Member States divide over the protection offered by the Irish version of the data protection regulation

Do you know what? After watching a very turgid video covering the meeting of Ministers (June 6th) which discussed the Irish text of the Data Protection Regulation, I have concluded that there is a no agreement in sight. Indeed, I think the Regulation will not see the light of day unless there is a great “love-in” between Member States.

As I explained in the last blog, some Member States want more “risk assessment”; a move which in combination with a reduced consent requirement will, in my view, definitely reduce the protection afforded to individuals below that of Directive 95/46/EC (see last blog). This view has been reinforced by public comments in the French Parliament (see references) following the meeting last Friday week.

In summary, at the Meeting, each Minister expressed broad support for the risk assessment elements of the Irish text (i.e. that certain security elements such as reporting data losses depend on a risk assessment or Privacy Impact Assessment) and the consequential reduction in the administrative burden.

There was also universal agreement that the Regulation should apply to the European Union itself (and this will happen).

Apart from that, there was very little else to agree on and that is why all Member States agreed that “nothing is agreed until the text as a whole is agreed”. A better version of this quotation is perhaps “we agree to disagree for the moment”, (which I suspect is more accurate).

I have broken down the blog into four areas that report the areas of Member State division: these are;

• Do we want a high level of data protection?
• Unambiguous consent versus explicit consent
• Public sector inclusion
• Data minimisation

 Do we want a high level of protection?

The European Commissioner responsible for the original text of the Regulation (Viviane Reding) and Ministers from Germany, Austria and France all referred to the need for a “high level of protection”. This statement really should raise alarm bells with data subject groups; why would this question be raised unless the Member States concerned think that the Irish text did not offer a high level of protection?

Indeed, Ms. Reding stressed that a red-line for her was a text that did not offer the level of protection afforded by the Directive 95/46/EC. Greece, for instance, explicitly referred to “regression with respect Directive 95/46/EC” (which happens to coincide with my view of the Irish text; see references).

In other words, some important Member States have expressed the worry that the Irish “flexible” text degrades the existing level of protection afforded to individuals; if this view persists, the Regulation is finished (much to the satisfaction, I suspect, of a few Member States including the UK).

As for Ms Reding, all I will do is use the quote she gave in  press release before the Minister’s meeting. It says it all:

"I will fight for a reform of the EU's data protection rules that will strengthen the rights of EU citizens and stimulate growth in the evolving digital single market. With this reform, Europe should become a standard setter for modern data protection rules across the globe. I count on the European Parliament and on the incoming Lithuanian Presidency to resist, alongside the Commission, all attempts by those who are still trying to weaken data protection standards in Europe. (my emphasis).

Unambiguous consent versus explicit consent

For Mrs Reding, the Irish reversal to “unambiguous consent” means that the Regulation will fail to offer a higher level of protection. Her view is that the Directive 95/46/EC formulation of “unambiguous consent” has meant that silence (e.g. some forms of opt-out, one presumes) has been equated with consent, thus guaranteeing some lower level of protection.

For her, “explicit consent” is needed because the “unambiguous consent” of Directive 95/46/EC has failed to deliver; a view that has the support of Germany, Greece, France, Italy, Poland, Rumania and Spain. On the other hand, many countries prefer “unambiguous consent”; for instance, the UK, with many others in support.

My own conclusion is that Member States are split on this subject and the final form of consent is unclear. However, on balance, I think consent needs to be explicit because many Member States want the old “unambiguous consent”  to be combined with a risk based approach to data protection.

As I explained in the last blog, this combination could significantly degrade the protection afforded to data subjects so much so that any call for “risk approach” in the absence of “explicit consent” as per the original Regulation text, is in my view, is a euphemism for the “reduced protection” so feared by Ms. Reding.

Public sector flexibility

A number of Member States (e.g. Germany, Denmark, Spain, Belgium, Lithuania) want “flexibility for the public sector”. For flexibility, read “more exemptions”.

Sadly, however, these Member States did not specify what "flexibility" was being sought so one assumes that it is broadly based. Since the Irish text relates to rights and Principles, one presumes also that these exemptions being sought by certain States are from rights of data subjects and/or Principles (merely because the data controller is in the public sector). However, public sector exemptions from the regulatory regime (yet to be agreed at Ministerial level) could be a further possibility.

It is important to explain why such exemptions degrade the level of data protection. For example, suppose a data controller is required by law to collect data item X from all data subjects for purpose Y. For example, in Scotland, Mrs Thatcher’s Poll tax legislation demanded the collection of dates of births of all adults in Scotland.

In practice dates of birth were only needed for those coming up to the age of 18 so the date upon which the Community Charge commenced for them could be identified. After the 18th birthday, the date of birth was not needed by Community Charge officials.

In other words, the vast majority of dates of birth were collected by law and not needed. However, because there was legislation requiring the collection and use of such dates of birth, the processing was lawful and the personal data were relevant (i.e. the legislation itself legitimised the excessive processing of personal data is in fact an exemption from that requirement).

Note that the data protection requirements of “relevance” did not get a look in!

This problem is writ large across the public sector and explains why public sector surveillance, authorised by law, is in effect a broad data protection exemption. So if Ministers want more carve outs from data protection obligations for their own Departments of State; don’t be surprised if you see many of them in the Regulation.

Minimal data minimisation

Quite a few countries (Germany, France) expressed concern that the Principles had lost the requirement for data minimisation (i.e. the obligation that personal data are “limited to the minimum necessary in relation to the purposes for which they are processed; they shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).

These Member States agreed with Ms Reding who said that the data minimisation Principle was important to protect privacy with respect to developments in Cloud Computing and Big Data, and would promote the use of 'pseudonymous data' (rather than identifiable personal data). I suspect Ms. Reding sees data minimisation as another red-line.

Note that this has to be read with the fact that Privacy by Design (PbD) requirements are now subject to a risk assessment which reduces the impact of the original provision. The data minimisation requirement of the original text have been eliminated; instead PbD is a requirement (if appropriate to the risks); the Irish requirements (in A.23) applies only to “the amount of data collected, the period of their storage and their accessibility”.

Note that these PbD provisions do NOT apply to the “use” and “disclosure” of personal data and I think this, and the removal of the strict data minimisation requirement, substantially degrades PbD as a protection.

Conclusion

So, in short, data subjects can see reduced consent requirements, their personal data not subject to some minimisation rules, more exemptions for the public sector in circumstances not related to crime and taxation, as well as a risk based/unambiguous consent combination I discussed in the last blog.

I short, I think Member States that fear a reduced the level of privacy protection afforded to data subjects are right.

References

Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013;  (starts 9 minutes 48 secs in):
http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13017

Note: to get to a specific Member State contribution, scroll down after the five items marked (Item A), the last obe being “A Item 5 – removal of fins from sharks”. Under the “personal data tag, is a list of country flags (Mrs Reding is the Euro flag). Before each country flag is the Irish flag (which is the Irish chair’s introduction to the contribution to each Member State. Remember to choose your national language as well.

My blog on Google and Facebook getting the upper hand with the Irish text:
http://amberhawk.typepad.com/amberhawk/2013/06/irish-data-protection-regulation-text-gives-google-and-facebook-the-upper-hand.html

My blog on the Irish gutting the Commission’s original Regulation text: http://amberhawk.typepad.com/amberhawk/2013/06/irish-do-hatchet-job-on-the-data-protection-regulation.html

French view of the Regulation (another blog) http://www.hldataprotection.com/2013/06/articles/consumer-privacy/draft-eu-data-protection-regulation-rejected-by-french-government/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+ChronicleOfDataProtection+%28HL+Chronicle+of+Data+Protection%29

If you are interested in why data protection and human rights legislation has difficulty in protecting privacy (set in the context of general surveillance): http://www.amberhawk.com/uploads/surv1_website(2).doc

 

How the UK’s risk-based data protection policy can result in lower standards of data protection

Today’s blog deals with the UK position on the Irish text of the Regulation and is based on the statements of Chris Grayling MP, the Cabinet Minister responsible for data protection at a June’s Council of Ministers meeting (see references).

Following these statements I have concluded that the current UK Government policy on data protection supports a level of protection below that established by Directive 95/46/EC. This arises because the Government want many more data protection obligations in the replacement Regulation to be assessed on a risk based approach whereas in the current Act, the notion of risk is only applied in a small part of the Interpretation of the Seventh Principle.

In this blog, I explain why such a comprehensive approach based on risk or harm is flawed and why it reinforces my concerns over Article 80a (see last blog). I also show that the Information Commissioner’s (ICO’s) stance on the Regulation has been selectively used to bolster the Government’s position.

The UK position on the Regulation

The UK position was expressed by Secretary of State, Chris Grayling in a 5 minute speech. After welcoming the changes in the Irish text, all further statements related to imperfections in the Irish text. Only once did the Secretary of State mention, in passing, the importance the enhanced protection for individuals but only in the context of a balanced approach for data controllers.

In summary, the UK position on the Regulation is as follows; remember these comments relate to the Irish text published in June 2013, and not the draft produced by the European Commission a year and a half ago. These are

• The territorial nature of the Regulation needs more consideration to assess whether it is practicable; Chris Grayling used the word “unrealistic” to describe these provisions in the Irish text. These provisions relate to a provision where a data controller based outside the EEA, offers goods or services to data subjects or monitors their behaviour within the European Union. In other words, the UK is questioning the application of the Regulation to data controllers based in the USA (and there are no prizes for guessing which USA based organisations fall into this category).
• The provisions concerning “consent” have not been discussed by the working groups (by implication, the Irish move to “unambiguous consent”, which is exactly as those in Directive 95/46/EC, might not be a sufficient change for the UK). Remember the Irish text has removed the provision that the data controller has the burden of proof to show he obtained consent, and the provision relating to the imbalance of power between data controller and data subject (i.e. the Irish text allows for the continuation of Hobson’s choice consent – or as I call it, Home Office consent).
• The impact on business should be judged from the context of the SME’s which are going to drive economic recovery and not from the standpoint of Google or Microsoft (this is at variance from the French position which is seeking application for the complete Regulation to Microsoft and Google but with appropriate exemptions for SMEs).
• There should be a business impact assessment (as the UK has its own figures, as do the Dutch and Belgium Governments which show a cost to business of the original Regulation). This I suspect is a device to waste time as the Regulation needs to be enacted by June 2014.
• The risk based approach needs to be taken further and the security principle is welcome (mainly because it looks like the existing UK provision). This implies that other Principles and rights should be subject to risk based approach (see below).
• Finally, the UK still want a Directive (with the support of Belgium and Hungary); I consider this likely for the next European Parliament (see next blog; later this week).

The ICO position

The ICO has published a letter that summarises his well known concerns with respect to the Regulation text as published by the Commission in January 2012. These are not new: for example, reporting every data loss; authorising transfers; funding for his office if notification is scrapped; lack of flexibility re the role and responsibilities of the ICO.

Unsurprisingly, as this supported the UK position, the letter was promoted by Secretary of State, Chris Grayling as justifying the UK stance. What the Secretary of State did not say was that ICO’s letter (see references) also welcomed elements in the Commission’s text which the Irish text has subsequently weakened.

For instance, the ICO’s letter welcomed:

• the stronger explicit “consent” provisions of the Commission’s text; by contrast these have been reduced by the Irish text to “unambiguous consent” (i.e. the standard of Directive 95/46/EC).

• the clearer provisions about data processor responsibilities; however the Irish text provides a mechanism so that Member States can order a data processor to disclose personal data to the law enforcement authorities without informing the data controller. Note that this means that NSA-PRISM-type activities can be legitimised by any Member State in relation to any data processor – and nobody is the wiser unless a whistle-blower is forthcoming.

• the “introduction of accountability” for data controllers; by contrast, the Irish text removes the Accountability Principle in favour of a Security Principle based on the current UK Seventh Principle.

• recognition of the importance of Privacy by Design or Privacy Impact Assessments; by contrast, the Irish text removes the data minimisation provisions (i.e. removal of the requirement to limit the processing to the “minimum necessary in relation to the purposes for which they are processed” and that personal data “shall only be processed if, and as long as, the purposes could not be fulfilled by processing information that does not involve personal data”).

One really wonders whether the ICO is content with the Irish text changes so far? What I will say is that after being so critical of the Commission’s Regulation, he cannot remain silent if, in his view, changes to the Regulation reduces the protection afforded to data subjects.

The risks of the risk based approach

However, Chris Grayling also stated that the risk based approach should be extended to more of the Regulation. This moves UK data protection policy objectives in the direction of the approach adopted by the APEC Privacy Framework or the Obama Administration’s policy towards online privacy – both of which are based on a risk assessment or the notion of “harm”.

There are three problems with such a harm or risk-based approach:

• First, a risk based approach will be based on a data controller assessment of harm to data subjects in general, whereas harm can only be accurately assessed from the standpoint of each data subject.
• Second, any personal data processed with “data subject consent” is unlikely to need a risk assessment.
• Third, any personal data that is published does not need a risk assessment.

Some thirty five years ago, well before the UK had any data protection law, the notion underpinning a data protection regime based on "harm" was firmly rejected by the Lindop Committee in its Report on data protection in 1978 (Cmnd 7341 paras 18.24-18.27).

Lindop concluded that there was no objective standard whereby a data controller could be able assess harm prior to the processing of personal data because there was no way an organisation could judge whether its personal data or its processing would be sensitive or non-sensitive.

Of course the data controller could identify that there might be harm in some cases (e.g. because of the confidential nature of some personal data or the potential for impact on the data subject). However, as a data controller could not make an assessment that the processing was “harmless”, it followed that many data protection obligations could not be based on harm.

This is because the potential for harm is a subjective assessment that can only be accurately judged by each data subject concerned and of course, such assessments can change over time and in context.

For example, suppose a data subject gives a new address to a data controller: is this “harmless”? For most data subjects the change of address might follow some routine house-move. However, if a data subject is changing address because of a violent relationship, then who has access to the name and new address becomes a matter of deep concern for that data subject. The data subject knows this context; the data controller doesn’t.

That is why putting more of the Regulation on a risk-based approach is a flawed idea; the only person who can assess risk properly is the data subject and such risks fluctuate depending on the context.That is why the French Minister, at the meeting of Ministers, was wholly correct to assert in her speech that any risk assessment approach needs the involvement of the data subject.

Consent, public domain personal data and a risk-based approach

If a data subject consents to the processing of personal data, then he is making an informed judgement about any harm to himself caused by any intended processing by a data controller. Any data controller assessment of harm is redundant as it will be trumped by the data subject’s own assessment of harm.

For instance, what would you say to a data subject who took a risk in relation to his own privacy and then argued for compensation based on the fact that the data controller’s assessment of risk was wrong. I think you would say something like “get lost”.

And that is why data subject consent makes it difficult to argue there has been a breach of Article 8 of the Human Rights Act; most Article 8 cases involve interference with private and family life in the absence of consent.

And that is why, when considering the Regulation, the definition of “data subject consent” is so important. If it is weakened, then a single unticked-opt-out box could easily reduce the protection afforded to data subjects. Note also, the implication that any change to a risk based approach towards data protection needs a stronger and more detailed consent base (not a weakened one!). For example, for consent to be fully informed, details about retention periods (5th Principle) might need to be given.

If more of the Regulation becomes “risk-based”, the more protection is stripped off the data subject for that unticked-opt-out box. For instance, if all the data protection principles were “risk based” and if the data subject were to consent, then the application of the principles would also be removed.

Similarly, if personal data were published by a data subject and someone else took advantage of that, one would say “well, you should not have published”.  In the APEC Privacy Framework for example, the Privacy rules do not apply to personal data that has been published (e.g. by Facebook, Youtube etc).

So, for instance, in a complete risk-based data protection world, a data controller can use public domain information (e.g. put into the public domain by unambiguous default Facebook settings) to assess a data subject for employment. There is no obligation to ensure that these personal data are relevant for the employment purpose, nor to be fair to the data subject, nor indeed to keep the personal data secure.

After all these personal data are in the public domain. By contrast, the Data Protection Act does require observation of these Principles.

More importantly, Article 80a of the Irish text allows Member States liberty to introduce exemptions with respect of freedom of expression; this could be applied to personal data placed in the public domain by the data subject with “consent” (whatever that means).

Conclusion

You can see now why the UK Government public policy for reduced standard of consent AND more risk based approach results in a reduction of the standards of data protection.

References
ICO letter of 24th May 2013:  http://www.ico.org.uk/news/~/media/documents/library/Corporate/Notices/rt-hon-chris-grayling-ministry-of-justice-20130603.ashx

Blog on UK Government’s preference for a Directive:
http://amberhawk.typepad.com/amberhawk/2012/11/uk-government-opposed-to-the-commissions-data-protection-regulation.html

Blog on Article 80a of the Regulation;
http://amberhawk.typepad.com/amberhawk/2013/06/irish-data-protection-regulation-text-gives-google-and-facebook-the-upper-hand.html

Council of the European Union Justice and Home Affairs - Legislative Deliberations re the Data Protection Regulation, Thursday, June 6, 2013;  (starts 9 minutes 48 secs in):
http://video.consilium.europa.eu/webcast.aspx?ticket=775-979-13017

Note: to get to the UK contribution, scroll down after the five items marked (Item A), the last one being “A Item 5 – removal of fins from sharks”. Under the “personal data tag, click on the Irish flag just before the Union Jack.

Obama’s Consumer Privacy Bill of Rights:  http://www.whitehouse.gov/sites/default/files/privacy-final.pdf
The APEC Privacy Framework and data protection – 2008 which explains why the APEC Framework is deficient in European Data Protection terms (e.g. Directive 95/46/EC); available on http://www.amberhawk.com/uploads/APEC.doc

Irish data protection regulation text gives Google and Facebook the upper hand

Would you be surprised if the Irish text of the Regulation could allow a Member State, most likely Eire, to implement specific exemptions for companies like Google and Facebook from those data subject rights that involve accuracy, correction, erasure of personal data and the so-called “right to be forgotten”?

In addition, would you be surprised if the definition of “main establishment” introduced by the Irish could mean that any enforcement action against such companies would be prolonged and could easily exhaust a regulator’s capacity (most likely the Irish Commissioner) to enforce the Regulation?

Finally, the change from “explicit consent” to “unambiguous consent” means that the fair information practices that these companies employ with respect to Directive 95/46/EC (which are now subject to legal action by the CNIL on behalf of all Europe’s Data Protection Commissioners) can continue into the new Regulation, unabated. This change makes the outcome of the CNIL’s action more important to the privacy of Europe’s citizens.

These are three reasons why, in my view, the Irish redraft risks taking the level of protection for individuals to a level lower than that achieved by Directive 95/46/EC. More detail of these concerns are given below.

The freedom of expression issue

The objective of the Irish drafting changes to the Regulation is to allow for “flexibility”. However, Article 80 is so “flexible” that it is possible for any Member State to enhance their “attractive” corporation tax policies with some “reduced” data protection standards as well.  And when enacting these reduced standards, any politician would be able to justify them in terms of defending “freedom of expression”?

In the UK’s Data Protection Act, the Special Purposes (journalism, literature, art) and a special enforcement mechanism is defined in order to protect freedom of expression. In Section 22A of the Irish Data Protection Act, there are exemptions for that processing which is undertaken “solely with a view to the publication of any journalistic, literary or artistic material” (my emphasis on solely throughout).

Wide exemptions like this are justified in terms of Article 9 of Directive 95/46/EC which states:

“Member States shall provide for exemptions or derogations from (…the main chapters of the Directive such as rights and principles ..) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression”.

Notice that in the Directive, the processing has to be carried out “solely for journalistic purposes or the purpose of artistic or literary expression” and any exemption introduced by Member States has to be in the context of these three purposes.

Now look at the replacement for this Article in the Irish text:

Article 80:  “Member State law shall reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression, including the processing of personal data for journalistic purposes and the purposes of artistic or literary expression”.

Notice the provision includes journalistic purposes or the purpose of artistic or literary expression. In other words, the provision of exemptions on freedom of expression grounds can go beyond art, journalism and literature as these three are examples of “freedom of expression”.

Of course, one might argue that the extension is needed to protect personal data in blogs or tweets. For instance, the Hawktalk blog is not journalism (far too accurate to qualify for journalism?), nor does its prose have much in the way of artistic or literary merit (not flowery enough, perhaps?). Hence, for example, if I criticised a politician for degrading the level of data protection, I am pleased that there is a freedom of expression exemption that could give me some protection.

However, the extension is not limited to blogs and tweets; it can “flexibly” be extended by a Member State. For instance, during the furore over the Commission’s initial suggestion for a “right to forget”,  Google’s Global Privacy Counsel, Peter Fleischer began referring this right in terms of “censorship” (i.e. a restriction on “freedom of expression”). So could one imagine a “freedom of expression” exemption be fashioned by a Member State in order to satisfy a requirement from Google re the right to forget? I think it can.

Suppose you share something on Facebook about a friend without permission: is that an invasion of your friend’s privacy or an indication of your freedom of expression? Facebook representatives have often argued that any restriction on such sharing is a prohibition on the freedom of expression. So, there again, could a “freedom of expression” exemption be fashioned by a Member State that facilitates such data sharing on social networks?

Also, please remember that corporate USA’s dollars funded an extensive lobbying campaign against the Regulation. If corporate America organised this effort in the European Parliament, it is easy to imagine them applying the same pressure on a Member State to demonstrate “flexibility” in the context of rights that relate to “freedom of expression”. This is especially the case in these economic hard times.

Of course one might say that the European Commission would step in and take immediate action if this were to happen. All I would respond is that the words “immediate” and “action by the European Commission” in my judgment is a contradiction in terms. For instance, the Commission started threatening infraction proceedings against the UK in 2004 on the grounds that the Data Protection Act 1998 was an inadequate implementation of Directive 95/46/EC. Nearly a decade later nothing has happened.

The “main establishment” issue

I am also concerned that the regulatory framework in the European Commission’s original text could be so weakened to such an extent that a regulator cannot take effective legal action against such large multi-national companies. This is best shown in the context of the Ireland, because as is well known, for corporation tax “flexibility” purposes, Google and Facebook have both established their European HQs in Eire.

The definition of main establishment in the Irish text of the Regulation states that for a data controller “the place of its establishment in the Union where the main decisions as to the purposes, conditions and means of the processing of personal data are taken”. This would be Ireland and it also means that the Irish Commissioner is the key data protection supervisory authority for all of Europe’s citizens with respect to Google and Facebook etc.

So suppose, perish the thought, that one of the European Union’s half billion data subjects has a data protection problem with Facebook. That data subject would turn to the Irish Commissioner.

Now Facebook is a large organisation, and UK taxpayers might want to know that a low corporation tax payment in the UK has allowed it to invest in real-estate in Dublin. Click here to view Facebook Dublin HQ (pleasant isn’t it):  View this photo

Of course, if there are legal problems, Facebook in Dublin will call on the assistance of Facebook HQ in the USA.  Click here to view Facebook HQ occupying a site of over a square kilometre in size:  View this photo

Against Facebook would be the Irish Data Protection Commissioner and it is useful to click here to compare Facebook HQs with that of the Irish DP Commissioner. The Commissioner’s HQ is next to the Centra supermarket:   View this photo

Get the message?

According to the 2012 Annual Report, the Irish Commissioner’s budget is £1.3 million  per year (€1.5 million or $2 million). He will be taking on Facebook (2012 revenue of $1.68 billion) and Google (2012 Revenue $50 billion) and all the other corporation tax refugees settled in Ireland.

Thus, irrespective of the merits of the Irish Commissioner and the ability of his staff, any serious enforcement action means that he will be tied up in legal red tape; these companies are simply too big for one small Commissioner to take on.

Conclusion

The reasons above explain why I think the Irish text of the Regulation sets up, in the case of corporate America, a structure that could very easily seriously undermine the data protection obligations that protect the privacy of all of Europe’s citizens.

Update on FOI/DP Interface

In my blog of the DAPIX leak (date 29/05/2013) I said that the proposed changes to the Regulation could interfere with the DP/FOI interface. This risk of interference has been lessened by Article 80a of the Irish text which states that:

 “Personal data in official documents held by a public authority or a public body may be disclosed by the authority or body in accordance with Union law or Member State law to which the public authority or body is subject in order to reconcile public access to such official documents with the right to the protection of personal data pursuant to this Regulation”.

This Article was missing from the DAPIX leak. So what I think will happen is that the powers in Schedule 2, para 6(2) can be used to restore the Data Protection/FOI interface that we love and know.

References

Data protection as “censorship”: Peter Fleischer; http://peterfleischer.blogspot.co.uk/2011/03/foggy-thinking-about-right-to-oblivion.html

Facebook: Proposed EU ‘right to be forgotten’ raises “major concerns” over freedom of expression online: http://thenextweb.com/facebook/2012/11/20/facebook-proposed-eu-right-to-be-forgotten-raises-major-concerns-over-freedom-of-expression-online/

Irish do a "hatchet job" on the Data Protection Regulation

The Irish Presidency has published the first 40 Articles of what it considers to be an acceptable Regulation; as I said with my DAPIX blog (see references) based on a leak of this document, my conclusion is:

Irish text = old Directive 95/46/EC + tweaks

In previous blogs on this subject, I have referred to the fact that there has been no agreement by Member States on the text. The DAPIX leak document (see references) is one of the few documents which explains why these disagreements arise.

The Irish text does not make any attempt to explain why the text has changed from the published draft, and this lack of explanation is a major hurdle in any analysis as it is easy to jump to a wrong conclusion.

For example, consider any deletion (this is marked by “(…)”) in the text. Is this because that there is no agreement on the text or is it because there is total agreement that the text should be removed? The answer to this question informs the analysis. With the former, the removal is to paper over the cracks of disagreement; with the latter, all Member States disagree.

So when looking at the detail of the Irish text (which I expect many of you will do so), please have the DAPIX leak at your side – the "why?" the text has changed is as important as the actual change to the text.

To overcome all disagreements and arrive at its "hatchet job", the Irish Presidency has resorted to three devices:

(1) Remove the offending passage in the original’s text that give rise to the disagreement (Just look at the number of “(….)’s” in the Irish text – easy to find, they are on every page!).

(2) Reduce the impact of a provision (e.g. insert words such as “where appropriate”, “where necessary” or “taking into account the impact on the data subject”. For example, the data loss, PIA and PbD provisions do this). Such changes also introduce a "risk assessment" element to these provisions (e.g. data controllers report high risk data losses). 

(3) Leave it to Member States to decide (e.g. the Data Protection Officer provisions). So where you see words like “where a Member State considers it useful….” replace them with “Except in the UK”. (The UK Government has a track record of “where there is an option, take it”).

Other changes that have caught my eye

I am not repeating the text of my blog on the DAPIX leak; those comments are still valid. Comments about the direction of travel are also valid as are comments on rights and security. So here goes with other commentary.

The Accountability Principle of the draft Regulation (personal data shall be “processed under the responsibility and liability of the controller, who shall ensure and demonstrate for each processing operation the compliance with the provisions of this Regulation”) is replaced by a general security principle (more or less our Seventh).

So does this mean that accountability is reduced or do Member States think that the obligations are covered elsewhere? I suspect that accountability principle is covered elsewhere – but without official explanation, I can’t be sure!

There is a definition of 'pseudonymous data' which is not used in the Irish text!  This suggests that the definition is used in the other 40 or so Articles that are not in the Irish text (e.g. Articles 81 or 83 that relate to the processing of personal data for medical purposes or research).

The definition of consent is weakened. The requirement that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” is removed.  There is no requirement that “The controller shall bear the burden of proof for the data subject's consent to the processing of their personal data for specified purposes”. No explanation is given for a change that will surely alarm most data subject advocates.

Article 11 (which requires data controllers to have transparent and easily accessible policies with regard to the processing of personal data and for the exercise of data subjects' rights) is removed. For public bodies, FOI requirements will cover this obligation. Most large data controllers should do this already, so it is possible that its removal is an attempt to be less prescriptive for smaller SMEs.

Article 13 (Rights in relation to recipients) is removed. This Article concerns the requirement on data controller to communicate any rectification or erasure carried out in accordance with the exercise of data subject rights to any recipient to whom the data have been disclosed, unless this proves impossible or involves a disproportionate effort. I have no idea why this removal was deemed to be necessary; it could be that the obligation becomes wrapped up in the data protection principles.

Article 29 (Co-operation with the supervisory authority is removed). This covers the requirement on the controller and the processor to co-operate, on request, with the supervisory authority in the performance of its duties or powers). This removal looks alarming – however, the powers of the supervisory  authorities (Article 53) have not been agreed by Member States and I suspect that the content of this Article is contingent on the content of the powers granted to supervisory authorities (and that explains the removal).

The time period for meeting a subject access request can be doubled in complex cases to around 90 days; the normal time period for simple requests is 1 month (30 days), but it can be extended to 3 months max in difficult cases (90 days).

In conclusion, I think most of the privacy lobby will see the revised Irish text as a “sell out” to big business. This is especially the case as the Irish have made no effort to publish any explanation of its changes.

I need to look at some areas more carefully before I come to any conclusion. What I will be looking for is not the removal of the obligations on the data controller (which can be included in a broad based Principle approach) but the ability of the data subject to get corrective action when an error occurs. After all, when something goes wrong, the first thing we want is to get the problem fixed quickly and easily.

In this regards, the powers of the supervisory authorities are key. If these are given the Irish hatchet as well, then I think the result could easily be a lower standard of data protection. In which case, I would advise the European Parliament to reject the Regulation and stick to the Directive.

References

Down load the Irish text here: Download Blog_revised Irish text published 31 May 2013

Blog on DAPIX leak here http://amberhawk.typepad.com/amberhawk/2013/05/latest-leak-the-new-data-protection-regulation-is-looking-more-like-the-old-directive.html  (The DAPIX document is a link at the end of this blog)

 

ICO needs a different strategy to deal with data protection offences

I have drawn the conclusion that the Government will not commence the custodial nature of Section 55 offence in the Data Protection Act this side of the General Election (and within the next few years). The reason is familiar: fear of upsetting the press.

I also think that the ICO needs to adopt another strategy to deal with the problem of not having the custodial element available; for instance, by passing over suitable cases to the public prosecutors and/or using the Monetary Penalty Notice (MPN).

As is well known, some of the tabloids and broadsheets are to the right of UK politics. Most of these newspapers take an anti-European stance and some support the idea of an “in-out” referendum; most of these newspapers also support the alternative Leveson Royal Charter drafted by their proprietors. In addition, some proprietors of these newspapers support those Conservative Euro-sceptic back-benchers who want Mr. Cameron either tied to a “UKIP-like” political-agenda (e.g. on human rights, immigration etc) or not leading the Party at all.

Suppose you are advising Mr Cameron in this febrile political atmosphere? With the next General Election about a year or so away, how about suggesting an offence that could result in Daily Mail journalists being locked up? Even after the Election, I don’t think an incoming Government say: “Hey, let’s implement S.55?”.

That is why, in a nutshell, I think the S.55 offence will not see the light of day for the next four or five years, when I suspect any Data Protection Regulation (if it survives – another story) will force the issue. The Regulation would also give Government the perfect alibi when implementing the custodial element of this offence: “Don’t blame me. Look what those nasty Europeans are imposing on us”. (No doubt, another reason for leaving the EU).

The issue has come to a head with the ICO’s Press Release (23 May 2013) concerning a former manager of a health service based at a council-run leisure centre in Southampton. This manager used sensitive personal data (medical) relating to over 2,000 people, and a fortnight ago was prosecuted under section 55 of the Data Protection Act at West Hampshire Magistrates Court. He was fined £3,000 and ordered to pay a £15 victim surcharge and £1,376 prosecution costs.

The ICO said:

“This case shows why there is a need for tough penalties to enforce the Data Protection Act. At very least, behaviour of this kind should be recognised as a 'recordable offence' which it isn't now. For the most serious cases the current 'fine only' regime will not deter and other options including the threat of prison should be available. The necessary legislation for this is already on the statue book but needs to be activated.

How many times, over the last decade, have you heard the ICO say something like the quote above? Well, if I were ICO, I would not “go there” again.

So what is my suggestion?

Well, I would pass serious cases like this to the Director of Public Prosecutors asking him to assess whether there was a prospect of a custodial offence:

• under the Computer Misuse Act (as personal data are often on a computer) and unauthorised access to a computer should equate with using computerised personal data without the consent of the data controller;

• of Malfeasance in Public Office (this is a common law offence – see references below) which applies to all public servants (as in this case); or

• under sector specific legislation that applies to certain information held by public authorities (e.g.  Census, Official Secrets and Social Security legislation has these offences).

Secondly, I would take a close look at the Monetary Penalty Notice (MPN). According to the Press Release, the convicted manager  “took the information hoping to use the data for a new fitness company he was setting up”.  Ergo, his company was a data controller and could have actually processed sensitive personal data unlawfully (and the data controller should have known that this is the case).

So, it is possible that the manager’s company could be subject to a MPN that then puts it out of business; well if a business depends on the unlawful processing of sensitive personal data it probably deserves it. Even if the company went into bankruptcy before the penalty could be recovered (as with the case of ACS Law), the message that a MPN would send would be unmistakeable.

Even if the manager moved jobs to by some other employer, that employing data controller could have benefitted by the processing of sensitive personal data unlawfully. Here the substantial breach could be associated with the First Data Protection Principle on the grounds of “unlawful processing”. There again, the MPN could be in the frame.

Then I would look at the manager’s previous employer. What did this data controller do with respect to leavers procedures? Are leaving employees told that they cannot use or disclose personal data they have been privy to? Is there a breach of the Seventh Principle?

Finally, I would challenge tosh like this published by the NHS on its home to reassure the public. Read on to find one obvious mistake:

“There are strict laws and regulations to ensure that your health records are kept confidential and can only be accessed by health professionals directly involved in your care….  Under the terms of the Data Protection Act (1998)  …. “It is a criminal offence to breach the Data Protection Act (1998) and doing so can result in imprisonment”.  (Quote present  on the site’s home page on 5 June 2013; I wonder how long it remains!)

If I were ICO, I would insist that this sentence would be replaced by: “It is a criminal offence to breach the Data Protection Act (1998); the penalty associated with this offence might be insignificant, for example when compared with what individuals might gain from committing the offence”.

References:

ICO press release re the DPA offence: http://www.ico.org.uk/news/latest_news/2013/leisure-centre-employee-prosecuted-for-unlawfully-obtaining-health-information-23052013

More on malfeasance in public office: http://amberhawk.typepad.com/amberhawk/2011/01/absence-of-custodial-data-protection-offence-increases-likely-use-of-malfeasance-in-public-office.html

NHS website with tosh about the DPA: http://www.nhs.uk/NHSEngland/thenhs/records/healthrecords/Pages/overview.aspx

Latest leak: the new Data Protection Regulation is looking more like the old Directive

Here is a swift “low-down” on the latest DAPIX leak (thanks to a friend of a friend who knows someone who received an email).

I think the headline says it all; the Regulation is being softened and weakened from the data subject perspective. The DAPIX document (see references for a copy) only refers to some Articles so the general effect on the Regulation is not clear from the document. However the direction of travel is clear.

That direction is; less prescription and more flexibility for Member States, all data subject rights to object (e.g. to forget, profiling) much reduced, the data protection officer role is not going to happen in the UK (I think), and data loss reporting becomes more sensible. The proposed modification to Schedule 2, paragraph 6 condition could impact on the UK's DP/FOI interface (Note posted 12/6/2013: the Irish draft text of the Regulation contains Article 80(a) which removes this risk - see last para of blog of 12/6/2013)

My own view: I still think the Regulation will not make it. Just look at the number of reservations from Member States. And there are another 40 Articles to go.

Definitions are closer to the Directive

The definition of personal data looks like the one in the Directive:

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly (…), in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. (Identification by persons other than the data controller has "gone")

There is a definition of 'pseudonymous data': this means “personal data processed in such a way that the data cannot be attributed to a specific data subject without the use of additional information, as long as such additional information is kept separately and subject to technical and organisational measures to ensure non-attribution”. However, it is unclear where it is used in the Regulation, so hold off criticism. Remember Google et al have spent a lot of money on this amendment!

Despite intensive lobbying from those who avoid corporation tax, the definition of 'pseudonymous data' has not been well received by Member States (so I suspect its use will be limited). The DAPIX document notes that “BE, DE, DK, IT, SI, PL and PT have lodged scrutiny reservation. FR and UK reservation. FR and PL queried the need for a definition of pseudonymous data. UK thought the definition was too  strict, making pseudonymous data tantamount to anonymous data”. (I am assuming that readers can identify Member States by their two letters).

Lawful processing

The Schedule 2 condition if the 1998 Act re that processing which is necessary in order to protect the vital interests of the data subject” has “or another person” added. This makes the condition look like the Schedule 3 vital interests condition.

The balance of interest conditions (para 6 of Schedule 2 of the 1998 Act) has replaced “third parties” by "data controller". For instance, the “processing is necessary for the purposes of the legitimate interests pursued  by the controller or by a controller to which the data are disclosed except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child”.

Note that for this condition to apply, the person to whom the personal data are disclosed has to be a data controller (and thus most likely subject to a data protection regime). So for instance, disclosure to Third Parties who are not processing personal data will no longer be legitimised by this version of the para 6 condition.

It can be seen that the condition used to justify disclosures of personal data to "third party" FOI requestors (i.e. the public in general) does not work if the requestors are NOT data controllers (i.e. some requestors will not be data controllers). An example of the law of unintended consequences perhaps.”.

Second Principle expanded in the direction of WP29 view

There are conditions prescribed for when a further processing purpose is incompatible with the purpose of collection. The WP29 view of the purpose limitation principle finds some reflection in the DAPIX document. It suggests:

“In order to ascertain whether a purpose of further processing is compatible with the one for which the data are initially collected, the controller shall take into account:
(a) any link between the purposes for which the data have been collected and the purposes of the intended further processing;
(b) the context in which the data have been collected;
(c) the nature of the personal data;
(d) the possible consequences of the intended further processing for data subjects;
(e) appropriate safeguards (CP comment: "for whom?" - one hopes "data subjects")

Right to data portability in trouble

The document shows that Member States don’t like this right and it might not survive. There is a “UK reservation: while it supports the concept of data portability in principle, the UK considers it not within scope of data protection, but in consumer or competition law. Several other delegations (DK, DE, FR, IE, NL, PL and SE) also wondered whether this was not rather a rule of competition law and/or intellectual property law or how it related to these fields of law. Therefore the UK thinks this article should be deleted".

The countries of “DE, DK and UK pointed to the risks for the competitive positions of companies if they were to be obliged to apply this rule unqualifiedly and referred to raises serious issues about intellectual property and commercial confidentiality for all controllers. DE, SE and UK pointed to the considerable administrative burdens this article would imply.”

Right to forget in trouble

I have counted 18 countries (66% of Member States) having some gripe or other about this right; I think it’s a “gonner”. Just look at the following:

“DE, EE, PT, SE, SI, FI and UK scrutiny reservation . BE, EE, FR, NL, RO and SE  reservation on the applicability to the public sector. Whereas some Member States have welcomed the proposal to introduce a right to be forgotten (AT, EE, FR, IE); other delegations were more skeptical as to the feasibility of introducing a right which would go beyond the right to obtain from the controller the erasure of one's own personal data (DE, DK, ES). The difficulties flowing from the household exception (UK), to apply such right to personal data posted on social media were highlighted (BE, DE, FR), but also the impossibility to apply such right to 'paper/offline' data was stressed (EE, LU, SI).”

Right to object to profiling neutered; carry on profiling

The right to object to profiling is made completely ineffective (e.g. as the right to object to automated decision taking in the current Act). There is an exemption that covers most of the time when profiling occurs. Profiling is OK if: 

"it is carried out in the course of the entering into, or performance of, a contract between the data subject and a data controller (…) and suitable measures to safeguard the data subject's legitimate interests have been adduced, such as the rights of the data subject to obtain human intervention on the part of the controller, to express his or her point of view, and to contest the decision"

Transfers outside the EEA

There is a new Right to know about transfers : "Where personal data are transferred to a third country, the data subject shall  have the right to obtain a copy of the appropriate safeguards relating to the transfer".

Data loss reporting conditions much reduced

All data loss provisions are qualified by the condition: "In the case of a personal data breach which is likely to severely affect the rights and freedoms of data subjects"  or “When the personal data breach is likely to severely affect the rights and freedoms of the data subject,  the controller shall communicate the personal data breach to the data subject without undue delay".

Data protection officer role left to Member States

In the UK, we might not have the data protection officer role. This can be seen immediately when one reads “The controller or the processor may, or where required by Union or Member State law shall, designate a data protection officer”. Will we get one? Doubt it.

Happy summer time reading (if we have a summer that is).

References

The DAPIX document Download Blog DAPIX leak June 2013

We are holding our half day on the Data Protection Regulation on June 10th (half a day with me must be worth something; for details click on the top left)

How Google lost the trust of Europe’s Data Protection Authorities

Over the last two years, various European Data Protection Commissioners have taken action against Google. Hardly a month goes by without something being reported: a €145,000 StreetView fine here or a court case about jurisdiction there.

So it is important to understand: “why is Google on the receiving end all this enforcement action?”. Why now, and not five years ago? What has changed?

From Europe’s Data Protection Commissioners perspective, there is a collective recognition that Google has given them the equivalent of the two fingers. Despite a lack of powers and resources, (and even though, for example, a maximum fine of £500,000 is a pinprick to an organisation whose profits are running at more than £8 billion per year), the Commissioners have collectively concluded that not to take action is not an option.

From Google’s perspective, I don’t know whether it is “carelessness” or “arrogance” or a combination of the two. “Carelessness” because data protection regulators generally try to reach some kind of compromise; so why can’t Google compromise? “Arrogance” because Google might have taken the view that it is such a rich, powerful and profitable multinational that it can process personal data despite the concerns of national data protection regulators (and if there is a dispute, tie them down in court processes that wipe out their legal budget).

Faustian Pact and increasing surveillance

Five years ago, there was an acceptance by most Internet users that the free access to services offered by Google involved an undeclared Faustian Pact. The user received the services for free and in return Google captured some data that assists something called “behavioural advertising”.

At that time, the user did not care much because – what the heck - the Internet experience was really valuable and of course, the Internet got better by the day. The Pact was sustained in the knowledge that free access to the Internet was (and still is) the main delivery vehicle for uncensored information into authoritarian regimes.

Of course, at that time also, there were a collection of “privacy nutters” bleating on the side-lines, identifying a host of hypothetical or far-fetched problems. For instance, the StreetView images of anonymous individuals (but identifiable to those who know that individual) entering a sex-shop or, more recently, receiving a hand-job in the back streets of Manchester. I guess that such images caused more general amusement than concerns over individual privacy – after all the user was not looking at himself or herself.

However, over time, there has been dawning realisation that Google’s surveillance does indeed focus on each and every user; Google follows surfers around the net, wherever they go, whether they are logged into a Google service or not.

As Google’s “free” services expanded and the Internet developed, this Faustian Pact resulted in an unrestrained collection of more data about its users. This in turn resulted in a virtuous (or vicious) spiral; a booming business that needs more and more user data to guarantee higher and higher revenues from advertising.

That is why Google’s Mission Statement is all about data collection: it states that “Google’s mission is to organise the world’s information and make it universally accessible and useful”. Want a “scary version” of this Statement? Just place the word “personal” before the word “information” and ask “accessible by whom?” or “useful for what?”.

It is no surprise that Google’s vast personal data collections are acting as a magnet for other forms of surveillance activity. That is why Governments want access to how the public uses the Internet so that law enforcement can obtain IP addresses and details of browsing habits. The collection and subsequent retention of such personal data concerns all users irrespective of whether or not there are grounds for suspicion for its retention.

The privacy issue here can be simply expressed: the grounds for suspicion about an individual user do not arise before the time of collection of IP addresses etc. Such grounds are found afterwards when the authorities, in some back office and at some time in the future, try to find a “wrong-un”. If a profiling algorithm is used, then any suspicion is likely to be based on a pre-programmed set of assumptions. In this way, the data that Google (and others) collect turns every user into a potential suspect.

Application of the Reagan Doctrine

Even with its own privacy pronouncements, Google has been exposed as being “economical with the truth”. For instance, what Google told the Information Commissioner in July 2011 was that the WiFi data collection by its StreetView Camera cars was accidental.

By contrast, a Federal Communications Commission (FCC) report into the same problem made it clear that Google intentionally intercepted such WiFi data for business purposes and that many supervisors and engineers within the company reviewed the code and the design documents associated with the interception. That is why the Federal Communications Commission imposed a $25,000 fine in April 2012.

However, I think the most damaging conclusion was that Google impeded the FCC investigation by “delaying its search for and production of responsive emails and other communications, by failing to identify employees, and by withholding verification of the completeness and accuracy of its submissions”.

So when Google says something about privacy, how do we know that it is kosher? That is why European Data Protection Commissioners are pushing their equivalent of the “Regan Doctrine” at every turn: “trust but verify”.

So when Google last year changed its Privacy Policy, many Data Protection Commissioners wanted answers to certain questions and the CNIL (the French Data Protection Authority) was given the lead co-ordinating role. All European Commissioners signed a letter containing a number of queries on 26 October 2012 expressing their concerns asking Google to comply with their recommendations within 4 months. Google’s response was of the two fingered variety.

The CNIL’s concerns (still unaddressed) were that Google:

• did not provide retention periods and has refused to provide retention periods
• has not provided sufficient information about its personal data processing
• should reinforce users' consent  offer an improved control over the combination of data  by simplifying and centralizing the right to object (opt-out)
• should allow users to choose for which service their data are combined
• should adapt the tools that its various data combinations remain limited to the authorized purposes, e.g. by differentiating the tools used for security and those used for advertising
• should avoid an excessive collection of data.

