Friday, 31 January 2014

The weakest EU privacy regulator is ...

OK. Let’s assume that you are a multinational data controller who can choose which of the EU privacy regulators you wish to be regulated by.

Today, which regulator would that be?

The Fundamental Rights Agency helpfully published a very useful report back in April 2010, which compared the independence, effectiveness, resources and powers of each data protection authority. Almost 4 years have passed since its publication, so some of the text is out of date, but it still remains a great reference document.

If you are interested in learning which regulators are truly independent, and which are political patsies, read the report.

If you really want to know which ones are starved of resources, then this is a good place to start.

If you want to compare their powers of investigation, powers of intervention, powers to hear claims and engage in legal proceedings, and appreciate what advisory powers they have, then this really is an essential document.

And if you want a report that comments on their activities, yes – what they had actually got up to - then again you should read the report.

The report also points out the deficiencies of data protection authorities, the relative lack of enforcement of data protection rules generally, the problems of rights awareness among citizens, the problems of meshing the needs of the crime and security agencies with general privacy rules, and various technological challenges that data protection authorities face.

It’s an essential document for anyone interested in forum shopping - or for anyone who (mistakenly) believes that multinational data controllers are seriously interested in data protection forum shopping. No one in their right mind is going to deliberately arrange their business affairs so that they fall under the supervision of the weakest data protection regulator. Tax and employment issues will always far outweigh data protection considerations.

Just be mindful of the report's subliminal message – which is that if there should be 'one data protection rule to rule us all,' then the logical consequence is that 'one regulator should enforce it all.'

Anyway, the identity of Europe’s weakest data protection regulator.

Please.

I’ve given you enough material for today.

Read the report and work it out for yourself!

Source:
http://fra.europa.eu/sites/default/files/fra_uploads/815-Data-protection_en.pdf

.

Wednesday, 29 January 2014

Book review: Cloud Computing Law, edited by Christopher Millard

If you need to consult a great book on the legal implications of cloud computing, then look no further. This is the one for you. 

Professor Christopher Millard and his colleagues at the Cloud Legal Project at the Centre for Commercial Legal Studies at Queen Mary, University of London – colloquially known as “the Queen Mary Mafia” – have done it again.

They've given us, in a readily accessible manner, the very latest thinking on an issue that all information governance professionals need to be very familiar with.

During a reception to celebrate its launch in Brussels last week, Ken Ducatel, Head of Unit for Software, Services and Cloud at the European Commission remarked that he was so impressed with the book that he had already bought 2 copies.

There is a substantial body of law and regulation which already applies to the cloud computing sector, and it is evolving rapidly. Unfortunately, data protection compliance is a particularly difficult issue, mainly because the conceptual basis on which the current law is based (where there are known locations and clear divisions of responsibility between stakeholders, who are either data controllers or data processors) predates the reality of cloud computing.

So when is cloud computing appropriate? What scope is there to negotiate individual contracts with cloud providers? What steps are European regulators likely to take to enforce current laws? What about the relevant law enforcement, competition and consumer protection implications of cloud computing? And how much easier is the proposed new General Data Protection Regulation likely to make life for cloud users?

The book pulls no punches. Take, for example, its views on the burning topic of the day: "Notwithstanding the frequent invocation by EU officials of ‘the cloud’ as a catalyst and justification for new data protection laws, the proposed Regulation does not look particularly ‘cloud friendly’, nor indeed ‘business friendly’, ‘citizen friendly’ or ‘future proof’." And the book then explains why this is so.

Further editions are bound to follow in the next few years – but a substantial body of the text is unlikely to change.  Professor Millard is responsible for a work which explores the principles of cloud computing law in a way that will remain relevant for some time.

It’s a book that the serious players will return to again and again.

Brilliant value at £75 in hardback, £34.95 as a paperback, or just £15.43 for the Kindle edition.

Source:
ISBN 978-0-19-967167-0

.

Tuesday, 28 January 2014

Data protection in a dream world

Last Wednesday’s report about the Computers, Privacy & Data Protection conference cocktail party featuring an acrobat on a trapeze, playing the saxophone upside down, has been met in many quarters with total disbelief. My email box has been swamped with people declaring that there’s no way they’re falling for that story. Evidently, I should stick to commenting about the credible, rather than the totally unbelievable.

Ok, you non-believers – so what do you have to say about today’s images?

And its connection with data protection? Well, we can look at the performer’s website to get a clue:

“This unique solo-performance combines unique trapeze acrobatics with soulful saxophone playing. The audience is able to experience the personal language of exotic movements that take you on a journey into a magical and bewitching dream world. What will you experience? Dive into the story about a voyage that reconnects us with our roots in nature.”

So, data protection is a “magical and bewitching dream world.” The performer's vision is “To let people dream.”

If the acrobat were to have dedicated this performance to the European Commission last week, in the context of their plans to have a Regulation passed before the forthcoming European Parliamentary elections, I can quite understand what she would have meant.

Dream on ...

(Rumours that she has been booked to repeat her show at the ICO’s Data Practitioner Conference in Manchester on 3 March, with the ICO chorus featuring as her backing singers, are unfounded.)

Anyway, happy Data Protection Day. However you celebrate today, I doubt that it will involve swinging upside down, with a saxophone. But if it does, please send me the pics!



Source:
 www.connyschneider.com

.

Monday, 27 January 2014

NHS data sharing – great comments from the ICO

The ICO’s Dawn Monaghan has been showing us how good she is again. Her latest blog, on how changes to patient information in England could be used by NHS bodies and others, is full of insightful, pragmatic and very sensible comments on how the Data Protection Act applies to the proposed scheme.

This is just the sort of commentary that we data protection professionals (at least those at the more pragmatic end of the spectrum) like.  Crisp, short, and to the point. What a welcome change from the language of a typical Article 29 Working Party Opinion, which is evidently designed for a very different audience to that which the ICO likes to address.

Also, reassuringly, Dawn’s comments reaffirm my own views on the subject.  I trust the NHS, and am content with the view that the advantages of such data sharing among relatively sensible healthcare stakeholders overwhelmingly outnumber the risks.  This stance has not gone down too well with a certain section of my readership, but I don't expect everyone to agree with me on such an important subject. Unlike those who focus on blogging as a means of airing their objections to the issues of the day, I’m also happy to explain why I support certain initiatives, when the occasion requires.

Dawn will have more to say on these matters in a few months. Meanwhile, feel free to continue taking my advice: “Read the leaflet that dropped through your letterbox recently. And then relax.”


.

The new EDPS – the Commission’s official response

I am grateful to my chums at Statewatch for having placed in the public domain a recent letter from the European Commissioner for Inter-Institutional Relations and Administration to the President of the European Parliament, shedding a little more light on what is going to happen next concerning the matter of the appointment of a new European Data Protection Supervisor.

I love that person’s job title. If ever there were to be another series of that wonderfully funny BBC TV series “Yes Minister,” perhaps this time set within the European Commission, our eponymous hero Jim Hacker would be the European Commissioner for Inter-Institutional Relations and Administration.

Anyway, as indicated in last Friday’s blog, the current EDPS (and his assistant) will continue in office until 16 October 2014, during which time the selection process will be re-run.  Helpfully, and in response to the international clamour for more details about the selection process, we now know a little more about what the candidates go through. Applications are reviewed by a Consultative Committee on Appointments, “composed of high ranking civil servants who have great experience in evaluating candidates for senior positions at EU level.” Candidates can also expect the decision of this committee to be reviewed by “Representatives of the European Parliament and the Council.”

This time round, previous candidates can reapply, and there may be a different selection process for the EDPS’s Assistant.

Interestingly, the letter suggests that the EDPS’s job description (but not necessarily that of his Assistant) may be revised to highlight the need “to work at high international level and to lead the EDPS in facing future changes in an environment of rapid technical evolution with high political, economic and social sensitivity.” This job description would certainly fit the high-flier whose identity was revealed to me last week, but who is currently unlikely to be available until the autumn. They would be an absolute shoo-in.

Also interestingly, the letter commented that “certain media mentioned names or persons in certain functions who had allegedly applied for the positions. The Commission regrets this publicity since it is neither in the interest of the institutions nor in the interest of the real or alleged candidates.”

If any of this criticism was particularly directed at this blog, then I’m happy to point out that I've never identified the individuals and candidates whom I've spoken to, and in any event I would never have needed to comment on the situation if the Commission had not been so opaque in the first place. It was not in the interests of the Commission to keep so quiet about this legitimate matter of public interest. The Commission’s failure to be more transparent about its own processes simply encouraged the media speculation. The Commission should not criticise others for its failure to media manage this issue.

As I pointed out last week: “It’s a sophisticated machine, the European Commission. And, in the end, all will turn out for the good.

(For the European Commission, that is.)”

Source:
http://www.statewatch.org/news/2014/jan/eu-new-edps-letter-com-ep.pdf

.

Saturday, 25 January 2014

The Fundamental Rights Agency sets on a collision course with EU Member States

On Monday, the Fundamental Rights Agency will publish a (59 page) report on access to data protection remedies in EU Member States. The Ministry of Justice is likely to take its allocation of the reports and stuff them straight into the ICO’s furnace.

Why?

The report, based on interviews with some 350 relatively knowledgeable individuals, examines the nature of data protection violations and highlights the obstacles that victims face as they seek redress. Only a few European citizens are aware of their data protection rights, and there is a lack of legal expertise in the field. Those who do make complaints inevitably use their national data protection authorities, but these often suffer from a lack of resources and powers.

The FRA’s conclusions and recommendations are predictable:

First, the EU should harmonise data protection rules across EU Member States, and increase the sanction powers that should be made available to national regulators. And, these regulators should be independent from external control both for allocating and spending funds and recruiting personnel: “Such independence is particularly important since data protection authorities also have to address data protection violations by the state. Moreover, they must be equipped with proper procedures, sufficient powers and adequate resources, including qualified professionals to make use of these procedures and powers.”

Second, the EU should increase funding for civil society organisations and other bodies in the third sector to help victims who seek redress, including collective redress where appropriate.

Next, Member States should sponsor public awareness campaigns to encourage people to take more interest in asserting their rights, and provide better training to judges and lawyers to underline the importance of these rights.

Finally, Data Protection Authorities: “Should focus awareness of their existence and role, cultivating their public profile as independent guardians of the fundamental right to data protection. They should seek closer cooperation with other guardians of fundamental rights such as equality bodies, human rights institutions and civil society organisations.”

The FRA's solution is relatively simple. Spend more public resources and ensure people take a more active interest in asserting their rights.

But, there remains a big problem. Member States won't allocate sufficient public money to address these recommendations. In a number of respects, some supervisory authorities (and the Governments of some Member States) don't agree with the proposed solutions, anyway.

In the UK, for example, the ICO is planning to reduce the resources that are allocated to investigate complaints that don’t inform and are not aligned with the ICO’s strategic priorities. (Which means not dealing with a lot of petty complaints.) Whether this is a decision that has been willingly taken by the ICO, or in response to a funding squeeze imposed by the Government, is not an issue for this blog. But other data protection authorities have already taken, and more are considering, this approach, given the realities of their own funding positions. European data protection authorities are increasingly having to be selective to be effective.

So a report like this, emerging from a Vienna-based organisation that I must confess I had never heard of before (despite it already being 7 years old), is very unlikely to be welcomed with open arms by those who will have to meet the implementation costs. No, the report does not contain a compliance cost assessment, but then again, when it comes to protecting fundamental human rights, who does care about the associated price tag?

Perhaps I should offer a prize to the first person who spots a reference to the report in the Parliamentary journal, Hansard. It could be some time before British Parliamentarians formally note that the report urges a higher level of public spending to ensure adequate data protection remedies.

Perhaps I should also offer a prize to the first person who sends me a selfie of themselves wearing one of the FRA's great  baseball caps, which were freely available from the FRA's stall at the recent CPDP conference in Brussels. They are great caps, and I have every intention of wearing mine regularly.


Source:
http://fra.europa.eu/en/publication/2014/access-data-protection-remedies-eu-member-states

ISBN 978-92-9239-309-0

.

Friday, 24 January 2014

EDPS appointment confusion clarified


Brussels is a wonderful place to meet new chums and exchange views, gossip and intrigue. Last night, I was able to enjoy the company of an extremely experienced (and discreet) Commission insider who presented me with an extremely convincing overview of the current situation regarding the appointment of a successor to Peter Hustinx, the outgoing European Data Protection Supervisor.

First, the facts. The Commission is stuffed with sophisticated administrators who carry out their tasks in an extremely professional manner. They try hard to take full account of the particular sensitivities of a very diverse range of stakeholders. They can’t please everyone all of the time. And I admire their integrity and dedication to trying to do what they consider to be in the best interests of the European community. Many of them are extremely polished performers. They don’t often make mistakes.

Next, the politics. Getting the timing of all major Commission appointments right is an impossible task. High-fliers who are earmarked for particular jobs often encounter difficulties when making themselves available at a time that suits both their current, and their future, boss.

And that is what has happened in this case. While the term of the European Data Protection Supervisor is supposed to have expired last week, the individual whom I understand has been earmarked for the job is currently so valuable to their current boss that it is highly unlikely that they will be available to serve as EDPS until this autumn.

If my source is right – and they helpfully shared with me (in confidence) the name of their nominee – I see the logic behind that explanation. This individual currently has an extremely important role, and I can see why it is that their boss would not wish to dispense with their services at this precise time. I can also see why their boss would not like the name of that candidate to become widely known just yet.

Even the European Commission’s transparency agenda contains the odd exception. Like, when it relates to the European Commission.

So, the stage is set for a rerun of the selection process. This individual will apply, and will sail through the “What is your vision of the future role of the EDPS?” question when it is asked by the anonymous selection panel. A newly elected European Parliament will nod the appointment through, the usual suspects will issue a collective groan, and the new EDPS will thank Peter Hustinx for so kindly (and so expertly) keeping the seat warm.

As a mild diversionary tactic, I understand that Peter Hustinx has let it be known that as it only takes nine months for a couple to create a new human being, he will formally resign from his post if he has not been replaced by the end of October.

Fear not, Peter.  If I were you, I would safely book a holiday in the fjords next October. Your services as EDPS won’t be required by then.  The die has been cast. The European Commission knows what it is doing, and what it wants, and for all I know it has probably already pencilled a date in the calendar for the formal announcement of your successor.

It’s a sophisticated machine, the European Commission. And, in the end, all will turn out for the good.

(For the European Commission, that is.)

.

Wednesday, 22 January 2014

Soundbites from today’s Computers, Privacy & Data Protection conference

Today’s conference session in Brussels produced some genuine revelations.

A very reliable source gave me some of the names of the unsuccessful candidates for the post of the next European Data Protection Supervisor. No, I’m not leaking my list. Another totally reliable source told me that, when seeking official explanations as to why none of the shortlisted candidates were considered suitable for the post, it was explained that none of them had advanced a sufficient vision of the future role of the office of the EDPS. Having also managed to secure a few private words with (at least) one of the unsuccessful shortlisted candidates today, I appreciate that this is not the real reason that no appointment has been made. But let’s get back to business. European citizens do need more transparency around the EDPS appointment procedures, if a new one is to be appointed before this calamity descends into even more of a farce. When even Commission officials can barely suppress their sniggers each time this mess is mentioned, you appreciate how little credibility the current appointment process has.

Soundbites on the Regulation:

“The Regulation will not be passed before the European Parliamentary elections.”
“There has been a failure on the part of the European Commission to explain what the Regulation is about. We are losing allies for the Regulation within the Council. This is due to a failure of the Commission to support its own projects. The Commission should create more support in the Council, not on Twitter.”
“The worst outcome of the current deliberations on the Regulation is that deadlock within the Council continues until the end of the summer and we may not have a new framework before 2020. This scenario is more and more possible.”
Wojciech Wiewiorowski, Polish Data Protection Inspector General

“We are not there yet.”
Peter Schaar, European Academy for Freedom of Information & Data Protection

“We want closure. Let’s get this law on the books.”
“What we have on the table is progress but it is not perfection and we will never achieve perfection. We should now seek corridors of acceptance.”
“It’s time for the politicians to take charge.”
Paul Nemitz, European Commission

“We want a proposal that is simple, effective, and easy to understand for the man on the street.”
Anna Fielder, Privacy International.

“For once, I agree with Christopher Kuner.”
Marie-Helene Boulanger, DG Justice

Heard at other sessions:

“I have seven quick points I want to make.”
“You can’t have a homogenised approach to resilience. It’s a multifaceted response.”
Various (academic) speakers

And finally, after the cabaret session during the cocktail party to mark the close of the first day - which featured an acrobat on a trapeze, playing the saxophone upside down (don't ask me what that has to do with data protection, but it happened, believe me):

“Wow, I need another drink. Now, who’s paying for my dinner?”
Bemused delegate

Roll on tomorrow.

.

Monday, 20 January 2014

Clear or crummy cookie practice?

Every now and again, I stumble across a new website and take a quick squint at the cookie policy.
Don’t worry - it’s not something that is of any interest to me in my real life. But, for professional reasons, I do like to see how the webmaster has addressed the issues that were under such intense scrutiny a couple of years ago. (Oh, how time flies.)

I recently came across a site advertising a conference, to be held in April, on smart cities.

The first thing I noticed was the cookie banner, proclaiming: “We have published a new cookie policy. It explains what cookies are and how we use them on this site. To learn more about cookies and their benefits, please view our cookie policy. If you’d like to disable cookies on this device, please view our cookie policy for information on how to manage cookies. Please be aware that parts of the site will not function correctly if you disable cookies. By closing this message, you consent to our use of cookies on this device in accordance with our cookie policy unless you have disabled them.”

That’s right. This time you get four separate links to the same cookie policy in the four lines of text.

The cookie policy, should the reader click onto it, is a page that contains a bunch of quite accessible information, including a plain English explanation of each of the 19 cookies that are loaded, and how long they remain. One cookie expires after 10 years, others expire at the end of the browsing session. But at least the webmaster knows what cookies are set, and when they expire.

I just hope the webmaster takes as much care reviewing the website to make sure new explanations are added when new cookies are introduced, as they evidently did when creating the original text.

I did chuckle when I read the relevant cookie explanation on Informa’s main website, which explains that: "Websites are now required by law to gain your consent before applying cookies. We use cookies to improve your browsing experience. Parts of the website may not work as expected without them. By closing or ignoring this message, you are consenting to our use of cookies."

So, according to Informa, ignoring a message is taken as consenting to the relevant processing.

Another instance, like my last blog post, where the data controller is adamant that silence can be taken as consent.

I must admit that I'm more comfortable with the previous example, with the NHS taking my silence as consent, than I am with Informa's stance. Informa should require the visitor to its website to do something more than just ignore a message to assume consent - I would have preferred an explanation along the lines of: "By closing this message or remaining on this website, you are consenting to our use of cookies."

But then again, I'm just being pedantic. How many people really do click through cookie banners and actually read the policies, anyway?


Saturday, 18 January 2014

Time to consent to sharing our health data - by doing nothing

When should silence equal consent?

Every now and again, it may be necessary to disregard the mantra that silence never equals consent.

Those who have read the NHS leaflets that have been delivered to most households in the land will appreciate that something is going on. In the context of the current NHS information sharing programme, by doing nothing, information about the healthcare we have received will be used to help a range of organisations better understand the health needs of everyone, and the quality of the treatment and care provided.

And I’m very happy about this.

I do not wish to be required to fill in a form, or tick a box, or even blink an eye to indicate that I specifically consent to this particular processing purpose.

Why?

Because if I were to be expected to do anything to indicate my consent, I’m sure that my own laziness would result in that consent not being delivered to the right person / institution. Nothing would happen. I put off so many tasks, and throw away so many leaflets without responding to their “call for action”.

As do we all.

I’m very happy with the proposed arrangements, which are that if I don't like the NHS’s proposals, I should contact my GP practice and request that a record of my objection be made in a separate note on my medical record. This is a pragmatic and sensible approach. I’ll actually have to do something if I really want to object to this processing purpose.

I’ve read a range of posts from bloggers and privacy campaigners who fear the consequences of consenting to their confidential health data being shared for the purposes currently proposed by the NHS.  A number of them currently do not wish their information to be shared. Some fear the risks of a personal information breach. Others don’t like public bodies sharing sensitive personal data with private companies that might profit from the data. But, to the extent that their concerns are valid, in my view the advantages of data sharing among relatively sensible healthcare stakeholders overwhelmingly outnumber the risks.

I wonder how many of the “no, never” brigade will actually expend the energy that is required to contact their GP practice and object. Not many, I predict.

I want good health – and I’m very happy for my healthcare to be delivered, free, by the National Health Service. And in return, I want to ensure that the NHS has as much data as it needs to support the care of other patients, and society as a whole.  I trust the NHS. So I’m in.

I commend my actions to everyone else. Read the leaflet that dropped through your letterbox recently. And then relax.

.

Thursday, 16 January 2014

Time to abolish the EDPS?

If I were an oik working for the European Commission, and tasked with nominating a replacement for Peter Hustinx, the former European Data Protection Supervisor, I would draft the following memo to my boss:

"I think it’s time to review the Office of the European Data Protection Supervisor. It is a department that oversees data protection compliance of a number of European institutions.  

The rules for data protection in the EU - as well as the duties of the EDPS - are set out in Regulation (EC) No 45/2001. One of the duties is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. There is no reason why this task cannot be carried out collectively by members of the Article 29 Working Party. They’re always issuing opinions that most people ignore, so a few more opinions won’t cause any problems.

Another duty relates to the supervision and prior-checking of EU institutions and bodies processing personal data that present specific risks to the rights and freedoms of individuals. There is no reason why this duty cannot be carried out by the data protection regulator of the EU Member State that hosts the headquarters of the relevant institution and body. They are, after all, responsible for regulating all the other data controllers within their jurisdiction.

The final duty is to travel the globe, speaking to international conferences on any subject that can be associated with data protection. Most senior representatives from the Commission, and from other national data protection regulators, could carry out this task.  They’re only speaking opportunities, after all.

A decision to abolish the Office of the EDPS would send a powerful message to European citizens. It would demonstrate that the European Commission is determined to make significant budgetary savings, and that it is prepared to defer competencies to Member States, rather than create more competencies for itself.

It would also get the Commission out of the scandalous mess it has found itself in, by allowing an anonymous inter-institutional EU selection board to announce, just days before the incumbent’s term of office expired, that, after a thorough search, it had found no candidates that are suitably qualified for the role. The announcement has caused a lot of people to be worried that their failed applications will eventually be leaked onto the internet. And, that announcement is bound to scare off other heavyweight players from bothering to apply. Being rejected by an anonymous selection panel is not what many people would be happy to be known for.

The best way to ensure that no strong willed EDPS is ever appointed is to abolish the post and share out the responsibilities between a much larger group of individuals. Who really wants to hear the EDPS drone on about the threats of drones, driverless cars, cybercrime, wearable technologies, children and on-line identity, the intellectual property of 3D printed objects and the potential of a Balkanised internet? Baroness Martha Lane Fox is much more entertaining on that sort of stuff.

If the above suggestion is adopted, please may I have my EU “bright idea” fee paid to me in Bitcoins. Not in Euros, thank you very much."

.

Wednesday, 15 January 2014

A suitable retirement gift for the EDPS

The Crouch End Chapter of the Institute of Data Protection held a fractious meeting a few nights ago.

What retirement gift could be presented to the outgoing European Data Protection Supervisor, as a token of the esteem in which he has been held for oh, so many years?

Or, as another wag put it, what useless but expensive trinket might do the trick?

There was much debate about whether any gift was appropriate, given his contribution to the simplification of data protection rules, and the fact that it’s only been 2 months since he received his last award, which came from the Confederation of European Data Protection Organisations.  Eventually, the majority opinion was that he might appreciate a silver computer mouse, with hallmarks from the London Assay Office, and preferably one that would actually work with a really old computer.

Well, lo and behold, passing a London jeweller’s today, I saw just the object (pictured).

All we need to do now is to raise the necessary funds. It’s a snip at £450. But the pockets of the members of the Crouch End Chapter of the Institute of Data Protection are not bottomless, and I still need to raise a bit more money.  Actually, I need to raise another £447 to meet the target.

So, if there are individuals deep in cyberspace who are so inclined, I would be grateful if they might get in touch in the usual manner and pledge their donation. No monies will be asked for until it is absolutely clear that, collectively, donors have pledged this outstanding £447.

If the funds are forthcoming, I’ll arrange for it to be presented to him at the Computers Privacy & Data Protection Conference in Brussels next week. If I can’t raise the funds by then, I’ll tell him where he can go to buy it himself.


Friday, 10 January 2014

The EDPS appointment calamity: latest news


More gossip about the chaos that surrounds the non-appointment of the next European Data Protection Supervisor is emerging.

Last July, just as everyone was packing up for their August holidays, the European Commission sneaked out the EDPS job advert with so little fanfare that I don’t recall any seasoned data protection observers commenting on it. None of the sociopaths and misfits that did apply were considered to have had the qualities necessary for the job, and evidently the search is still on.

It has been authoritatively reported that applications from two currently serving data protection regulators within EU member states were rejected. If anyone knows who they are, please let me know! I’ll keep the secret to my closest friends – honest.

Anyway, in light of the chaos, some bods within the Commission are frantically searching to see if anyone has any emergency powers to invest sufficient authority in the current Supervisor, Peter Hustinx, to allow him to continue until it is convenient for the Commission to appoint anyone else. The trouble is, no-one may actually have the legal authority to insist that Peter continues in his office, and if his extension does lack legal authority, any decisions he makes could have as much legitimacy as if they were made by the milk monitor at my local school.

In an attempt to be constructive, I’ve already offered my services as interim European Data Protection Supervisor.

In another attempt to be constructive, I’ve had a look at the EDPS application form and today offer a revised version, which might attract a more suitable range of candidates for the [opaque, but apparently independent] selection board to consider:

2014 EDPS APPLICASON FORM


Whatsa u name:

U age:

Stritta name:

U ouse numba:

Isa u girl or boy? (Justte chuza one):

Putta down were u werka now:

Wasa u ever inna bigga job?        [ ]Si    [ ] No

Why u gotta fired from dat bigga job?
            [ ] U gotta cought makin friends with some guyz at Google?
            [ ] U tooka pictures at a bunga bunga party?
            [ ] U din’t show enuf rezpecct for Vivien, the Main Mudda?


Ow muccha u ate dem guyz at Goodle, Facebook, Microsoft an Apple?
                [ ] Not as much as Vivien ates em
                [ ] More than Vivien ates em

Why U wanna be de bigga shotza somewday?
(writta letta between 5 – 10 pajis tellin us why)

U likka eat ...
Garlic     [ ]Si    [ ] No
Pizza      [ ]Si    [ ] No
Salami   [ ]Si    [ ] No


U know ow maker ciment shooz?             [ ]Si    [ ] No

U werra de glassis? [ ]Si    [ ] No

Whatta kinne glassis?
Georgio Armarni              [ ]Si    [ ] No
Prada                               [ ]Si    [ ] No
Google Glassis                  [ ]Si    [ ] No

U see de God Fadda (or justte de movie?)           [ ]Si    [ ] No

Make u marka                   [ ]Si    

Senda de form now (while u stilla can write)


Iffa u application issa approved, u willa getta desa benifts:
· 1 pair darka glassis
· 1 blacka shirt widda white colla
· 1 appy face button
· 1 kilo mozerella cheeza
· 1 pair ciment shooz
· 1 pair pointie shooz
· 50 boyz to do da stuff
· Worldwide firsta class travel for u an de boyz
· U meeta de God Fadda
· Free berial
· 18 x 10 picha Vivien Reddin

De European Commission is an equil oppertuniti organnnisationi



Sources:
I also gratefully acknowledge the inspiration from http://www.funofun.com/mafia.htm


Wednesday, 8 January 2014

Another calamity for the European Commission


The European Commission’s data protection spin doctors must be weeping in frustration.

Last year, they were all working hard to reassure everyone that the wheels had not come off the “Data Protection Regulation wagon”, and that legislation would most definitely be in place before the European Parliamentary elections later this summer.  Last month’s meeting of the Justice & Home Affairs Council indicated how the legislative proposals were unravelling, and put paid to the fantasy that an agreement would be in place by this summer. My blog of 11 December 2013 has more details.

What else could go wrong?

Well, yesterday, another issue emerged which again questions how deeply committed the European Commission is to all this data protection malarkey. It’s about the next European Data Protection Supervisor and his assistant.

First, a bit of background. A couple of years ago, the EDPS was viewed by the European Commission as a job that was so important that the jobholder must either also be Chair of the European Data Protection Board (the reconstituted Article 29 Working Party), or be elected as one of the two Deputy Chairpersons.

That proposal didn’t go down too well with the other Data Protection Commissioners, nor anyone else who felt that a bit more democracy might be in order within the European Data Protection Board. Others were envious of the ability of his office to grow in size so quickly – from a man+dog a decade ago to some 50 officials today. A number of Data Protection Commissioners would dearly love to have that level of resources within their own countries.

Conspiracy theorists will have a field day asking whether the EDPS has recently been cut down to size, as it has emerged that there is no-one to replace the Supervisor, or his deputy, when their term of office officially ends next week.

Both are appointed by the European Parliament and the Council for a term of 5 years on the basis of a list drawn up by the Commission following a public call for candidates. I’m not aware that this public call for either post has yet been made, and it is likely that there will be a long delay before the new bod gets the nod.

So, will the office of the EDPS be leaderless for a period – and more importantly, will anyone notice?

The (soon-to-be former) EDPS is billed to speak at the Computers, Privacy & Data Protection conference at the end of the month (see yesterday’s blog). But whether he’ll bother turning up, given how his post has been treated, is a moot point. I’ll let you know.

I am available if an interim European Data Protection Supervisor is required from next week. I must admit that I’m not as wedded to the Data Protection Directive as the incumbent has been over the past few years. I prefer a more pragmatic approach. Nor, for obvious reasons, do I have a friendly relationship with the Data Protection Taliban. But I am an entertaining conference speaker, and am happy to cross the globe to earnestly debate issues that require addressing at such international events.