Friday 25 April 2014

Privacy seals: What does the market really want?

Almost exactly a year ago, the ICO’s Information Rights Committee considered “a proposal to implement a framework for ICO accreditation of a third party to operate a privacy seal or trust mark scheme.” It was agreed that the proposal should be taken forward in principle. Subsequently, various discussions have taken place with various data protection bods, but I’m not entirely sure how much concrete progress has been made.

I was among those consulted on earlier attempts to implement a similar initiative. The last one was a couple of years back, and was sponsored by the consumer rights organisation, Which? I also remember being consulted on similar initiatives before that – all of which suffered a similar fate.

I was dubious about the proposal then, and remain ambivalent about it now. I just can’t see the business case for persuading responsible data controllers that they should pay to have their internal processes examined by a third party in order that they might be awarded a privacy seal that so few of their customers might actually take any notice of or care about anyway.

Webmasters and marketing teams are usually very determined to control all the images that appear on their landing pages, and surely hardly any of them would welcome a proposal that their precious pixels should be devoted to displaying a logo about non-statutory, non-corporate stuff.

The Which? proposal fell at an early hurdle because Which? and its chosen audit partner couldn’t develop a business plan that made much financial sense. How many data controllers were sufficiently confident about their internal processes that they were happy for a third party to inspect them? How much was this audit exercise going to cost, and how frequently might it need to be repeated for the privacy seal to be of any value? And, most crucially, how high was the privacy bar to be set? No one knew.

The main point about privacy seals is, presumably, that some people will not be able to attain them. So, anyone who is at all worried that they might not pass probably won’t apply for an audit in the first place. Organisations don’t like to set themselves up to fail. And, as one size does not fit all, it’s extraordinarily hard to develop an audit methodology that gives equivalent assurance about large and not-so-large organisations. I can’t ask precisely the same audit questions to different sized organisations, particularly when their business models relate to very different privacy risks.  

The next point about privacy seals is that, presumably, independent auditors will need to be assured that there is sufficient demand for that service before they seek to become an accredited audit partner. And if the proposed standards deter potential applicants, auditors will face natural demands to lower the standards, to increase the pool of certificate holders (and hence increase the pool of organisations that will need to be re-audited in a few years time).

I see this pattern in the current race to “accredit” data protection officers.   An increasing range of organisations are vying to offer data protection training and accreditation services to privacy (and other) professionals, and the result is that said professionals can now choose how much (or how little) effort they commit to getting their privacy qualification.

Certifications of competence can be obtained by learning by rote, writing short essays, filling in multiple choice questionnaires or by completing longer pieces of written research. On-line, in your own time, or in a classroom.  Just take your choice.

The costs vary from a few hundred to several thousand pounds – particularly when a certification provider requires that certificate holders commit to purchasing continuing professional development courses every year from a restricted range of suppliers.

But which privacy qualifications are actually worth having, from the perspective of the privacy practitioner, and which qualifications simply meet the commercial needs of the relevant training provider?

It would be indelicate to venture too far into this debate today, but it is a debate that needs to be had. Particularly when people are spending their own time and money seeking a decent qualification, it would be helpful for an independent assessment to be available about the relative merits of the offerings of the current range of training providers. 

So, my plea to the ICO's Information Rights Committee is that it should devote less time developing a framework of privacy seals that enabled third parties to accredit the practices of data controllers, and more time developing an assurance framework about privacy training providers.

To the extent that there is a demand for seals or trust marks, I sense that the demand is currently far stronger from the privacy professionals themselves, who seek credible privacy qualifications from competent accredited training providers, than it is from organisations whose customers really couldn't care less if an independent privacy audit had been carried out.


Image credit:

Wednesday 23 April 2014

Botched EU communications data retention rules quashed

How many people really care about how long their communications data is retained for national security and law enforcement purposes?

Beyond the readership of this blog, probably not very many.

I remember first becoming involved in this issue some 15 years ago, when working for what was then known as the mobile company One2One. It was my job, amongst others, to understand just what the company needed to use these records for, and for how long they needed to be retained. I remember conferring with colleagues in the mobile (and fixed) telecoms field, exchanging ideas as to what retention standards ought to be appropriate.

I won’t list the (then) retention standards in this blog, as I would only be opening a can of worms - suffice to say that today’s retention standards differ greatly from that practiced by certain providers then.

I also remember working with the Home Office on the issue of mandating certain retention standards – really to ensure that data that was actually required for an investigation could readily be made available when it was proportionate and necessary to do so.

And finally, under the stewardship of the then Home Secretary Charles Clarke, I remember the UK Government being primarily responsible for the Communications Data Retention Directive (2006/24/EC), which broadly tried to set common retention standards throughout Europe. Why? Just in case communication records generated by, say, British customers in the UK, were to be held not in the UK but in a central European records database. Given that, back then, the parent companies of Orange, One2One, O2 & 3 were based respectively in France, Germany, Spain & China, there was a real possibility that Britain’s law enforcers might have lost out if British mobile phone records were to have been held outside the UK.

It can also be said that we all knew that the Communications Data Retention Directive, especially as it applied to IP records, really was not fully fit for purpose when the time came for the final note on approving the thing. But what was better – a botched job, or no agreement at all? The European parliamentary timetable was such that there was a real prospect that all work on the measure would have been wasted had a final vote not have been made by a particular date. 

The Governments of the Member States, and the members of the European Parliament, took the view that any agreement would be better than no agreement.

Now, some 8 years later, the European Court of Justice has taken the view that the original job was so botched that the Directive ought to be annulled.

In essence, the court has held that the retention limits (which allowed Member States to individually set periods of between 6 and 24 months for various types of data) were disproportionate. Why was this time period originally agreed? Principally because it was a timeframe that suited the requirements of a large majority of the European law enforcement bodies that were using significant volumes of communications records for investigative purposes back then. 

Readers with a keen sense of irony will know that one of the successful appellants in this case was Digital Rights Ireland. Yet, the Irish Government was originally opposed to the Directive because they wanted to keep communications records for 36 months, not the 24 months that was finally agreed. The Italian Government were even more opposed to the Directive, because they originally wanted to keep certain records for 48 months (and even longer in some of the cases that involved Mafia investigations).

The German Government was very opposed to the concept of keeping records even for as long as 6 months. Basically, this was because it knew it would come under considerable pressure to pay the providers in that country the costs that would be incurred in setting up the relevant records retention databases and, thanks to the recently disgraced former East German administration, it also had direct experience of state abuse of communications records.

Readers with a keen sense of irony will also know that the first four communications providers to announce that they have reduced their retention periods, in light of the judgment, hail from Sweden, which is one of the 4 Member States that originally sponsored the Directive.  And it was the same European Court of Justice that fined Sweden 3 million Euros in May 2013 for delaying implementation of the Directive in that country. Where’s the justice in that? (Presumably, though, the Swedish Government will now be able to appeal that fine.)

Anyway, what will happen in Blighty as a result of the judgement?

Probably, not a lot. Certainly not soon, anyway.

Given the speed with which the Home Office moves on such weighty issues, it could be some time before an official announcement will be made. Discrete calls have already been placed to the key UK providers, inquiring whether the judgement is likely to change their current retention plans. Such is the relationship between Home Office and said providers that it didn’t take long before the relevant reassurances were received. Home Office attention will now focus on the overseas providers (yes, the usual suspects) to better understand what steps they intend to take.



Tuesday 22 April 2014

Snowden allegations stuffed by official report

Supporters of Edward Snowden will probably doing their best to ensure that a report recently published by the Interception of Communications Commissioner is read by as few people as possible.


Because it sets out, in a pretty accessible way, just why it is that we Brits have so little to fear about the capabilities that the Government actually has in terms of abusing our communications records.

I appreciate that this is not a very popular thing to say amongst some circles, but it still needs to be said. And I also appreciate that, as this is a good news story, it’s unlikely to be picked up by the mainstream media channels. But I don’t write this blog to attract the attention of the mainstream media.  

What am I talking about?

I’m talking about Sir Anthony May’s first annual report as the Interception of Communications Commissioner.

It was published on 8 April and largely ignored by the media as it coincided with the news that the European Court of Justice had quashed the Communications Data Retention Directive (2006/24/EC), which had broadly required European Communications Service Providers to retain various types of data for certain periods for the purposes of tackling serious crime. (I’ll address this issue in another blog.)

In a courageous departure from previous practice, Sir Anthony has been more open in communicating with the public on the big issues of the day. Technically, this has been a challenge, as his statutory role is to report to the Prime Minister, rather than offer a running commentary on relevant issues to the media. But it is an incredibly welcome step, as he is someone who actually knows, from firsthand experience, what really goes on. Most people are hazy about the details of this complicated set of laws, and comment from a position of what they perceive to be going on, rather than what has really been going on. He really knows.

Let’s focus on what Sir Anthony has actually said:

“I have full and unrestricted access to all information from public authorities, however sensitive, sufficient for me to be able to undertake my statutory functions.

Public authorities do not misuse their powers under RIPA Part I to engage in random mass intrusion into the private affairs of law abiding UK citizens. It would be comprehensively unlawful if they did.

I am quite clear that any member of the public who does not associate with potential terrorists or serious criminals or individuals who are potentially involved in actions which could raise national security issues for the UK can be assured that none of the interception agencies which I inspect has the slightest interest in examining their emails, their phone or postal communications or their use of the internet, and they do not do so to any extent which could reasonably be regarded as significant.

British intelligence agencies do not circumvent domestic oversight regimes by receiving from US agencies intercept material about British citizens which could not lawfully be acquired by intercept in the UK.”

