"We can all blame GDPR" | The Cat Herder, Volume 2, Issue 1

And so we're back, from outer space. Hopefully you enjoyed the holiday period and the somewhat unsche   January 13 · Issue #17 · View online And so we’re back, from outer space. Hopefully you enjoyed the holiday period and the somewhat unscheduled break in this newsletter’s publication schedule. Blame it on an unexpectedly unpleasant cold, exams, the boogie. The main thing is that we’re back, refreshed and ready to once again slip down the highways and byways of bad privacy practices. As well as casting the usual jaundiced eye on what’s in the news this year we’re going to focus on a few areas in particular and, time-permitting, publish some longer pieces on these themes. Privacy notices These should be easy for anyone to understand, or at least that’s how they’re supposed to be. If a privacy notice is poor, inadequate or confusing it suggests one of a few things The organisation can’t explain what it’s doing with personal data and why because they don’t understand what they’re doing with personal data in the first place. The organisation doesn’t care enough about the way they handle personal data and the rights of data subjects to prepare a privacy notice which presents all the required information in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”. The organisation is willfully attempting to obscure what they’re doing with personal data because they’re worried people might be appalled to discover the extent of misuse of their personal data. DNA harvesting companies might just be the new Facebook In the sense that in a few years time there will be scandal after scandal and a chorus of ‘nobody could have seen this coming’ when, in fact, plenty of people saw it coming. Our advice on this remains the same as it did last year - don’t give your DNA to a commercial entity whose motives in acquiring it are likely to have nothing whatsoever to do with helping you find out how Irish you are. Elections There are both local and European elections coming up here in Ireland, scheduled for the end of May. There will no doubt be ‘mistakes’ made with people’s personal data. We’ll be waiting. Anyway, on with this week’s show. 😼 Seamus Ryan @meanderingtripe Out in west Limerick, a few councillors have decided that "GDPR is on the side of criminality" because everyone in a Garda station doesn't get unfettered access to the local CCTV footage. https://t.co/Yra8HM4hIc @Tupp_Ed https://t.co/lqqf6ipyOL 12:28 PM - 11 Jan 2019 A lot. An awful lot could go wrong. Our old friends Genomics Medicine Ireland announced they’re opening a city centre location. You can drop in on your lunch hour and hand over your DNA. They will retain this “indefinitely”, according to their privacy notice. How this is in accordance with the principles of data minimisation and storage limitation is anyone’s guess. Don’t give your DNA to any commercial entity. Whether it’s pitched as a way you can contribute to medical research or a fun way to find out just how Viking you are, don’t. You don’t know what they might do with it. They don’t know what they might do with it in future but possession is nine-tenths of the law and all that. You don’t know what might happen to any one company in a year’s time, or three years’ time. They might be acquired by another company and your DNA will be part of the acquisition package. Which contains not just your personal data but also that of your family members. Which certain third parties are very interested in. a young woman named Theresa Morelli applied for individual disability insurance, consented to release of her medical records through the Medical Information Bureau (a credit reporting agency for medical history), and was approved for coverage. One month later, Morelli’s coverage was cancelled and premiums refunded when the insurer learned her father had Huntington’s disease, a genetic illness. Startlingly, the Medical Information Bureau (MIB) used Morelli’s broad consent to query her father’s physician, a doctor with whom she had no prior patient relationship. More importantly, the applicant herself wasn’t diagnosed with Huntington’s carrier status, but she suffered exclusion on the basis of a genetic predisposition in her family. ‘Ancestry.com