GDPR and Irish politics.

FrancieBrady · 23-04-2021 1:34pm #1

Deserves a thread if it's own with all parties having issues with compliance.

What are the implications of proper compliance to GDPR for Irish politics?

My opinion (not expert by any stretch) is that it is too restrictive in the modern age. I get that the data has to be available to people who want to know what is held on them But what are the implications of misuse of this data? Can anyone lay them out in a real world way?

Another question would be, what has the DPC being doing if this has been going on? Is he/she remiss in not checking this?

francois · 23-04-2021 1:42pm

FrancieBrady wrote: »

Deserves a thread if it's own with all parties having issues with compliance.

What are the implications of proper compliance to GDPR for Irish politics?

My opinion (not expert by any stretch) is that it is too restrictive in the modern age. I get that the data has to be available to people who want to know what is held on them But what are the implications of misuse of this data? Can anyone lay them out in a real world way?

Another question would be, what has the DPC being doing if this has been going on? Is he/she remiss in not checking this?

GDPR is fine and needed. In fact Id like it to properly policed and more power given to the DPC. Look how the latest Facebook leak of half a billion names was treated by a shrug of Zuckerberg's shoulders.... presume the context for this is the SF db?

FrancieBrady · 23-04-2021 1:46pm

francois wrote: »

GDPR is fine and needed. In fact Id like it to properly policed and more power given to the DPC. Look how the latest Facebook leak of half a billion names was treated by a shrug of Zuckerberg's shoulders.... presume the context for this is the SF db?

In what way 'more powers'? He/she surely had the power to ensure parties were fully compliant.

*Yes, this is in the context of what came out about SF's database, but as we know now, all parties are under scrutiny and have issues. They are all coming into committee to answer questions.

Dyr · 23-04-2021 1:49pm

GDPR was needed but it is most definitely not fine, its a byzantine mess that's added significant cost and significant complexity to European businesses and them less competitive. You can tell it was designed by people who love creating rules, EU bureaucrats and legal professionals

It should have introduced a simple ruleset and built on it rather than the current mess.

francois · 23-04-2021 1:54pm

Bambi wrote: »

GDPR was needed but it is most definitely not fine, its a byzantine mess that's added significant cost and significant complexity to European businesses and them less competitive. You can tell it was designed by people who love creating rules, EU bureaucrats and legal professionals

It should have introduced a simple ruleset and built on it rather than the current mess.

There's 7 principles to adhere to, not particularly difficult to apply, and I say this as someone involved with these in my job

blanch152 · 23-04-2021 2:05pm

GDPR can be viewed as similar to road traffic offences. If you have been driving for 40 years, you are bound to have exceeded a speed limit here or there, not given enough space to cyclists, braked too sharply etc. Most of these happen as a result of carelessness or oversight. Similarly, with GDPR, if you are handling large amounts of data, you will on occasion not be in compliance in a similar way.

At the same time, there are offences linked to road traffic which are of a serious nature - dangerous driving, driving under the influence, dangerous driving causing injury or death. Similarly, with GDPR, there are offences which are much more serious than others, such as centralised databases with the electoral register used to profile voters.

Minor inadvertent or careless breaches of GDPR shouldn't be used as a distraction from significant and serious breaches.

AndrewJRenko · 23-04-2021 2:37pm

blanch152 wrote: »

Similarly, with GDPR, there are offences which are much more serious than others, such as centralised databases with the electoral register used to profile voters.

.

How exactly did you work out that holding a centralised database with the electoral register used to profile voters is a GDPR offence?

KildareP · 23-04-2021 2:54pm

AndrewJRenko wrote: »

How exactly did you work out that holding a centralised database with the electoral register used to profile voters is a GDPR offence?

Profiling requires consent.

Taking the electoral register and blindly knocking on doors is not profiling.

Taking the electoral register, then adding additional information from other sources to it in order to build a better picture of each individual voter to better target them with a view to securing their vote for you is profiling.

AndrewJRenko · 23-04-2021 2:56pm

KildareP wrote: »

Profiling requires consent.

Taking the electoral register and blindly knocking on doors is not profiling.

Taking the electoral register, then adding additional information from other sources to it in order to build a better picture of each individual voter to better target them with a view to securing their vote for you is profiling.

So did they get consent?

KildareP · 23-04-2021 2:58pm

AndrewJRenko wrote: »

So did they get consent?

This is what the Irish DPC and UK ICO are currently investigating.

FrancieBrady · 23-04-2021 2:58pm

KildareP wrote: »

Profiling requires consent.

Taking the electoral register and blindly knocking on doors is not profiling.

Taking the electoral register, then adding additional information from other sources to it in order to build a better picture of each individual voter to better target them with a view to securing their vote for you is profiling.

I'm wondering if that is too restrictive? If used properly what is the harm in gathering this kind of data?
The worst that can happen is the data is wrong and the profiled votes another way?

KildareP · 23-04-2021 3:02pm

FrancieBrady wrote: »

I'm wondering if that is too restrictive? If used properly what is the harm in gathering this kind of data?
The worst that can happen is the data is wrong and the profiled votes another way?

That question is in many ways subjective.

If I were to ask you what you thought of Cambridge Analytica and their involvement in Donald Trump's election win, for example?

FrancieBrady · 23-04-2021 3:03pm

KildareP wrote: »

That question is in many ways subjective.

If I were to ask you what you thought of Cambridge Analytica and their involvement in Donald Trump's election win, for example?

Did you miss this bit?

If used properly

KildareP · 23-04-2021 3:05pm

FrancieBrady wrote: »

Did you miss this bit?

Define "properly".

FrancieBrady · 23-04-2021 3:07pm

KildareP wrote: »

Define "properly".

For electoral purposes.

KildareP · 23-04-2021 3:08pm

FrancieBrady wrote: »

For electoral purposes.

Which is exactly what Donald Trump used Cambridge Analytica for.

AndrewJRenko · 23-04-2021 3:10pm

KildareP wrote: »

This is what the Irish DPC and UK ICO are currently investigating.

So you don't know and I don't know and Blanch doesn't know, even though they've somehow already decided that this is an 'offence'.

KildareP · 23-04-2021 3:22pm

AndrewJRenko wrote: »

So you don't know and I don't know and Blanch doesn't know, even though they've somehow already decided that this is an 'offence'.

Until the DPC/ICO complete their investigation and publish their report, then no, none of us can state they are found guilty of an offence, until they have, well, been found guilty.

However it is widely reported they were already established not to be in compliance with at least two areas of GDPR so far:
(1) that SF were required to appoint a Data Protection Officer, but did not
(2) that SF were required to carry out a risk assessment on the data collection activity, but did not.

The question of whether they had the consent on the profiling aspect remains to be seen also.

blanch152 · 23-04-2021 3:29pm

KildareP wrote: »

Until the DPC/ICO complete their investigation and publish their report, then no, none of us can state they are found guilty of an offence, until they have, well, been found guilty.

However it is widely reported they were already established not to be in compliance with at least two areas of GDPR so far:
(1) that SF were required to appoint a Data Protection Officer, but did not
(2) that SF were required to carry out a risk assessment on the data collection activity, but did not.

The question of whether they had the consent on the profiling aspect remains to be seen also.

It is not just widely reported, it was confirmed by Mary-Lou herself on Prime Time that SF are not in compliance with GDPR and that previous statements that they were were false.

blanch152 · 23-04-2021 3:30pm

FrancieBrady wrote: »

I'm wondering if that is too restrictive? If used properly what is the harm in gathering this kind of data?
The worst that can happen is the data is wrong and the profiled votes another way?

That is extremely naive. A political party building a database on every single voter in the country doesn't alarm you in any way?

23-04-2021 3:35pm

KildareP wrote: »

That question is in many ways subjective.

If I were to ask you what you thought of Cambridge Analytica and their involvement in Donald Trump's election win, for example?

I’d say that has been widely disproven and is a moral panic.

With regard to the property register and the electoral register I would rather that neither were online. My experience with GDPR is a fair amount of extra work at work and little benefit in terms of spam etc. Those guys weren’t obeying the rules to begin with.

FrancieBrady · 23-04-2021 3:35pm

KildareP wrote: »

Which is exactly what Donald Trump used Cambridge Analytica for.

Cambridge Analytica are a private consulting firm.

I am talking about a political party doing this and using it for electoral purposes.

AndrewJRenko · 23-04-2021 3:39pm

blanch152 wrote: »

It is not just widely reported, it was confirmed by Mary-Lou herself on Prime Time that SF are not in compliance with GDPR and that previous statements that they were were false.

Just to be clear, what you said was; "there are offences which are much more serious than others, such as centralised databases with the electoral register used to profile voters". That is false. A centralised database with the electoral register used to profile voters is not an offence under GDPR.

It remains to be seen whether the SF database complied with GDPR. But there is not in principle wrong with such a database.

FrancieBrady · 23-04-2021 3:40pm

blanch152 wrote: »

That is extremely naive. A political party building a database on every single voter in the country doesn't alarm you in any way?

Not particularly, given I have known since the 70's that political parties do this.

If I could use a gun analogy, there is nothing inherently wrong with a gun, it is what it is used for is the problem.

What is the problem (nobody has outlined one) using this data for canvassing and electoral purposes?

Again, I think a DPC doing their job properly could keep an eye on stuff like this. He/she is supposed to be anyway and I hope questions are asked why so many issues across parties in compliance, as it is.

blanch152 · 23-04-2021 3:42pm

AndrewJRenko wrote: »

Just to be clear, what you said was; "there are offences which are much more serious than others, such as centralised databases with the electoral register used to profile voters". That is false. A centralised database with the electoral register used to profile voters is not an offence under GDPR.

It remains to be seen whether the SF database complied with GDPR. But there is not in principle wrong with such a database.

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

KildareP · 23-04-2021 3:46pm

FrancieBrady wrote: »

Cambridge Analytica are a private consulting firm.

I am talking about a political party doing this and using it for electoral purposes.

That is some impressive contortion!

Either it's acceptable practice or it's not.

Let's consider another example - the HSE/Dept of Health building "dossiers" from private and confidential patient medical records of people it considers are very likely to sue them in the future. All done in house. Is that acceptable?

FrancieBrady · 23-04-2021 3:48pm

blanch152 wrote: »

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

The question I asked is, what is the problem with that, if it is used for more efficient electioneering?

Is GDPR getting in the way here?

FrancieBrady · 23-04-2021 3:49pm

KildareP wrote: »

That is some impressive contortion!

Either it's acceptable practice or it's not.

Let's consider another example - the HSE/Dept of Health building "dossiers" from private and confidential patient medical records of people it considers are very likely to sue them in the future. All done in house. Is that acceptable?

What?

I am asking about using this information properly, as a tool to be more efficient, not for nefarious improper use.

blanch152 · 23-04-2021 3:50pm

FrancieBrady wrote: »

Not particularly, given I have known since the 70's that political parties do this.

If I could use a gun analogy, there is nothing inherently wrong with a gun, it is what it is used for is the problem.

What is the problem (nobody has outlined one) using this data for canvassing and electoral purposes?

Again, I think a DPC doing their job properly could keep an eye on stuff like this. He/she is supposed to be anyway and I hope questions are asked why so many issues across parties in compliance, as it is.

As someone else said, every organisation will have inadvertent and minor breaches of GDPR from time to time, given the nature of GDPR. However, a deliberately constructed database using information from voters obtained and stored without their consent is a horse of a very different colour.

There is no problem using the electoral register for canvassing and political purposes i.e. to identify where voters live and how many voters are in a particular dwelling or to address a general letter or election material to each individual. Those are the types of things the electoral register can be used for.

