Coalition Government chooses to minimise privacy protection against spammers and behavioural advertisers

Last week, the Government published its ideas as to how it would implement the changes to EU Directive 2002/58/EC. In relation to spammers and behavioural advertising it has decided to keep the low privacy standards that were acceptable to the previous New Labour government.

The changes discussed in the consultation (see references) are modifications to Directive 2002/58/EC introduced by the need to implement Directive 2009/136/EC. These new provisions have to be brought into UK law by 25th May next year (and this accounts for the consultation process launched by the Government last week).

One of the changes that you won’t find explained in the consultation document is the complete re-wording of Article 13 of Directive 2002/58/EC – a key Article which regulates all forms of electronic marketing including spam. The consultation ignores this complete redrafting and fails to discuss options that consequently arise.

For example, I think Article 13 allows Member States to introduce consent/opt-out requirements for ALL forms of electronic marketing including behavioural marketing. However, the drafting of Article 13 also allows a continuation of a minimum privacy protection policy with respect to the use of electronic marketing by organisations. The Government could have chosen to debate options that included the former; instead it has chosen to keep quiet give its support to the latter.

The argument for Article 13 providing further controls to protect browsing on the internet can be seen if you read the text carefully. For example, “electronic mail” is a defined term in the Directive to mean “any text, voice, sound or image message sent over a public communications network” directed to a "recipient". So when the term is NOT used in some of the marketing provisions (as in Article 13(3) of the Directive), one can make the inference that the provision is intended to apply to other forms of marketing that is conveyed NOT by “electronic mail”. The assumption being that if the text of the Directive wanted to limit the provision in Article 13(3) to “electronic mail” it would have been in the text.

Also note the use of the word "recipient". This refers to anybody (e.g. a "user" of the system) who receives a marketing message and includes a subscriber (who is likely to be identifiable because they pay the bills). Note also that "users" are more likely to be anonymous (as they just use the subscriber's  system). Keep this distinction in mind for a  moment - it is important!

Throughout Article 13 there is a conspicuous absence of the use of “personal data” although obviously personal data are subject to the e-marketing  rules (e.g. an email address is often personal data – chris.pounder@amberhawk.com). So where the term “personal data” is NOT used (as in Article 13), then provisions are clearly intended to apply in circumstances where other “data” (i.e. beyond the narrow confines of personal data) are processed for a marketing purpose. As behavioural marketing involves such “not personal data” (according to Google and other behavioural marketers – see references), the Article clearly allows for Member States to legislate for control over marketing that does not use personal data.

By contrast, the consultation states that the effect of the revised Article 13  is limited to “personal data”. This is because the consultation document requires that any “data” used to convey “electronic mail” has to relate to an “individual subscriber” and because of this, the data have to be “personal data”. Note also (as mentioned above) that in the Directive "electronic mail" is defined in term of a "recipient"; a recipient includes the subscriber and any user of the subscribers system. The consultation document in effect equates "recipient" with "subscriber" - which is not what the Directive says!

The consultation, for some reason, overlooks the consequences of this distinction. It explains that the “provisions on the use of personal data for marketing certain services” (in Article 13) only require “minor modification”. Note that if the information were “data” then the changes would not be minor as they include that marketing which does not identify an individual (e.g. to users who might be targeted by behavioural marketers).

In other words,  the consultation fails to explain the impact of Article 13 properly and to identify a range of options that could be debated as part of the consultation.

By the way, I should add that the statement in the consultation document (quoted above) is in line for the “Economical with the truth award - 2010”. This is a highly valued prize to be awarded by Amberhawk at the end of the year for the most misleading privacy statement that has a vestige of truth.

Finally the text of Article 13 uses the term “direct marketing” which is not defined. So if one assumes a definition of “direct marketing” similar to that in Section 11 of the Data Protection Act (“direct marketing” means “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”), then one can see that behavioural marketing can be captured. For example, if a marketing message depends on an user's browsing habits, then any user who exhibits a required browsing behaviour, receives a particular advert directed to them.

Last Spring (May 4th) I stated that the changes to Directive 2002/58/EC “will be an early test of the privacy credentials of the next Government in the UK”. I think they have failed that test.

What is more disturbing is the way in which the Government has failed the test. It has failed by deciding not to debate with the public the various pros and cons of the range of privacy options that could be available. Of course one can argue that an enhanced privacy protective option might be judged to harm economic activity but that position should form part of the informed debate.

My conclusion on the consultation: incomplete bordering on the misleading.

References: The Government Consultation is on http://www.bis.gov.uk/assets/biscore/business-sectors/docs/i/10-1132-implementing-revised-electronic-communications-framework-consultation.pdf.

Compare the Consultation with my analysis (“Privacy and electronic communications: comments on the modifications to Directive 2002/58/EC introduced by Directive 2009/136/EC”, downloadable from http://www.amberhawk.com/policydoc.asp.

Also relevant are arguments that show that an IP address can be transformed unambiguously into personal data; see “Reclaiming Privacy on the Internet – 2009” (also on http://www.amberhawk.com/policydoc.asp).

Marketing: We also have a course on Privacy Impact Assessments on 21st Oct in London and our data protection update sessions with our colleagues at Pinsent Masons in October. We have a Data Protection courses commencing in Manchester late September and London in November. Our next FOI course is in Leeds (commencing 19th October). Details on www.amberhawk.com

Cartoon - dedicated to all those involved in research

 
  ©Chris Slane

Police legal advice says there is full RIPA protection for unread spam (but no privacy protection for your confidential archive)

The voice-mail hacking incident is still exercising MPs – especially the Labour ones who did little to protect individual privacy in its decade in power (see last week’s blog). So when Assistant Commissioner John Yates of the Metropolitan Police Service (MPS) gave evidence on “Specialist Operations” to the Home Affairs Select Committee (last week), MPs on the Committee took the opportunity to ask a range of questions about the lack of prosecutions re such hacking.

Mr Yates’ answers reveal that the MPS have obtained legal advice from a leading QC which, if applied in practice, means that unread spam messages receive a high level of privacy protection under the Regulation of Investigatory Powers Act (RIPA) whereas read private email messages of immense confidentiality do not receive any privacy protection from RIPA. Don’t believe me – then read on!

In relation to the incidence of “voice mail hacking”, Mr Yates said the following (at Q5 - see references):

Mr Yates: “.... hacking is defined in a very prescriptive way by the Regulation of Investigatory Powers Act and it’s very, very prescriptive and it’s very difficult to prove....  There are very few offences that we are able to actually prove that have been hacked. That is, intercepting the voicemail prior to the owner of that voicemail intercepting it him or herself”.

Note my emphasis on “prior to the owner of that voicemail intercepting it him or herself”? What does that imply?

Consider the relevant provisions of RIPA and its definition of interception. Section 2(2) of RIPA states that “....a person intercepts a communication in the course of its transmission by means of a telecommunication system if, and only if ... (he makes) ...some or all of the contents of the communication available, while being transmitted, to a person other than the sender or intended recipient of the communication”. Section 2(4) states that an “interception of a communication” has also to be “in the course of its transmission” by any public or private telecommunications system (my emphasis).

I had not appreciated the significance of “in the course of its transmission” or “while being transmitted” until now – but John Yates’ testimony has put an end to that. What Mr Yates appears to be telling the Home Affairs Committee is that the MPS legal advice states that once the lawful recipients have read or listened to their Inbox messages, there can be no interception in connection with those messages. The RIPA offence falls away because each read message “has been transmitted” rather than “is being transmitted”.

So consider your email (or telephone) inbox. According to the MPS legal advice, if someone gains unauthorised access your unaccessed voicemail or inbox messages, there is an interception of communications under RIPA, and the risk of a custodial sentence. If you have read your messages, there is unlikely to be an interception and no RIPA offence. Of course Section 55 offence under the Data Protection Act could be engaged, but that is not going to frighten anyone (see last week’s blog).

Now consider what you did today. In your email Inbox will be all sorts of messages, some of which you will no doubt leave unread (e.g. spam in your Deleted Items folder), and some of which you will undoubtedly read and subsequently cherish (e.g. mailings from me or Amberhawk). Those unread deleted messages gain the full protection of RIPA whereas those messages that you have read do not.  In other words, the MPS legal advice appears to imply that RIPA provides a very a topsy-turvy world of privacy protection.

However, there is a more serious side to the MPS legal advice. If it is correct, then any claim that RIPA provides a high level of protection against the misuse of RIPA powers by law enforcement agencies could easily be misplaced. For instance, suppose the law enforcement agencies wanted to gain access to the content of your email Inbox: in relation to the content of your read messages, there would be no interference, and there would be no need to obtain a warrant, because RIPA is not even engaged. RIPA’s warrant provisions only cover unread messages.

However, access to the content of your read Inbox items would be protected by the Data Protection Act. As this legislation provides for very minor offences and a weak, underfunded, regulatory regime, that is why the MPS legal advice has a far more worrying consequences.

It is for this reason, that the arguments underpinning the MPS legal advice have to be published in full; Mr Yates' comments on RIPA cannot be left to gather dust. If they are seen to be correct, then Parliament needs to call for a complete review of all RIPA powers as when it provided public authorities with intercepting powers in 1999, Parliament had in mind the content of all messages – not just the unread ones.

References: Uncorrected evidence of Assistant Commissioner John Yates: http://www.publications.parliament.uk/pa/cm201011/cmselect/cmhaff/uc441-i/uc44101.htm (beging at Q5)

Marketing: We have a Data Protection courses commencing in Manchester late September. Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). We also have a course on Privacy Impact Assessments  on 21st Oct in London. Details on www.amberhawk.com

Custodial offence for deliberate invasion of data protection? Forget it!

I must confess that I find it rich that New Labour Ministers, who were in Government for more than a decade, are now huffing and puffing about their “phone inboxes being hacked”. The sad truth is that, in Government, they could have done a great deal to protect individual privacy by making such hacking a custodial offence.

In short, they failed to implement an offence that would have extended to a very large number of situations - well beyond the difficult issue of when (or whether) it is in the public interest for the press to hack into individual voicemail inboxes.

I also make a prediction: the custodial section 55 offence in the Data Protection Act is not going to happen for the foreseeable future.

In 2006, the Information Commissioner published details of the scale of the problem. In his documents “What Price Privacy” and “What Price Privacy, Now” (see references), the Commissioner outlined how a range of organisations were obtaining personal data by deception.

Although this blog focuses on the press, the problem of unlawful obtaining was endemic across a range of industries. The current S.55 offence usually offers a minor punishment of a fine; it is not a recordable offence, and those successfully prosecuted do not have the indignity of providing a DNA sample or fingerprints. This gives the impression that the offence is of little importance to society.

In relation to the press, the Commissioner documented that following the invoice trail of a few private investigators who had delivered services to the following tabloid newspapers:

Daily/Sunday Mail had paid for 1,218 investigations to be undertaken by Private Investigators on behalf of up to 91 different journalists. The Daily/Sunday Mirror ordered 824 investigations on behalf of up to 70 journalists. The Sunday People ordered 802 investigations involving up to 50 journalists, and the News of the World (the paper of current interest” had ordered 228 transactions of up to 33 journalists.

The evidence above suggests there was a large number of invasions of privacy but the facts cannot be proven. For instance, if there were an investigation into a target politician, the fact of the investigation (as proved by the invoice) would not reveal evidence as to the methods employed by the investigator. It is very unlikely that the fact of “hacking into voicemail inboxes" would appear on any invoice!

However, the number of investigations undertaken by a handful or private investigators at the behest of tabloid newspapers is simply staggering. They show a systemic use of this kind of investigation and it is inconceivable that all newspaper editors appear to be ignorant of the methods employed by their contracted agents. After all, in total 305 journalists had commissioned about 3,500 investigations into individuals. So is the News of the World claim that there was an isolated case of hacking undertaken by a rogue reporter credible? I leave you to answer that one.

The lack of evidence meant that all the Information Commissioner could do was to summarise his findings (in 2009):

“The main case was Operation Motorman. This was a case where a private investigator had been supplying personal information to some 305 journalists. The personal information included details of criminal records, registered keepers of vehicles, driving licence details, ex-directory telephone numbers, itemised telephone billing and mobile phone records. Documentation seized at the home of the private investigator included reports, invoices, settlement of bills between the detective and many of the better known national newspapers – tabloid and broadsheet”.

The Labour Government had greeted the What Price Privacy reports by conceding the need for custodial sentences. However in 2008, it backed down over its plans to introduce jail sentences of up to two years for those who obtained personal data by underhand methods. Although, it tabled two amendments to the Criminal Justice and Immigration Act 2008 signifying the custodial offence was coming, the actual implementation of the custodial sentence needed the Minister to exercise his powers and lay an order before Parliament.

As there was no use of these powers, the effect of the amendments was to maintain the status quo of the current Section 55 offence and further delay any custodial element. The changes also created a new defence for journalists to the Section 55 offence which is operational.

Eighteen months of New Labour inaction followed. In the Autumn of 2009, the Ministry of Justice tabled a consultation document on “The knowing or reckless misuse of personal data”. This consultation ended in January 2009 and since the General Election was looming, the product of that consultation was quietly dropped. The reason for this can be found in my blog of 12th Feb 2010, where I wrote:

“The sticking point (of commencing the custodial offence) I suspect is the application of the offence to the special purposes and in particular journalism. It has dawned on the Government that embracing legislation which could imprison journalists has very little to commend it when a General Election is looming. One can also imagine the fuss if this measure was actually passed by a Parliament full of MPs whose credibility is about zero, thanks the expenses scandal.”

However, with the new Coalition Government elected, penal policy has changed and there is an emphasis on not creating new custodial sentences. Kenneth Clarke now wants to reduce prison numbers – not increase them. That is why I think there will be no new custodial sentences for some time – even though the purpose of the custodial sentence is more symbolic than being an actual offence that will increase the jail population.

However, back to the main point. When ex-Labour Ministers claim invasion of privacy on our TV screens in the next few days – remember, they had their chance to do something about it - and blew it.

References: What Price Privacy Now: http://www.ico.gov.uk/upload/documents/library/corporate/research_and_reports/ico-wppnow-0602.pdf. Details of Operation Motorman: http://www.ico.gov.uk/upload/documents/library/corporate/detailed_specialist_guides/section_55_response_to_moj_consultation_20091112.pdf

Marketing: We have a Data Protection courses commencing in Manchester late September. Our next FOI course is in London (commencing 20th September) and in Leeds (commencing 19th October). We also have a course on Privacy Impact Assessments  on 21st Oct in London. Details on www.amberhawk.com