
"new methods of spying on their employees" | The Cat Herder, Volume 3, Issue 38

Yet another glitch. So many glitches and software that snitches. CCTV and Genuity. 😼
October 4 · Issue #102
The Cat Herder

Airbnb glitch exposed hosts' personal data | IT PRO
Workplace surveillance has rapidly morphed into home-workplace surveillance.
David Heinemeier Hansson, a co-founder of the collaboration startup Basecamp, which provides a software platform for companies to coordinate their remote workers, says he regularly has to turn down requests from potential clients for new methods of spying on their employees.
Shirking from home? Staff feel the heat as bosses ramp up remote surveillance | World news | The Guardian
There’s subtlety in choosing a name for your company and then there’s this -
Another company called Sneek offers technology that takes photos of workers through their laptop and uploads them for colleagues to see.
'I monitor my staff with software that takes screenshots' - BBC News
“This document reveals a shocking misuse of personal health information by police,” said CCF Litigation Director, Christine Van Geyn. “Police were caught using the COVID-19 database to look up names unrelated to active calls, to do wholesale postal code searches for COVID-19 cases, and to even do broad based searches outside officers’ own cities. There is no rationale for this abuse. We have filed a complaint with the Ontario Privacy Commissioner for violations of the Personal Health Information Protection Act, and with the Ontario Independent Police Review Director for officer misconduct.”
Documents reveal details of Ontario police misuse of COVID-19 database | Canadian Constitution Foundation
While we’re on the topic of police and personal data, two peculiar and concerning issues relating to Garda access to and sharing of personal data cropped up this week. Galway City mayor Mike Cubbard was quoted in the Irish Times as saying that “The gardaí have agreed to work with the college and give them addresses of houses where they have been called because of parties, and then the college will make contact with landlords".
As Liam Herrick of the ICCL says, “It’s not clear that there is a lawful basis for guards passing on information that does not relate to criminal offences.”
In the very first issue of this newsletter we poked some fun at a story in the New Ross Standard from July 2018, a short couple of months after the GDPR had come into force: ‘New Ross councillors move to reverse 'criminal’ GDPR’.
Two and a bit years later the efforts of the New Ross councillors to overturn the most significant piece of European data protection legislation in a generation have come to naught. Since this was well within what could be called the bedding-in period for the new legislation, a certain amount of confusion could be understood as natural while people and organisations became accustomed to the new law.
The bedding-in and acclimatisation period has long since passed. Yet the impulse to reverse, rewrite, overturn or what have you has not gone away. It has, in fact, found its way upwards from local government chambers into the national parliament, expressed this week by An Taoiseach himself.
Micheál Martin: “In my view, privacy rights should not apply to people who are dumping illegally and if legislation is required to correct this, then it will be brought about urgently. I spoke to the Minister this morning. I understand the need for privacy and for property rights to be protected. On the other hand, we can overdo this. I think CCTV should be used to catch illegal dumpers and to prosecute them, and there should be no issue around that.”
This was in response to Deputy Noel Grealish fuming about a “ridiculous ruling by the Data Protection Commissioner, DPC” and asking the Taoiseach whether he would “deal with the crazy issue concerning the DPC and the non-use of CCTV footage”.
The DPC has opened 31 separate own-volition inquiries into state surveillance by local authorities. At the end of June of this year 25 of these inquiries were still ongoing and six were in the decision-making phase (figures taken from ‘DPC Ireland 2018-2020 Regulatory Activity Under GDPR’ [direct link to PDF]).
A decision had been issued to Kerry County Council, which is being appealed.
[The] decision was issued by the Commissioner in March 2020 and concerned Kerry County Council. It found that certain CCTV systems operated by Kerry County Council were unlawful in the absence of authorisation from the Garda Commissioner under Section 38 of An Garda Síochána Act 2005. Significantly in this regard, the Litter Pollution Act 1997, the Waste Management Act 1996 (as amended), and the Local Government Act 2001 were comprehensively considered and the decision found that those Acts do not provide a lawful basis for the use of CCTV for law enforcement purposes. [page 38]
The DPC published quite extensive guidance on the lawful use of CCTV in October 2019.
Yet this week we have the Taoiseach ignoring the multiple DPC investigations and decisions and proposing to legislate his way around a European regulation. This is the Irish state’s all too common knee-jerk response to laws it doesn’t like. Rarely considered is the fact that any national law introduced which will restrict the rights of individuals has to be necessary, proportionate and demonstrably effective at achieving its aims.
In August of last year Mr Martin’s predecessor briefly mooted legislating his way out of the fine mess the Department of Employment Affairs and Social Protection had landed his government in with its illegal biometric database.
Questioned during a weekend visit to the Fleadh Cheoil na hÉireann in Drogheda, the Taoiseach said: “There will need to be some changes around the retention of data, transparency and strengthening the legal basis of the Public Services Card.”
One of the issues the Government will soon address is the deletion of retained data on cardholders, he added.
This wasn’t a bad suggestion at all. Rather than relying on painstakingly combing through existing legislation to search for sentences which look as if they might provide something that gives the appearance of a lawful basis, a brand new Public Services Card Bill could have been put forward.
Curiously enough, this idea was dropped within days and hasn’t been seen again since. Perhaps because there was a realisation somewhere within the corridors of power that any such legislation which aimed to maintain the PSC system in its current against-all-best-practice-advice manifestation would fail the necessity and proportionality tests.
It definitely could.
The message came out of the blue for Taylor Fornell. A stranger told her he had complete control over the home security system in her new house in Stony Plain, Alta., and could prove it.
As she stood alone in her front hall, she watched in disbelief as the man unarmed the system, unlocked doors and windows and told her he could track when she left the house — all with a few clicks on the security company’s app.
The Hamburg DPA fined H&M €35,258,707 (and ninety five cent) for extensive illegal monitoring and profiling of employees in a service centre in Nuremberg.
The company was fined despite cooperating fully, apologising to the affected employees and agreeing to pay them considerable compensation. In the absence of these mitigating measures it is possible the amount of the fine could have been considerably larger since H&M’s turnover for the preceding year was €21.9 billion.
From next year the Swedish DPA will be known as IMY, the Integrity Protection Authority.

  • “Farrell notes two particular problems with smart cities, the first being that there is no way to opt-out of having your data collected. She says, “You can’t opt-out of Trafalgar Square, you can’t opt-out of buying food. So… the whole opt-out regime, it just doesn’t work.” The second problem, according to Farrell, is that smart cities are often built with public-private contracts. She claims the companies behind these contracts “are a long way away down a chain from any kind of public accountability and are [working on] smart cities basically because they’re an incredible opportunity to vacuum up vast amounts of data.” From ‘Balancing Technological Advances and Data Privacy’, a short discussion with Maria Farrell on the Salzburg Global Seminar site.
  • The EDRi published a new booklet, ‘Data Retention Revisited’ written by researchers Melinda Rucz and Sam Kloosterboer from the Information Law and Policy Lab in the Netherlands. "Data Retention Revisited explores the history of data retention in Europe, the legal framework and the impact of data retention practices on fundamental rights. This includes the intrusiveness of metadata and the stifling effects on freedom of expression. It explores how necessity and proportionately fit into data retention practices (including voluntary ones), as well as its effectiveness (is mass surveillance even useful?) showcasing problems such as false positives and “technological solutionism”.” Meanwhile, across on the other side of town the Council of the European Union has set up an “Ad-hoc Working Party on Data Retention” [PDF].
  • Last but not least, the investigation by Noteworthy and The Business Post into the artists formerly known as Genomics Medicine Ireland is published today. The main Noteworthy piece is here, with many links to further items. The Business Post piece is here (€).

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Privacy Kit, Made with 💚 in Dublin, Ireland