Sunday 18 December 2011

The Subject Access Request Xmas Ditty

It’s that time of the year when we can let our guard down a little and enjoy awful puns and think more about the lighter side of life.

Data protecting can be a depressing game if you let it, as all we data protection folk seem to see these days are the bad news stories. It’s not that easy to find shining examples of things going right.

And I’m sure that plenty of things are going right. Indeed, I like to think that there is far more going right than is actually going wrong. When measured against the vast majority of things that do go right, I hope that these bad incidents will be seen, in proportion and siginificance, as just as important as a pimple on an elephant’s bottom.

Let’s accentuate the positive, for once, and not just focus on the negative. I’m a glass half full man, not a glass half empty one.

Anyway, with that in mind, may I offer seasonal greetings to all my readers, and send my very best wishes for what’s likely to be a really busy New Year.

A is for Aaaaaaaaaagh, when I read today’s email
From that blighter of a customer whose threatening me with jail

Deaf to my protestations that we haven’t kept eny
Hold on – he’s still writing, claiming there are many

Of his facts and opinions, information galore
Lurking unnoticed in our digital store:

Go and hunt for it and now, or Mistress Justice will play her part
In stringing you up by the knackers, until you look less smart

“Let this be a lesson, from a man who’s never wrong
About how you should observe a personal information ding dong”

[Later, after the ICO investigation]

Quelle surprise, it’s really simple, and according to tradition
It seems I’ve shown him all that’s in the statutory definition

There’s no need to sign any undertakings, victory is in sight,
Wilmslow says “happy Xmas! this yokel of a zealot is wrong and you really right.”


Saturday 17 December 2011

What is the Commission really trying to achieve?

I’ve been very quiet this week as I’ve been trying to get to grip with a number of very different issues, all of which demand some pretty intensive focus and all of which have resulted in my needing to ask the same basic question. This question related not to the immediate and intimate details of each problem, but the bigger issue – ie what was it that the client actually wanted to achieve?

It’s the same with the leaked proposals for a new legislative framework – many of my legal and data protection friends have been pouring over the leaked text, and have been producing ever more detailed analyses of the proposals. Many of them must be rubbing their hands with glee. After all, given such a complicated set of proposals, what self respecting data controller could now not afford to pay heavily to ensure that they were moving to a state of compliance. As for data protection officers, well, they have a job for life – so long as all they want to do is turn into an auditor and enter an environment where the ticked box is king.

But I didn’t enter the data protection world just to tick a series of boxes. To me, fairness and transparency are qualitative concepts, not quantitative concepts. I love music, not mathematics.

My main problem with the proposals (yes, having read them, not just having read summaries of them) is that I really don’t fully understand the background narrative. Before we all get too bogged down in the detail, I want to have the bigger picture much clearer in my mind. After all, the very detailed proposals contained in the text (and to be further particularised in legal instruments to be created by the newly formed European Data Protection Board) have to be assessed in terms of the sort of society that the European Commission feels its citizens should live in.

And this is where I feel lost, as I simply don’t understand the Commission's vision about how this society will look like and feel like. I fear that bad things will come from an over-centralised, distant, powerful body, like the Commission or a European Data Protection Board. My heart tells me that this body will be staffed with people who care and who are just as honourable and decent as the friends I like to associate with. But my head tells me that it’s always possible that it will be perceived as an unloving, disengaged institution that fails to take sufficient time to show its stakeholders just how much it cares.

Perhaps, just as Mr Putin must today be fearing that a Russian Spring does not have similar outcomes to the recent Arab and African Springs.

But, back to the plot. The more I get lost in the detail of the draft proposal, the more I forget what the answers to the most basic questions ought to be.

They include:
• What is to be the role of the state and of public institutions in holding information about people it is responsible for, or accountable too? When can these people exert a “right to be let alone” from the state (if at all).
• What rights are data controllers to have, if they are not to be allowed rights that are equivalent to that of individual people?
• How can we expect society to function under a regime of extremely complicated data protection rules that will be ignored by huge numbers of citizens and controllers? Can this really be termed effective government? Is this a desirable outcome to the process?
• In quantitative and qualitative terms, what will the benefits to society be if these rules were to be fully implemented? Are the costs that will be imposed on all stakeholders fully commensurate with the perceived benefits?
• How will local practices and cultures be respected, given the fact that the overwhelming majority of data controllers are likely to provide services to a very restricted (in terms of geographic reach or social mix) set of customers.

I’m sorry that this blog makes such heavy reading as we're getting focused on the forthcoming holiday season. But that’s what happens when we only see half the story – what’s been leaked is really the roadmap to “Data Protection Nirvana”, not a proper description of what this Nirvana actually is, nor an explanation of what we will feel when we actually get there.

So where do we go from here?

I suspect that many people will disengage themselves from the process that will roll on for the next few years, as groups of people earnestly huddle together and try to build political alliances that will leverage changes to the texts that we see before us. I expect the campaign of attrition to continue for a few years, as ever more weary teams of negotiators try to keep their political masters interested in the tedious minutia of the subject.

But I also wonder, in practical terms, how this initiative is ever going to be passed, given the huge emotion that will be built up by stakeholders from all sides of the debate. If I were an MEP, I would want an easy ride, to be honest. I would not want to be too personally involved in a controversial legislative proposal, as I would expect to be vilified and abused as a result of being associated with it. I would expect my own character to be called into question, and for vested interests to do whatever they considered necessary to further their own objectives. So I would not want to be the Rapporteur or a committee member, or have my fingerprints anywhere near it. MEPs go to the European Parliament to do good, not to find themselves on the wrong side of a set of very public attacks.

I heard European Commissioner Viviane Reding speaking a few weeks ago, in Paris, describing a late Christmas present that the Commission will be delivering to the European Parliament. If this is it, then it’s some present.


Sunday 11 December 2011

How do the Commission’s proposals square with its Impact Assessment?

I’ve recently learnt that fellow blogger Markus Kastelitz read my posting about the Commisison’s impact assessment on the data protection reform (published on 8 October), and tried to get a copy from the Commission.

A couple of weeks ago, he received a letter from the Director-General, Ms Le Bail, of the Directorate-General Justice of the European Commission refusing the request. The explanation was as follows :“First, I have to clarify that the Commission has not yet issued any staff working document on the impact assessment for the future EU legal framework. Even though, the impact assessment document we possess has not been disclosed yet. The document is covered by one of the exceptions provided for by the policy relating to access to documents and therefore it cannot be made available to you. The exception which applies to the document you requested is that laid out in Article 4 (3) of the above-mentioned Regulation (...) In the case of your request, granting access to the said document would prejudice the ongoing intra-Commission decision-making process on the future data protection regulatory framework. Access to this document may be granted once the decision-making process on this matter is completed. (...)”

That, of course, was before the current draft proposals (let’s call them “Version 56”) were leaked onto the internet. I’m not sure whether this changes anything – but it might. How much more prejudice can publication of that document now cause to the ongoing consultation, since the text of the document containing the actual proposals is so readily available on the internet?

Back in October I described three quite detailed options that the Commission was considering, to make the changes it thought appropriate. I also explained that the Commission had analysed the impacts of these options. The analysis included an appreciation of how well each option addresses the problems that were originally identified, their political feasibility / acceptability by stakeholders, financial & economic impacts, social impacts, impact on fundamental rights and their impact on simplification.

It appears to me that the authors of Version 56 have basically gone for the option which the Commission considers has a low risk of political feasibility / acceptability: this option would be too unbalanced as it would highly strengthen data subject rights but at great costs for data controllers. Most stakeholders would find it too radical.

Now, I have not heard of any Commission attempts to take down Version 56 from the internet – so perhaps the ground is shifting. Oh, the power of publishing information on the internet. Long gone are the days when all Governments had to worry about were what was published by newspaper barons. But I wonder how Governments will manage, in future, to discuss sensitive issues. What new communications technology will they use which prevents the average internet user from finding out what they are up to?

Perhaps they’ll start to communicate via Blackberry Messenger – after all, if the security of BBM is hard for national authorities to break when the great unwashed are indulging in a spate of rioting, it could also prevent us oiks from learning what the Commission is up to when the Commission wants to keep something quiet.

What I had not expected was a Regulation for the oiks and a Directive to take care of issues relating to police and criminal justice. Given the ever increasing co-operation between the (state) law enforcement regime and the (private) security and anti-fraud networks , it really ought to be possible for both groups to operate using broadly equivalent rules. Given the ever increasing privatisation of the administration of law and order, it would be a shame if state actors were to enjoy significantly greater freedoms should equivalent responsibilities be devolved to actors in the private sphere.

