Minister to Minister | The Cat Herder, Volume 4, Issue 28
A report, an apparent leak of many, many phone numbers, a DPIA that’s MIA.
😼
Full phone number database of #Clubhouse is up for sale on the #Darknet. It contains 3.8 billion phone numbers. These are not just members but also people in contact lists that were synced. Chances are high that you are listed even if you haven't had a Clubhouse login. pic.twitter.com/PfAkUJ0BL5
— Marc Ruef (@mruef) July 23, 2021
Has anybody seen the Data Protection Impact Assessment which must have surely been carried out before the publication of the guidelines for indoor dining? Anybody at all? The guidelines which require processing of special categories of personal data and collection of contact details for every individual who indulges in some indoor dining.
On a closely related note …
Carmela's excellent thread on EU vaccine certs coming true bit by bit. Earlier this week much of Germany suspended cert creation as Handelsblatt showed forged docs could create non-existent web portal pharmacists who could mint irrevocable certificates. https://t.co/NR46ZHE6NG https://t.co/H4eqtYhq6I
— Michael Veale is @mikarv@someone.elses.computer (@mikarv) July 24, 2021
This quote is from the Irish Times’ coverage of a mixed bag of a report produced by the Oireachtas Joint Committee on Justice [direct link to PDF].
The report makes recommendations which vary from the good to the peculiar to the questionable.
The report is titled ‘Report on meeting on 27th April 2021 on the topic of GDPR’. So it would appear reasonable to interpret this as being a report which is only concerned with the two short public sessions held on 27th April 2021.
In the introduction it is noted that “[t]he Joint Committee on Justice invited submissions from stakeholders on the topic of GDPR. On 27th April 2021, the Committee held a public engagement with several of these stakeholders.” It is unclear whether the stakeholders invited to the public meeting of the Committee were the only stakeholders who made submissions, or whether these were the only submissions considered.
The quote above, taken from the introduction, implies that only some of the stakeholders who were invited to make submissions were invited to the two public sessions. However, the report itself contains only submissions from those who gave evidence during the two public sessions and makes no reference to any other submissions.
It doesn’t seem possible that a report based on submissions and evidence from only four entities could be regarded as in any way definitive.
The recommendations around clarification of the DPC’s processes, procedures and definitions are welcome. It seems questionable to me whether an Oireachtas Committee - a creation of Government - should be making recommendations to an independent Supervisory Authority on the specific type of sanctions it should use (“The Committee recommends that the DPC increases the use of its sanctioning powers under Article 58(2) of the GDPR, particularly orders stopping infringers from processing data, and dissuasive fines”).
While the body of the report makes fleeting mention of data processing in the public sector (page 18 - “In addition, better knowledge and awareness of GDPR by governmental departments and state bodies was also recommended”) there is no further mention of this in the recommendations.
Which brings us back to the quote at the start of this section, taken from the first of the Committee’s recommendations. The Committee “recommends … the Minister for Justice ensures the provision of whatever means may be necessary to support” the DPC moving “from emphasising guidance to emphasising enforcement as a matter of urgency” lest the DPC “face a more emboldened and entrenched group of systematic infringers”.
It’s 675 days since the Department of Social Protection refused to comply with the DPC’s findings relating to the Public Services Card.
The Department of Social Protection was last seen on this matter arguing in court about the number of paragraphs in an affidavit.
As the Minister for Justice and the Minister for Social Protection are currently the same person, one can only imagine this recommendation by the Committee will lead to some tense exchanges of letters between Heather Humphreys and Heather Humphreys. Because there isn’t a public sector data controller in the country which more aptly fits the description of systematic infringer than the Sideshow Bob Rake Department.
—
The insatiable appetite of the CSO for more data, more databases, knows no bounds. Now: the Central Credit Registry run by the Central Bank.
— Rossa McMahon (@rossamcmahon) July 22, 2021
"The transfer is also compliant with GDPR." https://t.co/XCZCk2wuP3
The Central Credit Register is a mandatory database of credit information established by the Central Bank, under the Credit Reporting Act 2013 as amended (“the Act”).
Exclusive: tech firm admits algorithm weighs claimants’ age, which is protected in equality law
Six-month initiative to identify potential deportees used technology that has come under intense scrutiny in recent years
The Dutch DPA fined TikTok €750,000 for not providing a data protection notice in Dutch.
- “Metadata is a valuable tool to analyse the contacts between people,” says Rowenna Fielding, founder and director of privacy consultancy Miss IG Geek. “When you look at metadata, it turns out a lot of the time you don’t even need message content, because patterns of activity tell you a lot about someone. This isn’t just, ‘X is on Y’s phone’, it is ‘X is on Y’s phone and they are messaging each other every evening at around 8pm for an hour’. You can then start extrapolating inferences or relationships and build social graphs.” From ‘All the data WhatsApp and Instagram send to Facebook’ by Kate O'Flaherty from Wired.
- “This week we got one of the most nightmarish tech privacy stories to rear its ugly head on the internet: an investigation into a trove of location data siphoned from a mobile device belonging to one of the Catholic Church’s top officials, Jeffrey Burrill. Like many stories about whatever’s lurking in the average person’s location data, some pretty sensitive details about Burrill’s life ended up unearthed in these datasets: visits to gay bars and nightclubs, among them. Burrill resigned not long after. Responses to the scoop—which came courtesy of the Pillar, a two-person digital outlet centered around stories on the Catholic church—were mixed. Some obvious bigots cheered on the effort to expunge “sinners” from their Christian institutions. Others decried the piece as a blatant invasion of a dude’s right to privacy. The one question both sides were asking—but nobody seemed to have an answer for—was where this data even came from in the first place.” From ‘A Priest Was Outed by His Phone’s Location Data. Anyone Could Be Next.’ by Shoshana Wodinsky for Gizmodo.
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.