Privacy Kit

September 6, 2020

Somebody Else's Problem | The Cat Herder, Volume 3, Issue 34

September 6 · Issue #98
The Cat Herder
ID cards are back, as is Tony Blair. The statutory body tasked with monitoring the safety and quality of the healthcare system in Ireland either doesn’t know or doesn’t care about data protection and data subject rights. Substantial meals.
😼

Everyone’s accustomed to ill-informed calls to allow law enforcement to access encrypted communications by now, usually via some unspecified magical mechanism characterised as a key. But to hear the same coming from the judge appointed to provide independent oversight of the Irish state’s surveillance powers is new.
New laws ‘urgently required’ to spy on criminals says judge
www.irishexaminer.com
—-
In Scotland the police made a database but forgot to create any mechanism to remove people from the database and so, by rough calculation, appear to have ended up with somewhere north of 10% of the population of the entire country in the database, identified as Vulnerable Persons ¯\_(ツ)_/¯
Nearly 500,000 Scots removed from police database - BBC News
www.bbc.com
Police Scotland was told to remove names after the information commissioner said it could breach data protection rules.
This week the Law Society presented us with a good case study on appropriate legal bases for the processing of personal data.
‘Track and trace’ obligations for practitioners in force from today
www.lawsociety.ie
If processing of personal data is based on the consent of the data subject then that consent must be as easy to withdraw as it was to give. So I can visit my solicitor on a Tuesday, give my consent, then ring up and withdraw that consent the following day. Rendering this instruction from the Law Society somewhat useless.
Also, “data privacy” regulations do not exist. There is data protection and there is privacy. The Law Society should probably know this.
“Thereafter, the data should be safely disposed of, in line with data privacy regulations.”
They're not interested in your browsing history for no reason
“Effectively, the study comes to dispel an online myth that browsing history, even the anonymized one, isn’t useful for online advertisers. In reality, the study shows that even a small list of 50 to 150 of the user’s favorite and most accessed domains can let advertisers create a unique tracking profile.”
Mozilla research: Browsing histories are unique enough to reliably identify users | ZDNet
www.zdnet.com
Online advertisers don’t need huge lists of the sites we access. Just 50-150 of our favorite sites are enough.
There's still an ongoing investigation into the PSC ...
Former enthusiastic advocate for ID cards is still an enthusiastic advocate for ID cards, but for yet another different reason this time. Which does nothing to dispel the notion that, a decade after they were scrapped in the UK, this is still a solution in search of a problem.
Tony Blair: It is common sense to move toward digital IDs - BBC News
www.bbc.com
The ex-PM said coronavirus vaccination records kept by government would help “restore confidence”.
Data protection cannot be an ‘afterthought’ in plans for electronic patient records, says watchdog
www.irishexaminer.com
Hiqa seeking submissions from members of the public on the plans by September 11
Digital Rights Ireland, granted the status of watchdog by this headline, “said current proposals for an electronic patient record were “wide of the mark” and failed to consider the data protection ramifications of recording and sharing patient information across the health service.” You can say that again.
When questioned about this HIQA opined that it was somebody else’s problem.
A spokesperson for HIQA said the authority expects the HSE to carry out a Data Protection Impact Assessment (DPIA) as it is the agency rolling out the record: “We would expect the HSE to undertake a DPIA in relation to this as they are the implementation body and will have data process/controller responsibilities.”
Coincidentally the European Data Protection Board held a public consultation on Data Protection by Design and by Default, a legal requirement under the GDPR, which closed earlier this year. Here’s a quick extract
The whole consultation document is here. HIQA would be well advised to consult it.
Data protection is not something only to be considered during implementation.
The DPC was uncharacteristically quick out of the blocks to give the Irish government’s extremely confused and confusing plans to compel pubs to keep a record of “substantial meals” served a thumbs up as legally sound. We eagerly await sight of the thorough necessity and proportionality assessment which must have underpinned this approval.
—
The European Data Protection Supervisor published guidance relating to thermal scanning: ‘Orientations from the EDPS: Body temperature checks by EU institutions in the context of the COVID-19 crisis’
—
At its thirty-seventh plenary session the European Data Protection Board
  • adopted guidelines on the concepts of data controller and data processor in the GDPR
  • adopted guidelines on the targeting of social media users
  • created a taskforce “to look into complaints filed in the aftermath of the CJEU Schrems II judgement”
  • created a taskforce which “will prepare recommendations to assist controllers and processors with their duty to identify and implement appropriate supplementary measures to ensure adequate protection when transferring data to third countries”
It’s unclear whether these are two entirely separate Schrems II taskforces or if there’ll be some overlap.
—
The Spanish DPA fined mobile operator Telefónica Móviles España €75,000 (reduced to €45,000) for processing without a legal basis and unsolicited telemarketing.
—
The Polish DPA fined the Surveyor General of Poland 100,000 Zloty (~€22,500) for processing without a lawful basis. This concerned making land registry numbers available on the web without a lawful basis.
  • “The Code and its drivers hijacked the ICO’s remit from a DP regulator to a child safety think tank, to the point where its statutory remit and law enforcement obligations were sidelined and ignored. You got your Code. Now’s the reckoning.” A Twitter thread about the ICO’s Children’s Code by Heather Burns.
  • “A common theme emerges around all such tools: while marketed as necessary tools in “going back to normal”, what they do in reality is trying to impose — with no evidence whatsoever as to their effectiveness — a new normal based on pervasive and health-based surveillance. This socio-technical apparatus — as shown in many examples already, most notably in the Chinese city of Hangzhou — may be born out of a public health emergency, but is definitely here to stay, adding to the already concerning arsenal of surveillance devices deployed before the SARS-CoV-2 outbreak.” From ‘ADM Systems In The Covid-19 Pandemic: A European Perspective’ by Fabio Chiusi for Algorithm Watch.
  • “Ms Humphreys initially doubled down on her officials’ zeal for reducing the numbers on the payment, before doing a u-turn the Dukes of Hazzard would have been proud of after it was pointed out that, by aligning her regulations with the travel advice of the Department of Foreign Affairs, banning travel was essentially in itself illegal. This, lest we forget, is a department which has displayed a stellar recent pedigree in obfuscation and swearing that black is white until it’s blue in the face, before throwing up its hands in despair and taking everyone to court instead. Remember the PSC anyone?” Cianan Brennan poses a list of questions for the Sideshow Bob Rake Department, most of which will more than likely not be answered.
  • “While data-protection laws have made fundamental shifts in the way companies and government approach the collection, retention, and use of personal data, there are clear limitations on their ability to address the full spectrum of potential harms produced by new forms of data-driven technology, like biometric identification and analysis. Their focus on individual (rather than group) conceptions of harm fails to meaningfully address questions of discrimination and algorithmic profiling.” From ‘Regulating Biometrics: Global Approaches and Urgent Questions’ (direct link to PDF), published by the AI Now Institute and edited by Amba Kak.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
