View profile

No Evidence | The Cat Herder, Volume 4, Issue 2

A shorter issue this week (and more than likely next week too) due to some entirely unforeseen person
January 17 · Issue #115 · View online
The Cat Herder
A shorter issue this week (and more than likely next week too) due to some entirely unforeseen personal issues which are consuming a lot of my time right now.

Some readers may notice that this accident in the UK is very similar to the plot line of an episode of The Thick Of It (Series 3, Episode 2). Fingers crossed it’s all resolved as neatly in real life as it was in fiction when the missing records are discovered on a USB key in the bottom of somebody’s second best bag.
Home Office 'working to restore' lost police records - BBC News
“From a data protection perspective we do not see the need to use Deutsche Post’s database,” said Barbara Thiel. “Once again, a false impression was created that data protection is treated as the highest good and prevents necessary measures. Regrettably my office was not consulted on these questions by the social ministry.”
German Covid vaccine officials play name game to comply with data privacy laws | World news | The Guardian
Oh yes we did
Oh yes we did
Every Deleted Parler Post, Many With Users' Location Data, Has Been Archived
No evidence, said the final report of the Comission of Investigation into the Mother and Baby Homes. Despite the survivors’ testimonies contining a wealth of evidence.
From a data protection perspective the revelation that the Commission of Investigation does not know what the word transcript means was highly alarming. Noelle Brown told Claire Byrne on Wednesday morning that what she was supplied with as a ‘transcript’ of her testimony to the Commissions’ Confidential Committee was nothing of the sort. It was an interpretation of her evidence “shoehorned” into an interview template of 222 questions. This ‘transcript’ therefore contained ‘answers’ to questions she had never been asked.
The Commission of Investigation has an obligation to correct these inaccuracies without undue delay, and certainly before its archive is transferred to the Minister for Children, Equality, Disability, Integration and Youth. Since the Commission has up until this point refused to comply with Subject Access Requests and issued only terse one line statements to RTÉ after the story of the inaccuracies in Noelle’s testimony broke it seems doubtful whether it will comply with its obligation to rectify the records it holds.
Simon McGarr has a detailed exploration of the ongoing attempts to avoid allowing people to exercise their rights by the next arm of state which will hold the archive when the Commission is dissolved at the end of February, the Department of Children, Equality, Disability, Integration and Youth.
And yet, just last Friday, the minister advertised for data protection experts to help draft the rules his department would use when mother and baby home survivors sent in their GDPR data access requests.
And there, once again, in the document was a requirement that the applicants acknowledge the same old fantasy of domestic restrictions on releasing data: 
“The particular legal regime applying to a commission of investigation requires consideration whether the release of personal data may prejudice the effective operation of commissions and the future cooperation of witnesses.” 
To be clear – this restriction is invalid under GDPR.
The European Data Protection Board and the European Data Protection Supervisor adopted joint opinions on two sets of new Standard Contractual Clauses.
The Controller-Processor SCCs will have an EU-wide effect and aim to ensure full harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
The draft SCCs for the transfer of personal data to third countries pursuant to Art. 46 (2) © GDPR will replace the existing SCCs for international transfers that were adopted on the basis of Directive 95/46 and needed to be updated to bring them in line with GDPR requirements, as well as taking into account the CJEU ‘Schrems II’ Judgment, and to better reflect the widespread use of new and more complex processing operations often involving multiple data importers and exporters. In particular, the new SCCs include more specific safeguards in case the laws of the country of destination impact compliance with the clauses, in particular in case of binding requests from public authorities for disclosure of personal data.
This new privacy policy also does not apply to WhatsApp in the European Union (EU), which has strict privacy laws. WhatsApp said any plan to share data with Facebook or other group companies would only be done once the company made an agreement with the Irish Data Protection Commission, the lead regulator for the service in Europe.
I’m willing to bet this is the first time the DPC has appeared on
The Norwegian DPA fined Coop Finnmark NOK 400,000 (~€39,000) for unlawful sharing of CCTV footage and another unnamed company the same amount for unlawful forwarding of an employee’s emails.
The Spanish DPA fined CaixaBank S.A. €6 million “for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). In relation to the violation of Articles 13 and 14 of the GDPR, the resolution highlights, among other things, that the information provided by CaixaBank in different documents and channels was not uniform, imprecise terminology was used within the privacy policy, and information about the category of personal data processed, profiles made of users and specific uses of the same, as well as the exercise of rights and data retention periods, was insufficient.”
  • The Norwegian Consumer Council (Forbrukerradet) filed a legal complaint with the Norwegian Consumer Protection Authority against Amazon for breaches of the Unfair Commercial Practices Directive. This is of interest because many of the same dark patterns detailed in the complaint are used in cookie notices and other data protection information to trick people into sharing data they don’t want to.
  • This Twitter thread about a 2 year tussle with a mobile network operator and the DPC over gaining access to personal data, in this case location data held by the operator. Oh and by the way, it turns out the Central Statistics Office is monitoring people’s movements in collaboration with Three. For mysterious Covid-related reasons.
Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland