Thursday, 26 August 2010

European Commission “tweets” its overview of information management in the area of freedom, security & justice


“Allo Allo ... this is your Commission calling. We know you politicos aren’t going to read all 53 pages of our report, so we thought we would tweet you the best bits.

Euroland has got loads of databases in which the cops keep stuff about the bad guys & the usual suspects. The Schenegen Information System holds well over 31.5 million records alone.

They tell us that some records are kept for 15 years, while others are only supposed to exist for a day.

Some cops want to pool all the records into a single Euro database & trawl it when investigating serious crimes. But there’s no common definition of what a “serious crime” actually is in the EU.

Yippie! If all the records are in one place, then it’s going to be much easier to pass them to the Americans, the Canadians and the Aussies, when they ask us nicely.

Hang on though, what would the privacy yonks do if they thought we could set up an Uber Database of Euro Bad Guys? May be we’re better off with things as they are.

Pass us the wet towel ... we’ll polish the broad principles we’ve developed, and create some kind of action plan. We’ll kick decisions into the long grass and write a feasibility study – say in 2012.”



If you really want to know more about the information sharing databases that have been created within the EU for various law enforcement programmes, then you’re in luck, as last month the European Commission published an overview for the European Parliament and the Council. It covers the main purposes of each large programme, their structure, the types of personal information held, the list of authorities that have access to such data and the provisions governing data protection and retention.

The overview was published as Member States had asked the Commission to develop a more ‘coherent’ approach to the exchange of personal information for law enforcement purposes.

Naturally, a single, overarching EU information system with multiple purposes would deliver the highest degree of information sharing. But, the Commission has accepted that creating such a system constitutes a gross and illegitimate restriction of individuals’ right to privacy and data protection, and poses huge challenges in terms of development and operation.

So, the Commission considers that a series of compartmentalised (or federated) databases is more likely to safeguard citizens’ right to privacy than any centralised alternative.

The Commission isn’t too sure what to do next. It’s created a bunch of high level principles that will need an awful lot more detailed developmental work before their ideas are ready to be discussed by the rest of us. These high level principles (surprise surprise) relate to
• Safeguarding fundamental rights, particularly privacy & data protection
• Necessity
• Subsidiarity
• Accurate risk management
• Cost-effectiveness
• Bottom-up policy design
• Clear allocation of responsibilities
• Review & sunset clauses

It sounds as though the Bureaucrats and the Eurocops have got many, many more months of passionate debate before the next stage of this proposal sees the light of day.


[The actual communication from the Commission, COM(2010)385 final, published on 20 July 2010, can be found at http://ec.europa.eu/justice_home/news/intro/doc/com_2010_385_en.pdf]

Wednesday, 25 August 2010

100 posts and not out (yet): the verdict


How many of us have started something, only to give it up after a few weeks, after realising that actually, it was a bad mistake and that it didn’t fit into our lifestyle? I’ve done that occasionally with diets. So in this, my 100th posting of this year, I’m going to reflect on the point of blogging and on what it’s done for me.

I took the plunge into the blogosphere last November. I had just given up one craving, and wondered what I should replace it with. I subsequently wondered whether my jottings were going to be of any interest to anyone – before realising that I wasn’t that worried about entertaining anyone else anyway. I was really doing this just for me. “Is this simply an exercise in vanity publishing, or a serious attempt at creative writing?” I was asked by some close friends just after they had noticed that I had started to blog. It didn’t take me too long to realise that I wasn’t going to change the world purely by what I wrote. But, as I have explained, that really wasn’t the intention. Nor was it the intention to leak any state secrets, or place (too much) embarrassing information into the public domain. That’s a role for Wikileaks to play.

What it actually did was to give me a platform away from the office, and a way of forcing myself to both quickly form and express my own opinions on a range of issues – and then remain accountable for those opinions after having been brave (or foolish) enough to post them in an area where anyone could access them. And it’s given me an opportunity to develop a literary style that I could never use in my professional life. It’s taken some time, but I feel that I’ve found my voice on the internet.

It’s given me a vehicle to express views on subjects about which I am passionate. And I hope they are issues which at least interest a few others too. I’ve greatly appreciated the feedback I’ve received. Most of the time, people have written directly to me. On one occasion, comments were sent to my employer – although as this is a blog that is done in my own time, using my own equipment and on my own terms, it’s really not appropriate to associate anything I may blog about with any views that may be held by my employer. So, in future, don’t bother writing to my employer about me. Get hold of me if I publish anything that you find improper or inaccurate or otherwise offends – not anyone else. I’ve set up email account for this blog, which can be found in the “About Me” column on the left of the screen. Use that.

This is not about me and my work for my employer. This is personal!

I also hope that I’ve kept true to 12 rules I set myself last November, shortly after I started to blog. The rules were set out in a posting entitled “Behavioural Blogging: My 12 simple rules of internet etiquette,” The verdict, I submit, when benchmarking the last 100 posts against these standards, is that I have adhered to my rules pretty closely. But I’ll let you be the judge of that.

So, I’m not giving up just yet. I’ll carry on writing because I enjoy it. People are perfectly entitled to ignore me. If you don’t want to know what I’m writing about, then just avoid squinting at this part of the internet. But before I start to celebrate my centenary, I thought I had better remind myself (and the casual reader) just what rules I have been following. And, again, please feel free to let me know when I overstep them:

1 Tell the truth.

2 Write short blogs.

3 Publish them regularly.

4 Focus on a single issue for each blog.

5 Respect everything supplied in confidence.

6 Stick to what I know (or what I think I know).

7 Use plain language, not technical gobbledegook.

8 Make serious, as well as trivial, points in each blog.

9 Develop my own ideas, in my own time, using my own equipment.

10 Change the text when I write something that causes unnecessary offence or embarrassment.

11 Credit everyone I plagiarise.

12 Try to look on the brighter side of life. (I think I sense a song coming on ...)

Tuesday, 24 August 2010

Has Zurich UK just been mugged by the FSA?


If I were a Zurich UK shareholder, I think I might be asking directory enquiries for the name of a good human rights lawyer, as I would have a feeling in the pit of my stomach that the FSA had just breezed in and ripped off some of my human rights.

What do I think this? Because I’ve just seen a press release from the Financial Services Authority which has fined Zurich UK £2,275,000 for the loss of an unencrypted back up tape which contained confidential (but not “sensitive”, as the Data Protection Act defines “sensitive” data) details of 46,000 customers. The loss occurred 2 years ago. This is something which, had it have occurred 2 months ago, and the Information Commissioner’s Office led the enforcement action, might well have resulted in a penalty of significantly less than £500,000.

How can this be right? How can one administrative body be able to impose a fine of £3.25 million (excluding the “good behaviour” discount) and yet another administrative body can only impose a maximum fine of £500,000 for the worst possible data breach immaginable? It seems perverse, and I do hope to read a press release from the ICO sometime soon outlining its views on whether different regulators ought be permitted to impose penalties of a wholly different magnitude to each other. I wondered if the ICO had already issued a press release on the matter but no – today’s message from Wilmslow focussed on the discovery at a bus stop of an unencrypted CD containing old (“sensitive”) medical records of 112 patients from the intensive care unit of a hospital in Wolverhampton.

What also surprises me is that the most senior management levels within Zurich have apparently agreed to pay the fine. But why? Let’s have a good, public, fight about this. It may only be customer’s money they are playing with, but I really want to see a decent debate about the principles involved here.

On the one hand, Zurich UK appears ready to accept the punishment because the FSA says that it “failed to take reasonable care to ensure it had effective systems and controls to manage the risks relating to the security of customer data resulting from the outsourcing arrangement. The firm also failed to ensure that it had effective systems and controls to prevent the lost data being used for financial crime.”

But, we all know that, from April of this year, the Information Commissioner has new powers to impose fines when the business knew or ought to have known that there was a risk that a serious breach would occur, but failed to take reasonable steps to prevent it.

Call me old fashioned, but I can’t see much difference between the two competing sets of jurisdictions. The only thing that appears to be different is the size of the stick that each regulator can wield. I’m not convinced that this is fair. I don’t like healthcare lotteries, where levels of care vary depending on where someone lives. Nor do I like the concept of regulatory lotteries, where levels of punnishment depend on which regulator claims “dibs” over it first. Thank goodness, in either case, the fines go to the Treasury, rather than the regulator’s own coffers.

So, my brief to counsel would be to construct an argument to the effect that it is wholly unacceptable for Zurich’s customers to be expected to meet the costs of this FSA fine when Parliament, in its wisdom, has only recently given general guidance (in setting the ICO’s fining powers at such a relatively low level) about the true level of punishments that should be meted out to the miscreants who knowingly continue to use dodgy processes that could lead to losses of personal data.

Failing that, my brief to counsel would also be to take Lord McNally, Minister of State for Justice, out for a couple of pints and explain to him that we’ve got this great idea for a new clause in the upcoming Great Constitutional Reform Bill. The aim of the clause would be to set out a statutory code which clarified which regulator was allowed to take action against who and for what – so that Parliament can make the determination, rather than leave it up to any agreements between the regulators themselves.

These financial services people appear to live in another world, when it comes to fines and financial losses. I wonder if that was one of the reasons that the new Coalition Government are so determined to restructure the FSA and get its feet closer to the ground.

The FSA’s press release which explains what they did and why they did it can be found at http://www.fsa.gov.uk/pubs/final/zurich_plc.pdf

The ICO’s press release, explaining its views on the issue, does not yet appear to exist.

Monday, 23 August 2010

MoJ officials in listening mode


In a move that may well dismay civil servants working for administrations in some other EU Member States, the data protection team at the Ministry of Justice is so keen to assemble a body of evidence to support the UK’s case for reform of the Data Protection Directive that it’s not only asked for stakeholders to write in with their views, but it’s also hosting a series of workshops - to give stakeholders an opportunity to explain their views and have them debated. What a great idea. There’s probably still time for the civil servants in the other Member States to extend the same courtesies to their own stakeholders – but I wonder how many will.

