Monday 20 October 2014

Privacy regulators resolve to try more joined-up enforcement – but why?

You need to read the latest resolution of the international conference of data protection and privacy commissioners on enforcement cooperation a couple of times before much of its meaning becomes apparent.

It may be just over 900 words long, but crystal clear it ain't.

It recalls previous resolutions from the 29th, 33rd, 34th and 35th conferences and the Montreux Declaration from the 27th Conference. It recalls earlier decisions to set up an International Enforcement Coordination Working Group, and notes that the Working Group reported back with six recommended co-ordination principles.

It further notes that the previous conference mandated the Working Group to “work with other networks to develop a common approach to cross border case handling and enforcement co-operation, to be expressed in a multilateral framework document addressing the sharing of enforcement-related information, including how such information is to be treated by recipients thereof, and that this work was not intended to replace existing national and regional conditions for sharing information, or to interfere with similar arrangements by other networks.”

It also notes progress on developing “arrangements for cross-border cooperation in the enforcement of laws protecting privacy, including efforts by APEC, the data protection authorities of the Article 29 Working Party, the OECD, the Council of Europe, the network of Francophone authorities, the Ibero-American network and the Global Privacy Enforcement Network (GPEN)”.

The resolution goes on (and on, and on) until you get to (perhaps) the most significant bit, which is “To support the development of a secure international information platform which offers a ‘safe space’ for members of the International Conference and their partners to share confidential information and, to facilitate the initiation of coordinated enforcement action and, complement other international enforcement coordination mechanisms, adding value to the international enforcement operational framework.”

What (slightly) surprises me is why, after some 36 international meetings, it is still necessary for privacy commissioners to bang on about the need for international co-operation amongst themselves.

Why do they need additional mandates to facilitate a greater sense of working together – is it because some regulators find it hard to cooperate with others? They all ought to be working together anyway, and it would be scandalous if they weren’t.

Or is it because they need to send more messages to data controllers to reassure them that scarce tools and resources are being pooled, and that, perhaps one day, they may be sufficient to deal with the behemoths that seek to transgress?

The reference in the resolution to the sharing of confidential information caught my attention, particularly as the Data Protection Act has a few things to say about this.

 Section 54 of the DPA provides a gateway for the ICO to exchange some information with supervisory authorities in the colonies, other EEA States or with the European Commission. The Act does not refer to cases where it may be prudent to share information with authorities elsewhere around the globe.

Section 59 places various constraints on the ability of the ICO to disclose certain types of confidential information. Presumably, the Commissioner will argue that any disclosures for fellow regulators of information supplied to it in confidence will be lawful as the disclosure will, of necessity, be in the public interest. 



Friday 17 October 2014

What’s the difference between data protection and privacy?

An animated conversation broke out at a recent meeting of the Crouch End Chapter of the Institute of Data Protection. Members were discussing the differences between data protection and privacy. 

Eventually, we decided that data protection was relatively easy to define. It referred to legal controls over access to and use of data stored (mostly) in computers.

Privacy, on the other hand, was harder to pin down. It was multidimensional, best described in terms of:
  • Privacy of personal information. This is any information relating to an individual, who can be identified, directly or indirectly, by that information and in particular by reference to an identification number or to one or more factors specific to their physical, physiological, mental, economic, cultural, locational or social identity. Privacy of personal information involves the right to control when, where, how, to whom, and to what extent an individual shares their own personal information, as well as the right to access personal information given to others, to correct it, and to ensure it is safeguarded and disposed of appropriately. 
  • Privacy of the person. This is the right to control the integrity of one’s own body. It covers such things as physical requirements, health problems, and required medical devices.
  • Privacy of personal behaviour. This is the right of individuals to keep any knowledge of their activities, and their choices, from being shared with others.
  • Privacy of personal communications. This is the right to communicate without undue surveillance, monitoring, or censorship. 
So, there you have it. If you ever needed a conversation stopper at a drinks party, you can ask your chums for their views on the difference between data protection and privacy.

Many thanks to the member who recalled the great work on privacy that Roger Clarke has carried out in this area. 



Thursday 16 October 2014

Muses from Mauritius

No, I’m not in Mauritius at the international conference of data protection and privacy commissioners.

I have, however, been following some of the proceedings on the internet. The conference organisers helpfully realised that not all interested parties would be able to travel to the tropical paradise island of Mauritius, so they provided a live webcast.

The usual suspects are in attendance, including a strong contingent from the UK, led by Commissioner Christopher Graham, the mighty Eduardo Ustaran and the GSMA’s privacy guru, Pat Walshe. All are suitably dressed for a formal business occasion.  No shorts or T-shirts in sight. Despite the fact that the beach is so close. They are evidently taking the event very seriously.

The conference's colourful logo is quite apt. In just a few strokes, the illustrators have drawn the national bird of Mauritius, the dodo. Let's hope that the challenges of an ever richer data environment won't overwhelm citizens and destroy their trust in data controllers, in the same way that a new environment overwhelmed the dodo. 

Here are my favourite conference quotes:

“Milk expires – and so does data.”

“We are not in a completely safe and sustainable privacy world.”

“There are a lot of analogies between chemistry and big data.”

“[Especially] in the context of big data, we need an efficient and effective provision of public services.”

“My biggest concern is the concept of digital pre-destination - where the data defines who we are going to be, rather than we allowing ourselves to be who we are going to be.”

“How do you build ethics into algorithms? – should your driverless car kill you to save 2 other people? After all, eventually, smart cars will know how many passengers are in each car.”

[In relation to the problems faced over the past decade by data protection officers and regulators with respect to addressing issues relating to transparency and new technologies] “everything old is new again.”

“My children were programming code before they were allowed to use steak knives at the kitchen table. That shows you my approach to risk management.”

[Said a former data protection regulator to fellow regulators] “You will never reach your destination if you throw stones at every dog that barks.”

“Accountability - we don't even know how to translate that in French.”

For many, perhaps, the most significant remark of today was made by one of the conference organisers: 

“The venue for this evening’s rum cocktail has moved, from Sugar Mountain to the fountain.”


Tuesday 7 October 2014

Teh internet really is serious business

At the Royal Court Theatre last night, the audience and I were left with the impression that internet security is a luxury that all too few of us will ever be able to afford.


Because we were seeing a magnificent play which charted, in the broadest of terms, the rise of the hacktivist group Anonymous, and the fall of members of a related group called LulzSec.

If you want to appreciate how a small group of exceptionally talented individuals can cause havoc, when they try, or shed much-needed light on secrets that large institutions have tried so hard to conceal, then this is the play for you.

 As Dominic Cavendish put it: “at last, we have a play fit for the bewildering online times in which we live. Tim Price’s Teh Internet is Serious Business (the misspelling is knowing, btw, as is much else) takes us inside the strange world of the hacker, at once solitary and part of a sort of surrogate family.”

And as John Nathan remarked: “crucially the show reveals how our lives, institutions, values and laws are at the mercy of a group of talented but unruly teens - sometimes for good, at others, for ill.”

It made me realise how much we rely on those who provide us with our own on-line security products to go that extra mile to keep up with the very latest advances in digital protection. It made me appreciate how much so many organisations have relied on software developers who, because of the speed with which they have been required to deliver products, have not been able to fully assess all potential vulnerabilities.  And it made me think even more carefully about the motivations of those who attempt to test to the very limits the security controls that currently exist. These people will not necessarily do it with evil intent. They may not even appreciate the gravity of what they are doing – until the digital locks have been broken and much-valued secrets are secret no more.

I’m planning to attend a meeting of Parliament’s Intelligence and Security Committee next week, to offer my views on the appropriate balance between our individual right to privacy and our collective right to security. I do hope that many of the Committee members manage to pop over to the Royal Court to soak up some of the exuberance, anarchy and occasional naivety of some of those who have such strong hacktivist skills. The play is running until 25 October, so there is time, if any are so minded.

If they do see it, then they may realise that it’s not only the intelligence agencies’ use of intrusive surveillance capabilities, and the adequacy of the existing legislative framework that governs this issue, that require a review. What’s also required is a more fundamental review into the consequences of a truly interconnected world.

If I’ve learnt anything from last night, it’s the need for organisations to consider building even more physically separate systems, rather than relying on security to be provided primarily by means of specially designed software. Certainly, they need to consider the merits of creating air gaps within their own IT systems. Does every large organisation need to rely on a single set of connected servers? Cyber attacks are here to stay.