An organisation connected to the UK’s ICO to breach privacy rules
Privacy concerns and people making complaints are common. In the UK, the body to whom you should report your privacy concerns is the Information Commissioner’s Office.
Users have to be vigilant. Issues and opaqueness of who tracks our data continue to pose a problem, even among those who want to help (see my privacy investigation into online user tracking for Crimestoppers UK) or organisations that work with stakeholders in the industry.
One of those parties is the Global Privacy Assembly. Its aim is to bring together groups of data protection and privacy commissioners to share knowledge and build strong cooperation.
The Global Privacy Assembly (GPA) is fighting for “an environment in which privacy and data protection authorities around the world are able effectively to act to fulfill their mandates, both individually and in concert, through diffusion of knowledge and supportive connections”.
The hypocritical part is that this organisation seem not to comply with privacy rules. I checked whether GPA’s website tracks users without their consent after a source tipped me off.
When we ran a data-tracking scan on the group’s website — supported by Cybot, a Danish privacy and analytics company — I stumbled across something that might worry the very set of privacy commissioners who are members at GPA.
The website allows Twitter to track visitors without prior, informed consent. There would also be no mention of this in their privacy policy, I was told by an expert.
In their defense, one pundit said, it is only on a single page this is happening via an embedded Twitter feed. But they should ask for consent in order to be compliant with privacy rulings. But others I spoke to said that GPA’s tracking occurs because it loads the Twitter feed of its profile on the site and that it is “on various pages” if one looks around — “right side of the page, midway down, typically”.
Check a request captured from another page of GPA’s website: https://globalprivacyassembly.org/news-events/events-calendar/
An online privacy advocate I spoke to said: “The notable aspect of this find, regarding those responsible for the website, is the hypocrisy, not the severity. If I were a member, I’d be embarrassed by my association with this assembly and not noticing this failure sooner; also likely a bit frustrated at my own privacy being breached”.
Although small in scale, this could be a problem because of the relationship with the ICO. Global Privacy Assembly claims to have Elizabeth Denham CBE, the UK’s Information Commissioner at the Information Commissioner’s Office, on its executive committee. Even such a small breach should raise questions. The ICO also shares the same physical address with the Global Privacy Assembly. Not from me personally, but it is likely that the ICO may soon receive a complaint about this issue from a member of the public.
