1. Duelling Data Protection Authorities (Well, Not Really)
There was a decision in the Irish courts at the start of the month with fairly broad-reaching implications. It turns out the Irish Data Protection Commissioner (DPC) does not have to reveal which third parties lobby it. So the body responsible for ensuring that multinationals deal with the personal data of all EU citizens in an above board and transparent manner does not have to be transparent about which third parties (for example, multinationals) are lobbying it. Yes folks, that’s a regulator going to court to ensure it doesn’t have to let the public know when it’s being lobbied by the entities it’s supposed to be regulating. This is not to criticise the court’s decision or the attempt to regulate lobbying in Ireland through the Lobbying Act, but this has resulted in a rather peculiar situation which is most certainly not to the benefit of hundreds of millions of EU citizens.
[Warning: more acronyms ahead.]
Can anyone give logical reason for why lobbying of Data Protection Commissioner would be exempt from FOI? Anyone? https://t.co/EKo8PjSzOa
— Ken Foxe (@kenfoxe) March 2, 2017
At around the same time, the Information Commissioner’s Office (ICO) in the UK opened a public consultation about consent under the General Data Protection Regulation (GDPR). This started on the 2nd March and ran until the 31st and was structured in a friendly and accessible way, which always encourages feedback. A draft guidance document was created. A complementary feedback document which asked questions about the quality of the guidance document, how readable it was, what areas were missing and so on was also created. The ICO stated it would collate all responses to their request for consultation and publish them.
In Ireland the DPC started a consultation process on the 16th March, the day before a public holiday and a long weekend. Submissions were to be accepted until the 28th. The period was subsequently extended until the 31st. The DPC consultation covered four large areas of the GDPR rather than one – consent, profiling, personal data breach notification and certification. Rather than preparing guidance documents on these four areas, as the ICO had done for consent, the DPC presented a large number of questions. These ranged from the peculiarly specific (“In respect of minors how should parental consent be collected in an online environment?”) to the surprisingly philosophically broad (“Are there limits to profiling?”) The DPC also informed readers that it wouldn’t be collating the responses or publishing any document.
Let’s do some facetious maths. The DPC originally allowed 7 working days (including the closing date) for submissions on four areas of the GDPR. The ICO allowed 21 working days (including the closing date) for one area of the GDPR. 21 multiplied by four is 84. 84 divided by seven is twelve. So the DPC is allowing one twelfth of the time the ICO is for consultation. 8.3333% of the time if you prefer percent.
One approach certainly seems more engaged with regular people whose data is at issue here than the other.
The ICO has also been quite active in dishing out fines to both private and public sector organisations who are guilty of mishandling people’s personal information. In Ireland the DPC doesn’t yet have the ability to fine public sector organisations. As seen by the ongoing parade of data errors in the HSE, the slap on the wrist approach doesn’t seem to be improving organisational behaviour in the public sector.
+ ‘Council fined for leaving sensitive files in cabinet sent to second hand shop’, ICO
+ ‘Data watchdog does not have to disclose lobbying by firms’, Irish Times
2. It Certainly *Looks* A Lot Like A Compulsory ID Card
The government launched a thing. If you pay any attention to current affairs you’re doubtless well aware that the government is always launching things. Some of these go on to become realities that may or may not impact on your everyday life as an Irish citizen. Some of them don’t. Some of them have a habit of reappearing in slightly different clothing, over and over and over again.
Anyway, the thing in this case is an online authentication service named MyGovID. The rather unclear pitch is that it is a single secure identity for every Irish citizen to use in their interactions with some government bodies and to access some services. It is connected to the Public Services Card, in that in order to access the second tier of authentication with MyGovID you must be in possession of a Public Services Card. How departments and other government bodies are acquiring information from each other and whether they have obtained explicit consent to do so is at best opaque.
This is important because, as of October 2015, they can’t really just pass information to one another whenever they feel like it. This is because of this paragraph in what’s informally known as the Bara ruling by the Court of Justice of the European Union (link to more information below)
Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.
Interestingly, MyGovID was launched in the same week the Australian government decided to run a mile from a similar project. Angus Taylor, the Assistant Minister for Cities and Digital Transformation said “the government considers it a citizen’s right to have multiple digital identities for their interactions with government, if that’s what they want.”
He also emphasised that the system had to be user-driven rather than top-down, and that citizens’ consent is crucial to the model.
