August 29, 2021
"get used to living in a regulatory crisis" | The Cat Herder, Volume 4, Issue 33
| |
| August 29 · Issue #146 · View online |
|
|
Another investigation into the PSC, the UK diverges, there’ll be a response “in due course”. 😼
|
|
|
|
|
You won't get a clearer example of why the UK still needs robust privacy regulations, and enforcement, than the fact that sloppy data security on a gun aficionados' site has caused a database of gun owners, mapped to home addresses, to fall into the hands of people who want guns. https://t.co/Oh8DKrJZlV
|
|
|
|
|
|
|
Bad news about the Guntrader hack. Somebody has plotted the list of 111,000 UK firearms owners' addresses as a Google Earth file - on a site for hunt saboteurs. This is a worst case scenario.
|
|
|
|
|
|
An interesting thread from Philip Boucher-Hayes about a carefully-worded statement from the Garda Press Office in February 2020 concerning the use of Clearview AI by An Garda Síochána.
|
|
|
|
Someone in An Garda Siochana has got a bit of explaining to do. Short thread.
In Feb 2020 I asked @ if they were using the Artificial Intelligence facial recognition app Clearview.
They said … https://t.co/N9i9fkzTt6
|
|
|
|
The response the Garda Press Office gave to Buzzfeed News was, well, not a response.
|
|
Clearview AI Offered Free Facial Recognition Trials To Police All Around The World
As of February 2020, 88 law enforcement and government-affiliated agencies in 24 countries outside the United States have tried to use controversial facial recognition technology Clearview AI
|
So we await the response to the questions Boucher-Hayes has raised about the response and also the response to Buzzfeed News which will issue “in due course”. We may be waiting quite some time.
|
|
|
|
|
Dowden has said that the emergency data sharing that was waived through during the pandemic — when the government used the pressing public health emergency to justify handing NHS data to a raft of tech giants — should be the “new normal” for a post-Brexit U.K. So, tl;dr, get used to living in a regulatory crisis. The lurking iceberg for government is of course that if it wades in and rips up a carefully balanced, gold standard privacy regime on a soundbite-centric whim — replacing a pan-European standard with “anything goes” rules of its/the market’s choosing — it’s setting the U.K. up for a post-Brexit future of domestic data misuse scandals.
|
|
|
|
|
The DPC announced it had opened another investigation into the Public Services Card system.
|
The new complaints to the Data Protection Commission were made by Digital Rights Ireland. It alleges that the database underpinning the Public Services Card was unlawfully made available to DPER and is being used by DPER in a manner that is not consistent with data protection rights. The complaints also alleges that DPER has no lawful basis to process individuals personal data and that DPER is carrying out this processing without transparency. In a letter to Digital Rights Ireland on 21 July, the Data Protection Commission confirmed it had decided to begin an inquiry centering on the processing activities undertaken by DPER via the Single Customer View and MyGovID.
|
|
|
|
|
For any of you who may have forgotten just how aggressively stubborn the State has been when it comes to the PSC it’s worth revisiting a pair of pieces by Karlin Lillington. One from September 2019 -
|
the State has long-term form in bone-headedly pursuing massive data collection projects that it insists are just fine, despite threats and rulings from the regulator, and despite warnings from people who are more familiar with data protection and privacy law than Ministers, the civil service or the attorney general (numerous international experts also have criticised the card).
|
Public Services Card debacle headed for legal slapdown at our expense
Ireland has been here before, and it seems the State took nothing from the lesson
|
and one from January 2020 -
|
Notably, other departments beyond the PSC’s two most ardent advocates – social protection, and public expenditure and reform – have quietly abandoned use of the card in line with the DPC’s findings. It is worth noting that social protection has not challenged the factual basis for the findings in the report, but only the enforcement notice that has followed months later. Wilfully or not, the department failed to bring a judicial appeal to dispute the report’s findings within the required three-month deadline.
|
Government is hanging taxpayers out to dry in row over public services card
Net Results: Department’s legal challenge to enforcement order on the card is crass
|
There is a reasonably straightforward way out of this for the State. It could legislate to provide a proper lawful basis for the whole Public Services Card-MyGovID-Single Customer View system, since it seems determined to retain it in its misshapen and mostly purposeless form. This has been an option for as long as the system has been in existence. It has been an option for the four years since the DPC opened its first (still incomplete) investigation. But officials and ministers have preferred instead to scry their way through existing legislation seeking out promising-looking clauses and sentences here and there which they feel might provide a lawful basis.
|
In August 2019, just after the first DPC investigation report was delivered to the Department of Social Protection, Leo Varadkar, then Taoiseach and currently minister for good vibes and Electric Picnics, made some noises about doing this. |
|
Questioned during a weekend visit to the Fleadh Cheoil na hÉireann in Drogheda, the Taoiseach said: “There will need to be some changes around the retention of data, transparency and strengthening the legal basis of the Public Services Card.”
|
Curiously enough this was the last we heard about strengthening the legal basis.
|
Since legislation has been an obvious option for many years it seems reasonable to conclude that nobody involved in the ill-starred project is confident that such legislation would be passed by the Oireachtas.
|
|
|
|
|
The IE SA shall adopt its final decision, addressed to the controller, on the basis of the EDPB decision, without undue delay and at the latest one month after the EDPB has notified its decision. The EDPB will publish its decision on its website without undue delay after the IE SA has notified their national decision to the controller.
|
Today is August 29th. Tick-tock.
|
|
|
-
“Of these issues, perhaps the most surprising to find still unsolved is privacy. Outside of the digital realm, we make multiple privacy decisions a day and typically find them obvious enough that we barely notice they’re there. Is it okay to read that stranger’s DMs over their shoulder? Can I recount that intimate detail that a friend shared with me? Will my doctor repeat what I tell them of my symptoms to my boss?” From ‘Pushing Back Against Privacy Infringement On The Web’ by Robin Berjon for Smashing Magazine.
-
“The European Commission has earmarked October 2022 as the time by which EU nations should agree on the technical details of the European Digital Wallet, as well as the standards to be put in place to ensure that the initiative is in no way abused. In this context, questions remain as to how the eventual uptake of the European Digital Wallet can be fostered at a time in which the hazards of online identity tools have been brought to the fore, particularly in terms of how such verification systems could be used against the interests of consumers in the social media space, as well as the pitfalls of identification databases falling into the wrong hands, such as in Afghanistan.” From ‘The rocky road to European digital identities’ by Samuel Stolton for tech.eu.
-
“I encourage everyone to set aside personal feelings around January 6 for a moment and once again look at the amount of power an angry government can bring to bear on a protest movement retroactively, using the permanent record created by social media surveillance as a weapon.” A Twitter thread by Maciej Cegłowski about state surveillance capabilities in the age of the permanent social media record.
|
|
|
|
|
If you know someone who might enjoy this newsletter do please forward it on to them.
|
|
Did you enjoy this issue?
|
|
|
|
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
|
|
|
|
Privacy Kit, Made with 💚 in Dublin, Ireland
|
|
|
Another investigation into the PSC, the UK diverges, there’ll be a response “in due course”.
😼
—
An interesting thread from Philip Boucher-Hayes about a carefully-worded statement from the Garda Press Office in February 2020 concerning the use of Clearview AI by An Garda Síochána.
The response the Garda Press Office gave to Buzzfeed News was, well, not a response.
As of February 2020, 88 law enforcement and government-affiliated agencies in 24 countries outside the United States have tried to use controversial facial recognition technology Clearview AI
So we await the response to the questions Boucher-Hayes has raised about the response and also the response to Buzzfeed News which will issue “in due course”. We may be waiting quite some time.
The UK has rather unsubtly signalled that it’ll be watering down data protection rights in favour of innovation. Innovation is industry shorthand for getting rid of pesky regulation. In announcing this move the Secretary of State for Digital, Culture, Media and Sport Oliver Dowden took aim at cookie consent banners. Which have not a huge amount to do with the GDPR, but whatever. This UK government and reality have long since parted company.
Techcrunch: ‘UK names John Edwards as its choice for next data protection chief as gov’t eyes watering down privacy standards’
The DPC announced it had opened another investigation into the Public Services Card system.
RTE: ‘Watchdog opens new investigation into Public Services Card’
Simon McGarr has a thread on Twitter explaining the ins and outs of this latest investigation.
For any of you who may have forgotten just how aggressively stubborn the State has been when it comes to the PSC it’s worth revisiting a pair of pieces by Karlin Lillington. One from September 2019 -
Ireland has been here before, and it seems the State took nothing from the lesson
and one from January 2020 -
Net Results: Department’s legal challenge to enforcement order on the card is crass
There is a reasonably straightforward way out of this for the State. It could legislate to provide a proper lawful basis for the whole Public Services Card-MyGovID-Single Customer View system, since it seems determined to retain it in its misshapen and mostly purposeless form. This has been an option for as long as the system has been in existence. It has been an option for the four years since the DPC opened its first (still incomplete) investigation. But officials and ministers have preferred instead to scry their way through existing legislation seeking out promising-looking clauses and sentences here and there which they feel might provide a lawful basis.
In August 2019, just after the first DPC investigation report was delivered to the Department of Social Protection, Leo Varadkar, then Taoiseach and currently minister for good vibes and Electric Picnics, made some noises about doing this.
Curiously enough this was the last we heard about strengthening the legal basis.
Since legislation has been an obvious option for many years it seems reasonable to conclude that nobody involved in the ill-starred project is confident that such legislation would be passed by the Oireachtas.
On the July 28th of this year the EDPB adopted an Article 65 decision regarding WhatsApp Ireland. The last paragraph of the press release reads
Today is August 29th. Tick-tock.
-
“Of these issues, perhaps the most surprising to find still unsolved is privacy. Outside of the digital realm, we make multiple privacy decisions a day and typically find them obvious enough that we barely notice they’re there. Is it okay to read that stranger’s DMs over their shoulder? Can I recount that intimate detail that a friend shared with me? Will my doctor repeat what I tell them of my symptoms to my boss?” From ‘Pushing Back Against Privacy Infringement On The Web’ by Robin Berjon for Smashing Magazine.
-
“The European Commission has earmarked October 2022 as the time by which EU nations should agree on the technical details of the European Digital Wallet, as well as the standards to be put in place to ensure that the initiative is in no way abused. In this context, questions remain as to how the eventual uptake of the European Digital Wallet can be fostered at a time in which the hazards of online identity tools have been brought to the fore, particularly in terms of how such verification systems could be used against the interests of consumers in the social media space, as well as the pitfalls of identification databases falling into the wrong hands, such as in Afghanistan.” From ‘The rocky road to European digital identities’ by Samuel Stolton for tech.eu.
-
“I encourage everyone to set aside personal feelings around January 6 for a moment and once again look at the amount of power an angry government can bring to bear on a protest movement retroactively, using the permanent record created by social media surveillance as a weapon.” A Twitter thread by Maciej Cegłowski about state surveillance capabilities in the age of the permanent social media record.
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
