Record Keeping | The Cat Herder, Volume 5, Issue 10

Metabook is fined for record keeping, or so it claims. The Ad Lads pretend to struggle with the meani   March 20 · Issue #172 · View online Metabook is fined for record keeping, or so it claims. The Ad Lads pretend to struggle with the meaning of consent, Google makes changes. 😼 The Ad Lads continue to live in a world mostly untroubled by any outside reality. Wolfie Christl @WolfieChristl The German industry lobbying organization BVDW published a misleading guide to 'consent management' that tells businesses that the TCF is currently being made "even more legally compliant", "under the leadership of the Belgian data protection authority" 🤡 https://t.co/Bf21liVG0A https://t.co/6IwyGmfmGF 8:30 PM - 16 Mar 2022 For more obfuscation, timewasting and faux ignorance from the extended Ad Lad universe, try this. As I think I did indicate when we spoke, it is still unclear whether the term “freely-given” is to be interpreted as conferring a general entitlement in law to access to valuable digital content at no cost and without advertising. ‘It was surprising’: IAB Europe’s CEO on the uncertain future of third-party addressability digiday.com – Share Digiday caught up with the IAB Europe’s CEO Townsend Feehan to get her take on the future of its GDPR guardrails, also known as the Transparency & Consent Framework. Since the creation of confusion allowing current practices to continue unchecked for as long as possible is important to the member organisaitons of the IAB it is of little surprise that the IAB is appealing the Belgian DPA’s decision and kicking up large amounts of dust along the way. — Google, caught with it’s hand in the cookie jar, “has committed to making a number of changes to its texting and phone call apps after an Irish study revealed that reams of personal information were being collated by the tech giant.” The DPC fined - deep breath - Meta Platforms Ireland Limited (formerly Facebook Ireland) €17m for infringing Articles 5 and 24 of the GDPR. Techcrunch: ‘Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR’ — Also this week the DPC published a statistical report on the DPC’s handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism. Press release | Direct link to report [PDF] — Johnny Ryan of the ICCL has been given leave to take a High Court challenge against the DPC, alleging the DPC has failed to fully investigate his complaint about the processing of personal data by Google and IAB Europe. — The Polish DPA issued its highest fine to date, PLN 4.9 million (~€1,080,000), to a data controller and also a fine of PLN 250,000 (~€ 55,000) to one of the data controllers data processors. — The Spanish DPA fined PageGroup Europe €300,000 for violations of Articles 5 and 12 of the GDPR. There are several interesting points to note in this decision. The Spanish DPA, as Lead Supervisory Authority and which has been held up in certain quarters recently as a model of energetic and rapid regulatory action, initially “considered that there were no indications of infringement and that no further action was necessary.” The sanction to the controller was only applied after the Portugese and Berlin DPAs disagreed with the Lead Supervisory Authority’s conclusions as part of the Article 60 process. The case is a cross border one which was opened in September 2018 and was concluded in February 2022. Quite lengthy from start to finish. — The EDPB adopted guidelines on Article 60, guidelines on dark patterns in social media interfaces, a toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs and, in a publication with the EDPS, a joint opinion on the extension of the EU Digital Covid Certificate Regulation. “Crisis Text Line described one of the primary motivations for the retention, sharing and reuse of its users’ data to be, broadly, “research.” While “research and experimentation” is important, especially in emergent fields, it’s also an abstraction so broad that it’s often used to justify overtly inappropriate behaviour — especially from digital platform providers — that in no way attempts to replicate the requirements that typically accompany professional research involving human subjects. Based on the small amount of independent review that’s been done, there isn’t much interrogation of or concern about how Crisis Text Line shared data for research; rather, the majority of inquiry has been around whether to do it at all.” From ‘A Crisis of Loyalty’ by Sean McDonald for the Center for International Governance Innovation. “This is a good reminder that explicit disclosures of purpose limitations at the time of collection will be seen by regulators as superseding general privacy policy language. If you tell your customers that you will only use a data field for a certain purpose, it’s important to verify that this statement is true. If you create an opt-in option, whether to comply with legal requirements or just to provide consumers with more control, make sure it functions as expected.” From ‘Hidden privacy lessons in the FTC’s CafePress security enforcement’ by Cobun Zweifel-Keegan for the IAPP. “Jewish privacy recognizes that, together, the related behaviors of surveillance threaten fundamental human dignity. Surveillance, or the capacity for surveillance, is a form of theft that destabilizes the ability to live in a modest and empowered manner. Aggregation of data facilitates the construction of narratives that manipulate one’s behavior, and diminish the essence of humanity: individual choice and personal growth. This process, the stories in the sources illustrate, is objectifying and dehumanizing; a form of death. Rather than abandoning each individual to a lonely personal Sisyphean task of averting these harms, Jewish law suggests that the burden should be shared, and that societal power should be marshalled to address power imbalances and collective action problems by constructing a social framework that largely takes on the responsibility for individual privacy protection.” From ‘Pre-Modern Insights for Post-Modern Privacy: Jewish Law Lessons for the Big Data Age’ by Kenneth Bamberger and Ariel Evan Mayse. — Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Metabook is fined for record keeping, or so it claims. The Ad Lads pretend to struggle with the meaning of consent, Google makes changes.

