Search
Content type: Long Read
In 2019, we exposed the practices of five menstruation apps that were sharing your most intimate data with Facebook and other third parties. We were pleased to see that upon the publication of our research some of them decided to change their practices. But we always knew the road to effective openness, transparency, informed consent and data minimisation would be a long one when it comes to apps, which for the most part make profit from our menstrual cycle and even sometimes one’s desire to…
Content type: Advocacy
International data transfers are an important feature of the present-day global economy. However, when crossing borders, data should also be accompanied by strong and effective privacy and personal data protections. Laws, such as the General Data Protection Regulation (GDPR), play an important role in ensuring data flows respect with privacy.
Trade negotiations that cover cross-border data flows can complicate this. All 80 countries that are part of digital trade negotiations should be able to…
Content type: Frequently Asked Questions
On 27 October 2020, the UK Information Commissioner's Office (ICO) issued a report into three credit reference agencies (CRAs) - Experian, Equifax and TransUnion - which also operate as data brokers for direct marketing purposes.
After our initial reaction, below we answer some of the main questions regarding this report.
Content type: News & Analysis
Privacy International (PI) welcomes today's report from the UK Information Commissioner's Office (ICO) into three credit reference agencies (CRAs) which also operate as data brokers for direct marketing purposes. As a result, the ICO has ordered the credit reference agency Experian to make fundamental changes to how it handles people's personal data within its offline direct marketing services.
It is a long overdue enforcement action against Experian.…
Content type: Examples
A study describes the data transmitted to backend servers by the Google/Apple based contact tracing (GAEN) apps in use in Germany, Italy, Switzerland, Austria, and Denmark and finds that the health authority client apps are generally well-behaved from a privacy point of view, although the Irish, Polish, Danish, and Latvian apps could be improved in this respect. However, the study also finds that the Google Play Services component of the apps contacts Google servers as often as every 20 minutes…
Content type: Examples
An audit of two apps and a website used by national and local governments in Colombia finds: an absence of public information about the tools, how they work, or how their security and privacy is protected; non-compliance with Colombia’s data protection legal framework, particularly in the area of consent; and reckless deployment of solutions that put hundreds of thousands of users’ personal data at risk. Fundación Karisma, which conducted the audit, makes a number of recommendations for…
Content type: Examples
Following trials in Leicester, Luton, and Blackburn with Darwen, the UK government will assign teams of health care professionals to more than ten local authorities and offer them Public Health England’s near real-time data on infections and a dedicated team of contact tracers, shifting away from its £10 billion centralised national system run under contract by Serco. As of early August, the Serco scheme was still failing to reach a significant proportion of those who had been in close contact…
Content type: Case Study
The Peruvian government has a history of collaboration with the private sector in developing technology with the alleged purpose of providing greater security to citizens. The most recent example, the smartphone application "Peru En Tus Manos" launched in the context of the Covid-19 crisis, has been developed in a similar fashion and currently collects geolocation data on more than a million users. Although Peru has a proper legal framework for public private partnerships, developments are…
Content type: Report
National identity systems naturally implicate data protection issues, given the high volume of data necessary for the systems’ functioning.
This wide range and high volume of data implicates raises the following issues:
consent as individuals should be aware and approve of their data’s collection, storage, and use if the system is to function lawfully. Despite this, identity systems often lack necessary safeguards requiring consent and the mandatory nature of systems ignores consent…
Content type: Report
While identity systems pose grave dangers to the right to privacy, based on the particularities of the design and implementation of the ID system, they can also impact upon other fundamental rights and freedoms upheld by other international human rights instruments including the International Covenant on Civil and Political Right and the International Covenant on Economic, Social and Cultural Rights such as the right to be free from unlawful discrimination, the right to liberty, the right to…
Content type: Examples
The outsourcing company Serco, which the UK government has contracted to perform contact tracing, accidentally shared the email addresses of almost 300 of the contact tracers it hired when a staff member sent an introductory email and used CC rather than blind CC. Serco does not intend to refer itself to the Information Commissioner's office.
Writer: Ross Hawkins
Publication: BBC
Content type: News & Analysis
Banning TikTok? It's time to fix the out-of-control data exploitation industry - not a symptom of it
Chinese apps and tech companies have been at the forefront of the news recently. Following India's ban of 59 chinese apps in July, President Trump announced his desire to ban TikTok, shortly followed by his backing of Microsoft's intention to buy the US branch of its parent company ByteDance. Other than others lip syncing his public declaration, what does President Trump fear from this app, run by a firm, based in China?
It's all about that data
One clear answer emerges: the exploitation of…
Content type: Explainer
At first glance, infrared temperature checks would appear to provide much-needed reassurance for people concerned about their own health, as well as that of loved ones and colleagues, as the lockdown is lifted. More people are beginning to travel, and are re-entering offices, airports, and other contained public and private spaces. Thermal imaging cameras are presented as an effective way to detect if someone has one of the symptoms of the coronavirus - a temperature.
However, there is little…
Content type: Examples
After ORG asked questions via its legal representative, AWO’s Ravi Naik, the UK’s Department of Health and Social Care agreed to change the period it would retain Test and Trace data from 20 years to eight. Public Health England manager Yvonne Doyle explained that the novelty of COVID-19 was the reason for keeping the data longer, in case PHE needed to get back in touch with those who had tested positive with additional information.
Publication: ZDNet
Writer: Daphne Leprince-Ringuet…
Content type: Examples
In early July the Open Rights Group issued a pre-action legal letter to UK health secretary Matt Hancock and the Department of Health and Social Care saying they have breached requirements under the Data Protection Act 2018 and GDPR by failing to conduct an impact assessment for the Test and Trace system. ORG and its lawyers, AWO, had been asking for details of the DPIA since the beginning of June, a few days after the system was launched. In their response, the DHSC’s lawyers said “there were…
Content type: Advocacy
Identification systems across the world increasingly rely on biometric data. In the context of border management, security and law enforcement, biometric data can play an important role in supporting the investigation and prevention of acts of terrorism.
This Briefing aims to map out some of the implications of the adoption of identification systems based on biometrics.
Content type: Examples
Hours before OpenDemocracy filed suit to compel the UK government to release all the contracts governing its deals with a list of technology firms including Amazon, Microsoft, Google, Palantir, and Faculty, the UK government released the contracts. Faculty is being paid more than £1 million to provide AI services for the NHS, and the companies involved in the NHS data store project, including Faculty and Palantir, were originally granted intellectual property rights and were allowed to train…
Content type: Advocacy
Privacy International responded to the call for submissions on Zimbabwe’s Cyber Security and Data Protection Bill, 2019.
According to its Memorandum, the Bill seeks to “consolidate cyber related offences and provide for data protection with due regard to the Declaration of Rights under the Constitution and the public and national interest.” The Bill also proposes the establishment of a Cyber Security Centre and a Data Protection Authority.
In its submission, PI applauds the positive aspects…
Content type: Long Read
What Do We Know?
Palantir & the NHS
What You Don’t Know About Palantir in the UK
Steps We’re Taking
The Way Forward
This article was written by No Tech For Tyrants - an organisation that works on severing links between higher education, violent tech & hostile immigration environments.
Content type: Video
Immediately following the UK general election in December 2019, we worked with Open Rights Group to commission a YouGov poll about public understanding and public opinion about the use of data-driven campaigning in elections.
The poll used a representative sample of 1,664 adults across the UK population.
'Data-driven political campaigning' is about using specific data about you to target specific messages at you. So, for this might involve knowing that you are, for example, likely to…
Content type: Call to Action
Google wants to know everything about you.
It already holds a massive trove of data about you, but by announcing its plans to acquire the health and fitness tracker company Fitbit, it now clearly wants to get its hands on your health too. We don’t think any company should be allowed to accumulate this much intimate information about you. This is why we’re trying to stop its merger with Fitbit.
Google and Fitbit need the European Commission’s approval before they can merge. The merger would…
Content type: Long Read
There are few places in the world where an individual is as vulnerable as at the border of a foreign country.
As migration continues to be high on the social and political agenda, Western countries are increasingly adopting an approach that criminalises people at the border. Asylum seekers are often targeted with intrusive surveillance technologies and afforded only limited rights (including in relation to data protection), often having the effect of being treated as “guilty until proven…
Content type: Explainer
Hello friend,
You may have found your way here because you are thinking about, or have just submitted, a Data Subject Access Request, maybe to your Facebook advertisers like we did. Or maybe you are curious to see if Policing, Inc. has your personal data.
The right to access your personal data (or access right) is just one of a number of data rights that may be found in data protection law, including the European Union's General Data Protection Regulation, better known as "GDPR", which took…
Content type: Examples
The AI firm Faculty, which worked on the Vote Leave campaign, was given a £400,000 UK government contract to analyse social media data, utility bills, and credit ratings, as well as government data, to help in the fight against the coronavirus. This is at least the ninth contract awarded to Faculty since 2018, for a total of at least £1.6 million. No other firm was asked to bid on the contract, as normal public bodies’ requirements for competitive procurement have been waived in the interests…
Content type: Examples
The lack of data protection laws and the absence of a privacy commission are contributing factors to Pakistan’s failure to investigate or remedy security flaws in the country’s recently-launched COVID-19 tracking technology, which partially depends on a system originally developed to combat terrorism. While there are no reported cases of harassment or targeting based on the leak online of the personal details of thousands of COVID-19 volunteers, the lack of response fails to boost citizens’…
Content type: Frequently Asked Questions
The right to access your personal data (or access right) is just one of a number of data rights that may be found in data protection law, including the European Union's General Data Protection Regulation. Data Subject Access Requests, or DSARs, have helped us several times understand the extent of data companies and governments might hold on us, how this data might be shared among various recipients, or what other third parties a company might be using to obtain additional data and enrich their…
Content type: News & Analysis
This week, we read that a former Apple contractor who blew the whistle on the company’s programme to listen to users’ Siri recordings has decided to go public, in protest at the lack of action taken as a result of the July 2019 disclosures. The news adds to a series of revelations that have been reported over the past months.
While the issue raises serious questions regarding the compatibility of such practices with data protection laws, at the same time, it highlights a wider problem that…
Content type: News & Analysis
GDPR was hard won. PI, together with other civil society actors, fought from the beginning for a version of the law that offers the strongest rights and protections in the face of intense industry lobbying.
Holding the hidden data ecosystem to account
Two years ago, we committed to using GDPR to seek to hold to account the hidden data ecosystem - those companies that amass and exploit large amounts of our data for profit.
Here’s some of the action we’ve taken:
In Nov 2018,…