Posts by post-truth

Re: Missing Information

Win-win. Well played by both sides.

Re: Powers of entry without warrant

Good points, but they miss the "key points"

- Criminal search warrants can be tricky, and the ICO if they're contemplating criminal charges should simply turn the matter over to the CPS, as happened in respect of all the data protection criminal convictions associated with a certain naval-sounding insurance group a few years back.

- civil Search Orders ought to be relatively straightforward, plus the RCJ has a dedicated Applications court plus a 24/7 duty judge for genuine emergency applications, plus civil judges (paradoxically) have occasionally useful powers instantly to jail people for contempt for up to two years (without charge or trial or appeal). As with a certain notorious cellphone-not-being-switched-off-in-court episode a few years back...

- Here's the amusing "killer" - obviously the publicity has eliminated any chance of any judge considering this an emergency or something that must be done without notice (aka ex parte aka without the other party represented at first hearing). Because if they had factual grounds to need such an order, they wouldn't have blabbed. Which in turn undermines the ICO's opportunities ever to secure the Order it seeks!

Re: Reverse discrimination is now political correctness.

"Anon because I am genuinely concerned we now live in a society where having a minority opinion will lead to punishment."

Concur. Not only statutes but even common law is heading in the same direction: in the UK, harassment, ASBOs [anti-social behaviour orders] and now the demise of the dual Ghosh tests for dishonesty are perfect examples. Now, if we honestly disagree with someone in the majority or in Authority (whether because we're seen as a kook, or anti-social, or have Aspergers/ADD/whatever, or someone simply takes a dislike to us and can't think of anything specific), we can acquire a criminal record just for being viewed as, quite literally, potentially anti-social for any or no reason at all - without there ever having been a subject-matter-specific offense committed.

(I am not commenting on reverse discrimination or any laws engaging a self-contained actus reus).

Re: The argument makes me sick

These jurisdictional arguments are all about angels on the heads of pins.

In the reality that is international law, all nations can ask for extradition of anyone in any other nation to face trial, provided the metalaws associated with extradition treaties etc are satisfied.

Sometimes this becomes absurd - such as when a foreign nation of which I am a citizen criminalized my work teaching encryption and building encryption into software to protect US/European companies from data breach. An extraditable offence for which any citizen of that nation could face ten years imprisonment regardless of where they plied their trade. Happily, they recently updated that particular law to change the citizenship element, but the point is a general one and the UK is no stranger to such calamities in its own laws.

Re: Like the privacy policy on my new LG TV

In reverse order:

"Question is, is there anyone to complain to (that may care?)"

Yes (if they don't tell you about that in advance of 25 May, they're in breach anyway). Any or all of the relevant Supervisory Authorities, for a start. Choose from the 46-odd regulators, for a start (28 Member State data protection.agencies, see http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm, plus the EDPS, plus the German lander authorities).

Then there's the Article 80-promoted non-profit class action companies, such as Max Schrems' http://noyb.eu.

Then there's the Member State Courts. If you can't work out which of your rights have been breached, just plead in respect of the "washup" Article 79. A small claim is sufficient (if your jurisdiction supports that) and is recommended as they are likely to eliminate all legal costs beyond the (usually recoverable if you win) dozen-beers money the Court charges you to file the claim. Post-GDPR the legal burden of proof is now on the defendant, so you arguably don't have to prove a thing beyond providing factual context, it's for them to prove their own compliance. (In England the standard thing is to add a claim, alongside the basic DPA 1998 or now the GDPR/DP Bill, in the new worldwide English tort of misuse of private information, but that uses tort rules so you'd have to prove stuff to Court standards of proof so don't try that in DIY litigation).

"I am not a lawyer/solicitor but the policy wording is so vague as to make it not worth writing all the words they wasted below with details."

If that is right, then it might be inferred that their "privacy policies" already clearly breach Article 12 GDPR, despite it being enacted into all Member States' laws since 2016. To detect breach you're not required to be a lawyer any more, that's the whole point.

Article 12(1) of the GDPR (see p39 http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN), specifying the modalities of information to be provided to data subjects, requires that information be provided in, inter alia, "... concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child...". Ambiguity, or failure to address any material point of the Articles 13/14 Notification requirements, arguably equals non-compliance. In turn non-compliance might equal fines (from any of the 46 empowered regulators in the EU) plus criminal prosecution of directors (conceivably including overseas following extradition). Even the CPS in England has prosecuted data protection offences using anti-racketeering law (POCA) to confiscate profits. Plus private injunctive relief (money for old rope), and compensation/class actions, including tort in or from common law jurisdictions.

Some other fun stuff controllers must get right in advance: see for example https://www.gdpr360.com/gdpr-what-are-the-lawful-bases-under-which-data-can-be-processed

Pro tip: avoid complaining until 1st July 2018 if you can resist. For technical reasons, waiting five weeks may "improve" evidence against defendants, both qualitatively and quantitatively.

HTH

Nothing communicated or referenced above is legal advice.

"I had the misfortune to spend 20 minutes or so with a webcast about GDPR until it became very clear it was about a vendors product and not best practice for an SME like ours.

At least we've been aware of the term since last year, but so far all we've done is make our email list double-opt-in. We all know there is more to be done, it just doesn't seem to be very apparent what needs to be done."

@Anon. In response to your two paras (and assuming hypothetically you're in the UK):

(1) there is no such thing as GDPR "best practice", and *never can be*. This is because all GDPR compliance is unique to the enterprise. Because in practice it's all centred around your Article 30 artefact which is unique to your enterprise. So the best you can do is adopt a methodology that will enable you to comply.

(2) What to do?

(a) build yourself an Article 30 artefact - like a dynamic "information-architecture-lite" populated by systems, datasets (meaning whatever you want it to mean in your own context, even recursively, don't go all IT-precise on me), and processes. Including shadow IT (yes I know, but there are products out there than can identify that for you). Then add to the process repository everything you need for Article 13/14 Notifications, starting with jurisdictions, data-protection-law attributes of the data, legal bases, and purposes, the results will tell you what else you need to add. None of these additions can be done by distinct IT people. Can all be done in spreadsheets and until you know what you're doing (most vendors and consultants have no clue) ought to be.

(b) then urgently create your Notifications, which safely can be done only at this point.

(c) perform any necessary DPIAs per Article 35. Guidance as to when and how in WP29's WP248 document. Remember to document *in advance* when and why you *don't* perform DPIAs for any given process.

(d) do/plan the rest of your data subject rights processing per Articles 12, 15-21.

(e) all other obligations, including security and data breach stuff, are relatively minor pieces of work and can be done in parallel.

As Lord de Ramsey said not so long ago in the House of Lords, "semper in excretia sumus solum profundum variat": we're always in the poo, only the depth varies. Different context, same message, and that's the right attitude (I've even screwed up myself on some past Notifications). Don't be low-hanging fruit!

HTH!

Oops. I think I feel another blog coming on...

[disclaimer: Yes, I've co-founded a GDPR consultancy and product vendor so I'm conflicted. Yes, I'm a data protection litigator and IT architect and teach this stuff so I'm conflicted. No, I am not here offering legal services and you may not treat any part of this communication as legal advice]

Re: Don't care about how their applications do what they do?

Excellent point on GDPR, @Warm Braw. Just as any jurisdictionally non-deterministic cloud application processing personal data necessarily breaches the GDPR even if the data never actually leaves the EU (if only because ignorance plus mandated advance notification plus reversal of legal burden of proof ipso facto equals breach), the same applies to anything that replicates the same effect.

That said, actually I'm exploring the feasibility of deploying what used to be called "middleware" as BDCAs, even in the context of GDPR control software - so long as you never ever send anything but non-personal metadata into the black box! Then the only issue becomes performance...

Re: Good

Indeed. This "Democracy in America" discussion recalls two comic events to mind.

The first is from 1964 when, on-stage in New York, Peter Cook(or perhaps Alan Bennett?) was carefully explaining to Dudley Moore, deadpan, the differences between the two political systems:

"On the one hand they have the Republican Party... which is the equivalent of our Conservative Party. On the other, they have the Democratic Party... which is the equivalent of our Conservative Party".

The second is from when Mahatma Gandhi, that notorious Inner Temple barrister, was asked his opinion of Western civilization. He purportedly answered: "I think it's a very good idea."

[Caution: I have neither attribution to hand, so my memory may well be at fault]

So America is a shining light on the hill. Or is it a will 'o the wisp? Or a siren calling to drag us to our doom and feast on our remains?

(post-2015 events may be seen as a logical outcome, a mere historical footnote. Many other Western systems are no better equipped to to deal with web-based demagogy cloaked in the same democratic principles adopted, ironically less plausibly, by parliamentary systems centuries ago)

Re: Is this an outbreak of common sense?

What a fabulous method permanently to destabilize the West Island! (Speaking as a West and Far Northwest Islander...)

On the other hand, they'd all migrate northwest to my refugeee camp aka Ukmanus Island, and re-enter politics here. So you're a very mean and nasty person. I'd have to go even further - I think only Iceland qualifies. But after they're kicked out of Ukmanus Island they'll just go to Iceland and take over the Pirate Party, leaving me screwed again...

"Zuckerberg knows how to do something, and other people don’t, so he does it."

You're right, of course, but it needs some nuance.

What you've done is describe not just Zuck, but also myself, pretty much all hackers, and maybe half the creative IT geeks and politicians across the entire world (paradigmatically including the president of the United States).

We're all sociopaths and narcissists. Most of us are in denial (this is not an excuse, just an observation). Some of us try to face it later on their career and try for redemption (in my case I became a plaintiff lawyer in, coincidentally, the same field trodden by Zuck - though I'm still addicted to doing stuff just because I can).

My point is: when you say the [perceived] problem is down to Zuck's personality you're in danger of trivializing the problem. Witch-burning won't help if we're just swapping out witches... [and now I'm in danger of talking politics so I'll stop there]

Re: Not sure about Office?

"our company said screw this and went ahead and developed it's own Windows 10-like OS shell and remade the command line interface of Linux to PROPER ENGLISH! We remade LAMP into custom Windows 2016 server-like environment with a decent Active Directory WAN/ALN management system analogue!"

You may be onto something there. Use Linux o/s with Windows-like UI. Just make sure you avoid exactly the same names (to avoid MS legal stupidity). A perfect solution?

When I was young, and dinosaurs roamed the earth, I used to do something similar when teaching my youthful underlings hard lessons about computer security. Basically I'd quietly shoehorn my own pseudo-Unix shell into theirs at login. This mimicked their own. Their commands would act exactly as they expected (simply by passing them through to the real UNIX)... except when they simply failed harmlessly for peculiar reasons. Over time the frequency of failure slowly would increase, and increasingly silly random explanation messages would emerge, referring to say "logic overflow at segment xxx, booleans restored from swap", progressing ultimately to things like "Memory hole detected in BitBucket 3.0, install patch 3.0912". Etc. Cruel? Not entirely. The point was to eliminate a dangerous level of arrogance and replace it with the deliberately paranoid assumption that we're always being played. And the ultimate objective was to motivate them to bring themselves up to the level at which they could do the same to me...

Re: Sack the data scientists & feed global big-data; abuse has no political consequence

WOW! You're dead right. I didn't work for the ABS even in consulting gigs, but I have strong circumstantial evidence supporting your position that they're the most focused on their (albeit informal?) Constitutional duties.

To me the rot set in 1980-ish, when the government ordered the ABS to start focusing collection of its unemployment statistics in obviously deprived areas like South Yarra and Toorak. The ABS, to its eternal credit, went on strike. I have never, before or since, seen such selfless behaviour by any government department in any nation. Didn't work of course, only slowed down the remorseless march of policy mediocrity, but undying kudos. Te morituri salutant!

The reason I remember this is that just beforehand, as a new grad I made my first and only employment application to the APS. The ABS was not one of my options and my chosen departments turned me down after interview (I stupidly revealed my obviously insane ideas about using data to build predictive algorithms in order to support policy). But 4-5 months later, after the strike and after I'd taken a different career path, out of the blue I received an unconditional job offer letter from the ABS piggy-backing on my application. I was no statistician, though my science degree (maths/computer science/physics) included kibitzing a final-year statistics subject: forecasting, which fascinated me enough to start modelling. Perhaps more importantly, my strongest fields were methodology and the philosophy of science, studied repeatedly within my four-year philosophy degree. So perhaps someone realized I might be handy to build internal defences? Nothing else made sense to me. I've always wondered what might-have-been if the timing had been different...

Re: Right now on the Equifax site

That's another thing the execs have to fear - derivative claims from shareholders. And you don't even need fraud to jail them. With the data protection laws changing, this will have peculiar effects on the "business record" admissibility rules of criminal evidence in each jurisdiction. Interestingly, as Google execs found out the hard way a few years ago, most EU nations award custodial sentences (generally five years or less, though Greece has up to 10) for criminal data protection offenders (i.e. controllers), and breaches undoubtedly will engage those criminal laws.