The Right to Privacy: Don’t Tell Me I Have to Care!

I’ve already written on the subject of privacy several times, and will likely be regurgitating a lot of what I’ve said previously, but an article I read last week really pissed me off; Three Reasons Why the “Nothing to Hide” Argument is Flawed. It’s exactly this kind of absolutist nonsense [from both sides of the privacy ‘debate’] that makes true progress so bloody difficult.

Their first point: “1) Privacy isn’t about hiding information; privacy is about protecting information, and surely you have information that you’d like to protect.” is backed up by several metaphors, one of which is “Do you close the door when you go to the bathroom?” Seriously? Even the Universal Declaration of Human Rights qualifies the right to privacy with the word ‘arbitrary’:

“Article 12 – No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”

Every other treatise [that I’ve read] on privacy has a similar qualifier, which clearly implies that there can be very good reasons for ‘interference’. This is further supported by the fact that privacy is only a fundamental right, not an absolute right.

Their second point: “2) Privacy is a fundamental right and you don’t need to prove the necessity of fundamental rights to anyone.” If you’ve never read anything about privacy, you would think that a fundamental right is immutable and incontestable. It’s not. As Recital 4 of the GDPR phrases it: “The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”

In other words, your right to privacy must be put into context with EVERYONE else’s OTHER rights. E.g. hypothetically, if I believed that ‘mass surveillance’ increases the safety of myself and my family, then your demand for privacy-first puts my loved ones directly in harm’s way. Therefore, my absolute (or ‘unalienable’) rights to what Americans call ‘life, liberty and the pursuit of happiness’ are more important than you not being seen with your trousers around your ankles.

But then they go big and say: “We change our behavior when we’re being watched, which is made obvious when voting; hence, an argument can be made that privacy in voting underpins democracy.”, which is a ridiculous stretch. Democracy through a “cohesion produced by a homogenous people.”? Sure. Democracy through a ‘consensus on fundamental principles’? Absolutely. Democracy through “privacy in voting”? Get a bloody grip.

And their final point; “3) Lack of privacy creates significant harms that everyone wants to avoid.” is basically true. But their example of “You need privacy to avoid unfortunately common threats like identity theft, manipulation through ads, discrimination based on your personal information, harassment, the filter bubble, and many other real harms that arise from invasions of privacy.”, makes it sound like organisations and governments are forcing us to put this stuff online. WE have the choice about what personal data we expose online, and while there absolutely should be [more] checks and balances against Governments overstepping their bounds, and organisations like Google should be completely transparent in their dealings, we are the ones giving our personal data away in exchange for convenience.

You’ve probably heard the quote by Snowden; “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

If that’s true, I could argue that what most people actually do online is little different from someone who cuts out their tongue. Regardless of whether we have the RIGHT to privacy, it does not mean we HAVE privacy, and certainly not online. If it’s online, it’s exposed, so you have two choices:

  1. Don’t put it online, so no more online banking, Facebook, Amazon, and so on; or
  2. Put online only the things you don’t care about losing (i.e. no nude selfies), or can protect in other ways (i.e. insure your bank accounts)

To one degree or another we all trade our privacy for functionality. We all want the convenience of online banking, shopping, communication, and all the world’s knowledge at our fingertips. But did you really think this was free? Our right to privacy is both a privilege, and a currency, which means you have a responsibility to protect it, and a responsibility to spend it wisely respectively. Both of these responsibilities require you to NOT be ignorant, to educate yourselves and not rely on others to do it for you.

But in the end it has to remain a CHOICE! The ‘privacy-first’ side of the debate will NEVER agree with the ‘nothing-to-hide’ side, but like every fundamental right we have (and yes, democracy itself), this choice will be determined by the majority. So even though, as Snowden said; “[…] the majority cannot vote away the natural rights of the minority.”, the opposite is equally true; “The wishes of the minority cannot outweigh the wishes of the majority.” To put it another way, if a person wants total privacy, then they should have the right to have it, but not if that conflicts with the rights of the others.

What very few people address is the fact that my definition of privacy may be different from yours. You may think ‘secrecy’ is the best way to privacy, but I think ‘hiding in plain sight’ is more appropriate in the Information Age. The more that is known about me, the more unlikely it is that someone can pretend to BE me.

I could go on bitching, but there’s no point. I will not change your mind, and you will not change mine. The only difference is that I’m not going to try to shame you for your opinions, or even LACK of opinion. We choose the things we care about, and NO ONE can care about everything. As long as your decisions are not based on ignorance of the subject, do as you wish.

GDPR: Reporting Your “Technical and Organisational Security Measures”

You could almost be forgiven in thinking that words/phrases like; ‘pseudonymised’, ‘anonymised’, ‘access control’ or ‘encrypted’ are all that is required when reporting your technical and organisational security measures for Article 30 – Records of Processing Activities.

Almost.

The UK’s ICO themselves provided a sample of what records of processing should look like, and even included examples of content. Their column headed “General description of technical and organisational security measures (if possible)” contains just two examples; “encrypted storage and transfer” and “access controls”. So in the absence of more detailed guidance from any supervisory authority [that I have seen] just what are organisations supposed to do?

First, you need to understand that in Article 32 – Security of Processing, the phrase “technical and organisational security measures” is qualified twice by the one word that makes the whole thing not only clear, but very simple; “Appropriate”.

Article 32(1): “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…”.

I’m not going to go into detail about how you define ‘appropriate’, I’ve already done that in GDPR: How Do You Define ‘Appropriate’ Security Measures?, but I am going to provide an example of what this would look like on the only medium that counts; paper.

GDPR: Now We Know Who the Muppets Are

Well, here we are, close of business May 25th, and oh look!, the sun is still shining, the world is still spinning, and no one [decent] went out of business.

What we do have however is an indication of who the world’s biggest muppets are. For example:

…and:

…and the list goes on and on.

As if the barrage of ridiculous and utterly meaningless emails over the last few months wasn’t enough, the spectacular ignorance shown by these and many other organisations defies belief. The only good thing I can say about these weapons grade plums is that they are actually taking GDPR seriously. They DID something. The fact that they are needlessly damaging their reputations is apparently beside the point.

GDPR May 25th – Slow Down and Get it RIGHT!

If you hadn’t heard of the GDPR before the last month or so, you have now. You have all received at least one, and more likely dozens of emails from organisations with whom you have had some contact in the past. Most of whom you have probably forgotten about. E.g. I hadn’t used my Garmin account for over a decade but still received an email asking if I wanted to ‘opt in’ to continue receiving its “many benefits”.

I wouldn’t mind so much, but every last one of these ‘calls for action’ is utterly, inexcusably, and embarrassingly wrong! Literally, not one that I have received has followed what amounts to clear instructions from the many qualified sources available (i.e. ICO for the UK, Art. 29 WP for everyone else, numerous law firms etc.) on what to do.

Therefore both of the following are true:

  • The organisations looking for GDPR guidance had no idea what they were asking for from their ‘expert’ help, or whom to ask; and
  • The providers of the guidance had no clue what they were doing

I can also assume that no one in the respective organisations had actually read the GDPR, and the providers of guidance clearly learned just enough to fool all those who have remained clueless. Frankly these people deserve each other.

Here are some of my favourite vendor emails [paraphrased]:

  • “If you don’t respond to this email we will assume you want to keep receiving emails from us.”;
  • “Unless you read and sign our new terms and conditions we will cease all communication.”;
  • “Our database of customers’ email addresses, including yours, will be deleted.”
  • “If you don’t opt in to receive emails relevant to the services we provide you, we’ll stop sending them.”
  • “Our website is not available to any European member state…”

GDPR: How Will ‘Representatives’ Work?

Even as a data protection novice, the GDPR makes sense to me. I get it. I may be partly wrong in some assumptions, but I am comfortable enough in my understanding of the intent of the Recitals and Articles to ask the right people the right questions.

All, that is, with the exception of Recital 80 / Article 27 – Representatives.

I understand the words, and think I even understand the intent, but I cannot even begin to fathom how it’s actually going to work in the real world. This blog is therefore aimed at those who do. I need your guidance please.

My English translation (i.e. not legalese) of Recital 80 is:

Any controller or processor not established in the EU, but who:

1. offers goods or services (regardless of payment acceptance) to data subjects in the EU; or
2. monitors the behaviour of data subjects within the boundaries of the EU.

…must designate a representative to act on their behalf who may be addressed by any supervisory authority. Unless the processing:

  • is occasional;
  • does not include processing on a large scale of special categories of personal data;
  • does not include processing of data relating to criminal convictions and offences;
  • is assessed as low risk; or
  • is performed by a public authority or body
