Thursday 31 July 2014

Another hero leaves the stage

Well well well.

John Bowman, winner of the Data Protection Hero of the Year award for 2013, has moved on.

Lauded for his outstanding service to the country as the Ministry of Justice’s lead negotiator, overseeing the negotiations on the European Commission’s data protection proposals, John has left the MoJ and the Civil Service. His departure will leave a huge gap which, at this delicate stage in the DAPIX data protection discussions, will be extraordinarily difficult to fill.

John was appointed Head of EU and International Data Protection Policy at the MoJ in November 2011. He had completed a review of Claims Management Regulation, and previously led MoJ’s engagement with Muslim communities on raising awareness of domestic and matrimonial law.  He also headed the UK delegation to the 2011 Special Commission on the practical application of the Hague Conventions on international child abduction. So his has a huge range of experience that I’m sure most organisations would do anything to take advantage of.

All eyes will be focused on his LinkedIn account for the official announcement of his next role.

I’m sure I join many UK data protection professionals in wishing John the very best for the future.



Wednesday 30 July 2014

The UK’s influence at the European Commission: “A lost cause”

Last Monday, some prominent European data protection commentators, each with links deep within European Commission institutions, predicted that we would see fewer EU officials travelling to the UK to discuss and negotiate EU positions in future.


Because, increasingly, the UK is judged as “a lost cause”.

Monday’s workshop on the Data Retention and investigatory Powers Act, held at the Free Word Centre in Central London, with proceedings conducted (mostly) under Chatham House rules, was attended by a fair smattering of the UK’s data protection finest academics, practitioners and campaigners, together with some of the greatest of the good of the land.

While the focus of the meeting was on what ought to happen next in light of the speedy passage of DRIP through Parliament, and what preparations needed to be made to facilitate a more fundamental review of the Regulation of Investigatory Powers Act, 2000, a number of key observations were made which illustrate just how significantly the tectonic plates which frame the relationship between the UK and the European Union are shifting.

From a data protection perspective, this shift has some key implications.

Most importantly, the debate within the UK as to whether the new legal instrument setting out new data protection rules should be cast as a Regulation or a Directive becomes less significant.


Because by the time the deadline arrives for the new legal instrument to be implemented by EU Member States, the UK needs to plan for the possibility that it won’t be an EU Member State any more. In light of the “in-out EU referendum”, whenever that is held, some very smart minds now need to plan for the contingency that the UK will have cast itself away from the EU, and will therefore expect to be treated as a non-EU country with “adequate” data protection safeguards. Just like Andorra, Argentina, Guernsey, the Faroe Islands, the Isle of Man, Israel, Jersey, Uruguay and Israel – to mention but a few.

In this scenario, the UK’s revisions to the current 1988 Data Protection Act need not be as radical and as dogmatic as the changes that might be imposed on the data controllers situated elsewhere in the EU. The UK could even keep its DPA registration fee – which might well come as a relief to the MoJ bods currently struggling with the task of inventing a scheme similar to (but not called the same as) the current ICO funding process. This will allow data controllers, rather than public funds, to continue to meet the lion’s share of the ICO’s budget.

In this scenario, the UK won’t need to adopt all of the provisions in a Regulation to be accepted as having “adequate” data protection arrangements. Remember, after all, what the Article 29 Working Party had to say about the Faroe Islands back in 2007:

“While Faeroese law may not meet every requirement imposed upon the Member States by the Data Protection Directive, the Working Party is aware that adequacy does not mean complete equivalence with the level of protection set by the Directive. Thus, on the basis of the above mentioned findings, and the additional information given by the Faroe Islands, the Working Party concludes that the Faroe Islands ensure an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.”

Another really significant insight from the workshop came from someone who suggested that a huge amount of the blame for the UK needing to pass its emergency DRIP legislation actually lay at the door of the Irish Government. 


Because had the Irish Government not have so spectacularly delayed the proceedings (it really not have needed to have taken some 7 years for the relevant cases to have been heard by the European Court of Justice), the legal arguments would have been assessed by judges in a “pre-Snowden” climate, where public “interest” (and press “outrage”) at the alleged activities of various national security agencies would have registered at a much lower level.

The Irish Government originally opposed the data retention proposals as it wanted communications data to be retained for 3 years, rather than the maximum of 2 years that was eventually agreed.  So, it is ironic that much of the credit for striking down the Data Retention Directive has been taken by an Irish digital rights organisation.

The topic of drafting fresh EU-wide communications data retention legislation for law enforcement purposes seems currently far too toxic for the policymakers of EU Member States and for EU officials to want to visit again.

Before they do, they will need to possess more credible sets of cojones.


Image credit:


Tuesday 22 July 2014

Why DRIP differs from the Dangerous Dogs Act

Given the events of last week, it hasn’t been long before various wags have been comparing the passage of the Data Retention and Investigatory Powers Act through Parliament with another example of hasty legislation, the Dangerous Dogs Act.

