Privacy Kit

January 16, 2022

It Should Be Required Reading | The Cat Herder, Volume 5, Issue 01

January 16 · Issue #163
The Cat Herder
Happy New Year all. Hopefully you all had a good break over the holiday period. There’s been a surprising amount of regulatory action over the past two weeks so the Regulators section is higher up than usual this week. The Department of Children’s fanciful attempt at creating an alternative to the wheel has not gone well.
😼

It’s not really a very dissuasive-to-others sanction if nobody else knows about it …
It appears this policy allows the ICO to issue slaps on the wrist in private mainly to public-sector organisations and big business. Meanwhile, SMEs’ data protection law infringements earn them well-publicized fines and directorial disqualifications in some cases.
The Register: ‘UK watchdog's punishment for Blackbaud, Easyjet, other big privacy lawbreakers was slap on the wrist in private’
Is this what they call light-touch regulation?
—
Kim Wallace (@lateonsetlawyer), 22 Dec 2021:
I cannot imagine a worthwhile use case for facial recognition in fried chicken ordering. At least there's an opt out. https://t.co/zoolRJgbCZ
https://twitter.com/lateonsetlawyer/status/1473449627424747522
The DPC published its decision after its investigation of Limerick City and County Council’s use of CCTV and other surveillance technologies.
Rossa McMahon (@rossamcmahon), 13 Jan 2022:
This is a thread with some reactions to reading the DPC decision on Limerick's CCTV systems. A few points:

- the decision is comprehensive and methodical;
- it should be required reading for legislators and large data controllers (particularly State bodies)
- it is damning. https://t.co/rikBZgaj3w
If you have the time the decision is well worth reading in full. Practically everything that could have gone wrong did go wrong. Much of it could have been prevented if the data controller had actually completed the required DPIAs before starting processing.
Coverage
Deputy Commissioner Tony Delaney, who led the three-year investigation, says just 44 of the 401 cameras operated by the local authority are fully compliant with GDPR and data protection regulations.
“What we found is that of the 401 cameras only 44 have proper authorisation so Limerick City and County Council have broken the law. They have gone and put up cameras and put up ANPR (automatic number plate recognition) with no legal basis,” he said.
Limerick Leader: ‘Data Protection Commission says unlawful use of CCTV in Limerick is “disturbing”’
Limerick solicitor Rossa McMahon, a partner at PG McMahon solicitors in Newcastle West, had first raised his concerns regarding the council’s usage of CCTV in 2017, with the subject subsequently taken up by the DPC in the context of all 31 local authorities.
Mr McMahon described the DPC’s published findings as “damning and comprehensive”, though he said the fine imposed “could have been a lot worse”.
“They [the council] seem to have gotten almost everything wrong, from DPIAs to transparency, and even basic things like access requests,” he said.
Irish Examiner: ‘Limerick council fined for installing CCTV cameras with no lawful basis’
—
The DPC also published its decision after an inquiry into the Teaching Council. As above it is a comprehensive and well reasoned document which should be read by all data controllers. The sanctions issued by the DPC were a fine of €60,000, a reprimand and an order to bring its processing operations into compliance with Articles 5(1) & 32(1) of the GDPR.
—
The Austrian DPA has upheld a complaint brought by Noyb about a website’s use of Google Analytics. “The decision raises a big red flag over routine use of tools that require transferring Europeans’ personal data to the US for processing — with the watchdog finding that IP address and identifiers in cookie data are the personal data of site visitors, meaning these transfers fall under the purview of EU data protection law.”
—
This prompted the Dutch DPA to issue emergency guidance on the use of Google Analytics. “Please note: use of Google Analytics may soon not be allowed.” [guidance in Dutch | machine translation]
—
The EDPS sanctioned the European Parliament “for a series of breaches of the bloc’s data protection rules”. The full decision is here [direct link to PDF].
—
The EDPS also ordered Europol “to delete data concerning individuals with no established link to a criminal activity”.
Coverage
Experts’ concerns are not confined to Europol’s flouting of rules on data retention. They also see a law enforcement agency that aspires to conduct mass surveillance operations.
Members of the civil liberties, justice and home affairs committee of the European parliament during a hearing in June 2021 compared the agency to the NSA. Wiewiórowski surprised attenders by endorsing the comparison in relation to Europol’s practice of retaining data. He pointed out that Europol was using similar arguments to those used by the NSA to defend bulk data collection operations and mass surveillance as revealed by Snowden.
The Guardian: ‘A data ‘black hole’: Europol ordered to delete vast store of personal data’
The Minister for Children published the Birth Information and Tracing Bill. This is a highly important piece of legislation for many reasons, the most prominent obviously being its aim of giving people access to their own information, access which they have been wrongfully and extremely hurtfully denied for their entire lives.
For the purposes of this newsletter it is of great interest because it is a significant test of the Irish State’s ability to produce domestic legislation covering data processing and data protection which does not conflict with superior EU law.
Unfortunately what has emerged reads almost exactly as you’d expect if the instructions given to the drafters were ‘Reinvent the wheel for me. My design spec for this has only three requirements: the new wheel cannot be round, it must be confusing and it has to be unnecessarily complicated!’
Reading and re-reading the Bill is a disorientating experience. A Data Protection Impact Assessment was published alongside the Bill [direct link to PDF]. The DPIA declares the Article 15 Right of Access is not being restricted. The Bill then proceeds to liberally and arbitrarily sprinkle restrictions on the Right of Access throughout.
Some of these include -
  • While accepting the definition of personal data is the same as that used in the GDPR the Bill slices and dices personal data into categories, each of which must be applied for using a different process.
  • The Bill divides up data subjects into categories and assigns different mechanisms and processes by which they can make applications for their personal data.
  • The Bill prescribes an option in certain circumstances for the data controllers to “provide the relevant person with a statement setting out the … [personal data] … to which the application relates that is contained in the records”. A subjective statement is not access.
  • In some circumstances the Bill even makes the Right of Access to an individual’s own personal data contingent on other people being deceased.
Should the Bill go forward in its present state the absolutely inevitable consequence is that people will simultaneously make Subject Access Requests to the data controllers involved, primarily the Adoption Authority of Ireland and Tusla. The Right of Access - which is not restricted, remember - entitles them to access all their personal data rather than the subsets prescribed by the Bill.
The absolutely inevitable consequence of this is that based on past performance, which is in the case of public sector bodies in Ireland a very reliable predictor of future performance, these Subject Access Requests will not be fulfilled properly. The agencies involved will favour the new domestic legislation with its narrower requirements over the EU legislation, despite their obligation to do the very opposite.
The absolutely inevitable consequence of this will be a barrage of complaints to the DPC. Most of which could be avoided if the Minister hadn’t decided to build an entire access system from scratch which must exist in parallel with the extant one established by the GDPR and Data Protection Act 2018.
The Oireachtas Children’s Committee published its report and recommendations on this legislation shortly before Christmas. It contains the following observation about optimism from the DPC: “the DPC advised that they are cautiously optimistic that the finalised Bill will be GDPR compliant, although they cannot say for sure until it is published.” (page 37)
An update on the levels of optimism will no doubt come along soon.
(These are far from being the only problems with the Bill, just the most glaringly obvious systemic ones.)
  • “It is great that there are papers analysing the impact of the GDPR; but to the extent that they equate the GDPR with privacy, they are extending themselves beyond their empirical reach. The GDPR did not significantly and durably reduce the fluidity of data flows but it did increase the overhead of data processing in a way that favours companies with greater cover-your-ass expertise. Even if these papers do not, in fact, support the theory that improved privacy harms competition, they do strengthen the case against transparency and choice regimes.” From ‘Competition & Privacy: It’s Both Or Nothing’ by Robin Berjon.
  • “The pandemic obliterated many of the obstacles standing in the way of the adoption of mass biometric data collection, and the consequences will be disastrous for civil liberties if it’s allowed to continue in this manner. The intensity of surveillance is ramping up in record time, making governments and for-profit corporations privy to that most private minutiae of our lives and bodies.” From ‘The road to disastrous biometric data collection is paved with good intentions’ by Leif-Nissen Lundbæk for Techcrunch.
  • “Caitlin Seeley George, a campaign director at nonprofit Fight for the Future, finds the spread of face recognition in airports and other areas of daily life concerning. “We need to ban all facial recognition, because the harms of this technology far outweigh any benefits,” she says. George considers seemingly benign or careful uses of the technology dangerous because they help normalize collection of personal and biometric data that can be hacked or exploited. “The more places people see it, the more comfortable people feel,” she says. “When we do things for convenience we may not be thinking through all the repercussions.” From ‘Face Recognition Is Being Banned—but It’s Still Everywhere’ by Tom Simonite for Wired.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland