Monday 30 April 2012

Stuffed with spam

Has anyone else noticed that they are receiving more SMS SPAM these days?

Today, someone at +44 7541 686931 wrote “Due to new legislation, those struggling with debt can now apply to have it written off. For more information next the word ‘INFO’ or to opt out text stop."

Yesterday, what I took to be a claims management service on +1 (813) 384-7716 sent me a message that I’ve already deleted from my device.

Also yesterday, +44 786 306801 texted “FREEMSG: Need a quick end of month emergency Payday topUp? Get upto £750 TODAY!! No Docs or Checks Regd at SMSFORLOANS.COM Reply STOP to stop.”

While on Saturday, +44 7503 441947 texted “Hi. Want the latest iphone or smart mobile but can’t get a contract? Whatever your status we can help! NEWMOBILES.COM reply STOP to stop offers.”

I have not replied to any of these messages. I'm torn. The usual line is that we should say reply "stop" because if we don't, then the miscreant could well argue that the user has implicitly consented to receiving more messages by not having bothered to object when the option was offered to them.

On the other hand, replying "stop" could improve the utility of the marketing list, as the miscreants will know that the end user exists and cares sufficiently to react to messages. So they might react more positively to the next SPAM message.

So what’s happening at the moment? Have I made my way onto some suckers list, or has my provider slipped up by allowing some gungy marketing companies to send spam to its customers? Or, more likely (given that I know a thing or two about how these cowboys operate), has another communications service provider slipped up by failing to stop messages like these from being generated on their network?

The blame should fairly and squarely fall on the communication service provider that is being paid by the actual gungy marketing company to send spam to its customers. It’s much harder for the networks that are simply told to deliver SMS messages to intercept the content of the message and decide if it’s the sort that their customers would be likely to have consented to receiving. No provider really wants to get too close to being accused of intercepting messages and reading their content. That’s really not a very British thing to do.

Ironically, I’ve been working with a bunch of dedicated people from the enforcement end of the spectrum and am privy to some of their cunning plans to reduce this type of awful behaviour. But I do groan when I get this messages, as I appreciate that, despite the herculean efforts of a few, some of these cowboys are still roaming free. But rest assured everyone. An SMS posse is tracking them down. This group is not armed with Smith & Weston revolvers, but I guess it’s got come mighty clever IT tools to spot the bad guys - and perhaps video cameras so that the highlights of the raids can be posted on You Tube.

A recent favourite video site of mine is the I dare you – watch it and fight away those tears as (mostly American) families are filmed reacting with unrestrained joy as they see their sons, daughters, fathers and mothers coming home safely from conflict zones. The website celebrates some amazing military homecoming reunions. Take a squint at the videos of members of our armed forces returning home to surprise their families & friends. There’s even a special page dedicated to the reactions of the soldier’s dogs when they are reunited with their owners.

And if we can see those people expressing so much pleasure when they are reunited with family members who have literally put their lives on the line for many months, I’m sure that, if we ask nicely, data protection laws will eventually allow us to see the surprise on the faces of those cowboys who are raided at unearthly hours in the morning (ie before 10.00am) when they are reunited with the ICO’s enforcers.

The usual prize will be awarded to the person who can think of the best name for such a website to post such videos. I would go for “”.



Saturday 28 April 2012

Introducing “Billy the Great”

I had an excellent booking last Thursday morning – I was the warm up act to introduce the keynote speaker – the Irish Data Protection Commissioner - to delegates attending the first IAPP Europe Data Intensive Conference ever to be held in London. As we all ought to know, Billy Hawkes was first appointed Commissioner in 2005 for a five year term, and again in 2010 for a further five years.

I won’t explain in any great detail just what my warm up act comprised - let’s say it didn’t take too long before some of it appeared on Twitter. But it was warm, from the heart, and had the audience ready and oh so willing to receive Billy’s address.

And what Billy had to say was very interesting. Again, as we all ought to know, his office has taken an extremely close look at Facebook recently, in the light of various complaints about some of their processes. He explained that he would be announcing the results of his latest audit, and his official response to the complaints that have been received, in July. He did not indicate what he was likely to say, other than to refer to the importance of the need for Facebook to better control the applications that use and share information that Facebook users transfer to their personal sites. But there were no other words of criticism about Facebook. They have evidently been as transparent as possible with their processing operations, and have fully respected the role that he, as an independent regulator, has to play in the current process.

Billy may be the type of man that prefers his local pub as his social network of choice, but I have full confidence in his impartiality, when it comes to assessing Facebook.

What a refreshing change from the approach recently taken by some other opinion formers when considering complaints about Google’s processes. Those opinion formers preferred to publicly denounce the company for operating processes which, in their view, could conflict with European privacy laws, without even waiting for the results of the evidence they had requested to help them make up their minds as to whether the relevant laws had been breached.

Give me Billy’s approach, any time.

Billy was followed to the stage by Alessandro Acquisti from Carnegie Mellon University, the co-director of CMU Centre for Behavioural Decision Research. Alessandro astounded the audience with the results of his recent and ongoing academic research into how data controllers can get users to share ever more confidential types of personal information with either their friends – or with the data controller. In a stunning reveal, he gave us a glimpse into the way that modern processing speeds were capable, using facial recognition techniques, to gather significant amounts of other information from data freely available on the internet, to enable a data controller to peer deep into the soul of whatever individual was being photographed.

What I thought was science fiction is, perhaps, not that far away from reality.

But there is hope for us all – we all just need to wear our “Prince William” masks when we step onto the public pavement, and then we’ll be treated with courtesy and respect wherever we go.

