability of many ad-targeting mechanisms – even if the more cynical of us may say that, given the scale of these businesses’ access to first-party data, their true aim is less altruistic and more akin to a power grab,” Evans adds. “But, in any case, hopefully we can soon all welcome a world in which a privacy-aware public can enjoy greater transparency and a fairer value exchange, the results of a kinder, fairer means of marketing.” From ‘What is AdTech and why is it at the heart of a regulation storm?’ by Carly Page for ITPro.
—
|
|
|
If you know someone who might enjoy this newsletter do please forward it on to them.
|
Did you enjoy this issue?
|
|
|
|
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
|
|
Privacy Kit, Made with 💚 in Dublin, Ireland
|
|
|
A significant CJEU judgment involving context, what the London authorities call enhanced contextual data, a whole lot of Hikvision cameras, and a hefty adtech fine.
😼
There are quite a lot of Hikvision cameras in Ireland too …
—
The UK is really quite determined to make sure its current adequacy decision with the EU doesn’t last beyond 2025 when it’s due for review.
Home Office and MoJ plans will require migrants convicted of crimes to take photos up to five times a day
The mayor of London has given the Metropolitan Police access to more data from a larger number of ANPR cameras around London.
In Case C‑184/20, OT v Vyriausioji tarnybinės etikos komisija the CJEU held that processing personal data which is likely to indirectly reveal the sexual orientation of a data subject constitutes processing of special categories of personal data. So we can probably add another clause to the only slightly tongue-in-cheek aphorism ‘Depending on context, all data could be personal data’ to give us ‘Depending on context, all data could be personal data and all personal data could be special categories of personal data’. This is going to cause data controllers a lot of headaches.
Comment
Publication of widely used personal data attributes, such as a person’s name, can reveal sensitive personal information about someone else and their disclosure can therefore be prohibited under EU data protection law, according to a new ruling.
Daragh Troy BL summarises the outcome of a recent court ruling with significance for data controllers in the EU. Does your spouse’s name reveal your sexual orientation? The Court of Justice of the European Union has delivered judgment and, unsurprisingly, again given the broadest possible interpreta
The CNIL fined Criteo €60 million. For what exactly isn’t clear yet. “The publicly-traded adtech company said in a financial filing today that it has been hit with a proposed fine of roughly $65.4m for alleged breaches of the EU’s sweeping General Data Protection Regulation (GDPR). The news comes some two years after France’s data privacy body Commission Nationale de l’Informatique et des Libertés (CNIL) launched an investigation into the company’s data practices.”
—
“On 26 July 2022, the Lower Saxony data protection authority announced that it has imposed a fine of 1.1 million euros on Volkswagen due to GDPR violations.”
—
A former health adviser pleaded guilty in Coventry Magistrates Court “to 6 counts of unlawfully obtaining personal data, in breach of s170 of the Data Protection Act 2018. He was ordered to pay £250 compensation to each data subject, totalling £3,000.”
-
“Monitoring is often not limited to school hours despite parent and student concerns: Students and parents are the most comfortable with monitoring being limited to when school is in session, but monitoring frequently occurs outside of that time frame. Stakeholders demonstrate large knowledge gaps in how monitoring software functions: There are significant gaps between what teachers report is communicated about student activity monitoring, often via a form provided along with a school-issued device, and what parents and students retain and report about it.” From ‘Hidden Harms The Misleading Promise of Monitoring Students Online’, a report by Elizabeth Laird, Hugh Grant-Chapman, Cody Venzke and Hannah Quay-de la Vallee for the Center for Democracy & Technology.
-
“(1) Criteo creates highly invasive, granular profiles of people without telling them. That’s unlawful. (2) It considers that pseudonymising people’s data means they can’t know who individuals are and therefore it’s all fine. That’s not true - they know exactly who people are, because at the heart of their services is "individual shopper level” prediction. (3) They do cross-device tracking and get more from other data brokers, developing an incredibly fine-grained view of most of an individual’s activities through the day. That’s also unlawful, as no one’s told where all this data comes from.“ From this thread on Twitter from Privacy International on the Criteo fine mentioned above.
-
“Apple’s privacy changes and Google’s upcoming deprecation of third-party cookies have had a huge impact on the viability of many ad-targeting mechanisms – even if the more cynical of us may say that, given the scale of these businesses’ access to first-party data, their true aim is less altruistic and more akin to a power grab,” Evans adds. “But, in any case, hopefully we can soon all welcome a world in which a privacy-aware public can enjoy greater transparency and a fairer value exchange, the results of a kinder, fairer means of marketing.” From ‘What is AdTech and why is it at the heart of a regulation storm?’ by Carly Page for ITPro.
—
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.