<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7520012275893137285</id><updated>2012-02-15T11:29:15.250-08:00</updated><title type='text'>Data Protector</title><subtitle type='html'></subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://dataprotector.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default?start-index=101&amp;max-results=100'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>319</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-9152382920340453624</id><published>2012-02-15T11:19:00.001-08:00</published><updated>2012-02-15T11:29:15.258-08:00</updated><title type='text'>Overcoming LinkedIn spam</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a 
href="http://1.bp.blogspot.com/-wa2wtDiP9A8/TzwDd62v3GI/AAAAAAAAAys/QtOcOHgLdiQ/s1600/120130%2B-%2Blinkedin-logo%255B1%255D.png" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="90" width="320" src="http://1.bp.blogspot.com/-wa2wtDiP9A8/TzwDd62v3GI/AAAAAAAAAys/QtOcOHgLdiQ/s320/120130%2B-%2Blinkedin-logo%255B1%255D.png" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Perhaps it was just down to the fact that it was &lt;b&gt;St Valentine’s Day&lt;i&gt;&lt;/i&gt;&lt;/b&gt; yesterday. I’m not quite sure of the reason. But it does appear that some miscreants have been busy on the &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; site, and have been sending unsolicited commercial emails, promoting the Canadian Family Pharmacy. &lt;br /&gt;&lt;br /&gt;No, &lt;b&gt;Connor Ross&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, I wasn’t that interested in your email, sent last Friday. Nor, for that matter, was I interested in &lt;b&gt;Linda Spencer’s&lt;i&gt;&lt;/i&gt;&lt;/b&gt; email sent the day before, which told me all about how to order Viagra, Viagra Super Active+, Viagra Professional, and even Viagra Super Force from the &lt;b&gt;Canadian Family Pharmacy.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; I didn’t realise that Viagra had so many variants.&lt;br /&gt;&lt;br /&gt;I’m sure that, by now, the ever efficient &lt;b&gt;Information and Privacy Commissioner of Ontario, Dr Ann Cavoukian&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, has received a few complaints about this outfit and is well onto the case. It’s a shame about the geographic distance between them - Google Maps tells me that it’s a good 5 hour drive from her offices in Toronto to the Canadian Family Pharmacy’s registered office in Ottawa. Little chance of her dropping by unannounced, then ...&lt;br /&gt;&lt;br /&gt;What did occur to me, though, was how remarkably few spam emails seem to find their way to me through the &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; network. 
I’m absolutely not complaining at this – far from it – and I won’t be asking any searching questions about just how &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; manage to identify and trap messages that might potentially be spam. I’m just grateful for whatever it is they do, and I wouldn’t want some privacy wonk embarking on some campaign or other to outlaw whatever it is that they are doing. Especially if the result was that I received more stuff that was of no (commercial) interest to me.&lt;br /&gt;&lt;br /&gt;I only hope that &lt;b&gt;LinkedIn's&lt;i&gt;&lt;/i&gt;&lt;/b&gt; cunning plans to add more encryption to the messages sent through their network won’t degrade the effectiveness of their spam detection techniques.&lt;br /&gt;&lt;br /&gt;Is there much more that &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; could do to overcome this problem? I’m sure they’re working on ever more clever techniques. After all, in the end, they will have their self-interest at heart, as if they can’t provide professionals with a space which can be used to share stuff which really is of interest, there’s always the danger that we &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; folk will just transfer our business to a more convenient space.&lt;br /&gt;&lt;br /&gt;So, I would hazard a guess that spam will continue to be countered just as fiercely by service providers, who will suffer commercial angst if their customers migrate, as by regulators who hope that miscreants will take note of the restrictions that are being imposed. &lt;br /&gt;&lt;br /&gt;We shouldn’t expect regulators to feel obliged to resolve all the ills in the world. They should allow data controllers the latitude that is required to occasionally act as they see fit. Even if it requires people to be named and shamed, rather than respect their wish to be forgotten. 
And if that necessitates the sharing of personal information of people who have potentially been associated in unlawful (or, occasionally, unsocial) behaviour, then so be it.&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-9152382920340453624?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9152382920340453624'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9152382920340453624'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/overcoming-linkedin-spam.html' title='Overcoming LinkedIn spam'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-wa2wtDiP9A8/TzwDd62v3GI/AAAAAAAAAys/QtOcOHgLdiQ/s72-c/120130%2B-%2Blinkedin-logo%255B1%255D.png' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8688288571219613391</id><published>2012-02-14T10:21:00.001-08:00</published><updated>2012-02-14T10:26:37.243-08:00</updated><title type='text'>Is this the greatest thing to do before a data protection professional dies?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-qwldUr_AZ4A/Tzql8OiFu8I/AAAAAAAAAyg/qyBvbTgT4vc/s1600/photo.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" 
height="240" width="320" src="http://2.bp.blogspot.com/-qwldUr_AZ4A/Tzql8OiFu8I/AAAAAAAAAyg/qyBvbTgT4vc/s320/photo.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;My blogs last month (&lt;b&gt;on 16 &amp; 17 January&lt;i&gt;&lt;i&gt;&lt;/i&gt;&lt;/i&gt;&lt;/b&gt;) listing a series of life-affirming events which may help assess someone's contribution to the data protection world have generated a lot of discussion. Some friends were awfully pleased to have been able to tick off at least half of them. One poor soul hardly managed to get into double figures. But she still has a smile on her face.&lt;br /&gt;&lt;br /&gt;Others took up the challenge I issued on &lt;b&gt;23 January&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, and have provided me with some excellent sets of additional suggestions. It goes to prove my point that we data protection professionals don’t live with some disorder of neural development, with impaired social interaction and communication skills, exhibiting alarming tendencies of restricted and repetitive behaviour. We can talk about things other than data protection.&lt;br /&gt;&lt;br /&gt;Please, I urge, don’t take these lists too seriously. 
Let’s put life, as well as data protection, into perspective.&lt;br /&gt;&lt;br /&gt;And, on this special day, let’s accept that &lt;b&gt;Eden Ahbez&lt;i&gt;&lt;/i&gt;&lt;/b&gt; probably gave us all the best advice, in his poem &lt;b&gt;“Nature Boy”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; written in 1984: &lt;br /&gt;&lt;b&gt;&lt;br /&gt;"The greatest thing you'll ever learn is just to love and be loved in return."&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Happy St Valentine’s day.&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8688288571219613391?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8688288571219613391'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8688288571219613391'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/is-this-greatest-thing-to-do-before.html' title='Is this the greatest thing to do before a data protection professional dies?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-qwldUr_AZ4A/Tzql8OiFu8I/AAAAAAAAAyg/qyBvbTgT4vc/s72-c/photo.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-792267716261270989</id><published>2012-02-13T13:30:00.000-08:00</published><updated>2012-02-15T11:21:43.908-08:00</updated><title type='text'>Should the Commission, or should Member States, protect 
our fundamental rights?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-kBtno-YxWCE/TzmACKK7h0I/AAAAAAAAAyU/cLhIfOS_rpc/s1600/120213%2B-%2BCourt%2Bof%2Bhuman%2Brights.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="240" width="320" src="http://3.bp.blogspot.com/-kBtno-YxWCE/TzmACKK7h0I/AAAAAAAAAyU/cLhIfOS_rpc/s320/120213%2B-%2BCourt%2Bof%2Bhuman%2Brights.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Another group of some of England’s data protection finest gathered at the London offices of &lt;b&gt;Field Fisher Waterhouse&lt;i&gt;&lt;/i&gt;&lt;/b&gt; today to share a few more insights about “that Regulation” and to raise a toast to those wonderful bods at the European Commission. Yes, it really appeared to be true. We data protection professionals (once suitably accredited) really will have careers for life. We can almost name our salaries, too. Woe betide any large data controller that fails to hire an independent Data Protection Officer, protected from dismissal, on a 2 year contract. If a regulator gets to hear about such an omission, the controller could face a fine of a million Euros. That is an awful lot of money. So, a Data Protection Officer needs to be suitably paid to help the controller avoid grotesque fines for minor indiscretions.&lt;br /&gt;&lt;br /&gt;Not only that, but the rules that the Data Protection Officers will be accountable for upholding could be so desperately complicated that only the very finest legal minds in the country will be capable of giving quality advice to the data controllers. So there’s going to be no significant push back from our learned friends at this initiative, I suspect. 
In these days of economic austerity, fee earners just love initiatives like this.&lt;br /&gt;&lt;br /&gt;The mighty &lt;b&gt;Eduardo Ustaran&lt;i&gt;&lt;/i&gt;&lt;/b&gt; chaired a panel of distinguished speakers, many of whom assured those of us in the audience that there was still an awful lot to play for before the Regulation would become a reality. Was a uniform, prescriptive approach to the problems that had been identified actually too ambitious, given the political circumstances that the European Commission finds itself dealing with today? &lt;br /&gt;&lt;br /&gt;I pondered that question as today’s events unfolded.&lt;br /&gt;&lt;br /&gt;A Commission official offered some very interesting insights into the workings of his organisation, and we had a glimpse into the Commission’s vision for the future. Let’s be quite clear about this. The Commission is promoting societal change. We are in the midst of a digital revolution, and so it’s vitally important that, just as the Commission promotes digital growth, citizens’ fundamental rights are also properly protected. And, it is the Commission’s view (on the record) that the current Regulation is sufficiently balanced between the rights of individuals and of data controllers.&lt;br /&gt;&lt;br /&gt;What I had not fully understood until tonight was that &lt;b&gt;this is actually the first time that the Commission has proposed a Regulation as a means of safeguarding an issue as sensitive and as significant as citizens’ fundamental rights.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; So, these days, fundamental rights are apparently too important to be left to the discretion of Member States. 
No, to prevent the Member States from “getting it wrong”, as it were, Europe’s citizens are to be better protected by being regulated directly from the centre.&lt;br /&gt;&lt;br /&gt;That sort of language is likely to be used these days in many ways by people whose interests are not simply of the data protection kind, but also of the “Subsidiarity” and the “Nation State” kind. We’ve only too recently seen reports of unrest in Greece because Greek citizens were wary of what they perceive as a shift of political and economic control from the Greek State to European institutions. &lt;br /&gt;&lt;br /&gt;Will such sentiments be expressed in other Member States when citizens realise that their “data protection” controls are being tweaked to reflect more readily the needs of some central co-ordinating authority? I’ve already detected differences of view from some regulators as to the desirability of the Commission reserving so many rights to impose a common interpretation about so many key issues above the heads of local regulators. &lt;br /&gt;&lt;br /&gt;But, there’s nothing much to worry about. At least, not yet. A few members of the awkward squad gathered in the corner of the conference suite during the drinks session after the proceedings, and wondered about the chances, in reality, of some central co-ordinating authority emerging.&lt;br /&gt;&lt;br /&gt;Let’s be honest, some murmured to themselves. Sometimes, the only people who find it harder than solicitors to come to an agreement, following a dispute, are regulators. Ironically, both are supposed to have skills that are highly honed in conflict resolution, but the truth can sometimes be very different. They can express firmly entrenched views, too. Will we ever see a love-in at a meeting of all the members of the &lt;b&gt;European Data Protection Board&lt;i&gt;&lt;/i&gt;&lt;/b&gt;? &lt;br /&gt;&lt;br /&gt;Perhaps – should I ever get appointed to that august body, that is. 
But I’m not counting on it.&lt;br /&gt;&lt;br /&gt;I will end this posting by pointing out that the attendees – and the speakers – were all desperately keen to achieve an outcome that truly was fit for purpose. We’re all digital citizens, these days, and we all have a self interest in trying to get things right. But, of course, getting things as right as we can at a cost that can be afforded by most. We are in the business of risk management, not risk elimination. No responsible data controller wants to find that the reduction of administrative burdens in terms of notification, etc, is simply replaced by a disproportionate amount of other forms of gold plating and internal form filling and retrospection. This is especially the case given that so much of the real digital economy will increasingly operate on an internet beyond the political, legal and administrative control of the European Commission. &lt;br /&gt;&lt;br /&gt;I will also end this posting by pointing out that almost no blood was spilt on the (freshly laid) carpet in &lt;b&gt;Field Fisher Waterhouse’s&lt;i&gt;&lt;/i&gt;&lt;/b&gt; new conference suite this evening. 
The only blood that was spilt was my own – I had a nosebleed - but that was due to a sudden rush of blood to my head, rather than being assaulted by a speaker – or by a fellow attendee.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Image credit:&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;European Court of Human Rights&lt;br /&gt;http://2.bp.blogspot.com/_n84njjq9AC4/TQpUDpWXrtI/AAAAAAAAAGg/7VYI1sjfbRU/s1600/eur%252520court%252520human%252520rights.jpg&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-792267716261270989?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/792267716261270989'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/792267716261270989'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/should-commission-or-member-states.html' title='Should the Commission, or should Member States, protect our fundamental rights?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-kBtno-YxWCE/TzmACKK7h0I/AAAAAAAAAyU/cLhIfOS_rpc/s72-c/120213%2B-%2BCourt%2Bof%2Bhuman%2Brights.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7292193360475887730</id><published>2012-02-12T12:07:00.000-08:00</published><updated>2012-02-12T12:10:07.840-08:00</updated><title type='text'>Wanted: volunteers to blog about their own data 
protection certification experiences</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-TtwKpzQnJFw/TzgbjVTTnGI/AAAAAAAAAyI/xVxf9DddH_U/s1600/120210%2B-benn-l%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="230" src="http://3.bp.blogspot.com/-TtwKpzQnJFw/TzgbjVTTnGI/AAAAAAAAAyI/xVxf9DddH_U/s320/120210%2B-benn-l%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I’ve already received some encouraging emails following yesterday’s announcement that I’m about to start my studies which should lead to the &lt;b&gt;ISEB certification in data protection&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. One person was keen to point out, though, that it’s not only &lt;b&gt;&lt;i&gt;Amberhawk&lt;/i&gt;&lt;i&gt;&lt;/i&gt;&lt;/b&gt; who are offering training courses for the qualification, and that readers of this blog may be keen to hear the experiences of candidates who have their ISEB training  delivered by other providers.&lt;br /&gt;&lt;br /&gt;So, if you have just enrolled on a programme which will be delivered by a provider other than &lt;i&gt;&lt;b&gt;Amberhawk&lt;/b&gt;&lt;/i&gt;, and you fancy getting in touch and sharing your ISEB experiences with me, then please feel free to do so. You know where to find me. &lt;b&gt;Dataprotectorblog@gmail.com.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; My only aim is to encourage a wider discussion of the actual value and practical experience of obtaining privacy qualifications. &lt;br /&gt;&lt;br /&gt;And, if you would prefer me to publish your comments on an anonymous basis, I could be very happy with that arrangement, too.&lt;br /&gt;&lt;br /&gt;Happy learning! 
&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7292193360475887730?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7292193360475887730'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7292193360475887730'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/wanted-volunteers-to-blog-about-their.html' title='Wanted: volunteers to blog about their own data protection certification experiences'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-TtwKpzQnJFw/TzgbjVTTnGI/AAAAAAAAAyI/xVxf9DddH_U/s72-c/120210%2B-benn-l%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-9123392395277025676</id><published>2012-02-11T03:35:00.000-08:00</published><updated>2012-02-11T03:40:36.941-08:00</updated><title type='text'>What privacy qualifications are worth having, these days?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-4LpyVdGfiJU/TzZSLUPCTVI/AAAAAAAAAx8/zc3IbH4_kk8/s1600/120210%2B-benn-l%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="230" 
src="http://4.bp.blogspot.com/-4LpyVdGfiJU/TzZSLUPCTVI/AAAAAAAAAx8/zc3IbH4_kk8/s320/120210%2B-benn-l%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Given the changes that are anticipated in the European privacy rules in the next few years, some friends have been asking themselves whether there’s much point in obtaining a privacy certification right now. Is there really that much point in achieving an accreditation about a body of knowledge that shortly could change quite radically?&lt;br /&gt;&lt;br /&gt;My response to such questions has been to argue that there’s no point in putting off that fateful time when a formal privacy certification is obtained, because hardly anyone (outside the accredited parties) actually knows what body of information it was essential to master before the accreditation was awarded. So, it probably won’t matter if the privacy rules change soon, because not that many people know how relevant the current certification schemes are.&lt;br /&gt;&lt;br /&gt;I speak as someone who is not yet formally accredited, so I don’t really know how hard you need to study to obtain them, nor how relevant they really are to a data protection professional, either. Sure, they appear to impress the HR professionals, who like sifting potential applicants in terms of their formal knowledge base, but what practical use are they once a data protection professional actually sets out to do their day job? Does an HR professional favour an individual with 5 years’ data protection experience and a professional qualification over someone with, say, 20 years’ data protection experience but with no formal qualification?&lt;br /&gt;&lt;br /&gt;Well, I’ve decided to find out. 
I’m about to seek two types of accreditation, so that I can compare them and offer some views on their relative merits.&lt;br /&gt;&lt;br /&gt;The first type is the traditional approach, and I’ve enrolled on a series of courses that will lead to the &lt;b&gt;ISEB qualification&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Between February and April I’ll be studying under the careful eyes of &lt;b&gt;Sue Cullen and Chris Pounder of Amberhawk&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. And I do hope I won’t let them (or me) down.  Having paid for the course myself, I’m committed to completing the coursework immediately after each of the 5 modules, to reinforce the day’s learning. I’m also committed to completing a series of set written assignments, and to attend a mock exam to refresh my experience of exam conditions. With a study commitment of, say, 60 hours, I’m hoping that I’ll pass first time, and I’ll then be able to blog more authoritatively about its value. &lt;br /&gt;&lt;br /&gt;The second type is the approach recently introduced by the &lt;b&gt;International Association of Privacy Professionals&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, which will give me a &lt;b&gt;CIPP/E privacy certification&lt;i&gt;&lt;/i&gt;&lt;/b&gt; once I’ve passed the basic Foundation Course, and subsequently the European component.  The foundation course looks at the common principles and general approaches to privacy, information security and on-line privacy.  The European component will require me to demonstrate a deeper knowledge of pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. I have to read a course book to acquire the relevant information, and can take an (optional) intensive refresher training session before the computer-based multiple choice exam occurs. 
I will be expected to have to demonstrate knowledge of laws in a variety of EU Member States, even if I work for a data controller whose operations are focused on just one EU Member State.&lt;br /&gt;&lt;br /&gt;And that’s about as much as I know about these professional qualifications, so far. What I am keen to find out (and subsequently blog about) is whether I learn much from the training, whether the knowledge helps me in my daily job, and whether the accreditation is appreciated, either by my peers or by potential employers.&lt;br /&gt;&lt;br /&gt;I have no pre-set agenda, here. I don’t know how useful I’ll find these different certification courses to be. But I will try to share my experiences, however good or awful. Will I blog about disproportionate hope, followed by raging despair? Or, will there be a happy ending? Time will tell.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Sources:&lt;/i&gt;&lt;br /&gt;http://amberhawk.com/training.asp&lt;br /&gt;https://www.privacyassociation.org/certification/cipp_certification_programs/cipp_e&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-9123392395277025676?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9123392395277025676'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9123392395277025676'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/what-privacy-qualifications-are-worth.html' title='What privacy qualifications are worth having, these days?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-4LpyVdGfiJU/TzZSLUPCTVI/AAAAAAAAAx8/zc3IbH4_kk8/s72-c/120210%2B-benn-l%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-297084527603829474</id><published>2012-02-09T14:52:00.000-08:00</published><updated>2012-02-09T16:02:40.709-08:00</updated><title type='text'>Maybe it’s because I’m not American</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-FNBW-8clUXU/TzRNwQtlgLI/AAAAAAAAAxw/29tvBif7rQY/s1600/120209%2B-%2Bpearly_kings_back%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="246" width="320" src="http://1.bp.blogspot.com/-FNBW-8clUXU/TzRNwQtlgLI/AAAAAAAAAxw/29tvBif7rQY/s320/120209%2B-%2Bpearly_kings_back%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I was invited to a really interesting lunch recently to talk tactics about the draft regulation. The hosts were desperately keen to ensure that the European Commission really understood their reservations about the recently published draft. But they were afraid. Very afraid, actually. And what they were really afraid of was that they thought the Commission officials would dismiss their views out of hand, simply because of who they were. Not because of the strength of their arguments, but purely because of who they were. &lt;br /&gt;&lt;br /&gt;And who were they? They were a bunch of Americans.&lt;br /&gt;&lt;br /&gt;Ouch. Has it really come to this? That some folk fear that the European Commission is still capable of creating non-tariff trade barriers that discriminate on the grounds of someone’s race (or place of establishment)? Is someone wrong “just because” they are of American origin? 
Or can they be wrong “just because” their arguments don’t stack up?&lt;br /&gt;&lt;br /&gt;These people wanted help. They wanted to know how their arguments could be presented to Commission officials in a manner that would not instantly be dismissed.&lt;br /&gt;&lt;br /&gt;My initial reaction was to tell them that they were lunching the wrong person if they wanted advice on Commission etiquette. I don’t stalk those circles of power as frequently as I should. Not yet, anyway. My social skills aren’t sufficiently tuned to pick up the different types of body language that are used by the officials in Brussels. My emotional intelligence has been honed to a level which gives me confidence to communicate with colleagues who prowl around the corridors of Westminster and Whitehall.&lt;br /&gt;&lt;br /&gt;I can speak the political language of my mother country, but I can’t be certain that I’m always sending out the right signals when dealing with friends from Spain, Hungary, and Italy. I just haven’t had enough time to immerse myself in their cultures. I don’t know that I will always be communicating with them in a way they need to be communicated to. I can trust myself when I’m engaging with German, Dutch and Austrian officials, but this European Commission embraces people from an extremely wide range of cultures – and new cultural norms have to be learnt. &lt;br /&gt;&lt;br /&gt;If anyone knows of a website which, rather than translating words, translates European etiquette, please let me know. I want a "diplomatic body language" version of &lt;b&gt;Babelfish&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.&lt;br /&gt;&lt;br /&gt;The lunch caused me to think carefully about how I should engage with the Commission officials, if I am to be given the privilege of trying to work with them to help ensure that the draft Regulation meets the lofty ambitions so many expect of it. &lt;br /&gt;&lt;br /&gt;I also thought to myself, poor them. 
How will they attune their ears (and eyes) so they can appreciate the message that is intended to be communicated, if the words and phrases that are used to express the intention are so alien to their own senses?&lt;br /&gt;&lt;br /&gt;We’ve all got a great learning curve to go on, here. &lt;br /&gt;&lt;br /&gt;I ended the lunch by explaining that I had given considerable thought to the points that had been raised  by my hosts, and that it would only be right if I were to reflect for a couple of weeks on what they had asked, and then let them host another lunch, during which I could offer some considered views. I’m so glad they liked this suggestion – as it will give me an opportunity to try the rabbit next time, rather than the (excellent) fish.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Image credit:&lt;/i&gt;&lt;br /&gt;http://blog.visitlondon.com/wp-content/uploads/2010/02/pearly_kings_back.jpg&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-297084527603829474?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/297084527603829474'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/297084527603829474'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/maybe-its-because-im-not-american.html' title='Maybe it’s because I’m not American'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://1.bp.blogspot.com/-FNBW-8clUXU/TzRNwQtlgLI/AAAAAAAAAxw/29tvBif7rQY/s72-c/120209%2B-%2Bpearly_kings_back%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7590794412782027379</id><published>2012-02-08T13:45:00.000-08:00</published><updated>2012-02-08T14:04:52.409-08:00</updated><title type='text'>That regulation ... and the next steps</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-7Ts802wuuD4/TzLr7__U6VI/AAAAAAAAAxY/zepbUGai7tU/s1600/120208%2B-%2BSteps%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="282" src="http://4.bp.blogspot.com/-7Ts802wuuD4/TzLr7__U6VI/AAAAAAAAAxY/zepbUGai7tU/s320/120208%2B-%2BSteps%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Some of the finest data protection minds in the country (and around Europe) have completed their first review of the draft Regulation. And a series of on (and off) the record briefings have commenced, where the usual suspects are sharing their thoughts about what might have been intended by those who drafted the text which was published last month, and on what is likely to happen next.&lt;br /&gt;&lt;br /&gt;I do like attending these briefing sessions (when I can), as it reminds me what a rich amount of material we all have to work with over the next few years. Every speaker I’ve heard has had some extremely interesting insights to make, and all have presented slightly different reactions to (and interpretations of) the proposals. Next week, I hope to have the pleasure of attending the &lt;b&gt;Field Fisher Waterhouse&lt;i&gt;&lt;/i&gt;&lt;/b&gt; event, and a couple of less high-profile briefing sessions, too. &lt;br /&gt;&lt;br /&gt;If I were a Commission official responsible for drafting the document, I wouldn’t worry too much. Not yet, anyway. 
Now the identities of the key players who were behind the drafting are known, it’s pretty clear why the principal changes to the Directive we have grown accustomed to since 1995 will be oddly familiar to those who practice &lt;b&gt;German, Belgian, Dutch and Spanish&lt;i&gt;&lt;/i&gt;&lt;/b&gt; data protection law. But I’m not here to make personal attacks or smears about people’s nationalities.&lt;br /&gt;&lt;br /&gt;No, now is the time to roll up our sleeves and work out where to go from here.&lt;br /&gt;&lt;br /&gt;For what it’s worth, I hope that we will make a start by considering the claims that Commissioner Reding has been making recently. A lot of what she has been saying is very encouraging, and we need to make sure that we don’t &lt;b&gt;waste this golden opportunity&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to put right many of the difficulties that have emerged as technology (and customer expectation) evolves.&lt;br /&gt;&lt;br /&gt;It would be wonderful to have a new legal framework that takes account of the realities of cloud computing, and of data controllers that will have a legal existence outside the geographic boundaries of Europe, but a huge influence within. It would be wonderful for the principle of accountability to be launched properly, and for people to be able to do something when significant events occur that result in their confidential information being compromised. It would also be wonderful if bureaucratic burdens that were more designed to ensure that boxes could be ticked following some ritual or other by various sets of officials, could be removed.&lt;br /&gt;&lt;br /&gt;The trick, I’m sure, is going to be trying to ensure that the costs which are imposed by the proposal are outweighed by the benefits that will be realised. And I don’t care in the slightest bit today about the costs that data controllers will face. After all, this proposal will create many more data protection jobs for a very long time. Hurrah! 
Jobs for life – and I’m not kicking that concept.&lt;br /&gt;&lt;br /&gt;No, what I’m much more concerned about is ensuring that the people who will end up meeting these additional costs (ie &lt;b&gt;the great unwashed&lt;i&gt;&lt;/i&gt;&lt;/b&gt;) actually feel that the additional protections which are supposed to be provided to them represent value for money. And, that these protections don’t, perversely, have the effect of stifling innovation, so that people outside Europe actually get to enjoy better services at cheaper costs than those of us in Europe. I really don’t want to design a “fortress Europe” where life is actually much nicer for those outside the fortress than for those trapped within it.&lt;br /&gt;&lt;br /&gt;And this is where I think the &lt;b&gt;Ministry of Justice&lt;i&gt;&lt;/i&gt;&lt;/b&gt; has played a blinder. By urgently calling out for evidence from some of the usual suspects about the costs of compliance with the text as it is now drafted, we all ought to be able to learn a few things when that evidence has been reviewed. It has asked for the evidence by &lt;b&gt;6 March&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, and hopes to publish the results on &lt;b&gt;4 June&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. So, start writing for England, folks!&lt;br /&gt;&lt;br /&gt;But why &lt;b&gt;4 June&lt;i&gt;&lt;/i&gt;&lt;/b&gt;? Well, remember, that day is a Bank Holiday, and it falls during a special four-day Bank Holiday weekend to mark the &lt;b&gt;Queen’s Diamond Jubilee&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. It’s also the day after a specially constructed Royal Barge will lead the grandest river pageant for more than 300 years, featuring 1,000 boats and up to 40,000 people on the River Thames, which is expected to attract more than a million spectators.&lt;br /&gt;&lt;br /&gt;So, what finer present could the Ministry of Justice offer our Monarch on 4 June than a specially bound copy of the results of the call for evidence? 
Come to think of it, if anyone is doing anything in the offices of the Ministry of Justice on 4 June, I’ll be awfully impressed. &lt;br /&gt;&lt;br /&gt;Anyway, back to the plot. &lt;br /&gt;&lt;br /&gt;I understand that the Parliamentary timetable, both in Westminster and in Europe, is a little light at the moment, so there will be some interest in making a start on the Parliamentary scrutiny on the text pretty soon. Actually, well before the river pageant that will mark the Queen’s Diamond Jubilee.  Rooms and flights have evidently been booked for the first session of the consideration of the text by officials. And we know, thanks to the Commission’s timetable, which sets of officials will be responsible for running the meetings over the next few years. For the first half of 2012, meetings will be chaired by the ever so efficient bods from Denmark. Come the summer, they’ll hand over responsibility for steering the discussions to their colleagues from Cyprus. And, if there’s still lots to talk about, the sessions will be steered by the Irish team during the first half of 2013. &lt;br /&gt;&lt;br /&gt;And, as far as the European Parliament is concerned, we know that the LIBE Committee will be taking a keen interest in the text, along with a couple of others who will want to ensure that their views will be fully taken into account.&lt;br /&gt;&lt;br /&gt;So, if the legislative scrutiny is to start soon, I do hope that we will all have sufficient time to get our evidential packages together, so that these lucky scrutineers can fully appreciate the consequences of whatever it is they are scrutinising.&lt;br /&gt;&lt;br /&gt;None of us want this project to fail. But we don’t want this to be a lost opportunity, either.  Let’s see how we might achieve a desirable objective but without having to undergo some bureaucratic form-filling circus that simply crushes the spirit of well-intentioned data protection folk. 
Because as soon as you lose the support of the well-intentioned data protection officers who will be responsible for implementing most of this stuff, the sooner we might as well all pack up and go home. This nascent profession could be snuffed out at birth.&lt;br /&gt;&lt;br /&gt;No self-respecting data protection officer is going to put up with putting themselves through hopeless rituals they don’t believe in. For that, all you need is a jobsworth with a sharp pencil. And you know how innovative that lot can be.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;https://consult.justice.gov.uk/digital-communications/data-protection-proposals-cfe&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Image credit:&lt;/i&gt;&lt;br /&gt;http://www.paragonventures.com/images/Steps.jpg&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7590794412782027379?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7590794412782027379'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7590794412782027379'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/that-regulation-and-next-steps.html' title='That regulation ... 
and the next steps'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-7Ts802wuuD4/TzLr7__U6VI/AAAAAAAAAxY/zepbUGai7tU/s72-c/120208%2B-%2BSteps%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4929661078225993582</id><published>2012-02-06T10:09:00.000-08:00</published><updated>2012-02-08T14:02:43.546-08:00</updated><title type='text'>The big freeze – it’s enough to make me stop learning about data protection</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-YUuHFGCVoeA/TzAXasOQldI/AAAAAAAAAxM/bQ2056xVLCA/s1600/120206%2B-%2Bsnow%2Bburrard-lucas_snow-westmins%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="214" width="320" src="http://1.bp.blogspot.com/-YUuHFGCVoeA/TzAXasOQldI/AAAAAAAAAxM/bQ2056xVLCA/s320/120206%2B-%2Bsnow%2Bburrard-lucas_snow-westmins%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Temperatures are plummeting so fast that I feel very sorry for those who have tried so hard to organise data protection events over the next few days. How many souls will turn into “fair weather supporters”, and decline the invitation to learn more about the subjects of the day?&lt;br /&gt;&lt;br /&gt;I’m facing that dilemma, today. If I travel into central London now, I fear that the journey won’t be the customary experience. 
It will be even worse – and I’m not sure I can stomach that.&lt;br /&gt;&lt;br /&gt;This means that tonight I’ll be forgoing the pleasure of travelling to the &lt;b&gt;Grand Committee Room of the House of Commons&lt;i&gt;&lt;/i&gt;&lt;/b&gt; for a meeting held by the &lt;b&gt;Parliamentary Internet Communications &amp; Technology Forum&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to hear a panel discuss the concept of search neutrality on the internet. I just hope that the speakers &lt;i&gt;&lt;b&gt;Shivaun Raff&lt;/b&gt;&lt;/i&gt; (CEO, Foundem), &lt;i&gt;&lt;b&gt;Alec Muffett&lt;/b&gt;&lt;b&gt;&lt;/b&gt;&lt;/i&gt; (Computer Security specialist, consultant and writer) and &lt;b&gt;Mark Margaretten&lt;i&gt;&lt;/i&gt;&lt;/b&gt; (University of Bedfordshire) make it. Panel Chairman &lt;b&gt;Eric Joyce MP&lt;i&gt;&lt;/i&gt;&lt;/b&gt; will certainly be there. Well he ought to be. After all, it’s his usual place of work.&lt;br /&gt;&lt;br /&gt;Were I not to have attended that session, I expect that I would have been at the &lt;b&gt;Demos&lt;i&gt;&lt;/i&gt;&lt;/b&gt; bash, over at &lt;b&gt;One Bird Cage Walk,&lt;i&gt;&lt;/i&gt;&lt;/b&gt; &lt;b&gt;Westminster&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Why? Because the leading American commentator &lt;b&gt;Michael Lind&lt;i&gt;&lt;/i&gt;&lt;/b&gt; will be talking about the current trends in US politics and economics and his book, &lt;b&gt;The Land of Promise&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, which discusses the 200 year tug of war between American economic philosophies. &lt;b&gt;Penny Mordaunt MP&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, the Guardian's &lt;b&gt;Jonathan Freedland&lt;i&gt;&lt;/i&gt;&lt;/b&gt; and Director of Demos, &lt;i&gt;&lt;b&gt;David Goodhart&lt;/b&gt;&lt;b&gt;&lt;/b&gt;&lt;/i&gt; will also be giving their views on the US in this election year. 
There’s potentially plenty of data protection meat to be had from that session, too.&lt;br /&gt;&lt;br /&gt;And I so hope the weather won’t be too awful tomorrow, as Messrs &lt;b&gt;Hunton &amp; Williams&lt;i&gt;&lt;/i&gt;&lt;/b&gt; will be hosting a morning session on the forthcoming General Data Protection Framework Regulation. And, in the afternoon, Messrs &lt;b&gt;Bird &amp; Bird&lt;i&gt;&lt;/i&gt;&lt;/b&gt; will be hosting a session on ... yes you’ve guessed it ... the forthcoming General Data Protection Framework Regulation. And before that, there’s another special &lt;b&gt;data protection breakfast&lt;i&gt;&lt;/i&gt;&lt;/b&gt; that has been organised somewhere in Mayfair.&lt;br /&gt;&lt;br /&gt;So, what am I to do? And how am I to get my day job done as well as keep up to speed with everything else? This is why I feel I’m living with information overload right now. There is just so much knowledge, so many useful things to know, and I find it so hard to say &lt;i&gt;“Not now, thank you. I’ve over committed myself”&lt;b&gt;&lt;/b&gt;&lt;/i&gt;. I hope I’m not alone – but I would love to hear what other people’s coping mechanisms are. Theirs must surely be better than mine. Come to think of it, I do hope that what's driving my thirst to attend these events really is a genuine thirst for the information I would otherwise have missed out on, rather than some egotistical effort to be seen to attend events everywhere and all the time.&lt;br /&gt;&lt;br /&gt;This is why I feel sorry for the European Commission. Does it really think that, in a revised new world, the &lt;i&gt;&lt;b&gt;great unwashed&lt;/b&gt;&lt;/i&gt; will take a closer interest in the privacy policies and the personal data breach notices that will be sent out? I think not. The more information that is sent, I fear the more people will rebel and just not bother reading it.&lt;br /&gt;&lt;br /&gt;Until recently, a lot of us used to spend a lot of time caring about unwanted marketing messages. 
Soon, I fear we could be wanting to turn off the flow of unwanted service messages too– and quite where that leaves the notion of “notice and consent”, I really don’t know. We can’t allow a rule to be created which requires people to be bothered with stuff they don’t want to have, simply to tick a regulatory box. We have to find a clever way of not bothering those who don’t want to be bothered.&lt;br /&gt;&lt;br /&gt;Enough of my rant. I’ve made my decision for today. I’ll forgo this evening’s data protection education, with the attendant risk of slipping on the icy hills around Crouch End as I return home. Instead, I will focus on attending some of tomorrow’s events (and I’ll even try to deal with some work emails, too...).&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Image credit:&lt;/i&gt;&lt;br /&gt;http://blog.burrard-lucas.com/wp-content/uploads/burrard-lucas_snow-westmins.jpg&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4929661078225993582?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4929661078225993582'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4929661078225993582'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/big-freeze-its-enough-to-make-me-stop.html' title='The big freeze – it’s enough to make me stop learning about data protection'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-YUuHFGCVoeA/TzAXasOQldI/AAAAAAAAAxM/bQ2056xVLCA/s72-c/120206%2B-%2Bsnow%2Bburrard-lucas_snow-westmins%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-623380504689878435</id><published>2012-02-05T09:30:00.001-08:00</published><updated>2012-02-08T14:03:23.399-08:00</updated><title type='text'>Is this the best invitation to a data protection consultation event?</title><content type='html'>.&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-Njj72CuX6Oo/TzLw7-CDv5I/AAAAAAAAAxk/8gdAnPHBvJE/s1600/120208%2Binvite%2Bnew.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="228" width="320" src="http://3.bp.blogspot.com/-Njj72CuX6Oo/TzLw7-CDv5I/AAAAAAAAAxk/8gdAnPHBvJE/s320/120208%2Binvite%2Bnew.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;This is a hint on how to do it just in case anyone has forgotten the proper way of inviting people to data protection consultation events. &lt;br /&gt;&lt;br /&gt;The very best invitations are&lt;br /&gt;• Sent on stiff white card;&lt;br /&gt;• Spell the invitee’s name correctly; and&lt;br /&gt;• Say what’s in it for the invitee as well as for those doing the inviting  &lt;br /&gt;&lt;br /&gt;This has to be one of the greatest invitations to a data protection consultation event, anywhere, ever. In this case, it was an invitation to a session on the retention of communications data – which appears not to be that much of an issue in Blighty, but a bit troublesome elsewhere within the European Community. &lt;br /&gt;&lt;br /&gt;Note the excellent handwriting on the card. And the prestigious venue that had been booked. 
&lt;br /&gt;&lt;br /&gt;Marvel at the way that the Brits do these things – over an invitation to Afternoon Tea, rather than an invite just to some workshop or other.&lt;br /&gt;&lt;br /&gt;Yes, the invitation was sent a few years ago. But manners, like data protection principles, ought to be timeless. But, some of the civil servants responsible for that invitation and that event are still enjoying a glittering career within the Home Office. They do these things ever so well, you know. &lt;br /&gt;&lt;br /&gt;So, now I have a bit of spare time on my hands, I would be delighted to receive some more invites like this, either for afternoon tea or for morning coffee, to discuss any data protection issues that are of particular concern to you. &lt;br /&gt;&lt;br /&gt;Please rest assured that it's not compulsory for me to be sent an invite on stiff white card - an email works just as well, these days. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-623380504689878435?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/623380504689878435'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/623380504689878435'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/is-this-best-invitation-to-data.html' title='Is this the best invitation to a data protection consultation event?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-Njj72CuX6Oo/TzLw7-CDv5I/AAAAAAAAAxk/8gdAnPHBvJE/s72-c/120208%2Binvite%2Bnew.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7757328362208653363</id><published>2012-02-04T03:58:00.000-08:00</published><updated>2012-02-06T10:03:17.053-08:00</updated><title type='text'>Stage 2: Consultations commence on the General Data Protection Framework Regulation</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-eA2byP2nlPQ/Ty0co7PF2nI/AAAAAAAAAw0/EIjTqNV5rJg/s1600/120202%2B-%2BFantasy%2BCampaign%2BMap%2BSmall%255B2%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="304" src="http://4.bp.blogspot.com/-eA2byP2nlPQ/Ty0co7PF2nI/AAAAAAAAAw0/EIjTqNV5rJg/s320/120202%2B-%2BFantasy%2BCampaign%2BMap%2BSmall%255B2%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Somewhere, in a basement hidden deep under the offices of DG Justice, must be a War Room with a special data protection chart. I can imagine a huge wall, upon which is beamed a copy of the proposed General Data Protection Framework Regulation. And by each provision is a coloured spreadsheet indicating how the various sets of stakeholders view each of the proposals, and about the links that are emerging between these stakeholders. That spreadsheet might well compare the views of the regulators, ministers, local politicians, Euro politicians, and perhaps even significant data controllers and significant groups of concerned individuals.&lt;br /&gt;&lt;br /&gt;When you read the current reports of initial reactions, it seems that the signs are already there of different stakeholders disliking different things. Do all Regulators like the concept of “one regulator to regulate them all”? 
&lt;b&gt;Not, from what I’ve heard.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; Is everyone happy that an inflexible Regulation is still absolutely necessary, and that the discretion which has been afforded to the law enforcement agencies as they implement their equivalence measures by means of a Directive is not appropriate for the rest of us? &lt;b&gt;Again, not from what I’ve heard.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; Does personal data breach notification work? &lt;b&gt;Not yet&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Are the sanctions appropriate? &lt;b&gt;You must be joking.&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;So, the next issue we need to address is one of transparency.&lt;br /&gt;&lt;br /&gt;How will the stakeholders really learn about the views of the other stakeholders? I can't keep up with all of the invitations I've had to attend the initial meetings, and I certainly can't maintain a grid of the various diverse opinions that are emerging all by myself. If I were in DG Justice, charged with getting something on the statute book, I would not be encouraging these stakeholders to meet too frequently, just in case they got a bit powerful and threatened to derail the Parliamentary timetable that has initially been sketched out for this initiative.&lt;br /&gt;&lt;br /&gt;And what is it that the stakeholders really want to do?&lt;br /&gt;&lt;br /&gt;I expect that the first thing the stakeholders will be doing is digesting the draft, and they will then reach out and explore the possibility of making alliances with unusual sets of friends in order to achieve what is known in the trade as a &lt;b&gt;blocking minority&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  It’s a matter of ensuring the Commission can’t get sufficient votes to pass my pet hate proposal, as it will need a particular percentage of votes to get it through the Committee. 
And then, what is likely to happen is that various groups of interested parties who can almost get a blocking minority against their pet hate will negotiate an informal liaison with another group, so both groups can achieve their aim to have their pet hate blocked.&lt;br /&gt;&lt;br /&gt;This may be messy, but it’s the stuff of daily politics. Please note – it’s not the stuff of political principle. It’s the stuff of political expediency. No-one will be totally happy with whatever emerges.&lt;br /&gt;&lt;br /&gt;And we should not be so naive as to assume that negotiations will just concern opposition to this measure. We can fully expect various groups of stakeholders to negotiate strategic allegiances across various EU proposals. The Spanish might welcome support from the Slovakian representatives on a point of data protection law so long as they both agreed to oppose an obscure point in a proposed agricultural farming subsidy regulation.&lt;br /&gt;&lt;br /&gt;I really can’t predict the outcome of this stuff yet. It’s much too early. Think I know where my prejudices are, but I’m not sure how many others share them, yet.&lt;br /&gt;&lt;br /&gt;So, the next steps are pretty simple. We all need to talk so that the policy oiks in the DG Justice War Room get to work completing the grid. Then we can see what sort of a state we are in, and assess the chances of creating a draft that is less objectionable.&lt;br /&gt;How will these meetings take place?&lt;br /&gt;&lt;br /&gt;I’m already aware of a range of informal briefing sessions that have been set up by the usual legal firms. I expect the Information Commissioner to refer to the issue at his Data Protection Conference, which he will be holding next month in Manchester. 
The &lt;b&gt;Data Protection Forum’s meeting on 13th March&lt;i&gt;&lt;/i&gt;&lt;/b&gt; in central London is likely to be addressed by representatives of the French and the German Data Protection Officer Associations &lt;b&gt;(AFCDP &amp; the GDD)&lt;i&gt;&lt;/i&gt;&lt;/b&gt; as well as (fingers crossed!) &lt;b&gt;Lord McNally,&lt;i&gt;&lt;/i&gt;&lt;/b&gt; the minister responsible for Data Protection. The Forum also hopes to get a speaker to explain what the proposed changes might mean from the point of view of the regulator (they’re trying to get a former senior ICO official for this one) and there could be an additional surprise guest, too.&lt;br /&gt;&lt;br /&gt;And after we’ve talked, a real difficulty could lie in finding the resources to ensure that the right messages are sent to the politicos and officials who are to be involved in the next round of the negotiations. I’ve got some spare time on my hands now, so would be very happy to help, if anyone wants to ask nicely. &lt;br /&gt;&lt;br /&gt;Somewhere, deep in my archives, I think I have the best invitation to a consultation exercise on a data protection issue that was ever created by a Government Department. 
I’ll dig it out soon, and publish it – with a challenge to anyone else to propose a better invitation.&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7757328362208653363?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7757328362208653363'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7757328362208653363'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/stage-2-consultations-commence-on.html' title='Stage 2: Consultations commence on the General Data Protection Framework Regulation'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-eA2byP2nlPQ/Ty0co7PF2nI/AAAAAAAAAw0/EIjTqNV5rJg/s72-c/120202%2B-%2BFantasy%2BCampaign%2BMap%2BSmall%255B2%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5596610091197476150</id><published>2012-02-02T05:00:00.000-08:00</published><updated>2012-02-02T07:19:01.951-08:00</updated><title type='text'>Smoothing out the lather over LinkedIn</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-DyIljYH-mIQ/TyqHYjk-6ZI/AAAAAAAAAwo/4VlF70A__pA/s1600/120130%2B-%2Blinkedin-logo%255B1%255D.png" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" 
height="90" width="320" src="http://1.bp.blogspot.com/-DyIljYH-mIQ/TyqHYjk-6ZI/AAAAAAAAAwo/4VlF70A__pA/s320/120130%2B-%2Blinkedin-logo%255B1%255D.png" /&gt;&lt;/a&gt;&lt;/div&gt;No sooner than I had posted my blog on the way in which LinkedIn updated their privacy conditions (last Monday) than &lt;b&gt;Eric Heath, LinkedIn’s Director of Legal (product)&lt;i&gt;&lt;/i&gt;&lt;/b&gt; has entered the debate.&lt;br /&gt;&lt;br /&gt;Eric has been keen to emphasise that  &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; takes privacy very seriously: &lt;b&gt;“I want to be clear about LinkedIn’s priorities when it comes to privacy – we take it very seriously. In fact, our core principle is “Members First” and we strive to put members first in everything we do.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Eric has also been keen to reassure those who are concerned about the issue that it is not, actually,  a new issue, and pointed to a blog that was posted last June, announcing the change: &lt;b&gt;“LinkedIn changed its privacy policy last year to address what we call “social advertising.” We also blogged about it in advance: http://blog.linkedin.com/2011/06/10/privacy-policy-changes/.&lt;br /&gt;&lt;br /&gt;Shortly after we started rolling out social advertising, however, our members reacted negatively to our efforts, so, looking to our first principle of putting members first, we listened to the feedback, and rolled back the program. 
Here's the blog post on that: http://blog.linkedin.com/2011/08/11/social-ads-update/&lt;br /&gt;&lt;br /&gt;Regarding the existence of the social advertising setting within the LinkedIn Settings panel – we are working on updating that in the near term.&lt;br /&gt;&lt;br /&gt;Additionally, FYI, this article appeared in the press yesterday via Reuters: http://blogs.reuters.com/mediafile/2012/01/30/linkedin-alert-shows-users-still-on-edge-about-privacy/.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I, personally, have absolutely no problem with what &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; have done.&lt;br /&gt;&lt;br /&gt;What concerns me is if the &lt;b&gt;European Commission&lt;i&gt;&lt;/i&gt;&lt;/b&gt; were to create a new data protection rule that forbade &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; acting as they have done. After all, in my view, they are a perfectly respectable data controller that has made changes which they don’t consider to be against the legitimate interests of their customers, and they have done so after making information about the change available to their customers.&lt;br /&gt;&lt;br /&gt;What many of their customers did not do (including me) is read the material that was published which explained these changes. Why? Presumably, because, like me, they already live in a world of information overload, and they do not have the mental capacity to comprehend the changes that so many controllers make to their privacy policies. And if they don’t have the mental capacity to comprehend so many changes, they certainly won’t be able to “consent” to these changes, given the proposed definition of consent in the draft Regulation. &lt;br /&gt;&lt;br /&gt;The mighty &lt;b&gt;Eduardo Ustaran&lt;i&gt;&lt;/i&gt;&lt;/b&gt; (he of &lt;b&gt;Field Fisher Waterhouse&lt;i&gt;&lt;/i&gt;&lt;/b&gt; fame) is also concerned at the implications of an over reliance on consent as a condition for legitimising data processing. 
We both agree that the harder the Commission pushes on consent, the more devalued it gets.&lt;br /&gt;&lt;br /&gt;So what is to be done, in this ever more complicated world? &lt;br /&gt;&lt;br /&gt;Well, I think it’s time to relax a little, and give responsible data controllers some more slack. We need to balance the legitimate interests of individuals with the legitimate interests of responsible data controllers, who are passionate about providing the best services to their customers. We need to have the confidence to allow data controllers to constantly innovate to improve their offerings to their customers. If the customer doesn’t like it, then they can always blog about it - and very soon their gripe will reach the laptop screens of those who matter. And if the customer really doesn’t like it, they can (generally) find a competing service on the internet.&lt;br /&gt;&lt;br /&gt;The last thing we really want to do is to enter into a negative world, one where it’s easy for people to be fobbed off with an excuse along the lines that they &lt;b&gt;can’t&lt;i&gt;&lt;/i&gt;&lt;/b&gt; have a particular service &lt;b&gt;“because of data protection”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  People are never going to be able to be clever enough to understand everything that happens to their personal data. 
And in the vast majority of instances, this is not a problem as these processes don’t cause harm to the individual.&lt;br /&gt;&lt;br /&gt;Let’s try to create a new data protection instrument where it’s easier for controllers to feel free to innovate, rather than restrict them simply because their customers are insufficiently engaged with them to offer informed consent every time they want to try something a bit new.&lt;br /&gt;&lt;i&gt;&lt;br /&gt;Source:&lt;/i&gt;&lt;br /&gt;Members of LinkedIn’s Privacy Professional Worldwide Group can access Eric Heath’s response at &lt;br /&gt;http://www.linkedin.com/groups?viewMemberFeed=&amp;gid=1048187&amp;memberID=361171&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-5596610091197476150?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5596610091197476150'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5596610091197476150'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/02/smoothing-out-lather-over-linkedin.html' title='Smoothing out the lather over LinkedIn'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-DyIljYH-mIQ/TyqHYjk-6ZI/AAAAAAAAAwo/4VlF70A__pA/s72-c/120130%2B-%2Blinkedin-logo%255B1%255D.png' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7876391765669728657</id><published>2012-01-31T12:06:00.000-08:00</published><updated>2012-01-31T12:10:15.040-08:00</updated><title type='text'>Another day, another data protection referral to the European Court</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-8mhh-ywK7YA/TyhJRnxVnKI/AAAAAAAAAwc/XxoL3ID-LQw/s1600/120131%2B-%2Bsim%2Bcards.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="234" width="320" src="http://2.bp.blogspot.com/-8mhh-ywK7YA/TyhJRnxVnKI/AAAAAAAAAwc/XxoL3ID-LQw/s320/120131%2B-%2Bsim%2Bcards.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;I do hope that Commissioner Reding will be taking notice of the chaos and confusion that is capable of being created when ill-thought through Euro-legislation makes its way through the Parliamentary processes and finally arrives on the Statute Book. &lt;br /&gt;&lt;br /&gt;What’s the story behind this one? Well, it’s all about discussions that went on behind the scenes a decade ago as representatives from each EC Member State argued about what rules should be put in place to permit phone and internet records to be available for law enforcement investigations into serious crime, but in a way that protected the human rights of the phone and internet users.&lt;br /&gt;&lt;br /&gt;The issue could be reduced, following long tedious arguments, to one of ensuring that the most serious law enforcement investigations should not be compromised because the communications records were no longer available.  While that seemed a fine principle to agree about in theory, the principle couldn’t be implemented very easily. Why? Simply because the law enforcement agencies operating in the different Member States had different practices when it came to investigating crime using traffic records. 
In some Member States, the common practice was to rely on 6 months of records. In other Member States, the practice was to use up to 4 years of records. So given the disparity in investigation practices, lots of people got upset when the new rules prohibited the retention of records for more than &lt;b&gt;2 years&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, and ever since they’ve been devising new legal challenges to postpone the enforcement of these rules.  &lt;br /&gt;&lt;br /&gt;If my memory serves me right, the Irish were unhappy because they wanted records to be retained for &lt;b&gt;3 years&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, while the Italians wanted a &lt;b&gt;4 year&lt;i&gt;&lt;/i&gt;&lt;/b&gt; limit. On the other hand, the Germans didn’t care so long as they could get hold of &lt;b&gt;6 months&lt;i&gt;&lt;/i&gt;&lt;/b&gt; of records. Other Member States didn’t really seem to care as, at that time, the law enforcement agencies in those countries didn’t seem to rely on phone or internet records at all.&lt;br /&gt;&lt;br /&gt;And, if my memory serves me right, there was general acceptance that the words used in the draft legislation about the retention of internet records didn’t make any sense – but the point was that the statute had to be approved at that time because the Chairman of the relevant Committee of the Council of Ministers was completing his term of office and if the legislation wasn’t accepted, then the discussions would have to start again from the beginning of the tenure of the next Chairman. I won’t embarrass the Chairman of that Committee by naming him, nor will I point out which Member State had the honour of chairing the discussions and forcing the key decisions. 
(Well, not until someone asks me nicely.)&lt;br /&gt;&lt;br /&gt;Does this approach to drafting legislation sound familiar?&lt;br /&gt;&lt;br /&gt;The upshot of this unholy mess has been another appeal to the European Court on the basis that some people don’t like what’s going on, and they consider that their human rights have been abused. &lt;br /&gt;&lt;br /&gt;And why am I writing about this now?&lt;br /&gt;&lt;br /&gt;Because the more I read the European Commission’s proposals for a General Data Protection Regulation, the more convinced I am that the target that the Commission set itself was one focussed on the calendar, rather than common sense. I’m convinced that the Commission was so keen to launch “something” on 25 January that the “thing” was, to a large extent, immaterial. &lt;br /&gt;&lt;br /&gt;Perhaps that was what was meant by Commissioner Reding’s introductory remarks last week:&lt;b&gt; “Ladies and Gentlemen, we have done it”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. &lt;br /&gt;&lt;br /&gt;We will now spend the following months and years working out in detail what really is appropriate to meet the changing needs of our times.&lt;br /&gt;&lt;br /&gt;I only trust we have time to undo the stupid bits and get it right before some other parliamentary timetable forces the pace, and we are left with a text that so many of us know is still not fit for purpose.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;http://www.thejournal.ie/ecj-asked-to-rule-on-mandatory-retention-of-phone-and-internet-data-339434-Jan2012/&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7876391765669728657?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7876391765669728657'/><link rel='self' 
type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7876391765669728657'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/another-day-another-data-protection.html' title='Another day, another data protection referral to the European Court'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-8mhh-ywK7YA/TyhJRnxVnKI/AAAAAAAAAwc/XxoL3ID-LQw/s72-c/120131%2B-%2Bsim%2Bcards.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4011680157521466007</id><published>2012-01-30T10:41:00.000-08:00</published><updated>2012-01-30T10:50:43.881-08:00</updated><title type='text'>Getting into a lather over LinkedIn?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-tq3hWSPhHZ0/TybjXyPCFXI/AAAAAAAAAwQ/kCWo7syjOss/s1600/120130%2B-%2Blinkedin-logo%255B1%255D.png" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="90" width="320" src="http://2.bp.blogspot.com/-tq3hWSPhHZ0/TybjXyPCFXI/AAAAAAAAAwQ/kCWo7syjOss/s320/120130%2B-%2Blinkedin-logo%255B1%255D.png" /&gt;&lt;/a&gt;&lt;/div&gt;We data protection folk can be so busy worrying about other people’s privacy that we totally forget to think about our own.&lt;br /&gt;&lt;br /&gt;Who, for example (in their right minds) actually reads the &lt;b&gt;“we have changed our privacy policy”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; blurb which is spewed out each time a data controller changes their practices? 
And how do we know if we’ve missed anything serious?&lt;br /&gt;&lt;br /&gt;This is where the blogosphere, with its notorious internal networks of friends and colleagues, can really shine. What concerns one person can very quickly concern lots of other people.&lt;br /&gt;&lt;br /&gt;Today, for example, I was sent an email from the ever vigilant (and oh so brilliant) &lt;b&gt;Pascale Gelly&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, pointing out that &lt;b&gt;“Without attracting too much publicity, LinkedIn has updated their privacy conditions. Without any action from your side, LinkedIn is now permitted to use your name and picture in any of their advertisements.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Whoops, I missed that one. On the other hand, if my name and picture sells sufficient quantities of dog food, or whatever else I am supposed to be endorsing, is this really such an invasion of my privacy?  I do try to take care when I am on line, and I do what I can to obscure my digital vapour trails whenever my cursor &lt;i&gt;accidentally&lt;/i&gt; clicks on a site that some folk might find alarming (or amusing).&lt;br /&gt;&lt;br /&gt;But then again, I thought to myself, I can’t make myself aware of everything that happens around and about me. My life is too full already. I can’t take any more in.  My mind already hurts (and plays tricks on me). The last thing I really want to do is spend more time in front of a screen, reading about data protection stuff. I do this for a living. Surely, I don’t have to do it as a private citizen too, do I? I shrug my shoulders with mock despair. 
After all, if we can’t be bothered to do it ourselves, and we actually know about the consequences of remaining digitally vigilant, then the great unwashed has no chance at all of keeping up to speed with things that data controllers think matters.&lt;br /&gt;&lt;br /&gt;Accordingly, based on my own personal experience, I really don’t think that the European Commission’s cunning plan of encouraging European citizens to &lt;b&gt;consent&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to more stuff is going to work. They can’t consent to what they can’t understand or can’t be bothered to read, or simply don’t have the time to read.  It’s a brilliant example of a policy initiative that looks great in theory and turns out to be unworkable in practice.&lt;br /&gt;&lt;br /&gt;So perhaps we need not blame &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. &lt;br /&gt;&lt;br /&gt;Perhaps I can offer &lt;b&gt;LinkedIn&lt;i&gt;&lt;/i&gt;&lt;/b&gt; a special deal. Can I be a celebrity ambassador, and be paid decent money to have my image associated with products and services that the producers of those products and services will want me to be associated with?&lt;br /&gt;&lt;br /&gt;Anyway, for those among us (not me) who wish to opt out of this new LinkedIn practice, Pascale tells me that all that needs to be done is:&lt;br /&gt;&lt;b&gt;&lt;br /&gt;• Place the cursor on your name at the top right corner of the screen. 
From the small pull down menu that appears, select "settings" &lt;br /&gt;• Then click "Account" on the left/bottom &lt;br /&gt;• In the column next to Account, select the option "Manage Social Advertising" &lt;br /&gt;• Finally un-tick the box "LinkedIn may use my name and photo in social advertising" &lt;br /&gt;• and Save &lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;With thanks to the amazing Pascale Gelly for the news&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4011680157521466007?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4011680157521466007'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4011680157521466007'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/in-lather-over-linkedin.html' title='Getting into a lather over LinkedIn?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-tq3hWSPhHZ0/TybjXyPCFXI/AAAAAAAAAwQ/kCWo7syjOss/s72-c/120130%2B-%2Blinkedin-logo%255B1%255D.png' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3213977947126411118</id><published>2012-01-28T04:42:00.000-08:00</published><updated>2012-01-28T04:52:08.386-08:00</updated><title type='text'>One policy, one Google experience</title><content type='html'>&lt;div 
class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-7XacxuY2GR0/TyPsZw95DEI/AAAAAAAAAwE/JXId16Melkg/s1600/120128%2B-%2Bdp%2Bday.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="216" width="320" src="http://2.bp.blogspot.com/-7XacxuY2GR0/TyPsZw95DEI/AAAAAAAAAwE/JXId16Melkg/s320/120128%2B-%2Bdp%2Bday.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;Happy International Data Protection Day!&lt;br /&gt;&lt;br /&gt;In a brilliant move that can’t surely attract criticism from the European Data Protection Supervisor, Google is commemorating International Data Protection Day with a short message on its landing page, which may well be read by over half the internet-enabled population on the planet. &lt;br /&gt;&lt;br /&gt;The message is sweet and simple:&lt;b&gt; “We’re changing our privacy policy and terms. This stuff matters. Learn more”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;It will be great to consult the Google Analytics team in a few months to see just how many people did actually click the hyperlink and take up the opportunity to “learn more”.&lt;br /&gt;&lt;br /&gt;What has Google just done? Well, it’s announced changes to its privacy policy, which will take effect on 1 March. Over 60 different Google privacy policies are being replaced with one that’s a lot shorter and easier to read. &lt;i&gt;One rule to rule them all&lt;/i&gt;? Sounds suspiciously like what&lt;b&gt; Commissioner Reding&lt;i&gt;&lt;/i&gt;&lt;/b&gt; was trying to announce, last Wednesday. It’s also what &lt;b&gt;Gandalf &lt;i&gt;&lt;/i&gt;&lt;/b&gt;was striving to achieve, during his existence. &lt;br /&gt;&lt;br /&gt;When you read the policy (some 2,300 words, depending on what parameters are selected before the automatic word counting exercise is carried out), you appreciate the trouble that has been taken to make Google's operating processes easy to understand. 
The Google team evidently agree with me that it’s better to draft policies in words that can be understood by &lt;b&gt;Homer Simpson&lt;i&gt;&lt;/i&gt;&lt;/b&gt; than just by &lt;b&gt;Albert Einstein&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. &lt;br /&gt;&lt;br /&gt;The words flow as if they had been penned by a Hollywood scriptwriter. The slick, lean and easy phrases don’t challenge anyone. I expect that some aspects of them will upset some of the privacy wonks, but for the remaining millions of data controllers who care, Google has created a great language that I’m sure many websites would benefit from being re-written in. Whether many lawyers and data protection professionals are going to be brave enough to change their own, treasured, text for something that is written in common sense language, rather than obscure gobbledegook, is another matter. &lt;br /&gt;&lt;br /&gt;Here is a sample of some of the headline stuff before users are directed to the actual policy:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;”Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google. &lt;br /&gt;&lt;br /&gt;Our new policy reflects our desire to create a simple product experience that does what you need, when you want it to. Whether you’re reading an email that reminds you to schedule a family get-together or finding a favourite video that you want to share, we want to ensure that you can move across Gmail, Calendar, Search, YouTube or whatever your life calls for, with ease.&lt;br /&gt;&lt;br /&gt;If you’re signed in to Google, we can do things like suggest search queries – or tailor your search results – based on the interests that you’ve expressed in Google+, Gmail and YouTube. We’ll better understand which version of Pink or Jaguar you’re searching for and get you those results faster.&lt;br /&gt;&lt;br /&gt;When you post or create a document online, you often want others to see and contribute. 
By remembering the contact information of the people you want to share with, we make it easy for you to share in any Google product or service with minimal clicks and errors.&lt;br /&gt;&lt;br /&gt;Our goal is to provide you with as much transparency and choice as possible through products like Google Dashboard and Ad Preferences Manager, alongside other tools. Our privacy principles remain unchanged. And we’ll never sell your personal information or share it without your permission (other than rare circumstances like valid legal requests).&lt;br /&gt;&lt;br /&gt;If you want to learn more about your data on Google and across the web, including tips and advice for staying safe online, take a look at Good to Know.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;I did think of looking at the policy and of comparing it to the recently published General Data Protection Regulation to see what sort of changes might need to be made to ensure that it complied with the proposed new rules on dealing with children, using cookies and obtaining consent. But why spoil a joyous day? Let’s just relax and celebrate International Data Protection Day, rather than have a quiet dig at the Commission. Just for once.&lt;br /&gt;&lt;br /&gt;And how will I celebrate International Data Protection Day?&lt;br /&gt;&lt;br /&gt;Quietly. &lt;br /&gt;&lt;br /&gt;Last night I followed the lead of those intrepid souls who made their way to the &lt;b&gt;Front Line Club in Paddington&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, who were on a mission to celebrate at a dinner organised by the &lt;b&gt;Privacy Advisors Supper Club&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  Laughter there was lots. And what an array of different experiences were brought to the supper table. You learn so many unexpected things about your privacy colleagues. 
Who would have thought, for example, that one of the advisors among us had published a book a few years ago on surgical implants and surgical appliances, and, while a Commission official, had lobbied the European Commission to adopt their ideas as the basis for a new way of regulating medical devices in the EU? And you thought that data protection law was an obscure subject! &lt;br /&gt;&lt;br /&gt;I can confirm that everyone present is now entitled to tick off items 12 &amp; 50 on my list of “50 things to do before a data protection professional dies” (see my blog postings of 17 and 18 January).&lt;br /&gt;&lt;br /&gt;Anyway, given what we had to eat last night, there is only one appropriate way to spend today – to abstain from cookies for as long as possible (well, until dusk, anyway).&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;https://www.google.com/intl/en-GB/policies/#utm_source=googlehp&amp;utm_medium=hpp&amp;utm_campaign=en_all-hpp_pp&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3213977947126411118?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3213977947126411118'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3213977947126411118'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/one-policy-one-google-experience.html' title='One policy, one Google experience'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-7XacxuY2GR0/TyPsZw95DEI/AAAAAAAAAwE/JXId16Melkg/s72-c/120128%2B-%2Bdp%2Bday.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7592406865877573841</id><published>2012-01-27T08:50:00.000-08:00</published><updated>2012-01-27T08:52:11.577-08:00</updated><title type='text'>Taking a butchers at our breaches</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-up1IYncpWR8/TyLVCGRMQZI/AAAAAAAAAv4/Q8mvCSJIr0E/s1600/120127%2B-%2Bdata%2Bbreach-thumb-640x480%255B1%255D.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="240" width="320" src="http://1.bp.blogspot.com/-up1IYncpWR8/TyLVCGRMQZI/AAAAAAAAAv4/Q8mvCSJIr0E/s320/120127%2B-%2Bdata%2Bbreach-thumb-640x480%255B1%255D.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;Yesterday afternoon, a select group of the usual suspects gathered together to share war stories about their experiences on dealing with data breaches.&lt;br /&gt;&lt;br /&gt;The speakers included an official from the ICO, a couple of lawyers, and a pair of data protection officers, all of whom had different perspectives to share. And a useful sharing session it actually was, especially when it became pretty clear that everyone was keen on developing a reasonably settled view on precisely the same issues. We’re just not there, yet.&lt;br /&gt;&lt;br /&gt;The usual elephants were in the room. Who would be the first to admit that they didn't actually know what a data breach actually was, as the definition (in the ePrivacy Directive and the proposed General Data Protection Regulation) was so vague? Who would be the first to point out that some reporting threshold was required, to avoid overburdening the regulator with trivia? 
And who would be the first to question the need for the regulator to receive breach reports, if it wasn't at all clear what they were doing with the information that was being supplied?&lt;br /&gt;&lt;br /&gt;No one in the room suggested that data breach management was not an important issue.  And everyone agreed that responsible data controllers would be striving every sinew to resolve the trivial, as well as the more serious, data breaches. This is because they cared about their customers and certainly wanted to engage, to the greatest extent possible, with their customers. News of an extremely recent UK data breach revealed how quickly the data controller was seen to act when allegations emerged in the blogosphere.  Customers - and complainants - certainly have a voice, thanks to the internet. Many seem to be able to quickly detect irregular types of activity on their online accounts and, using their powers of social networking, get the data controller to respond responsibly.&lt;br /&gt;&lt;br /&gt;So, turning to minor breaches, what role does the regulator play here? It is a valid, and important, question.&lt;br /&gt;&lt;br /&gt;Later, over a data protection dinner most generously hosted by &lt;b&gt;Bird &amp; Bird&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, a few of the guests asked themselves whether there were any lessons to be learnt from the breach notification rules that were prevalent in the USA. Had these rules led to a measurable change in the behaviour of American data controllers? Were there now fewer breaches than before? Were citizens more confident that data controllers were more vigilant than before?&lt;br /&gt;&lt;br /&gt;Well, we asked ourselves these questions, but answers were there few. I left the dinner confused. 
Not inebriated, but just still not clear what the point of the breach notification process to the regulator actually was.&lt;br /&gt;&lt;br /&gt;Tonight, I’m off to dine, gossip and dance the night away at an event organised by the Data Protection Officers’ Supper Club. I’ll raise the same questions that were raised last night, and I’ll report back if any significant insights emerge.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Image credit:&lt;/i&gt;&lt;br /&gt;http://4.bp.blogspot.com/_wgns7r5yd8c/SrPHugvNbqI/AAAAAAAAI5A/T-Es6FhnCig/s1600/data%20breach-thumb-640x480.jpg&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7592406865877573841?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7592406865877573841'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7592406865877573841'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/taking-butchers-at-our-breaches.html' title='Taking a butchers at our breaches'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-up1IYncpWR8/TyLVCGRMQZI/AAAAAAAAAv4/Q8mvCSJIr0E/s72-c/120127%2B-%2Bdata%2Bbreach-thumb-640x480%255B1%255D.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4685984117942713932</id><published>2012-01-25T09:37:00.000-08:00</published><updated>2012-01-25T10:45:28.607-08:00</updated><title type='text'>“Ladies and Gentlemen, we have done it”</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-BpTia9VI1kY/TyA6icW7GdI/AAAAAAAAAvs/bmXAhVEKNFA/s1600/120125%2Bdirective%2Blaunch.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="266" width="320" src="http://3.bp.blogspot.com/-BpTia9VI1kY/TyA6icW7GdI/AAAAAAAAAvs/bmXAhVEKNFA/s320/120125%2Bdirective%2Blaunch.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;With these words, Commissioner Reding unveiled the latest set of proposals for a comprehensive reform of Europe’s data protection today. The Commission has, apparently, just adopted what is called &lt;b&gt;“a comprehensive reform on the use of the data protection rule”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. I won't ask too many questions about how this agreement was reached. Like making sausages, you really don't want to know just how they managed to do it. &lt;br /&gt;&lt;br /&gt;If you want to view the 34 minute recording of today's announcement yourself, click the &lt;b&gt;“banbuser”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; link below.&lt;br /&gt;&lt;br /&gt;There are some grand claims: &lt;b&gt;“Our reform will eliminate the unnecessary administrative burden as well as the many costs linked to the different reporting requirements currently existing throughout the EU.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; Apparently, there will be a single set of rules across the EU, which will save some 2.3 billion Euros each year. But, there will be special care for SME’s, who will be sheltered from some of the more onerous requirements, at least until they have grown into larger enterprises. 
Commissioner Reding wants to help these young companies to become big – and to help them to do their job without being drowned by administrative burdens. So, there will be no need for them to appoint Data Protection Officers, carry out impact assessments for low and medium risk processing operations, or put together documentation about other data processing activities.&lt;br /&gt;&lt;br /&gt;As far as citizens are concerned: &lt;b&gt;"there are to be immediate benefits, and these will ensure that they are well informed about what will happen to their personal data.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;If you listen closely to the recording of the announcement, you will occasionally hear the audience’s reaction. Once or twice there is nervous laughter. On at least one occasion someone out of vision is heard to ask their colleague &lt;b&gt;“is this legal?”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;  It will be interesting to learn the reaction of more of our learned friends once we've all had time to fully consider the implications of the published proposal.&lt;br /&gt;&lt;br /&gt;Anyway, how did this one differ from the version that I saw a few days ago and blogged about on 20 January? What can be gleaned about the shifting nature of the text as it underwent those final revisions in the period of frantic activity up to today?  The text has lost &lt;b&gt;one&lt;i&gt;&lt;/i&gt;&lt;/b&gt; Whereas clause (there are now just 139 of them), it has gained an additional Article (there are now &lt;b&gt;93&lt;i&gt;&lt;/i&gt;&lt;/b&gt;) and, somewhere along the way,&lt;b&gt; three&lt;i&gt;&lt;/i&gt;&lt;/b&gt; pages of text. 
This tells me that the negotiations carried on for some time, and a lot of changes were made, compared to the infamous leaked “Version 56” (which had a mere 118 Whereas clauses, 91 Articles and 78 pages).&lt;br /&gt;&lt;br /&gt;As predicted, there is new language around the territorial scope of the Regulation, and we can wait for our legal chums to opine on whether it clarifies matters or causes more confusion. &lt;br /&gt;&lt;br /&gt;As predicted, the definition of &lt;b&gt;personal data&lt;i&gt;&lt;/i&gt;&lt;/b&gt; is still pretty vague and we need to work out whether &lt;b&gt;“online identifiers”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; are the same as IP addresses. And, the definition of a &lt;b&gt;personal data breach&lt;i&gt;&lt;/i&gt;&lt;/b&gt; means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else. Yuk.&lt;br /&gt;&lt;br /&gt;A radical rethink on what to do about protecting the interests of children has resulted in special rules for the processing of children under 13, and some interesting questions to resolve if a data controller is dealing with people between the ages of 13 and 18. As the Regulation won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child, we’ll have to work out just what all this stuff means quite carefully. But the Commission wants to give itself the power to adopt other legislation to further specify the conditions under which children’s data should be processed, so I don’t have a clue what the final effect will be.&lt;br /&gt;&lt;br /&gt;As far as the principles of data processing are concerned, private data controllers can breathe a sigh of relief and the processing for legitimate interests condition survives. 
As predicted, the rules for public data controllers have been tweaked – but I have not had the time to consider whether there might be howls of protest around Brussels and town halls when the implications sink in.&lt;br /&gt;&lt;br /&gt;As anticipated, the rules on consent have been tweaked, and to such an extent that I do expect that data controllers will react in an unexpected way to the lessons learnt when individuals exercise greater control of their information by exercising their right to withdraw their consent to the processing of that information. The natural result of this power to withdraw consent will, in many cases, simply lead to a flight from consent – as prudent data controllers will increasingly use the legitimate interests condition as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn.   &lt;br /&gt;&lt;br /&gt;On the rights of data subjects, and as anticipated, we can brace ourselves for &lt;b&gt;no Subject Access Request Fees&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, unless such requests are manifestly excessive (whatever that means). As I’ve suggested before, this could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests. &lt;br /&gt;&lt;br /&gt;Just a few more headlines for today. The breach notification requirements still appear overly onerous (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). We really need to make better sense of this provision. I'll be developing this theme when I present my ideas with the amazing Jeanette Fitzgerald, SVP and General Counsel of Epsilon, at a DataGuidance breach notification event at the London offices of Bird &amp; Bird tomorrow. 
Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.&lt;br /&gt;&lt;br /&gt;Turning to the infamous sanction powers, the Commission continues to back down in the face of protests at their disproportionate nature. The ludicrous proposal to fine companies between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover for a failure to report a breach within 24 hours, which was lowered to a fine of merely between 1,000 and 1 million Euros or up to 4% of their annual worldwide turnover last week, has been further reduced to just &lt;b&gt;up to 1 million Euros or just 2% of their annual worldwide turnover&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. But, is anyone celebrating?&lt;br /&gt;&lt;br /&gt;There’s so much more to be said about this document and about the inevitable subsequent versions. And there are lots of people with good will, who want to see high data protection standards enforced by proactive data controllers and adequately equipped regulators. But that is a huge ask, especially in today’s economic climate.&lt;br /&gt;&lt;br /&gt;Let’s hope that, as we work through the compliance cost assessments, the end result is an appropriate increase in standards that can be afforded by data controllers. My main worry is that, given the extensive powers the Commission wants to give itself to make further changes to the data protection rules, by means of delegated legislation, so they don't need to go through such an extensive consultation process, the result could be the creation of a monster that can turn on anyone at will. &lt;br /&gt;&lt;br /&gt;If we get it wrong, we could get it wrong for an entire generation of EU citizens. 
And I don’t want my name associated with that.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Sources:&lt;/i&gt;&lt;br /&gt;http://bambuser.com/channel/privateuser/broadcast/2313394&lt;br /&gt;http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf&lt;br /&gt;http://europa.eu/rapid/pressReleasesAction.do?reference=IP/12/46&amp;format=HTML&amp;aged=0&amp;language=EN&amp;guiLanguage=en&lt;br /&gt;http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4685984117942713932?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4685984117942713932'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4685984117942713932'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/ladies-and-gentlemen-we-have-done-it.html' title='“Ladies and Gentlemen, we have done it”'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-BpTia9VI1kY/TyA6icW7GdI/AAAAAAAAAvs/bmXAhVEKNFA/s72-c/120125%2Bdirective%2Blaunch.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2824230826255665294</id><published>2012-01-24T10:52:00.000-08:00</published><updated>2012-01-24T14:22:37.054-08:00</updated><title type='text'>Was this the Commissioner's protocol 
statement?</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s1600/reding%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 292px; height: 320px;" src="http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s320/reding%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5696705355064286754" /&gt;&lt;/a&gt;&lt;br /&gt;Perhaps, we now know what is meant when we are told that a Commissioner will make a &lt;b&gt;“protocol statement”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Commissioner Reding spoke in Munich last Sunday. Unlike my suggestion on 18 January, what she had to say was not an explanation of the behaviours that are to be exhibited when meeting a Commissioner. It’s more of an announcement of things to come. In this case, the things to come are to come “this week”. Yes, I know it was delivered last Sunday. But it’s not Data Protection Day, yet.&lt;br /&gt;&lt;br /&gt;On the other hand, she might well be saying something tomorrow, too. Who knows? There's really no stopping her, once she puts her speaking shoes on. I am aware of arrangements for a press conference which will announce "something" tomorrow, but I wonder who will be at that conference, and what will be said ...&lt;br /&gt;&lt;br /&gt;I was intrigued to find a few similarities between the draft I had prepared for Commissioner Reding on 12 January, and the text of Sunday's speech. They both start the same way (with the phrase “Check against delivery”). They both acknowledge that this is not the occasion on which the drafts are formally revealed. And they both contain a number of questionable statements.&lt;br /&gt;&lt;br /&gt;First, let’s look on the bright side of life. I share her hope that the new rules achieve their purpose of creating legal certainty, in a simplified regulatory environment which provides for clear rules for international data transfers. 
And if they achieve this,  then I will be among the first of many who will laud her to the skies and take to the streets to demand that she be appointed “Queen of the European Commission”, before she graces the UN as its next Secretary General. &lt;br /&gt;&lt;br /&gt;On the other hand, the measures have to work fairly and proportionately, taking into account the legitimate rights of data controllers, as well as individuals. Will red tape be cut, as is hoped, or will the existing red tape simply be replaced with reams of other types of tape? I really hope that it will not be the latter – but I’m not yet persuaded. Will &lt;i&gt;savings&lt;/i&gt; from the scrapping of a general notification rule simply be swallowed by hugely increased compliance expenditure in other areas, without commensurate protections being given to individuals? I fear this may be the case.&lt;br /&gt;&lt;br /&gt;Will individuals actually be able to exercise many of the new rights that appear to be bequeathed to them?  Commissioner Reding makes some play of the principle that individuals will be able to exercise greater control of their information by exercising their right to consent to the processing of that information. What she fails to point out is that the natural result of this power to &lt;b&gt;withdraw consent&lt;i&gt;&lt;/i&gt;&lt;/b&gt; will, in many cases, simply lead to a &lt;b&gt;flight from consent&lt;i&gt;&lt;/i&gt;&lt;/b&gt; – as prudent data controllers will increasingly use the &lt;b&gt;legitimate interests&lt;i&gt;&lt;/i&gt;&lt;/b&gt; condition  as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn. &lt;br /&gt;&lt;br /&gt;The Commissioner skated over many of the details of the proposal (presumably so that she did not then need to refer to the manner in which other Directorate Generals had expressed their own  reservations). 
She made the general commitment to extending the breach notification provisions to all data controllers, with notification as a general rule within 24 hours, even though the evidence that the current rules are either workable, effective or have brought about any measurable behavioural change among data controllers is questionable (if it actually exists, that is). Still, it’s a great headline, and we can enjoy many months of discussions fleshing out the details, as we first work out what we are trying to stop, and then assess whether the proposed measures actually achieve that aim.&lt;br /&gt;&lt;br /&gt;But I should not be too cranky. Individuals deserve great protections whenever they go on line, and they’ll get the best protections that the state can afford to give them. Whether they will actually enjoy similar levels of protections wherever they are in the European Union, well, that’s another matter. European citizens don’t actually enjoy similar levels of healthcare, public housing, social security provision, taxation or education wherever they are just yet, so it is a brave Commissioner who commits themselves to ensuring that:&lt;b&gt; “all data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; I’ll believe that when I see it. And I’ll celebrate, when I see it, too. But I won’t hold my breath.&lt;br /&gt;&lt;br /&gt;One casual, almost throw away remark that did take my breath away was her last statement. Then again, it may well have been designed to have left the audience in a state of shocked excitement as she left the stage and departed for Davos. &lt;br /&gt;&lt;br /&gt;It was about freedom of information and copyright:&lt;b&gt; “The protection of creators must never be used as a pretext to intervene in the freedom of the internet. That is why, for Europe, blocking the internet is not an option”.&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;Well said. 
What she didn’t say was that &lt;b&gt;“blocking access to parts of the internet is not an option”.&lt;i&gt;&lt;/i&gt;&lt;/b&gt; &lt;br /&gt;&lt;br /&gt;Because we &lt;b&gt;do&lt;i&gt;&lt;/i&gt;&lt;/b&gt; block access to parts of the internet, and for very good reasons. Hold your horses, you civil libertarians, please hear me out. We block access to illegal content on the internet. We don’t want the on-line experience of minors or the easily led to be harmed by their ability to access information that might corrupt or deprave them.  &lt;br /&gt;&lt;br /&gt;So, we need an internet censor, or at least someone who cares passionately about the safety of internet users. And I’m happy to be that censor - or at least to be appointed as a person who cares passionately about the safety of the internet users of whichever service provider is employing me.&lt;br /&gt;&lt;br /&gt;So, well done, Commissioner. Enjoy your trip to Davos. Then return refreshed, and ready to work with the rest of the passionate squad to develop a set of legal instruments that are truly fit for purpose.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;Speech 12/26 to the Innovation Conference Digital, Life, Design, "The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age” Munich 22 January 2012&lt;br /&gt;http://ec.europa.eu/commission_2010-2-14/reding/pdf/speeches/s1226_en.pdf&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2824230826255665294?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2824230826255665294'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2824230826255665294'/><link rel='alternate' 
type='text/html' href='http://dataprotector.blogspot.com/2012/01/just-what-was-revealed-in-todays.html' title='Was this the Commissioner&apos;s protocol statement?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s72-c/reding%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1523595086022141615</id><published>2012-01-23T14:15:00.000-08:00</published><updated>2012-01-24T10:55:00.186-08:00</updated><title type='text'>Is there anything else to do before a data protection professional dies?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-f_MRE90dvnQ/Tx3a9QlDZtI/AAAAAAAAAvg/9_Ti-Gc8iSA/s1600/120122%2B-%2Bgin.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="224" src="http://4.bp.blogspot.com/-f_MRE90dvnQ/Tx3a9QlDZtI/AAAAAAAAAvg/9_Ti-Gc8iSA/s320/120122%2B-%2Bgin.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Suggestions for new additional things to achieve before a data protection professional dies (&lt;i&gt;see my blog posting of 16 &amp; 17 January&lt;/i&gt;) have been thin on the ground. But all is not lost. 
I’ve been chatting to some friends, who can already tick off a couple of items on the list, and who would rather not have any additional challenges set.&lt;br /&gt;&lt;br /&gt;On the other hand, I met some chums at the Privacy International drinks party in central London last Thursday night, who were proud to have been able to tick off &lt;b&gt;achievement 41&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  And I’ll be meeting more chums on Friday evening to witness them tick off &lt;b&gt;achievements 12 and 50&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. There could still be time (and room) for you to join in the fun, if you are free.&lt;br /&gt;&lt;br /&gt;But there must be more achievements for a data protection professional to accomplish, surely? Or is inanely ticking off an item on a list a sign of autism? Are we data protection professionals just living with some disorder of neural development, with impaired social interaction and communication skills, exhibiting alarming tendencies of restricted and repetitive behaviour? Can we talk about anything other than data protection?&lt;br /&gt;&lt;br /&gt;I do hope so.&lt;br /&gt;&lt;br /&gt;Anyway, if you can (or want) to think of additional achievements, before the strain of crawling all over the documents that are just about to be launched by Commissioner Reding numbs us into a state of oblivion, please feel free to contact me through the usual channels. 
A prize such as the one pictured (recently sent to me by a contact who is so useful to know in this business) may well be presented to the person who sends me the best set of suggestions.&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1523595086022141615?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1523595086022141615'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1523595086022141615'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/is-there-anything-else-to-do-before.html' title='Is there anything else to do before a data protection professional dies?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-f_MRE90dvnQ/Tx3a9QlDZtI/AAAAAAAAAvg/9_Ti-Gc8iSA/s72-c/120122%2B-%2Bgin.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1454872016826007</id><published>2012-01-22T05:37:00.000-08:00</published><updated>2012-01-22T05:53:10.055-08:00</updated><title type='text'>EU breach reporting guidelines? 
They might be on their way</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-z0ZjQsibm_0/TxwPyimPMBI/AAAAAAAAAvU/JV4US2b1o68/s1600/120122%2B-%2Bbreacha.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="256" width="320" src="http://4.bp.blogspot.com/-z0ZjQsibm_0/TxwPyimPMBI/AAAAAAAAAvU/JV4US2b1o68/s320/120122%2B-%2Bbreacha.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Work is continuing, behind the scenes, to develop better guidelines for European data controllers on managing and reporting security breaches. Sponsored by &lt;b&gt;ENISA, the European Network and Information Security Agency&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, a group of regulators have been working with a very select handful of industry representatives to develop something that might make sense to the wider data protection community.&lt;br /&gt;&lt;br /&gt;What has hit home is the fact that the vague breach notification obligations, as set out in the ePrivacy Directive, have been implemented (when at all) in a very patchy manner. I was told that, last October, just &lt;b&gt;12&lt;i&gt;&lt;/i&gt;&lt;/b&gt; Member States, for example, had actually implemented the security breach notification requirements, yet they were all supposed to have done so by last May.&lt;br /&gt;&lt;br /&gt;What is actually meant by the obligation to report a breach &lt;b&gt;“without undue delay”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;? How long is that? If you’re &lt;b&gt;Greek&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, it’s apparently a period of &lt;b&gt;12 days&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. If you’re &lt;b&gt;Irish&lt;i&gt;&lt;/i&gt;&lt;/b&gt; it’s &lt;b&gt;2 days&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, and if you’re &lt;b&gt;Hungarian&lt;i&gt;&lt;/i&gt;&lt;/b&gt; it’s &lt;b&gt;24 hours&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. 
And how do we resolve the conflict which arises when, on the one hand, there is an obligation to report a breach, but on the other hand, data controllers have rights under Article 6 of the European Convention on Human Rights concerning self-incrimination? And, what is the point of reporting losses relating to encrypted information, if it’s evident that no harm will arise to anyone as a consequence of the loss?&lt;br /&gt;&lt;br /&gt;What is meant by a &lt;b&gt;minor breach&lt;i&gt;&lt;/i&gt;&lt;/b&gt;? What rules apply if you’re unfortunate enough to incur a &lt;b&gt;cross border breach&lt;i&gt;&lt;/i&gt;&lt;/b&gt;? And should ENISA really be publishing breach notification guidelines without closely consulting the data controllers who were already subject to the ePrivacy breach notification regime, just to make sure that they hadn’t missed anything?&lt;br /&gt;&lt;br /&gt;What’s happened so far is that the ENISA working party has created a substantial draft (currently some 64 pages long) which tries to address the issues. Let’s give credit where credit’s due. The participants have a good idea of what’s required, and what needs to be done. An initial workshop, held on 24 January 2011 (yes, a year ago), listed the following:&lt;br /&gt;&lt;b&gt;&lt;br /&gt;• Lack of a unified approach towards data breach notifications among sectors and among Member States&lt;br /&gt;• Different understanding of the nature of a data breach&lt;br /&gt;• Lack of guidelines, best practices, common formats of notifications&lt;br /&gt;• Lack of guidelines on effective technical measures for protection of data&lt;br /&gt;• Lack of guidelines on follow-up actions after notification&lt;br /&gt;• Economics of notifications&lt;br /&gt;• Cases of exemption from notification&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;And they have set themselves a challenging target to create a text that will really add value to the current knowledge base. 
Constructive discussions continue (but I won’t be playing any active part in these discussions – at least not until I leave my current job and am invited to join in and play by someone else). &lt;br /&gt;&lt;br /&gt;A lot of what I’ve read is really good stuff. There are sections, though, that need more work. The section that probably needs the greatest amount of work is the section which offers guidance on how a data controller assesses the impact of a personal data breach.  When I say the &lt;i&gt;greatest amount of work&lt;/i&gt;, it is evident that the current text has been crafted by one of the greatest mathematical minds the European data protection community has ever had the privilege of working with. It’s so brilliantly conceived that it’s gone straight over my head. And, even though statistics was a component part of my University degree, I really don’t think that this section of the guidance resonates very well among those of us who have normal mathematical minds. &lt;br /&gt;&lt;br /&gt;Today’s illustration, believe it or not, is the formula which is proposed to assess the impact / severity of a detected personal data breach, when various sets of criteria, as well as their consequences on four impact areas, are fully taken into account. The mathematical minds have even devised two possible approaches on how to perform the impact / severity assessment of the personal data breach. They also offer guidance about how to flex the formula: &lt;b&gt;“For the ease of the assessment, the competent authorities can provide a calculator of the severity of the breach, taking into account all circumstances and their own ways of calculations. For specific cases, the data controller could adjust the result obtained from the calculator by one grade (up or down).”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;What does this really mean? 
That we should rejoice – since we data protection professionals will have jobs for ever as we blind colleagues within our businesses with such science? Teams of highly paid boffins will probably have to tour the European Community, explaining this stuff to the likes of you and me. And they may need to explain it several times before it all sinks in.&lt;br /&gt;&lt;br /&gt;Actually, no. This can’t be the right approach. We need simpler ways of assessing the likelihood of harm to an individual. We’ve got to have &lt;b&gt;Homer Simpson&lt;i&gt;&lt;/i&gt;&lt;/b&gt; in our minds as we develop understandable rules and calculations. Not &lt;b&gt;Albert Einstein&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Do I have any ideas? Yes, I have oodles of ideas, but they’re not for dissemination in a blog like this. If you’re that interested in my ideas, speak to me privately, later.&lt;br /&gt;&lt;br /&gt;That’s enough on data breach management for today. Those who feel particularly inspired in this subject can see me presenting my ideas with the amazing &lt;b&gt;Jeanette Fitzgerald, SVP and General Counsel of Epsilon&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, at a &lt;b&gt;DataGuidance breach notification event&lt;i&gt;&lt;/i&gt;&lt;/b&gt; at the London offices of &lt;b&gt;Bird &amp; Bird on Thursday 26 January&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;I must thank those good folk at ENISA for their commitment to transparency by creating and circulating a draft document that has no protective security markings, so it is only fair to assume that it is not a confidential document. 
I’m sure they’ll let you have a copy of their latest draft if you ask them nicely. &lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1454872016826007?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1454872016826007'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1454872016826007'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/breach-reporting-guidelines-they-might.html' title='EU breach reporting guidelines? They might be on their way'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-z0ZjQsibm_0/TxwPyimPMBI/AAAAAAAAAvU/JV4US2b1o68/s72-c/120122%2B-%2Bbreacha.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6950723368831616658</id><published>2012-01-20T11:00:00.000-08:00</published><updated>2012-01-21T03:10:56.252-08:00</updated><title type='text'>Another day, another draft of the Regulation</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-nCiix1YQl0E/Txm4UREt_FI/AAAAAAAAAvI/5m9yNW6kmvw/s1600/120120%2B-%2Bdraft%2Breg.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="245" width="320" 
src="http://2.bp.blogspot.com/-nCiix1YQl0E/Txm4UREt_FI/AAAAAAAAAvI/5m9yNW6kmvw/s320/120120%2B-%2Bdraft%2Breg.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The word from Brussels is that DG Justice is really, really keen to publish something soon to show for all the hard work that has been put in, behind the scenes, for the Data Protection Day (or the Davos) celebrations.  If I were a cynic, I might argue that a fuss about proposals for an obscure Data Protection Regulation might be welcomed by the Commission right now, especially if it diverted media attention from the fuss about the European economic situation. Or the fuss about the recent legal and constitutional changes in Hungary.&lt;br /&gt;&lt;br /&gt;Or, is this a time to bury bad news, which is a phrase sometimes used in the UK?&lt;br /&gt;&lt;br /&gt;Anyway, I’ve got my hands on something that looks suspiciously like (yet) another draft proposal from the Commission. Or, perhaps I have been sent a spoof document from someone I usually trust, cunningly designed to divert my attention from the real discussions that could still be continuing somewhere. I honestly don’t know.  But I’m happy to believe it is genuine.&lt;br /&gt;&lt;br /&gt;When you read it, it becomes evident that it has been prepared after representatives from all Directorate Generals had been summoned to a basement room in Brussels and told to stand on one leg on the naughty step until they had all agreed on a version that could be published for us ungrateful rabble to pick holes in. And, to add to the pressure on the representatives that had turned up, perhaps no one was allowed a bathroom break until all the stakeholders had indicated their agreement to the same draft. Whatever the pressure was, it seems to have done the trick.&lt;br /&gt;&lt;br /&gt;What are the areas that the Directorate Generals had previously issued &lt;b&gt;unfavourable opinions&lt;i&gt;&lt;/i&gt;&lt;/b&gt; about but where a deal has now been reached? 
And what is the deal? That was the question I tried to keep in mind as I read it. &lt;br /&gt;&lt;br /&gt;The version I’ve seen (which could have been prepared around 16 January, so is probably already out of date) contains &lt;b&gt;140 Whereas clauses, 92 Articles and is 102 pages long.&lt;i&gt;&lt;/i&gt;&lt;/b&gt;  Version 56, which is the one commonly available on the internet, has just 118 Whereas clauses, 91 Articles and is only 96 pages long.&lt;br /&gt;&lt;br /&gt;A new Article (Article 3) relates to the &lt;b&gt;territorial scope&lt;i&gt;&lt;/i&gt;&lt;/b&gt; of the Regulation, and tries to define when non EU controllers will be obliged to respect the Regulation. I’m not clever enough to appreciate the subtlety of what is being proposed, and what changes it heralds, so we’ll wait for the international lawyers to opine on this point. &lt;br /&gt;&lt;br /&gt;The definition of &lt;b&gt;“personal data”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; is still pretty vague and we need to work out whether &lt;b&gt;“online identifiers”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; are the same as IP addresses. The definition of &lt;b&gt;“personal data breach”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else.   Yuk.&lt;br /&gt;&lt;br /&gt;We ought to brace ourselves for &lt;b&gt;“children” &lt;i&gt;&lt;/i&gt;&lt;/b&gt;to be defined as any person below the age of 18 years – which could have implications on the legitimacy of data processing for anyone under 18. And, a special article could well introduce &lt;b&gt;special rules for the processing of children under 13&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Perhaps they will only need to get their parent’s consent for some types of processing if they are under 13. 
On the other hand, the Regulation may also provide that it won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child.  So, the&lt;i&gt; “one Regulation to rule them all”&lt;/i&gt; approach will fall flat on its face when it comes to the problem of addressing the different requirements that Member States already have in how they treat people under the age of 18. But will children be permitted to give their consent for profiling activities?  Let’s see. I can’t quite work it out as you have to cross refer to various Articles in the text, and I frankly don’t have the motivation to work out which will take priority. Especially if I’m working on a text that has already been updated, and will be updated again before it is formally published. &lt;br /&gt;&lt;br /&gt;As far as the &lt;b&gt;principles of data processing&lt;i&gt;&lt;/i&gt;&lt;/b&gt; are concerned, we can expect a slight tweak (but probably nothing to worry about), and the processing for legitimate interests condition survives – at least for private companies.  It looks as though &lt;b&gt;public authorities can’t use the “legitimate interests clause”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to justify the processing of personal data, but they will be able to process data when &lt;b&gt;it’s in the public interest or the exercise of official authority vested in the data controller&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Don’t ask me what the difference is, but there probably is one – and if so there might be howls of protest around Brussels and town halls when the implications sink in.&lt;br /&gt;&lt;br /&gt;We can expect a glimmer of hope as far as the rules on &lt;b&gt;marketing “similar products and services”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; are concerned.&lt;br /&gt;&lt;br /&gt;On the rights of data subjects, we can brace ourselves for &lt;b&gt;no Subject Access Request Fees&lt;/b&gt;, unless such requests are manifestly excessive (whatever that means). 
This could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests. &lt;br /&gt;&lt;br /&gt;And yes, of course we’ll have some stuff about the “&lt;b&gt;right to be forgotten and to erasure”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;.  And to &lt;b&gt;data portability.&lt;i&gt;&lt;/i&gt;&lt;/b&gt;  Whether it will have any practical effect, only time will tell. &lt;br /&gt;&lt;br /&gt;There’s lots more to comment on, if I felt that any reader had the energy to carry on reading this posting. Let me just whet their appetite by suggesting that the &lt;b&gt;breach notification requirements still appear overly onerous&lt;i&gt;&lt;/i&gt;&lt;/b&gt; (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). Help may be at hand, though, if they provide standard forms and templates to work out what needs to be reported to whom. Well, templates that work, anyway. I’ll shortly be blogging on an initiative by ENISA, offering guidance and a standard form. And a mightily clever (and fiendishly complicated) way of calculating the severity of harm.&lt;br /&gt;&lt;br /&gt;Turning to the infamous sanction powers, we may all have a pleasant surprise. The ludicrous proposal to fine companies &lt;b&gt;between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover&lt;i&gt;&lt;/i&gt;&lt;/b&gt; for a failure to report a breach within 24 hours could well be &lt;b&gt;lowered&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to a fine of merely between &lt;b&gt;1,000 and 1 million Euros or up to 4% of their annual worldwide turnover&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Is anyone celebrating?&lt;br /&gt;&lt;br /&gt;But that’s enough from me. It’s enough to put me off my pudding tonight. I won’t read and analyse any more of this draft, or any more drafts. 
I will just &lt;b&gt;thank the folk at European Commission for their commitment to transparency&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. Yet again, they appear to have created and circulated a document that has no protective security markings, so it is only fair to assume that it is not a confidential document. &lt;br /&gt;&lt;br /&gt;Confidential or not, I won't be sharing this draft with anyone. Sorry, friends, but it won’t be too long to wait before another text emerges from the official channels, and you will be free to feast on that.&lt;br /&gt;&lt;br /&gt;. &lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6950723368831616658?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6950723368831616658'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6950723368831616658'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/another-day-another-draft-regulation.html' title='Another day, another draft of the Regulation'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-nCiix1YQl0E/Txm4UREt_FI/AAAAAAAAAvI/5m9yNW6kmvw/s72-c/120120%2B-%2Bdraft%2Breg.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4367469896902753486</id><published>2012-01-20T05:08:00.000-08:00</published><updated>2012-01-20T05:20:29.267-08:00</updated><title type='text'>Cookiepedia – you 
heard it here, first</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-J67AremakUA/TxlmvPziFiI/AAAAAAAAAu8/IYREsATLXcU/s1600/120120%2B-%2Bcookiepedia.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="74" width="320" src="http://2.bp.blogspot.com/-J67AremakUA/TxlmvPziFiI/AAAAAAAAAu8/IYREsATLXcU/s320/120120%2B-%2Bcookiepedia.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The data protection experts who are so far ahead of the curve that it hurts will already have consulted this internet site, and now it’s your turn to know that it exists and to spread the word about what useful purpose it could serve. And think of the brownie points you will earn when your chums realise how on the ball you really are!&lt;br /&gt;&lt;br /&gt;Launched by our chums at the &lt;b&gt;Cookie Collective&lt;i&gt;&lt;/i&gt;&lt;/b&gt; just 48 hours ago, the purpose of the site is to provide webmasters with a way of starting to comply with the cookie requirements in the ePrivacy Directive. If “the great unwashed” are to be provided with information about what cookies actually are, and what types of cookies exist, then it’s going to help greatly if the industry can create easy-to-read explanations. The sort of explanations that can be understood by people like &lt;b&gt;Homer Simpson&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, as well as &lt;b&gt;Albert Einstein&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. And, it will help even more if all of the players in industry can provide its users with very similar, if not identical, explanations of these cookies.&lt;br /&gt;&lt;br /&gt;We all know that, ultimately, some of these cookies will be treated like &lt;b&gt;Jose Mourinho&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, currently the &lt;b&gt;Real Madrid football coach&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. 
These cookies will fall into the category of &lt;i&gt;“the special ones”&lt;/i&gt;, for which preferential treatment will be available. In language used in the ePrivacy Directive, these will be the &lt;b&gt;“strictly necessary”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; cookies, ie those for which consent will not be required before they can be placed on a person’s electronic device.&lt;br /&gt;&lt;br /&gt;The website does not offer advice on the types of cookies that will fall into the &lt;b&gt;Mourinho&lt;i&gt;&lt;/i&gt;&lt;/b&gt; category, but it is only in beta form right now.  You never know how it might evolve. After all, &lt;b&gt;Richard Beaumont&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, the guru behind this initiative, seems keen to let users play with the site and we can all see how it develops organically from here.&lt;br /&gt;&lt;br /&gt;And because it’s only in beta form, please don’t scoff if you can’t yet find a privacy policy (or a cookie policy, for that matter). We all know how hard it is to get the legal bits all nicely formed, at the bottom of the home page. So let’s take a moment to celebrate the great work which has been achieved so far, rather than carp from the sides about the absence of compliance and regulatory stuff that means so little to so many. &lt;br /&gt;&lt;br /&gt;I don’t know how these cookie definitions will differ from the categories of cookies that are being created by the &lt;b&gt;International Chamber of Commerce&lt;i&gt;&lt;/i&gt;&lt;/b&gt; (see the blog I posted on 14 January). Hopefully, it won’t be too long before their initial approach is known.  &lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;http://cookiepedia.co.uk&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Declaration of interest:&lt;/i&gt;&lt;br /&gt;I have no business, personal or financial interest in this website, nor am I associated with any members of the Cookie Collective. But it does seem like a good idea and I do like spreading news about good ideas. 
&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4367469896902753486?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4367469896902753486'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4367469896902753486'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/cookiepedia-you-heard-it-here-first.html' title='Cookiepedia – you heard it here, first'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-J67AremakUA/TxlmvPziFiI/AAAAAAAAAu8/IYREsATLXcU/s72-c/120120%2B-%2Bcookiepedia.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-9009486574613567727</id><published>2012-01-18T11:57:00.000-08:00</published><updated>2012-01-18T13:46:19.485-08:00</updated><title type='text'>Is someone in the Commission discarding some articles?</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-pkJYW3p3UJ8/TxcizJWSjAI/AAAAAAAAAuw/2VE663AnSqM/s1600/120118%2B-%2Bfeather.jpg" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="320" width="240" src="http://4.bp.blogspot.com/-pkJYW3p3UJ8/TxcizJWSjAI/AAAAAAAAAuw/2VE663AnSqM/s320/120118%2B-%2Bfeather.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;The 
gossip is that someone has obviously put their common sense shoes on, and has started kicking out a few of the more outrageous proposals in the widely leaked draft of a new legal framework for data protection (the infamous Version 56). &lt;br /&gt;&lt;br /&gt;This can only be good news. &lt;br /&gt;&lt;br /&gt;Actually, I had no sooner returned from delivering a hard-hitting presentation in central London yesterday, lampooning Commissioner Reding’s team for proposing that data controllers face fines of between 100,000 and 1 million Euros (or 5% of their global turnover), for failing to promptly inform the regulator of a personal data breach (ie within 24 hours), than I learnt from my chums at &lt;b&gt;DataGuidance&lt;i&gt;&lt;/i&gt;&lt;/b&gt; that the proposal has apparently been dropped. &lt;br /&gt;&lt;br /&gt;Excellent to see common-sense breaking out before the wider world starts to question the Commission’s general approach, once what’s left is formally published. &lt;br /&gt;&lt;br /&gt;And let’s hope for better news to come. What about the age of &lt;b&gt;consent&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, for example. Is it really appropriate that people under the age of 18 are considered &lt;b&gt;children&lt;i&gt;&lt;/i&gt;&lt;/b&gt; and therefore unable to give their consent without an adult’s permission? It is surely ludicrous that in the UK, a Chief Constable of Police can authorise a person as young as &lt;b&gt;7&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to be issued with a firearms permit, and yet they will have to wait a further &lt;b&gt;11 years&lt;i&gt;&lt;/i&gt;&lt;/b&gt; before being able, in data protection terms, to &lt;b&gt;consent&lt;i&gt;&lt;/i&gt;&lt;/b&gt; to, say, non essential cookies being placed on their electronic devices.  &lt;br /&gt;&lt;br /&gt;But I digress. Actually, the real purpose of today’s blog was to offer some advice on etiquette and protocol. And especially the protocol on how to behave in the presence of a Commissioner. 
&lt;br /&gt;&lt;br /&gt;Should I be summoned into the presence of a Royal personage, I will have first had a briefing on Royal protocol. So I will feel comfortable with the rules on when to bow, and how deeply, and when I should raise my eyes to look into theirs. What questions should the honoured visitor be asked?  That sort of stuff.&lt;br /&gt;&lt;br /&gt;Some friends of mine are getting awfully excited as they are about to meet a Commissioner.  In fact, they were so excited about the meeting that when they told me, I forgot to ask them what sort of Commissioner it was. So they could be meeting a European Commissioner, or it might be a Police Commissioner, or on the other hand it could just be a Health Services Commissioner.  I really should have inquired. &lt;br /&gt;&lt;br /&gt;But if I were asked to draw up a &lt;b&gt;protocol statement for a Commissioner&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, so my friends would know how to behave and what to expect, what would I do? Well, with tongue very much in cheek, and without being briefed on the seniority (or the sex) of the office holder, I might start with something like this:&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;When they enter you must stand&lt;br /&gt;As they're impossibly grand&lt;br /&gt;But you can sit in a while&lt;br /&gt;When they flash their brilliant smile&lt;br /&gt;&lt;br /&gt;The next time you hear the band&lt;br /&gt;Is when a glove leaves their hand&lt;br /&gt;How alluring, how appealing&lt;br /&gt;Now their jacket's hit the ceiling&lt;br /&gt;&lt;br /&gt;The tension starts to crack&lt;br /&gt;As you spot the dimples on their back&lt;br /&gt;You should start to grin&lt;br /&gt;As you view their glistening shin&lt;br /&gt;&lt;br /&gt;Everyone will agree&lt;br /&gt;They've got a mighty fine knee&lt;br /&gt;You must emit a huge sigh&lt;br /&gt;At first glimpse of their thigh&lt;br /&gt;&lt;br /&gt;You'll be desperate to clap&lt;br /&gt;When they untie that safety strap&lt;br /&gt;And there will be roars 
of applause&lt;br /&gt;As they step out of their drawers&lt;br /&gt;&lt;br /&gt;For it's the Commissioner&lt;br /&gt;Simply, the greatest stripper in town&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;i&gt;&lt;br /&gt;Sources:&lt;/i&gt;&lt;br /&gt;&lt;br /&gt;http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf (Article 79(4)(h))&lt;br /&gt;http://dataguidance.com/news.asp?id=1695&lt;br /&gt;And thanks to Chris de Burgh, whose music was in my mind last night.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-9009486574613567727?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9009486574613567727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9009486574613567727'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/is-commission-discarding-some-articles.html' title='Is someone in the Commission discarding some articles?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-pkJYW3p3UJ8/TxcizJWSjAI/AAAAAAAAAuw/2VE663AnSqM/s72-c/120118%2B-%2Bfeather.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5284427928311611034</id><published>2012-01-17T10:16:00.000-08:00</published><updated>2012-01-17T12:45:02.636-08:00</updated><title type='text'>50 things to do before a data protection 
professional dies (part 2)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-o9qdfb9wwB0/TxW6QgvAe5I/AAAAAAAAAuk/UUwHfrORlrw/s1600/photo.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="240" width="320" src="http://2.bp.blogspot.com/-o9qdfb9wwB0/TxW6QgvAe5I/AAAAAAAAAuk/UUwHfrORlrw/s320/photo.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;Hot on the heels of yesterday’s list is the second half of life-affirming events which may help assess your contribution to the data protection world. &lt;br /&gt;&lt;br /&gt;Given that we tend to surround our daily lives with HR-type objectives, and it’s that time of the year again when we need to think of a few to populate this year’s forms, please feel free to perm some from this list.&lt;br /&gt;&lt;br /&gt;After all, the purpose of the exercise isn’t just to feel some form of personal satisfaction at the conclusion of a data protection career – it’s also to remind our employers that most of the stuff we do is also ultimately for the benefit of them, too.&lt;br /&gt;&lt;br /&gt;So, how many of these have you done?&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;26.  Offer to buy Peter Fleischer a drink after work&lt;br /&gt;27. Pay for professional advice as well as receiving free hospitality from our chums at Bird &amp; Bird, Bristows, Clifford Chance, Covington &amp; Burling, Field Fisher Waterhouse, Linklaters, Morrison &amp; Foerster, Olswang, Pinsent Masons, Speechly Bircham or White &amp; Case (extra points for freeloading off the lot)&lt;br /&gt;28. Persuade your CEO to sign the ICO’s Personal Information Promise   &lt;br /&gt;29. Praise a politician for passing a sensible data protection law (extra points if it’s a British data protection law)&lt;br /&gt;30. Publish an article in a commercial data protection journal&lt;br /&gt;31. 
Purchase a bound copy of the Data Protection Act (extra points if used as a prop when work colleagues get stroppy) &lt;br /&gt;32. Quote sections from the Durant vs FSA Judgment when Subject Access Requesters ask for more than they are entitled to receive&lt;br /&gt;33. Read every word of an opinion from the Article 29 Working Party&lt;br /&gt;34. Reassure the Minister in charge of data protection that you’re just as anxious to create a workable law as he is&lt;br /&gt;35. Smile when your CV is rejected – it’s their loss, not yours!&lt;br /&gt;36. Serve on the Management Committee of the Data Protection Forum for at least a year&lt;br /&gt;37. Shamelessly plagiarise someone else’s work in a presentation, without giving due credit to the rightful author &lt;br /&gt;38. Sing a data protection ditty to the tune of a popular song&lt;br /&gt;39. Speak at a European Commission seminar on some ever so important (but oh so dull) aspect of data protection&lt;br /&gt;40. Support a social event organised by the guys at BigBrotherWatch, or their next door neighbours at the Centre for Policy Studies &lt;br /&gt;41. Take a bottle of wine to a Privacy International party to show that you share their passion to respect fundamental human rights &lt;br /&gt;42. Tell the intelligence agencies that their latest cunning plan complies with all relevant data protection laws&lt;br /&gt;43. Throw an all-nighter to complete the data protection work on a project that’s subsequently cancelled  &lt;br /&gt;44. Understand what the rules on transborder data flows actually mean&lt;br /&gt;45. Volunteer a few hours of your time with a recognised think tank to help them explain some bits of data protection law to a focus group&lt;br /&gt;46. Work with the International Chamber of Commerce to make sense of an obscure EU rule&lt;br /&gt;47. Work with the ICO to get someone successfully prosecuted for a DPA offence&lt;br /&gt;48. 
Work with the police to get someone successfully prosecuted for a DPA-type offence (extra points if the case is heard at the Old Bailey and you avoid national media attention)&lt;br /&gt;49. Write a data protection blog that occasionally sets tongues wagging&lt;br /&gt;50. Propose a toast to absent data protection friends (Dear Shelagh Gaskill, you are still so greatly missed)&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Footnote:&lt;/i&gt;&lt;br /&gt;No, I have not achieved everything on this – yet.  There are a couple I’ve still to tick off. Please feel free to contact me to propose additional challenges – the very best of which may be rewarded with a bottle of Plymouth Gin, as I do seem to have some spare bottles around the place.&lt;br /&gt;&lt;br /&gt;.&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-5284427928311611034?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5284427928311611034'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5284427928311611034'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/50-things-to-do-before-data-protection_17.html' title='50 things to do before a data protection professional dies (part 2)'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-o9qdfb9wwB0/TxW6QgvAe5I/AAAAAAAAAuk/UUwHfrORlrw/s72-c/photo.JPG' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6795792792740174281</id><published>2012-01-16T07:08:00.000-08:00</published><updated>2012-01-17T12:30:24.969-08:00</updated><title type='text'>50 things to do before a data protection professional dies (part 1)</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-NeCwhfY2rSM/TxQ8eNSUgGI/AAAAAAAAAuY/MsxixBkoP4c/s1600/photo.JPG" imageanchor="1" style="clear:left; float:left;margin-right:1em; margin-bottom:1em"&gt;&lt;img border="0" height="240" width="320" src="http://3.bp.blogspot.com/-NeCwhfY2rSM/TxQ8eNSUgGI/AAAAAAAAAuY/MsxixBkoP4c/s320/photo.JPG" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;When you die, how will your contribution to the data protection world be assessed? &lt;br /&gt;&lt;br /&gt;I asked myself this question today as I passed this wooden bench (pictured), on the way to my local farmer’s market.  The brass plate brought a smile: &lt;b&gt;“In memory of Paul Eddington (1927 – 95). Much loved TV and stage actor and local resident.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; He was widely known for his appearances in three of the most popular television comedies of the 1970s and 80s: &lt;b&gt;The Good Life, Yes Minister and Yes, Prime Minister&lt;i&gt;&lt;/i&gt;&lt;/b&gt;. &lt;br /&gt;&lt;br /&gt;Other former neighbours include comedian &lt;b&gt;Tommy Cooper &lt;i&gt;&lt;/i&gt;&lt;/b&gt;, Vietnamese leader &lt;b&gt;Ho Chi Minh&lt;i&gt;&lt;/i&gt;&lt;/b&gt; and Soviet spy &lt;b&gt;Anthony Blunt&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, but their contributions to society have not been marked with inscriptions on local benches. &lt;br /&gt;&lt;br /&gt;I doubt that I’ll be remembered by an inscription on a local bench. But I’m not bothered. 
My name is carved into a flagstone on the floor of &lt;b&gt;Shakespeare’s Globe&lt;i&gt;&lt;/i&gt;&lt;/b&gt;, the theatre on London’s South Bank, to commemorate those who contributed to the building costs some 15 years ago. That’s enough for me. &lt;br /&gt;&lt;br /&gt;But how should data protection professionals assess their careers? How can we decide whether we have lived our professional lives to the full, or whether it’s just been a bit of a joke?  I’m submitting the first half of this 50 point checklist for your comment and approval - and of course I welcome your alternative suggestions.  &lt;br /&gt;&lt;br /&gt;1. Visit the ICO’s offices in Wilmslow&lt;br /&gt;2. Be summoned to the ICO’s offices in Wilmslow&lt;br /&gt;3. Have a quiet word with the Commissioner at his office in Millbank&lt;br /&gt;4. Attend a Privacy Laws &amp; Business conference in Cambridge (extra points for speaking)&lt;br /&gt;5. Attend an ICO Data Protection Officer conference in Manchester (extra points for speaking)&lt;br /&gt;6. Attend an IAPP congress (extra points for speaking)&lt;br /&gt;7. Attend an international conference of Data Protection Commissioners (extra points for speaking)&lt;br /&gt;8. Brief Ministry of Justice officials on a topical data protection problem&lt;br /&gt;9. Challenge your own long-held interpretation of a bit of data protection law&lt;br /&gt;10. Comment on a draft ICO code prior to its publication &lt;br /&gt;11. Co-author some industry specific guidance on an aspect of DPA compliance&lt;br /&gt;12. Dance the night away at a meeting of the Privacy Officers Supper Club&lt;br /&gt;13. Deal with the aftermath of a high profile personal data breach&lt;br /&gt;14. Discuss Larry Ponemon’s “cost of data breach” report with the great man himself&lt;br /&gt;15. Disagree with an opinion expressed by the European Data Protection Supervisor&lt;br /&gt;16. Draft layered privacy policies that people actually read&lt;br /&gt;17. 
Find a way of disagreeing with Dr Chris Pounder on a point of data protection law&lt;br /&gt;18. Get an IAPP privacy qualification &lt;br /&gt;19. Get an ISEB data protection qualification&lt;br /&gt;20. Get an honourable mention in an article published by “The Register” &lt;br /&gt;21. Gracefully accept that a career in data protection will never lead to untold riches&lt;br /&gt;22. Halt the progress of a silly data protection initiative without the people who are proposing it realising what you are doing&lt;br /&gt;23. Implement an employee  training and awareness programme that staff actually enjoy completing&lt;br /&gt;24. Link your LinkedIn profile to that of at least 500 colleagues (extra points for links with data protection professionals from other continents) &lt;br /&gt;25. Meet Mark Zuckerberg&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;The second half of the list will be published tomorrow.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6795792792740174281?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6795792792740174281'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6795792792740174281'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/50-things-to-do-before-data-protection.html' title='50 things to do before a data protection professional dies (part 1)'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-NeCwhfY2rSM/TxQ8eNSUgGI/AAAAAAAAAuY/MsxixBkoP4c/s72-c/photo.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8025913461237403802</id><published>2012-01-14T05:14:00.000-08:00</published><updated>2012-01-14T05:15:55.935-08:00</updated><title type='text'>Cookies: Commission indicates unease at the current rules</title><content type='html'>&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-77pjzhAy0YE/TxF_CLaB47I/AAAAAAAAAuM/BPHtVVreMm8/s1600/cookie%255B2%255D.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"&gt;&lt;img border="0" height="294" src="http://1.bp.blogspot.com/-77pjzhAy0YE/TxF_CLaB47I/AAAAAAAAAuM/BPHtVVreMm8/s320/cookie%255B2%255D.jpg" width="320" /&gt;&lt;/a&gt;&lt;/div&gt;If you read the responses that a couple of the Directorate Generals have made in opposing the Commission’s proposals for a new data protection Directive, you can sense that they’ve just realised how hard it might be for everyone to make sense of the current cookie rules, and how much worse the situation could become should the Commission get its way with its new proposals. &lt;br /&gt;&lt;br /&gt;We’re all busy people, so I’ll just sketch out the high level argument in this blog. The details can be fleshed out by those who really like getting immersed in the legal bumf. All I want to focus on today is the basic issue.&lt;br /&gt;&lt;br /&gt;The argument is that the &lt;b&gt;ePrivacy Directive &lt;i&gt;&lt;/i&gt;&lt;/b&gt;threatens legitimate on-line business, and that it does so by requiring the categorisation of cookies into particular types, only one of which (the &lt;b&gt;“strictly necessary”&lt;i&gt;&lt;/i&gt;&lt;/b&gt; type) can be deployed without first having to obtain the consent of the user. 
If you believe what you read in the leaked Inter service consultation document, the Commission now proposes to compound difficulties by tightening up the definition of “consent” and by preventing people under the age of 18 from giving consent themselves (since only grown-ups are considered capable of giving this type of consent). &lt;br /&gt;&lt;br /&gt;If you read the &lt;b&gt;DG Markt&lt;i&gt;&lt;/i&gt;&lt;/b&gt; comments, for example, you will learn that: &lt;br /&gt;&lt;br /&gt;&lt;b&gt;• “Web analytics used for site optimization and variation testing is an essential part of e-commerce operations, It is likely that under the explicit and specific consent regime a large majority of site visitors would not accept any cookies, giving websites a massively reduced statistical basis on which to make site optimization decisions;&lt;br /&gt;• A trader should be able to promote products which are relevant to a recent purchase the customer has made, without having to ask for “consent” each time when he would have to address the customer. Traders often stress the fact that reconfirming the consent of customers can be 10 times more expensive than the retention of an existing consent. This is a cost many businesses will not afford; especially since consent, extended to all categories of data, will in fact increase the amount of data collected and the costs for date controllers;&lt;br /&gt;• Explicitly removing the less explicit context-based means of obtaining consent is likely to ensure that less users agree to harmless forms of data processing, with a negative impact on the performance of e-commerce operators and the availability of free internet services.&lt;br /&gt;• Further, there is an open question as to whether these proposed measures would affect the interpretation of the E-privacy Directive. At present, the cookie consent requirements ... 
can be satisfied by adequate browser (or other technologies) settings that might require affirmative opt-in consent to receive cookies and may in the future be satisfied by a “Do Not Track” or other setting. However, it would not be possible for a data controller to prove that a data subject consented to receive cookies or permit tracking through their browser or other indirect means of consent unless more privacy invasive tools were employed (such as identity encoded cookies).” &lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;&lt;b&gt;DG Markt&lt;i&gt;&lt;/i&gt;&lt;/b&gt; is also concerned about the difficulties of obtaining consent:&lt;br /&gt;&lt;br /&gt;&lt;b&gt;“The data controller will need to bear the burden of proving that the data subject has given “explicit”, “affirmative”, consent for the processing of their personal data for the specific purposes for which the data was collected. This will in effect push companies and service providers to a registration model, or other business models that rely on identified or authenticated users. This will be:&lt;br /&gt;&lt;br /&gt;• Potentially negative for privacy as it will lead more companies to request more and more personal data from users, held in databases, which will be more “invasive” of personal data and privacy than those presently required;&lt;br /&gt;• Disproportionately costly in terms of compliance, with dubious benefit. Controllers will have to record the various consents and details such as: the time they were given, the purposes for which they were given and the identity of the individual who gave them.”&lt;i&gt;&lt;/i&gt;&lt;/b&gt;&lt;br /&gt;&lt;br /&gt;To say that this challenges the business models of internet-based companies such as Facebook is to put it mildly.&lt;br /&gt;&lt;br /&gt;The criticism from &lt;b&gt;DG Markt&lt;i&gt;&lt;/i&gt;&lt;/b&gt; is pretty strong stuff. 
And it makes it all the more important that we try to implement the current cookie rules in a pragmatic and sensitive way. Otherwise, when the screws are tightened, as is inevitably foreseen by the Commission’s proposals, the “rules” will be ignored to an even greater extent than data controllers currently ignore the transborder data flow rules. &lt;br /&gt;  &lt;br /&gt;And this is why it’s so important that, at least in the UK, the &lt;b&gt;Information Commissioner’s Office&lt;i&gt;&lt;/i&gt;&lt;/b&gt; and the &lt;b&gt;International Chamber of Commerce&lt;i&gt;&lt;/i&gt;&lt;/b&gt; create guidance on implementing the cookie rules that can actually be implemented.  The next meeting of the usual suspects will occur in a few weeks’ time, in central London. I hope to attend that meeting and, subsequently, to comment on any relevant developments.&lt;br /&gt;&lt;br /&gt;&lt;i&gt;Source:&lt;/i&gt;&lt;br /&gt;DG Markt reply to CISNet – delai 20/12/2011 – Data Protection Reform consultation just.c3(2011) 1350739 bis de la DG JUST, p12&lt;br /&gt;&lt;i&gt;&lt;br /&gt;&lt;br /&gt;Situation wanted:&lt;/i&gt;    &lt;br /&gt;If all goes to plan, I will shortly be ceasing full-time employment with my current employer, and will have time on my hands to help others who need pragmatic data protection advice and support. Please let me know if you are aware of anything interesting on the horizon.  
I do prefer policy work to ticking boxes, but we all have our price!&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8025913461237403802?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8025913461237403802'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8025913461237403802'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/cookies-commission-indicates-unease-at.html' title='Cookies: Commission indicates unease at the current rules'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-77pjzhAy0YE/TxF_CLaB47I/AAAAAAAAAuM/BPHtVVreMm8/s72-c/cookie%255B2%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-9172152706083737577</id><published>2012-01-12T11:42:00.001-08:00</published><updated>2012-01-12T12:01:55.988-08:00</updated><title type='text'>Congratulations to our chums at DataGuidance</title><content type='html'>&lt;a href="http://2.bp.blogspot.com/-tU0HJpLyhWM/Tw835nLyfWI/AAAAAAAAAuA/l0OFL3Offlw/s1600/120111%2B-%2BDG%2Bexclusive.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 310px;" src="http://2.bp.blogspot.com/-tU0HJpLyhWM/Tw835nLyfWI/AAAAAAAAAuA/l0OFL3Offlw/s320/120111%2B-%2BDG%2Bexclusive.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5696833516557466978" 
/&gt;&lt;/a&gt;&lt;br /&gt;In a &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;****DataGuidance exclusive****&lt;/span&gt;&lt;/span&gt;  which has just been published online, those intrepid journalists at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;DataGuidance&lt;/span&gt;&lt;/span&gt; report that the publication of the proposal for the review of the data protection directive has been postponed to late February/March.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;****exclusive****&lt;/span&gt;&lt;/span&gt; bit is that they have laid their hands on 3 of the 4 unfavourable opinions I was blogging about yesterday. And, they are making copies of these documents available to their subscribers. No, they didn’t get the copies from me. (But yes, they did ask me, and very nicely, too).&lt;br /&gt;&lt;br /&gt;My guess is that this is the first commercial publishing house to report on the delay. The first legal firm to publish a report was, I think, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Covington &amp; Burlington&lt;/span&gt;&lt;/span&gt;. I read &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Mark Young’s&lt;/span&gt;&lt;/span&gt; posting about 27 hours ago. I have not seen an earlier blog posting to the one I published yesterday, reporting on the delay, but I am far too modest to blow my own trumpet. &lt;br /&gt; &lt;br /&gt;I’m thinking about presenting one of the many bottles of Plymouth Gin that are on their way to me to the person who can claim to have been even faster to the internet than either Mark Young or me with news of the delay. If you think you were the first, then please contact me – with the evidence.&lt;br /&gt;&lt;br /&gt;I’m expecting to see a few more “copy cat” articles in the days and weeks to come. 
Let’s see who can add how much more detail to this story.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;br /&gt;Source:&lt;/span&gt;&lt;br /&gt;&lt;a href="http://1.bp.blogspot.com/-OL4nJQBeJ7M/Tw830LYncJI/AAAAAAAAAt0/6iQWQckjGCM/s1600/120112%2B-%2BCov%2B%2526%2BBurlington.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 229px;" src="http://1.bp.blogspot.com/-OL4nJQBeJ7M/Tw830LYncJI/AAAAAAAAAt0/6iQWQckjGCM/s320/120112%2B-%2BCov%2B%2526%2BBurlington.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5696833423195730066" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-9172152706083737577?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9172152706083737577'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9172152706083737577'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/congratulations-to-our-chums-at.html' title='Congratulations to our chums at DataGuidance'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-tU0HJpLyhWM/Tw835nLyfWI/AAAAAAAAAuA/l0OFL3Offlw/s72-c/120111%2B-%2BDG%2Bexclusive.JPG' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2379633612998193289</id><published>2012-01-12T03:25:00.001-08:00</published><updated>2012-01-24T10:49:21.903-08:00</updated><title type='text'>Is this the speech that Commissioner Reding will deliver on 25 January?</title><content type='html'>&lt;a href="http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s1600/reding%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 292px; height: 320px;" src="http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s320/reding%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5696705355064286754" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;Check against delivery&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Ladies and Gentlemen&lt;br /&gt;&lt;br /&gt;Before I depart for the World Economic Forum at Davos in Switzerland, where I plan to spend the rest of the week conferring with world leaders and others who are at least as important as me, I have decided to announce that you will have to wait a little longer for the Commission to publish its proposals to revise the current data protection directive.&lt;br /&gt;&lt;br /&gt;Yes, I know that you were all expecting something substantive by Data Protection Day. So was I, to be frank with you. After all, who would have thought that so many people might want to get so upset with the proposals that my officials had so carefully worked on for so many months. I think that’s rude. You lot should have been grateful for what you were going to be given.&lt;br /&gt;&lt;br /&gt;Now, the cat’s really out of the bag. It’s not just about defending the basic human rights of individuals any more. 
Even data controllers think they’ve got rights these days, and they’ve been working frantically behind the scenes to ensure that whatever does emerge from the Commission recognises those rights to a far greater extent than I thought they deserved.&lt;br /&gt;&lt;br /&gt;So, I have failed. I had hoped to have presented you with a package that was so tilted to the rights of the individual that there would have been riots in the streets when citizens became aware that companies, institutions and public authorities wanted to dilute them. &lt;br /&gt;&lt;br /&gt;I am sorry. My officials will now continue their hard work to ensure that the rights of individuals are at least balanced against the legitimate interests of businesses and public authorities. &lt;br /&gt;&lt;br /&gt;I really don’t know how long this additional period of internal consultation will last. After all, my officials are busy people, and there are other things on their plate, some of which are much more important than changes to the data protection regime.&lt;br /&gt;&lt;br /&gt;I am pleased to announce today that I am hoping that the draft legislative proposal will be published in mid-March. But you know me. I am an eternal optimist. I always look on the bright side of life, and I always live in hope that we can resolve our differences by a series of amicable and constructive discussions.&lt;br /&gt;&lt;br /&gt;Will the world come to an end if the proposal is not published in mid-March? &lt;em&gt;&lt;strong&gt;&lt;em&gt;No. &lt;/em&gt;&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Are data controllers capable of applying the current rules in a flexible manner, ignoring the bits that are hopelessly out of date? &lt;strong&gt;&lt;strong&gt;&lt;em&gt;Yes&lt;/em&gt;.&lt;/strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;Will I be bothered if I have to announce in mid March that the review will take even longer before it can be shared more widely? 
&lt;strong&gt;&lt;strong&gt;&lt;em&gt;Not really&lt;/em&gt;.&lt;/strong&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;The current review will take as long as it takes. So please wait, with patience, good humour and a sense of compassion for those who are straining every sinew to knock heads together and to make some sense of this shambles.&lt;br /&gt;&lt;br /&gt;I won’t be taking any questions today. &lt;br /&gt;&lt;br /&gt;Now, I’m off to Davos.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Sources:&lt;/em&gt;&lt;br /&gt;If I were asked to draft a speech for Commissioner Reding, scheduled for delivery on 25th January, this is what I would submit.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2379633612998193289?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2379633612998193289'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2379633612998193289'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/is-this-speech-that-commissioner-reding.html' title='Is this the speech that Commissioner Reding will deliver on 25 January?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-LVCEtpEq5CM/Tw7DVoasHiI/AAAAAAAAAto/LJYlNSk9GSw/s72-c/reding%255B1%255D.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8200636806373704719</id><published>2012-01-12T01:09:00.000-08:00</published><updated>2012-01-12T01:15:40.764-08:00</updated><title type='text'>Cookies: even more guidance coming soon</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-olUo2ArmXAA/TlaZtwlmBRI/AAAAAAAAAiM/zrFC9ktx620/s1600/cookie%255B2%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 294px;" src="http://2.bp.blogspot.com/-olUo2ArmXAA/TlaZtwlmBRI/AAAAAAAAAiM/zrFC9ktx620/s320/cookie%255B2%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5644868194371241234" /&gt;&lt;/a&gt;&lt;br /&gt;Hot on the heels of the &lt;em&gt;&lt;strong&gt;revised ICO cookie guidance&lt;/strong&gt;&lt;/em&gt; that was launched last month comes word that the mighty UK Chapter of the &lt;em&gt;&lt;strong&gt;International Chamber of Commerce&lt;/strong&gt;&lt;/em&gt; is close to publishing its own guide to compliance. &lt;br /&gt;&lt;br /&gt;The usual suspects will soon be placing cold towels around their heads as they try to work out the differences between the ICO’s and ICC’s advice, and to advise about what people should be doing next.&lt;br /&gt;&lt;br /&gt;Don’t scold yourself too severely if you have not already digested the ICO’s latest effort. Published on 13th December (right in the middle of the Xmas party season), the 27 page document tries as hard as it can to explain what the law now is, and how responsible data controllers might choose to comply with it. The unwritten subtext is pretty clear – that the ICO did not create the law, so it shouldn’t be blamed for the position that data controllers currently find themselves in. 
What you get this time is examples (and pictures) of the types of words that the ICO considers could usefully appear on websites, and where the text should ideally be positioned for the maximum &lt;em&gt;&lt;strong&gt;regulatory&lt;/strong&gt;&lt;/em&gt; impact.  &lt;br /&gt;&lt;br /&gt;I explained this to some friends who run websites a few days ago and was taken aback by their incomprehension. It was pretty clear that I was speaking a very different language to that which they use.&lt;br /&gt;&lt;br /&gt;“What on earth do you mean?” they challenged me, incredulous that anyone would want to focus on designing websites for maximum regulatory impact, rather than in terms of what customers actually wanted to experience for themselves. I was told about piles of consumer research which suggested that the very best websites these days try their very hardest to tailor their content to the needs of the individual user. As far as they were concerned, this well-intentioned initiative was going to struggle to survive in its present form.&lt;br /&gt;&lt;br /&gt;The core of the problem seems to lie in a common understanding about why certain websites exist in the first place, and in &lt;em&gt;&lt;strong&gt;customers’ unwillingness &lt;/strong&gt;&lt;/em&gt;to want to understand the magic that goes on behind the scenes to give them the content they want when they visit a website. I was told that the regulatory solution – one of &lt;em&gt;&lt;strong&gt;consent&lt;/strong&gt;&lt;/em&gt; – is not really achievable, as users are very unlikely to genuinely have sufficient knowledge about cookies to actually be capable of providing this consent. Finally, the web designers I have spoken to have very firm views on what cookies are &lt;em&gt;&lt;strong&gt;strictly necessary&lt;/strong&gt;&lt;/em&gt;, and their views are not reflected by the ICO. 
&lt;br /&gt; &lt;br /&gt;Let’s unpack this a little.&lt;br /&gt;&lt;br /&gt;First, it’s important to understand that websites are created for a range of purposes, by organisations who have very different views about the prominence they play in the overall offering to the customer. While some well known organisations are principally known as purely on-line companies (eg Amazon, Facebook, BBC and other media organisations), most of those who have an internet presence also employ specialist Customer Services staff. The consumer research I have seen suggests that websites are not very helpful when customers have a problem that needs resolving then and there, where handling or seeing a product is important, or when quite specialised advice is needed in order to make a decision. Such cases are better resolved when a customer deals with a real person.  Websites excel when they spread general advice, facilitate social or professional networking contacts or allow users to purchase standard items (say groceries, books or concert tickets).&lt;br /&gt;&lt;br /&gt;The consumer research I have seen suggests that consumers really don’t want to know about the magic that goes on behind the scenes to put relevant content in front of the user. And the discussions I have had with web developers indicate a degree of incredulity that they would ever deploy cookies that were not &lt;em&gt;&lt;strong&gt;strictly necessary&lt;/strong&gt;&lt;/em&gt; to maximise the user’s on-line experience. These developers were painfully aware of the fatal consequences of getting a website wrong – customers don’t return in huge numbers and the result is commercial death. (To paraphrase the Bard: &lt;em&gt;Wherefore art thou, Bebo?&lt;/em&gt;)&lt;br /&gt;&lt;br /&gt;This is one of the fault lines of the ICO’s advice. 
Its analysis of the lawfulness of using certain cookies without specific consent is based on &lt;em&gt;&lt;strong&gt;functionality &lt;/strong&gt;&lt;/em&gt;(ie &lt;em&gt;“is it possible for a web site to operate without this cookie”&lt;/em&gt;) while others base the legitimacy of their cookies on the &lt;em&gt;&lt;strong&gt;perceived expectations &lt;/strong&gt;&lt;/em&gt;of the user (ie &lt;em&gt;“is this the best experience that we can offer the user so that this website gives them what they want, when they want it, and how they want it?”&lt;/em&gt;). &lt;br /&gt;&lt;br /&gt;The ICO’s solution can be summarised in 3 words: &lt;em&gt;&lt;strong&gt;“Education and consent”.&lt;/strong&gt;&lt;/em&gt; Education can take the form of long lists of cookies being published on a website. (Yet, I’m also told by the ICO that long explanations in privacy policies generally don’t work, as people ignore them.) Consent can take the form of a process which suggests that the user has “accepted” something. The real problem, of course, is that if we are not careful, some litigant will argue that this is hardly proper “consent”, because the user simply ticked some boxes and, not having read the accompanying bumf, didn’t really know what they were consenting to anyway.  So it doesn’t meet the really high definition of “consent” in the Data Protection Directive.&lt;br /&gt;&lt;br /&gt;Is all lost? It’s never all lost. Soon, I’ll get to review the approach recommended by the International Chamber of Commerce. I’ll then be able to work out whether customer behaviour is likely to change as a result of that guidance, and whether website operators are getting any closer to finding a solution to a legislative issue that wasn’t much of a problem in the first place. 
&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Source:&lt;/em&gt;&lt;br /&gt;http://www.ico.gov.uk/news/latest_news/2011/must-try-harder-on-cookies-compliance-says-ico-13122011.aspx&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8200636806373704719?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8200636806373704719'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8200636806373704719'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/cookies-even-more-guidance-coming-soon.html' title='Cookies: even more guidance coming soon'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-olUo2ArmXAA/TlaZtwlmBRI/AAAAAAAAAiM/zrFC9ktx620/s72-c/cookie%255B2%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-9027734749621391884</id><published>2012-01-11T06:18:00.000-08:00</published><updated>2012-01-11T10:08:18.661-08:00</updated><title type='text'>The Commission’s 2012 Data Protection Day “present” prematurely scuppered?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s1600/cinderella%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 226px;" 
src="http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s320/cinderella%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5695749078392135122" /&gt;&lt;/a&gt;&lt;br /&gt;The pantomime season continues. I understand that the Commission’s plans to commemorate 2012 Data Protection Day by publishing its proposals for a new legislative framework are unravelling, fast. This is because the results of the Inter service consultation are in. Some of those that have been consulted are really very unhappy with the proposals. Four Directorate-Generals have gone so far as to issue formal &lt;em&gt;&lt;strong&gt;unfavourable opinions&lt;/strong&gt;&lt;/em&gt;, which could really slow things down. &lt;br /&gt;&lt;br /&gt;For those not in the know, the Inter service consultation process requires each respondent to return a form to the sponsoring Directorate General and check one of three boxes to indicate their high level position on the matter. The options are (1) &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Favourable opinion&lt;/span&gt;&lt;/span&gt;, (2) &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Favourable opinion subject to account being taken of the following comments&lt;/span&gt;&lt;/span&gt;, and (3) &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Unfavourable opinion (see attached comments)&lt;/span&gt;&lt;/span&gt;. &lt;br /&gt;&lt;br /&gt;Of the unfavourable opinions, &lt;em&gt;&lt;strong&gt;DG Trade’s&lt;/strong&gt;&lt;/em&gt; two page reply points out that the proposal &lt;em&gt;&lt;strong&gt;“is likely to have a significant negative impact on EU cross border trade”. &lt;/strong&gt;&lt;/em&gt;The &lt;em&gt;&lt;strong&gt;European Anti-Fraud Office (OLAF)&lt;/strong&gt;&lt;/em&gt; sent in a six page response focussing on 17 specific aspects of the proposed package. 
The &lt;em&gt;&lt;strong&gt;Information Society &amp; Media Directorate General &lt;/strong&gt;&lt;/em&gt;submitted a 22 page response, making some quite detailed points and recommending a number of specific changes to the text. &lt;br /&gt;&lt;br /&gt;Finally, &lt;em&gt;&lt;strong&gt;DG Markt&lt;/strong&gt;&lt;/em&gt; prepared a 26 page document outlining their reservations. The language is cold and uncompromising: &lt;em&gt;&lt;strong&gt;“In bilateral meetings between DG MARKT and DG JUST your services have highlighted pragmatic and balanced approaches to data protection. However, we considers (sic) the ISC draft in its present form might lead to important and even dangerous consequences for businesses and citizens / users / consumers as main data protection principles would be applied in an inflexible manner without taking into account the context of the processing of information."&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;This is pretty sensational stuff. And it changes the procedures that now have to be followed before the proposals can be formally published. Basically, the civil servants urgently need to find a compromise with each of these 4 Services, and if they are unwilling or unable to reach a compromise, the issue has to be elevated and referred to the next meeting of the College of Commissioners. Here, political discussions will take place to resolve the issues at the level of the Commissioners themselves. I don’t think they’ll be that happy – especially since I reported in yesterday’s blog that work on revising the current Directive is only prioritised at 42nd place in the Commission’s inventory of 78 outstanding issues.&lt;br /&gt;&lt;br /&gt;So, given the fundamental nature of so many of the objections, and the status of the European institutions who have issued these unfavourable opinions, will it really be possible for harmony to break out within the next two weeks? And for a text to be revised that takes full account of these objections? 
&lt;br /&gt;&lt;br /&gt;I think not. &lt;br /&gt;&lt;br /&gt;And if I’m right, a number of my learned friends may have to hastily postpone the events they are currently organising to discuss the thing as soon as it appears. &lt;br /&gt;&lt;br /&gt;Then again, I did ask back in my blog posting of 26 September 2011 &lt;strong&gt;&lt;em&gt;“What comes first? St Valentine’s Day or a new draft DP Directive?”&lt;/em&gt;&lt;/strong&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Sources:&lt;/em&gt;&lt;br /&gt;Applications for copies of these opinions should really be sent directly to the Directorate Generals themselves. Very close friends may get one from me, if they would be so kind as to enclose a bottle of Plymouth Gin with their request.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-9027734749621391884?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9027734749621391884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/9027734749621391884'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/commissions-2012-data-protection-day_11.html' title='The Commission’s 2012 Data Protection Day “present” prematurely scuppered?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s72-c/cinderella%255B1%255D.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7703163835955180221</id><published>2012-01-10T10:47:00.001-08:00</published><updated>2012-01-10T11:08:40.799-08:00</updated><title type='text'>The European Data Protection Supervisor shows us his list</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-s5eE7QFpNu8/TwyHzB7PvII/AAAAAAAAAtc/zeN2rnS0zeg/s1600/120110a%2B-%2Bhustinx.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 213px;" src="http://2.bp.blogspot.com/-s5eE7QFpNu8/TwyHzB7PvII/AAAAAAAAAtc/zeN2rnS0zeg/s320/120110a%2B-%2Bhustinx.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5696076939476843650" /&gt;&lt;/a&gt;&lt;br /&gt;Truth really is stranger than fiction.&lt;br /&gt;&lt;br /&gt;Yesterday, for example, I blogged (in a light-hearted manner) about an imaginary 37 point plan that Commissioner Viviane Reding would unveil on International Data Protection Day (28th January) “which commits the Commission to sweeping away the rights of Member States to create their own data protection rules”. &lt;br /&gt;&lt;br /&gt;Surely, I thought to myself, no-one really works to things as complicated as 37 point plans any more. &lt;br /&gt;&lt;br /&gt;But I was wrong.&lt;br /&gt;&lt;br /&gt;No sooner had I published yesterday’s blog than friends from Brussels contacted me with the news that it was not only Commissioner Reding who had a lot on her plate. This very day, for example, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Hustinx, the European Data Protection Supervisor&lt;/span&gt;&lt;/span&gt; would announce his own workload for 2012. 
Peter’s tasks will complement the European Commission’s very own agenda (or inventory) – which has &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;78&lt;/span&gt;&lt;/span&gt; separate items which need tracking and resolving.&lt;br /&gt;&lt;br /&gt;And to show just how frantically busy Peter is going to be, today he announced that he will issue an opinion on &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;32&lt;/span&gt;&lt;/span&gt; items in the inventory. Additionally, he may comment or issue an opinion on a further &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;27&lt;/span&gt;&lt;/span&gt; items. And as for the remaining &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;19&lt;/span&gt;&lt;/span&gt; items? Well, apparently he’ll just be following developments.&lt;br /&gt;&lt;br /&gt;So, a minimum of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;32&lt;/span&gt;&lt;/span&gt; opinions from Peter Hustinx to look forward to this year. Mmmmmmmm. Can’t wait.&lt;br /&gt;&lt;br /&gt;It’s interesting to note the order in which the European Commission has prioritised the inventory. It reads like a political hit parade, with the most important issue ranked No 1, and the least important one (which concerns an Anti-Counterfeiting Trade Agreement) languishing at the bottom at No 78.&lt;br /&gt;&lt;br /&gt;Other interesting rankings are an EU-US consumer protection cooperation agreement (No 71), and the development of EU driving licences containing microchips (No 63). &lt;br /&gt; &lt;br /&gt;Work on a new Data Protection Directive comes in at 42 on the list. Work on making the internet a safer place for children slips in at No 33. Common rules on data breach notifications are at No 26. 
Revised rules on the retention of communications records for law enforcement purposes streak in ahead of these at No 16.&lt;br /&gt;&lt;br /&gt;And the most pressing priority?&lt;br /&gt;&lt;br /&gt;No, it’s not about protecting the Euro. Actually it’s about the transparency rules on the financing of the Common Agricultural Policy. It seems that some farmers are pretty miffed that their basic human rights may be compromised if Member States were obliged to publish details of all subsidies to beneficiaries of payments under the CAP and rural development policy. And, some courts have held that these farmers may have a point.&lt;br /&gt;&lt;br /&gt;Some point!&lt;br /&gt; &lt;br /&gt;Peter Hustinx might want to have a word with former (British) &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Information Commissioner Richard Thomas&lt;/span&gt;&lt;/span&gt; about this. After all, Richard faced similar issues when deciding whether politicians needed to own up about making “subsistence” claims for duck houses and moat cleaners a few years ago. The roar from the crowd when they realised they might have been ripped off must have been heard all the way from Westminster to Rotherham.  &lt;br /&gt;&lt;br /&gt;So, I don’t think that Peter needs to spend too much time on priority No 1. I think he should make it pretty clear that the basic human right of privacy can turn into a very qualified right when someone consciously applies for public funds for a purpose which is subsequently seen as dishonest or unconscionable. 
&lt;br /&gt; &lt;br /&gt;Let’s see how Peter opines on that one.&lt;br /&gt;&lt;br /&gt;And let’s hope that, even with a workload as heavy as his, Peter still manages to get out from his office frequently and travel all over Europe to assess life as we live it, rather than just life as it is imagined from Brussels.&lt;br /&gt; &lt;br /&gt;(If he needs anyone to carry his bags, I will be available quite soon.)&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Priorities/12-01-10_Inventory%202012%20external_EN.pdf&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7703163835955180221?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7703163835955180221'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7703163835955180221'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/european-data-protection-supervisor.html' title='The European Data Protection Supervisor shows us his list'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-s5eE7QFpNu8/TwyHzB7PvII/AAAAAAAAAtc/zeN2rnS0zeg/s72-c/120110a%2B-%2Bhustinx.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2055015947810680067</id><published>2012-01-09T13:34:00.000-08:00</published><updated>2012-01-09T14:18:27.677-08:00</updated><title type='text'>The Commission’s 2012 Data Protection Day secrets prematurely revealed?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s1600/cinderella%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 226px;" src="http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s320/cinderella%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5695749078392135122" /&gt;&lt;/a&gt;&lt;br /&gt;Last night I dreamt that I had been passed another sensational set of documents that the European Commission had been expected to keep secret until European Data Protection Day. &lt;br /&gt;&lt;br /&gt;In an amazing breach of security within the European Commission, the Directorate General responsible for press launches and pronouncements (also known as DG XVIIXV) appeared to leak details of not only what initiatives will be launched by the Commission on European Data Protection Day, but also what Commissioner Viviane Reding will be wearing as she formally launches them.&lt;br /&gt;&lt;br /&gt;Pictured (left) are the 3 outfits that Commissioner Reding is apparently due to slip into for the Data Protection Breakfast, Data Protection Brunch and Data Protection Dinner events that will be held in Brussels on 28 January. 
Designed by international couturier &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Harknee Onlea&lt;/span&gt;&lt;/span&gt;, the clothes are set to frame three very significant (and different) types of initiatives that are to flower over the next few years.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Data Protection Breakfast dress&lt;/span&gt;&lt;/span&gt;, pictured centre, represents Commissioner Reding’s current aim which, as she sees it, is to clean up the mess of a couple of decades of anarchy by Member States, who have for too long wanted things all their own way.  At this event, she will unveil a 37 point plan which commits the Commission to sweeping away the rights of Member States to create their own data protection rules, and with a few strokes of her magic broom, she’ll tidy up the data protection clutter that various controllers prefer to think of as rules which their own citizens quite like.&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Data Protection Brunch dress&lt;/span&gt;&lt;/span&gt;, pictured left, represents Viviane’s next aim, which is to look friendly to those funny foreigners who prefer to play by other rules. You know the people I mean, the “foreigners” whose place of establishment is outside the EEA. Those that, for reasons best known to themselves, believe that data flows around the world, rather than just within EEA boundaries. So we can expect her to be announcing at the brunch that she'll be doing a lot of travelling in this outfit (tights being optional in the hotter climates), as she works tirelessly, visiting the many hundreds of countries on the Commission’s list which do not yet officially have “adequate” data protection standards. 
&lt;br /&gt;&lt;br /&gt;Finally, the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Data Protection Dinner Dress&lt;/span&gt;&lt;/span&gt;, pictured right, represents Viviane’s aim to ensure that the Commission’s new legislative framework, to be unveiled at precisely midnight on Data Protection Day, receives the full scrutiny it deserves before negotiators from the Member States collapse with exhaustion and agree something, anything, rather than continue the interminable discussions. In a master stroke, the designers have cleverly hidden a couple of travel pillows inside her outfit, so Viviane can snatch some proper rest while everyone else continues the marathon arguments over the wording of the 398 draft Articles (and the 1,649 whereas clauses) in the months and years ahead.&lt;br /&gt; &lt;br /&gt;There is a silver lining to this calamity though. The early reporting of this unprecedented security breach has at least given international couturiers &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Harknee Onlea&lt;/span&gt;&lt;/span&gt; a few more weeks to make some last minute tweaks to Commissioner Reding’s costumes, so they will come as a genuine surprise to those who get to see her on International Data Protection Day.&lt;br /&gt; &lt;br /&gt;As for the rest of the carefully worked out 37 point plan, the announcements of visits to hundreds of foreign countries and the publication of all 398 articles and whatever else passes for proposals for a revised legal framework, that pantomime might as well continue as planned. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;It is Christmas, after all, and I may well have been at the pies. They bring on odd dreams.  
I have also been to see &lt;span style="font-style:italic;"&gt;Cinderella &lt;/span&gt;at the &lt;span style="font-style:italic;"&gt;Hackney Empire&lt;/span&gt;, and can recommend it most warmly to all data protection folk who have a sense of humour. &lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2055015947810680067?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2055015947810680067'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2055015947810680067'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/commissions-2012-data-protection-day.html' title='The Commission’s 2012 Data Protection Day secrets prematurely revealed?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-DpFABReVIdo/TwtdnANSXdI/AAAAAAAAAtQ/wGbig3nlA8I/s72-c/cinderella%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3815742916252555623</id><published>2012-01-09T01:57:00.001-08:00</published><updated>2012-01-09T02:13:41.432-08:00</updated><title type='text'>Assessing fair sanctions for Subject Access Mistakes</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-XtkWtwHLUfc/Twq6E0x_z2I/AAAAAAAAAtE/eSdkhoqPVf0/s1600/Cucking_stool%255B1%255D.png"&gt;&lt;img 
style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 230px;" src="http://3.bp.blogspot.com/-XtkWtwHLUfc/Twq6E0x_z2I/AAAAAAAAAtE/eSdkhoqPVf0/s320/Cucking_stool%255B1%255D.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5695569270814003042" /&gt;&lt;/a&gt;&lt;br /&gt;It won’t be long now before the European Commission publishes its proposals for a revised legal framework, and will then be required to face the reaction. Given that many of the politicians who will be required to take the final vote on the measure may not even have been elected to the European Parliament yet, I don’t want to focus too greatly on the current draft (the infamous Version 56, currently undergoing some form of EC Interservice consultation).&lt;br /&gt;&lt;br /&gt;But, I have been wondering how some of the sanctions in the document might be credibly applied. And, as I’ve just completed my own annual review of assessments that the ICO has made of complaints that were made about my current employer, I’ve been wondering just how it could fairly wield some of the very considerable powers that are contemplated.&lt;br /&gt;&lt;br /&gt;To be more specific, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;there are powers to fine data controllers between 500 Euros and 600,000 Euros (or up to 3% of their turnover if they are a company) if they intentionally or negligently impose a standard Subject Access Fee, or fail to fully respond to a Subject Access Request within one month.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Such penalties are about as appropriate as a medieval ducking stool. In 20 years as a data protection professional I’ve never heard of a case where such a penalty is remotely relevant. 
If any evidence exists, I will be challenging the European Commission (or a data protection regulator) to publish it, to put all our minds at rest.&lt;br /&gt;&lt;br /&gt;If I were a determined individual, I could easily cause havoc for data controllers by flooding their offices with Subject Access Requests and then complaining very loudly when, after a month, not enough information had been supplied to meet my whims. And then I would probably complain even louder to the Ministry of Justice and to everyone else who would listen when it became clear that the ICO felt that it had better things to do than to take action against every data controller who was subsequently complained about.&lt;br /&gt;&lt;br /&gt;Let’s unpick this a little – because the root cause lies with the European Commission giving vague rights to people, who will then get understandably frustrated when the regulators find it impractical and undesirable to enforce them.&lt;br /&gt;&lt;br /&gt;What’s going to happen? &lt;br /&gt;&lt;br /&gt;Well, it looks as though the Commission will extend the categories of information about people (and objects) that will fall within the definition of “Personal data”. And, in giving individuals the right to access all this information free of charge (unless they make repeated requests or they are manifestly excessive, in particular because of their repetitive character), I predict that data controllers’ inboxes will soon start to overflow with requests from the mildly (or obsessively) curious, rather than from those who actually need the information for a good reason.&lt;br /&gt;&lt;br /&gt;Many applicants do need information for a good reason. They may have a legitimate complaint, or need the stuff to help defend themselves against accusations that they are innocent of. But there are also those people who just appear to have time on their hands. 
Believe me, I’ve dealt with them.&lt;br /&gt;&lt;br /&gt;This is why I like the concept of a Subject Access Request fee, as at least it deters some applicants, particularly those who have unreasonably high expectations of customer service departments.  I find that the vast majority of such applicants decide not to pursue their Subject Access Request when they have to exchange just a little bit of their own money for information that most often has been assembled for them at a far greater cost. The costs, of course, are generally in redacting inappropriate material from the raw information initially swept up, removing from the records the information which the applicant is not entitled to see, and simply correcting the shorthand, grammar and spelling of contemporaneous notes made by Customer Service Advisors.&lt;br /&gt;&lt;br /&gt;But how will the ICO take action when it gets complaints from unhappy Subject Access Request applicants? After all, technical breaches will always occur as it takes time to assemble (and redact) the relevant information, and the ICO will generally only be aware of the cases where an applicant has decided to complain. &lt;br /&gt;&lt;br /&gt;In 2011, for example, less than 20 of the some 18 million customers my company deals with complained to the ICO about problems relating to Subject Access Requests.  Yes, 20 complaints are 20 too many complaints. But, these 20 complainants comprised less than 3% of all the Subject Access Requests that were dealt with by my company in 2011. And, even after a thorough investigation, the ICO still didn’t find fault with the way that a number of them had been dealt with. While in others, the fault lay in complicated requests taking slightly longer than 40 days to fully deal with. &lt;br /&gt; &lt;br /&gt;So, is an ICO assessment about less than 3% of a corporate workload a cause for concern? Or is it a cause for celebration that the company appears to be getting many things right? 
And just how will the ICO be capable of commencing meaningful disciplinary action against a data controller if it can’t fully take into account the overwhelming majority of cases where, evidently, applicants are satisfied with what they have received?&lt;br /&gt;&lt;br /&gt;I really don’t know. But, don’t panic!  We’ve got a good few years to find out, before these potentially grotesque fining powers come into force.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;The full details of the proposed administrative sanctions are to be found in Article 79.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3815742916252555623?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3815742916252555623'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3815742916252555623'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/assessing-fair-sanctions-for-subject.html' title='Assessing fair sanctions for Subject Access Mistakes'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-XtkWtwHLUfc/Twq6E0x_z2I/AAAAAAAAAtE/eSdkhoqPVf0/s72-c/Cucking_stool%255B1%255D.png' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8022039170065269708</id><published>2012-01-06T05:00:00.001-08:00</published><updated>2012-01-06T05:23:52.195-08:00</updated><title type='text'>Tracking shoppers in retail centres: the Daily Mail throws a hissy fit</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-6OIW1dJpM6Y/Twbwm1hptCI/AAAAAAAAAs4/TPfWp3mC06k/s1600/120106%2B-%2Btracking.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 238px;" src="http://1.bp.blogspot.com/-6OIW1dJpM6Y/Twbwm1hptCI/AAAAAAAAAs4/TPfWp3mC06k/s320/120106%2B-%2Btracking.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5694503328850490402" /&gt;&lt;/a&gt;&lt;br /&gt;Apparently there’s not much real news at the moment, so some of the newspapers have filled their pages with stuff that really oughtn’t be read by sensible folk.&lt;br /&gt;&lt;br /&gt;Yesterday, for example, I was reading about how: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Shops are secretly tracking your every move by snooping on your mobile - WITHOUT asking permission”&lt;/span&gt;&lt;/span&gt;. Oh, that sounds naughty. Time to rustle up a posse from the ICO to stop this stuff, or should we read on and work out just what is happening, and whether it’s actually causing anyone any harm?&lt;br /&gt;&lt;br /&gt;When you actually read the article, it becomes clear that the headline writer evidently didn’t bother reading it, as if they had, I would have expected a much less sensationalist headline.&lt;br /&gt;&lt;br /&gt;Quickly, you realise that it’s not the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“death knell for privacy”&lt;/span&gt;&lt;/span&gt;, which was one of the claims I read yesterday. 
Actually, it’s a great example of a &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“privacy enhancing technology”&lt;/span&gt;&lt;/span&gt; that renders a mobile phone user anonymous and still gives the retail centre the critical information it actually needs.&lt;br /&gt;&lt;br /&gt;For the privacy wonks that bother about such matters, what actually happens is that the tracking technology which has been specially installed in various locations in retail centres detects an electronic signature which comes from mobile phones. But, and here is the clever bit, the electronic signature that is detected from the mobile phone actually changes pretty frequently, for network security reasons. So, while the technology might well track what shops I visit in a retail complex today, it’s not able to work out, if I were to return to the retail centre tomorrow, that I was there today, and what it was that I was doing there today. So, it’s not able to build up a pattern of “my” behaviour.  &lt;br /&gt;&lt;br /&gt;Big Brother, it ain’t. &lt;br /&gt;&lt;br /&gt;And I’m glad to note that even &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;BigBrotherWatch&lt;/span&gt;&lt;/span&gt; declined to adopt a sensationalist approach when they were offered the chance to publicise the “story”. 
Instead of couching their comments in shrill tones and exclamation marks, they reported on amicable and constructive discussions that had taken place between their representatives and the manufacturers of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;‘FootPath’&lt;/span&gt;&lt;/span&gt; technology, manufactured by UK company &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Path Intelligence&lt;/span&gt;&lt;/span&gt;, which is used in some UK retail centres: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Customers are notified that the technology is in use by signs around the premises, but are otherwise unaware their movements are being monitored. There is a risk that companies will not publicise what equipment is being used to avoid negative publicity of this kind. FootPath should be applauded for their efforts to publicise what is going on, and they have been open and honest in talking to Big Brother Watch about their work. We have been assured that no personal information is collected, and that it is impossible to connect their data with the identity of handset owners, even at the request of the police. 
The company has reassured us that they only supply aggregate data on an hour-by-hour basis, and refuse to disclose individuals’ movements or provide real-time information.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now, if those good folk at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;BBW&lt;/span&gt;&lt;/span&gt; can get it right, then there’s even less reason for some headline writer to try and whip the Daily Mail readership into a hissy fit about nothing of any consequence.&lt;br /&gt;&lt;br /&gt;I’m so glad to have got that off my chest.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.dailymail.co.uk/sciencetech/article-2067187/Privacy-invasion-Shops-secretly-track-snooping-mobile.html&lt;br /&gt;http://www.dailymail.co.uk/debate/article-2067665/Mobile-phone-tracking-high-street-stores-death-knell-privacy-care.html&lt;br /&gt;http://www.bigbrotherwatch.org.uk/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8022039170065269708?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8022039170065269708'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8022039170065269708'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/tracking-shoppers-in-retail-centres.html' title='Tracking shoppers in retail centres: the Daily Mail throws a hissy fit'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-6OIW1dJpM6Y/Twbwm1hptCI/AAAAAAAAAs4/TPfWp3mC06k/s72-c/120106%2B-%2Btracking.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2377077565587156311</id><published>2012-01-03T12:23:00.001-08:00</published><updated>2012-01-03T12:37:28.023-08:00</updated><title type='text'>ICO reveals its 2012 targets -as do I</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-hvy-0PaSYWk/TwNlkX6OYII/AAAAAAAAAss/tYzOaKS6Mkw/s1600/120103%2B-%2Bstrategya.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 198px; height: 320px;" src="http://1.bp.blogspot.com/-hvy-0PaSYWk/TwNlkX6OYII/AAAAAAAAAss/tYzOaKS6Mkw/s320/120103%2B-%2Bstrategya.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5693506029494362242" /&gt;&lt;/a&gt;&lt;br /&gt;A late Xmas present arrived on my desk today – the Commissioner has written to me outlining his 2012 Information Rights Strategy. While the ICO’s general duties require his officials to educate, empower, engage, enable and enforce, this simply can’t be comprehensively done given the resources available to the folk in Wilmslow. Choices must be made.  To quote a phrase in pretty common use in 2011, the ICO has to be&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt; “selective to be effective”&lt;/span&gt;&lt;/span&gt;. And, in 17 pages, the document sets out the areas which have been prioritised as meriting special attention this year.&lt;br /&gt;&lt;br /&gt;One of the underlying outcomes is the need to ensure that: the law, technology and public policy developed consistently within the ICO’s goal, but without imposing disproportionate burdens on organisations. 
When I read that, I sensed that war was being declared against the uber data protection geeks who see DP compliance merely as a tick box exercise, rather than a struggle to win over the soul of the data controller.&lt;br /&gt;&lt;br /&gt;And here are the 5 priority areas:&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;1) Health&lt;br /&gt;2) Credit &amp; finance&lt;br /&gt;3) Criminal justice&lt;br /&gt;4) Internet and mobile services&lt;br /&gt;5) Security&lt;span style="font-weight:bold;"&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Any surprises? &lt;br /&gt;&lt;br /&gt;I would have described the areas in slightly different terms, based on my knowledge of the probable reasons behind the emergence of these areas:&lt;br /&gt;1) The need for society to pool sensitive information about individuals for the greater benefit of the community (so long as it’s not used in a manner calculated to be detrimental to an individual)  &lt;br /&gt;2) Maladministration involving  a small minority of labour-intensive batch processes &lt;br /&gt;3) The tension between retaining information only for special purposes when there is no legitimate need for it to be retained for the purposes originally envisaged by the original data controller &lt;br /&gt;4) The globalisation of data flows, masterminded by actors who may well be established, but who do not have their head office located within the EC &lt;br /&gt;5) Weak or non-existent IT protective measures which leave individuals prone to compromise&lt;br /&gt;&lt;br /&gt;For me this is good news - as I think I know a thing or two about these special areas. So I'm looking forward to playing a pretty full-on role.  
&lt;br /&gt;   &lt;br /&gt;The ICO announces that it’s well up for a fight, too – it does not see itself as a necessarily populist regulator: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“In assessing where the public interest lies we will work hard to understand the importance the public attach to the different aspects of information rights and will factor this into our choices. This does not mean that we will always adopt positions that are universally popular. We take the view that sometimes the public interest will be best served by us acting to protect the information rights of minorities or by us drawing attention to the downsides of new developments that might otherwise appear attractive.”&lt;/span&gt;&lt;/span&gt; &lt;br /&gt;&lt;br /&gt;Perhaps this means that it won’t assume that every last drop of EC legislation needs to be enforced with the same degree of rigour.  It may not have time to concern itself with the minutiae of some of the more esoteric data protection arguments (like which cookies are to be  deemed strictly necessary, rather than  those which are merely necessary, and hence subject to the user’s consent, whatever that means ....). Phew.&lt;br /&gt;&lt;br /&gt;Significantly, the ICO also sets itself apart from its peers who are more inward looking as far as transborder data flows are concerned. 
Perhaps this means that the folk at Wilmslow are tiring of some of the arguments that go on within the Article 29 community, and instead it intends to adopt a more robust and global approach:&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt; “We need to work, not just within the EU but also more widely at international level, most particularly with other information rights regulators, to ensure that, in so far as it makes sense to do so, we take a consistent and harmonised approach to the application of information rights law.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt; &lt;br /&gt;I like that stuff. When I cast my eyes into my crystal ball,  I don’t see a “fortress EC” any more. I see a global playing field, with those who are left behind being those who fail to recognise that data, like the weather, is no respecter of geographic, administrative or political borders.&lt;br /&gt; &lt;br /&gt;I like what I read – especially as after 11 years working for one company, the time has come for me to consider how and where I can be most passionate about my own particular data protection philosophy.&lt;br /&gt; &lt;br /&gt;So, as I prepare to leave my current employer, I do hope that if there is anyone out there, seeking help on matters relating to health, credit &amp; finance, criminal justice, internet &amp; mobile services or security, they might kindly drop me a line, and we can talk. 
&lt;br /&gt;&lt;br /&gt;And if it’s commutable from Crouch End, I could be very interested!&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;The strategy is now available to be downloaded from the ICO's website at http://www.ico.gov.uk/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2377077565587156311?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2377077565587156311'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2377077565587156311'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2012/01/ico-reveals-its-2012-targets-as-do-i.html' title='ICO reveals its 2012 targets -as do I'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-hvy-0PaSYWk/TwNlkX6OYII/AAAAAAAAAss/tYzOaKS6Mkw/s72-c/120103%2B-%2Bstrategya.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7621618960138223407</id><published>2011-12-18T14:20:00.001-08:00</published><updated>2011-12-18T14:37:05.201-08:00</updated><title type='text'>The Subject Access Request Xmas Ditty</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://1.bp.blogspot.com/-s1EN7j7Bbzw/Tu5nTMQET5I/AAAAAAAAAsU/aPAbgomW4_g/s1600/111218%2B-%2Bisolated_red_cracker%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="http://1.bp.blogspot.com/-s1EN7j7Bbzw/Tu5nTMQET5I/AAAAAAAAAsU/aPAbgomW4_g/s320/111218%2B-%2Bisolated_red_cracker%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5687596958819307410" /&gt;&lt;/a&gt;&lt;br /&gt;It’s that time of the year when we can let our guard down a little and enjoy awful puns and think more about the lighter side of life.&lt;br /&gt;&lt;br /&gt;Data protecting can be a depressing game if you let it, as all we data protection folk seem to see these days are the bad news stories. It’s not that easy to find shining examples of things going right.&lt;br /&gt;   &lt;br /&gt;And I’m sure that plenty of things are going right. Indeed, I like to think that there is far more going right than is actually going wrong. When measured against the vast majority of things that do go right, I hope that these bad incidents will be seen, in proportion and significance, as just as important as a pimple on an elephant’s bottom. &lt;br /&gt; &lt;br /&gt;Let’s accentuate the positive, for once, and not just focus on the negative. 
I’m a glass half full man, not a glass half empty one.&lt;br /&gt;&lt;br /&gt;Anyway, with that in mind, may I offer seasonal greetings to all my readers, and send my very best wishes for what’s likely to be a really busy New Year.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;A is for &lt;span style="font-weight:bold;"&gt;Aaaaaaaaaagh&lt;/span&gt;, when I read today’s email&lt;br /&gt;From that &lt;span style="font-weight:bold;"&gt;blighter&lt;/span&gt; of a &lt;span style="font-weight:bold;"&gt;customer&lt;/span&gt; who’s threatening me with jail&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Deaf&lt;/span&gt; to my protestations that we haven’t kept &lt;span style="font-weight:bold;"&gt;eny&lt;/span&gt; &lt;br /&gt;Hold on – he’s still writing, claiming there are many&lt;br /&gt;&lt;br /&gt;Of his &lt;span style="font-weight:bold;"&gt;facts&lt;/span&gt; and opinions, information galore&lt;br /&gt;Lurking unnoticed in our digital store:&lt;br /&gt;&lt;br /&gt;“&lt;span style="font-weight:bold;"&gt;Go &lt;/span&gt;and &lt;span style="font-weight:bold;"&gt;hunt&lt;/span&gt; for &lt;span style="font-weight:bold;"&gt;it&lt;/span&gt; and now, or Mistress &lt;span style="font-weight:bold;"&gt;Justice&lt;/span&gt; will play her part&lt;br /&gt;In stringing you up by the &lt;span style="font-weight:bold;"&gt;knackers&lt;/span&gt;, until you look less smart&lt;br /&gt;&lt;br /&gt;“Let this be a &lt;span style="font-weight:bold;"&gt;lesson&lt;/span&gt;, from a &lt;span style="font-weight:bold;"&gt;man&lt;/span&gt; who’s &lt;span style="font-weight:bold;"&gt;never&lt;/span&gt; wrong&lt;br /&gt;About how you should &lt;span style="font-weight:bold;"&gt;observe&lt;/span&gt; a &lt;span style="font-weight:bold;"&gt;personal &lt;/span&gt;information ding dong”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[Later, after the ICO investigation]&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;span 
style="font-weight:bold;"&gt;Quelle&lt;/span&gt; surprise, it’s &lt;span style="font-weight:bold;"&gt;really simple&lt;/span&gt;, and according to &lt;span style="font-weight:bold;"&gt;tradition&lt;/span&gt; &lt;br /&gt;It seems I’ve shown him all that’s in the statutory definition&lt;br /&gt;&lt;br /&gt;There’s no need to sign any &lt;span style="font-weight:bold;"&gt;undertakings, victory&lt;/span&gt; is in sight,&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Wilmslow&lt;/span&gt; says “happy &lt;span style="font-weight:bold;"&gt;Xmas&lt;/span&gt;! this &lt;span style="font-weight:bold;"&gt;yokel&lt;/span&gt; of a &lt;span style="font-weight:bold;"&gt;zealot&lt;/span&gt; is wrong and you really right.”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7621618960138223407?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7621618960138223407'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7621618960138223407'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/subject-access-request-xmas-ditty.html' title='The Subject Access Request Xmas Ditty'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-s1EN7j7Bbzw/Tu5nTMQET5I/AAAAAAAAAsU/aPAbgomW4_g/s72-c/111218%2B-%2Bisolated_red_cracker%255B1%255D.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2666908445049454576</id><published>2011-12-17T05:03:00.001-08:00</published><updated>2011-12-17T05:16:55.493-08:00</updated><title type='text'>What is the Commission really trying to achieve?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-9js7CV8T4fE/TuyTLLe1sPI/AAAAAAAAAsI/yuvW7byONdE/s1600/111216%2B-%2Bcloud-question-mark-original-370x229%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 198px;" src="http://4.bp.blogspot.com/-9js7CV8T4fE/TuyTLLe1sPI/AAAAAAAAAsI/yuvW7byONdE/s320/111216%2B-%2Bcloud-question-mark-original-370x229%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5687082249732075762" /&gt;&lt;/a&gt;&lt;br /&gt;I’ve been very quiet this week as I’ve been trying to get to grips with a number of very different issues, all of which demand some pretty intensive focus and all of which have resulted in my needing to ask the same basic question. This question related not to the immediate and intimate details of each problem, but the bigger issue – ie what was it that the client actually wanted to achieve?&lt;br /&gt;&lt;br /&gt;It’s the same with the leaked proposals for a new legislative framework – many of my legal and data protection friends have been poring over the leaked text, and have been producing ever more detailed analyses of the proposals. Many of them must be rubbing their hands with glee. After all, given such a complicated set of proposals, what self respecting data controller could now not afford to pay heavily to ensure that they were moving to a state of compliance? 
As for data protection officers, well, they have a job for life – so long as all they want to do is turn into an auditor and enter an environment where the ticked box is king.&lt;br /&gt;&lt;br /&gt;But I didn’t enter the data protection world just to tick a series of boxes. To me, fairness and transparency are qualitative concepts, not quantitative concepts. I love music, not mathematics.&lt;br /&gt;&lt;br /&gt;My main problem with the proposals (yes, having read them, not just having read summaries of them) is that I really don’t fully understand the background narrative. Before we all get too bogged down in the detail, I want to have the bigger picture much clearer in my mind. After all, the very detailed proposals contained in the text (and to be further particularised in legal instruments to be created by the newly formed European Data Protection Board) have to be assessed in terms of the sort of society that the European Commission feels its citizens should live in.&lt;br /&gt;&lt;br /&gt;And this is where I feel lost, as I simply don’t understand the Commission's vision of what this society will look like and feel like. I fear that bad things will come from an over-centralised, distant, powerful body, like the Commission or a European Data Protection Board. My heart tells me that this body will be staffed with people who care and who are just as honourable and decent as the friends I like to associate with. But my head tells me that it’s always possible that it will be perceived as an unloving, disengaged institution that fails to take sufficient time to show its stakeholders just how much it cares. &lt;br /&gt;&lt;br /&gt;Perhaps, just as Mr Putin must today be fearing that a Russian Spring does not have similar outcomes to the recent Arab and African Springs.&lt;br /&gt;&lt;br /&gt;But, back to the plot. The more I get lost in the detail of the draft proposal, the more I forget what the answers to the most basic questions ought to be. 
&lt;br /&gt;&lt;br /&gt;They include:&lt;br /&gt;• What is to be the role of the state and of public institutions in holding information about people it is responsible for, or accountable to? When can these people exert a “right to be let alone” from the state (if at all)?&lt;br /&gt;• What rights are data controllers to have, if they are not to be allowed rights that are equivalent to those of individual people?&lt;br /&gt;• How can we expect society to function under a regime of extremely complicated data protection rules that will be ignored by huge numbers of citizens and controllers? Can this really be termed effective government? Is this a desirable outcome to the process?&lt;br /&gt;• In quantitative and qualitative terms, what will the benefits to society be if these rules were to be fully implemented? Are the costs that will be imposed on all stakeholders fully commensurate with the perceived benefits?&lt;br /&gt;• How will local practices and cultures be respected, given the fact that the overwhelming majority of data controllers are likely to provide services to a very restricted (in terms of geographic reach or social mix) set of customers?&lt;br /&gt; &lt;br /&gt;I’m sorry that this blog makes such heavy reading as we're getting focused on the forthcoming holiday season. But that’s what happens when we only see half the story – what’s been leaked is really the roadmap to “Data Protection Nirvana”, not a proper description of what this Nirvana actually is, nor an explanation of what we will feel when we actually get there.&lt;br /&gt;&lt;br /&gt;So where do we go from here?&lt;br /&gt;&lt;br /&gt;I suspect that many people will disengage themselves from the process that will roll on for the next few years, as groups of people earnestly huddle together and try to build political alliances that will leverage changes to the texts that we see before us. 
I expect the campaign of attrition to continue for a few years, as ever more weary teams of negotiators try to keep their political masters interested in the tedious minutiae of the subject.&lt;br /&gt;&lt;br /&gt;But I also wonder, in practical terms, how this initiative is ever going to be passed, given the huge emotion that will be built up by stakeholders from all sides of the debate. If I were an MEP, I would want an easy ride, to be honest. I would not want to be too personally involved in a controversial legislative proposal, as I would expect to be vilified and abused as a result of being associated with it. I would expect my own character to be called into question, and for vested interests to do whatever they considered necessary to further their own objectives. So I would not want to be the Rapporteur or a committee member, or have my fingerprints anywhere near it. MEPs go to the European Parliament to do good, not to find themselves on the wrong side of a set of very public attacks. &lt;br /&gt; &lt;br /&gt;I heard &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;European Commissioner Viviane Reding&lt;/span&gt;&lt;/span&gt; speaking a few weeks ago, in Paris, describing a late Christmas present that the Commission will be delivering to the European Parliament. 
If this is it, then it’s some present.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2666908445049454576?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2666908445049454576'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2666908445049454576'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/what-is-commission-really-trying-to.html' title='What is the Commission really trying to achieve?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-9js7CV8T4fE/TuyTLLe1sPI/AAAAAAAAAsI/yuvW7byONdE/s72-c/111216%2B-%2Bcloud-question-mark-original-370x229%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1374552411575462685</id><published>2011-12-11T06:39:00.000-08:00</published><updated>2011-12-11T07:01:21.716-08:00</updated><title type='text'>How do the Commission’s proposals square with its Impact Assessment?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-5sJQYvtHGg0/TuTBBvAKjgI/AAAAAAAAAr8/pCnYq4DCGtE/s1600/111007%2B-%2BEC%2Bworking%2Bdocument.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 274px; height: 320px;" 
src="http://3.bp.blogspot.com/-5sJQYvtHGg0/TuTBBvAKjgI/AAAAAAAAAr8/pCnYq4DCGtE/s320/111007%2B-%2BEC%2Bworking%2Bdocument.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5684880865189596674" /&gt;&lt;/a&gt;&lt;br /&gt;I’ve recently learnt that fellow blogger &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Markus Kastelitz&lt;/span&gt;&lt;/span&gt; read my posting about the Commission’s impact assessment on the data protection reform (published on 8 October), and tried to get a copy from the Commission. &lt;br /&gt;&lt;br /&gt;A couple of weeks ago, he received a letter from the Director-General, Ms Le Bail, of the Directorate-General Justice of the European Commission refusing the request. The explanation was as follows: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“First, I have to clarify that the Commission has not yet issued any staff working document on the impact assessment for the future EU legal framework. Even though, the impact assessment document we possess has not been disclosed yet. The document is covered by one of the exceptions provided for by the policy relating to access to documents and therefore it cannot be made available to you. The exception which applies to the document you requested is that laid out in Article 4 (3) of the above-mentioned Regulation (...) In the case of your request, granting access to the said document would prejudice the ongoing intra-Commission decision-making process on the future data protection regulatory framework. Access to this document may be granted once the decision-making process on this matter is completed. (...)”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;That, of course, was before the current draft proposals (let’s call them “Version 56”) were leaked onto the internet. I’m not sure whether this changes anything – but it might. 
How much more prejudice can publication of that document now cause to the ongoing consultation, since the text of the document containing the actual proposals is so readily available on the internet?&lt;br /&gt;&lt;br /&gt;Back in October I described three quite detailed options that the Commission was considering, to make the changes it thought appropriate. I also explained that the Commission had analysed the impacts of these options. The analysis included an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial &amp; economic impacts, social impacts, impact on fundamental rights and their impact on simplification.&lt;br /&gt;&lt;br /&gt;It appears to me that the authors of Version 56 have basically gone for the option which the Commission considers has a low risk of political feasibility / acceptability:&lt;span style="font-weight:bold;"&gt; &lt;span style="font-style:italic;"&gt;this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now, I have not heard of any Commission attempts to take down Version 56 from the internet – so perhaps the ground is shifting. Oh, the power of publishing information on the internet. Long gone are the days when all Governments had to worry about was what was published by newspaper barons. But I wonder how Governments will manage, in future, to discuss sensitive issues. What new communications technology will they use which prevents the average internet user from finding out what they are up to? 
&lt;br /&gt;&lt;br /&gt;Perhaps they’ll start to communicate via Blackberry Messenger – after all, if the security of BBM is hard for national authorities to break when the great unwashed are indulging in a spate of rioting, it could also prevent us oiks from learning what the Commission is up to when the Commission wants to keep something quiet. &lt;br /&gt;&lt;br /&gt;What I had not expected was a Regulation for the oiks and a Directive to take care of issues relating to police and criminal justice. Given the ever increasing co-operation between the (state) law enforcement regime and the (private) security and anti-fraud networks , it really ought to be possible for both groups to operate using broadly equivalent rules. Given the ever increasing privatisation of the administration of law and order, it would be a shame if state actors were to enjoy significantly greater freedoms should equivalent responsibilities be devolved to actors in the private sphere.&lt;br /&gt;&lt;br /&gt;Let’s see if the next draft of a new regulatory framework, to be released sometime next year, will be more balanced and less radical.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://legalmemory.blogspot.com/2011/10/commission-staff-working-document.html&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1374552411575462685?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1374552411575462685'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1374552411575462685'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/how-do-commissions-proposals-square.html' title='How do the Commission’s proposals square 
with its Impact Assessment?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-5sJQYvtHGg0/TuTBBvAKjgI/AAAAAAAAAr8/pCnYq4DCGtE/s72-c/111007%2B-%2BEC%2Bworking%2Bdocument.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3293038941691628851</id><published>2011-12-10T09:02:00.001-08:00</published><updated>2012-01-09T02:29:41.787-08:00</updated><title type='text'>Save us from a secretive Data Protection Board</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-k2cRG6_Hheo/TuOQyvf1irI/AAAAAAAAArw/QVh2Ovfx_yA/s1600/111209%2B-%2Bmatilda.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 158px;" src="http://1.bp.blogspot.com/-k2cRG6_Hheo/TuOQyvf1irI/AAAAAAAAArw/QVh2Ovfx_yA/s320/111209%2B-%2Bmatilda.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5684546356089555634" /&gt;&lt;/a&gt;&lt;br /&gt;We’ve all had a good laugh at some of the Commission’s proposals contained in the infamous &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Version 56”&lt;/span&gt;&lt;/span&gt; – the document recently leaked on the internet which is currently being reviewed within the Commission before a (presumably heavily) revised version of its proposals for a new legal framework is unveiled sometime next year.&lt;br /&gt;&lt;br /&gt;My favourite bit is the part of the text which tries to create more effective co-ordination between the data protection supervisors of each Member State (and of course the European Data Protection 
Supervisor). The &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Article 29 Working Party&lt;/span&gt;&lt;/span&gt; is to be rebranded as the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;European Data Protection Board&lt;/span&gt;&lt;/span&gt;.  &lt;br /&gt;&lt;br /&gt;It is either to be chaired, or have as one of its 2 deputy chairs, the European Data Protection Supervisor. Its secretariat will be co-located with that of the European Data Protection Supervisor. It is to act independently and arrive at decisions by a simple majority of its members. Board discussions are to be confidential, as are documents and papers submitted to the Board. Similarly, all experts and others who support the Board are to have confidentiality requirements imposed on them.&lt;br /&gt;&lt;br /&gt;So much for freedom of information and our own Government’s transparency agenda.&lt;br /&gt;&lt;br /&gt;My next favourite bit is the proposal that its decisions, recommendations, guidelines and best practice notes are to have greater weight than before. &lt;br /&gt;&lt;br /&gt;Currently, of course, the Article 29 Working Party issues opinions – and many of us are grateful for that as that is all they are. I’m happy to listen to anyone’s opinion, so long as they don’t always expect me to act in accordance with it. Let’s be honest, how many of the opinions that have been adopted by the Article 29 Working Party are on our &lt;span style="font-style:italic;"&gt;“memorise”&lt;/span&gt; list? I find that too many of them are written in language that is quite difficult to understand, over long, and very hard to engage with. At least I can ignore the more tedious stuff.&lt;br /&gt;&lt;br /&gt;But, please, spare us data protection officials from feeling that we may be more formally bound by standards or systems that will emerge from these new documents. 
Is there to be any political accountability on the part of the Data Protection Board – or a means of appeal when data controllers feel that this body has simply got it wrong?   &lt;br /&gt;&lt;br /&gt;Will we have to wait for decisions to be made in secret and then just unconditionally accept, in some sense of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Papal infallibility&lt;/span&gt;&lt;/span&gt;, the correctness of this decision?&lt;br /&gt;&lt;br /&gt;Please help us.&lt;br /&gt;&lt;br /&gt;We all enjoy hearing about some of the personal characteristics of the current crop of Data Protection Supervisors, and to some extent we can forgive their foibles, after all they are only human. But what happens when their views start to radically diverge from the “norm”?&lt;br /&gt;&lt;br /&gt;This was the thought that occurred to me last night, as I was enjoying the sensational new musical &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Matilda&lt;/span&gt;&lt;/span&gt; in London. One of the key figures is &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Miss Agatha Trunchbull&lt;/span&gt;&lt;/span&gt;, played by the outrageous &amp; brilliant &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Bertie Carvel&lt;/span&gt;&lt;/span&gt; (pictured). A former Olympic hammer thrower, she is now the Principal of Crunchem Hall Elementary School. 
Surreal and psychotic, she utters the phrases &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Children are maggots”&lt;/span&gt;&lt;/span&gt; and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“You’re heading for the chokey”&lt;/span&gt;&lt;/span&gt; whenever she wants to cast terror into the hearts and minds of the pupils (and their teacher).&lt;br /&gt;&lt;br /&gt;How might European data controllers prevent a latter day &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Miss Agatha Trunchbull&lt;/span&gt; &lt;/span&gt;from becoming Chairman of the European Data Protection Board and then running amok? How might they be able to stand up to her, as Matilda did last night, when they haven’t got special powers to change things? In terms that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Roald Dahl&lt;/span&gt;&lt;/span&gt; would have appreciated, how might the data controllers manage to divert her attention, if they can’t slip a newt into her knickers?&lt;br /&gt;&lt;br /&gt;Perhaps the only way to ensure that sanity prevails will be to ensure that someone like &lt;span style="font-weight:bold;"&gt;&lt;span style="font-weight:bold;"&gt;me&lt;/span&gt;&lt;/span&gt; gets to be elected its first Chairman.  
Well, if it’s a choice between &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;me&lt;/span&gt;&lt;/span&gt;, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Agatha Trunchbull&lt;/span&gt;&lt;/span&gt; or &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Edna Turnblad&lt;/span&gt;&lt;/span&gt;, I think &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;I&lt;/span&gt;&lt;/span&gt; ought to win, hands down.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Notes:&lt;/span&gt;&lt;br /&gt;Articles 73-72 of Version 56&lt;br /&gt;A musical version of Roald Dahl’s novel, Matilda: A Musical, written by Dennis Kelly and Tim Minchin and commissioned by the Royal Shakespeare Company, opened at the Cambridge Theatre on 24th November 2011, after a run the previous year in Stratford-upon-Avon.&lt;br /&gt;Edna Turnblad is a character from the award winning film and musical Hairspray. 
Another larger-than-life individual, she also has a lot to teach her fellow citizens in terms of dignity and mutual respect.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3293038941691628851?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3293038941691628851'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3293038941691628851'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/save-us-from-secretive-data-protection.html' title='Save us from a secretive Data Protection Board'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-k2cRG6_Hheo/TuOQyvf1irI/AAAAAAAAArw/QVh2Ovfx_yA/s72-c/111209%2B-%2Bmatilda.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6121304649094488722</id><published>2011-12-08T12:42:00.000-08:00</published><updated>2011-12-08T12:50:25.555-08:00</updated><title type='text'>The Interception of Communications Commissioner shows us his independence</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-Z4-IFFAkQWs/TuEhavLHL2I/AAAAAAAAArk/n0Ox-ZWQZEI/s1600/111205%2B-%2Bcwmt.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 115px;" 
src="http://1.bp.blogspot.com/-Z4-IFFAkQWs/TuEhavLHL2I/AAAAAAAAArk/n0Ox-ZWQZEI/s320/111205%2B-%2Bcwmt.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5683860947941666658" /&gt;&lt;/a&gt;&lt;br /&gt;In a visit that astonished and inspired many members of the Data Protection Forum last Tuesday, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Sir Paul Kennedy, the Interception of Communications Commissioner&lt;/span&gt;&lt;/span&gt;, spoke about his role and, in discussing a few topical issues of the day, showed just how independent a person he actually is. Most of the members of the Forum had never met a retired Lord Justice of Appeal before – well they have now, and they can now better appreciate the care, discretion, dedication, humility and integrity that Sir Paul brings to the job. &lt;br /&gt; &lt;br /&gt;The full text of his speech will shortly be loaded onto his website – which is the impressively named &lt;span style="font-style:italic;"&gt;www.intelligencecommissioners.com&lt;/span&gt;. What a great title for a website. But I expect he won’t be sorry that he will have to relinquish it when his term of office ends.&lt;br /&gt; &lt;br /&gt;The day had started with a minor calamity for the first speaker, the award-winning lawyer, barrister, blogger and tweeter &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Stewart Room.&lt;/span&gt;&lt;/span&gt; All the IT in the well equipped conference room could not open the PowerPoint presentation he had carefully prepared – so he played a blinder. In a masterly display of oratorical powers, he spoke without hesitation, repetition or deviation for 45 minutes on the interface between security and data protection. 
He quickly got everyone up to speed on the relevant issues, so they could better appreciate the world that Sir Paul regulated.&lt;br /&gt;&lt;br /&gt;The final speaker of the day was &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Martin Smith of The Security Company&lt;/span&gt;&lt;/span&gt;. And yes, he blogs too.  It’s obviously the new way of communicating to the masses. Whereas in the past, people would have polished off a pamphlet, got it printed and then sent around the coffee houses of London, these days we press a few buttons and, hurrah, our jottings have been published for the whole world to consume. Anyway, if you have not heard Martin Smith speak, then you are in for a treat. He certainly sympathised with the lot of the Data Protection Officer. It may not be sexy, and it may not be the job that attracts the greatest attention from the Board, but it’s certainly one of the really worthy ones. He had us eating out of his hands in minutes.&lt;br /&gt;&lt;br /&gt;And what was also inspirational about the day was Sir Paul’s nomination of the beneficiary of another innovation the Forum tried last Tuesday – to hold a charitable raffle just before the Christmas lunch. He nominated the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Charlie Waller Memorial Trust&lt;/span&gt;&lt;/span&gt;. The Trust was set up in 1998 in memory of a 28 year old professional who had committed suicide whilst suffering from depression. His family and friends formed the Trust to raise awareness of depression, reduce the stigma attached to seeking help and to ensure help was available when needed.&lt;br /&gt;&lt;br /&gt;Charlie’s death had an impact which continues to affect those who knew him. Yet, Charlie’s case is not an isolated one. Each year around 1,760 young men commit suicide and a recent report from the Royal College of Psychiatrists highlighted the impact of stress and work pressures. 
&lt;br /&gt;&lt;br /&gt;Stress and work pressures are both issues I have struggled with, as have people to whom I am and have been very close. I’m so pleased to learn about this charity. And I’m honoured to recommend it to others who want their charitable donations to really make a difference.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Further reading:&lt;/span&gt;&lt;br /&gt;http://intelligencecommissioners.com/sections.asp?pageID=5&amp;sectionID=4&amp;type=blog&lt;br /&gt;http://www.stewartroom.com/&lt;br /&gt;http://www.thesecurityco.com/kzscripts/default.asp?&lt;br /&gt;http://www.cwmt.org.uk&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6121304649094488722?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6121304649094488722'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6121304649094488722'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/interception-of-communications.html' title='The Interception of Communications Commissioner shows us his independence'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-Z4-IFFAkQWs/TuEhavLHL2I/AAAAAAAAArk/n0Ox-ZWQZEI/s72-c/111205%2B-%2Bcwmt.JPG' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3620426016704764861</id><published>2011-12-05T09:30:00.001-08:00</published><updated>2011-12-05T09:45:41.552-08:00</updated><title type='text'>Woops- jail time for non-registration?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-rA2xSjAcjf0/Ttz_zOGR6YI/AAAAAAAAArY/TMx408uNEV0/s1600/111203%2B-%2Bprison-bars%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 320px;" src="http://4.bp.blogspot.com/-rA2xSjAcjf0/Ttz_zOGR6YI/AAAAAAAAArY/TMx408uNEV0/s320/111203%2B-%2Bprison-bars%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5682698085257570690" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Dan Worth&lt;/span&gt;&lt;/span&gt;, that excellent IT journalist from &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;V3.co.uk&lt;/span&gt;&lt;/span&gt; must have been kicking some poor copywriter last Friday. What a misleading headline: ”Estate agent avoids jail time after breaching Data Protection Act” to accompany Dan’s article!&lt;br /&gt;&lt;br /&gt;Dan was right to report that the miscreant was &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“given a six-months conditional discharge and ordered to pay £614 towards prosecution costs in a hearing at Caernarfon Magistrates' Court”&lt;/span&gt;&lt;/span&gt; for a Section 17 offence (ie failing to register with the ICO). But, failure to register is not a custodial matter. 
Surely, a custodial offence could only have been considered appropriate if the estate agent had beaten up the ICO’s inspectors with some old &lt;span style="font-style:italic;"&gt;For Sale&lt;/span&gt; boards.&lt;br /&gt;&lt;br /&gt;A conditional discharge simply means that the miscreant does not receive a punishment if they comply with certain rules (eg stay out of trouble) for a fixed period of time. So the penalty for non-registration is, actually, nothing, other than to pay the prosecution costs if you get caught. Some penalty that is. &lt;br /&gt;&lt;br /&gt;These bloopers, and others (remember, the European Commission has just threatened to place 16 Member States on the naughty step for failing to fully implement a Telecommunications Data Protection Directive that was due to take force from 25 May) are bound to be discussed when the great and the good of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Open Rights Group&lt;/span&gt;&lt;/span&gt; gather for their Christmas drinks in Paddington tonight. So, if you’re passing by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Wood Marylebone pub in Balcombe Street&lt;/span&gt;&lt;/span&gt; later, and hear a strange “12 days of Christmas” refrain, do pop in and join the songsters. You never know who you might meet there.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.v3.co.uk/v3-uk/news/2129757/estate-agent-avoids-jail-breaching-protection-act &lt;br /&gt;The Member States vying for a spot on the naughty step are Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, France, Germany, Greece, Hungary, Italy, The Netherlands, Poland, Portugal, Romania, Slovenia and Spain. 
&lt;span style="font-style:italic;"&gt;Not the UK, this time.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3620426016704764861?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3620426016704764861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3620426016704764861'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/woops-jail-time-for-non-registration.html' title='Woops- jail time for non-registration?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-rA2xSjAcjf0/Ttz_zOGR6YI/AAAAAAAAArY/TMx408uNEV0/s72-c/111203%2B-%2Bprison-bars%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3896734165307117967</id><published>2011-12-03T03:45:00.001-08:00</published><updated>2011-12-03T06:37:40.504-08:00</updated><title type='text'>The ICO’s twelve days of Christmas</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-7l-PXhw-7eg/TtoM2e7a2kI/AAAAAAAAArM/DX5ZArWdn9k/s1600/111202%2B-%2Bparis-2.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://4.bp.blogspot.com/-7l-PXhw-7eg/TtoM2e7a2kI/AAAAAAAAArM/DX5ZArWdn9k/s320/111202%2B-%2Bparis-2.jpg" border="0" 
alt=""id="BLOGGER_PHOTO_ID_5681868010036058690" /&gt;&lt;/a&gt;&lt;br /&gt;It’s getting to that special time of the year when differences are set aside and we data protection folk gather together for the Christmas parties. People whose views are usually rejected with disdain are treated in a wholly different light when they congregate with various beverages in their hands. &lt;br /&gt;&lt;br /&gt;Old arguments are forgotten as we all realise that, within this data protection community, what binds us together is that we do all care. OK, we may care about slightly different things, but the main thing is that we do care. &lt;br /&gt;&lt;br /&gt;Fundamental rights, respecting each other, dignity and a broad outlook on life. That’s what binds us data protection folk together.&lt;br /&gt;&lt;br /&gt;We also like a good sing song once in a while, to relieve the tedium of working out whether Binding Corporate Rules will be a truly effective and scalable way of legitimising international personal data flows.  
Or how we are going to get the people we advise to take data protection issues as seriously as we do.&lt;br /&gt;&lt;br /&gt;As it’s getting close to the holiday season, here’s one little ditty that is only appropriate when there is a group of people whose throats have been generously lubricated and no-one has any inhibitions left:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;On the twelfth day of Christmas, &lt;br /&gt;Our chums in Wilmslow sent to me &lt;br /&gt;Twelve audit recommendations, &lt;br /&gt;Eleven blogs on breaches, &lt;br /&gt;Ten more assessments, &lt;br /&gt;Nine press releases, &lt;br /&gt;Eight FOI reminders, &lt;br /&gt;Seven voicemail messages, &lt;br /&gt;Six monetary penalties, &lt;br /&gt;Five SAR’s &lt;br /&gt;Four draft undertakings, &lt;br /&gt;Three renewal reminders,&lt;br /&gt;Two codes of practice,&lt;br /&gt;And an email that I wasn’t supposed to see!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;br /&gt;Image credit:&lt;/span&gt;&lt;br /&gt;For those of you who won’t be traveling to Paris to enjoy the Xmas decorations along the Champs Elysees this year, they look like this!&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3896734165307117967?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3896734165307117967'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3896734165307117967'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/icos-twelve-days-of-christmas.html' title='The ICO’s twelve days of Christmas'/><author><name>Data 
Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-7l-PXhw-7eg/TtoM2e7a2kI/AAAAAAAAArM/DX5ZArWdn9k/s72-c/111202%2B-%2Bparis-2.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2928587694248156884</id><published>2011-12-01T09:22:00.001-08:00</published><updated>2011-12-01T09:36:34.480-08:00</updated><title type='text'>Behavioural advertising: Scrap “do not track”. Try “do not target”</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-Z_cReNpeD5s/Tte355mYiGI/AAAAAAAAAqo/6i3eDYQ0BSM/s1600/111201%2B-%2Bbest_archery_target%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 210px;" src="http://1.bp.blogspot.com/-Z_cReNpeD5s/Tte355mYiGI/AAAAAAAAAqo/6i3eDYQ0BSM/s320/111201%2B-%2Bbest_archery_target%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5681211660293408866" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Gwendal Le Grand&lt;/span&gt;&lt;/span&gt;, head of the IT Department of the French data protection regulatory authority &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;CNIL&lt;/span&gt;&lt;/span&gt;, made a remark, in passing, at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;International Association of Privacy Professionals&lt;/span&gt;’&lt;/span&gt; European congress in Paris on Tuesday, which I think could be very significant.&lt;br /&gt;&lt;br /&gt;During a session on on-line behavioural advertising, he 
used words that may well resonate for a few years to come. The issue is, of course, about how individuals can (or should) object to the use of their personal information for behavioural advertising. Many of the delegates had attended an earlier presentation by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Ilana Westman&lt;/span&gt;&lt;/span&gt;  from the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Create with Consent&lt;/span&gt;&lt;/span&gt; organisation, and were thus aware that most internet users really had no idea how their information was shared by web publishers, nor how web publishers actually found the money to pay for the content that the user, typically, was enjoying for free.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Gwendal &lt;/span&gt;&lt;/span&gt;suggested that, rather than using the phrase &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"do not track",&lt;/span&gt;&lt;/span&gt; individuals should really be saying  &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“I beg you not to target me".&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt; This is because an awful lot of tracking is going to go on, regardless of the user's stated tracking preferences. Cookies and other device features will always be monitoring how someone is navigating between the web pages, or remembering what items are in their shopping basket, but have not yet been paid for or despatched. Other forms of tracking will inevitably go on for traffic management, analytics and law enforcement purposes.&lt;br /&gt;&lt;br /&gt;So, responsible organisations should not even think of using words and phrases that might mislead a user, such as &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“do not track”&lt;/span&gt;&lt;/span&gt;. 
There is no &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"cloak of invisibility"&lt;/span&gt;&lt;/span&gt; that would result in all internet usage being unmonitored. So we should be careful not to use words or phrases that are incompatible with the legitimate expectations of Internet users.&lt;br /&gt;&lt;br /&gt;I think this is a very sensible and practical suggestion. I'll see what I can do to encourage more people to start using this phrase.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2928587694248156884?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2928587694248156884'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2928587694248156884'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/behavioural-advertising-scrap-do-no.html' title='Behavioural advertising: Scrap “do not track”. 
Try “do not target”'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-Z_cReNpeD5s/Tte355mYiGI/AAAAAAAAAqo/6i3eDYQ0BSM/s72-c/111201%2B-%2Bbest_archery_target%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6282136635715829257</id><published>2011-12-01T08:53:00.000-08:00</published><updated>2011-12-01T09:38:38.279-08:00</updated><title type='text'>Freebies: The kindness of (not so) strangers</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-e6DZckWA72E/TtexVe7OyCI/AAAAAAAAAqQ/aRtb9k1nNw8/s1600/111130%2B-%2Barc.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 160px;" src="http://1.bp.blogspot.com/-e6DZckWA72E/TtexVe7OyCI/AAAAAAAAAqQ/aRtb9k1nNw8/s320/111130%2B-%2Barc.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5681204437588035618" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Whoever you are, I have always depended on the kindness of strangers”.&lt;/span&gt;&lt;/span&gt; It’s a brilliant final line from the play &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Streetcar Named Desire&lt;/span&gt;&lt;/span&gt;. 
And it’s one that frequently comes to mind when accepting corporate hospitality when data protecting.&lt;br /&gt;&lt;br /&gt;The sponsors of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;International Association of Privacy Professionals&lt;/span&gt;’&lt;/span&gt; European congress in Paris certainly pulled out all the stops this week. &lt;span style="font-style:italic;"&gt;[Note to the sponsors' expenses departments: None of the expenditure was inappropriate, nor of a kind likely to interest local fraud and corruption teams. No money changed hands.  One iPad was won, some really nice chocolates, football shirts and card holders were proffered, and we all now must have enough spare pens and paper pads to enable us to start to restock the stationery cupboard when we return to the office.]&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;But, and this is a big but, the conference venue was within a few yards of the Arc de Triomphe. Local hotels were not cheap, and people (like me) who were not travelling on expenses were all very grateful for the drinks and dinners that were so kindly laid on for all those who were considered sufficiently deserving. Data protecting is thirsty and hungry work.  And all of the sponsors laid on wonderful events.&lt;br /&gt;&lt;br /&gt;The largest drinks event was held at the ultra fashionable night club &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;L’Arc&lt;/span&gt;&lt;/span&gt;, just across the road from the Arc de Triomphe. Every conference delegate had been invited for IAPP cocktails sponsored by our chums at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Yahoo!&lt;/span&gt;&lt;/span&gt;, and a fashionably chic time was had by all.  Apparently, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;George Clooney&lt;/span&gt;&lt;/span&gt; was there last week. 
I doubt they will be talking for long in such hushed tones about the way in which I worked the room and smashed a glass of champagne, but I did have a quiet word with some old friends – and take the opportunity to make some really nice new friends. It’s a club I would heartily recommend – and its website advises that there are just a few tickets left for the New Year bash, each priced at £330 (excluding drinks). &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-Z-XKPl_G_IM/Ttexdt-lsqI/AAAAAAAAAqc/NHLgjpY5Qug/s1600/111201%2B-%2Bvernet%2Bgalerie-11-restaurant%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 214px;" src="http://1.bp.blogspot.com/-Z-XKPl_G_IM/Ttexdt-lsqI/AAAAAAAAAqc/NHLgjpY5Qug/s320/111201%2B-%2Bvernet%2Bgalerie-11-restaurant%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5681204579067605666" /&gt;&lt;/a&gt;&lt;br /&gt;The most historic event occurred on Wednesday night, after the congress had actually finished. &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Trevor Hughes, Chief Executive Officer of the IAPP &lt;/span&gt;&lt;/span&gt;had a brilliant idea and had invited the heads of the principal national European data protection associations to a special dinner at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hotel Vernet&lt;/span&gt;&lt;/span&gt;, one of the most distinguished hotels in Paris. It was the first time that the representatives from these bodies had been formally invited to meet each other. Personal relationships were quickly cemented. 
And agreements were reached to deepen these relationships.&lt;br /&gt;&lt;br /&gt;Hopefully, for example, next March will see senior figures from both the French and the German privacy associations addressing members of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Data Protection Forum&lt;/span&gt;&lt;/span&gt; in London, giving their own national perspectives on the European Commission's proposals for a new legal framework. The aim is that we Brits will get a better understanding of what concerns French and German citizens (and data controllers) have about the measures which really ought to have been published by then, and vice versa.  A bientôt!  Bis bald!  The Data Protection Forum really will adopt an international flavour that day.&lt;br /&gt;&lt;br /&gt;If this is the sort of event that might be of interest (the Forum meeting, not the dinner!), and you are free on &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Tuesday, 13 March 2012&lt;/span&gt;&lt;/span&gt;, then please feel free to contact the Forum’s secretary and ask her nicely about how to become a member of the Forum. Guidance on becoming a DPF member is at http://www.dpforum.org.uk/join-data-protection-forum.shtml.&lt;br /&gt;&lt;br /&gt;And what about the weighty matters discussed by those who attended the dinner? Well, enough business was transacted for us to unanimously declare the occasion a great success. Privacy, as a profession, has well and truly arrived. 
So, through the IAPP, another international network of privacy professionals is being created, which will enable members to engage both with their contemporaries, and with the hierarchies of the privacy regulators.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6282136635715829257?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6282136635715829257'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6282136635715829257'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/freebies-kindness-of-not-so-strangers.html' title='Freebies: The kindness of (not so) strangers'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-e6DZckWA72E/TtexVe7OyCI/AAAAAAAAAqQ/aRtb9k1nNw8/s72-c/111130%2B-%2Barc.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2179422127028376743</id><published>2011-12-01T07:07:00.001-08:00</published><updated>2011-12-01T09:37:37.824-08:00</updated><title type='text'>Commissioners commenting at the IAPP Congress</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-exmU7r1jp00/TteYxUIC6sI/AAAAAAAAAp4/_7m0LrzMqxo/s1600/111130%2B-%2Bvr.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 
299px;" src="http://1.bp.blogspot.com/-exmU7r1jp00/TteYxUIC6sI/AAAAAAAAAp4/_7m0LrzMqxo/s320/111130%2B-%2Bvr.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5681177427934636738" /&gt;&lt;/a&gt;&lt;br /&gt;European Commissioner Viviane Reding made a great impression on the delegates at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;International Association of Privacy Professionals'&lt;/span&gt;&lt;/span&gt; European congress in Paris on Tuesday. She swept into the conference room just a few minutes before her carefully prepared speech to Europe’s data protection elite was billed to start. She majestically read it, and then glided away, protected by a posse of flunkies, well before any members of the awkward squad in the audience could ask her any questions.&lt;br /&gt;&lt;br /&gt;What did she say?&lt;br /&gt;&lt;br /&gt;Well, we were promised a &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;late Christmas present.&lt;/span&gt;&lt;/span&gt; It is to be a simpler way of legitimising global data flows, and it is to be delivered in the form of an easier way for Binding Corporate Rules to be approved by regulators in all Member States. Oh, we’ll also get consistent enforcement across Europe, and some innovation. This, apparently, will increase levels of confidence, as it is evidently confidence that is lacking today in the digital world. &lt;br /&gt;&lt;br /&gt;And that was about it. 
Introduced as &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"the most important person in Data Protection in Europe today"&lt;/span&gt;&lt;/span&gt; this really was about all she had to say to an audience that included &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Jacob Kohnstamm&lt;/span&gt;&lt;/span&gt; (Chairman of the Article 29 Working Party), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Hustinx&lt;/span&gt; &lt;/span&gt;(European Data Protection Supervisor), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Schaar &lt;/span&gt;&lt;/span&gt;(Federal Commissioner for Data Protection &amp; Freedom of Information Germany), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Thomas&lt;/span&gt; &lt;/span&gt; (former UK Information Commissioner), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Fleischer&lt;/span&gt;&lt;/span&gt; (he of Google), and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Allan&lt;/span&gt;&lt;/span&gt; (of Facebook fame). Some late Christmas present we’ve got to look forward to. But, let’s give Viviane her due. She is the most important woman in Data Protection in Europe today, and she did very kindly agree to speak.&lt;br /&gt;&lt;br /&gt;The audience were left a little bemused, but there were lots of really important issues that were discussed last Tuesday and Wednesday. There was the inevitable speculation about what else might be in the Commission's proposals for a new legal framework. The Commission is either keeping its proposals a very closely guarded secret, or it hasn't yet got much to unveil. There were murmurs of an announcement about the framework during "data protection week" next year. Excuse me. Data Protection Day is quite enough for me, thanks. 
There's only so much fun a data protector can have. This fun can be squeezed into a day, but I think it would be really hard to stretch it to cover a whole week.&lt;br /&gt;&lt;br /&gt;The announcement from the platform (just before Viviane Reding swept into the building) was that the new legal instrument would take the form of a Regulation, not a Directive. But I'm not sure I believe that announcer (so I won't identify her, to save potential blushes later). &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Hustinx&lt;/span&gt;&lt;/span&gt; pointed out that there can be various kinds of Regulations, and that Directives can also take different forms, too. It left the audience little the wiser as to what was really likely to happen.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-fqQhMowb_30/TteaDxGqPlI/AAAAAAAAAqE/Emhn3dq42-s/s1600/111130%2B-%2Bschaar.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 318px;" src="http://3.bp.blogspot.com/-fqQhMowb_30/TteaDxGqPlI/AAAAAAAAAqE/Emhn3dq42-s/s320/111130%2B-%2Bschaar.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5681178844462726738" /&gt;&lt;/a&gt;  &lt;br /&gt;I managed to raise a laugh among delegates when I asked &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Schaar&lt;/span&gt; &lt;/span&gt;a question. It was related to his support for rules which had Community-wide application. He had commented, in his keynote speech, that Data Protection authorities need to think on a global basis, yet they were organised and were obliged to react locally. I pointed out that, recently, on economic matters, the Germans had been really helpful to the Greeks and others who were facing local economic difficulties, in order to strengthen confidence in the Euro. 
I asked Peter if he thought that the Germans might be so kind as to consider lowering their own current data protection standards, if this would result in the prize of the possibility of common data protection rules applying across the European Community, in order to strengthen confidence in data protection.&lt;br /&gt;&lt;br /&gt;Significantly, Peter did not rule this out. He accepted that everyone needed to adopt a flexible approach, if common standards were to apply across a wider geographic area. You heard it here, first! No-one laughed at Peter's response - and many were mightily relieved.  &lt;br /&gt;&lt;br /&gt;It was left for &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Allan&lt;/span&gt;&lt;/span&gt; to make the really significant point that in future, data protection regulation is only likely to be effective if the applicable law is to focus on where the data controller is based, not where the data (or copies of the data) is being processed. After all, the data, thanks to the wonders of cloud computing and the internet, is likely to be all over the globe and constantly on the move. Everyone appeared to support this suggestion. 
These Facebook chaps talk a lot of common sense.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;The full text of Viviane Reding’s speech can be found at http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/11/817&amp;format=HTML&amp;aged=0&amp;language=EN&amp;guiLanguage=en&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2179422127028376743?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2179422127028376743'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2179422127028376743'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/12/commissioners-commenting-at-iapp.html' title='Commissioners commenting at the IAPP Congress'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-exmU7r1jp00/TteYxUIC6sI/AAAAAAAAAp4/_7m0LrzMqxo/s72-c/111130%2B-%2Bvr.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5833581016607353716</id><published>2011-11-27T04:18:00.001-08:00</published><updated>2011-11-27T14:36:34.156-08:00</updated><title type='text'>Off for a clear(er) view in Paris</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://2.bp.blogspot.com/-zeM7wErWbI4/TtIqoFJVVnI/AAAAAAAAApI/_78cSfytb60/s1600/111201%2B-%2Bblood%2Bon%2Bthe%2Btracks.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 298px; height: 301px;" src="http://2.bp.blogspot.com/-zeM7wErWbI4/TtIqoFJVVnI/AAAAAAAAApI/_78cSfytb60/s320/111201%2B-%2Bblood%2Bon%2Bthe%2Btracks.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5679648948132075122" /&gt;&lt;/a&gt;&lt;br /&gt;Today I will be packing my bags – tomorrow I leave for Paris. Not for good, just for the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;International Association of Privacy Professionals’ congress at the “Salons de la Maison des Arts et Metiers”&lt;/span&gt;&lt;/span&gt;, during which some 300 of the usual suspects will discuss the latest data protection developments. The strapline for this eagerly awaited event is &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“A Clear View”&lt;/span&gt; &lt;/span&gt;- and I expect that when the event was originally planned, it was hoped that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Viviane Reding&lt;/span&gt;&lt;/span&gt;, one of the keynote speakers, might be unveiling all of the Commission’s proposals for a new regulatory framework. &lt;br /&gt;&lt;br /&gt;Well, as we all know, that’s unlikely. What will be interesting to note is what new thinking emerges. Recent media reports have hinted at some of the proposed changes, but let’s see if any other ideas are floated. I suspect that much of the debating time will actually be spent commentating on the changes that have already been suggested. &lt;br /&gt;&lt;br /&gt;Hey ho – you never know, though.&lt;br /&gt;&lt;br /&gt;I’ll be keeping my ears to the ground to pick up the best bits of gossip as I network furiously between Monday evening and Thursday morning. 
Yes, I know that the “congress” part of the event will only take up Tuesday and Wednesday, but I plan to be one of the first to arrive and one of the last to leave.  This means that not only should I avoid most of the chaos that will be associated with the strike by British border control officials (and a very large proportion of other British public sector workers) on Wednesday, but I ought to have more time to root out some of the real data protection issues that are or ought to be of concern to us.&lt;br /&gt;&lt;br /&gt;If you know where to go, you may find a group of us in a corner of a Parisian cafe on the Rue Vernet, late on Wednesday evening, singing a quiet refrain to mark the passing of the current data protection directive.  And if &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Bob Dylan&lt;/span&gt;&lt;/span&gt; were to have had a hand in writing the lyrics, they might sound something like this:&lt;br /&gt; &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;If You See Me, Say Hello&lt;br /&gt;&lt;br /&gt;If you see me, say hello, I’ll buy you a cold beer&lt;br /&gt;I checked in Monday afternoon, and you’re OK, I hear&lt;br /&gt;I should tell you that I’m all right, though feeling kind of strange&lt;br /&gt;As the rules which are so familiar are just about to change&lt;br /&gt;&lt;br /&gt;We haven’t had a falling-out, like best friends often will&lt;br /&gt;And to think of how I heard that day, it still brings to me a chill&lt;br /&gt;As we discuss our separation, it’s piercing me through to my heart&lt;br /&gt;Old ways still live deep inside of me, but from these we need to part&lt;br /&gt;&lt;br /&gt;If you get time enough, we’ll have one last drink on me&lt;br /&gt;I always have respected you, but I’m busting out and gettin' free&lt;br /&gt;Oh, whatever makes you happy, I won't stand in your way&lt;br /&gt;Though the bitter taste still lingers as I know you cannot stay&lt;br /&gt;&lt;br 
/&gt;I see a lot of people as I make the rounds&lt;br /&gt;And I say your name here and there as I go from town to town&lt;br /&gt;I’ve never undermined you, I’ve quoted from you oft&lt;br /&gt;Either I'm too sensitive or else I'm gettin' soft&lt;br /&gt;&lt;br /&gt;From morning to night time, I replay the past&lt;br /&gt;I know every article by heart, they all went in so fast&lt;br /&gt;If you’re passin’ back this way, I'm not that hard to find&lt;br /&gt;You can always look me up - I really wouldn't mind&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;Many thanks to &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Bob Dylan&lt;/span&gt;&lt;/span&gt;, whose song &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“If you see her, say hello”&lt;/span&gt;&lt;/span&gt; can be found on his &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Blood on the Tracks”&lt;/span&gt;&lt;/span&gt; album. 
The discussions at the forthcoming IAPP congress should not result in any blood being spilt on Parisian carpets – but, metaphorically, you just never know what might happen.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-5833581016607353716?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5833581016607353716'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5833581016607353716'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/off-for-clearer-view-in-paris.html' title='Off for a clear(er) view in Paris'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-zeM7wErWbI4/TtIqoFJVVnI/AAAAAAAAApI/_78cSfytb60/s72-c/111201%2B-%2Bblood%2Bon%2Bthe%2Btracks.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8899741360028751727</id><published>2011-11-25T08:45:00.001-08:00</published><updated>2011-11-25T09:08:46.189-08:00</updated><title type='text'>The ICO joins the blogosphere</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-WI2GRTH92vA/Ts_GVORqSRI/AAAAAAAAAo8/lUOoWYxWmVo/s1600/111125%2B-%2BICO%2Bblog.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 84px;" 
src="http://4.bp.blogspot.com/-WI2GRTH92vA/Ts_GVORqSRI/AAAAAAAAAo8/lUOoWYxWmVo/s320/111125%2B-%2BICO%2Bblog.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5678975723049208082" /&gt;&lt;/a&gt;&lt;br /&gt;Welcome! A new blogger has emerged to offer thoughts and insights on data protection and freedom of information issues. This is great news – especially as the new entrant is the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Information Commissioner’s Office&lt;/span&gt;&lt;/span&gt; itself. Yesterday marked their first posting – with &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Deputy Commissioner David Smith&lt;/span&gt;&lt;/span&gt; doing the honours, writing the historic first entry. &lt;br /&gt;&lt;br /&gt;David focussed on an issue close to my heart, the future of data protection law in Europe.  And what he had to say heartened me, as it was very much along the lines that I’ve been blogging about recently, too. &lt;br /&gt;&lt;br /&gt;On the date of the release of the Commission’s proposals for a new legal framework, David explained why it was unlikely to be before the end of January. I suggested on &lt;span style="font-weight:bold;"&gt;26 September &lt;/span&gt;that it was more likely to be published after St Valentine’s Day (even though Data Protection Day, 28 January, would have been a good date to reveal all). 
&lt;br /&gt;&lt;br /&gt;On whether the Commission’s proposals would be for another Directive or a Regulation, David explained that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“two instruments would fit with the UK Government’s right to opt out of new EU measures covering the former third pillar&lt;/span&gt;&lt;/span&gt; [which is the area of crime and justice], &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;but might make it harder to achieve our objective of a single, overarching framework applying to all the processing of personal data carried out in the EU.”&lt;/span&gt;&lt;/span&gt; He didn’t address the issue I raised on &lt;span style="font-weight:bold;"&gt;9 October&lt;/span&gt; which suggested that Regulations could only be laid if it were demonstrably impractical for a Directive to be agreed.  Remember, Regulations have direct effect in that they do not have to be transposed into member states’ laws.&lt;br /&gt;&lt;br /&gt;On the content of the new framework, David was very firmly of the view that it must be &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“clear in what it does and does not cover and is easy for businesses to understand and apply. Regulation that is hard to understand and even harder to apply will not be followed in practice and does not serve the interests of those we are trying to protect.”&lt;/span&gt;&lt;/span&gt; Great stuff. 
Just what I said on &lt;span style="font-weight:bold;"&gt;21 November&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;David also emphasised that individuals need to have rights that are &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“clear, effective and simple to use.”&lt;/span&gt;&lt;/span&gt; On the “right to be forgotten” argument he suggested that: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“the position of the individual could be strengthened simply by changing the existing right to object to processing from one where the individual has to provide compelling legitimate reasons for deletion to one where it is the data controller who has to provide the compelling legitimate reasons for retention.”&lt;/span&gt;&lt;/span&gt; This seems like a useful idea, and will encourage data controllers to be clearer about why data is retained (but doesn’t address the issue I raised on &lt;span style="font-weight:bold;"&gt;13 September&lt;/span&gt; about the ease with which data controllers outside Europe can archive and retain data).&lt;br /&gt;&lt;br /&gt;David was also a keen supporter of an “accountability” principle: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“The law should be less prescriptive about means but business should be able to account for how they deliver data protection in practice. Concepts like privacy impact assessments and in house data protection officers are important, but should not be mandatory in all cases. 
This approach should extend to international transfers of personal data so that businesses take their own decisions on “adequacy” but can be challenged if they get this wrong.”&lt;/span&gt;&lt;/span&gt; I like this principle too, and am sure I have mentioned it once or twice in the 257 posts I have published since January 2010.&lt;br /&gt;&lt;br /&gt;On the role of Data Protection Authorities, David was keen to preserve the British model: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“We need to be independent, have a clear role and be armed with effective powers but we should supervise, enforce and advise rather than give prior approval or authorisation to a data controller’s activities.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Interestingly, David also commented that much of the Commission’s current thinking is influenced by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“large multi-national, mainly US based, businesses”&lt;/span&gt;&lt;/span&gt;. There was a relatively low level of engagement from those representing European business and citizens’ interests. Perhaps this is because, given these harsh economic times, European businesses and consumer groups simply have not been able to allocate sufficient resources to enable those who would have liked to have had their say to actually engage more fully in the lobbying process. I expect this may change slightly when the first draft of the Commission’s proposals has been published. I blogged on &lt;span style="font-weight:bold;"&gt;8 October&lt;/span&gt; about the likely political impact of these proposals, and am amazed that no-one has yet posted that impact assessment on the web. 
We data protectors are obviously better at respecting confidences than English rugby players (or English rugby administrators, or whoever else it was)!&lt;br /&gt;&lt;br /&gt;One thought has just occurred to me – given the similarity of views between yours truly and the Commissioner’s Office, perhaps I ought to apply for the post of Information Commissioner when the present incumbent’s term expires ...  &lt;br /&gt;&lt;br /&gt;I’ll certainly watch out for future ICO blog postings. But remember folks – don’t stray too far away from my blog. You might read about most of it here, first!&lt;br /&gt;  &lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.ico.gov.uk/news/blog.aspx&lt;br /&gt;http://www.telegraph.co.uk/sport/rugbyunion/international/england/8915521/English-rugby-scandal-live-reaction.html&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8899741360028751727?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8899741360028751727'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8899741360028751727'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/ico-joins-blogosphere.html' title='The ICO joins the blogosphere'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/-WI2GRTH92vA/Ts_GVORqSRI/AAAAAAAAAo8/lUOoWYxWmVo/s72-c/111125%2B-%2BICO%2Bblog.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5224010402479336637</id><published>2011-11-25T02:32:00.000-08:00</published><updated>2011-11-25T02:51:15.409-08:00</updated><title type='text'>The BBW data breach report – a tsunami of trivia</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-lpcJKZlRZJU/Ts9u-lYh2WI/AAAAAAAAAow/0GB_1sw5fEs/s1600/111125%2B-%2BBBW%2Breport.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 225px; height: 320px;" src="http://1.bp.blogspot.com/-lpcJKZlRZJU/Ts9u-lYh2WI/AAAAAAAAAow/0GB_1sw5fEs/s320/111125%2B-%2BBBW%2Breport.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5678879676603423074" /&gt;&lt;/a&gt;&lt;br /&gt;There’s an interesting report out from the folk at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Big Brother Watch&lt;/span&gt;&lt;/span&gt;. It highlights research revealing more than 1035 data breaches across 132 local authorities, including at least 35 councils who have lost information about children and those in care. At least 244 laptops and portable computers were lost, while 98 memory sticks and more than 93 mobile devices went missing.&lt;br /&gt;&lt;br /&gt;Only 55 breaches were reported to the Information Commissioner’s Office. And, only 9 incidents resulted in termination of employment. BBW were very concerned that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“highly confidential information has been treated without the proper care and respect it deserves”&lt;/span&gt;&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Is this report really as shocking as it appears? 
Let’s unpack it a little.&lt;br /&gt;&lt;br /&gt;First, the time frame over which the breaches occurred – the report covers breaches over a 3 year period, from July 2008 to July 2011. &lt;br /&gt;&lt;br /&gt;Second, the breach reports include losses of encrypted as well as unencrypted information. So it’s really hard to unpack the reports to work out how many breaches related to unencrypted sensitive information – of the sort that really could cause harm or embarrassment to those whose information was compromised.&lt;br /&gt;&lt;br /&gt;Third, and as we can expect from a report of local authority data breaches, a small proportion (less than 10%) of breaches related to information about some 3100 children, young people or students. &lt;br /&gt;&lt;br /&gt;Fourth, the incidents included cases where council staff had lost information which had been downloaded onto personal laptops and computers. It highlights the risks involved when data is moved around by staff to enable them to work on a different machine: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“Where council information has been transferred to a personal machine, there is no guarantee that personal devices contain the same security and encryption protection. Indeed, several incidents have been highlighted where malware has been discovered on machines, a risk of using personal machines where virus and anti-malware is often not at the same level as a corporate machine.&lt;/span&gt;”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And, of course, the report repeats the advice on the use of portable memory storage and mobile devices that all security professionals know off by heart, yet can’t quite get their businesses to fully implement:&lt;span style="font-weight:bold;"&gt; &lt;span style="font-style:italic;"&gt;“Policies and procedures should reflect not only how information is stored, but the grounds for which it should be moved in the first place. 
As soon as information is held on a portable device, the risk for that information to be compromised significantly increases and so much more needs to be done to restrict the transfer of data occurring in the first place.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So where does this leave us? Well, the report does offer some fine (or tongue in cheek) examples of the lengths to which a local authority will (apparently) go to contain a data breach. For example, in &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Bolton&lt;/span&gt;&lt;/span&gt;, a smartphone containing internal contact details of council employees slid off a car bonnet and fell into a shaft. The phone was assessed to be irretrievable without dismantling the car park. Instead, it was sent a remote wipe command within one hour and the owner of the car park subsequently sealed the cavity with concrete. My, they take the security of their staff seriously in Bolton!&lt;br /&gt;&lt;br /&gt;Sometimes when paper documents were mislaid or wrongly addressed, the breach was reported to the ICO. Mostly, they were not. &lt;br /&gt;&lt;br /&gt;And does it really matter that the ICO was not formally advised of all security breaches? &lt;br /&gt;&lt;br /&gt;Frankly, I think it supports the case that reports of all data breaches would have served no useful purpose, as so many of them were trivial in nature or they occurred despite the usual steps being taken to safeguard against loss. For example,&lt;span style="font-weight:bold;"&gt; &lt;span style="font-style:italic;"&gt;Bromley &lt;/span&gt;&lt;/span&gt;council reported that 2 USB sticks were stolen from a Council-run youth centre. The USB sticks were inside a security safe which was itself stolen. 
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Buckinghamshire&lt;/span&gt; &lt;/span&gt;council reported that a disk containing data on vulnerable children was left in the hard drive when a personal computer was taken away to be replaced – but the repairers were immediately contacted and the data was retrieved. In another breach, it reported that a social worker lost client notes in their office – but access to that site is controlled and no outsiders are permitted to visit that area. &lt;br /&gt;&lt;br /&gt;In other cases, global emails were sent, without blind copying. Simple mistakes – we’ve all done that. Oh yes. Yes, even (unnamed) experienced and award winning data protection solicitors have done that. &lt;br /&gt;&lt;br /&gt;Actually, what I would have loved to have read about was not the data breaches, but a frank assessment of whether anyone was actually harmed as a result of the breaches. The report’s authors did not address this point, and I think that’s a lost opportunity.&lt;br /&gt;&lt;br /&gt;What we have is evidence of system failures, but not evidence of system failures that caused harm.&lt;br /&gt;&lt;br /&gt;So we should be careful not to scare the readers of these reports by suggesting that, in light of these incidents, data handling standards are necessarily unacceptably low. Of course there’s always room for improvement, but until real harm can be seen to have been caused, I would expect many council officials to be wary of spending a greater proportion of their diminishing budgets on enhanced security measures.&lt;br /&gt;&lt;br /&gt;Perhaps, of the 1035 incidents, there really were only 55 that merited the attention of the ICO. 
