Wednesday 29 February 2012

That Regulation – as a carol

Today’s offering is the last in this short series of lyrical doggerel, and has been created just in case I’m invited to the Ministry of Justice’s Christmas Party this year (or any year, for that matter) and get asked to submit an idea for a festive carol about the new data protection Regulation.

Could I write something which, in typically solemn tones, paid tribute to the stoicism, sincerity and passion that the British negotiating team will be demonstrating over the next months (or years) as discussions focus on finding a common view about how to improve standards of data protection within Europe?

Well, I’ve turned my thoughts from the theatrical to one of the greatest stories ever told. Back to basics – and how much more basic can one get than this: set in a Committee room in some grotty European Commission office building that will be used by the delegates who will get to know each other really well, and who will find it really hard to keep focussed on every legal, privacy and procedural detail that will be raised and debated so diligently?

They have a truly monumental task ahead, and they need as much support as we can possibly give them: All hail, the MoJ!

To put yourself in the right mood for this carol, you should imagine that you are participating in an all night business meeting – knowing that it’s not over, not yet. And not for a long while.

“AWAY IN THE COMMISSION”

Away in the Commission
No time to be fed
The British negotiator
Had an ache in his head

The words in the official brief
Bounced straight off the page
Got the British negotiator
Worked up in a rage

The linguists are murmuring
The Vice Chairman wakes
But of the British negotiator
No notice anyone takes

I implore you, Mr Minister
Please make a try
To pay some attention,
As morning is nigh

Bear with me, Mr Minister
I ask you to stay
With the words you’ve been told to use
Then we’ll get home today

Bless all the dear negotiators
Showing privacy such care
Roll on the next meeting
And another nightmare



Image credit:
http://www.padfield.com/1999/images/manger.jpg


Tuesday 28 February 2012

That Regulation – as a musical

Following my last blog post, I’ve been asked to submit a more light-hearted idea than a grand opera about the new data protection Regulation. Could I write a rousing libretto that was more focused on Europe – and had more jokes?

Well, I’ve turned my thoughts from the grand operas that Sir Tim Rice has penned to the work of another master, this time Alain Boublil. Yes, he of Les Miserables fame. So, again, I apologise in advance if some of the themes make a listener think too carefully of what happened in that glorious work.

Let me know what you think of my sketch for this number, which closes Act 1. It salutes the extremely hard work that is about to be carried out by our chums in DG Justice, and in other parts of the European Commission, as suggestions for revisions to the current text of the Regulation flow in and need to be considered. The number features our illustrious heroine, who again for no real reason I’m just calling Viviane, a draftsman, a data subject (but we don’t hear too much from him), choruses of regulators and professional advisors, and another cameo appearance from this interesting character called Data Protector.

"ONE MORE DRAFT"

VIVIANE
One draft more,
Another draft, another assault on your sanity,
This never ending road to infamy;
These men who seem to speak in rhyme
Will surely come a second time,
One draft more...


DRAFTSMAN
I cannot live another day,
How can I live with this I’ve drafted?


VIVIANE
One draft more...

THE REGULATORS
Tomorrow you'll be moved away,
But for us, our job’s just started.


DATA SUBJECT
One more go - all on my own

THE PROFESSIONAL ADVISORS
Will we ever agree on what it means, again?

THE DATA PROTECTION OFFICERS
One more draft with them not caring

DATA PROTECTOR
One more draft before the storm!
At the barricades of Freedom!
When our ranks begin to form,
Will you register on-line with me?


DATA SUBJECT
Do I follow where he goes!
Shall I join his brothers there!
Do I stay or do I dare?


ALL
The time is now
The place is here


VIVIANE
One draft more!

DRAFTSMAN
One more draft will ignite a revolution,
My reputation’s in the mud!
I will join these humble people,
This Regulation is a dud!


VIVIANE
One draft more!

...
(To be continued)
...

Standard disclaimer:
Naturally, all characters in this libretto are fictitious and any resemblance to real persons, living or dead, is purely coincidental.

