Wednesday 18 February 2015

More positive news from the European Commission about the data reform package

If you want to cheer yourself up, just surf over to the European Commission’s website and read all about the amazing benefits that the impending data protection reform package will deliver.

Wow, it’s impressive.

Benefits for citizens and businesses – particularly small and medium-sized businesses. Citizens will be put back in control of their own data. The “right to be forgotten” gets another airing. Consent cannot be assumed. Saying nothing is not the same as saying yes. Businesses will save €2.3 billion a year by dealing with one law, not 28.

If we are to believe the hype, "It is a golden opportunity. By fostering a Digital Single Market, we can create up to €250 billion in additional growth, hundreds of thousands of new jobs, and a vibrant knowledge-based society."

So what’s the problem? Why the delay? Who’s opposing this wonderful measure?

This is where the Commission’s website fails to deliver.

Nowhere is there even a summary of the principal issues that have yet to be resolved, with an explanation of why Member States continue to have significant concerns. For that sort of information, you need to dive deep into the footnotes of the DAPIX documents that occasionally appear online.

This is a lost opportunity – if you expect the Commission to be even-handed in its reporting of the issue, that is.

What we read is a one sided summary of the issue, full of stock paragraphs that could so easily be inserted into the speech of any politician / public official tasked with delivering a homily on the benefits of the reform package.

Journalists who want to cover the potential deficiencies of the reform package have to work a lot harder if they are to file a decent report. The lack of an alternative narrative is unsettling. If the package were so good, why is the gestation period proving to be so difficult?

Perhaps the Commission’s website is not the place to go for impartial news about legislative proposals. Perhaps it exists purely to promote the Commission’s aims and aspirations.

But if it wishes to rise above the political debate, it should be bold enough to acknowledge that every proposal has its detractors, and that their views could also be made available to European citizens, perhaps through hyperlinks from the Commission’s website, so that citizens can determine for themselves whether public policymakers are taking appropriate decisions.



Tuesday 17 February 2015

The Subject Request App

Those clever bods over at Allen & Overy have developed a handy app to remind Data Protection Officers how to deal with Subject Access Requests. Although it was first released in May 2012, I must admit that I’ve only just seen it.

It makes a change from having to refer to 10 separate ICO publications that touch on particular aspects of Subject Access Requests. If you didn’t realise that there were 10 separate guidance documents, take a squint at A&O’s reference materials. Some of the hyperlinks to materials on the ICO’s website are currently broken – but a decent internet search engine should be able to locate the original documents eventually. Perhaps, in the fullness of time, an ICO archivist will develop a list of “live” and “withdrawn” guidance notes, to avoid too much confusion amongst the privacy anoraks, for whom guidance from the ICO is as greatly revered as an original copy of the Magna Carta. But I do appreciate that, given the current financial constraints, such a task is well down the ICO's priority list.

As well as bite-size summaries of relevant ICO advice, the AccessAssist app includes an interactive Q&A-based tool, an analysis of the usual exemptions, frequently asked questions, links to support materials and subject access fee tables.

Having used the app for a few minutes, I can see its potential to become a key item in a DPO’s toolbag. Any decent DPO needs some props to reassure their clients that they’ve got all the tools of the trade. I usually carry an original copy of the Data Protection Act, carefully annotated with notes and comments made by a key civil servant who was responsible for implementing it. And a tatty copy of an old ICO data protection guide.

From now on, when I’m advising on tricky Subject Access Requests, I’ll make sure that the client sees me using this reference tool, too – which ought to provide sufficient assurance that I both know my stuff and am completely up to date with the very latest legal thinking.

The best bit – particularly for hard-pressed public sector information rights folk – is that the app is free. All you need is an iPad. It's not yet available for the iPhone, and I’ve no idea whether there are plans to develop a version specifically for the small screen.

The app has also been scrutinised by the ICO. According to Deputy Commissioner and Director of Data Protection David Smith, “we congratulate Allen & Overy on the development of this app. The right of subject access is at the heart of the Data Protection Act. Any tool that makes it easier for businesses to understand and meet their obligations to those individuals they hold information about can only be welcomed.”

Download it and let me know what you think.

Monday 16 February 2015

Data breaches: an unhelpful headline from the IT security press

A headline caught my eye in the latest edition of SC Magazine. Evidently, the UK has been named and shamed as Europe’s worst country for data breaches.

It may be a catchy headline, but it belies the facts. The article focused on a report published by Gemalto, drawing attention to significant data breaches during 2014. It focused on 1541 breach reports that, in total, affected over 1 billion records.

The article’s headline simply referred to a statistic, buried away on page 7, indicating that in terms of the number of separate incidents reported, there were more reports from UK organisations (117) than from any other country in Europe. Germany, for example, reported 7 incidents. The French had 9 incidents, the Italians 3 and the Poles only 2. Nobody was shamed. Not even the countries that reported hardly any incidents.

Need I say more?

I think it would be more helpful just to highlight the point that British organisations were more likely to report data breaches to the researchers than organisations in other European countries.

