March Roundup

Join us, gentle readers, on a short adventure in which we compare and contrast the approaches and abilities of two neighbouring data protection authorities, visit a data protection summit sponsored and launched by the Minister for Data Protection which didn’t have a privacy policy and hear about the privacy concerns of the inventor of the world wide web and the UN Special Rapporteur on privacy.

1. Duelling Data Protection Authorities (Well, Not Really)

There was a decision in the Irish courts at the start of the month with fairly broad-reaching implications. It turns out the Irish Data Protection Commissioner (DPC) does not have to reveal which third parties lobby it. So the body responsible for ensuring that multinationals deal with the personal data of all EU citizens in an above-board and transparent manner does not have to be transparent about which third parties (for example, multinationals) are lobbying it. Yes folks, that’s a regulator going to court to ensure it doesn’t have to let the public know when it’s being lobbied by the entities it’s supposed to be regulating. This is not to criticise the court’s decision or the attempt to regulate lobbying in Ireland through the Lobbying Act, but it has resulted in a rather peculiar situation which is most certainly not to the benefit of hundreds of millions of EU citizens.

[Warning: more acronyms ahead.]

At around the same time, the Information Commissioner’s Office (ICO) in the UK opened a public consultation about consent under the General Data Protection Regulation (GDPR). This started on the 2nd March and ran until the 31st and was structured in a friendly and accessible way, which always encourages feedback. A draft guidance document was created. A complementary feedback document which asked questions about the quality of the guidance document, how readable it was, what areas were missing and so on was also created. The ICO stated it would collate all responses to their request for consultation and publish them.

In Ireland the DPC started a consultation process on the 16th March, the day before a public holiday and a long weekend. Submissions were to be accepted until the 28th. The period was subsequently extended until the 31st. The DPC consultation covered four large areas of the GDPR rather than one – consent, profiling, personal data breach notification and certification. Rather than preparing guidance documents on these four areas, as the ICO had done for consent, the DPC presented a large number of questions. These ranged from the peculiarly specific (“In respect of minors how should parental consent be collected in an online environment?”) to the surprisingly philosophically broad (“Are there limits to profiling?”). The DPC also informed readers that it wouldn’t be collating the responses or publishing any document.

Let’s do some facetious maths. The DPC originally allowed 7 working days (including the closing date) for submissions on four areas of the GDPR. The ICO allowed 21 working days (including the closing date) for one area of the GDPR. 21 multiplied by four is 84. 84 divided by seven is twelve. So the DPC is allowing one twelfth of the time the ICO is for consultation, or 8.3333% of the time if you prefer percent.

One approach certainly seems more engaged with regular people whose data is at issue here than the other.

The ICO has also been quite active in dishing out fines to both private and public sector organisations who are guilty of mishandling people’s personal information. In Ireland the DPC doesn’t yet have the ability to fine public sector organisations. As seen by the ongoing parade of data errors in the HSE, the slap on the wrist approach doesn’t seem to be improving organisational behaviour in the public sector.

+ ‘Council fined for leaving sensitive files in cabinet sent to second hand shop’, ICO

+ ‘Data watchdog does not have to disclose lobbying by firms’, Irish Times


2. It Certainly *Looks* A Lot Like A Compulsory ID Card

The government launched a thing. If you pay any attention to current affairs you’re doubtless well aware that the government is always launching things. Some of these go on to become realities that may or may not impact on your everyday life as an Irish citizen. Some of them don’t. Some of them have a habit of reappearing in slightly different clothing, over and over and over again.

Anyway, the thing in this case is an online authentication service named MyGovID. The rather unclear pitch is that it is a single secure identity for every Irish citizen to use in their interactions with some government bodies and to access some services. It is connected to the Public Services Card, in that in order to access the second tier of authentication with MyGovID you must be in possession of a Public Services Card. How departments and other government bodies are acquiring information from each other and whether they have obtained explicit consent to do so is at best opaque.

This is important because, as of October 2015, they can’t really just pass information to one another whenever they feel like it. This is because of this paragraph in what’s informally known as the Bara ruling by the Court of Justice of the European Union (link to more information below):

Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.

Interestingly, MyGovID was launched in the same week the Australian government decided to run a mile from a similar project. Angus Taylor, the Assistant Minister for Cities and Digital Transformation said “the government considers it a citizen’s right to have multiple digital identities for their interactions with government, if that’s what they want.”

He also emphasised that the system had to be user-driven rather than top-down, and that citizens’ consent is crucial to the model.

“It must be user-driven. If I want to have 45 identities across the Internet and across my applications, it should be my choice. If I want to have one, that’s my choice too.”

He added that the “user-driven approach” has to extend to the citizen having a “genuine consent” about how they interact with a digital identity.

