Reverse GDPR | The Cat Herder, Volume 2, Issue 6

In the very first issue of this newsletter we mentioned what the New Ross Standard described as a mov   February 17 · Issue #22 · View online In the very first issue of this newsletter we mentioned what the New Ross Standard described as a move by New Ross councillors to “reverse ‘criminal’ GDPR”. That was at the end of July of last year and we haven’t been able to find any information on what progress the councillors are making with their reversal plans. Perhaps they could join forces with their counterparts in Limerick City and County Council. 😼 Limerick City and County Council brought the world this little gem last month: “We do have to question the law regarding access to this imagery,” Cllr Adam Teskey commented. “We can all blame GDPR. If GDPR is on the side of criminality, then we have a massive problem.” This week we were blessed with another memorable quote from the same august debating chamber Simon McGarr @Tupp_Ed Head of Digital Strategy at Limerick City and County Council Mihai Bilauca admits to Councillors that the €350,000 CCTV system they installed can’t be used unless the GDPR & Irish Law is changed. A Data Protection Impact Assessment before you start your project is good value. https://t.co/GZO1RXR3EL 7:02 PM - 15 Feb 2019 There are many things to unpack here. Mr Bilauca mentions “GDPR guidelines”. This may be where the confusion began. We propose a short remedial course for those tasked with managing and spending large sums of public money, a course which explains the differences between guidelines and laws. Rather than starting with a “conversation … at national level” perhaps a local conversation, one very specifically localised to the council chamber could happen first. This conversation could focus on just how Limerick City and County Council allowed this to happen. The Data Protection Commission issued guidance on the data protection aspects of such schemes last year. The Commission was at pains to point out that the “fundamental principles of data protection under the GDPR, while enhanced, are very similar to those that existed under the Data Protection Acts, 1988 & 2003.” The Commission goes on to say it “would expect all local authority data controllers who operate Community based CCTV systems to be fully aware of their responsibilities with regard to safeguarding the data protection rights of individuals, including the requirement to conduct, where necessary, Data Protection Impact Assessments.” Last year Limerick City and County Council stated that a Data Protection Impact Assessment had not been carried out. Rossa McMahon @rossamcmahon I didn't get a PIA because one hasn't been done. Why? "the project for the senors around Limerick City & County has not yet been initiated or approved" https://t.co/AwWzbYi6Qh 9:35 PM - 10 Oct 2018 At another point last year the Council thought it was reasonable to suggest the impact assessment be carried out after the system had been designed, installed and switched on. Simon McGarr @Tupp_Ed This piece by @rossamcmahon on how CCTV surveillance is breaking, not enforcing, the law is excellent. But this statement on when it’s appropriate to do a PIA- from Limerick Council- is all-time gold. https://t.co/BY1AVzjn6F https://t.co/wyxhttq1c7 8:24 AM - 14 Jun 2018 One doesn’t have to be an expert in this or any other field to appreciate that this is not the optimal sequence in which to arrange things. The GDPR says that a DPIA must be carried out “prior to the processing”. Good financial planning would dictate that this “prior to the processing” point in time should be located as early as possible in the lifecycle of any project. Certainly long before cameras have been purchased and stuck up on poles. However, we wish Mr Bilauca, the Don Quixote of Shannonside, the very best of luck in his quest to change the most significant piece of European data protection law in a generation in order to save the blushes of Limerick City and County Council. West Limerick Gardaí have no problem accessing CCTV data www.limerickpost.ie – Share Ring stands alone as a tech company for which hyperconnected vigilance isn’t just a byproduct, but the product itself — an avowed attempt to merge 24/7 video, ubiquitous computer sensors, and facial recognition, and deliver it to local police on a platter Amazon’s Home Surveillance Chief Declared War on “Dirtbag Criminals” as Company Got Closer to Police theintercept.com – Share Video and internal emails show how Amazon’s Ring has blurred line between private innovation and public law enforcement. In related Amazon news, they bought mesh routing company Eero during the week. Dieter Bohn covered this acquisition for The Verge. Consternation. Specifically that an independent company was once again snapped up by one of the big tech giants. We all feel trapped — or maybe captured — by the various ecosystems we live in. We all use excellent products every day made by behemoth companies, but increasingly only made by those companies. This consolidation of power in the hands of a number of giant social surveillance companies via personal data acquisition and processing is alarming. The Data Protection Commission issued new guidance on transfers of personal data from Ireland to the UK in the event of a No-Deal Brexit. The Bavarian DPA is mulling over what sanctions to apply to the owners of 40 websites from a wide range of industries with a whole load of third party tracking tools on them. As noted in this piece, data controllers who may have done some box-checking and accepted the assurances of their third party advertising and marketing partners should be concerned. In fact, these data controllers should be reviewing all of the cruft they’re serving up to site visitors as a matter of urgency. Apropos of nothing, our German compound word for the week is Weltpolitikfähigkeitsverlustvermeidungsstrategie. The inspection report itself raises concerns about data sharing plans for immigration enforcement purposes. “Parliament and the public will want to be reassured that any inter-departmental data sharing is not only legal, but that it is also demonstrably proportionate and necessary, that the data is accurate, and that safeguards are in place to prevent it being misapplied,” the Chief Inspector writes in the foreword. The Home Office Is Building A Massive Database Of Migrants www.buzzfeed.com – Share Shadow home secretary Diane Abbott said without proper scrutiny the project could lead to “the same discriminatory mistakes that saw Windrush citizens wrongly labelled as illegal.” This very readable and not overly lawyerly introduction to the GDPR for non-geeks by Chris Hoofnagle, Bart van der Sloot and Frederik Borgesius - ‘The European Union general data protection regulation: what it is and what it means’. Karlin Lillington‘s column on what the German competition authority’s ruling on Facebook - covered in last week’s Cat Herder - could mean for individuals. —- Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster this newsletter will be in your inbox again next weekend. See you then. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

