Thursday, 5 May 2016

750 days to go before the new data protection rules bite

How often do organisations get 750 days’ notice of new rules that may require them to make huge changes to comply?

Well, it’s happened. The General Data Protection Regulation, a mighty piece of legislation that took over four years to negotiate, has just been published in the Official Journal of the EU and will apply from 25 May 2018.

What will it mean to most organisations?

Potentially, lots. Unlike Y2K, which passed (mercifully, on 1 January 2000) without a hitch, the new rules are potentially pretty disruptive. After all, from May 2018, organisations will be under greater obligations to provide assurance to their boards, customers and regulators that their data protection processes and procedures are fit for purpose.

For the most serious violations (such as ignoring data subjects' rights) privacy regulators will be able to impose penalties of up to €20m or 4 percent of annual global turnover (whichever is higher). This is a critical change compared with the current UK maximum fine of £500,000.

Other changes include

    Responsibility for data protection. Any organisation that processes or accesses personal data will also be held responsible for its protection, including third parties such as cloud providers. Data processors (not only data controllers) will be accountable for protecting data.
    Applicability and extraterritoriality. Any organisation that processes the personal data of individuals in the EU is in scope where it offers them goods or services or monitors their behaviour. This includes companies that are established outside the EU, even if they have no physical presence in the EU.
    Data protection officer. Many companies will need to designate a DPO.
    Data breach notification. Currently, different countries have different rules on data loss reporting. The GDPR will streamline the process, requiring regulators to be informed within 72 hours of the organisation becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals.
    Claims and damages. Individuals and some representative organisations will be able to claim damages in certain cases. Litigation can be extremely costly and usually results in both reputational and financial losses. Reputational damage will be a key consideration in managing the data breaches that will be reported to both regulators and customers.
    Transparency and individual rights. Organisations will have to provide much more information to individuals about how their personal information is being processed, their rights and safeguards. These include the right to be forgotten, the right to restrict the processing of their personal data, and the right to data portability.

How can organisations prepare for these changes?

There will be no shortage of advice from the consulting firms that have been waiting a long time for the starting gun to be fired.

But how can they prevent themselves from over-engineering the solution?

As we experienced when the new cookie rules came in, some organisations tried almost too hard to implement the rules. Users were offered a bewildering array of choices about what cookies could be dropped on their device. Now, the general tendency is for organisations simply to say: “We use cookies, get over it. Click for more details.” 

I’ve prepared for these changes by changing my own job. I’m now leading the data protection offering at a major consultancy firm, and able to help clients by offering them support from a wider array of data protection specialists than was previously the case.

Wish me luck in my new role – and don’t hesitate to get in touch if you and/or your organisation need help in developing or implementing an enhanced privacy compliance programme.

Transformation and behavioural change?

Yes we can.

So let’s do it.

If your clients want to know what good data protection practices look like, you know I can help.


Wednesday, 30 March 2016

A (light hearted and) handy guide to privacy activists for the under 10s

Privacy activists in the olden days
There weren’t many privacy activists in the olden days. This was because there was no Internet, and very few people had heard of the Data Protection Commissioner. As it was expensive to make a telephone call, and texts had not yet been invented, it was quite hard to spread rumours and exchange information with lots of people you didn’t know. Only print journalists were usually able to do this, which is why the Sunday papers were often packed with stories about prostitutes and vicars. 

Journalists didn't bother about people’s privacy in the olden days.

Nowadays, privacy activists are bored with journalists because, on the whole, they behave themselves.

Nowadays privacy activists are bitter, but balanced, people. They have chips on both shoulders. Social media companies are a big disappointment to privacy activists.

Privacy activists now think that most people are:
a) Simple and easily led
b) Un-enlightened and susceptible to short-term pleasures
c) Terribly sad and struggling, unable to cope on their own
d) All of the above

Education is a life-long task
Privacy activists think that most people are unable to think for themselves and require life-long education to help them make informed decisions.

Privacy activists work tirelessly campaigning to encourage most people to be acutely aware when buying online, rather than in local shops. They are disappointed that most people like to exchange their privacy for “free stuff”.

Most people like to surf the Internet, watch pornography, have sex and book foreign holidays. They do not understand that these activities are dangerous and need continuous education from privacy activists.

