View profile

“I understand, but I’m under instruction” | The Cat Herder, Volume 3, Issue 40

This week's accidental theme appears to be 'and governments wonder why people might not trust them wi
October 18 · Issue #104 · View online
The Cat Herder
This week’s accidental theme appears to be ‘and governments wonder why people might not trust them with their personal data’.

Police notebook with gang details stolen from car | UK news | The Guardian
The Department of Health and Social Care (DHSC) confirmed it had “agreed a memorandum of understanding with the National Police Chiefs Council (NPCC)” to provide forces with the information on a “case-by-case basis”.
The latest news on access to data comes after DHSC updated its guidance on Friday about how details would be dealt with.
In information posted online, the department said names, addresses and contact details of people who don’t self-isolate “without reasonable justification” could be passed onto a local authority, before going to police.

Coronavirus: Police granted access to details of people told to self-isolate by Test and Trace | Sky News
Nobody could have seen this coming, could they? (Story is paywalled but you can get the gist from the headline.)
Contact-tracing data harvested from pubs and restaurants being sold on | News | The Sunday Times
“We can’t have the pot calling the kettle black,” Judge Linnane said regarding the length of the State’s own affidavits. Regarding those 118 pages of statements, she said “maybe the other side was encouraged by your own length”.
“I call that concise,” she said of the DPC’s 175-page statement. 
“They have replied to your four statements with one.”
Mr Power replied that the DPC’s statement has twice the number of paragraphs as the Department’s.
The Department of Employment Affairs and Social Protection instructed a senior counsel to go to court and argue about the number of paragraphs in an affidavit. That’s it, that’s the story. It’s amusing but also infuriating since with this pretty juvenile display DEASP has yet again signalled it will go to great lengths to delay, time-waste and show disdain for the Data Protection Commission’s status and findings and hence for the data protection rights of millions which the DPC found to have been infringed.
Yet DEASP simultaneously would contend that it is an appropriate body to collect and hold biometric information about every person in the country.
Judge questions 'mandatory, but not compulsory' Public Services Card
Just by the by, in September 2019 the then minister for Employment Affairs and Social Protection told Morning Ireland that her legal advice was “incredibly strong”.
It definitely could.
It definitely could.
As the use of facial recognition has exploded across China in recent years, the country has been hit with numerous data leaks related to the technology. But people without any legal expertise might not know how to fight back, especially when the installation of such systems are being pushed by local police.
Facial recognition started becoming a more common way of controlling access to local communities last year, and law enforcement might be aiding the technology’s spread. Lao said the head of her neighbourhood committee told her that the local police demanded the installation of the system. And Chinese media reported that police in Shanghai have advocated for the same thing.
Facial recognition data leaks are rampant in China as Covid-19 pushes wider use of the technology | South China Morning Post
The Norwegian DPA fined Bergen Municipality €276,000 “because the municipality had not implemented technical and organizational measures to achieve an adequate level of security, and for not having ensured confidentiality and integrity.”
Readers should note this case involves a public sector body being sanctioned by the relevant independent supervisory authority and that said public sector body, presumably staffed by grown-ups, has given no indication it intends to send a senior counsel into court to argue about the number of paragraphs in a document prepared by the independent supervisory authority.
The ICO issued a penalty notice to British Airways for £20 million (~€22 million), which is considerably smaller amount than the £183.39 million which was in the notice of intention to fine issued in July 2019.
The inspection service of the Belgium DPA makes a number of findings in a report reviewed by TechCrunch – including that the TCF fails to comply with GDPR principles of transparency, fairness and accountability, and also the lawfulness of processing.
By any measure that’s a comprehensive set of failings.
The EDPB adopted guidelines on the concept of relevant and reasoned objection at its 39th plenary session. That’s the members of the EDPB objecting to each other’s draft decision.
Which is presumably related to this story in the Wall Street Journal: ‘Twitter Data-Breach Case Won’t Be Resolved Before Year’s End, Ireland’s Regulator Says’.
Helen Dixon, head of Ireland’s Data Protection Commission, in May submitted a draft decision to more than two dozen of the bloc’s privacy regulators for review, as required under the law. Eleven regulators objected to the proposed ruling, sparking a lengthy dispute-resolution mechanism, she said. The contents of the draft decision haven’t been disclosed.

  • “While holding considerable influence over a person’s life, the criminal checks can be wildly inaccurate, as a recent joint investigation by The Markup and The New York Times found. But, perhaps even more common, they can be confusingly vague or unfairly include information from a person’s past that a court has deemed obsolete.The Markup reviewed hundreds of federal lawsuits filed in the past 10 years against tenant screening companies and found dozens of accounts from people who alleged they’d been denied housing after tenant screening companies made mistakes in reporting their criminal records.” ‘When Zombie Data Costs You a Home’ by Lauren Kirchner for The Markup.
  • “… data governance emerges as key terrain on which to discipline firms engaged in datafication and to respond to the injustices of informational capitalism. Scholars, activists, technologists and even presidential candidates have all proposed data governance reforms to address the social ills generated by the technology industry. These reforms generally come in two varieties. Propertarian reforms diagnose the source of datafication’s injustice in the absence of formal property (or alternatively, labor) rights regulating the process of production … The second type of reforms, which I call dignitarian, take a further step beyond asserting rights to data-as-property, and resist data’s commodification altogether, drawing on a framework of civil and human rights to advocate for increased protections.” Salomé Viljoen on ‘Data as Property?’
  • “Countries with poor data protection laws typically fall into two categories: underdeveloped or authoritarian. Given its hard-won reputation of being on the side of progress and anti-authoritarianism, it would be unfortunate if the UK was associated with either of those. But there is a third possibility when it comes to bad data practices that is just as unpalatable. The UK could develop into a data haven, in the way some countries are tax havens.” Carissa Véliz in The Guardian: ‘You’ve heard of tax havens. After Brexit the UK could become a 'data haven’‘.

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland