Privacy Kit

April 18, 2021

False Or Misleading | The Cat Herder, Volume 4, Issue 14

April 18 · Issue #127
The Cat Herder
Finally, some Article 80 action. Finally, some movement towards improved transparency and accessibility in data protection notices.
😼

Luca Belli
@1lucabelli
I missed this tragicomic news:

Apparently Zuckerberg joined #Signal (perhaps, he does not agree with #Whatsapp’s privacy policy update)

Researchers were able to identify him on Signal because his phone number and #personaldata are among the 533 million leaked by #Facebook… https://t.co/3hmTMFpYZR
6:50 PM - 17 Apr 2021
If Mark was in the EU he could consider joining Digital Rights Ireland’s Article 80 action against Facebook.
Article 80 allows a “not-for-profit body, organisation or association” which “is active in the field of the protection of data subjects’ rights and freedoms with regard to the protection of their personal data” to lodge complaints with a supervisory authority (already done) and to seek an effective judicial remedy against a data controller including compensation for material and non-material damage on behalf of a single data subject or a group of data subjects.
This is another mechanism by which individuals can attempt to hold data controllers to account and is entirely separate and without prejudice to any sanction which may be issued by the supervisory authority.
More
RTÉ: ‘Mass legal action against Facebook over data breach’
Irish Times: ‘Thousands urged to sue Facebook in mass action over leaked data’
It is unclear for what purpose the more historic of the data is being held, given the relatively short period of infection of coronavirus.
Details held for all contacts include name, phone number, address and eircode, and mother’s maiden name, while data for positive cases includes occupation, ethnic background, underlying conditions, pregnancy, and international travel history.
This is a lot of personal information which is “expected to be held until at least the end of the pandemic”. As well as the purpose being unclear, the full list of entities the personal data may be being shared with is also vague.
Ms O’Beirne said that the data collected via the contact management programme is “being used to provide information and insights to support the work of the National Public Health Emergency Team, the Health Protection Surveillance Centre, the Department of Health, and other key decision-making forums”.
Over 5.1m records on HSE's contact tracing database
www.irishexaminer.com
The information on the database is expected to be held until at least the end of the pandemic
—
I might as well simply repeat here what was in last week’s newsletter since another week has gone by and the Department of Health has not published the Independent Expert Review. Nor has it made any further statements about the entire issue of compiling and updating dossiers on autistic children and their families.
Back on April Fools’ Day in his second open letter to unspecified “statekeholders” the interim Secretary General of the Department of Health wrote:
The department is committed to publishing the Independent Expert Review by an external Senior Counsel, that was commissioned after allegations were brought to the attention of the department last year. Due to legal implications, including protocols around publishing a protected disclosure and the department’s desire to protect the rights of the discloser, the department is continuing to engage with legal counsel and aims to publish the report next week.
Perhaps this commitment was a prank because there has been no sign of the publication of the Independent Expert Review in the interim. Nor has there been any further communication from the Department about its “normal practice” of compiling dossiers on autistic children and their families.
An update to England and Wales’s contact tracing app has been blocked for breaking the terms of an agreement made with Apple and Google.
The plan had been to ask users to upload logs of venue check-ins - carried out via poster barcode scans - if they tested positive for the virus. This could be used to warn others.
The update had been timed to coincide with the relaxation of lockdown rules.
But the two firms had explicitly banned such a function from the start.
Under the terms that all health authorities signed up to in order to use Apple and Google’s privacy-centric contact-tracing tech, they had to agree not to collect any location data via the software.
NHS Covid-19 app update blocked for breaking Apple and Google's rules - BBC News
www.bbc.com
Apple and Google’s rules state that no location data from app users can be shared.
Of concern here is the broader issue that data protection and privacy standards are now being enforced by multinational corporations, when it suits them, and for as long as it suits them.
—
The government has been warned by its own equalities watchdog that covid-status certificate schemes or “vaccine passports” could be discriminatory, it has been reported.
Ministers are considering whether the documents could be required as a condition for entry for public spaces such as sports events or – despite significant opposition from Tory MPs as well as Labour and the Lib Dems.
The certificates are expected to allow users to display whether they have received a vaccine, undertaken a recent test or have antibodies.
However, the Equality and Human Rights Commission is reported to have told the Cabinet Office that such a measure would create a “two-tier society” in the UK.
Covid: Government ‘told vaccine passports could be unlawful by rights watchdog’ | The Independent
www.independent.co.uk
Risk of discrimination is a sticking point as ministers consider schemes for protecting public spaces such as sports stadiums
Misleading? Confusing? Surely not
The Court ruled that when consumers created a new Google Account during the initial set-up process of their Android device, Google misrepresented that the ‘Location History’ setting was the only Google Account setting that affected whether Google collected, kept or used personally identifiable data about their location. In fact, another Google Account setting titled ‘Web & App Activity’ also enabled Google to collect, store and use personally identifiable location data when it was turned on, and that setting was turned on by default.
In a court decision announced during the week in a case taken against Google by the Australian Consumer Competition & Consumer Commission the “Federal Court found that a number of representations published by Google LLC to Australian consumers between January 2017 and December 2018 were false or misleading and that Google LLC engaged in misleading or deception [sic] conduct, in contravention of the Australian Consumer Law.”
Now might be a good time to revisit some of the quotes from Google staff in relation to this, which were revealed in partially unredacted documents in a consumer fraud suit in Arizona last August.
  • “The current UI feels like it is designed to make things possible, yet difficult enough that people won’t figure it out.”
  • “Some people (including even Googlers) don’t know that there is a global switch and a per-device switch.”
  • “Indeed we aren’t very good at explaining this to users. Add me to the list of Googlers who didn’t understand how this worked and was surprised when I read the article … we shipped a UI that confuses users.”
  • “I agree with the article. Location off should mean location off, not except for this case or that case.”
  • “I thought I had location tracking turned off on my phone. So our messaging around this is enough to confuse a privacy focused (Google software engineer). That’s not good.”
On Tuesday the DPC announced an own-volition inquiry into the large Facebook data breach. The size of which still appears to be fluctuating and which Facebook maintains is not a data breach.
—
The Hamburg authority—each German state has a privacy regulator, whereas other EU countries have only a national authority—initiated the GDPR’s seldom-used urgency procedure to “protect the rights and freedoms of German users.” It said it feared the changes would allow WhatsApp to “expand data transfers with Facebook for marketing purposes and direct advertising,” on top of the data sharing that already takes place for security and product improvement.
The Hamburg DPA said it would be using the Article 66 urgency procedure mechanism for a second time in response to what it sees as an inadequate response from the DPC, this time to address the upcoming changes Facebook is making to the WhatsApp terms of service.
—
The information notices used by companies, public bodies, websites, social networks and search engines are often lengthy and complex and therefore cannot fulfil their essential function, which is informing data subjects about how their personal data will be used and allowing them where appropriate to give their free, informed consent to the processing of their data for whatever purpose – be it marketing, profiling, or the disclosure of information to third parties.
The Italian DPA announced a contest open to anyone to submit a set of symbols or icons “that can represent all the items that must be contained in an information notice under Articles 13 and 14 of the GDPR.”
This move has been presumably prompted by Apple’s recent introduction of privacy ‘nutrition labels’. And is a very good thing which shouldn’t have taken almost three years since the introduction of the GDPR to happen as the GDPR explicitly mentions the use of icons to convey information in Article 12.7.
—
The DPC wrote to Sinn Féin with some questions about what it might or might not be doing with the personal data of voters in Ireland. It’ll be interesting to see where this goes as these things have a habit of rapidly broadening out from an examination of the use of personal data by one political party into an examination of the use of personal data by all of ‘em.
  • “Rather than thinking about vaccine passports as temporary, isolated, public health-related measures, we should view them as just one example of how the pandemic is accelerating the rollout of digital identity infrastructure.” Elizabeth Renieris looks at ‘What’s Really at Stake with Vaccine Passports’ for the Center for International Governance Innovation. In Ireland the personal data being collected and / or matched by the HSE’s vaccination portal which launched last week is going to form the basis of this new identity infrastructure.
  • “But at the same time, the tech and ad industries have taken a hands-on approach to shape state legislation. Mostly, industry has advocated for two provisions. The first is an opt-out approach to the sale of personal data or using it for targeted advertising, which means that tracking is on by default unless the customer finds a way to opt out of it. Consumer advocates prefer privacy to be the default setting, with users given the freedom to opt in to certain uses of their data. The second industry desire is preventing a private right of action, which would allow consumers to sue for violations of the laws.” From ‘Big Tech Is Pushing States to Pass Privacy Laws, and Yes, You Should Be Suspicious’ by Todd Feathers for The Markup.
  • “Data brokerage is a threat to democracy. Without robust national privacy safeguards, entire databases of citizen information are ready for purchase, whether to predatory loan companies, law enforcement agencies, or even malicious foreign actors. Federal privacy bills that don’t give sufficient attention to data brokerage will therefore fail to tackle an enormous portion of the data surveillance economy, and will leave civil rights, national security, and public-private boundaries vulnerable in the process.” From ‘Data Brokers Are a Threat to Democracy’ by Justin Sherman in Wired.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