Most people need to be protected from the internet, even though they don’t read behavioural targeted adverts. They are easily influenced and their happy-go-lucky ways can be turned into bigoted nasty ways. Privacy activists are needed to help them use Facebook carefully and not make mistakes.

Privacy activists like to be sad and unhappy
Many privacy activists have a very nice life, but they like to be sad. To help with this, they choose to be sad for other people. Sometimes these people are far away and sometimes they are nearby, but different to them.

In the olden days, privacy activists tried to make it better for other people. Nowadays, they like to protect them by being offended when a normal person doesn’t behave as the activist would like them to do.

Privacy activists like to help other people by being offended on their behalf. This means that the other people can carry on with their lives and the privacy activists do all the work. This isn’t really fair, but the privacy activists seem to carry on doing it, so they must enjoy it. Despite all this effort privacy activists are still very sad.

Privacy activists care more than other people
Privacy activists care so much that they hate most social media companies. And Google. Other people don’t really think about social media companies, they only care about themselves and other people that they know. This means that privacy activists have to hate the social media companies even more, even more than they actually hate Google.

Privacy activists show that they care by telling other people about how much they care. They send special “I care” signals to other people. Forwarding videos on Facebook is one way that they can show how much they care. The videos often show people far away who are living miserable lives, but links to poorly written privacy policies are also considered sufficient.

Privacy activists (see below) are very helpful. They make lots of “I object” videos which makes it quick and easy for other activists to send their “objections”. They do this several times throughout each day when they are not busy.

Sometimes privacy activists are made angry by other people
Privacy activists care so much, it makes them hate people who don’t show that they care. These people are normal people. Privacy activists have given them a name. It is “Corporate scum”. Privacy activists like to shout at the people and tell them that they are scum even when they aren’t listening.

Shouting at the staff at the Information Commissioner’s Office is another way to show that they care. Caring is very important to privacy activists.

Privacy activists care so deeply that they don’t have time for thinking and convincing. They use their precious time for shouting about caring.

Also, normal people don’t know what privacy activists are saying, so it is helpful when they point to the people and shout “scum”. They think that normal people do understand shouting and caring.

If you have observed someone and you are not sure if they are a privacy activist, seek their opinion on “the corporates”. If they start to shout and care, they are privacy activists.

Privacy activists are helpful
Privacy activists are people who have an encrypted internet connection. They make the internet very loud.

Privacy activists help other people care on the internet. They are very helpful in pointing out when people have forgotten to show that they care. They help people in many ways – watching videos, commenting on things and clicking on buttons called “start a petition”. Privacy activists sometimes go outside their houses and meet other privacy activists and they care together and shout at the corporate scum.

Privacy activists are funny
Privacy activists have “enlightened comedians” who make jokes on “panel games” and tweet a lot. These are broadcast on the television, BBC Radio 4, and Twitter.

The enlightened comedians make people laugh at normal people, whom they consider stupid. In the olden days, comedians made jokes about Irish people, but these comedians weren’t clever like the enlightened comedians.

Instead of the Irish people, the enlightened comedians make jokes about Facebook. Because they care, they use special words like “Privacy Policies”, “Trans border data flows” and “Privacy Shield”, so the normal people will not notice.

Normal people do funny things like posting selfies on the Internet, eating Haribos and watching television. This is funny and the enlightened comedians are helpful because they point at them and laugh, so we know who to laugh at as well. It is very funny and we all laugh because we are enlightened too.

Further reading
Any tweet by @tim2040 should be enough to put you off your dinner.

I am deeply indebted to Andy Shaw, whose recent article on a handy guide to Left-wing people for the under 10s prompted me to lovingly plagiarize his work. I do hope he won’t be offended.

Thursday, 11 February 2016

Scrutinizing the draft Investigatory Powers Bill

The point about pre-legislative scrutiny is that a parliamentary bill gets a good prod before it begins its usual passage through Parliament. The main issues are identified, and stakeholders can marshal their views in an attempt to influence the decision-makers in good time for changes to be made that ought to result in a statute that is far fitter for purpose.

Three Parliamentary Committees have recently reported on the Draft Investigatory Powers Bill. The measure, complete with a guide to its powers and safeguards, was published as a 296-page document on 4 November. It is not an easy read, even for the surveillance specialists.

Given that a number of stakeholders submitted the same comments to (at least two of) the Committees, it’s not surprising that they all independently reached (broadly) similar conclusions. What is surprising, however, is the tone of the reports. Each gave the Home Office a good kicking. And the Committee comprising the most experienced politicians gave the Home Office the hardest kicking.

First up was the Science and Technology Committee. The committee of 11 MPs had received 50 written submissions, held 2 public hearings during which witnesses gave evidence, and published a 38-page report making 14 recommendations on 30th January.

The STC noted that "Previous attempts to legislate in this area have met with criticisms over the lack of consultation with communications service providers (CSPs) on matters of technical feasibility and cost … Following the failure of previous attempts to introduce data legislation, the Government has made efforts to consult and engage with communications service providers likely to be most affected by the draft Bill. However, there remain widespread doubts over the definition, not to mention the definability, of a number of the terms used in the draft Bill. This has given rise to uncertainties over the likely scope and costs associated with implementing the proposed measures.

The nature of ICRs and the true extent of the Bill’s ‘removal of electronic protection’ and ‘equipment interference’ powers are precisely the subject of uncertainty and concern from business due to lack of clarity in the Bill and in the consultation so far. It is clear that greater reassurance is needed—both on the face of the Bill and in forthcoming Codes of Practice—that businesses will not be subject to disproportionate additional burdens that will not be fully paid for.

If law enforcement agencies and the intelligence and security services are effectively to combat terrorism and serious crime, they must have the means to keep pace with developments in communications. They will doubtless need to continue to deploy a range of methods for intercepting and acquiring information about communications. The evidence we have received suggests there are still many unanswered questions about how this legislation will work in the fast moving world of technological innovation."

Next to report was the Intelligence & Security Committee, a group of very senior politicians. The committee comprising 2 peers and 7 MPs held no public hearings, but instead heard evidence in private from the Home Secretary, Home Office officials and the heads of the intelligence agencies. A 13-page report, making some 23 recommendations, was published on 9th February.

The ISC pulled few punches. "The Investigatory Powers Bill is the first major piece of legislation governing the Agencies’ powers in over 15 years. While the issues under consideration are undoubtedly complex, we are nevertheless concerned that thus far the Government has missed the opportunity to provide the clarity and assurance which is badly needed. That the confusion surrounding the existing legislation fuelled many of the allegations and suspicions concerning the Agencies’ investigatory powers over the past few years clearly demonstrates the importance of transparency in this area.
Overall, the privacy protections are inconsistent and in our view need strengthening. We recommend that an additional Part be included in the new legislation to provide universal privacy protections, not just those that apply to sensitive professions.
The provisions in relation to three of the key Agency capabilities – Equipment Interference, Bulk Personal Datasets and Communications Data – are too broad and lack sufficient clarity.
We fail to see how Parliament is expected to approve any legislation when a key component, on which much of it rests, has not been agreed, let alone scrutinised by an independent body. 

The approach towards the examination of Communications Data in the draft Bill is inconsistent and largely incomprehensible. The Committee recommends that the same process for authorising the examination of any Communications Data (including Related Communications Data) is applied, irrespective of how the Agencies have acquired the data in the first instance. This must be clearly set out on the face of the Bill: it is not sufficient to rely on internal policies or Codes of Practice.
The issues we have highlighted in this Report must be addressed before any subsequent Bill is laid before the House and we would urge the Government to ensure that it takes sufficient time and care in so doing. While we recognise the timing constraints imposed by the ‘sunset clause’ in the Data Retention and Investigatory Powers Act 2014, it appears that the draft Bill has perhaps suffered from a lack of sufficient time and preparation and it is important that this lesson is learned prior to introduction of the new legislation."

Finally, it was the turn of the Joint Committee on the draft Bill. This committee, comprising 7 peers and 7 MPs, had received 148 written submissions, running to over 1500 pages of evidence, heard from 59 people in 22 public panels during which witnesses gave evidence, and published a mighty 198-page report making 86 recommendations on 11th February. As a specialist adviser to this Committee, I was one of the lucky few who spent their Xmas holidays reading over half a million words of evidence.

Here, the criticism is more measured, although the message is the same:

"Resolving the tension between privacy and effective law enforcement in this area is no easy task. The Home Office has now come forward with a draft Bill which seeks to consolidate in a clear and transparent way the law enabling all intrusive capabilities. The Committee, together with the many witnesses who gave evidence to us, was unanimous on the desirability of having a new Bill.
The major change which would be brought about by the draft Bill is the creation of a new judicial oversight body and the much greater involvement of judges in the authorisation of warrants allowing for intrusive activities. As well as being important in its own terms, making this change will reduce the risk that the UK’s surveillance regime is found not to comply with EU law or the European Convention on Human Rights.
A proposal which has attracted much attention from our witnesses is that of the creation of an obligation on communications service providers to collect and retain users’ internet connection records (ICRs). We heard a good case from law enforcement and others about the desirability of having such a scheme. We are satisfied that the potential value of ICRs could outweigh the intrusiveness involved in collecting and using them. But we also heard strong concerns, in particular from some of the providers themselves, about the lack of clarity over what form the ICRs would take and about the cost and feasibility of creating and storing them. The Home Office has further work to do before Parliament can be confident that the scheme has been adequately thought through.
Other concerns were over the provisions in the Bill for bulk powers to intercept, to acquire communications data and to interfere with equipment. These powers are not new, but have been avowed for the first time in legislation. The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.
Much of the important detail about the way the new legislation will work is to be contained in a set of Codes of Practice. We call on the Government to ensure that these Codes are published alongside the Bill to inform the further scrutiny which the Bill will receive from the two Houses. In our view, the Bill would also benefit from a post-legislative review by Parliament five years after its enactment. We call for provisions for such a review to be included in the Bill."

The Joint Committee’s recommendations for improving the draft Bill were all designed to ensure that the powers are workable, can be clearly understood by those affected by them and have proper safeguards. Most significantly:
On encryption: "The Home Secretary assured the Committee that its approach to encryption is not designed to compromise security or require the creation of ‘backdoors’. The Committee welcomed this clarification, but was concerned that this needs to be made clear in the drafting of the legislation."
On bulk powers: "The Committee recommends that if bulk powers are to be included in the Bill, a fuller justification for each should also be published alongside the Bill. It recognises that the Intelligence and Security Committee has recently published its report, which the Committee believes will be of significant value to the two Houses when the Bill is introduced and scrutinised."
And, on Internet Connection Records (ICRs): "The Committee can see the desirability of ICRs, but has not been persuaded that enough work has been done to conclusively prove the case for them. The Committee would like to see the Government work harder with industry in order to provide more robust information."

So, where do we go from here?

Pre-legislative scrutiny is, after all, just the end of the beginning.

In parliamentary terms, the Government’s business managers have already decided how much parliamentary time can be made available for Home Office-sponsored legislation before the end of the year – when the sunset clause for the records retention provisions in the Data Retention and Investigatory Powers Act 2014 takes effect.

Should Parliament concentrate on passing a Bill that is narrower in scope this year, say one that just addresses the data retention and oversight provisions? Is there really sufficient time to consider other elements – such as overhauling the bulk data and equipment interference provisions in 2016? A second Bill, containing the remaining provisions, could always be considered in 2017.

The Parliamentary calendar will be constrained this year as much business will cease during the EU referendum campaign, the dates of which have not yet been set. 

Looking at the 2016 Parliamentary holidays for the House of Commons (the House of Lords will set slightly different dates), the February recess is from today (11 February) until 22 February. The Easter recess is set from 24 March to 11 April. The Summer recess will be from late July to early September, the Conference recess will be from mid September to mid October, there will be a week’s break in mid November and then the Christmas recess will commence in mid December. That doesn’t leave a lot of time for legislating.

So, a new Bill needs to be ready and tabled within weeks. And, if it is to get through both Houses of Parliament unscathed, it really does need to take full account of each of the 123 recommendations (14 from the STC, 23 from the ISC and 86 from the Joint Committee) that have been made by the scrutiny Committees.

There will be no rest for the Home Secretary, her officials and the Parliamentary draftsmen for the foreseeable future.