Privacy Kit

July 19, 2020

The Cat Herder

Schrems. Yes. But other things too. 😼
 
July 19 · Issue #91

“The Students Awards Agency for Scotland (SAAS) used technology that is not even available to Police Scotland, which has placed a moratorium on its use amid human rights concerns.”
SCOTLAND’S STUDENT LOANS AGENCY USES FACIAL RECOGNITION TO CATCH FRAUDSTER - FutureScot
futurescot.com
Back in 2011 - even before there was such a thing as the Facebook Timeline - friction-less sharing was introduced as a concept by Mark Zuckerberg. It was described by ReadWriteWeb at the time:
Here’s how it works: Anytime you’re reading news from a social news app or listening to music from a social music app, Facebook automatically shares it to your Facebook profile (soon to be Timeline).
The goal for Facebook was, as always, to acquire more information to add to its profiles of individuals.
While the nuts and bolts of this particular implementation may not have hung around, the concept certainly did, and knitted itself into the fabric of the web. It made its way into developer tools provided by the platforms, liking and sharing buttons on websites which doubled as silent snoopers tracking your movements around the web and the truly mind-boggling labyrinths of interconnecting tubes which make up adtech.
C-311/18 can certainly be called a landmark judgment by the Court, but it was also in many ways a clarification and restatement of positions that have been clear and can be traced through cases such as DRI in 2014, Tele2 / Watson in 2016 and the first Schrems judgment in 2018. It is the Court saying to the Commission, the wider array of directly involved stakeholders and anybody else who’s watching ‘Yes, we mean what we say about the importance of Charter and data protection rights.’
Although it isn’t overtly stated anywhere in the text of the GDPR, one of its intentions and effects was to introduce more friction into the use of personal data. To attempt to shift some of the costs and risks of processing back onto those doing the processing and away from those whose data is being processed. To make data controllers deeply consider their data processing activities rather than kludging together some code and spinning up a server or continuing the standard industry practice of collecting as much data as possible and figuring out what it might be useful for later.
This judgment confirms that the rebalancing of power in the relationship between controllers and data subjects has to be done in daylight. It cannot be cloaked in nod-and-a-wink agreements.
It also means that many of the compliance-in-a-box solutions that have been popping up in the market may not be effective at all. This judgment reaffirms that those involved in data protection compliance must show their work, make their assessments and be prepared to defend and justify them. Humans from the data controller talking to humans from the supervisory authority about what the controller plans on doing with the personal data of other humans. Individual data subjects have rights; personal data is part of who they are and not a raw material, per Zuboff, for a wildly profitable economic activity. The rights follow the data whether it’s to a data centre in Ashbourne or through an undersea cable and over to California, or China, or Chennai.
What happens next? For individuals nothing especially noticeable will happen, unless Mark Zuckerberg decides he’s had enough of his quest to become the Emperor Of All Information via unchecked corporate power, shuts down Faceberg and refocuses all his efforts on hassling the natives in Hawaii.
The DPC can feel vindicated in seeking (and taking more than a bit of a convoluted route to) this week’s judgment. It does now have to act fairly promptly, since the Court makes it very clear in paragraph 112 that “the supervisory authority is nevertheless required to execute its responsibility for ensuring that the GDPR is fully enforced with all due diligence”, and further in paragraph 121:
unless there is a valid Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of the GDPR and by the Charter, cannot be ensured by other means
The requirement for a far greater number of Standard Contractual Clauses to be assessed in detail by data protection authorities means these authorities will need more resources. It seems to follow from this that the Irish state’s foolish underfunding of the Data Protection Commission will come under much more intense external scrutiny soon enough.
Schrems is happy with the outcome, saying on an IAPP webinar on Friday that NOYB got the answers they wanted to the questions they asked the Court.
The real head-scratching over the next few months will happen in companies who used the now dead Privacy Shield, wish to keep transferring data to the United States and don’t have the scale or expertise to switch seamlessly to SCCs.
More
Simon McGarr’s The Gist has a wonderfully concise explanation of what the judgment is about. Far more than just the gist.
Karlin Lillington put together a thread on Twitter with links to many of her pieces for the Irish Times about the shaky foundations on which Privacy Shield was based. These pieces go all the way back to February 2016. So don’t pay any attention to anybody who claims to be surprised by this judgment.
