Privacy Kit

September 15, 2019

In The Next Week Or So | The Cat Herder, Volume 2, Issue 35

The PSC clowning around continues. The timelines are stretched yet again. 😼
 
September 15 · Issue #51

Jeroen Terstegge
@PrivaSense
Nice to read that even the @EU_Commission acknowledges the fact that small and medium enterprises are suffering from bad advice by consultancies spreading incorrect information about the #GDPR and from additional national requirements. Now what are we going to do about that? https://t.co/TSGZGFbVQ2
7:26 PM - 11 Sep 2019
The clown car of government response to the ballooning Public Services Card disaster was driven down ever more fanciful avenues of whimsy this week. It stopped off at Dermot Ahern’s gate long enough for Regina Doherty to make a bizarre attempt to deliver the blame to him in a box with an outsize polka dot bow on top.
Mr. Ahern retired from politics in February 2011.
With a joyous honk, Paschal Donohoe pulled the car over to deliver a letter to the Oireachtas Finance Committee, informing them that he would not be appearing in front of the committee next week to answer questions about his department’s involvement in the series of increasingly poor decisions which has led us here. Minister Donohoe “wrote a letter to the chair of the committee to say that it would be inappropriate for him to comment on the matter when the Government is appealing the findings of the Data Protection Commissioner.”
To date, the government has not appealed anything.
It has huffed and puffed about appealing, certainly, but no less a person than An Taoiseach himself confirmed this lack of appeal yesterday, presumably while adjusting a colourful spinning bowtie and producing a bunch of flowers from his sleeve. He then reached up his other sleeve to produce “the law brought in by Fianna Fáil back in 1998”. That’s, umm, twenty one years ago.
Joking aside, the State’s efforts to undermine the findings of what is arguably the most important regulator in the European Union will not go unnoticed outside this country. The giant transnational social surveillance companies the DPC is responsible for supervising may have lobbied hard against the parts of the GDPR they didn’t like but that’s long in the past. What those companies who have opted to headquarter themselves in Ireland want is a clear understanding of how the DPC will enforce data protection law now and into the future. The State’s chaotic and incoherent reaction to adverse findings against one of its own pet projects, no matter how comical individual responses might appear, is deeply damaging.
More
The Journal put together a thirty minute podcast with Simon McGarr in which they “explore the development of the PSC over the past decade, how the cracks started to appear in the scheme, and why the public should be mindful of how their data is being used.”
‘Minister to publish Commission’s PSC report ‘in the next week or so’’, The Journal. The report in question was delivered to the Department of Employment Affairs and Social Protection on the 16th August with a request that the department publish it within seven days i.e. on or before the 22nd August. The 22nd August is twenty five days ago. Tomorrow marks a full calendar month since Minister Doherty’s department began this “will they, won’t they?” publication pantomime.
‘Passport Office deciding ‘on an ad hoc basis’ whether to renew documents without Public Services Card’, Irish Examiner
Just because it’s publicly available doesn’t mean it isn’t personal data and data protection rules don’t apply.
He and his team scraped YouTube videos to build a database, repurposing the clips as valuable analytic data. Some of the videos were uploaded by autism advocacy groups; others were uploaded by parents. Mandal notes that although children’s faces appear in the database, the software doesn’t scan their faces or identify them; it just uses machine learning to read their body language. But the children—and their parents—did not opt in to having their home videos used for scientific research.
Just because you’ve given your processing of special categories of personal data for profiling purposes a fancy name (“digital phenotyping”) doesn’t mean it isn’t personal data and data protection rules don’t apply.
Using passive social-media or smartphone data to infer someone’s health status or to study health dynamics broadly is called digital phenotyping, and it’s a growing field of study. Researchers are now using the great wealth of information that users provide to Facebook, Twitter, YouTube, and Instagram to create algorithms that might detect HIV, obesity, Parkinson’s disease, and suicide risk, allowing, they hope, for preventative interventions.
Breakthrough Autism Research Uses Social-Media Videos - The Atlantic
“Digital exhaust” from online life could be transformed into health insights. Should it be?
Oh yes it could
Surveillance As A Service. If the software is available there, it’s available here.
Nearby, on a dual-screen setup in the basement of his hillside home, Robert Shontell pulls up hundreds of snippets of footage captured by the cameras earlier that day. Each shows a car, time-stamped and tagged with the make, model, paint color and license plate.
Flock Safety makes license plate cameras that track every car in a neighborhood - Los Angeles Times
Neighborhoods around Los Angeles are signing up for a new service: security cameras that automatically read the license plates of every car that drives by from a company called Flock Safety
More than 15,000 complaints were lodged with the Dutch DPA in the first six months of this year, an increase of 60% on the second half of 2018.
English via Google Translate
Original, in Dutch
—
The Latvian DPA fined an online retailer €7,000 for failing to comply with an Article 17 right to erasure request from a data subject and failing to cooperate with the DPA.
‘Data State Inspectorate of Latvia imposes a financial penalty of 7000 euros against online retailer’, European Data Protection Board
—
German DPAs have apparently agreed on a new way to calculate administrative fines which will hopefully lead to greater clarity and consistency.
—
The Austrian DPA fined a data controller €55,000 for quite a litany of shortcomings: no DPO appointed, no contact details, invalid consent, incomplete Article 13 and 14 information, no DPIA.
‘Austrian DPA fines controller in the medical sector’, European Data Protection Board
  • “The paragraph on ‘Third party data’ suggests a rule against providing mixed data in a SAR response. In fact, what’s required is assessing case-by-case whether disclosure adversely affects the rights and freedoms of others. See Article 15(4)”. A short post on LinkedIn by Niall Rooney points out some potential issues with the latest data protection guidance issued by the Association of Compliance Officers of Ireland when it comes to third-party data and releasing this as part of a response to a subject access request. This interpretation may have originated with the Data Protection Commission’s own guidance on this topic, which seems to find a blanket exemption in the GDPR which does not exist in the text of the regulation itself.
  • ‘“Move fast and break things” is an abomination if your goal is to create a healthy society.’ Danah Boyd’s acceptance speech at the EFF’s 2019 Barlow/Pioneer Award deserves ten minutes of your time.
  • “Our data protection rules already give Europeans control over their own data. They allow me to stop companies misusing my data in a way that’s bad for me. But they don’t help me, if the problems come from the way that they use other people’s data, to draw conclusions about me or to undermine democracy. So we may also need broader rules to make sure that the way companies collect and use data doesn’t harm the fundamental values of our society.” Executive Vice President-Designate of the European Commission Margrethe Vestager’s remarks to the standing committee of the Council of Bars and Law Societies of Europe in Copenhagen.
  • ‘No Body’s Business But Mine: How Menstruation Apps Are Sharing Your Data’, Privacy International’s alarming look at the amount of sensitive data being shared by apps which “collect information about your health, your sexual life, your mood and more – all in exchange for telling you what day of the month you’re most fertile or the date of your next period.”
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
