How Google lost the trust of Europe’s Data Protection Authorities

Over the last two years, various European Data Protection Commissioners have taken action against Google. Hardly a month goes by without something being reported: a €145,000 StreetView fine here or a court case about jurisdiction there.

So it is important to understand: “why is Google on the receiving end all this enforcement action?”. Why now, and not five years ago? What has changed?

From Europe’s Data Protection Commissioners perspective, there is a collective recognition that Google has given them the equivalent of the two fingers. Despite a lack of powers and resources, (and even though, for example, a maximum fine of £500,000 is a pinprick to an organisation whose profits are running at more than £8 billion per year), the Commissioners have collectively concluded that not to take action is not an option.

From Google’s perspective, I don’t know whether it is “carelessness” or “arrogance” or a combination of the two. “Carelessness” because data protection regulators generally try to reach some kind of compromise; so why can’t Google compromise? “Arrogance” because Google might have taken the view that it is such a rich, powerful and profitable multinational that it can process personal data despite the concerns of national data protection regulators (and if there is a dispute, tie them down in court processes that wipe out their legal budget).

Faustian Pact and increasing surveillance

Five years ago, there was an acceptance by most Internet users that the free access to services offered by Google involved an undeclared Faustian Pact. The user received the services for free and in return Google captured some data that assists something called “behavioural advertising”.

At that time, the user did not care much because – what the heck - the Internet experience was really valuable and of course, the Internet got better by the day. The Pact was sustained in the knowledge that free access to the Internet was (and still is) the main delivery vehicle for uncensored information into authoritarian regimes.

Of course, at that time also, there were a collection of “privacy nutters” bleating on the side-lines, identifying a host of hypothetical or far-fetched problems. For instance, the StreetView images of anonymous individuals (but identifiable to those who know that individual) entering a sex-shop or, more recently, receiving a hand-job in the back streets of Manchester. I guess that such images caused more general amusement than concerns over individual privacy – after all the user was not looking at himself or herself.

However, over time, there has been dawning realisation that Google’s surveillance does indeed focus on each and every user; Google follows surfers around the net, wherever they go, whether they are logged into a Google service or not.

As Google’s “free” services expanded and the Internet developed, this Faustian Pact resulted in an unrestrained collection of more data about its users. This in turn resulted in a virtuous (or vicious) spiral; a booming business that needs more and more user data to guarantee higher and higher revenues from advertising.

That is why Google’s Mission Statement is all about data collection: it states that “Google’s mission is to organise the world’s information and make it universally accessible and useful”. Want a “scary version” of this Statement? Just place the word “personal” before the word “information” and ask “accessible by whom?” or “useful for what?”.

It is no surprise that Google’s vast personal data collections are acting as a magnet for other forms of surveillance activity. That is why Governments want access to how the public uses the Internet so that law enforcement can obtain IP addresses and details of browsing habits. The collection and subsequent retention of such personal data concerns all users irrespective of whether or not there are grounds for suspicion for its retention.

The privacy issue here can be simply expressed: the grounds for suspicion about an individual user do not arise before the time of collection of IP addresses etc. Such grounds are found afterwards when the authorities, in some back office and at some time in the future, try to find a “wrong-un”. If a profiling algorithm is used, then any suspicion is likely to be based on a pre-programmed set of assumptions. In this way, the data that Google (and others) collect turns every user into a potential suspect.

Application of the Reagan Doctrine

Even with its own privacy pronouncements, Google has been exposed as being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the WiFi data collection by its StreetView Camera cars was accidental.

By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such WiFi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.

However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.

So when Google says something about privacy, how do we know that it is kosher? That is why European Data Protection Commissioners are pushing their equivalent of the “Regan Doctrine” at every turn: “trust but verify”.

So when Google last year changed its Privacy Policy, many Data Protection Commissioners wanted answers to certain questions and the CNIL (the French Data Protection Authority) was given the lead co-ordinating role. All European Commissioners signed a letter containing a number of queries on 26 October 2012 expressing their concerns asking Google to comply with their recommendations within 4 months. Google’s response was of the two fingered variety.

The CNIL’s concerns (still unaddressed) were that Google:

• did not provide retention periods and has refused to provide retention periods
• has not provided sufficient information about its personal data processing
• should reinforce users' consent  offer an improved control over the combination of data  by simplifying and centralizing the right to object (opt-out)
• should allow users to choose for which service their data are combined
• should adapt the tools that its various data combinations remain limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising
• should avoid an excessive collection of data.

So what’s wrong with Google’s Privacy Policy?

At the heart of Google’s problems is its Privacy Policy, and it is quite easy to see why there are issues. For example, just compare one basic definition:

Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google.

UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified:- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”

Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (i.e. there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).

Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.

It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?

In practice, I think the Google definition is very close to that found in the Data Protection Act 1984 repealed by the 1998 Act (this required the processing of personal data had to be “by reference to the data subject”). In my view, the definition that Google uses in its Privacy Policy is nearly three decades out of date.

Finally there are questions of the scope of Google’s Privacy Policy. Its web-site says that it applies to “Information that you give us (for example, “many of our services require you to sign up for a Google Account”) or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”).  There is no reference to personal information obtained by Google from other sources or from the public domain; so the status of such personal information is unclear.

You can see now that Google’s Privacy Policy does indeed raise several legitimate questions as to what it means in the context of data protection legislation which uses different definitions. I think most responsible companies would answer these questions; failure to answer them merely serves to raise suspicion.

The “Starbucks Effect” (and the Boston Tea Party)

The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays Corporation tax of £6 million or so. This latter figure implies its UK profits are of the order £30 million per year.

This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The Prime Minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.

It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.

Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.

Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was "No taxation without representation".

Google’s version of this is: “Full representation without taxation".

References

CNIL’s Google links

1. http://www.cnil.fr/english/news-and-events/news/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/
2. http://www.cnil.fr/linstitution/actualite/article/article/googles-new-privacy-policy-incomplete-information-and-uncontrolled-combination-of-data-across-ser/
3. http://www.cnil.fr/linstitution/actualite/article/article/googles-privacy-policy-g29-ready-for-coordinated-enforcement-actions/

and LINKS at the bottom of the above pages.

Mrs Thatcher’s data protection legacy

Successive UK Governments have seen data protection more as a cost overhead to be minimised rather than as an essential protection for the individual in an electronic age. This view started with Mrs Thatcher’s first Government and has endured for over three decades.

During the 1970s, there were a number of White Papers and Reports starting with the Younger Report on Privacy (in 1972) and ending with the Lindop’s Report on Data Protection (December 1978). So when Mrs Thatcher came to power in May 1979, it is fair to say that data protection was an item on the agenda but following the “winter of discontent”, probably very close to “AOB”.

Lindop’s proposals were not well received at the time, especially by the Home Office which had responsibility for data protection policy as well as its traditional law enforcement areas (e.g. national security and policing). It is difficult to imagine now, but the Home Office whose main functions required the invasion of privacy had also the responsibility towards the policy that protected individual privacy. In this way, the Home Office was acting like a lothario who has been tasked to define a law of celibacy.

This conflict of interest was only resolved in the last decade with the establishment of the Ministry of Justice. However, it has to be recognised that the current Data Protection and Freedom of Information Acts were Home Office Bills when they were presented to Parliament over a decade ago. That perhaps explains why there are generous exemptions for, yes you have guessed it, law enforcement, national security and policing.

Lindop called for statutory codes of practice produced by an independent data protection authority which would balance the needs for organisations to process personal data and the privacy of data subjects. Embedded in Lindop’s Codes were the rights of data subjects and the application of the various data protection principles, set in the context of the organisation’s processing purpose.

Lindop identified the need for about 40 Codes (e.g. for purposes such as employment, marketing and banking) and the current statutory Code of Practice on data sharing roughly provides an example of what Lindop had in mind. The text of the Code would be drafted by the Data Protection Authority to ensure that any balance between conflicting priorities was independently set.

Even the police and security services would be subject to a code of practice and be independently supervised. When you remember that 1979 was an era when there were no regulators in these areas, Lindop’s suggestion were too far ahead of their time to be universally accepted.

So in 1979, on the back of all the problems faced by the country, Mrs Thatcher was being asked to establish a large Quango which could produce statutory codes of practice that set the personal data processing rules for Government Departments, the police, security services and all businesses.  The result? Lindop was speedily shelved.

However in 1981, the Council of Europe Convention No. 108 became active and the risk was that if the UK did not have any data protection legislation, countries that had ratified the Convention would prohibit the transfer of personal data to countries that had not. This meant that, without data protection legislation in the UK, personal data could be lawfully withheld from the City of London’s vital financial centres.

A rumour current at the time was that the Department of Trade and Industry was so concerned that it had rushed a memo to Number 10. To get Mrs T’s attention, it started off with the words “Do you know what those French and Germans are planning to do next?”.

This is the start of the process whereby Governments saw data protection legislation as being needed to protect the interests of free-trade. If the UK had a data protection law that just met its international obligations, then that would be problem solved;  “maintaining privacy” was not an issue on anyone’s political agenda. (As an aside, I would identify the implementation of the Scottish Community Charge (Poll Tax) in 1989 as a significant turning point in this respect).

So in December 1982, the Home Office tabled a minimalistic Data Protection Bill that just satisfied the requirements of Convention No 108; it applied only to automatic processing of personal data. There was to be a central public register of all mainframe computers and details of the processing of personal data (e.g. purposes, sources, transfers, data items). The data protection principles only applied to registered organisations and were found in a Schedule towards the end of the Bill.

The regulator, known as the Data Protection Registrar, was given very few powers; there were no Monetary Penalty Notices, Information Notices, powers of audit or compliance agreements such as Undertakings. Criminal offences were linked to registration, compensation was limited to unauthorised disclosure of personal data or the processing of inaccurate personal data and there was a wide range of exemptions.

For example, in the Bill, the equivalent to the S.29 exemptions of the current Act (e.g. from the non-disclosure provisions and right of access if prejudicial to policing) extended to “the control of immigration” and removed the powers of the Regulator in relation to such disclosures. This meant that disclosures made by organisations that were Home Office responsibilities (e.g. police) were largely unfettered by any data protection concern.

This Bill was lost when the General Election was called, but it reappeared to be enacted as the Data Protection Act 1984. The 1984 Act lost the immigration clauses (which were removed because of a very effective campaign by Paul Sieghart) but included voluntary Codes of Practice.

Manual files containing personal information were excluded from the 1984 Act and there was a restrictive definition of personal data. Even word processing to produce the “text of documents” was excluded from the Act, as were data about intentions of an organisation towards an individual (e.g. “We intend to sack Fred Bloggs”).

For those of us working with the Data Protection Act 1984 within organisations, these weaknesses made data protection compliance a very difficult sell to management. Most of the personal information was in manual files and not subject to the Act. Non-registration was the key threat (an organisation could not process personal data without being registered) and subject access meant retrieval of information from the computer’s central databases. Non compliance wasn't a significant risk.

In summary, the minimalistic law that Mrs Thatcher had introduced meant that data protection was largely seen as needing low level administrative support: filling in (horrendous) 16 page registration forms per purpose and retrieving personal data from the mainframe.

It took a decade and the advent of Directive 95/46/EC for the main emphasis in the UK’s data protection regime to change from registration to the data protection principles. It took another decade and some lost disks to increase the risk factors associated with data protection non-compliance;  New Labour's surveillance state made individual privacy a political issue

Of course, when this Directive was implemented by the 1998 Act, Mrs Thatcher was long gone from office. But the attitude of her first Government, namely that trade and business needed to be protected from “expensive” data protection obligations has been the mantra she has passed to all subsequent Governments.

Indeed, if you listen carefully, you can still hear her words today in relation to the Government's attitude to the cost of the current Regulation.

Simple extension of ICO’s NHS audit powers are needed. Do you agree?

Just a brief blog about the proposals to extend the ICO’s audit powers to NHS bodies and how improved protection for data subjects can be obtained at minimal cost.

Amberhawk argues that if “unannounced” NHS data protection audits are to occur, then such audits should be extended to any department of a data controller who obtains health personal data from the NHS (e.g. research organisations; Local Authority Social Work Department).

This will enhance the protection for data subjects. In our view, there is little point in extending "unannounced" audit to NHS bodies, if widespread data sharing of health records occurs with non-NHS data controllers who are not subject to such an audit.

We also suggest the ICO should be able to recover some or all the costs of an audit, especially when an audit arises as a result of enforcement action (e.g. MPN) or an Undertaking. We do not see why scarce ICO resources that protect data subjects should be expended on errant data controllers who should know better. A cost recovery mechanism that can be used by the ICO as required allows those resources that protect data subjects to be replenished.

If you agree with some or all of these simple propositions, can I encourage you to complete the consultation exercise; there is a chance that the current limited suggestion can be significantly improved.

In further detail, the four improvements we suggest are as follows:

1. Audit powers should be extended to Local Authorities especially Social Work Departments which now have responsibilities for public health and joined up services with the NHS (in theory).

2. In general, if NHS bodies share health personal data, then those organisations (or parts of organisations) who obtain the health personal data should also be subject to audit. These organisations include research organisations and Universities. This step will help reassure data subjects that all health data originating from the NHS are subject to "on the spot audit" at any time, irrespective of the identity of the data controller.

3. The ICO should have the flexibility to recover some or all of the cost of all consensual and compulsory audits, especially when an audit follows a breach of a Principle or Right  (e.g. a reported data loss where there has been enforcement action or Undertaking signed by the data controller). If costs are not recovered, the resources of the ICO that are aimed at protecting data subjects are expended on errant data controllers that cause problems for data subjects. A contribution from those errant data controllers will help maintain the ICO's ability to protect data subjects.

4. The extension of powers to NHS bodies in Wales, NI and Scotland should be subject to approval of the respective devolved Parliaments

Of course, you can argue that the ICO's audit service should be free, but in general, I do not see a modest contribution made by the data controller to costs as being excessive.  It is also possible to link the cost recovery to size of data controller (e.g. those that pay £500 notification fee).

References
Submit your views: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices/consultation/intro/view
Consultation document widening the powers of audit to NHS bodies on: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices

 

Data collected by Google’s drones for 3D StreetView service is compliant with European data protection law

Buried in three of the 250,000 diplomatic cables published two years ago by Wikileaks was an obscure reference to a curious purchase made by Google from the Pentagon. These cables record that Google has contracted to buy all surplus surveillance drones as the USA military withdraws from Afghanistan and Iraq.

These drones have been used to develop Google’s controversial StreetView service. Google’s idea is to have a drone electronically follow each StreetView CCTV camera car at a height of 50 metres. Instead of StreetView’s two dimensional presentations (which are very familiar), the idea is to capture three dimensional images using software developed by Google and California’s prestigious Institute of Technology (Caltech).

This software is being installed in Google’s Glass so that users can explore a 3-D representation of any street they choose to download; in effect users can imagine that they are standing in the actual street. As Google Glass users move their heads, they can see different street perspectives displayed in their headset.

The 3D StreetView Privacy Impact Assessment (PIA) appended to Google’s Privacy Policy, shows how it complies with European Data Protection laws. For instance, to ensure maximum transparency of data collection, the drones are to be repainted in wasp-like reflective yellow and black stripes and to be fitted with loudspeakers.

The Assessment recommends that the drones should not be silent and “should emit a suitable sound, something like the low frequency buzz of a Doodlebug” (a reference to the Nazi V1 flying bomb). Other suggestions for a sound is the continual emission of the Morse Code for Google to identify the data controller (“--.” : “---“ : “---“ : “--.” : “.-..” and “.”)

The PIA does not call its drones, “GoogleBugs” but I am sure that this name is likely to catch on as Google develops its drone functionality. However, the PIA does recommend that the drone’s facility to intercept satellite communications is switched off “to avoid issues similar to the capture of WiFi logon-details by StreeView camera cars”.

The PIA deals with the inadvertent capturing of 3D images of adults engaging in nude sunbathing etc in back gardens. The PIA says that applying the usual blurring algorithm to just the face of a sunbather (as currently happens with Streetview) “risks leaving other body parts exposed, in full 3D”.

As an aside, it is interesting to note that some modern Google marketing executives wanted to develop the alliterative effect of the “repetitive g”, and call Google Glass,  “Google Goggles”. However, this would inevitably lead to the new virtual 3D service being known a “Oggling”, and users of Google Goggles become known as “Ogglers”. I can’t be sure, but this probably explains why Google Glass emerged as the preferred name.

Other potential privacy issues are dismissed on grounds that unlawful activity is being unmasked. For instance “addresses where grandparents have been reported missing to the police” and “where gardens at these addresses clearly contain areas which have recently been dug over”. Similarly, local authorities can explore the dimensions of extensions at the back of houses to check that planning rules are not violated.

However, security companies wanting to sell security products to householders would need prior consent of each householder. The PIA notes that 3D StreetView would “revive the services offered by this failing sector as burglars are likely to become users of the 3D system”. To protect Google’s image, the PIA suggests voluntary disclosure of IP addresses to the police “whenever a request relates to breaking and entering”.

Finally, the PIA confirms that drones do not collect information in a way that requires any change to Google’s Privacy Policy. This is because the Policy does not apply; as the drones only collect information that is already in the public domain, there are no privacy issues that need a change of policy.

In further detail, Google’s Privacy Policy applies only to “Information that you give us (for example, “many of our services require you to sign up for a Google Account”) or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”).

So clearly, it does not apply in circumstances where the drone is used.

References
Wikileaks http://wikileaks.org/cablegate.html
Google Press releases: http://www.google.co.uk/press/
Google’s Goggles: http://www.google.co.uk/mobile/goggles/#text
Google Privacy Policy: http://www.google.com/help/maps/streetview/privacy.html

 

Local Government likely to follow NHS down the mandatory data protection audit road

I am going to make a simple prediction; within 19 months  Local Authorities will be subject to compulsory data protection audit.

Why do I think that? Well I  think it is obvious if one reads the MoJ’s consultation document that argues that the ICO should have the power to audit NHS data controllers on demand.

For instance, if you consider a “complaint” to the ICO as a possible data protection compliance issue, then the following Table shows that Local Government are the main offenders with respect to data protection failure. They are well ahead of  NHS bodies which are likely to be subject to compulsory  audit (when the consultation process is complete).

 
                                       (Click on picture for a larger image).

 

Secondly, with respect to data loss, Local Authorities,  the table below shows that Local Government is second in the list of “reportable data losers”.  So, who is next in line if the ICO gets wider powers?

 

As an aside, note that 78% of all reportable data losses relate to either error in disclosure procedure, lost data or hardware and stolen data or hardware. So, procedures and counter-measures in this area should reduce three quarters of the data loss risk.

Finally, Local Government is blessed with a Secretary of State, Mr Pickles, who likes a good headline or two. Mandatory data protection audits for Local Government would reinforce his  “Protecting the tax-payer from careless town-hall bureaucrats” image.

The only real question I think, is which type of organisation is after Local Government for a compulsory audit? Why not the Banks that we all own!

References

Consultation document widening the powers of audit to NHS bodies on:  https://consult.justice.gov.uk/digital-communications/ico-assessment-notices

This document is to be discussed at our Data Protection Update session (April 18th; London) – details on http://www.amberhawk.com/uploads/Brochures/Amber_Update%2015%20April%202013.pdf

Could a Conservative Party lead by Theresa May drop the Data Protection Act?

Last week, Home Secretary Theresa May made a speech that could fundamentally alter the Conservative Party’s approach to human rights. The Party's currently policy position is that it would like to replace the Human Rights Act 1998 with its own Bill or Rights, but it would not derogate from the European Convention of Human Rights.

Theresa May has put that all in doubt. In her speech, she said:

“…And we need to stop human rights legislation interfering with our ability to fight crime and control immigration. That’s why, as our last manifesto promised, the next Conservative government will scrap the Human Rights Act, and it’s why we should also consider very carefully our relationship with the European Court of Human Rights and the Convention it enforces. … So by 2015 we’ll need a plan for dealing with the European Court of Human Rights. And yes, I want to be clear that all options – including leaving the Convention altogether – should be on the table. (my emphasis)

Obviously, with UKIP snapping at the Conservative Party’s heels, Mrs May's anti-European rhetoric went down well with those elements that are allergic to anything European. However, it is only when you deconstruct the implications of Mrs May’s message, do the risks emerge.

The first point to stress is the European Convention on Human Rights (ECHR) is not “European”; it is as British as roast beef and Yorkshire pud. The Council of Europe which provides judicial oversight of the Convention through its Court and Parliament involves 47 European States;  the Council of Europe was formed by the Treaty of London 1947. The ECHR is most important product of the Council of Europe; it was drafted by UK Government Civil Servants and identifies the characteristics of a democratic state and promotes the rule of law.

Whenever you read of the ECHR text, think “totalitarian regime”. For instance, Article 1 (no slave labour; abolished in the UK in 1833) and Article 2 (right to life) were absent from Hitler’s concentration camps and Stalin’s gulags. Article 6 (right to a fair trial; idea established in the UK by Magna Carta in 1216) and Article 8 (respect for private life); both are absent when the judiciary is beholden to a dictator or when the writ of a secret police force runs riot.

When Mrs May says complete withdrawal from the ECHR is on the cards, she is opening the door to a range of possibilities that go far wider than her concerns which are limited (in her speech anyway) to immigration or crime. For instance, such a move could permit a return of capital punishment, imprisonment without charge, extra-ordinary rendition or, as the Americans used to say of Abu Ghraib  "enhanced interrogation techniques" and "alternative set of procedures".

Eric Howe, the First Data Protection Registrar, in his valedictory Annual Report in 1994 got it spot on. He noted that the history of Europe was littered with totalitarian regimes and concluded that “democracy, liberty and freedom were fragile flowers”. In my view, the ECHR is the earth that sustains those flowers; pluck them, and these flowers eventually wither.

So, if the UK actually withdraws from all of the ECHR, perhaps under a future Prime Minister May, it is also withdrawing from the institutions and Conventions that depend on, or support, the ECHR. This includes Council of Europe Convention No 108, which derives its authority from Article 8 (respect for private life) of the ECHR. And if Convention No 108 goes, then so does the UK’s need for a Data Protection Act.

However, if Prime Minister May does withdraw from the ECHR, I suspect losing data protection could be the least of our worries.

Refererences

Mrs May's speech: http://conservativehome.blogs.com/thetorydiary/2013/03/full-text-of-theresa-mays-speech-we-will-win-by-being-the-party-for-all.html

 

Could the Conservative Party’s electoral database breach the Data Protection Act?

Ever since the Scottish National Party breached the PECR Regulations back in 2005, all political parties have had problems using personal data to identify potential supporters at election time. It is a tricky issue; those standing for election need to process personal data in order to contact supporters and voters.

Last Sunday, it emerged that the Conservative Party appears to have used USA-style polling techniques to create a database of voters which, in part, is legitimised by a simple privacy axiom: personal information that is published is not private; hence there cannot be any obligation to protect privacy.

This privacy axiom might work in the USA but it does not work in the UK as most Data Protection Principles are not negated, even when data subjects publish personal data about themselves. For instance, if a data controller gathers together all sorts of personal data from the Internet, it cannot claim that because these details are in the public domain, then there is no right of access to these personal data or that security obligations can be ignored.

With that in mind, just consider this passage from The Sunday Times (3rd March 2012, page 19). It explores a database that supports future Conservative Election Campaigns in the following terms:

“The key to victory may lie in technology. For several months, four brainboxes have quietly creating the most sophisticated ever database for use in future by-election and general election campaigns”.

This database is stored “in the Cloud” and will “amass data from public records, pollsters, fundraisers and political activists and volunteers… It will also trawl social networking sites for information on voters’ habits and preferences”.

“Facebook, Twitter – if it’s in the public domain it’s not off limits”, says Jag Singh, a digital whizz-kid who has worked on two US presidential elections……Singh hopes the database will contain details of as many as 20 million voters by 2015”.

Before progressing, I am making the assumption that this system is up and running in some form and that some (possibly most) personal data are being processed without the consent of the data subject.

However, I can’t resist making a comment that these “brainboxes” and “whizz-kids” appear to know little of the data protection consequences of their processing actions. Their plans also reveal why users of web-browsers need to consider very carefully what electronic trails they are leaving, and why in the case of social media software, there are risks of making personal details available to others.

The first comment to say is that in many cases, sensitive personal data about voters are being processed; this is likely to bring with it enhanced security obligations as the particular context includes expressions of opinion in support of, or opposition to, a particular political or social policy (e.g. Immigration, Gay Marriage etc).

So there is an immediate accuracy problem in cases where a “friend” of the data subject has published commentary on the data subject’s political views, or if that friend inadvertently places a data subject’s preliminary views in the public domain (e.g. by forwarding a private posting to his friends). For instance, how many times have you said something on a topical issue, a colleague then mentions something that you haven’t considered, and you then modify your view.

Secondly, the personal data that are being processed extend well beyond the name and address details that are provided when political parties obtain copies of the Electoral Roll for each constituency. What in essence is happening is that the Electoral Roll provides the core name and address data for a central register, which is then linked to other personal data obtained which is likely to be obtained without the consent of the data subject concerned.

Third, there is the issue of fairness. Is it fair to process personal data from social media postings when in many circumstances they have not been posted with the intent that they can be copied for general use or for a political purpose? Do the fairness requirements mean that data subjects need to be informed that a political party is amassing their personal details on them in order, for example, to profile their political preferences?

Of course one could argue that there is no need for a fair processing notice at all, as a data subject should know that if his personal data are published by him then these published data can be used for anything. (This is despite the fact that it is well known that many data subjects do not appreciate this point and that in many cases, the default privacy setting provided by social networking sites is “no privacy”).

Consequently, I have constructed an argument that requires the data controller to contact with the data subject with the fair processing details that does not depend on the fair processing requirements of the First Principle.

In the absence of consent, the processing by the data controller of any additional personal data (i.e. additional to name and address from the Electoral Roll) is very likely to be subject to the balance of interests grounds (i.e. Schedule 2, paragraph 6). This means that the processing by a data controller, if necessary, is legitimate if there is no overriding interest of the data subject to protect.

Given that sensitive personal data are likely to be processed, the question then arises as to how can a data controller take account of any overriding legitimate interests of each data subject without making contact with that data subject?

In addition, the right of objection (S.10 of the DPA) applies. So how can a data subject exercise their right to object to the processing of personal data by a data controller if they do not know that such personal data are being processed and for what purpose? How, for instance, can a data subject exercise their rights of access without knowing the identity of the data controller or where to send any request for access?

In other words, contact by a data controller with data subjects to alert them to the processing purpose and the identity of the data controller is a consequence of the Sixth Principle, and the legitimisation arm of the First Principle (and not only the fairness limb of the First Principle).

Handily, because the Conservative Party has the Electoral Roll, contact with data subjects should not prove too difficult; a brief billet-doux should suffice (e.g. “Dear Data Subject. XYZ Party is processing your personal data for a political purpose. Lots of love…”).

Other data protection issues also show that the claim of Jag Singh (“if it’s in the public domain, it’s not off limits”) is clearly misguided. For instance, how long are details kept on the central database and how on earth are these additional details (i.e. other than name and address) are kept up to date? What details are deemed relevant to the political purpose and when are political views of electors deleted (if ever)? Finally there are the Cloud issues and transfers outside the EEA.

Lurking in the background are other important questions such as: “Would a database that contained the political views of voting adults in the UK present a target for unauthorised access?” or questions that arise from function creep (e.g. would employers use such a database in their employment decisions).

In summary, I think that Conservative Party (and to be fair, probably the other main political parties as well) are considering steps that urgently… how shall I put it… need a Privacy Impact Assessment (PIA) at the very least.

Hopefully when doing this PIA they can employ whizz kids and brainboxes who appreciate that “if it’s in the public domain, the Data Protection Act still applies”!

Quick advert

We still have places on our half day workshop on the Data Protection Regulation on Monday March 18th in London (details on http://www.amberhawk.com/bookevents.asp)

 

 

 

Data Protection Code of Practice for the Press raises the prospect of enhanced protection for ordinary data subjects.

Five days ago, the Conservatives outlined their plans for implementing the Leveson Recommendations (the “Recommendations”) by creating an independent panel, established by Royal Charter, to verify that any new press regulator is effective. Yesterday, the Information Commissioner put a spanner in these works; he has published outline plans for his own voluntary Code of Practice and is consulting on its possible content.

This blog explains why an ICO Code of Practice, if eventually published, could help aggrieved data subjects, and why I expect it to be opposed by the press.

Both Labour and the Liberal Democrats disagree with the Mr. Cameron’s preferred voluntary system of press regulation. Many MPs from these Parties want a statutory underpinning of the regulatory structure by statute whilst the Prime Minister believes that this could threaten the freedom of the press. The ICO’s Code of Practice would be a voluntary Code; there is no statutory underpinning of the Code but, as will be seen, any future Parliament could decide to underpin.

The press and also many MPs continue to (deliberately) conflate statutory regulation of the press (e.g. as in full state control) with statutory underpinning of the regulatory regime that applies to the press (e.g. because many argue that the old voluntary system of regulation has palpably failed). The ICO’s Code of Practice, if there were to be a failing of the press to comply with a decision of any non-statutory press regulator could therefore come into play. To some extent the ICO's Code would therefore create a fall-back position for aggrieved data subjects. 

Readers of the blog already know that I think you can have statutory underpinning of the Recommendations via very modest changes to the definition of “Special Purposes” under the Data Protection Act (see references). The advantage of my approach is that you do not change the balance between press freedom and privacy that the press has readily accepted since 1998.

The ICO's approach in his outline voluntary Code of Practice similarly does not disturb this balance. So it is interesting to speculate how such a Code of Practice could work for the press, even assuming no change to the Section 32 exemption.

As is well known, this Section 32 exemption is pretty wide: it includes all the Data Protection Principles except the Seventh Principle (dealing with security), the right of access and objection. This exemption applies so long as the press-related data controller believes that the special importance of the public interest in freedom of expression is served by the processing of personal data, and that the processing of such data is with a view to publication.

Section 32(3) states that when considering whether “the belief of a data controller that publication would be in the public interest was or is a reasonable one, regard may be had to his compliance with any code of practice”. Clearly any Code of Practice that concerns the press, produced by the ICO, is going to be highly relevant to the publication in question.

So this explains one reason why the ICO is thinking of producing a Code of Practice; the existing DPA provides that one can be created and the Press Complaints Commission (PCC) Code is set to disappear. A second reason is that the ICO was expressly criticised in Leveson for not using his enforcement powers against the press; a Code of Practice is the current Commissioner's response to that criticism. A third reason is that the ICO's Code is likely to exist well before the new regulatory framework is established; in this way, the ICO can influence events.

However, there is a sting in the tail here. If the eventual ICO Code is designated by the Secretary of State (as is the current PCC Code of Practice: by SI 2000 No. 1864) then, in theory, serious non-compliance with the Code is likely to bring enforcement action by the ICO beyond that of any new press regulator.

Of course, the current Secretary of State might not designate the ICO's Code, but it only needs one future Secretary of State to designate the Code, then it becomes an important component of the press regulatory regime.

The ICO’s Code has picked up the approach used by Mr Jay during the cross examination of the current and previous Commissioners at Leveson. Mr Jay employed a simple argument to state that the Section 32 exemption did not apply in many circumstances; his argument goes as follows:

• Does the Section 32 exemption apply to any personal data processed by the press with “a view to publication”? Answer “yes”.
• When the press obtains an ex-directory number (for hacking purposes), is it likely that the press would publish the ex-directory number? Answer, of course, “no”.
• It follows that with regards to ex-directory numbers, there is no “view to publication” of personal data and so the Section 32 exemption does not apply.

Now, if you expand Mr Jay's line of argument, you can understand the implication of the questions posed by the ICO  in the chapter in the proposed Code which focuses on the section 32 exemption. These questions (followed by my comments) are as follows:

• When does the exemption apply? (Comment: here the ICO is implying that the exemption does not apply to some processing of personal data by the Press);
• Where section 32 does apply, what rights and obligations flow from the Data Protection Act? (Comment: here the ICO is saying that data subject rights and all Principles can apply to some personal data processed by the Press);
• Are there minimum standards of good practice which apply to the handling of personal data in all cases? (Comment: here the ICO might have fair and lawful obtaining in mind);
• When is personal data processed only for the special purpose of journalism? (Comment: here the ICO is implying that personal data such as contact telephone numbers may not be processed for the special purpose of journalism);
• When is processing undertaken with a view to publication of any journalistic material? (Comment: here the ICO is implying that personal data that do not have a view to publication cannot claim the exemption);
• When is it reasonable to believe that publication would be in the public interest? (Comment: here the ICO is implying that personal data that are processed not for a public interest purpose cannot claim the protection of the S.32 exemption)
• When is it reasonable to believe that compliance with a relevant provision of the Data Protection Act would be incompatible with the special purpose of journalism? (Comment: here the ICO is implying that fair processing practices are often compatible with the special purpose of journalism so no exemption is needed)
• What role can other codes of practice play when considering the above? (Comment; the Privacy Notice Code and perhaps Codes in connection with surveillance or telephone monitoring come into mind).

It is worth noting that the ICO’s proposed Code would make an explicit reference to the Human Rights Act and its role in defining the “relationship between data protection and freedom of expression, demonstrating how the two concepts co-exist; and explaining why high standards of information-handling are not inconsistent with the freedom of the press”. This means that unlawful processing (and the link with Article 8 and all the case-law in this area) is very strongly in play (see references).

For this reason, in particular, I suspect the press will oppose the Commissioner’s Code and will try to discredit it. However, they may find it hard to do because they have accepted the current data protection arrangements since 1998. Any ICO Code is voluntary, and the press are as free to ignore the ICO Code as it has its own PCC Code. In addition, if designation of the PCC’s own Code of Practice a decade ago was not opposed by the Press, why should the ICO one be opposed?

Finally, Leveson was adamant that the data protection regime should be strengthened; any taking away of the Code of Practice provisions in Section 32 would signal the Government’s intent to further weaken the Leveson Recommendations.

The idea of a Code based on data protection can work; so get engaged in the consultation.

References:

Leveson Principles underpinned in 133 words of legislation: no need for an extensive  law. http://amberhawk.typepad.com/amberhawk/2012/12/leveson-principles-underpinned-in-133-words-of-legislation-no-need-for-an-extensive-law.html

The linking of data protection and human rights regime: see Information Commissioner’s enforcement proceedings links Article 8 to unlawful processing: http://amberhawk.typepad.com/amberhawk/2012/11/information-commissioners-enforcement-proceedings-links-article-8-to-unlawful-processing.html

Download the ICO’s document about the Press Code of Practice here: Download BLOG_Press Code outline Feb 2013

 

Update on my Tribunal hearing re data protection infraction letters

I have had a several inquiries as to how my Tribunal appearance went (see  blog of 6th Feb for details of the subject matter of these proceedings)

Well I was hoping to do a full blog, but Monday's hearing was adjourned and we might have to lock horns at a later stage.

Reading the runes, the MoJ was cross examined for more than 2 hrs in closed session (more than twice as long as timetabled) after which I was told that I may receive something called “non-disputed information” and parts of an email from the European Commission.

I have no idea what this means in practice or indeed whether the MoJ will release anything; at the hearing it was clear that the MoJ was adamant that it does not want to release anything at all.

It also emerged at the open session of the Tribunal that the MoJ invited the European Commission to write a letter to the MoJ expressing its objections to the release of the letters I had requested. The MoJ then gave the Commission's letter as evidence that the MoJ should not release the information to me! I am sure that the MoJ would put a different gloss on the Commission's manufactured evidence, but that is how I see it.

I hope to do a complete report as part of our Update session in April 15th. Those wanting to know about the Regulation itself, we are doing a half day afternoon session on the Regulation on March 18th .

Throughout the whole process which commenced in 2005, I have made mistake after mistake (some of which I am kicking myself about). I hope to do a blog identifying these mistakes so people don’t follow me into some unnecessary holes.

Anyway, may thanks for your support - especially to the person who turned up!

Details of Update and Regulation half day can be found linked on the following page of the Amberhawk website: http://www.amberhawk.com/bookevents.asp 

Question answered: “Why does the European Commission think the UK’s Data Protection Act is a deficient implementation of Directive 95/46/EC?”.

Whilst preparing for “my day in Court”, I have realised that I also have had, for over a year, some further detail which explains why the European Commission thinks the UK’s Data Protection Act 1998 (DPA) is a deficient implementation of Directive 95/46/EC. I think I have the answer and this extra detail is the subject of this blog.

Next Monday (11th Feb), I have my Tribunal hearing as to whether I can obtain the full text of the letters sent by the European Commission to the UK Government which explains their position on the DPA. At Monday’s Tribunal the Ministry of Justice will be arguing that release of these letters to me will prejudice international relations.

Note that two decades of Conservative euro-phobia and the Prime Minister’s promise for an in-out referendum has not been prejudicial to international relations. By contrast, my little FOI request about data protection is causing all sorts of mayhem and mischief. Indeed, if I win, I suspect the resulting euro-havoc will trigger contingency plans to recall all European Ambassadors for “discussions on data protection”.

The letters I have requested describe why, according to the Commission, the DPA is a deficient implementation of Directive 95/46/EC. According to the Commission, UK Government has defectively implemented 15 Articles of a 34 Article Directive (i.e. Articles 2, 3, 6, 8, 10, 11, 12, 13, 16, 17, 22, 23, 25, 26 and 28). Summary details from these letters have been blogged before (see references).

However, what I have discovered that in one of its responses to me, the UK Government has grouped the Commission’s issues under headings, which I had previously ignored. Now in conjunction with other information, these headings reveal the detail of the alleged problems with the DPA.

Of course my analysis involves some deduction and supposition but I think I have “cracked it”. However, I don’t have further details on the problems with Articles 16, 17, 25 and 26 as these are not featured in the MoJ’s heading.

This means that the Commission’s letters assert that the UK has inappropriate provisions with respect to transfers outside the EEA (Articles 25 and 26) and the security of personal data (Articles 16 and 17). Something which I still think is of public interest.

Anyway, to the headings and the problems (see the download; it is easy to see why I ignored it!).

1. Definition of “Personal Data” and “Relevant Filing System” (Article 2)

I am pretty sure that this is a reference to the consequences of the Durant Court of Appeal judgment which narrowed the definition of personal data and Relevant Filing System. I suspect the Government are arguing that the ICO’s Guidance on personal data widens the scope of personal data and that this Guidance corrects the Durant judgment.

Sadly this is not correct. I remember a moment in the CSA v SIC case when Barrister for the ICO invited (then pleaded, begged, implored and almost prostrated himself on the floor of the Court in tears) the House of Lords to say some approving comments in its judgement about the ICO’s Guidance on the definition of personal data. This is because the ICO’s Guidance expanded the scope of personal data beyond the narrow confines of Durant.

Lord Hoffman stopped the barrister in his tracks and intervened to say that CSA v SIC was about “identity” whilst Durant was about “relate to”. He then added something on the lines: “we are not revisiting Durant; thereby lies a can of worms”.

Now as readers know that my comments about Durant are usually interspersed with a few anglo saxon nouns and adjectives, so I will leave my commentary to the information law barristers from the 5RB Chambers. They said of the Durant on their website:

“Sir Humphrey would have been delighted with this decision. The definition given by the Court of Appeal to personal data is so restrictive in relation to manual filing systems, as to constitute a serious obstacle to any citizen seeking to verify the accuracy of information held about him/her by the state. It is surprising that such a wide exclusion of "data" from the Act should be found consistent with the Data Protection Directive or Article 8”.

I agree. And that is why I am taking my FOI requests as far as I can.

2. Collection of personal data in job applications (Article 6 & 28)

We can now say that Commission’s issue with the Articles 6 and 28 is to do with the fact that some employers are obtaining health information from job applicants in circumstances disliked by the Commission. At a guess, it could be that the Commission sees the  ICO’s Employment Code of Practice as giving too much leeway for when this practice can occur.

The involvement of Article 6 (dealing with what we know as Principles 1-5) makes me suspect that the Commission consider there is an issue concerning fairness, relevance and retention of health personal data in the context of the employment purpose; Article 28 is a reference to the fact that the ICO  (at the time of the writing of the letters) did not have sufficient powers to protect the data subject.

Note that if the Commission thinks several Principles have been breached, then there is unlikely to be compliance with Articles 7 and 8 (expressed in DPA as Schedule 2 and 3 conditions) for the processing of health personal data for the employment purpose.

Since 2006 (i.e. after the letters were sent to the UK Government), the vetting of prospective employees against criminal records has extended enormously.

Given that the ICO has taken later action under the Third and Fifth Principles in the UK Courts, in an attempt to stop the use of minor, irrelevant, age-old offences in employment decisions, I would not be surprised if the criticism raised by the Commission in the context of health records also now applies to criminal convictions in the employment context.

3. Subject Information Provision (Articles 10 & 11)

I have always been puzzled about the Commissions gripe about fair processing issues but now the Government’s heading links these Articles to the exemption from the Subject Information Provisions (SIP). This exemption means that the data subject gets neither a fair processing notice nor subject access.

So I think this in turn means that some, or all, of the SIP exemptions in Schedule 7 (e.g. management planning, forecasting and negotiations) do not need, in the Commission’s view, to include an exemption from the fair processing requirements.

Whether the Commission are dissatisfied with the Subject Access exemption is unclear – fairness as specified in Articles 10 & 11 has nothing to do with data subject rights.

4. Rectification and Judicial Discretion (Article 12)

There are two possible areas linked to the right of access (Article 12):

• The Court’s discretion to grant or refuse applications made by data subjects to rectify, or erase inaccurate personal data (caused by the “may” in Section 14 of the DPA)
• The Court’s discretion to grant or refuse subject access in circumstances other than specified in Article 13 (caused by the use of “may” in S.7(9) of the DPA)

The Durant decision determined that the right of the Court to refuse the right of access was “untrammelled”; the Commission I suspect argue that refusal is limited to the necessary circumstances specified Article 13 (e.g. prevention of crime).

5. Confidential References (Article 13)

I think the Commission is claiming that the exemption relating to confidential references given by the data controller (i.e. in Schedule 7, paragraph 1) cannot be justified in terms of Article 13 (which specifies when Member States can legislate for exemptions).

As readers should know, back in 1998 the Department responsible for  the then Data Protection Bill was the Home Office with Jack Straw as Home Secretary; additionally the UK had to comply with Gaskin v. UK, a decision from the European Court of Human Rights ((1989) 12 EHRR 36).

This combination of these factors inevitably meant that the Bill was amended in a minimalistic way to deliver Gaskin (this is via Sections 7(4) to 7(6) of the Data Protection Act). As Gaskin did not refer to the position of the giver of the confidential reference, the Home Office and Jack Straw provided an exemption for the sender of the reference.

What the Commission is saying is that the sender’s exemption and the UK’s minimalistic approach to Gaskin cannot be justified.

6. Damages (Article 23)

The Directive requires “The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage”. The Data Protection Act in Section 13 provides for a “reasonable care” defence.

Note that the DPA’s implementation means that  even though the data controller is responsible for the “the event giving rise to the damage”, no damages are awarded in the UK Court because the data controller can show “reasonable cause”.

7. Information Commissioner’s Regulatory Powers (Article 28)

These problems are in the public domain, so I don’t have to suppose anything. In a press release (see references), the Commission identified “notably limitations of the Information Commissioner's Office's powers”. These are that:

• “it cannot monitor whether third countries' data protection is adequate. These assessments should come before international transfers of personal information”;
• “It can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks”.

The Press Report noted: “Furthermore, courts in the UK can refuse the right to have personal data rectified or erased. The right to compensation for moral damage when personal information is used inappropriately is also restricted”.

For instance, if an Information Notice has to be served to get information and if this is appealed to the Tribunal, then there will be about a six month delay before the legal process grinds out an outcome of the Appeal. Similarly with an Enforcement Notice, if appealed, means that processing can continue until the appeal is heard.

This half year delay until the Tribunal determines the outcome of an issue is not what can be described as “effective powers of intervention”.

8. ECJ References (Article 234)

This heading is a reference to status of infraction proceedings with respect to the European Court of Justice; it has nothing to do with my request.

However, nearly a nine years ago, when I was a young man starting out on my FOI journey of delay, refusal and rejection, I was told by the European Commission that legal proceedings were “on-going”. With the current Tribunal case, the refusal of the MoJ to provide the letters is based on the fact that legal proceedings are, yes you have guessed it, “on-going”.

So how long a time is “on-going”?

This is a question that is the legal equivalent of “how long is a piece of string?”.

References:

My Tribunal will take place on Monday 11 February 2013 at 10:00 am, at Court 7, Field House, 15 Breams Buildings, London EC4A 1DZ if you want to come along.

We have a half day on the EU regulation on March 18th in London (£225+VAT): http://www.amberhawk.com/bookevents.asp

Two recent blogs relating to “Why the EU thinks the UK Act is deficient” which includes downloads are:

• Information published by the MoJ as a result of an FOI request: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html
• Information published by the European Commission as a result of an FOI request: http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html

The UK Government headings that allow more detail to be deduced: Download BLOG_MoJ letter:

5RB’s commentary on Durant. http://www.5rb.com/case/Durant-v-Financial-Services-Authority

EU Press release on infringement proceedings: http://europa.eu/rapid/press-release_IP-10-811_en.htm