
Workshop: 28th November 2021

So, we have tackled Online Abuse and Hacking. What is the difference between
hacking (computer misuse) and data protection issues? In a grand, sweeping
generalisation: one involves breaking into a computer with no authorisation and DP
involves being negligent with data that you have been given or lawfully acquired.
The key issue is how we define ‘given’. If I give you my contact details so you can
send me an invoice and do some work, that’s the purpose. Now, if you sell that data
(name, house, general income bracket, tastes – valuable to a marketing firm)
without my knowledge to a third-party company, you have broken my trust.
Moreover, if that third party company is negligent with my data and leaks it to cyber
criminals, as careful as I am with my data, there is nothing I can do to protect against
that leak save for demanding UK-GDPR compliance.

Reading

If you want to bash through everything, go for Ch 22 and 23. However, if you want
to concentrate on the key sections, see Ch 22.2 (pp572-585) and 22.3 (pp587-592).
Pages 563-568 look at the introduction to the topic. Key provisions are in bold above.

If you’re struggling to understand the GDPR text itself, check this site out:
https://gdpr.eu/tag/gdpr/. It makes the whole thing a lot easier to read and links
relevant recitals. This is the original ‘frozen/EU’ GDPR, but most of the key principles
still apply.

The Future of Data Protection

Of course, there are reforms on the horizon. These do not change the substantive
meat of the UK-GDPR because we need our data protection laws to align with the EU
so that we can do business with it (the adequacy decision) but some may be
relevant. We will discuss these in the second week of data protection.

[Optional Reading and Viewing]

In my opinion, Murray is the most helpful text here; however, we also have Ian J
Lloyd on LawTrove and he has a good section on the principles of data protection in
Chapter 5 (pp71-78). Those of you using slightly older physical books should be sure
to access the latest edition on LawTrove for this topic.

I have also included a couple of videos. The first is an easier view. I used to think
that Ed was a dangerous traitor but as time has gone on I have started to sympathise
with the situation in which he found himself. I cannot say the same for Assange tbh,
but we can debate this in the workshop. All opinions welcome.

https://youtu.be/Ezp16KD8dVw?t=128 This is the Edward Snowden video. Kick
back and consider this from the vantage point of a world in which we thought such
mass surveillance systems were the work of paranoid sci-fi conspiracy.

https://www.youtube.com/watch?v=Assdm6fIHlE This is by a private company
that sells data protection advice services. Some of their sources are sales materials,
others are actually quite helpful briefing papers. This is a TLDR view on the GDPR.

Workshop Case Study Particulars

Data Protection Implications for Arasaka PLC and the Afterlife Café

Workshop Instructions

Because of the complexity of this case, the Information Commissioner’s Office is asking
Counsel to advise as to any potential culpability under the GDPR / UK-GDPR in relation
to any parties Counsel sees fit.

Background

Miss Rogue Amendiares offers a free WiFi service to her customers at her business, the
Afterlife Café. The WiFi network is provided and managed by Arasaka PLC though this is not
stated anywhere. The network uses a WEP security key that is considered by modern
standards to be out of date. The key is printed on the menu found on every table along with
a note that states: “use this WiFi system at your own risk. You consent to us processing
your data and we cannot be held responsible for security”.

On the 5th of July, 2021, Mr DeShawn attended the Afterlife Café with a view to conducting a
man-in-the-middle attack on Miss Amendiares’ customers. Mr DeShawn saved vast
amounts of traffic from his victims’ online activities during many visits to the café over the
course of several weeks.

Miss Amendiares contracts with a firm owned by one of her customers: Arasaka PLC. This
company, among other things, offers data management services aimed at making
automation easier for businesses.

Arasaka PLC provides in its contract with Miss Amendiares that she has the power to
determine how they should handle her customer data and she can insist that Arasaka delete
the data at any time. She is tied to Arasaka PLC for a 24-month period and they retain data
pertaining to her business including her financial details for 6 years. Unless she demands
Arasaka delete her customers’ data, they keep that data for 6 years as well.

The data Miss Amendiares passes to Arasaka includes menu information, opening and
closing times, information about her business and customer billing information as Arasaka
manage the Café’s point of sale system.

[At this point, we’re looking at Arasaka as a controller or possibly a joint
controller – most likely, a sole controller, as the café does not have anything to do with
processing the survey results.]

Arasaka harvests information from the free WiFi service where customers are asked to fill in
a survey about themselves before being able to access the internet. Arasaka retains this
data without the knowledge of the customers, who believe that it is the Afterlife Café that is
taking it. The survey contains information about customer details, demographics, income,
ethnicity, and sexual orientation along with a brief IQ test. They are also asked to upload a
photo of themselves. Arasaka retain this data indefinitely and claim ownership over it and
refer to it euphemistically as the ‘Soul Database’.

It is alleged that Arasaka is using this data to build a genetic profile of as many people as it
can with the intention of recruiting and persuading these people to participate in neuro-digital
experiments. It also uses this data to refine its recruitment processes.

Miss Amendiares recently subscribed to their Premium Autonomous Package that
autonomously offers meals from a managed web platform. Customers are able to order
from home, the order is sent to the café and Arasaka’s system schedules a courier it recruits
on Miss Amendiares’ behalf, autonomously. The food is then passed to the courier by the
café staff. Payment is handled by Arasaka autonomously as is dismissal/termination of
couriers. All staff are the employees or contractors of Miss Amendiares.

It is further alleged that Arasaka were subject to a data breach by a notorious hacker: Judy
Alvarez. Arasaka strongly deny this breach took place. Miss Alvarez, who was since arrested
and charged under the Computer Misuse Act, has given evidence in the Night City Crown
Court under rigorous cross-examination that this did indeed occur and that the data, which
included the ‘Soul Database’, was sold on the dark web to various cyber criminals.

Finally, owing to an altercation outside the café, Miss Amendiares wants to install cameras
that record the audio and video footage of the street outside her shop. She seeks your
advice on this.
