January 17, 2021
The Cat Herder
| |
| January 17 · Issue #115 · View online |
|
|
A shorter issue this week (and more than likely next week too) due to some entirely unforeseen personal issues which are consuming a lot of my time right now. 😼
|
|
|
Some readers may notice that this accident in the UK is very similar to the plot line of an episode of The Thick Of It ( Series 3, Episode 2). Fingers crossed it’s all resolved as neatly in real life as it was in fiction when the missing records are discovered on a USB key in the bottom of somebody’s second best bag. |
Home Office 'working to restore' lost police records - BBC News
Hundreds of thousands of DNA and arrest records were deleted after a human error, the Home Office says.
|
|
|
“From a data protection perspective we do not see the need to use Deutsche Post’s database,” said Barbara Thiel. “Once again, a false impression was created that data protection is treated as the highest good and prevents necessary measures. Regrettably my office was not consulted on these questions by the social ministry.”
|
German Covid vaccine officials play name game to comply with data privacy laws | World news | The Guardian
Authorities in Lower Saxony accused of overzealous interpretation of data privacy laws
|
|
Oh yes we did
|
Every Deleted Parler Post, Many With Users' Location Data, Has Been Archived
In the wake of the violent insurrection at the U.S. Capitol by scores of President Trump’s supporters, a lone researcher began an effort to catalogue the posts of social media users across Parler, a platform founded to provide conservative users a safe haven for uninhibited “free speech” — but which ultimately devolved into a hotbed of far-right conspiracy theories, unchecked racism, and death threats aimed at prominent politicians.
|
|
|
No evidence, said the final report of the Comission of Investigation into the Mother and Baby Homes. Despite the survivors’ testimonies contining a wealth of evidence.
|
From a data protection perspective the revelation that the Commission of Investigation does not know what the word transcript means was highly alarming. Noelle Brown told Claire Byrne on Wednesday morning that what she was supplied with as a ‘transcript’ of her testimony to the Commissions’ Confidential Committee was nothing of the sort. It was an interpretation of her evidence “shoehorned” into an interview template of 222 questions. This ‘transcript’ therefore contained ‘answers’ to questions she had never been asked. |
The Commission of Investigation has an obligation to correct these inaccuracies without undue delay, and certainly before its archive is transferred to the Minister for Children, Equality, Disability, Integration and Youth. Since the Commission has up until this point refused to comply with Subject Access Requests and issued only terse one line statements to RTÉ after the story of the inaccuracies in Noelle’s testimony broke it seems doubtful whether it will comply with its obligation to rectify the records it holds.
|
|
|
And yet, just last Friday, the minister advertised for data protection experts to help draft the rules his department would use when mother and baby home survivors sent in their GDPR data access requests. And there, once again, in the document was a requirement that the applicants acknowledge the same old fantasy of domestic restrictions on releasing data: “The particular legal regime applying to a commission of investigation requires consideration whether the release of personal data may prejudice the effective operation of commissions and the future cooperation of witnesses.” To be clear – this restriction is invalid under GDPR.
|
|
|
|
|
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
|
The draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) © GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.
|
|
|
|
|
|
|
This new privacy policy also does not apply to WhatsApp in the European Union (EU), which has strict privacy laws. WhatsApp said any plan to share data with Facebook or other group companies would only be done once the company made an agreement with the Irish Data Protection Commission, the lead regulator for the service in Europe.
|
|
|
|
|
|
|
|
|
The Spanish DPA fined CaixaBank S.A. €6 million “for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In relation to the violation of Articles 13 and 14 of the GDPR, the resolution highlights, among other things, that the information provided by CaixaBank in different documents and channels was not uniform, imprecise terminology was used within the privacy policy, and information about the category of personal data processed, profiles made of users and specific uses of the same, as well as the exercise of rights and data retention periods, was insufficient.” |
|
|
- The Norwegian Consumer Council (Forbrukerradet) filed a legal complaint with the Norwegian Consumer Protection Authority against Amazon for breaches of the Unfair Commercial Practices Directive. This is of interest because many of the same dark patterns detailed in the complaint are used in cookie notices and other data protection information to trick people into sharing data they don’t want to.
