Saturday 31 March 2012

Victory for German Data Protection!

I had trouble sleeping last night. I think this is because I was so taken by Chris Pounder’s description of the attitude expressed by the European Commission’s spokesperson (Paul Nemitz) at the ICO’s conference on the future of data protection in Central London, held a few days ago. According to Chris: “Paul signalled an inflexible approach towards the implementation of the Data Protection Regulation; he stated that he would consider amendments that make the Regulation work better but not those amendments that were based on alternative (and better) ideas.

“At the meeting Mr Nemitz pointedly said that in Germany there is a high level of data subject trust and a thriving German economy; high standards of data protection and economic success go hand in hand. He said that the Commission had the balance of interests “more or less correct”, and changes to the text most needed would be those that tinker at the edges.”

This kept me awake for most of last night. I wondered how I could turn such an attitude into a popular song. Inspiration struck around the time of the dawn chorus. I remembered that brilliant scene in the 1972 film Cabaret when a young boy was spotted, singing a seemingly innocent lyrical song about the beauties of nature. His song gradually turned into a much more menacing chant.

So, with more than a grateful nod to John Kander and Fred Ebb, I do hope they’re not too offended by my (mis)treatment of their wonderful song “Tomorrow Belongs to Me". I’ve even changed its title. But I think the new one is just as strong as the original. The English translation appears as the title of this blog posting. The German translation of the new title is set out just above my lyrics. And I’ve also changed the singers. In the film, the boy was surrounded by a bunch of waiters. In my version, the soloist (an anonymous Commission official) is surrounded by his chums from DG Justice.

(First, dear reader, I do hope you’re not going to be too offended by the rest of this blog. I write in jest. Not out of spite. If you are of a nervous disposition, I suggest that you point your browser at something else, right now.)


The draft Regulation must take a fixed form
Protestors can chant by that tree
We’ll gather together to fight the storm
Tomorrow belongs to me

The Rappateur in the Parliament gets it - and is green
MEPs will approve it with glee
But somewhere a glory awaits unseen
Tomorrow belongs to me

Now Datenschutz, Datenschutz show us the sign
Data subjects have waited to see
That day will soon come
When the world is mine
Tomorrow belongs to me

The Vice President, in her office, is closing her eyes
Licking her lips with glee
But soon says the whisper, arise, arise
Tomorrow belongs to me
Tomorrow belongs to me

Image credit:

I took this image during a trip to Berlin in October 2007. It caught my eye as I was on my way to visit a travelling exhibition devoted to the theme of failed relationships, which had originated in Croatia. The Museum of Broken Relationships asked people in the cities it visited to donate mementos of everything from short flings to painful divorces. Berliners donated more than 30 objects, including a wedding dress and an axe used to break an ex's furniture. Perhaps it will soon be time to donate that photograph (which ought to exist somewhere) of Commission officials expressing their full confidence in all of the opinions ever issued by the Article 29 Working Party.

Friday 30 March 2012

ISEB Accreditation: The mock exam (and an inflexible Commission)

There was an unusual atmosphere in the (mock) exam room in Central London today as I joined a group of people who were all sitting a mock ISEB data protection exam, under the strict supervision of the great Chris Pounder from Amberhawk.

What is supposed to happen on such occasions, apparently, is that as the hours tick by, the candidates get ever more stressed, while the invigilator sits benignly at the front of the room, doing whatever it is that invigilators get up to as the rest of us have got our heads down, writing as fast as modern technology will allow. I’m sure, when I was 18, I wrote far faster (and far more legibly) than I do these days. I’m now obviously spending far too much time on the keyboard, and less time with a pen between my fingers. Writing for 3 hours solid hurts. And writing for Amberhawk’s mock exam, which actually lasts for 3 ½ hours, hurts even more.

Anyway, back to the plot.

What actually happened today was that, as the hours ticked by and we candidates became increasingly stressed, so too did Chris Pounder. Was this because he was worried that the questions he had set were far too hard for us?

Actually, no.

It was because he was pounding his fingers over his keyboard, preparing this week’s Hawktalk blog. He had spent the past few days at the ICO’s data protection event on the implementation of that Regulation, and could not believe that the European Commission were adopting the attitude that their spokesperson (Paul Nemitz) was taking as he addressed the meeting yesterday. Talk about inflexible. Apparently, the Commission would consider amendments that make that Regulation work better but not those amendments that were based on alternative (and better) ideas.

I was not able to attend Paul Nemitz's presentation. I was, instead, busy revising for today. Having heard about how Paul Nemitz (allegedly) behaved, I really would have liked to have witnessed it for myself. But I guess there will be plenty more opportunities for me to witness at first hand an attitude that is going to win no friends and no consumer support from most parts of Europe.

This is war. And what can the Commission’s aim really be? Unless it realises that the possibility of the current proposal being accepted by the European Parliament and the Council is even more remote than me being appointed to the House of Lords by next Easter. Perhaps it has already decided to allow itself to be defeated and for it go be seen to be going down because it wished to adopt a principled approach, rather than seek some grubby back-room compromises that would result in a legal instrument pleasing no-one.

I’m not quite sure what George Galloway’s Respect Party thinks of the Commission’s proposals, but given the pasting it’s just given to the Labour Party in yesterday’s by-election in Bradford West, if I were the Commission I would be afraid when Mr G gets to hear about it. Very afraid.

We Brits are not that keen on Euro-Imperialism, especially when we used to be the top dogs and were expert at spreading our particular brand of British Imperialism across the globe several centuries ago. We’ll happily dole it out, but we won’t take to it that readily.

I have not seen Chris Pounder so agitated before. Ever. Not during normal business hours, anyway.

But, back to the mock exam.

The first part of the exam was marked while we candidates attempted parts 2 and 3. So we all now have a rough idea of where we stand, and what areas of the syllabus we either need to revise, or learn from scratch. I’ll be debriefed on the 2nd and 3rd parts of the exam in a few weeks time. Then it will be full steam ahead to ensure that I’m going to be all right for the actual event, which will take place on 27 April.

I now have even more respect for those brave souls who have put themselves through this process, which really does test a candidate’s legal and data protection knowledge. And I do hope that I’ll be able to remain focused and provide exam answers that are in accordance with what it is the examiners actually wish to see on the answer page, rather than what a pragmatic data protection officer might otherwise suggest in an internal note in a hurry.



Thursday 29 March 2012

The hidden cost of breach notification

How many more staff might the Information Commissioner’s Office have to employ if the breach notification rules in that Regulation are actually implemented?

I’ve been doing some sums, and my calculations are pretty horrific. In fact, they’re so horrific that I’m looking forward to consulting the academic community to work out just what’s wrong with them. We’ve all known that the proposed rules are to place pretty onerous burdens on data controllers – but I hadn’t quite realised what the consequences might also be for regulators.

According to my calculations, the ICO might need to increase the volume of staff reviewing breach notifications by a factor of 15. So, they might need to increase a team of 10 to a division of 150. That means adding another floor to the ICO’s only recently extended office in Wilmslow. So much for efficiency savings by not needing so many staff for the Data Protection Notification Division. They’ll simply have to transfer them all to a Data Protection Breach Notification Division.

Let me explain.

What I’ve actually done is that I've taken another look at the incidents that I’ve personally dealt with as a Data Protection Officer over the past 9 months, and I’ve tried to work out whether they could have been classified as data breaches that were sufficiently serious to merit notifying the ICO using different sets of reporting conditions. Yes, this research uses real data.

Having reviewed all the circumstances of the incident. I’ve sorted them into three categories. The first (blue) category is the criteria that a responsible data protection officer would use when they apply the current ICO “best practice” guidelines on breach notification. In very general terms, this is where a threshold of 1,000 victims applies, with lower thresholds if the information breached is particularly confidential.

