Tuesday 30 September 2014

The RTBF myth busters hit the street

I’m impressed.

Either the European Commission’s internal visual design teams have had a new boss, or this summer’s crop of interns have been allowed to produce a document that looked great even to them.

However it happened, I do congratulate whoever was responsible for signing off this factsheet which explains elements of data protection law in such a visually engaging manner.

Lots of colour, great fonts, nice use of a discreet watermark, and the text was easy to follow.

This factsheet was on the “right to be forgotten” – and designed, in part, to lower public expectations on how strong a “right” it actually was. Six myths were presented, which were then demolished (in plain English, rather than in Eurospeak):
  • Myth 1: “The judgment does nothing for citizens”
  • Myth 2: “The judgment entails the deletion of content”
  • Myth 3: “The judgment contradicts freedom of expression”
  • Myth 4: “The judgment allows for censorship”
  • Myth 5: “The judgment will change the way the internet works”
  • Myth 6: “The judgment renders the data protection reform redundant”

Yes, you can write about data protection in terms that citizens can understand.

It’s instructive to compare this document with language used in the Article 29 Working Party’s latest missive. Why oh why, if the Commission is capable of writing in such a direct style, doesn’t the Working Party issue documents like this? Is it done deliberately, to ensure that very few journalists actually use the press release?

OK, it may be a question of resources, or perhaps the Working Party may feel it necessary to couch its language in more formal terms, as lawyers are generally more comfortable reading such texts. But our world moves far beyond that inhabited by lawyers – and the Working Party should do more to reach out to European citizens, using language they are more likely to comprehend, rather than restrict its focus to a small data protection elite.

If only the Working Party could hire the same visual design teams / interns. Then, perhaps, more of their material might reach a wider audience. Failing that, they might like to use the team that prepares the ICO’s documents, as they are written in Plain English, too.

Some Working Party opinions, after all, are quite useful – but it is a shame that so much of their stuff is so hard to read.




Monday 29 September 2014

Changes at the ICO

ICO watchers (of whom there are many) are generally keen to track subtle changes that occur within the organisation. Thanks to the ICO’s transparency agenda, the published minutes of internal meetings are always a useful source of intelligence. Significant ICO initiatives are usually accompanied by a press release, but every now and again other stuff happens which, in a more opaque organisation, might never have been disclosed to the public at large.

Did you know, for example, that the ICO’s Information Rights Committee meets regularly to exchange views on relevant issues?

If you were to glance at the minutes of its meeting held on 12 August, you may be interested to learn that it has carried out a review of its priority action groups and other cross-office groups.

Deputy Commissioner David Smith introduced a paper aimed at ensuring the various ICO internal groups with an information rights agenda are clearly defined, effective and able to deliver relevant priorities. Evidently, there is a risk that if groups are not established in the correct way, then opportunities may be lost or some duplication of effort may occur.

After some deliberation, the following recommendations were agreed:

  • The Priority Area Groups concept will be retained, albeit with the groups being renamed as Priority Area Action Groups (PAAGs).
  • Tasking and Coordination Groups (TCGs), Hot Issues Groups and Cross Office Information Exchange Groups (COIEGs) will continue unchanged.
  • An update on the activities of relevant TCGs will be included in the Management Board information rights report.
  • The Health PAG will become the Health and Social Care PAAG.
  • The Internet and Mobile Services PAG will be renamed as the Emerging Technologies and Applications PAAG.
  • The SME COIEG will become the SME PAAG.
  • A new Support to Individuals PAAG will be established. It will include representation from the E&D Committee.
  • The Information Rights Committee will annually review the effectiveness of each PAAG.

So, now we know.



Friday 26 September 2014

And the final speaker at the next (beachside) privacy conference is ...

Oh to be a privacy regulator, these days.

Who else gets to contemplate horribly complicated issues, treading a fine line between the needs of citizens, global organisations, public authorities and SMEs?

And who else gets to contemplate it in Mauritius?

From 13 to 16 October, some of the world’s finest data protection minds will be working out how to keep the sand out of their laptops as they contemplate more effective ways to regulate the digital universe.

The theme of the 36th international data protection and privacy commissioners conference is “A world order for data protection – our dream coming true?”

One look at the host’s website certainly indicates that someone’s dream will be coming true. If anyone ever wanted to know about data protection and snorkelling, then this is the place to go. Oh, to be paid to attend a privacy conference at a stunning resort hotel, located on pristine white sands overlooking the bay of Balaclava. I want that job.

I should not be snide, though. I’m likely to be in London (or Dublin) helping data controllers appreciate how best to avoid the critical gaze of their regulator. Not in the tropics.

To be fair, the delegates in Mauritius will be faced with a pretty packed programme. And I do hope that a good number remain for the final speaker, Marie Georges. A good number of them will probably never have heard of her. Even her job title, “Independent Expert and Member of the Fundamental Rights European Expert Group,” doesn’t give that much away.

But I know better.

I last saw her a few months ago in Brussels, and first met her several decades ago. Marie was (effectively) the person who drafted much of what we have come to know and love as the 1995 Data Protection Directive. Yes, it is her work that has become so out-of-date that it now needs to be replaced by another legal instrument. So it is probably fitting that the regulators should thank her politely before consigning her work to the statutory waste paper bin.

I have vivid memories of happy times, punting with her on the river Cam, during a privacy conference in Cambridge. Well, to be fair, some Cambridge graduate was doing all the punting. We were both just enjoying a glass or two of bubbly – as well as the view. I didn’t agree with her views on privacy back then, particularly her insistence that it was right for policymakers to be able to argue and negotiate their positions on the then (draft) Data Protection Directive in private, rather than in public.

I’m not sure whether she has changed her views about many data controllers. Particularly about those who shouted at her during the conference when they didn’t agree with her views on the need for tighter rules on direct marketing. Yes, data protection was a hotly contested topic back then, too.

To be fair, I don’t expect that the delegates will be shouting at each other this year. Many already know what they think about each other, and that’s enough.

I predict that we won’t be seeing too many public displays of disaffection.

Perhaps an argument about how to moderate public expectations of privacy in an internet age. Google will probably get another going over.

And perhaps a murmur of gratitude from the consultants present to thank the regulators for making data protection laws so complicated that data controllers will absolutely have to rely on their advice even more over the coming years.

Then, everyone can close their laptops and, if they have time before their long flight home, appreciate whatever other delights Mauritius has to offer the tired traveller.


Thursday 25 September 2014

New data protection accreditation framework launched

All eyes are currently on the British Standards Institute, as the soft launch of its new accreditation framework for BS 10012 has commenced. How quickly will it take off, bearing in mind the ICO’s intention to endorse (at least) one privacy seal scheme next year? Will organisations wait until it is clear whether this scheme has been officially endorsed by the ICO, or will they be brave and apply for BSI accreditation now?

For those not in the know, BS 10012 is the framework that sets up a personal information management system. If you need reassurance that your organisation meets the requirements of British data protection legislation, then this is the standard for you. If data controllers want to demonstrate “accountability,” they will benefit from being capable of complying with this standard.

Like all accountability frameworks, it is designed, as the BSI explains, to:
  • Identify risks to personal information and put controls in place to manage or reduce them.
  • Demonstrate compliance with data protection legislation and gain preferred supplier status.
  • Gain stakeholder and customer trust that their personal data is protected.
  • Gain a tender advantage and win new business.
  • Safeguard your organisation's reputation and avoid adverse publicity.
  • Protect you and your organisation against civil and criminal liability.
  • Benchmark your own personal information management practices with recognized best practice.

Some organisations might not want to open their internal systems up to the scrutiny of a BSI auditor until they are reasonably confident that those systems are robust. Few organisations relish the prospect of strangers poking around for dirty laundry. But they might nonetheless want some help from an expert who is familiar with the standard.

As someone who served on the working party responsible for writing that standard, I’m in a good position to offer some useful advice.

If you are interested in a frank review of your systems (or if you just want to know what it is that the law says you ought to be doing), then please feel free to contact me.