Mandatory And Also Mandatory | The Cat Herder, Volume 4, Issue 1

January 10 · Issue #114
The Cat Herder
Happy New Year to you all. Some entirely predictable developments in Singapore, some of the same old carry on regarding the Public Services Card, and the same old carry on from landlords, a published DPC decision on CCTV and online ad fraud, because there’s always online ad fraud.

House-hunters seeking to rent a home are increasingly being asked to provide references to secure a viewing of a rental property, contrary to data protection guidelines.
The practice has been criticised by housing charity Threshold, and the Data Protection Commission is examining a number of complaints from renters.
Landlords and letting agents are asking prospective tenants to provide payslips, references and personal details when making enquiries to view a property.
This comes up regularly and until the DPC sanctions a few offenders pour encourager les autres it will continue to do so.
Let’s just quickly rearrange a few of the paragraphs from this story.
A spokesperson for the Data Protection Commission said organisations using such technology must ensure they meet their data protection obligations under the GDPR.
and then
“They must also be fair and transparent with individuals and inform them of the reasons for collecting their personal data, what it will be used for and how long they intend to keep it.”
and then
Tesco declined to comment further on how the information will be stored, whether it would be kept alongside other details such as purchasing history, and for how long it would be retained.
So here we have, in one short news story, a data controller not complying with its data protection obligations under the GDPR.
A great big store of personal information gathered for public health purposes has proved too attractive for law enforcement in Singapore to resist.
Singapore has confirmed its law enforcers will be able to access the country’s COVID-19 contact tracing data to aid in their criminal investigations. To date, more than 4.2 million residents or 78% of the local population have adopted the TraceTogether contact tracing app and wearable token, which is one of the world’s highest penetration rates.
Chong, long used to being an outlier when it comes to apprehension over data collection in Singapore, says he has been encouraged by the recent increase in public awareness. But he’s still keeping his expectations low because he thinks the burgeoning resistance isn’t enough to put the brakes on it.
“Unless people start to band together and question these [Smart Nation] initiatives, I think [the government is] just going to push ahead. There are benefits to these technologies, but there needs to be some sort of debate about the trade-offs.”
Oh yes we did
Fraud? In the adtech ‘ecosystem’? Surely not. More on this below in ‘What We’re Reading’.
Nandini Jammi
The biggest story in tech no one’s talking about is Uber discovering they’d been defrauded out of $100M - or 2/3 of their ad spend.

And all bc Sleeping Giants kept bugging them to block their ads on Breitbart.
The screenshots are from the first 2021 issue of Bob Hoffman’s excellent Ad Contrarian newsletter, ‘TOP 10 MARKETING FOLLIES OF 2020’.
It wouldn’t be a proper new year without the Public Services Card rearing its head and we weren’t disappointed.
On Wednesday of last week Brian O'Connell reported for the Claire Byrne Show [direct link to MP3] that in order to renew a driving licence online - and avoid the risks associated with an in-person appointment during a pandemic - with the body that issues driving licences you have to get a verified MyGovID account, which means you have to get a Public Services Card, which means you have to attend an in-person appointment with the body which issues the Public Services Cards.
Both the RSA and DEASP issued statements to RTÉ.
Brian O'Connell
Re @TodaywithClaire PSC card and driving license renewals report, this is the mainstay of what both @RSAIreland and @welfare_ie told me in response to the issue:
There isn’t much new in what DEASP have to say for themselves, although it is notable that the department is still bullish on the Attorney General’s advice which it received on this matter, even after the sudden u-turn of the Minister for Children, Equality, Disability, Integration and Youth late last year on data protection advice from the Attorney General which his department had been relying on to make all sorts of erroneous assertions about ‘sealing’ the archive of the Mother and Baby Homes Commission of Investigation.
The RSA tries a line which DEASP have in the past used and discarded, which can be paraphrased as ‘we’re allowed do what we’re doing despite a DPC decision that we’re not allowed do what we’re doing because the government has spent a lot of money on this yoke and therefore’ … the argument, as always, tails off after this because this is not a legal basis for processing personal data.
The RSA also asserts that MyGovID will be “a mandatory feature of all online government services from now on.” This may be news to the DPC, and mandatory is perhaps an unfortunate word choice given the contortions the same word forced a previous Minister for Employment Affairs and Social Protection into.
The obtained under FOI the DPC’s decision in relation to Kerry County Council’s use of CCTV “regarding the surveillance of citizens by the State for Law Enforcement Purposes”.
As well as being of great interest since it’s the first decision we’ve seen of the many taken or pending by the DPC after investigating the use of CCTV by local authorities across the country, fans of transparency should also note that:
  • The DPC didn’t publish this decision, and still does not publish any of its decisions in full. The decision in the high-profile Twitter case from late last year was published by the EDPB, not the DPC.
  • Kerry County Council refused to release it under FOI
  • It was only released after an appeal to the Information Commissioner
This is an unsatisfactory situation for data subjects and doesn’t seem to sit well with a data controller’s accountability and transparency obligations. How can a data controller be fully demonstrating compliance with the GDPR while simultaneously taking steps to conceal the decision of the supervisory authority from the public? Hopefully this will not be the case with the remaining CCTV inquiries.
An inquiry into a public body using public funds to surveil members of the public in public spaces is something which should automatically be published.
The EDPB adopted a number of documents at its 42nd and 43rd plenaries, including its 2021-2023 strategy.
  • “After decades of dominance, growth, and easy money, adtech’s metastasized into a fattened beast gorging on advertisers’ lack of options. Fraud runs rampant. ROI is shrinking. And the platforms that once provided high quality attribution are so dominant, they no longer need to bother proving themselves. Something truly is rotten in the state of online ads. But, in the words of King Hamlet: the hour is almost come when advertising’s tormenting fraud must render itself up.” If you only read one thing this weekend, make it Rand Fishkin’s scathing and accurate assessment of ‘What the #$%* is going on with the digital advertising ecosystem?’
  • “The lawsuit highlights growing dissatisfaction among consumers, privacy advocates and some regulators about the way complaints against large companies are handled by the data protection authority in the country where the company has its European headquarters, no matter where the complaints originated. This so-called one-stop shop rule in the European Union’s 2018 General Data Protection Regulation has led to a backlog of cases in a small number of countries such as Ireland.” Catherine Stamp reports for the WSJ on the lawsuit taken by consumer advocacy group Consumentenbond against the Dutch DPA. The group “wants the Netherlands court system to require the local data protection authority to investigate a privacy complaint filed in 2018 against Google.”
  • “Apple’s stunning response to this undercurrent of metadata collection has been its privacy labels, now live on the App Store. “On each app’s product page,” Apple explains, “users can learn about some of the data types an app may collect, and whether that data is linked to them or used to track them.” These labels launched last month and caused a furore between Apple and app developers whose data collecting practices were now heavily exposed. Facebook led this charge, taking out full-page ads to argue against Apple’s move.” Zak Doffman looks at the scrap caused by Apple’s deployment of privacy labels for Forbes.
  • This Twitter thread by Miss IG Geek on the nature of harms caused by data protection violations.
Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland