Privacy Kit

July 14, 2019

"Google hasn’t done that because it would look creepy" | The Cat Herder, Volume 2, Issue 26

A busy week so let's get straight into it. 😼
 
July 14 · Issue #42

An LPR-based startup called 5Thru told the Times that its cameras and technology were being trialled in the drive-thrus of several restaurant chains, and it expects to have its first major contract “by the end of next year.”
Fast Food Restaurants Might Start Scanning Customers' License Plates - VICE
www.vice.com
We’ve seen every episode of ‘Black Mirror’ and have a feeling this won’t end well.
From a story about the difficulties the legal system in Ireland is having in issuing penalty points for speeding, we discover the Department of Transport, Tourism and Sport is “developing the licence record project which will provide a link between vehicle registration numbers and driving licence numbers.”
Even after several days of head-scratching and chin-rubbing we haven’t a clue what the department is hoping to achieve with this. Anyone?
Yes they did.
Surprise! The revelations that an internet-enabled device with a microphone in it may be recording things you mightn’t have expected it to and then sharing these recordings with employees of a large social surveillance company continue. It’s Google this week.
Google employees are eavesdropping, even in your living room, VRT NWS has discovered | Flanders News
www.vrt.be
VRT NWS has discovered that Google employees listen to audio picked up by smart speakers and Google Assistant, even when it was never intended for Google.
Wired did a bit of follow-up reporting. Google don’t appear to be meeting the transparency requirements of the GDPR at all here.
Michael Veale, a technology policy researcher at the Alan Turing Institute in London, says those disclosures don’t appear to meet GDPR requirements even for data not considered sensitive. The group of national data protection regulators in charge of applying GDPR has said companies must be transparent about data they collect and how it is processed. “You have to be very specific on what you’re implementing and how,” Veale says. “I think Google hasn’t done that because it would look creepy.”
Google has “activated” their impressive-sounding “Security and Privacy Response teams” to identify the source of the leak of “confidential Dutch audio data.”
They also notified the Data Protection Commission of a data breach on Thursday evening, which may prompt an investigation of a different sort.
Some of the long awaited massive fines finally arrived.
Rossa McMahon (@rossamcmahon)
2016: #DataProtection is getting serious! There will be enforcement & fines!

2017: Data protection is getting serious! Enforcement & fines!

2018: Data protection is serious now, enforcement & fines!

2019: Golly, enforcement & fines! GDPR has unintended consequences.
12:39 PM - 10 Jul 2019
The ICO issued a notice of intent to fine British Airways £183.39m under GDPR for a data breach which impacted around half a million data subjects.
More:
‘Looking beyond the hype of the BA fine’, Des Ward
—
The ICO issued a notice of intent to fine Marriott International, Inc more than £99 million under GDPR for a data breach in which “339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).”
More:
‘GDPR fines: where will BA and Marriott’s £300m go?’, Mark Sweney, The Guardian
—
Based on the level of fine the ICO has indicated, Marriott will presumably be feeling they got off lightly with a fine of 1.5 million Turkish Lira (circa €232,610) from the Turkish Personal Data Protection Board.
—
As if it wasn’t a busy enough week already, the ICO also published their annual report for the twelve months to 31st March 2019.
—
The twelfth plenary session of the European Data Protection Board took place during the week. Guidelines on video surveillance and a number of other topics were adopted and discussed.
—
According to multiple reports the FTC will fine Facebook $5 billion for various privacy violations. Facebook’s stock immediately went up on this news. As Nilay Patel put it in The Verge, “the biggest FTC fine in United States history increased Mark Zuckerberg’s net worth.”
Bloomberg reports that
DNA-testing service Vitagene Inc. left thousands of client health reports exposed online for years, the kind of incident that privacy advocates have warned about as gene testing has become increasingly popular.
More than 3,000 user files remained accessible to the public on Amazon Web Services cloud-computer servers until July 1, when Vitagene was notified of the issue and shut down external access to the sensitive personal information, according to documents obtained by Bloomberg. The genealogy reports included customers’ full names alongside dates of birth and gene-based health information, such as their likelihood of developing certain medical conditions, a review of the documents showed.
Meanwhile, in Ireland, The Irish Times reports that
Two senior US politicians have expressed national security concerns about a US-based company with links to China that owns the Irish business that wants to collect the DNA of 400,000 Irish citizens.
GMI’s statement on data transfers in this story doesn’t appear to entirely agree with what’s contained in their privacy notice. Here’s what they told The Irish Times:
A spokesman for GMI said it collected data on a pseudonymous basis that was encrypted and stored in a database housed in Ireland.
Here’s what their privacy notice says:
WILL YOUR DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN ECONOMIC AREA (EEA)?
Some of our commercial partners and authorised research groups may be located outside the EEA. These approved third parties can remotely access and read select de-identified datasets to address a specific research question but never download any data. This is called a data transfer, even though no data actually moves outside of our database.
We will implement technical and organisational measures to protect your personal data and ensure it is transferred in accordance with the requirements of the GDPR. This may involve the use of data transfer agreements in the form approved by the European Commission (known as standard contractual clauses) or the use of other mechanisms recognised by EU data protection law as ensuring protection for personal data transferred outside the EEA.
We do not allow access to any data for marketing or insurance purposes.
Intimating in your privacy notice that your data transfers aren’t realllly data transfers is an interesting approach to take and not one that’s likely to stand up to scrutiny.
Rossa McMahon writes about a recent decision of the Data Protection Commissioner in relation to one aspect of the data processing operations of the Department of Employment Affairs and Social Protection:
The decision is very welcome and represents a significant challenge to the extensive and comprehensive data-gathering activities of DEASP and, indeed, other statutory bodies. It highlights the fact that the mere existence of a statutory provision or function is not sufficient to justify demands for personal data which go beyond that provision or which are not adequately explained or justified. While the decision concerns child benefit eligibility certificates in particular, it has relevance beyond those forms to many data-gathering activities of DEASP and other State bodies.
When read alongside the commissioner’s recent remarks at an event in Israel, as reported in The Sunday Business Post last week, one can’t help feeling that the department is close to exhausting the commissioner’s patience.
  • Schrems II landed in Luxembourg during the week. Jennifer Baker covered it for the IAPP.
  • “As for the US, does it now take EU privacy seriously? Good question. This week, US state and business lawyers, including Facebook’s, still presented the usual circular argument that business shouldn’t be impeded by anti-surveillance privacy protections, because … they will impede business. As if the problem were the privacy safeguards, rather than the surveillance.” Karlin Lillington on the same subject for The Irish Times.
  • “Life360, a location-sharing app aimed at families, is apparently ruining the lives of teenagers all across the United States. The service allows parents to track their kids’ whereabouts in real time, among other features. As one girl with long blond hair jokes in a popular TikTok clip, it’s set her summer vacation on fire.” Louise Matsakis reports for Wired.
  • 🐦This Twitter thread by @Iwillleavenow on the latest dystopian employee surveillance toolkit to emerge from a research project that really shouldn’t have ever begun. Just because you can do it doesn’t mean that you should do it.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.