In that case, they have been saved reading through an awful lot of reports of trivial breaches.&lt;br /&gt;&lt;br /&gt;Let’s hope that the new data protection directive also contains proposals that require data controllers to report the serious breaches to the regulator, rather than get them to wade through a tsunami of trivia.  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.bigbrotherwatch.org.uk/home/2011/11/local-authority-data-loss-exposed.html#.Tsy-109jUjw&lt;br /&gt;http://bigbrotherwatch.org.uk/la-data-loss.pdf&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-5224010402479336637?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5224010402479336637'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5224010402479336637'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/bbw-data-breach-report-tsunami-of.html' title='The BBW data breach report – a tsunami of trivia'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-lpcJKZlRZJU/Ts9u-lYh2WI/AAAAAAAAAow/0GB_1sw5fEs/s72-c/111125%2B-%2BBBW%2Breport.JPG' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8466515306529884068</id><published>2011-11-21T15:19:00.001-08:00</published><updated>2011-11-21T23:39:53.332-08:00</updated><title type='text'>“Frictionless” – the new buzz word from Silicon Valley</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-88-L5Y9qL2E/TsrchnIcZ6I/AAAAAAAAAok/gmnFsAuaiQw/s1600/111120%2B-%2Bapple.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 314px; height: 320px;" src="http://3.bp.blogspot.com/-88-L5Y9qL2E/TsrchnIcZ6I/AAAAAAAAAok/gmnFsAuaiQw/s320/111120%2B-%2Bapple.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5677592750252124066" /&gt;&lt;/a&gt;&lt;br /&gt;Attending a meeting in Central London tonight, someone used a brilliant phrase she had picked up while out doing stuff in Silicon Valley, California. The conversation was about how customers viewed the products and services that were offered to them.  And the key feature was, these days, the way the product or service answered the question &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“how frictionless was that&lt;/span&gt;”&lt;/span&gt;?&lt;br /&gt;&lt;br /&gt;I think it’s a brilliant phrase – as the very best brands have products or services which, quite simply, just work. Think of anything we buy from Apple. Who ever pulled out the user manual before getting it to work for the first time? Their products are just so intuitive that you feel that you know how to use them as soon as you take them out of the box.&lt;br /&gt;&lt;br /&gt;I can’t imagine me always saying the same thing about a piece of flat pack furniture from Ikea.&lt;br /&gt;&lt;br /&gt;So, as it considers the changes it will propose, I’m determined to lobby the European Parliament to create a “frictionless” data protection directive. 
I mean, wouldn’t it be nice to have a piece of legislation that simply was intuitive and worked. One that met the needs of both individuals and bodies that used personal information. One that didn’t need an expensive “translation layer” in which our learned friends spent years disagreeing with each other about what the words actually meant, and therefore how they could be implemented without the European Commission feeling minded to take infraction proceedings against Member States on the grounds that they hadn’t got the domestic legislation quite right.&lt;br /&gt;&lt;br /&gt;Perhaps we should lobby for a new, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;9th Data Protection Principle – that personal data should be regulated by a set of frictionless rules, readily understood by all parties&lt;/span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8466515306529884068?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8466515306529884068'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8466515306529884068'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/frictionless-new-buzz-word-from-silicon.html' title='“Frictionless” – the new buzz word from Silicon Valley'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-88-L5Y9qL2E/TsrchnIcZ6I/AAAAAAAAAok/gmnFsAuaiQw/s72-c/111120%2B-%2Bapple.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6930966793661186855</id><published>2011-11-20T04:13:00.001-08:00</published><updated>2011-11-20T04:20:24.465-08:00</updated><title type='text'>Whose personal data is it anyway?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-i0x69mzmo20/Tsju7-c2ZJI/AAAAAAAAAoM/4w3r2xQm3aY/s1600/111120%2B-%2Bwhose%2Blife.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 243px; height: 320px;" src="http://4.bp.blogspot.com/-i0x69mzmo20/Tsju7-c2ZJI/AAAAAAAAAoM/4w3r2xQm3aY/s320/111120%2B-%2Bwhose%2Blife.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5677050044444206226" /&gt;&lt;/a&gt;&lt;br /&gt;The current “debate” over the “right” to be forgotten reminds me of the plot of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Whose Life is it Anyway?&lt;/span&gt;&lt;/span&gt;, a television play first  transmitted in 1972. The play brilliantly raised issues that were so profound that the television version was turned into an award winning stage play starring &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Tom Conti&lt;/span&gt;&lt;/span&gt; in the West End in 1978, transferring to Broadway the following year. The film version, starring &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Dreyfuss&lt;/span&gt;&lt;/span&gt;, was released in 1981. &lt;br /&gt;&lt;br /&gt;What’s it about?  Basically, the central figure is a profoundly handicapped sculptor. Left a quadriplegic after a car accident, he feels utterly useless, as both an artist and a human being. He doesn't want his family's love, or his doctor's care, or his nurse's ministrations. 
He simply wants to die – but this is impossible, given the legal state of things in the 1970s. It’s one of the few plays/films in which a person's right to self-destruction is regarded as a happy ending. Actually, it’s not as depressing as it sounds, and contains some wonderfully funny lines.&lt;br /&gt;&lt;br /&gt;It’s reminded me (as if I ever needed reminding) that Human Rights Act legislation ended up conferring rights on bodies that aren’t even human. In a data protection context, data controllers have rights, too, and these need to be balanced against the rights of individuals. &lt;br /&gt;&lt;br /&gt;How can these individuals assert, say, their rights to have their data deleted, when it is held by data controllers over which they have no control? How long will the European Commission try to assert that individuals within the European Union should actually have the power, say to force the Internet Archive, which is not based in the European Union (nor does it have any equipment or offices within the European Union), to delete “their” personal data on demand?&lt;br /&gt;&lt;br /&gt;I gather tempers got quite heated during a recent meeting of Data Protection Commissioners as they discussed such things. What may be nice to have in theory can be impossible in practice.&lt;br /&gt;&lt;br /&gt;So my advice to those who wish to continue this argument is to agree that, rather than exchanging views in ever more strident tones, they order a copy of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Whose Life is it Anyway?&lt;/span&gt;&lt;/span&gt; DVD and appreciate that the problem wasn’t totally resolved when it was debated 40 years ago. The protagonists should not get too hot under the collar when it dawns on them that they can’t totally resolve it now – but they will have a really enjoyable 118 minutes.  
&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6930966793661186855?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6930966793661186855'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6930966793661186855'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/whose-personal-data-is-it-anyway.html' title='Whose personal data is it anyway?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-i0x69mzmo20/Tsju7-c2ZJI/AAAAAAAAAoM/4w3r2xQm3aY/s72-c/111120%2B-%2Bwhose%2Blife.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-943310279719999223</id><published>2011-11-19T14:19:00.000-08:00</published><updated>2011-11-19T14:29:40.658-08:00</updated><title type='text'>What sort of Directive will emerge from this fundamental divergence of views?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-4s0p_Y4gvWA/Tsgr8Tya3vI/AAAAAAAAAoA/96I50xnLBo0/s1600/111119%2B%253D%2Beu%2Bdivas.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/-4s0p_Y4gvWA/Tsgr8Tya3vI/AAAAAAAAAoA/96I50xnLBo0/s320/111119%2B%253D%2Beu%2Bdivas.jpg" border="0" 
alt=""id="BLOGGER_PHOTO_ID_5676835645404405490" /&gt;&lt;/a&gt;&lt;br /&gt;The more I think about these things, the more I thank my lucky stars that I’m not going to be accountable for proposing a new Data Protection Directive. The closer we get to European Data Protection Day (28 January 2012) the happier I am that my DNA won’t be too closely associated with (perhaps) the first publicly available draft of the new proposals. &lt;br /&gt; &lt;br /&gt;The battle lines have already been drawn up and if you know where to look, you can read about the tectonic policy plates grinding along the usual fault lines. The principal fault line seems to be the extent to which common rules will be imposed on data controllers and on citizens across the entire Community, and the extent to which Member States will be able to implement the main rules in ways that sympathetically address local cultural traditions. &lt;br /&gt;&lt;br /&gt;I’ve recently been reading the comments made by prominent ladies on the different sides trotting out their positions – and I am really not sure which side will eventually win.&lt;br /&gt;&lt;br /&gt;On the “One law to rule them all” side, we have people who share the views expressed by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Commissioner Viviane Reding&lt;/span&gt;&lt;/span&gt;. She was recently interviewed by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Washington Post&lt;/span&gt;&lt;/span&gt;, and made it pretty clear that her preference is for a highly harmonised set of binding regulatory rules for all data controllers. In her words: &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"Today in Europe, if you are an American company, you have to abide by 27 different interpretations of the EU law data protection. This makes no sense for a business and is absolutely cumbersome. 
Our reforms are aimed at getting rid of this fragmentation and providing consistency and coherence for the whole of the continent. That means providing services to 500 million people, which presents a fantastic business opportunity for companies.&lt;br /&gt;&lt;br /&gt;Q: What do you think of self-regulation? Is it a good idea?&lt;br /&gt;&lt;br /&gt;A: Self-regulation can be little more than a fig leaf. It works only if there is strong, legally binding regulation in the first place. Otherwise self-regulation means that everyone does whatever he or she has in mind. Just look at the instability that self-regulation in the financial markets brought us. The financial markets, through personal greed and irresponsibility, failed to effectively regulate themselves. This is why I do encourage codes of conduct for businesses in Europe provided that they are fully in line with our European data protection law.&lt;br /&gt;&lt;br /&gt;Q: Explain your philosophy behind individual privacy.&lt;br /&gt;&lt;br /&gt;A: It is clear that every citizen has a right to their own data. Before a company can use your data they should ask for permission. This is a basic rule of the European Union.&lt;br /&gt;&lt;br /&gt;We do have a set of rules today that is not always being applied and controlled in the way it should be. That has led to fragmentation and different interpretations of the rules.&lt;br /&gt;&lt;br /&gt;For example, with Google’s StreetView last year, seven countries took seven different decisions on how to deal with a case of e-mails being collected and stored without people knowing it. Divergent interpretations of the same rules in the same situation is not good -- neither for citizens nor for companies.&lt;br /&gt;&lt;br /&gt;Q:Is there a divergence between the U.S. and Europe in terms of the approach to data privacy?&lt;br /&gt;&lt;br /&gt;A:It is clear that we have different approaches between the two sides of the Atlantic. 
The American people and their representatives understand that the question of data protection is not a theoretical one. These are not questions by idealists but bipartisan issues that are directly linked to the way we see the individual, the citizen, in our society. But I also want to say that we are heartened to see proposals such as the one by Senators John Kerry (D-Mass.) and John McCain (R-Ariz.) for new online privacy rules." &lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And, on the other side, we have people who share the views expressed by commentators such as &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Janet Daley&lt;/span&gt;&lt;/span&gt;. Writing in the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Daily Telegraph&lt;/span&gt;&lt;/span&gt; recently she made her distaste of detailed centralist European regulation very clear. As far as she is concerned:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"What you hear in the grandiose speeches of European leaders and the bumptious pronouncements of EU officials is precisely this: we have an ideal system which can guarantee infinite security and wellbeing, provided that everyone behaves in ways that are consistent with the rules of life as we describe them.&lt;br /&gt;&lt;br /&gt;The great irony of the [economic] mess we are now in is that this concept of a totally rational, perfect society which must be imposed on actual people, each with his own distinct experience and perception of life, was the same delusion that wreaked havoc in Europe for generations. From one Terror to another, Robespierre to Stalin, the enforced experiments ran their course. And virtually every one required the “temporary” expunging of democracy.&lt;br /&gt;&lt;br /&gt;... 
However repugnant the present generation of capitalists may be, and however much personal disrepute they may incur, it is not capitalism that is about to destroy the prosperity of the populations of modern Europe. It is the folly of enforced uniformity – yet another dream of enlightened perfection – that will accomplish that."&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It’s an argument that will run for a long time. And the deeper I think about these issues, the more sympathy I feel with the need to respect local cultural traditions, rather than have rules imposed that will generally be ignored locally precisely because they conflict with local cultural traditions. If I were ever to work for a multinational, or global, data controller, I might be more sympathetic to the practical problems they deal with as they offer services across continents. But, currently, I don’t, so I’ll focus on developing an approach that respects local, or national, needs, rather than a more centralist approach. &lt;br /&gt;&lt;br /&gt;Should I change my employer in the New Year, I may revisit this view. 
But, right now, this is what I think.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.washingtonpost.com/blogs/post-tech/post/qanda-eu-chief-privacy-regulator-on-new-internet-rules/2011/11/15/gIQAOeZzRN_blog.htm&lt;br /&gt;http://www.telegraph.co.uk/news/worldnews/europe/8886150/Theres-nothing-new-about-this-European-folly.html&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-943310279719999223?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/943310279719999223'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/943310279719999223'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/what-sort-of-directive-will-emerge-from.html' title='What sort of Directive will emerge from this fundamental divergence of views?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-4s0p_Y4gvWA/Tsgr8Tya3vI/AAAAAAAAAoA/96I50xnLBo0/s72-c/111119%2B%253D%2Beu%2Bdivas.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6118252562792237020</id><published>2011-11-18T09:19:00.000-08:00</published><updated>2011-11-18T09:36:49.989-08:00</updated><title type='text'>ICO to change its name</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://4.bp.blogspot.com/-hvbWjoHuavQ/TsaT4mX9mVI/AAAAAAAAAn0/5eVgvZw8A-U/s1600/111118%2B-%2Brename.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 136px;" src="http://4.bp.blogspot.com/-hvbWjoHuavQ/TsaT4mX9mVI/AAAAAAAAAn0/5eVgvZw8A-U/s320/111118%2B-%2Brename.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5676386980930099538" /&gt;&lt;/a&gt;&lt;br /&gt;I am not making this up.  The hunt is on to dream up a new name for the Information Commissioner’s Office in Wilmslow. &lt;br /&gt;&lt;br /&gt;What? Does that mean we could see the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Office of the Information Commissioner&lt;/span&gt;&lt;/span&gt; (aka “the OIC”), or perhaps the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Information Rights Commissioner&lt;/span&gt;&lt;/span&gt;?&lt;br /&gt;&lt;br /&gt;No way. Actually what is on the cards is a new name for &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Wycliffe House&lt;/span&gt;&lt;/span&gt; the office building that houses the Information Commissioner’s staff in Water Lane in Wilmslow.&lt;br /&gt;&lt;br /&gt;The ICO’s staff have been invited to submit ideas for a new name for the building. I haven’t, but that won’t stop me thinking up something appropriate. And even if you haven’t been specifically asked, please consider this as an extended invitation to join in the fun.&lt;br /&gt;   &lt;br /&gt;Let’s set some ground rules here:&lt;br /&gt;&lt;br /&gt;1) No profanities in any of the working languages of the European Community.&lt;br /&gt;2) Try and get the name to reflect the work that goes on there.&lt;br /&gt;3) Include an homage to previous leaders. 
A quick hint – the former leaders were &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Eric Howe, Elizabeth France, Richard Thomas&lt;/span&gt;&lt;/span&gt;, while the current incumbent is &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Christopher Graham&lt;/span&gt;&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;Surely, there must be better ideas than these:&lt;br /&gt;&lt;br /&gt;Using the first letter of the surnames of Eric &lt;span style="font-weight:bold;"&gt;H&lt;/span&gt;owe, Elizabeth &lt;span style="font-weight:bold;"&gt;F&lt;/span&gt;rance, Richard &lt;span style="font-weight:bold;"&gt;T&lt;/span&gt;homas and Christopher &lt;span style="font-weight:bold;"&gt;G&lt;/span&gt;raham, and adding &lt;span style="font-weight:bold;"&gt;I&lt;/span&gt; for Information and &lt;span style="font-weight:bold;"&gt;R&lt;/span&gt; for Rights you get &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Fright&lt;/span&gt;&lt;/span&gt;, so perhaps &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Fright House?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Or, using the first two letters of the forenames of &lt;span style="font-weight:bold;"&gt;Er&lt;/span&gt;ic Howe, &lt;span style="font-weight:bold;"&gt;El&lt;/span&gt;izabeth France, &lt;span style="font-weight:bold;"&gt;Ri&lt;/span&gt;chard Thomas and &lt;span style="font-weight:bold;"&gt;Ch&lt;/span&gt;ristopher Graham, and &lt;span style="font-weight:bold;"&gt;D&lt;/span&gt; for Data, &lt;span style="font-weight:bold;"&gt;P&lt;/span&gt; for Protection and &lt;span style="font-weight:bold;"&gt;A&lt;/span&gt; for Act you get &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Charred Pile&lt;/span&gt;&lt;/span&gt;, and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Harped Relic&lt;/span&gt;&lt;/span&gt;. 
No, I don't like those very much.&lt;br /&gt;&lt;br /&gt;Or, using the first two letters of the forenames of &lt;span style="font-weight:bold;"&gt;Er&lt;/span&gt;ic Howe, &lt;span style="font-weight:bold;"&gt;El&lt;/span&gt;izabeth France, &lt;span style="font-weight:bold;"&gt;Ri&lt;/span&gt;chard Thomas and &lt;span style="font-weight:bold;"&gt;Ch&lt;/span&gt;ristopher Graham, and&lt;span style="font-weight:bold;"&gt; I&lt;/span&gt; for Information &lt;span style="font-weight:bold;"&gt;C &lt;/span&gt;for Commissioner and &lt;span style="font-weight:bold;"&gt;O&lt;/span&gt; for Office you get &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Heroic Relic&lt;/span&gt;&lt;/span&gt;. No, that's not right, either.&lt;br /&gt;&lt;br /&gt;Or, using the first two letters of the forenames of &lt;span style="font-weight:bold;"&gt;Er&lt;/span&gt;ic Howe, &lt;span style="font-weight:bold;"&gt;El&lt;/span&gt;izabeth France, &lt;span style="font-weight:bold;"&gt;Ri&lt;/span&gt;chard Thomas and &lt;span style="font-weight:bold;"&gt;Ch&lt;/span&gt;ristopher Graham, and &lt;span style="font-weight:bold;"&gt;U&lt;/span&gt; for Upholding, &lt;span style="font-weight:bold;"&gt;D&lt;/span&gt; for Data, and &lt;span style="font-weight:bold;"&gt;P&lt;/span&gt; for Protection you get &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Crier Upheld&lt;/span&gt;&lt;/span&gt; and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Epic Hurdler&lt;/span&gt;&lt;/span&gt;. 
Still not very impressive.&lt;br /&gt;&lt;br /&gt;And finally for today, using the first letter of the surnames of Eric &lt;span style="font-weight:bold;"&gt;H&lt;/span&gt;owe, Elizabeth &lt;span style="font-weight:bold;"&gt;F&lt;/span&gt;rance, Richard &lt;span style="font-weight:bold;"&gt;T&lt;/span&gt;homas and Christopher &lt;span style="font-weight:bold;"&gt;G&lt;/span&gt;raham, and adding &lt;span style="font-weight:bold;"&gt;U&lt;/span&gt; for upholding, &lt;span style="font-weight:bold;"&gt;I&lt;/span&gt; for Information and &lt;span style="font-weight:bold;"&gt;R&lt;/span&gt; for Rights you get &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Frig Hut&lt;/span&gt;&lt;/span&gt;. Come on readers, you ought to be able to do better than this!&lt;br /&gt;&lt;br /&gt;Fellow entrants are welcome to use a clever website to help them create their own anagrams once they’ve decided what letters to use – take a look and try out the wonderful &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;http://wordsmith.org/anagram&lt;/span&gt;&lt;/span&gt;. I would get your entries over to your usual contact at the ICO sharpish, if I were you. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources: &lt;/span&gt;&lt;br /&gt;http://www.ico.gov.uk/about_us/boards_committees_and_minutes/executive_team.aspx&lt;br /&gt;(See Item 7.1 of the minutes of the ICO’s Executive Team Meeting, held on 3 October 2011)&lt;br /&gt;&lt;br /&gt;http://babynamesworld.parentsconnect.com/meaning_of_Frig.html (Frig is not a rude word, actually it’s of Germanic origin, meaning peaceful ruler or peacekeeper – which is what the ICO tries to do, an awful lot of the time). 
&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6118252562792237020?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6118252562792237020'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6118252562792237020'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/ico-to-change-its-name.html' title='ICO to change its name'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-hvbWjoHuavQ/TsaT4mX9mVI/AAAAAAAAAn0/5eVgvZw8A-U/s72-c/111118%2B-%2Brename.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6887229885067535974</id><published>2011-11-17T10:52:00.001-08:00</published><updated>2011-11-17T14:59:09.787-08:00</updated><title type='text'>Cloud Computing: reviewing the risks</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-GEAL7FCbHQc/TsVYBOKzBTI/AAAAAAAAAno/4cfvcCfd42U/s1600/111117%2B-%2Bknow%2Bthe%2Bnet.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 59px;" src="http://3.bp.blogspot.com/-GEAL7FCbHQc/TsVYBOKzBTI/AAAAAAAAAno/4cfvcCfd42U/s320/111117%2B-%2Bknow%2Bthe%2Bnet.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5676039683376874802" /&gt;&lt;/a&gt;&lt;br /&gt;I’ve just attended an excellent 
private discussion forum on cloud computing and consumerisation. Attendees considered the benefits, as well as the possible pitfalls, of this emerging technology, as it might be used by public authorities, private companies, and individual consumers. No, I won’t be reporting in detail on what was discussed under the Chatham House rules. All I’ll say is that the event was held by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Information Assurance Advisory Council&lt;/span&gt;&lt;/span&gt; and that it took place at the offices of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;British Computer Society&lt;/span&gt;&lt;/span&gt; in &lt;span style="font-weight:bold;"&gt;&lt;span style="font-weight:bold;"&gt;Covent Garden&lt;/span&gt;&lt;/span&gt;. Now then, those who read this blog and who know about the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;IAAC&lt;/span&gt;&lt;/span&gt; will be able to appreciate who might have attended.&lt;br /&gt;&lt;br /&gt;What I will say, however, is that some of the discussions might have been oddly familiar to those who can access the minutes of the meetings of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Royal Society&lt;/span&gt;&lt;/span&gt; in the Victorian era. During the early part of that era, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Michael Faraday&lt;/span&gt;&lt;/span&gt; read before the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Royal Society&lt;/span&gt;&lt;/span&gt; a series of 30 papers about his experimental researches in electricity. Gradually, private companies created their own Directors of Electricity, as each company generated its own power. 
It was only at the very end of the Victorian era that the concept of a high voltage integrated electrical power distribution system was created in the UK, and private companies made their Directors of Electricity redundant as they joined what was to become the National Grid.  &lt;br /&gt;&lt;br /&gt;It occurred to me on the tube home that many of the issues that needed to be considered as companies were faced with the choice of continuing with their own power generation capabilities, or moving towards a shared power service were oddly familiar to those of us who are thinking deeply about the cloud computing conundrum. What is also oddly familiar is the venue for some of the dinners held by the IAAC – after all, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Simpson’s in the Strand&lt;/span&gt;&lt;/span&gt; rose to prominence in the mid Victorian era, too, and would have been frequented by members of the great and the good and by those who were sufficiently interested in modern matters (such as members of the Royal Society).&lt;br /&gt;&lt;br /&gt;One key message emerging from today’s meeting that I am free to share is the need for people to be aware of what the cloud computing risks and rewards actually are. Easy to say, actually very hard in practice to deliver. After all, we all think we know what we are talking about, but is our knowledge level really that deep?&lt;br /&gt;&lt;br /&gt;To demonstrate (just to you) how flaky your own knowledge might be, I’ve come across this really handy on-line test which asks a series of questions about what is legal, and what is not legal, when you use Twitter, Facebook, upload material, blog, get involved in on-line discussions or sell anything on the internet. 
You may think you know the law – but is that really the case?&lt;br /&gt;&lt;br /&gt;Feel free to take this on-line test, at   &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;http://accidentaloutlaw.knowthenet.org.uk/&lt;/span&gt;&lt;/span&gt; hosted by Nominet (so it is a credible website), and marvel at your own results. It will only take a few minutes to complete, and no-one else ought to be able to know how knowledgeable you really are.&lt;br /&gt;&lt;br /&gt;And it makes you wonder that if normal people are as ignorant about the basic elements of the current law as those of us who take this straightforward test, then what hope is there of getting them to appreciate the possible consequences of allowing their own material to be stored or processed in a cloud environment? &lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6887229885067535974?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6887229885067535974'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6887229885067535974'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/cloud-computing-calculating-risks.html' title='Cloud Computing: reviewing the risks'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://3.bp.blogspot.com/-GEAL7FCbHQc/TsVYBOKzBTI/AAAAAAAAAno/4cfvcCfd42U/s72-c/111117%2B-%2Bknow%2Bthe%2Bnet.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3548789764186255262</id><published>2011-11-15T10:25:00.001-08:00</published><updated>2011-11-15T12:57:20.455-08:00</updated><title type='text'>So, even Cabinet Office Ministers have to comply with Cabinet Office rules, these days</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-0IsjaZpQ8ow/TsKuwQiBvDI/AAAAAAAAAnc/HcSTarVnbSY/s1600/111115%2B-%2Bletwin.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 218px;" src="http://3.bp.blogspot.com/-0IsjaZpQ8ow/TsKuwQiBvDI/AAAAAAAAAnc/HcSTarVnbSY/s320/111115%2B-%2Bletwin.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5675290624534887474" /&gt;&lt;/a&gt;&lt;br /&gt;Ouch. But we ought to commend &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Oliver Letwin, the Minister of State for Policy at the Cabinet Office&lt;/span&gt;&lt;/span&gt;, for agreeing so quickly to accept the regulatory action that the ICO has considered appropriate after the media reported on his somewhat strange data handling practices last month.&lt;br /&gt; &lt;br /&gt;What did he do? Well, last month he was photographed by a newspaper tossing more than 100 documents into bins during morning walks around St James’ Park, close to Parliament. 
Letwin admitted throwing the papers away but denied that any were sensitive.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"None of them of course were classified and none of them were papers that originated from government," &lt;/span&gt;&lt;/span&gt;he told the BBC.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;"I was walking around dictating responses and simply wanted to make sure the pieces of paper were not weighing me down."&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The documents were dated between July 27, 2010 and September 30, 2011 and contained correspondence with parliament's Intelligence and Security Committee, the body which oversees Britain's spy agencies, the newspaper report said.&lt;br /&gt;&lt;br /&gt;Others included references to the European Commission, Ministry of Defence, Home Office, Treasury and London's Metropolitan Police, it said.&lt;br /&gt;&lt;br /&gt;Letwin had ripped some of the documents in half and handed others directly to a rubbish collector, the paper said. Some had details of people living in his parliamentary district of West Dorset. The material supplied to the ICO by a &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Daily Mirror&lt;/span&gt;&lt;/span&gt; journalist revealed that the letters and emails contained the names, addresses and contact details of approximately 20 individuals. One email also included a limited amount of information relating to an individual’s recent hospital treatment.&lt;br /&gt;&lt;br /&gt;So, in disposing of his constituent’s correspondence in such a manner, he breached the Data Protection Act. &lt;br /&gt;&lt;br /&gt;His penalty? 
To sign an undertaking that he shall:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;(1) only dispose of documents containing personal data in a secure manner, such as shredding, pulping or incineration; &lt;br /&gt;&lt;br /&gt;(2) take note of, and comply with, the latest standards of data handling issued by the Cabinet Office for use in central government departments; and&lt;br /&gt;&lt;br /&gt;(3) implement such other security measures as he deems appropriate to ensure that personal data is protected against unauthorised and unlawful processing, accidental loss, destruction, and/or damage.&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I did chuckle when I read undertaking 2 – after all, as a Cabinet Office Minister, it is rubbing it in a bit to get him to undertake that he will comply with the standards that are issued by his own Office, and thus presumably under his own signature!&lt;br /&gt;&lt;br /&gt;His penalty, obviously, is also to endure no end of public ridicule, while many of us think “there but for the grace of God, go I.”&lt;br /&gt;&lt;br /&gt;But brilliant timing by the ICO – especially after my last blog, which remarked on the length of time it took the folks in Wilmslow to publicise a series of recent breaches. This time, the ICO’s enforcement team worked at the speed of greased lightning to publicise the penalty within one month of the offence actually coming to light! Mightily impressive. Well done.&lt;br /&gt;&lt;br /&gt;I wonder which politician will be next in the firing line. 
Despite the cuts to the ICO’s budget, it seems that the Commissioner will still find time to address the failings of public figures.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://uk.reuters.com/article/2011/10/14/uk-britain-letwin-idUKTRE79D2R620111014&lt;br /&gt;http://www.ico.gov.uk/news/latest_news/2011/letwin-signs-commitment-to-keep-personal-details-secure-14112011.aspx&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3548789764186255262?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3548789764186255262'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3548789764186255262'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/so-even-cabinet-office-ministers-have.html' title='So, even Cabinet Office Ministers have to comply with Cabinet Office rules, these days'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-0IsjaZpQ8ow/TsKuwQiBvDI/AAAAAAAAAnc/HcSTarVnbSY/s72-c/111115%2B-%2Bletwin.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1101142499680186941</id><published>2011-11-13T11:27:00.000-08:00</published><updated>2011-11-13T11:39:56.403-08:00</updated><title type='text'>Breach notification: What have we done to deserve this?</title><content 
type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-4WAWNGEJId4/TsAaW0L897I/AAAAAAAAAnQ/8G6NDaUfY-M/s1600/111113%2B-%2Bico%2Brelease.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 79px;" src="http://2.bp.blogspot.com/-4WAWNGEJId4/TsAaW0L897I/AAAAAAAAAnQ/8G6NDaUfY-M/s320/111113%2B-%2Bico%2Brelease.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5674564509755045810" /&gt;&lt;/a&gt;&lt;br /&gt;Each time I open the data protection press I read about yet another data breach. In fact there seem to be so many right now that it’s hard to care too greatly about many of them. Should we worry about the sad incident involving &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Rochdale Metropolitan Borough Council&lt;/span&gt;&lt;/span&gt;, whose employee, last May, lost an unencrypted memory stick containing the details of over 18,000 residents? The data included, in some cases, residents’ names and addresses, along with details of payments to and by the council. But the device did not include any bank account details. Six months later, the ICO issued a press release about the affair. &lt;br /&gt;&lt;br /&gt;Or should we worry about &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Newcastle Youth Offending Team&lt;/span&gt;&lt;/span&gt;, which managed to have an unencrypted laptop containing personal data relating to 100 young people stolen from a contractor’s home in the Northumbria area last January? Ten months later, the ICO issued a press release about the affair.&lt;br /&gt;&lt;br /&gt;Or perhaps we should worry about &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;University Hospitals Coventry &amp; Warwickshire NHS Trust&lt;/span&gt;&lt;/span&gt;, who lost records relating to the treatment of 18 patients in February and then some more patients last May. 
And the ICO’s press release was issued at the end of October. &lt;br /&gt;&lt;br /&gt;Should we worry about the breaches themselves or the time it has taken the Information Commissioner's Office to publicise the breaches? Or indeed should we worry that the vast majority of the stuff we read about relates to the public sector, rather than the private sector? &lt;br /&gt;&lt;br /&gt;I have to say that there may be a bit of special pleading here, as of course &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Communication Service Providers&lt;/span&gt;&lt;/span&gt; have been required to report breaches to the ICO for several months now, so perhaps it won’t be too long before their transgressions are more generally known, too.&lt;br /&gt;&lt;br /&gt;Should I worry myself? Well, given the fact that the breaches which the communication service providers have to report include those where no-one has been harmed, where the loss has related to encrypted information, where the breach of even a single record is sufficient to warrant a notification, and the breach can involve the accidental alteration of information, as well as the loss of information, I would expect the Commissioner’s staff to have a healthy stream of notifications through which to wade. And these notifications have to be made “without undue delay”. We are talking of weeks here, not months. So, on current form, the initial wave of ICO Press Releases could be getting drafted sometime soon. With luck, they might simply say that the Service Providers are meeting the obligations that have been imposed on them by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;SI 2011 No 1208&lt;/span&gt;&lt;/span&gt;. 
With more luck, they might say that a number of the incidents that have been notified to them were probably not intended to have been notified to them by those who drafted the initial legislation, so it hopes to hold a workshop in the new year to consider, in the light of the experience of actually operating the current mandatory personal data breach notification scheme, what it actually means and what purposes are being served. &lt;br /&gt;&lt;br /&gt;After all, if there is confusion now about what is required and who is expected to do what and when, how will the ICO manage when the mandatory breach notification process is extended to cover, say, all 300,000 UK data controllers?&lt;br /&gt;&lt;br /&gt;What has the delay, though, in the breach notification and the decision by the ICO to publicise the breach achieved? Presumably it’s given the offending party an opportunity to get its house in order, to understand the cause of the breach and an opportunity to raise a project to address the cause of the breach. So hopefully that type of breach won’t happen again. At least to that data controller, anyway.&lt;br /&gt;&lt;br /&gt;But can this actually be the case? Many of the incidents I see arise not as a result of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;technical failures&lt;/span&gt;&lt;/span&gt; (although of course systems will always encounter the odd weakness every now and again) but because individuals have not exercised the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;personal behaviours&lt;/span&gt;&lt;/span&gt; that you might wish of them. &lt;br /&gt;&lt;br /&gt;So the incident involving &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Rochdale Metropolitan Borough&lt;/span&gt;&lt;/span&gt; was obviously avoidable, as it involved the loss of an unencrypted memory stick. 
Likewise, the incident involving &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Newcastle Youth Offending Team&lt;/span&gt;&lt;/span&gt;, and the unencrypted laptop. But are we really going to be able to avoid incidents involving the inappropriate disposal of paper records (even if they relate to confidential medical information)? Such matters won’t be resolved by new IT security policies, or central controls. No, they relate to human behaviours – like which bin to dispose confidential waste in - and we’re all human, after all.&lt;br /&gt;&lt;br /&gt;And if the medical profession can’t quite master the disposal of paper copies of confidential personal files, then I dread to think what will happen when the rest of us are invited to realise just what employees of other data controllers have been up to!  &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;http://www.ico.gov.uk/news/latest_news/2011/council-lost-memory-stick-containing-18000-residents-details-03112011.aspx&lt;br /&gt;http://www.ico.gov.uk/news/latest_news/2011/youth-offenders-details-lost-on-unencrypted-laptop-28102011.aspx&lt;br /&gt;http://www.ico.gov.uk/news/latest_news/2011/patients-details-binned-on-two-occasions-27102011.aspx&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1101142499680186941?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1101142499680186941'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1101142499680186941'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/breach-notification-what-have-we-done.html' title='Breach notification: What have 
we done to deserve this?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-4WAWNGEJId4/TsAaW0L897I/AAAAAAAAAnQ/8G6NDaUfY-M/s72-c/111113%2B-%2Bico%2Brelease.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-8571999171110931839</id><published>2011-11-02T12:29:00.001-07:00</published><updated>2011-11-02T12:39:09.713-07:00</updated><title type='text'>Cloud computing – do the data protection jurisdiction problems really matter?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-_hj6mmWYWK8/TrGaQa7-s3I/AAAAAAAAAms/9RGksFC95sk/s1600/111102-clouds.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 50px;" src="http://3.bp.blogspot.com/-_hj6mmWYWK8/TrGaQa7-s3I/AAAAAAAAAms/9RGksFC95sk/s320/111102-clouds.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5670483012735644530" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Dr Julia Hornle and Kuan Hon&lt;/span&gt;&lt;/span&gt; are not very confident that all the legal problems surrounding cloud computing will be resolved in the foreseeable future. They were speaking last night at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Institute of Advanced Legal Studies&lt;/span&gt;&lt;/span&gt; at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;University of London&lt;/span&gt;&lt;/span&gt;.  
They ought to know – as they are both academics at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Centre for Commercial Law Studies at Queen Mary, University of London&lt;/span&gt;&lt;/span&gt;, and have helped write a series of papers on the underlying issues. Whether enough people in the European Commission have the time and energy to adequately address the main legal issues is far from clear.&lt;br /&gt;&lt;br /&gt;Their presentation was focused on the problems that are familiar to anyone who invents and tries to apply a new concept (in this case, cloud computing), to laws where those drafting the relevant laws had no idea that it would ever be expected to cover such matters. So what we are left with are teams of awfully clever lawyers explaining why, in certain circumstances, current laws don’t quite work (or don’t work at all). Does this really matter?  Not if you’re an anarchist. But it would be helpful if decent folk might agree on a few basic ground rules, so that no-one gets hurt. &lt;br /&gt;&lt;br /&gt;What are we talking about? In a nutshell, it’s mostly to do with what rules should apply when the different building blocks of scalable IT resources are provided from inside and outside the EEA to people inside and outside the EEA. I hope I’m not boring you yet. &lt;br /&gt;&lt;br /&gt;If you really want to get bored, you can immerse yourself in the details of the issue, which means that you have to get familiar with the concepts of who holds the user’s data and where. To add to the complexity, you can throw in issues of multiple providers; data being replicated and deleted in different centres; data being sharded, chunked or fragmented; issues where the multiple locations data was being held in were constantly changing; and our old favourites encryption issues and the use or dependence on shared resources. 
&lt;br /&gt;&lt;br /&gt;Still with it?&lt;br /&gt;&lt;br /&gt;Julia and Kuan pointed to examples where EC data protection laws applied to different providers differently in different jurisdictions, as Member States occasionally interpreted the terms “establishment”, “context”, “use of equipment” and “transit” in different ways, depending on whether they wanted to attract cloud providers (which is what the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;French&lt;/span&gt;&lt;/span&gt; appear to want to do) or deter cloud providers (which is what at least one &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;German Lander&lt;/span&gt;&lt;/span&gt; appears to want to do).&lt;br /&gt;&lt;br /&gt;I won’t get any more technical – I promise.&lt;br /&gt;&lt;br /&gt;But is there a relatively sensible way to unravel the complexity or fill in the gaps in the legislative drafting?&lt;br /&gt;&lt;br /&gt;Julia and Kuan think there is, and suggested that some of the Article 29 Working Party’s ideas might work. These ideas follow the principles that the Commission has developed when regulating consumer contracts (ie when a consumer buys a product or service in one Member State for consumption in another Member State) or, say, in trademark infringement actions.&lt;br /&gt;&lt;br /&gt;On the other hand, more commentators are thinking that it’s not the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;location&lt;/span&gt;&lt;/span&gt; of the data which is the key issue. After all, even if it’s all agreed in a contract with a cloud provider, how many people in their right minds are really ever going to read that contract, or know whether any of the parties are always adhering to that contract? 
There is more to life than contracts.&lt;br /&gt;&lt;br /&gt;No, the real answer probably lies in &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;encryption&lt;/span&gt;&lt;/span&gt;.  What really matters is who can access the data in an intelligible form. If the encryption were strong enough, the data could be safe anywhere. What we really need to concentrate on is understanding whether the cloud provider can get at the data, and who can force the cloud provider to get at the data.&lt;br /&gt;&lt;br /&gt;So, the lawyers will continue to comment on the limitations and adequacy of the current legal regimes for so long as clients have money to offer them.  &lt;br /&gt; &lt;br /&gt;And EEA Member States will continue to embark on their shrill campaign against (basically) American cloud providers, whose Patriot Act obligations occasionally cause people to wince.  Does the location of the data really matter anymore?  Not really. Let’s encourage the European Commission to focus on issues of security accountability and transparency instead. &lt;br /&gt;&lt;br /&gt;Finally, Julia and Kuan commended the European lawmakers to adopt an awfully European negotiating line in this “phony war” against non EEA based cloud providers. 
The Commission should take a broader view, and cave in quietly, while protesting loudly, about these really tricky location/transborder data flow issues.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.cloudlegal.ccls.qmul.ac.uk/Events/items/53050.html&lt;br /&gt;http://www.cloudlegal.ccls.qmul.ac.uk/Research/index.html&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-8571999171110931839?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8571999171110931839'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/8571999171110931839'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/11/cloud-computing-do-data-protection.html' title='Cloud computing – do the data protection jurisdiction problems really matter?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-_hj6mmWYWK8/TrGaQa7-s3I/AAAAAAAAAms/9RGksFC95sk/s72-c/111102-clouds.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-67785777583611506</id><published>2011-10-31T15:24:00.000-07:00</published><updated>2011-11-01T05:45:35.605-07:00</updated><title type='text'>Why the Commission sometimes drafts in Eurobabble and Gobbledegook</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) 
{}" href="http://2.bp.blogspot.com/-VbOEbFMpeT0/Tq8gVwRBDfI/AAAAAAAAAmg/UxzQXJvltT0/s1600/111101%2B-%2Bsharpston%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 218px; height: 300px;" src="http://2.bp.blogspot.com/-VbOEbFMpeT0/Tq8gVwRBDfI/AAAAAAAAAmg/UxzQXJvltT0/s320/111101%2B-%2Bsharpston%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5669786013988359666" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Elanor Sharpston QC&lt;/span&gt;&lt;/span&gt; was on great form tonight. By day she’s the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;UK Advocate General at the Court of Justice of the European Communities&lt;/span&gt;&lt;/span&gt;. And tonight she was at the University of London, delivering the Sir William Dale memorial lecture, explaining why European Commission Directives and Regulations sometimes attract some fairly heavyweight drafting criticism.  We need to understand how the process works, she explained – and she started by praising the Commission for its official guidance on drafting, complete with 23 guidelines with examples of good and bad drafting. It's a good document. Full of common sense.&lt;br /&gt;&lt;br /&gt;But the problems start when we ask ourselves who it is who is doing the drafting. After all, the working language of the first drafts of the Commission Documents is usually French and English – great for the Brits and the French, but not so great for some poor Hungarian or Slovak official, who could be trying to draft the initial text in their second – or  third – language, rather than their mother tongue. These linguistic difficulties really can’t be underestimated.  &lt;br /&gt; &lt;br /&gt;Next, when the drafts are considered by the politicians and the negotiators the problems continue. After all, many negotiators have very different starting points. 
Some negotiators don’t really want the legislation or are ambivalent about the proposed measure as they already have domestic legislation which is something like what they think the Commission proposal is going to achieve. On top of this, representatives of the Member States may well have different perceptions of the meaning of the text under consideration. There can be a difference between perception, text and reality. Sometimes the built in assumptions are different between people who interpret the text. What is obvious to one party may also be obvious to the other side. But what is “black” to one side could easily be “white” to the other. Eventually the political negotiators will ask their legal teams for a legal view on suggested revisions to the text – but sometimes that view is only sought when the textual revisions have actually been accepted. &lt;br /&gt;&lt;br /&gt;Elanor also noted that texts sometimes had ambiguous terms simply because that was the only way to get a majority support for the document. While the golden rule was, of course, that terms should be unambiguous (and all the major terms ought to be defined), it was not unknown for the Commission to propose something that didn’t make complete sense, but enough of it made enough sense for it to have some value when implemented.&lt;br /&gt;&lt;br /&gt;And then, the Commission has to issue an equally authentic translation of the final text to the 27 Member States in each of the 23 Community languages. &lt;br /&gt;&lt;br /&gt;In most cases, the legislation is finally agreed and is generally workable. But, if the text is ambiguous or unclear, a lawyer will eventually litigate and a national court will make a reference to Elanor’s court to ask what the text actually means. Sometimes, her court will refer to the legislative history of the instrument to see if any relevant statements were made by negotiators during the different sets of discussions on the text. 
At other times, her court will try to comprehend the different translations of the instrument, to see if a majority of them see the concept under dispute in a particular way. Other times, they’ll just make it up themselves. But her court has never been undermined by a Member State refusing to accept her court’s interpretation. Nor has any Member State ever tried to amend an ambiguous term in an existing Directive so that it ceases to mean what her court decided it meant. &lt;br /&gt;  &lt;br /&gt;Elanor did make the point that her court does not relish this responsibility, and would really prefer it if the politicians, who have the necessary democratic accountability, had actually made the relevant terms unambiguous.&lt;br /&gt;&lt;br /&gt;Very wisely, Elanor declined to say too much more about the defects that are inherent in EC legislation. She simply reminded us of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Count Otto Von Bismarck’s&lt;/span&gt;&lt;/span&gt; view that if you like laws and sausages, you should never watch either being made.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-67785777583611506?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/67785777583611506'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/67785777583611506'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/why-commission-sometimes-drafts.html' title='Why the Commission sometimes drafts in Eurobabble and Gobbledegook'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' 
width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-VbOEbFMpeT0/Tq8gVwRBDfI/AAAAAAAAAmg/UxzQXJvltT0/s72-c/111101%2B-%2Bsharpston%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2755357787259938419</id><published>2011-10-30T05:27:00.000-07:00</published><updated>2011-10-30T05:47:41.057-07:00</updated><title type='text'>Communications Data Retention: the public debate resumes</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-yfTBDLuJ1rc/Tq1DYfJ359I/AAAAAAAAAmU/qMybnEK5BdM/s1600/111030%2B-%2Bretention.png"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 297px; height: 320px;" src="http://4.bp.blogspot.com/-yfTBDLuJ1rc/Tq1DYfJ359I/AAAAAAAAAmU/qMybnEK5BdM/s320/111030%2B-%2Bretention.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5669261593888155602" /&gt;&lt;/a&gt;&lt;br /&gt;Here we go again. Reports are emerging of politicians seeking to change the current EC data retention regime. What do they want? The retention of more types of records. And who should be doing this retention? Ah, that’s the interesting bit, as some are now proposing that it should be content providers (eg the likes of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Google, Yahoo!, Twitter and Facebook&lt;/span&gt;)&lt;/span&gt; rather than internet service providers (ie the folks whose pipes are simply used to access this content).&lt;br /&gt;&lt;br /&gt;Back in 2006, the Data Retention Directive made it a requirement for telecoms companies to retain information about communications records for a period determined by national governments of between six months and two years. 
Not every EC Member State has yet implemented this Directive – but while there has been talk of the Commission issuing infraction proceedings against the laggards, to be honest with you I have not read a single word of criticism from the relevant law enforcement agencies complaining at their inability to do their job properly because that measure had not yet been implemented in that Member State. Perhaps this means that no-one cares about the lack of enforcement of a retention standard that is pretty irrelevant in those countries. Perhaps, in those countries, their own domestic policing techniques work perfectly well without this retention rule. And if that is the case, then presumably they won’t take much advantage of the newly retained data anyway, as they have not really needed it in the past.&lt;br /&gt;&lt;br /&gt;The new rules are designed to recognise reality, which is that people use the internet to browse websites, as well as make communications. And it’s this internet browsing behaviour that some politicians now seek to track. &lt;br /&gt;&lt;br /&gt;There could be pretty intensive discussions ahead, and I would expect the usual suspects to gather around the usual tables to develop credible responses to the usual questions.&lt;br /&gt; &lt;br /&gt;These questions include, let’s not forget:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;If the new rules are really to apply to internet browsing, and people use all manner of different communication service providers to do the browsing, then wouldn’t it be better for the new rules to apply to the provider of the service people are actually using  - eg Facebook, Twitter or Google?&lt;/span&gt;&lt;/span&gt; After all, the whole point of mobile devices, such as iPads and smart phones, is to enable users to log onto their Facebook site from any hotspot or their provider’s mobile cell site. 
So the hotspot or mobile providers will only ever have just part of the complete picture. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;What information should be retained and how helpful will this really be to law enforcers?&lt;/span&gt;&lt;/span&gt; The current (UK) rules prevent content records from being retained, and these, as far as Parliament is concerned, are records which go past the first slash of an internet address. So, a traffic record is www.facebook.com. This is not a lot of help to investigators who want to know just what on Facebook a user tried to do. They want more of the web log – but that brings us past the line of what is traffic and what is content. &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;For how long should these records be retained?&lt;/span&gt;&lt;/span&gt; All the solution providers are interested in this point, because their public service contracts are drying up so they are ever keener to sell technologies capable of searching huge databases to companies in the private sector.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;What else will the private sector companies be allowed to do with the retained information?&lt;/span&gt;&lt;/span&gt;  And who will be making sure that there won’t be any sneaky stuff going on?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;How many more criminals is this initiative likely to deter, or even catch? And, how much will this initiative cost?&lt;/span&gt;&lt;/span&gt; The deterrence, prosecution and cost questions are actually important – not because I want to wade into the “who pays” argument, but because we need to look at the “utility” argument.  
What I mean is whether the substantial investment that will be required to deliver this initiative might not be better spent in another area of law enforcement. In the UK, police budgets are under severe pressure for the foreseeable future. Could the money be better spent on more fuel, to enable more police cars to drive more miles each week? Or could the money be better spent on more training, to enable more law enforcement investigators to better analyse and react on the information that phone and internet service providers already have? If they can’t cope with what is currently available, is it strictly necessary for them to be drowned by a tsunami of even more stuff?&lt;br /&gt;&lt;br /&gt;The biggest question, though, is simply &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Why bother?&lt;/span&gt;&lt;/span&gt; On the back of a recent high profile murder trial, resulting in the successful conviction of an individual at Bristol Crown Court, I’ve read press reports that very clearly indicate what internet activity the offender had been engaged in, both in the UK and while they were abroad. Enough records were evidently available to give the investigators a very clear picture of what this person had been up to. So, if that’s the case under the current regime, where is the pressing need to change things?&lt;br /&gt;&lt;br /&gt;I do hope someone will state this case quite forcibly.&lt;br /&gt;&lt;br /&gt;I can certainly see why Governments in various African and Middle Eastern countries are very keen to know what their citizens are up to when they use &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Facebook, YouTube or Twitter&lt;/span&gt;.&lt;/span&gt; And I can understand the lengths the providers are going to in order to protect the identities of their users, to prevent them from unfortunate consequences, or visits from representatives of the national authorities. 
But as users (and content providers) develop ever more clever encryption techniques to evade these authorities, it won’t be that long before those very same techniques are used in EC Member states too. And whose benefit would that really serve? Probably not the EC law enforcers – nor the EC service providers. No-one really wants to be forced to retain huge amounts of information they can’t access or can’t understand.&lt;br /&gt;&lt;br /&gt;Let’s hope that pragmatism will be permitted to prevail – eventually. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://www.out-law.com/en/articles/2011/october/details-of-all-internet-traffic-should-be-logged-mep-says/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2755357787259938419?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2755357787259938419'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2755357787259938419'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/communications-data-retention-public.html' title='Communications Data Retention: the public debate resumes'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-yfTBDLuJ1rc/Tq1DYfJ359I/AAAAAAAAAmU/qMybnEK5BdM/s72-c/111030%2B-%2Bretention.png' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-43291801914073709</id><published>2011-10-23T09:11:00.001-07:00</published><updated>2011-10-23T09:33:29.148-07:00</updated><title type='text'>Privacy icons and privacy nudges – how do we leave the world of the ubergeek?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-NO9ue-_F-ls/TqQ8xKtckVI/AAAAAAAAAmI/CJ8RxUZa1Ek/s1600/111013%2B-%2Bcups.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 113px; height: 320px;" src="http://3.bp.blogspot.com/-NO9ue-_F-ls/TqQ8xKtckVI/AAAAAAAAAmI/CJ8RxUZa1Ek/s320/111013%2B-%2Bcups.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5666721046525153618" /&gt;&lt;/a&gt;&lt;br /&gt;One of the most thought provoking presentations on privacy I’ve seen in many weeks was delivered by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Patrick Gage Kelly&lt;/span&gt;&lt;/span&gt; last Tuesday. He was speaking at a privacy workshop organised by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;GSM Association&lt;/span&gt;&lt;/span&gt; in Central London, and is currently involved with a considerable amount of academic research that’s ongoing at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Carnegie Mellon University&lt;/span&gt;&lt;/span&gt;, which has established the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;CyLab Usable Privacy and Security Laboratory&lt;/span&gt;&lt;/span&gt;. This lab brings together researchers working on a diverse set of projects related to understanding and improving the usability of privacy and security software and systems. 
The researchers employ a combination of three high-level strategies to make secure systems more usable: building systems that "just work" without involving humans in security-critical functions; making secure systems intuitive and easy to use; and teaching humans how to perform security-critical tasks.&lt;br /&gt;&lt;br /&gt;Let’s get this straight. Patrick is not an ubergeek. He is determined, however, to ensure that privacy does not become an issue controlled only by ubergeeks, as it’s clear that when they are in charge, the rest of us can have little idea of what’s going on, and can’t make proper choices about how we would like our personal information to be used.  And, for the most part, we can’t make these proper choices because those designing privacy systems make the choice mechanisms fiendishly difficult to operate.&lt;br /&gt;&lt;br /&gt;To give us an example, Patrick tore into the privacy dashboard that has been built into the new online behavioural advertising initiative, started in the USA and currently being rolled out in Europe.  I blogged about this on 4 September. Patrick made the point that unless users actually understood the choices that were presented to them, and actually knew where to look on the screens to find the right drop down menus to click the right bits to register their objections, then the opt-out mechanism was somewhat limited in terms of privacy protection. Perhaps this is why the current opt-out rate is low. When I say low, the figure of .0002%  (based on ads shown to users) was mentioned by the person who runs &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Evidon&lt;/span&gt;&lt;/span&gt;, the solution provider behind the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Advertising Option Icon&lt;/span&gt;&lt;/span&gt; initiative.  It was a great pity that the Evidon representative was not able to refute the quite troubling points that Patrick raised. 
He had left the building just before Patrick rose to speak. But he did know what Patrick was going to say. Evidently, he had heard Patrick speak before. &lt;br /&gt;&lt;br /&gt;Given that some users are now being served some 1,100 ads per week by Google as they surf the internet, an opt out rate as low as .0002% is mighty impressive. Those promoting the scheme see the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Advertising Option Icon&lt;/span&gt;&lt;/span&gt; initiative, with its ways to change preference management sessions so they can alter what the ad provider thinks of them, as the ultimate cookie. Is this the data protection equivalent of the mythical ring in &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Tolkien’s&lt;/span&gt;&lt;/span&gt; famous saga? Have we found the one cookie to rule them all?&lt;br /&gt;&lt;br /&gt;Patrick was not so sure. As far as he was concerned, users wanted protections that didn't break things. Too often, one set of configurations simply messes up existing services. How often, for example, do we need to reconfigure the “pop up blocker” on our laptops so that a favoured website can work as originally designed? Apparently, users have found that the:&lt;br /&gt;• privacy tools they are presented with are usually hard to understand and configure;&lt;br /&gt;• privacy terminology is confusing, as people simply aren’t familiar with these concepts; and &lt;br /&gt;• privacy tools provide little or no feedback, which leads many to think they may have configured the tools to block trackers, when they actually hadn’t.&lt;br /&gt;&lt;br /&gt;Patrick’s main point was that privacy nudges are really hard to incorporate in the privacy sphere, as their purpose is usually to use soft determinism techniques and psychological biases to nudge users in a direction that is considered to be beneficial. But what is beneficial in the privacy sphere? 
And how should this be expressed to the user? &lt;br /&gt;&lt;br /&gt;It can’t be the case that it is always better to safeguard our privacy. If that were the case, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Facebook&lt;/span&gt;&lt;/span&gt; would close down tomorrow. The whole point of the exercise is that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Facebook&lt;/span&gt;&lt;/span&gt; is an outstanding example of self-promotion. People love it because in this new world, we are all celebrities (of various degrees). But a well designed &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Facebook&lt;/span&gt;&lt;/span&gt; privacy nudge might work if, as well as being given the standard options of whether users wanted to share stuff with their friends, or their friends and their friends, users were given the total number of friends and the friends of friends – so the user could appreciate just how many people would be capable of seeing it.  Will &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Facebook &lt;/span&gt;&lt;/span&gt;take up this idea? Well, they just might. They haven’t said no, yet.&lt;br /&gt;&lt;br /&gt;And, whether the protesters like it or not, targeted advertising at least serves to offer material to a device user that may be more, rather than less, relevant to their recent interests (as expressed through their browsing behaviour).&lt;br /&gt;&lt;br /&gt;So where should we go from here?&lt;br /&gt;&lt;br /&gt;We certainly shouldn’t give up – but we should redouble our efforts to dumb down privacy notices. Context matters, not long legalistic documents that simply protect a data controller. 
Controllers should try to make their privacy labelling clearer – and should take great care not to use colours and symbols that are associated with good and bad connotations - this is simply likely to scare people, when one choice can actually be just as valid as another choice, so long as the user appreciates the consequences of their choice.&lt;br /&gt;&lt;br /&gt;And we shouldn’t give up on the Advertising Option Icon concept – but we really ought to make privacy choices easier for the likes of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Homer Simpson&lt;/span&gt;&lt;/span&gt;, rather than &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Albert Einstein&lt;/span&gt;&lt;/span&gt;, to understand and use.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://cups.cs.cmu.edu/#news&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-43291801914073709?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/43291801914073709'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/43291801914073709'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/privacy-icons-and-privacy-nudges-how-do.html' title='Privacy icons and privacy nudges – how do we leave the world of the ubergeek?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail 
xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-NO9ue-_F-ls/TqQ8xKtckVI/AAAAAAAAAmI/CJ8RxUZa1Ek/s72-c/111013%2B-%2Bcups.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4202120634186308621</id><published>2011-10-16T05:42:00.000-07:00</published><updated>2011-10-16T06:15:39.182-07:00</updated><title type='text'>How should our use of the internet be controlled?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-KSnbBoF60II/TprRfAtnCOI/AAAAAAAAAl8/k2jPZbOCrbA/s1600/111016%2B-%2Binternet%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 314px;" src="http://4.bp.blogspot.com/-KSnbBoF60II/TprRfAtnCOI/AAAAAAAAAl8/k2jPZbOCrbA/s320/111016%2B-%2Binternet%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5664069812069271778" /&gt;&lt;/a&gt;&lt;br /&gt;We’ve all recently witnessed massive changes in the way we use the internet. &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“People use Facebook to plan before the revolution, Twitter to organise on the day, and then You Tube to show what happened to the world.”&lt;/span&gt;&lt;/span&gt; That was what &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Dave Coplin, Microsoft's Director of Search, Advertising &amp; Online&lt;/span&gt;&lt;/span&gt;, had to say about its importance at last Thursday’s &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Parliament and the Internet Conference&lt;/span&gt;&lt;/span&gt;. This is why the more sensible nations will be thinking very carefully before demanding that any of these services are disconnected, should there be any more instances of civil unrest.&lt;br /&gt; &lt;br /&gt;This does not mean that the internet will become a virtual Wild West, though. 
As &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Detlef Eckert, Director of Policy Coordination and Strategy in the FG Information Society and Media of the European Commission&lt;/span&gt;&lt;/span&gt; commented during his presentation, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;“It's not just a deregulated telecoms structure. It needs to be regulated to be civilised.”&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;How it can be regulated though, and how civilised you really want to get it, is a very difficult question to answer. &lt;br /&gt;&lt;br /&gt;Other speakers were not too optimistic about the future of the way the internet will be governed. Some of them had just returned from the annual Internet Governance Forum, held this time in Nairobi, and were thinking of the themes that were likely to be debated during the next Forum meeting, which will be in Baku next year. Is it really necessary to travel to such places to consider such issues? Yes it is – Europe only represents some 23% of internet traffic, Asia has 44% of the traffic and it will continue to dominate. There may be no agreement on how to tackle this global problem, but that does not necessarily mean that European nations will be able to punch above their weight when the debates are held. The latest wheeze, apparently, could be for a new United Nations-sponsored organisation to sit above the current Internet Governance Forum.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Lesley Cowley, Nominet's CEO&lt;/span&gt;&lt;/span&gt;, was not convinced that such a plan would necessarily be a brilliant idea. 
The more UN oversight bodies there are, the greater will be the pressure from various stakeholders to bring more decision-making within the sphere of Member States, and this could lead to less reliance on obtaining advice and, critically, experience, from the key companies who are likely to have a far better appreciation of the consequences of policies that are developed by people with little experience in actually implementing them. &lt;br /&gt;&lt;br /&gt;Does this matter? I think it does – no-one wants to be faced with the unenviable task of being required to implement legislation which is either contradictory, open to a wide variety of interpretation, or out of kilter with common sense. And surely, no-one wants to be regulated by officials from countries where human rights are less well observed than they are in the EU. But hey, ho. Let’s see what happens.&lt;br /&gt;&lt;br /&gt;The other key takeaway from last Thursday's conference, from my perspective, was the view, from several commentators, that mobile commerce in Europe remains in its infancy. In other parts of the world, it’s taken off at a much faster pace. South Korean commuters, in some metro stations, see posters on walls that allow them to choose items, pay for them and have them delivered and waiting for them when they get home. Some retail clothes chains have webcams in the fitting areas that enable the wearer to take and post pictures on their Facebook site so their friends can comment on how the garment suits them (and perhaps also to tell them whether their bum looks too big in it).&lt;br /&gt;&lt;br /&gt;Within Europe, though, there are still some huge problems to be overcome if there really is to be a single market for digital goods. Currently, only a small percentage of people purchase physical or digital products from another country. 
It’s hard to imagine that the percentage will increase significantly until the different copyright management, liability, sales law, and data protection regimes are more closely aligned. And it’s hard to imagine that such changes will take place any time soon. And it’s extremely hard, if not impossible, to expect smaller businesses to be capable of understanding all the laws when, thanks to the internet, they could be trading in 150 countries.&lt;br /&gt;&lt;br /&gt;A few commentators very briefly mentioned the likely changes to Data Protection legislation, but no-one had anything really significant to say. &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Allen, Facebook's Director of EU Policy,&lt;/span&gt;&lt;/span&gt; made the point that it was obviously necessary for a revised EU data protection directive to move away from the premise that what was required was an instrument to regulate the way large organisations held data on citizens. In the new world, we are all both data subjects and data controllers, and it's a much more complex environment. Richard did make the point quite forcibly that the current models which finance internet content don’t fit neatly with EU regulations.  
It is increasingly impractical to put advertising and marketing into a separate box from internet content, so to speak, and it will be interesting to see just how this debate plays out.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4202120634186308621?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4202120634186308621'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4202120634186308621'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/how-should-our-use-of-internet-be.html' title='How should our use of the internet be controlled?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-KSnbBoF60II/TprRfAtnCOI/AAAAAAAAAl8/k2jPZbOCrbA/s72-c/111016%2B-%2Binternet%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7946396193989275865</id><published>2011-10-09T07:15:00.000-07:00</published><updated>2011-10-09T07:48:45.849-07:00</updated><title type='text'>Does the Commission actually have the authority to make a data protection regulation?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-R-YArCjSQoQ/TpGsu1wSVgI/AAAAAAAAAl0/KrRL-6zUpoQ/s1600/111009%2B-%2Bnaughty%2Bbits.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 
0;cursor:pointer; cursor:hand;width: 247px; height: 246px;" src="http://1.bp.blogspot.com/-R-YArCjSQoQ/TpGsu1wSVgI/AAAAAAAAAl0/KrRL-6zUpoQ/s320/111009%2B-%2Bnaughty%2Bbits.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5661496127284991490" /&gt;&lt;/a&gt;&lt;br /&gt;Friends at dinner last night began a debate on whether the European Commission actually had a right to make changes to the current data protection directive by means of a regulation. Some of what they had to say was quite interesting, and repeatable, so I thought I should make some notes.&lt;br /&gt;&lt;br /&gt;The debate was sparked off as we were about to see &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;No Naughty Bits&lt;/span&gt;&lt;/span&gt;, a wonderful new comedy by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Steve Thompson&lt;/span&gt;&lt;/span&gt; at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hampstead Theatre&lt;/span&gt;&lt;/span&gt;. It followed the adventures of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Michael Palin and Terry Gilliam&lt;/span&gt;&lt;/span&gt; as they travelled to New York in December 1975 to take on the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;ABC&lt;/span&gt;&lt;/span&gt; television channel – who had recently broadcast&lt;span style="font-weight:bold;"&gt; &lt;span style="font-style:italic;"&gt;Monty Python’s Flying Circus&lt;/span&gt;&lt;/span&gt; coast-to-coast, but without all the naughty bits. A court case followed. The play’s themes included freedom of expression and artistic integrity. We learnt about the nature of comedy, the operation of censorship and the misunderstanding of the Anglo-American relationship.  
&lt;br /&gt; &lt;br /&gt;Sitting right behind me in the theatre was a comic from that era, the great &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Ronnie Corbett&lt;/span&gt;&lt;/span&gt;, who also found the play very funny – but that’s another story.&lt;br /&gt;&lt;br /&gt;Anyway, we got onto this subject at the dinner table because I had pointed out the links between the ABC’s desire to make changes to a copyright work that they had only obtained a licence to broadcast, and a Commission desire to make changes to the data protection directive – and that both felt the changes were to be non-negotiable.&lt;br /&gt;&lt;br /&gt;Ultimately, I suspect, this matter will be decided by the courts. Certainly not by us mere mortals having dinner in Hampstead last night. But, before the legal superstars weigh in (and before the mighty &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Chris Pounder&lt;/span&gt;&lt;/span&gt; opines on the subject in one of his &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hawktalk&lt;/span&gt;&lt;/span&gt; blogs), I thought I would outline some of the arguments that are likely to be repeated for some time.&lt;br /&gt;&lt;br /&gt;Starting at the basics (and with a suitable acknowledgement to Wikipedia) the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Subsidiarity principle&lt;/span&gt;&lt;/span&gt; was established in EU law by the Treaty of Maastricht, and entered into force in November 1993. In very general terms, matters ought to be handled by the smallest, lowest or least centralised competent authority &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;(the close to the citizen criterion)&lt;/span&gt;&lt;/span&gt;. 
However, the European Commission may intervene when its actions:&lt;br /&gt;&lt;br /&gt;• are necessary because actions of individuals or member-state governments alone will not achieve the objectives of the action &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;(the sufficiency criterion)&lt;/span&gt;&lt;/span&gt;;&lt;br /&gt;• are necessary to bring added value over and above what could be achieved by individual or member-state government action alone &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;(the benefit criterion)&lt;/span&gt;&lt;/span&gt;; and&lt;br /&gt;• will secure greater freedoms for the individual &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;(the autonomy criterion)&lt;/span&gt;&lt;/span&gt;.&lt;br /&gt;&lt;br /&gt;So, the critical question is about whether this test can be successfully applied in the case of the data protection directive. I think it’s a very high threshold.&lt;br /&gt;&lt;br /&gt;Counsel for the Commission are likely to argue that:&lt;br /&gt;&lt;br /&gt;• The right to personal data protection is a fundamental European right.&lt;br /&gt;• Transborder data flows mean it’s hard for Member States acting by themselves to safeguard individual’s rights.&lt;br /&gt;• European citizens presumably need to enjoy the same level of rights wherever they are in the EU (no more or no less). &lt;br /&gt;• Member States have not been particularly good at co-operating with each other and creating uniform data protection standards.&lt;br /&gt;• It’s unlikely that they’ll be capable of greater co-operation in the foreseeable future. 
&lt;br /&gt;• Current EU laws don’t appear to be particularly effective at ensuring the problems in the existing data protection framework will be reduced.&lt;br /&gt;• A regulation is necessary because data protection issues affect a whole bunch of other legal rights that European citizens ought to enjoy, including:&lt;br /&gt;-  Respect for private life&lt;br /&gt;-  Freedom of expression&lt;br /&gt;-  Freedom to conduct a business&lt;br /&gt;-  Right to property&lt;br /&gt;-  Right to non-discrimination&lt;br /&gt;-  Right of the child&lt;br /&gt;-  Right to an effective remedy and a fair trial.&lt;br /&gt;&lt;br /&gt;On the other hand, Counsel for those who oppose a regulation are likely to argue that:&lt;br /&gt;&lt;br /&gt;• The global nature of data flows is such that European-wide laws are likely to offer a very limited degree of additional protection for individuals. It ignores the fact that regulation in this area is likely to work only if it’s global in nature, rather than regional.&lt;br /&gt;• The “damage” done to individual citizens as a result of current laws is actually quite small, and there is no pressing case to suggest that any damage to a citizen’s legitimate privacy interests would be significantly reduced by means of a regulation.&lt;br /&gt;• Citizens in different Member States enjoy and expect different degrees of privacy. What is perfectly acceptable in one Member State is unacceptable in another (hence the argument for censorship of the Monty Python television programmes in America).&lt;br /&gt;• There is no significant evidence that many citizens in different Member States actually care that the privacy laws are different in other Member States. 
Many people find it quaint that they live in different communities which share different values.&lt;br /&gt;• Some Member States will find it unacceptable that this type of “social legislation” is foisted upon them and their citizens, as it represents a significant shift in legislative autonomy from the State to the Commission.&lt;br /&gt;• The Commission ought to be prevented from micro-managing individuals’ lives. &lt;br /&gt;&lt;br /&gt;I expect this discussion to carry on for some time.  And I am looking forward to taking part in it, and seeing how it concludes.  &lt;br /&gt;&lt;span style="font-style:italic;"&gt;&lt;br /&gt;Image credit:&lt;/span&gt;&lt;br /&gt;Those who have seen, or will see, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;No Naughty Bits&lt;/span&gt;&lt;/span&gt; at the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hampstead Theatre&lt;/span&gt;&lt;/span&gt;, will certainly recognise it.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7946396193989275865?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7946396193989275865'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7946396193989275865'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/does-commission-actually-have-authority.html' title='Does the Commission actually have the authority to make a data protection regulation?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' 
src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-R-YArCjSQoQ/TpGsu1wSVgI/AAAAAAAAAl0/KrRL-6zUpoQ/s72-c/111009%2B-%2Bnaughty%2Bbits.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1798508574066696789</id><published>2011-10-08T01:22:00.001-07:00</published><updated>2011-10-08T01:49:58.626-07:00</updated><title type='text'>The Commission’s dilemma about a new data protection directive</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-nHUk1j17-ho/TpAIY8VtUZI/AAAAAAAAAls/qj9GmYY3UpI/s1600/111007%2B-%2BEC%2Bworking%2Bdocument.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 274px; height: 320px;" src="http://3.bp.blogspot.com/-nHUk1j17-ho/TpAIY8VtUZI/AAAAAAAAAls/qj9GmYY3UpI/s320/111007%2B-%2BEC%2Bworking%2Bdocument.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5661033956211773842" /&gt;&lt;/a&gt;&lt;br /&gt;I’ve just finished reading a sensational document. It’s not probably designed for general publication, so I won’t post it anywhere on the internet. It does not carry any private or confidential markings, though, so I don’t think that I’m breaching any national or international secrets by blogging about it. And I’m only going to quote 140 words from it in this blog. I understand it to be a candid document written for members of the Commission staff reviewing the comments that have been received following the consultation exercise on amending the data protection directive. The direction of travel for the Commission is set out in a range of policy options. 
But the most interesting comments appear in a frank assessment of the political dimension of these options.&lt;br /&gt;&lt;br /&gt;I can now understand why it’s going to take until next February to publish their proposals – as first the Commission needs to consider very carefully which block of opinion formers it wants to side with, and which block it can afford, politically, to overrule.&lt;br /&gt;&lt;br /&gt;The 72 page document first very cleverly sets out four problems that currently exist and have arguably become more serious over the years. After all, thanks to the wonders of the internet, greater numbers of people are blogging, posting images on the internet, and generally acting in ways which indicate that they are oblivious to the concept of fundamental rights and freedoms of others. This increasingly results in:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;• Difficulties for individuals to exercise their data protection rights effectively;&lt;br /&gt;• Legal uncertainty, unnecessary costs and administrative burden for data controllers operating in the EC;&lt;br /&gt;• Loopholes in the protection of personal data in the field of police and judicial co-operation in criminal matters and inconsistency of the rules;&lt;br /&gt;• Weak and inconsistent enforcement of data protection rules.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;This analysis, set out over 14 pages, is really good, solid stuff, as each of the four problems is analysed in some detail. The text identifies the drivers of each problem, who is affected and also to what extent.&lt;br /&gt;&lt;br /&gt;The analysis then tries some crystal ball gazing, and makes a series of predictions as to what might happen if nothing were done to address these problems. Some of these predictions might be challenged by people who get to see the document. 
I think they probably need to be challenged and earnestly debated, as the Commission’s proposals on how to amend the directive depend, to a significant extent, on whether the assessment of what would happen if nothing were to be done is actually credible. It is also really important to test these predictions if the Commission wants to make a case for ignoring the general concept of subsidiarity (ie allowing rules to be implemented at the level of the Nation State rather than the Community Level). If there is a case to be made for implementing change by means of a Regulation, rather than a Directive, surely this can only happen if Member States can’t be trusted to make the right changes themselves, and if the predicted outcomes really are dire.&lt;br /&gt;&lt;br /&gt;The document authors then get a bit bolder, and set out their policy objectives, the purpose of amending the current data protection directive,  in terms of four general objectives, nine specific objectives, and 18 operational objectives.&lt;br /&gt;&lt;br /&gt;The document authors then create three quite detailed options to meet some, most, or all of these objectives. And then the real fun begins, as the paper analyses the impacts of these options. The analysis includes an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial &amp; economic impacts, social impacts, impact on fundamental rights and their impact on simplification.&lt;br /&gt;&lt;br /&gt;Using a rough and ready (and unweighted) marking system, one of the three options as presented appears to be significantly less attractive than the other two. &lt;br /&gt;&lt;br /&gt;And of these remaining two, it is clear that there are real political hurdles to overcome if either is to be adopted. 
One option is assessed at medium risk of political feasibility / acceptability: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Member States are likely not to welcome increased harmonisation and the reduction of their room of manoeuvre. The European Parliament is, on the contrary, likely to welcome an ambitious proposal, both enhancing individuals’ rights and the internal market dimension of data protection. Private stakeholders/businesses will also welcome more harmonisation/reduction of administrative burden.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The other option is considered at low risk of political feasibility / acceptability: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;It’s a very cleverly written paper. Full of common sense, but it is not clear who ought, in a democratic society, to be given the honour of deciding whether any of these options, or indeed a different option, should be presented to the European Parliament. Don’t say&lt;span style="font-style:italic;"&gt; “and this is why we have Commissioners”&lt;/span&gt;, as I can’t remember the names of many of them and have forgotten just how (and why) they were appointed to their respective roles. &lt;br /&gt; &lt;br /&gt;Initial decisions on the future direction of the Directive, which include the concept of making people more accountable when they process other people's personal information, appear to have to be taken by people who aren’t that accountable themselves.&lt;br /&gt;&lt;br /&gt;So, there is an awful lot more work that needs to be done. And the decisions are, to some extent, overshadowed by decisions that are being taken on the European economic front. 
As some EC Member States work ever more closely together to support the Euro, so their financial systems will converge. But Member States whose currency is not the Euro will want to take steps to run their own financial systems in ways that best support the interest of their own currencies.&lt;br /&gt;&lt;br /&gt;Using a similar analogy, will Member States that wish to remain outside the Euro zone necessarily accept such a convergence of data protection laws? Or will they take steps to ensure that their data protection laws best support the interests of their own data controllers?&lt;br /&gt;&lt;br /&gt;Time will tell.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Image credit:&lt;/span&gt;&lt;br /&gt;This is not a joke. This is part of the cover page of the document I’ve been reading. Wait for your copy to be posted somewhere on the internet, so that you can download it yourself. I guess those folk at &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Privacy International&lt;/span&gt;&lt;/span&gt; will be trying hard to locate a copy and get it up there before anyone else does.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1798508574066696789?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1798508574066696789'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1798508574066696789'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/commissions-dilemma-about-new-data.html' title='The Commission’s dilemma about a new data protection directive'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-nHUk1j17-ho/TpAIY8VtUZI/AAAAAAAAAls/qj9GmYY3UpI/s72-c/111007%2B-%2BEC%2Bworking%2Bdocument.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3622377900142734033</id><published>2011-10-07T10:44:00.000-07:00</published><updated>2011-10-08T02:33:10.354-07:00</updated><title type='text'>Depressing ways of implementing EC breach notification laws</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-fQx38fR-Vqw/To86t0LfKgI/AAAAAAAAAlk/LMRrpY3sXd4/s1600/111005%2B-%2BBoozy-Ingots-IMG140409m%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 210px;" src="http://4.bp.blogspot.com/-fQx38fR-Vqw/To86t0LfKgI/AAAAAAAAAlk/LMRrpY3sXd4/s320/111005%2B-%2BBoozy-Ingots-IMG140409m%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660807815403350530" /&gt;&lt;/a&gt;&lt;br /&gt;Yesterday’s webinar run by the law firm &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hunton &amp; Williams &lt;/span&gt;&lt;/span&gt;on how various Member States were implementing EC personal data breach notification requirements left me so depressed that I ate an entire packet of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Hotel Chocolat's Boozy Combo&lt;/span&gt;&lt;/span&gt; immediately afterwards to cheer me up. If you haven't tried their Boozy Combo, and quite like the concept of eating chocolate flavoured with whiskey, rum and Poire William, then you're in for a treat.&lt;br /&gt;&lt;br /&gt;Why was I so depressed? 
Because I was presented with a narrative which made it clear that laws had been passed without a complete understanding of what their effects were going to be. In this case, European companies are faced with a bizarre set of breach notification requirements, for no obvious purpose.&lt;br /&gt;&lt;br /&gt;It's understandable why there should be some types of breach notification requirements in the US. After all, if there isn't a basic federal law requiring all data controllers to put in place steps to ensure the adequate security of personal data, then it's clear that there should be an incentive not to make mistakes - such as a breach notification requirement. But why should this necessarily be the case in the EC? &lt;br /&gt;&lt;br /&gt;The data protection directive has already set a standard, requiring data controllers to take adequate care of personal data. Will breach notification measures really encourage data controllers to "up their game"?  I don't think that behaviours will necessarily change. Especially with regard to those data breaches which involve simple human errors and affect just one or two victims. It's hard to put in place technical controls that provide cast iron guarantees that individuals won't make simple mistakes when dealing with individual data records. It's much easier to put in place technical controls that encrypt large volumes of information that is transported from one place to another.&lt;br /&gt;&lt;br /&gt;I was also depressed because I had just declined an invitation to consider applying to join an expert group set up by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;European Network and Information Security Agency&lt;/span&gt;&lt;/span&gt;. 
This expert group has been tasked with creating &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;recommendations for technical guidelines for the implementation of compulsory personal data breach notification requirements by communication and internet service providers&lt;/span&gt;.&lt;/span&gt; &lt;br /&gt;&lt;br /&gt;But why do we need technical guidance on a common breach notification format if it is wholly unclear whether regulators in each of the EC member states are going to adopt a common approach to the breach notifications that they'll be sent? Why expect people to fill in the same form if, in some states, it will be thrown straight in the bin? And in others, only a cursory glance will be given to it as the staff in that office are too busy working on more important issues?&lt;br /&gt;&lt;br /&gt;Another reason for my not wanting to join the group was that the experts were only scheduled to meet once or twice more, and none of the people I knew to be members of that group of experts were people who were employed by communication or internet service providers. The final draft is scheduled to be presented to those who commissioned it at the end of this month. Critics may well argue that the standard will appear to have been created by no expert who had any practical experience of trying to determine whether the security incidents they were actually experiencing met the various statutory and regulatory definitions of personal data security breaches. &lt;br /&gt;&lt;br /&gt;So why should I join a group solely comprised of people involved in regulating and enforcing, rather than implementing, these issues? 
If they didn't need the experience of practitioners when they started work to develop this common reporting and response format, would I simply have been there for a spot of window dressing at the end?&lt;br /&gt;&lt;br /&gt;If I had been invited to participate at the commencement of the expert group, I expect that I would have pointed out the absurdity of expecting large numbers of data controllers to promptly notify regulators of the most minor of breaches. I would have urged a harm-based approach with thresholds that were sufficiently high to ensure that regulators would take notice of the incident, once they had received a report. So I can understand why I wasn't invited earlier. &lt;br /&gt;&lt;br /&gt;But, to be honest, I would not really have wanted to have helped to devise a way of implementing a concept that was so flawed in the way it was originally drafted.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3622377900142734033?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3622377900142734033'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3622377900142734033'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/depressing-ways-of-implementing-ec.html' title='Depressing ways of implementing EC breach notification laws'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' 
url='http://4.bp.blogspot.com/-fQx38fR-Vqw/To86t0LfKgI/AAAAAAAAAlk/LMRrpY3sXd4/s72-c/111005%2B-%2BBoozy-Ingots-IMG140409m%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-4592296791559470699</id><published>2011-10-05T12:56:00.001-07:00</published><updated>2011-10-06T00:13:52.039-07:00</updated><title type='text'>Compensation for distress? Or sometimes plain greed?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-SSEzNGY77NA/Toy2fsAFdII/AAAAAAAAAlc/cfUKdrtcud0/s1600/coins-UK-in-glass-money-pot-gallon-wine-jar-viewed-through-neck-of-jar-closeup-1-JR%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 240px;" src="http://2.bp.blogspot.com/-SSEzNGY77NA/Toy2fsAFdII/AAAAAAAAAlc/cfUKdrtcud0/s320/coins-UK-in-glass-money-pot-gallon-wine-jar-viewed-through-neck-of-jar-closeup-1-JR%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5660099487201588354" /&gt;&lt;/a&gt;&lt;br /&gt;None of us are perfect. Every data controller makes mistakes. But most data protection professionals I know are quite prepared to put their hands up when things go wrong, and admit that an error has occurred.&lt;br /&gt;&lt;br /&gt;What interests me is the attitude of the person who is the focus of the error. How many times do they tend to shrug their shoulders and accept that, in an electronic world, things occasionally go wrong, but life goes on regardless? And how many times do they adopt a "victim" mentality for which a significant compensation payment is the only acceptable solution? Even if the "offence" was to take a little time before recognising that they had objected to the receipt of a direct marketing message?&lt;br /&gt;&lt;br /&gt;I guess we all see a fair smattering of both ends of the spectrum. Indeed, that's what makes the job so interesting. 
How can one person value their privacy so greatly that only an offer of several hundred pounds will stop them from going to the county court to claim damages for having been sent an unwanted marketing message? Incidents like this light up my day.&lt;br /&gt;&lt;br /&gt;I wish I could send them a copy of the presentation that &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Rosemary Jay &lt;/span&gt;&lt;/span&gt;made to members of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Data Protection Forum&lt;/span&gt;&lt;/span&gt; in September 2010.  It was very revealing, as it set out the levels of compensation that the courts award victims for distress and inconvenience in other areas (spoilt holidays, awful wedding photos, and banking errors - those sorts of things). Without wishing to steal her thunder, the general message is that claimants don't often get much. If you want to hit the jackpot these days, you need to be seriously inconvenienced (I'll deliberately avoid using the phrase "hacked off") by the likes of the News International group.&lt;br /&gt;&lt;br /&gt;Perhaps we should mount an annual awards ceremony, in order that those who make the most outrageous claims can be properly recognised. Whether they would turn up to receive their awards would be another matter. But we would all enjoy a good dinner, and the after dinner speaker (hopefully a top comedian) would have plenty of new material from which he could poke fun at those who were so deserving.&lt;br /&gt;&lt;br /&gt;Perhaps there could also be categories for the most ridiculous reportable personal data breach, too. We could have a special "my dog ate my data stick" prize, where entrants could send pictures of their pets and the awards panel could vote on the cutest pooch. And we could have an award for the NHS Trust that has managed to lose the greatest numbers of patient records. 
And, perhaps, we could offer a complimentary invitation to the data controller that had received (and paid) the largest monetary penalty in the past year.&lt;br /&gt;&lt;br /&gt;I'll ask those who will be attending the next Data Protection Supper Club for their ideas on other awards categories too. Will there be fierce discussion amongst the judging panel when they review the nominations for "the most useful Opinion from the Article 29 Working Party"? Will judges storm out in disgust when other members of the panel disagree with their assessment of the strangest undertaking offered by a data controller to the Information Commissioner?&lt;br /&gt;&lt;br /&gt;No, I don't think so. I expect that they will all share a similar sense of humour.&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-4592296791559470699?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4592296791559470699'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/4592296791559470699'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/compensation-for-distress-or-sometimes.html' title='Compensation for distress? 
Or sometimes plain greed?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://2.bp.blogspot.com/-SSEzNGY77NA/Toy2fsAFdII/AAAAAAAAAlc/cfUKdrtcud0/s72-c/coins-UK-in-glass-money-pot-gallon-wine-jar-viewed-through-neck-of-jar-closeup-1-JR%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7671701668990992397</id><published>2011-10-04T11:24:00.001-07:00</published><updated>2011-10-05T00:37:04.764-07:00</updated><title type='text'>The art of drafting clearer EC laws</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-pFpX9DKEA2A/TotPqy1mwLI/AAAAAAAAAlU/UoDbov7y84E/s1600/111004%2B-%2Bplain%2Benglish.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 170px;" src="http://3.bp.blogspot.com/-pFpX9DKEA2A/TotPqy1mwLI/AAAAAAAAAlU/UoDbov7y84E/s320/111004%2B-%2Bplain%2Benglish.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5659704953340870834" /&gt;&lt;/a&gt;&lt;br /&gt;How much effort is really put into the drafting of EC laws? Why is so much of it so incomprehensible? If the Plain English Campaign can combat gobbledegook in the UK, why can’t an equivalent European body combat unintelligible Eurospeak?&lt;br /&gt;&lt;br /&gt;If, like me, you have thought about these matters, and you’ve draped wet flannels over your head to keep your brain from overheating as you struggle to find the real meaning behind various EU Directives, fear not. Help is at hand. 
Well, it will be soon.&lt;br /&gt;&lt;br /&gt;Why?&lt;br /&gt;&lt;br /&gt;Because on &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;31st October&lt;/span&gt;&lt;/span&gt;, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Eleanor Sharpston QC&lt;/span&gt;,&lt;/span&gt; who is an &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Advocate General at the Court of Justice of the European Union&lt;/span&gt;&lt;/span&gt;, will be speaking on these matters at a free lecture in Central London. She’s calling her presentation: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Drafting comprehensible legislation in a multi-lingual, multi-legal-system environment: some reflections on the EU drafting process and its consequences.&lt;/span&gt;&lt;/span&gt; I do hope that one of the things she will be doing, on behalf of the juro-linguistic translators, is apologising for the stuff that the legislators pass as laws. I do hope that she will be explaining how much care and effort really is made to improve the drafts that were originally presented by Euro Parliamentarians, but we’ll see.&lt;br /&gt;&lt;br /&gt;I am a supporter of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Plain English Campaign&lt;/span&gt;&lt;/span&gt;, and remember, some 20 years ago, visiting their Headquarters in a converted mill in High Peak, Derbyshire. Working away in the corner of the building was their founder, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Chrissie Maher&lt;/span&gt;&lt;/span&gt;. Chrissie’s life story is an inspiration to us all. She largely missed out on formal education and could not read until she was in her mid teens. She was heavily involved in community work during the 1960s and founded Britain's first community newspaper, 'The Tuebrook Bugle'. 
In the 1970s she set up 'The Liverpool News', the country's first newspaper for semi-literate adults, and Impact Foundation, a community printshop. Chrissie was invited to be a councillor on the National Consumer Council when it was created in 1975.  Around that time she started the Salford Form Market - a project to help people fill in forms - which led to the birth of Plain English Campaign.&lt;br /&gt;&lt;br /&gt;I got to meet her when I was working with the Association of British Insurers, as the ABI was encouraging its members to change their practices in line with new rules that were introduced with the implementation of the Unfair Terms in Consumer Contracts Regulations in 1989. I remember working with insurers to develop clear ways to communicate with customers – an initiative that was strongly encouraged by a senior Office of Fair Trading official, a certain &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Richard Thomas&lt;/span&gt;&lt;/span&gt;. Yes, that Richard Thomas!&lt;br /&gt;&lt;br /&gt;Don’t let the venue of Eleanor’s presentation put you off. The event has been organised by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Institute of Advanced Legal Studies&lt;/span&gt;&lt;/span&gt; of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;University of London&lt;/span&gt;&lt;/span&gt;, but the presentation will take place, because of its significance, in &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Senate House&lt;/span&gt;&lt;/span&gt;, in Bloomsbury, Central London. You don’t have to be a student (or an academic) to attend. Just be someone who has a keen interest in the subject matter. And be prepared to have a drink afterwards with some familiar faces to discuss the points that she will have made. I might even buy a round myself.&lt;br /&gt;&lt;br /&gt;It’s likely to be great fun. And very instructive. 
So, hopefully I'll see you there in good time for a 6pm prompt start. The chairman -   &lt;span style="font-weight:bold;"&gt;T&lt;span style="font-style:italic;"&gt;he Hon Mr Justice Sales &lt;/span&gt;&lt;/span&gt;– is unlikely to look too kindly on the latecomers. Those who fancy registering should point their browser here: http://www.sas.ac.uk/events/view/9842&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://www.sas.ac.uk/events/list/ials_events&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7671701668990992397?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7671701668990992397'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7671701668990992397'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/art-of-drafting-clearer-ec-laws.html' title='The art of drafting clearer EC laws'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-pFpX9DKEA2A/TotPqy1mwLI/AAAAAAAAAlU/UoDbov7y84E/s72-c/111004%2B-%2Bplain%2Benglish.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3561459712100101817</id><published>2011-10-03T12:54:00.000-07:00</published><updated>2011-10-03T13:02:59.135-07:00</updated><title type='text'>A data protection anthem: to be sung at the Proms</title><content type='html'>&lt;a 
onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-xJOa7tvLSUs/TooTdO1ksaI/AAAAAAAAAlM/1RTNDKI23lo/s1600/111002%2B-%2BpromsDM0403_468x320%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 219px;" src="http://1.bp.blogspot.com/-xJOa7tvLSUs/TooTdO1ksaI/AAAAAAAAAlM/1RTNDKI23lo/s320/111002%2B-%2BpromsDM0403_468x320%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5659357274664382882" /&gt;&lt;/a&gt;&lt;br /&gt;I can get quite emotional when I watch the annual broadcast of the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Last Night at the Proms&lt;/span&gt;&lt;/span&gt; concert on the television. It's one of the highlights of the British cultural calendar. Who can’t resist reaching for a flag, standing to attention and belting out the chorus of &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Rule Britannia&lt;/span&gt;&lt;/span&gt; at the appropriate time? &lt;br /&gt;&lt;br /&gt;Very few of us actually know the words to the verses, but we all like to join in when it’s time for the chorus.  &lt;br /&gt;&lt;br /&gt;According to &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Wikipedia&lt;/span&gt;&lt;/span&gt;, this anthem was written by &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;James Thomson&lt;/span&gt;&lt;/span&gt;, some 250 years ago. The lyrics were first published in 1763. A few changes have obviously been made to those currently used by the soloists. 
But how could the words be tweaked to make them more relevant to the data protection community in the 21st Century, while keeping true to the original jingoistic spirit?&lt;br /&gt;&lt;br /&gt;How about something like this?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;1.&lt;br /&gt;When Britain first, at the Council’s command,&lt;br /&gt;Enacted laws about the facts that we retain,&lt;br /&gt;Enacted laws about the facts that we retain,&lt;br /&gt;Their 108th Convention, behave as they demand,&lt;br /&gt;And guardian angels sang this strain:&lt;br /&gt;&lt;br /&gt;Data Protection!&lt;br /&gt;Keeping up the fight&lt;br /&gt;Respecting privacy as a human right.&lt;br /&gt;&lt;br /&gt;2.&lt;br /&gt;Then nations, not so blest as those in the EC,&lt;br /&gt;Must in their turn, to regulation fall,&lt;br /&gt;Must in their turn, to regulation fall,&lt;br /&gt;Join us, and flourish, you can flourish great and free,&lt;br /&gt;Your sneaky little practices, you will overhaul.&lt;br /&gt;&lt;br /&gt;Data Protection!&lt;br /&gt;Keeping up the fight&lt;br /&gt;Respecting privacy as a human right.&lt;br /&gt;&lt;br /&gt;3.&lt;br /&gt;Still more majestic can we rise,&lt;br /&gt;Above the claims that compliance is a joke,&lt;br /&gt;Above the claims that compliance is a joke,&lt;br /&gt;Fear not cloud servers, those boxes in the skies&lt;br /&gt;Making life easier for European folk.&lt;br /&gt;&lt;br /&gt;Data Protection!&lt;br /&gt;Keeping up the fight&lt;br /&gt;Respecting privacy as a human right.&lt;br /&gt;&lt;br /&gt;4.&lt;br /&gt;The internet is marvelous, it’s truly changed our world&lt;br /&gt;But information overload leaves us no place to hide&lt;br /&gt;But information overload leaves us no place to hide&lt;br /&gt;Getting hot and bothered when the facts are all unfurled&lt;br /&gt;Facing the music now we’re digitally classified.&lt;br /&gt;&lt;br /&gt;Data Protection!&lt;br /&gt;Keeping up the fight&lt;br 
/&gt;Respecting privacy as a human right.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3561459712100101817?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3561459712100101817'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3561459712100101817'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/data-protection-anthem-to-be-sung-at.html' title='A data protection anthem: to be sung at the Proms'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-xJOa7tvLSUs/TooTdO1ksaI/AAAAAAAAAlM/1RTNDKI23lo/s72-c/111002%2B-%2BpromsDM0403_468x320%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6990381243923053369</id><published>2011-10-01T07:30:00.000-07:00</published><updated>2011-10-03T12:52:41.211-07:00</updated><title type='text'>Internet cookies: an idea for a new Article 29 Opinion</title><content type='html'>&lt;a href="http://4.bp.blogspot.com/-g4KQoJvTYzQ/TockwkAUHHI/AAAAAAAAAlE/Mb0C3wAWQxY/s1600/111001%2B-%2Bcoke.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 120px; height: 160px;" 
src="http://4.bp.blogspot.com/-g4KQoJvTYzQ/TockwkAUHHI/AAAAAAAAAlE/Mb0C3wAWQxY/s320/111001%2B-%2Bcoke.jpg" border="0" alt="" id="BLOGGER_PHOTO_ID_5658531873531632754" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;I don’t know about you, but I don’t like the language the Article 29 Working Party uses in its opinions. They are usually extremely long and legalistic. And boring.&lt;br /&gt;&lt;br /&gt;Why can’t they develop a new way of communicating with the rest of us? Perhaps in a tone that would connect with us in a more subtle way?&lt;br /&gt;&lt;br /&gt;Why can’t they do it in verse?&lt;br /&gt;&lt;br /&gt;And if they were to try it in song, what might it sound like?&lt;br /&gt;&lt;br /&gt;Well, I’ve written an anthem to mark the care which members of the Working Party would want us to take when using the internet. You can sing the lyrics to a well known tune, which once promoted a global (American-originated) beverage. I figured that this approach might go down well on both sides of the pond.&lt;br /&gt;&lt;br /&gt;And I’m also proposing that the members sing it at the start of each of their meetings, rather than hum along to Beethoven’s Ode to Joy, or other Euro anthem. Or whatever else it is they do before they earnestly get down to a spot of data protecting.&lt;br /&gt;&lt;br /&gt;And I would be delighted if the Article 29 Working Party might also record it and release it as a charity single on iTunes. 
It can be their contribution to European Data Protection Day next year.&lt;br /&gt;&lt;br /&gt;The song goes something like this:&lt;br /&gt;&lt;br /&gt;1.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We’d like to teach the world to surf&lt;br /&gt;In anonymity&lt;br /&gt;No nasty cookies on our turf&lt;br /&gt;No permanent ID.&lt;br /&gt;&lt;br /&gt;[CHORUS]&lt;br /&gt;We’re the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;Are you sure, are you sure?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We’re the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;But what if I want a bit more?&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We’re the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;I’m cash rich time poor&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We’re the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;How will they know me from before?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;2&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're charged with fighting practices&lt;br /&gt;All over cyberspace&lt;br /&gt;Preventing bad guys adding you&lt;br /&gt;To their customer database.&lt;br /&gt;&lt;br /&gt;[CHORUS]&lt;br /&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;But they know my taste&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;And my time they won't waste&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span 
style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;I've already seen her waist&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;Look I don't want it chaste.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;3.&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;There's spyware from their market place&lt;br /&gt;Selling your details on the sly&lt;br /&gt;To strangers you will never trace&lt;br /&gt;Causing harm that's hard to rectify.&lt;br /&gt;&lt;br /&gt;[CHORUS]&lt;br /&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;   &lt;span style="font-style:italic;"&gt;Do what we say and you'll be fine&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;Respect the guys who draw the line&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;Can't rhyme like Oscar Hammerstein&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We're the real thing&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;    &lt;span style="font-style:italic;"&gt;All hail the Article Twenty Nine!&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6990381243923053369?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6990381243923053369'/><link 
rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6990381243923053369'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/10/internet-cookies-ideas-for-new-article.html' title='Internet cookies: an idea for a new Article 29 Opinion'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-g4KQoJvTYzQ/TockwkAUHHI/AAAAAAAAAlE/Mb0C3wAWQxY/s72-c/111001%2B-%2Bcoke.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-2416274566440400894</id><published>2011-09-30T00:33:00.001-07:00</published><updated>2011-09-30T00:59:52.654-07:00</updated><title type='text'>Consider yourself (notified)</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-rfFyURgrn48/ToVw450112I/AAAAAAAAAk8/zpRiWIaRfm0/s1600/110930%2B-%2Bconsider%2Byourself_Wild%255B1%255D.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 250px; height: 320px;" src="http://4.bp.blogspot.com/-rfFyURgrn48/ToVw450112I/AAAAAAAAAk8/zpRiWIaRfm0/s320/110930%2B-%2Bconsider%2Byourself_Wild%255B1%255D.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5658052629758334818" /&gt;&lt;/a&gt;&lt;br /&gt;On Wednesday I blogged about being really impressed with the way that a Newham youth group had worked with the people behind the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;VOME&lt;/span&gt;&lt;/span&gt; (&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Visualisation and Other 
Methods of Expressions&lt;/span&gt;&lt;/span&gt;) project. Members of the youth group had produced a great music video, very cleverly setting out the principal concerns in song - and in dance moves that may well soon be copied in the clubs when the video goes viral.&lt;br /&gt;&lt;br /&gt;Ironically, their reward is that Newham Council have announced the imminent closure of the youth group, so that the building they currently use can be made available to the Canadian Olympic Team for a couple of months next year. Some reward.&lt;br /&gt;&lt;br /&gt;Anyway, their video is not out on YouTube yet, so there’s still a chance for the staff at the Information Commissioner’s to pip them to the post by releasing a video of their own. Or perhaps they can form a choir to perform a series of songs at the ICO’s Xmas Party.&lt;br /&gt;&lt;br /&gt;So, in case the ICO’s staff are up for it, and are on the lookout for a number with a full chorus, they might want to try belting out this one. (After they’ve apologised to Lionel Bart, that is...)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Picture it: The curtain opens to reveal a data controller handing over their £35 annual notification fee to a grey haired man in the cafe around the corner from a workhouse in Wilmslow, cunningly disguised as the Information Commissioner’s Office. The audience’s attention shifts from the data controller to the grey haired man. No, he’s not Gandalf. But he is an enforcer, an educator and a master of data protection. Yes, he’s a Deputy Commissioner. The Director of Data Protection.&lt;br /&gt;&lt;br /&gt;He steps forward. 
He speaks, before singing to an oddly familiar tune.&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP (spoken)]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;So, Data Controller, now you’ve paid your notification fee, you're coming with me.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DATA CONTROLLER (spoken)]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Are you sure Mr. Graham won't mind?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP (spoken)]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Mind?!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Consider yourself at home&lt;br /&gt;Consider yourself one of the family&lt;br /&gt;We've taken to you so strong&lt;br /&gt;But my, your privacy policy is too long&lt;br /&gt;Consider yourself well in&lt;br /&gt;Consider yourself taking our literature&lt;br /&gt;There isn't a lot to spare&lt;br /&gt;Who cares?..Whatever we've got we share!&lt;br /&gt;&lt;br /&gt;When it will chance to be&lt;br /&gt;You will see&lt;br /&gt;Some awful days&lt;br /&gt;Data breaching days&lt;br /&gt;Why worry?&lt;br /&gt;We will rely on you&lt;br /&gt;To step right in &lt;br /&gt;And sort it out&lt;br /&gt;Then you can take us out for a curry!&lt;br /&gt;&lt;br /&gt;Consider yourself first rate&lt;br /&gt;Stopping practices we hate,&lt;br /&gt;And after some consideration, we can state&lt;br /&gt;Consider yourself&lt;br /&gt;One of us!&lt;br /&gt;&lt;br /&gt;Consider yourself...&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DATA CONTROLLER]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;At home?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Consider 
yourself...&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DATA CONTROLLER]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;One of the family&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF ENFORCEMENT]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;We've taken to you&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DATA CONTROLLER]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;So strong&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF GOOD PRACTICE]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;But my &lt;/span&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;[ENTIRE OFFICE]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Your privacy policy is too long.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Consider yourself...&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF CUSTOMER CONTACT]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Well in!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Consider yourself...&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF GOOD PRACTICE]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Taking our literature&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF FINANCE]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;There isn't a lot to spare&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[ALL]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Who cares?&lt;br /&gt;Whatever we got we share&lt;/span&gt;&lt;/span&gt;&lt;br 
/&gt;&lt;br /&gt;[DIRECTOR OF DP]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Nobody tries to be lah-di-dah or uppity--&lt;br /&gt;There’s a drinks machine for all&lt;br /&gt;&lt;br /&gt;Only it's wise to be handy with a staple gun&lt;br /&gt;When the MoJ wants a brawl!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[HEAD OF ENFORCEMENT]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Consider yourself&lt;br /&gt;First rate.&lt;br /&gt;Stopping practices we hate&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[ALL]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;And after some consideration we can state&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DATA CONTROLLER]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Consider yourself&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[DIRECTOR OF DP]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Yes!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;[ALL]&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;One of us!&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-2416274566440400894?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2416274566440400894'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/2416274566440400894'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/consider-yourself-notified.html' title='Consider yourself (notified)'/><author><name>Data 
Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-rfFyURgrn48/ToVw450112I/AAAAAAAAAk8/zpRiWIaRfm0/s72-c/110930%2B-%2Bconsider%2Byourself_Wild%255B1%255D.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5274690722724378695</id><published>2011-09-29T10:35:00.001-07:00</published><updated>2011-09-29T10:40:52.137-07:00</updated><title type='text'>Privacy on mobile devices: Not bad</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-FNBMwosANyw/ToSsgQpgegI/AAAAAAAAAk0/0taqiTBtRFQ/s1600/110929%2B-%2Bmobile%2Busers.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 176px;" src="http://4.bp.blogspot.com/-FNBMwosANyw/ToSsgQpgegI/AAAAAAAAAk0/0taqiTBtRFQ/s320/110929%2B-%2Bmobile%2Busers.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5657836702109039106" /&gt;&lt;/a&gt;&lt;br /&gt;Thud. Landing in my in-box yesterday was a hefty email from the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;GSM Association&lt;/span&gt;&lt;/span&gt;, giving me details of the views of over 4,000 mobile phone users in Singapore, Spain and the UK, on some privacy issues, particularly relating to the use of the mobile Internet and mobile applications. The research follows the January publication of the GSMA’s Mobile Privacy Principles, which described the way in which mobile consumers’ privacy should be respected and protected. 
&lt;br /&gt;&lt;br /&gt;I’ll quote quite extensively from the study, as it’s quite interesting.&lt;br /&gt;&lt;br /&gt;This study was designed to help mobile operators understand to what degree privacy interests were of concern to mobile users, as well as how they influence attitudes towards, and usage of, mobile Internet services and applications. &lt;br /&gt;&lt;br /&gt;Overall, it showed that while privacy concerns can discourage consumer engagement with mobile Internet services, mobile applications and advertising, users greatly value the services and the opportunities they bring. &lt;br /&gt;&lt;br /&gt;And the chief learning is that it’s necessary to strengthen consumer confidence and trust by giving users meaningful transparency, choice and control over how their personal information is used. So, there’s still a way to go, but consumers generally like what they’re getting.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Key Research Findings&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;About half of users were concerned about sharing their personal information while using the mobile Internet or mobile applications. Around 81 per cent of mobile users surveyed felt that safeguarding their personal information was very important and 76 per cent said they were very selective about whom they gave their information to. Key areas of user concern, which focused on trust and confidence, were highlighted as behavioural advertising, location-based services, mobile applications and third-party sharing. 
Other study findings include: &lt;br /&gt;&lt;br /&gt;• 89 per cent of users think that it is important to know when personal information is being shared by an application and to be able to turn this off or on; &lt;br /&gt;• 89 per cent think it important to have the option of giving permission for personal information to be used by third parties and 78 per cent are concerned with third parties having access to the location of their mobile without permission; &lt;br /&gt;• 74 per cent want to be told if their personal information is collected to target them with offers or promotions; and &lt;br /&gt;• 92 per cent of respondents have concerns when applications collect personal information without their consent and 79 per cent would like to know when and what type of personal information is being collected. &lt;br /&gt;&lt;br /&gt;Practical services such as maps and weather are the most frequently used location-based services and are highly valued by over 70 per cent of respondents. 79 per cent think it is important to have the choice whether to receive location-based advertising with 86 per cent believing it important to be able to turn LBS promotions or advertising on or off. &lt;br /&gt;&lt;br /&gt;Over 60 per cent of respondents were familiar with behavioural advertising, with 35 per cent finding it valuable, but 84 per cent thought it important to be able to have the choice whether to receive behavioural advertising that is based on browsing history and 81 per cent remained concerned about receiving behavioural advertising without their consent.&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;So, it’s somewhat of a thumbs up, and not a “doom and gloom” message for those who fear that a bit more transparency and control will result in customers switching off the behavioural advertising and other tracking technology in droves. 
The message is pretty clear – if consumers understand what it is that they are trading some of their privacy away for, they are going to be happy with the deal if, in return, they get stuff which is valuable to them.&lt;br /&gt;&lt;br /&gt;The trick, therefore, is for the providers of this stuff to make their offerings sufficiently compelling, so that they’re not characterised as  money- or privacy-grabbing bodies who simply want to take, rather than give back.&lt;br /&gt;&lt;br /&gt;Simple, huh?&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://www.gsm.org/newsroom/press-releases/2011/6474.htm&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-5274690722724378695?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5274690722724378695'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/5274690722724378695'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/privacy-on-mobile-devices-not-bad.html' title='Privacy on mobile devices: Not bad'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-FNBMwosANyw/ToSsgQpgegI/AAAAAAAAAk0/0taqiTBtRFQ/s72-c/110929%2B-%2Bmobile%2Busers.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-1711034900634414924</id><published>2011-09-28T12:38:00.001-07:00</published><updated>2011-09-28T12:58:27.532-07:00</updated><title type='text'>How can young people better manage their online identities?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-ZexwIbxbWb8/ToN3wEm39sI/AAAAAAAAAks/tVpiefOALMw/s1600/110928%2B-%2Bvome.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 172px;" src="http://1.bp.blogspot.com/-ZexwIbxbWb8/ToN3wEm39sI/AAAAAAAAAks/tVpiefOALMw/s320/110928%2B-%2Bvome.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5657497224661694146" /&gt;&lt;/a&gt;&lt;br /&gt;To many people, on-line privacy is a joke. To some it's a game. And this morning, on the 49th floor of One Canada Square in Canary Wharf, a select group of people assembled to play a new privacy game.&lt;br /&gt;&lt;br /&gt;What am I on about?&lt;br /&gt;&lt;br /&gt;Well, a Group of academic researchers from the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Information Society Group at Royal Holloway College, University of London&lt;/span&gt;&lt;/span&gt;, have been working on a 3 year research project with other academics, consultants and Sunderland City Council. They've been learning how young people engage with concepts of information privacy and consent in the on-line world.&lt;br /&gt;&lt;br /&gt;It's called the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;VOME&lt;/span&gt;&lt;/span&gt; project, which is an acronym for the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Visualisation and Other Methods of Expressions project.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;What they have learnt has turned their world upside down. 
In an age where it can be the teenager who does the on-line banking for the family because their parents don't understand the Internet, it seems clear that many of these young people have got a better understanding of what can go on than their parents.&lt;br /&gt;&lt;br /&gt;The researchers have also found that young people communicate amongst each other in terms that are vastly different to older generations. Image and attitude can be more important than the actual words that are used. And when the researchers offered a youth group the funds to produce a video explaining their privacy concerns, they were astounded with the results. No, it wasn't a series of talking heads, earnestly discussing privacy issues. These guys had actually produced a music video, very cleverly setting out the principal concerns in song - and in dance moves that may well soon be copied in the clubs when the video goes viral.&lt;br /&gt;&lt;br /&gt;Watch out for "Internet Saint or an Internet Demon", which should be out on YouTube pretty soon. You too can be one of the first to have seen it.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Regular readers will appreciate that I also know the value of slipping privacy messages into songs, and am developing a series of ditties based on various privacy issues. You can see some of my earlier efforts in the blogs I posted on 6 November 2009, 16, 17, 18 &amp; 19 June 2011 and 12 July 2011.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Anyway, back to the on-line privacy game. The developers have found a way to use the rules of a game to model the way that information flows around the online environment as it does in real life. Players seek to collect and use different types of personal information cards. Some of the information can be swapped. Other types of information are supposed to remain private. Each player assumes the identity of a secret character (such as a hacker, online shopper, advertiser or bank). 
Players then trade cards with each other to obtain the highest scores.&lt;br /&gt;&lt;br /&gt;And, to mix up the game, the players have to contend with a "random event" deck. Events such as "super injunction" or "game network hack" make life difficult for the players; perhaps by stopping them from using certain types of cards for a round.&lt;br /&gt;&lt;br /&gt;Plans are afoot for this game to feature in the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;GameCity&lt;/span&gt;&lt;/span&gt; event in Nottingham, which will be held from 26-29th October. At this event, experienced gamers will be playing it and they'll be invited to develop online prototypes of it.&lt;br /&gt;&lt;br /&gt;The game’s good. And it's still in development, although the version we played today was certainly at a very advanced stage. It has all the hallmarks of a great teaching tool. Particularly for those of us who like to learn by doing things, rather than by having a teacher just standing up in front of a class and saying things.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;www.vome.org.uk&lt;br /&gt;http://gamecity.org/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-1711034900634414924?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1711034900634414924'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/1711034900634414924'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/how-can-young-people-better-manage.html' title='How can young people better manage their online identities?'/><author><name>Data 
Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-ZexwIbxbWb8/ToN3wEm39sI/AAAAAAAAAks/tVpiefOALMw/s72-c/110928%2B-%2Bvome.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-870574149299707471</id><published>2011-09-27T13:43:00.001-07:00</published><updated>2011-09-28T12:55:07.400-07:00</updated><title type='text'>Cookie compliance – Govt website suggests a new way to do it</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/-TDBMNqIJ9sE/ToI1j0xDcHI/AAAAAAAAAkk/rShTfuOnI-g/s1600/110924%2B-%2Bdirectgov.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 213px; height: 87px;" src="http://3.bp.blogspot.com/-TDBMNqIJ9sE/ToI1j0xDcHI/AAAAAAAAAkk/rShTfuOnI-g/s320/110924%2B-%2Bdirectgov.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5657142971506847858" /&gt;&lt;/a&gt;&lt;br /&gt;The webmasters at the main Government website appear to have ignored the pioneering route the ICO’s team took to ensure compliance with the new cookie rules. Whether it’s absolutely lawful only time will tell, but as it’s the Government’s main website, I think they would be hard pressed to criticise many who adopted their cunning plan.&lt;br /&gt;&lt;br /&gt;They’ve found a way of operating their site by giving users the option of objecting to the use of cookies – so long as the users burrow through the cookie explanations until they find the right hyperlinks.&lt;br /&gt;&lt;br /&gt;Clever, huh?  
If it works, certainly.&lt;br /&gt;&lt;br /&gt;Read on if you want to learn how they’ve managed this feat.&lt;br /&gt;&lt;br /&gt;First, just an explanation of the site. Directgov is the website which is supposed to save public funds by enabling citizens to use this single portal to access all other Government services. &lt;br /&gt;&lt;br /&gt;So, from the home page, in just 3 clicks the user can navigate to the page explaining freedom of information and data protection. Interestingly, as well as briefly outlining the data protection principles, subject access rights and guidance on how to stop direct marketing, it also provides advice on how people can appeal against decisions made by the Information Commissioner. I’ve never seen a popular Government site carrying such prominent advice on how people can appeal against these decisions.&lt;br /&gt;&lt;br /&gt;The Data Protection stuff is available by clicking on:&lt;br /&gt;Government, citizens and rights&lt;br /&gt; Your rights &amp; responsibilities&lt;br /&gt;  Data protection &amp; freedom of information&lt;br /&gt;&lt;br /&gt;Anyway, the Directgov privacy policy (helpfully located by clicking on the link when you have scrolled to the bottom of the landing page) provides the usual stuff, and explains, in a section headed “Changes to this privacy policy”:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;If this privacy policy changes Directgov will update this page. 
You should visit this page regularly so you know:&lt;br /&gt;&lt;br /&gt;• what personal information Directgov collects&lt;br /&gt;• how Directgov uses your personal information&lt;br /&gt;• when (if ever) Directgov shares your personal information with someone else&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Then, there’s a link to the cookies page.&lt;br /&gt;&lt;br /&gt;The text explains that: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Cookies allow Directgov to improve the services we provide, by telling us how people use them. Cookies are also used to make some parts of the website work properly. Find out what cookies Directgov uses and what they're for.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Under the heading &lt;span style="font-weight:bold;"&gt;“Why Directgov uses cookies”&lt;/span&gt; the following explanation is available:&lt;br /&gt; &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device, for example, computer or mobile phone. These include small files known as cookies. 
They cannot be used to identify you personally.&lt;br /&gt;&lt;br /&gt;These pieces of information are used to improve services for you through, for example:&lt;br /&gt;&lt;br /&gt;• enabling a service to recognise your device so you don't have to give the same information several times during one task&lt;br /&gt;• recognising that you may already have given a username and password so you don't need to do it for every web page requested&lt;br /&gt;• measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;And then there’s another hyperlink: “Internet browser cookies - what they are and how to manage them”.&lt;br /&gt;&lt;br /&gt;An interesting section (for the cookie anorak brigade) is called &lt;span style="font-weight:bold;"&gt;“Your privacy - how cookies are used by Directgov.”&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;I like it. It contains a list of the cookies that have been found on the websites operated by the companies and government departments Directgov works with. The list is to be updated as more information emerges.&lt;br /&gt;&lt;br /&gt;The section &lt;span style="font-weight:bold;"&gt;“Cookies for measuring use of services”&lt;/span&gt; states that: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;by understanding how people use Directgov, we can improve the information provided. This also ensures that the service is available when you want it and fast. We use a number of different methods of gathering this data, including services provided by the following companies.&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The text then provides details about 5 cookies placed by Speed-Trap and 5 placed by Google Analytics. 
The details are set out as follows:&lt;br /&gt;&lt;br /&gt;Name: jobseekerscsauvt&lt;br /&gt;Typical content: which Directgov pages you have visited and when&lt;br /&gt;This cookie is used by the Directgov jobs and skills search.&lt;br /&gt;Expires: 1 year&lt;br /&gt;&lt;br /&gt;Name: __utmmobile&lt;br /&gt;Typical content: randomly generated number&lt;br /&gt;Expires: 2 years&lt;br /&gt;For further details on the cookies set by Google Analytics, users can click on yet another hyperlink. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Then, there’s an explanation about &lt;span style="font-weight:bold;"&gt;third party advertising cookies&lt;/span&gt;: &lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Where government uses advertising, it wants to make sure that this money is well spent. To help measure this, the following cookies are used on pages which are being marketed&lt;/span&gt;.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Doubleclick&lt;br /&gt;Name: doubleclick.net&lt;br /&gt;Typical content: randomly generated number&lt;br /&gt;Expires: 2 years&lt;br /&gt;&lt;br /&gt;GroupM&lt;br /&gt;Name: b3-uk.mookie1.com or uk.gmads.net&lt;br /&gt;Typical content: randomly generated number&lt;br /&gt;Expires: 13 months&lt;br /&gt;&lt;br /&gt;Then, there’s a section on &lt;span style="font-weight:bold;"&gt;“Cookies to make specific web services work”.&lt;/span&gt; These cookies are sorted into the following types: &lt;br /&gt;&lt;br /&gt;Site customisation&lt;br /&gt;Online forms&lt;br /&gt;Cookies for using personalised answer tools (eg redundancy pay calculator)&lt;br /&gt;Cookies for using mobile services&lt;br /&gt;Cookies for using Local Directgov services&lt;br /&gt;Cookies for using Directgov Innovate website - innovate.direct.gov.uk&lt;br /&gt;&lt;br /&gt;Another hyperlink leads to more information on how to control or delete cookies. 
And yet other hyperlinks lead to more information about various cookies placed on some of the sites which can be accessed from the Directgov website. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There are some interesting details about some of the other cookies that are served under the Directgov domain. Virtually all of the cookies expire when the user exits the browser. But, for some reason, those set by the Schools and children centre finder (schoolsfinder.direct.gov.uk) last for 30 years. Don't ask why.&lt;br /&gt;&lt;br /&gt;Finally, there are a few words on &lt;span style="font-weight:bold;"&gt;“Cookies on Directgov from social networking websites”&lt;/span&gt;: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Directgov has links so you can use social networking websites (eg Facebook and Twitter) with Directgov. For example, you can bookmark and share links using the toolbar at the bottom of each page. These websites may place cookies on your computer.&lt;/span&gt;&lt;/span&gt; To find out more, users can click on the hyperlink 'How do you use this toolbar?'.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;Clever, huh? By not making it too obvious about how to delete the Google Analytics cookies, these guys probably know far more about what users do when they browse onto these websites than the ICO does when users browse on the ICO’s website.   
&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Sources:&lt;/span&gt;&lt;br /&gt;http://www.direct.gov.uk/en/SiteInformation/DG_4004497&lt;br /&gt;Privacy policy http://www.direct.gov.uk/en/SiteInformation/DG_020456&lt;br /&gt;http://www.direct.gov.uk/en/SiteInformation/DG_196009&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-870574149299707471?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/870574149299707471'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/870574149299707471'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/cookie-compliance-govt-website-suggests.html' title='Cookie compliance – Govt website suggests a new way to do it'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://3.bp.blogspot.com/-TDBMNqIJ9sE/ToI1j0xDcHI/AAAAAAAAAkk/rShTfuOnI-g/s72-c/110924%2B-%2Bdirectgov.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7398519001104017005</id><published>2011-09-26T05:25:00.000-07:00</published><updated>2011-09-26T05:30:05.833-07:00</updated><title type='text'>What comes first? 
St Valentine’s Day or a new draft DP Directive?</title><content type='html'>&lt;a href="http://1.bp.blogspot.com/-49aF_bzLWv0/ToBvfGJyXnI/AAAAAAAAAkc/CRLL273zr5I/s1600/110925%2B-%2Bheart.jpg"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 128px; height: 128px;" src="http://1.bp.blogspot.com/-49aF_bzLWv0/ToBvfGJyXnI/AAAAAAAAAkc/CRLL273zr5I/s320/110925%2B-%2Bheart.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5656643711995633266" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;em&gt;&lt;strong&gt;Brid-Aine Parnell&lt;/strong&gt;&lt;/em&gt; of &lt;em&gt;&lt;strong&gt;The Register&lt;/strong&gt;&lt;/em&gt; has just posted an interesting statement from &lt;em&gt;&lt;strong&gt;Matthew Newman&lt;/strong&gt;&lt;/em&gt;, a spokesman for &lt;em&gt;&lt;strong&gt;EU Commissioner Viviane Reding&lt;/strong&gt;&lt;/em&gt;. &lt;br /&gt;&lt;br /&gt;It gives credence to the blog I posted on 21 September, when I announced:  &lt;em&gt;if my chums are to be believed, and believe me, I believe them, I’m likely to enjoy Xmas lunch with my friends and family well before the new draft Data Protection Directive may be published.&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Apparently, Matthew Norman has recently said: &lt;em&gt;&lt;strong&gt;the reform of the Data Protection Directive is ongoing and our proposals should be released in the next 20 weeks.&lt;/strong&gt;&lt;/em&gt;&lt;br /&gt;&lt;br /&gt;Getting my calendar out, that’s awfully close to February 14th.&lt;br /&gt;&lt;br /&gt;So there’s even less chance of hearing much about the proposed amendments then, this side of Xmas.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Source:&lt;/em&gt;&lt;br /&gt;http://www.theregister.co.uk/2011/09/26/viviane_reding_statement_withdrawn/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7398519001104017005?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link 
rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7398519001104017005'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7398519001104017005'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/what-comes-first-st-valentines-day-or.html' title='What comes first? St Valentine’s Day or a new draft DP Directive?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-49aF_bzLWv0/ToBvfGJyXnI/AAAAAAAAAkc/CRLL273zr5I/s72-c/110925%2B-%2Bheart.jpg' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-6948706557354013267</id><published>2011-09-24T14:17:00.000-07:00</published><updated>2011-09-24T14:28:08.868-07:00</updated><title type='text'>SMS spam: an odd remark in yesterday’s Hawktalk blog</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-OiYsfYmsq5M/Tn5JJNbPztI/AAAAAAAAAkU/ZG_4OI0olOc/s1600/110924%2B-%2Bhawktalk%2Bblog.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 108px;" src="http://4.bp.blogspot.com/-OiYsfYmsq5M/Tn5JJNbPztI/AAAAAAAAAkU/ZG_4OI0olOc/s320/110924%2B-%2Bhawktalk%2Bblog.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5656038604595515090" /&gt;&lt;/a&gt;&lt;br /&gt;Blog wars this is not. And nor should this be seen as a note of correction from the Provisional Wing of the mobile telecoms industry’s Rapid Rebuttal Unit. 
But, occasionally, even the great &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Chris Pounder&lt;/span&gt;&lt;/span&gt; makes a remark that deserves to be challenged. Or, perhaps as he knows that I’m an avid reader of his blog, he was just trying to get me to comment on the accuracy of what he said. &lt;br /&gt; &lt;br /&gt;Good try, Chris. And it is in a spirit of constructive criticism that I challenge his remarks. Not spite. We’re both on the same side – really, we are. &lt;br /&gt;&lt;br /&gt;Anyway, readers of his blog will have noticed that yesterday he was commenting (as I did in my posting on 16 September) about the Information Commissioner’s recent appearance before the Justice Committee:&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;The IC is also concerned about “spamming texts” when they say something like “Our records show that you are in line for a compensation payment of £4,750 for that accident you had. Text CLAIM or STOP". The problem is, the IC said, was that “if you text either, you are confirming that you are there and providing a marketing lead, because these are randomly generated texts”. &lt;br /&gt;&lt;br /&gt;The IC added that “We are working very hard with OFCOM and the telecom companies to try to get to the source of these spam texts, but it is a bit like looking for the launch sites of V2 bombers in the Second World War”. I don’t buy this explanation at all: telecom companies that do not know who is using their network. Come off it – they charge for texts don't they?&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Believe it or not, Chris, the phone companies (almost certainly) don't know the identities of the bad guys. This is because these guys are applying some clever technology to something that was created over a decade ago. They are very likely to be using anonymous SIM cards. 
You know, the ones you can get at any newsagent or main railway station, or from a huge variety of retail outlets. And how might they be charging up these SIM cards? By using cash, rather than electronic money.&lt;br /&gt;&lt;br /&gt;And these guys will be clever, too. They'll be trying to cover their tracks. And they'll also be relying on the hope that the spambusters who are investigating them won't have the analytical skills and technical toys that, say, the Anti Terrorism Squad probably has. We do need a healthy dose of proportionality in the resources that they have at their command. They are unlikely to have the sort of technology we see on Spooks or the Bourne Identity. &lt;br /&gt;&lt;br /&gt;These crooks will also be quite clever in how they operate these spam campaigns. For obvious reasons I don't intend to speculate on how they operate. I don’t want to give the game away. But these crooks also don't know how much the spambusters know about them. They don't know how close they are. Nor do I. But I do hope it won't be too long before the police dogs bark as a specialist team of officials mount a dawn raid and catch them off guard.&lt;br /&gt;&lt;br /&gt;So, Chris may have noted that what the Commissioner did not do in his evidence was criticise the phone companies for the part they are playing in disrupting and catching the crooks. Perhaps the Commissioner knows something that Chris Pounder does not.&lt;br /&gt;&lt;br /&gt;In conclusion, a plea to Chris: go easy on the telecoms networks please. 
They may be doing quite a bit more than you think, behind the scenes, but even they won’t yet know just who is behind these scams.&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Source:&lt;/span&gt;&lt;br /&gt;http://amberhawk.typepad.com/&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-6948706557354013267?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6948706557354013267'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/6948706557354013267'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/odd-remark-in-this-weeks-hawktalk-blog.html' title='SMS spam: an odd remark in yesterday’s Hawktalk blog'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-OiYsfYmsq5M/Tn5JJNbPztI/AAAAAAAAAkU/ZG_4OI0olOc/s72-c/110924%2B-%2Bhawktalk%2Bblog.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-3981514923909297304</id><published>2011-09-23T14:10:00.000-07:00</published><updated>2011-09-23T14:25:45.050-07:00</updated><title type='text'>What's happening on September 28th?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/-AFgC9Ku1BIQ/Tnz2EffkMEI/AAAAAAAAAkM/4X34X55GDxc/s1600/110920%2B-%2Bconnbfus.jpg"&gt;&lt;img style="float:left; margin:0 10px 
10px 0;cursor:pointer; cursor:hand;width: 214px; height: 320px;" src="http://4.bp.blogspot.com/-AFgC9Ku1BIQ/Tnz2EffkMEI/AAAAAAAAAkM/4X34X55GDxc/s320/110920%2B-%2Bconnbfus.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5655665789104304194" /&gt;&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;September 28th&lt;/span&gt;&lt;/span&gt; is a rather special day in the calendar.&lt;br /&gt;&lt;br /&gt;It’s the birthday of, among others, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Confucius&lt;/span&gt;&lt;/span&gt; (551BC), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Thomas Crapper&lt;/span&gt;&lt;/span&gt; (1836), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Brigitte Bardot&lt;/span&gt;&lt;/span&gt; (1934), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Marilyn Manson&lt;/span&gt;&lt;/span&gt; (1966) and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Dita von Teese&lt;/span&gt;&lt;/span&gt; (1972).&lt;br /&gt;&lt;br /&gt;Those to have died on this day include &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Pompey the Great&lt;/span&gt;&lt;/span&gt; (48BC), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Pyotr Tolstoy&lt;/span&gt;&lt;/span&gt; (1844), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Harpo Marx&lt;/span&gt;&lt;/span&gt; (1964), &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Pope John Paul I&lt;/span&gt;&lt;/span&gt; (1984).&lt;br /&gt;&lt;br /&gt;In addition, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;William the Bastard&lt;/span&gt;&lt;/span&gt; (as he was known at the time) invaded Britain in 1066, and &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Sir Alexander 
Fleming&lt;/span&gt;&lt;/span&gt; noticed a bacteria-killing mold growing in his laboratory, discovering what later became known as penicillin in 1928.&lt;br /&gt;&lt;br /&gt;But did you know that next Wednesday is also the 9th &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;International Right to Know Day?&lt;/span&gt; &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Well, you do now. And to celebrate it, &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Christopher Graham, the Information Commissioner&lt;/span&gt;&lt;/span&gt; will be posting a speech on his youtube site at 10am. &lt;br /&gt;&lt;br /&gt;It’s an occasion to commemorate the fact that people around the globe will all be exercising their right to know what their governments are doing. It’s not supposed to turn into a “Subject Access Request fest”, but I bet a few activists will do what they can to exercise whatever rights they can.&lt;br /&gt;&lt;br /&gt;Last year &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Lord McNally&lt;/span&gt;&lt;/span&gt;, the (Lib Dem) minister responsible for Freedom of Information, said: &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Government, at national and local level, has become a lot better at delivering information requests. What we are promising to do is release lots of information which was within government, but stayed within government. That’s out there now for those with the initiative to request it. It remains a solid right of the citizen to ask for information.&lt;/span&gt;&lt;/span&gt; Perhaps &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Lord Henley&lt;/span&gt;&lt;/span&gt;, the current (Conservative) minister responsible for Freedom of Information, will provide us with an update.&lt;br /&gt;&lt;br /&gt;And what’s the Commissioner going to say? I don’t really know. 
Other than that he wants to mark the occasion with a view on the state of information rights here in the UK: the right to know and the right to privacy. &lt;br /&gt;&lt;br /&gt;He is expected to explain why the Information Commissioner’s Office is already a key player in delivering an effective Right to Know; how our responsibility for both the right to know and the right to privacy equips us to assess where the public interest lies; and why the ICO should be an essential partner in delivering the much trumpeted transparency agenda - through to practical reality.&lt;br /&gt;&lt;br /&gt;You just might have heard it here first.&lt;br /&gt;&lt;br /&gt;Happy viewing next Wednesday.&lt;br /&gt;&lt;br /&gt;http://www.youtube.com/user/icocomms&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-3981514923909297304?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3981514923909297304'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/3981514923909297304'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/whats-happening-on-september-28th.html' title='What&apos;s happening on September 28th?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://4.bp.blogspot.com/-AFgC9Ku1BIQ/Tnz2EffkMEI/AAAAAAAAAkM/4X34X55GDxc/s72-c/110920%2B-%2Bconnbfus.jpg' height='72' 
width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-7265474890332439799</id><published>2011-09-21T10:38:00.000-07:00</published><updated>2011-09-21T10:48:12.961-07:00</updated><title type='text'>What comes first? Xmas or a new draft DP Directive?</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/-77ZRkTY-hvI/TnohSizS_yI/AAAAAAAAAkE/NeHI8rHuRM4/s1600/110920%2B-%2Bduke%2Bof%2Byork.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 242px; height: 320px;" src="http://1.bp.blogspot.com/-77ZRkTY-hvI/TnohSizS_yI/AAAAAAAAAkE/NeHI8rHuRM4/s320/110920%2B-%2Bduke%2Bof%2Byork.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5654868884580400930" /&gt;&lt;/a&gt;&lt;br /&gt;If my chums are to be believed, and believe me, I believe them, I’m likely to enjoy Xmas lunch with my friends and family well before the new draft Data Protection Directive may be published.&lt;br /&gt;&lt;br /&gt;This probably comes as bad news to lots of us who are aching to leave the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;iapp's Europe Data Protection Congress in Paris on 29-30 November&lt;/span&gt;&lt;/span&gt; with a copy of the new draft – or at least a partial understanding of the Commission’s proposals. After all, the Congress is to be addressed by &lt;span style="font-weight:bold;"&gt;Commissioner Viviane Reding&lt;/span&gt;, together with the three wise men of Euro Data Protection &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Peter Hustinx, European Data Protection Supervisor, Jacob Kohnstamm, Chairman of the Article 29 Working Party, and Peter Schaar, Federal Commissioner for Data Protection and Freedom of Information, Germany&lt;/span&gt;&lt;/span&gt;. 
And, the Congress will be packed with other people whose lives are so heavily steeped in this stuff that they also deserve the accolade as one of the “Lords of Data Protection.” You might even see me somewhere in the audience, too.&lt;br /&gt;&lt;br /&gt;But I’m not fretting. I just want the Commission to get it right. And I don’t really care how long that takes. So long as it is right, in the end.&lt;br /&gt;&lt;br /&gt;Given the pace of technological development though, and of changes in customer perception and attitudes, I appreciate that it will be very hard to develop a Directive that meets the needs of people who don’t quite yet know what their needs are, as that technology hasn’t been brought into universal use. But it will. And soon. &lt;br /&gt;&lt;br /&gt;Whoever thought that geolocation services would have taken off in the manner that they have done, or that facial tagging (or tattoo tagging) would become so widespread – and so quickly. Or that Governments would feel so threatened by terrorist groups and therefore need to react as they have done? Or that Google+ would have circles of friends, while Facebook has developed different groups of friends? Or that Amazon and Kindle enable the spread of knowledge so easily? Or that, shortly, e-commerce and the creation of new ways of spending e-money may bring forth a data controller with significant knowledge about very significant numbers of us – and that controller may not be “controlled” from within the borders of the European Community? &lt;br /&gt;&lt;br /&gt;We live in such interesting times. So let’s continue to concentrate on the items that are currently in our in-trays before anticipating an email with that special package from the Commission. 
&lt;br /&gt;&lt;br /&gt;    &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Image credit:&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;I think this is a brilliant print of the Grand old Duke of York, by Canadian artist &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Mychael Barratt&lt;/span&gt;&lt;/span&gt; – you can buy framed copies of this limited edition of 100 prints for just £295 from the Yard Gallery, in Holywood near Belfast.&lt;br /&gt;&lt;br /&gt;http://www.yardgallery.com/product_specific.aspx?title=Mychael%20Barratt&amp;id=5415&amp;dataid=587969 &lt;br /&gt;&lt;br /&gt;I’m not suggesting that anyone is behaving like the Grand Old Duke of York, ie getting us all excited and then letting us down again. According to &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Wikipedia&lt;/span&gt;&lt;/span&gt;, the oldest version of the song that survives is from 1642, under the title '&lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;Old Tarlton's song&lt;/span&gt;&lt;/span&gt;', with the lyrics:&lt;br /&gt;&lt;span style="font-style:italic;"&gt;The King of France with forty thousand men,&lt;br /&gt;Came up a hill and so came downe againe.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7520012275893137285-7265474890332439799?l=dataprotector.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7265474890332439799'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7520012275893137285/posts/default/7265474890332439799'/><link rel='alternate' type='text/html' href='http://dataprotector.blogspot.com/2011/09/what-comes-first-xmas-or-new-draft-dp.html' title='What comes first? 
Xmas or a new draft DP Directive?'/><author><name>Data Protector</name><uri>http://www.blogger.com/profile/15057767713049545333</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='26' height='32' src='http://1.bp.blogspot.com/-4wqtZ8Z08cg/Thgu-26z-ZI/AAAAAAAAAgM/SYsHp6YrXZQ/s220/face-d.jpg'/></author><media:thumbnail xmlns:media='http://search.yahoo.com/mrss/' url='http://1.bp.blogspot.com/-77ZRkTY-hvI/TnohSizS_yI/AAAAAAAAAkE/NeHI8rHuRM4/s72-c/110920%2B-%2Bduke%2Bof%2Byork.JPG' height='72' width='72'/></entry><entry><id>tag:blogger.com,1999:blog-7520012275893137285.post-5923788923902663625</id><published>2011-09-20T13:51:00.001-07:00</published><updated>2011-09-20T14:35:47.221-07:00</updated><title type='text'>The perils of devising privacy principles</title><content type='html'>&lt;a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://2.bp.blogspot.com/-3JuuTRVzAkU/Tnj8-rZ9AMI/AAAAAAAAAj8/EZQ4_9tW_M0/s1600/110920%2B-%2Bgsma.JPG"&gt;&lt;img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;width: 320px; height: 230px;" src="http://2.bp.blogspot.com/-3JuuTRVzAkU/Tnj8-rZ9AMI/AAAAAAAAAj8/EZQ4_9tW_M0/s320/110920%2B-%2Bgsma.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5654547485897326786" /&gt;&lt;/a&gt;&lt;br /&gt;Ouch. I write from experience here. I write from the perspective of someone who has tried hard, several times, to create guides or codes of practice which help others understand what sorts of data protection rules they should actually be following.&lt;br /&gt;&lt;br /&gt;In a previous life, while working for the Association of British Insurers, I helped prepare material that explained data protection obligations to insurance companies. Then, I helped prepare material for members of the financial services industry more generally. 
And, in recent months, I've been putting my mind to the sorts of messages that could be usefully sent to web application developers, and particularly the developers of applications that will sit on mobile devices. These are messages that could be sent by the &lt;span style="font-weight:bold;"&gt;&lt;span style="font-style:italic;"&gt;GSM Association&lt;/span&gt;&lt;/span&gt;. This bunch represents the interests of mobile phone operators worldwide. Spanning 219 countries, it works with nearly 800 of the world’s mobile operators, as well as more than 200 companies in the broader mobile ecosystem, including handset makers, software companies, equipment providers, internet companies, and media and entertainment groups.&lt;br /&gt;&lt;br /&gt;This is the first time that I’ve tried to help out with privacy stuff on a global scale. I haven’t helped out a lot. Just a bit. But let’s be honest, developing British standards can be tough enough. And developing European standards is much, much tougher. So who has the energy and commitment to up the ante even higher and commit themselves full time to developing global standards? &lt;br /&gt; &lt;br /&gt;Why do I bother? Even doing the little I do?  In moments of despair, I ask myself that question. And the reason is always the same. Mainly, because I care. I want to help people understand the issues they need to consider when they develop fun stuff for other people. But is 
