Questions | The Cat Herder, Volume 3, Issue 26
An app appears. The number of accidental data controllers grows. The things they’re doing become more intrusive.
😼
The Dublin Inquirer has a smart piece by Sean Finnan on the apparent use of thermal screening via surveillance camera by at least one property in the Mercantile Group. It’s a good piece because it asks the basic data protection questions that often aren’t asked by journalists.
First among these is usually “is the data being processed personal data?” In this case it is, and not only is it personal data, it is also special categories of personal data. If an identifiable individual’s body temperature is being taken (covertly or overtly) and inferences are being drawn about their health status, then this is processing of special categories of personal data. The conditions for processing this type of personal data are restrictive.
Next up is “who is the data controller?” If people don’t know who the data controller is then they can’t exercise any of the broad range of rights they have under European data protection law. Which applies on Dawson Street just as much as it applies in Denmark or Dusseldorf.
(One quick point here - the data controller is not a position to which an organisation or individual can be “designated”. It is based on the facts on the ground: the controller is whoever is responsible for determining the means and purposes of the processing.)
Then comes “what is the lawful basis?” A frequently forgotten, or not fully considered, aspect of European data protection is that it starts with a ban. Personal data cannot be processed without a lawful basis. If special categories of personal data are being processed, the data controller cannot use legitimate interests as their lawful basis, which is usually the lawful basis relied on by controllers of CCTV systems.
Accountability And The Accidental Data Controller
It’s more than two years since the GDPR came into effect and many data protection practitioners are very tired of pointing out that much of what is contained in the regulation is not new. However, one absolutely brand spanking new element is the principle of accountability.
This principle is set out in Article 5.2 (“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”) and expanded on in Article 24 (“the controller shall … be able to demonstrate that processing is performed in accordance with this Regulation.”)
Not only does the accountability principle impose this new wide-ranging obligation on data controllers, it is also a tool which can help individuals and journalists seeking to discover more about a particular data processing operation.
Handbook on European Data Protection Law 2018, Fundamental Rights Agency, page 134
This requirement presents a problem for any data controller who wishes to try and use the old comms tactic of refusing to comment or answer questions in the hope that whoever is asking will get bored and stop asking. The failure to answer questions about how a particular processing operation is compliant with the GDPR does not sit comfortably with the principle of accountability.
So the longer these questions go unanswered the further from adhering to the accountability principle the data controller strays. Which is awkward.
—
The HSE’s Covid Tracker App got off to a good start with large numbers of downloads in the first few days after its release. There were issues with the app asking for location services to be switched on on some Android handsets, but this appears to be a problem with the way permissions are organised and grouped within Android rather than anything to do with the app itself.
Olga Cronin of the ICCL had an opinion piece in the Irish Examiner which reiterated many of the same points made here over the last number of weeks and months. There’s no evidence the Bluetooth proximity monitoring part works effectively enough to be of much use to the wider testing and tracing system. The symptom tracking aspect of the app is unnecessary and still looks like an attempt to gather location data manually and therefore avoid breaching the EDPB guidelines. The sharing of large amounts of data with the Central Statistics Office which has been deemed, on fairly shaky grounds, to be anonymous raises questions which remain unanswered.
—
In Singapore an app is no longer enough. The coronopticon expands. The government is now deploying wearable devices, in part because the app won’t work properly on Apple devices. Also of note is that the app is no longer voluntary for some groups of individuals - “It is voluntary for everyone except migrant workers living in dorms, who account for the majority of Singapore’s 44,000-plus infections.”
The TraceTogether Token is designed to make an app more effective, but worries privacy campaigners.
I went to the pub the other day (it was empty and I sat outside) and got a free drink from the bartender and… he’s just messaged me on facebook pic.twitter.com/lwRBZJANsf
— rose ❤️🔥🗡 (@roselyddon) July 11, 2020
This probably has happened here already.
The Green Party dithers over its pre-election commitment to deal with the Public Services Card.
Meanwhile, the card continues to be unnecessary for the functioning of the social welfare system.
Confirm your eligibility today to continue to get the #COVID19 Unemployment Payment
To do this go to https://t.co/M2y3fHDfmA, create a basic MyGovID account & complete the form
For a basic MyGovID account all you need is an email address. You don't need a Public Services Card. pic.twitter.com/5D6n2yl9JW
— Department of Social Protection (@welfare_ie) July 9, 2020
- “The Dutch Data Protection Authority (DPA) issued a EUR 830,000 (approximately USD 937,000) fine against the Dutch Credit Registration Bureau (BKR) for violating data subject rights. The fine stems from BKR’s practice of charging fees and discouraging individuals who wanted to access their personal data.” Joke Bodewits and Benjamino Blok with more detail on this fine from the Dutch DPA. It’s good to see attempts by data controllers to restrict access rights being punished by regulators.
- “Dataminr’s Black Lives Matter protest surveillance included persistent monitoring of social media to tip off police to the locations and activities of protests, developments within specific rallies, as well as instances of alleged “looting” and other property damage. According to the source with direct knowledge of Dataminr’s protest monitoring, the company and Twitter’s past claims that they don’t condone or enable surveillance are “bullshit,” relying on a deliberately narrowed definition. “It’s true Dataminr doesn’t specifically track protesters and activists individually, but at the request of the police they are tracking protests, and therefore protesters,” this source explained.” Sam Biddle for the Intercept, ‘Police Surveilled George Floyd Protests With Help From Twitter-Affiliated Startup Dataminr’. Much of what you post online is being stripped of context, in some cases reassigned a new and incorrect context, neatly packaged up and passed on to someone else.
- “As these represent novel technologies that could have a potentially significant impact on the rights and freedoms of employees or other categories of individual, it is essential that an appropriately rigorous DPIA is undertaken by any organisation adopting these technologies and appropriate mitigations be put in place to balance the impact on the data subject and also to avoid a false sense of security arising from the risk of false negatives from asymptomatic cases or individuals masking symptoms in order to return to work.” Castlebridge’s ‘Guidance on Temperature Scans in the Workplace’ is topical, as is the DPC’s guidance on the same subject.
- 📹 Kaarana, ‘The Rise of Techno-Solutionism’. “In this session, speaker Sean McDonald, shares his work on Ebola and COVID-19, mainly how use of Big Data to solve epidemics has not always yielded favourable results. In fact, techno-solutionism has put the marginalised at risk. Sean will present the learnings he has abstracted from documenting epidemics and the role that technology has actually played.” Video, 1 hour.
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.