All the best for the forthcoming holiday. Back online in early September
In the meantime, if interested in our courses (see left hand side), email email@example.com
“Hats off” to Statewatch. I don’t know how they do it, but they have just managed to liberate a 170 page document from the Commission that explains what each Member State thinks of the Data Protection Regulation. The UK, of course, has the largest number of pages outlining its objections (24 pages in all).
So here is a summary of some of the key issues for the UK with the Regulation. All sentences that are not italicised are quotes from the document; the italics underneath contain either some serious commentary or a flippant translation concerning the relevant chunk of “MoJspeak”. References and useful links at the bottom as usual.
So here goes......
1. “We are of the view that the proposed general Regulation should be a Directive in order to provide greater member state flexibility to implement the measures – a Regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice”.
Translation: a Directive will give more chance for the UK to negotiate specific carve-outs as and if we don’t get our way, we can delay proceedings as we did with Directive 95/46/EC.
2. “There is an excessive number of delegated and implementing acts, which often does not constitute a correct exercise of the power conferred in the parent legislation - for example there are many instances in the instruments where the Commission has powers to impose further criteria or requirements which cut across essential aspects, such as pursuant to Article 6(1)(f) of the proposed Regulation in determining whether personal data may be processed on the basis of legitimate interests in various situations”.
Translation: the Secretary of State currently has these powers (see Schedule 2, para 6(2) or Schedule 3, para 10) and we don’t like them being taken away. We only need to mention that these powers are going to Brussels and many of our Conservative back-benchers will become so apoplectic they will demand a referendum – so be warned.
3. “The Regulation contains many prescriptive requirements in the main body of the instrument which places unrealistic obligations on data controllers, particularly on Small and Medium Size Enterprises and not-for-profit organisations.”
Translation: we would like more exemptions for SMEs and not-for-profit; preferably we would like the UK Government to define these.
4. “Other prescriptive requirements includes requirements to notify a data breach within 24 hours, to maintain documentation of all data processing operations and mandatory data protection officers which could be costly and impractical for many business and organisations.”
Translation: if there is any prescribing to be done, please leave it to Member States to do.
Commentary: In practice there is common ground that the data breach notification provisions will become more flexible.
5. “It would be helpful to clarify that personal, commercial activity, such as selling ones’ personal possessions on an auction site can also fall within the (domestic purpose) exemption”.
Translation: the domestic purpose exemption is too narrowly drawn; surely people can sell their own stuff on Ebay?
6. “Where data controllers are not established in the EU and fail to appoint a representative, there is a real question as to whether this is enforceable and what steps Member States are expected to take in order to enforce where there is no existing mechanism”.
Commentary: this problem already exists in the UK Act which also gives no clue as to what a representative has to do and what happens if one is not appointed. In the current UK Act, if a data controller is outside the EEA and uses equipment to process personal data in the UK a representative has to be appointed, identified in notification, and in a fair processing notice. What else the representative does is not specified in the UK Act.
7. “The scope of what could constitute “personal data” is unjustifiably broadened to include “any information relating to” a data subject. The term “related to” lacks the precision required for a Regulation”.
Translation: If we play our cards carefully we might be able to sneak in the Durant definition of “relate to”, especially if we can successfully argue for a Directive (see above)!
8. “We question the removal of: “authorities which may receive data in the framework of a particular inquiry shall not be regarded as recipients”, as set out in 2(g) of the 1995 Directive. It is unclear what the consequences of this would be for authorities”.
Commentary: The UK want to maintain the current structure of the UK’s DPA which excludes from the definition of “recipient”, any person who has the power to perform an investigation and needs the disclosure of personal data in connection with a specific investigation authorised by law.
So for example police, when they obtain of personal data from a data controller in connection with a criminal investigation, are not a recipient. As recipients are identified in fair processing notices and in the right of access, the fact they are “not recipients” means that the disclosure does not need to be identified.
So the consequences are not as unclear as the Government indicate; it means more data sharing is transparent to data subjects.
9. “We would like to revisit this discussion in working groups, particularly whether it imposes the higher consent threshold for sensitive personal data under the existing Directive onto non-sensitive personal data”.
Translation: we don’t like the high threshold for consent and prefer to keep the current Directive 95/46/EC definition of data subject’s consent.
Commentary: I have some sympathy for this position, for if the controller has the burden of proof of establishing that the data subject gave their consent, and consent has to contain an indication of the data subject’s wishes, there is less need for a more prescriptive formulation of consent. But see the next item before you agree.
10. We prefer that “the existence of imbalanced situations should be taken into account in determining whether consent is freely given, and informed”.
