jm + data-protection   79

GDPR Advisors and Consultants - Data Compliance Europe
Simon McGarr's new consultancy:
Our consultancy helps our clients understand how EU privacy law applies to their organisations; delivers the practical and concrete steps needed to achieve legal compliance; and helps them manage their continuing obligations after GDPR comes into force. Our structured approach to GDPR provides a long-term data compliance framework to minimise the ongoing risk of potential fines for data protection breaches. Our continuing partnership provides regulator liaison, advisory consultancy, and external Data Protection Officer services.
gdpr  simon-mcgarr  law  privacy  eu  europe  data-protection  regulation  data 
11 weeks ago by jm
Unroll.me sold your data to Uber
'Uber devoted teams to so-called competitive intelligence, purchasing data from Slice Intelligence, which collected customers' emailed Lyft receipts via Unroll.me and sold the data to Uber'.

Also: 'Unroll.me allegedly "kept a copy of every single email that you sent or received" in "poorly secured S3 buckets"': https://news.ycombinator.com/item?id=14180463

Unroll.me CEO: 'felt bad “to see that some of our users were upset to learn about how we monetise our free service”.'
https://www.theguardian.com/technology/2017/apr/24/unrollme-mail-unsubscription-service-heartbroken-sells-user-inbox-data-slice
uber  unroll.me  gmail  google  privacy  data-protection  lyft  scumbags  slice-intelligence 
april 2017 by jm
Australian Doctor on Twitter: "Outcry as MyHealthRecord default privacy setting left open to universal access"
Funnily enough, this is exactly what Ross Anderson warned about 10 years ago re patient record digitisation in the UK.

'Occupational therapists working for an employer, doctors working for insurance companies, a dietitian, an optometrist or a dentist or their staff can view the [patient] record and see if individuals have a sexually transmitted disease, a mental illness, have had an abortion or are using Viagra.'
privacy  heaith  australia  myhealthrecord  data-protection  data-privacy  healthcare  medicine 
april 2017 by jm
Research Blog: Federated Learning: Collaborative Machine Learning without Centralized Training Data
Great stuff from Google - this is really nifty stuff for large-scale privacy-preserving machine learning usage:

It works like this: your device downloads the current model, improves it by learning from data on your phone, and then summarizes the changes as a small focused update. Only this update to the model is sent to the cloud, using encrypted communication, where it is immediately averaged with other user updates to improve the shared model. All the training data remains on your device, and no individual updates are stored in the cloud.

Federated Learning allows for smarter models, lower latency, and less power consumption, all while ensuring privacy. And this approach has another immediate benefit: in addition to providing an update to the shared model, the improved model on your phone can also be used immediately, powering experiences personalized by the way you use your phone.

Papers:
https://arxiv.org/pdf/1602.05629.pdf , https://arxiv.org/pdf/1610.05492.pdf
google  ml  machine-learning  training  federated-learning  gboard  models  privacy  data-privacy  data-protection 
april 2017 by jm
[1606.08813] European Union regulations on algorithmic decision-making and a "right to explanation"
We summarize the potential impact that the European Union's new General Data Protection Regulation will have on the routine use of machine learning algorithms. Slated to take effect as law across the EU in 2018, it will restrict automated individual decision-making (that is, algorithms that make decisions based on user-level predictors) which "significantly affect" users. The law will also effectively create a "right to explanation," whereby a user can ask for an explanation of an algorithmic decision that was made about them. We argue that while this law will pose large challenges for industry, it highlights opportunities for computer scientists to take the lead in designing algorithms and evaluation frameworks which avoid discrimination and enable explanation.


oh this'll be tricky.
algorithms  accountability  eu  gdpr  ml  machine-learning  via:daveb  europe  data-protection  right-to-explanation 
march 2017 by jm
The Internet Thinks I’m Still Pregnant - The New York Times
This is pretty awful -- an accidental, careless and brutal side effect of marketers passing on sensitive info to one another, without respect for their users' privacy:

'I hadn’t realized, however, that when I had entered my information into the pregnancy app, the company would then share it with marketing groups targeting new mothers. Although I logged my miscarriage into the app and stopped using it, that change in status apparently wasn’t passed along. Seven months after my miscarriage, mere weeks before my due date, I came home from work to find a package on my welcome mat. It was a box of baby formula bearing the note: “We may all do it differently, but the joy of parenthood is something we all share.”'
privacy  pregnancy  miscarriage  data-protection  apps  babies  parenthood 
september 2016 by jm
German Privacy Regulators Fined Adobe, Others Over U.S. Data Transfers
Adobe was fined 8,000 euros, Punica 9,000 euros and Unilever 11,000 euros. The regulator said they had put in place alternative legal mechanisms for transferring data to the United States following the fine. “The fact that the companies have eventually implemented a legal basis for the transfer had to be taken into account in a favorable way for the calculation of the fines,” said Johannes Caspar, the Hamburg Commissioner for Data Protection. “For future infringements, stricter measures have to be applied.”
data-protection  eu  fines  us  privacy  safe-harbor 
june 2016 by jm
Primary Online Database: POD now (mostly) not compulsory (for now)
Ever since the introduction of the Primary Online Database of schoolchildren by the Department of Education, the Department and its Minister have been eager to point out that any parent who refused to allow a child’s data to be transferred would see that child’s education defunded.

Well, for all children other than this week’s crop of new Junior Infants, that threat has now collapsed. This is despite the Minister and her department having claimed that the drastic threat of defunding was because it simply wasn’t possible to give grants without a child’s full data being transferred. [...]

Oddly, as the prospect of defunding the education of 30% of the nation’s children in the run up to an election loomed large, the Department discovered it could, after all, pay for a child’s education without all its POD data.
pod  law  ireland  data-protection  privacy  children  school 
april 2016 by jm
Journalists, this GSOC story isn’t all about you, you know
Karlin Lillington in the Irish Times, going through journos for a shortcut:
All the hand-wringing from journalists, unions and media companies – even politicians and ministers – over the GSOC’s accessing of journalist’s call records? Oh, please. What wilful ignorance, mixed with blatant hypocrisy. Where have you all been for the past decade and a half, as successive Irish governments and ministers for justice supported and then rammed through legislation for mandatory call data retention for one of the longest periods in the world, with some of the weakest legal constraints and oversight?
karlin-lillington  privacy  data-protection  dri  law  journalists  gsoc  surveillance  data-retention 
january 2016 by jm
Amazon Echo security fail
Ughhhh.
Amazon Echo sends your WiFi password to Amazon. No option to disable. Trust us it's in an "encrypted file"
amazon  echo  wifi  passwords  security  data-privacy  data-protection 
january 2016 by jm
EU counter-terror bill is 'indiscriminate' data sweep
"To identify if someone is travelling outside the EU, we don't need an EU PNR. This data are already easily available in the airline reservation system,” [Giovanni Buttarelli, the European data protection supervisor] said. EU governments want more information in the belief it will help law enforcement in tracking down terrorists and are demanding access to information, such as travel dates, travel itinerary, ticket information, contact details, baggage information, and payment information of anyone flying in or out of the EU. ... EU PNR data would be retained for up to five years
pnr  eu  law  privacy  data-protection  europe  counter-terrorism  travel  air-travel 
december 2015 by jm
One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids | Motherboard
VTech got hacked, and millions of parents and 200,000 kids had their privacy breached as a result. Bottom line is summed up by this quote from one affected parent:
“Why do you need know my address, why do you need to know all this information just so I can download a couple of free books for my kid on this silly pad thing? Why did they have all this information?”


Quite. Better off simply not to have the data in the first place!
vtech  privacy  data-protection  data  hacks 
november 2015 by jm
No Harm, No Fowl: Chicken Farm Inappropriate Choice for Data Disposal
That’s a lesson that Spruce Manor Special Care Home in Saskatchewan had to learn the hard way (as surprising as that might sound). As a trustee with custody of personal health information, Spruce Manor was required under section 17(2) of the Saskatchewan Health Information Protection Act to dispose of its patient records in a way that protected patient privacy. So, when Spruce Manor chose a chicken farm for the job, it found itself the subject of an investigation by the Saskatchewan Information and Privacy Commissioner.  In what is probably one of the least surprising findings ever, the commissioner wrote in his final report that “I recommend that Spruce Manor […] no longer use [a] chicken farm to destroy records”, and then for good measure added “I find using a chicken farm to destroy records unacceptable.”
data  law  privacy  funny  chickens  farming  via:pinboard  data-protection  health  medical-records 
november 2015 by jm
Tesla Autopilot mode is learning
This is really impressive, but also a little scary. Drivers driving the Tesla Model S are "phoning home" training data as they drive:
A Model S owner by the username Khatsalano kept a count of how many times he had to “rescue” (meaning taking control after an alert) his Model S while using the Autopilot on his daily commute. He counted 6 “rescues” on his first day, by the fourth day of using the system on his 23.5 miles commute, he only had to take control over once. Musk said that Model S owners could add ~1 million miles of new data every day, which is helping the company create “high precision maps”.


Wonder if the data protection/privacy implications have been considered for EU use.
autopilot  tesla  maps  mapping  training  machine-learning  eu  privacy  data-protection 
november 2015 by jm
After Bara: All your (Data)base are belong to us
Sounds like the CJEU's Bara decision may cause problems for the Irish government's wilful data-sharing:
Articles 10, 11 and 13 of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, must be interpreted as precluding national measures, such as those at issue in the main proceedings, which allow a public administrative body of a Member State to transfer personal data to another public administrative body and their subsequent processing, without the data subjects having been informed of that transfer or processing.
data  databases  bara  cjeu  eu  law  privacy  data-protection 
october 2015 by jm
Tech companies like Facebook not above the law, says Max Schrems
“Big companies didn’t only rely on safe harbour: they also rely on binding corporate rules and standard contractual clauses. But it’s interesting that the court decided the case on fundamental rights grounds: so it doesn’t matter remotely what ground you transfer on, if that process is still illegal under 7 and 8 of charter, it can’t be done.”


Also:
“Ireland has no interest in doing its job, and will continue not to, forever. Clearly it’s an investment issue – but overall the policy is: we don’t regulate companies here. The cost of challenging any of this in the courts is prohibitive. And the people don’t seem to care.”


:(
ireland  guardian  max-schrems  privacy  surveillance  safe-harbor  eu  us  nsa  dpc  data-protection 
october 2015 by jm
"Customer data is a liability, not an asset."
Great turn of phrase from Matthew Green (@matthew_d_green). Emin Gün Sirer adds some detail: "well, an asset with bounded value, and an unbounded liability"
data  privacy  data-protection  ashleymadison  hacks  security  liability 
july 2015 by jm
Government forum to discuss increasing use of personal data
Mr Murphy said it was the Government’s objective for Ireland to be a leader on data protection and data-related issues.
The members of the forum include Data Protection Commissioner Helen Dixon, John Barron, chief technology officer with the Revenue Commissioners, Seamus Carroll, head of civil law reform division at the Department of Justice and Tim Duggan, assistant secretary with the Department of Social Protection.
Gary Davis, director of privacy and law enforcement requests with Apple, is also on the forum. Mr Davis is a former deputy data protection commissioner in Ireland.
There are also representatives from Google, Twitter, LinkedIn and Facebook, from the IDA, the Law Society and the National Statistics Board.
Chair of Digital Rights Ireland Dr TJ McIntyre and Dr Eoin O’Dell, associate professor, School of Law, Trinity College Dublin are also on the voluntary forum.
ireland  government  dri  law  privacy  data  data-protection  dpc 
july 2015 by jm
EU-US data pact skewered in court hearing
A lawyer for the European Commission told an EU judge on Tuesday (24 March) he should close his Facebook page if he wants to stop the US snooping on him, in what amounts to an admission that Safe Harbour, an EU-US data protection pact, doesn’t work.
safe-harbour  privacy  data-protection  ecj  eu  ec  surveillance  facebook  nsa  gchq 
march 2015 by jm
ECJ case debates EU citizens' right to privacy
The US wields secretive and indiscriminate powers to collect data, he said, and had never offered Brussels any commitments to guarantee EU privacy standards for its citizens’ data. On the contrary, said [Max Schrems' counsel] Mr Hoffmann, “Safe Harbour” provisions could be overruled by US domestic law at any time.
Thus he asked the court for a full judicial review of the “illegal” Safe Harbour principles which, he said, violated the essence of privacy and left EU citizens “effectively stripped of any protection”.
[Irish] DPC counsel Paul Anthony McDermott SC suggested that Mr Schrems had not been harmed in any way by the status quo. “This is not surprising, given that the NSA isn’t currently interested in the essays of law students in Austria,” he said.
Mr Travers for Mr Schrems disagreed, saying “the breach of the right to privacy is itself the harm”.
ireland  dpc  data-protection  privacy  eu  ec  ecj  law  rights  safe-harbour 
march 2015 by jm
Meet the man whose utopian vision for the Internet conquered, and then warped, Silicon Valley - The Washington Post
Thought-provoking article looking back to John Perry Barlow's "A Declaration of the Independence of Cyberspace", published in 1996:
Barlow once wrote that “trusting the government with your privacy is like having a Peeping Tom install your window blinds.” But the Barlovian focus on government overreach leaves its author and other libertarians blind to the same encroachments on our autonomy from the private sector. The bold and romantic techno-utopian ideals of “A Declaration” no longer need to be fought for, because they’re already gone.
john-perry-barlow  1990s  history  cyberspace  internet  surveillance  privacy  data-protection  libertarianism  utopian  manifestos 
march 2015 by jm
Ireland accused of weakening data rules
Privacy campaign group Lobbyplag puts Ireland one of top three offenders in pushing for changes to EU privacy law
privacy  data-protection  lobbyplag  ireland  eu  germany  lobbying 
march 2015 by jm
Epsilon Interactive breach the Fukushima of the Email Industry (CAUCE)
Upon gaining access to an ESP, the criminals then steal subscriber data (PII such as names, addresses, telephone numbers and email addresses, and in one case, Vehicle Identification Numbers). They then use ESPs’ mailing facility to send spam; to monetize their illicit acquisition, the criminals have spammed ads for fake Adobe Acrobat and Skype software.