If I were on the Pulitzer Prize Committee, I might now be having second thoughts about awarding the Washington Post and the Guardian their recent bauble for printing so many of Edward Snowden’s revelations. Yes these stories have stoked up a huge array of global interest in the issue, but they have also indicated the extent to which the relevant authorities have tried so hard to seek assurance from suitably qualified lawyers that whatever was going on was in accordance with local laws.

The outcome (in America, at least) will probably be new laws, further restricting current capabilities of the US law enforcement community. I don’t see the outcome resulting in any officials facing criminal prosecutions for having approved various programmes that may well have involved the collection of communications records.

And the outcome in the UK?

Given Sir Anthony’s views, probably not a lot, as he is already satisfied with many of the controls that are already in place.

On receiving it, the Prime Minister commented:

“The report makes clear the Commissioner’s view that RIPA is fit for purpose, despite advances in technology. He also finds that interception agencies undertake their roles conscientiously and effectively, and that public authorities do not engage in indiscriminate random mass intrusion.

The report also publishes, for the first time, a detailed breakdown by public authority of the number of communications data authorisations and notices issued. I welcome the greater degree of transparency that this report brings, without harming national security, and look forward to the Commissioner’s further work on the volume of requests.

In light of concerns about the activities of the intelligence agencies, the quality of oversight, and a number of public concerns and myths that have developed in the light of media allegations linked to Edward Snowden, I believe his report provides an authoritative, expert and reassuring assessment of the lawfulness, necessity and proportionality of the intelligence agencies’ work. I thank Sir Anthony for the rigour of his scrutiny.”

So, a rigorous scrutiny from the most impartial expert we are likely to get has resulted in a pretty clean bill of health for the law enforcement community.

Not that all parts of the media will necessarily report it that way, though – if they bother to report it at all.

Sunday 13 April 2014

DP compliance checks: what to look for

What does “good data protection” look like?

I’ve been asked that question several times over the past few weeks as I’ve carried out data protection health checks for a range of organisations.

It’s caused me to pause and reflect on what controls I’m really looking for in an organisation, and the extent to which these controls deal with real or potential threats that exist with regard to the organisation’s processing of personal data.

It’s also caused me to review a number of the audit methodologies that appear to be in use right now, and to refine my own approach, which appears to have been well received. My own approach now focuses much less on compliance with specific elements of data protection legislation, and much more on helping the client develop an oversight structure to give them the assurance they require when assessing how good they are at data protection.

It’s so nice to visit a client and barely mention the data protection principles. Instead, I’m following the ICO’s current thinking, which is to break data protection compliance down into a number of bite size chunks, and get the client to agree which “chunks” are most significant, as far as their organisation is concerned.

A close read of the audit reports currently published on the ICO’s website gives a good indication of what really really matters. So, organisations that have addressed these issues are going to be in a pretty good shape.

Write to me if you want more information about my methodology.

What has struck me, as I’ve carried out the latest series of health checks, is how insignificant the proposed (well, deceased) Data Protection Directive actually is.  I use the term “insignificant” in the sense that I really can’t see how it might realistically improve data protection standards beyond what might reasonably be expected of anyone who was taking their current obligations seriously.

Putting this thought into a different set of words, current data protection compliance levels could so easily be improved if people just managed to understand and follow the existing rules. I have no confidence that the imposition of an even more complicated set of rules would motivate significant numbers of data controllers to “up their game”, as it were. If they lack the resources to deal with the basics, then all they are likely to do is to fall even further behind, in terms of legal” expectations, if the impossibly high standards commended by the European Parliament ever see the light of day .

Of course, the draft Regulation does have some uses. It gives some people the opportunity to enhance the importance of data protection (and in doing so enhance their own status), by becoming an international talking head on this stuff. It gives teams of professional advisers the opportunity to sell their services to the (relatively small band of) clients that can afford to pay for such data protection wisdom.  Proposals for legislative change also create more noise and opportunity for policymakers to earnestly consider what new rules ought to be put in place. But so many of these proposed changes simply tinker at the edges, rather than seek to fundamentally review what controls are really important for this and the next generation.

The controls that are really important are those that reward good behaviours.

We data protection folk have a lesson to learn from our financial services chums. Try as I can, I find it really hard to identify a link between, say, the volume and intensity of regulation in the financial services sector, and an increase in consumer confidence and trust in the integrity of financial services institutions. To generalise (and most unfairly, perhaps) it seems to me that certain awful standards in the financial services industry exist independent of the rules. I am appalled at the rate of return my (meager) investments are realising, but there is very little I can do about it.

The more I think about it, that Emperor of a Draft Regulation never really had any clothes. And, it had no more realistic chance of changing many data controllers’ behaviours than has the ICO chorus of winning “Britain’s Got Talent”.

So what should be done today?


For a start, organisations should look at their current controls and ask themselves if they are happy with what they see.

And, if they don’t know what they really ought to be looking out for, then all they have to do is drop me a line and ask me to outline my own approach towards pragmatic compliance with the ICO’s expectations.

Image credit: