Privacy Kit

April 14, 2019

The Cat Herder

A busy week. Facebook just kept right on Facebooking. As did everyone else. 😼
 
April 14 · Issue #29

The New York Times fancy new 'Privacy Project' homepage is stuffed to the gills with third-party tracking scripts. https://t.co/vSGOsukFHG https://t.co/iT8UyGPzBx
— Pinboard (@Pinboard), 3:57 PM - 11 Apr 2019

This is like the NYT running a special issue on arson and delivering it to your porch already on fire
— Pinboard (@Pinboard), 5:49 PM - 11 Apr 2019
Surprise!
Amazon reportedly has thousands of people listening to snippets of Alexa conversations (www.cnbc.com)
Amazon employees are listening to some conversations through Alexa in order to help the voice assistant improve its understanding of speech, according to Bloomberg.
But wait, there’s more. Not merely listening but sharing. Yet more surprise!
Everything in this Echo/Alexa article is horrifying. "Two of the workers said they picked up what they believe was a sexual assault. When something like that happens, they may share the experience in the internal chat room as a way of relieving stress." https://t.co/E3xugpSQQ8 https://t.co/rkqXAd2q9O
— Violet Blue® (@violetblue), 7:02 AM - 11 Apr 2019

Is Anyone Listening to You on Alexa? A Global Team Reviews Audio - Bloomberg (www.bloomberg.com)
A global team reviews audio clips in an effort to help the voice-activated assistant respond to commands.
—
Unprecedented levels of surprise! ‘Is your pregnancy app sharing your intimate data with your boss?’
“Maybe I’m naive, but I thought of it as positive reinforcement: They’re trying to help me take care of myself,” said Diller, 39, an event planner in Los Angeles for the video game company Activision Blizzard. The decision to track her pregnancy had been made easier by the $1 a day in gift cards the company paid her to use the app: That’s “diaper and formula money,” she said.
Connecting a few DNA dots …
Karlin Lillington had a piece in The Irish Times on Thursday about Genomics Medicine Ireland, the Irish branch of WuXi NextCODE and the increasing number of unanswered questions about its operations.
It’s strange that an already operational EU-based DNA company is asking a government department for clarification on some basic GDPR data consent, transfer and governance issues.
Controversy regarding consent has already arisen over the transfer by Our Lady’s hospital in Crumlin of the DNA records of 1,500 Irish children to GMI in 2016.
 “The requirements to have informed consent either for biomedical research or for processing personal data are far from new,” says Dr Katherine O’Keefe, head of training and research, and ethicist with data consultancy Castlebridge, who has co-authored a book on data ethics. “All but one of the core data-protection principles have been in Irish law since 1988.”
 She adds: “Asking for an exemption from the requirements for consent for data that GMI already has, now raises the question why GMI doesn’t have the proper documentation of consent from when they obtained the data.”
On Friday the Information Commissioner’s Office in the UK announced a £400,000 fine for Bounty, “a pregnancy and parenting club” which “collected personal information for the purpose of membership registration through its website and mobile app, merchandise pack claim cards and directly from new mothers at hospital bedsides.”
Commenting on the fine, Steve Eckersley, ICO’s Director of Investigations, said “Bounty were not open or transparent to the millions of people that their personal data may be passed on to such large number of organisations. Any consent given by these people was clearly not informed.”
The European Data Protection Board’s 9th Plenary Session also took place during the week. Digiday interviewed European Data Protection Supervisor Giovanni Buttarelli as the plenary was still going on. He had some relevant comments on consent:
It requires an active approach. Even ticking a box does not necessarily mean consent is freely given. Unambiguous consent means it must not only be explicit but meaningful
The requirements set out in the GDPR for any consent to the processing of personal data are the same no matter whether the processing is for the purpose of medical research or the purpose of serving targeted advertisements on a website.
In January of this year the European Data Protection Board adopted Opinion 3/2019 concerning the Questions and Answers on the interplay between the Clinical Trials Regulation (CTR) and the General Data Protection regulation (GDPR) (art.70.1.b)) [direct PDF link]. This Opinion stresses that “the informed consent foreseen under the CTR must not be confused with the notion of consent as a legal ground for the processing of personal data under the GDPR.”
16. The obligation to obtain the informed consent of participants in a clinical trial is primarily a measure to ensure the protection of the right to human dignity and the right to integrity of individuals under Article 1 and 3 of the Charter of Fundamental Rights of the EU; it is not conceived as an instrument for data protection compliance.
17. Under the GDPR, consent must be freely given, specific, informed, unambiguous, and explicit consent is required when the processing of special categories of data, such as health data, are involved (Article 9(2)(a) GDPR).
In other words, informed consent and GDPR-compliant consent are two distinct items and the conditions required for both must be satisfied.
The Sunday Times reports today that some “Irish hospitals are allowing Genomics Medicines Ireland (GMI) to collect samples and data from patients attending clinics.”
The Data Protection Commission issued guidance on taking photos at school events and similar occasions and the limits of the household exemption.
—
The European Data Protection Board published a draft of the Guidelines 2/2019 on the processing of personal data under Article 6(1)(b) GDPR in the context of the provision of online services to data subjects and is looking for comments before finalising them.
  • The aforementioned New York Times Privacy Project which in addition to the large volume of embedded trackers has a wealth of good writing on the subject.
  • ‘Online Privacy Isn’t Dead—If We Fight for It’ by Trevor Timm concisely slaps down four pernicious fallacies about privacy and data protection.
  • From last month by Joke Bodewits and Benjamino Blok for the Hogan Lovells Chronicle of Data Protection, ‘Dutch Data Protection Authority Sets GDPR Fines Structure’. Includes some figures to focus the minds of data controllers such as a €100,000 default fine for “simple violations such as … not publishing the contact details of the Data Protection Officer”
  • “The police then administered what they call a “health check,” which involves collecting several types of biometric data, including DNA, blood type, fingerprints, voice signature and face signature—a process which all adults in Xinjiang are expected to undergo.” Logic Magazine has a detailed and chilling piece by Darren Byler on Chinese state surveillance in the Xinjiang region.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.