WELCOME to Connected Rights, your wind in the sails of digital rights news and analysis.
PRIVACY SHIELD IS NOT IN THE CLEAR YET. Europe’s privacy regulators said on Tuesday that they want to see the US stick to the terms of the transatlantic data-transfer deal by 25 May next year, otherwise they will take the matter to court: http://bit.ly/2B5psPJ
Specifically, the US State Department (inasmuch as it still exists) has not yet appointed an independent ombudsperson to deal with data complaints from European citizens. The regulators also don’t like the fact that the ombudsperson would have no powers to take a complaint to court, and they’re urging the European Commission (which has claimed that everything is going just fine thank you) to restart discussions with their American counterparts.
Privacy Shield’s self-certification system also “still lacks sufficient oversight and supervision of compliance in practice”, the Article 29 Working Party thundered.
I’ve always said Privacy Shield will go the way of its annulled predecessor, Safe Harbour, and I’m still saying it. Yes, it’s the system that companies have to rely on for now, but it ain’t gonna last.
EUROPE’S PRIVACY REGULATORS ARE SENSIBLY taking the collective approach to dealing with Uber’s dreadful data breach cover-up (see last weeks’ CR). They’ve formed a task force that allows them to coordinate their actions against the company: http://for.tn/2zNmviA
As current EU data protection laws give the regulators relatively constrained fining powers (as opposed to the GDPR that will come into effect next May), this is the best way for them to make the maximum impact as they tackle the company for treating its customers’ personal information in such a cavalier fashion.
THE GERMAN BRANCH OF REPORTERS WITHOUT BORDERS has complained to the European Court of Human Rights about mass surveillance in Germany: http://bit.ly/2jYi25V
The complaint is based on mass surveillance’s effect on journalists, who are supposed to be able to offer their sources confidentiality – without it, the free press is done for. And Germany’s Bundesnachrichtendienst (BND), the country’s equivalent to the NSA, makes that confidentiality extremely hard to achieve.
German courts, including the federal constitutional court in Karlsruhe, have turned down the organisation’s previous complaints on the basis that it cannot prove its members have been affected by BND monitoring. However, the branch does a lot of work with reporters in Middle Eastern countries, making it extremely likely that their communications have been scooped up.
The outcome of this case will be very interesting to see. After all, it’s almost always impossible to say whether or not you have been subject to mass surveillance, so German law makes it effectively impossible to complain about the rights-trampling practice.
THE GERMAN GOVERNMENT reportedly wants to install backdoors in the security mechanisms of, well, everything. According to Redaktionsnetzwerk Deutschland, interior minister Thomas de Maizière wants backdoors in connected cars, computers and even smart TVs, to enable more surveillance: http://bit.ly/2AusCth
Want to support this newsletter? If so, you rock! Here’s my Patreon page. A thousand thanks to those who are already contributing. Oh yeah, and don’t forget you can buy Control Shift .
THE UK’S GCHQ SPY AGENCY TRIED TO UNDERMINE the independence of the body that’s supposed to oversee it, the Investigatory Powers Commissioner’s Office, by suggesting that it could work together with IPCO to determine which evidence could be submitted in legal proceedings against it. The watchdog said no.
“It is extraordinary that GCHQ has written to its independent regulator to ask if it and ‘wider Government’ can work together, essentially to head off legal claims,” said Privacy International solicitor Millie Graham Wood. “It is a blatant attempt to bury embarrassing evidence and claims against them. They seem to want to avoid the kind of extraordinary disclosures that we had at the last hearing, such as the revelations that the intelligence agencies are collecting massive amounts of information, including from our social media accounts.”
MEANWHILE, THE UK GOVERNMENT HAS CONCEDED that there should be independent authorisation in cases where the authorities request communications data that’s been gathered under the country’s data retention law: http://bit.ly/2AnV2F8
This will supposedly bring the law in line with EU fundamental rights, as the Court of Justice of the European Union decided last year was not the case. However, as the Open Rights Group has pointed out, the Investigatory Powers Act still breaks EU law on several fronts: http://bit.ly/2AAwKHW
PRIVACY INTERNATIONAL HAS RELEASED a new report on how car rental companies fail to protect customers’ personal data: http://bit.ly/2AxWFCo
REMEMBER WHEN GOOGLE BYPASSED THE PRIVACY PROTECTIONS in Apple’s Safari half a decade ago, so it could continue collecting the browsing information of people who didn’t want to be tracked? Well, despite settling multiple lawsuits in the US, here comes another one in the UK: http://for.tn/2niMi00
This time it’s a class-action-style lawsuit brought about by veteran consumer protection champion and former Downing Street advisor Richard Lloyd. If he wins the case, it is theoretically possible that Google might have to pay out more than £1 billion to British iPhone users. Google doesn’t believe the case has any merit, of course.
If you’d like me to write articles for you about digital rights issues, speak at your event or provide privacy advice for your business, drop me an email at firstname.lastname@example.org.
IT’S CONNECTED TOY NIGHTMARE TIME AGAIN! You will surely remember the episode earlier this year when the German federal network agency told parents to destroy the My Friend Cayla connected doll, because it had terrible security. Now the French privacy regulator is joining the fun: http://bit.ly/2iXrdXC
CNIL issued a formal notice on Monday to Genesis Toys, the Hong Kong-based company that sells the accursed doll and a robot called i-QUE. Part of the problem is standard data protection stuff about not informing users of data processing, but the security problems are truly scary. From CNIL’s statement:
“Controllers of the CNIL observed that any individual located 9 meters away from the toys, outside a building, can connect (or ‘pair’) a mobile phone to the toys through the wireless technology standard Bluetooth, without having to log in (for instance, with a PIN code or a button on the toy). The individual located at such a distance is able to listen and record the talks between the child and the toy or any conversation taking place nearby.
“The CNIL delegation also observed that it was possible to communicate with the child close to the product through two methods: Either by releasing, via the loudspeaker, sounds or words previously recorded with the ‘Dictaphone’ application available on some mobile phones; or by using the toys with the ‘hands-free kit’. One only has to call the phone connected to the toy with another one in order to talk with the child located near it.”