takes DNA ownership rights from customers and their relatives’, ThinkProgress.org, May 2017 The ill-conceived Data Sharing and Governance Bill is still making its way through the legislative process. While the GDPR aims to reduce unnecessary data processing, compels data controllers to give consideration to alternate means of achieving their aims and introduces the principles of data protection by design and default, the government is determined to pass this Bill which encourages public bodies to behave in exactly the opposite manner. The Bill is, of course, also an attempt at some retroactive justification for the creation of the biometric register which underpins the Public Services Card. Speaking of the Public Services Card, Karlin Lillington recently wrote a great piece about its continuing search for a discernible purpose In the baffling, Kafkaesque world of the PSC – a card that can only be obtained in the first place by the production of a passport or other documentation proving the right to be resident in the State – a PSC is not itself acceptable proof that you have the right to be resident in the State. And even though I had to get a PSC to apply for citizenship, and the card was also required when I applied for my Irish passport, the granting of citizenship or a passport is not data shared with the PSC system.  Since the Public Services Card has trundled on omnishambolically for years now despite the government departments responsible for it not being able to clearly articulate what problem it is solving or even what legal basis they are operating it under it seems likely that we’ll be writing about it a fair bit in the coming year. Yes they did. US carriers were caught selling their customers’ location data despite saying they wouldn’t. Well, at least one of them said they wouldn’t and T-Mobile CEO John Legere’s assurances from last June do hinge around the definition of “shady middlemen”. At a guess his definition differs to yours and ours. T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time Location Data, And It's Falling Into the Wrong Hands - Motherboard motherboard.vice.com – Share T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country. So Friday’s latest round of reassurances that they’ll stop doing this should probably be taken with a grain of salt. The DPC have a busy year ahead. Amongst many other things ☑️ Statutory investigation into Facebook ☑️ Statutory investigation into Twitter ☑️ Inquiry into surveillance of citizens by the State sector for law enforcement purposes through the use of technologies such as CCTV, body worn cameras, Automatic Number Plate Recognition-enabled systems and drones Is there a new DPC website yet? Yes Yes, there is a new DPC website which is significantly easier to navigate then its predecessor was. So that’s good. Not so good was the decision to expunge almost two decades of case studies from the site.  Just one thing this week. Issue 54 of McSweeney’s Quarterly Concern, The End Of Trust. Jointly produced with the Electronic Frontier Foundation, this is McSweeney’s first entirely non-fiction issue of the Quarterly Concern. It’s available on the EFF website under a Creative Commons licence. Contributors include Sara Wachter-Boetcher, the Edward Snowden - Ben Wizner double act, and Bruce Schneier, all firm favourites around these parts. The print edition is beatifully presented and well worth spending a few quid on if you can afford to in January, the most cash-strapped of months. —- Endnotes & Credits The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds. As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”. The image used in the header is by Krystian Tambur on Unsplash. Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running. Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can. Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn. Barring a disaster this newsletter will be in your inbox again next weekend. See you then. If you know someone who might enjoy this newsletter do please forward it on to them. Did you enjoy this issue? In order to unsubscribe, click here. If you were forwarded this newsletter and you like it, you can subscribe here. Powered by Revue Privacy Kit, Made with 💚 in Dublin, Ireland