So what lessons can we learn from this report?

Very few, actually – as it's so hard to accept that the raw breach reporting data is credible. It was collected from “public sources” – whatever those were. While it makes great reading if you’re after a few horror stories to use in presentations that seek to justify additional expenditure on encryption and access control for users, the document doesn’t purport to be an authoritative study on the breaches that are currently being experienced.

Indeed, Gemalto helpfully emphasises that it “makes no representations or warranties regarding this information and is not liable for any use you make of it.”

But don’t let that disclaimer put you off reading it.

Just take the headlines from the IT security press that purport to report on the document with a healthy dose of scepticism.



Friday 13 February 2015

Article 29 Working Party tests its influence (again)

I’ve read the letter from the Article 29 Working Party to Google and to various Internet search engines in the light of the Google Spain decision. It concerns “The applicability of Directive 95/46/EC to a search engine insofar as the processing of personal data is carried out in the context of the activities of a subsidiary on the territory of a Member State, set up to promote and sell advertising space on its search engine in this Member State with the aim of making that service profitable.”

And I have some difficulties with the letter.

I should start by agreeing that there may be circumstances where offensive material must be de-listed by the search engines.

However, the letter’s key sections are:

“De-listing decisions must be implemented in such a way that they guarantee the effective and complete protection of data subjects’ rights and that EU law cannot be circumvented. In that sense, limiting de-listing to EU domains on the grounds that users tend to access search engines via their national domains cannot be considered a sufficient means to comply with the ruling. In practice, this means that in any case de-listing should also be effective on all relevant domains, including .com.

Moreover, search engines should not as a general practice inform the webmasters of the pages affected by removals of the fact that some web pages cannot be acceded from the search engine in response to a specific name-based query.”

Is this a problem?

It depends critically on what the material is and whether people have confidence in the panel that will ultimately decide what material is to be censored. I don’t think it should be up to the search engines to make the entire decision – even though, of course, it's their commercial activities that led to a decision to list the relevant website in the first place.

Fortunately, there are some 40+ former senior privacy regulators that might be available (for a fee) to offer advice on an as-required basis. Unshackled from their former roles, some may have more pragmatic minds than I was once led to believe. So, perhaps we need a “Star Chamber” of former national regulators who can preside over the harder cases.

I do have a difficulty in accepting that decisions, even if made by the “Star Chamber”, should have an effect on individuals who search outside the EU. If, for example, I were the Minister of Information in some backward state, I might well be determined to control the flow of information within my own State, and might well be embarrassed if certain information were to be disseminated outside it. But I might be rightly condemned in some quarters for trying to censor information that others had a legitimate right to know.

I also have difficulty in accepting the view that webmasters should not be told that their sites have been de-listed. Are we to allow secret courts within the EU to dispense “justice” in ways that can’t be challenged? I do hope not.

But I suppose the Article 29 Working Party has to be seen to be doing something.

If nothing else, it's encouraging a debate on the salient issues.

Whether its views are taken on board by the global Internet search engines is another matter entirely.


Friday 6 February 2015

What hope of a Magna Carta for big data?

The European privacy fraternity does think about issues other than the European General Data Regulation.

The latest idea, from the Insight Centre in Ireland, is a Magna Carta for big data. 

With over 350 researchers, Insight is Ireland’s largest ever research investment and one of the biggest data analytics institutes in the world. In their words: “There is growing public unease about the pace of growth in Big Data and lack of transparency about its use. Data use by public and private entities raises important questions about ownership, privacy, individual rights and societal progress. We cannot allow technology to outrun policy and legislation. We need to define the rights of all stakeholders and anticipate the issues that are likely to arise.”

Great idea. But can it be realised?

Given how the European institutions’ concept of privacy has morphed from a qualified right to a fundamental right – by stealth – problems arise in appreciating that data controllers have rights, too. It is a poorly understood fact that, actually, human rights legislation also gives rights to bodies that are not human.

As Insight (more diplomatically) put it: “The almost exclusive focus on the privacy of the individual, while politically popular, is potentially damaging to progress.”

When asked recently to comment on the proposal for a Magna Carta for an article in Washington Internet Daily, I pointed out that the paper clearly sets out why something must be done to define the rights of all stakeholders and anticipate likely emerging issues. But that was the easy part. The Centre hasn’t really explained how the rights of all stakeholders should be defined, nor what those rights should be.

Another open question is whether there’s sufficient common ground among players to make any big data standards meaningful. The question of who should be permitted to own what information is so toxic.

The proposals have extremely worthwhile aims but I’m not convinced the developed world has sufficiently robust processes in place that are capable of achieving them, and in particular ensuring that all stakeholders respect them.

Let's face it. Our record on regulating climate change is poor. Nor do we appear to have had much success in ensuring that citizens, in significant parts of the world, can live in peace.

So why do we think it's possible for stakeholders to reach a Europe-wide agreement on norms for processing Big Data?

Please, please, please – someone prove me wrong.