So what’s wrong with Google’s Privacy Policy?

At the heart of Google’s problems is its Privacy Policy, and it is quite easy to see why there are issues. For example, just compare one basic definition:

Google definition of “Personal information”. This is “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google.

UK Act definition of “personal data”. This "means data which relate to a living individual who can be identified:- (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller…”

Now suppose Google has collected an IP address. To satisfy its definition of personal information, that IP address requires identification of an individual from “other data which can be reasonably linked to such information by Google”. By contrast, the Data Protection Act requires merely that the identification information to be “in the possession” of Google (i.e. there is no requirement to “reasonably link” the identifying information with the IP address as per the Google definition).

Note also that the UK definition merely requires the identification information to be “likely to come into the possession” of Google. By contrast again Google’s definition needs the data to be under Google’s control and an actual linkage to the specific individual.

It now can be seen, that the Google definition is far narrower than the 1998 Data Protection Act. How then does the UK’s Information Commissioner know that Google has complied with that Act, if Google does not provide the details such as those requested by the CNIL?

In practice, I think the Google definition is very close to that found in the Data Protection Act 1984 repealed by the 1998 Act (this required the processing of personal data had to be “by reference to the data subject”). In my view, the definition that Google uses in its Privacy Policy is nearly three decades out of date.

Finally there are questions of the scope of Google’s Privacy Policy. Its web-site says that it applies to “Information that you give us (for example, “many of our services require you to sign up for a Google Account”) or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”).  There is no reference to personal information obtained by Google from other sources or from the public domain; so the status of such personal information is unclear.

You can see now that Google’s Privacy Policy does indeed raise several legitimate questions as to what it means in the context of data protection legislation which uses different definitions. I think most responsible companies would answer these questions; failure to answer them merely serves to raise suspicion.

The “Starbucks Effect” (and the Boston Tea Party)

The press report that Google employs more than 1,300 people in London and Manchester, generates £2.5bn of UK sales and pays Corporation tax of £6 million or so. This latter figure implies its UK profits are of the order £30 million per year.

This crude analysis shows that Google is, in effect, another “Starbucks”. It generates hundreds of millions of pounds of revenues in the UK and pays disproportionately little Corporation Tax. Of course Google pay VAT and their UK employees their PAYE, but in general the public can now categorise Google as another large organisation evading their fair share of tax. The Prime Minister’s dictum that “we are all in this together” clearly excludes Google from the “we”.

It follows that when Google take the high moral ground in support for notions of freedom of speech, this does not extend to the facts that allow such speech to be informed in the context of its own tax affairs. In summary, any future public pronouncement by Google about “freedom” should be accompanied with a great deal of cynicism.

Then there is the unprecedented lobbying from USA companies like Google concerning the content of the Data Protection Regulation. The idea that corporate America can employ its financial muscle to influence Europe’s Parliamentary processes and laws should make everyone feel very uneasy. What do you think would happen if Europe’s corporate giants started lobbying the USA Senate about gun control or abortion or taxation? They would quickly be told where to go.

Indeed, Google’s involvement presents a historical curiosity. In 1773, the cry at the Boston Tea Party was "No taxation without representation".

Google’s version of this is: “Full representation without taxation".

References

CNIL’s Google links

1. http://www.cnil.fr/english/news-and-events/news/article/google-privacy-policy-six-european-data-protection-authorities-to-launch-coordinated-and-simultaneo/
2. http://www.cnil.fr/linstitution/actualite/article/article/googles-new-privacy-policy-incomplete-information-and-uncontrolled-combination-of-data-across-ser/
3. http://www.cnil.fr/linstitution/actualite/article/article/googles-privacy-policy-g29-ready-for-coordinated-enforcement-actions/

and LINKS at the bottom of the above pages.

Mrs Thatcher’s data protection legacy

Successive UK Governments have seen data protection more as a cost overhead to be minimised rather than as an essential protection for the individual in an electronic age. This view started with Mrs Thatcher’s first Government and has endured for over three decades.

During the 1970s, there were a number of White Papers and Reports starting with the Younger Report on Privacy (in 1972) and ending with the Lindop’s Report on Data Protection (December 1978). So when Mrs Thatcher came to power in May 1979, it is fair to say that data protection was an item on the agenda but following the “winter of discontent”, probably very close to “AOB”.

Lindop’s proposals were not well received at the time, especially by the Home Office which had responsibility for data protection policy as well as its traditional law enforcement areas (e.g. national security and policing). It is difficult to imagine now, but the Home Office whose main functions required the invasion of privacy had also the responsibility towards the policy that protected individual privacy. In this way, the Home Office was acting like a lothario who has been tasked to define a law of celibacy.

This conflict of interest was only resolved in the last decade with the establishment of the Ministry of Justice. However, it has to be recognised that the current Data Protection and Freedom of Information Acts were Home Office Bills when they were presented to Parliament over a decade ago. That perhaps explains why there are generous exemptions for, yes you have guessed it, law enforcement, national security and policing.

Lindop called for statutory codes of practice produced by an independent data protection authority which would balance the needs for organisations to process personal data and the privacy of data subjects. Embedded in Lindop’s Codes were the rights of data subjects and the application of the various data protection principles, set in the context of the organisation’s processing purpose.

Lindop identified the need for about 40 Codes (e.g. for purposes such as employment, marketing and banking) and the current statutory Code of Practice on data sharing roughly provides an example of what Lindop had in mind. The text of the Code would be drafted by the Data Protection Authority to ensure that any balance between conflicting priorities was independently set.

Even the police and security services would be subject to a code of practice and be independently supervised. When you remember that 1979 was an era when there were no regulators in these areas, Lindop’s suggestion were too far ahead of their time to be universally accepted.

So in 1979, on the back of all the problems faced by the country, Mrs Thatcher was being asked to establish a large Quango which could produce statutory codes of practice that set the personal data processing rules for Government Departments, the police, security services and all businesses.  The result? Lindop was speedily shelved.

However in 1981, the Council of Europe Convention No. 108 became active and the risk was that if the UK did not have any data protection legislation, countries that had ratified the Convention would prohibit the transfer of personal data to countries that had not. This meant that, without data protection legislation in the UK, personal data could be lawfully withheld from the City of London’s vital financial centres.

A rumour current at the time was that the Department of Trade and Industry was so concerned that it had rushed a memo to Number 10. To get Mrs T’s attention, it started off with the words “Do you know what those French and Germans are planning to do next?”.

This is the start of the process whereby Governments saw data protection legislation as being needed to protect the interests of free-trade. If the UK had a data protection law that just met its international obligations, then that would be problem solved;  “maintaining privacy” was not an issue on anyone’s political agenda. (As an aside, I would identify the implementation of the Scottish Community Charge (Poll Tax) in 1989 as a significant turning point in this respect).

So in December 1982, the Home Office tabled a minimalistic Data Protection Bill that just satisfied the requirements of Convention No 108; it applied only to automatic processing of personal data. There was to be a central public register of all mainframe computers and details of the processing of personal data (e.g. purposes, sources, transfers, data items). The data protection principles only applied to registered organisations and were found in a Schedule towards the end of the Bill.

The regulator, known as the Data Protection Registrar, was given very few powers; there were no Monetary Penalty Notices, Information Notices, powers of audit or compliance agreements such as Undertakings. Criminal offences were linked to registration, compensation was limited to unauthorised disclosure of personal data or the processing of inaccurate personal data and there was a wide range of exemptions.

For example, in the Bill, the equivalent to the S.29 exemptions of the current Act (e.g. from the non-disclosure provisions and right of access if prejudicial to policing) extended to “the control of immigration” and removed the powers of the Regulator in relation to such disclosures. This meant that disclosures made by organisations that were Home Office responsibilities (e.g. police) were largely unfettered by any data protection concern.

