Privacy Kit

November 10, 2019

We don't identify anyone, except when we do | The Cat Herder, Volume 2, Issue 43

November 10 · Issue #59
The Cat Herder
A widespread compliance and supervision exercise; “approximately 204 advertising and tracking cookies, all without consent”; your car is a big, wheeled, and drivable internet-connected device and therefore eminently hackable.
😼

An ICO spokesperson said: “While the Hays microsite does have a privacy policy and cookies policy and explains the cookies in use, we will discuss compliance issues with them and ask for clarification.”
Dough! Jobs microsite for UK's data watchdog set hundreds of cookies without visitors' consent • The Register
www.theregister.co.uk
A delegation from the Department of Employment Affairs and Social Protection appeared at the Public Accounts Committee during the week. Although they were there to discuss their accounts, the conversation frequently returned to the Public Services Card. The transcript and video of the session aren’t available yet so we’ll have to rely on some news reports and tweets.
The Secretary General of the department feels it is “unfortunate” that many people believe his department is breaking the law.
The nature of the “incredibly strong legal advice” remains elusive, with Mr McKeon refusing to say whether any appeal the department might take against an enforcement notice would be based on this legal advice. Which raises the possibility that the department may be considering appealing just because they want to. Which brings to mind another case involving a public body and the then Data Protection Commissioner. In August 2012 in Bus Átha Cliath / Dublin Bus v. The Data Protection Commissioner Hedigan J noted
No attempt has been made in the notice of appeal to identify any points of law. From the Courts perspective this is completely unsatisfactory. Simply saying that you are appealing the whole of a judgment does not amount to a valid appeal on a point [of] law. An appeal on a point of law is just that. The point of law should be identified and the submissions should be directed to that point.
As the PAC meeting was drawing to a close the issue we mentioned last week concerning the personal data associated with use of the free travel pass variant of the PSC came up.
Cianan Brennan (@ciananbrennan):
Interesting. McKeon says the only time someone is identified via their free travel pass #PSC is when an investigation is under way by the gardaí. “We don’t identify people,” he says. “But you could?” asks Sean Fleming. “We could but we don’t”
3:54 PM - 7 Nov 2019
Leaving aside the strange assertion made in almost the same breath that the department both does and doesn’t identify people, this seems to be an admission that the department is engaged in blanket mass retention of personal data for the purposes of sticking it to a minuscule number of fare dodgers. Which is illegal according to the Court of Justice of the European Union.
Simon McGarr has a short thread with more.
Of course it could
A Hobart man deliberately downloaded and set up an online application that gave him control over the stop and start function of his ex-girlfriend’s car and allowed him to track her movements, a court has heard.
Man pleads guilty to stalking and controlling ex-girlfriend's car with his computer - ABC News (Australian Broadcasting Corporation)
www.abc.net.au
A woman has been left in shock and with a deep distrust of cyber security laws after her ex-boyfriend used an app to control her car and stalk her.
They did.
Amazon Ring doorbells exposed home Wi-Fi passwords to hackers – TechCrunch
techcrunch.com
Security researchers have discovered a vulnerability in Ring doorbells that exposed the passwords for the Wi-Fi networks to which they were connected. Bitdefender said the Amazon-owned doorbell was sending owners’ Wi-Fi passwords in cleartext as the doorbell joins the local network, allowing nearby hackers to intercept the Wi-Fi password and gain access to the network […]
The Berlin DPA fined Deutsche Wohnen, Germany’s second-largest property company, €14.5 million for retention of personal data which was deemed to breach the data protection by design and default requirements of Article 25 of the GDPR, and the data minimisation requirements of Article 5. Presumably a large property management company would be gathering and retaining approximately the same types of personal data that a government department running an illegal biometric database would be.
The decision will be appealed.
—
The Polish DPA issued what might be the first fine under the GDPR for the deliberate use of dark patterns, among other things. “The President of the Personal Data Protection Office imposed an administrative fine of over PLN 201,000 [~€46,000] for, inter alia, obstructing the exercise of the right to withdraw consent to the processing of personal data.”
—
The Data Protection Commission wrote to Digital Rights Ireland to confirm that it “has commenced a widespread compliance and supervision exercise into the processing of personal data by GMI [Genomics Medicine Ireland] and its clinical research partners.”
Helen Dixon appeared before the International Grand Committee on Disinformation and ‘Fake News’ during the week and “said that her funding is not enough, and more resources will be needed to tackle the “extremely labour intensive” enforcement cases handled by her office.”
—
The acting EDPS head, Wojciech Wiewiórowski, told EURACTIV on Wednesday (6 November) that EU institution staff “are not aware of all the data which is collected by Microsoft,” adding that the EDPS is in the process of drafting a set of guidelines to submit to the Commission concerning the necessary revisions that need to be made to the contractual agreements with Microsoft, in order for data protection standards to be met. The guidelines are due to be sent to the Commission by the end of November.
‘EU institution staff ‘unaware’ of Microsoft data misuse, EU data chief says’, EURACTIV
The EDPS published new guidelines on the concepts of controller, processor and joint controllership under the GDPR during the week.
  • ‘How Google Edged Out Rivals and Built the World’s Dominant Ad Machine: A Visual Guide’ is a nicely presented explanation of how adtech works from the Wall Street Journal.
  • “In other words, most of these companies are just showing you the data they used to make decisions about you, not how they analyzed that data or what their decision was.” In the New York Times, Kashmir Hill got access to her consumer score. Kind of.
  • “In the context of the sort of balancing exercise required in handling RTBF requests, the failure to give a properly-reasoned decision is inconsistent with the principle of accountability. The primary decision-maker in these requests – which address the requester’s fundamental rights – has an interest in the outcome and the resources invested in arriving at it. The absence of reasoned decisions is a problem for data subjects and their advisers.” Stewart Duffy provides some practical tips on how to get Google to dereference content.
——
Endnotes & Credits
  • The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
  • As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
  • The image used in the header is by Krystian Tambur on Unsplash.
  • Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
  • Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.
Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
Barring a disaster we’ll be in your inbox again next weekend.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland