June 20, 2021
Unprecedented | The Cat Herder, Volume 4, Issue 23
June 20 · Issue #136
Extraordinarily broad powers for Gardaí in a new draft Bill, an adtech court case, corporate spying has consequences and an inadequate adequacy decision. 😼
A French court ruled on Tuesday that Ikea had set up an elaborate system to illegally spy on hundreds of employees and job applicants over several years, using private detectives as well as police sources. The French unit of the Swedish furniture giant was fined €1 million (US$1.2 million) while its former chief Jean-Louis Baillot was handed a suspended two-year prison term and ordered to pay €50,000. They were found guilty of “receiving personal data by fraudulent means,” though the sentences were less severe than sought by prosecutors who accused them of illicitly carrying out “mass surveillance”.
Ikea France fined for illegally spying on staff | South China Morning Post
“This is a really dangerous hole for us to go down, and the State authorities need to step in to ensure that we don’t see this information being used to fix prices and we don’t see estate agents maintaining vast databases of prospective buyers’ data,” Ms Moynihan said. People that logged an interest in viewing the 44 properties for sale at Somerton development were required to fill out a questionnaire providing proof of a mortgage approval in principle; evidence of a Help-to-buy grant, if applicable; evidence of savings to be used in the purchase and evidence of gifts from family members, if this applied. Housing Minister Darragh O’Brien said requesting “this level of info from a prospective buyer to view a home is simply wrong”.
Data Protection Commission investigating Savills’ ‘proof of funds’ demand for home viewing - Independent.ie
The Data Protection Commission (DPC) is investigating the practice of Savills estate agents demanding detailed financial information from home buyers before they are allowed to view the property.
The current proposal would greatly widen the search warrant to permit the search of a person’s entire digital life, but without introducing any corresponding protections … The current proposal – by providing for password demands indiscriminately, in relation to every search warrant – is unprecedented.
New Garda powers Bill must go back to the drawing board
Proposal may be breach of European Convention on Human Rights and Constitution
TJ also wrote an accompanying thread on Twitter with further concerns which weren’t included in his piece in the Irish Times.
A few points which didn’t make it into the final piece: * This is a security risk, particularly as it will enable demands for eg online banking passwords. * Tech firms in Ireland should be very concerned that this will be used against them and their employees. 2/
This comes despite the UK abandoning similar plans and all the advice from European authorities being that the certificate shouldn’t be used for these purposes because it’s almost impossible to avoid discrimination. However, event organisers are far more likely to choose the cheap option of demanding a digital cert than the more expensive option of hiring “trained professionals”.
‘Digital green certs’ could be introduced for concerts, festivals or matches, Nphet hears - Independent.ie
‘Digital green certs’ could be introduced for people fully vaccinated or who have had a recently confirmed case of Covid-19 if they are attending mass gatherings such as concerts, festivals or football matches, it emerged today.
The Irish Council for Civil Liberties announced it is taking a case in the Hamburg District court against Digital Strategies, AppNexus and OnlineMarketing.de.
The CJEU published its judgment in Facebook Ireland Ltd, Facebook Inc., Facebook Belgium BVBA v. Gegevensbeschermingsautoriteit (Case C-645/19), in which it responded to the Belgian Court of Appeal’s request for a preliminary ruling in relation to the effect of the application of the ‘one-stop shop’ mechanism provided for by the GDPR. The CJEU outlined that, under certain conditions, a national supervisory authority may exercise its power to bring any alleged infringement of the GDPR before a court of a Member State, even though that authority is not the lead supervisory authority with regard to the processing.
The full judgement is here and the accompanying press release is here (direct link to PDF).
- “In the meantime, EU data subjects are stuck with a decision that fails to protect them against UK mass surveillance or denial of rights in immigration contexts, while businesses cannot properly plan because the EU adequacy decision is built on sand and one day will (like the Safe Harbour and the Privacy Shield decisions) be washed away.” From Douwe Korff’s ‘Initial comments on the EU Commission’s final GDPR adequacy decision on the UK’.
- “During the preparation of a legislative measure, a Data Protection Impact Assessment (‘DPIA’) may be required, or may be helpful to identify risks to the rights and freedoms of individuals. In light of Article 35(10) GDPR, it is also recommended that a DPIA is carried out during the legislative drafting process as a means not only to help ensure the legislative measure meets data protection requirements, but also to identify and mitigate risks with respect to its inconsistent application by data controllers subject to the legislation. Controllers are required to undertake a DPIA for any processing or intended processing that is ‘likely to result in a high risk to individuals’.” From ‘Legislative consultation process with the Data Protection Commission’ (direct link to PDF) which the DPC quietly published recently. Whether this is specifically for the benefit of the Department of Children and its Information and Tracing Bill is unclear.
- ‘“Even if Google didn’t think about these things when it was designing this technology, as soon as they put this stuff out in public back in 2019, this is exactly what advocates were saying,” said Bennett Cyphers, a technologist with the EFF who focuses on adtech. “You could take one look at this thing and immediately know it’ll just turn into another tool for fingerprinting and profiling that advertisers can use.”’ From ‘Google’s Quest to Kill the Cookie Is Creating a Privacy Shitshow’ by Shoshana Wodinsky for Gizmodo.
- “This resource details the potential privacy issues for numerous internet-connected devices. They include connected cameras (doorbells, indoor, and outdoor cameras), smart speakers and digital assistants, physical activity trackers, thermostats, in-car systems, and automated license plate readers. The summaries include how the devices work and who makes them, what kinds of data are collected and how long it’s retained, possible uses of device data by law enforcement, transparency reports, and relevant legal cases and further reading.” The Brennan Center for Justice’s guide to ‘Law Enforcement Access to Smart Devices’ by Ángel Díaz. Although US-centric this is a very useful resource.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland
The ICO published an Opinion on ‘The use of live facial recognition technology in public places’ (direct link to PDF)
Endnotes & Credits
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.