ICO decides that European Commission’s criticism of the Data Protection Act should be published

Just a brief note on my pet obsession; should data controllers and data subjects in the UK know why the European Commission claims that the Data Protection Act 1998 is a defective implementation of Directive 95/46/EC? The good news is that I have obtained a Decision Notice that requires some of the full details to be provided to me; the bad news is that the Government has 35 days to appeal.

I should explain why I think the Government are treating this subject as if I had asked for some state secret which makes one vulnerable to extraordinary rendition. The main exemption used is section 27 (prejudice to international relations) which on the face of it appears laughable; I don’t think anything about data protection will cause any international rumpus or the withdrawal of ambassadors. But this is what is being argued – so why?

Underpinning the requested information is a threat of infraction proceedings against the UK; these have been pending since Durant (another obsession!) in 2003. I have had to argue that the threat of infraction proceedings is very limited (after 9 years of inaction by the Commission, they are hardly going to embark on legal proceedings given the Regulation); but it is this threat of infraction that explains why the UK/Commission FOI shutters are firmly closed.

Infraction proceedings are considered when any Member State has not implemented a Directive (i.e. any Directive of which there is a great number). Thanks to the case of Petrie (Case T-191/99 Petrie and Others v Commission [2001] ECR II-3677), a case determined by the European Court of Justice over a decade ago, details of infraction proceedings are not published because of confidentiality concerns and the risk to legal proceedings.

This has resulted in very little information being released. For instance, Guardian Journalist, Rob Edwards, tried to get some very limited details about infractions but anything substantial was rebutted on Petrie grounds (see Decision 196/2007 Mr Rob Edwards and the Scottish Ministers).

The Petrie decision is used by the European Commission to justify not providing details about any infraction proceeding; in many instances Member States are also not keen for these details to be published. The result is a hermetically sealed system where nothing about infraction proceedings is published and what is given out is done so grudgingly – even to national Parliaments. The only relaxation is when the Commission or Member State decides it is in their interest to provide details. And this is about ANY DIRECTIVE.

So do you think the public or national Parliaments should know why infraction proceedings are occurring? The European Ombudsman thinks so; that is why he supported my case to extract a very minimal information from the European Commission. This took four years, believe it or not (see references)! If it wasn’t for the Ombudsman, there would be nothing.

However, like a hole in a dam, the breach is widening. My FOI request is now a significant chink the Petrie position. For the first time, there is a prospect of significant details of the information underpinning infraction proceedings being published in the absence of any approval or agreement from the Commission and European Government.

This argument can be applied to any Directive. That is why the “obsessive” battle is important; it also explains why I am expecting an Appeal.

References

The Decision Notice:Download FS50411133_for blog May 2012

If you want summary details of why the European Commission thinks the UK Act is defective see:

http://amberhawk.typepad.com/amberhawk/2011/02/european-commission-explains-why-uks-data-protection-act-is-deficient.html  (Commission’s view; this took 4 years)

http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html (UK summary of the Commission’s view – more substantial; released because the Commission released details)

The following reference relates to the reply that the Government has made to the Commission (this information is still “top secret”): http://amberhawk.typepad.com/amberhawk/2011/10/what-is-wrong-with-the-data-protection-act-foi-infraction-saga-hits-the-buffers.html

 

Fines for non-registration with the police? Reforms permit enhanced secondary use of electoral rolls.

Should you be fined if you failed to register with the local police, the national security agencies, any Government Department or a Credit Reference Agency? Should the national security agencies, for instance, be entitled to create a population register, the core of which could be similar to that of associated with the ill-fated ID Card (much beloved by the previous Government)?

Surprised by these questions? Both these outcomes are possible, courtesy of the Electoral Registration and Administration Bill just published following last week’s Queen’s Speech.

This Bill allows for individual electoral registration; this means that each elector must apply individually to be registered to vote. To ensure that all voters are registered, the Bill permits extensive data matching powers to verify applications, to check existing entries in electoral registers against other sources of data, and to hunt for individuals who do not currently appear on the electoral roll.

Also like registration for an ID Card, there will be a civil penalty for those who fail to make an application when required to do so by an Electoral Registration Officer (“ERO”). This continues the compulsion under the current law which makes it an offence if an individual fails to provide information to an ERO when asked.

The details provided on such registers are usually the voter’s name, address, nationality and age; however the associated Privacy Impact Assessment adds that the register will need to have access to Nationality (plus immigration status where appropriate), NINO and previous and/or alternative address. All these details formed core elements of the ID Card’s database (the National Identity Register or NIR).

Each full register is updated every month and published once a year. Like the ill-fated NIR, the full register can be used for several purposes: there is the obvious electoral purpose, a prevention and detection of crime purpose, a safeguarding national security purpose and a purpose related to checking the identities of individuals who have applied for financial services.

Each full register can also be sold to any government department for its purpose, it can be used for vetting job applicants and employees if this is required by law, and by credit reference agencies. The selling price for a full register is about £15 per 1,000 names so a 100,000 constituency will cost about £1,500 (for details see references). The Bill does not propose a central database of voters, but clearly this has not stopped the collection of a comprehensive set of electoral rolls (e.g. by the credit reference industry).

Despite an obligation to inform the ERO (and thence several state institutions) of your name, address and age (when asked), the Explanatory Notes accompanying the Bill plays down concerns over Article 8 and the obligation to respect private and family life. The Notes explain:

“The operation of the provisions in the Bill involves the processing of individuals’ personal information and therefore arguably engages Article 8 ECHR” (my emphasis on arguably).  The Notes then add “The question of compatibility with Article 8 will, therefore, depend to an extent on the way in which the new system is implemented”. (As we shall see, the implementation is by wide ranging, unfettered, exercise of power by the Secretary of State).

The claim that Article 8 is not engaged arises because:

a. it is necessary for EROs to ensure that only those individuals who are entitled to be registered to vote are included on the register and to reduce voter fraud;

b. all secondary uses (e.g. prevention of crime) are exclusions in Article 8(2) of the Human Rights Act; and

c. a challenge to the current scheme for the disclosure and use of the electoral register was found to be a “very modest” interference with the right to vote (and if challenged, is likely to fall within the margin of appreciation associated with Article 8; see R (Robertson) v Secretary of State [2003] EWHC 1760 (Admin)).

Now I turn to the powers of the Secretary of State in the Bill (and can you remember that what the ERO puts on an electoral register potentially goes to everybody allowed a copy of the full register e.g. police, credit reference agencies etc). The powers can be used to permit any ERO:

(a) to verify information relating to a person who is registered or who is named in an application for registration, or alteration of, an entry in a register (note that such verification includes checking with other sources of information held by other persons);

(b) to ascertain the names and addresses of people who are not registered but who are entitled to be registered (note that this is a “hunt the errant voter” provision possibly by data matching from such sources identified above), or

(c) to identify those people who are registered but who are not entitled to be registered (perhaps doing checks with the immigration service – who knows!).

The Secretary of State’s powers may also authorise “comparisons” (i.e. more data matching) with other information and allow the “conferring of other functions on a person” (this should make the processing undertaken by the other person, legitimate in terms of Schedule 2 of the DPA) and authorise the Secretary of State to make grants to a person on whom functions are conferred (this means the tax payer pays for the pleasure).

The idea behind the above is, for example, to set up a system whereby information provided with applications for registration and information held by specified public authorities are passed to say another person for comparison, with the results passed back to EROs for registration. The Audit Commission (or its replacement when abolished) springs to mind with its considerable data matching experience countering Local Government benefit fraud.

The powers can also minimise the impact or protection afforded by the Data Protection Principles; they can:

a. authorise “a person to disclose or otherwise process information only in accordance with an agreement” (i.e. this makes the data sharing lawful,  provides a Schedule 2 ground but the processing may have to be in accordance with a data sharing protocol);

b. authorise or require “a person to disclose or otherwise process information only in accordance with requirements imposed by the Secretary of State” (i.e. allows the Secretary of State to mandate such disclosures in the absence of an agreement; any disclosure becomes lawful in terms of the First, Second and Seventh Principles);

c. require “the retention or disposal, or otherwise regulating the processing, of information disclosed” (i.e. this can legitimise retention criteria that are more extensive that the minimum retention criteria that would be established by Fifth Data Protection Principle).

Now take a big breath as we are not finished discussing powers. Are you ready? There is also a power so that “Provision made under this paragraph (e.g. to require disclosure or data sharing) has effect despite any statutory or other restriction on the disclosure of information”! No comment except to say “overkill to the power of a million”.

The only safeguard re exercise of these powers is that the “Secretary of State must consult any relevant person” (e.g.  the Electoral Commission, the Information Commissioner). Note that what this really means that the Secretary of State is free to ignore what either Commissioner says; the obligation only is to “consult”.

The degree of compulsion that will be placed on voters to register under the new arrangements is yet an unknown quantity; however, the current position was set out in an answer to a PQ six months ago. Mr Clegg, Deputy PM, wrote that:

“It is currently not compulsory to be registered to vote and this will not change under the Government’s individual electoral registration (IER) proposals. It is an offence at present for anyone not to provide information when required to do so by an electoral registration officer (ERO), for example, in response to the household canvass form. The Government propose to retain this offence under the new system, however, it is not proposed to create a new offence for an individual failing to respond to an invitation to register. We believe that the act of registering is one of personal responsibility, and as such there should be no compulsion for an individual to make an application to register to vote”. (Hansard, 17 Oct 2011 : Column 714W).

To be fair to EROs, they have not pursued many prosecutions and I have only seen the odd one or two over the last decade. However, the fining regime that involves civil penalties could be completely different as there appears to be a shift in enforcement power: fining policy is in the hands of the Secretary of State and not in the hands of an ERO (as in the case or prosecution). All the Bill vaguely says is that “The procedure for imposing a civil penalty on a person is to be set out in regulations”; it outlines an appeals process but does not define the amount of the penalty.

If these civil penalty regulations are used to implement an combative approach to enforce voter registration, then you almost turn the clock back to the ID Card situation where failure to register on the NIR attracted a penalty, and entitlement for services depended on the existence of an entry in the NIR. Under an aggressive penalty regime, for instance, those in receipt of a benefit or driving licence or paying tax could be “reminded” by the relevant government department that they are not on the local electoral register, and be told that the local ERO “has been informed”. I think you can follow the rest of the logic by yourself!

The Government intend that the number of such organisations that can have copies of the individual voter registers are not really part of the discussion; this is because the wide powers of the Secretary of State, found in Schedule 2 (para 10B) of Representation of the People Act 1983, are being enhanced and strengthened (and not questioned! - even by the published PIA).

Under the 1983 Act provisions, the Secretary of State can continue to authorise or require an ERO “to supply to such persons as may be prescribed copies of the full register and other documents, or prescribed parts of them, whether free of charge or on payment of a prescribed fee”; the Secretary of State can also continue to define the secondary purposes for which the information contained in the registers may be used.

In other words, the Secretary of State has complete control over use, content and disclosure from all electoral registers and the Secretary of State has untrammelled powers to deliver any outcome the Government wants. All these powers exercised by Statutory Instruments which usually get little or no scrutiny; this is very redolent of New Labour’s surveillance state legislation.

The real issue is of course, is whether Electoral Rolls should be used for these wider purposes; and of course there are arguments either way on this score. In my view, the primary purpose of the Electoral Roll is to encourage voters to engage with the democratic process; having an infrastructure of wide ranging data sharing powers so that recalcitrant voters can be issued civil penalties will discourage such political engagement. Far better, I suggest, is to make the institution of Parliament more in tune or responsive with the needs of the voters; what we have with majority Governments is a Parliament that usually offers a degree of scrutiny at the level of a rubber stamp.

Such penalties do make more sense if the objective is to populate the databases of the police, credit reference agencies, other Government Departments and the national security agencies etc etc; this is especially the case when the improved accuracy of individual voter registers become available.  So, in summary, I can see in about five years time (when this Bill is settled in), there will be increased pressure for even further wider use of electoral rolls by different bodies.

Those of you with memories of the National Identity Register will remember that the NIR was to be used for a Population Register, accessible to all public authorities. Remember that NIR was supported by wide ranging disclosure powers for the Secretary of State, a strict eligibility criteria of registration, and strident civil penalties for refusenicks.

Now consider the new system of voter registration and that pinnacle of inductive reasoning: “if it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck”.

And now you know where I am coming from!

References

Explanatory Notes on the Electoral Registration and Administration Bill: from http://www.publications.parliament.uk/pa/bills/cbill/2012-2013/0006/en/13006en.htm

The Electoral Registration and Administration Bill itself: http://services.parliament.uk/bills/2012-13/electoralregistrationandadministration.html

Privacy Impact Assessment (which amazingly does not consider any of the legislative issues raised here) https://update.cabinetoffice.gov.uk/sites/default/files/resources/Privacy-Impact-Assessment-090512.pdf.

Download background details of the supply and sale of the Electoral Roll (Parliamentary Paper):Download Electoral roll document_for blog May2012

 

Is the Surveillance State being resurrected? Assessing whether privacy is protected when surveillance policy is developed

April is becoming a month of resurrections. The last blog referred to the Members of an Information Rights Tribunal resurrecting the corpse of Durant which then bit them; they were thus turned into zombies and issued a Decision that I will politely call “provocative and novel”.

Last month Theresa May resurrected the data retention ambitions of GCHQ so that all contact details, dates and times of all electronic communications between all individuals in the UK are retained for a year or so and captured in real-time (the electronic communication can be in any format - email, social network, VOIP).

Now Francis Maude appears to have resurrected the data sharing ambitions of the previous Government, quoting Thomas Walport as justification. In a speech on 6th February, he said that he had established a Taskforce that “is committed to removing barriers to sharing information and it is prepared to recommend changes to legislation where there are unnecessary legal barriers”.

Somewhere down the line, Mr Maud appears to have formed a different view of Thomas Walport which concluded on page 2 (of a 200 page report) that:

“There can be no formulaic answer as to whether or not it is appropriate to share personal information. The legal context for the sharing of personal information is encompassed by the common law, the European Union Data Protection Directive, the Data Protection Act and the Human Rights Act. We have found that in the vast majority of cases, the law itself does not provide a barrier to the sharing of personal data” (my emphasis).

So I have decided that it is time to do some resurrecting of my own.

Four years ago, I became fed up of New Labour Ministers saying stuff like: “Don’t panic! Privacy is safeguarded in the ID Card system, Childrens' database etc etc as the Data Protection Act applies”.

I decided to set out formally why reliance on the current framework of data protection or human rights legislation, or on the current regulatory regime would not and could not protect privacy. This is still the case if the Government’s current plans go-ahead.

I developed a set of Principles that were to be used to assess whether individual privacy is comprehensively considered/protected whenever surveillance policy is developed by Government. These Principles can be applied to surveillance in the UK to identify the structural improvements that could create an effective balance between the citizen and the state.

These Principles have little to do with a Privacy Impact Assessment (PIA) which is focused on ensuring compliance with the existing framework of law. What I was showing was that a PIA  is irrelevant as it looks at HOW to make sure that surveillance is complaint with the existing law; PIA does not really consider WHETHER  some surveillance activity should be made lawful in the first place. The difference is that a PIA largely applies "post-legislation"; my Principles are definitely "pre-legislation". They are a guide to the process of scrutiny.

For completeness these Principles are:

Principle 1: THE JUSTIFICATION PRINCIPLE: Information relating to any legislation or policy that involves surveillance (or extension to an existing surveillance policy) is provided so an assessment can be made to ensure that the surveillance can be justified in terms of pressing social needs and measurable outcomes; this information is provided prior to the approval of legislation or policy.

Principle 2: THE APPROVAL PRINCIPLE: Any surveillance is limited to lawful purposes defined in legislation where such legislation has been thoroughly scrutinised by a fully informed Parliament and, where appropriate, informed public debate has taken place.

Principle 3: THE SEPARATION PRINCIPLE:  Procedures which authorise or legitimise a surveillance activity are separate from procedures related to the actual surveillance itself; the more invasive the surveillance, the wider the degree of separation.

Principle 4: THE ADHERENCE PRINCIPLE:  Procedures which authorise a surveillance activity are professionally managed and audited; staff involved in a surveillance activity are fully trained to follow relevant procedures and that such training is assessed if appropriate; any malfeasance in relation to a surveillance activity can be identified and individuals concerned suitably punished.

Principle 5: THE REPORTING PRINCIPLE: A Regulator shall determine what records, including statistical records, are retained and maintained concerning a surveillance activity, in order to ensure transparency and accountability to the Regulator, to the public and to Parliament.

Principle 6: THE INDEPENDENT SUPERVISION PRINCIPLE: The system of supervision for a surveillance activity is independent of Government, well financed, and has effective powers of investigation and can delve into operational matters.

Principle 7: THE PRIVACY PRINCIPLE: Individuals should be granted a right to privacy of personal data, via data protection legislation, which can be enforced by a Data Protection Commissioner, and should possess a much simpler right to object to the processing of personal data in appropriate circumstances.

Principle 8: THE COMPENSATION PRINCIPLE: An individual should obtain compensation if a surveillance activity has caused damage, distress or detriment that proves to be unjustified.

Principle 9: THE UNACCEPTABILITY PRINCIPLE :If the  other Principles cannot be complied with in relation to a surveillance activity then within a reasonable time:

(a) the activity ceases; or
(b) alternative steps are taken to bring the activity into conformity with the other Principles; or
(c) Parliament or a Parliamentary Committee approves the non-compliance with the relevant Principle.

So, if for example, the Government wants to propose legislation so that personal data between Department X and Department Y are shared (or to capture more communications data),  you can use these Principles to assess whether the policy  or legislation and the degree of interference with privacy:

• is justified in terms of pressing social need;
• is properly scrutinised by Parliament;
• is subject to a rigorous approval process and separation of powers;
• is supported by rigorous procedures that can be independently audited by an independent regulator who can investigate fully and require certain records to be kept and require changes of procedure or even halt the processing;
• is protected by Article 8 of the Human Rights Act;
• is subject to compensation when things go wrong, and
• is subject to the above rules at all times.

In other words, these Principles provide a means of exploring possible deficiencies in information law governance when Parliament's is scrutinising the executive's proposals. They will allow you to make your own conclusion as to where the Government are leaving privacy loopholes and whether promises made by Ministers are worth the paper they are written on. They also identify where policy and legislation needs to be strengthened.

Health warning: if you apply them to some of the stuff the European Commission has agreed (e.g. USA-EU PNR)  you get a migraine.

References

Download my analysis of why data protection cannot protect privacy when Government legislate and more details of the Principles specified above. Download Assess surveillance principles

Thomas Walport can be obtained here: Download Thomas Walport DataSharingReview2008

Francis Maude Speech promising more data sharing on http://www.cabinetoffice.gov.uk/news/francis-maude-speech-tackling-financial-loss-government-fraud-error-debt.

Google’s Privacy Policy: incoherent and does not meet the standards of the USA’s own Safe Harbor Principles

Google’s new combined Privacy Policy (March 2012) has been widely criticised by privacy professionals and Data Protection Authorities (in particular the CNIL – the French Data Protection Authority). However the reasons for this criticism have been made in general terms; the analysis I have published (see references) provides a detailed explanation.

The analysis shows that Google’s Privacy Policy is incoherent because it uses overlapping terms. This makes the Policy difficult to follow or to understand what type of information the Policy is claiming to protect. It cannot be fair to users if they cannot easily understand what the Policy means for them. The Policy is also unfair in conventional terms as it does not, in many instances, fully describe the purposes of the processing. I identify these areas in the analysis.

