Nov 1, 2020

Fines, Discounted | The Cat Herder, Volume 3, Issue 42

Revue

November 1 · Issue #106 · View online

After weeks of messing and insulting the intelligence of anyone who was paying attention the Irish state grudgingly admits to the existence of 1) the principle of supremacy of European law, 2) the Treaty of Lisbon and hence the Charter of Fundamental Rights of the European Union and 3) the General Data Protection Regulation. Elsewhere it’s business / bungling as usual.

😼

Colin Lenihan

@colinlenihan

There is such a failure within INIS that migrant communities have to arrange between themselves to return passports that were sent by INIS to the wrong person and wrong addresses https://t.co/gd8519ry10

1:29 PM - 29 Oct 2020

—

Pfizer Exposes Data on Hundreds of Prescription Drug Users - Infosecurity Magazine

www.infosecurity-magazine.com – Share

Pfizer Exposes Data on Hundreds of Prescription Drug Users. Pharma giant misconfigured cloud storage bucket

—

This week in ‘well, this is awkward’.

True bills itself as the social networking app that will “protect your privacy.” But a security lapse left one of its servers exposed — and spilling private user data to the internet for anyone to find.

The app was launched in 2017 by Hello Mobile, a little-known virtual cell carrier that piggybacks off T-Mobile’s network. True’s website says it has raised $14 million in seed funding, and claimed more than half a million users shortly after its launch.

But a dashboard for one of the app’s databases was exposed to the internet without a password, allowing anyone to read, browse and search the database — including private user data.

Techcrunch, ‘True, the social networking app that promises to ‘protect your privacy,’ exposed private messages and user locations’

It’s usually a glitch but this one’s being described as a bungle. As somebody said six months back, no matter how much money you throw at it you can’t app your way out of a pandemic.

Software bungle meant NHS Covid app failed to warn users to self-isolate | News | The Sunday Times

www.thetimes.co.uk – Share

The “world-beating” NHS Covid app, downloaded by 19 million people, has systematically failed to send alerts telling people to self-isolate after they came into contact with infected people.Thousands

This week developments in the Mother and Baby Homes fiasco brought clarifications (not u-turns, don’t call them u-turns) in which the government acknowledged that data subjects have rights and state data controllers have obligations which must be met.

We also saw either the Taoiseach or the Irish Times - it’s unclear from the copy - invent a new right out of thin air, the right not to be traced. During the week the Irish Times continued to publish mostly factual reporting on events as they transpired side by side with weird inaccurate opinion pieces which appeared to be informed mostly by the wishful thinking of officials in the Department of Children and Youth Affairs. As Máiréad Enright observed on Twitter, we moved seamlessly from misinterpreting existing laws to inventing new ones. As happened last week, the Irish Times ended the week on a patronising and condescending note.

Simon McGarr

@Tupp_Ed

Because the Dept’s top legal advisors appear not to have known a national law can’t create a “blanket ban” on GDPR rights. https://t.co/XTxHlBzZLo

9:44 PM - 30 Oct 2020

The minister, armed with a “clarification” from the AG’s office, who had presumably become fed up with having their reputation dragged around in the mud by his department, told us there would be two tests applied to subject access requests. The first of these is already in the law his department had been doing elaborate somersaults trying to exempt itself from. The second of these is pure fantasy.

And to conclude on the topic for this week, the point below really wasn’t made frequently enough during the entire shambolic progress of the government’s Bill through the Houses of the Oireachtas or in all the commentary afterwards.

Fred Logue

@FredPLogue

I think it's worth pointing out that unnecessarily deleting a whole database of personal information (particularly where data subjects don't want it deleted) is likely as much a breach of the GDPR as "sealing" it for 30 years.

10:28 PM - 26 Oct 2020

There's a pretty good chance it is.

Surveillance Startup Used Own Cameras to Harass Coworkers

www.vice.com – Share

Employees at Verkada accessed the company’s facial recognition system to take photos of women colleagues and make sexually explicit jokes.

Ángel S. Díaz

@AngelSDiaz_

The people making surveillance tools and the police departments themselves often make the first case-studies about how their products will be misused to target women.

Exhibit A:
https://t.co/KgudB4XoYy

3:06 PM - 27 Oct 2020

Olivia Solon

@oliviasolon

Yes. I heard of a retailer that installed facial recognition tech for detecting shoplifters but managers started adding images of attractive women to the system so they'd get notified the next time they came in. https://t.co/uokoS1OX5I

3:33 PM - 27 Oct 2020

The DPC added a new page to its website, ‘Decisions exercising corrective powers made under the Data Protection Act 2018’, which contains links to short descriptions of a half dozen decisions. Hopefully this will be updated regularly, and possibly more detail added to the decisions.

—

The ICO issued another steeply discounted fine, this time to Marriott. Down from £99 million last year to £18 million this week.

—

The ICO took enforcement action against Experian, giving it an enforcement notice setting out changes which are to be made to its processing operations within 9 months. Otherwise, fines are a possibility.

“In the announcement last week, the Taoiseach acknowledged that the EU General Data Protection Regulation (GDPR) is, of course, supreme over any conflicting laws or arrangements that the Irish state had previously constructed to address our so-called “historical” systems of abuse. He and Roderic O‘Gorman, the Minister for Children, have committed to ensuring the effective implementation of GDPR in this area without delay. They have further committed to legislating urgently to provide adopted people, natural mothers and relatives with all of the information they need, and to ensure respectful exhumations where necessary at unmarked burial sites.” Maeve O'Rourke in the Business Post on where we are now in relation to the Mother and Baby Homes and other records of institutional abuse.
“I simply do not remember a time when global public communication channels have been so codified and platformitized. By this, I mean that 2020 marks the stage—quite literally—when hundreds of public health agencies and government communication channels simultaneously collapsed their efforts into exactly two tightly controlled commercial marketplaces: Apple’s iOS and Google’s Play stores.” Jonathan Albright in ‘The Pandemic App Ecosystem: Investigating 493 Covid-Related iOS Apps across 98 Countries’.
The Australian Competition and Consumer Commission’s detailed research into ‘1,000 Mobile Apps in Australia’.

—

Endnotes & Credits

The elegant Latin bon mot “Futuendi Gratia” is courtesy of Effin’ Birds.
As always, a huge thank you to Regina Doherty for giving the world the phrase “mandatory but not compulsory”.
The image used in the header is by Krystian Tambur on Unsplash.
Any quotes from the Oireachtas we use are sourced from KildareStreet.com. They’re good people providing a great service. If you can afford to then donate to keep the site running.
Digital Rights Ireland have a storied history of successfully fighting for individuals’ data privacy rights. You should support them if you can.

Find us on the web at myprivacykit.com and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.

If you know someone who might enjoy this newsletter do please forward it on to them.

Did you enjoy this issue?

If you don't want these updates anymore, please unsubscribe here.

If you were forwarded this newsletter and you like it, you can subscribe here.

Privacy Kit, Made with 💚 in Dublin, Ireland