This Bill was lost when the General Election was called, but it reappeared to be enacted as the Data Protection Act 1984. The 1984 Act lost the immigration clauses (which were removed because of a very effective campaign by Paul Sieghart) but included voluntary Codes of Practice.

Manual files containing personal information were excluded from the 1984 Act and there was a restrictive definition of personal data. Even word processing to produce the “text of documents” was excluded from the Act, as were data about intentions of an organisation towards an individual (e.g. “We intend to sack Fred Bloggs”).

For those of us working with the Data Protection Act 1984 within organisations, these weaknesses made data protection compliance a very difficult sell to management. Most of the personal information was in manual files and not subject to the Act. Non-registration was the key threat (an organisation could not process personal data without being registered) and subject access meant retrieval of information from the computer’s central databases. Non compliance wasn't a significant risk.

In summary, the minimalistic law that Mrs Thatcher had introduced meant that data protection was largely seen as needing low level administrative support: filling in (horrendous) 16 page registration forms per purpose and retrieving personal data from the mainframe.

It took a decade and the advent of Directive 95/46/EC for the main emphasis in the UK’s data protection regime to change from registration to the data protection principles. It took another decade and some lost disks to increase the risk factors associated with data protection non-compliance;  New Labour's surveillance state made individual privacy a political issue

Of course, when this Directive was implemented by the 1998 Act, Mrs Thatcher was long gone from office. But the attitude of her first Government, namely that trade and business needed to be protected from “expensive” data protection obligations has been the mantra she has passed to all subsequent Governments.

Indeed, if you listen carefully, you can still hear her words today in relation to the Government's attitude to the cost of the current Regulation.

Simple extension of ICO’s NHS audit powers are needed. Do you agree?

Just a brief blog about the proposals to extend the ICO’s audit powers to NHS bodies and how improved protection for data subjects can be obtained at minimal cost.

Amberhawk argues that if “unannounced” NHS data protection audits are to occur, then such audits should be extended to any department of a data controller who obtains health personal data from the NHS (e.g. research organisations; Local Authority Social Work Department).

This will enhance the protection for data subjects. In our view, there is little point in extending "unannounced" audit to NHS bodies, if widespread data sharing of health records occurs with non-NHS data controllers who are not subject to such an audit.

We also suggest the ICO should be able to recover some or all the costs of an audit, especially when an audit arises as a result of enforcement action (e.g. MPN) or an Undertaking. We do not see why scarce ICO resources that protect data subjects should be expended on errant data controllers who should know better. A cost recovery mechanism that can be used by the ICO as required allows those resources that protect data subjects to be replenished.

If you agree with some or all of these simple propositions, can I encourage you to complete the consultation exercise; there is a chance that the current limited suggestion can be significantly improved.

In further detail, the four improvements we suggest are as follows:

1. Audit powers should be extended to Local Authorities especially Social Work Departments which now have responsibilities for public health and joined up services with the NHS (in theory).

2. In general, if NHS bodies share health personal data, then those organisations (or parts of organisations) who obtain the health personal data should also be subject to audit. These organisations include research organisations and Universities. This step will help reassure data subjects that all health data originating from the NHS are subject to "on the spot audit" at any time, irrespective of the identity of the data controller.

3. The ICO should have the flexibility to recover some or all of the cost of all consensual and compulsory audits, especially when an audit follows a breach of a Principle or Right  (e.g. a reported data loss where there has been enforcement action or Undertaking signed by the data controller). If costs are not recovered, the resources of the ICO that are aimed at protecting data subjects are expended on errant data controllers that cause problems for data subjects. A contribution from those errant data controllers will help maintain the ICO's ability to protect data subjects.

4. The extension of powers to NHS bodies in Wales, NI and Scotland should be subject to approval of the respective devolved Parliaments

Of course, you can argue that the ICO's audit service should be free, but in general, I do not see a modest contribution made by the data controller to costs as being excessive.  It is also possible to link the cost recovery to size of data controller (e.g. those that pay £500 notification fee).

References
Submit your views: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices/consultation/intro/view
Consultation document widening the powers of audit to NHS bodies on: https://consult.justice.gov.uk/digital-communications/ico-assessment-notices

 

Data collected by Google’s drones for 3D StreetView service is compliant with European data protection law

Buried in three of the 250,000 diplomatic cables published two years ago by Wikileaks was an obscure reference to a curious purchase made by Google from the Pentagon. These cables record that Google has contracted to buy all surplus surveillance drones as the USA military withdraws from Afghanistan and Iraq.

These drones have been used to develop Google’s controversial StreetView service. Google’s idea is to have a drone electronically follow each StreetView CCTV camera car at a height of 50 metres. Instead of StreetView’s two dimensional presentations (which are very familiar), the idea is to capture three dimensional images using software developed by Google and California’s prestigious Institute of Technology (Caltech).

This software is being installed in Google’s Glass so that users can explore a 3-D representation of any street they choose to download; in effect users can imagine that they are standing in the actual street. As Google Glass users move their heads, they can see different street perspectives displayed in their headset.

The 3D StreetView Privacy Impact Assessment (PIA) appended to Google’s Privacy Policy, shows how it complies with European Data Protection laws. For instance, to ensure maximum transparency of data collection, the drones are to be repainted in wasp-like reflective yellow and black stripes and to be fitted with loudspeakers.

The Assessment recommends that the drones should not be silent and “should emit a suitable sound, something like the low frequency buzz of a Doodlebug” (a reference to the Nazi V1 flying bomb). Other suggestions for a sound is the continual emission of the Morse Code for Google to identify the data controller (“--.” : “---“ : “---“ : “--.” : “.-..” and “.”)

The PIA does not call its drones, “GoogleBugs” but I am sure that this name is likely to catch on as Google develops its drone functionality. However, the PIA does recommend that the drone’s facility to intercept satellite communications is switched off “to avoid issues similar to the capture of WiFi logon-details by StreeView camera cars”.

The PIA deals with the inadvertent capturing of 3D images of adults engaging in nude sunbathing etc in back gardens. The PIA says that applying the usual blurring algorithm to just the face of a sunbather (as currently happens with Streetview) “risks leaving other body parts exposed, in full 3D”.

As an aside, it is interesting to note that some modern Google marketing executives wanted to develop the alliterative effect of the “repetitive g”, and call Google Glass,  “Google Goggles”. However, this would inevitably lead to the new virtual 3D service being known a “Oggling”, and users of Google Goggles become known as “Ogglers”. I can’t be sure, but this probably explains why Google Glass emerged as the preferred name.

Other potential privacy issues are dismissed on grounds that unlawful activity is being unmasked. For instance “addresses where grandparents have been reported missing to the police” and “where gardens at these addresses clearly contain areas which have recently been dug over”. Similarly, local authorities can explore the dimensions of extensions at the back of houses to check that planning rules are not violated.

However, security companies wanting to sell security products to householders would need prior consent of each householder. The PIA notes that 3D StreetView would “revive the services offered by this failing sector as burglars are likely to become users of the 3D system”. To protect Google’s image, the PIA suggests voluntary disclosure of IP addresses to the police “whenever a request relates to breaking and entering”.

Finally, the PIA confirms that drones do not collect information in a way that requires any change to Google’s Privacy Policy. This is because the Policy does not apply; as the drones only collect information that is already in the public domain, there are no privacy issues that need a change of policy.

In further detail, Google’s Privacy Policy applies only to “Information that you give us (for example, “many of our services require you to sign up for a Google Account”) or “Information that we get from your use of our services” (for example, when you visit a website that uses our advertising services”).

So clearly, it does not apply in circumstances where the drone is used.

References
Wikileaks http://wikileaks.org/cablegate.html
Google Press releases: http://www.google.co.uk/press/
Google’s Goggles: http://www.google.co.uk/mobile/goggles/#text
Google Privacy Policy: http://www.google.com/help/maps/streetview/privacy.html