The CJEU provides roughly the same answers to the latest round of member state questions about indisc
| |
| October 11 · Issue #103 · View online |
|
|
The CJEU provides roughly the same answers to the latest round of member state questions about indiscriminate mass surveillance as it has on multiple previous occasions. The state of biometrics, immunity passports and cookies. A bad week for Microsoft in both Germany and France. đź
|
|
|
It turns out that taking steps to avoid being profiled and tracked online can single you out and allow you to be, err, tracked and profiled. What an online experience weâve built for ourselves.
|
EFF off: Privacy Badger disables by default anti-tracking safeguard that can be abused to track you online ⢠The Register
Google has a word with digital rights warriors
|
|
|
The committee could do a bit more than âspecifically suggestâ the HSE not break the law by giving special categories of personal data to employers with no lawful basis.
|
Significantly, the committee specifically suggests that the results should be returned âto the individual workersâ. In its final report, the committee says it welcomes an investigation by the Data Protection Commissioner of potential breaches of data belonging to meat plant workers in relation to test results.
|
Covid outbreaks in meat plants likely to come under further scrutiny
The outbreak of the coronavirus in meat processing plants is likely to come under further scrutiny following a series of recommendations from the Oireachtas Special Committee on Covid-19 Response.
|
|
|
As the European Commission and the academic community have stated, any public health monitoring systems are high risk measures that must be shown to be lawful and necessary in a democratic society. These should be adopted with legal safeguards put in place by design and default in order to counter or mitigate such risks. These conflicts with human rights particularly include high levels of interference with the rights to private life, data protection, and non-discrimination which are protected by Articles 8 and 14 of the European Convention on Human Rights, the EU Charter of Fundamental Rights, and the EU General Data Protection Regulation (GDPR). Dr NĂłra NĂ LoideĂĄin on immunity passports, which weâll be hearing a lot more about in the coming months.
|
|
|
The sensitive nature of biometric data, recognised both within the EU legal framework, as well as in the framework of the Council of Europeâs Modernised Convention 108+, makes it subject to special protection: the processing of biometric data is prohibited in principle and there are only a limited number of conditions under which such processing is lawful.
|
The quote above is from a keynote speech on âThe State of Biometricsâ (direct link to PDF) the European Data Protection Supervisor gave during the week. |
The quote below is from the DPCâs final report from its investigation âin respect of the processing of personal data by the Department of Employment Affairs and Social Protection in relation to THE PUBLIC SERVICES CARD (âPSCâ) examining compliance with the obligations in relation to LEGAL BASIS AND TRANSPARENCYâ, published, grudgingly, by DEASP in August 2019.
|
 A further report will shortly make provisional findings to the DEASP, including matters relating to data security; arithmetic template generation (and associated processing of personal data) for SAFE 2 and the PSC; and in relation to the DEASPâs processing of personal data generated in connection with the use of the free travel variant of the PSC. Once the DPC has considered any final submissions of DEASP in relation to that second report, it will finalise its report and decision on those particular issues.
|
|
|
|
It definitely could.
|
The original warrant sent to Google is still sealed, but the report provides another example of a growing trend of data requests to the search engine giant in which investigators demand data on a large group of users rather than a specific request on a single suspect.
|
The keyword warrants are similar to geofence warrants, in which police make requests to Google for data on all devices logged in at a specific area and time. Google received 15 times more geofence warrant requests in 2018 compared with 2017, and five times more in 2019 than 2018. The rise in reverse requests from police have troubled Google staffers, according to internal emails.
|
Google is giving data to police based on search keywords, court docs show - CNET
Court records in an arson case show that Google gave away data on people who searched for a specific address.
|
|
|
|
|
Thereâs some very interesting detail in a Telegraph story (hat tip TJ McIntyre) which is ostensibly about Instagramâs failure to crack down on self-harm content on its platform. When contacted by the Telegraph Facebergstagram blamed data protection law and the mean olâ Data Protection Commission for its inability to manage its own platform. |
As is fairly typical in these situations, an assertion without evidence is made - that adding more technology to the problem caused by the existing technology is the only reasonable and available solution to the problem.
|
The DPC quite rightly didnât agree with this.
|
|
|
A slap on the wrist for Wexford County Council.
|
âThe DPC considers that the drones deployed by [Wexford County Council] constituted a system carrying out surveillance which had the potential to collect personal data and therefore a DPIA should have been carried out by WCC prior to the drones being deployed,â Eunice Delaney, assistant commissioner, said in her ruling. However, she said that, given the county council had moved to amend its drone policy so that a DPIA will be carried out before the future purchase or use of drones, and given that no identifiable footage had been recorded, no further action would be taken.
|
|
|
|
|
After an investigation triggered by complaints from groups including Liberty, the ICO found that the DfE had failed to comply with sections of the general data protection regulation (GDPR). It said there was âno clear picture of what data is held by the DfEâ and that its handling of millions of pupil records âcould result in multiple data breachesâ. âThe audit found that data protection was not being prioritised and this had severely impacted the DfEâs ability to comply with the UKâs data protection laws,â the ICO said.
|
|
|
|
|
|
|
|
|
|
|
|
|
The CNIL has asked the Conseil d'Etat to stop using Microsoft to host the French Health Data Hub.
|
|
|
Coincidentally this week was also the week the DPC began enforcing its cookie guidance, published six months ago. Our money is on there being plenty of data controllers who still arenât abiding by the rules on this. The easiest infringement to spot is the use of implied consent to set cookies. So if you notice an Irish website with a banner that says something like âby continuing to use this website you consent to our use of cookiesâ then do drop the DPC a line. Theyâll probably be delighted to hear from you.
|
â The Belgian DPA reprimanded a public body for âwrongful processing of personal data from the National Registerâ. In an echo of what we discussed last week concerning Irish public bodies wishing to use CCTV footage to prosecute individuals for littering, this body has the competence to fine individuals for littering but does not have the competence to search the National Registry and infer family connections. |
|
|
-
âCurrent thinking around tech addiction is largely based in biological determinismâthe idea that we âcanât help ourselvesâ from becoming addicted to technologyâand tech solutionismâa belief that technological changes alone can solve for digital well-being. Neither of these approaches are grounded in empirical evidence, and both put the blame on the individual, rather than the platform.â âGood Intentions, Bad Inventions The Four Myths of Healthy Techâ by Amanda Lenhart and Kellie Owens deflates some common talking points deployed by moral panic merchants.
-
âIn nearly every case, we have absolutely no idea what determinations go into these algorithms. We do not know who coded them. We do not know how they work; how they judge. By their very nature â hidden lines of complex code, obscured by laws protecting business assets â they function invisibly. They are shielded as corporate proprietary information and âintellectualâ property â even though it is our intellects that they lay claim to, judging us by the data they gather (typically, without us knowing). This data then, ludicrously, becomes their property, not ours. Whole, revealing chunks of us, some of it extremely revealing and sensitive, owned not by us, but by them.â Karlin Lillington awards the grading of the 2020 Leaving Cert an F.
-
âThe Court also relied on Schrems II, implicitly confirming aspects of its approach there and embedding that decision in its jurisprudence. The underlying concern in Schrems II was the same as here: that is, data collected by private actors are accessed by state actors.  In sum, even in the interests of national security, general and indiscriminate surveillance does not satisfy the test of strict necessity and proportionality.â Lorna Woods reviews this weekâs Privacy International, La Quadrature du Net and Ordre des barreaux francophones et germanphone CJEU judgments in âWhen is mass surveillance justified? The CJEU clarifies the law in Privacy International and other casesâ
â
|
|
|
|
|
If you know someone who might enjoy this newsletter do please forward it on to them.
|
|
Did you enjoy this issue?
|
|
|
|
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
|
|
|
|
Privacy Kit, Made with đ in Dublin, Ireland
|
