
Imbalance | The Cat Herder, Volume 4, Issue 9

March 14 · Issue #122
The Cat Herder
Breaches, facial recognition, vaccination passports. All the usual suspects.

At least they got that Fartway Couriers Twitter account taken down though. Priorities.
Fastway Couriers apologises after customer data from over 440,000 parcel deliveries hacked
“We literally had 20-year-old interns that had access to over 100,000 cameras and could view all of their feeds globally,” said one former senior-level employee, who asked not to be identified discussing private information.
Verkada Workers Had Extensive Access to Private Customer Cameras - Bloomberg
The breach shows the astonishing reach of facial recognition-enabled cameras in ordinary workplaces, bars, parking lots, schools, stores, and more.
Hacked Surveillance Camera Firm Shows Staggering Scale of Facial Recognition
Vaccine passports are go in China! (In a vague way with very little detail about how they’ll work or what personal data they’ll process or where this data will be held.)
China launches COVID-19 vaccination certificates for cross-border travel | Reuters
Or could they?
T-Mobile US Inc. will automatically enroll its phone subscribers in an advertising program informed by their online activity, testing businesses’ appetite for information that other companies have restricted.
Daring Fireball: T-Mobile Is Automatically Enrolling Cell Phone Customers Into Ad Tracking Based on Their Online Activity
Perhaps Commissioner Reynders has somewhat belatedly realised that he does not want to be the Commissioner who introduces a spiritual successor to Privacy Shield (struck down by the ECJ) which was itself a spiritual successor to Safe Harbour (struck down by the ECJ) which is struck down by the ECJ.
It will be difficult to find a solution that protects Europeans’ data from U.S. law enforcement and intelligence authorities, EU Justice Commissioner Didier Reynders said in an interview.
Surveillance Concerns Could Hold Up European-U.S. Data Agreement for Years
What Gabriela Zanfir Fortuna has dubbed the Data Retention War has restarted in earnest. The EDPB fired a salvo back in the direction of the member state governments who are attempting to sneak data retention provisions which suit their law enforcement agencies into the ePrivacy Regulation.
As already stated on numerous occasions, the ePrivacy Regulation must under no circumstances lower the level of protection offered by the current ePrivacy Directive but should complement the GDPR by providing additional strong guarantees for confidentiality and protection of all types of electronic communication. In no way the ePrivacy Regulation can be used to de facto change the GDPR. In this regard, the Council’s position is raising a series of concerns and the EDPB wishes to point issues, which should be addressed in the upcoming negotiations.
In Brexitland the ICO, seemingly on instruction from Her Majesty’s Government, which raises questions about the independence of the ICO, is going to be involved in some rebalancing. The laziest of false dichotomies here: it is perfectly possible to innovate without removing the rights of individuals.
The government will ask the successor to the UK’s chief data regulator to redress an imbalance that has created a perception that our data protection regime errs too far in favour of privacy rights and against innovation.
Next Information Commissioner will correct ‘imbalance’ favouring privacy rights | IT PRO
  • “If a responsible adult would not let their child travel, alone and unsupervised, around the offline world, until they were comfortable that they understood the risks and had the tools and techniques and support network suitable for their needs and capabilities available to look after themselves, perhaps we should take the same approach when it comes to travelling online, rather than asserting that we must make the online world suitable for unsupervised, unaccompanied access for everyone from toddlers upwards.” From Neil Brown’s wonderful ‘Unpicking the “making children as safe as they are offline” fallacy’. This should be required reading for all the Cyber Helen Lovejoys out there.
  • “back in January I filed a complaint with the Irish Data Protection Commission about transfers of data to a 3rd country (the US) by an organisation that has its headquarters in the United States but operates an EMEA headquarters in Brussels and has market presence in many of the EU member states. I am a customer of this organisation. They rely on consent, contractual necessity, or compelling legitimate interests (all of which were discussed on the IAPP’s webinar and all of which have ‘issues’ that need to be addressed).” From Daragh O Brien’s blog post ‘Article 49 Derogations and GDPR’. Make sure you stick around until the end for the twist and read the comprehensive complaint itself.
  • “Under the two trials, the Home Office is working with the National Crime Agency to harvest “internet connection records (ICRs)” – information about which websites a customer visited, when they did so and how much data they downloaded. The metadata, as it is known, does not detail the specific pages visited on a given website, such as But it can nevertheless point to a lot of personal information about an individual. That could include health or financial information, revealed because a browser visits a certain site or category of site frequently.” From ‘Internet providers tracking sites we visit in secretive trial’ by Dan Sabbagh for the Guardian. That draft adequacy decision is looking more and more inadequate with every passing week.

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland