Follow-up on gdpr.observer in Belgium

Dear all,

thank you for a great time at OFFDEM and the days that followed.

With this message I wanted to summarise the state of gdpr.observer and how we could work with Petite Singularity with the aim of:

  1. start running the workflow as quickly as possible, with about fifty to a hundred institutional sites.
  2. test, start, or plan a campaign that will be done by PS, to remind us that not even government sites are privacy compliant. This will be informed by the data we will produce.

I will soon circulate a file in a suitable format. It should be YAML. The format allows you to add metadata at your discretion, e.g. if you want to mark the ‘type’ of institution (central government, municipal, school, police, etc.) or even the type of region; these are all metadata you can decide. In the results these will be included (they can help with filtering, visualisation, etc.). You can also think about it later, but in the test file I will give you it will be clear.

Unfortunately I had a bit of a backlog after the travel, and could already show progress in this. In the meantime, I will also contact the friend from Technopolice.be who said he was interested.

Meanwhile, if there is any list of public agencies online, that would be a good start.

/cc @natacha @how

I sent a few emails to various NIC-related and DPO-related addresses to obtain a list of public sites. Meanwhile, I figured out a couple of sources and gathered about 130 websites to test. The last line in the file has a URL for 1056 institutional and public sites for Belgium. I made YAML comments to indicate the sources (lines starting with -- ). So I guess we can launch a first test as soon as you like, @vecna. There are probably a few duplicates (e.g., www.bosa.be, bosa.be, bosa.fgov.be or so) so a sort | uniq might be useful.

domaines.txt (2.8 KB)

1 Like

Amazing! I did not think it would go that quick, super good.

Maybe before launching the tests we should think of a strategy. Could you share with us the message that was sent in Italy so we get an idea of how you proceeded?

2 Likes

Thanks for the input! I have progress to share too.

  1. The list was a good start, but I couldn’t use your comments.
  2. The list has been enriched with title, description and other elements that can be retrieved automatically, but it would be better if a manual selection were added, for example schools compared to other kinds of public agency. It might not be that important.
  3. I produced a new format thanks to this: gdpr.observer/belgium.yaml at main · vecna/gdpr.observer · GitHub

but the important parts missing are:

name:
  site:
  dpo: mail@address
  type:

Let’s say type might help to aggregate by category (school, ministry, municipality…). dpo is missing and might be complex to automate. All the other fields are optional.

Results

This is the first preliminary collection. From the API that produces the JSON results, I put them into a few more accessible visualizations.
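An added example (not code from gdpr.observer or from anyone in this thread) that loads a list in the two-level layout described above (institution name, then site / dpo / type), normalises each site value to a host so that duplicates of the kind mentioned in the earlier post (www.bosa.be next to bosa.be) collapse, merges any field the duplicate supplies, lists the entries whose dpo is still empty for manual lookup, and counts entries by type. The sample YAML, every institution and every address in it are constructed. The small parser understands only this layout and exists so the script runs without PyYAML; with PyYAML installed, yaml.safe_load on the same text gives the same dictionary.

```python
"""Normalise and deduplicate an institution list in the two-level YAML layout
(institution name -> site / dpo / type). Added example; not gdpr.observer's code."""
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the real belgium.yaml. It carries the kind of
# duplicate mentioned in the thread and one entry with an empty dpo.
SAMPLE_YAML = """\
# constructed sample, not the real belgium.yaml
BOSA:
  site: https://www.bosa.be/
  type: central government
Bosa (duplicate entry):
  site: bosa.be
  dpo: dpo@example.invalid   # hypothetical address
  type: central government
City of Example:
  site: http://www.example-city.invalid/fr/home
  type: municipal
Example School:
  site: school.example.invalid
  dpo:
  type: school
"""


def parse_institutions(text):
    """Parse the two-level layout only: an unindented 'Name:' line opens an
    entry, indented 'key: value' lines fill it, '#' starts a comment.
    An empty value (e.g. 'dpo:') becomes None, as PyYAML would do."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top level: the institution name
            current = line.rstrip(":").strip()
            entries[current] = {}
            continue
        key, _, value = line.strip().partition(":")   # first ':' only, URLs keep theirs
        entries[current][key.strip()] = value.strip() or None
    return entries


def canonical_host(site):
    """Reduce a site value to a comparable host: add a scheme if the value is a
    bare domain, lowercase, drop a leading 'www.'. Hosts such as bosa.be and
    bosa.fgov.be stay distinct and still need a manual merge."""
    if not site:
        return None
    if "://" not in site:
        site = "https://" + site
    host = (urlsplit(site).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def dedupe(entries):
    """Keep one entry per canonical host. The first occurrence wins but gains
    any field (typically dpo) that a later duplicate fills in."""
    by_host, dropped = {}, []
    for name, fields in entries.items():
        host = canonical_host(fields.get("site"))
        if host in by_host:
            kept = by_host[host]["fields"]
            for key, value in fields.items():
                if value and not kept.get(key):
                    kept[key] = value
            dropped.append(name)
        else:
            by_host[host] = {"name": name, "fields": dict(fields)}
    return by_host, dropped


def missing_dpo(by_host):
    """Institutions whose dpo is absent or empty, the field hardest to automate."""
    return sorted(e["name"] for e in by_host.values() if not e["fields"].get("dpo"))


def count_by_type(by_host):
    """Aggregate by the 'type' metadata, the grouping suggested for the results."""
    return Counter(e["fields"].get("type") or "unknown" for e in by_host.values())


def run(text=SAMPLE_YAML):
    by_host, dropped = dedupe(parse_institutions(text))
    return {
        "hosts": sorted(by_host),
        "dropped": dropped,
        "dpo_by_host": {h: e["fields"].get("dpo") for h, e in by_host.items()},
        "missing_dpo": missing_dpo(by_host),
        "by_type": dict(count_by_type(by_host)),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(key, value)
```

Running it on the constructed sample drops the second BOSA entry while keeping the dpo address only that entry carried, and leaves two institutions on the missing-dpo list.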

Sure, it is this (but in Italian):

To the attention of the DPO (Data Protection Officer) of the Institution.

Formal notice for the unlawful use of Google Analytics on c_l751, in violation of the General Data Protection Regulation 2016/679 (GDPR)

Dear Institution,

we are a group of Italian hackers, activists and citizens attentive to privacy and to the protection of the cyber rights of our country: https://privacy.g0v.it

We have found that your Institution uses Google Analytics (GA) on its website […], even though it is by now settled that this tool does not comply with the GDPR principles regarding cross-border transfers of personal data.

The use of GA has in fact been found unlawful by the EDPS, with regard to the data processing carried out by the European Parliament, by the Austrian supervisory authority and most recently by the French one (see in summary https://noyb.eu/en/edps-sanctions-parliament-over-eu-us-data-transfers-google-and-stripe).

We consider that the Institution’s continuation of such an evidently unlawful processing of personal data, which entails an unjustified and massive cross-border transfer of personal data concerning all users of the site www.nomesito.ext.it, constitutes a serious violation that must cease immediately.

We therefore invite you to immediately remove GA and any other analytics or tracking tool that produces similar effects.

The above violation, attributable to your Institution nome dell’Ente, as data controller, in the person of its legal representative pro tempore […], exposes the Institution itself to the administrative fines provided for by Art. 83 of the GDPR.

This notice is sent for information purposes, precisely in order to allow a rapid removal of Google Analytics, referring to the recommendations of the Agenzia per l’Italia Digitale Web Analytics Italia https://www.agid.gov.it/design-servizi/web-analytics-italia

The overall report on the Public Administrations in violation, with particular regard to those that have not promptly removed GA, will be published as a report and sent as a complaint to the Garante per la Protezione dei Dati and to the Difensore Civico Digitale.

Please note, the references written in the first batch of emails changed after a few months. Instead of quoting the French DPA, the Italian one was quoted, because it stated that, in fact, the Monitora PA action was right.

To the attention of the DPO (Data Protection Officer) of the institution.

Notice of unlawful use of G̸͍͇̚á̶̙̘g̷̋͝ͅģ̶̓l̸͍̀e̸̻͐ Analytics on SITE_REFERENCE, in violation of the General Data Protection Regulation 2016/679 (GDPR).

Dear Entity,

we are an association under Belgian law engaged in European research for the Next Generation Internet (NGI), made up of citizens concerned about privacy and the protection of digital rights: https://ps.lesoiseaux.io.

We have detected that your organisation uses G̸͍͇̚á̶̙̘g̷̋͝ͅģ̶̓l̸͍̀e̸̻͐ Analytics (GA) on its website […], whereas it is now public knowledge that this tool does not comply with the GDPR principles concerning cross-border transfers of personal data.

Indeed, the use of GA has been ruled unlawful by the EDPS, with regard to the data processing by the European Parliament, by the Austrian supervisory authority and more recently by the French supervisory authority (see in summary: EDPS sanctions Parliament over EU-US data transfers to Google and Stripe).

We consider that the Entity’s maintenance of such manifestly unlawful processing of personal data, involving an unjustified and massive cross-border transfer of personal data concerning all users of the site SITE_REFERENCE, constitutes a serious breach that must be ended immediately.

We therefore request the immediate removal of GA and of any other analytics or tracking tool producing similar effects.

The above-mentioned breach, attributable to your Entity as data controller, in the person of its legal representative pro tempore […], exposes your Entity to the administrative fines provided for by Art. 83 of the GDPR.

This notice is sent for information purposes, precisely to allow a rapid removal of G̸͍͇̚á̶̙̘g̷̋͝ͅģ̶̓l̸͍̀e̸̻͐ Analytics, with reference to the recommendations of the Agenzia per l’Italia Digitale Web Analytics Italia (Web Analytics Italia | Agenzia per l'Italia digitale).

The overall report on the public administrations in breach, with particular attention to those that have not promptly removed GA, will be published as a report and sent as a notification to the Data Protection Authority and to the Digital Ombudsman.

This would be a template variable.

We should probably find something like this in Belgium.

matrix channel

#gdpr.observer:42.chat

new results

I ran the test again yesterday, changed the testing day to 22 in the API, and the previous link now renders the new results: Belgium case study / Claudio Agosti | Observable

1 Like

I am at the interhack. Will look at it next week.

1 Like

A small list of updates:

  1. Yesterday a privacy activist in Lisbon pointed me to https://dados.gov.pt/, which is the open data portal of Portugal. Among the datasets there is, for example, Agrupamentos de Escolas ou Escolas não Agrupadas: websites e histórico de versões no Arquivo.pt - Agosto 2021 - dados.gov.pt - Portal de dados abertos da Administração Pública, the list of schools.
  2. It was simple to start the import (note: only a partial list, because we want to be quick), fork the visualization on observablehq, change the API, and display the results: Please C & S, fork the page, trim the description of your user, and describe the input and the output for the right audience / Claudio Agosti | Observable
  3. The day before, I made a test on all the EDRi organizations, as previously agreed: European Digital Rights preliminary survey / Claudio Agosti | Observable. But one of the important realizations is that the concept of Beacons might not be entirely accurate in the way the Web Evidence Collector is analyzing them. For example, there are organizations using Piwik and Matomo, but easyprivacy.txt counts them as trackers, and therefore they are reported as beacons.

Concerning Open Data in Portugal you might want to get in touch with Manufactura Independente, Ana Carvalho and Ricardo Lafuente; they have been quite active in (and also critical of) the open data movement in Portugal.
http://ricardolafuente.com/

1 Like

Thanks @natacha, I forwarded the message (they know them, but they say it is a good reminder to reach out :wink:).

[p.s. I’m still the only one in #gdpr.observer:42.chat]

Probably it was a problem with the 42.chat server, which was not allowing remote listing of rooms, and therefore only people on that server could easily join.

Now I have opened a new dedicated chatroom. It is now: #gdpr.observer:matrix.org

1 Like