Let’s see if the next draft of a new regulatory framework, to be released sometime next year, will be more balanced and less radical.



Saturday 10 December 2011

Save us from a secretive Data Protection Board

We’ve all had a good laugh at some of the Commission’s proposals contained in the infamous “Version 56” – the document recently leaked on the internet which is currently being reviewed within the Commission before a (presumably heavily) revised version of its proposals for a new legal framework is unveiled sometime next year.

My favourite bit is the part of the text which tries to create more effective co-ordination between the data protection supervisors of each Member State (and of course the European Data Protection Supervisor). The Article 29 Working Party is to be rebranded as the European Data Protection Board.

It is either to be chaired, or have as one of its 2 deputy chairs, the European Data Protection Supervisor. Its secretariat will be co-located with that of the European Data Protection Supervisor. It is to act independently and arrive at decisions by a simple majority of its members. Board discussions are to be confidential, as are documents and papers submitted to the Board. Similarly, all experts and others who support the Board are to have confidentiality requirements imposed on them.

So much for freedom of information and our own Government’s transparency agenda.

My next favourite bit is the proposal that its decisions, recommendations, guidelines and best practice notes are to have greater weight than before.

Currently, of course, the Article 29 Working Party issues opinions – and many of us are grateful for that as that is all they are. I’m happy to listen to anyone’s opinion, so long as they don’t always expect me to act in accordance with it. Let’s be honest, how many of the opinions that have been adopted by the Article 29 Working Party are on our “memorise” list? I find that too many of them are written in language that is quite difficult to understand, over long, and very hard to engage with. At least I can ignore the more tedious stuff.

But, please, spare us data protection officials from feeling that we may be more formally bound by standards or systems that will emerge from these new documents. Is there to be any political accountability on the part of the Data Protection Board – or a means of appeal when data controllers feel that this body has simply got it wrong?

Will we have to wait for decisions to be made in secret and then just unconditionally accept, in some sense of Papal infallibility, the correctness of this decision?

Please help us.

We all enjoy hearing about some of the personal characteristics of the current crop of Data Protection Supervisors, and to some extent we can forgive their foibles, after all they are only human. But what happens when their views start to radically diverge from the “norm”?

This was the thought that occurred to me last night, as I was enjoying the sensational new musical Matilda in London. One of the key figures is Miss Agatha Trunchball, played by the outrageous & brilliant Bertie Carvel (pictured). A former Olympic hammer thrower, she is now the Principal of Crunchem Hall Elementary School. Surreal and psychotic, she utters the phrases “Children are maggots” and “You’re heading for the chokey” whenever she wants to cast terror into the hearts and minds of the pupils (and their teacher).

How might European data controllers prevent a latter day Miss Agatha Trunchball from becoming Chairman of the European Data Protection Board and then running amok? How might they be able to stand up to her, as Maltilda did last night, when they haven’t got special powers to change things? In terms that Roald Dhal would have appreciated, how might the data controllers manage to divert her attention, if they can’t slip a newt into her knickers?

Perhaps the only way to ensure that sanity prevails will be to ensure that someone like me gets to be elected its first Chairman. Well, if it’s a choice between me, Agatha Trunchball or Edna Turnblad, I think I ought to win, hands down.

Articles 73-72 of Version 56
A musical version of Roald Dhal’s novel, Matilda: A Musical, written by Dennis Kelly and Tim Minchin and commissioned by the Royal Shakespeare Company, opened at the Cambridge Theatre on 24th November 2011, after a run the previous year in Stratford-upon-Avon.
Edna Turnblad is a character from the award winning film and musical Hairspray. Another larger-than-life individual, she also has a lot to teach her fellow citizens in terms of dignity and mutual respect.


Thursday 8 December 2011

The Interception of Communications Commissioner shows us his independence

In a visit that astonished and inspired many members of the Data Protection Forum last Tuesday, Sir Paul Kennedy, the Interception of Communications Commissioner, spoke about his role and, in discussing a few topical issues of the day, showed just how independent a person he actually is. Most of the members of the Forum had never met a retired Lord Justice of Appeal before – well they have now, and they can now better appreciate the care, discretion, dedication, humility and integrity that Sir Paul brings to the job.

The full text of his speech will shortly be loaded onto his website – which is the impressively named www.intelligence What a great title for a website. But I expect he won’t be sorry that he will have to relinquish it when his term of office ends.

