Privacy Kit

August 25, 2019

The Cat Herder

August 25 · Issue #48
A slight change in running order this week. Rest assured, your weekly helping of Futuendi Gratia is still here though, it’s just been pushed down the page a bit.
😼

Giovanni Buttarelli, the European Data Protection Supervisor, died during the week at the far too young age of 62. Tributes flowed in from around the world. One of the most touching was from his colleague Christian D'Cunha. It captures the spirit of Buttarelli: “No coffee, no meeting,” he warned his personal assistant, arriving in the office one morning.
It also captures the spirit and purpose of data protection.
Data protection was about showing respect for people. It was not an absolute right. It does not block technological progress or public safety or other things that society cares about; it’s essential for ensuring these things are done responsibly and sustainably.
At its core, data protection is about showing respect for people. The data referred to is data about people. Their lives, their hopes, their dreams, their mistakes, their successes. The protection referred to is not, as frequently assumed, to do with securing this data. It is about protection of the information rights of people, ensuring they are treated with dignity and respect, showing awareness of their agency and autonomy.
‘Choose Humanity: Putting Dignity back into Digital’ is the title Buttarelli chose for his keynote address to the International Conference of Data Protection and Privacy Commissioners last year.
Choose Humanity: Putting Dignity back into Digital, speech by Giovanni Buttarelli
Two Statements
It’s interesting to read the recent statement from the Data Protection Commission of Ireland and the response from the Department of Employment Affairs and Social Protection relating to the Public Services Card in Ireland in the light of this.
The DPC statement focuses again and again on individuals and their rights, and how these must be balanced against the interests of the Irish state.
… State agencies make thousands of decisions every day that impact in very direct and significant ways on individual members of the public
… is there transparency and foreseeability in terms of what information is collected and how it will be used?
How does the operation of the system impact on each person’s capacity to exercise meaningful control over their personal information?
the information provided by the Department to the public about the processing of their personal data in connection with the issuing of PSCs is not adequate.
… the approach to the project from a data protection perspective is lacking in coherence and where, more importantly, there is little or no evidence of any attempt to balance the interests of the State, acting through those public bodies who participate in the scheme, and the interests of those members of the public who are required to obtain and produce the card (and provide their personal information when registering for it).
In marked contrast, the statement from the department makes no mention of the rights of individuals. The only glancing mention of the several million people whose rights have been infringed upon is in a comment from the minister, who is concerned that “the public hears a properly prepared response”.
The department has had a very long time to prepare a response properly. A decade ago the Data Protection Commissioner was reported to be in “extensive consultations” with the same department over its plans for the introduction of a card.
The Irish state has had ample time to familiarise itself with the basics of data protection. That data protection is context dependent, based on principles rather than hard and fast rules. Rooted in assessing the risks to the rights and freedoms of individuals as well as the risks to organisations who are processing personal data.
To reiterate, data protection is essential to ensure things are done responsibly and sustainably. The sooner the Irish state realises this the better.
Perhaps best not to hold your breath though.
But lawmakers, across the political spectrum, must ensure the citizens they represent are better protected by asking relevant questions, and demanding clear answers, as these large database schemes are proposed and drafted. Not after – too often, long after – alarms are raised.
September 2017: ‘Public Services Card reveals State ignorance of data privacy issues’, Karlin Lillington, The Irish Times
Instead, the Taoiseach has suggested that the way to address all these problems (some, raised by a UN special rapporteur) is to whip up a few new laws to enable the State to move ahead as desired, rather than rethink the card and its myriad problems.
When will the State learn European and national laws are not aspirational, but rather, mandatory? Even compulsory?
August 2019: ‘State will not learn from Public Services Card fiasco’, Karlin Lillington, The Irish Times
Justin Brookman (@JustinBrookman)
Facebook has released its "Clear History" tool and --- surprise! --- it doesn't really clear history, or stop Facebook tracking you in the future. https://t.co/w9IPHlob7B
4:43 PM - 20 Aug 2019
‘Facebook’s ‘Clear History’ tool arrives with ambiguous data privacy controls’, Washington Post
—
Mercedes spies on drivers by secretly installing tracking devices in cars and passing information to bailiffs – The Sun
Oh yes they did
Here’s the latest from the ‘If it’s got a microphone and it’s connected to the internet it’s probably listening to you’ desk.
Microsoft Contractors Listened to Xbox Owners in Their Homes - VICE
Multiple contractors working for Microsoft explain how they listened to audio captured by Xbox consoles.
It appears even Google is applying a modicum of risk assessment to its product thinking. Though of course in this case it’s the risk to Google that has influenced this decision. Concerned that people might find out what they’re doing.
The withdrawal of the service, which has not been previously reported, has disappointed wireless carriers that used the data as part of their decision-making process on where to extend or upgrade their coverage. Even though the data were anonymous and the sharing of it has become commonplace, Google’s move illustrates how concerned the company has become about drawing attention amid a heightened focus in much of the world on data privacy.
Exclusive: Fearing data privacy issues, Google cuts some Android phone data for wireless carriers - Reuters
Alphabet Inc’s Google has shut down a service it provided to wireless carriers globally that showed them weak spots in their network coverage, people familiar with the matter told Reuters, because of Google’s concerns that sharing data from users of its Android phone system might attract the scrutiny of users and regulators.
—
Collect and store information about people’s sexual orientation and interests? What could possibly go wrong.
Facebook’s ad data may put millions of gay people at risk | New Scientist (€)
Over four million people that live in countries where being gay is illegal have been labelled by Facebook as being interested in homosexuality
The Swedish DPA fined a school 200,000 kronor (~€18,600) for deploying facial recognition technology in an unlawful manner. “The school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA.”
Original (in Swedish)
Translation via Google Translate
—
The Swedish DPA also announced it is forwarding on its review of Google’s use of location data to the Data Protection Commission of Ireland. This is noteworthy as it’s nice to see the DPAs keeping the general public aware of how the cooperation and consistency mechanism is working.
Original (in Swedish)
Translation via Google Translate
On a similar note the Belgian DPA and the Hessian DPA are cooperating on a data breach reported to them by Mastercard.
—
The Czech DPA (UOOU) published an opinion on the use of facial recognition technology at the entrances to football stadia. The DPA doesn’t see a legal basis for this processing to go ahead.
Original (in Czech)
Translation via Google Translate
—
The Spanish DPA (AEPD) published their monthly roundup of breach notifications received.
Original (PDF, in Spanish)
Translation via Google Translate
—
The Berlin DPA has indicated that significant fines (“a double-digit million amount of euros”) are on the way, and that it had imposed two fines totalling circa €200,000 on an organisation for unspecified violations of the GDPR.
—
The Bremen DPA (LfDI) is carrying out a survey of organisations’ usage of Microsoft Office 365 since there are persistent questions about the security and legality of the personal data processed.
Original
Translation via Google Translate
  • “Blocking cookies is bad for privacy. That’s the new disingenuous argument from Google, trying to justify why Chrome is so far behind Safari and Firefox in offering privacy protections. As researchers who have spent over a decade studying web tracking and online advertising, we want to set the record straight.” That’s exactly what Arvind Narayanan and Jonathan Mayer do here.
  • 🐦 This Twitter thread from @Cybermatron on the apparent lack of a legal basis for many, many facial recognition projects underway in the UK.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
