Thursday 28 March 2013

Confidential discussions continue

It is evident that confidential discussions are underway between a range of interested parties, all of whom have conflicting views on the proposals for a new legislative framework for European data protection. Indeed, there are so many different sets of confidential discussions going on that barely anything interesting about them is being reported.

People are obviously so busy mulling over this stuff that there’s no time for them to write about what they are up to.

So, I thought I might add something new to the mix.

I have deliberately refrained from reporting any personally identifiable information to deter fellow bloggers or journalists from contacting relevant participants with a view to publishing articles on this development themselves.

An extremely useful meeting took place in a restaurant at the Royal Exchange in the City of London today. A very select group of diners discussed how best to improve the plight of beleaguered data protection officers, who were constantly striving to ensure that they still knew what they actually needed to know to do their job properly.

The discussion moved on to how companies who had little concept of compliance with data protection mumbo jumbo matters could better consider just what risk they ran.

A cunning plan was hatched.

This plan will see the light of day in the fullness of time, once the principal stakeholders complete their Easter breaks and return to work.

Who might be concerned at this development? 

Certainly not people who are keen to promote high data protection standards.

Perhaps people who hope that their sloppy data protection standards will remain unnoticed for a few more years.

The best bit about the event was that almost no one mentioned “the draft Regulation”. And the person who mentioned “the draft Regulation” very quickly realised what they were doing, and changed the subject.

No. Today saw a group of Brits considering a British solution to a British data protection problem. The answer won’t have to wait for any co-decision procedures between the European Parliament and the Council of Ministers. It can go ahead this year. Not next, nor the year after.

More news on precisely what cunning plan has been hatched to address the issue under discussion will emerge later.

Meanwhile, happy holidays.

If anyone fancies meeting for lunch towards the end of April for a confidential sharing of information about what everyone’s up to and what we think is likely to be achieved (Regulation-wise), please let me know and I’ll arrange something in the City.



Friday 22 March 2013

Something for the weekend?

I have enjoyed reading this Parliamentary report, which says little that is new and contains recommendations that are likely to be mostly ignored duly noted with care and concern by the Government. There may well be one significant recommendation that the Government will strongly support though – which is to ignore a recommendation in the Leveson Report that the ICO be reconstituted as an Information Commission, led by a Board of Commissioners with suitably broad expertise. Evidently, the current model is still fit for purpose – although it ought to be accountable directly to (and funded by) Parliament, rather than be funded by the Ministry of Justice.

Two key issues struck me as I read it.

First, funding for the ICO’s Freedom of Information work has been slashed with severity that would shame even Quentin Tarantino. That budget has been cut by 23% from £5.5 million in 2011–12 to £4.25 million in 2012–13. In line with public spending targets, there will be a further cut of 6% in 2013–14,  and the Ministry of Justice has asked for a business case showing how the work would be impacted by a further 5% cut in that year.

The message to those who fancy exercising their FOI rights in future is that they should be prepared to dig deep into their own pockets to fund the civil litigation that could be necessary to help enforce their statutory rights. The ICO is unlikely to be able to intervene to a significant extent on their behalf. Public authorities are hardly likely to be able to fund many FOI posts, either. The message to public authorities who fancy ignoring an FOI request in future is that such temptation may be even harder to resist.

Second, the public concern at unlawful data handling practices has not been reflected by the penalties that the courts impose. Accordingly, it may not really matter if the maximum fine levels are dramatically increased – current evidence is that the actual level of fines will continue to remain at the bottom end. The reason for this is clear – the level of the fine depends on the means of the defendant, and in most cases, prosecutions are launched against people who are involved in domestic disputes and who have very few savings anyway.

Behaviours might well change, though, if Section 55 offences became “recordable offences”. These are the offences that are recorded on the Police National Computer, and where those who are prosecuted also have their fingerprints and DNA samples recorded for whatever period the police currently set. That might focus a few minds as to the severity of such offences. 

The Government continues to refuse to allow custodial sentences for DPA offences because other charges are capable of being made against defendants that do permit custodial sentences to be imposed (paragraph 43). These charges include:

· Unlawful interception of communications: Regulation of Investigatory Powers Act 2000
· Unauthorised access to computer material: Computer Misuse Act 1990
· Dishonestly making a false representation: Fraud Act 2006
· Bribing another or being bribed: Bribery Act 2010
· Unauthorised access to computer material: Contrary to section 1 of the Computer Misuse Act 1990
· Unauthorised access to computer material with intent to commit another offence: Contrary to section 2 of the Computer Misuse Act 1990
· Phone hacking: Regulation of Investigatory Powers Act 2000
· Misconduct in public office: common law offence
· Inchoate and accessory offences including attempt and conspiracy

This is an interesting point, and I would love an academic to set his students the research task of identifying how these offences have been prosecuted over the past few years (should the CPS also have been able to have charged the defendant with a Section 55 offence), what penalties have been imposed and whether they really have served as an effective deterrent.