Watch out for Alessandro’s work when the next batch of his research is formally published. This research (if it's right, and I have no reason to suspect otherwise), is literally changing the privacy game. If data controllers are going to be capable of using some of those techniques, and individuals are going to feel so engaged that they share ever more information about themselves with their friends and other data controllers, then we really do need to call for a stiff drink and ask ourselves what privacy actually means to emerging generations of citizens. We won’t need that Regulation. But I won’t explain why in this blog.

So, I sense that soon it will be time to quietly put away the European Commission’s current proposals for a new legal instrument to govern data protection matters. Then we’ll all be off to join Billy and his colleagues for a pint of two at his favourite social network in Portarlington, County Laois, to work out just how much this privacy stuff realistically can be regulated.

Note to event organisers:
From the end of May I’m available for bookings for other speaking gigs. Get in touch if you require a passionate and/or somewhat irreverent compere for your privacy event!


Friday 27 April 2012

ISEB Accreditation: The exam

Wow. The dirty deed has been done. I can relax and carefully store my ISEB coursework and revision notes in a safe place (but definitely where the sun won’t shine) until I get the result of today’s efforts.

If all does not quite go to plan, I’ll have about 4 weeks from the date I get the result of today’s exam to the date of the re-sit. But as I spend my professional life looking on the brighter side of things, I am determined to enjoy the rest of the spring and not start to panic until the summer.

What can I say to those who have not yet taken the ISEB exam? Despite my very considerable experience in applying common sense to problems that popped into my email box at work, the exam is not just focused on common sense. It’s focused on the wording of the 1998 Data Protection Act – that remarkable piece of legislation that will celebrate its 14th birthday on 16 July. And you know what 14 year olds can be like. Sometimes you just can’t understand a word they say – without professional help, that is.

Who can clearly remember as far back as July 1998? Well, who can forget The Spice Girls, who went to the top of the charts with “Viva Forever” at the end of that month? Or perhaps you prefer to recall the single “Three Lions 1998”, reworked by David Baddiel, David Skinner & the Lightning Seeds from their Euro 96 success? Unfortunately, the England Football team's success didn't reflect the song either time. I plan to have much more to celebrate when I get today’s result.

Anyway, what can I say about this experience? Well, it’s hard work. There is a lot to know. You can’t just wing it. No matter how experienced you are. But, having done it, I feel it ought to be valued to a far greater extent than it currently is.

If there’s anything useful to come out of that Regulation, it’s a wakeup call to data controllers to get their houses in order and to understand the data protection landscape. One of the biggest challenges, though, is that controller’s don’t fully understand their regulatory responsibilities, because it’s so low down on so many people’s risk radars.

As we’ve seen, the ICO is determined to do something about that, but is the message getting into the Boardrooms? I think there’s a long way to go. I also think that when the penny does drop about the significance of the issue, all of the data protection training firms are going to be swamped with applications to educate and help certify staff.

If I were a canny student, wondering where the next “job for life” were to emerge from, I would take a close look at issues relating to information risk management. Corporate reputations are so easy to lose should any sloppy practices or sneaky stuff come to light, and the scarcity of people with hands-on date protection experience, and a certifiable level of knowledge, ought to put them in a great position.

From my perspective, pass or fail, it’s been a great financial investment – and one that I’m sure will prove to be far more lucrative than wagering an equivalent amount on Neptune Collognes, who was this year’s Grand National Champion, coming home at odds of 33-1.

If you do take this data protection stuff sufficiently seriously, I do urge you to have a word with Chris Pounder and Sue Cullen over at Amberhawk and ask them how they can help you prepare for the ISEB exam.

You know it makes sense.

Source (And no, this is not marketing...):


Tuesday 24 April 2012

Cookies: A new initiative from the Commission?

What measures could the European Commission next take to make European web masters wake up and realise that they absolutely have to observe the new cookie rules? Rules are rules, after all. Even European ones.

So, if I were an oik in the Commission, I would strongly urge that Jose Manuel Barosso, the current President of the Commission, exercised his reserve powers to force the European Broadcasting Union to accept a late entry for the Eurovision Song Contest, which is to be held between 22 and 26 May in Baku, Azerbaijan.

Spookily, the day after the final is held will be the first anniversary of the supposed coming into force of the cookie consent rules. And there aren’t going to be many television audiences much larger than those watching the Eurovision Song Contest that the Commission can reach out to and engage in the next few months.

So, I thought to myself, wouldn’t it be a tragedy if another year were to pass with as little movement on the actual implementation of the rules as the first year has experienced.

"Tragedy" – yes – that’s a good name for a song. But the Bee Gees got there first, so my little ditty is called something more apt.

Given the fact that British television channels are currently screening “Britain’s Got Talent” and “The Voice” every weekend, there aren’t many vocal coaches available to get the very best out of our singers – which can comprise, say, 4 of the most presentable Data Protection Commissioners around. You can choose the top 4 – I’m going nowhere near that subject. But I do hear that Cheryl from Bucks Fizz is available to coach the group– and she’ll be great as she can also be a consultant on the costumes and the choreography, too. She’s got form with Eurovision, that girl.