The second (red) category is the criteria that a responsible data protection officer would use when they apply the current breach notification rules in the ePrivacy Directive, as interpreted by the ICO. This category obviously includes the first category, but also contains less significant incidents. Remember, under the ePrivacy Directive, notifications have to be made when even where no harm has been caused to a victim, the only stuff that’s been lost is encrypted, there has only been one victim, and where there has been unauthorised access and alteration to the information, however minor. But, breach reports only need to be submitted once a month.

The third (green) category is the criteria that a responsible data protection officer would use when they apply the proposed breach notification rules in that Regulation. Naturally, it includes the stuff that would have been reported under the ePrivacy Directive, but it also contains a host of more trivial incidents. Remember, under these proposed rules, breach reports should be made within 24 hours, and huge fines can be imposed on those who fail to notify the right stuff. So, the cautious compliers will probably feel encouraged to over-notify, as there aren’t any penalties for over notification. It’s a bit like the old Data Protection Registration days, when data controllers ticked every box they could find on an ICO Registration form, just to be on the safe side. It still cost £35 to register, regardless of the number of boxes that were ticked.

I presented these figures yesterday at an ICO workshop on data breach management in Central London. I also made a number of other comments, and displayed the stats in a slightly different way yesterday – but the results are the same, however you cut and dice the figures.

Getting to the hard stats (pictured), if I were a responsible data controller, over the last 9 months I would have submitted 4 breach notification reports to the ICO if I were adhering to the ICO’s “best practice” guidelines, 27 reports if I were adhering to the ePrivacy rules, and a whopping 88 reports if I were doing my best to comply with the proposed rules in that Regulation.

It’s my contention, that of the 88 reports sent to the ICO, in truth they could throw away 84 of them and just concentrate on the 4 reports that I would have sent using the ICO’s current ”best practice” guidelines. And, they would find that there was no need to take any regulatory action against the data controller in respect of these 4 reports, given the nature of the reports – which I won’t discuss in this blog.

But what happens when the other 330,000 large data controllers in the UK start to follow my lead, and increase the volume of reports by so much? Especially when, frankly, all that’s new that's being sent is the inconsequential and the trivial? Remember, we are all probably going to be reporting a couple of incidents each week.

And, being a responsible data controller, I’ll be demanding that the ICO promptly marks my homework, and gives me feedback on each report, so I can better calibrate the next incident that comes along and decide whether it needs to be reported.

The faster the regulators realise the consequences of having to deal with the huge additional workload, the better. I don’t mind keeping regulators busy. But if they can’t cope with what they are being sent, then data controllers are going to be mightily unhappy if they are to be fined for not keeping up with their obligations to promptly report the incidents in the first place.

Note to academic researchers:
Please get in touch if you are seriously interested in helping out by sanity checking my calculations. And if you want to help prevent regulators from being swamped with a daily tsunami of trivial breach notification reports.


Saturday 24 March 2012

Speaking in clichés

This weekend I'm preparing a series of remarks that I'll be making at the ICO’s conference on the future of data protection, to be held in Central London later in the week. Don’t worry if you haven’t heard about it – I gather that such was the anticipated interest, and the predicted subsequent disappointment when it was realised that not every applicant could attend, that it has turned into an invitation-only event. I’ll blog about the best bits later.

Some of the phrases I'll be using in my presentation ought to be pretty good. And that will be because I'll be repeating a few of the lines used by Cory Doctrow at the Open Rights Group's conference, held in Central London today (pictured). Who is he? He's a Canadian-British blogger cum journalist who is also well known as a science fiction author.

Cory was speaking (using reams of carefully honed phrases) on the war on general purpose computing. I'll be speaking on data breach management. But we could well be using the same language to make same the points in our presentations. Spooky.

And what phrases may I be gratefully be rehashing?

Eyes down for catch phrase bingo:

“They made a series of unrealistic demands on the community and the community stubbornly refused to follow them.”

“As they say on aircraft carriers, Mission Accomplished.”

“The triviality of this issue is revealed when we appreciate the significance of the real issues that face us today.
[Such as the economy, education and public health.] This is not a war, this is barely a skirmish.”

“Are we finally fighting the final boss at the end of the game, or is it just the intermediate boss at the end of the level? Or are we still fighting the mini boss?”

“Real legislative toxic waste.”

Other speakers such as Wendy Seltzer also used cool phrases. Wendy is a Fellow at Yale Law School, on the board of directors of the TOR project. She quoted US Senator Ron Wyden, referring to the draft Combating Online Infringement and Counterfeits Act:"It seems to me that online copyright infringement is a legitimate problem, but it seems to me that COICA as written is the wrong medicine. Deploying this statute to combat online copyright infringement seems almost like using a bunker-busting cluster bomb when what you really need is a precision-guided missile."

Professor Ross Anderson, from the University of Cambridge Computer Laboratory, also came up with a great quote, fearing the consequences of a data breach involving large databases containing people’s sensitive medical details: “When the moral entrepreneurs get going it will be like Alder Hay on steroids.” Interestingly, he’s just published some great stuff on anonymisation. So the ICO won’t have that much research to do when prepares its own Code of Practice on the same subject.

I won’t identify the speaker who opined about “an Office deliberately created to be toothless back in the 1980s.” Nor will I identify the Office. But I am looking forward to doing my bit for the ICO later in the week.

Is it necessary just to in clichés? Probably not, but why waste time reinventing the wheel?

Feel free to count them as I use them later in the week. And, if I get to use them all, I'll give a nod to the person who shouts "Data Protection Bingo" first!


Friday 23 March 2012

OMG! My personal data’s just been breached by the ORG!

I’m not making this up. I wish I were but, let’s face it, it happens to everyone.

I was quite looking forward to attending the Open Rights Group’s conference in Central London tomorrow. Now, I’m really looking forward to the event.


Because I know who else will be there.

Yes, early this morning, some overworked conference organiser sent me an email reminding me about tomorrow, and carelessly circulated my email details to everyone by using a .cc list, rather than a .bcc list. So now I have the email addresses of at least 145 people who may be attending. One minute later, at 3.18am, the sender realised that a mistake had been made, and a full apology was offered to all.

No harm done. Not to me, anyway. Some of the email addresses are quite revealing, though, It shows just what a great sense of humour a number of the people attending the event evidently have, if they have registered those domain names to themselves. No, I’m not going to be giving any names - or domain names away. That would be naughty. Great fun, but a bit naughty.

Anyway, if you are free, I hope to see you there. According to the conference blurb, you’ll get a chance catch up with everything digital rights related, while meeting the brilliant minds of Lawrence Lessig, Cory Doctorow, Wendy Seltzer, Ross Anderson, Tom Lowenthal and many more. From the government snooping on your data to default internet blocking and monitoring to the corporate capture of state and democratic institutions –the ORG will be covering vast regions of the digital rights sphere. And there may even be a competition or two!

Ironically they’ll be a session on the current campaign to: “Stop the government snooping on every email and Facebook message”. Signatures are being requested for an e-petition to explain to David Cameron, Nick Clegg and Theresa May: "I do not want the government to try to intercept every UK email, facebook account and online communication. It would be pointless – as it will be easy for criminals to encrypt and evade – and expensive. It would also be illegal: mass surveillance would be a breach of our fundamental right to privacy. Please cancel the Communications Capabilities Development Plan."

It is explained to me that, by becoming an ORG member, my personal data is safe. Paragraph 3 of its privacy policy explains that: “We shall never voluntarily share your information with a third party for their own use, and will fight to the degree that we are able any legal or government action that attempts to obtain such data. We will keep a public list of any third party service providers that we use to further our stated purposes. Supporters will be given 14 days notice before any changes to this list.”

And paragraph 4 goes on to explain that: “We will not transfer any information that we hold on you to anyone outside the European Economic Area. Unless there is an equivalent data protection regime, as provided for example by the US Safe Harbour agreement.”

So that’s all right then. I can trust them with my personal data, then. I just hope they don’t exact too cruel a punishment from the poor conference organiser who fouled up so early this morning.

A more appropriate punishment that a savage kicking, I think, would be for the miscreant to offer to donate £20 to the drinks kitty when the most loyal of the ORG members gather for a celebratory pizza after the conference, tomorrow night.


Thursday 22 March 2012

Vint speaks: The UK’s internet community listens

Internet God Vint Clef set the room alight today, when he addressed the usual suspects at the annual meeting of the UK Internet Policy Forum in Central London. If there ever existed a living invividual whose personal contribution to mankind exceeds that of Vint, then I would be very surprised. I’m so grateful to my chums at Nominet for making today’s event happen.

For those who don’t know, Vint is the VP and Chief Internet Evangelist for Google. He co-invented the architecture and basic protocols of the internet and has received more awards and honours than anyone would ever need. It was he, some 40 years ago, who put in place building blocks which everyone takes for granted today. So when >The Beatles first sang: “it was 20 years ago today, Sergeant Pepper taught the band to play” back in 1967, it’s absolutely astonishing to think that the band was playing in a pre-internet world.

Just think what has happened since then.

As this was a conference on internet policy, a lot of what Vint had to say really needs to be respected. And, significantly, it is evidence of a profound disagreement about the role that Governments should play in what happens on the Internet. If I were the European Commission, I would doubt that the European view of internet regulation could be readily or properly reconciled with that of the American view.

A principal point was that individuals will always have a desire to communicate. When pressed, he admitted that what has most surprised him about the development of the internet is the extent to which so many people have been so keen to spread information via the internet. Equally, Vint pointed out that not everyone wants to hear what everyone else wants to say. Which is why we rely on search machines, clues from friends or brands to filter the information we are looking for.

He suggested that our greatest concern was the unintended consequence of introducing rules which are designed to prevent some bad things from happening, but also prevented good things from happening. To the American politicians who supported internet censorship, he pointed out that America was born in the aftermath of an anonymous revolution (Tom Payne’s revolutionary writings, published just prior to the American Revolution, were initially published anonymously, as he feared the consequences of State retribution), and that they were making a great mistake if they objected to that.

The issue, today, is the lack of sufficiently precise tools with which to prevent bad things happening, People who generally want control over the internet tend to show people the worst possible cases, and they gloss over that else their tools will prevent. Is this security or are they wolves in sheep’s clothing?

But Vint was also keen to emphasise that we do need to create ways of protecting our citizens. We can’t ignore the need to make society a safe place. But, critically, we should not pay the price of freedom of expression to serve that goal.

So, we have the old argument of freedom of expression against someone else’s fundamental rights. I think I keep hear that argument played out as the EU and US negotiators try to form a coherent view on data protection regulation. In my humble view, agreement is unlikely to break out any time soon.

Vint also made a couple of announcements that will soon turn into pub quiz questions – so you’ve heard them here first:

• Originally, Vint didn’t want to be known as the Chief Internet Evangelist for Google. When first asked for a Google job title, Vint suggested Arch Duke. And then it was pointed out what had happened to an earlier Arch Duke, and how the First World War had followed swiftly afterwards.
IP version 6 address protocols will officially be in common use from Wednesday 6 June. Currently they are being tested on the internet, meaning they are occasionally turned on, and then off again. But from 6 June they won’t be turned off. Internet browsers will have to process both versions simultaneously, if they are to work properly.

Vint saved the ultra impressive stuff to the last few minutes of his speech. He gave us a truly astonishing overview of the sort of services that Google were just about to offer, and then spent a few minutes talking about his recent role in the Interplanetary Internet Architecture Programme. That’s right. Not only will different national space agencies be able to talk to each other, but plans are also in place to communicate with objects as far away as Alpha Centauri A star (pictured), which requires communications technologies that work over a distance of 4 light years. And yes, they are already being developed.

So, how will the European Commission address the tricky issue of servers in space, when it can’t even sort out workable laws that govern flows of data to countries or territories outside the EEA? Cummon, guys, we are now talking about internet servers in space. And soon.

Very soon.

Just perhaps, space will not be that final (regulatory) frontier, after all.

Image credit:


Tuesday 20 March 2012

Hurrah! We’re not all doomed when that Regulation is dropped

In a speech delivered yesterday to the Statute Law Society by Philip Coppel QC, I was left with the clear sense that there were indeed some prominent supporters of the current Data Protection Act. The inference of Coppel’s speech was pretty clear: Don’t worry too much if the discussions over that Regulation come to nothing. All is not lost. We can make do with what we already have for the time being – and for some time to come.

Philip Coppel is well known to those who follow litigation involving the Information Commissioner’s Office. A quick squint at his case history reveals he certainly has “form” when appearing in information law cases. He does know his stuff.

The Judiciary are no lovers of data protection legislation, but then again, when you look at the cases that have been argued before various benches, it’s hard to find a less attractive bunch of plaintiffs. Perhaps that’s one of the main problems – if the courts had only more experience in dealing with more reasonable plaintiffs, they might take the protections that the Act can provide a little more seriously. I’ve often thought that the less responsibly the plaintiff’s appears to behave, then the harder the Bench will strive to find some way of denying their application, whatever everyone else thinks the law says.

But enough of my rant.

Coppel saw lots of nods of agreement among the audience as he described the Data Protection Act as: “the ugly relation in the law of privacy.” It’s a thicket and an unpleasant piece of legislation, which takes a lot of guidance before you get to realise how it is actually supposed to work. Tell me about it. I’ve been spending days being lectured on how the various bits of the legislation mesh together, as I mug up for my ISEB data protection exam.

The legislators have also known that for an awful long time. Coppel ruefully remarked that, as the House of Lords commenced the Second Reading of the Data Protection Bill in February 1998, “the chamber emptied itself as quickly as health and safety legislation permitted”.

Even one of the members of the audience, who later introduced himself as a former Home Office official who was heavily involved in progressing much of the data protection implementing legislation through Parliament over a decade ago, commented that: “At bottom, it’s simply not very clear what it’s all about.”

But, Coppel made the vitally important point that when you look at what the Act actually provides for, it’s not as bad as all that: “Properly understood, the Data Protection Act 1992 does provide an adequate system for the protection against intrusion upon privacy of record. Properly applied, it saves the need for bending the law of confidentiality to remedy the obvious wrongs that have spawned a “law of privacy”. The Act has a sophistication which is not going to be matched by the fits and starts of the developing common law.”

There are very good reasons why it’s such a hard piece of legislation to follow. After all, its principal author (whose identity I know so wont embarrass them) is an awfully bright person, and to them, once you know how to navigate around the legislation, it’s really quite straightforward. Had any of the parliamentarians on the scrutiny committees (whose identity I also know, but won’t embarrass them) bothered to take a little more interest in the legislation, rather than dealing with their constituency correspondence during the Committee meetings, there might have been a Parliamentary call for something that was easier to understand. But no. This is what you get when you get Parliamentarians who care about clarity as much as they evidently did.

In closing came the Coppel cry: “The time has come, then, to give true effect to the Data Protection Act 1998. We should learn to appreciate what we have already got. And with that, I would suggest, the cry for a privacy law will in no small part be answered.”

The great and the good of the Statute Law Society then adjourned for drinks and polite discussion, to continue what had started as an extremely agreeable evening.

Printed copies of his speech, “The Data Protection Act & Personal Privacy”, by Philip Coppel QC, are available from the Statute Law Society. Email:


Saturday 17 March 2012

A deluge of data protection events?

Do you often feel bemused by the volume of invitations received to both “free” and “commercial” privacy events these days? Do you ever wonder how on earth you are going to be able to get the day job done, let alone try to keep briefed on the latest issues? No wonder so many events are quite thinly attended. Reading about contemporary data protection matters is one thing. But getting up close to a speaker is something entirely different. And the gossip and the networking that goes on in the margins of these events can be of critical importance to a data protector on a mission. Or a job hunt.

