Friday 25 October 2013

A cunning plan for the Surveillance Camera Commissioner

I wasn’t sure what I thought of the office of the Surveillance Camera Commissioner until I attended an SCC conference at the Royal Society earlier this week.  

With a remit that covers less than 5% of the camera population, a mandate to encourage compliance with a Code of Practice in just England and Wales, and with no direct enforcement powers against those who ignore the Code, the image of Big Brother’s little brother initially sprang to mind. Those responsible for creating this office were evidently determined to ensure that this Commissioner’s role would be evangelical in nature, and not prescriptive.

Let’s remember that his office was created by the Protection of Freedoms Act 2012 to meet the coalition agreement to further regulate CCTV. The Act committed the Home Office (not the Commissioner) to produce a code of practice to set out guidelines for CCTV and automatic number plate recognition. The Commissioner exists to encourage compliance with the code, review how it is working and to provide advice to ministers on whether or not it needs amending.

As it is, the current Commissioner will be leaving his office next year, so he won’t have much time to advise ministers on the extent to which the Code has been adopted. He’s not leaving because he’s disillusioned with the role, but because his other job, that of Forensic Science Regulator, will be ending.

Would applicants for the role of the next Surveillance Camera Commissioner form an orderly queue please, behind me.

What did become pretty apparent pretty quickly at the conference, however, was that there is a role to be played by someone to evangelise good data protection standards in this area, as things can go tragically wrong, say when Automatic Number Plate Recognition systems are not used effectively. Last February, the Association of Chief Police Officers published a report which was triggered by the findings and recommendations from an IPCC investigation into ANPR use surrounding the murder of Ashleigh Hall. Two further IPCC investigations, those into the deaths of Hayley Adamson and Sean Robert Toombs, also highlighted concerns. It’s really worth reading.

So where do we go from here?

Well, during a panel session and in a roundabout way, I asked Lord Taylor, the Home Office Minister, whether he thought it important that more evidence be adduced which could be used to explain to citizens why it was necessary for the Surveillance Camera Commissioner to have a role independent to that of the Information Commissioner. His answer was quite interesting. Of course it was necessary for a Commissioner to have been created last year because there was a very important job to do at that time. This was what I had expected to hear – he was a minister, after all, in a Government which had only recently introduced the Act. And, the current Commissioner, Andrew Rennison, was an extremely capable man. But I did not sense a ringing endorsement that the Office of the Surveillance Camera Commissioner itself was so vitally important that it always needed to remain independent of that of the Information Commissioner.

So I have a cunning plan.

When the current term of the Surveillance Camera Commissioner ends, the Home Office could consider either of two options.

The first option is to replace Andrew Rennison with yours truly. I’ll gladly make myself available, either on a full time or a part time basis.

The second option is to speak nicely to the Information Commissioner’s Office and arrange for Jonathan Bamford, the ICO’s Head of Strategic Liaison, to reduce his contracted hours at the ICO to, say, 2 ½ days a week. Then, Jonathan can be appointed Surveillance Camera Commissioner for the remaining 2 ½ days a week. Jonathan was also at the conference, and gave a great speech. After all, he currently deals with many of the matters that are just outside Andrew Rennison’s reach. And he knows Lord Taylor.

The beauty of the “JB for SCC” option is that when the Surveillance Camera Commissioner needs help persuading the remaining 95% of the camera population to adhere to the Home Office’s Code, or do stuff in Scotland or Northern Ireland, or carry out enforcement action when it is necessary, all the Commissioner needs to do is send a memo to himself. And, when JB returns to his ICO duties later in the week, he can deal with it.



Tuesday 22 October 2013

And now, the amended Regulation

I am extremely grateful to Richard Beaumont of the Cookie Collective for pointing out where I can find a copy of the amended version of the Data Protection Regulation on the internet.

Many thanks.

I did wonder how the admin wonks at the European Commission were able to work so fast to prepare a document that we could all look at.

Then I noticed the date the document was prepared – 7 October. A few tweaks have evidently been made to it since then – there are a few coloured highlights which suggest that those parts were probably altered between 7 October and last weekend – but what strikes me is how little the text has changed in the past two weeks.

Perhaps this will enable ministers to have a decent discussion about it at the next meeting of the Justice & Home Affairs Council. There probably won’t be time for anyone to prepare a compliance cost assessment, but then again who cares about compliance costs when you’re trying to assert fundamental human rights?

Two little tweaks did catch my eye, as I was speed reading it.

First, it is proposed that the discussions of the European Data Protection Board may, in future, be confidential, rather than shall be confidential. That’s a nod to the transparency agenda.

Second, the European Data Protection Supervisor no longer has the right, if he is not elected Chairman of the European Data Protection Board, to be appointed as one of the (at least) two deputy chairs of the Board. He has to submit himself for election along with the rest of the candidates. That’s a nod to the democracy agenda.



Monday 21 October 2013

In praise of the One Stop Shop

There was much meeting of minds at the Ministry of Justice this morning. No, not about the infamous amendments that members of the European Parliament’s LIBE Committee were going to make to the draft Data Protection Regulation later today. What was being discussed in Room 3 was far more important than proposals that were going to be ignored respectfully considered by the Governments of the Member States when the Justice and Home Affairs Council next meets.

Today was a time for contemplation on the concept of the One Stop Shop. What was a One Stop Shop? Was it one where the shopkeeper was master of his premises, and could decide how to treat his customers, what to sell them, at what price and when to exclude them?  Or was it one where someone else could have the final say in who should be allowed in the store, what could be sold, and at what price?

In data protection terms, the discussion focused on what role a lead supervisory authority should play when dealing with complaints raised by someone who lived elsewhere, but where the data controller fell within that supervisory authority’s ambit.

What role should the lead authority be required to allow a regulator from that other country to play?  Should the lead authority be allowed to deal with the complaint, determine the appropriate sanction and take the relevant enforcement action all by themselves? Or should there be a formal requirement to refer some issues to a European Data Protection Board, who might be given powers to articulate precisely how the Regulation (if there is to be a Regulation) should be interpreted in that instance, with the decision being binding both in that country and elsewhere within the European Union?

Surely, anything less than absolute control over the complaint, sanction and enforcement mechanism would undermine the lead authority.

If the concept of the One Stop Shop is to work, then it can only work when a political decision has been taken to allow it to work. There was general agreement that it has to be the lead DPA that makes the final decision.  Yes, it can take account of representations made by other regulators, but accountability for taking the final decision must lie completely at the door of the lead authority.

But this has consequences. It means that Member States will have to overcome their natural reluctance to give up things they had enjoyed before. Global corporations with “main establishments” in, say,  Ireland will, in future, be regulated by, say, Irish regulators, rather than a host of European regulators, each with slightly different views on what local cultural norms comprise acceptable data processing.  

It would not be acceptable to weaken the competence of the lead authority by creating some crafty “review by qualified majority” mechanism.  The potential consequences for some Member States could be pretty dire. We plucky Brits could face the prospect of being outvoted by the Data Protection Taleban each and every time another regulator felt it appropriate to challenge the ICO’s competency and have decisions referred to a superior body.  It’s happened before. Remember how the rules of the Eurovision Song Contest have resulted in the UK never being able to win that competition again.

I also shudder to think how long this superior body might ponder the issue for, before making a decision that could well be referred to the courts by the losing party, anyway. If anyone thinks they’re going to get a speedy decision, they must be mistaken.

Now, tell me. Just where would a review mechanism leave the concept of legal certainty and all the other good things that could emerge from the One Stop Shop?



Sunday 20 October 2013

Finally, the proposals have been leaked

Three cheers for European Digital Rights, the international advocacy group based in Brussels. 

Thank you for posting on your website details of the amendments to the Data Protection Regulation that the LIBE Committee members will be voting on tomorrow.

Better late than never, but it does confirm the general direction of travel.

I have no idea how Member States, in their own capacity as data controllers, will be able to afford to implement all the protective measures that are being proposed.

Evidently, Europe is out of the economic doldrums, and all Member States can afford the very significant compliance costs that this Regulation mandates.

If Europe’s economy is actually in great shape then wonderful: no-one will have any problems paying for this stuff.

But, if national economies are still in a bit of a mess, then I really do wonder how seriously we should take tomorrow’s vote. Then again, if some of the LIBE committee members will be leaving the European Parliament after the elections next year, perhaps they don’t care about the implications, either.


Friday 18 October 2013

One day to go (and still no papers)

One working day to go before the politicians vote in Strasbourg on proposals to create a new data protection framework. The draft agenda for what is being billed as an "extraordinary meeting" can be found here.

A quick squint at the LIBE Committee’s website indicates that Committee members have been sent a huge array of documents about the meeting, but it still does not contain possibly the most important document, which is the one that sets out precisely which amendments will be considered.

In an age where European politicians are screaming out at data controllers, demanding they display greater transparency over their dealings with individuals, it is ironic that individuals can’t easily find out what the politicians are planning, either.



Thursday 17 October 2013

The Regulation – finally a vote (but on what?)

Next Monday evening, Europe’s data protection policy wonks will be focussing their attention on the actions of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs. Finally, members of this Committee will get to vote on how they think the draft Data Protection Regulation should be amended. Someone will have decided beforehand which of the 3-4,000 amendments that were proposed will actually be put before the Committee.

Monday will be a big day.

And so you might have thought that the Committee members will be given an opportunity to carefully consider the amendments that will actually be tabled, in order that they can make considered decisions on whether to support or oppose them.

There is a tinsy winsy problem, though.

My sources tell me that very few people have seen the critical amendments, so it’s not entirely clear how the Committee members will be able to consider them properly before Monday’s vote. Nor do these amendments appear to have been leaked. Even Statewatch doesn’t seem to have published them on its website yet.

Will this matter? Well, it depends on whether we think that politicians should understand just what it is they are voting on, and fully appreciate the implications for Europe if particular proposals are tweaked (or dumped).

What seems clear is that there will be a vote and that something will emerge from this committee session.

But whether it’s in a form that the Council of Europe could possibly find common interest with, I really couldn’t say.

We can all expect the data protection news drums to be beating fast and loud next week. The usual suspects will be offering their views on what has emerged, and the prospects of common agreement being reached on a data protection package before the European elections in May 2014.