The name of the group is obvious – "The Commissioners". And the lyrics – well, what about these as a starter:


Here I am
In a cold and dirty part of town
Once held in awe
Now my words they ignore, I slowly drown

What’s the point
I’m making no headway in this joint
I really should be leading you, leading you
Telling you just what to do

My motivation’s gone and I can’t go on
It's apathy
When regulation cries and you don't know why
I do declare
That no-one has noticed we’re getting nowhere

Users lose control and Google gets their soul
It's apathy
When your laptop shows you what to buy and you don't care why
I want to swear
Since no one has noticed we’re getting nowhere

All my working hours
There's a need right down inside of me
Oh, burnin' lust
I’ll force you to get consent for your cookies – yes you must

Advertising ones
And performance too
Even the spyware
That records everything we do

My motivation’s gone and I can’t go on
It's apathy
When regulation cries and you don't know why
I say a prayer
That someone must notice we’re getting nowhere

Users lose control and Google gets their soul
(Repeat to fade)


Tragedy, the brilliant song from which my lyrics have been lovingly ripped off, was written and recorded by the Bee Gees, and included on their 1979 album Spirits Having Flown. The single reached number one in the UK in February 1979 and repeated the feat the following month on the U.S. Billboard Hot 100.

Image credit:


Monday 23 April 2012

Dogs and the data protection principles

In the final run up to my ISEB exam on data protection, I am finding it hard to concentrate fully on work-related matters. Other friends of mine are busy revising for exams run by the International Association of Privacy Professionals, which will also be held on Friday. So, I suspect that quite a few of us are more than usually concerned at data protection-type issues this week.

My mind is running wild, and, as a revision exercise, I’m constantly linking everything I do with the obligations in the Data Protection Act. I’m asking myself what Data Protection Principles are particularly relevant, and whether and how any of the Act’s exemptions might apply. Sad. But can it be helped?

Last night, for example, a friend came over for dinner – with her dog. So, naturally, my thoughts turned to how the Data Protection Act might be applied to dogs. This is what I came up with:


1. Dogs shall be treated fairly and lawfully and, in particular, shall not be handled unless-
a. at least one of the conditions in Schedule 2 is met, and
b. in the case of the handler’s children, at least one of the conditions in Schedule 3 is also met.

2. Dogs shall be obtained only for one or more specified and lawful purposes, and shall not be further treated in any manner incompatible with that purpose or those purposes. (They are not just for Christmas).

3. Dog food shall be adequate, relevant and not excessive in relation to the purpose or purposes for which dogs are handled.

4. Microchips shall be accurate and, where necessary, kept up to date.

5. Fur and claws shall not be kept any longer than is necessary.

6. About the rights of dogs e.g. They have the right to have fleas about them removed.

7. Appropriate collars, leads and muzzles shall be used to prevent unauthorised or unlawful biting and prevent accidental loss or destruction of, or damage to, other dogs or handlers.

8. Dogs shall not be transferred to a place outside their familiar area or territory unless that area or territory ensures an adequate level of protection for the rights and freedoms of dogs in relation to their welfare.

Wishing all fellow data protection candidates the very best of luck as they sit their exams on Friday!

Image credit:


Sunday 22 April 2012

Another rumour from the Westminster village

Word is reaching me of an interesting rumour sweeping Westminster. Someone is apparently running a book on the identity of the next European Commissioner to run DG Justice, when the term of office of the current incumbent, Viviane Reding, expires.

Bets are apparently being wagered on the probability of Viviane being promoted to the role of President of the European Commission, and today’s front runner to succeed Viviane Reding is the very popular Dutch politician, Neelie Kroes, who is currently the Vice President of the Commission responsible for the Digital Agenda.

However, around the same time of the reshuffle, David Cameron, the British Prime Minister, is expected to appoint a new European Commissioner, too. It’s understood that this will be to reward that particular individual for their years of faithful service to the British Government. That person will have had enough of Britain by that time. Or, Britain will have had enough of them. Anyway, being British, I would hope they’ll only be satisfied with a big job, running a big department, when they actually get to Brussels.

So, in honour of these rumours, I’ve penned this little ditty:


No-one yet knows
If Neelie Kroes
Will get DG Justice
When Viviane goes.

Neelie’s clever, Neelie’s quick
She likes the open web and Arabic
Frequently clad in designer clothes
Wonderful teeth, painted toes.

So, what will our Neelie do
When you know who
Finally gets permission
To rule the whole European Commission?

Let’s all plead with Neelie to stay on
And flourish as our data icon
For we must hope and we must beg:
It must be Neelie - not Nick Clegg.


Friday 20 April 2012

Progress on “that” Regulation

The recent news that the Article 29 Working Party is concerned at the costs of enforcing the proposed General Data Protection Regulation prompted me to wonder how the (fictional) Headmaster of St Berlaymont’s College (pictured) might respond to a similar situation.

Perhaps he might write a memo like this:

To: Senior Prefect(Justice)
From: Headmaster Rumpoy

Subject: Next College Production

Dear Viviane

Your house mistress has spoken to me because she is very worried about the state of the preparations for the next college production of “Hector, the Perfect Data Protector”. I am grateful to you for volunteering the members of your house to mount the production, but after hearing what she has had to say, and after having kept my ear to the ground over the past few days to pick up other rumours, I am also getting increasingly concerned at the evident lack of progress.

I would have hoped that, by now, you would have finalised at least the first proper draft of a script, so that the other members of staff can decide whether it’s an initiative they really want the college to support. But I hear you have run into difficulties. I have been told that while you circulated a rough draft in January, everyone who has seen it has found different ways to criticise it. It still hasn’t got a proper beginning, middle and end. The jokes are poor, the songs are awful, and it really doesn’t properly reflect the cultural diversity that our college takes pride in demonstrating to the other schools.

You can’t just take something that young Angela M wrote a few years ago, and expect the rest of the college – or the schools in the surrounding neighbourhood - to appreciate it. You have to cast your net much wider. I want bigger parts for many more students. It’s not just meant to be a soliloquy, you know. If you can’t write a big enough role for each of the 27 students under your care, then I’m going to have to ask another prefect to submit a script.

You also have to be mindful that a number of the students in the production will be entering other talent contests over the coming months, and I don’t want you saying or doing anything that will harm their chances in those competitions. Obviously, these pupils care about the good name of the school, but they all have their own self interests at heart, too. They’ve got to win their own local contests, as well as make sure that the college has a critically acclaimed hit. Otherwise you’re going to have new students arriving just before the production is to be staged, and that will require you to do some re-writing to reflect the personalities of these new students.

I am also very concerned about the budget for the project, as it appears to be extremely expensive, even though you haven’t submitted a detailed breakdown, yet. Where do you think the money is going to come from? You know that the school hasn’t got much money. We are still we paying the bills from last year’s production of “Grease”, and I have no idea when those creditors will stop writing to me. Your proposal to fine parents 2% of their annual salary if they arrive late to take their seats simply won’t work as a way of raising funds. It is highly irresponsible to budget on the basis that some people will not turn up on time, and it’s not fair that they should pay for the entertainment that will be provided to everyone else. We cannot know, in advance, just how many parents will turn up late, but we have to know, in advance, financially just what we are letting ourselves in for.

And, you’ve been so rude to our corporate sponsors recently that I don’t think they’re going to be willing to stump up funds for a Facebook page to promote it this time.

I want to see you, in my office, after prep tomorrow night so you can tell me why your proposals are so good, and why the rest of the college staff – and all the parents - are going to like it. I still haven’t shaken off the blame for the chaos that was caused when the Catering Department tried out that new cookie recipe recently. No-one liked them, and cook still can’t work out whether he followed the instructions properly, or not.

I’m not going out on a limb to support this show, you know. I want my impending retirement party to be known as a sad event when a well loved headmaster left the college. I don’t want people to feel glad to see the back of me because I made them sit through a turgid production, that no-one understood, or liked, and which almost bankrupted the other college departments that had to pay for the costumes and the sets.

If I’m not happy, it’s not going ahead. We’ll arrange to show a good film, like “Titanic”, instead.



Image credit:


Thursday 19 April 2012

Revealed – the list of British data protection events

The best kept secret in town is about to be revealed. Believe it or not, there is a web page somewhere on the internet that sets out to list forthcoming events that are likely to be of interest to members of the British data protection community. And, there’s another web page that contains an archive of recent events, so you know what you’ve missed. It was created at the end of February, with no publicity at all, and is now ready for a little more public exposure.

The aim is that conference organisers will use it to check whether the event they are planning is likely to attract the right sort of delegates, given other events that are also being planned around that time. And, it is hoped that data protection officers will use it as a sort of social diary to check when they are next likely to bump into their friends.

The archive already records 24 data protection events that have been held since the end of February. But all is not lost – there are another 21 data protection events that have yet to take place in 2012. And more will be added to the list, as the owner of the website gets to learn about them.

Please feel free to check back every now and again to see what’s being arranged. And, if you are a conference organiser, please feel free to get in touch with the owner of that website to ask for your event to be listed. It’s a free listings service, so if you ask nicely, I’m sure details of yours will be promoted, too.

If nothing else, it gives ammunition to those who argue that we Brits really do care about data protection. After all, if we didn’t care, then why are so many events being held - if not to meet the obvious needs of those who are evidently very happy to attend them?

The only downside, as far as the event organisers are concerned, is that it might give me the opportunity to create an awful limerick or two in honour of the efforts that some of them take to spread the data protection word. So, you have been warned – if you are keen to arrange data protection events, you may well be on the receiving end of doggerel as awful as this:


Those attending a Speechly Bircham data protection webinar
Will encounter an experience quite spectacular.
They’ll hear Robert Bond and his chums
Offering positive outcomes
Improving their knowledge of stuff that was previously quite granular.


Tuesday 17 April 2012

Dealing with requests for personal data

I had problems sleeping last night. Probably due to more revision for my ISEB data protection exam, which is coming up shortly. Around midnight, I even set myself a test, asking what personal data I would supply either to Viviane or to Kathy should they make a valid subject access request, seeking a copy of their personal data which was contained in this imaginary memo, found on the hard drive of St Berlaymont’s College(pictured).

I thought that might set me to sleep.

But it didn’t.

Tell me, if you were the acting for the data controller of St Berlaymont's College, what personal data would you supply to either applicant under current data protection rules?


To: Headmaster Rumpoy
From: Head of Talent (6th Form)
Subject: 6th Form Prefects

Dear Van

I‘ve been reviewing the recent performance of a couple of our prefects, and I need to make an urgent recommendation that their duties be reviewed, as they are both currently supervising teams that are quite unsuitable for them.

Viviane, looking after the students in the Justice house, really is a bright girl, and I predict that, with a fair wind, she’ll have a good future ahead of her when she leaves the college. I would go so far as to predict that she is so popular that you had better look out for your own job, in a few years’ time! The trouble is that her talents are wasted looking after the students in that house. None of the projects that any of the students are working on are very inspiring. One project, on an obscure bit of the data protection curriculum, is causing mayhem among everyone else who gets to know much about it. There’s little direction to the project, no-one seems to know what the college actually wants to get out of the project, and, frankly, no one will be that bothered if it were to be quietly dropped. It's a real dud. But Viviane has guts and charisma and deserves to shine by being given a more useful responsible role.

Kathy, on the other hand, looking after the students in the Foreign house, looks quite out of her depth. She’s had an awfully hard job to do and many of the students are ignoring her. She has little presence or charisma. This is a real shame as lots of the students don’t speak her language very well, so she faces real difficulties exerting any proper authority over them. She's got fewer Facebook friends than even you. She’s also required to deal with an awful lot of yobs who don’t belong to that house, but insist on being visited in their own homes. Things could really go pear shaped if Kathy were to cause any offence to anyone, or fail to discipline them as they would expect.

As it’s really important that we handle the Foreign students properly, and show a bit more leadership to the surrounding schools, I’m recommending that you arrange for Viviane and Kathy to swap their current responsibilities. No-one will mind (or even notice) if the students in Justice stop their current privacy project, but I really wouldn’t want Kathy to be responsible for nuclear war breaking out somewhere in the world just because she failed to impose her authority over some foreign oik. She was only given that job because of that awful Brown man who wanted to ensure that Foreign was as ineffectual as possible. Now he’s well gone from the scene, I don’t think anyone’s going to complain if Kathy is moved on.

If you agree to this recommendation, I’ll ask matron to supervise them as they swap their bedrooms after prep tomorrow evening. You can make the announcement to the entire college during tomorrow morning’s assembly.


David C

Image credit:


Sunday 15 April 2012

Cookie (Non)Compliance: Is the Commission getting concerned?

If I were a humble oik working for DG Justice in Brussels, I would propose that Commissioner Viviane Reding sent a stiff memo to her fellow European Commissioners and to all European Data Protection regulators, just like this:

Right you lot, listen in.

I’m writing this email myself, rather than having it drafted by one of my flunkies, to explain to you just how unhappy I am. And you’re going to be unhappy too, unless I see some positive action – and fast.

Many months ago, we delivered a perfectly decent package of reforms on telecommunications to our European citizens. One part of those reforms included a requirement for you all to get your fingers out and implement new cookie rules on your websites that were supposed to be in force from 25 May 2011.

I say “supposed to” – regrettably, many of those on this distribution list are backsliders who have been so slow to pull their fingers out that the Commission is turning itself into a laughing stock.

What’s the point of me working on data protection reforms, creating additional fundamental rights for European citzens, and then introducing legislation to ram them home when you lot can’t be bothered to implement the stuff that’s already on the European statute book? You’ve taken so long to pass these rights on to the citizens that European data controllers have realised that they’re entitled to some fundamental rights too. And, as you know, I’m determined not to allow them to exercise many of those rights. They get in the way of what our citizens “want”. And remember, come the next elections, its only “citizens” that will be voting. Not “data controllers”.

Don’t give me all this rubbish about it being the duty of Member States to implement legislation that the Commission has simply proposed. That won’t wash. We all know where the real power lies. And you’re going to be looking around for other jobs soon, unless you can demonstrate how effectively you can exert the powers you’ve actually got.

And, why are so many of you continuing to encourage your internet users to follow you on Facebook and Twitter just when I am trying to give these organisations a stiff kicking for not implementing effective privacy safeguards?

How on earth am I supposed to be taken as a serious candidate for the position of President of the Commission when you lot won’t deliver as you’re expected?

In a few weeks time, European institutions are going to be humiliated - again. The Eurovision Song Contest will show the world that many of our most entertaining singers are a bunch of tuneless wasters, with no dress sense and no future in the music industry. The following day, Europe will wake up to the first anniversary of – basically – insufficient action implementing the new cookie rules. I am turning into a figure of fun. People are going to stop sniggering behind my back, and instead they’ll be laughing in my face as I explain to them how keen I am to implement new data protection reforms before my current term in office expires.

So, I’m taking some action. You’ve had over a year, and now it’s my turn.

Today, I’m ordering UK Information Commissioner Christopher Graham to review the websites of each European Institution – including all Information Commissioners websites – and that of the European Data Protection Supervisor – and I want him to give each institution marks out of 10 for the current state of their compliance with the cookie rules. I’ve appointed Graham for the task as the ICO is the most senior regulator to have appeared to have got it close to being right.

To ensure that no-one cheats, I’m instructing Graham to take a copy of the current explanations as they appear on your own websites at 12 noon today.

I want Graham’s assessment, on my desk, by 5pm next Monday, so that I can review it while I’m having my hair done.

Those Commissioners who score less than 6 out of 10 will be required to pass to me, in their own handwriting, their punishment lines by Wednesday lunchtime. They will be expected to write “I will deliver fundamental rights to European Citizens, whether my organisation likes it or not” 10 times in each of the official languages of the 27 Member States of the European Community.

Any Commissioner who hands in lines containing spelling mistakes, or illegible writing, will be required to repeat their punishment and hand in their new lines by Friday lunchtime.

Once all Commissioners have delivered on the cookie requirements, I’ll instruct the Commission engineers to turn on the air conditioning in the rooms that will be used in Cyprus over the summer to reach unanimous agreement on my proposals for reforms to the current data protection rules.

You have been warned.

Now, get your fingers out, and start delivering.



Inspiration for this blog came from a chum who was concerned that Regulators sometimes found it hard to practice what they preach. He wondered if I had ever reviewed the privacy policies for the UK ICO and EU data protection sites. As far as he was concerned, the EC DG Justice and European Data Protection Supervisor’s sites seem not to be complete, especially on cookies. He considered that the UK ICO seems thorough enough on cookies. I must say that I am warming to the idea of a Citizen’s Panel to audit compliance with the rules they expect others to follow!


Wednesday 11 April 2012

The benefits of reporting on data breaches

What is the point of reporting data breaches to the regulator? This was the question I asked an eminent academic yesterday – and I was quite surprised with the answer he gave.