😼

The Ad Lads continue to live in a world mostly untroubled by any outside reality.

For more obfuscation, timewasting and faux ignorance from the extended Ad Lad universe, try this.

Digiday caught up with the IAB Europe’s CEO Townsend Feehan to get her take on the future of its GDPR guardrails, also known as the Transparency & Consent Framework.

Since the creation of confusion allowing current practices to continue unchecked for as long as possible is important to the member organisaitons of the IAB it is of little surprise that the IAB is appealing the Belgian DPA’s decision and kicking up large amounts of dust along the way.

—

Google, caught with it’s hand in the cookie jar, “has committed to making a number of changes to its texting and phone call apps after an Irish study revealed that reams of personal information were being collated by the tech giant.”

The DPC fined - deep breath - Meta Platforms Ireland Limited (formerly Facebook Ireland) €17m for infringing Articles 5 and 24 of the GDPR.

Techcrunch: ‘Facebook fined $18.6M over string of 2018 breaches of EU’s GDPR’

—

Also this week the DPC published a statistical report on the DPC’s handling of cross-border complaints under the GDPR’s One-Stop-Shop (OSS) mechanism. Press release | Direct link to report [PDF]

—

Johnny Ryan of the ICCL has been given leave to take a High Court challenge against the DPC, alleging the DPC has failed to fully investigate his complaint about the processing of personal data by Google and IAB Europe.

—

The Polish DPA issued its highest fine to date, PLN 4.9 million (~€1,080,000), to a data controller and also a fine of PLN 250,000 (~€ 55,000) to one of the data controllers data processors.

—

The Spanish DPA fined PageGroup Europe €300,000 for violations of Articles 5 and 12 of the GDPR. There are several interesting points to note in this decision. The Spanish DPA, as Lead Supervisory Authority and which has been held up in certain quarters recently as a model of energetic and rapid regulatory action, initially “considered that there were no indications of infringement and that no further action was necessary.” The sanction to the controller was only applied after the Portugese and Berlin DPAs disagreed with the Lead Supervisory Authority’s conclusions as part of the Article 60 process. The case is a cross border one which was opened in September 2018 and was concluded in February 2022. Quite lengthy from start to finish.

—

The EDPB adopted guidelines on Article 60, guidelines on dark patterns in social media interfaces, a toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs and, in a publication with the EDPS, a joint opinion on the extension of the EU Digital Covid Certificate Regulation.

• “Crisis Text Line described one of the primary motivations for the retention, sharing and reuse of its users’ data to be, broadly, “research.” While “research and experimentation” is important, especially in emergent fields, it’s also an abstraction so broad that it’s often used to justify overtly inappropriate behaviour — especially from digital platform providers — that in no way attempts to replicate the requirements that typically accompany professional research involving human subjects. Based on the small amount of independent review that’s been done, there isn’t much interrogation of or concern about how Crisis Text Line shared data for research; rather, the majority of inquiry has been around whether to do it at all.” From ‘A Crisis of Loyalty’ by Sean McDonald for the Center for International Governance Innovation.
• “This is a good reminder that explicit disclosures of purpose limitations at the time of collection will be seen by regulators as superseding general privacy policy language. If you tell your customers that you will only use a data field for a certain purpose, it’s important to verify that this statement is true. If you create an opt-in option, whether to comply with legal requirements or just to provide consumers with more control, make sure it functions as expected.” From ‘Hidden privacy lessons in the FTC’s CafePress security enforcement’ by Cobun Zweifel-Keegan for the IAPP.
• “Jewish privacy recognizes that, together, the related behaviors of surveillance threaten fundamental human dignity. Surveillance, or the capacity for surveillance, is a form of theft that destabilizes the ability to live in a modest and empowered manner. Aggregation of data facilitates the construction of narratives that manipulate one’s behavior, and diminish the essence of humanity: individual choice and personal growth. This process, the stories in the sources illustrate, is objectifying and dehumanizing; a form of death. Rather than abandoning each individual to a lonely personal Sisyphean task of averting these harms, Jewish law suggests that the burden should be shared, and that societal power should be marshalled to address power imbalances and collective action problems by constructing a social framework that largely takes on the responsibility for individual privacy protection.” From ‘Pre-Modern Insights for Post-Modern Privacy: Jewish Law Lessons for the Big Data Age’ by Kenneth Bamberger and Ariel Evan Mayse.

—

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.