A few are already calling DRIP the ‘Dangerous Logs Act’ – but I think that’s wrong.

Having been (slightly) involved in the discussions that led to the drafting of the DDA, almost exactly 23 years ago, (I was the Association of British Insurers’ Legislation Manager at the time) I thought I should explain why.

The Dangerous Dogs legislation was prepared in great haste during the early part of the summer of 1991, following a spate of dog attacks on young children. The ensuing media commotion and the cry that  “something should be done” led to Parliamentary draftsmen being given almost no notice with which to create a legal instrument that would have the effect of assuring the public that sufficient was being done before Parliament rose for its summer holidays. With minimal debate, a short (10 clause) bill was rushed through both Houses of Parliament, and it received Royal Assent on 25 July 1991.

Significantly, the DDA sought to cover four types of dog, and cross breeds of these types. The were the pit bull terrier, the Japanese tosa, dogo argentina and fila Brasiliero. The problem, in classifying the prohibited animals by “type” rather than breed label caused huge problems. No-one had thought about whether, on the face of the bill, there should be a provision to set out who had sufficient expertise to assess whether an animal that was brought before them actually had the relevant offending physical characteristics. So chaos ensued as the initial attempts were made by courts to decide which animals should be put down, and which owners should be prosecuted for acting unlawfully.

The RSPCA criticised the act as like using “a sledgehammer to crack a nut,” and argued that it was wrong to criminalise individual breeds of dog: “Demonising individual breeds does not achieve anything as all breeds can attack people, just as all breeds can produce wonderful dogs.”
In hindsight, this was rushed legislation which was an overreaction to a transient public mood.

Now, lets turn to recent events.

The Data Retention and Investigatory Powers Act was prepared in less haste during the early part of 2014, following an adverse judgment in cases heard by the European Court of Justice, which declared the Data Retention Directive (2006/24/EC) invalid. This was the legislation that provided the statutory underpinning for the data retention obligations that had been imposed on European telecommunications service providers. It became necessary to ensure that the UK providers could have a degree of legal certainty as to what records should be kept and for how long, in order that they could be subsequently made available to law enforcement investigators (when it was necessary and proportionate for them to demand it).

Accordingly, Parliamentary draftsmen created a legal instrument that would have the effect of assuring providers that sufficient was being done before Parliament rose for its summer holidays. With minimal debate, a short (eventually 8 clause) bill was rushed through both Houses of Parliament, and it received Royal Assent on 17 July 2014.

Significantly, DRIP was designed as a short-term measure that would offer some immediate protection to providers, while at the same time enabling Parliament to embark on a longer-term review of the issue of how communications data is used for law enforcement purposes. The longer-term nature of the review means that the major decisions will be made by the Government that is to be formed after the next general election.

Accordingly, this controversial issue has been “parked” by politicians who currently have at least one eye on forthcoming election. Whatever proposals are to emerge from their review of the current legislation will generate a huge degree of media attention. But no political party wants to deal with potentially divisive issues (particularly when elements of the media hold entrenched positions that don’t accord with Home Office views), when their main aim is appearing united and focused on what will really inspire an electorate.

Unlike the DDA, I really don’t think that, in hindsight, commentators will view DRIP as an overreaction to a transient public mood.


Image credit:


Sunday 13 July 2014

How should you carry out a data protection audit, or health check?

Bearing in mind the audit points that the ICO auditors tend to raise when they visit an organisation, what issues should you focus on, bearing in mind that businesses have many things to worry about, in addition to worrying about not getting on the wrong side of the regulator?

And, just as importantly, how much is the busy data protection professional prepared to pay to get a set of decent audit questions?

Well, if you are prepared to pay as little as £5.99 to learn more about my audit methodology, then read on.

I’ve just published a short guide for the busy data protection professional who needs to ensure that their organisation operates practices and procedures which meet their legal obligations. People who follow the advice in this guide will significantly improve the likelihood that, should their organisation be examined, the ICO will determine that there is a high level of assurance that effective controls are in place. 

Data protection professional, beware - this is not a book designed for people who are obsessed with complying with absolutely every aspect of data protection law. Some may think that I've set the bar far too low in terms of what needs to be done do demonstrate that organisations take data protection issues sufficiently seriously. 

Please, reader, please feel free to part with £5.99 of your own money and decide for yourself as to how robust my audit methodology is. If you have, and can also monitor, the controls that I've outlined in my guide, then as far as I’m concerned, you're well on the way to data protection nirvana.

I’m always open to suggestions proposals about publishing this methodology in an alternative format. I’m embarking on the digital format first.  Once I’ve learnt whether others are just as excited about it as I, and my clients who have submitted themselves to this audit methodology, am, then I’ll consider revising it and publishing it as a paperback, too.