And so we’re back, from outer space. Hopefully you enjoyed the holiday period and the somewhat unscheduled break in this newsletter’s publication schedule. Blame it on an unexpectedly unpleasant cold, exams, the boogie.

The main thing is that we’re back, refreshed and ready to once again slip down the highways and byways of bad privacy practices. As well as casting the usual jaundiced eye on what’s in the news this year we’re going to focus on a few areas in particular and, time-permitting, publish some longer pieces on these themes.

Privacy notices

These should be easy for anyone to understand, or at least that’s how they’re supposed to be. If a privacy notice is poor, inadequate or confusing it suggests one of a few things

• The organisation can’t explain what it’s doing with personal data and why because they don’t understand what they’re doing with personal data in the first place.
• The organisation doesn’t care enough about the way they handle personal data and the rights of data subjects to prepare a privacy notice which presents all the required information in “a concise, transparent, intelligible and easily accessible form, using clear and plain language”.
• The organisation is willfully attempting to obscure what they’re doing with personal data because they’re worried people might be appalled to discover the extent of misuse of their personal data.

DNA harvesting companies might just be the new Facebook

In the sense that in a few years time there will be scandal after scandal and a chorus of ‘nobody could have seen this coming’ when, in fact, plenty of people saw it coming. Our advice on this remains the same as it did last year - don’t give your DNA to a commercial entity whose motives in acquiring it are likely to have nothing whatsoever to do with helping you find out how Irish you are.

Elections

There are both local and European elections coming up here in Ireland, scheduled for the end of May. There will no doubt be ‘mistakes’ made with people’s personal data. We’ll be waiting.

Anyway, on with this week’s show.

😼

Our old friends Genomics Medicine Ireland announced they’re opening a city centre location. You can drop in on your lunch hour and hand over your DNA. They will retain this “indefinitely”, according to their privacy notice. How this is in accordance with the principles of data minimisation and storage limitation is anyone’s guess.

Don’t give your DNA to any commercial entity. Whether it’s pitched as a way you can contribute to medical research or a fun way to find out just how Viking you are, don’t.

You don’t know what they might do with it. They don’t know what they might do with it in future but possession is nine-tenths of the law and all that.

You don’t know what might happen to any one company in a year’s time, or three years’ time. They might be acquired by another company and your DNA will be part of the acquisition package. Which contains not just your personal data but also that of your family members. Which certain third parties are very interested in.

‘Ancestry.com takes DNA ownership rights from customers and their relatives’, ThinkProgress.org, May 2017

The ill-conceived Data Sharing and Governance Bill is still making its way through the legislative process. While the GDPR aims to reduce unnecessary data processing, compels data controllers to give consideration to alternate means of achieving their aims and introduces the principles of data protection by design and default, the government is determined to pass this Bill which encourages public bodies to behave in exactly the opposite manner.

The Bill is, of course, also an attempt at some retroactive justification for the creation of the biometric register which underpins the Public Services Card.

Speaking of the Public Services Card, Karlin Lillington recently wrote a great piece about its continuing search for a discernible purpose

Since the Public Services Card has trundled on omnishambolically for years now despite the government departments responsible for it not being able to clearly articulate what problem it is solving or even what legal basis they are operating it under it seems likely that we’ll be writing about it a fair bit in the coming year.

US carriers were caught selling their customers’ location data despite saying they wouldn’t. Well, at least one of them said they wouldn’t and T-Mobile CEO John Legere’s assurances from last June do hinge around the definition of “shady middlemen”. At a guess his definition differs to yours and ours.

T-Mobile, Sprint, and AT&T are selling access to their customers’ location data, and that data is ending up in the hands of bounty hunters and others not authorized to possess it, letting them track most phones in the country.

So Friday’s latest round of reassurances that they’ll stop doing this should probably be taken with a grain of salt.

The DPC have a busy year ahead. Amongst many other things

☑️ Statutory investigation into Facebook

☑️ Statutory investigation into Twitter

☑️ Inquiry into surveillance of citizens by the State sector for law enforcement purposes through the use of technologies such as CCTV, body worn cameras, Automatic Number Plate Recognition-enabled systems and drones

Is there a new DPC website yet? Yes

Yes, there is a new DPC website which is significantly easier to navigate then its predecessor was. So that’s good. Not so good was the decision to expunge almost two decades of case studies from the site. 

Just one thing this week. Issue 54 of McSweeney’s Quarterly Concern, The End Of Trust. Jointly produced with the Electronic Frontier Foundation, this is McSweeney’s first entirely non-fiction issue of the Quarterly Concern. It’s available on the EFF website under a Creative Commons licence.

Contributors include Sara Wachter-Boetcher, the Edward Snowden - Ben Wizner double act, and Bruce Schneier, all firm favourites around these parts.

The print edition is beatifully presented and well worth spending a few quid on if you can afford to in January, the most cash-strapped of months.

—-

Endnotes & Credits

• The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
• As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
• The image used in the header is by Krystian Tambur on Unsplash.
• Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
• Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

Barring a disaster this newsletter will be in your inbox again next weekend. See you then.

If you know someone who might enjoy this newsletter do please forward it on to them.