-
This Twitter thread about a 2 year tussle with a mobile network operator and the DPC over gaining access to personal data, in this case location data held by the operator. Oh and by the way, it turns out the Central Statistics Office is monitoring people’s movements in collaboration with Three. For mysterious Covid-related reasons.
|
|
|
|
|
If you know someone who might enjoy this newsletter do please forward it on to them.
|
|
Did you enjoy this issue?
|
|
|
|
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
|
|
|
|
Privacy Kit, Made with 💚 in Dublin, Ireland
|
|
|
A shorter issue this week (and more than likely next week too) due to some entirely unforeseen personal issues which are consuming a lot of my time right now.
😼
Some readers may notice that this accident in the UK is very similar to the plot line of an episode of The Thick Of It (Series 3, Episode 2). Fingers crossed it’s all resolved as neatly in real life as it was in fiction when the missing records are discovered on a USB key in the bottom of somebody’s second best bag.
Hundreds of thousands of DNA and arrest records were deleted after a human error, the Home Office says.
Authorities in Lower Saxony accused of overzealous interpretation of data privacy laws
In the wake of the violent insurrection at the U.S. Capitol by scores of President Trump’s supporters, a lone researcher began an effort to catalogue the posts of social media users across Parler, a platform founded to provide conservative users a safe haven for uninhibited “free speech” — but which ultimately devolved into a hotbed of far-right conspiracy theories, unchecked racism, and death threats aimed at prominent politicians.
No evidence, said the final report of the Comission of Investigation into the Mother and Baby Homes. Despite the survivors’ testimonies contining a wealth of evidence.
From a data protection perspective the revelation that the Commission of Investigation does not know what the word transcript means was highly alarming. Noelle Brown told Claire Byrne on Wednesday morning that what she was supplied with as a ‘transcript’ of her testimony to the Commissions’ Confidential Committee was nothing of the sort. It was an interpretation of her evidence “shoehorned” into an interview template of 222 questions. This ‘transcript’ therefore contained ‘answers’ to questions she had never been asked.
The Commission of Investigation has an obligation to correct these inaccuracies without undue delay, and certainly before its archive is transferred to the Minister for Children, Equality, Disability, Integration and Youth. Since the Commission has up until this point refused to comply with Subject Access Requests and issued only terse one line statements to RTÉ after the story of the inaccuracies in Noelle’s testimony broke it seems doubtful whether it will comply with its obligation to rectify the records it holds.
Simon McGarr has a detailed exploration of the ongoing attempts to avoid allowing people to exercise their rights by the next arm of state which will hold the archive when the Commission is dissolved at the end of February, the Department of Children, Equality, Disability, Integration and Youth.
The European Data Protection Board and the European Data Protection Supervisor adopted joint opinions on two sets of new Standard Contractual Clauses.
—
In other Schrems-related news, after “lengthy legal wrangling over procedure, jurisdiction and other technicalities, the DPC told the Schrems legal team on Tuesday that it would open its investigation irrespective of the outcome of an ongoing court case in Dublin involving” Facebook.
—
I’m willing to bet this is the first time the DPC has appeared on Snopes.com.
—
The Norwegian DPA fined Coop Finnmark NOK 400,000 (~€39,000) for unlawful sharing of CCTV footage and another unnamed company the same amount for unlawful forwarding of an employee’s emails.
—
The Spanish DPA fined CaixaBank S.A. €6 million “for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In relation to the violation of Articles 13 and 14 of the GDPR, the resolution highlights, among other things, that the information provided by CaixaBank in different documents and channels was not uniform, imprecise terminology was used within the privacy policy, and information about the category of personal data processed, profiles made of users and specific uses of the same, as well as the exercise of rights and data retention periods, was insufficient.”
- The Norwegian Consumer Council (Forbrukerradet) filed a legal complaint with the Norwegian Consumer Protection Authority against Amazon for breaches of the Unfair Commercial Practices Directive. This is of interest because many of the same dark patterns detailed in the complaint are used in cookie notices and other data protection information to trick people into sharing data they don’t want to.
-
This Twitter thread about a 2 year tussle with a mobile network operator and the DPC over gaining access to personal data, in this case location data held by the operator. Oh and by the way, it turns out the Central Statistics Office is monitoring people’s movements in collaboration with Three. For mysterious Covid-related reasons.
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