Image Credit:
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_qRhyphenhyphen89xm5zpo6Wrk-Zr42F2WghRPyM3cVQJUMuMHNplK92mVs4yKuILeoPlEjE3E2gR9j09VnxkUl4g8-a7xNsnphVhcuFPGeeq8_Ql59vbMfvsBGupYqVK2AuaZO4Ai1rlBkqrnCuRQ/s1600/EC_FLAG_2.jpg


Monday 27 February 2012

That Regulation – as an opera

I’ve been wondering what my response would be if I were asked to submit an idea for an opera about the new data protection Regulation. It’s certainly possible – after all, in the second half of this year the Government of Cyprus will assume responsibility for running political business in Europe, and there is a wonderful auditorium (pictured) near Episkopi, which has existed since antiquity. The acoustics are stunning – as I remember from spending some happy evenings at that venue some time ago. It’s a great place to witness a tragedy.

Anyway, what better way for the Government of Cyprus to commemorate its responsibility to continue work on developing the Regulation than by staging an opera about it?

I set to work on lovingly ripping off some lyrics penned by one of England’s greatest lyricists, Sir Tim Rice. Yes, he of Evita fame. So, I apologise in advance if some of the themes make a listener think too carefully of what happened in that glorious musical.

Let me know what you think of my sketch for the opening number. It features our illustrious heroine, who for no real reason I’m just calling Viviane, a chorus of regulators, the UK Information Commissioner, a chorus representing the mob, and a cameo appearance from an interesting character called Data Protector.

THE REGULATORS

The Euro is sinking, the knives are out
Would be Commissioners are all around
I don’t think they mean harm, but they’d each give an arm
To see us six feet underground.


VIVIANE (to DATA PROTECTOR)

It doesn’t matter what those morons say
Our Vice Presidents are a feeble crew
There are only 26 of them anyway
What is 26 next to the millions who
Are looking at you?

All you have to do is sit and wait
Keeping out of everybody’s way
We – you’ll be handed power on a plate
When the ones who matter have their say
And with chaos installed
You can reluctantly agree to be called.


THE MOB

A new Regulation!
The cookies of the masses, revealed!
A new Regulation!
No more before Google must we kneel!


VIVIANE (to THE MOB)

Don’t think I don’t think like you, I often get those nightmares too
They always take some swallowing
Sometimes it’s very difficult to keep a straight face if
It’s your blog they are following
Don’t close the doors
On that mob we deplore
Because we might lose
This opportunity

But, would I have done what I did
If I hadn’t thought, I hadn’t known
That we would take over the Commission?


(Dramatic silence as VIVIANE appoints herself President of the Commission. Then with a wave of her hand, she signifies that DATA PROTECTOR is to serve her as an additional (27th) Vice President, and that the UK's INFORMATION COMMISSIONER is also to serve her as the (28th) Vice President. She sings slowly to THE MOB)

It hasn’t been easy, you'll think it strange
When I try to explain how I feel
Why you still need to love me after all that I've done

You won't believe me
All you will see is a Vice President you once knew
Although she's dressed better than the other twenty eight
I am a true head of state.

I had to let it happen, I had to change
Couldn’t stand this old data protection stuff any more
But now this draft Regulation has hit the floor
Both rich and poor just want to ignore
The hard work my officials put in.

Don’t cry at me, I’ve committed no misdemeanour
The truth is I never liked IT law
All through my wild days
My mad existence
I kept my promise
Now I need your assistance

And as for power, and as for glory
I never invited them in
Though it seemed to the world they were all I desired

This Regulation is an illusion
It is not the solution that was promised to me
The answers might be found in time
So long as you sit through this pantomime.

Don’t cry at me, I’ve committed no misdemeanour
It’s an adequate state, Argentina
Don’t get too close, you’re getting too close

Help! Save me from this baying mob

I’ve committed no misdemeanour
Just get me out of here and to Argentina
Now. Fly me straight to Argentina


(Dramatic chaos as VIVIANE is surrounded by THE MOB. She vanishes, never to be seen again. THE MOB turns to face DATA PROTECTOR, who appears on a platform high above them)

THE MOB

A new Regulation!
The cookies of the masses, revealed!
A new Regulation!
No more before Google must we kneel!


...
(To be continued)
...


Standard disclaimer:
Naturally, all characters in this libretto are fictitious and any resemblance to real persons, living or dead, is purely coincidental.

Image credit:
http://en.wikipedia.org/wiki/File:PanoKourionTheater.jpg


Sunday 26 February 2012

Can we continue to fudge access to people’s medical records?


Following my last blog post, I’ve been asked for examples of types of manual files that might now fall outside the ambit of the draft Regulation (which might possibly result in regulatory savings in the UK), and for those which might now be included in the ambit of the draft Regulation (possibly resulting in increased regulatory costs in the UK).

So, here goes.

We need to remember that Article 4(4) of the draft Regulation defines a “filing system” as “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.”

And we need to remember that the Data Protection Act 1998 currently restricts an individual’s right of access to only certain types of information held in manual files.

As I pointed out last time, the general rule is that information in a manual file is disclosable when specific information about an individual in that manual file can be quickly found. This is known as the easy access rule, or the temp test. If a temporary employee can’t locate specific information in a manual file within a very short time of their opening the file, then the information is not disclosable.

But, we all know that’s not quite the story. There are certain types of manual files that are disclosable, even if the file fails the temp test. The Data Protection Act 1998 extends access to personal information held in what it defines as “accessible records”, and it also protects the personal information held in all types of files held by public authorities. The accessible records relate to various types of health, education, local authority housing and local social services authority records.

The big question is what happens to access to these types of records under the draft Regulation? Will citizens continue to enjoy access to them, or will access be denied?

I’m not expressing an opinion here, as I don’t yet have one.

But I do want to point out some of the consequences of the answer – which, presumably, is either Yes or No.

If the answer is Yes, then it could be argued that the UK has been indulging in a little gold plating of the current Directive, by extending (for understandable cultural reasons) its ambit. But I thought it was the stated intention of the British Government that, from now on, gold plating was to be forbidden. So what will it do next?

On the other hand, if the answer is No, then it could be argued that some people are to be disadvantaged because (presumably) they will no longer have statutory access to the relevant information, which (probably) in practice means that it will still be provided, but at a cost which is closer to the actual cost of producing the information.

Widening the issue, given the “one rule to rule them all” principle of the draft Regulation, and the powers that will be reserved to the European Commission to ensure that all citizens across Europe will have equal access to everything, I wonder what this means elsewhere. Does it mean, for example, that citizens in countries which formerly restricted access to social services authority records will now have to open them up to public inspection? If so, at what cost?

And what other “manual file subject access” extras may exist elsewhere in Europe, which might suddenly be extended to other countries, potentially imposing additional compliance costs?

I don’t have an answer to that, today.

But I will comment that the more you examine the concept of a Regulation, where rules are to apply equally everywhere, the more you wonder just how local citizens will react to changes which they really don’t understand.

Anyway, my task today was to set out a potential problem. And to invite readers to submit cunning plans for a resolution – before our political masters start asking why the Commission hadn’t thought of this before presenting us with a more elegantly worded draft Regulation.


Saturday 25 February 2012

How will the Commission fudge the issue of non-computerised records?

Back to basics today. As I try to work out what burdens might have been removed, and what costs might have been imposed by that “draft Regulation”, I’m still coming to grips with just what it is that this Regulation is supposed to regulate. Because if this Regulation is all that regulators are going to be able to regulate, what implications does that have for stuff that regulators currently regulate but which doesn’t feature in the draft any more?

I started by taking a squint at what the draft Regulation had to say about manual records. After all, if the European Commission is to impose rules that apply everywhere equally, then presumably some types of manual records will fall within the ambit of the Regulation while others will not. Then, in a flash of inspiration it occurred to me that, actually, it’s not quite as clear as that – in fact it could be chaos as normal (as if anyone really cared about it, that is).

My argument, in a nutshell, is as follows:

Because no change has been made to the critical definition of a “filing system”, most data controllers will assume that there has been no change to the extent to which manual records fall within the ambit of the draft Regulation. But, currently, Member States define what is meant by a “filing system” in slightly different ways, so it’s not quite true that all types of information in these filing systems are covered in the same way - yet. However, very considerable compliance costs might be imposed on data controllers if it were determined that, despite their local practices, changes were now required to, say, give applicants across Europe equal access to information held in “filing systems” that previously fell outside local rules.

The trouble is, until I know what changes might be required for the data controllers in Blighty, it’s quite hard to offer the Ministry of Justice an indication of what the increased compliance costs might be.

Here’s a more technical explanation:

Whereas Clause 13 of the draft Regulation points to the desirability of data controllers in all Member States following the same rules: "The protection of individuals should be technologically neutral and not depend on the techniques used; otherwise this would create a serious risk of circumvention. The protection of individuals should apply to the processing of personal data by automated means as well as to manual processing, if the data are contained or are intended to be contained in a filing system. Files or sets of files as well as their cover pages, which are not structured according to specific criteria, should not fall within the scope of the Regulation.”

This is a slightly different concept than that which is used in Whereas Clause 15 of the current Directive: “Whereas the processing of such data is covered by this Directive only if it is automated or if the data processed are contained or are intended to be contained in a filing system structured according to specific criteria relating to individuals, so as to permit easy access to the personal data in question.”

If I were a Eurodatalegalpolicywonk, I might argue that the difference in the new Whereas clause is to make it clear that, in future, the file should still be structured according to specific criteria, but it’s not just data which affords easy access which is covered. Someone could well argue that the draft Regulation now applies to the stuff that’s harder to access, as well as the stuff that's easy to access.

Fear not, for all hope is not lost – at least yet. Because while a change was made to the Whereas clause, no-one bothered to make any changes to the actual Article in the main body of the Regulation.

Article 2(c) of the current Directive provides the current rule: “‘personal data filing system’ (‘filing system’) shall mean any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.”

The new draft Regulation is identical - Article 4(4) provides that “filing system” means “any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.”

So, do British data controllers need to make any changes to the current processes to make sure that they can get at the stuff that’s harder to access, which is what the Whereas clause implies?

I think not.

This is because, despite what the Article 29 Working Party might say, it is still lawful to rely on statements that have been made by our very own Court of Appeal on the meaning of a relevant filing system, and these remarks trump those of the Commission. And this must remain the case until someone either challenges the state of the law, as it is held by the Court of Appeal, or until someone changes the definition, at which time it might be prudent to assume that it would be impolite to continue to rely on the Court of Appeal judgment.

The judgment is, of course, our very own Durant v FSA judgment. For those that don’t have it on their favourites tab, I’ve referenced it below. But take a good look at Lord Justice Auld’s remarks at paragraphs 32-51. This is the law that currently applies in the UK, whatever the European Commission would like to think.

At paragraph 50 he announces that: "a relevant filing system" for the purpose of the Act, is limited to a system:
1) in which the files forming part of it are structured or referenced in such a way as clearly to indicate at the outset of the search whether specific information capable of amounting to personal data of an individual requesting it ... is held within the system and, if so, in which file or files it is held; and
2) which has, as part of its own structure or referencing mechanism, a sufficiently sophisticated and detailed means of readily indicating whether and where in an individual file or files specific criteria or information about the applicant can be readily located.


This is in line with his previous very pragmatic views, set out in paragraph 45, on the practical reality of searching for specific and readily accessible information about individuals: “The responsibility for such searches, depending on the nature and size of the data controller's organisation, will often fall on administrative officers who may have no particular knowledge of or familiarity with a set of files or of the data subject to whose request for information they are attempting to respond. ... If the statutory scheme is to have any sensible and practical effect, it can only be in the context of filing systems that enable identification of relevant information with a minimum of time and costs, through clear referencing mechanisms within any filing system potentially containing personal data the subject of a request for information. Anything less, which, for example, requires the searcher to leaf through files to see what and whether information qualifying as personal data of the person who has made the request is to be found there, would bear no resemblance to a computerised search. And ... it could, in its length and other costs, have a disproportionate effect on the property rights of data controllers under Article 1 of the First Protocol to the European Convention on Human Rights, who are only allowed a limited time ... 40 days ... to respond to requests, and are entitled to only a nominal fee in respect of doing so."

So, how will the Commission fudge this issue? Will it allow Member States to continue to have their own local rules on what manual files are covered, or will it be bold and try a new rule to apply to everything, regardless of the additional costs that may be imposed on data controllers in certain Member States?


Sources:
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML (Current Directive)
http://www.bailii.org/ew/cases/EWCA/Civ/2003/1746.html (Durant v FSA)


Wednesday 22 February 2012

ISEB Accreditation: Chapter 1


I've been spending the past few days a little out of my comfort zone. No, not because I've been in Manchester, instead of London, but because I've gone back to "data protection school", as it were, and have been preparing myself for a professional exam in data protection. I'm referring to the Certificate in Data Protection, which is awarded by the Information Systems Examination Board.

This stuff is a little out of my comfort zone because it requires me to know just what the law says. I’m used, in my normal working life, to applying common sense to issues that face me, rather than having to refer to first principles and rely purely on what the law provides. So, it's been fun to remind myself about just what it is that the law does say, as it's often so helpful to go further than the strict letter of the law, and offer advice based on what I think ought to be acceptable to my company and its customers.

