Thursday, 1 March 2012

A lack of joined up working – and inappropriate fines

I wasn’t planning to wax lyrical today. Instead, I was planning to write a blog commemorating the great work of the GSM Association in publishing guidelines for people who develop applications for mobile devices, pointing out that there are such things as data protection laws, and that here are some relatively straightforward ways of trying to comply with them.

However, something threw me. I've just noticed that, last week, the Attorney General of California issued a press release advising she had reached an agreement with Apple, Google, Microsoft, RIM, Amazon and HP that they will ensure users of mobile apps are given privacy policies before an application is downloaded. The agreement also requires the companies to: "educate developers about their obligations to respect consumer privacy and to disclose to consumers what private information they collect, how they use the information, and with whom they share it. The platforms will also work to improve compliance with privacy laws by giving users tools to report non-compliant apps and committing companies to implement processes to respond to these reports.” The Attorney General will review progress made in six months time.

Talk about spooky – I thought I had been working on an almost identical project with the GSM Association in London for the past few years. And, if my memory serves me right, I'm sure we consulted our chums over there, and invited them to express an interest in participating in the European one. The GSM Association’s initiative was launched this week. But I wonder how the likes of Apple, Google, Microsoft, RIM and Amazon and HP managed to keep their amazing work from so many privacy professionals this side of the pond until it was formally announced?

I wonder who knew about both projects being developed in parallel. Perhaps it was a lost opportunity not to have been able to create a joint initiative between the mighty European companies and the mighty American ones. What a shame.

Just like London buses, you can wait a long time to see a privacy initiative, and then suddenly two similar ones come along just about the same time.

At least both are trying to do pretty much the same thing, so the end result ought to result in some consumer benefit, not consumer detriment.

Anyway, what really caught my attention today was a statement from Information Commissioner Christopher Graham commenting on the recent conviction of four private investigators who had pleaded guilty to stealing confidential information and selling it to paying clients. Because the ICO worked with the Serious Organised Crime Agency, and convictions were secured under the Fraud Act, they faced custodial sentences. But, in a virtually identical case, held in another court at almost the same time, because the defendant was tried under Data Protection legislation, they were only fined some £200.

And I was quite shocked to realise that the proposed Regulation, despite its grotesque fining powers for data controllers, is silent on any requirement to impose custodial penalties on corrupt employees, private investigators or social engineers. No jail time for them? Surely this will be made more specific, soon. The vague reference in Article 78 to Member States laying down rules on penalties, applicable to infringements of the provisions is surprising given how prescriptive most of the rest of the Regulation is. If there were anywhere in the Regulation where a little more prescription might be welcome, its here.

Sitting on the tube on the way home today, a fellow passenger's headphones were leaking the sounds of the late Ian Dury and the Blockheads. So, what could be more appropriate than this little ditty:

HIT ME WITH YOUR FINING STICK

Lost on a laptop, in Milan
Were the health records of ev'ry woman, ev'ry man

Hit me your fining stick, hit me, hit me
Je t'adore, ich liebe dich, hit me, hit me, hit me
Hit me with your fining stick
Hit me slowly, hit me quick
Hit me, hit me, hit me

In the wilds of Wilmslow can be found the ICO
“How much should we levy, let’s be macho”

Hit me with your fining stick, hit me, hit me
Das ist gut, c'est fantastique, hit me, hit me, hit me

Hit me with your fining stick
“Is that all you can do? That’s lunatic”
Hit me, hit me, hit me

Hit me, hit me, hit

Tucked in that Regulation, meantime
In Article 79, are grotesque powers to fine
For not returning a form in time

Hit me with your fining stick, hit me, hit me
C'est si bon, mm? Ist es nicht? Hit me, hit me, hit me
Hit me with your fining stick
One million Euros, tick, tick, tick
Hit me, hit me, hit me

Hit me, hit me, hit me - hit me, hit me ....



Sources:
http://oag.ca.gov/news/press_release?id=2630
http://www.ico.gov.uk/news/latest_news/2012/statement-private-detectives-jailed-for-blagging-27022012.aspx

Image credit:
http://www.megachwiep.com/PaulHardcastle/Hit_Me_with_Your_Remixes/IanDuryandtheBlockheads-HitmewithyourRhythmStick100.jpg

.