Privacy Kit

June 30, 2019

Illegal In Illinois | The Cat Herder, Volume 2, Issue 24

June 30 · Issue #40
The Cat Herder
Plans, enforcement notices and some fines from supervisory authorities, gaslighting from Google, and a cute robot dog which collects enough biometric information to make it illegal in Illinois.
😼

For the second week in a row Google gets the coveted top spot in this newsletter, again awarded for sheer brazenness rather than spectacular stupidity. Because the folks at Google certainly aren’t stupid.
Lawmakers expressed disbelief on Tuesday when a Google executive told a Senate panel that the company does not use persuasive techniques targeted at its users.
Maggie Stanphill, Google’s director of user experience, during a Senate Commerce technology subcommittee hearing, told the panel, “No, we do not use persuasive technology at Google.”
Senators spar with Google exec over use of 'persuasive technology' | TheHill (thehill.com)
There’s a video clip of one of these exchanges here.
Audrey Watters (@audreywatters), 5:12 PM - 25 Jun 2019:
Gmail literally has a feature Google describes as “Nudging” https://t.co/J63S2AjuLU
https://twitter.com/audreywatters/status/1143552625687744513
The NAIH in Hungary imposed a couple of fines, one small one of ~€310 for late notification of a data breach and one far more significant one of ~€100,000 to a festival organiser for extremely disproportionate screening of attendees, including photographing attendees and photocopying identification documents. The data controller was relying on legitimate interests for some of this processing and a balancing test of sorts appears to have been carried out, but the NAIH found this test to be entirely inadequate. Remember kids, saying “legitimate interests” isn’t a magic incantation which allows you to ignore your data protection obligations.
—
The ICO issued a brace of enforcement notices to the Metropolitan Police over their subject access request backlog. There are over 1,100 open requests and almost 680 of these are over three months old.
—
The CNIL has “decided to make targeted online advertising a priority topic for 2019.”
New guidelines on consent to accept cookies will be out next month. Data controllers will have twelve months to bring their activities into line with these. The TL;DR version is that taking an action such as scrolling, browsing, or swiping to continue use of a website or app is no longer an acceptable means of acquiring consent for any data controller.
A stakeholder consultation will run throughout the rest of 2019 “to outline practical arrangements for collecting consent”. The CNIL hopes to make the outputs of these consultations available as recommendations for public consultation by the end of the year.
—
The Swedish Data Protection Authority published a supervisory plan for 2019-2020. Areas of focus include:
  • The controller - processor relationship
  • How the GDPR interacts with national legislation governing processing of sensitive data
  • Data processing in the employer - employee relationship
  • Processing of children’s data by educational institutions and educational service providers
  • Retail sector loyalty programs
  • Mobile location data processing
—
The Garante issued a €1 million fine to Facebook over the Cambridge Analytica affair. This is the largest fine Facebook has been hit with thus far over that particular incident.
—
The Data Protection Commission of Ireland updated their ‘Five Steps to Secure Cloud-based Environments’ guidance note.
It will. It probably already is.
“They need to do more. They should be addressing this up front. That’s why they approached me at the beginning of this operation to be their consultant and embed privacy by design into this new smart city. I told them I would be a thorn in their side if they didn’t offer the strongest privacy protections. They said that was okay…and then they walked away from it. That’s what bothers me.”
Sidewalk Labs decision to offload tough decisions on privacy to third party is wrong, says its former consultant | IT World Canada News (www.itworldcanada.com)
After over two years of controversy, Sidewalk Labs finally presented a 1,500-page draft master smart city plan for a government-owned stretch of Toronto’s
Yes they did.
Google’s appetite for data is insatiable. Any opportunity to acquire any data will be taken. That’s all anyone needs to know.
On Wednesday, the University of Chicago, the medical center and Google were sued in a potential class-action lawsuit accusing the hospital of sharing hundreds of thousands of patients’ records with the technology giant without stripping identifiable date stamps or doctor’s notes.
Google and the University of Chicago Are Sued Over Data Sharing - The New York Times (www.nytimes.com)
The lawsuit demonstrates the tension between building A.I. systems and protecting the privacy of patients.
—
A cute robot dog with a camera in its nose which “can take photos of the inside of your home and store them in Sony’s cloud.” Can’t believe nobody foresaw there might be problems with that.
Yes, the robot dog ate your privacy - CNET (www.cnet.com)
The $2,900 Sony Aibo comes equipped with facial recognition cameras and always-listening microphones. So just how much of your personal data is it lapping up?
  • “A privacy notice is NOT A SODDING CONTRACT!! It should not look like, read like, or give the impression of being a contract. Privacy information is not a fig-leaf behind which the unsightly intimacies of data processing can be hidden, it’s a vehicle for the communication of important information about autonomy, rights, and responsibilities.” Miss IG Geek writes an open letter to lawyers. If you’ve only time to read one thing this week, make it this one.
  • “Online, advertisers show us ourselves. You’ve been categorised. The question you need to answer is: are you happy with the box someone else has put you in?”. In ‘Online you’re being weighed and measured and your data spread around’ Rowland Manthorpe provides an accessible summary of the implications and consequences of adtech and an industry powered by surveillance and inference.
  • On a similar theme - “the children were generally mystified as to why tech companies were interested in personal information they saw as quickly going out of date as they grew up.” Mike Wright covers the London School of Economics research project ‘Growing up in a digital age’ for The Telegraph. As part of the project the LSE has developed a comprehensive privacy toolkit for children, parents and educators which is available here.
  • Although our pals at Google insist they don’t do this, a Princeton University study titled ‘Dark Patterns at Scale: Findings from a Crawl of 11K Shopping Websites’ found abundant evidence of “user interface design choices that benefit an online service by coercing, steering, or deceiving users into making unintended and potentially harmful decisions” being deployed. The New York Times had a piece on the study’s findings.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to, then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