If you have not already done so, you might like to read the report this weekend.


Monday 18 March 2013

Big Brother Watch: Packing a big punch

Nick Pickles, Director of the Big Brother Watch organisation, gave a very interesting presentation to members of the Data Protection Forum last week. There can be few groups that pack a larger punch than BBW, given their staff and budget. With a huge list of press contacts, and a capacity to respond to media enquiries within minutes, they’re always ready with a juicy quote to spice up a story.

In 2012, Big Brother Watch appeared in the national press more than 400 times, with nearly 300 national and regional broadcast appearances. They secured 6474 pieces of media coverage during the year in total, and registered 2 million hits on their website.

Nick made a number of points that make uncomfortable reading for the larger brands. Following a data breach, or a high profile run in with the ICO, the brand damage may not be immediately obvious – but it could prove to be extremely corrosive, over time. When managing an incident, consumer communications are critical. Once a business is seen as not being on the side of consumers, the damage may be irreversible.

All good sense as far as DPOs are concerned, but how do we get the message to the Board? Well, given the research that Nick presented, there are compelling business cases that demonstrate the damage done to brands once a celebrity or information rights organization has generated interest in a particular privacy issue.  

And, let’s hope that the ICO’s current enforcement strategy will encourage more famous brands to realise the importance of high data protection standards before their deficiencies are on show for everyone to see.



Wednesday 13 March 2013

Google maps: gone, but not forgotten

Our chums at Google have found a brilliant way of adapting their maps to deal with a person’s right to be forgotten, but to leave us with a reminder about what they might well have got up to.

Let me explain.

We all know that Google’s Street View service captures images of people in public places, as well as the buildings on each side of the road. And, we all know that, every now and again, the images capture activities that these people might have preferred not to have been captured, even though their activities were perfectly visible to anyone passing by.  Also, we all know that Google’s software automatically blurs certain objects, such as faces, effectively making these people quite hard to recognise.

Recently, when photographing Temperance Street in Manchester, Google’s software automatically blurred the faces (and evidently the hands) of the couple seen in the main picture, although it is pretty clear what was going on as the vehicle drove by.

(Those who attended the ICO’s Data Protection Officer Conference in Manchester last week will be interested to learn that Temperance Street is about a mile away from the Convention Centre.)    

Some wag saw and posted the image on Facebook, causing a spike in traffic to this particular location that was so large that the Google cartographers took a quick squint and promptly blocked anyone else from looking at it. Yesterday, as I manoeuvred past that spot with my cursor, a black page with the message “This image is no longer available” was displayed.

But, all is not lost.

For, reverting to Google’s satellite image of that spot, I noted that someone with a sense of humour had renamed said location. Rather than Temperance Street, I was now looking at Hand Job Alley.

No doubt, that new name will be removed as swiftly as the image of the couple was.

But, just in case anyone wants proof as to how hard it is to ‘forget’ incidents logged on the internet, let’s see how long it will be before the two images I’ve posted in today’s blog are permanently removed from every location they get to be stored in.  

Tuesday 12 March 2013

Another opportunity or another scam?

One of my (business) email accounts has received a couple of unsolicited emails from the International Who’s Who Historical Society. They are always in the following format:

"Dear Mr. Sinha:

On behalf of International WHO'S WHO of Professionals, I am pleased to inform you that you have been nominated by one of your peers as a candidate for inclusion in the 2013 Anniversary Edition commemorating 85 Years of Publishing Excellence!  We congratulate you!  Nomination into WHO'S WHO is an honor in itself.  

International WHO'S WHO has over 20,000 members in 200 countries worldwide and has been publishing biographies since 1928.  It is the most elite professional network in the world.  Our members assist each other daily with business and career opportunities. 

It is in times like these that such a network is most valuable and we are seeing members help other members expand their businesses, find new positions, even relocate to another country.  

If selected into WHO'S WHO, you will be listed in the 2013 Edition of International WHO'S WHO of Professionals.  This is the definitive work on the world's leaders in commerce, economics, policy, and trade."

Well, I’ve no idea who this Mr. Sinha is, nor why people might wish to pay to have their biographical details added to a database controlled by this organisation, when LinkedIn, my own website and the mighty Google enable enough people to find me whenever they want me.

I wondered if the International Who’s Who Historical Society, with a prestigious address in Washington DC, has any connection with Who’s Who, which, published in the UK by A&C Black, really does have an excellent reputation as the place where authoritative biographies of eminent people appear.  

If any of my LinkedIn contacts have derived any value from membership of this organisation, then I would be delighted to know. Surely it can’t simply be another scam?


Saturday 9 March 2013

Regulating Google Glasses

If you know where to go in the state of Washington in the USA, you’ll spot this clever example of privacy iconography. 

Before they have been officially released, a campaign has started to discourage Google Glass geeks from recording material that really ought to remain private. Seattle’s 5 Point Cafe claims to be the first Seattle business to ban in advance Google Glasses. It’s not just a gimmick to encourage people to use the device. I think it's more an attempt to protect a business. When your advertising strap line is “Alcoholics serving alcoholics since 1929”, you can understand why your clients might not want to draw too much attention to themselves.

Not everyone wants to be photographed enjoying a great breakfast with a Bloody Mary in a pint glass, no matter how rejuvenating it is. 

As the cafe management recently explained on its Facebook page to someone who suggested that this was just a publicity stunt: "Look, we threw a customer out for taking an unwanted photo of another customer with his smartphone not too long ago. Google glasses have the ability to video tape and post to the web. Many of our regulars want to be anonymous, and we appreciate that. If you want to wear Google glasses, cool. But you aren't allowed to wear them inside The 5 Point. Wear them outside, take them off inside. We're promoting respect."

So, how will cinema and theatre attendants deter Google Glass wearers from recording these shows prior to uploading them on the Internet for anyone to enjoy? Those keen on digital rights management could be in for a fun time.  This may well be a game changer in the entertainment industry. And for the rest of us, too. How will court ushers, for example, ensure that legal proceedings aren’t recorded? But at least we may finally get to know what goes on when a jury retires to consider their verdict.

And how will this product ever get accepted by some of the German data protection regulators, given what they already think of the Street View service? 

Perhaps the Article 29 Working Party might be persuaded to write an opinion on such a game changing device. And, if we were to wear Google Glasses while reading it, perhaps a Google translation service could decipher the text and present the reader with an analysis of what the authors actually meant to write.

[Note to Google Glass project team:
Yes, if asked, I would be delighted to take part in a UK Google Glass trial. And to blog about my experience. Please feel free to get in touch. You know where I am.]




Thursday 7 March 2013

Manchester: the ICO does it again

An enormous crowd appeared on Tuesday to attend the ICO’s Data Protection Officer Conference in Manchester. Despite increasing capacity by over 60% this year, the venue simply wasn’t large enough to accommodate everyone who had wanted to attend. It shows how important all this privacy stuff has become.

I should report that almost everyone was on their best behaviour. The exhibitors’ stands were much appreciated – perhaps because the focus was on the many facets of the ICO, and the organisations that were not “commercial” in nature, but existed to share best practice and offer forums where similarly affected souls could work out how to deal with data protection issues at the coalface, as it were.

Francoise Le Bail, Director General for Justice at the European Commission, was present and on fine form. Evidently, if there is a low level of trust in a country, then consumers won’t be as economically active on-line as if there were higher levels of trust. Given the fact that the UK has one of the highest internet penetration rates of any EU Member State, I can only assume that the UK enjoys a relatively high level of trust. But, I was too polite to put that point to the keynote speaker.

Deputy Commissioner David Smith made a very telling point when commenting on the latest proposals to harmonise EU privacy laws. As far as he was concerned, what was most important was that there should be greater consistency around Europe, as opposed to harmonisation. The law should be consistent with regard to national cultural sensitivities. So, if the Germans didn’t like Google’s Streetview service, then that was fine – so long as the Brits, who evidently liked it, could continue to have it. I am greatly simplifying David’s views, and I do apologise for this, but you get the gist.

Turning to those who misbehaved.  

I’m not referring to those audience members who, during the Question Time session, applauded me when I asked if the ICO would prefer, rather than imposing civil monetary penalties on public authorities (and thus returning public funds to the Treasury), a power to require the offending authorities to spend money on data protection awareness campaigns and other initiatives that would enhance local standards.

Actually, I’m referring to 63 delegates who, by not informing the ICO that actually they wouldn’t be attending, prevented a further 63 potential delegates from sharing such a great occasion. But, the ICO does know who they are – so this happy bunch can expect to have their 2014 conference applications rejected, and for the ICO’s enforcement team to “invite” them to apply for a voluntary data protection audit later this year.

As the Chairman of a not-for-profit professional conference organisation (the Data Protection Forum), I feel the ICO’s pain when it tries to anticipate delegate numbers and ends up wasting money (on catering costs, etc) when those who have said they will attend ultimately don’t. Or when it has to turn people away when there was space after all.

But that’s a minor quibble. The ICO’s team put on a great event and I can’t wait to learn what surprises are in store for those who are lucky enough to attend next year. A cabaret from the ICO’s chorus singing data protection ditties? Information Commissioner Christopher Graham, Britain's "go to" regulator, appearing on stage in a rickshaw pedalled by the European Data Protection Supervisor?  Or a presentation beamed live from a UK prison featuring someone who has been jailed for committing a data protection offence? 

Pencil the date in your diaries now. 

(Hopefully) looking forward to seeing you at the ICO’s next Data Protection Officer Conference in Manchester on Tuesday 11 March 2014.

Question Time session - (at 7mins 22 secs)

Sunday 3 March 2013

Britain’s data protection elite to be split in two this week

Britain’s data protection elite will split into two camps immediately after the ICO’s annual conference in Manchester on Tuesday. Most data protection officers will return to their workplaces and carry on working as usual. A select elite, however, distinguished by the size of their conference budgets, will journey to Washington DC for even more days of data protection conferencing.

Whether those lucky few who face a week’s worth of conference sessions  will be any better informed as to what the proposed General Data Protection Regulation (or Directive – take your pick) will contain, I really don’t know. Actually I think I do know. And the answer is that they will almost certainly be just as mystified about the final outcome as the rest of us.

Why so?

Events, dear reader, events.

Until last week’s elections, I had underestimated the strength of apparent disillusionment at the great European Project by the British electorate in Eastleigh, and throughout Italy generally. And, in a few months’ time, German citizens will be given the opportunity to express an opinion on further European integration, when national elections are held.

Governments in member states and politicians in the European Parliament will, I’m sure, redouble their efforts to make the EU as great a place to live and to do business in as possible.  And the pressure will be on to respect people’s fundamental human rights - but not at the cost of soaring national social security bills, should sizeable populations from one member state decide to move and apply for more generous social benefits in another member state. “Benefit tourism”, as some commentators describe it.  Or when a court designed to uphold fundamental rights acts in ways that are totally unacceptable to democratically elected Governments. 

Someone needs to do a bit more selling if businesses (and public authorities) are to welcome the additional costs that appear to be associated with the higher data protection standards that are implied by the latest drafts that are emerging from the relevant European parliamentary committees.

To be frank, I don’t see many people selling the new proposals. Perhaps all the good work is being done behind closed doors, to give the relevant stakeholders ample opportunities to reach private deals.

Given the atmosphere in which private deals will be made, I really don’t think anyone has a clue what will happen.

Does anyone know what the current Italian data protection strategy is? (Or what the next Italian Government’s strategy will be, if another election is called in a few months’ time?) Or what the German Government’s strategy will be after the German elections?

If we don’t, then how can we judge what deals might be on the table when the elites finally agree on how to lead us all to an even greater future?  



Saturday 2 March 2013

The great fines debate continues

Members of LinkedIn’s European Data Protection Forum will be aware of the current debate on the effectiveness of mandatory data protection fines.

You know the issues, so I won’t bother rehearsing them here.

But I have noted that one (German) participant has recently fallen into an elephant trap.

His intervention included the following: 

The right consequence is to strengthen the power of the authorities and give them the option to put higher fines. I mean if people do not care about speed limits in traffic rules one measure might be raising the fines for speeding - that's how easy it is. 

And Germany is a good example that strict data protection rules are not bad for the economy. As I stated in one discussion before Germany has one of the strongest economies in Europe at the moment and the strictest data protection law. Maybe data protection even pushes the economy in the long term?

That intervention caused me to choke on my morning coffee. It wasn’t long before I had sent the following retort:

"Please don't try to argue that Germany has one of the strongest economies in Europe "because" it has the strictest data protection law. If the inference is that economic success is delivered through strong data protection laws, and all "failing" countries have to do to improve their economies is to strengthen their data protection laws, then I find myself violently disagreeing with you. 

Take another example - with the singular exception of Kraftwerk, German contemporary musical culture is abysmal. German bands are awful. But, Germany has a strong economy. So are you also inferring that an abysmal contemporary musical culture is also a precondition of a strong economy?