Commentary: The use of “should” rings alarm bells as I see it as an attempt to maintain the flexibility to identify circumstances when this imbalance can be ignored with respect to consent. In other words, this is a recipe for the retention of what I call “Home Office” consent, where there is no real choice (e.g. when you go through airport security for your holiday flight, you can consent to go through the airport scanner or not travel).
11. Having two definitions of a child (Article 4 (18) – under 18 threshold; Article 8(1) – under 13) complicates understanding the definition of a child.
Commentary: The UK prefers the common law position established by Gillick/Fraser competence.
I am worried that a general euro-standard definition of child might have unintended consequences; for instance, if there is a “sexual health helpline for teenagers advice line” and any processing of personal data might require parental consent.
The Government in my view is identifying the difficulty of having a general definition of a child, when in practice, this is a case-by-case assessment (as is done via Gillick/Fraser). For instance, 19 year-olds on the autistic spectrum might not be competent to make decisions; on the other hand, some 12 year olds might easily be competent. On balance, I think the Government may be right here.
12. “The current Directive 95/46/EC states in recital 28 and Article 6(1(c) that personal data must be adequate, relevant and not excessive - now Article 5(c) says that personal data must be "adequate, relevant and limited to the minimum necessary for each specific purpose of the processing". This shifts the focus away from proportionality to one where data can only be collected where explicitly justified. This will mean organisations will have to cleanse excess data and change the focus of their data collection activities. It is not always possible to know at point of collection what ‘minimum necessary’ constitutes”.
Translation: we don’t like or understand the concept of data minimisation
13. “The requirement for personal data to be accurate and kept up to date, without any caveat is too prescriptive and, in certain instances will be unnecessary”.
Translation: we prefer the UK’s relaxed position where data controller’s only updates personal data when it is necessary to do so. For instance, should you keep your archived personal data up-to-date? Obviously not.
14. “The burden on the controller to “ensure and demonstrate” compliance with the provisions of the Regulation is too onerous. We believe that controller should not be expected to document everything as a matter of course”.
Commentary: The “Accountability Principle” is worded so that “each processing operation” is in compliance with the Regulation.
What the UK Government wants, I suspect, is an Accountability Principle obligation that looks at all processing operations as part of an overall assessment. In other words, the Principle works on a rounded-view of assessment towards data protection compliance rather than an assessment based on each specific processing operation.
15. “It is illogical that public authority data controllers cannot rely on their legitimate interests in order to lawfully process personal data”.
Commentary: the Government want public sector bodies to be able to process personal data which is not for their statutory functions or where there is no legal obligation to process and rely on the balance of interests ground (i.e. use paragraph 6 of Schedule 2). I think the Government need to justify this position as I can’t see why it is illogical.
What two words come to mind if a public body came to you and said: “I have no statutory function with respect to processing your personal data and I have no legal obligation to process your personal data and I don’t have your consent to process your personal data .. so what should I do?”
16. The requirement that processing under points (c) and (e) must be provided for in Union law or the law of a Member State must accommodate processing that is lawful.
Commentary: the UK claims there is an issue where processing of personal data is required by a common law obligation. The Regulation assumes that as public bodies are creatures of statute, there must be statutory legal provisions that make any processing of personal lawful.
I think the UK Government needs to identify what these common law circumstances are before I am convinced.
17. “The UK questions the need for special categories of personal data” i.e. “sensitive personal data”.
Translation: let’s get rid of Schedule 3.
Commentary: The Government argue that personal data about a “cold” should not be treated as sensitive personal data, and I have been at meetings where the Information Commissioner has supported this idea. I am not so sure, as in the UK the regulatory framework rarely considers the First Principle other than “fairness”. The Information Commissioner, for instance, does not enforce lawfulness (e.g. that processing that would breach a confidence) nor have I seen him delve much into Schedules 2 or 3.
If the equivalent of Schedule 3 is removed, it leaves the processing of sensitive personal data subject to the mercies of paragraph 6 of Schedule 2 (legitimate interests of a data controller unless there is an overriding interest of the data subject). This is, in my view, could be a step too far.
I need much more convincing that there is adequate protection before I could support this idea. For example, if the test in Schedule 2, paragraph 6 were reversed for sensitive personal data (i.e. there had to be an overriding legitimate interest for the data controller and the starting presumption was that sensitive personal data were not processed) and the Commissioner enforced “lawful processing”, I would be much more relaxed.
If you want the 170 page discussion issued by the Council including detailed individual comments from Member States: http://www.statewatch.org/news/2012/jul/eu-council-dp-reg-ms-positions-9897-rev2-12.pdf
EU’s Data Protection Regulation: divisions exposed as Member States show disharmony: http://amberhawk.typepad.com/amberhawk/2012/03/eus-data-protection-regulation-divisions-exposed-as-member-states-show-disharmony.html
Expect 1,000 objections by Member States to the EU’s Data Protection Regulation: http://amberhawk.typepad.com/amberhawk/2012/06/expect-1000-objections-by-member-states-to-the-eus-data-protection-regulation.html
The Regulation: what are the big changes to the Data Protection Act regime?: http://amberhawk.typepad.com/amberhawk/2012/01/the-regulation-what-are-the-big-changes-to-the-data-protection-act-regime.html
Reading between the lines of the latest Annual Report of the Surveillance Commissioner (published last week) there is much to worry about; a lack of resources is undermining privacy protection and the system of supervision.
As well as this significant degradation in privacy protection, the Surveillance Commissioner hints that the monitoring of users on the Internet might be unlawful if it does not consider the requirements of the Regulation on Investigatory Powers Act 2000 (RIPA). He also implies that the surveillance practices of the private sector should be subject to regulation.
In addition, the Report notes that the Department of Work (DWP) and Pensions and the Police appear to be circumventing some requirements of the Regulation on Investigatory Powers Act 2000 (RIPA) and points to the damage caused by the inadequate training of those who authorise RIPA surveillance.
This blog reviews all these issues (link to the Report at the end of the blog).
The DWP and police bypass RIPA requirements
In his Report, the Surveillance Commissioner identifies that with respect to directed surveillance, the DWP are now authorising Local Authorities. In relation to benefit fraud, any DWP authorisation removes the need for Local Authorities to obtain its own authorisation to perform directed surveillance from a magistrate as now required by the Protection of Freedoms Act 2012. This mechanism sidesteps the much vaunted protection of that Act (see references for a blog on this Act).
The evidence for this is in the Report; it notes that 4,309 directed surveillance authorisations were “granted by the Department of Works and Pensions”. The report then speculates that the DWP “authorises the use of directed surveillance conducted on its behalf by many local authorities” and that this “may account for the low statistics from other local authorities”.
In relation to the Police, the Report states that “I am less happy to discover that the proper ANPR authorisation process can be circumvented using the Police National Computer. I do not desire to prevent the use of this very useful tool, but the ease with which ANPR can be used for directed surveillance demands that authorisation processes should not be circumvented”.
Data sharing problems
In relation to data sharing, the Report notes concerns over the sharing of personal data which relate to the product of covert surveillance. These problems are:
• “First, there must be adequate protection of sources, techniques and product and this is not always apparent when there is no human in the loop to challenge the need to know”.
• “Secondly, I do not detect much effort by some authorising officers to make adequate arrangements for the destruction of product which was the result of collateral intrusion or not of value to the investigation or not properly authorised” and that “The default solution appears to be in favour of retention”.
• “The necessity and proportionality of retaining data, which may later be shared in a different context, is as important as the necessity and proportionality of obtaining it in the first place”.
All I would say is that the above involve possible breaches of the First, Third, Fifth and Seventh Data Protection Principles. The latter also raises a Second Principle issue, and clearly, any data sharing should be subject to the Code of Practice on data sharing (not mentioned in the Report). Any reader who works for a public authority that uses RIPA, might want to check on the above.
Is Internet surveillance subject to RIPA?
With respect to the Internet, the Report notes that the working assumption appears to be that Internet surveillance does not fall under RIPA. The Report however states that to the contrary, “some research using the Internet may meet the criteria of directed surveillance” and this is “particularly true if a profile is built by processing data about a specific individual or group of individuals without their knowledge”.
The Report then spells it out; “The Internet is a surveillance device as defined by RIPA section 48(1)” and that “surveillance is covert if, and only if, it is conducted in a manner that is calculated to ensure that persons who are subject to the surveillance are unaware that it is, or may be taking place”.
The Report adds that “Knowing that something is capable of happening is not the same as an awareness that it is or may be taking place. The ease with which an activity meets the legislative threshold demands improved supervision”.
Can you pause for a moment here: fair processing notices which generally state that some kind of surveillance “may happen” could easily fall within the problem the Surveillance Commissioner has highlighted.
Surveillance by private sector is uncontrolled
The Report states that the “Monitoring the activity of investigative journalists or other non-public authority entities (such as private investigators working on behalf of insurance companies) is not within my remit”.
The Report then adds that as public authorities have to be held accountable (e.g. by RIPA) “it seems to me odd that the use of techniques that would require authorisation if conducted by a public body is accepted, without apparent challenge, if it is not conducted on behalf of the State”.
The Report concludes that “invasions of privacy of this nature are unregulated” and that “The public should be confident that there are adequate mechanisms so far as public authority covert surveillance is concerned; but there is no system of regulation of surveillance for covert investigative, commercial or entertainment purposes”.
The Report gives an example of where regulation is needed: “the Commissioner believes that the use of privately owned ANPR systems for a covert purpose should be subject to authorisation if it is to be used for the benefit of a public authority operation or investigation”.
The Surveillance Commissioner’s resources
The Report notes that the Commissioner’s budget “has always been less than £2 million” and that “the budget for 2011-12 was reduced to £1.58 million”. This sum covers the cost of supervising the use of directed surveillance on 12,015 occasions, 2,646 property interferences, 408 intrusive surveillance of which 82% are urgent, and 3,361 uses of covert human intelligence sources. Summing these, we can say that there were 18,430 “surveillance events” covered by the period of the Report.
So if we assume that the cost of supervision by the Commissioner is about the same for each surveillance event, then £1.58 million covers 18,430 surveillance events. This works out at £85.73p per surveillance event – a very marginal sum at best which, in my view, sends a message that supervision is not valued!
This lack of resources reflects the depth of supervision. The Report, for instance, notes that “My Assistant Commissioners and Inspectors can only carry out a dip sample of authorisations at inspections. ... The Commissioners do not contemporaneously examine authorisations for other types of covert surveillance”.
To misquote the late James Goldsmith: “Pay peanuts – get sheep dipping".
Lower protection by the Protection of Freedoms Act 2012
I think the Report provides evidence that the Protection of Freedoms Act 2012 reduces RIPA protection in the context of Local Authorities.
This evidence arises from the firm rejection of “a Home Office proposal that I should report on the performance of the many thousands of magistrates who, when the Protection of Freedoms Act 2012 commences, will be enabled to approve the authorisation of covert surveillance by local authorities under RIPA”. The Commissioner then notes that he does not possess the powers to report on magistrates and that “In any case, I do not have the resources to take on this task”.
One conseqeunce of the Protection of Freedoms Act is that,in this case, the training of 400 authorisation officer (one from each Local Authority) has been exchanged for the training of thousands of magistrates.
It is well known that surveillance is used by Local Authorities sparingly; they are a minor user of RIPA authorisations. Whereas an authorisation officer for a Local Authority will over time become familiar with the issues associated with granting authorisations for surveillance events, magistrates will not because they might not even deal with one event per year.
In other words, I think the risk of an erroneous authorisation in the context of Local Authority use of RIPA’s enabling powers has increased.
The absence of training
The lack of training will also result in many RIPA mis-authorisations. This is demonstrated by the following quotes from the Report; they don’t need any amplification from me.
“The loss of expertise in law enforcement agencies as a result of redundancy and career termination is noticeable in many forces. An increasing number of authorising officers have limited experience of covert operations; some compensate by detailed scrutiny, others succumb to the assertions of more experienced applicants or the demands of their other responsibilities”.
“An increased need for training appears to exceed the capacity of diminishing training budgets. There is an increased reliance on internal training delivery; the quality varies considerably from one authority to another”
“Using covert technology because it is easier, cheaper or potentially quicker is a temptation many authorising officers accept as a compelling argument. In some cases it may be proportionate, but in many cases other less intrusive or overt options could be considered. Proportionality is not the same as convenience and a lack of resources should not be a significant factor in decision-making”.
“I expressed concern, at paragraph 5.15 of my last report, at the ignorance of many non-law enforcement agencies regarding CHIS. The situation has not improved. I remain concerned that many non-law enforcement authorities still cannot properly identify a CHIS...”
Looking at this Report in the round, one concludes therefore that much RIPA activity is in fact unregulated and depends on the good-faith of the organisation undertaking the surveillance to follow the rules. However, increasingly, those who authorise RIPA surveillance are not fully trained in best practice and that an increasing number of incorrect authorisations is a likely consequence.
If this is the result, then the system of RIPA supervision, which many already believe to be inadequate, will ultimately fail. Self authorisation of surveillance activity cannot possibly work if those authorising the surveillance are inexperienced and do not know the law.
Annual Report of the Chief Surveillance Commissioner to the Prime Minister and to Scottish Ministers for 2011-2012 on http://www.official-documents.gov.uk/document/hc1213/hc04/0498/0498.pdf
Why the Protection of Freedoms Act changes to the RIPA regime are inconsequential. http://amberhawk.typepad.com/amberhawk/2011/03/ripa-changes-in-freedoms-bill-negligible-improvement-in-privacy-protection.html
All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.