My TikTok – My Observations

Well apart from the fact that my 10 year old daughter has been an avid user of TikTok for 2 years, my interest would be nonetheless sparked by the torrent of privacy issues which have been popping up left, right and centre. I thought it could be good to give you an idea of what TikTok actually is if you haven’t tried it (yet), and what it means to kids, because I’ve actually spent some time there.

To summarise on the list of issues I see:

  • TikTok is a Chinese business and hence privacy is not something they feel strongly about, so I just don’t trust them - I guess this is a British understatement 😉
  • They are not following any of the GDPR principles, e.g. data minimisation on content created by EU data subjects, incl. minors.
  • Privacy is not built into the design of the App - you only need to Google to find what I mean here.
  • Kids are being stalked by sexual predators; there are no ‘safe gardens’ for kids.
  • Kids are being cyber-bullied, aggressively, and not only by peers but by older users, the Trolls.

Nonetheless, TikTok is in fact fun! I created an account 2 years ago to try and understand why kids were there. All good material for my next book! As a success, one TikTok Post (below) I made together with the help of my daughter got 67,8k Views, 3 630 Likes and circa 100 Comments. So I had something perfect to use for my analysis.

Fun observations:

  • It’s addictive, and getting involved as a parent has removed barriers we had concerning the use of TikTok or other social media Apps.
  • The inbuilt templates provide kids with opportunities to test their creative abilities beyond what I ever thought was possible. Working with my daughter to create this and other TikToks has given me an insight into what the world could look like when they enter the workplace!
  • Watching kids collaborate on TikTok and other social Apps is mind-blowing, beyond anything we ever did ourselves as kids. We have a generation of kids growing up socially connected and collaborating - these kids won’t understand why our generation had to learn how to work as a team.
  • I was amazed at how my daughter, on seeing some rather nasty comments, just deleted them, and then how she advised me to ignore them.
  • Accounts set up (at least 2 years ago) did not default to ‘Only Friends’.

Worrying observations:

  • I saw kids being cyber-bullied on TikTok aggressively; one poor girl who couldn’t have been older than 9 was being attacked as ugly… the Comments were damning. There was a ‘report abuse’ button which I used, but there was no follow-up.
  • The template we used, “100% DNA, Swedish”, was damned as racist. Although such templates are not racist, they are triggers for Trolls.
  • Kids can be easily lured into creating ‘duets’ or more and I’ve seen kids kissing through a virtual wall to older teenage boys when singing together a love song. This makes online grooming very easy.
  • It is likely that many kids have multiple accounts for reasons such as they lost their password and can’t fix it, or they are harassed by cyberstalkers and need to move.

This is the TikTok I made together with my daughter which went viral a couple of years ago. Btw, something going viral doesn’t mean it’s good… so you’ve been warned 🙂

The ex-employee & data subject rights

This is an interesting case, and not only for the reasons mentioned in the press. It doesn’t give us much to work with but…

What strikes me, and is often overlooked by organisations, is that employees and ex-employees - as is the case here - have rights under GDPR. Every employee is a data subject… although of course you knew that 😉

What is common with dissatisfied customers also applies to unhappy ex-employees (as in this case): they exercise their rights under GDPR. This guy wanted to be forgotten, and wanted access to whatever couldn’t be deleted, one can assume. This means that even if your organisation acts as a processor in the delivery of services to your customers, who are the controller, you are still, regardless, the controller for your employees’ data.

Contractual clauses were used for the transfer of employee data over to China. However, the fine awarded, a meagre €5k, was for not responding to the ex-employee as per his rights, not for the use of contractual clauses… it would be interesting to know more on this.

What is a ‘cookie wall’?

Given the recent Post by Konstantin I thought it made sense to write a brief Post on what a cookie wall actually is… after all it really is not obvious, or is it?

Just in case it is not, here we go. A cookie wall makes it impossible for visitors to browse a website without agreeing to all cookies, irrespective of whether they are absolutely necessary for the functioning of the website. An example is cookies used to track visitor browsing habits.

In order to be compliant with GDPR, the visitor does not need to consent to essential cookies (i.e. the website will not function correctly without them), but they should have the choice to consent to non-essential cookies.

What’s more, cookies, whether essential or not, should have an expiry date on them unless they are session cookies. Session cookies are the best because they are automatically deleted when the browsing session ends. Cookies which are not session cookies should have an expiry date which is aligned to a specific purpose and a legal basis.
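As an added example (not code from the original post), here is a small server-side cookie policy in JavaScript that contrasts a cookie wall with compliant gating as described above: essential cookies are always set, non-essential cookies only for purposes the visitor opted into, and every persistent cookie carries an explicit expiry. The cookie names, purposes and lifetimes are constructed for illustration.

```javascript
// Cookie registry (constructed for this example): each cookie declares whether
// it is essential, its purpose, its legal basis and a lifetime. A null lifetime
// means a session cookie (no Max-Age, removed when the browser session ends).
const COOKIE_REGISTRY = [
  { name: 'sid',    essential: true,  purpose: 'login session', legalBasis: 'strictly necessary', maxAgeSeconds: null },
  { name: 'csrf',   essential: true,  purpose: 'security',      legalBasis: 'strictly necessary', maxAgeSeconds: 3600 },
  { name: '_track', essential: false, purpose: 'analytics',     legalBasis: 'consent',            maxAgeSeconds: 90 * 86400 },
  { name: '_ad',    essential: false, purpose: 'marketing',     legalBasis: 'consent',            maxAgeSeconds: 30 * 86400 },
];

// The non-compliant "cookie wall": unless the visitor accepts every
// non-essential purpose, the page is not served at all.
function cookieWallDecision(consentedPurposes) {
  const nonEssential = COOKIE_REGISTRY.filter(c => !c.essential).map(c => c.purpose);
  const acceptedAll = nonEssential.every(p => consentedPurposes.has(p));
  return acceptedAll
    ? { allowed: true, cookies: COOKIE_REGISTRY.map(c => c.name) }
    : { allowed: false, cookies: [] };
}

// The compliant alternative: the page is always served, essential cookies are
// always set, and each non-essential cookie is set only for a purpose the
// visitor consented to. Persistent cookies get an explicit Max-Age aligned to
// the declared purpose; session cookies get none.
function buildSetCookieHeaders(consentedPurposes, values) {
  const headers = [];
  for (const c of COOKIE_REGISTRY) {
    if (!c.essential && c.legalBasis !== 'consent') {
      throw new Error(`non-essential cookie ${c.name} must rest on consent`);
    }
    if (!c.essential && !consentedPurposes.has(c.purpose)) continue; // no consent, no cookie
    let header = `${c.name}=${encodeURIComponent(values[c.name] ?? '')}; Path=/; Secure; SameSite=Lax`;
    if (c.maxAgeSeconds !== null) header += `; Max-Age=${c.maxAgeSeconds}`;
    headers.push(header);
  }
  return headers;
}
```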

Finnish business fined for tracking employees

In Finland, one of the first fines was handed out to a water supply management company which used location data from the vehicles used by employees, which is considered systematic monitoring. A DPIA should have been conducted.

Taken from DLA Piper blog
Followed from a complaint made by an individual. Kymen Vesi processed location data of its employees by locating their vehicles. This location data was used to monitor the employees’ working hours.
The Data Protection Ombudsman stressed in its decision that a data controller must carry out a DPIA when the processing likely results in high risk to the rights and freedoms of data subjects. Kymen Vesi should have carried out a DPIA since the processing of location data concerned data subjects in a vulnerable position (employees) and the data was used for systematic monitoring. In reference to the criteria list set in WP29 guidelines on DPIA and determining whether processing is likely to result in high risk, the processing conducted by Kymen Vesi satisfied three of the criteria (processing of location data, data subjects in vulnerable position and systematic monitoring of data subjects) when usually a DPIA is already required when two of the criteria are satisfied.

Read the rest of the blogpost from DLA Piper blog.

Belgium DPO conflict of interest resulted in a fine

2 years on and finally a fine pertaining directly to the role of the DPO…. hurray! What a great celebration for GDPR and each of us who have the privilege to be a Data Protection Officer.

Avoidance of a conflict of interest for the DPO is super important in any organisation because the role requires that he/she stands in the shoes of the data subject which potentially can conflict with how the organisation views risk.

If we take this from a privacy risk angle, what is privacy risk? It is the risk of harm to the rights and freedoms of an individual (or natural person as per GDPR). You can think of the DPO similar to a consumer advocate in an organisation, except it’s ensuring that the organisation is fulfilling its obligation as a fit custodian of personal data, and ensuring that the rights of the data subject are met.

A conflict of interest can occur when looking at risk. Every privacy risk will equate to another organisational risk; e.g. missing encryption on laptops is a privacy risk, but the security risk is the cause of this privacy risk.

When you as DPO need to decide on risk appetite, you need to do this in the shoes of the data subject first. It’s not practical to ask all data subjects if they find a risk okay to accept; most wouldn’t understand what you’re talking about. As a CISO/CRO you will be looking at risk from the view of the organisation’s risk appetite. These 2 views can create conflict in the role of the DPO, hence a conflict of interest.

This is why the recent ruling in Belgium is so important, the first of its kind since GDPR came into force.

Happy Birthday 2 years on with GDPR!

In celebration of GDPR 2 years on, I thought to repost some blogposts from June 2018. However, when looking I realised that there were only a few, and the theme was strongly on how our personal data is public in Sweden and the use of utgivningsbevis to keep this status quo. So, I ended up writing an additional blogpost, realising that I’m still really unhappy about the Swedish status quo on this.

GDPR has brought progress in ensuring that we, data subjects, have rights over our personal data, but sadly what I posted 2 years ago is still acutely relevant today in 2020.

The fact is that in Sweden our personal data is made public and we have no say! After all, public is public; it is impossible to restrict processing when this is the case, as acknowledged in privacy laws, not just in the EU. Data brokers scrape this data from public sources, do some intelligent profiling and sell it on to businesses; e.g. where you live will determine how you are profiled and to whom you will be sold.

Someone tried to argue with me once that a street name (missing house no.) was not personal data. The fact is that the street where you live says quite a lot about who you are. It gives an indication on your wealth, if you’re young, with kids, or elderly and if you’re likely to have a garden, 1 or 2 cars, etc. Your street name is directly or indirectly linked to you as an individual. The street name could be enough that you receive cold calls either by phone or someone knocking on your door to sell you double-glazing.

In the UK, for example, you are hidden by default. The difference in Sweden is that the clash between laws pertaining to ‘freedom of press’ and ‘the right to a private life’ still stands today. In Sweden it is the former which wins.

I read somewhere that there are 100s, maybe 1000s of complaints from Swedish data subjects on the lack of control and rights (as per GDPR) they have over their personal data. This is positive! People are aware of their rights and are asking why this is happening. I can’t find the article now, so I would appreciate it if anyone can dig it up. The question is whether this will change. Can it change?

The e-Privacy Regulation has something to protect from unsolicited calls, with protection by default; as in the UK, the resident needs to opt in to be included in a public directory.

Protection against spam: this proposal bans unsolicited electronic communications by email, SMS and automated calling machines. Depending on national law, people will either be protected by default or be able to use a do-not-call list to not receive marketing phone calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.

How it works in Sweden today is that every business needs to have its own ‘do not call list’. What is proposed in the e-Privacy Regulation seems to be a national list, which is an improvement, but it still does not solve the root of the problem. I do not want my data public unless I have specifically consented to this or I have myself made my data public.

The whispering protocol and covid-19

A covid-19 smart wearable using privacy enhancing technologies popped up in my LinkedIn feed just today… I was sceptical until I started reading the academic paper for the Whisper Tracing protocol used by the product.

This is a product which is not installed on a smart device; it is something you clip to your shirt (or whatever) and it warns you if you are too close to another individual. It does not link the wearer of the wearable with an identity. The data is collected centrally, but deleted after a short time.

What is good about this product is that, with covid-19, the most vulnerable group apart from those with underlying illnesses are the elderly, but it is mainly this group that do not own a smart phone, or, if they do, probably do not use it optimally, which means they are excluded from app-based solutions.

This is great for the workplace. I know when I’m out that I’m rubbish at this social distancing. I live on an island, at least that’s my excuse, I work mainly from home, or it’s just that I get so focused on what I need to do that I don’t notice people around me. I really could do with a clip-on which beeps when I get too close to others.

The wearable was produced by a startup, Nodle. It will be interesting to read more on this - when I have time - and see where this wearable ends up.

Occupational doctor is controller when you test your employees for coronavirus

At least this is the latest position in Italy, which is rather interesting, and it provides some lead in controlling this pandemic in the workplace while reducing the risk to the rights and freedoms of employees. The relevant paragraph from the article I am referring to, which is worth reading, is quoted below.

The Italian data protection authority held that serological tests run on employees are privacy compliant in Italy provided that the occupational doctor is the data controller and is the sole individual aware of the results of the test, communicating to the employer only the suitability/unsuitability of the employee to perform the working activity.