ultimately, this decision poses a shattering challenge to the data-centric business models of many companies, from social media platforms to advertising giants, which make their money by exploiting users’ personal data.
The list culminates with her latest.
‘“You Were Only Supposed to Blow the Bloody Doors Off!”: Schrems II and external transfers of personal data’ won the battle of the headlines we didn’t even know was going to happen.
The headline on this piece from K&L Gates deserves a prize for gamely continuing the medieval armour and arms theme: ‘EU Data Protection: Privacy Shield Shattered by the Sword of European Justice - What Comes Next for Transatlantic Dataflows?’ And perhaps another smaller prize for attempting to coin the word datactivist.
If poetry is more your thing, Paul Bernal wrote ‘The Saga Of the Privacy Shield’ in 2016.
OneTrust’s DataGuidance.com has a collection of statements issued by European data protection authorities.
New York Times: ‘E.U. Court Strikes Down Trans-Atlantic Data Transfer Pact’
Techcrunch: ‘Europe’s top court strikes down flagship EU-US data transfer mechanism’
Ars Technica: ‘US-EU Privacy Shield data sharing agreement struck down by court’
These numbers are the fairly useful numbers. The numbers of downloads are the not useful numbers. The numbers of cases in which the proximity monitoring part of the app has been demonstrably effective are the really useful numbers.
Numbers using Covid app correctly not yet available, says HSE
www.irishexaminer.com
The Dutch DPA issued a statement on its investigation into the Dutch tax and customs authority, finding the authority had been processing the personal data of certain applicants for childcare allowances in a discriminatory manner (in Dutch | English machine translation). This is a great example of the wide scope and applicability of principles-based European data protection law. Processing may not infringe upon fundamental rights such as the right not to be discriminated against.
Fans of the long-running Public Services Card-themed series of skirmishes between the Data Protection Commission and the Department of Employment Affairs and Social Protection will especially enjoy the responsible minister’s reaction to the supervisory authority’s findings in the Netherlands: an apology. Whereas in Ireland we were treated to the strange spectacle of the responsible minister appealing all the findings of the supervisory authority, including the one in her favour (“I am appealing all eight findings”, The Cat Herder, Volume 2, Issue 37, September 29th, 2019).
—
During all the excitement about the Schrems judgment, the fact that the Garante fined telecoms operator Wind €17 million went somewhat under the radar.
—
The Belgian DPA imposed a fine of €600,000 on Google Belgium “for not respecting the right to be forgotten of a Belgian citizen, and for lack of transparency in its request form to delist”.
—
The Norwegian DPA “imposed a NOK 500,000 ($52,900, €46,800) penalty on Raelingen town council for errors in its use of the digital-learning platform Showbie. The local authority communicated health-related information between school and home via the app, but insufficient security was put in place to avoid users accessing the personal information of others in their group.” No DPIA or risk assessment was carried out before the processing began.
  • “Most industries use some form of specialist expertise, which is then held accountable through public engagement; in public services, usually that’s measured by impact, and in technology, it’s usually measured by adoption. Even that small difference can create a cumulative cost — and technology companies’ complicated relationship with their impacts on the public and trust was reaching critical cost levels before the pandemic.” If you read one thing today make it this. Sean McDonald on ‘Technology Theatre’.
  • “It is unclear how much the Wellness Pass initiative is motivated by public health concerns as opposed to free market considerations. Indeed, the GAVI alliance, largely funded by the Bill and Melinda Gates and Rockefeller Foundations, as well as allied governments and the vaccine industry, is principally concerned with improving “the health of markets for vaccines and other immunization products,” rather than the health of individuals, according to its own website.” ‘Africa to Become Testing Ground for “Trust Stamp” Vaccine Record and Payment System’ by Raul Diego for Mint Press News.
  • “Among the government’s wilder Mitre orders: a prototype tool that can hack into smartwatches, fitness trackers and home thermometers for the purposes of homeland security; software to collect human fingerprints from social media websites like Facebook, Instagram and Twitter for the FBI; support in building what the FBI calls the biggest database of human anatomy and criminal history in the world; and a study to determine whether someone’s body odor can show they’re lying.” ‘Inside America’s Secretive $2 billion Research Hub’ by Thomas Brewster for Forbes.
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.