"there’s no opt-out feature for your car" | The Cat Herder, Volume 2, Issue 19
This was an especially busy week. The one-year anniversary of the GDPR coming into effect prompted many words to be written. Of these, a large number were confused, confusing, misleading and evidence that there’s still a lack of understanding of the basics of data protection among a lot of those assigned to write about it.
Naturally ideas so bad they wouldn’t even have occurred to a Professor of Supervillainy continued to flow.
😼
This … really isn’t a thing.
@Tupp_Ed @PrivacyMatters @FredPLogue @kenfoxe @tjmcintyre @tim2040 An interesting concept - is there compliance for things when there is no compliance for people/roles pic.twitter.com/QEai20SHyY
— Francis Clauson (fclauson@mastodon.ie) (@fclauson) May 25, 2019
—
Moving on, this is probably the most wildly stupid idea since Mark Zuckerberg proposed that people should send nudes to Facebook for their own security and peace of mind.
Airbnb announced a partnership with 23andMe through which the two companies will work together to facilitate heritage travel trips.
In addition to the stupidity it also appears that such data sharing isn’t allowed for in 23andMe’s privacy notice.
I just took a look at the Privacy Notice for 23andMe, who are the Data Controllers for the sensitive personal dna data (covered by Art 6 and Art 9 of the GDPR) in this plan
It does not allow for the sort of data sharing this involves. No consent is valid https://t.co/cUiMon6m8c
— Simon McGarr @Tupp_ed@mastodon.ie (@Tupp_Ed) May 22, 2019
Unlike a GDPR compliant shredder, data protection by design and default is a thing. This mess neatly illustrates the need for more teams than just the compliance office within organisations to be aware of this.
Multiple sources and emails also describe SnapLion, an internal tool used by various departments to access Snapchat user data.
Time for the regular reminder that most personal data breaches are not caused by hoodie wearing, energy drink chugging hackers finding their way into systems through the deployment of wizard-like skills. They’re internal. And most of the internal personal data breaches aren’t malicious, they’re caused by human error. Which can be minimised through awareness and training.
Starting on July 8th, Transport for London (TfL) will start tracking passengers’ phones on the London Underground by default. Wi-Fi access points across 260 of the capital’s stations will track customers using the MAC addresses of their phones.
Last week it was the Danish government profiling unemployed people to assess whether they were likely to be long- or short-term unemployed. This week comes news that the Dutch DPA has opened an investigation into the tax office on suspicion of ethnic profiling.
—
“The Lithuanian data protection inspectorate issued a 61,500 EUR fine against a payment services provider for violations of the data minimization, adequate security measures and data breach reporting requirements of GDPR.” ‘Lithuanian Data Protection Inspectorate Levies Fine for GDPR Data Management Violations’, Fox Rothschild
—
Last Monday complaints about the compliance or otherwise of real-time bidding were handed in to four more European data protection authorities, bringing to seven the number of countries in which complaints had been lodged.
—
Last Wednesday the Data Protection Commission announced it was opening a statutory investigation into Google Ireland as a result of one of the earlier complaints.
—
Barrister for information commissioner tells court formal legal framework is required
Last week we mentioned that some very interesting questions had been forwarded to the ECJ by a Belgian court. Fieldfisher have a bit more detail and commentary on the significance of these.
- “Companies like Apple and Amazon, staffed by overwhelmingly male engineering teams, have built AI systems that cause their feminised digital assistants to greet verbal abuse with catch-me-if-you-can flirtation,” the report says. Jane Wakefield covers a new study for UNESCO which examines gender divides in digital skills. Also alarming: “According to the report, women make up just 12% of AI researchers.”
- “The data on your driving habits — how fast you drive, how hard you brake, whether you always use your seatbelt — could be valuable to insurance companies. You may or may not choose to share your data with these services. But while you can turn off location data on your cellphone, there’s no opt-out feature for your car” writes Bill Hanvey of the Auto Care Association in an op-ed in The New York Times.
- Data protection failures by data controllers can have long-lasting effects on operations and even continued viability. This doesn’t have to be in any way related to regulatory sanction. Last week, in a first-of-its-kind move, ratings agency Moody’s downgraded Equifax’s credit rating as a consequence of the ongoing fallout from the 2017 data breach. “Moody’s has indicated that the types of companies most at risk include financial firms, securities firms, hospitals, market infrastructure providers and electric utilities”, Kate Fazzini reports for CNBC.
- Finally, all those ‘GDPR one year on’ pieces mentioned earlier? This one by Matt Burgess is worth a few minutes of your time. “But in reality, GDPR has just been a step change that highlighted how badly the internet and some businesses were handling people’s personal data.” That’s not a bad achievement.
——
Endnotes & Credits
- The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
- As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
- The image used in the header is by Krystian Tambur on Unsplash.
- Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
- Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.