On March 30, the Epsilon Interactive division of Alliance Data Marketing (ADS on NASDAQ) suffered a massive breach that upped the ante, substantially.  Email lists of at least eight financial institutions were stolen. 

Thus far, puzzlingly, Epsilon has refused to release the names  of compromised clients. [...] The obvious issue at hand is the ability of the thieves to now undertake targeted spear-phishing problem as critically serious as it could possibly be.
cauce  epsilon-interactive  esp  email  pii  data-protection  spear-phishing  phishing  identity-theft  security  ads 
march 2015 by jm
Ask the Decoder: Did I sign up for a global sleep study?
How meaningful is this corporate data science, anyway? Given the tech-savvy people in the Bay Area, Jawbone likely had a very dense sample of Jawbone wearers to draw from for its Napa earthquake analysis. That allowed it to look at proximity to the epicenter of the earthquake from location information.

Jawbone boasts its sample population of roughly “1 million Up wearers who track their sleep using Up by Jawbone.” But when looking into patterns county by county in the U.S., Jawbone states, it takes certain statistical liberties to show granularity while accounting for places where there may not be many Jawbone users.

So while Jawbone data can show us interesting things about sleep patterns across a very large population, we have to remember how selective that population is. Jawbone wearers are people who can afford a $129 wearable fitness gadget and the smartphone or computer to interact with the output from the device.

Jawbone is sharing what it learns with the public, but think of all the public health interests or other third parties that might be interested in other research questions from a large scale data set. Yet this data is not collected with scientific processes and controls and is not treated with the rigor and scrutiny that a scientific study requires.

Jawbone and other fitness trackers don’t give us the option to use their devices while opting out of contributing to the anonymous data sets they publish. Maybe that ought to change.
jawbone  privacy  data-protection  anonymization  aggregation  data  medicine  health  earthquakes  statistics  iot  wearables 
march 2015 by jm
Digital Rights Ireland announces its first conference!
Digital Rights Europe, Wednesday, April 15th in Dublin. deadly!
digital-rights  ireland  dri  privacy  data-protection  europe  eu 
february 2015 by jm
Can we have medical privacy, cloud computing and genomics all at the same time?
Today sees the publication of a report I [Ross Anderson] helped to write for the Nuffield Bioethics Council on what happens to medical ethics in a world of cloud-based medical records and pervasive genomics.

As the information we gave to our doctors in private to help them treat us is now collected and treated as an industrial raw material, there has been scandal after scandal. From failures of anonymisation through unethical sales to the care.data catastrophe, things just seem to get worse. Where is it all going, and what must a medical data user do to behave ethically?

We put forward four principles. First, respect persons; do not treat their confidential data like it were coal or bauxite. Second, respect established human-rights and data-protection law, rather than trying to find ways round it. Third, consult people who’ll be affected or who have morally relevant interests. And fourth, tell them what you’ve done – including errors and security breaches.
ethics  medicine  health  data  care.data  privacy  healthcare  ross-anderson  genomics  data-protection  human-rights 
february 2015 by jm
Excellent example of failed "anonymisation" of a dataset
Fred Logue notes how this failed Mayo TD Michelle Mulherin:
From recent reports it now appears that the Department of Education is discussing anonymisation of the Primary Online Database with the Data Protection Commissioner. Well someone should ask Mayo TD Michelle Mulherin how anonymisation is working for her.

The Sunday Times reports that Ms Mulherin was the only TD in the Irish parliament on the dates when expensive phone calls were made to a mobile number in Kenya. The details of the calls were released under the Freedom of Information Act in an “anonymised” database. While it must be said the fact that Ms Mulherin was the only TD present on those occasions does not prove she made the calls – the reporting in the press is now raising the possibility that it was her.

From a data protection point of view this is a perfect example of the difficulty with anonymisation. Data protection rules apply to personal data which is defined as data relating to a living individual who is or can be identified from the data or from the data in conjunction with other information. Anonymisation is often cited as a means for processing data outside the scope of data protection law but as Ms Mulherin has discovered individuals can be identified using supposedly anonymised data when analysed in conjunction with other data.

In the case of the mysterious calls to Kenya even though the released information was “anonymised” to protect the privacy of public representatives, the phone log used in combination with the attendance record of public representatives and information on social media was sufficient to identify individuals and at least raise evidence of association between individuals and certain phone calls. While this may be well and good in terms of accounting for abuses of the phone service it also has worrying implications for the ability of public representatives to conduct their business in private.

The bottom line is that anonymisation is very difficult if not impossible as Ms Mulherin has learned to her cost. It certainly is a lot more complex than simply removing names and other identifying features from a single dataset. The more data that there is and the more diverse the sources the greater the risk that individuals can be identified from supposedly anonymised datasets.
data  anonymisation  fred-logue  ireland  michelle-mulherin  tds  kenya  data-protection  privacy 
january 2015 by jm
No POD
This group aims to consolidate opposition, give clear information and support letter writing and information awareness against the Dept. of Education's Primary Online Database.
pod  ireland  privacy  data-protection  children  kids  schools 
january 2015 by jm
Surveillance of social media not way to fight terrorism – Minister
Blanket surveillance of social media is not the solution to combating terrorism and the rights of the individual to privacy must be protected, Data Protection Minister Dara Murphy said on Monday. [He] said Ireland and the European Union must protect the privacy rights of individuals on social media. “Freedom of expression, freedom of movement, and the protection of privacy are core tenets of the European Union, which must be upheld.”
dara-murphy  data-protection  privacy  surveillance  europe  eu  ireland  social-media 
january 2015 by jm
DRI’s Unchanged Position on Eircode
'Broadly, they are satisfied with what we are doing'

versus:

