Privacy Kit

Subscribe
Archives
September 13, 2020

The Cat Herder

Leaks! Facebook! Judicial review! Sadly even adding exclamation marks can't make this exciting or any
 
September 13 · Issue #99 · View online
The Cat Herder
Leaks! Facebook! Judicial review! Sadly even adding exclamation marks can’t make this exciting or anything other than the latest in a series of time wasting moves by Facebook.
😼

No. Just no.
Amazon's Alexa for Landlords Is a Privacy Nightmare Waiting to Happen
www.gizmodo.com.au – Share
You know that clip of Steve Carell from The Office where he’s shouting “No, God! No, God, please no! No! No! Nooooooooo!” That’s how I feel about Amazon’s announcement that it’s adding a new service to Alexa for landlords. It’s called Alexa for Residential that, according to Amazon, “makes it…
—
It’s just over ten months since DPC told Digital Rights Ireland it had “commenced a “widespread compliance and supervision” examination” of GMI/Genuity. Since then we’ve heard nothing further while the DNA data harvesting continues apace.
Roisín Shortall TD posted a video message on Twitter about the latest in this seemingly unstoppable march through the stored DNA samples of people in Ireland which this private company has been permitted to go on.
Roisin Shortall
Roisin Shortall
@RoisinShortall
Were you or anyone you know treated for a brain tumour in Beaumont Hospital between the 29th Nov 1987 and the 7th Aug 2018? If so, your archived brain tissue samples will be used in a new research study, unless you opt-out by Monday. Please watch for info. https://t.co/1Gxr9kFyeI
7:29 PM - 10 Sep 2020
Mandatory COVID-19 apps could result in an even worse outcome than that of tracking athletes—whom universities may be able to coerce more effectively because many athletes need their scholarships—because public health rests on trust and cooperation. Knowing that they are being tracked, some students will no doubt let their phone “sleep” peacefully in their bed while they party elsewhere. If a few get sick, they may hide it, for fear of having their tech trickery found out.
The Pandemic Is No Excuse for Colleges to Surveil Students - The Atlantic
www.theatlantic.com – Share
Trying to do so is all but useless.
A lot of us did
A lot of us did
Tusla expresses concern over bringing itself into compliance with recommendations after being fined €115,000 for a series of data breaches – TheStory.ie
www.thestory.ie – Share
Child and family agency Tusla expressed serious concerns over whether it would be able to bring itself into line with recommendations from the Data Protection Commissioner following a series of serious data breaches.
—
Portland became the first city in the US to vote for a ban on private sector use of facial recognition. Whatever did happen to the very large array of facial recognition technology which was going to be deployed in the new national children’s hospital in order to prevent baby-snatching? (see issue 2 of this newsletter from January 2020)
Portland’s city council also voted to ban local government bureaus from acquiring or using the controversial surveillance technology. Several U.S. cities, including San Francisco and Oakland, have previously banned government use of facial recognition.
Portland votes for first-ever U.S. ban on corporate use of facial recognition | Reuters
www.reuters.com – Share
Portland on Wednesday voted in favor of the first-ever ban in the United States on private entities, such as restaurants and retail stores, from using facial recognition technology in public places in the city.
Or un-regulators, in some situations
Or un-regulators, in some situations
The fallout from Schrems II rumbles on. The Swiss data protection authority recommended that the Swiss Privacy Shield be chucked in the bin.
It emerged the DPC had told Facebook it couldn’t use SCCs as a replacement for the EU-US Privacy Shield.
Facebook told it can no longer send user data from EU to US
