View profile

The Department Declined | The Cat Herder, Volume 3, Issue 45

Department surprised, collecting locations, building profiling bridges, Taoiseach confirms law applie
November 22 · Issue #109 · View online
The Cat Herder
Department surprised, collecting locations, building profiling bridges, Taoiseach confirms law applies, another department remains uncooperative.

This - which has been going on in some form or other for a long time - kinda blows the argument that at least it’s private companies and not the state which is profiling you out of the water.
The news highlights the opaque location data industry and the fact that the U.S. military, which has infamously used other location data to target drone strikes, is purchasing access to sensitive data. Many of the users of apps involved in the data supply chain are Muslim, which is notable considering that the United States has waged a decades-long war on predominantly Muslim terror groups in the Middle East, and has killed hundreds of thousands of civilians during its military operations in Pakistan, Afghanistan, and Iraq. Motherboard does not know of any specific operations in which this type of app-based location data has been used by the U.S. military.
A modest suggestion for the world of  ̶m̶a̶r̶k̶e̶t̶i̶n̶g̶ profiling: how about simply not striving to build this “bridge” in the first place?
This can include offline phone numbers, email and home addresses, alongside browsing activity. “We can provide a bridge to the digital world for offline names,” he said, adding that Zeotap works with some 112 providers to pool data into a single, unified customer view.
Civil rights and privacy experts warn that the spread of such wearable continuous-monitoring devices could lead to new forms of surveillance that outlast the pandemic — ushering into the real world the same kind of extensive tracking that companies like Facebook and Google have instituted online. They also caution that some wearable sensors could enable employers, colleges or law enforcement agencies to reconstruct people’s locations or social networks, chilling their ability to meet and speak freely. And they say these data-mining risks could disproportionately affect certain workers or students, like undocumented immigrants or political activists.
The Hot New Covid Tech Is Wearable and Constantly Tracks You - The New York Times
It was refreshing to see Karlin Lillington set out the actual facts surrounding the Grahm Dwyer phone data retention case in the Irish Times on Thursday.
The true problem is the State’s refusal to implement this decision, and comply with the DRI ruling, in the subsequent six years. By failing to do so, it has not only jeopardised a conviction in this one case, but potentially, also in every single other case since in which mobile records have been used.
He described the State’s failure to implement the DRI case, and ensure its data retention laws were compliant, as “a crisis”, not just because it was a continuing violation of Irish citizen rights, but “also because there will be … risk that prosecutions that would otherwise be successful could face challenge”. This warning is also implied in Murray’s 187-page report.
Refreshing because the Department of Justice had chosen to use the same newspaper to begin a spin campaign earlier in the week with the aim of - presumably - absolving itself of any blame for the situation it now finds itself in.
“It is very difficult for the Garda or the police service in each individual member state to access information if the information is never being retained to begin with. It’s a conundrum.”
They added a decision against the Irish State in the matter could have implications for the integration of the European Justice system on a par with Brexit and may cause some member states to question the competency of the ECJ to rule on such matters.
Perhaps I’m old fashioned and not up to speed on the current niceties of access journalism but I do feel if a senior official of the Irish state is going to 1) describe the state’s legal obligations as “a conundrum” and 2) obliquely question the competence of Europe’s top court they should have the courage to put their name to this, and the Irish Times should not pull the comfort blanket of anonymity over them.
Across the river in Áras Mhic Dhiarmada it was business as usual.
Privacy Kit
The Sideshow Bob Rake Department is always on the lookout for new opportunities to be generally uncooperative while simultaneously reducing the level of transparency about its processing of personal data.
It did happen here.
It did happen here.
The Taoiseach said the following in a Dáil debate on Tuesday.
GDPR stems from European Union law and trumps other regulations.
This shouldn’t be remarkable yet it is. We shall now have to wait and see how long this takes to trickle down to government departments and their agencies, if it ever fully does. As we can see from the furious spinning around the data retention issue above it could be years.
Genuinely didn't see this coming.
Genuinely didn't see this coming.
TJ McIntyre
When I started in law I didn’t imagine having to consider the legal issues of robot vacuum cleaners listening to your conversations via your bin. Yet here we are.
The Italian data protection supervisory authority (Garante per la protezione dei dati personali) ordered Vodafone to pay a fine in excess of Euro 12,250,000 on account of having unlawfully processed the personal data of millions of users for telemarketing purposes. As well as having to pay the fine, the company is required to implement several measures set out by the Garante in order to comply with national and EU data protection legislation.
The Garante fined Vodafone €12.25 million for some very bad telemarketing.
Messenger services enable consumers to send text messages, photos and videos or make telephone calls via the internet. Surveys and media reports have repeatedly pointed out possible violations of consumer protection law in this sector: In some cases the way in which established messenger services manage the personal data of their users could be in violation of applicable data protection rules.
  • “Today, we’re announcing new protections for our public sector and enterprise customers who need to move their data from the European Union, including a contractual commitment to challenge government requests for data and a monetary commitment to show our conviction. Microsoft is the first company to provide these commitments in response to last week’s clear guidance from data protection regulators in the European Union.” Microsoft are certainly talking a good talk in this blog post ‘New Steps to Defend Your Data’ by head privacy honcho Julie Brill.
  • “The complainants said the inclusion of top civil servants Frank Robben, Nicolas Waeyaert and Séverine Waterbley on the panel runs counter to GDPR requirements for members to "remain free from external influence.” … Of those targeted in the EU complaint Robben is the most well-known in Belgium, and is behind many of the country’s public data initiatives including its COVID-19 contact-tracing app. Waterbley is a top civil servant in the economy ministry, while Waeyaert heads up the country’s official statistics institute.“ If it looks like a duck etc., and this certainly has all the attributes of a conflict of interest duck. From ‘Belgian data regulator roiled by infighting’ by Vincent Manancourt for Politico.
  • "Newly filed accounts show admin expenses for WhatsApp Ireland increased by €86.2 million, versus the previous 18 months, primarily due to the recognition of provisions of €77.5 million for “possible administrative fines arising from regulatory compliance matters presently under investigation.” … “The provisions recognised are based on the advice of outside legal counsel, regulatory correspondence received in 2019 and 2020, and relevant mitigating and other factors, which under the relevant legislation may impact any final fine amounts,” the company said.” From ‘WhatsApp Ireland sets aside €77.5m for possible data compliance fines’ by Charlie Taylor in the Irish Times. Last year Facebook had some tactical success in ‘predicting’ the amount of an FTC fine on an investor call (see Volume 2, Issue 15) so it’s not at all surprising to see the same approach being taken here.

Endnotes & Credits
Find us on the web at and on Twitter at @PrivacyKit. Of course we’re not on Facebook or LinkedIn.
If you know someone who might enjoy this newsletter do please forward it on to them.
Did you enjoy this issue?
If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Privacy Kit, Made with 💚 in Dublin, Ireland