One conference organiser was seriously unhappy when I recently replied to their phone call asking me if I was interested in attending a particular upcoming data protection event. After all, I was assured, the event had been precisely tailored to my immediate needs, so of course I was going to be interested in being corralled with a group of my peers to be spoken at for a couple of hours. Wasn’t I?

No, I wasn’t. I was already busy that day, and they ought to have known that. I was planning to attend a free event to get a very similar perspective from speakers just good as those that this conference organiser wanted to charge a significant sum of money for.

This unhappy exchange set a cunning plan running in my head, and one that I’ll be asking for your advice and support over. If it works, it will take off. If it doesn’t, well at least I tried.

My cunning plan is to publish an independent list of upcoming data protection events. It will have several purposes. From the perspective of the conference organiser, it will help remind everyone what’s already likely to be happening around that time, as that could have a very significant impact on attendee numbers (and thus the viability of the project). And from the perspective of the data protection officer, it may help remind people what is likely to be going on in the next few months, so that ever decreasing conference and training budgets can be focused on the events that are more likely to be of real value. And for conference speakers, it can help forewarn them about who else is currently on the circuit talking about “their” pet subject.

I’m not doing this for any financial reasons, but simply to share knowledge of what data protection events are being planned, and held. And to help us busy data protectors to better plan our time.

I started compiling the list some three weeks ago. 10 of these events have already happened, so I've moved them into a separate list. And there are another 25 in the pipeline. But I know I have not really begun to scratch the surface yet of privacy events that are likely to be of interest to a British data protector. But I think it may be useful to bring information about them all together into one place. So, please get in touch and help me add details of other credible events to the list.

If you are at all interested in this initiative, then please pop over to my serious data protection website and take a squint.

The list of upcoming events is here. The archive of past events is here.

I’ll review this initiative in a few months time and will report back.

Image credit:


Friday 16 March 2012

Cookies – Barclays wins a glittering prize

I’ve just been invited to a brilliant bash. It’s to celebrate the fact that one company, that banking behemoth Barclays, has apparently found a cunning way to comply with the new cookie rules. And their compliance method is so utterly, utterly brilliant that both Christopher Graham, the Information Commissioner and Ed Vaizey, the Minister for Culture, Communications and Creative Industries in the Department for Culture, Media and Sport, will be delivering keynote speeches on this prestigious occasion.

Praise indeed.

To be absolutely honest, I would be more impressed if Barclays offered a better rate of return on their Loyalty Reward ISA, but I can’t have everything. Instead, I’ll make do with appreciating their cunning cookie compliance methodology.

I understand that data controllers who are not as fast off the mark as Barclays will have an opportunity to ask questions about the new cookie requirements at this event, and it will be really interesting to work out, from Ed Vaizey’s replies, just how high a priority he really sees cookie compliance. Other speakers will include our chums from the Internet Advertising Bureau and the International Chamber of Commerce. So it ought to be good.

Places are limited, so I hope you will forgive me if I don’t announce the details of the venue and when it will be held. But I will blog about it afterwards.

One of the reasons I want to attend is so that I can respond to journalists who are writing negative stories about all this cookie chaos. One article that very recently caught my eye shouted that “Online marketers really dislike Europe’s new digital privacy law”. Fancy that! Apparently, 82% of them think the European Union’s new cookie law is bad for the web, according to survey results released by the market research agency Econsultancy.

Econsultancy surveyed 739 marking professionals earlier this month via e-mail, Facebook and Twitter to learn their thoughts about the requirements, which the journalist claimed “takes effect this spring and generally requires web sites to ask for permission before placing a cookie on a consumer’s browser to track her behaviour. Those cookies can tell marketers where that consumer has come from and what she’s viewed and searched for—which in turn enables marketers to target web ads based on those behaviours, or tweak discount and merchandising tactics. The law doesn’t require permission for cookies that track items put into shopping carts or which remember a consumer’s shipping address.”

Reported comments from survey respondents pointed to lingering confusion about the law and scepticism that it will do any good. “There's total confusion on how to apply it and what it should be applied,” read one such comment from a survey participant. “There are a few nice implementations [but] nothing which everyone agrees on, which means a disjointed user experience from site to site.”

Other comments included: “There are still a number of grey areas and the legislation has obviously been put together by people that do not understand the workings of online marketing.” Someone else commented: “We just need to be sensible about how we interpret it and ensure that we turn this into positive legislation for the online industry.”

Somewhat reassuringly: “57% of respondents claimed to have actually read the EU privacy directive that requires consumers to opt in for most web tracking by retailers and marketers, and 54% report their employers have carried out a cookie audit in advance of the law’s May 26 deadline for compliance. Only 7% of respondents say they think that online consumers understand how cookies work.”

I was astonished to read that as many as 57% of respondents had actually read the thing. I would have thought it was more likely to have been 5-7%. I’m not at all surprised that so few respondents understand how cookies work. After all, I don’t know how the engine in my car works. All I need to know is where to put the key and who to call when I have a problem with it.

I do hope this great forthcoming bash will give me plenty of material to blog about. Actually, I’m so convinced it will that I’ve already accepted the 4pm speaking slot at the prestigious Marketing Week Live event at Olympia on 27 June to talk about it. But if the cunning plan from Barclays turns out to be a complete dud, then I’ll have to think swapping my 4pm speaking slot with that of the 4am presenter!



Thursday 15 March 2012

ISEB Accreditation: Chapter 3

The fifth formal day of the course of instruction that ought to lead to my ISEB qualification has been completed. Just the mock, and then a whole day’s tutorial, then the actual exam. Roll on the end of April. Then I need to ask myself what to do with the 4” (10cm) pile of notes that course presenters Chris Pounder and Sue Cullen have so lovingly prepared, distributed, and let me scrawl all over. I think I know just the place for them, but first I had better pass the exam.

To describe the course so to someone who has not considered taking the ISEB qualification before is not easy. After all, why would anyone want to give up a significant portion of their private life for a few months to take it? Well, first they had better be a dedicated data protection professional. Second, they ought to be astute enough to realise that about the only thing no Member State has criticised the European Commission about in that Regulation is the way it will significantly raise the profile of data protection officers in future.

The more responsible data controllers will be obviously feel obliged to employ people who have an appropriate qualification. And the really good news is that, if we play our cards right, the law will compel them to employ/engage someone, so the head hunters should be out in droves, linking-in with people who have suddenly become endowed with some very marketable skills.

This could become a problem for those companies whose salary structures are such that they find it hard to pay market rates for (anyone, let alone) qualified data protection professionals. And, if the ludicrous fining proposals in that Regulation manage to become law, the pressure on salaries can surely only be in one direction. Data protection officers could be as eagerly sought after as members of that popular boy band. I do hope that public sector organisations won’t find it too hard to recruit and retain the right people. Presumably, our head hunter chums will be causing a few headaches in the Information Commissioner's Office’s Human Resources team too, when it becomes clear that former ICO staff are even more highly prized than they currently are.

But I can’t think too far ahead. I can barely think at all, right now. My mind is stuffed with concepts like the subject information provisions and the non-disclosure provisions. And also trying to distinguish between Article 7 rights, Section 7 rights, Principle 7 issues, and Schedule 3 (7) conditions. Oh yes, I’m also trying to get my head around the distinction between the grounds for processing in Schedules 2 and 3 and the non-disclosure exemptions. And understanding how the law of confidence potentially interacts with the First Data Principle.

And it goes on. And on. And on. It’s not a doddle. You have to seriously know your stuff.

Whoever finally gets certified really deserves a badge to wear as a talking point so that they can tell anyone who asks just what they’ve had to go through. The International Association of Privacy Professionals confers on appropriately certified IAPP/E professionals the right to wear a badge emblazoned with the letter “E”. I think that the British Computer Society ought to confer an equivalent tight on appropriately certified ISEB professionals a badge too.

And what should it say?

If I had my way, it should simply say “£”.

Plagiarism Disclaimer:
Peter Fleisher from Google has also been warning in his personal blog that there are not enough experienced data protection officers to meet the impending legal requirements and that more need to be trained. He might have said it first, but I wasn’t aware of that until I was about to publish this blog today.


Wednesday 14 March 2012

That Regulation: the red lines emerge

If you were at, or had dialled into, yesterday's meeting of the Data Protection Forum, you would have appreciated the political significance of what was being discussed.

In a historic first for the Forum, speakers from equivalent data protection organisations in France and Germany had travelled to Central London to share their thoughts about that Regulation, and to see what common ground existed between them.

What very quickly emerged was a shared determination to ensure that local citizens could continue to enjoy the standards of data protection they had grown to expect. A "one size fits all" approach is a complete non starter. Until, that is, Member states are abolished and we all become grateful citizens of the European Union. But we are absolutely not there, yet. And as discussions turned to how local laws would need to be enacted to take account of very important bits of data protection law that were missing from the current draft, the more the logical inconsistency of such a thing as a Regulation became apparent (at least to me). Who can describe to me the practical difference between a legislative package which comprises (1) a Regulation and a bunch of local laws to meet local needs, and (2) a Directive and a bunch of local laws to meet local needs?

What also emerged during the discussions was how very different was the role that was played by Data Protection Officers in three countries. This is in terms of their legal standing, duties and their working relationships with local data protection authorities. If the new legal instrument is to require certain organisations to have such an animal, is it to look more like the German, the French or the English DPO? Given the (potentially) very significant role that such animals will play in future, it is vital that Member States get this bit right. Especially if these DPOs are to have fixed contracts. How will a DPO act if they spy something dodgy, say, just six months before their contract is due for renewal? Will concerns about not having their contact renewed cloud their judgement about the most appropriate course of action to take?

Surely not!

I don't intend to go into any greater detail about what was discussed as that might only forewarn our chums in Brussels about what's going to be hitting them. So no, I will keep my powder dry. If you want to know more about these vitally important issues, all you need to to is become a member of the Data Protection Forum and witness at first hand how policy is developed. Forum members now understand what's about to happen, and why. My other readers can just sit back and marvel at the way things are about to unfold. Or unravel! With membership at just £150 for 4 meetings a year, this has to be the greatest value around for anyone who is serious about data protection in 'Blighty. More information about the Forum and how to join it is available here.

Perhaps I should just plant one thought with the Commission officials before I end today's blog, though. Just as a taster for things to come: There are some data protection rights that are too important to be entrusted into the hands of the European Commission. In fact, they are so important that they will be left in the hands of Member States, whatever the Commission thinks.

Image credit:


Monday 12 March 2012

The pressure facing today’s data protection regulators

The latest word from the Information Commissioner’s Office is that there is some interest in seeing me hand over £100 to the charity Help for Heroes if a video of an ICO team doing a Cookie Warp dance is posted on YouTube by 26 May. If you have no idea what I’m talking about, please take a quick look at my blog dated 9 March.

One wag has been in touch to suggest that the charitable donation could easily multiply just to ensure that certain members of the ICO’s staff are not heard singing (and that’s before the money floods in to make sure certain others are not donning any Frank N Further style costume…).

They also suggested: “Perhaps their version should be the song that refers to the sword of Damocles hanging over their heads….

This person has a serious point. The pressure on regulators to enforce legislation (even if they themselves don’t believe it’s been properly thought through) must be pretty awful. I’m glad I’m not in that position.

So, in honour of those who are charged with carrying out such a very difficult job, I thought I should pen a little ode just for them. I didn’t find it that easy to come up with lyrics that rhymed with Damocles and made much sense, though. If you’re interested, I toyed with lines which ended in words such as: please, he’s, squeeze, she’s, wheeze, disease, faeces, species, Chinese, herpes, trapeze, appease, freeze and Maltese.

Oh the pressure of producing a data protection ditty to order! And then inspiration hit me. So today’s effort, inspired by David Bowie and Queen, is dedicated to those regulatory folk in Wilmslow and Brussels who are bold enough to put their heads above the policy parapet.

Now, three cheers for the dedicated band of people whose guidance is eagerly craved, and then just as eagerly criticised when it finally comes!


Pressure pushing down on me
Pressing down so much – I didn’t ask for
Under pressure - that so wears me down
Splits friends in two
When people meet me they stare and frown

It's the terror of knowing
What this stuff is about
Watching some good people
Screaming: You know nowt
Pray for tomorrow (its gotta get better)

Pressure on people - people everywhere
Protecting the weak from my worst nightmare
Kicking my brains round the floor
Fighting off those whom I deplore
There are days when it rains but it will never just pour

It's the terror of knowing
What this world is about
Watching some good friends
Screaming: You know nowt
Pray for tomorrow (it’s gotta get better)

Don’t know what it must feel like to be a blind man
Sat on the fence but it didn't work
Tired, hungry and bored at some conference in Cannes
Finding solutions – before going berserk
Under pressure

Insanity laughs under pressure we're cracking
Some light relief comes when we give Google a smacking
Shouldn’t allow controllers that one more chance
They’ll only send us on another merry dance
Under pressure

Fair and lawful are such old fashioned words
Yet praise for our efforts is so seldom said
Smiling while working in a field of turds
Keeps the pressure steadily building in my head

But someone’s got to do it
(And it obviously ain’t gonna be you)

It's the terror of knowing
What this stuff is about
Watching some good people
Now I’m screaming: Let me out
Pray for tomorrow (its gotta get better)

This is our last chance
Standards we should enhance
This is ourselves
Under pressure
Under pressure

Image credit:
The Sword of Damocles parable illustrates the constant fear with which many people in authority live. Wikipedia explains that in the fourth Century BC, Damocles was a courtier in the court of King Dionysius II of Syracuse, Italy. In the parable, Damocles praised his King that, as a great man of power and authority surrounded by magnificence, Dionysius was truly extremely fortunate. The King then offered to switch places with Damocles, so that Damocles could taste that very fortune at first hand. Damocles quickly and eagerly accepted the King's proposal. Damocles sat down in the king's throne surrounded by every luxury, but the King arranged that a huge sword should hang above the throne, held at the pommel only by a single hair of a horse's tail. Damocles finally begged the King that he be allowed to depart, because he no longer wanted to be so fortunate.


Saturday 10 March 2012

We need to talk about Europe ...

I’m commenting on two stories today, both of which question the legitimacy of the European Commission to adopt legislative measures that seem to go well above the heads of national Parliaments.

Before I’m written off as a maverick, let me assure you that I am not a natural Euro-sceptic. I believe in European integration – to some level, but I also believe in the principle of Subsidiarity, too. This is an organizing principle that matters ought to be handled by the smallest, lowest or least centralized competent authority, according to the definition in Wikipedia.

Of course, it’s always easy to find stories criticising the European Commission. When there are positive stories, I will comment on those, too. My aim here is not simply to knock the institution. But it is to question it, and to challenge it in the spirit of the Latin proverb Qui bene amat bene castigat (Who loves well castigates well).

So, for the first story, please step forward Belgium's enterprise minister Paul Magnette. He spoke recently at a conference, auspiciously titled Can one criticize Europe?, organized by the Université libre de Bruxelles. He was bold enough to criticise the European Commission for being "too tough" on his country and pleaded for more "margin of manoeuvre" for national governments to enforce EU budget discipline rules.

The EU's budget discipline dogma had become "monomaniac," he had said, commenting that the only possible result of such policies was recession. In his view, the Commission’s role in approving the Belgian budget was close to micro-management. When it rejected the 2.8% deficit forecast of the Belgian government in favour of its own 3.01% projection, the Commission had put the country in the excessive deficit procedure [EDP], which was nothing less than “nitpicking,. And, as the Commission has more powers vis-à-vis a country under EDP, the feeling was that the Commission "abuses" it’s right of control to leverage its power over member countries.