The day had started with a minor calamity for the first speaker, the award-winning lawyer, barrister, blogger and tweeter Stewart Room. All the IT in the well equipped conference room could not open the PowerPoint presentation he had carefully prepared – so he played a blinder. In a masterly display of oratorical powers, he spoke without hesitation, repetition or deviation for 45 minutes on the interface between security and data protection. He quickly got everyone up to speed on the relevant issues, so they could better appreciate the world that Sir Paul regulated.

The final speaker of the day was Martin Smith of The Security Company. And yes, he blogs too. It’s obviously the new way of communicating to the masses. Whereas in the past, people would have polished off a pamphlet, got it printed and then sent around the coffee houses of London, these days we press a few buttons and, hurrah, our jottings have been published for the whole world to consume. Anyway, if you have not heard Martin Smith speak, then you are in for a treat. He certainly sympathised with the lot of the Data Protection Officer. It may not be sexy, and it may not be the job that attracts the greatest attention from the Board, but it’s certainly one of the really worthy ones. He had us eating out of his hands in minutes.

And what was also inspirational about the day was Sir Paul’s nomination of the beneficiary of another innovation the Forum tried last Tuesday – to hold a charitable raffle just before the Christmas lunch. He nominated the Charlie Waller Memorial Trust. The Trust was set up in 1998 in memory of a 28 year old professional who had committed suicide whilst suffering from depression. His family and friends formed the Trust to raise awareness of depression, reduce the stigma attached to seeking help and to ensure help was available when needed.

Charlie’s death had an impact which continues to affect those who knew him. Yet, Charlie’s case is not an isolated one. Each year around 1,760 young men commit suicide and a recent report from the Royal College of Psychiatrists highlighted the impact of stress and work pressures.

Stress and work pressures are both issues I have struggled with, as have people with whom I am and have been very close too. I’m so pleased to learn about this charity. And I’m honoured to recommend it to others who want their charitable donations to really make a difference.

Further reading:§ionID=4&type=blog


Monday 5 December 2011

Woops- jail time for non-registration?

Dan Worth, that excellent IT journalist from must have been kicking some poor copywriter last Friday. What a misleading headline: ”Estate agent avoids jail time after breaching Data Protection Act” to accompany Dan’s article!

Dan was right to report that the miscreant was “given a six-months conditional discharge and ordered to pay £614 towards prosecution costs in a hearing at Caernarfon Magistrates' Court” for a Section 17 offence (ie failing to register with the ICO). But, failure to register is not a custodial matter. Surely, a custodial offence could only have been considered appropriate if the estate agent had beaten up the ICO’s inspectors with some old For Sale boards.

A conditional discharge simply means that the miscreant does not receive a punishment if they comply with certain rules (eg stay out of trouble) for a fixed period of time. So the penalty for non registration is, actually, nothing, other than to pay the prosecution costs if you get caught. Some penalty that is.

These bloopers, and others (remember, the European Commission has just threatened to place 16 Member States on the naughty step for failing to fully implement a Telecommunications Data Protection Directive that was due to take force from 25 May) are bound to be discussed when the great and the good of the Open Rights Group gather for their Christmas drinks in Paddington tonight. So, if you’re passing by the Wood Marylebone pub in Balcome Street later, and hear a strange “12 days of Christmas” refrain, do pop in and join the songsters. You never know who you might meet there.

The Member States vying for a spot on the naughty step are Austria, Belgium, Bulgaria, Cyprus, the Czech Republic, France, Germany, Greece, Hungary, Italy, The Netherlands, Poland, Portugal, Romania, Slovenia and Spain. Not the UK, this time.


Saturday 3 December 2011

The ICO’s twelve days of Christmas

It’s getting to that special time of the year when differences are set aside and we data protection folk gather together for the Christmas parties. People whose views are usually rejected with distain are treated in a wholly different light when they congregate with various beverages in their hands.

Old arguments are forgotten as we all realise that, within this data protection community, what binds us together is that we do all care. OK, we may care about slightly different things, but the main thing is that we do care.

Fundamental rights, respecting each other, dignity and a broad outlook on life. That’s what binds us data protection folk together.

We also like a good sing song once in a while, to relieve the tedium of working out whether Binding Corporate Rules will be a truly effective and scalable way of legitimising international personal data flows. Or how we are going to get the people we advise to take data protection issues as seriously as we do.

As its getting close to the holiday season, here’s one little ditty that is only appropriate when there are a group of people whose throats have been generously lubricated and no-one has any inhibitions left:

On the twelfth day of Christmas,
Our chums in Wilmslow sent to me
Twelve audit recommendations,
Eleven blogs on breaches,
Ten more assessments,
Nine press releases,
Eight FOI reminders,
Seven voicemail messages,
Six monetary penalties,
Five SAR’s
Four draft undertakings,
Three renewal reminders,
Two codes of practice,
And an email that I wasn’t supposed to see!

Image credit:

For those of you who won’t be traveling to Paris to enjoy the Xmas decorations along the Champs Elysees this year, they look like this!


Thursday 1 December 2011

Behavioural advertising: Scrap “do not track”. Try “do not target”

Gwendal Le Grand, head of the IT Department of the French data protection regulatory authority CNIL, made a remark, in passing, at the International Association of Privacy Professionals European congress on Paris on Tuesday, which I think could be very significant.

During a session on on-line behavioural advertising, he used words that may well resonate for a few years to come. The issue is, of course, about how individuals can (or should) object to the use of their personal information for behavioural advertising. Many of the delegates had attended an earlier presentation by Ilana Westman from the Create with Consent organisation, and were thus aware that most internet users really had no idea how their information was shared by web publishers, nor how web publishers actually found the money to pay for the content that the user, typically, was enjoying for free.

Gwendal suggested that, rather than using the phrase "do no track", individuals should really be saying “I beg you not to target me".

This is because an awful lot of tracking is going to go on, regardless of the user's stated tracking preferences. Cookies and other device features will always be monitoring how someone is navigating between the web pages, or remembering what items are in their shopping basket, but have not yet been paid for or despatched. Other forms of tracking will inevitably go on for traffic management, analytics and law enforcement purposes.

So, responsible organisations should not even think of using words and phrases that might mislead a user, such as “do not track”. There is no "cloak of invisibility" that would result in all internet usage to being unmonitored. So we should be careful not to use words or phrases that are incompatible with the legitimate expectations of Internet users.

I think this is a very sensible and practical suggestion. I'll see what I can do to encourage more people to start using this phrase.


Freebies: The kindness of (not so) strangers

“Whoever you are, I have always depended on the kindness of strangers”. It’s a brilliant final line from the play Streetcar Named Desire. And it’s one that frequently comes to mind when accepting corporate hospitality when data protecting.

The sponsors of the International Association of Privacy Professionals European congress in Paris certainty pulled out all the stops this week. [Note to the sponsor's expenses departments: None of the expenditure was inappropriate, nor of a kind likely to interest local fraud and corruption teams. No money changed hands. One iPad was won, some really nice chocolates, football shirts and card holders were proffered, and we all now must have enough spare pens and paper pads to enable us to start to restock the stationery cupboard when we return to the office.]

But, and this is a big but, the conference venue was within a few yards of the Arc de Triumph. Local hotels were not cheap, people (like me) who were not travelling on expenses we were all very grateful for the drinks and dinners that were so kindly laid on for all those who were considered sufficiently deserving. Data protecting is thirsty and hungry work. And all of the sponsors laid on wonderful events.

The largest drinks event was held at the ultra fashionable night club L’Arc, just across the road from the Arc de Triumph. Every conference delegate had been invited for IAPP cocktails sponsored by our chums at Yahoo!, and a fashionably chic time was had by all. Apparently, George Clooney was there last week. I doubt they will be talking for long in such hushed tones about the way in which I worked the room and smashed a glass of champagne, but I did have a quiet word with some old friends – and take the opportunity to make some really nice new friends. It’s a club I would heartily recommend – and its website advises that there are just a few tickets left for the New Year bash, each priced at £330 (excluding drinks).

The most historic event occurred on Wednesday night, after the congress had actually finished. Trevor Hughes, Chief Executive Officer of the IAPP had a brilliant idea and had invited the heads of the principal national European data protection associations to a special dinner at the Hotel Vernet, one of the most distinguished hotels in Paris. It was the first time that the representatives from these bodies had been formally invited to meet each other. Personal relationships were quickly cemented. And agreements were reached to deepen these relationships.

Hopefully, for example, next March will see senior figures from both the French and the German privacy associations addressing members of the Data Protection Forum in London, giving their own national perspectives on the European Commission's proposals for a new legal framework. The aim is that we Brits will get a better understanding of what concerns French and German citizens (and data controllers) have about the measures which really ought to have been published by then, and vice versa. A bientôt! Bis Bald! The Data Protection forum really will adopt an international flavour that day.

If this is the sort of event that might be of interest (the Forum meeting, not the dinner!), and you are free on Tuesday, 13 March 2012, then please feel free to contact the Forum’s secretary and ask her nicely about how to become a member of the Forum. Guidance on becoming a DPF member is at

And what about the weighty matters discussed by those who attended the dinner? Well, enough business was transacted for us to unanimously declare the occasion a great success. Privacy, as a profession, has well and truly arrived. So, through the IAPP, another international network of privacy professionals is being created, which will enable members to engage both with their contemporaries, and with the hierarchies of the privacy regulators.


Commissioners commenting at the IAPP Congress

European Commissioner Viviane Reding made a great impression on the delegates at the International Association of Privacy Professionals' European congress in Paris on Tuesday. She swept into the conference room just a few minutes before her carefully prepared speech to Europe’s data protection elite was billed to start. She majestically read it, and then glided away, protected by a posse of flunkies, well before any members of the awkward squad in the audience could ask her any questions.

What did she say?

Well, were promised a late Christmas present. It is to be a simpler way of legitimising global data flows, and it is to be delivered in the form of an easier way for Binding Corporate Rules to be approved by regulators in all Member States. Oh, we’ll also get consistent enforcement across Europe, and some innovation. This, apparently, will increase levels of confidence, as it is evidently confidence which is what lacks today in the digital world.

And that was about it. Introduced as "the most important person in Data Protection in Europe today" this really was about all she had to say to an audience that included Jacob Kohnstamm (Chairman of the Article 29 Working Party), Peter Hustinx (European Data Protection Supervisor), Peter Scharr (Federal Commissioner for Data Protection & Freedom of Information Germany, Richard Thomas (former UK Information Commissioner), Peter Fleisher (he of Google), and Richard Allen (of Facebook fame). Some late Christmas present we’ve got to look forward to. But, let’s give Viviane her due. She is the most important woman in Data Protection in Europe today, and she did very kindly agree to speak.

The audience were left a little bemused, but there were lots of really important issues that were discussed last Tuesday and Wednesday. There was the inevitable speculation about what else might be in the Commission's proposals for a new legal framework. The Commission is either keeping its proposals a very closely guarded secret, or it hasn't yet got much to unveil. There were murmurs of an announcement about the framework during "data protection week" next year. Excuse me. Data Protection Day is quite enough for me, thanks. There's only so much fun a data protector can have. This fun can be squeezed into a day, but I think it would be really hard to stretch it to cover a whole week.

The announcement from the platform (just before Viviane Reding swept into the building) was that the new legal instrument would take the form of a Regulation, not a Directive. But I'm not sure I believe that announcer (so I won't identify her, to save potential blushes later). Peter Hustinx pointed out that there can be various kinds of Regulations, and that Directives can also take different forms, too. It left the audience little the wiser as to what was really likely to happen.

I managed to raise a laugh among delegates when I asked Peter Scharr a question. It was related to his support for rules which had Community-wide application. He had commented, in his keynote speech, that Data Protection authorities need to think on a global basis, yet they were organised and were obliged to react locally. I pointed out that, recently, on economic matters, the Germans had been really helpful to the Greeks and others who were facing local economic difficulties, in order to strengthen confidence in the Euro. I asked Peter if he thought that the Germans might be so kind as to consider lowering their own current data protection standards, if this would result in the prize of the possibility of common data protection rules applying across the European Community, in order to strengthen confidence in data protection.

Significantly, Peter did not rule this out. He accepted that everyone needed to adopt a flexible approach, if common standards were to apply across a wider geographic area. You heard it here, first! No-one laughed at Peter's response - and many were mightily relieved.

It was left for Richard Allen to make the really significant point that in future, data protection regulation is only likely to be effective if the applicable law is to focus on where the data controller is based, not where the data (or copies of the data) is being processed. After all, the data, thanks to the wonders of cloud computing and the internet, is likely to be all over the globe and constantly on the move. Everyone appeared to supported this suggestion. These Facebook chaps talk a lot of common sense.

The full text of Viviane Reding’s speech can be found at