The AV referendum appears to have been acting as a dry run. During the campaign we can see the Action Centre section of the now defunct website (via Wayback Machine), where widgets could be added to blogs, Facebook and websites. Supportive tweets could be sent directly via the website and donations could be made which required names and addresses. All this information helping to build a database of supporters. Is it a coincidence that subsequently Metis began life in 2013 covering already 500,000 people?
What's interesting is this section of the Privacy Policy on the NotoAV website, (my emphasis):
We may provide other third parties with information about our users, where this is likely to contribute to a successful outcome in the referendum for our campaign. Where you have not indicated that you agree to such sharing we will only provide third parties with statistical information cannot be used to identify you.Curiously one of Matthew Elliott's other business ventures Business for Britain does not have such an explicit "overseas third party" clause.
We may engage a third party to help us carry out any of our activities and these third parties may be located in countries that do not provide the same level of protection as is provided in the United Kingdom. We will ensure that these third parties have an obligation to protect your information in the same way that we protect your information.
That NotoAV did begins to make more sense when we consider that Strateusis submitted a number of invoices to the AV campaign including this one below for £7,000 providing Search and Facebook marketing services:
Strateusis is, as we have noted before, registered in Hong Kong. Providing Facebook marketing services would strongly suggest it needs access to the database being accumulated, meaning that a copy of the data would be offshored.
If so this raises further concerns. Hong Kong data protection laws "are miles away" from developments internationally particularly within the EU. The main privacy law is the Personal Data (Privacy) Ordinance (Cap 486) (the Ordinance). But crucially Section
33 of the Ordinance which prohibits the transfer of data overseas has never been enacted, meaning there currently is no effective legal restriction on cross-border data
transfers in Hong Kong (Guidance on Section 33 published by the
Privacy Commissioner is voluntary and not binding).
No comments:
Post a Comment