Privacy Kit

August 1, 2022

Free Coffee And A Doughnut | The Cat Herder, Volume 5, Issue 29

August 1 · Issue #191
The Cat Herder
Lots of regulatory bits and bobs, cops and DNA, whatever became of the largest fine imposed to date under the GDPR, and data brokers say ‘if you don’t do it, someone else probably will’. So that’s why they do it.
😼

Presented without comment.
Toronto Star
@TorontoStar
Tim Hortons has reached a proposed settlement in multiple class action lawsuits alleging the restaurant’s mobile app violated customer privacy, which would see the restaurant offer a free coffee and doughnut to affected users.

https://t.co/UgMUIorZqx
1:05 PM - 31 Jul 2022
The settlement, negotiated with the legal teams involved in the lawsuits, still requires court approval.
The coffee and doughnut chain would also permanently delete any geolocation information it may have collected between April 1, 2019 and Sept. 30, 2020, and direct third-party service providers to do the same.
“We think that it’s a favourable settlement because it offers compensation that has a real value,” said Joey Zukran, a lawyer with the Montreal-based law firm LPC Avocat Inc., which filed the class action in Quebec.
“Privacy cases across Canada are never guaranteed a win,” he said. “Here we have some form of guarantee, some form of recovery … as opposed to uncertainty that could last.”
Tim Hortons offers coffee and doughnut as proposed settlement in class action lawsuit | The Star
www.thestar.com
Tim Hortons says it has reached a proposed settlement in multiple class action lawsuits alleging the restaurant’s mobile app violated customer privacy which would see the restaurant offer a free coffee and doughnut to affected users.
Big stores of personal data are almost irresistibly attractive to law enforcement agencies.
“The New Jersey Monitor believe the public would be shocked by what has occurred in OPD’s client’s case and that law enforcement agencies are skirting warrant requirements in this way,” a section of the lawsuit reads. “It also believes that parents in particular would be shocked to learn that their children’s blood samples are being stored by the Department of Health for more than twenty years and are being accessed by law enforcement agencies without their knowledge or consent so that their DNA could be analyzed.”
NJ police used baby DNA to investigate crimes, lawsuit claims - The Verge
www.theverge.com
A lawsuit claims that New Jersey State Police are using blood samples drawn from newborn babies under medical screening laws to perform DNA analysis used to link suspects to crimes.
The Irish Government is going to appoint two new commissioners to the Data Protection Commission.
—
In other DPC news “the EDPB adopted a dispute resolution decision on the basis of Art. 65 GDPR. The binding decision seeks to address the lack of consensus on certain aspects of a draft decision issued by the Irish SA as lead supervisory authority (LSA) regarding Instagram (Meta Platforms Ireland Limited (Meta IE)) and the subsequent objections expressed by some of the concerned supervisory authorities (CSAs).”
—
The EDPB also adopted letters in response to BEUC and Access Now concerning TikTok. “In these letters, the EDPB highlights the swift action taken by the Irish, Italian and Spanish Supervisory Authorities (SAs) following TikTok’s announcement that it would no longer seek users’ consent to send personalised advertisements, but that the legal basis for this would be the legitimate interest of TikTok and its partners. As a result of these actions, TikTok announced that it would pause the change in the legal basis used for personalised ads.”
—
The EDPB and EDPS issued a Joint Opinion on the Council’s client-side scanning proposal [direct link to PDF]. They’re not huge fans of the proposal. “While the EDPB and EDPS welcome the Commission’s efforts to ensure effective action against child sexual abuse online, they consider that the Proposal raises serious data protection and privacy concerns. Therefore, the EDPB and EDPS would invite the co-legislators to amend the proposed Regulation, in particular to ensure that the envisaged detection obligations meet the applicable necessity and proportionality standards and do not result in the weakening or degrading of encryption on a general level.”
—
The CNIL fined car rental firm UBEEQO International €175,000 for “failure to comply with the obligation to ensure data minimisation (Article 5.1.c of the GDPR), failure to define and respect a proportionate data retention period (Article 5.1.e of the GDPR) and failure to inform individuals (Article 12 of the GDPR).”
—
On a related note the supervisory authorities of Latvia, Lithuania and Estonia announced a “coordinated inspection of the compliance of personal data processing in the field of short-term vehicle rental”.
—
The Lower Saxony data protection commissioner fined Hannoversche Volksbank €900,000 for profiling of customers without a lawful basis.
  • ‘Ultimately though, these minor hurdles can be bypassed by just cutting Liveramp out of the equation entirely and going directly to the smaller broker selling that data instead. This approach is “a zillion times easier,” said a product manager working for one popular data broker, who spoke on the condition of anonymity. Pregnancy data is poised to be a huge boon for law enforcement in the post-Roe era. If you’re a cop, the product manager said, it’s as easy as “filling out [a broker’s] ‘contact us’ form and ask how much it costs. Maybe they say ‘ACAB, pound sand!’ But more likely, they’ll say ‘Put another zero after it, and see if we say yes.’” “This is purely speculative, but there’s clearly precedent in this industry for selling to law enforcement,” he went on. “And if you don’t do it, someone else probably will.”’ From ‘These Companies Know When You’re Pregnant—And They’re Not Keeping It Secret’ by Shoshana Wodinsky and Kyle Barr.
  • This Twitter thread by Alex Seabrook about “Bristol council staff monitoring the social media of parents of children with special needs. A dossier sent to council chiefs included critical posts, and even personal wedding photos.” (Nitter link should you wish to avoid Twitter’s tracking etc.)
  • “It is up to the discretion of DPAs if they want to publish the decisions they make—it is not mandatory. Some DPAs that do publish have expressed frustration with those that do not, claiming the lack of disclosure leads to a lack of transparency and confusion about how individual EU states interpret and enforce the GDPR. The CNPD did not respond to a request for comment.” From ‘One year later, Amazon GDPR fine details remain clouded’ by Neil Hodge for Compliance Week.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
