Tuesday 31 January 2012

Another day, another data protection referral to the European Court

I do hope that Commissioner Reding will be taking notice of the chaos and confusion that is capable of being created when ill-thought through Euro-legislation makes its way through the Parliamentary processes and finally arrives on the Statute Book.

What’s the story behind this one? Well, it’s all about discussions that went on behind the scenes a decade ago as representatives from each EC Member State argued about what rules should be put in place to permit phone and internet records to be available for law enforcement investigations into serious crime, but in a way that protected the human rights of the phone and internet users.

The issue could be reduced, following long tedious arguments, to one of ensuring that the most serious law enforcement investigations should not be compromised because the communications records were no longer available. While that seemed a fine principle to agree about in theory, the principle couldn’t be implemented very easily. Why? Simply because the law enforcement agencies operating in the different Member States had different practices when it came to investigating crime using traffic records. In some Member States, the common practice was to rely on 6 months of records. In other Member States, the practice was to use up to 4 years of records. So given the disparity on investigation practices, lots of people got upset when the new rules prohibited the retention of records for more than 2 years, and ever since they’ve been devising new legal challenges to postpone the enforcement of these rules.

If my memory serves me right, the Irish were unhappy because they wanted records to be retained for 3 years, while the Italians wanted a 4 year limit. On the other hand, the Germans didn’t care so long as it could get hold of 6 months of records. Other Member States didn’t really seem to care as, at that time, the law enforcement agencies in that country didn’t seem to rely on phone or internet records at all.

And, if my memory serves me right, there was general acceptance that the words used in the draft legislation about the retention of internet records didn’t make any sense – but the point was that the statute had to be approved at that time because the Chairman of the relevant Committee of the Council of Ministers was completing his term of office and if the legislation wasn’t accepted, then the discussions would have to start again from the beginning of the tenure of the next Chairman. I won’t embarrass the Chairman of that Committee by naming him, nor will I point out which Member State had the honour of chairing the discussions and forcing the key decisions. (Well, not until someone asks me nicely.)

Does this approach to drafting legislation sound familiar?

The upshot of this unholy mess has been another appeal to the European Court on the basis that some people don’t like what’s going on, and they consider that their human rights have been abused.

And why am I writing about this now?

Because the more I read the European Commission’s proposals for a General Data Protection Regulation, the more convinced I am that the target that the Commission set itself was one focussed on the calendar, rather than common sense. I’m convinced that the Commission was so keen to launch “something” on 25 January that the “thing” was, to a large extent, immaterial.

Perhaps that was what was meant by Commisisoner Reding’s introductory remarks last week: “Ladies and Gentlemen, we have done it”.

We will now send the following months and years working out in detail what really is appropriate to meet the changing needs of our times.

I only trust we have time to undo the stupid bits and get it right before some other parliamentary timetable forces the pace, and we are left with a text that so many of us know is still not fit for purpose.



Monday 30 January 2012

Getting into a lather over LinkedIn?

We data protection folk can be so busy worrying about other people’s privacy that we totally forget to think about our own.

Who, for example (in their right minds) actually reads the “we have changed our privacy policy” blurb which is spewed out each time a data controller changes their practices? And how do we know if we’ve missed anything serious?

This is where the blogosphere, with its notorious internal networks of friends and colleagues, can really shine. What concerns one person can very quickly concern lots of other people.

Today, for example, I was sent an email from the ever vigilant (and oh so brilliant) Pascale Gelly, pointing out that “Without attracting too much publicity, LinkedIn has updated their privacy conditions. Without any action from your side, LinkedIn is now permitted to use your name and picture in any of their advertisements.”

Whoops, I missed that one. On the other hand, if my name and picture sells sufficient quantities of dog food, or whatever else I am supposed to be endorsing, is this really such an invasion of my privacy? I do try to take care when I am on line, and I do what I can to obscure my digital vapour trails whenever my cursor accidentally clicks on a site that some folk might find alarming (or amusing).

But then again, I thought to myself, I can’t make myself aware of everything that happens around and about me. My life is too full already. I can’t take any more in. My mind already hurts (and plays tricks on me). The last thing I really want to do is spend more time in front of a screen, reading about data protection stuff. I do this for a living. Surely, I don’t have to do it as a private citizen too, do I? I shrug my shoulders with mock despair. After all, if we can’t be bothered to do it ourselves, and we actually know about the consequences of remaining digitally vigilant, then the great unwashed has no chance at all of keeping up to speed with things that data controllers think matters.

Accordingly, based on my own personal experience, I really don’t think that the European Commission’s cunning plan of encouraging European citizens to consent to more stuff is going to work. They can’t consent to what they can’t understand or can’t be bothered to read, or simply don’t have the time to read. It’s a brilliant example of a policy initiative that looks great in theory and turns out to be unworkable in practice.

So perhaps we need not blame LinkedIn.

Perhaps I can offer LinkedIn a special deal. Can I be a celebrity ambassador, and be paid decent money to have my image associated with products and services that the producers of those products and services will want me to be associated with?

Anyway, for those among us (not me) who wish to opt out of this new LinkedIn practice, Pascale tells me that all that needs to be done is:

• Place the cursor on your name at the top right corner of the screen. From the small pull down menu that appears, select "settings"
• Then click "Account" on the left/bottom
• In the column next to Account, select the option "Manage Social Advertising"
• Finally un-tick the box "LinkedIn may use my name and photo in social advertising"
• and Save

With thanks to the amazing Pascale Gelly for the news


Saturday 28 January 2012

One policy, one Google experience

Happy International Data Protection Day!

In a brilliant move that can’t surely attract criticism from the European Data Protection Supervisor, Google is commemorating International Data Protection Day with a short message on its landing page, which may well be read by over half the internet-enabled population on the planet.

The message is sweet and simple: “We’re changing our privacy policy and terms. This stuff matters. Learn more”

It will be great to consult the Google Analytics team in a few months to see just how many people did actually click the hyperlink and take up the opportunity to “learn more”.

What has Google just done? Well, it’s announced changes to its privacy policy, which will take effect in 1 March. Over 60 different Google privacy policies are being replacing them with one that’s a lot shorter and easier to read. One rule to rule them all? Sounds suspiciously like what Commissioner Reding was trying to announce, last Wednesday. It’s also what Gandalf was striving to achieve, during his existence.

When you read the policy (some 2,300 words, depending on what parameters are selected before the automatic word counting exercise is carried out), you appreciate the trouble that has been taken to make Google's operating processes easy to understand. The Google team evidently agree with me that it’s better to draft policies in words that can be understood by Homer Simpson than just by Albert Einstein.

The words flow as if they had been penned by a Hollywood scriptwriter. The slick, lean and easy phrases don’t challenge anyone. I expect that some aspects of them will upset some of the privacy wonks, but for the remaining millions of data controllers who care, Google has created a great language that I’m sure many websites would benefit from being re-written in. Whether many lawyers and data protecton professionals are going to be brave enough to change their own, treasured, text for something that is written in common sense language, rather than obscure gobbledegook, is another matter.

Here is a sample of some of the headline stuff before users are directed to the actual policy:

”Our new policy covers multiple products and features, reflecting our desire to create one beautifully simple and intuitive experience across Google.

Our new policy reflects our desire to create a simple product experience that does what you need, when you want it to. Whether you’re reading an email that reminds you to schedule a family get-together or finding a favourite video that you want to share, we want to ensure that you can move across Gmail, Calendar, Search, YouTube or whatever your life calls for, with ease.

If you’re signed in to Google, we can do things like suggest search queries – or tailor your search results – based on the interests that you’ve expressed in Google+, Gmail and YouTube. We’ll better understand which version of Pink or Jaguar you’re searching for and get you those results faster.

When you post or create a document online, you often want others to see and contribute. By remembering the contact information of the people you want to share with, we make it easy for you to share in any Google product or service with minimal clicks and errors.

Our goal is to provide you with as much transparency and choice as possible through products like Google Dashboard and Ad Preferences Manager, alongside other tools. Our privacy principles remain unchanged. And we’ll never sell your personal information or share it without your permission (other than rare circumstances like valid legal requests).

If you want to learn more about your data on Google and across the web, including tips and advice for staying safe online, take a look at Good to Know.”

I did think of looking at the policy and of comparing it to the recently published General Data Protection Regulation to see what sort of changes might need to me made to ensure that it complied with the proposed new rules on dealing with children, using cookies and obtaining consent. But why spoil a joyous day? Let’s just relax and celebrate International Data Protection Day, rather than have a quiet dig at the Commission. Just for once.

And how will I celebrate International Data Protection Day?


Last night I followed the lead of those intrepid souls who made their way to the Front Line Club in Paddington, who were on a mission to celebrate at a dinner organised by the Privacy Advisors Supper Club. Laughter there was lots. And what an array of different experiences were brought to the supper table. You learn so many unexpected things about your privacy colleagues. Who would have thought, for example, that one of the advisors among us had published a book a few years ago on surgical implants and surgical appliances, and, while a Commission official, had lobbied the European Commission to adopt their ideas as the basis for a new way of regulating medical devices in the EU? And you thought that data protection law was an obscure subject!

I can confirm that everyone present is now entitled to tick off items 12 & 50 on my list of “50 things to do before a data protection professional dies”.(see my blog postings of 17 and 18 January.

Anyway, given what we had to eat last night, there is only one appropriate way to spend today – to abstain from cookies for as long as possible (well, until dusk, anyway).



Friday 27 January 2012

Taking a butchers at our breaches

Yesterday afternoon, a select group of the usual suspects gathered together to share war stories about their experiences on dealing with data breaches.

The speakers included an official from the ICO, a couple of lawyers, and a pair of data protection officers, all of whom had different perspectives to share. And a useful sharing session it actually was, especially when it became pretty clear that everyone was keen on developing a reasonably settled view on precisely the same issues. We’re just not there, yet.

The usual elephants were in the room. Who would be the first to admit that they didn't actually know what a data breach actually was, as the definition (in the ePrivacy Directive and the proposed General Data Protection Regulation) was so vague? Who would be the first to point out that some reporting threshold was required, to avoid overburdening the regulator with trivia. And who would be the first to question the need for the regulator to receive breach reports, if it wasn't at all clear what they were doing with the information that was being supplied?

No one in the room suggested that data breach management was not an important issue. And everyone agreed that responsible data controllers would be striving every sinew to resolve the trivial, as well as the more serious, data breaches. This is because they cared about their customers and certainly wanted to engage, to the greatest extent possible, with their customers. News of an extremely recent UK data breach revealed how quickly the data controller was seen to act when allegations emerged in the blogosphere. Customers - and complainants - certainly have a voice, thanks to the internet. Many seem to be able to quickly detect irregular types of activity on their online accounts and, using their powers of social networking, get the data controller to respond responsibly.

So, turning to minor breaches, what role does the regulator play here? It is a valid, and important, question.

Later, over a data protection dinner most generously hosted by Bird & Bird, a few of the guests asked themselves whether there were any lessons to be learnt from the breach notification rules that were prevalent in the USA. Had these rules led to a measurable change in the behaviour of American data controllers? Were there now fewer breaches than before? Were citizens more confident that data controllers were more vigilant than before?

Well, we asked ourselves these questions, but answers were there few. I left the dinner confused. Not inebriated, but just still not clear what the point of the breach notification process to the regulator actually was.

Tonight, I’m off to dine, gossip and dance the night away at an event organised by the Data Protection Officers’ Supper Club. I’ll raise the same questions that were raised last night, and I’ll report back if any significant insights emerge.

Image credit:


Wednesday 25 January 2012

“Ladies and Gentlemen, we have done it”

With these words, Commissioner Reding unveiled the latest set of proposals for a comprehensive reform of Europe’s data protection today. The Commission has, apparently, just adopted what is called “a comprehensive reform on the use of the data protection rule”. I won't ask too many questions about how this agreement was reached. Like making sausages, you really don't want to know just how they managed to do it.

If you want to view the 34 minute recording of today's announcement yourself, click the “banbuser” link below.

There are some grand claims: “Our reform will eliminate the unnecessary administrative burden as well as the many costs linked to the different reporting requirements currently existing throughout the EU.” Apparently, there will be a single set of rules across the EU, which will save some 2.3 billion Euros each year. But, there will be special care for SME’s, who will be sheltered from some of the more onerous requirements, at least until they have grown into larger enterprises. Commissioner Reding wants to help these young companies to become big – and to help them to do their job without being drowned by administrative burdens. So, there will be no need for them to appoint Data Protection Officers, carry out impact assessments for low and medium risk processing operations, or put together documentation about other data processing activities.

As far as citizens are concerned: "there are to be immediate benefits, and these will ensure that they are well informed about what will happen to their personal data.”

If you listen closely to the recording of the announcement, you will occasionally hear the audience’s reaction. Once or twice there is nervous laughter. On at least one occasion someone out of vision is heard to ask their colleague “is this legal?” It will be interesting to learn the reaction of more of our learned friends once we've all had time to fully consider the implications of the published proposal.

Anyway, how did this one differ from the version that I saw a few days ago and blogged about on 20 January? What can be gleaned about the shifting nature of the text as it underwent those final revisions in the period of frantic activity up to today? The text has lost one Whereas clause (there are now just 139 of them), it has gained an additional Article (there are now 93) and, somewhere along the way, three pages of text. This tells me that the negotiations carried on for some time, and a lot of changes were made, compared to the infamous leaked “Version 56” (which had a mere 118 Whereas clauses, 91 Articles and 78 pages).

As predicted, there is new language around the territorial scope of the Regulation, and we can wait for our legal chums to opine on whether it clarifies matters or causes more confusion.

As predicted, the definition of personal data is still pretty vague and we need to work out whether “online identifiers” are the same as IP addresses. And, the definition of a personal data breach means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else. Yuk.

A radical rethink on what to do about protecting the interests of children has resulted in special rules for the processing of children under 13, and some interesting questions to resolve if a data controller is dealing with people between the ages of 13 and 18. As the Regulation won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child, we’ll have to work out just what all this stuff means quite carefully. But the Commission wants to give itself the power to adopt other legislation to further specify the condition sunder which children’s data should be processed, so I don’t have a clue what the final effect will be.

As far as the principles of data processing are concerned, private data controllers can breathe a sigh of relief and the processing for legitimate interests condition survives. As predicted, the rules for public data controllers have been tweaked – but I have not had the time to consider whether there might be howls of protest around Brussels and town halls when the implications sink in.

As anticipated, the rules on consent have been tweaked, and to such an extent that I do expect that data controllers will react in an unexpected way to the lessons learnt when individuals exercise greater control of their information by exercising their right to withdraw their consent to the processing of that information. The natural result of this power to withdraw consent will, in many cases, simply lead to a flight from consent – as prudent data controllers will increasingly use the legitimate interests condition as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn.

On the rights of data subjects, and as anticipated, we can brace ourselves for no Subject Access Request Fees, unless such requests are manifestly excessive (whatever that means). As I’ve suggested before. this could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests.