The first set of workshops was held today, in Petty France. That’s the name for the building that used to house the Home Office (and is now the home of the MoJ). It’s recently been gutted and completely refurbished, and has become a very pleasant place to work. The old Home Office got so grotty that I often wished there was a mat by the front door – so the visitors could wipe their feet as they left.

In the spirit of these harsh economic times, no free lunch was served today. But the staff restaurant is extremely good. Some of us who were saying for both morning and afternoon workshops enjoyed a hearty meal there, rather than braving the rain to sprint over to the sandwich shops.

Anyway, back to the plot. The purpose of the workshops today was to enable data controllers, and representatives of organisations that comprised or serviced the larger data controllers, to present evidence which supported their views on matters relating to subject access requests and the costs of compliance, and also on the powers and penalties of the Commissioner. (I'm sure that other events will be held which will offer a similar platform to other groups of stakeholders.) None of the evidence was offered on Chatham House grounds. What I mean by this is that those who spoke were prepared to be accountable for what they said. And what they said was noted down by some awfully smart people, whose jottings will, I’m sure, be made available to the wider (data protection) community in the fullness of time.

None of what was said today will come as a surprise to the close observers of the British data protection community, although it may well appear a bit odd to people who are used to the workings of other jurisdictions. We Brits can be a passionate lot – and also quite a pragmatic bunch too. We like following general guidance, but we like the flexibility to do things in culturally appropriate ways. One size does not necessarily fit all. We like common sense, and having the confidence to apply common sense, rather than stick to rigid rules which could, if followed to the letter, result in perverse outcomes. We’re also quite a sociable bunch, so we like chatting to regulators to see if things can be sorted out informally, before anyone has to put their head above the parapet and go on the record. And, having a flair for theatricality, we also like it when someone wields a big stick, or when someone gets locked up. That makes us all feel better (unless we’re on the receiving end of the stick, or have just got ourselves locked up).

There was general agreement about issues relating to subject access requests – and I’ll leave it to the carefully crafted words of the rapporterus today to announce just what it was we all actually agreed on.

And as usual, we went off-piste, so to speak. You know what data protection professionals can be like. We weren’t asked for our views on data protection registration and notification issues, but we provided them anyway. We could all see the point in letting the ICO know who we were, roughly what we did, who the ICO should contact within the company when it became aware of a problem, and also how we were going to pay the registration fees. But that was about it. We couldn’t see much point in providing any more information on long and complicated forms – especially if that prevented lots of staff from the Commissioner’s Office from being able to escape from the drudgery of the Notification Department and be set free to work on the sexy stuff – like actually offering data protection advice, or helping resolve complaints.

More workshops at the MoJ are scheduled, and I’m looking forward to attending at least one of them. And of course I’m also looking forward (as we were all reminded a couple of times today) to sending in written comments, and real evidence, too. Feel free to write to Kavita Perry at informationrights@justice.gsi.gov.uk as well - we've all got until 6th October before we have to start asking for the deadline to be extended.

And, most importantly of all, I’m really looking forward to empowering the teams from the MoJ to engage with their European counterparts over the coming months. I want to do my bit to ensure that these guys really do know what they are expected to be talking about. They’ve looked us straight in the eyes, and they are taking the opportunity to understand just why it is we think the way we do. To civil servants in foreign climes, who prefer a more hands-off approach to those whom they wish to regulate, this British way of doing things may not be sufficiently pure in terms of developing data protection law and theory. But believe me, it tends to work awfully well in practice!


[If you want some hints about the sort of evidence the MoJ is after, take a quick squint at http://www.justice.gov.uk/consultations/call-for-evidence-060710.htm]

Sunday, 22 August 2010

Facebook Places – Will it be tweaked before it arrives in the EU?


Millions of us are becoming very comfortable thinking about privacy issues these days – and thanks to our friends at Facebook, concepts which were alien to most of the public just a few years ago are commonplace now. What is it that “the great unwashed” are about to have at their fingertips, and to what extent is it likely to cause them harm? These are a couple of the questions that the “usual suspects” will be considering as they think through the privacy implications of Facebook’s new location based tool. Currently available in the States, let’s see how quickly the pressure builds for it to be exported to more privacy sensitive countries (like ours!)

I remember participating in a series of earnest discussions with a trade body representing the UK mobile phone networks who managed to craft a series of measures to protect people from being harmed by the first wave of location based services about 8 years ago. My, have times changed. At that time the great fear was that children could be harmed by predatory adults, and therefore a whole series of protective layers needed to be verified and set in place before parents and guardians would be entitled to know the “rough” location of their offspring’s mobile device. The fear was that people could be subject to unwelcome pressure of others who had realized that the devices were not in the location they were supposed to be, etc. Were the kids really at school, or were they bunking off for the day? Perhaps they had just left their device on the bus. We’ll never know.

The result, I suppose, was to create a Code of Practice on Location Based Services which incorporated standards that were high enough to stifle the development of personal location based services using mobile devices for half a decade. They deemed (particularly by those who were determined to stamp out child abuse in all its forms) OK for corporate use, but not for social use. The code could be policed effectively by mobile network operators as they controlled “who” got to see the network records which explained “where” a device was at any given time.

These days, though, technological changes mean that a large number of stakeholders – not just mobile network operators – collect information which can reveal the location of a mobile device or laptop. Hey, some of these new players can even pick up tiny snippets of the content of someone’s communications (by mistake, of course) as their vehicles are driving over the place generating maps and other images and stuff!

But I digress.

As we spring forward and embrace the rapid advance of smart devices and the internet, for the first time it’s really make it possible for these services to be made available in a manner which far more transparent in terms of who had been given permission to see what. Location Baser Service providers could now, thanks to dashboards, offer a huge range of privacy options to users. This really wasn't possible just a few years ago, when mobile phones just had tiny screens above the keypad.

And, what has really impressed me, is the scale of the media coverage that accompanies the launch of the some of these location based services these days. Opinion formers are almost falling over themselves to discuss the privacy protections now available, and journalists are also getting in on the act by producing material which is incredibly easy to read and useful. Take a look at Patrick Miller’s great article in PC World which explains, using prose and pictures, just how Facebook’s new Places feature works on a smartphone or laptop.

Patrick explains how to set up the “places” account, and learn more about the places your friends are checking into. A flag will allow you to set which friends you wish to share your locations with – and naturally the flags can be disabled too. Business owners will be able to turn the listings to proper Facebook pages – and the mind boggles at the commercial implications of this smart move. Finally, Patrick explains how to turn off the whole application – which is (currently) a bit more complicated than setting it up in the first place.

OK, so if its going to be acceptable for the Americans, what will need to be tweaked for European sensibilities? I wonder if the regulators in some Member States are going to get excited at the possibilities of young people broadcasting their current locations to their friends, or people of certain religious views having to demonstrate to their mums that they really are at their regular place of worship, rather than behind the Co-Op. Will some European regulators demand that such a service should only be used by mature adults, rather than all smart phone and laptop users? If I have an “Anti Social Behaviour Order” and am banned from entering a shopping centre, will one of my “friends” – who co-incidentally is also a security guard at the shopping centre – have lawful authority to track me and get his employers to take action against me if he sees me somewhere I shouldn’t be?

Lots of questions. And hopefully a few answers will emerge from the American experience soon. And as it’s over there now, it won’t be long before it’s over here too!


For those sufficiently interested, the term “the great unwashed” was coined by the Victorian novelist and playwright Edward Bulwer-Lytton. He used it in his 1830 novel Paul Clifford: "He is certainly a man who bathes and ‘lives cleanly’, (two especial charges preferred against him by Messrs. the Great Unwashed)."

Patrick Millar’s excellent article can be found at: http://www.pcworld.com/article/203819/how_to_use_facebook_places.html

Thursday, 19 August 2010

Wilmslow to get a “Geek Gang”


Last month, the Data Chiefs in Wilmslow met to agree that they needed help. Not just any old help. No, the sort of help that can only be supplied by the geeks who really understand where all this technology-thingy-stuff is going, and can explain it in simple words to the teams that are charged with applying the data protection laws to the rest of us. So, if any reader gets a message from their regular contact in Wilmslow to the effect of “Pssst, wanna join our Geek Gang?”, here’s a little more background information.

The ICO’s Executive Team met on 19th July to endorse a paper by Jonathan Bamford which recommended the setting up of a Technology Reference Panel. The idea was that it would help the ICO keep up with technological changes across a wide front. There was a need to better understand the technology in new and emerging areas.

The panel would be made up of trusted experts with a range of experience who would meet twice a year to discuss issues and whose expertise could be called upon between times as and when necessary. They could be nominated by organisations they work for. They would not be paid.

It was apparent that were risks in setting up the panel, for example in terms of confidentiality. However, there were also risks in not doing anything to help the ICO gain an understanding of technological advances, and the risks could be mitigated against by clear corporate governance such as terms of reference, contracts and selection criteria.

It was not the intention that the panel would advise directly on individual complaints and possible enforcement action against individual data controllers. Their role would be to provide the ICO with a more general view of technology. The panel would not have the role of being an expert witness. Where expert input into particular complaints was needed this would be obtained separately.

The Executive Team is apparently now considering how to ensure that the panel operates in a transparent manner, and whether nominations should be sought for the panel, or whether it should be staffed by the “usual suspects”.

I think it’s a great idea to set up a group like this. Just as the EU has its Article 29 Working Party, to advise it on date protection stuff, so should the guys and galls in Wilmslow surround themselves with teams of experts to help them make informed decisions. And no, I’m not a geek. So I don’t expect to be invited to join the gang.

But, if you get the call, please unzip your anorak and say “yes”.


For those who believe this article is a joke, just read the source document, which is on the ICO’s website at: http://www.ico.gov.uk/upload/documents/library/corporate/notices/20100719_et_minutes.pdf

Wednesday, 18 August 2010

Wilmslow scores an own goal



Skimming through the Freedom of Information decisions that have recently been reported on the Information Commissioner’s website, I found one that made me chuckle.

In this case, someone had first asked the Commissioner’s Office itself for some information in the records it held about Crawley Borough Council’s non compliance with the Freedom of Information Act. The requester did not want any personal information about third parties. The ICO initially responded by providing what it thought was the requested information in the form of a synopsis of each case plus redacted case closure letters written by the ICO.

Then, a disagreement arose as to what information the requester had actually asked for, and a formal complaint was raised to resolve matters. As a result, further information was provided by the ICO to the requester.

All well and good.

Well, not quite. The complainant exercised their statutory rights to complain about the actions of this public authority, and wrote to the public authority that deals with such complaints. Yes, the complainant referred the ICO to ... the ICO.

So, the Commissioner investigated the complaint (against himself) and found that while his Office was correct to interpret the request as it did, unfortunately there had been 3 breaches of the Act. His Office had failed to provide disclosable information at the time of the completion of the internal review [Section 1(1)(b)]. Then, his Office had taken more than 20 working days to provide the information [Section 10(1)]. And finally, his Office had failed to issue the complainant with a refusal notice within twenty working days following the date of receipt of the request [Section 17].

Lets hope that any future reductions in the ICO’s budget (or headcount) won’t lead to many other examples of delays in dealing with FOI requests, and correspondingly more times that the Commissioner has to castigate himself for failing to meet his own statutory obligations.

Fortunately for the ICO, on this occasion the Commissioner did not require himself to take any further action against his Office. Nor did he issue a press release about the decision.

However, the decision notice has so upset the original complainant that an appeal has been lodged with the Information Tribunal. What the requester really meant when they made the original application is apparently still in dispute. I suppose this is what may happen should someone ask for the publication of material they know exists, and for whatever reason, the public authority declines the request to publish it.

But back to the plot. I will remember, should I ever need to be reprimanded for failing to respond to Subject Access Requests within the statutory period, that the Commissioner won’t fail to be as tough with his own staff as he may be with me.

For those who want more information on this decision, browse over to the Information Commissioner’s website and look up Case Ref: FS50233875: http://www.ico.gov.uk/upload/documents/decisionnotices/2010/fs_50233875.pdf

Tuesday, 17 August 2010

Attitudes to electronic commerce & privacy – “down under”


“Electronic commerce is a lot like sex: it involves two (or more) consensual partners engaging in (and usually completing) a ‘transaction’. Surrounding this seemingly simple act, however, are a myriad of legal, cultural and social issues – consent, trust, privacy, loyalty, competitiveness, safety, potential abuse of power and exploitation. In both contexts, there are even nasty ‘viruses’ to be avoided. Among the most crucial of the issues to be addressed in order to have fulfilling – and safe – e-commerce is the protection of privacy.”

A friend passed me quote this quite recently and I thought it was a joke. Surely, I thought to myself, such language could only come from a comic. The similes were so tortured that, if it really were a quote, it could only have come from someone with a very raw sense of humour.

But I was assured that it was a genuine quote, and that it had been attributed to an Australian.

Oh, I thought to myself, then it must be a quote from Sir Les Patterson, the erudite Australian Cultural Attaché (whom you never see in the same room these days as Dame Edna Everage, or the comedian Barry Humphries, for that matter).

Oh no, I was reliably assured. Actually, it’s an extract from a speech from the then Australian Privacy Commissioner, Moira Scollay! And I now learn that while she spoke those works in 1998, she didn't actually write the speech herself. That task was carried out by Dr Anthony Bendall, who is now the Deputy Privacy Commissioner.

I wish he would help me with my speeches on data protection ...

If you are similarly broad minded and fancy reading more about Australian attitudes to privacy, you could do far worse than point your browser at the quarterly bulletins published by the Office of the Victorian Privacy Commissioner. They may live a long way away from Blighty, but they are, spookily, facing exactly the same challenges as us all. And their views, pragmatic and workmanlike, are a joy to read.

Try this link for a bit more from some of Australia’s finest: http://www.privacy.vic.gov.au/privacy/web.nsf/download/22E668CCDF3EB0A3CA25776D00050F3A/$FILE/Privacy%20Aware%20Winter%202010.pdf

Wednesday, 11 August 2010

Article 29 WP "tweets" its Opinion on RFID chips & privacy impact assessments



"OMG! A bunch of academics, industry experts and real people actually want us to comment on their proposals for a privacy impact assessment.

What’s an RFID application all about anyway? It could only be doing stuff about things, rather than about people.

Bugger. This bunch have taken a year to write 25 pages. And they’ve got a diagram. Right, our opinion had better be almost half as long.

Nope. These muppets just don’t get it. That’s not a proper impact assessment. We’ll give it a D- and tell them to go away and think again.

... Let’s all get back together in Brussels soon. A bientôt! ... Grusse! ... Cheers!"


For the data protection professionals who need a little more substance about their views on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, the Article 29 Working Party’s full Opinion [5/2010], adopted on 13 July 2010, can be found at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_en.pdf

The Industry Proposal itself is found at
http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp175_annex_en.pdf

Monday, 9 August 2010

Article 29 WP "tweets" its Opinion on the FEDMA Code


"Zut alors! –we’ve been asked for an opinion about an Annex to a European Direct Marketing Code.

As they asked us nicely to look at it back in December 2005, we’ve pulled out all the stops and it’s taken us less than 5 years to agree what to say.

Yep, it looks like it's legal, as it’s what the DP Directive says. Oh, and it’s quite detailed and it’s 15 pages long. So our opinion had better be almost half as long as the Code itself.

Whoopee! We’ve got a new Directive coming into force soon which mentions cookies and spyware. So FEDMA might have to take their Code back and tinker with it again.

... Let’s all get back together in Brussels soon. A bientôt! ... Grusse! ... Cheers!"


For the data protection professionals who need a little more substance about the Opinion and the Annex to the code, the Article 29 Working Party’s full Opinion [4/2010], adopted on 13 July 2010, on the European code of conduct of FEDMA for the use of personal data in direct marketing can be found at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp174_en.pdf

The Annex to the FEDMA code itself is found at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2010/wp174_annex_en.pdf

Summertime – and the pranksters have been frustrated


Well done that social networking site for working so quickly to stop the pranksters I was blogging about last Saturday. A message was spreading on a social networking site suggesting that by dialling 14-19-99 the caller gets free tops up to their mobile phone.

Of course, it was a mischievous prank. In reality, user was fooled into dialling the emergency number used in the United Kingdom, much to the frustration of the emergency services operators – and also to genuine callers who were trying to contact an emergency service when real lives were at risk .

I’m delighted to report that the social networking site’s integrity team quickly realised the significance of this issue, and immediately took action which will ease pressure on the emergency services. I don’t intend to explain what they have done, as this might only give the pranksters potentially useful information about that social networking site’s capabilities - but I do know that, thanks to their prompt actions, people who encounter serious accidents now have a greater chance of contacting the emergency services quickly.

Many thanks, you guys and gals on the integrity team. Quite a few of the blogs I read have recently tended to criticise social networking sites for the way they operate. Well, here’s a blog commending them, for once, for their speedy and entirely appropriate actions.

Sunday, 8 August 2010

Who should watch over the watchers?


A thought occurred to me last night as I wandered through an excellent exhibition at the Tate Modern. “Exposed: Voyerism, Surveillance and the Camera” contains a series of pictures taken by professional models and artists, but also images made without the subject’s knowledge.

You can imagine the types of images that are presented in the various sections of the exhibition, which are divided into five themes: the unseen photographer; celebrity & the public gaze, voyeurism & desire; witnessing violence; and surveillance. Some of the images are quite funny – the artist Degas is pictured leaving a public pissoir in Paris. Marylyn Monroe is above the hot air vent. Kim Novak dines alone in a railway restaurant car, with every other man in the shot watching her. Some are quite shocking – particularly the results of the lynch mobs in the Southern States of America, and the remains of the victims caught up in genocide in Africa. While a few are unsettling for entirely different reasons – the British Army’s watchtowers in Northern Ireland, or the huge middle eastern town that the US military has built in an America desert, to prepare their troops for what will face them when they are deployed in Iraq or Afghanistan, look entirely out of place with their contemporary surroundings.

I took this image just past the exit of the exhibition – the thought of discretely creating an image of people who had just attended the surveillance exhibition stopping to watch banks of CCTC cameras monitoring what was going on in some of the galleries in Tate Britain Gallery, just down the river, was too tempting (and ironic) to pass up. At that timein the evening, the Tate Britain was closed, but one of the museum’s cats was wandering around the galleries, and it was lovely to see this animal appear in the monitors as it continued on its nightly pussy patrol. The artist who installed this exhibit cleverly realised that the fun we get from monitoring the actions of this cat were sure to be similar to the voyeuristic pleasures that the photographers must have had.

Anyway, back to the plot. Who should watch over the watchers? In the UK, we have the mighty RIPA (Regulation of Investigatory Powers Act) which has created a supervisory structure for surveillance, which is headed by two Commissioners – the Surveillance Commissioner and the Interception of Communications Commissioner, both of whom are appointed by the Prime Minister and report directly to him.

Despite the fact that both Commissioners (and their staff) are utterly honourable people, some might argue that their independence could be compromised as they are not seen to be as independent as they might be. After all, they are appointed by the Prime Minister, it is he to whom their annual reports are presented, and it is the Home Office who sets they were to be appointed by Parliament, and their budgets were to be set by Parliament, instead?

This is the same argument I’ve recently heard when the Information Commissioner has argued that he must be seen to be more independent, and that rather than his office being “administered” by the Ministry of Justice, it would be more appropriate if he (and it) were to deal directly with a Parliamentary Committee.

Let’s see what happens. But what’s good for the goose is obviously good for the gander – so if the Information Commissioner manages to loosen his ties from the Ministry of Justice, so that he becomes more firmly wedded to direct Parliamentary scrutiny, then I would expect not too discrete pleadings being made on behalf of the other Commissioners, too.

It’s a cunning way of transferring just a tiny bit of power from the Executive to the Legislative.

Saturday, 7 August 2010

Summertime – and time to censor the pranksters


Warning- Don’t try this at home – or anywhere else, for that matter.

School holidays are upon us – and some pranksters are about causing not only mischief, but also problems that could place so much pressure on the emergency services that lives could be at risk.

What promoted me to write this blog was a thought that I’ve come across a prank which could be spread like wildfire across the internet, so this may well be one of those rare instances where it is necessary to censor (or deny access to) material that has been published on the internet.

The message that has caused recent concern appeared on a social networking site where a member has placed a message suggesting that by dialling 14-19-99 the caller gets free tops up to their mobile phone.

In reality the numbers dialled do the following. The first digits dialled [141] are used within the United Kingdom to suppress the telephone number of the phone making a call – so that the caller’s number is not given out. The next set of digits [999] is the emergency number used in the United Kingdom.

Actually, 141 works every time to block the caller’s telephone except when calling the emergency services on 999.

Within the United Kingdom it is a criminal offence to make erroneous calls to the emergency services. There is also an offence of aiding, abetting, counselling or procuring others to commit any such offence.

The effect has been to cause a significant load of unnecessary calls on the emergency services – and obviously when operators are dealing with them, they are not able to deal with the real emergencies.

What have the hoaxed have to say on their social networking sites, having fallen for the prank? Comments include “hahaha im such a dik ed i done dat” and “looooool”. They may find it funny, but others don’t.

I doubt that the people behind hoax actually appreciated the distress they were causing to genuine emergency callers. But considerable distress is being caused, and that to me seems a sufficiently good reason for an internet censor to intervene – for the public good.


Here endeth today’s lesson.

Tuesday, 3 August 2010

Ready, steady, wait for a year


Hurrrah. Hurrah. Hurrah.

Three cheers for those awfully clever Burghers at the European Commission, who have just announced that the timeframe for the revision of the EU Data Protection Directive has been delayed, possibly by up to a year.

In what could be read as a challenge to the authority and intentions of the Great She Goddess of Justice, Fundamental Rights and Citizenship, (Commissioner Viviane Reding) it is understood that several data protection authorities have urged caution and have asked for more time to consider how best to change the current regulatory framework. And more time has evidently been granted.

It seems that the European Commission now intends to present proposed revisions in the latter half of 2011, rather than in just a few months time.

I think we should only welcome this, as it’s always hard to get things right – and in my experience about the only opportunity an institution has to “get things right” is when it gives time for its officials to work diligently behind the scenes with the professionals (and by that I mean professional consumers as well as professional data controllers). The aim is to create something that the politicians will find hard to unravel when they get their opportunity to play around with the text. Once the text hits the political arena, then any proposal to amend the text is more likely to take on a political tone, rather than a practical tone. And we all know what can happen when politicians start to drum up support for various changes which suit their own particular purposes. There must be such a temptation for one politician to agree to support another's proposal if they, in turn, agree to support theirs.

I’m also welcoming this from a personal perspective, as I was rather dreading the next few months. My days are long and fun packed as they are, but the thought of trying to lobby for particular changes in addition to doing my day job could well have been a stretch too far.

But this extra time ought give me (and all of us) time to think hard and work even harder to persuade those in positions of authority that the changes I’ll (and we'll)be supporting are essential. I don’t think I’m necessarily aging that well. In the past, I might have adopted a reasonably tolerant attitude if a bunch of Burghers managed to manoeuvre legislation that evidently was not fit for purpose through the European Institutions and onto the statute book. This time, it’s "no more, Mr nice guy." I’m looking forward to calling the shots as I see them. I may not be any more successful (and I certainly won’t be rude or condescending) as I lobby anyone I find around the corridors (and salons) of power, but I hope my passion for what I believe to be just will shine through.

And if the end result is a legislative instrument we can all live with, then that’s great.

And if not then I’ll have to follow the example of former Prime Minister Margaret Thatcher. In November 1990, after a day of plots and wild rumour, Conservative MPs were left with a leadership contest scenario which split the party for a political generation. Amid well-founded speculation that at least six cabinet ministers were among those convinced she should step down when she returned from an EU Summit meeting in Paris, instead she took advice from senior party barons, revitalised her campaign team and declared: “I fight on, I fight to win."

To be honest though, I actually prefer another quote attributed to her: “I am extraordinarily patient - provided I get my own way in the end”.


[Today’s image is of US Senator John Kerry, firing the starting gun to signal the start of the men's wheelchair race, during the 2005 Boston Marathon, on 18th April 2005. The race was held almost exactly 6 months before the date of the formal adoption of the Data Protection Directive.]

Monday, 2 August 2010

Can we have a data protection passport?


I’ve recently had a really thought-provoking email from David, who has read some of my postings and decided to contact me as he has similar views to mine. He’s also passionate about data protection, and equally keen, as a businessman, to be both at the “bleeding edge” of data protection practice – but also to be on the right side of that edge.

Here’s an edited version of what he had to say:

“I rather tend to agree with you about how EU data protection law has become so complex that it can’t really be observed properly, and that it needs to be ignored when unfair or impractical. But for all that this is very tempting, especially for people like me who are designing IT solutions that will stretch data protection (although not, I stress, to the detriment of the data subjects), it’s also a very dangerous message to preach, simply because the penalties for non-compliance are steadily becoming more painful for data controllers.

You write in your ‘Chester Hangman’ piece about the desirability of DPAs having an ex officio right of appearance in court cases about data protection, and I think you’re right; but I think it’s equally important that technologists and entrepreneurs in data-intensive businesses should have the right of access to DPAs to get pre-rulings on what they are planning to build, so that they don’t get involved in unnecessary and expensive court cases. Equally, I think it is very important that data protection practices in the EU and elsewhere should follow the example of financial industry regulation, so that DPAs would be able to give a ‘regulated by the Ruritanian DPA’ status to data-rich companies that could then be ‘passported’ to other jurisdictions.”


I agree with David that it’s a dangerous message to preach that one should ignore laws when they are impractical – especially when the penalties for non-compliance are becoming more painful for data controllers. But I would argue that the fault here lies in the hands of the regulators. Data controllers have human rights too, and they have the right to know what the rules are – and to be told that the rules are in terms that are accessible and comprehensible. It would be thoroughly reprehensible for a regulator to hide behind a complex web of rules and regulations, and then lash out at a data controller simply because they had not taken the precautionary measure of seeking (expensive) expert advice on an arcane and unwieldy set of rules. I think we would all welcome higher penalties for non compliance - so long as the penalties were proportionate to the offence committed, and it was easy to understand whether non compliance had occurred in the first place.

David’s core point is that technologists and entrepreneurs in data-intensive businesses should have the right of access to DPAs to get pre-rulings on what they are planning to build, so that they don’t get involved in unnecessary and expensive court cases. What a great idea. Why is it that, in some cases, this relatively simple “ask” results in either different answers or, in the case of some Member States, an apparent refusal even to deal with the question. I’m glad I’m not the product manager for Google’s Steetview application, spending months dealing with separate Data Protection regulators, and getting different answers from lots of them. (And no answer at all from at least one of them.)

If the members of the Article 29 Working Party were permitted by law to have sufficient confidence in each other, they should always accept each other’s passports. But European law does not yet permit this.

How long have passports been in existence? According to gsitltd.com, one of the first passport holders was Nehemiah around 450BC. He was an official in the court of King Ataxerxes of ancient Persia. Nehemiah, who rebuilt Jerusalem asked permission to travel to Judah. Ataxerxes agreed and gave Nehemiah a letter "to the governors of the province beyond the river" requesting safe passage for him as he travelled through their lands.

So, if passports have permitted human beings to cross borders with integrity for almost 2,500 years, then they really ought to allow concepts to cross borders with the same degree of respect in the not too distant future. A start is being made with the mutual recognition of binding corporate rules. Well, at least among some of the members of the Article 29 Working Party. Small steps. But in the right direction.

I read recently that the UK has recently let another huge section of its domestic telephone betting infrastructure to slip through its fingers, as the tax laws in Gibraltar are much more attractive than the tax laws in Glasgow. But does it mean that the Glaswegian punters, in real terms, have suffered a corresponding decrease in consumer protection?

I think not.

I’m sure that individuals in one jurisdiction are unlikely to suffer real damage simply because the service to which they have become linked has been approved by someone who lives in another country.

And I’m equally sure that the forces of data protection conservatism will prevent member states from taking that bold step of trusting each other in the same way that the financial services industry have managed to reach out and spread their bit of common sense.

But I may be wrong – so come and join the passport campaign – and campaign for the mutual recognition of the learned views of the righteous!

Sunday, 1 August 2010

The Article 29 Working Party’s Opinions: “tweeted”


I’ve been thinking about how I can help a friend write her book on data protection. I thought that I could do my bit by going through the first 100 opinions delivered by the Working Group, to see how I might consolidate their learned views into more manageable chunks. Some of it is pretty heavy going. A lot more of it is really heavy going. The rest isn’t that much fun, either.

And then, at the Serpentine Gallery in Hyde Park today, I bought a brilliant book by Alexander Aciman & Emmett Rensin. It’s called “Twitterature”, and basically it’s 60 of the world’s greatest books, irreverently retold through twitter.

Each book is reworked into a series of just a few tweets – and each tweet is less than 140 characters.

Absolutely hilarious. [Warning: some of the stories, particularly the reworking of Lady Chatterly's Lover, are quite rude. But unless you are of delicate disposition, you should order your copy now.]

Returning home on the tube, it suddenly occurred to me that I could probably reduce the core bits of all these 100 Article 29 Working Party learned opinions to just one tweet, if I really put my mind to it.

So here goes:

BLAH BLAH blah blah
BLAH BLAH BLAH
BLAH BLAH
blah blah
BLAH

Please feel free to try and beat this tweet – reworking, say, just one of their Opinions, or the lot of them, all in one go!