“I must be user-driven. If I want to have 45 identities across the Internet and across my applications, it should be my choice. If I want to have one, that’s my choice too.”
He added that the “user-driven approach” has to extend to the citizen having a “genuine consent” about how they interact with a digital identity.
Notes for humans
Minister Donohoe insists that use of the Public Services Card will not be mandatory. If you can’t access some government services without identifying yourself using MyGovID, which requires a Public Services Card then that would seem quite mandatory.While there are undoubted benefits to be gained by streamlining and improving access to government services, sneakily imposing an ID card on citizens as is the worst way to do it, will lead to pushback and destroy any positives that might have come out of the project. Public faith in State handling of data in general is probably not at a high point considering the police force have just been caught making whopping errors in their breath test data.
+ ‘Public service card use not mandatory, says Donohoe’, Irish Times
+ ‘Misreading Bara: The Irish State’s database crisis’, McGarr Solicitors
3. Genes On The Late Late Show
By providing AncestryDNA with personal information, you specifically consent to the transfer and storage of personal information to and in the United States, and to the processing of personal information in the United States, Ireland and your country of residence.
Notes for humans
4. “We’ve Lost Control Of Our Personal Data”
The man typically dubbed the inventor of the web had a few things to say on the occasion of the web celebrating its twenty eighth birthday. He published an open letter highlighting three challenges for the future of the web. At the top of Berners-Lee’s list was “We’ve lost control of our personal data.” It’s not a long letter and it is well worth a read.
A short time later a data breach was reported by researcher Troy Hunt. The breach contained 33,698,126 very detailed and carefully curated entries for individuals. As interesting as the breach itself was the response, in which Dun & Bradstreet contended that email addresses, job titles and first and last names were not personally identifiable information. Hunt’s account of the incident and how it ties in to Berners Lee’s remarks is also worth a few minutes of your time.
Notes for humans
Berners-Lee is very much correct in his assessment. The dissembling around the NetProspex records shows how little respect corporations have for personally identifiable information. Don’t forget, this is your information which they are using for their benefit, frequently without your knowledge.
+ ‘The Man Who Invented The Web Agrees [KitBits 17.4]’
5. Special Rapporteur’s Report
Professor Joseph Canatacci, the UN Special Rapporteur on privacy, published a report which was very critical of the enthusiastic rush by countries everywhere to bulk surveil as many people as possible. He singled out the US, UK, France and Germany for particular criticism.
He said that the passed laws amount to “gesture-politics,” which in his words, “have seen politicians who wish to be seen to be doing something about security, legislating privacy-intrusive powers into being — or legalize existing practices — without in any way demonstrating that this is either a proportionate or indeed an effective way to tackle terrorism.”
Notes for humans
This has happened, is happening, will continue to happen. Amber Rudd’s muddled remarks in the wake of the attack in Westminster about breaking encrypted messaging services are evidence of this.
+ ‘State surveillance boom sparked by fear-mongering political populists, says UN’, The Register
+ ‘UN privacy watchdog says ‘little or no evidence’ that mass surveillance works’, ZDNet
- Miele put a web server into a dishwasher. This wasn’t a good idea, as it wasn’t secure. As is very frequently the case with the devices which make up the Internet Of Things That Really Shouldn’t Be Connected To The Internet. Whilst we’re on that topic, unless it’s your particular kink, there isn’t any particularly good reason to connect your sex toys to the internet, and a plethora of reasons not to, as the manufacturers of a smart vibrator found out to their cost this month.
- Straight from the Department of Didn’t Think This Through At All, it was reported that British and American banks were monitoring contraceptive purchases and dinners in swanky restaurants as part of a spectacularly misguided effort to crack down on human trafficking.
- The tenth anniversary of Daniel Solove’s seminal essay ‘”I’ve Got Nothing to Hide” and Other Misunderstandings of Privacy’ rolled around this month. You can find it and more good things to read on our recommended reading page.
- There was a lot of plain bad – or at the least eagerly sensationalist – reporting this month on a serious issue. Wikileaks dumped a lot of documents at the beginning of the month. This piece by Zeynep Tufekci is what you need to read, not any of the preceding or subsequent terrifying headlines about the CIA creeping into your house via the ducts in your television.
- The Irish government launched a second thing of interest during the month. A data summit, no less. From a privacy perspective it was all a bit of a mess.
[Image credit: Annie Spratt on Unsplash]
One Comment Add yours