Secondly, my analysis also supports the claim of the CNIL that the Privacy Policy is in breach of the Data Protection Directive. However, I also show that the Policy is in breach of the USA’s Safe Harbor Principles. As the Privacy Policy states that “Google complies with the US-EU Safe Harbour Framework”,  I show that this claim cannot be substantiated if Google’s new Privacy Policy is implemented.

Why contradictory and confusing?

The Privacy Policy uses a wide range of similar terms in different circumstances which I think are contradictory. For example, it uses the following terms: “information”, “personal information”, “personal data”, “data”, “non-personally identifiable information", “personally identifiable information”, “sensitive personal information", and "other information that identifies you". Are these terms talking about the same thing?  Put simply, the reader doesn’t know for certain.

So when one part of the Policy offers protection for “personal information”, another offers protection for “personal data”, another for “personally identifiable information” and yet another for "other information that identifies you" is the Policy referring to the same type of information or not? Answers on a post-card to Google.

This is not the only problem as sometimes the Policy uses a qualifier (e.g. “log information” or “location information”). "Log information" by the way are the "details of how you used our service, such as your search queries" whilst "location information" which is "information about your actual location". (My emphasis on you and your).

Can we have a quick quiz? Can you tell me whether “information” about your use or your location is “non-personally identifiable information” or “personal information”? My own view is that, because the Policy uses the word “information” to describe logs and locations, that Google thinks it to be the former, but I suspect you think it could well be the latter.

Confused? You can now safely join the ranks of those who do not know what Google’s Privacy Policy means in practice.

Why in breach of the Directive and Safe Harbor?

The CNIL has claimed that, at first reading, Google’s Privacy Policy is in breach of the Directive, a claim so far not accepted by Google. As the Directive is the legislation mentioned expressly in the Safe Harbor Framework, I have checked whether Google’s Privacy Policy is consistent with the terms of that Framework.

There are demonstrable areas where Google’s Privacy Policy is inconsistent with the Safe Harbor Principles (see Appendix 1); it follows that it is inconsistent with the Directive. These areas include the following:

1. Safe Harbor requires acceptance of the EU Directive definition of “personal data” – Google’s Privacy Policy uses a definition which is close to that used by the old UK’s Data Protection Act 1984 (and ignores the Directive definition of personal data completely).

2. Safe Harbor requires acceptance of the EU Directive definition of sensitive personal data – Google’s Privacy Policy does not include all items of sensitive personal data identified in the Directive.

3. Safe Harbor requires acceptance of the right of access to personal data – Google’s Privacy Policy includes some administrative exemptions from the right of access to personal data that are not authorised by Safe Harbor.

4. The confusion in the Privacy Policy does not meet the Safe Harbor requirement for clarity; there are several places where the purposes of the processing are not fully described by the Policy.

5. Google’s co-operation with data protection authorities specified in the Privacy Policy relates only to the transfer of personal data; Safe Harbor requires co-operation across the whole Framework.

Concluding comment

Everybody uses Google because its services are free and very useful. However, because they are “free”, it does not mean that Google can take the privacy of its users for granted in order to maximise profit. The Privacy Policy, I am afraid to say, is incoherent, unclear, and likely lead to breaches of data protection legislation. In my view, the Policy needs a major overhaul.

Secondly, I don’t think Google (and other USA corporations, I have to say) have quite “got it” in the context of the messages coming out of the Leveson Inquiry. Google has not understood that a large multinational communications company, headed by the Murdochs, is in trouble not because it invaded the privacy of celebrities, but because it invaded the privacy of ordinary individuals. Google’s meat and drink is the processing of personal data and data relating to millions of ordinary citizens.

The Murdochs thought they were so large and powerful  that they were invincible; so does Google. The Murdochs thought they were above the law; so does Google. By ignoring basic data protection laws and rules in the way described in its Policy, even those agreements established in the USA, Google is taking some unnecessary risks.

References

Follow the link to down load the analysis in Word (which includes Google’s Policy, the related FAQs and the Safe Harbor Framework) Download Google_privacy_docs .

 

Enforced Subject Access to medical data raises its ugly head in the insurance industry

There is a dispute between the British Medical Association and the insurance industry over payments for GP medical reports concerning the health of claimants and the underwriting of insurance. The result is that some insurance providers (e.g. Legal and General) are resorting to a variant of enforced subject access.

This trend is likely to continue, especially if Government plans to provide patients with on-line access to their own health records come to fruition. I can see many organisations being tempted to ask patients to provide a “looksy-peepsy” – with consent of course! And why limit this kind of procedure to medical records – why not online banking records etc?

In short, this issue is serious – and like most serious issues to do with data protection, there is a record of Government inaction that stretches out for more than two decades.

The history of enforced subject access

Enforced subject access is the technique used by employers to obtain copies of criminal record data about employees or prospective employees when they don’t have legal authority to obtain these details from the Criminal Record Bureau (CRB).  Under section 56 of the Data Protection Act,  the enforced subject access procedure is an offence.

However, the offence is dependent on the CRB being able to provide a “Basic Check” (or a “criminal conviction certificate” to use the Police Act 1997 terminology) to applicants (usually the data subject). For whatever reasons, the CRB have been unable to deliver this service.

Section 75(3) of the Data Protection Act states that section 56 (i.e. the enforced subject access offence) does not come into effect until the “criminal conviction certificate”, the “criminal record certificates” and the “enhanced criminal record certificates” are all available. As the CRB only provide the two criminal record certificates (i.e. they do not provide the “criminal conviction certificate”), the offence has never been commenced.

Government has refused to change this law. Statutory protection has thus been removed from data subjects for 15 years:– more if you consider that enforced subject access was first raised as a serious problem needing urgent Government attention by Eric Howe, the First Data Protection Registrar, in the early 1990’s – more than two decades ago.

The Information Commissioner has already told the Government that it has an opportunity in its Freedoms Bill to do something about the problem – wishful thinking (see references). And you know those infraction proceedings with the European Commission, I always go on (and on and on) about. Well the European Commission explicitly mentioned the absence of the enforced subject access offence in connection with health personal data and employment was a deficiency in the UK’s implementation of Directive 95/46/EC via the Data Protection Act (see references also).

I must admit, that until now, I was under the impression that medical records were subject to the same provisions as criminal records, but looking at the detail of Section 57 of the DPA, this impression is incorrect. Section 57 only deals with “Avoidance of certain contractual terms relating to health records” and merely states that in the context of a contract requiring a data subject to use his subject access rights to obtain medical records that: “Any term or condition of a contract is void”.

