Monday, 31 October 2011

Why the Commission sometimes drafts in Eurobabble and Gobbledegook

Eleanor Sharpston QC was on great form tonight. By day she’s the UK Advocate General at the Court of Justice of the European Communities. And tonight she was at the University of London, delivering the Sir William Dale memorial lecture, explaining why European Commission Directives and Regulations sometimes attract some fairly heavyweight drafting criticism. We need to understand how the process works, she explained – and she started by praising the Commission for its official guidance on drafting, complete with 23 guidelines with examples of good and bad drafting. It's a good document. Full of common sense.

But the problems start when we ask ourselves who it is who is doing the drafting. After all, the working language of the first drafts of the Commission Documents is usually French and English – great for the Brits and the French, but not so great for some poor Hungarian or Slovak official, who could be trying to draft the initial text in their second – or third – language, rather than their mother tongue. These linguistic difficulties really must not be underestimated.

Next, when the drafts are considered by the politicians and the negotiators, the problems continue. After all, many negotiators have very different starting points. Some negotiators don’t really want the legislation, or are ambivalent about the proposed measure, as they already have domestic legislation which does something like what they think the Commission proposal is going to achieve. On top of this, representatives of the Member States may well have different perceptions of the meaning of the text under consideration. There can be a difference between perception, text and reality. Sometimes the built-in assumptions differ between the people who interpret the text. What is obvious to one party may also be obvious to the other side. But what is “black” to one side could easily be “white” to the other. Eventually the political negotiators will ask their legal teams for a legal view on suggested revisions to the text – but sometimes that view is only sought after the textual revisions have actually been accepted.

Eleanor also noted that texts sometimes had ambiguous terms simply because that was the only way to get majority support for the document. While the golden rule was, of course, that terms should be unambiguous (and all the major terms ought to be defined), it was not unknown for the Commission to propose something that didn’t make complete sense, but enough of it made enough sense for it to have some value when implemented.

And then, the Commission has to issue an equally authentic translation of the final text to the 27 Member States in each of the 23 Community languages.

In most cases, the legislation is finally agreed and is generally workable. But, if the text is ambiguous or unclear, a lawyer will eventually litigate and a national court will make a reference to Eleanor’s court to ask what the text actually means. Sometimes, her court will refer to the legislative history of the instrument to see if any relevant statements were made by negotiators during the different sets of discussions on the text. At other times, her court will try to comprehend the different translations of the instrument, to see if a majority of them see the concept under dispute in a particular way. Other times, they’ll just make it up themselves. But her court has never been undermined by a Member State refusing to accept her court’s interpretation. Nor has any Member State ever tried to amend an ambiguous term in an existing Directive so that it ceases to mean what her court decided it meant.

Eleanor did make the point that her court does not relish this responsibility, and would really prefer it if the politicians, who have the necessary democratic accountability, had actually made the relevant terms unambiguous.

Very wisely, Eleanor declined to say too much more about the defects that are inherent in EC legislation. She simply reminded us of Count Otto von Bismarck’s view that if you like laws and sausages, you should never watch either being made.


Sunday, 30 October 2011

Communications Data Retention: the public debate resumes

Here we go again. Reports are emerging of politicians seeking to change the current EC data retention regime. What do they want? The retention of more types of records. And who should be doing this retention? Ah, that’s the interesting bit, as some are now proposing that it should be content providers (eg the likes of Google, Yahoo!, Twitter and Facebook) rather than internet service providers (ie the folks whose pipes are simply used to access this content).

Back in 2006, the Data Retention Directive made it a requirement for telecoms companies to retain information about communications records for a period determined by national governments of between six months and two years. Not every EC Member State has yet implemented this Directive – but while there has been talk of the Commission issuing infraction proceedings against the laggards, to be honest with you I have not read a single word of criticism from the relevant law enforcement agencies complaining at their inability to do their job properly because that measure had not yet been implemented in that Member State. Perhaps this means that no-one cares about the lack of enforcement of a retention standard that is pretty irrelevant in those countries. Perhaps, in those countries, their own domestic policing techniques work perfectly well without this retention rule. And if that is the case, then presumably they won’t take much advantage of the newly retained data anyway, as they have not really needed it in the past.

The new rules are designed to recognise reality, which is that people use the internet to browse websites, as well as make communications. And it’s this internet browsing behaviour that some politicians now seek to track.

There could be pretty intensive discussions ahead, and I would expect the usual suspects to gather around the usual tables to develop credible responses to the usual questions.

These questions include, let’s not forget:

If the new rules are really to apply to internet browsing, and people use all manner of different communication service providers to do the browsing, then wouldn’t it be better for the new rules to apply to the provider of the service people are actually using - eg Facebook, Twitter or Google? After all, the whole point of mobile devices, such as iPads and smart phones, is to enable users to log onto their Facebook site from any hotspot or their provider’s mobile cell site. So the hotspot or mobile providers will only ever have just part of the complete picture.

What information should be retained and how helpful will this really be to law enforcers? The current (UK) rules prevent content records from being retained, and these, as far as Parliament is concerned, are records which go past the first slash of an internet address. So, a traffic record is This is not a lot of help to investigators who want to know just what on Facebook a user tried to do. They want more of the web log – but that brings us past the line of what is traffic and what is content.
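To make the traffic/content line concrete, here is a small added illustration (my own example code, not anything from the post or from any provider's retention system). It takes some constructed browsing records and keeps only the part of each address up to the first slash after the host, which is the "traffic data" boundary described above; everything past that slash (path, query, fragment) is the content that the current UK rules say must not be retained. It also drops any embedded credentials, which sit before the host and are never part of a traffic record. The sample URLs are made up.

```python
from urllib.parse import urlsplit

# Constructed sample of browsing records; domains are examples, not real users.
SAMPLE_URLS = [
    "https://www.example.com/groups/12345/posts?sort=new",
    "http://example.org/",
    "https://example.net",
    "https://user:pw@example.com:8443/inbox/message/99#top",
    "example.com/profile/me",  # no scheme, as a bare log entry might appear
]


def split_traffic_and_content(url):
    """Split a URL at the first slash after the host.

    Returns (traffic, content):
      traffic -- scheme and host (plus port if given): the part a retention
                 regime limited to traffic data would keep.
      content -- path, query and fragment: everything past the first slash,
                 which counts as content and is not retained.
    Embedded user:password credentials are discarded entirely.
    """
    if "://" not in url:
        # urlsplit needs a netloc marker to treat the first label as the host
        parts = urlsplit("//" + url)
    else:
        parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    traffic = f"{parts.scheme}://{host}" if parts.scheme else host
    content = parts.path
    if parts.query:
        content += "?" + parts.query
    if parts.fragment:
        content += "#" + parts.fragment
    return traffic, content


def retain_traffic_only(urls):
    """Apply the truncation to a batch of records, returning what would be stored."""
    return [split_traffic_and_content(u)[0] for u in urls]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        traffic, content = split_traffic_and_content(u)
        print(f"retained: {traffic:<30} discarded (content): {content!r}")
```

Run on the sample, the retained records show only which site was visited; the page, group or message the user reached is gone, which is exactly the gap the post says investigators complain about.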

For how long should these records be retained? All the solution providers are interested in this point, because their public service contracts are drying up so they are ever keener to sell technologies capable of searching huge databases to companies in the private sector.

What else will the private sector companies be allowed to do with the retained information? And who will be making sure that there won’t be any sneaky stuff going on?

How many more criminals is this initiative likely to deter, or even catch? And how much will this initiative cost? The deterrence, prosecution and cost questions are actually important – not because I want to wade into the “who pays” argument, but because we need to look at the “utility” argument. What I mean is whether the substantial investment that will be required to deliver this initiative might not be better spent in another area of law enforcement. In the UK, police budgets are under severe pressure for the foreseeable future. Could the money be better spent on more fuel, to enable more police cars to drive more miles each week? Or could the money be better spent on more training, to enable more law enforcement investigators to better analyse and react to the information that phone and internet service providers already have? If they can’t cope with what is currently available, is it strictly necessary for them to be drowned by a tsunami of even more stuff?

The biggest question, though, is simply Why bother? On the back of a recent high profile murder trial, resulting in the successful conviction of an individual at Bristol Crown Court, I’ve read press reports that very clearly indicate what internet activity the offender had been engaged in, both in the UK and while they were abroad. Enough records were evidently available to give the investigators a very clear picture of what this person had been up to. So, if that’s the case under the current regime, where is the pressing need to change things?

I do hope someone will state this case quite forcibly.

I can certainly see why Governments in various African and Middle Eastern countries are very keen to know what their citizens are up to when they use Facebook, YouTube or Twitter. And I can understand the lengths the providers are going to in order to protect the identities of their users, to prevent them from suffering unfortunate consequences, or visits from representatives of the national authorities. But as users (and content providers) develop ever more clever encryption techniques to evade these authorities, it won’t be that long before those very same techniques are used in EC Member States too. And whose benefit would that really serve? Probably not the EC law enforcers – nor the EC service providers. No-one really wants to be forced to retain huge amounts of information they can’t access or can’t understand.

Let’s hope that pragmatism will be permitted to prevail – eventually.



Sunday, 23 October 2011

Privacy icons and privacy nudges – how do we leave the world of the ubergeek?

One of the most thought-provoking presentations on privacy I’ve seen in many weeks was delivered by Patrick Gage Kelly last Tuesday. He was speaking at a privacy workshop organised by the GSM Association in Central London, and is currently involved with a considerable amount of academic research that’s ongoing at Carnegie Mellon University, which has established the CyLab Usable Privacy and Security Laboratory. This lab brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems. The researchers employ a combination of three high-level strategies to make secure systems more usable: building systems that "just work" without involving humans in security-critical functions; making secure systems intuitive and easy to use; and teaching humans how to perform security-critical tasks.

Let’s get this straight. Patrick is not an ubergeek. He is determined, however, to ensure that privacy does not become an issue controlled only by ubergeeks, as it’s clear that when they are in charge, the rest of us can have little idea of what’s going on, and can’t make proper choices about how we would like our personal information to be used. And, for the most part, we can’t make these proper choices because those designing privacy systems make the choice mechanisms fiendishly difficult to operate.

To give us an example, Patrick tore into the privacy dashboard that has been built into the new online behavioural advertising initiative, started in the USA and currently being rolled out in Europe. I blogged about this on 4 September. Patrick made the point that unless users actually understood the choices that were presented to them, and actually knew where to look on the screens to find the right drop down menus to click the right bits to register their objections, then the opt-out mechanism was somewhat limited in terms of privacy protection. Perhaps this is why the current opt-out rate is low. When I say low, the figure of .0002% (based on ads shown to users) was mentioned by the person who runs Evidon, the solution provider behind the Advertising Option Icon initiative. It was a great pity that the Evidon representative was not able to refute the quite troubling points that Patrick raised. He had left the building just before Patrick rose to speak. But he did know what Patrick was going to say. Evidently, he had heard Patrick speak before.

Given that some users are now being served some 1,100 ads per week by Google as they surf the internet, an opt out rate as low as .0002% is mighty impressive. Those promoting the scheme see the Advertising Option Icon initiative, with its ways to change preference management sessions so they can alter what the ad provider thinks of them, as the ultimate cookie. Is this the data protection equivalent of the mythical ring in Tolkien’s famous saga? Have we found the one cookie to rule them all?

Patrick was not so sure. As far as he was concerned, users wanted protections that didn't break things. Too often, one set of configurations simply messes up existing services. How often, for example, do we need to reconfigure the “pop up blocker” on our laptops so that a favoured website can work as originally designed? Apparently, users have found that the:
• privacy tools they are presented with are usually hard to understand and configure;
• privacy terminology is confusing, as people simply aren’t familiar with these concepts; and
• privacy tools provide little or no feedback, which leads many to think they may have configured the tools to block trackers, when they actually hadn’t.

Patrick’s main point was that privacy nudges are really hard to incorporate in the privacy sphere, as their purpose is usually, using soft determinism techniques, and psychological biases, to nudge users in a direction that is considered to be beneficial. But what is beneficial in the privacy sphere? And how should this be expressed to the user?

It can’t be the case that it is always better to safeguard our privacy. If that were the case, Facebook would close down tomorrow. The whole point of the exercise is that Facebook is an outstanding example of self-promotion. People love it because in this new world, we are all celebrities (of various degrees). But a well designed Facebook privacy nudge might work if, as well as being given the standard options of whether users wanted to share stuff with their friends, or their friends and their friends, users were given the total number of friends and the friends of friends – so the user could appreciate just how many people would be capable of seeing it. Will Facebook take up this idea? Well, they just might. They haven’t said no, yet.
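The nudge described above, showing the user how many people a post would actually reach before they pick an audience, is easy to express as a small reach calculation. The code below is an added example of my own, not anything Facebook has published or implemented; it builds a constructed toy friendship graph and counts the accounts within one hop (friends) or two hops (friends of friends) of the poster, so the audience figure can be shown next to each sharing option. Names in the graph are invented.

```python
from collections import deque

# Constructed toy social graph: undirected friendships between invented accounts.
FRIENDS = {
    "alice": {"bob", "carol"},
    "bob": {"alice", "dave", "erin"},
    "carol": {"alice", "erin"},
    "dave": {"bob", "frank"},
    "erin": {"bob", "carol"},
    "frank": {"dave", "grace"},
    "grace": {"frank"},
}

# Sharing settings mapped to how many friendship links away a post travels.
SETTINGS = {"friends": 1, "friends_of_friends": 2}


def audience(graph, user, hops):
    """Return the set of accounts within `hops` friendship links of `user`.

    Breadth-first search from the poster; each account is counted once even
    if it is reachable by several paths, and the poster is excluded.
    """
    seen = {user}
    frontier = deque([(user, 0)])
    while frontier:
        node, depth = frontier.popleft()
        if depth == hops:
            continue  # do not expand beyond the chosen sharing distance
        for neighbour in graph.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                frontier.append((neighbour, depth + 1))
    seen.discard(user)
    return seen


def nudge_text(graph, user, setting):
    """Produce the line a sharing dialog could show beside each option."""
    reach = len(audience(graph, user, SETTINGS[setting]))
    label = setting.replace("_", " ")
    return f"Share with {label}: {reach} people will be able to see this post."


if __name__ == "__main__":
    for setting in SETTINGS:
        print(nudge_text(FRIENDS, "alice", setting))
```

For "alice" the two options give 2 and 4 people respectively; on a real graph the jump from friends to friends of friends is usually far larger, which is precisely the consequence the nudge is meant to make visible.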

And, whether the protesters like it or not, targeted advertising at least serves to offer material to a device user that may be more, rather than less, relevant to their recent interests (as expressed through their browsing behaviour).

So where should we go from here?

We certainly shouldn’t give up – but we should redouble our efforts to dumb down privacy notices. Context matters, not long legalistic documents that simply protect a data controller. Controllers should try to make their privacy labelling clearer – and should take great care not to use colours and symbols that are associated with good and bad connotations - this is simply likely to scare people, when one choice can actually be just as valid as another choice, so long as the user appreciates the consequences of their choice.

And we shouldn’t give up on the Advertising Option Icon concept – but we really ought to make privacy choices easier for the likes of Homer Simpson, rather than Albert Einstein, to understand and use.



Sunday, 16 October 2011

How should our use of the internet be controlled?

We’ve all recently witnessed massive changes in the way we use the internet. “People use Facebook to plan before the revolution, Twitter to organise on the day, and then YouTube to show what happened to the world.” That was what Dave Coplin, Microsoft's Director of Search, Advertising & Online, had to say about its importance at last Thursday’s Parliament and the Internet Conference. This is why the more sensible nations will be thinking very carefully before demanding that any of these services are disconnected, should there be any more instances of civil unrest.

This does not mean that the internet will become a virtual Wild West, though. As Detlef Eckert, Director of Policy Coordination and Strategy in the DG Information Society and Media of the European Commission, commented during his presentation, “It's not just a deregulated telecoms structure. It needs to be regulated to be civilised.”

How it can be regulated though, and how civilised you really want to get it, is a very difficult question to answer.

Other speakers were not too optimistic about the future of the way the internet will be governed. Some of them had just returned from the annual Internet Governance Forum, held this time in Nairobi, and were thinking of the themes that were likely to be debated during the next Forum meeting, which will be in Baku next year. Is it really necessary to travel to such places to consider such issues? Yes it is – Europe only represents some 23% of internet traffic, Asia has 44% of the traffic and it will continue to dominate. There may be no agreement on how to tackle this global problem, but that does not necessarily mean that European nations will be able to punch above their weight when the debates are held. The latest wheeze, apparently, could be for a new United Nations-sponsored organisation to sit above the current Internet Governance Forum.

Lesley Cowley, Nominet's CEO, was not convinced that such a plan would necessarily be a brilliant idea. The more UN oversight bodies there are, the greater will be the pressure from various stakeholders to bring more decision-making within the sphere of Member States, and this could lead to less reliance on obtaining advice and, critically, experience, from the key companies who are likely to have a far better appreciation of the consequences of policies that are developed by people with little experience in actually implementing them.

Does this matter? I think it does – no-one wants to be faced with the unenviable task of being required to implement legislation which is either contradictory, open to a wide variety of interpretation, or out of kilter with common sense. And surely, no-one wants to be regulated by officials from countries where human rights are less well observed than they are in the EU. But hey, ho. Let’s see what happens.

The other key takeaway from last Thursday's conference, from my perspective, was the view, from several commentators, that mobile commerce in Europe remains in its infancy. In other parts of the world, it’s taken off at a much faster pace. South Korean commuters, in some metro stations, see posters on walls that allow them to choose items, pay for them and have them delivered and waiting for them when they get home. Some retail clothes chains have webcams in the fitting areas that enable the wearer to take and post pictures on their Facebook site so their friends can comment on how the garment suits them (and perhaps also to tell them whether their bum looks too big in it).

Within Europe, though, there are still some huge problems to be overcome if there really is to be a single market for digital goods. Currently, only a small percentage of people purchase physical or digital products from another country. It’s hard to imagine that the percentage will increase significantly until the different copyright management, liability, sales law, and data protection regimes are more closely aligned. And it’s hard to imagine that such changes will take place any time soon. And it’s extremely hard, if not impossible, to expect smaller businesses to be capable of understanding all the laws when, thanks to the internet, they could be trading in 150 countries.

A few commentators very briefly mentioned the likely changes to Data Protection legislation, but no-one had anything really significant to say. Richard Allan, Facebook's Director of EU Policy, made the point that it was obviously necessary for a revised EU data protection directive to move away from the premise that what was required was an instrument to regulate the way large organisations held data on citizens. In the new world, we are all both data subjects and data controllers, and it's a much more complex environment. Richard did make the point quite forcibly that the current models which finance internet content don’t fit neatly with EU regulations. It is increasingly impractical to put advertising and marketing into a separate box from internet content, so to speak, and it will be interesting to see just how this debate plays out.


Sunday, 9 October 2011

Does the Commission actually have the authority to make a data protection regulation?

Friends at dinner last night began a debate on whether the European Commission actually had a right to make changes to the current data protection directive by means of a regulation. Some of what they had to say was quite interesting, and repeatable, so I thought I should make some notes.

The debate was sparked off as we were about to see No Naughty Bits, a wonderful new comedy by Steve Thompson at the Hampstead Theatre. It followed the adventures of Michael Palin and Terry Gilliam as they travelled to New York in December 1975 to take on the ABC television channel – who had recently broadcast Monty Python’s Flying Circus coast-to-coast, but without all the naughty bits. A court case followed. The play’s themes included freedom of expression and artistic integrity. We learnt about the nature of comedy, the operation of censorship and the misunderstanding of the Anglo-American relationship.

Sitting right behind me in the theatre was a comic from that era, the great Ronnie Corbett, who also found the play very funny – but that’s another story.

Anyway, we got onto this subject at the dinner table because I had pointed out the links between the ABC’s desire to make changes to a copyright work that they had only obtained a licence to broadcast, and a Commission desire to make changes to the data protection directive – and that both felt the changes were to be non-negotiable.

Ultimately, I suspect, this matter will be decided by the courts. Certainly not by us mere mortals having dinner in Hampstead last night. But, before the legal superstars weigh in (and before the mighty Chris Pounder opines on the subject in one of his Hawktalk blogs), I thought I would outline some of the arguments that are likely to be repeated for some time.

Starting at the basics (and with a suitable acknowledgement to Wikipedia) the Subsidiarity principle was established in EU law by the Treaty of Maastricht, and entered into force in November 1993. In very general terms, matters ought to be handled by the smallest, lowest or least centralised competent authority (the close to the citizen criterion). However, the European Commission may intervene when its actions:

• are necessary because actions of individuals or member-state governments alone will not achieve the objectives of the action (the sufficiency criterion);
• are necessary to bring added value over and above what could be achieved by individual or member-state government action alone (the benefit criterion); and
• will secure greater freedoms for the individual (the autonomy criterion).

So, the critical question is about whether this test can be successfully applied in the case of the data protection directive. I think it’s a very high threshold.

Counsel for the Commission are likely to argue that:

• The right to personal data protection is a fundamental European right.
• Transborder data flows mean it’s hard for Member States acting by themselves to safeguard individuals’ rights.
• European citizens presumably need to enjoy the same level of rights wherever they are in the EU (no more or no less).
• Member States have not been particularly good at co-operating with each other and creating uniform data protection standards.
• It’s unlikely that they’ll be capable of greater co-operation in the foreseeable future.
• Current EU laws don’t appear to be particularly effective at ensuring the problems in the existing data protection framework will be reduced.
• A regulation is necessary because data protection issues affect a whole bunch of other legal rights that European citizens ought to enjoy, including:
- Respect for private life
- Freedom of expression
- Freedom to conduct a business
- Right to property
- Right to non-discrimination
- Rights of the child
- Right to an effective remedy and a fair trial.

On the other hand, Counsel for those who oppose a regulation are likely to argue that:

• The global nature of data flows is such that Europe-wide laws are likely to provide a very limited degree of additional protection for individuals. This ignores the fact that regulation in this area is likely to work only if it’s global in nature, rather than regional.
• The “damage” done to individual citizens as a result of current laws is actually quite small, and there is no pressing case to suggest that any damage to a citizen’s legitimate privacy interests would be significantly reduced by means of a regulation.
• Citizens in different Member States enjoy and expect different degrees of privacy. What is perfectly acceptable in one Member State is unacceptable in another (hence the argument for censorship of the Monty Python television programmes in America).
• There is no significant evidence that many citizens in different Member States actually care that the privacy laws are different in other Member States. Many people find it quaint that they live in different communities which share different values.
• Some Member States will find it unacceptable that this type of “social legislation” is foisted upon them and their citizens, as it represents a significant shift in legislative autonomy from the State to the Commission.
• The Commission ought to be prevented from micro-managing individuals’ lives.

I expect this discussion to carry on for some time. And I am looking forward to taking part in it, and seeing how it concludes.

Image credit: Those who have seen, or will see, No Naughty Bits at the Hampstead Theatre, will certainly recognise it.


Saturday, 8 October 2011

The Commission’s dilemma about a new data protection directive

I’ve just finished reading a sensational document. It’s probably not designed for general publication, so I won’t post it anywhere on the internet. It does not carry any private or confidential markings, though, so I don’t think that I’m breaching any national or international secrets by blogging about it. And I’m only going to quote 140 words from it in this blog. I understand it to be a candid document written for members of the Commission staff reviewing the comments that have been received following the consultation exercise on amending the data protection directive. The direction of travel for the Commission is set out in a range of policy options. But the most interesting comments appear in a frank assessment of the political dimension of these options.

I can now understand why it’s going to take until next February to publish their proposals – as first the Commission needs to consider very carefully which block of opinion formers it wants to side with, and which block it can afford, politically, to overrule.

The 72-page document first very cleverly sets out four problems that currently exist and have arguably become more serious over the years. After all, thanks to the wonders of the internet, greater numbers of people are blogging, posting images on the internet, and generally acting in ways which indicate that they are oblivious to the concept of the fundamental rights and freedoms of others. This increasingly results in:

• Difficulties for individuals to exercise their data protection rights effectively;
• Legal uncertainty, unnecessary costs and administrative burden for data controllers operating in the EC;
• Loopholes in the protection of personal data in the field of police and judicial co-operation in criminal matters and inconsistency of the rules;
• Weak and inconsistent enforcement of data protection rules.

This analysis, set out over 14 pages, is really good, solid stuff, as each of the four problems is analysed in some detail. The text identifies the drivers of each problem, who is affected and also to what extent.

The analysis then tries some crystal ball gazing, and makes a series of predictions as to what might happen if nothing were done to address these problems. Some of these predictions might be challenged by people who get to see the document. I think they probably need to be challenged and earnestly debated, as the Commission’s proposals on how to amend the directive depend, to a significant extent, on whether the assessment of what would happen if nothing were to be done is actually credible. It is also really important to test these predictions if the Commission wants to make a case for ignoring the general concept of subsidiarity (ie allowing rules to be implemented at the level of the Nation State rather than the Community Level). If there is a case to be made for implementing change by means of a Regulation, rather than a Directive, surely this can only happen if Member States can’t be trusted to make the right changes themselves, and if the predicted outcomes really are dire.

The document authors then get a bit bolder, and set out their policy objectives, the purpose of amending the current data protection directive, in terms of four general objectives, nine specific objectives, and 18 operational objectives.

The document authors then create three quite detailed options to meet some, most, or all of these objectives. And then the real fun begins, as the paper analyses the impacts of these options. The analysis includes an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial & economic impacts, social impacts, impact on fundamental rights and their impact on simplification.

Using a rough and ready (and unweighted) marking system, one of the three options as presented appears to be significantly less attractive than the other two.

And of these remaining two, it is clear that there are real political hurdles to overcome if either is to be adopted. One option is assessed at medium risk of political feasibility / acceptability: Member States are likely not to welcome increased harmonisation and the reduction of their room of manoeuvre. The European Parliament is, on the contrary, likely to welcome an ambitious proposal, both enhancing individuals’ rights and the internal market dimension of data protection. Private stakeholders/businesses will also welcome more harmonisation/reduction of administrative burden.

The other option is considered at low risk of political feasibility / acceptability: this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.

It’s a very cleverly written paper. Full of common sense, but it is not clear who ought, in a democratic society, to be given the honour of deciding whether any of these options, or indeed a different option, should be presented to the European Parliament. Don’t say “and this is why we have Commissioners”, as I can’t remember the names of many of them and have forgotten just how (and why) they were appointed to their respective roles.

Initial decisions on the future direction of the Directive, which include the concept of making people more accountable when they process other people's personal information, appear to have to be taken by people who aren’t that accountable themselves.

So, there is an awful lot more work that needs to be done. And the decisions are, to some extent, overshadowed by decisions that are being taken on the European economic front. As some EC Member States work ever more closely together to support the Euro, so their financial systems will converge. But Member States whose currency is not the Euro will want to take steps to run their own financial systems in ways that best support the interest of their own currencies.

Using a similar analogy, will Member States that wish to remain outside the Euro zone necessarily accept such a convergence of data protection laws? Or will they take steps to ensure that their data protection laws best support the interests of their own data controllers?

Time will tell.

Image credit:
This is not a joke. This is part of the cover page of the document I’ve been reading. Wait for your copy to be posted somewhere on the internet, so that you can download it yourself. I guess those folk at Privacy International will be trying hard to locate a copy and get it up there before anyone else does.


Friday, 7 October 2011

Depressing ways of implementing EC breach notification laws

Yesterday’s webinar run by the law firm Hunton & Williams on how various Member States were implementing EC personal data breach notification requirements left me so depressed that I ate an entire packet of Hotel Chocolat's Boozy Combo immediately afterwards to cheer me up. If you haven't tried their Boozy Combo, and quite like the concept of eating chocolate flavoured with whiskey, rum and Poire William, then you're in for a treat.

Why was I so depressed? Because I was presented with a narrative which made it clear that laws had been passed without a complete understanding of what their effects were going to be. In this case, European companies are faced with a bizarre set of breach notification requirements, for no obvious purpose.

It's understandable why there should be some types of breach notification requirements in the US. After all, if there isn't a basic federal law requiring all data controllers to put in place steps to ensure the adequate security of personal data, then it's clear that there should be an incentive not to make mistakes - such as a breach notification requirement. But why should this necessarily be the case in the EC?

The data protection directive has already set a standard, requiring data controllers to take adequate care of personal data. Will breach notification measures really encourage data controllers to "up their game"? I don't think that behaviours will necessarily change. Especially with regard to those data breaches which involve simple human errors and affect just one or two victims. It's hard to put in place technical controls that provide cast iron guarantees that individuals won't make simple mistakes when dealing with individual data records. It's much easier to put in place technical controls that encrypt large volumes of information that are transported from one place to another.

I was also depressed because I had just declined an invitation to consider applying to join an expert group set up by the European Network and Information Security Agency. This expert group has been tasked with creating recommendations for technical guidelines for the implementation of compulsory personal data breach notification requirements by communication and internet service providers.

But why do we need technical guidance on a common breach notification format if it is wholly unclear whether regulators in each of the EC member states are going to adopt a common approach to the breach notifications that they'll be sent? Why expect people to fill in the same form if, in some states, it will be thrown straight in the bin? And in others, only a cursory glance will be given to it, as the staff in that office are too busy working on more important issues?

Another reason for my not wanting to join the group was that the experts were only scheduled to meet once or twice more, and none of the people I knew to be members of that group of experts were people who were employed by communication or internet service providers. The final draft is scheduled to be presented to those who commissioned it at the end of this month. Critics may well argue that the standard will appear to have been created by no expert who had any practical experience of trying to determine whether the security incidents they were actually experiencing met the various statutory and regulatory definitions of personal data security breaches.

So why should I join a group solely comprised of people involved in regulating and enforcing, rather than implementing, these issues? If they didn't need the experience of practitioners when they started work to develop this common reporting and response format, would I simply have been there for a spot of window dressing at the end?

If I had been invited to participate at the commencement of the expert group, I expect that I would have pointed out the absurdity of expecting large numbers of data controllers to promptly notify regulators of the most minor of breaches. I would have urged a harm-based approach with thresholds that were sufficiently high to ensure that regulators would take notice of the incident, once they had received a report. So I can understand why I wasn't invited earlier.

But, to be honest, I would not really have wanted to have helped to devise a way of implementing a concept that was so flawed in the way it was originally drafted.


Wednesday, 5 October 2011

Compensation for distress? Or sometimes plain greed?

None of us are perfect. Every data controller makes mistakes. But most data protection professionals I know are quite prepared to put their hands up when things go wrong, and admit that an error has occurred.

What interests me is the attitude of the person who is the focus of the error. How many times do they tend to shrug their shoulders and accept that, in an electronic world, things occasionally go wrong, but life goes on regardless? And how many times do they adopt a "victim" mentality for which a significant compensation payment is the only acceptable solution? Even if the "offence" was to take a little time before recognising that they had objected to the receipt of a direct marketing message?

I guess we all see a fair smattering of both ends of the spectrum. Indeed, that's what makes the job so interesting. How can one person value their privacy so greatly that only an offer of several hundred pounds will stop them from going to the county court to claim damages for having been sent an unwanted marketing message? Incidents like this light up my day.

I wish I could send them a copy of the presentation that Rosemary Jay made to members of the Data Protection Forum in September 2010. It was very revealing, as it set out the levels of compensation that the courts award victims for distress and inconvenience in other areas (spoilt holidays, awful wedding photos, and banking errors - those sorts of things). Without wishing to steal her thunder, the general message is that claimants don't often get much. If you want to hit the jackpot these days, you need to be seriously inconvenienced (I'll deliberately avoid using the phrase "hacked off") by the likes of the News International group.

Perhaps we should mount an annual awards ceremony, in order that those who make the most outrageous claims can be properly recognised. Whether they would turn up to receive their awards would be another matter. But we would all enjoy a good dinner, and the after dinner speaker (hopefully a top comedian) would have plenty of new material with which he could poke fun at those who were so deserving.

Perhaps there could also be categories for the most ridiculous reportable personal data breach, too. We could have a special "my dog ate my data stick" prize, where entrants could send pictures of their pets and the awards panel could vote on the cutest pooch. And we could have an award for the NHS Trust that has managed to lose the greatest number of patient records. And, perhaps, we could offer a complimentary invitation to the data controller that had received (and paid) the largest monetary penalty in the past year.

I'll ask those who will be attending the next Data Protection Supper Club for their ideas on other awards categories too. Will there be fierce discussion amongst the judging panel when they review the nominations for "the most useful Opinion from the Article 29 Working Party"? Will judges storm out in disgust when other members of the panel disagree with their assessment of the strangest undertaking offered by a data controller to the Information Commissioner?

No, I don't think so. I expect that they will all share a similar sense of humour.


Tuesday, 4 October 2011

The art of drafting clearer EC laws

How much effort is really put into the drafting of EC laws? Why is so much of it so incomprehensible? If the Plain English Campaign can combat gobbledegook in the UK, why can’t an equivalent European body combat unintelligible Eurospeak?

If, like me, you have thought about these matters, and you’ve draped wet flannels over your head to keep your brain from overheating as you struggle to find the real meaning behind various EU Directives, fear not. Help is at hand. Well, it will be soon.


Because on 31st October, Elanor Sharpston QC, who is an Advocate General at the Court of Justice of the European Union, will be speaking on these matters at a free lecture in Central London. She’s calling her presentation: Drafting comprehensible legislation in a multi-lingual, multi-legal-system environment: some reflections on the EU drafting process and its consequences. I do hope that one of the things she will be doing, on behalf of the juro-linguistic translators, is apologising for the stuff that the legislators pass as laws. I do hope that she will be explaining how much care and effort really is made to improve the drafts that were originally presented by Euro Parliamentarians, but we’ll see.

I am a supporter of the Plain English Campaign, and remember, some 20 years ago, visiting their Headquarters in a converted mill in High Peak, Derbyshire. Working away in the corner of the building was their founder, Chrissie Maher. Chrissie’s life story is an inspiration to us all. She largely missed out on formal education and could not read until she was in her mid teens. She was heavily involved in community work during the 1960s and founded Britain's first community newspaper, 'The Tuebrook Bugle'. In the 1970s she set up 'The Liverpool News', the country's first newspaper for semi-literate adults, and Impact Foundation, a community printshop. Chrissie was invited to be a councillor on the National Consumer Council when it was created in 1975. Around that time she started the Salford Form Market - a project to help people fill in forms - which led to the birth of Plain English Campaign.

I got to meet her when I was working with the Association of British Insurers, as the ABI was encouraging its members to change their practices in line with new rules that were introduced with the implementation of the Unfair Terms in Consumer Contracts Regulations in 1989. I remember working with insurers to develop clear ways to communicate with customers – an initiative that was strongly encouraged by a senior Office of Fair Trading official, a certain Richard Thomas. Yes, that Richard Thomas!

Don’t let the venue of Elanor’s presentation put you off. The event has been organised by the Institute of Advanced Legal Studies of the University of London, but the presentation will take place, because of its significance, in Senate House, in Bloomsbury, Central London. You don’t have to be a student (or an academic) to attend. Just be someone who has a keen interest in the subject matter. And be prepared to have a drink afterwards with some familiar faces to discuss the points that she will have made. I might even buy a round myself.

It’s likely to be great fun. And very instructive. So, hopefully I'll see you there in good time for a 6pm prompt start. The chairman - The Hon Mr Justice Sales – is unlikely to look too kindly on the latecomers. Those who fancy registering should point their browser here:


Monday, 3 October 2011

A data protection anthem: to be sung at the Proms

I can get quite emotional when I watch the annual broadcast of the Last Night at the Proms concert on the television. It's one of the highlights of the British cultural calendar. Who can resist reaching for a flag, standing to attention and belting out the chorus of Rule Britannia at the appropriate time?

Very few of us actually know the words to the verses, but we all like to join in when it’s time for the chorus.

According to Wikipedia, this anthem was written by James Thomson, some 250 years ago. The lyrics were first published in 1763. A few changes have obviously been made to those currently used by the soloists. But how could the words be tweaked to make them more relevant to the data protection community in the 21st Century, while keeping true to the original jingoistic spirit?

How about something like this?

When Britain first, at the Council’s command,
Enacted laws about the facts that we retain,
Enacted laws about the facts that we retain,
Their 108th Convention, behave as they demand,
And guardian angels sang this strain:

Data Protection!
Keeping up the fight
Respecting privacy as a human right.

Then nations, not so blest as those in the EC,
Must in their turn, to regulation fall,
Must in their turn, to regulation fall,
Join us, and flourish, you can flourish great and free,
Your sneaky little practices, you will overhaul.

Data Protection!
Keeping up the fight
Respecting privacy as a human right.

Still more majestic can we rise,
Above the claims that compliance is a joke,
Above the claims that compliance is a joke,
Fear not cloud servers, those boxes in the skies
Making life easier for European folk.

Data Protection!
Keeping up the fight
Respecting privacy as a human right.

The internet is marvelous, it’s truly changed our world
But information overload leaves us no place to hide
But information overload leaves us no place to hide
Getting hot and bothered when the facts are all unfurled
Facing the music now we’re digitally classified.

Data Protection!
Keeping up the fight
Respecting privacy as a human right.


Saturday, 1 October 2011

Internet cookies: an idea for a new Article 29 Opinion

I don’t know about you, but I don’t like the language the Article 29 Working Party uses in its opinions. They are usually extremely long and legalistic. And boring.

Why can’t they develop a new way of communicating with the rest of us? Perhaps in a tone that would connect with us in a more subtle way?

Why can’t they do it in verse?

And if they were to try it in song, what might it sound like?

Well, I’ve written an anthem to mark the care that members of the Working Party would want us to take when using the internet. You can sing the lyrics to a well known tune, which once promoted a global (American-originated) beverage. I figured that this approach might go down well on both sides of the pond.

And I’m also proposing that the members sing it at the start of each of their meetings, rather than hum along to Beethoven’s Ode to Joy, or some other Euro anthem. Or whatever else it is they do before they earnestly get down to a spot of data protecting.

And I would be delighted if the Article 29 Working Party might also record it and release it as a charity single on iTunes. It can be their contribution to European Data Protection Day next year.

The song goes something like this:

We’d like to teach the world to surf
In anonymity
No nasty cookies on our turf
No permanent ID.

We’re the real thing

Are you sure, are you sure?
We’re the real thing
But what if I want a bit more?
We’re the real thing
I’m cash rich time poor
We’re the real thing
How will they know me from before?

We're charged with fighting practices
All over cyberspace
Preventing bad guys adding you
To their customer database.

We're the real thing

But they know my taste
We're the real thing
And my time they won't waste
We're the real thing
I've already seen her waist
We're the real thing
Look I don't want it chaste.

There's spyware from their market place
Selling your details on the sly
To strangers you will never trace
Causing harm that's hard to rectify.

We're the real thing

Do what we say and you'll be fine
We're the real thing
Respect the guys who draw the line
We're the real thing
Can't rhyme like Oscar Hammerstein
We're the real thing
All hail the Article Twenty Nine!