However, once, in an organised and systematic way (and there are more important considerations if you do this electronically, such as limiting access) you add additional information, such as likely voting intentions or that this person follows Mairia Cahill or Gerry Adams on Facebook, then you are doing something that is a huge problem because you don't have consent.

As for the DPC, they are doing their job, and I look forward to seeing the outcome.

crossman47 · 23-04-2021 3:50pm

KildareP wrote: »

Profiling requires consent.

Taking the electoral register and blindly knocking on doors is not profiling.

Taking the electoral register, then adding additional information from other sources to it in order to build a better picture of each individual voter to better target them with a view to securing their vote for you is profiling.

Is it any different to the old pen and paper approach of marking likely voters on the register to ensure, for example, they got a lift to the polling station?

Gloomtastic! · 23-04-2021 3:51pm

Niall Ring, the former Dublin mayor, was up before the courts owing hundreds of 1000s on his €1million mortgage for his palatial house in Clontarf.

The loan had been repaid in full your honour. Where did the funds come from? the judge asked.

Ring’s lawyer said he couldn’t disclose that due to GDPR.

Ok, said the judge. Next!

You really couldn’t make this up.

http://www.irishtimes.com/news/crime-and-law/bank-s-1m-claim-to-dublin-mayor-s-home-struck-out-1.3793766?mode=amp

AndrewJRenko · 23-04-2021 3:51pm

blanch152 wrote: »

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

Yes, consent is indeed an issue, a very big issue.

But we don't have any information about what consent was sought.

It is likely that they have a base layer of the electoral register data, and optional additional layers with canvass information and Facebook findings.

If all they hold about you is the electoral register, I'm not sure consent would be a big issue.

francois · 23-04-2021 3:54pm

blanch152 wrote: »

If the database consists of the electoral register and nothing else, there is no problem. The question, is to what purpose is such a database, unless you include other information garnered from voters. Unless you get the consent of every single voter for that other information you put on that database, then there is a problem, and it is a big one, given the nature of the database.

Indeed, if there is only the freely available information of address and resident, that is not an issue, where problems arise are other things which may identify a voter to target-socio-economic group, sexual orientation etc, these would raise red flags.
If the db is a mail list fine under GDPR, if this is for identifying potential voters who have not given consent to have anything other than the address and resident name, not fine.
Furthermore if anyone feels that they do not want to be on the DB, their information must be removed withing 30 days under right to erasure, you can also request to see what information is being stored in the DB

FrancieBrady · 23-04-2021 3:54pm

blanch152 wrote: »

As someone else said, every organisation will have inadvertent and minor breaches of GDPR from time to time, given the nature of GDPR. However, a deliberately constructed database using information from voters obtained and stored without their consent is a horse of a very different colour.

There is no problem using the electoral register for canvassing and political purposes i.e. to identify where voters live and how many voters are in a particular dwelling or to address a general letter or election material to each individual. Those are the types of things the electoral register can be used for.

However, once, in an organised and systematic way (and there are more important considerations if you do this electronically, such as limiting access) you add additional information, such as likely voting intentions or that this person follows Mairia Cahill or Gerry Adams on Facebook, then you are doing something that is a huge problem because you don't have consent.

Why is it a problem...you keep stopping short of that. If that info is used for electoral purposes? (Why you would want to know who they follow on twitter is another story)

As for the DPC, they are doing their job, and I look forward to seeing the outcome.

Are they? How hard was it for a DPC to check that cookies weren't being kept, the party had appointed the proper officers and roles, that the data was in the EU etc?

Seems to me the DPC might need a rousing boot in the proverbial here.

blanch152 · 23-04-2021 3:58pm

crossman47 wrote: »

Is it any different to the old pen and paper approach of marking likely voters on the register to ensure, for example, they got a lift to the polling station?

For a start, Joe Smith, SF member in Cork can check if his cousin Michael Smith in Kerry is a likely SF voter on the database. That was not possible in the past, and represents quite a significant shift in the ability to use information, one of the driving reasons behind GDPR.

Sinn Fein will have two difficulties with this database. Firstly, they won't have consent from each individual. Secondly, allowing all members access to the database as reported is a very serious breach.

Social Welfare have had to tighten up procedures because of scandals in previous years, to give an example.

https://www.independent.ie/irish-news/personal-security-called-into-question-by-breach-26324999.html

https://www.irishtimes.com/news/social-welfare-probe-over-breaches-1.688332

Closing the door on a SF canvasser does not give them permission to tell every SF member in the country that I am not a SF voter.

Overheal · 23-04-2021 4:00pm

KildareP wrote: »

Which is exactly what Donald Trump used Cambridge Analytica for.

You both gave me a good chuckle with this exchange

blanch152 · 23-04-2021 4:01pm

AndrewJRenko wrote: »

Yes, consent is indeed an issue, a very big issue.

But we don't have any information about what consent was sought.

It is likely that they have a base layer of the electoral register data, and optional additional layers with canvass information and Facebook findings.

If all they hold about you is the electoral register, I'm not sure consent would be a big issue.

Yes, if all they hold about you is the electoral register, there is no issue. However, the information in the public domain, including from Sinn Fein sources, is that there is much more information than that. The second question is who has access and how is that regulated.

KildareP · 23-04-2021 4:09pm

FrancieBrady wrote: »

What?

I am asking about using this information properly, as a tool to be more efficient, not for nefarious improper use.

Again, "using the information properly" is subjective.

SF believe they are using the information properly just as Trump/CA believed they were using the information properly. You clearly believe both cases are acceptable.

If you're someone who doesn't believe that an organisation should be able to profile individuals for the gain of that organisation, without implementing controls or even obtaining consent (although we don't know yet if SF gathered consent), then you're going to be of the opposite opinion and think such activity is completely unacceptable and improper use of information.

Thankfully, the GDPR sets down rules that state what requirements must be met in order to be deemed to be "using the information properly".

Naturally, if you are someone who thinks blanket profiling without control is acceptable and proper use of information then of course you are going to see the GDPR as burdensome.

Colonel Claptrap · 23-04-2021 4:10pm

Which arm of SF has access to the data?

SF Dublin?
SF Belfast?
SF Frankfurt?

cee_jay · 23-04-2021 4:13pm

FrancieBrady wrote: »

Are they? How hard was it for a DPC to check that cookies weren't being kept, the party had appointed the proper officers and roles, that the data was in the EU etc?

Seems to me the DPC might need a rousing boot in the proverbial here.

What do you think the role of the DPC is? Proactive or reactive?

FrancieBrady · 23-04-2021 4:15pm

KildareP wrote: »

Again, "using the information properly" is subjective.

SF believe they are using the information properly just as Trump/CA believed they were using the information properly. You clearly believe both cases are acceptable.

If you're someone who doesn't believe that an organisation should be able to profile individuals for the gain of that organisation, without implementing controls or even obtaining consent (although we don't know yet if SF gathered consent), then you're going to be of the opposite opinion and think such activity is completely unacceptable and improper use of information.

Thankfully, the GDPR sets down rules that state what requirements must be met in order to be deemed to be "using the information properly".

Naturally, if you are someone who thinks blanket profiling without control is acceptable and proper use of information then of course you are going to see the GDPR as burdensome.

I honestly don't believe that recording what is in fact a guess (how somebody might vote) beside a name in the electoral register is a crime of any magnitude.

Nobody is saying why this is a bad thing.

If somebody is using data improperly that is wrong and should not happen (Can we put the CA and conspiracy stuff to one side and discuss 'proper use')

KildareP · 23-04-2021 4:15pm

crossman47 wrote: »

Is it any different to the old pen and paper approach of marking likely voters on the register to ensure, for example, they got a lift to the polling station?

That would fall equally foul of the GDPR

It doesn't matter the format the data is held in, it's that the data exists and is held in the first place.

The only difference today is that doing it electronically is significantly faster, can capture far more information, often covertly, can be transported, stored and made accessible much easier and can be sorted and churned with little to no human intervention.

FrancieBrady · 23-04-2021 4:16pm

cee_jay wrote: »

What do you think the role of the DPC is? Proactive or reactive?

I would say given the nature of the activity it would have to be constantly proactive.

Is it good enough that he/she didn't know until a newspaper wrote about it?

Why isn't he/she regularly questioning parties on this, why only now?

cee_jay · 23-04-2021 4:29pm

FrancieBrady wrote: »

I would say given the nature of the activity it would have to be constantly proactive.

Is it good enough that he/she didn't know until a newspaper wrote about it?

Why isn't he/she regularly questioning parties on this, why only now?

That is not the role of the DPC though. They act through complaints, and try to drive compliance in organisations. Why single out political parties for proactivity? There are lots of activities which hold personal data.
The onus is on the company (or political party in this case) to be compliant with the law.

FrancieBrady · 23-04-2021 4:33pm

cee_jay wrote: »

That is not the role of the DPC though. They act through complaints, and try to drive compliance in organisations. Why single out political parties for proactivity? There are lots of activities which hold personal data.
The onus is on the company (or political party in this case) to be compliant with the law.

Not according to themselves.

Accordingly, the DPC is the Irish supervisory authority responsible for monitoring the application of the General Data Protection Regulation (GDPR), and we also have functions and powers related to other regulatory frameworks, including the Irish ePrivacy Regulations (2011) and the EU Directive known as the Law Enforcement Directive (LED). The statutory powers, duties and functions of the DPC are as established under the Data Protection Act 2018, which gives further effect to the GDPR, and also gives effect to the LED.

Our Mission
Safeguarding data protection rights by driving compliance through guidance, supervision and enforcement.

They are responsible for 'monitoring compliance' and 'driving compliance through guidance, supervision and enforcement.

So how did their 'monitoring' miss this stuff? And why was it not 'enforced'?

Jimbob1977 · 23-04-2021 4:35pm

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

expectationlost · 23-04-2021 4:36pm

blanch152 wrote: »

That is extremely naive. A political party building a database on every single voter in the country doesn't alarm you in any way?

why would something that you already presumed occurred alarm you

skimpydoo · 23-04-2021 4:48pm

Mary Lou said last night that SF used to have a data compliance offer but now have a data protection officer. It looks like they might have been slightly confused about GDPR and I am sure other political parties were as equally confused no matter how you try to spin it.

AndrewJRenko · 23-04-2021 4:53pm

Jimbob1977 wrote: »

GDPR is a suffocating piece of legislation.

Person A: I need you to furnish me with xyz report immediately.

Person B: Sorry, I can't

Person A: Why not?

Person B: Under GDPR, you made me delete the report last month, remember?

It is an over-engineered piece of legislation that has frustrated commerce.

Except that didn't happen.

Lots of stuff gets blamed on GDPR but has nothing to do with GDPR.

Floppybits · 23-04-2021 4:58pm

AndrewJRenko wrote: »

Except that didn't happen.

Lots of stuff gets blamed on GDPR but has nothing to do with GDPR.

GDPR has been the greatest gift to the government departments. They can now deny anything and everything and cite GDPR as the reason why they can do something and they just love hiding behind it. Remember the all the guest signing books are tourist locations being removed because of GDPR and then having to be put back.

cee_jay · 23-04-2021 4:59pm

FrancieBrady wrote: »

Not according to themselves.

They are responsible for 'monitoring compliance' and 'driving compliance through guidance, supervision and enforcement.

So how did their 'monitoring' miss this stuff? And why was it not 'enforced'?

How do you propose they monitor databases they have no knowledge of?

GDPR and Irish politics.

Comments