Just a few more headlines for today. The breach notification requirements still appear overly onerous (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). We really need to make better sense of this provision. I'll be developing this theme when I presenting my ideas with the amazing Jeanette Fitzgerald, SVP and General Counsel of Epsilon, at a DataGuidance breach notification event at the London offices of Bird & Bird tomorrow. Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.

Turning to the infamous sanction powers, the Commission continues to back down in the face of protests at their disproportionate nature. The ludicrous proposal to fine companies between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover for a failure to report a breach within 24 hours, which was lowered to a fine of merely between 1,000 and 1 million Euros or up to 4% of their annual worldwide turnover last week, has been further reduced to just up to 1 million Euros or just 2% of their annual worldwide turnover. But, is anyone celebrating?

There’s so much more to be said about this document and about the inevitable subsequent versions. And there are lots of people with good will, who want to see high data protection standards enforced by proactive data controllers and adequately equipped regulators. But that is a huge ask, especially in today’s economic climate.

Let’s hope that, as we work through the compliance cost assessments, the end result is an appropriate increase in standards that can be afforded by data controllers. My main worry is that, given the extensive powers the Comission wants to give itself to make further changes to the data protection rules, by means of delegated legislation, so they don't need to go through such an extensive consultation process, the result could be the creation of a monster that can turn on anyone at will.

If we get it wrong, we could get it wrong for an entire generation of EU citizens. And I don’t want my name associated with that.



Tuesday 24 January 2012

Was this the Commissioner's protocol statement?

Perhaps, we now know what is meant when we are told that a Commissioner will make a “protocol statement”. Commissioner Reding spoke in Munich last Sunday. Unlike my suggestion on 18 January, what she had to say was not an explanation of the behaviours that are to be exhibited when meeting a Commissioner. It’s more of an announcement of things to come. In this case, the things to come are to come “this week”. Yes, I know it was delivered last Sunday. But it’s not Data Protection Day, yet.

On the other hand, she might well be saying something tomorrow, too. Who knows? There's really no stopping her, once she puts her speaking shoes on. I am aware of arrangements for a press conference which will announce "something" tomorrow, but I wonder who will be at that conference, and what will be said ...

I was intrigued to find a few similarities between the draft I had prepared for Commissioner Reding on 12 January, and the text of Sunday's speech. They both start the same way (with the phrase “Check against delivery”). They both acknowledge that this is not the occasion on which the drafts are formally revealed. And they both contain a number of questionable statements.

First, let’s look on the bright side of life. I share her hope that the new rules achieve their purpose of creating legal certainty, in a simplified regulatory environment which provides for clear rules for international data transfers. And if they achieve this, then I will be among the first of many who will laud her to the skies and take to the streets to demand that she be appointed “Queen of the European Commission”, before she graces the UN as its next Secretary General.

On the other hand, the measures have to work fairly and proportionately, taking into account the legitimate rights of data controllers, as well as individuals. Will red tape be cut, as is hoped, or will the existing red tape simply be replaced with reams of other types of tape? I really hope that it will not be the latter – but I’m not yet persuaded. Will savings from the scrapping of a general notification rule simply be swallowed by hugely increased compliance expenditure in other areas, without commensurate protections being given to individuals? I fear this may be the case.

Will individuals actually be able to exercise many of the new rights that appear to be bequeathed to them? Commissioner Reding makes some play of the principle that individuals will be able to exercise greater control of their information by exercising their right to consent to the processing of that information. What she fails to point out is that the natural result of this power to withdraw consent will, in many cases, simply lead to a flight from consent – as prudent data controllers will increasingly use the legitimate interests condition as a basis for legitimising their data processing, rather than rely on creaky notions of consent that could easily be withdrawn.

The Commissioner skated over many of the details of the proposal (presumably so that she did not then need to refer to the manner in which other Directorate Generals had expressed their own reservations). She made the general commitment to extending the breach notification provisions to all data controllers, with notification as a general rule within 24 hours, even though the evidence that the current rules are either workable, effective or have brought about any measurable behavioural change among data controllers is questionable (if it actually exists, that is). Still, it’s a great headline, and we can enjoy many months of discussions fleshing out the details, as we first work out what we are trying to stop, and then assess whether the proposed measures actually achieve that aim.

But I should not be too cranky. Individuals deserve great protections whenever they go on line, and they’ll get the best protections that the state can afford to give them. Whether they will actually enjoy similar levels of protections wherever they are in the European Union, well, that’s another matter. European citizens don’t actually enjoy similar levels of healthcare, public housing, social security provision, taxation or education wherever they are just yet, so it is a brave Commissioner who commits themselves to ensuring that: “all data protection authorities in whichever EU country will have the same adequate tools and powers to enforce EU law.” I’ll believe that when I see it. And I’ll celebrate, when I see it, too. But I won’t hold my breath.

One casual, almost throw away remark that did take my breath away was her last statement. Then again, it may well have been designed to have left the audience in a state of shocked excitement as she left the stage and departed for Davos.

It was about freedom of information and copyright: “The protection of creators must never be used as a pretext to intervene in the freedom of the internet. That is why, for Europe, blocking the internet is not an option”.

Well said. What she didn’t say was that “blocking access to parts of the internet is not an option”.

Because we do block access to parts of the internet, and for very good reasons. Hold your horses, you civil libertarians, please hear me out. We block access to illegal content on the internet. We don’t want the on-line experience of minors or the easily led to be harmed by their ability to access information that might corrupt or deprave them.

So, we need an internet censor, or at least someone who cares passionately about the safety of internet users. And I’m happy to be that censor - or at least to be appointed as a person who cares passionately about the safety of the internet users of whichever service provider is employing me.

So, well done, Commissioner. Enjoy your trip to Davos. Then return refreshed, and ready to work with the rest of the passionate squad to develop a set of legal instruments that are truly fit for purpose.

Speech 12/26 to the Innovation Conference Digital, Life, Design, "The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age” Munich 22 January 2012


Monday 23 January 2012

Is there anything else to do before a data protection professional dies?

Suggestions for new additional things to achieve before a data protection professional dies (see my blog posting of 16 & 17 January) have been thin on the ground. But all is not lost. I’ve been chatting to some friends, who can already tick off a couple of items on the list, and who would rather not have any additional challenges set.

On the other hand, I met some chums at the Privacy International drinks party in central London last Thursday night, who were proud to have been able to tick off achievement 41. And I’ll be meeting more chums on Friday evening to witness them tick off achievements 12 and 50. There could still be time (and room) for you to join in the fun, if you are free.

But there must be more achievements for a data protection professional to accomplish, surely? Or is inanely a ticking off an item on a list a sign of autism? Are we data protection professionals just living with some disorder of neural development, with impaired social interaction and communication skills, exhibiting alarming tendencies of restricted and repetitive behaviour? Can we talk about anything other than data protection?

I do hope so.

Anyway, if you can (or want) to think of additional achievements, before the strain of crawling all over the documents that are just about to be launched by the Commissioner Reding numbs us into a state of oblivion, please feel free to contact me through the usual channels. A prize such as the one pictured (recently sent to me by a contact who is so useful to know in this business) may well be presented to the person who sends me the best set of suggestions.


Sunday 22 January 2012

EU breach reporting guidelines? They might be on their way

Work is continuing, behind the scenes, to develop better guidelines for European data controllers on managing and reporting security breaches. Sponsored by ENISA, the European Network and Information Security Agency, a group of regulators have been working with a very select handful of industry representatives to develop something that might make sense to the wider data protection community.

What has hit home is the fact that the vague breach notification obligations, as set out in the ePrivacy Directive, have been implemented (when at all) in a very patch manner. I was told that, last October, just12 Member States, for example, had actually implemented the security breach notification requirements, yet they were all supposed to have done so by last May.

What is actually meant by the obligation to report a breach “without undue delay”? How long is that? If you’re Greek, it’s apparently a period of 12 days. If you’re Irish it’s 2 days, and if you’re Hungarian its 24 hours. And how do we resolve the conflict which arises when, on the one hand, there is an obligation to report a breach, but on the other hand, data controllers have rights under Article 6 of the European Convention on Human Rights concerning self-incrimination. And, what is the point of reporting losses relating to encrypted information, if it’s evident that no harm will arise to anyone as a consequence of the loss?

What is meant by a minor breach? What rules apply if you’re unfortunate to incur a cross border breach? And should ENISA really be publishing breach notification guidelines without closely consulting the data controllers who were already subject to the ePrivacy breach notification regime, just to make sure that they hadn’t missed anything?

What’s happened so far is that the ENISA working party has created a substantial draft (currently some 64 pages long) which tries to address the issues. Let’s give credit where credit’s due. The participants have a good idea of what’s required, and what needs to be done. An initial workshop, held on 24 January 2011 (yes, a year ago), listed the following:

• Lack of a unified approach towards data breach notifications among sectors and among Member States
• Different understanding of the nature of a data breach
• Lack of guidelines, best practices, common formats of notifications
• Lack of guidelines on effective technical measures for protection of data
• Lack of guidelines on follow-up actions after notification
• Economics of notifications
• Cases of exemption from notification

And they have set themselves a challenging target to create a text that will really add value to the current knowledge base. Constructive discussions continue (but I won’t be playing any active part in these discussions – at least not until I leave my current job and am invited to join in and play by someone else).

A lot of what I’ve read is really good stuff. There are sections, though, that need more work. The section that probably needs the greatest amount of work is the section which offers guidance on how a data controller assesses the impact of a personal data breach. When I say the greatest amount of work, it is evident that the current text has been crafted by one of the greatest mathematical minds the European data protection community has ever had the privilege of working with it. It’s so brilliantly conceived that it’s gone straight over my head. And, even though statistics was a component part of my University degree, I really don’t think that this section of the guidance resonates very well among those of us who have normal mathematical minds.

Today’s illustration, believe it or not, is the formula which is proposed to assess the impact / severity of a detected personal data breach, when various sets of criteria, as well as their consequences on four impact areas, are fully taken into account. The mathematical minds have even devised two possible approaches on how to perform the impact / severity assessment of the personal data breach. They also offer guidance about how to flex the formula : “For the ease of the assessment, the competent authorities can provide a calculator of the severity of the breach, taking into account all circumstances and their own ways of calculations. For specific cases, the data controller could adjust the result obtained from the calculator by one grade (up or down).”

What does this really mean? That we should rejoice – since we data protection professionals will have jobs for ever as we blind colleagues within our businesses with such science? Teams of highly paid boffins will probably have to tour the European Community, explaining this stuff to the likes of you and me. And they may need to explain it several times before it all sinks in.

Actually, no. This can’t be the right approach. We need simpler ways of assessing the likelihood of harm to an individual. We’ve got to have Homer Simpson in our minds as we develop understandable rules and calculations. Not Albert Einstein. Do I have any ideas? Yes, I have oodles of ideas, but they’re not for dissemination in a blog like this. If you’re that interested in my ideas, speak to me privately, later.

That’s enough on data breach management for today. Those who feel particularly inspired in this subject can see me presenting my ideas with the amazing Jeanette Fitzgerald, SVP and General Counsel of Epsilon, at a DataGuidance breach notification event at the London offices of Bird & Bird on Thursday 26 January. Jeanette and I do not see entirely eye to eye on such matters, so it will be a great opportunity to appreciate how the same issues can be handled differently by an American or an English data controller. Expect arguments – and laughter – as we share our passion with anyone who’s sufficiently interested.

I must thank those good folk at ENISA for their commitment to transparency by creating and circulating a draft document that has no protective security markings, so it is only fair to assume that it is not a confidential document. I’m sure they’ll let you have a copy of their latest draft if you ask them nicely.


Friday 20 January 2012

Another day, another draft of the Regulation

The word from Brussels is that DG Justice is really, really keen to publish something soon to show for all the hard work that has been put in, behind the scenes, for the Data Protection Day (or the Davos) celebrations. If I were a cynic, I might argue that a fuss about proposals for an obscure Data Protection Regulation might be welcomed by the Commission right now, especially if it diverted media attention from the fuss about the European economic situation. Or the fuss about the recent legal and constitutional changes in Hungary.

Or, is this a time to bury bad news, which is a phrase sometimes used in the UK?

Anyway, I’ve got my hands on something that looks suspiciously like (yet) another draft proposal from the Commission. Or, perhaps I have been sent a spoof document from someone I usually trust, cunningly designed to divert my attention from the real discussions that could still be continuing somewhere. I honestly don’t know. But I’m happy to believe it is genuine.

When you read it, it becomes evident that it has been prepared after representatives from all Directorate Generals had been summoned to a basement room in Brussels and told to stand on one leg on the naughty step until they had all agreed on a version that could be published for us ungrateful rabble to pick holes in. And, to add to the pressure on the representatives that had turned up, perhaps no one was allowed a bathroom break until all the stakeholders had had indicated their agreement to the same draft. Whatever the pressure was, it seems to have done the trick.

What are the areas that the Directorate Generals had previously issued unfavourable opinions about but where a deal has now been reached? And what is the deal? That was the question I tried to keep in mind as I read it.

The version I’ve seen (which could have been prepared around 16 January, so is probably already out of date) contains 140 Whereas clauses, 92 Articles and is 102 pages long. Version 56, which is the one commonly available on the internet, has just 118 Whereas clauses, 91 Articles and is only 96 pages long.

A new Article (Article 3) relates to the territorial scope of the Regulation, and tries to define when non EU controllers will be obliged to respect the Regulation. I’m not clever enough to appreciate the subtlety of what is being proposed, and what changes it heralds, so we’ll wait for the international lawyers to opine on this point.

The definition of “personal data” is still pretty vague and we need to work out whether “online identifiers” are the same as IP addresses. The definition of “personal data breach” means that all of the problems faced by those trying to live within the data breach requirements of the ePrivacy Directive might now be shared with everyone else. Yuk.

We ought to brace ourselves for “children” to be defined as any person below the age of 18 years – which could have implications on the legitimacy of data processing for anyone under 18. And, a special article could well introduce special rules for the processing of children under 13. Perhaps they will only need to get their parent’s consent for some types of processing if they are under 13. On the other hand, the Regulation may also provide that it won’t affect the general contract law of Member States such as rules on the validity, formation, or effect in relation to a child. So, the “one Regulation to rule them all” approach will fall flat on its face when it comes to the problem of addressing the different requirements that Member States already have in how they treat people under the age of 18. But will children be permitted to give their consent for profiling activities? Let’s see. I can’t quite work it out as you have to cross refer to various Articles in the text, and I frankly don’t have the motivation to work out which will take priority. Especially if I’m working on a text that has already been updated, and will be updated again before it is formally published.

As far as the principles of data processing are concerned, we can expect a slight tweak (but probably nothing to worry about), and the processing for legitimate interests condition survives – at least for private companies. It looks as though public authorities can’t use the “legitimate interests clause” to justify the processing of personal data, but they will be able to process data when it’s in the public interest or the exercise of official authority vested in the data controller. Don’t ask me what the difference is, but there probably is one – and if so there might be howls of protest around Brussels and town halls when the implications sink in.

We can expect a glimmer of hope as far as the rules on marketing “similar products and services” are concerned.

On the rights of data subjects, we can brace ourselves for no Subject Access Request Fees, unless such requests are manifestly excessive (whatever that means). This could turn out, in essence, to be a brilliant EU job creation scheme, if armies of staff are to be required to be recruited to deal with these additional Subject Access Requests.

And yes, of course we’ll have some stuff about the “right to be forgotten and to erasure”. And to data portability. Whether it will have any practical effect, only time will tell.

There’s lots more to comment on, if I felt that any reader had the energy to carry on reading this posting. Let me just whet their appetite by suggesting that the breach notification requirements still appear overly onerous (in the sense that there are draconian requirements to report matters fast, but no corresponding obligations on the part of the regulator to do anything with them in an equally speedy manner). Help may be at hand, though, if they provide standard forms and templates to work out what needs to be reported to whom. Well, templates that work, anyway. I’ll shortly be blogging on an initiative by ENISA, offering guidance and a standard form. And a mightily clever (and fiendishly complicated) way of calculating the severity of harm.

Turning to the infamous sanction powers, we may all have a pleasant surprise. The ludicrous proposal to fine companies between 100,000 and 1 million Euros or up to 5% of their annual worldwide turnover for a failure to report a breach within 24 hours could well be lowered to a fine of merely between 1,000 and 1 million Euros or up to 4% of their annual worldwide turnover. Is anyone celebrating?

But that’s enough from me. It’s enough to put me off my pudding tonight. I won’t read and analyse any more of this draft, or any more drafts. I will just thank the folk at European Commission for their commitment to transparency. Yet again, they appear to have created and circulated a document that has no protective security markings, so it is only fair to assume that it is not a confidential document.

Confidential or not, I won't be sharing this draft with anyone. Sorry, friends, but it won’t be too long to wait before another text emerges from the official channels, and you will be free to feast on that.


Cookiepedia – you heard it here, first

The data protection experts who are so far ahead of the curve that it hurts will already have consulted this internet site, and now it’s your turn to know that it exists and to spread the word about what useful purpose it could serve. And think of the brownie points you will earn when your chums realise how on the ball you really are!

Launched by our chums at the Cookie Collective just 48 hours ago, the purpose of the site is to provide webmasters with a way of starting to comply with the cookie requirements in the ePrivacy Directive. If “the great unwashed” are to be provided with information about what cookies actually are, and what types of cookies exist, then it’s going to help greatly if the industry can create easy-to-read explanations. The sort of explanations that can be understood by people like Homer Simpson, as well as Albert Einstein. And, it will help even more if all of the players in industry can provide its users with very similar, if not identical, explanations of these cookies.

We all know that, ultimately, some of these cookies will be treated like Jose Mourinho, currently the Real Madrid football coach. These cookies will fall into the category of “the special ones”, for which preferential treatment will be available. In language used in the e Privacy Directive, these will be the “strictly necessary” cookies, ie those for which consent will not be required before they can be placed on a person’s electronic device.

The website does not offer advice on the types of cookies that will fall into the Mourinho category, but it is only in beta form right now. You never know how it might evolve. After all, Richard Beaumont, the guru behind this initiative, seems keen to let users play with the site and we can all see how it develops organically from here.

And because it’s only in beta form, please don’t scoff if you can’t yet find a privacy policy (or a cookie policy, for that matter). We all know how hard it is to get the legal bits all nicely formed, at the bottom of the home page. So let’s take a moment to celebrate the great work which had been achieved so far, rather than carp from the sides about the absence of compliance and regulatory stuff that means so little to so many.

I don’t know how these cookie definitions will differ from the categories of cookies that are being created by the International Chamber of Commerce (see the blog I posted on 14 January). Hopefully, it won’t be too long before their initial approach is known.


Declaration of interest:
I have no business, personal or financial interest in this website, nor am I associated with any members of the Cookie Collective. But it does seem like a good idea and I do like speading news about good ideas.


Wednesday 18 January 2012

Is someone in the Commission discarding some articles?

The gossip is that someone has obviously put their common sense shoes on, and has started kicking out a few of the more outrageous proposals in the widely leaked draft of a new legal framework for data protection (the infamous Version 56).

This can only be good news.

Actually, I had no sooner returned from delivering a hard-hitting presentation in central London yesterday, lampooning Commissioner Reding’s team for proposing that data controllers face fines of between 100,000 and 1 million Euros (or 5% of their global turnover), for failing to promptly inform the regulator of a personal data breach (ie within 24 hours), than I learnt from my chums at DataGuidance that the proposal has apparently been dropped.

Excellent to see common-sense breaking out before the wider world starts to question the Commission’s general approach, once what’s left is formally published.

And let’s hope for better news to come. What about the age of consent, for example. Is it really appropriate that people under the age of 18 are considered children and therefore unable to give their consent without an adult’s permission? It is surely ludicrous that in the UK, a Chief Constable of Police can authorise a person as young as 7 to be issued with a firearms permit, and yet they will have to wait a further 11 years before being able, in data protection terms, to consent to, say, non essential cookies being placed on their electronic devices.

But I digress. Actually, the real purpose of today’s blog was to offer some advice on etiquette and protocol. And especially the protocol on how to behave in the presence of a Commissioner.

Should I be summoned into the presence of a Royal personage, I will have first had a briefing on Royal protocol. So I will feel comfortable with the rules on when to bow, and how deeply, and when I should raise my eyes to look into theirs. What questions should the honoured visitor be asked? That sort of stuff.

Some friends of mine are getting awfully excited as they are about to meet a Commissioner. In fact, they were so excited about the meeting that when they told me, I forgot to ask them what sort of Commissioner it was. So they could be meeting a European Commissioner, or it might be a Police Commissioner, or on the other hand it could just be a Health Services Commissioner. I really should have inquired.

But if I were asked to draw up a protocol statement for a Commissioner, so my friends would know how to behave and what to expect, what would I do? Well, with tongue very much in cheek, and without being briefed on the seniority (or the sex) of the office holder, I might start with something like this:

When they enter you must stand
As they're impossibly grand
But you can sit in a while
When they flash their brilliant smile

The next time you hear the band
Is when a glove leaves their hand
How alluring, how appealing
Now their jacket's hit the ceiling

The tension starts to crack
As you spot the dimples on their back
You should start to grin
As you view their glistening shin

Everyone will agree
They've got a mighty fine knee
You must emit a huge sigh
At first glimpse of their thigh

You'll be desperate to clap
When they untie that safety strap
And there will be roars of applause
As they step out of their drawers

For it's the Commissioner
Simply, the greatest stripper in town


http://statewatch.org/news/2011/dec/eu-com-draft-dp-reg-inter-service-consultation.pdf (Article 79(4)(h)
And thanks to Chris de Burg, whose music was in my mind last night.


Tuesday 17 January 2012

50 things to do before a data protection professional dies (part 2)

Hot on the heels of yesterday’s list is the second half of life-affirming events which may help assess your contribution to the data protection world.

Given that we tend to surround our daily lives with HR-type objectives, and it’s that time of the year again when we need to think of a few to populate this year’s forms, please feel free to perm some from this list.

After all, the purpose of the exercise isn’t just to feel some form of personal satisfaction at the conclusion of a data protection career – it’s also to remind our employers that most of the stuff we do is also ultimately for the benefit of them, too.

So, how many of these have you done?

26. Offer to buy Peter Fleisher a drink after work
27. Pay for professional advice as well as receiving free hospitality from our chums at Bird & Bird, Bristows, Clifford Chance, Covington & Burlington, Field Fisher Waterhouse, Linklaters, Morrison & Forester, Olswang, Pinsent Masons, Speechy Bircham or White & Case (extra points for freeloading off the lot)
28. Persuade your CEO to sign the ICO’s Personal Information Promise
29. Praise a politician for passing a sensible data protection law (extra points if it’s a British data protection law)
30. Publish an article in a commercial data protection journal
31. Purchase a bound copy of the Data Protection Act (extra points if used as a prop when work colleagues get stroppy)
32. Quote sections from the Durant vs FSA Judgment when Subject Access Requesters ask for more than they are entitled to receive
33. Read every word of an opinion from the Article 29 Working Party
34. Reassure the Minister in charge of data protection that you’re just as anxious to create a workable law as he is
35. Smile when your CV is rejected – it’s their loss, not yours!
36. Serve on the Management Committee of the Data Protection Forum for at least a year
37. Shamelessly plagiarise someone else’s work in a presentation, without giving due credit to the rightful author
38. Sing a data protection ditty to the tune of a popular song
39. Speak at a European Commission seminar on some ever so important (but oh so dull) aspect of data protection
40. Support a social event organised by the guys at BigBrotherWatch, or their next door neighbours at the Centre for Policy Studies
41. Take a bottle of wine to a Privacy International party to show that you share their passion to respect fundamental human rights
41. Tell the intelligence agencies that their latest cunning plan complies with all relevant data protection laws
43. Throw an all-nighter to complete work the data protection on a project that’s subsequently cancelled
44. Understand what the rules on transborder data flows actually mean
45. Volunteer a few hours of your time with a recognised think tank to help them explain some bits of data protection law to a focus group
46. Work with the International Chamber of Commerce to make sense of an obscure EU rule
47. Work with the ICO to get someone successfully prosecuted for a DPA offence
48. Work with the police to get a someone successfully prosecuted for a DPA-type offence (extra points if the case is heard at the Old Bailey and you avoid national media attention)
49. Write a data protection blog that occasionally sets tongues wagging
50 . Propose a toast to absent data protection friends (Dear Shelagh Gaskill, you are still so greatly missed)

No, I have not achieved everything on this – yet. There are a couple I’ve still to tick off. Please feel free to contact me to propose additional challenges – the very best of which may be rewarded with a bottle of Plymouth Gin, as I do seem to have some spare bottles around the place.


Monday 16 January 2012

50 things to do before a data protection professional dies (part 1)

When you die, how will your contribution to the data protection world be assessed?

I asked myself this question today as I passed this wooden bench (pictured), on the way to my local farmer’s market. The brass plate brought a smile: “In memory of Paul Eddington (1927 – 95). Much loved TV and stage actor and local resident.” He was widely known for his appearances in three of the most popular television comedies of the 1970s and 80s: The Good Life, Yes Minister and Yes, Prime Minister.

Other former neighbours include comedian Tommy Cooper , Vietnamese leader Ho Chi Minh and Soviet spy Anthony Blunt, but their contributions to society have not been marked with inscriptions on local benches.

I doubt that I’ll be remembered by an inscription on a local bench. But I’m not bothered. My name is carved into a flagstone on the floor of Shakespeare’s Globe, the theatre on London’s South Bank, to commemorate those who contributed to the building costs some 15 years ago. That’s enough for me.

But how should data protection professionals assess their careers? How can we decide whether we have lived our professional lives to the full, or whether it’s just been a bit of a joke? I’m submitting the first half of this 50 point checklist for your comment and approval - and of course I welcome your alternative suggestions.

1. Visit the ICO’s offices in Wilmslow
2. Be summoned to the ICO’s offices in Wilmslow
3. Have a quiet word with the Commissioner at his office in Millbank
4. Attend a Privacy Laws & Business conference in Cambridge (extra points for speaking)
5. Attend an ICO Data Protection Officer conference in Manchester (extra points for speaking)
6. Attend an IAPP congress (extra points for speaking)
7. Attend an international conference of Data Protection Commissioners (extra points for speaking)
8. Brief Ministry of Justice officials on a topical data protection problem
9. Challenge your own long-held interpretation of a bit of data protection law
10. Comment on a draft ICO code prior to its publication
11. Co-author some industry specific guidance on an aspect of DPA compliance
12. Dance the night away at a meeting of the Privacy Officers Supper Club
13. Deal with the aftermath of a high profile personal data breach
14. Discuss Larry Ponomon’s “cost of data breach” report with the great man himself
15. Disagree with an opinion expressed by the European Data Protection Supervisor
16. Draft layered privacy policies that people actually read
17. Find a way of disagreeing with Dr Chris Pounder on a point of data protection law
18. Get an IAPP privacy qualification
19. Get an ISEB data protection qualification
20. Get an honourable mention in an article published by “The Register”
21. Gracefully accept that a career in data protection will never lead to untold riches
22. Halt the progress of a silly data protection initiative without the people who are proposing it realising what you are doing
23. Implement an employee training and awareness programme that staff actually enjoy completing
24. Link your LinkedIn profile to that of at least 500 colleagues (extra points for links with data protection professionals from other continents)
25. Meet Mark Zuckerberg

The second half of the list will be published tomorrow.


Saturday 14 January 2012

Cookies: Commission indicates unease at the current rules

If you read the responses that a couple of the Directorate Generals have made in opposing the Commission’s proposals for a new data protection Directive, you can sense that they’re just realised how hard it might be for everyone to make sense of the current cookie rules, and how much worse the situation could become should the Commission get its way with its new proposals.

We’re all busy people, so I’ll just sketch out the high level argument in this blog. The details can be fleshed out by those who really like getting immersed in the legal bumf. All I want to focus on today is the basic issue.

The argument is that the ePrivacy Directive threatens legitimate on-line business, and that it does so by requiring the categorisation of cookies into particular types, only one of which (the “strictly necessary” type) can be deployed without first having to obtain the consent of the user. If you believe what you read in the leaked Inter service consultation document, the Commission now proposes to compound difficulties by tightening up the definition of “consent” and by preventing people under the age of 18 from giving consent themselves (since only grown-ups are considered capable of giving this type of consent).

If you read the DG Markt comments, for example, you will learn that:

• “Web analytics used for site optimization and variation testing is an essential part of e-commerce operations, It is likely that under the explicit and specific consent regime a large majority of site visitors would not accept any cookies, giving websites a massively reduced statistical basis on which to make site optimization decisions;
• A trader should be able to promote products which are relevant to a recent purchase the customer has made, without having to ask for “consent” each time when he would have to address the customer. Traders often stress the fact that reconfirming the consent of customers can be 10 times more expensive than the retention of an existing consent. This is a cost many businesses will not afford; especially since consent, extended to all categories of data, will in fact increase the amount of data collected and the costs for date controllers;
• Explicitly removing the less explicit context-based means of obtaining consent is likely to ensure that less users agree to harmless forms of data processing, with a negative impact on the performance of e-commerce operators and the availability of free internet services.
• Further, there is an open question as to whether these proposed measures would affect the interpretation of the E-privacy Directive. At present, the cookie consent requirements ... can be satisfied by adequate browser (or other technologies) settings that might require affirmative opt-in consent to receive cookies and may in the future be satisfied by a “Do Not Track” or other setting. However, it would not be possible for a data controller to prove that a data subject consented to receive cookies or permit tracking through their browser or other indirect means of consent unless more privacy invasive tools were employed (such as identity encoded cookies).”