This is not the first time that Magnette, has courted controversy. He’s also on record for making comments critical to the EU executive, for which he was reprimanded both by Prime Minister Elio Di Rupo and Council President Herman Van Rompuy, a former Belgian Prime Minister.

Reportedly, Magnette had said that the economic and budgetary policy, imposed on EU countries, condemned them "to a 15-year-long recession". He added that he doubted that the Commission had the democratic legitimacy to impose such policy: "We must stand up to the European Commission, as the big states do, or we will slip into an ultra-liberal Europe."

And, for the second story, I’m really grateful to a chum who is following data protection developments within the European Commission even closer than me, and has observed that the fun and games continue apace as everyone in the European Parliament is scrambling to get in on the act on that Regulation. Which MEPs will be appointed to key roles as the measure is considered by the Parliament? Apparently, the power struggle going on is particularly fierce between the European People’s Party and the Greens.

One of the reasons for this, I sense, is that a debate is growing about whose fundamental rights the European Commission and the European Parliament exist to uphold. In the data protection context, are these just the fundamental rights of individuals, or are they also the fundamental rights of companies and public authorities who need to process information about citizens to run public other types of services?

One of the brightest of London’s lawyers pointed out to me recently that: “while fundamental rights are at stake, these are not absolute. The Regulation itself recognises this (see recital 139). As we all know, the purpose of the legislation also is about ensuring the functioning of the internal market - indeed, the very first line of the Regulation acknowledges both the fundamental rights (Art.16 TFEU) AND the internal market dimensions (Art.114(1)/26). In line with the “property” point, recital 139 recognises that the right to the protection of personal data must be balanced against other rights, including the “freedom to conduct a business” (of which the European Court of Justice said some interesting things about in the recent SABAM ruling). Unfortunately, so far the right to property (including the right to intellectual property) has been left out…”

So, where does this leave us? In a bit of a predicament, I think. On the one hand, we have a European Commission that is determined to press on with legislation because it does not trust Member States to legislate adequately. On the other, we have(a number of) National Parliaments who may not be that bothered about giving up sovereignty in this area because they are passionate believers of a European project which requires a strong central European Government and weak national Parliaments. And on yet another hand, we have (a probably smaller number of) National Parliaments who genuinely question the extent of European integration, because they do not believe that the costs of surrendering the margin of legislative appreciation they currently enjoy will be outweighed by the benefits of further and deeper integration.

Perhaps that’s why the struggle to carve up data protection between the European People’s Party and the Greens is so important. Both groups sense that the proposal marks a huge step change in creating a new social policy within Europe, and they are both determined to control the shape of that policy. It’s a great opportunity to wrest a chunk of powers away from national Parliaments and have them salted away in the European institutions.

And where is the political influence that we, in ‘Blighty, can have on this process? I don’t see many British MEPs either sitting with the European People’s Party or the Greens. Can we just sit on the sidelines and hope that these groups of politicians will do a deal that won’t leave us too much in the cold?

Or should we adopt another approach, which is to question the legitimacy of data protection matters being removed from the competence of the Westminster Parliament in the first place?


Recital 139 of that Regulation: In view of the fact that, as underlined by the Court of Justice of the European Union, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society and be balanced with other fundamental rights, in accordance with the principle of proportionality, this Regulation respects all fundamental rights and observes the principles recognised in the Charter of Fundamental Rights of the European Union as enshrined in the Treaties, notably the right to respect for private and family life, home and communications, the right to the protection of personal data, the freedom of thought, conscience and religion, the freedom of expression and information, the freedom to conduct a business, the right to an effective remedy and to a fair trial as well as cultural, religious and linguistic diversity.

Image credit:
This is the poster for the 2011 film “We need to talk about Kevin”. The plot focuses on Kevin's mother, who struggles to love her strange child, despite the increasingly vicious things he says and does as he grows up. But Kevin is just getting started, and his final act will be beyond anything anyone imagined.


Friday 9 March 2012

Exclusive: An easy way to comply with the cookie regulations

I can finally reveal an easy way to comply with the cookie regulations. Even the Article 29 Working Party is going to be impressed. It could make it's creator – me – a multi millionaire if a significant number of people take it up, and they then start following other pieces of wisdom that occasionally get trotted out in this popular blog.

None of us really want our stats about visitors to our web sites to fall off a cliff – as is evidenced by what happened when the Information Commissioner’s Office unveiled its cunning plan to simultaneously comply with the ePrivacy Directive and remain forever ignorant about what its website visitors actually do when they go to The result - pictured - is too horrific even to smile about.

There has to be a better way of web masters behaving like lemmings. So, rather than force customers to make a choice (which they most likely won’t do as they simply don’t understand the implications of the words that are put in front of them) before they’ve had an opportunity to know whether the web site is any good or not and whether they’ll ever want to come back, I’ve had a better idea.

I appreciate that this idea will have financial implications for the huge industry of cookie advisers that has developed over the past few years. Some of the fees I’ve heard being charged for people to receive advice from data protection professionals are so good that I want to get in on the act, too. My advice might not be delivered in as deadpan a manner as some of my learned friends, but at least it will put a smile on people’s faces.

After much research, I’ve concluded that the real problem surrounding cookies is that, for the most part, internet users can’t be bothered to do anything about them. The philosophers may ask if this is because people really don’t care about cookies, or whether people don’t know what harm may be caused to them by someone who places abusive cookies on their devices.

The answer is simple. It lies in a public awareness campaign, and in getting the general public to start asking the questions for themselves, rather than having advice screamed at them from above. It worked with public awareness about the menace of HIV and AIDS. As soon as an Eastenders character found they were living with it, public attitudes changed very quickly – and very much for the better.

And the answer also lies in making such education fun – and healthy.

So my cunning plan – wait for it – is to seek funding from the European Commission to sponsor an internationally televised competition. Students, youth groups, in fact any teams of friends or work colleagues, are to compete in a song and dance contest. Teams wishing to audition should get their first efforts loaded onto YouTube by 26 May 2012, as it is from this date that the Information Commissioner has announced that he could start to do something more about cookie compliance in 'Blighty.

One catch – I get to specify the song.

And my selection, thanks to the inspiration from Little Nell, Richard O'Brien,and Patricia Quinn, is about worshiping active recorded preferences about cookies.

This may not sound that catchy a title, until you shorten it to the Cookie Warp.

Here are the words. You all know the tune, now come up with the dance!


It's astounding, time is fleeting
Madness takes its toll
But listen closely, May’s not that much longer
You've got to take more control

I remember doing the Cookie Warp
Hitting those internet links when
Adds would strike me, as if someone had remembered
Let's do the Cookie Warp again...
Let's do the Cookie Warp again!

Just set your cursor to the left
And then you set it to the right
With your hands on your mouse
You bring your digits in tight
But it's not getting good content that really drives you insane,
Let's do the Cookie Warp again!

The Commission’s so dreamy, so fantasy free me
Now you can't see me, no not at all
I’m in another dimension, with voyeuristic intention
I’ve paid my entrance fee, now I want to experience it all

I’ve seen some sites that are unsavoury
But you must forget my knavery
I’ve got rights (and stuff that I don’t want you to know)
You're keeping too much browsing history (that should really stay a mystery)
Let's do the Cookie Warp again!

Well I was surfing down a site just a-having a think
When this snake of an add man gave me an evil wink
He really shook me up, he took me by surprise
He had my browsing life at hand, I saw the devil in his eyes.
He stared at me and I felt I must change
I’ll put an end to this: my preferences I’ll rearrange
Let's do the Cookie Warp again!

Spookily, the Rocky Horror Show was being developed, back in 1973, at around the same time that data protection was starting to be taken seriously in Parliaments around Europe.

Further note:
If our chums from DG Justice at the European Commission, or from the Information Commissioner's Office, post their entry onto YouTube by 26 May 2012, then I'll happily donate £100 to the Help for Heroes charity, in their honour.


Thursday 8 March 2012

ISEB Accreditation: Chapter 2

The third formal day of the course of instruction that ought to lead to my ISEB qualification (out of five) has been completed in Manchester. Two more days to go. Not much more black letter law to become reacquainted with. Sue Cullen really knows her stuff. The course gets lighter in tone from now on, as the participants learn more about how the law is actually applied in practice, rather than just what the law is.

I use data protection law as I would a musical instrument. I add a bit of common sense to generate a satisfactory response, rather than simply use it as a noise box to overwhelm everything else in earshot.

A Home Office official, some 20 years ago, really wasn’t lying when he observed that Data Protection legislation was specifically designed to be a cumbersome process. It will be interesting to see whether people are any more able to exercise their rights when the revised proposals see the light of day.

Someone suggested a few days ago that the new proposal (in whatever form it’s going to end up as) could quite radically change the current equilibrium between the legitimate interests of data controllers and the legitimate interests of individuals. This is because the current Directive focuses on protecting certain types of information about individuals, while the new thing is going to focus on protecting individuals. It needs to refocus if it is to be true to its “fundamental rights” agenda, because fundamental rights attach to individuals, not their information.

Is this an important distinction? For some people in the European Commission, I think it must be – which is why they must keep on harking on about the need to protect individuals at all costs. They seem to be less concerned at making sure that public institutions (and private companies) are able to flourish and innovate. Rather than roll out the red carpet when a data controller fancies doing a spot of innovating, some would prefer to smother these new initiatives in red tape.

Such an approach to prescribing the role of public authorities, when they, as data controllers, want to do a spot of innovating, might be fine in Member States whose citizens live under formal constitutions. In such states, the powers of these public authorities are formally laid down, so the limits of their authority are clear. But the situation in countries like the UK is different. We don’t live with the benefit of a formal constitution. (Not unless the European Commission has slipped one through and no-one has noticed, that is). In the UK, many powers of local authorities appear to derive from an exercise of the Royal Prerogative, rather than constitutional law. And British Governments have not, in recent generations, had an unhappy history like some former Governments of other European states, where citizens have found that their rights have been abused by the State.

But, in strictly prescribing the powers of the state institutions (in case they can’t be trusted, again), the Commission seems to wish at the same time to prescribe the powers of data controllers in just as strict a manner. But, tell me, which European data controllers have had a history of abusing the rights of individuals? And before anyone spits out the G word, or the F word, let me remind them that these examples aspire to be global data controllers not just European data controllers.

No, a cynic might suggest that the Commission is really trying to get tough with global controllers it knows it can’t tame, anyway.

Note to the Commission: Forget about Google and Facebook for a bit. They are big enough and well resourced enough to look after themselves and their customers. Focus on European data controllers for once. And try not to make life so tough for them that they cease really caring about developing new innovative privacy enhancing services and techniques. If life is made too challenging, they’ll just start to employ people to tick privacy boxes. Which won’t be much fun for those of us who want to work on the new and innovative services.


Tuesday 6 March 2012

I’m a DPO, get me in here!

The 500 lucky winners of this year’s “Get a place at the ICO’s Annual Data Protection Officer Conference” competition assembled today at the Palace Hotel in Manchester to celebrate their good fortune. And also to attend the ICO’s conference. Who needs to travel be among a cast of thousands at an international privacy event in Washington DC this week when the ICO can lay on such a magnificent event – free of charge – for those of us who need some support and assistance in ‘Blighty?

How best to describe the Palace Hotel, Manchester? Think of a Victorian version of Hogwarts, with steps (I didn't manage to find the lifts) leading to lots of floors and hidden spaces, many of which were tastefully decorated in brown and green porcelain tiles. You’ve just about got it. Spookily, “Oliver Twist” was playing at the Palace Theatre just across the road. Fagin would have felt at home in either venue, today.

But, what a great place it was to assemble some 500 souls who were most concerned about British data protection issues. And how amazing to think that there was a waiting list of a further 500 applicants who didn’t make the final cut. It really is reassuring to appreciate that there are so many people who want to apply the rules with such dedication. They wouldn’t have been there, or wouldn’t have applied, if they weren’t.

And, also, how great it was to see at the event so many bods from the Commissioner’s Office in Wilmslow, just up the road. Occasions like this really help reinforce a spirit of shared values and determination. The ICO has worked really hard to maintain a good working relationship with concerned individuals and data controllers, and it is nice to take opportunities like today to acknowledge that most people’s minds are in the right place, even though no-one can be perfect all of the time. But so many of us care, and that’s what matters.

It was so refreshing also to hear the message, from delegates and from many of the ICO officials who spoke during the workshops, that what we really need to focus on is outcomes, rather than procedures. The theme was first evoked by the keynote speaker, Francis Maude, Minister for the Cabinet Office. He characterised the current internet revolution as “an irresistible and unstoppable force.” And, in what he termed as “an immensely constrained fiscal environment,” he appeared determined not to allow data controllers (and especially those who wanted to share data for legitimate business and public purposes, to be hampered by outdated practices: “An overly restrictive environment will restrict our ability to innovate.”

While he also pointed out that the law should not be obscure, nor unclear, I sensed that he was not mightily impressed with all of the plans that the European Commission had recently announced in their plans for a General Data Protection Regulation. The draft text of his speech is available here.

If I were a betting data protector, I would bet that we Brits are really ready for a fight on some of the more prescriptive provisions in “that” Regulation. And I would also bet that a number of British Parliamentarians are going to be mightily unhappy when it dawns on them that, in a an age where reputations (and newspapers) have been lost through poor privacy practices in Britain, it is madness that the British Parliament is to be neutered when responsibility for so many things data protection are transferred from Westminster to the institutions in Brussels. This cannot be right.

I also overheard, in the margins of the meeting, gossip that one of the first Council meetings to review the proposal didn’t go as well as the Danish hosts might have expected. Despite carefully laid plans to ensure that the attendees got through a certain proportion of the text, delegates insisted on speaking their minds, rather than keeping to the timetable. So, progress was not as made as quickly as planned. If they don’t start curtailing official debates soon, all bets will be off that the gestation period will be merely 18 months.

But, delegates at today’s conference were very careful not to make any political points, nor was there any public criticism (from ICO officials, anyway) about the current legislative environment. This was not the day to discuss such sensitive matters. Instead, today was the day to discuss ever more innovative ways of getting it right.

In terms of delegate numbers, the runaway success of this conference series is truly astonishing. Perhaps it’s because it’s free, so public sector DPOs have no reason to be denied attending on internal budgetary grounds. It’s getting so large that the ICO should consider using the main conference hall in Manchester’s GMEX centre, soon. And that is a wonderful way to celebrate that we Brits are serious about getting this data protection stuff right, even though our ways of doing things aren’t always the ways that our colleagues in the Commission would prefer.

We Brits don’t need to rely on complicated forms prescribed by clever Eurodataprotectorcrats to try and get it right. We pride ourselves in preferring to rely on our own ingenuity and pragmatism to deliver culturally acceptable, good privacy practices.

Anyway, let me end by sending my best wishes to those folks currently en route to Washington DC for the International Association of Privacy Professionals’ bash. I do hope that your event is as entertaining – and as productive – as this one has been.


Saturday 3 March 2012

A battle hymn for the chocolate factory

If you can access electronic media, you must have been reading about Google this week. After all, who now can’t be aware that changes have been made to the words of the privacy policies that are associated with Google’s services? I’m not sure if, since people have not actually changed their privacy settings, it means that Google will actually be doing lots of stuff that they weren’t in the past. The vast majority of us probably don’t have much time to care, and are grateful that the Article 29 Working Party will be doing the caring for them.

I have not had the time or the energy to find out for myself precisely what’s gone on and, frankly, given the fuss that has been generated by this issue, I’m happy to wait until the courts tell me what it all means.

What a difference a few years make! It was only 27 months ago that Google was being praised to the skies by regulators for their foresight in creating a Dashboard control panel, which enables people to more easily access and adjust their own privacy settings. It was launched at an international data protection conference in Madrid on 4 November 2009.

I was so taken by the launch that I (somewhat) respectfully paid a tribute to Alma Whitten, one of Google’s gurus for privacy & safety, in the style (and using many of the phrases) of Julia W Howe. It was she who, during the American Civil War, wrote the original verses of the "Battle Hymn of the Republic" in single evening at the Willard Hotel, Washington DC, on 18 November 1861.

Spookily, that's so close to where thousands of privacy professionals will be flocking in a few days time, to attend the IAPP's annual Global Privacy Summit.

I hope Alma won't be offended. I’ve met her and have really enjoyed her easy manner, professionalism and deep commitment to fairness and transparency. She's still one of Google's shining stars!

My tribute was crafted during the course of a single evening, too. And it shows. It was originally posted on this site on 6 December 2009, and, with just a tweak or two, I think it’s time has come again.


Mine eyes have seen the glory of the coming of the Board
It’s a simple way of knowing how your preferences are stored
All set up to win every privacy award
It’s truth is marching on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! The truth is marching on.

I've heard Alma speaking softly to a hundred data chaps
They have built her a chrome platform which reads emails and her maps
It can also find her schedules and those pics of her kneecaps
Her day is marching on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Her day is marching on.

I have read a fiery press release which really makes you feel
“You bureaucrats are ignorant and just don’t get the deal”
See the Hero, born a woman, crush the Commission with her heel
Since Alma’s marching on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Since Google's marching on.

Alma's helped to build a Dashboard where the picture is complete
She is sorting out the hearts of men before they start to tweet
Oh, with self control, now plead with her: “Come photograph my street”
Our Alma’s marching on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! And Google marches on.

In the beauty of the lilies she was born across the sea
With a glory in her bosom that transfigures you and me
As she works to make stuff useful, let us work to keep stuff free
While Alma marches on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! While Google marches on.

She is coming like the glory of the morning on the wave
She is wisdom to the mighty, She is honour to the brave
I will start to use the Dashboard if Google promises to behave
As Alma marches on.

Glory! Glory! It's the Dashboard! Glory! Glory! It's the Dashboard!
Glory! Glory! It's the Dashboard! Yes, Google marches on.


Friday 2 March 2012

EU/US Privacy: Who blinks first?

I want to return to the theme I referred to yesterday about the different privacy initiatives that have emerged, almost at the same time, but from different sides of the Atlantic. Both addressed the perceived needs of the same group of people, ie the developers who create mobile applications for users around the globe.

Richard Brennan has been making some very interesting comments on privacy recently. Who is he? He’s is a Vice Director of Huawei’s industry standards department, based in China and Europe. He also represents the China Standards Authority internationally, and was asked for his impressions of the direction that the EU and US jurisdictions were taking.

It was a pretty bleak assessment: “In the US it is ‘freedom of speech’, in the EU it is all about constitutional privacy: those are opposing forces that cannot be balanced.”

What a perceptive comment from someone so steeped in the Chinese privacy culture.

When asked to expand his remarks, he said: “I think there are concerns generally about these two different models. One is the controlled internet versus a very open construct, which is governed by freedom of speech and not much else. They need to be balanced. As businesses we have to respect the desires of our customers and the environment in which they are doing business. We need to follow the decisions, understand and comment in a positive way in each area where those decisions are being made, we are looking at the EU environment discussing them over a broad set of issues to make sure that the network technical capabilities mirror well the policies that are being asked for on the regulatory side.”

So, there is good will on the part of the legislators to meet and talk, but it’s not at all clear how their deeply held views can be reconciled. Of course we all know how hard it is to reconcile contrary views. After all, look at the herculean efforts that the Article 29 Working Party is making to ensure that, even within Europe, regulators develop a common approach to cross border issues. And look at how much further they have to go before us European privacy watchers sense that there actually is a more joined-up approach.

Perhaps there is too much introspection at the moment. And perhaps we need more observers who, from an Asian, Indian Pacific and South American perspective, can join this debate and expose a few more home truths.


Image credit: Two Little Gunslingers, San Juan Capistrano, March 2009. Photograph copyright of Douglas Stockdale


Thursday 1 March 2012

A lack of joined up working – and inappropriate fines

I wasn’t planning to wax lyrical today. Instead, I was planning to write a blog commemorating the great work of the GSM Association in publishing guidelines for people who develop applications for mobile devices, pointing out that there are such things as data protection laws, and that here are some relatively straightforward ways of trying to comply with them.

However, something threw me. I've just noticed that, last week, the Attorney General of California issued a press release advising she had reached an agreement with Apple, Google, Microsoft, RIM, Amazon and HP that they will ensure users of mobile apps are given privacy policies before an application is downloaded. The agreement also requires the companies to: "educate developers about their obligations to respect consumer privacy and to disclose to consumers what private information they collect, how they use the information, and with whom they share it. The platforms will also work to improve compliance with privacy laws by giving users tools to report non-compliant apps and committing companies to implement processes to respond to these reports.” The Attorney General will review progress made in six months time.

Talk about spooky – I thought I had been working on an almost identical project with the GSM Association in London for the past few years. And, if my memory serves me right, I'm sure we consulted our chums over there, and invited them to express an interest in participating in the European one. The GSM Association’s initiative was launched this week. But I wonder how the likes of Apple, Google, Microsoft, RIM and Amazon and HP managed to keep their amazing work from so many privacy professionals this side of the pond until it was formally announced?

I wonder who knew about both projects being developed in parallel. Perhaps it was a lost opportunity not to have been able to create a joint initiative between the mighty European companies and the mighty American ones. What a shame.

Just like London buses, you can wait a long time to see a privacy initiative, and then suddenly two similar ones come along just about the same time.

At least both are trying to do pretty much the same thing, so the end result ought to result in some consumer benefit, not consumer detriment.

Anyway, what really caught my attention today was a statement from Information Commissioner Christopher Graham commenting on the recent conviction of four private investigators who had pleaded guilty to stealing confidential information and selling it to paying clients. Because the ICO worked with the Serious Organised Crime Agency, and convictions were secured under the Fraud Act, they faced custodial sentences. But, in a virtually identical case, held in another court at almost the same time, because the defendant was tried under Data Protection legislation, they were only fined some £200.

And I was quite shocked to realise that the proposed Regulation, despite its grotesque fining powers for data controllers, is silent on any requirement to impose custodial penalties on corrupt employees, private investigators or social engineers. No jail time for them? Surely this will be made more specific, soon. The vague reference in Article 78 to Member States laying down rules on penalties, applicable to infringements of the provisions is surprising given how prescriptive most of the rest of the Regulation is. If there were anywhere in the Regulation where a little more prescription might be welcome, its here.

Sitting on the tube on the way home today, a fellow passenger's headphones were leaking the sounds of the late Ian Dury and the Blockheads. So, what could be more appropriate than this little ditty:


Lost on a laptop, in Milan
Were the health records of ev'ry woman, ev'ry man

Hit me your fining stick, hit me, hit me
Je t'adore, ich liebe dich, hit me, hit me, hit me
Hit me with your fining stick
Hit me slowly, hit me quick
Hit me, hit me, hit me

In the wilds of Wilmslow can be found the ICO
“How much should we levy, let’s be macho”

Hit me with your fining stick, hit me, hit me
Das ist gut, c'est fantastique, hit me, hit me, hit me

Hit me with your fining stick
“Is that all you can do? That’s lunatic”
Hit me, hit me, hit me

Hit me, hit me, hit

Tucked in that Regulation, meantime
In Article 79, are grotesque powers to fine
For not returning a form in time

Hit me with your fining stick, hit me, hit me
C'est si bon, mm? Ist es nicht? Hit me, hit me, hit me
Hit me with your fining stick
One million Euros, tick, tick, tick
Hit me, hit me, hit me

Hit me, hit me, hit me - hit me, hit me ....


Image credit: