Thursday 31 January 2013

Cookies: Was the ICO’s original approach too extreme?

An interesting announcement has recently appeared on the ICO’s website. Now, visitors will have to explicitly consent to a narrower range of cookies before they are set. This means that a wider range of cookies will be set automatically, which the user will obviously be able to delete, should they wish.

This is great news – not only for the ICO, who will be able to harvest very useful information about how users navigate the website, but also for those who argue that implied consent can, in certain cases, be just as valid as obtaining explicit consent, to process data lawfully.

The ICO’s public explanation for the change is interesting: We first introduced a notice about cookies in May 2011, and at that time we chose to ask for explicit consent for cookies. We felt this was appropriate at the time, considering that many people didn’t know much about cookies and what they were used for. We also considered that asking for explicit consent would help raise awareness about cookies, both for users and website owners. Since then, many more people are aware of cookies – both because of what we’ve been doing, and other websites taking their own steps to comply. We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.”

However, there was no mention of the difficulties that were caused to ICO staff, who found that hardly anyone had explicitly consented to the placement of cookies that fell outside the 'strictly necessary' category on their devices, so the ICO didn’t know whether much of the content that had been published on its own website was actually being read by many people.  Perhaps the original approach really was detrimental to the legitimate interests of webmasters.

Nor was there mention of any evidence of whether many people had actually realised, from the plethora of cookie warnings that have been plastered on websites everywhere since May 2011, what cookies actually were.  I suspect that the great British public has generally ignored this historic opportunity to learn more about cookies – and that they will be quite grateful not to have to click away at a snowstorm of warning notices before they get to the stuff they really wanted to access. If anyone has any evidence about how these notices have changed behaviours, I’m sure we would all really like to see it.

Sanity rules. And three cheers for that.

What we now need is, say, for good incident to arise which night cause a spat between different regulators. Perhaps a Dutch citizen, resident in Holland, could complain to the Dutch Data Protection Regulator that they had logged onto the ICO’s website and found that some types of cookies had been installed on their devices – cookies which, if they had been loaded by a Dutch data controller in Holland, should only have happened after explicit consent had been supplied.  That will keep the Sado Dataprotectionists going for a few more months.



Tuesday 29 January 2013

Data Protection Day divides London’s DP community

Yesterday’s ‘Data Protection Day’ was celebrated by London’s Data Protection community assembling at a variety of venues to discuss the obvious. Just like Washington DC, this town evidently isn’t large enough to host a single gathering.  From the Gherkin, where Rosemary Jay’s latest book was launched, to New Street Square, where others assembled for free drinks nibbles, and to a host of smaller bars, the talk was pretty much the same.

The proposed Regulation: what form a new legal instrument might take, when it might be passed, and what might be in it.  

Some discussions referred to last week’s Computers, Privacy & Data Protection conference in Brussels. A few of the more quotable quotes that have emerged from that event, which are worthy of further discussion are:

“We are in a climate of increasing co-operation between national authorities throughout the world. The challenges are switching from talking together to working together and achieving results together” Deputy Information Commissioner David Smith.

“There are legal restrictions on what we can share with other authorities” Deputy Information Commissioner David Smith when explaining some of the practical difficulties that face the ICO when working with other regulators to investigate certain DPA offences.

“The vacuum cleaner operates at full bandwidth” Gordon Nardell QC, when explaining how American intelligence agencies allegedly acquire internet data on people who are not US citizens. 

“Harmonisation cannot be seen as an aim in itself. You need clarity before its implemented” Christopher Woolf, Future of Privacy Forum.

"You can’t have an EU right to be forgotten and a Member States right to remember” Professor Gerrit Hornung, Passau University, commenting on the problem that fragmentation may bring if certain legal powers are not transferred to a central body. 

“Publishing all privacy impact assessments could mean that the assessments are reduced to boilerplate. PIAs must be able to be modified to allow for an element of retrospection.” Jean Gonie, Microsoft, commenting on the need for data controllers to be able to hold private discussions on the potential privacy implications of certain initiatives before a decision is taken on which option to adopt. 

“The Aretha Franklin approach to respect” Gordon Nardell QC, when describing the UK Government’s approach to respecting an individual’s right to privacy. (Aretha’s refrain throughout the song is ‘Respect – just a little bit’)

“We don’t want growth without principles. But we don’t want principles without growth”. Anonymous panellist.

“Privacy by Design is the ‘sustainable development’ of this era – no-one really knows what it means” Anonymous panellist.

“I’ll just stop for the sake of time” Anonymous panelist.

Image credit:


Thursday 24 January 2013

ICO continues to wield the fining stick

It’s official. We Brits have given up on winning the Eurovision Song Contest. We may still compete, but in our hearts we know we won’t win. However fear not, our proud nation has set its sights on winning another contest – the Eurodatabreach Fining Contest.

Our proud champions in Wilmslow have spent the last year limbering up and have started to levy fines that are calculated to impress even the Spanish Data Protection regulator.

Where will it end?

I’m not quite sure.

They ought to encourage a great deal more compliance. Fear matters.

And many more data controllers will be adding the ICO's David Smith to their Christmas card list, I guess.

But, if I had my way, in addition to monetary penalties, Chief Executives of organisations found  to have shoddy data protection practices should be required, as well as washing all the cars in the ICO’s car park, to write out the following ditty 100 times:

From the dongles I’ve tossed in the can, from the servers in Japan
From me mam to my gran, ev'ry woman, ev'ry man

I despair
Data keeps escaping everywhere

So hit me your fining stick, hit me, hit me
Je t'adore, ich liebe dich, hit me, hit me, hit me
Hit me with your fining stick
Hit me slowly, hit me quick
Hit me, hit me, hit me

Take our money if you must

Remember we’re a charitable trust
Show the world that you're no phoney
But don’t fine us as much as you’ve fined Sony


Image credit:


Wednesday 23 January 2013

Soundbites from the CPDP conference

On the Regulation:

 “[It] is not the most appropriate way to proceed… [It] contains some good ideas but they need a lot more work … we should bring in a whole bunch of new people with more expertise.”  Toomas Hendrik Ilves, President of the Republic of Estonia

“What will happen in 2013 is a defining moment for the proposal . It’s very challenging, but we hope to reach a political compromise by the end of the year.”  Francois le Bail, Director General DG Justice

“Core fundamental rights are not negotiable.” Jan Philipp Albrecht, MEP

“Data protection is not necessarily a Holy Grail if it provides a fig leaf for a lack of transparency in EU spending. No public money must be spent anonymously. Data protection means we don’t know where Common Agricultural Policy funds go – and these make up  40% of the EU’s budget.” Toomas Hendrik Ilves, President of the Republic of Estonia

 “[It] means we could be putting our application developers to a distinct disadvantage to those outside the EU… It will kill certain industries in the EU but this will come with no benefit, as these developers will simply move offshore. Toomas Hendrik Ilves, President of the Republic of Estonia

“We must not have a regulation that stifles innovation and puts such a burden on businesses.” Francois le Bail, Director General DG Justice

“The last thing we want is for the Commission to intervene all the time – but we want to make sure the decisions taken by the [Data Protection] Board are in conformity with the Regulation.”  Francois le Bail, Director General DG Justice

 “Consent is only one of several grounds for allowing for the lawful  processing of personal data – presumably the one you use when no other grounds apply.”  Francois le Bail, Director General DG Justice

“It is not the intention to limit international transfers of data.”  Francois le Bail, Director General DG Justice

 “We are ready to fight to give control back to consumers.” Kostas Rossoglou, BEUC

“Our role is not to facilitate more US business in Europe, but to encourage European innovation… We are very unhappy at the aggressive lobbying carried out by US firms in Brussels.”  Kostas Rossoglou, BEUC

“Trust is good. Control is better”.  Sophie In’t Veld MEP

On Cybercrime:

“You know how successful we have been at stopping physical crime, so you can guess how successful we are likely to be in relation to cybercrime… It is attractive to be a cyber criminal. The risks of getting caught are low and the potential rewards are very high.” Troels Oerting, Director of the European Cybercrime Centre at EUROPOL

“You are an old school loser if you are still planning a career in physical crime…. Hackers in China are paid by the gigabyte for what they are doing… The best way to improve infrastructure is by naming and shaming.”  Bart Jacobs, professor of Software Security and Correctness, Radboud University, Nijmegen

 “By a [EU/US] special relationship we mean circumventing due process.” Simon Davies, Privacy Surgeon


On Privacy:

“Privacy is so easy to look at and so hard to define”.  Peter Swire, Moritz College of Law of Ohio State University

Monday 21 January 2013

ICO wins historic civil monetary penalty appeal

All credit to the Panoptican blog for being the first to report on the result of the historic Central London NHS Trust appeal before the Information Rights Tribunal. This is an appeal about the power of the ICO to issue civil monetary penalties. The decision ought to be published on the Tribunal's website shortly.

In short, and in a unanimous 35 page decision, the ICO won hands down. Data controllers, be aware. Be very aware. 

What happened? Sensitive medical details were faxed to the wrong address on 45 separate occasions. In total, information about 58 people was unlawfully disclosed. After first agreeing to pay a Civil Monetary Penalty, and hoping that it would be less than £90,000, the NHS Trust then found 9 reasons why it should not pay the penalty once the Commissioner had formally decided that they should pay £90,000 (with a 20% discount for early payment). The Trust subsequently dropped one of these reasons, while the Tribunal dismissed the other 8.

Anya Proops, Counsel for the ICO argued that: "The primary purpose of the statutory penalty regime embodied in section 55A is not to ensure that contraventions are voluntarily reported when they occur but rather to penalise data controllers in circumstances where they deliberately or negligently/recklessly commit serious contraventions of the legislation, thereby promoting compliance with the Act (by that public authority and others)."

The Tribunal agreed. The key findings are:
"We ...find that a voluntary notification of a serious breach of the DPPs does not preclude the IC from investigating the breach with a view to issuing an MPN as well as taking other enforcement action.

[In relation to the other grounds of appeal] we find that the IC’s decision was in accordance with the law, and/or properly involved the exercise of his discretion."

Expect to see a wave of emails inviting you to attend emergency briefing sessions on the decision. From my perspective, there are 3 lessons that should be learnt:  
Don’t use fax machines to send sensitive personal data.
Pay whatever penalty the Commissioner decides.
Think very carefully before mounting an expensive appeal which, if you are a public authority, may well only deprive service uses of even more vital resources.


Image credit:


Vexatious requests

Occasionally, organisations hear from people who feel very strongly that their rights have not been fully respected. Less frequently, they embark on a course of behaviour that causes the organisation to consider what steps should be taken to protect the legitimate rights of their employer. Much less frequently, a call needs to be made as to whether there is a statutory obligation to disclose what has been requested.

The Information Rights Tribunal has recently issued more guidance on vexatious requests. While the behaviour at hand related to Freedom of Information legislation, I’ve wondered whether such guidance might also be relevant when dealing with Subject Access Requests.

According to the Tribunal: “The ICO has published a series of criteria which public authorities are invited to apply when considering this issue. Such guidance is undoubtedly helpful but, as the guidance itself recognises, a judgement as to whether a request is vexatious must not become a box – ticking exercise. Plainly, “vexatious” does not mean annoying. It represents conduct, here a request or requests for information, which bear no sensible proportion to the supposed objective. The proper objective of a FOIA request is the obtaining of reasonably accessible information of public importance. It is not to force the authority to change its policy through an unending battery of interrogation, to which the answers are irrelevant, in the sense that they will never stem the flow of requests."

How might this apply to Subject Access Requests? 

Well, the current law remains what was said in the Royal Courts of Justice back in December 2003. Yes, the Durant case.  The anoraks will be able to recite paragraphs 26-31 by heart. The highlights are:The intention of the Directive, faithfully reproduced in the Act, is to enable an individual to obtain from a data controller’s filing system ... his personal data, that is, information about himself ...  to enable him to check whether the data controller’s processing of it unlawfully infringes his privacy and, if so, to take such steps to protect it. It is not an automatic key to any information, readily accessible or not, of matters in which he may be named or involved. Nor is to assist him, for example, to obtain discovery of documents that may assist him in litigation or complaints against third parties. As a matter of practicality and given the focus of the Act on ready accessibility of the information - whether from a computerised or comparably sophisticated non-computerised system - it is likely in most cases that only information that names or directly refers to him will qualify. 

It follows from what I have said that not all information retrieved from a computer search against an individual’s name or unique identifier is personal data. Mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. 

Looking at the facts of this case, I do not consider that the information of which Mr. Durant seeks further disclosure - whether about his complaint to the FSA about the conduct of Barclays Bank or about the FSA’s own conduct in investigating that complaint – is "personal data" .. . Just because the FSA’s investigation of the matter emanated from a complaint by him does not, it seems to me, render information obtained or generated by that investigation, without more, his personal data. For the same reason, either on the issue as to whether a document contains "personal data" or as to whether it is part of a "relevant filing system", the mere fact that a document is retrievable by reference to his name does not entitle him to a copy of it ... It cannot have been the intention of Parliament that ... any document held by the FSA generated by and/or arising out of the FSA’s investigation of such a complaint should itself be disclosable. .....

In short, Mr. Durant does not get to first base in his claim against the FSA because most of the further information he sought ... is not his "personal data"... It is information about his complaints and the objects of them, Barclays Bank and the FSA respectively. His claim is a misguided attempt to use the machinery of the Act as a proxy for third party discovery with a view to litigation or further investigation, an exercise, moreover, seemingly unrestricted by considerations of relevance."

The ICO covers this matter in the latest draft Subject Access Code of Practice, currently under consultation, using language which is very different to that of the Durant judgment. While the document does not offer much guidance on what personal data actually is, there is guidance on deciding what should be supplied:Documents or files may contain a mixture of information that is the requester’s personal data, personal data about other people and information that is not personal data at all. This means that sometimes you will need to consider each document within a file separately, and even the content of a particular document, to assess the content of the information they contain. It may be easier (and will be more helpful) to give a requester a mixture of all the personal data and ordinary information relevant to their request, rather than to look at every document in a file to decide whether or not it is their personal data – this approach is likely to be appropriate where none of the information is particularly sensitive or contentious.” 

According to the ICO: “If a requester asks for ‘all the information you hold’ about them, they are entitled to do that. You may ask them to provide information about the context in which information about them may have been processed, and about the likely dates when processing occurred, if this will help you deal with the request.

It may be particularly difficult to find information to which a SAR relates if that information is contained in emails which have been archived and removed from your ‘live’ systems. Nevertheless, the right of subject access is not limited to the personal data to which it would be ‘reasonable’ for you to provide access. Subject to certain exemptions, you must provide subject access to all personal data you hold, regardless of how difficult it is to find. You may, of course, ask the requester to provide you with contextual information to help you find the personal data they have requested."

This is going to be fun. I expect an interesting debate between applicants who want to see material because it has their name on it, and organisations that insist the material be withheld because there is no legal obligation to make it available.

Appeal No: EA/2012/0163

Neutral Citation No: [2003] EWCA Civ 1746

Image credit:


Sunday 20 January 2013

FPF slams some of the Commission’s proposals

Three white papers have just been published which ought to give the European Commission some angst, as it polishes its proposals to reform European Data Protection law. 

You should like them. At just 11, 7 and 10 pages long, they are concise and pull no punches. Authored by Omer Tene and Christopher Wolf of the Future of Privacy Forum, they are essential reading for anyone who tries their best to keep up with the latest plans to amend the current Data Protection Directive.

The papers do, however, contain a fatal flaw that might well be used by those who hold different views to ensure that they are widely ignored. But more about that later.

First, the papers. 

A  paper on the costs and paradoxes of explicit consent concludes that there is a the need to provide individuals with greater transparency and control over their personal data, but: “By restricting organisations’ ability to rely on implied consent without at the same time simplifying the ‘legitimate interest’ test, the GDPR elevates form over substance. Much like the amended cookie provisions in the e-Privacy Directive, this will result in formalistic compliance without delivering individuals meaningful transparency and control. Consent should not be treated as a one-size-fits-all model; it should be tailored to the context of a relationship or transaction and tied to the sensitivity of the data as well as the societal value of its use.”

A paper on the definition of personal data criticises the binary nature of regulation – that regulation only applies when the specific information fits the technical definition of ‘personal data’: “European law should avoid a rigid distinction between personal and non-personal data based on strictly technical criteria and divorced from the circumstances of data collection, retention, and use ... The GDPD should introduce the concept of pseudonomised data and give it credence by allowing the processing of such data without consent. This would prevent organisations from pursuing a perverse incentive to identify individuals strictly in order to comply with data protection law.”

A paper on the jurisdiction and applicable law proposals comments that the Commission’s proposals to extend their extraterritorial application: Constitutes a dramatic shift from a country of origin to a country of destination approach, and portends general application of the GDPR to the entire internet.” The paper argues that: “Overextension of EU law to apply to the entire internet is excessive. Such a move will result in a framework which is unenforceable and infringes upon principles of comity, interoperability and international law.”

All this, from a pragmatic perspective is common sense and ought to be supported. I’m looking forward to attending a debate in Brussels next week where some of the Gods of Data Protection will be present to debate this stuff. 

Just how might the opponents rubbish them?

Well, the documents do contain a flaw that could be fatal in the eyes of their detractors. You see, the Future of Privacy Forum is a Washington DC based think tank. Yes, it may be led by internet privacy experts Jules Polonetsky and Christopher Wolf, and include an advisory board comprised of leaders from industry, academia, law and advocacy groups. But, it is still an organisation that has its roots in America.  If it really wanted to enhance its credibility within Europe, it should move its headquarters from Washington DC to Berlin. Or Paris, at a push.  

The mere whisper that all of this common sense is coming from overseas, rather than from within the European Community, ought be enough to ensure that the opinions and conclusions are ignored by the Sado Dataprotectionists. [See my blogs of 8 and 10 November 2012 for a fuller description of this sect.] 

'Perhaps this is just special pleading from America, home to some of the greatest data protection offenders of all', the rumour will run.

And that is a pity.

But I am looking forward to the verbal equivalent of transatlantic data protection fisticuffs in Brussels next week as the papers receive their first public debate. I am also looking forward to reporting on some of the better soundbites.



Tuesday 15 January 2013

Actors keep their clothes on in new ICO video

Compared with the way the European Commission promotes privacy awareness in its videos, we do things very differently in the UK. 

This can be seen by comparing yesterday’s video with today’s example, released by the ICO last month. 

In contrast to the Commission's "Full Monty" style, the ICO ensured that all actors remained fully clothed for all 14 minutes of "Data day hygiene."

This one is designed to help viewers manage the personal information they use, with examples of where the data protection principles are followed, and where they are not.

Accompanying notes are available for viewers, and those leading the presentations.

Perhaps the British Academy of Film and Television Arts should consider an award for the special category of short data protection awareness films.  I’ll happily sit down and help judge them all day.