December 19, 2021
That's A Wrap | The Cat Herder, Volume 4, Issue 49
December 19 · Issue #162
As promised last week, here’s a collection of highs and lows from the last year in rough chronological order with a few callbacks here and there and some news items from this very week. Thank you all for reading and a special thank you to everyone who got in touch during the year and said nice things about this newsletter. Have a great holiday and see you in 2022!
January brought vaccines and the publication of the final report of the Commission of Investigation into Mother and Baby Homes. The Minister for Children put down in writing something which the Irish State has long been reluctant to formally acknowledge.
the GDPR is directly applicable … in case of conflict, EU law would prevail over any inconsistent domestic law in accordance with the principle of primacy of EU law.
The Norwegian DPA announced its intention to fine Grindr 100 million krone (~€10 million) for invalid consent. If upheld this decision sets a strong precedent for many other data controllers who also rely on consent which is not “freely given, specific, informed and unambiguous”. More on this later.
As the pandemic raged on into a new calendar year, public health experts began to publicly voice less enthusiastic opinions. Late last year, the poor execution of the contact tracing feature led Monica Castro, director of epidemiological surveillance at Uruguay’s Ministry of Public Health, to publicly assert that Covid apps overall had been less successful than technologists claimed.
Why Uruguay’s “miracle” Covid-19 app failed to deliver - Rest of World
The techno-optimism that fueled the tracking app’s creation fizzled due to privacy worries, technical bugs, and the fact that hardly anyone used it as intended.
By the following week this appeared to be no longer normal practice. Or so the Taoiseach said. (‘No Longer Normal Practice’, 4.12, April 5th.)
We haven’t heard anything at all since about the DPC’s statutory investigation. Which the Secretary General of the Department of Health welcomed while describing it as a “review” which would issue “recommendations”. That’s not how it works Bob.
The DPC wrote to Sinn Féin with some questions about what it might or might not be doing with the personal data of voters in Ireland. It’ll be interesting to see where this goes as these things have a habit of rapidly broadening out from an examination of the use of personal data by one political party into an examination of the use of personal data by all of ‘em.
This is another DPC inquiry we haven’t heard much about since.
Today's headlines: All political parties in State face probe over voter data use - Independent.ie
The Oireachtas Joint Committee on Justice held a hearing during the week. The topic was unmanageably broad. “General Data Protection Regulation (GDPR)”. Amidst quite a lot of noise some good points were made. Many salient issues were not addressed. Unsubtle attempts to score domestic political points were made. Flights of fancy about a discussion draft of a possible draft Bill currently being circulated in Washington somehow crashing the Irish economy were indulged in. The idea that the DPC carries the burden of preventing “a slide towards a dystopia” was floated. The implausible theory that the DPC is sufficiently well funded was aired. In the same week that many of the companies supervised by the DPC reported extraordinary results. For reference, Facebook now has a market cap of approximately 930 billion; Alphabet now has a market cap of approximately $1.6 trillion. The DPC has the power to make decisions which will threaten aspects of the business models of these organisations. Tinkering around the edges by increasing funding and conducting external reviews is unlikely to noticeably change this mismatch in resources.
This remains the case. Except the market caps of the companies have increased since then. And it turns out Senator Ron Wyden never did get around to banning the export of Americans’ personal data to Ireland. Maybe it’s on his to-do list for next year.
it’s illegal for any state body to try to apply any piece of domestic legislation that clashes with EU law. The Court of Justice of the European Union (CJEU), the EU’s top court, confirmed that again recently when the Department of Justice tried to deny it.
We have not yet seen the final draft of the Birth Information and Tracing Bill so we don’t know whether the drafters will take on board the large volume of submissions pointing out the flaws in the General Scheme, and the strong recommendations in the report of the Oireachtas Joint Committee on Children, Equality, Disability, Integration and Youth, published earlier this week after extensive pre-legislative scrutiny. (I was extremely proud to have been able to contribute to the Clann Project’s submission to the Committee on the General Scheme, which you can read here.)