Notes for humans

Minister Donohoe insists that use of the Public Services Card will not be mandatory. If you can’t access some government services without identifying yourself using MyGovID, which requires a Public Services Card, then that would seem quite mandatory. While there are undoubted benefits to be gained by streamlining and improving access to government services, sneakily imposing an ID card on citizens is the worst way to do it; it will lead to pushback and destroy any positives that might have come out of the project. Public faith in State handling of data in general is probably not at a high point considering the police force have just been caught making whopping errors in their breath test data.

+ ‘Public service card use not mandatory, says Donohoe’, Irish Times

+ ‘Misreading Bara: The Irish State’s database crisis’, McGarr Solicitors

3. Genes On The Late Late Show

The Late Late Show devoted some time on its St. Patrick’s Day special edition to promoting DNA genealogy services. We’ve written about these services and the aggressive promotion of them in Ireland before. While an interest in researching your ancestry is a perfectly normal thing, you should really keep a close eye on what may be happening behind the scenes with your data. As always, you should read the privacy policy before you do anything. The company who provided the testing services on the Late Late Show is called Ancestry.ie, which is the Irish part of an operation called AncestryDNA. From the AncestryDNA Privacy Statement:

By providing AncestryDNA with personal information, you specifically consent to the transfer and storage of personal information to and in the United States, and to the processing of personal information in the United States, Ireland and your country of residence.

Notes for humans

Be aware of the consequences of giving a stranger with a laboratory your genetic information. Read the privacy policy and take note of where your data is being moved to before you make an impulse purchase. Be aware that a privacy policy isn’t a guarantee and can change over time, for example when financial considerations may make it attractive to an organisation to sell your data to an unknown third party.

4. “We’ve Lost Control Of Our Personal Data”

The man typically dubbed the inventor of the web had a few things to say on the occasion of the web celebrating its twenty-eighth birthday. He published an open letter highlighting three challenges for the future of the web. At the top of Berners-Lee’s list was “We’ve lost control of our personal data.” It’s not a long letter and it is well worth a read.

A short time later a data breach was reported by researcher Troy Hunt. The breach contained 33,698,126 very detailed and carefully curated entries for individuals. As interesting as the breach itself was the response, in which Dun & Bradstreet contended that email addresses, job titles and first and last names were not personally identifiable information. Hunt’s account of the incident and how it ties in to Berners-Lee’s remarks is also worth a few minutes of your time.

Notes for humans

Berners-Lee is very much correct in his assessment. The dissembling around the NetProspex records shows how little respect corporations have for personally identifiable information. Don’t forget, this is your information which they are using for their benefit, frequently without your knowledge.

+ ‘The Man Who Invented The Web Agrees [KitBits 17.4]’


5. Special Rapporteur’s Report

Professor Joseph Cannataci, the UN Special Rapporteur on privacy, published a report which was very critical of the enthusiastic rush by countries everywhere to bulk surveil as many people as possible. He singled out the US, UK, France and Germany for particular criticism.

He said that the passed laws amount to “gesture-politics,” which in his words, “have seen politicians who wish to be seen to be doing something about security, legislating privacy-intrusive powers into being — or legalize existing practices — without in any way demonstrating that this is either a proportionate or indeed an effective way to tackle terrorism.”

Notes for humans

This has happened, is happening, will continue to happen. Amber Rudd’s muddled remarks in the wake of the attack in Westminster about breaking encrypted messaging services are evidence of this.

+ ‘State surveillance boom sparked by fear-mongering political populists, says UN’, The Register

+ ‘UN privacy watchdog says ‘little or no evidence’ that mass surveillance works’, ZDNet

Honourable Mentions
  • Miele put a web server into a dishwasher. This wasn’t a good idea, as it wasn’t secure, which is very frequently the case with the devices which make up the Internet Of Things That Really Shouldn’t Be Connected To The Internet. Whilst we’re on that topic, unless it’s your particular kink, there isn’t any particularly good reason to connect your sex toys to the internet, and a plethora of reasons not to, as the manufacturers of a smart vibrator found out to their cost this month.
  • Straight from the Department of Didn’t Think This Through At All, it was reported that British and American banks were monitoring contraceptive purchases and dinners in swanky restaurants as part of a spectacularly misguided effort to crack down on human trafficking.
  • The tenth anniversary of Daniel Solove’s seminal essay ‘”I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy’ rolled around this month. You can find it and more good things to read on our recommended reading page.
  • There was a lot of plain bad – or at the least eagerly sensationalist – reporting this month on a serious issue. Wikileaks dumped a lot of documents at the beginning of the month. This piece by Zeynep Tufekci is what you need to read, not any of the preceding or subsequent terrifying headlines about the CIA creeping into your house via the ducts in your television.
  • The Irish government launched a second thing of interest during the month. A data summit, no less. From a privacy perspective it was all a bit of a mess.

[Image credit: Annie Spratt on Unsplash]