In the very first issue of this newsletter we mentioned what the New Ross Standard described as a move by New Ross councillors to “reverse ‘criminal’ GDPR”. That was at the end of July of last year and we haven’t been able to find any information on what progress the councillors are making with their reversal plans. Perhaps they could join forces with their counterparts in Limerick City and County Council.

😼

Limerick City and County Council brought the world this little gem last month:

This week we were blessed with another memorable quote from the same august debating chamber

There are many things to unpack here.

Mr Bilauca mentions “GDPR guidelines”. This may be where the confusion began. We propose a short remedial course for those tasked with managing and spending large sums of public money, a course which explains the differences between guidelines and laws.

Rather than starting with a “conversation … at national level” perhaps a local conversation, one very specifically localised to the council chamber could happen first. This conversation could focus on just how Limerick City and County Council allowed this to happen.

The Data Protection Commission issued guidance on the data protection aspects of such schemes last year. The Commission was at pains to point out that the “fundamental principles of data protection under the GDPR, while enhanced, are very similar to those that existed under the Data Protection Acts, 1988 & 2003.” The Commission goes on to say it “would expect all local authority data controllers who operate Community based CCTV systems to be fully aware of their responsibilities with regard to safeguarding the data protection rights of individuals, including the requirement to conduct, where necessary, Data Protection Impact Assessments.”

Last year Limerick City and County Council stated that a Data Protection Impact Assessment had not been carried out.

At another point last year the Council thought it was reasonable to suggest the impact assessment be carried out after the system had been designed, installed and switched on.

One doesn’t have to be an expert in this or any other field to appreciate that this is not the optimal sequence in which to arrange things. The GDPR says that a DPIA must be carried out “prior to the processing”. Good financial planning would dictate that this “prior to the processing” point in time should be located as early as possible in the lifecycle of any project. Certainly long before cameras have been purchased and stuck up on poles.

However, we wish Mr Bilauca, the Don Quixote of Shannonside, the very best of luck in his quest to change the most significant piece of European data protection law in a generation in order to save the blushes of Limerick City and County Council.

Video and internal emails show how Amazon’s Ring has blurred line between private innovation and public law enforcement.

In related Amazon news, they bought mesh routing company Eero during the week. Dieter Bohn covered this acquisition for The Verge.

This consolidation of power in the hands of a number of giant social surveillance companies via personal data acquisition and processing is alarming.

The Data Protection Commission issued new guidance on transfers of personal data from Ireland to the UK in the event of a No-Deal Brexit.

The Bavarian DPA is mulling over what sanctions to apply to the owners of 40 websites from a wide range of industries with a whole load of third party tracking tools on them. As noted in this piece, data controllers who may have done some box-checking and accepted the assurances of their third party advertising and marketing partners should be concerned. In fact, these data controllers should be reviewing all of the cruft they’re serving up to site visitors as a matter of urgency.

Apropos of nothing, our German compound word for the week is Weltpolitikfähigkeitsverlustvermeidungsstrategie.

Shadow home secretary Diane Abbott said without proper scrutiny the project could lead to “the same discriminatory mistakes that saw Windrush citizens wrongly labelled as illegal.”

• This very readable and not overly lawyerly introduction to the GDPR for non-geeks by Chris Hoofnagle, Bart van der Sloot and Frederik Borgesius - ‘The European Union general data protection regulation: what it is and what it means’.
• Karlin Lillington‘s column on what the German competition authority’s ruling on Facebook - covered in last week’s Cat Herder - could mean for individuals.

—-

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster this newsletter will be in your inbox again next weekend. See you then.

If you know someone who might enjoy this newsletter do please forward it on to them.