“Even the most benign parent will eventually lose their patience,” he said of the DPC’s tolerance for State bodies’ intransigence on GDPR compliance.
The Department of Children maintains its posture of ‘nope’ when it comes to releasing medical records in the archive of the Mother and Baby Homes Commission; the UK government backs down (for a while) on the GP data grab. Yes, it’s the same two stories again this week in this section. And in both these stories we see organisations which have lost the trust of data subjects. In the case of the various parts of the Irish state which are involved in the ongoing shambolic, disrespectful and offensive mishandling of every aspect of the Mother and Baby Homes Commission report and what has come after, there’s little indication that the ability to regain that trust even exists. Children’s Minister Roderic O'Gorman has raised concerns about the continued redaction of records and is seeking the advice of the Data Protection Commissioner. On reading this you could easily be forgiven for thinking the minister wasn’t - at least nominally - in charge of his department. Because it’s his department which is carrying out the “continued redaction of records” and unlawful withholding of records.
The DPC will “face a more emboldened and entrenched group of systematic infringers” of General Data Protection Regulation (GDPR) unless it moves to a tougher enforcement model, the committee concluded. It added that the Minister for Justice should take any necessary steps to ensure this can happen. The report makes recommendations which vary from the good to the peculiar to the questionable. The report is titled ‘Report on meeting on 27th April 2021 on the topic of GDPR’. So it would appear reasonable to interpret this as being a report which is only concerned with the two short public sessions held on 27th April 2021. In the introduction it is noted that “[t]he Joint Committee on Justice invited submissions from stakeholders on the topic of GDPR. On 27th April 2021, the Committee held a public engagement with several of these stakeholders.” It is unclear whether the stakeholders invited to the public meeting of the Committee were the only stakeholders who made submissions, or whether these were the only submissions considered. The quote above, taken from the introduction, implies that only some of the stakeholders who were invited to make submissions were invited to the two public sessions. However, the report itself contains only submissions from those who gave evidence during the two public sessions and makes no reference to any other submissions. It doesn’t seem possible that a report based on submissions and evidence from only four entities could be regarded as in any way definitive. While the body of the report makes fleeting mention of data processing in the public sector (page 18 - “In addition, better knowledge and awareness of GDPR by governmental departments and state bodies was also recommended”) there is no further mention of this in the recommendations. Which brings us back to the quote at the start of this section, taken from the first of the Committee’s recommendations. 
The Committee “recommends … the Minister for Justice ensures the provision of whatever means may be necessary to support” the DPC moving “from emphasising guidance to emphasising enforcement as a matter of urgency” lest the DPC “face a more emboldened and entrenched group of systematic infringers”. As the Minister for Justice and the Minister for Social Protection are currently the same person one can only imagine this recommendation by the Committee will lead to some tense exchanges of letters between Heather Humphreys and Heather Humphreys. Because there isn’t a public sector data controller in the country which more aptly fits the description of systematic infringer than the Sideshow Bob Rake Department.
Yesterday we were gradually headed towards a future where less and less of our information had to be under the control and review of anyone but ourselves. For the first time since the 1990s we were taking our privacy back. Today we’re on a different path.
The questionable business model of harvesting DNA from Irish people on exceedingly shaky legal grounds accompanied by the equally questionable decision of the state’s investment vehicle to pour tens of millions into the entity operating said business model demands answers which, sadly, are unlikely to be forthcoming.
Today’s decision is also significant because it provides data controllers everywhere with fresh insight into what regulators are thinking about very specific issues, in this case transparency. Users do need to start paying more attention to what they are being told and more importantly what they aren’t about how their data is processed and used before signing up. Awareness is key. And a €225m fine is a pretty effective way of raising it.
WhatsApp fine offers pause for thought - between pinging messages
It is used by two billion people globally each month.