'We have deep concerns about the Eircode initiative… We want to state clearly that we are not at all ‘satisfied’ with the postcode that has been designed or the implementation proposals.'
dri  ireland  eircode  postcodes  privacy  data-protection  quotes  misrepresentation 
january 2015 by jm
Madhumita Venkataramanan: My identity for sale (Wired UK)
If the data aggregators know everything about you -- including biometric data, healthcare history, where you live, where you work, what you do at the weekend, what medicines you take, etc. -- and can track you as an individual, does it really matter that they don't know your _name_? They legally track, and sell, everything else.
As the data we generate about ourselves continues to grow exponentially, brokers and aggregators are moving on from real-time profiling -- they're cross-linking data sets to predict our future behaviour. Decisions about what we see and buy and sign up for aren't made by us any more; they were made long before. The aggregate of what's been collected about us previously -- which is near impossible for us to see in its entirety -- defines us to companies we've never met. What I am giving up without consent, then, is not just my anonymity, but also my right to self-determination and free choice. All I get to keep is my name.
wired  privacy  data-aggregation  identity-theft  future  grim  biometrics  opt-out  healthcare  data  data-protection  tracking 
november 2014 by jm
Irish Water Data Protection Notice: A review…
Tried and came up wanting. Particularly notable for its illegal "Marketing" section, which attempts to evade opt-in-required anti-spam law with a "consent landgrab" on SMS and email
irish-water  law  dpc  data-protection  privacy  spam  opt-in  si336  sms  email  ireland 
september 2014 by jm
Data sharing deal with U.S. referred to EU's top court | Reuters
High Court Justice Gerard Hogan said that given the Safe Harbour agreement, which says that U.S. has sufficient data safeguards in place, the Irish regulator did not have the authority to investigate. If Safe Harbour stands, the student group's application must fail, he said. "The critical issue which arises is whether the proper interpretation of the 1995 [EU data protection] directive and the 2000 Commission decision [on the Safe Harbour principles] should be re-evaluated in the light of the subsequent entry into force of article 8 of the EU charter," on the right to the protection of personal data, Hogan said.
eu  safe-harbor  privacy  high-court  ireland  law  data-protection 
june 2014 by jm
Using AWS in the context of Australian Privacy Considerations
interesting new white paper from Amazon regarding recent strengthening of the Aussie privacy laws, particularly w.r.t. geographic location of data and access by overseas law enforcement agencies...
amazon  aws  security  law  privacy  data-protection  ec2  s3  nsa  gchq  five-eyes 
april 2014 by jm
WePromise.EU
'The European election will take place between 22 and 25 May 2014. Citizens, promise to vote for candidates that have signed a 10-point charter of digital rights! Show candidates that they need to earn your vote by signing our charter!'
europarl  ep  digital-rights  rights  ireland  eu  data-privacy  data-protection  privacy 
march 2014 by jm
Theresa May warns Yahoo that its move to Dublin is a security worry
Y! is moving to Dublin to evade GCHQ spying on its users. And what is the UK response?
"There are concerns in the Home Office about how Ripa will apply to Yahoo once it has moved its headquarters to Dublin," said a Whitehall source. "The home secretary asked to see officials from Yahoo because in Dublin they don't have equivalent laws to Ripa. This could particularly affect investigations led by Scotland Yard and the national crime agency. They regard this as a very serious issue."


There's priorities for you!
ripa  gchq  guardian  uk  privacy  data-protection  ireland  dublin  london  spying  surveillance  yahoo 
march 2014 by jm
Microsoft "Scroogles" Itself
'Microsoft went through a blogger’s private Hotmail account in order to trace the identity of a source who allegedly leaked trade secrets.'

Bear in mind that the alleged violation which MS allege allows them to read their email was a breach of the terms of service, which also include distribution of content which 'incites, advocates, or expresses pornography, obscenity, vulgarity, [or] profanity'. So no dirty jokes on Hotmail!
hotmail  fail  scroogled  microsoft  stupid  tos  law  privacy  data-protection  trade-secrets  ip 
march 2014 by jm
Enemies of the Internet 2014: entities at the heart of censorship and surveillance | Enemies of the Internet
The mass surveillance methods employed in [the UK, USA, and India], many of them exposed by NSA whistleblower Edward Snowden, are all the more intolerable because they will be used and indeed are already being used by authoritarian countries such as Iran, China, Turkmenistan, Saudi Arabia and Bahrain to justify their own violations of freedom of information. How will so-called democratic countries be able to press for the protection of journalists if they adopt the very practices they are criticizing authoritarian regimes for?


This is utterly jaw-dropping -- throughout the world, real-time mass-monitoring infrastructure is silently being dropped into place. France and India are particularly pervasive
journalism  censorship  internet  france  india  privacy  data-protection  surveillance  spying  law  snowden  authoritarianism 
march 2014 by jm
Next clothing retailer loses appeal over €100 fine in ‘spam’ case - Crime & Law News from Ireland & Abroad | The Irish Times - Wed, Mar 19, 2014
as TJ McIntyre noted: '€100 fine for a repeat spammer. Data Protection Commissioner calls this "strong protection". With a straight face.'

Next will doubtless fork over the 100 Euros out of the petty cash drawer, then carry on regardless. This isn't a useful fine. What a farce...
cheap  farce  dpc  data-protection  privacy  anti-spam  next  spam  convictions  fines  ireland 
march 2014 by jm
Health privacy: formal complaint to ICO
'Light Blue Touchpaper' notes:
Three NGOs have lodged a formal complaint to the Information Commissioner about the fact that PA Consulting uploaded over a decade of UK hospital records to a US-based cloud service. This appears to have involved serious breaches of the UK Data Protection Act 1998 and of multiple NHS regulations about the security of personal health information.


Let's see if ICO can ever do anything useful.... not holding my breath
ico  privacy  data-protection  dpa  nhs  health  data  ross-anderson 
march 2014 by jm
Ucas sells access to student data for phone and drinks firms' marketing | Technology | The Guardian
The UK government's failure to deal with spam law in a consumer-friendly way escalates further:

UCAS, the university admissions service, is operating as a mass-mailer of direct marketing on behalf of Vodafone, O2, Microsoft, Red Bull and others, without even a way to later opt out from that spam without missing important admissions-related mail as a side effect.

'Teenagers using Ucas Progress must explicitly opt in to mailings from the organisation and advertisers, though the organisation's privacy statement says: "We do encourage you to tick the box as it helps us to help you."'

Their website also carries advertising, and the details of parents are sold on to advertisers as well.

Needless to say, the toothless ICO say they 'did not appear to breach marketing rules under the privacy and electronic communications regulations', as usual. Typical ICO fail.
ucas  advertising  privacy  data-protection  opt-in  opt-out  spam  direct-marketing  vodafone  o2  microsoft  red-bull  uk  universities  grim-meathook-future  ico 
march 2014 by jm
Care.data is in chaos. It breaks my heart | Ben Goldacre
There are people in my profession who think they can ignore this problem. Some are murmuring that this mess is like MMR, a public misunderstanding to be corrected with better PR. They are wrong: it's like nuclear power. Medical data, rarefied and condensed, presents huge power to do good, but it also presents huge risks. When leaked, it cannot be unleaked; when lost, public trust will take decades to regain.

