"Vague, immature and short" | The Cat Herder, Volume 2, Issue 33

Top tip: if you keep meaning to change and strengthen your passwords but can never quite find the tim   September 1 · Issue #49 · View online Top tip: if you keep meaning to change and strengthen your passwords but can never quite find the time to get around to doing it why not write your password down on a piece of paper and hand it over to the staff in the ticket office at your local train station. That should encourage you to do it. 😼 Yes, TfL asked people to write down their Oyster passwords – but don't worry, they didn't inhale | The Register www.theregister.co.uk – Share Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read. Oh yes they did Yet more developments from the ‘If it’s got a microphone and it’s connected to the internet it’s probably listening to you’ desk. ‘Apple to stop default practice of keeping Siri recordings’, Reuters ‘Microsoft faces questions over Xbox voice recordings’, The Drum ‘Facebook gets German data probe into voice transcriptions’, Los Angeles Times Save a hundred bucks on a Fitbit band in exchange for paying a SG$10 monthly subscription fee and having all your data shared with the government. Not that great a deal. Or not a bargain at all. Singapore's Government Will Give Every Citizen a Free Fitbit, With a Catch | Digital Trends www.digitaltrends.com – Share Fitbit has won Singapore’s public health contract to supply thousands of fitness trackers. Under the country’s national program, Live Healthy SG, residents can register for a free Fitbit Inspire. The program comes with a catch: citizens have to share their health data with the government Oh yes it could The Trump Administration Wants To Start DNA Testing Undocumented Immigrants In Government Custody www.buzzfeednews.com – Share A draft rule, seen by BuzzFeed News, said hundreds of thousands of people could have their DNA collected each year if it is fully implemented. We were told in The Irish Examiner this week that the two departments most inextricably involved in the Public Services Card cannot decide between them “which … or both, has primary responsibility for the Public Service Identity (PSI) database.” While it might be tempting to chalk this down as merely an attempt to buy time for a response to the Data Protection Commission’s findings, or to continue to attempt to obfuscate matters in the hope that something else will happen which will allow them to evade responsibility for the series of decisions which have led to this point, it’s worth a closer look. Data controllers determine the purposes and means of processing. Declaring one body the data controller and another a data processor is not how this works. An entity which makes decisions about the purposes and means of processing personal data cannot declare itself a data processor and thus avoid the obligations and liabilities of a data controller. The assessment is based on the situation in the real world where it seems clear that the Department of Public Expenditure and Reform has long been involved in deciding the purposes of the processing. While that’s something that the two departments could probably continue arguing over and thereby waste a little more time (to what end nobody knows), the data sharing agreement between the pair of them says one thing and then describes another. Simon McGarr @Tupp_Ed Here’s the Agreement between the two Depts. This is the legal basis for the transfers out of Welfare to DPER. And it’s wrong on its face- says DPER are just Data Processor for Welfare (as Controller). But then says Welfare collect the data for DPER. https://t.co/aUcEGm4Zf8 3:34 PM - 22 Aug 2019 Considering this aspect of the investigation has taken two years, and was preceded by at least a year of sharp correspondence between the DPC’s office and the Department of Employment Affairs and Social Protection it is incredible that the two departments still haven’t familiarised themselves with the basics of data protection. Don’t forget we haven’t yet seen any of the results of the DPC investigation into the department’s use of biometrics. The department has been fighting a spirited battle against the very meaning of words on that front. Politico reported during the week that Google has agreed to pay between US$150 and US$200 to the Federal Trade Commission for violations of the Children’s Online Privacy Protection Act. — Also in the as-yet-unconfirmed queue, there were Bulgarian press reports that the Bulgarian Data Protection Authority plans to fine the National Revenue Agency 5.1 million Lev (circa €2.6 million) for breaches of the GDPR which led to the personal data of over five million Bulgarians being leaked. Original (in Bulgarian) Translation via Google Translate — In an interview with the FT Simon McDougall of the ICO didn’t make it sound as if the adtech industry is making much progress in meeting the goal set for it of being compliant with the GDPR by the end of the year. Without singling out any individual companies, he said the industry has so far given “vague, immature and short answers” when asked about how it safeguards personal information. ‘UK regulator warns online advertisers over use of personal data’, FT (€) “Scholars have been pointing to the technical and social risks of facial recognition for years. Greater accuracy is not the point. We need strong legal safeguards that guarantee civil rights, fairness and accountability. Otherwise, this technology will make all of us less free” writes Kate Crawford in Nature. “In 2019, it’s hard to trust companies that don’t think they owe us clarity about data.” Geoffrey A. Fowler takes an alarming stroll through the massive data sharing machinery behind purchases made with credit cards and the accompanying lack of transparency. ‘I visited 47 sites. Hundreds of Trackers Followed Me’ by Farhad Manjoo for the New York Times does something similar with online tracking. To its credit the NYT does throw in a sub-head near the end, “News sites were the worst.” As Brexit appears to be getting Brexitier (sorry), the August 2019 edition of ‘Personal Data Transfers after Brexit’ from Data Compliance Europe is worth reading. —— Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster we’ll be in your inbox again next weekend. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

Top tip: if you keep meaning to change and strengthen your passwords but can never quite find the time to get around to doing it why not write your password down on a piece of paper and hand it over to the staff in the ticket office at your local train station. That should encourage you to do it.

😼

Transport for London is looking at ways to improve its processes after a Register reader queried why he was being asked to write down his password on a paper form for railway staff to read.

Yet more developments from the ‘If it’s got a microphone and it’s connected to the internet it’s probably listening to you’ desk.

‘Apple to stop default practice of keeping Siri recordings’, Reuters

‘Microsoft faces questions over Xbox voice recordings’, The Drum

‘Facebook gets German data probe into voice transcriptions’, Los Angeles Times

Save a hundred bucks on a Fitbit band in exchange for paying a SG$10 monthly subscription fee and having all your data shared with the government. Not that great a deal. Or not a bargain at all.

Fitbit has won Singapore’s public health contract to supply thousands of fitness trackers. Under the country’s national program, Live Healthy SG, residents can register for a free Fitbit Inspire. The program comes with a catch: citizens have to share their health data with the government

A draft rule, seen by BuzzFeed News, said hundreds of thousands of people could have their DNA collected each year if it is fully implemented.

We were told in The Irish Examiner this week that the two departments most inextricably involved in the Public Services Card cannot decide between them “which … or both, has primary responsibility for the Public Service Identity (PSI) database.”

While it might be tempting to chalk this down as merely an attempt to buy time for a response to the Data Protection Commission’s findings, or to continue to attempt to obfuscate matters in the hope that something else will happen which will allow them to evade responsibility for the series of decisions which have led to this point, it’s worth a closer look.

Data controllers determine the purposes and means of processing. Declaring one body the data controller and another a data processor is not how this works. An entity which makes decisions about the purposes and means of processing personal data cannot declare itself a data processor and thus avoid the obligations and liabilities of a data controller. The assessment is based on the situation in the real world where it seems clear that the Department of Public Expenditure and Reform has long been involved in deciding the purposes of the processing.

While that’s something that the two departments could probably continue arguing over and thereby waste a little more time (to what end nobody knows), the data sharing agreement between the pair of them says one thing and then describes another.

Considering this aspect of the investigation has taken two years, and was preceded by at least a year of sharp correspondence between the DPC’s office and the Department of Employment Affairs and Social Protection it is incredible that the two departments still haven’t familiarised themselves with the basics of data protection.

Don’t forget we haven’t yet seen any of the results of the DPC investigation into the department’s use of biometrics. The department has been fighting a spirited battle against the very meaning of words on that front.

Politico reported during the week that Google has agreed to pay between US$150 and US$200 to the Federal Trade Commission for violations of the Children’s Online Privacy Protection Act.

—

Also in the as-yet-unconfirmed queue, there were Bulgarian press reports that the Bulgarian Data Protection Authority plans to fine the National Revenue Agency 5.1 million Lev (circa €2.6 million) for breaches of the GDPR which led to the personal data of over five million Bulgarians being leaked.

Original (in Bulgarian)

Translation via Google Translate

—

In an interview with the FT Simon McDougall of the ICO didn’t make it sound as if the adtech industry is making much progress in meeting the goal set for it of being compliant with the GDPR by the end of the year.

‘UK regulator warns online advertisers over use of personal data’, FT (€)

• “Scholars have been pointing to the technical and social risks of facial recognition for years. Greater accuracy is not the point. We need strong legal safeguards that guarantee civil rights, fairness and accountability. Otherwise, this technology will make all of us less free” writes Kate Crawford in Nature.
• “In 2019, it’s hard to trust companies that don’t think they owe us clarity about data.” Geoffrey A. Fowler takes an alarming stroll through the massive data sharing machinery behind purchases made with credit cards and the accompanying lack of transparency.
• ‘I visited 47 sites. Hundreds of Trackers Followed Me’ by Farhad Manjoo for the New York Times does something similar with online tracking. To its credit the NYT does throw in a sub-head near the end, “News sites were the worst.”
• As Brexit appears to be getting Brexitier (sorry), the August 2019 edition of ‘Personal Data Transfers after Brexit’ from Data Compliance Europe is worth reading.

——

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster we’ll be in your inbox again next weekend.

If you know someone who might enjoy this newsletter do please forward it on to them.