While the disagreement between the Irish DPC and the EDPB over the calculation of the fine took centre stage following the publication of the decision this week, the overwhelming majority of Dixon’s findings were uncontested by other European supervisory authorities on the board. The findings also seem to reveal plenty about WhatsApp Ireland’s approach to its transparency obligations under GDPR thus far — and leave no doubt about the gravity of the breaches involved…. the WhatsApp decision itself should make clear to businesses like Facebook what, exactly, their transparency obligations are under GDPR.
'Patent ambiguity': WhatsApp's record €225 million fine underlines grave transparency issues
The Data Protection Commission’s final 250-plus page decision could be significant for the application of GDPR.
Clearview AI spent the year getting kicked out of an increasing number of countries across the world, with various law enforcement agencies in Europe being fined and reprimanded for unlawfully using the company’s technology.
In this thread on Twitter Philip Boucher-Hayes outlines the latest developments in his efforts to get to the bottom of the use of Clearview by An Garda Síochána.
Spoiler: the Garda Press Office has a form of words it’s happy with which hinges on a vague phrase about the technology not being “deployed in this State.” Something which could be narrowly technically true about any cloud-based service.
This is an interesting twist to slowly unfolding saga. In Feb 2020 I asked An Garda Siochana were they using this facial recognition tech. They said they “had no relationship” with the company. 1/ https://t.co/qT3QuXiOiD
Will there be further developments in this story in 2022? There might be.
A cost benefit analysis of the SAFE-PSC-MyGovID Framework written by the head of investment analysis at the Department of Social Protection (which is still busy delaying its own appeal against the DPC’s decision of more than two years ago, which came after an investigation into this system which lasted close to two years, which is in turn delaying the completion of the second part of the DPC’s investigation) was published by the Department of Public Expenditure and Reform (the subject of an investigation by the DPC into this system which was opened in August of this year) on Friday afternoon.
This analysis uses the word “counterfactual” 207 times. It mentions the Data Protection Commission zero times. Ignoring the DPC decision and ongoing investigations is certainly staying true to the principles of the counterfactual approach or, as it’s more commonly known, speculative fiction.
The Public Services Card saga entered a new phase with the Department of Social Protection abandoning its appeal before it reached court while insisting it was but a flesh wound.
Privacy Kit, Made with 💚 in Dublin, Ireland
From ‘“a broken, surreptitious industry in desperate need of regulation”’, 4.06, February 14th -
In related news we learned earlier this week that in Ireland the ‘Covid tracker app committee has met just once’.
In March Prime Time Investigates revealed that the ‘Department of Health built secret dossiers on children with autism’. Which the department initially described as “normal practice”. (‘Normal Practice’, 4.11, March 28th.)
Digital Rights Ireland launched their ‘Mass legal action against Facebook over data breach’.
This prediction made in ‘False Or Misleading’, 4.14, April 18th turned out to be accurate.
From ‘Relevant Ads Save Lives’, 4.16, May 3rd -
The Minister for Children published the General Scheme of the Birth Information and Tracing Bill. Which could be read as a second attempt by his department in less than a year to position a piece of domestic legislation outside the scope of the GDPR and the principles of EU law. This piece from January in the Irish Examiner puts the first attempt in context: ‘Simon McGarr: It’s time to tell the truth – give survivors their data’.
From ‘HSE could face €1m fine for GDPR failings over cyber attack’
May was also the month of “Put your Eircode on your bike”.
From ‘Misadvised’, 4.22, June 13th -
From ‘Minister To Minister’, 4.27, July 25th -
August was the month of Apple’s new child protection features.
These were ‘paused’ the following month.
The Irish state’s €66 million Genomics Medicine Ireland experiment ended with a loss. From ‘PSC Anniversary’, 4.32, August 22nd -
The DPC’s WhatsApp decision was published.
From ‘“the most egregious of a very bad bunch”’, 4.39, October 10th
From ‘Counterfactual’, 4.43, November 7th -
The Norwegian DPA finalised its fine against Grindr. It will be interesting to watch this develop in 2022 as Grindr operates worldwide. Natasha Lomas’ piece in TechCrunch on the wider implications of this sanction is well worth your time.
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.