The opportunity to ask the question arose at the end of an interesting briefing on the problems associated with disposing electronic data. An organisation –the Asset Disposal & Information Security Alliance has recently created a standard to certify companies in the IT Asset Disposal marketplace. The UK IT Asset Disposal market is largely unregulated, highly competitive, with no barriers to entry, and offering huge differences in the quality of service provided. It operates in an environment where there is little awareness of the real data protection issues, a weak or non-existent value proposition, characterised by a significant degree of illegal exportation of data held on IT assets to organised criminal gangs in third countries. (This is why an 8G iPhone 3G with 4G of data sells for more on the black market than a 16Gb iPhone 3G with no data on it.)

And that’s just the UK. There are no genuine global standards and there are no genuine global suppliers.

Not nice. Which is why so few people in businesses feel that it’s actually “their” duty to care about what happened to data once it’s left their premises. Is it a data protection, a legal or a procurement issue? Who really checks to clear the memory caches in the photocopiers before they are returned to the leasing company? Or carries out audits to ensure that the corporate data on laptop hard drives and servers really is destroyed before the devices find their way onto eBay?

Anyway, back to the plot. One of the speakers at this event was Professor Andrew Blyth, from the University of Glamorgan. His work (for various reasons) means that he is very familiar with the data breaches reported to the ICO, and particularly about the data breaches that occur in the National Health Service.

view on data breach reporting within the NHS is that the sheer volume of data breach reports has had an effect on the NHS. It’s removed the stigma of breach reporting, as everyone is now doing it. And, in removing the stigma, media interest in breach reporting has reduced, too. A few years ago, the media used to pay great attention to his comments on the significance of data breaches. Now, they are far less interested. We are now, apparently, much more grown up about the issue.

As far as the extent to which breach reporting is having a positive behavioural effect, Andrew pointed out that there are signs of a change in culture within the NHS, but it’s a long, uphill struggle and has to be seen as a long-term initiative.

Andrew also pointed out that he saw privacy issues impacting generations in different ways. With younger people living increasing amounts of their lives on-line, and being more prepared (when compared with older generations) to trade their personal information with a data controller for “free” access to an on-line service, data breaches apparently meant increasingly less to them.

At least for now. Perhaps, when their credit cards or passwords have been compromised for the umpteenth time, they’ll be less sanguine.

So, the message is that breach reporting is of use in facilitating behavioural change, but it should not be expected that cultural transformations will occur overnight. It’s a long haul. For those companies that already embrace a culture which puts privacy at the heart of its operations, then compulsory breach reporting may have less of an effect in encouraging behavioural change.

Data breaches will always occur. As do fires, thefts, and industrial accidents. If breach reporting helps reduce the volume of incidents, then all well and good. But, so far, no-one has carried out any research comparing levels of data breaches in environments where breach reporting is, or is not, encouraged. So there is no objective evidence yet which establishes the true value of breach reporting.

There could well be a PhD in this area of academic research for someone, if they really wanted to look into the issue.

Image credit:
Today’s image was taken at the reception after the event, which was held at the top of the BT Tower in Central London. The Victorian "H" shaped building with the short green roof connecting both main wings, close to the foot of the tower (and in the centre-left part of the image) is actually an extremely significant object. Now a derelict former NHS psychiatric clinic, it was originally built as a workhouse. Just 60 yards down the road, at 22 Cleveland Street, (next to the building with the very pale green roof at the centre-top of the image, opposite the large brown parcel of land) lived as a youth the author Charles Dickens. So, what you are actually looking at is an unusual view of the workhouse, made famous in his novel, Oliver Twist, written when Dickens was 26 years old.


Tuesday 10 April 2012

What is it about data protection, European politicians and plagiarism?

London buses occasionally appear in packs. As do European politicians who run into trouble over plagiarism accusations. They may be busy guys, but they really ought to properly credit their sources. Actually, I’m posting this blog with a sense of irony, as I seem to spend increasing amounts of my time these days on the concept of creating a common data protection language, so data controllers can be persuaded to use common words and phrases to describe common types of processing operations, and offer users common sets of choices. Which ought to be a good thing. And all this is with the blessing of our political (and regulatory) masters. So, it’s with a sense of rough justice that I refer to some politicians who like to share the same language when expressing opinions – but who don’t receive the same degree of respect from the rest of us when this happens!

In the spate of just a few weeks, Hungarian President Pál Schmitt announced his resignation, as a plagiarism scandal around his doctoral thesis unfolded; EU Regional Policy Commissioner Johannes Hahn (from Austria) has been asked to explain how an expert group could have found 76 cases of plagiarism in his 1987 doctoral thesis; while Germany’s Defence Minister Karl-Theodor zu Guttenberg faced a plagiarism scandal over allegations that he had lifted passages of his law dissertation without correctly attributing them in footnotes or bibliography. Apparently, Guttenberg wrote his dissertation for the University of Bayreuth in 2006, receiving the top grade of summa cum laude. It was published under the title, "Constitution and Constitutional Treaty: Constitutional developments in the USA and the EU." With a subject like that I can understand why anyone might be tempted to seek inspiration from a variety of sources. But, for the sake of fairness, I’m sure he made lots of it up all by himself, too.

At least European politicians are educated folk, with time on their hands to address weighty academic issues. I’m not sure that academic research is an essential prerequisite of today’s British politician. A private education probably helps, but intellectual brilliance isn’t always required.

To those who are tempted to lift my prose from these blog pages – please feel free to spread the word as widely as you can. But remember, thanks to Google word search, it’s pretty easy these days to find the sources of most of the good stuff. So if I am copied, please credit me.

And I’ll do my best to respect those who inspire my words, too.


Image Credit:
It's not what you think. Really.


Friday 6 April 2012

Will this new survey shock the European Commission into inaction?

Stunning news has just emerged from Ofcom, Britain’s independent regulator and competition authority for the UK communications industries. It’s likely to shock our chums in the European Commission, who are busy working on introducing better data protection safeguards for those who want to live their lives on-line.

Remember, the Commission has been betting the house on the requirement for introducing uniform ultra strong regulatory safeguards within (and outside of) Europe, as this is what is apparently required to foster greater confidence in the use of on-line services.

The trouble is that British consumers probably don’t need the Commission’s help to ramp up the regulatory safeguards to enhance public confidence levels. They are actually getting less concerned as they use the internet more. Perhaps European citizens don’t need a Euro nanny state, after all.

For those who don’t like to face the hard facts, please don’t read the next two paragraphs.

Concern levels have been dropping steadily since 2005 to 50%, from 70%. Online confidence was at 84% at the end of last year, with 79% of adults going online on any device in any location, up by 20% from 2005. Social networking is continuing to grow in popularity, with more than half (59%) of adult internet users saying they now have a profile on a social networking site. The increase has slowed, with a rise of five percentage points since 2010 compared with increases of 10%in 2010 and 22% in 2009. Among those with a profile, 67% say they visit every day, up from 30 per cent in 2007.

Yes, of course an element of risk is still present. A quarter of social networkers (26%) say that their personal information could potentially be seen by people they do not know, and 16% say they share their contact details with anyone or friends of friends. Two-thirds (61%) only allow friends to view contact details and a further 13% say they do not have this information on their profile. One-third (31%) of people are still willing to put their credit or debit card details on websites compared to 28% in 2005. However, users are increasingly looking for security signs like padlocks and system messages, up from 43% in 2005 to 56% in 2011. The number of adults turning to the internet for information about public services has risen from 49% in 2005 to 68% in 2011. Those aged over 65 are less likely than other age groups to be online.

Now, with confidence levels as high as this, we really do need to ask whether the current data protection regulatory environment actually is as bad as all that. Of course, like anything, it could be improved, but would the regulatory world cave in if the current proposals had to be withdrawn because they were hopelessly over engineered?

I think not.

So I won’t be losing any sleep this Bank Holiday weekend, fearing Armageddon if the Commission’s proposals for a new set of legal instruments on data protection were to collapse, to be replaced with a more workable set of proposals some time in 2015. That might even be a good thing.

To echo one of the themes of the 1979 Monty Python film Life of Brian (pictured) and the 2005 musical Spamalot: “Always look on the bright side of life.”

Happy Easter.


Picture credit:


Thursday 5 April 2012

The ICC clarifies the cookie conundrum

Those clever folk over at the London Chapter of the International Chamber of Commerce have just published a cunning plan which sets out, in simple terms, what it is that web masters could do to implement the cookie rules. The guidance, because of its universal application, ought to be capable of being followed by webmasters anywhere around the world. In my humble view, it’s a really helpful nudge in the right direction, and I’m looking forward to seeing how the concepts it introduces begin to embed themselves into standard business practice in the fullness of time.

The concept is pretty simple – to classify cookies into 4 categories, and then to give internet users some control over how cookies from these categories could be used to provide them with the sort of on-line experience they are looking for. The hope is that increasing numbers of web masters will use a standard classification system, and consequently develop a standard form of words to explain these concepts to internet users.

When the same message is repeated over and over again, it can sink in. It’s how we learnt our multiplication tables and the Green Cross Code. It’s why we “clunk click, every trip”, and realise that the value of our investments can go down as well as up”. It’s also a helpful way of explaining stuff that almost no-one can understand, but occasionally needs to compare. For example, I have no idea what rocket science is used to calculate an APR when I want to borrow some money, but as every lender is forced to go use the same calculations, I can compare interest rates offered by competing lenders.

So, it is expected, internet users will gradually develop a greater understanding of what goes on behind the scenes when they access internet sites. Thus, their cookie preferences will become more meaningful. And lo, the digital economy will thrive and greater prosperity there will be for all. Halleluiah.

But I must not sound too cynical. I’ll concentrate on the good news today, which is that the ICC have published this great guide which, when applied, really does offer internet users a richer understanding of a web site’s ecosystem. Whether internet users, having been sufficiently informed about what’s going on, will actually change their behaviours in ways that make it harder for web masters to deliver information and services to them, only time will tell. We’ll have to wait and see.

The just as good news is that this ICC guidance does not just appear in theoretical form. If you want to see how it works in practice, take a squint at the BT website ( I am impressed at the way the ICC has gone about its task to educate internet users, and at the clever way it has worked with a great company like BT to show what the user experience could look like.

The ICC has risen to the challenge. It’s taken an unwieldy piece of legislation and has tried to make sense of that it was the legislators were probably trying to say. Well done.

Now all the Member States who haven’t yet got around to implementing the cookie rules have to do is follow the leadership that’s been shown by this initiative. That’s right. All they need to do is to copy the Brits, and common sense can return to the digital community.



Wednesday 4 April 2012

Cookie latest: Keep calm and carry on

It’s official. I heard it myself on Monday afternoon directly from the Minister, Ed Vaizey, and the Information Commissioner, Christopher Graham.

They were both headlining a big cookies event, at the offices of the Department of Culture, Media & Sport. The DCMS is a pretty posh venue to use – I mean, who else can announce, without a smirk on their face, that no fire drills are expected during the event, but if one is activated, everyone should pop outside and regroup just across the road, in the middle of Trafalgar Square!

Anyway, back to the plot. The key messages were pretty clear. The Minister, after apologising for the blocked men’s loos, was keen to point out that that, we are talking about something which has turned into law, so businesses do have to find an effective and common-sense way of implementing it without causing too many problems for themselves or their customers. Customers need not be overwhelmed with choices or information they didn’t want (and therefore probably wouldn’t read). But, information ought to be available for those (those happy few) who wanted to read all about it.

Ed Vaizey
also pointed out that “consent” did not actually mean prior consent, and explained that the word “prior” had deliberately been removed from earlier drafts of the legislation, presumably to make this clearer. That view will probably cause some healthy discussion among the most dedicated of data protection professionals – but for me I’ll wait until the courts issue their own determination. Ed Vaizey was also keen to ensure that the digital advertising community (the UK has the second largest online advertising market in the world) should not discourage innovation, but it should still respect privacy concerns. Targeted advertising needs to be done right. We have to find solutions which engage users, and other speakers outlined their cunning plans to find solutions to give users more opportunities to exercise their options.

While the audience were probably encouraged by Ed Vaizey’s remarks on the (absence of a) requirement for prior consent, they were probably less encouraged by his view that analytics cookies were not those which looked as though they fell into the Strictly Necessary category (ie the category for which no kind of consent is required from the user). Christopher Graham shared the same view on the need for consent for analytics cookies, despite the French Data Protection Authority holding a different view. But the Commissioner did announce that the Article 29 Working Party was likely to issue an opinion which touched on this point at some time in the future. Presumably, all of the regulators will be locked in a room, and they’ll only be let out when they disagree with the French.

Presumably the CNIL will be persuaded to change their minds – perhaps after the forthcoming French Presidential elections, when the votes of French web masters will matter less.

Christopher Graham was also quite frank about the practical issues facing those who have already tried to comply with the rules – and really wasn’t suggesting that web masters follow the “clunky banner” approach initially adopted by the ICO. But, the ICO was one of the few organisations that really had to comply from day one. Otherwise, Christopher Graham would have had to report himself – to the ICO. So a quick and dirty solution was absolutely necessary.

But let’s be clear. He’s a regulator and the Minister (while not apologising to anyone for creating it) pointed out to us all what the law is. So, we need to be seen doing things to comply. We are not going to be permitted to slope off behind the regulatory bike sheds for a quick smoke, hoping to evade the entire exercise. It’s not like a school sport’s afternoon. The European Commission would really have a sense of humour failure if that were to happen.

So, we need to be doing stuff. In media speak, we need a narrative. Web masters need to decide how to comply in a responsible and proportionate way, and then they need to provide (or be capable of providing, should the information request come) assurances that the good work that has started will continue. Otherwise, the game’s up.

But, we must also watch the Commissioner for his actions as well as his words. We’re probably lucky that analytics compliance is probably not at the top of the Commissioner’s agenda, right now. If he loses sleep at night, it must be about the much more harmful activities that he and his team are currently preventing and detecting.

There is a shining star, and I’m determined to mention them today. If you want to see how this cookie stuff can be done sensibly and proportionately, take a squint at what our chums at British Telecom have achieved. Their website ( really does set the standard. It makes you proud to be British. No wonder they were allowed to become a sponsor for those summer games that are being held in London over the summer. I’m not sure if I’m allowed to mention the Olympics, so I won’t.

If I were a betting data protector, I would expect to see increasing numbers of folk pointing to the BT website soon and asking when all proper websites will be like that.

Another issue that came up (as it always does), is about how sensible web masters can provide information to users in ways that encourage them to want to know what’s going on, and even offer their consent (whatever that means).

Georgina Nelson, the great privacy lawyer from Which? Made the very sensible point that no-one wanted to read a privacy policy that was even longer than Hamlet. Yes, I agree. But how do we develop a language that is sufficiently engaging for web users? Well, as I’ve demonstrated on previous occasions, the Bard I ain’t. I did think setting a cookie policy as a sonnet. But I ran into trouble cramming it all into 14 lines. I didn’t even bother trying to set it as a Haiku, which is a Japanese lyric verse which contains just three unrhymed lines of five, seven, and five syllables.

In desperation, and in honour of Georgina, I’ve written a cookie policy in the form of three limericks – totaling some 15 lines. I’m not sure just how (un)compliant the ICO feels it is, but I would be very happy to publish anyone else’s efforts!


If you want to know what we do with your data
We will tell you a little bit later
We use cookies to find stuff
Of which you can’t get enough
And targeted adverts to tell it to you straighter

We actually think you would want to consent
To see our web site as it was really meant
Just configured for you
With a background in blue
And a special discount on your favourite scent

To those who say “Oh my
Those consent rules - how do you comply?”
With simple writing and prose
We explain what we think everyone knows
So your approval we can mostly imply


Sunday 1 April 2012

My political lobbying has paid off!

I’ve just had my letter from party headquarters, formally appointing me as their candidate for the next election to the European Parliament. It’s taken a lot of lobbying, but it’s been worth it. Power awaits. Soon I won’t just be creating this blog – but I’ll be developing ever more creative and culturally appropriate policies for those that have put me in such a responsible position.

You are probably aware that the next set of elections to the European Parliament are to be run using slightly different rules. This is because it’s been noticed that while the current arrangements produce politicians who represent geographic districts, they don’t produce politicians who necessarily have any experience in vital (but obscure) areas of policy. So, as well as geographic constituencies, there is to be a top-up list of candidates who are to represent particular disciplines for what are to be known as “special constituencies.”

And, yes, I am delighted to announce that I’ve made it to the data protection list.

If enough of you vote for me, I’m going to be the MEP for data protection.


I’m off now to celebrate for the rest of the day. And I hope you all enjoy this special day, too.