DG Markt is also concerned about the difficulties of obtaining consent:

“The data controller will need to bear the burden of proving that the data subject has given “explicit”, “affirmative”, consent for the processing of their personal data for the specific purposes for which the data was collected. This will in effect push companies and service providers to a registration model, or other business models that rely on identified or authenticated users. This will be:

• Potentially negative for privacy as it will lead more companies to request more and more personal data from users, held in databases, which will be more “invasive” of personal data and privacy than those presently required;
• Disproportionately costly in terms of compliance, with dubious benefit. Controllers will have to record the various consents and details such as: the time they were given, the purposes for which they were given and the identity of the individual who gave them.”

To say that this challenges the business models of internet-based companies such as Facebook is to put it mildly.

The criticism from DG Markt is pretty strong stuff. And it makes it all the more important that we try to implement the current cookie rules in a pragmatic and sensitive way. Otherwise, when the screws are tightened, as is inevitably foreseen by the Commission’s proposals, the “rules” will be ignored to an even greater extent that data controllers currently ignore the transborder data flow rules.

And this is why it’s so important that, at least in the UK, the Information Commissioner’s Office and the International Chamber of Commerce create guidance on implementing the cookie rules that can actually be implemented. The next meeting of the usual suspects will occur in a few weeks time, in central London. I hope to attend that meeting and, subsequently, to comment on any relevant developments.

DG Markt reply to CISNet – delai 20/12/2011 – Data Protection Reform consultation just.c3(2011) 1350739 bis de la DG JUST, p12

Situation wanted:

If all goes to plan, I will shortly be ceasing full-time employment with my current employer, and will have time on my hands to help others who need pragmatic data protection advice and support. Please let me know if you are aware of anything interesting on the horizon. I do prefer policy work to ticking boxes, but we all have our price!


Thursday 12 January 2012

Congratulations to our chums at DataGuidance

In a ****DataGuidance exclusive**** which has just been published online, those intrepid journalists at DataGuidance report that the publication of the proposal for the review of the data protection directive has been postponed to late February/March.

The ****exclusive**** bit is that they have laid their hands on 3 of the 4 unfavourable opinions I was blogging about yesterday. And, they are making copies of these documents available to their subscribers. No, they didn’t get the copies from me. (But yes, they did ask me, and very nicely, too).

My guess is that this is the first commercial publishing house to report on the delay. The first legal firm to publish a report was, I think, Covington & Burlington. I read Mark Young’s posting about 27 hours ago. I have not seen an earlier blog posting to the one I published yesterday, reporting on the delay, but I am far too modest to blow my own trumpet.

I’m thinking about presenting one of the many bottles of Plymouth Gin that are on their way to me to the person who can claim to have been even faster to the internet than either Mark Young or me with news of the delay. If you think you were the first, then please contact me – with the evidence.

I’m expecting to see a few more “copy cat” articles in the days and weeks to come. Let’s see who can add how much more detail to this story.



Is this the speech that Commissioner Reding will deliver on 25 January?

Check against delivery

Ladies and Gentlemen

Before I depart for the World Economic Forum at Davos in Switzerland, where I plan to spend the rest of the week conferring with world leaders and others who are at least as important as me, I have decided to announce that you will have to wait a little longer for the Commission to publish its proposals to revise the current data protection directive.

Yes, I know that you were all expecting something substantive by Data Protection Day. So was I, to be frank with you. After all, who would have thought that so many people might want to get so upset with the proposals that my officials had so carefully worked on for so many months. I think that’s rude. You lot should have been grateful for what you were going to be given.

Now, the cat’s really out of the bag. It’s not just about defending the basic human rights of individuals any more. Even data controllers think they’ve got rights these days, and they’ve been working frantically behind the scenes to ensure that whatever does emerge from the Commission recognises those rights to a far greater extent than I thought they deserved.

So, I have failed. I had hoped to have presented you with a package that was so tilted to the rights of the individual that there would have been riots in the streets when citizens became aware that companies, institutions and public authorities wanted to dilute them.

I am sorry. My officials will now continue their hard work to ensure that the rights of individuals are at least balanced against the legitimate interests of businesses and public authorities.

I really don’t know how long this additional period of internal consultation will last. After all, my officials are busy people, and there are other things on their plate, some of which are much more important than changes to the data protection regime.

I am pleased to announce today that I am hoping that the draft legislative proposal will be published in mid-March. But you know me. I am an eternal optimist. I always look on the bright side of life, and I always live in hope that we can resolve our differences by a series of amicable and constructive discussions.

Will the world come to an end if the proposal is not published in mid-March? No.

Are data controllers capable of applying the current rules in a flexible manner, ignoring the bits that are hopelessly out of date? Yes.

Will I be bothered if I have to announce in mid March that the review will take even longer before it can be shared more widely? Not really.

The current review will take as long as it takes. So please wait, with patience, good humour and a sense of compassion for those who are straining every sinew to knock heads together and to make some sense of this shambles.

I won’t be taking any questions today.

Now, I’m off to Davos.

If I were asked to draft a speech for Commissioner Reding, scheduled for delivery on 25th January, this is what I would submit.


Cookies: even more guidance coming soon

Hot on the heels of the revised ICO cookie guidance that was launched last month comes word that the mighty UK Chapter of the International Chamber of Commerce is close to publishing its own guide to compliance.

The usual suspects will soon be placing cold towels around their heads as they try to work out the differences between the ICO’s and ICC’s advice, and to advise about what people should be doing next.

Don’t scold yourself too severely if you have not already digested the ICO’s latest effort. Published on 13th December (right in the middle of the Xmas party season), the 27 page document tries as hard as it can to explain what the law now is, and how responsible data controllers might choose to comply with it. The unwritten subtext is pretty clear – that the ICO did not create the law, so it shouldn’t be blamed for the position that data controllers currently find themselves in. What you get this time is examples (and pictures) of the types of words that the ICO considers could usefully appear on websites, and where the text should ideally positioned for the maximum regulatory impact.

I explained this to some friends who run websites a few days ago and was taken aback by their incomprehension. It was pretty clear that I was speaking a very different language to that which they use.

“What on earth do you mean?” they challenged me, incredulous that anyone would want to focus on designing websites for maximum regulatory impact, rather than in terms of what customers actually wanted to experience for themselves. I was told about piles of consumer research which suggested that the very best websites these days try their very hardest to tailor their content to the needs of the individual user. As far as they were concerned, this well-intentioned initiative was going to struggle to survive in its present form.

The core of the problem seems to lie in a common understanding about why certain websites exist in the first place, and in customer’s unwillingness to want to understand the magic that goes on behind the scenes to give them the content they want when they visit a website. I was told that the regulatory solution – one of consent – is not really achievable, as users are very unlikely to genuinely have sufficient knowledge about cookies to actually be capable of providing this consent. Finally, the web designers I have spoken to have very firm views on what cookies are strictly necessary, and their views are not reflected by the ICO.

Let’s unpack this a little.

First, it’s important to agree understand that websites are created for a range of purposes, by organisations who have very different views about the prominence they play in the overall offering to the customer. While some well known organisations are principally known as purely on-line companies (eg Amazon, Facebook, BBC and other media organisations), most of those who have an internet presence also employ specialist Customer Services staff. The consumer research I have seen suggests that websites are not very helpful when customers have a problem that needs resolving then and there, where handling or seeing a product is important, or when quire specialised advice is needed in order to make a decision. Such cases are better resolved when a customer deals with a real person. Websites excel when they spread general advice, facilitate social or professional networking contacts or allow users to purchase standard items (say groceries, books or concert tickets).

The consumer research I have seen suggests that consumers really don’t want to know about the magic that goes on behind the scenes to put relevant content in front of the user. And the discussions I have had with web developers indicates a degree of incredulity that they would ever deploy cookies that were not strictly necessary to maximise the user’s on-line experience. These developers were painfully aware of the fatal consequences of getting a website wrong – customers don’t return in huge numbers and the result is commercial death. (To paraphrase the Bard: Wherefore art thou, Bebo?)

This is one of the fault lines of the ICO’s advice. It’s analysis of the lawfulness of using certain cookies without specific consent is based on functionality (ie “is it possible for a web site operate without this cookie”) while others base the legitimacy of their cookies on the perceived expectations of the user (ie “is this the best experience that we can offer the user so that this website gives them what they want, when they want it, and how they want it?”).

The ICO’s solution can be summarised in 3 words: “Education and consent”. Education can take the form of long lists of cookies being published on a website. (Yet, I’m also told by the ICO that long explanations in privacy policies generally don’t work, as people ignore them.) Consent can take the form of a process which suggests that the user has “accepted” something. The real problem, of course, is that if we are not careful, some litigant will argue that this is hardly proper “consent”, because the user simply ticked some boxes and, not having read the accompanying bumf, didn’t really know what they were consenting to anyway. So it doesn’t meet the really high definition of “consent” in the Data Protection Directive.

Is all lost? It’s never all lost. Soon, I’ll get to review the approach recommended by the International Chamber of Commerce. I’ll then be able to work out whether customer behaviour is likely to change as a result of that guidance, and whether website operators are getting any closer to finding a solution to a legislative issue that wasn’t much of a problem in the first place.


Wednesday 11 January 2012

The Commission’s 2012 Data Protection Day “present” prematurely scuppered?

The pantomime season continues. I understand that the Commission’s plans to commemorate 2012 Data Protection Day by publishing its proposals for a new legislative framework are unravelling, fast. This is because the results of the Inter service consultation are in. Some of those that have been consulted are really very unhappy with the proposals. Four Directorate-Generals have gone so far as to issue formal unfavourable opinions, which could really slow things down.

For those not in the know, the Inter service consultation process requires each respondent to return a form to the sponsoring Directorate General and check one of three boxes to indicate their high level position on the matter. The options are (1) Favourable opinion, (2) Favourable opinion subject to account being taken of the following comments, and (3) Unfavourable opinion (see attached comments).

Of the unfavourable opinions, DG Trade’s two page reply points out that the proposal “is likely to have a significant negative impact on EU cross border trade”. The European Anti-Fraud Office (OLAF) sent in a six page response focussing on 17 specific aspects of the proposed package. The Information Society & Media Directorate General submitted a 22 page response, making some quite detailed points and recommending a number of specific changes to the text.

Finally, DG Markt prepared a 26 page document outlining their reservations. The language is cold and uncompromising: “In bilateral meetings between DG MARKT and DG JUST your services have highlighted pragmatic and balanced approaches to data protection. However, we considers (sic) the ISC draft in its present form might lead to important and even dangerous consequences for businesses and citizens / users / consumers as main data protection principles would be applied in an inflexible manner without taking into account the context of the processing of information."

This is pretty sensational stuff. And it changes the procedures that now have to be followed before the proposals can be formally published. Basically, the civil servants urgently need to find a compromise with each of these 4 Services, and if they are unwilling or unable to reach a compromise, the issue has to be elevated and referred to the next meeting of the College of Commissioners. Here, political discussions will take place to resolve the issues at the level of the Commissioners themselves. I don’t think they’ll be that happy – especially since I reported in yesterday’s blog that work on revising the current Directive is only prioritised at 42nd place in the Commission’s inventory of 78 outstanding issues.

So, given the fundamental nature of so many of the objections, and the status of the European institutions who have issued these unfavourable opinions, will it really be possible for harmony to break out within the next two weeks? And for a text to be revised that takes full account of these objections?

I think not.

And if I’m right, a number of my learned friends may have to hastily postpone the events they are currently organising to discuss the thing as soon as it appears.

Then again, I did ask back in my blog posting of 26 September 2011 “What comes first? St Valentine’s Day or a new draft DP Directive?”

Applications for copies of these opinions should really be sent directly to the Directorate Generals themselves. Very close friends may get one from me, if they would be so kind as to enclose a bottle of Plymouth Gin with their request.


Tuesday 10 January 2012

The European Data Protection Supervisor shows us his list

Truth really is stranger than fiction.

Yesterday, for example, I blogged (in a light-hearted manner) about an imaginary 37 point plan that Commissioner Viviane Reding would unveil on International Data Protection Day (28th January) “which commits the Commission to sweeping away the rights of Member States to create their own data protection rules”.

Surely, I thought to myself, no-one really works to things as complicated as 37 point plans any more.

But I was wrong.

No sooner than I published yesterday’s blog than friends from Brussels had contacted me with the news that it was not only Commissioner Reding who had a lot on her plate. This very day, for example, Peter Hustinx, the European Data Protection Supervisor would announce his own workload for 2012. Peter’s tasks will compliment the European Commission’s very own agenda (or inventory) – which has 78 separate items which need tracking and resolving.

And to show just how frantically busy Peter is going to be, today he announced that he will issue an opinion on 32 items in the inventory. Additionally, he may comment or issue an opinion on a further 27 items. And as for the remaining 19 items? Well, apparently he’ll just be following developments.

So, a minimum of 32 opinions from Peter Hustinx to look forward to this year. Mmmmmmmm. Can’t wait.

It’s interesting to note the order in which the European Commission has prioritised the inventory. It reads like a political hit parade, with the most important issue ranked No 1, and the least important one (which concerns an Anti-Counterfeiting Trade Agreement) languishing at the bottom at No 78.

Other interesting rankings are an EU-US consumer protection cooperation agreement (No 71), and the development of EU driving licences containing microchips (No 63).

Work on a new Data Protection Directive comes in at 42 on the list. Work on making the internet a safer place for children slips in at No 33. Common rules on data breach notifications is at No 26. Revised rules on the retention of communications records for law enforcement purposes streaks in ahead of these at No 16.

And the most pressing priority?

No, it’s not about protecting the Euro. Actually it’s about the transparency rules on the financing of the Common Agricultural Policy. It seems that some farmers are pretty miffed that their basic human rights may be compromised if Member States were obliged to publish details of all subsidies to beneficiaries of payments under the CAP and rural development policy. And, some courts have held that these farmers may have a point.

Some point!

Peter Hustinx might want to have a word with former (British) Information Commissioner Richard Thomas about this. After all, Richard faced similar issues when deciding whether politicians needed to own up about making “subsistence” claims for duck houses and moat cleaners a few years ago. The roar from the crowd when they realised they might have been ripped off must have been heard all the way from Westminster to Rotherham.

So, I don’t think that Peter needs to spend too much time on priority No 1. I think he should make it pretty clear that the basic human right of privacy can turn into a very qualified right when someone consciously applies for public funds for a purpose which is subsequently seen as dishonest or unconscionable.

Let’s see how Peter opines on that one.

And let’s hope that, even with a workload as heavy as his, Peter still manages to get out from his office frequently and travel all over Europe to assess life as we live it, rather than just life as it is imagined from Brussels.

(If he needs anyone to carry his bags, I will be available quite soon.)