www.thejournal.ie – Share
The social media giant said the Data Protection Commission told it the key mechanism it uses to transfer data to the US “cannot in practice be used”.
Someone leaked some details of the approach the DPC was taking to the Wall Street Journal, which ran a story (€) on Wednesday. Facebook put out a statement from Nick Clegg shortly after the story appeared in the WSJ. Max Schrems and noyb also put out a statement shortly afterwards. This included copies of correspondence between noyb and Facebook and noyb and the DPC.
On Thursday Facebook sought a judicial review of the DPC’s preliminary decision. Which is nothing more than more time wasting. Which Facebook can certainly afford.
—
The ICO appears to have given up regulating in some cases. A supervisory authority failing to exercise its powers to compel data controllers to comply with access requests is alarming. Without the right of access most other data subject rights are unavailable.
Here we have the ICO telling a data subject that it will not take action against a public authority data controller which has infringed her rights by failing to comply with an access request. Instead, the requester must seek her own legal advice (almost inevitably at her own significant cost).
If ICO won’t regulate the law, it must reboot itself | information rights and wrongs
informationrightsandwrongs.com – Share
The exercise of the right of (subject) access under Article 15 of the General Data Protection Regulation (GDPR) is the exercise of a fundamental right to be aware of and verify the lawfulness of the processing of personal data about oneself. That this is a fundamental right is emphasised by the range of enforcement powers…
—
The Belgian DPA fined a local political organisation €3,000 for sending out election ads without a lawful basis and without providing information to the data subjects.
—
The Hungarian DPA fined the publisher of the Hungarian edition of Forbes magazine 4.5 million Forints (~€12,500) for a laundry list of infringements related to its publication of a rich list.
—
The EDPB published a public consultation version of its guidelines on the concepts of controller and processor in the GDPR. The consultation closes on the 19th October.
  • “The majority of people (up to 83% in Spain) think that consumers should be well informed when they deal with an automatic decision system*. Respondents agree or strongly agree that AI users should have the right to say “no” to automated decision-making. The numbers are as high as 78% in Italy and Portugal and 80% in Spain*.” From BEUC‘s 'Artificial Intelligence: what consumers say’ report (direct link to PDF).
  • “There is an added concern about how AI, used in combination with facial recognition and other biometric processing technologies can facilitate unlawful mass surveillance in public spaces. Risks of surveillance, profiling and discrimination are interconnected, particularly when likely to be deployed disproportionately in lower income or minority areas.4 EDRi is calling for an outright ban on biometric mass surveillance, or the untargeted processing of data (such as facial and speech recognition) in public places.” From the EDRi‘s explainer on Artificial Intelligence and Fundamental Rights (direct link to PDF).
  • “There has been a lot of debate as to whether targeting social media users can be carried out by a controller on the basis of "legitimate interests”. Some commentators have been quite insistent that only “consent” is good enough. In this guidance, the EDPB recognises that both “legitimate interests” and “consent” are potential options. I am emphasising “potential” here, since the guidance — paragraphs 44-49 — set out what the EDPB expects of a controller looking to rely on legitimate interests.“ Neil Brown looks at the EDPB’s guidance on targeting social media users.
—
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland

Leaks! Facebook! Judicial review! Sadly even adding exclamation marks can’t make this exciting or anything other than the latest in a series of time wasting moves by Facebook.

😼

No. Just no.

You know that clip of Steve Carell from The Office where he’s shouting “No, God! No, God, please no! No! No! Nooooooooo!” That’s how I feel about Amazon’s announcement that it’s adding a new service to Alexa for landlords. It’s called Alexa for Residential that, according to Amazon, “makes it…

—

It’s just over ten months since DPC told Digital Rights Ireland it had “commenced a “widespread compliance and supervision” examination” of GMI/Genuity. Since then we’ve heard nothing further while the DNA data harvesting continues apace.

Roisín Shortall TD posted a video message on Twitter about the latest in this seemingly unstoppable march through the stored DNA samples of people in Ireland which this private company has been permitted to go on.

Were you or anyone you know treated for a brain tumour in Beaumont Hospital between the 29th Nov 1987 and the 7th Aug 2018? If so, your archived brain tissue samples will be used in a new research study, unless you opt-out by Monday. Please watch for info. pic.twitter.com/1Gxr9kFyeI

— Róisín Shortall (@RoisinShortall) September 10, 2020

Trying to do so is all but useless.

Child and family agency Tusla expressed serious concerns over whether it would be able to bring itself into line with recommendations from the Data Protection Commissioner following a series of serious data breaches.

—

Portland became the first city in the US to vote for a ban on private sector use of facial recognition. Whatever did happen to the very large array of facial recognition technology which was going to be deployed in the new national children’s hospital in order to prevent baby-snatching? (see issue 2 of this newsletter from January 2020)

Portland on Wednesday voted in favor of the first-ever ban in the United States on private entities, such as restaurants and retail stores, from using facial recognition technology in public places in the city.

The fallout from Schrems II rumbles on. The Swiss data protection authority recommended that the Swiss Privacy Shield be chucked in the bin.

It emerged the DPC had told Facebook it couldn’t use SCCs as a replacement for the EU-US Privacy Shield.

The social media giant said the Data Protection Commission told it the key mechanism it uses to transfer data to the US “cannot in practice be used”.

Someone leaked some details of the approach the DPC was taking to the Wall Street Journal, which ran a story (€) on Wednesday. Facebook put out a statement from Nick Clegg shortly after the story appeared in the WSJ. Max Schrems and noyb also put out a statement shortly afterwards. This included copies of correspondence between noyb and Facebook and noyb and the DPC.

On Thursday Facebook sought a judicial review of the DPC’s preliminary decision. Which is nothing more than more time wasting. Which Facebook can certainly afford.

—

The ICO appears to have given up regulating in some cases. A supervisory authority failing to exercise its powers to compel data controllers to comply with access requests is alarming. Without the right of access most other data subject rights are unavailable.

The exercise of the right of (subject) access under Article 15 of the General Data Protection Regulation (GDPR) is the exercise of a fundamental right to be aware of and verify the lawfulness of the processing of personal data about oneself. That this is a fundamental right is emphasised by the range of enforcement powers…

—

The Belgian DPA fined a local political organisation €3,000 for sending out election ads without a lawful basis and without providing information to the data subjects.

—

The Hungarian DPA fined the publisher of the Hungarian edition of Forbes magazine 4.5 million Forints (~€12,500) for a laundry list of infringements related to its publication of a rich list.

—

The EDPB published a public consultation version of its guidelines on the concepts of controller and processor in the GDPR. The consultation closes on the 19th October.

  • “The majority of people (up to 83% in Spain) think that consumers should be well informed when they deal with an automatic decision system*. Respondents agree or strongly agree that AI users should have the right to say “no” to automated decision-making. The numbers are as high as 78% in Italy and Portugal and 80% in Spain*.” From BEUC‘s 'Artificial Intelligence: what consumers say’ report (direct link to PDF).
  • “There is an added concern about how AI, used in combination with facial recognition and other biometric processing technologies can facilitate unlawful mass surveillance in public spaces. Risks of surveillance, profiling and discrimination are interconnected, particularly when likely to be deployed disproportionately in lower income or minority areas.4 EDRi is calling for an outright ban on biometric mass surveillance, or the untargeted processing of data (such as facial and speech recognition) in public places.” From the EDRi‘s explainer on Artificial Intelligence and Fundamental Rights (direct link to PDF).
  • “There has been a lot of debate as to whether targeting social media users can be carried out by a controller on the basis of "legitimate interests”. Some commentators have been quite insistent that only “consent” is good enough. In this guidance, the EDPB recognises that both “legitimate interests” and “consent” are potential options. I am emphasising “potential” here, since the guidance — paragraphs 44-49 — set out what the EDPB expects of a controller looking to rely on legitimate interests.“ Neil Brown looks at the EDPB’s guidance on targeting social media users.

—

Endnotes & Credits

  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

Don't miss what's next. Subscribe to Privacy Kit:
X
Powered by Buttondown, the easiest way to start and grow your newsletter.