This breaks my heart. I love big medical datasets, I work on them in my day job, and I can think of a hundred life-saving uses for better ones. But patients' medical records contain secrets, and we owe them our highest protection. Where we use them – and we have used them, as researchers, for decades without a leak – this must be done safely, accountably, and transparently. New primary legislation, governing who has access to what, must be written: but that's not enough. We also need vicious penalties for anyone leaking medical records; and HSCIC needs to regain trust, by releasing all documentation on all past releases, urgently. Care.data needs to work: in medicine, data saves lives.
hscic  nhs  care.data  data  privacy  data-protection  medicine  hospitals  pr 
march 2014 by jm
Big doubts on big data: Why I won't be sharing my medical data with anyone - yet
These problems can be circumvented, but they must be dealt with, publicly and soberly, if the NHS really does want to win public confidence. The NHS should approach selling the scheme to the public as if it was opt-in, not opt-out, then work to convince us to join it. Tell us how sharing our data can help, but tell us what risk too. Let us decide if that balance is worth it. If it's found wanting, the NHS must go back to the drawing board and retool the scheme until it is. It's just too important to get wrong.
nhs  uk  privacy  data-protection  data-privacy  via:mynosql  big-data  healthcare  insurance 
february 2014 by jm
Hospital records of all NHS patients sold to insurers - Telegraph
The 274-page report describes the NHS Hospital Episode Statistics as a “valuable data source in developing pricing assumptions for 'critical illness’ cover.”
It says that by combining hospital data with socio-economic profiles, experts were able to better calculate the likelihood of conditions, with “amazingly” clear forecasts possible for certain diseases, in particular lung cancer.
Phil Booth, from privacy campaign group medConfidential, said: “The language in the document is extraordinary; this isn’t about patients, this is about exploiting a market. Of course any commercial organisation will focus on making a profit – the question is why is the NHS prepared to hand this data over?”
nhs  privacy  data  insurance  uk  politics  data-protection 
february 2014 by jm
German IT Industry Looks for Boom from Snowden Revelations - SPIEGEL ONLINE
This is a great idea -- Neelie Kroes suggesting that there be a certification mark for EU companies who have top-of-the-line data protection practices.
data-protection  privacy  certification  marks  eu  neelie-kroes 
february 2014 by jm
How to invoke section 4 of the Data Protection Acts in Ireland
One weird trick to get your personal data (in any format) from any random organisation, for only EUR6.35 and up to 40 days wait! Good to know.
Hospitals and doctors’ offices in Ireland will give a person their medical records if they ask for them. Mostly. Eventually. When they get to it. And, sometimes, if you pay them over €100 (for a large file).

But, like so much else in the legal world, there is a set of magic words you can incant to place a 40 day deadline on the delivery of your papers and limit the cost to €6.35 -- you invoke the Data Protection Acts data access request procedure.
data-protection  privacy  data-retention  dpa-section-4  data  ireland  medical  law  dpa 
february 2014 by jm
UK NHS will soon require GPs pass confidential medical data to third parties
Specifically, unanonymised, confidential, patient-identifying data, for purposes of "admin, healthcare planning, and research", to be held indefinitely, via the HSCIC. Opt-outs may be requested, however.
opt-out  privacy  medical  data  healthcare  nhs  uk  data-privacy  data-protection 
january 2014 by jm
We're sending out the wrong signals in bid to lure the big data bucks - Independent.ie
Simon McGarr on Ireland's looming data-protection train-crash.
Last week, during the debate of his proposals to increase fees for making a Freedom of Information request, Brendan Howlin was asked how one of his amendments would affect citizens looking for data from the State's electronic databases. His reply was to cheerfully admit he didn't even understand the question. "I have no idea what an SQL code is. Does anyone know what an SQL code is?"

Unlike the minister, it probably isn't your job to know that SQL is the computer language that underpins the data industry. The amendment he had originally proposed would have effectively allowed civil servants to pretend that their computer files were made of paper when deciding whether a request was reasonable. His answer showed how the Government could have proposed such an absurd idea in the first place.

Like it or not – fair or not – these are not the signals a country that wanted to build a long-term data industry would choose to send out. They are the sort of signals that Ireland used to send out about Financial Regulation. I think it's agreed, that approach didn't work out so well.
foi  ireland  brendan-howlin  technology  illiteracy  sql  civil-service  government  data-protection  privacy  regulation  dpa 
december 2013 by jm
Column: The Loyaltybuild breach shows it’s time to take data protection seriously
What is afoot here is a rerun of the Celtic Tiger era “light touch regulation” of financial services. Ireland has again made a Faustian pact whereby we lure employers here on the understanding that they will not be subject to too-stringent a regulatory system. As the Loyaltybuild breach has shown, this is a bargain that will probably end badly. And as with the financial services boom, it is making the Germans nervous.
Perhaps we will listen to them this time.
fergal-crehan  loyaltybuild  celtic-tiger  ireland  dpa  regulation  data-protection  privacy  credit-cards 
november 2013 by jm
It’s time for Silicon Valley to ask: Is it worth it?
These companies and their technologies are built on data, and the data is us. If we are to have any faith in the Internet, we have to trust them to protect it. That’s a relationship dynamic that will become only more intertwined as the Internet finds its way into more aspects of our daily existences, from phones that talk to us to cars that drive themselves.

The US’s surveillance programs threaten to destroy that trust permanently.

America’s tech companies must stand up to this pervasive and corrosive surveillance system. They must ask that difficult question: “Is it worth it?”
silicon-valley  tech  nsa  gchq  spying  surveillance  internet  privacy  data-protection 
november 2013 by jm
Experian Sold Consumer Data to ID Theft Service
This is what happens when you don't have strong controls on data protection/data privacy -- the US experience.
While [posing as a US-based private investigator] may have gotten the [Vietnam-based gang operating the massive identity fraud site Superget.info] past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the data-breach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”


via Simon McGarr
via:tupp_ed  privacy  security  crime  data-protection  data-privacy  experian  data-breaches  courtventures  superget  scams  fraud  identity  identity-theft 
october 2013 by jm
Groklaw - Forced Exposure ~pj
I loved doing Groklaw, and I believe we really made a significant contribution. But even that turns out to be less than we thought, or less than I hoped for, anyway. My hope was always to show you that there is beauty and safety in the rule of law, that civilization actually depends on it. How quaint.

If you have to stay on the Internet, my research indicates that the short term safety from surveillance, to the degree that is even possible, is to use a service like Kolab for email, which is located in Switzerland, and hence is under different laws than the US, laws which attempt to afford more privacy to citizens. I have now gotten for myself an email there, p.jones at mykolab.com in case anyone wishes to contact me over something really important and feels squeamish about writing to an email address on a server in the US. But both emails still work. It's your choice.

My personal decision is to get off of the Internet to the degree it's possible. I'm just an ordinary person. But I really know, after all my research and some serious thinking things through, that I can't stay online personally without losing my humanness, now that I know that ensuring privacy online is impossible. I find myself unable to write. I've always been a private person. That's why I never wanted to be a celebrity and why I fought hard to maintain both my privacy and yours.

Oddly, if everyone did that, leap off the Internet, the world's economy would collapse, I suppose. I can't really hope for that. But for me, the Internet is over. So this is the last Groklaw article. I won't turn on comments. Thank you for all you've done. I will never forget you and our work together. I hope you'll remember me too. I'm sorry I can't overcome these feelings, but I yam what I yam, and I tried, but I can't.
nsa  surveillance  privacy  groklaw  law  us-politics  data-protection  snooping  mail  kolab 
august 2013 by jm
London orders rubbish bins to stop collecting smartphone data
Good call.
AUTHORITIES IN LONDON’S financial district have ordered a company using high-tech rubbish bins to collect smartphone data from passers-by to cease its activities, and referred the firm to the privacy watchdog. The City of London Corporation, which manages the so-called “Square Mile” around St Paul’s Cathedral, said such data collection “needs to stop” until there could be a public debate about it.


(via Daragh O'Brien)
via:dobrien  privacy  phones  wifi  mac-address  data-protection  data-retention  renew  london  bins  snooping  sniffing 
august 2013 by jm
The NSA Is Commandeering the Internet - Bruce Schneier
You, an executive in one of those companies, can fight. You'll probably lose, but you need to take the stand. And you might win. It's time we called the government's actions what it really is: commandeering. Commandeering is a practice we're used to in wartime, where commercial ships are taken for military use, or production lines are converted to military production. But now it's happening in peacetime. Vast swaths of the Internet are being commandeered to support this surveillance state.

If this is happening to your company, do what you can to isolate the actions. Do you have employees with security clearances who can't tell you what they're doing? Cut off all automatic lines of communication with them, and make sure that only specific, required, authorized acts are being taken on behalf of government. Only then can you look your customers and the public in the face and say that you don't know what is going on -- that your company has been commandeered.
nsa  america  politics  privacy  data-protection  data-retention  law  google  microsoft  security  bruce-schneier 
august 2013 by jm
ICO’s Tame Investigation Of Google Street View Data Slurping
“People will yet again be asking whether Google has been let off without the kind of full and rigorous investigation that you would expect after this kind of incident,” Nick Pickles, director of the Big Brother Watch, told TechWeekEurope. “Let’s not forget that information was collected without permission from thousands of people’s Wi-Fi networks, in a way that if an individual had done so they would have almost certainly have been prosecuted. It seems strange that ICO [the UK's Data Protection regulatory agency] did not want to inspect the [datacenter] cages housing the data, while it is also troubling that Google’s assurances were taken at face value, despite this not being the first incident where consumers have seen their privacy violated by the company.”
privacy  google  ico  regulation  data-protection  snooping  wifi  sniffing  network-traffic  street-view 
july 2013 by jm
Merkel call for data protection rules puts Ireland in spotlight - Technology News
Irish Times on EU unhappiness with Ireland's "light touch" data protection regime:
Hawkes’s appearance last month on RTÉ’s Morning Ireland regarding the US Prism surveillance programme, since posted to YouTube, reheated lingering resentment among many European data authorities. His admission that he “knew in a general way” about such programmes and didn’t “regard this particular revelation as particularly new” was a red rag to his European colleagues who fear Ireland is the transmission point of wholesale EU data to the US.
eu  ireland  data-protection  privacy  billy-hawkes  regulation  dpc 
july 2013 by jm
How The Copyright Industry Pushed For Internet Surveillance | TorrentFreak
Rick Falkvinge with a good point:
The reason for the copyright industry to push for surveillance is simple: any digital communications channel can be used for private conversation, but it can also be used to share culture and knowledge that is under copyright monopoly. In order to tell which communications is which, you must sort all of it – and to do that, you must look at all of it. In other words, if enforcing the copyright monopoly is your priority, you need to kill privacy, and specifically anonymity and secrecy of correspondence.


This was exactly my biggest worry -- a side-effect of effective copyright filtering is the creation of infrastructure for online oppression by the state.
copyright  privacy  state  data-protection  rick-falkvinge  copyfight  internet  filtering  surveillance  anonymity 
july 2013 by jm
Latest leak of EU Data Protection Regulation makes fines impossible
Well, isn't this convenient. The leaked proposed regulation document from the Irish EU presidency contains the following changes from current law:
what is new is a set of prescriptive conditions which, if adopted, appears to make a Monetary Penalty Notice (MPN) almost impracticable to serve. This is because the [Data Protection] Commissioner would have to consider a dozen factors (many of which will give no doubt rise to appeal). [...]

In addition, the fines in the Regulation require consideration of the actual damage caused; this compares unfavourably with the current MPN where large fines have been contingent on grave security errors on the part of the data controller (i.e. the MPN of the UK DPA does not need damage to data subjects – only the likelihood of substantial distress or damage which should have been preventable/foreseeable).
data-protection  law  eu  ec  ireland  privacy  fines  regulation  mpn 
june 2013 by jm
My email to Irish Times Editor, sent 25th June
Daragh O'Brien noting 3 stories on 3 consecutive days voicing dangerously skewed misinformation about data protection and privacy law in Ireland:
There is a worrying pattern in these stories. The first two decry the Data Protection legislation (current and future) as being dangerous to children and damaging to the genealogy trade. The third sets up an industry “self-regulation” straw man and heralds it as progress (when it is decidedly not, serving only to further confuse consumers about their rights).

If I was a cynical person I would find it hard not to draw the conclusion that the Irish Times, the “paper of record” has been stooged by organisations who are resistant to the defence of and validation of fundamental rights to privacy as enshrined in the Data Protection Acts and EU Treaties, and in the embryonic Data Protection Regulation. That these stories emerge hot on the heels of the pendulum swing towards privacy concerns that the NSA/Prism revelations have triggered is, I must assume, a co-incidence. It cannot be the case that the Irish Times blindly publishes press releases without conducting cursory fact checking on the stories contained therein?

Three stories over three days is insufficient data to plot a definitive trend, but the emphasis is disconcerting. Is it the Irish Times’ editorial position that Data Protection legislation and the protection of fundamental rights is a bad thing and that industry self-regulation that operates in ignorance of legislation is the appropriate model for the future? It surely cannot be that press releases are regurgitated as balanced fact and news by the Irish Times without fact checking and verification? If I was to predict a “Data Protection killed my Puppy” type headline for tomorrow’s edition or another later this week would I be proved correct?
daragh-obrien  irish-times  iab  bias  advertising  newspapers  press-releases  journalism  data-protection  privacy  ireland 
june 2013 by jm
DRI needs your help
Appalled by mass surveillance scandals? So are we. We’re doing something about it – and you can too.

In 2006 we started a case challenging Irish and European laws that require your mobile phone company and ISP to monitor your location, your calls, your texts and your emails and to store that information for up to two years. That case has now made it to the European Court of Justice and will be heard on July 9th. If we are successful, it will strike down these laws for all of Europe and will declare illegal this type of mass surveillance of the entire population.

Here’s where you come in. You can take part by: making a donation to help us pay for the expenses we incur; following our updates and keeping abreast of the issues; spreading the word on social media.

With your help, we can strike a blow for the privacy of all citizens.
activism  privacy  politics  ireland  dri  digital-rights  data-protection  data-retention 
june 2013 by jm
Open Rights Group - EU Commission caved to US demands to drop anti-PRISM privacy clause
Reports this week revealed that the US successfully pressed the European Commission to drop sections of the Data Protection Regulation that would, as the Financial Times explains, “have nullified any US request for technology and telecoms companies to hand over data on EU citizens.”

The article [...] would have prohibited transfers of personal information to a third country under a legal request, for example the one used by the NSA for their PRISM programme, unless “expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

The Article was deleted from the draft Regulation proper, which was published shortly afterwards in January 2012. The reports suggest this was due to intense pressure from the US. Commission Vice-President Viviane Reding favoured keeping the clause, but other Commissioners seemingly did not grasp the significance of the article.
org  privacy  us  surveillance  fisaaa  viviane-reding  prism  nsa  ec  eu  data-protection 
june 2013 by jm
Why I won’t give the European Parliament the data protection analysis it wanted
Holy crap. Simon Davies rips into the EU data-protection reform disaster with gusto:
The situation was an utter disgrace. The advertising industry even gave an award to an Irish Minister for destroying some of the rights in the regulation while the UK managed to force a provision that would make the direct marketing industry a “legitimate” processing operation in its own right, putting it on the same level of lawful processing as fraud prevention. Things got to the point where even the most senior data protection officials in Europe stopped trying to influence events and had told me “let the chips fall as they may”.
[...]

But let’s take a step back for a moment from this travesty. Out on the streets – while most may not know what data protection is – people certainly know what it is supposed to protect. People value their privacy and they will be vocal about attempts to destroy it.
I had said as much to the joint parliamentary meeting, observing “the one element that has been left out of all these efforts is the public”. However, as the months rolled on, the only message being sent to the public was that data protection is an anachronism stitched together with self interest and impracticality.
[...]

I wasn’t aware at the time that there was a vast stitch-up to kill the reforms. I cannot bring myself to present a temperate report with measured wording that pretends this is all just normal business. It isn’t normal business, and it should never be normal business in any civilized society. How does one talk in measured tones about such endemic hypocrisy and deception? If you want to know who the real enemy of privacy is, don’t just look to the American agencies. The real enemy is right here in the European Parliament in the guise of MEPs who have knowingly sold our rights away to maintain powerful relationships. I’d like to say they were merely hoodwinked into supporting the vandalism, but many are smart people who knew exactly what they were doing.


Nice work, Irish presidency! His bottom line:
Is there a way forward? I believe so. First, governments should yield to common decency and scrap the illegitimate and poisoned Irish Council draft and hand the task to the Lithuanian Presidency that commences next month. Second, the Irish and British governments should be infinitely more transparent about their cooperation with intrusive interests that fuelled the deception.
ireland  eu  europe  reform  law  data-protection  privacy  simon-davies  meps  iab 
june 2013 by jm
Former NSA Boss: We Don't Data Mine Our Giant Data Collection, We Just Ask It Questions
'Well, that's - no, we're going to use it. But we're not going to use it in the way that some people fear. You put these records, you store them, you have them. It's kind of like, I've got the haystack now. And now let's try to find the needle. And you find the needle by asking that data a question. I'm sorry to put it that way, but that's fundamentally what happens. All right. You don't troll through the data looking for patterns or anything like that. The data is set aside. And now I go into that data with a question that - a question that is based on articulable(ph), arguable, predicate to a terrorist nexus.'


Yep, that's data mining.
data-mining  questions  haystack  needle  nsa  usa  politics  privacy  data-protection  michael-hayden 
june 2013 by jm
Spamalot reigns: the spoils of Ireland’s EU kingship | The Irish Times - Thu, Jun 13, 2013
The spam presidency. As European citizens are made the miserable targets of unimpeded “direct marketing”, that may be how Ireland’s stint in the EU presidency seat is recalled for years to come.
Under the guiding hand of Minister for Justice Alan Shatter, the Council of the European Union has submitted proposals for amendments to a proposed new data protection regulation, all of which overwhelmingly favour business and big organisations, not citizens.
The most obviously repugnant and surprising element in the amendments is a watering down of existing protections for EU citizens against the willy-nilly marketing Americans are forced to endure. In the US there are few meaningful restrictions on what businesses can do with people’s personal information when pitching products and services at them.
In the EU, this has always been strictly controlled; information gathered for one purpose cannot be used by a business to sell whatever it wants – unless you have opted in to receive such solicitations. This means you are not constantly bombarded by emails and junk mail, nor do you get non-stop phone calls from telemarketers.
Under the proposed amendments to the draft data protection regulation, direct marketing would become a legal form of data processing. In effect, this would legitimise spam email, junk print mail and marketing calls. This unexpected provision signals just how successful powerful corporate lobbyists have been in convincing ministers that business matters more than privacy or giving citizens reasonable control over their personal information.
Far worse is contained in other amendments, which in effect turn the original draft of the regulation upside down.


Fantastic article from Karlin Lillington in today's Times on the terrible amendments proposed for the EU's data protection law.
eu  law  prism  data-protection  privacy  ireland  ec  marketing  spam  anti-spam  email 
june 2013 by jm
PRISM explains the wider lobbying issues surrounding EU data protection reform | EDRI
The US has very successfully and expertly lobbied against the [EU] data protection package directly, it has mobilised and supported US industry lobbying. US industry has lobbied in its own name and mobilised malleable European trade associations to lobby on their behalf to amplify their message, “independent” “think tanks” have been created to amplify their message again. The result is not just the biggest lobbying effort that Brussels has ever seen, but also the broadest.

Compliant Members of the European Parliament (MEPs) and EU Member States [...] have been imposing a “death by a thousand cuts” on the Regulation. Where previously there was a clear obligation to collect the “minimum necessary” data for any given service, the vague requirement to retain “not excessive” data is now preferred. Where previously companies could only use data for purposes that were “compatible” with the original reason for collecting the data, the Irish EU Presidency (pdf) has proposed a comical definition of “compatible” based on five elements, only one of which is related to the dictionary definition of the word.

Members of the European Parliament and EU Member States are falling over themselves to ensure that the EU does not maintain its strategic advantage over the US. In addition to dismantling the proposed Regulation, countries like the UK desperately seek to delay the whole process and subsume it into the EU-US free trade agreement (the so-called “investment partnership” TTIP/TAFTA), which would subordinate a fundamental rights discussion in a trade negotiation. The UK government is even prepared to humiliate itself by arguing in favour of the US position on the basis that two and a half years (see Communication from 2010, pdf) of discussion is too fast!
edri  data-protection  eu  ec  ireland  politics  usa  meps  privacy  uk  free-trade 
june 2013 by jm
Microsoft admits US government can access EU-based cloud data
interesting point from an MS Q&A back in 2011, quite relevant nowadays:
Q: Can Microsoft guarantee that EU-stored data, held in EU based datacenters, will not leave the European Economic Area under any circumstances — even under a request by the Patriot Act?

A: Frazer explained that, as Microsoft is a U.S.-headquartered company, it has to comply with local laws (the United States, as well as any other location where one of its subsidiary companies is based). Though he said that "customers would be informed wherever possible," he could not provide a guarantee that they would be informed — if a gagging order, injunction or U.S. National Security Letter permits it. He said: "Microsoft cannot provide those guarantees. Neither can any other company." While it has been suspected for some time, this is the first time Microsoft, or any other company, has given this answer. Any data which is housed, stored or processed by a company, which is a U.S. based company or is wholly owned by a U.S. parent company, is vulnerable to interception and inspection by U.S. authorities. 
microsoft  privacy  cloud-computing  eu  data-centers  data-protection  nsa  fisa  usa 
june 2013 by jm
LobbyPlag
wow, great view of which MEPs are eviscerating the EU's data protection regime:
Currently the EU is negotiating about new data privacy laws. This new EU Regulation will replace all existing national laws on data privacy. Here you can see a general overview which Members of the European Parliament (MEPs) are pushing for more or less data privacy. Choose a country, a political group or a MEP from the “Top 10” list to find out more.
europe  eu  privacy  data-protection  datap  ec  regulation  meps 
june 2013 by jm
Council of the European Union Releases Draft Compromise Text on the Proposed EU Data Protection Regulation
Oh god. this sounds like an impending privacy and anti-spam disaster. "business-focussed":
Overall, the [Irish EC Presidency’s] draft compromise text can be seen as a more business-focused, pragmatic approach. For example, the Presidency has drafted an additional recital (Recital 3a), clarifying the right to data protection as a qualified right, highlighting the principle of proportionality and importance of other competing fundamental rights, including the freedom to conduct a business.


and some pretty serious relaxation of how consent for use of personal data is measured:

The criterion for valid consent is amended from “explicit” to “unambiguous,” except in the case of processing special categories of data (i.e., sensitive personal data) (Recital 25 and Article 9(2)). This reverts to the current position under the Data Protection Directive and is a concession to the practical difficulty of obtaining explicit consent in all cases.

The criteria for valid consent are further relaxed by the ability to obtain consent in writing, orally or in an electronic manner, and where technically feasible and effective, valid consent can be given using browser settings and other technical solutions. Further, the requirement that the controller bear the burden of proof that valid consent was obtained is limited to a requirement that the controller be able to “demonstrate” that consent was obtained (Recital 32 and Article 7(1)). The need for “informed” consent is also relaxed from the requirement to provide the full information requirements laid out in Article 14 to the minimal requirements that the data subject “at least” be made aware of: (1) the identity of the data controller, and (2) the purpose(s) of the processing of their personal data (Recitals 33 and 48).
anti-spam  privacy  data-protection  spam  ireland  eu  ec  regulation 
june 2013 by jm
IAB Europe awards MEP Sean Kelly for standing up for data privacy rights (video) - Ireland’s CIO and strategy news and reports service – Siliconrepublic.com
Irish MEP serving as a rapporteur on reform of the EU data protection regime, was given an award by an advertising trade group last month:
Sean Kelly, Fine Gael MEP for Ireland South [who serves as the EU’s Industry Committee Rapporteur for the General Data Protection Regulation], has been selected to receive the prestigious IAB Europe Award for Leadership and Excellence for his approach to dealing with privacy concerns over shortcomings in the European Commission’s data protection proposal.
IAB Europe represents more than 5,500 online advertising media, research and analytics organisations.
iab-europe  awards  spam  sean-kelly  ireland  meps  politics  eu  data-protection  privacy  ec 
june 2013 by jm
EU Council deals killer blow to privacy reforms
'In an extraordinary result for corporate lobbying, direct marketing would by default be considered a legitimate data process and would therefore – by default – be lawful.'
eu  politics  data-protection  privacy  anti-spam  spam  eu-council  direct-marketing 
june 2013 by jm
Irish EU Council Presidency proposes destruction of right to privacy | EDRI
'For example, based on the current situation in Ireland, the idea is that all companies can do whatever they want with personal data, without fear of sanction. Sanctions, such as fines, “should be optional or at least conditional upon a prior warning or reprimand”. In other words, do what you want, the worst that can happen is that you will receive a warning.' Shame! Daragh O'Brien's comment: 'utter idiocy'. ( at https://twitter.com/daraghobrien/status/292041500873850880 )
privacy  ireland  eu  fail  data-protection  data-privacy  politics 
january 2013 by jm
Digital Rights Forum - Online Privacy
'The Digital Rights Forum is a public debate on the important issues surrounding digital rights, with each event designed around the general over-arching topic of digital rights, plus a more narrowly focused subject. On Friday, the 18th of May, the forum will tackle the issue of Online Privacy.

With our lives ever more integrated with the web and social media, staying safe online is becoming an increasing concern to everyone. From mobile apps to websites and email, protecting our personal information and online privacy has never been more complicated and more important. Faced with software vulnerabilities such as contacts being leaked onto the Internet by mobile application providers, the increasing push toward revealing more private and personal information on social networks, and attempts by some to protect their businesses through litigation or processes which require the disclosure of personal information, the modern digital landscape has made protecting one's privacy more difficult than ever before.

With this in mind, this Digital Rights Forum will discuss the current state of data protection and online privacy in the current context of social networks and mobile applications.'

Featuring Billy Hawkes (the DPC, no less!), and Devore from Boards.
dpc  digital-rights  ireland  politics  online  security  privacy  data-protection 
may 2012 by jm
Daragh O'Brien on the Gardai's plans to force ISPs to implement IP filtering
'Internet blocking is ineffective. The current proposal lacks sufficient checks and balances, and may even require ISPs and telcos to break other laws to comply. It will inevitably result in innocents being tarred as offenders. Data Protection principles (such as “Adequate, Relevant, and Not Excessive”) are being blatantly ignored to implement an ineffective solution. Far better is to shut down the shop by removing the images at source and invest time, energy, and resources into a more transparent effort to manage this issue.' well said
internet  filtering  censorship  blocking  gardai  isps  ireland  data-protection  privacy  from delicious
march 2011 by jm
Martin investigated over sending unsolicited e-mails
fast work from new FF leader Micheal Martin: 'None of those who complained consented to their details being used to contact them in this way and none could establish how Fianna Fáil obtained their addresses.'
spam  micheal-martin  fianna-fail  dpc  privacy  data-protection  ireland  politics  from delicious
january 2011 by jm
law firm's mocking of 4chan could cost it £500k
'Off-the-cuff bravado aimed at [4chan] has led to what must already rank as one of the worst ever data leaks, by the anti-filesharing solicitors ACS:Law' [...] 'the law firm is faced with the threat of a fine by the [UK] Information Commissioner, who is keen to use new powers that raise the maximum penalty to £500,000.'
ouch  4chan  acs-law  filesharing  data-leaks  privacy  data-protection  fines  uk  from delicious
september 2010 by jm
Spinvox in trouble after BBC investigation
'A UK firm that turns mobile messages into text faces questions over its privacy standards, technology and finances following a BBC investigation' .. 'claims to the BBC suggest that the majority of messages have been heard and transcribed by call centre staff in South Africa and the Philippines.' 'The fact that messages appear to have been read by workers outside of the European Union raises questions about the firm's data protection policy.'
data-protection  privacy  facebook  bbc  technology  mobile  transcription  spinvox  security  south-africa  offshoring 
july 2009 by jm
UK company selling "have you been phished" check using stolen data
according to this, a retired cop has set up a company called Lucid Intelligence with 'the records of four million Britons, and 40 million people worldwide, mostly Americans', and plans to 'charge members of the public for access to his database to check whether their data security has been breached.' How is this legal under Data Protection law? wtf
privacy  uk  law  hacking  phishing  fraud  crime  police  database  identity-theft  lucid-intelligence  data-protection  security  colin-holder 
july 2009 by jm