Note that this provision is very weak and affords hardly any protection to data subjects; it requires an explicit contractual provision AND it is not an offence. So if the insurer were to ask an applicant to use his subject access rights (i.e. it is not an explicit “condition of a contract”) then there is no prohibition. This is why I call the Medical Record SAR procedure a variant of the enforced subject access (SAR) procedure.

The variant of enforced subject access as used by the insurance industry

Mr. Russ Whitworth (see references), underwriting and claims director at Legal & General (L&G), has told the insurance trade press the attractions of the SAR approach. Noteworthy quotes include:

• "We're doing this to make us more attractive from a customer proposition angle," he said.  (i.e. the procedure benefits the consumer because repudiation rate is lower because if the underwrites have everything, then “you're effectively indemnifying the customer from non-disclosure”);

• "This sometimes is inadvertent because of the questions which underwriters feel the need to ask, which can be quite tricky”, and

• "SARs have got a better return rate”.

According to L&G there is nothing different from usual GP Report mechanism. For instance Mr Whitworth is reported to have said: 

• "The customer doesn't have to do anything more than they do at the moment - which is just sign the consent form and be informed about what we're about to do,".

• "The agent doesn't need to do any more either", and

• In relation to any extra medical information, “the industry has been dealing with this for sometime already and that the customer suffers no detriment” and  in fact, “if any extra material is included that supports the client's case, this is used to adjust the underwriting accordingly”.

Mr Whitworth concludes his interview by saying "I see SARs as the future for L&G - whether others in the industry choose to follow, we'll see".

So can I first congratulate Mr Whitworth for projecting this “theoretically” unlawful SAR procedure as a form of altruism. I did not realise that the enforced subject access process helps customers, increases their claims payouts, and makes it easier for everybody concerned.

Perish my wicked thoughts that the procedure was installed to reduce costs, maximise profit and not to take on potentially uninsurable, loss-making customers. Oh how wrong you can be!

Potential breaches of data protection law

I also part company with L&G because I think its SAR procedure:

• quite simply, is ethically unacceptable (without considering any data protection issue);

• could result in the obtaining of personal data that are not necessary to be processed for the insurance purpose;  any personal data that are not relevant could constitute a breach the Third and Fifth Data Protection Principles;

• could breach the Sixth Principle on the grounds that the procedure does not respect the rights of data subjects granted under the Data Protection Act; these rights are to protect the data subject and not increase L&G’s profitability.

• could breach the Fourth Principle if inaccurate medical records are disclosed and used in an insurance decision;

• undermines the statutory Code of Practice on data sharing between Third Parties; and finally,

• the outcome of the procedure could be unfair to data subjects in breach of the First Data Protection Principle if the excessive personal data were used to deny insurance.

In addition, the SAR procedure undermines the protection, granted by Parliament to individuals in the Access to Medical Reports Act 1998. Arguably, the processing is unfair in First Principle terms as the SAR procedure ensures the data subject is denied the right:

• to withhold permission for the company to seek a medical report (that is, to refuse consent to the release of information);

• to have access to the medical report after completion by the doctor either before it is sent to the company or up to six months after it is sent;

• to instruct the doctor not to send the report after seeing the report before it is sent; and

• to request the amendment of inaccuracies in the report.

My own view? If there is a problem of some people fiddling health and insurance, you find a procedure to deal with that issue. If there is a dispute with the BMA over payments with respect to GP reports, you negotiate an agreement.

What you don’t do is resolve an insurance problem by undermining the rights of everybody in the UK following a procedure that, in the context of criminal records, should be a criminal offence.

References

The trade press on the enforced subject access procedures: http://www.ifaonline.co.uk/cover/feature/2144639/battling-progress-gprs-vs-sars/page/3#ixzz1n1M15umH

The altruism of Legal & General is described here: http://www.ifaonline.co.uk/cover/interview/2142714/interview-gs-russ-whitworth

Changing the law to protect data subject from enforced subject access has been suggested by the ICO in the Freedoms Bill: http://amberhawk.typepad.com/amberhawk/2011/03/ico-evidence-identifies-data-protection-concerns-over-freedoms-bill.html

The weakness in the law surrounding enforced subject access was identified by the European Commission as why the UK’s Data Protection Act is deficient: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

Advert

Our Update session on March 26th (London, £195+VAT; details on www.amberhawk.com has half a day devoted to the Regulation. As well as a guest speaker from the ICO on the Regulation, we have sessions on:
• What are changes in the definitions?
• What are changes in the Principles?
• What are changes in the Rights?
• What are changes in the Enforcement and other odds and ends?

EU Data Protection Regulation breaks explicit link with “privacy” and Human Rights.

The Data Protection Regulation intended to replace Directive 95/46/EC has broken the very explicit link to Article 8 of the European Convention of Human Rights. It has also replaced the “right to privacy” with “the right to the protection of personal data” (which I will shorten to the "right to data protection").

Article 1 of Directive 95/46/EC to be replaced, defines its purpose in these words: “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data” (my emphasis).

Recital 10 then amplifies what is meant by the “right to privacy”. It states that “... the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms”. Recital 11 then adds that “the right to privacy” in the Directive is intended to “give substance to and amplify those (provisions) contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data”.

Compare this position with the Regulation which does not use the word “privacy” (except in the context of “privacy by design” or “data loss”). In the Regulation, there is no mention of the “right to privacy”,  no mention of Article 8 of the Human Rights Convention, nor the Council or Europe Convention No 108 (which drove most European States to have data protection legislation in the first place).

Is this decoupling deliberate? Answer has to be “yes”. Why is there decoupling?  So far, no reason has been given.

The “right to data protection” is found in Article 8 of the Charter of Fundamental Rights of the European Union (and Article 16(1) of “The Treaty on the Functioning of the European Union”). The three parts to Article 8 state:

1. “Everyone has the right to the protection of personal data concerning him or her”.

2. “Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

This reference replaces, I assume, the Human Rights Article 8 emphasis of the Directive which relates to a “Right to respect for private and family life". This Article states that:

“1. Everyone has the right to respect for his private and family life, his home and his correspondence.

2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

So what is worrying about “a right to data protection?”.

Well, I think the term doesn’t mean anything and if one “Google's” the term, it is clear nobody on the planet has published a view. Whereas there is a detailed literature, legal precedence and 100 year history of debate surrounding the term “privacy”, there has none surrounding “a right to data protection”. Yes, I know there are several different expressions of what “privacy” means in practice, and these have been compared, criticised and compared and still people argue. However, such involvement and debate is a far cry from a Regulation that relies on a right which is not even been defined or subject to any debate.

Without such debate, there is a great risk that the “right to data protection” will mean different things to different people. For example, individuals might see it as equivalent to “data privacy” (which clearly it is not, in my opinion) whereas data controllers might see it as just an expression that they have to comply with the law (which I suspect it is). If it is the latter, the "right to data protection" is a right that possesses the same characteristics as “a right not to be mugged or murdered”.

In fact, I would say that if the “right to data protection” means as little as “data controller compliance” then it is not a right at all. A general statement that “data controllers have to comply with the data protection regulation” would have the same effect (e.g. as in Section 4(4) of the Data Protection Act 1998). To promote "a data controller compliance concept" as “an individual right” is clearly misconceived.

In short, the “right to data protection” upon which this Regulation is to be based is currently a confused, ill-defined concept. This is not an auspicious beginning.

References

Our Update session on March 26th   (London, £195+VAT; details on www.amberhawk.com) has half a day devoted to the Regulation. As well as a guest speaker from the ICO on the Regulation, we have sessions on:

• What are changes in the definitions?
• What are changes in the Principles?
• What are changes in the Rights?
• What are changes in the Enforcement and other odds and ends?

Judgement reinforces the link between “lawful processing”, the First Data Protection Principle and human rights/other laws.

Belated Happy New Year, but we start 2012 with a report that has a lot in it. Stick with this judgement as, in summary, it states that:

(a) the term “lawful” processing in First Principle relates to that processing which is consistent with the application of any relevant law including law of confidence (the Information Commissioner is not keen to enforce “lawful processing”); I should add that the implications of “lawful processing” have yet to be applied to other Principles (e.g. to the Seventh Principle and security considerations);

(b) the purpose of the Data Protection Directive is to implement Article 8 of the Human Rights Act; so in theory, the Information Commissioner could consider “lawfulness” in terms of Article 8; and

(c) the Information Commissioner ignores the Lindqvist decision (see references) in his detailed commentary on the application of the domestic purpose exemption to personal data on a website; the Court says the Commissioner’s advice is inconsistent with the law.

The judgement concerns the “SolictorsFromHell” website (see references). The publisher (and data controller) of that web-site claimed that “under Article 10 of the European Convention on Human Rights, you have the right to freedom of speech and expression to voice your complaint! But it must accurate and truthful. You can complain here. RIGHT NOW! NAME and SHAME your OPPRESSOR Problem Solicitor? No need to register or even leave your name. Click on the link below and add them to our list of 'Solicitors from Hell'”.

Despite the plea for accuracy, the website collected a vast number of unattributable, unchecked allegations concerning named solicitors, some of which alleged activities of a salacious or criminal nature. In other words the personal data involved sensitive personal data; this probably explains why the publisher had also lost a number of previous libel cases and was bankrupt.

Three complainants (one of which was the Law Society) took up the cudgels against the publisher in order to stop the further processing of personal data. In an uncontested action, they argued that that the Data Controller (i.e. the publisher) had breached:

i) The First Data Protection Principle because the processing was unfair and there was no Schedule 2 condition to legitimise the processing (and in the case of some sensitive personal data no Schedule 3 condition). In the event, the Court concluded “None of the conditions in Schedule 2 of the DPA is met by the Defendant in respect of the processing of this data on the Website” and that “the Defendant has processed the said data in a grossly unfair and unlawful way”;

ii) The Fourth Data Protection Principle: that personal data shall be accurate and, where necessary, kept up to date. In the event, the Court concluded “the personal and sensitive personal data about the Third Claimant processed by the Defendant and published on the Website are false and accordingly wholly inaccurate”;

iii) The Sixth Data Protection Principle: that personal data shall be processed in accordance with the rights of data subjects under the Data Protection Act 1998; in particular the Defendant had ignored the exercise of the right to object to the processing of personal data. The Court agreed, and granted a notice under section 10(4) of the Act.

So that’s the case and outcome; now look at what the judge said re the First Principle (at para 78; my emphasis):

The reference to ‘lawfully’ in the First Data Protection Principle applies to any form of conduct that is unlawful, including breach of confidence, libel, and harassment. As Patten J said in Murray v Express Newspapers Ltd [2007] EWHC 1908 (Ch) [200] EMLR 22 at para [72]:

“It seems to me that the reference to lawfully in Schedule 1, Part 1 must be construed by reference to the current state of the law in particular in relation to the misuse of confidential information. The draftsman of the Act has not attempted to give the word any wider or special meaning and it is therefore necessary to apply to the processor of the personal data the same obligations of confidentiality as would otherwise apply but for the Act”

The Information Commissioner (ICO) is reluctant to deal with complaints of unlawful processing because they require him to understand how any piece of legislation defines what is lawful so that lawfulness under the Data Protection Act can be assessed. The ICO claims that he cannot be an expert in every law – and that is why, in some case, he prefers to deal with such cases in terms of “fair processing” issues (where the subject is purely a data protection issue).

His guidance makes this clear;  in the context of lawful processing, states that his office may not

“pursue allegations of breach of copyright (or any other law) as this would go beyond the remit of the Data Protection Act. Many areas of law are complex, and the ICO is not and cannot be expected to be expert in all of them” (my emphasis)”.

Despite these difficulties, unlawful processing has now, in these two judgements, been given a clean bill of health; data subjects clearly can ask for assessments whether or not such and such a processing is lawful (e.g. in terms of copyright, confidence and any other law) – and expect them to be considered in these terms.

Another possible consequence may be the inclusion of the Seventh Principle in cases were breaches of confidence involving personal data are the issue. This is clear from the text of the Principle which requires “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data....etc ” (my emphasis). So if a data controller failed to secure personal data of a confidential nature (e.g. loss of health personal data), then a breach of confidence can also be extended to include a Seventh Data Protection Principle breach.

Another “advance” in the judgment is the express linkage between Article 8 and Data Protection (a particular hobby-horse of mine – see references); I think it means that it is legitimate to ask the ICO for an assessment whether the processing is lawful in terms of Article 8. This is because the judge says (at para 97):

“...The purpose of the (Data Protection) Directive was to give effect in the context of data protection to the Art 8 rights of the ECHR (right to respect for private life). See Recitals (8) to (12). It is a privacy statute, although its scope is limited by a number of provisions, including the definition of data in s.1 and the application of the Act delimited in s.5”. (A big hurray from me!)

Lindqvist and blogging

The Information Commissioner’s analysis is panned I am afraid. He had argued that the “Solicitors from Hell” website fell within the “domestic purpose exemption”, and in a letter to one of the complainants, he explained this fact. The Court concluded that in the context of lawful processing:

“I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawful.” (para 100)

This is important as the relevant part of the Commissioner’s letter is clearly very wrong. It states (para 96):

 “The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this. (The s.36 exemption clearly did not anticipate individuals using third party websites to carry out their ‘personal’ processing).

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual.  This is not what my office is established to do.  This is particularly the case where other legal remedies are available – for example, the law of libel or incitement. ….

This analysis (and the Court’s conclusions by the way) ignores the case of Lindqvist (see references) where the European Court of Justice decided that in the context of the domestic purpose exemption:

"As regards the exception ... which concerns ... the processing of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, correspondence and the holding of records of addresses.

That exception must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. (paras 46 and 47 of Lindqvist)

This interpretation of the exemption should be binding in the UK context (but it was missed). It states that if personal data are published on a website then this processing CANNOT fall within the domestic purpose exemption. This in turn means that any argument re Freedom of Speech is simply not relevant.

This then focuses on those infraction proceedings where the European Commission has said the Data Protection Act is a deficient implementation of the Directive. One of the myriad of grounds claimed by the Commission is that “the inclusion of “recreational purposes” in the Data Protection Act which, in the Commission’s view appeared to be broader than household activities” (see references).

In other words, the Commissioner’s interpretation of the law with respect to websites could have been based on the Government’s incorrect implementation of the Data Protection Directive (the details of which been kept secret for seven years).

The result, if true, is serious: ALL data subjects (and not just the ones who had the time and money to take this action) have been denied the protection that the Act affords if personal data about them is published on websites; additionally they may have been denied proper access to the ICO to explore the data protection issues.

This in turn increases the importance of knowing the issues surrounding the UK Government’s approach to the implementation of the Directive. It also means the ICO should revisit his policy re "lawful" processing.

References

Load the Solicitors from Hell ([2011] EWHC 3185 (QB)) judgement here:Download Jan2012_solfromhel

Load Lindqvist (ECJ, Case C-101/01, 6 November 2003)  here: Download Jan2012_Lindqvist

Article 8 and the first data protection principle links are: “Information  Commissioner should enforce Article 8 privacy-rights”:
http://amberhawk.typepad.com/amberhawk/2010/04/information-commissioner-should-enforce-article-8-privacy-rights.html

Infraction proceedings link: http://amberhawk.typepad.com/amberhawk/2011/05/privacy-new-government-revelations-amplify-concerns-surrounding-deficiencies-in-uks-data-protection-.html

 

The Data Protection Officer's ABC

There is a folk tradition which involves ABC songs; the “Sailor’s ABC” and the “Socialist’s ABC” are perhaps the most notable. So to sing at parties or around the holiday log-fires, I offer an addition to the genre. It is called "The Data Protection Officer's ABC".

 

 When that I was a tiny, tiny boy, my daddy said to me;

"The time has come, me bonny, bonny bairn, to learn your ABC."

Now my daddy was a privacy man and had a data protection mind

So his ABC was different from the kindergarten kind.

 

He sang,

"A is for access to data; and the details we all can get back.

And B is the Blairite Government; it thinks FOIA is worse than Iraq!

C is for CCTV, installed so we can all be surveilled.

And D is for data of all kinds; even adult videos when played.

E is for excessive exemptions; which occur in all access regimes.

And F is for effing refusals; full access occurs only in dreams.

G is GCHQ; which intercepts e-mails to you.

And H is for horrid Home Office; it drafts laws so it’s easy to do.

I is for intelligence data; MI5 and 6 on our side.

And J is the judgement these spies make; it’s OK if you’ve nothing to hide.

K is for kind Kenneth Younger; his report on privacy was so good.

And L is for lovely Lord Leveson; his findings, I fear, will be dud.

M is for matching or mining of data; assumptions made with mouse clicks.

And N are the non-disclosure provisions; they get the details to coppers real quick.

O is for ongoing observation; and the cookies which catch us on-line.

And P is for privacy policy; pure lies most of the time.

Q is for queries and queuing;  understanding the law needs a sage.

And R is repetitive ringtones; as the Commissioner's helpline’s engaged.

S is for sources of data; who share secrets behind our backs.

And T is for the tabloid papers; and the telephones they like to hack.

U is for undervaluation; as DPO's pay is so poor.

And V is the salute that we’re given; when like Oliver, we ask for more.

W is for all written warrants; which stay lawful for quite a while.

And that’s why X, Y and Z, my old daddy said, will be found in a Special Branch file.

 

Now that I'm not a tiny, tiny boy, my daddy says to me,

'"Please try to forget the things I said, especially that ABC."

For daddy is no longer a privacy man, and he's had to change his plea.

His alphabet is different now …since they made him ….Home Secretary.

Comment

Please accept our warm wishes for the coming holiday; hopefully a time when we can erase all thoughts about economic doom and gloom. Hawktalk will be back in early January.

Reference

If you can think of other couplets or improvements, please post them as comments. The metre of the above ABC is that of the late Alex Glasgow’s Socialist’s ABC: http://www.youtube.com/watch?v=gqfz4-sMgak

 

EU/USA PNR Agreement: data protection is weak, proportionality not guaranteed, and obvious safeguards absent.

Did you see the recent press coverage extolling the virtues of latest European Union Agreement with the USA as to how Europe will exchange Passenger Name Records (PNR)? Much of the press coverage was highly favourable, highlighting additional privacy protections, shorter periods of data retention and thorough respect for data subject rights. All these assertions are somewhere between misleading and wrong.

Yesterday, the European Data Protection Supervisor (EDPS) entered the fray. His analysis (see references) concludes that: the 15-year retention period is excessive; the purposes should be limited to combating terrorism or a well defined list of transnational serious crimes; the list of data to be transferred to the USA is disproportionate; data subjects' rights are ineffective, and the Department of Homeland Security (DHS) should not transfer the data to other US authorities or third countries unless they guarantee an equivalent level of data protection.

Also yesterday, the USA Deputy Secretary of Homeland Security , Jane Holl Lute, signed the PNR Agreement and stated: "Today's signing of the new agreement on the transfer of Passenger Name Records (PNR) is a significant step forward in strengthening our cooperation with the EU to combat terrorism and transnational threats, while respecting our commitment to privacy and data protection. ..."

So who do you believe?

This is why in the last few days I have been admiring the text of this Agreement in detail and have prepared an annotated version which highlights several shortcomings.  This analysis confirms and provides the evidence that justifies the EDPS’s stance. I should add that the Agreement that I have read bears no relationship to the Agreement described in the official Press Releases and as reported in the press.

In summary these are the major issues I have identified:

1.    Proportionality is not an obligation; it is an aspiration. The Agreement does not stipulate that any data sharing has to be proportionate, even when there are transfers, made by the USA, to third countries or internally within the USA. There is a requirement to be “mindful” of data protection obligations but not “conform with” or “apply” them.

2.    The Agreement is being promoted to the public as an aid to prevent “serious transnational crime and terrorism”; however, the term “serious transnational crime” is not found in the Agreement other than in its preamble, nor is it a defined term. The Agreement also covers data sharing that is not related to crime nor terrorism.

3.    The retention period could be far longer than has been stated by the Commission. This arises because after 7 years of operation, the Agreement is renegotiated where “the necessity of a 10-year dormant period of retention will be considered”(see Article 8(6)) and the “consultations shall in particular examine whether any future EU PNR system would apply less stringent data protection standards than those provided for in the present Agreement” (see Article 20).  Get the gist! Although the text might say there is 10 year retention period, any renegotiation might add on a further 10 years.

4.    The data subject rights are very weak because they are limited to PNR data; most passengers will know how they paid for their flight, where they were going and when. In other words, most of the rights apply to personal data that passengers already know; these rights are rarely going to be exercised. Although there may be circumstances where the rights could be useful for data subjects, I contend that for the vast majority of data subjects, the PNR data will be of little (probably no) interest at all.

5.    Most of the data protection issues will reside in the other personal data (i.e. other than the PNR data). For example, suppose a name of flyer is shared with a known criminal etc and the authorities think the criminal is flying to the USA. It is when this kind of mix-up occurs, that the other personal data that needs correcting, updating etc.  Any damage to the data subject arises from the other information and not the PNR data – but the Agreement, as it relates to PNR data, does not relate to this other information. Nor does it state how this kind of issue will be resolved.

6.    There is no role for the data protection authority, not even an advisory one in the circumstances identified above. These bodies who have been established in Europe to protect the data subjects’ interests have been airbrushed out of the Agreement (even when there is a large personal data loss, a major privacy incident or when “rights of access and correction” go awry).  Even the provisions that describe the reviews of the data protection elements, do not give a role for any data protection authority.

7.    Reporting on how the Agreement works in practice, or assessing its privacy protection is undertaken by the parties who want to exchange the PNR data; there is no independent audit, no independent reporting, no requirement to keep statistics that would show that the Agreement is worthwhile. Any analysis runs the risk of being flawed, skewed, self-serving and lacking in credibility. At worst, it’s like asking Count Dracula (yes him again) to report on the effectiveness of the distribution of blood from a blood bank, where our blessed Count manages that blood bank.

8.    The press release associated with the Agreement does not even pass the threshold of being “economic with the truth”. If I am honest, it turns being “misleading by omission” into an art form. The Commission evidently also restricted Euro MPs from seeing the Agreement when issuing its press release thus ensuring the absence of critical commentary based on its text. If this is true, it is truly shocking.

The real problem is the conflict of interest that arises because the European Union (EU) has two responsibilities: (a) it negotiates the terms of the Agreement to facilitate the transfer of PNR data, and (b) it also decides whether the privacy protection in the USA is adequate. As the EU has a vested interest in getting PNR data from the USA to support Europe’s law enforcement bodies, the suspicion is that it has compromised on data protection standards to get these data.

The role of the data protection authority should be to act as an independent counter-balance that ensures that any compromise on the personal data needs of law enforcement does not unfairly prejudice individual privacy.  In a nutshell, the exclusion of these authorities means that there is no independent counter-balance in this Agreement that protects the interests of data subjects.

Just ask a simple question: “Who should have oversight of an issue that involves data protection?”. The answer the Agreement comes to is “the law enforcement bodies that are responsible for the interference with private and family life in the first place”.

If you want the detail of the annotated Agreement (plus press release) see below – but have a stiff drink by your side.

References specific to the EU-USA PNR Agreement

1. Follow the link to download my analysis of the “Agreement between the United States of America and the European Union on the use and Transfer of Passenger Name Records to the United States Department of Homeland Security” and related press release Download Eu-usa-pnr-deal-amberhawk analysis

2. To get the full agreement down load here Download Eu-usa-pnr-deal-com-807_November 2011

3. To download the (“economic with the truth”) Press Release from the Commission’s web-site just go to http://europa.eu/rapid/pressReleasesAction.do?reference=IP/11/1368

4. EDPS opinion on EU-US Passenger Name Record agreement (13.12.2011) and press release

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-12-09_US_PNR_EN.pdf

http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2011/EDPS-2011-12_US-PNR_EN.pdf

5. The Commission evidently restricted Euro MPs from seeing the agreement when issuing its press release; if this is true, it is truly shocking: 

http://www.itworld.com/government/225603/eu-parliamentarians-speak-out-over-gag-order-data-deal)

Related references to the general data sharing PNR Directive between EU Member States

The general PNR Directive which deals with internal flights shows many of the faults of the EU-USA PNR Agreement. See Hawktalk on:

• “Analysis of proposed PNR Directive exposes absent or minimal data protection and privacy safeguards”: http://amberhawk.typepad.com/amberhawk/2011/06/my-entry.html

• “Data Protection: UK wants to extend PNR Directive despite proportionality fears and the lack of evidence”:http://amberhawk.typepad.com/amberhawk/2011/04/data-protection-uk-wants-to-extend-pnr-directive-despite-proportionality-fears-and-the-lack-of-evidence.html

• “Why the PNR Directive is disproportionate and does not protect privacy”: http://amberhawk.typepad.com/amberhawk/2011/02/why-the-pnr-directive-is-disproportionate-and-does-not-protect-privacy.html

• The problems with data sharing with the USA are unbalanced in relation to the financial sector also. See “Financial data sharing agreement with USA remains unbalanced and defective”: http://amberhawk.typepad.com/amberhawk/2010/06/financial-data-sharing-agreement-with-usa-remains-unbalanced-and-defective.html

• Spoof:  “Oyster Card Passenger Name Record system to protect London Olympics” : http://amberhawk.typepad.com/amberhawk/2011/04/oyster-card-passenger-name-record-system-to-protect-london-olympics.html

Email marketing under PECR and the Data Protection Act

I have just had published an article on PECR and Data Protection in the context of email marketing. I think it might be useful to practitioners so I have added it to the blog. It combines the marketing rules under PECR with the Data Protection obligations and goes into the overlap between subscriber, user and data subject. The article will be useful for practitioners from the public and private sector data controllers, as well as those sitting the ISEB exam.

Enjoy reading. I had a heavy teaching load last week, so that explains the absence of a blog. Hope this makes up!

To download the article, just click on the link Download Article_marketing by electronic mail_dec2011_v2