All of the delegates on this course are determined to sit the ISEB exam, and not just attend to familiarise themselves with some of the key elements. There is a great variety of prior data protection experience among the delegates, which is incredibly helpful, as it prompts discussion about the elegance with which the beloved Data Protection Act 1998 was drafted. I remember some of the discussions that were held behind the scenes, so to speak, as much of the implementing legislation was developed, following the adoption of the main Data Protection Directive back in the early 1990s.

Considerable time was spent back then discussing how clear the Parliamentary language ought to be - with some people hoping that it could be as confusing as possible, so as to put people off from trying to work out what their rights actually were, and subsequently from taking action to enforce them.

Well, what we have been left with is a piece of legislation which certainly puts off all but the most determined from enforcing their rights through the courts.

Our course trainer, the wonderful Sue Cullen, is one of the stalwarts of the current data protection regime. She was part of a very small legal team that took a couple of legal points, about subject access rights and the definition of personal data, to the Court of Appeal back in 2003. Unfortunately, the Court appeared to take such a dislike to the appellant and his case that the leading Judge, Lord Justice Auld, took the opportunity to make a number of statements that didn't quite square with what many people (including people in the European Commission and a bunch of people from what was then known as the Data Protection Registrar’s Office) thought the law actually meant.

And, because no one else has had the funds (or the temerity) to ask the Court of Appeal to think again on the relevant issues since 2003, some of the stuff I am learning about is certainly stuff that would be frowned upon by the European Commission (and by our chums in Wilmslow), and consequently they are hoping to change British law through the implementation of "that" Regulation, to which I'll try not to refer any more today.

Some homework before bed time, and I’m now looking forward to returning to the classroom for the second round of this intensive course the week after next.

I'm still smiling, and so far I'm extremely glad that I've committed myself to obtaining the Certificate.


Sunday 19 February 2012

Taking the compliance costs seriously


I’ve started to think about the potential costs of complying with “that” Regulation. And, in looking at the areas that are potentially very expensive to implement, my mind keeps on harking back to that phrase John McEnroe used so often on the world’s tennis courts: “You cannot be serious”.

And, the more I think about it, the more I realise that the European Commission is not that serious about the additional costs that might conceivably be imposed on data controllers who try to fully comply with the current draft.

This is because these costs will never actually be required to be met, as the Commission simply can’t impose a Regulation that could financially cripple so many data controllers in the ways provided by the current text.

Not only that, but I also think it’s unlawful.

Let me explain.

Turning to the lawfulness bit first, let’s not forget that if we’re playing the “fundamental rights” game, then it’s not just individuals who have fundamental rights. Data controllers have fundamental rights too. And before anyone scoffs too loudly at this assertion, let me point them to the Human Rights Act, and in particular to Article 1 of Part II of Schedule 1.

Here it is, in all its glory:

“Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law. The preceding provisions shall not, however, in any way impair the right of a State to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties.”

For my money, this means that the property rights of legal persons (such as data controllers) must be respected, just as the privacy rights of individuals are to be respected. So, I think this means that the compliance costs which fall on to data controllers must be necessary and proportionate, otherwise they are unlawful.

And we all know what the European Court of Human Rights likes to do to Member States that propose measures that aren’t sufficiently necessary and proportionate.

Do I have any examples of potentially disproportionate and unnecessary costs?

Well, I hope to be offering the Ministry of Justice some examples shortly – but none of this stuff is rocket science, and we can all anticipate the really contentious areas, where the privacy activists will be ready and waiting to take action against recalcitrant data controllers. They relate to, in no particular order:

1. An unconditional right on the part of an individual to make a Subject Access Request, at no cost to them, regardless of the reason for the request (ie to pursue a legitimate complaint or just because the applicant is mildly curious). This can impose significant costs on the controller in dealing with the request (and redacting unnecessary information from the body of work searched) within the statutory period, on penalty of facing a grotesque fine for non-compliance, even when the individual suffers no adverse consequences as a result of the delay.

2. An obligation to inform the regulator of the most minor of data breaches, even when the individual suffers no adverse consequences as a result of the incident. This can impose significant costs on the controller in adding new members to the response teams who are already dealing with the incident, to satisfy the Regulator that as much as possible is being done to remedy a situation that no-one wanted to experience in the first place.

3. An obligation to develop Privacy Impact Assessments in respect of certain types of processing activities, and to discuss them with individuals or their representatives, before such activities are to commence, will cause havoc within companies that keep their commercial intentions close to their chest, for fear of having the “first mover advantage” mitigated by those involved in stealing others’ commercial secrets.

4. A requirement to appoint a suitably experienced Data Protection Officer, in the absence of any guidance as to what qualifications and experience are considered “sufficient”, could lead to a rash of bogus institutions emerging, selling worthless qualifications that don’t adequately prepare Data Protection Officers for the responsibilities and accountabilities they will be expected to assume.

5. But even trying to cost these measures pales into insignificance when you try to cost the implications of the powers that the Commission has reserved to itself to create new data protection standards that will have uniform application. In the UK, Parliament rebelled against such measures when King Henry VIII tried to give his ministers an unacceptable level of discretion to pass and repeal laws. C’mon, it’s simply not going to happen. Who in their right mind is going to vote for such a turkey? Especially in the UK? Remember, the cleverest of the Ministry of Justice bods are currently working on the possibility of draft “Devo Max” legislation that will devolve as much power as is possible from the Westminster Parliament to the Scottish Parliament, to reward the people of Scotland for not voting for Independence. So, our very own Justice Minister is hardly likely to look kindly on a set of provisions that takes even more power away from Westminster and dumps it at the door of the European Commission. That's entirely the wrong direction. He may think that power should be flowing down to the people, not deeper into European institutions.

So, it is for these reasons that I’m certain that the European Commission can’t really be serious about its current published plans. That’s what happens when someone takes a decision to launch a proposal on a particular day, rather than when sufficient internal consultation has been carried out to satisfy everyone that it is actually fit for purpose.

Image credit
http://www.tennisperspective.com/wp-content/uploads/2011/02/John-McEnroe.jpg


Thursday 16 February 2012

Children’s privacy – being disappointed with the FTC


I was quite looking forward to reading the US Federal Trade Commission’s report about the privacy aspects of mobile applications for children, which was published today.

Until I read it, that is.

And, with a heavy heart, I wondered if this was not just another golden lost opportunity to make an important point.

The report focused on the point that currently privacy disclosures are disappointing. I didn’t really want to read that. What I did want to read was why they are disappointing, in terms of the harm that had been caused to kids as a result of these disappointing privacy disclosures.

But, unfortunately the report didn’t focus on the consequence of the disappointing privacy disclosures.

If I were a legislator, I might find it hard to get all worked up about a report about non-compliance with rules, unless I had also been presented with evidence of the results of the non-compliance – rather than just evidence of the non-compliance. Then, I could have bounded up onto my soap box with a little more vigour.

I have to be able to answer the basic question “Does it matter if you don’t comply with rules that, if ignored, don’t result in harm?”

Because if I can’t find much evidence of harm, then I’m concerned that hardly anyone’s going to be bothered to listen to me.

Source:
www.ftc.gov/os/2012/21/120216mobile_apps_kids.pdf

The report recommends:
• All members of the "kids app ecosystem" – the stores, developers and third parties providing services – should play an active role in providing key information to parents.
• App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media, and whether it contains ads. Third parties that collect data also should disclose their privacy practices.
• App stores also should take responsibility for ensuring that parents have basic information. "As gatekeepers of the app marketplace, the app stores should do more." The report notes that the stores provide architecture for sharing pricing and category data, and should be able to provide a way for developers to provide information about their data collection and sharing practices.



Wednesday 15 February 2012

Overcoming LinkedIn spam


Perhaps it was just down to the fact that it was St Valentine’s Day yesterday. I’m not quite sure of the reason. But it does appear that some miscreants have been busy on the LinkedIn site, and have been sending unsolicited commercial emails, promoting the Canadian Family Pharmacy.

No, Connor Ross, I wasn’t that interested in your email, sent last Friday. Nor, for that matter, was I interested in Linda Spencer’s email sent the day before, which told me all about how to order Viagra, Viagra Super Active+, Viagra Professional, and even Viagra Super Force from the Canadian Family Pharmacy. I didn’t realise that Viagra had so many variants.

I’m sure that, by now, the ever efficient Information and Privacy Commissioner of Ontario, Dr Ann Cavoukian, has received a few complaints about this outfit and is well onto the case. It’s a shame about the geographic distance between them - Google Maps tells me that it’s a good 5 hour drive from her offices in Toronto to the Canadian Family Pharmacy’s registered office in Ottawa. Little chance of her dropping by unannounced, then ...

What did occur to me, though, was how remarkably few spam emails seem to find their way to me through the LinkedIn network. I’m absolutely not complaining at this – far from it – and I won’t be asking any searching questions about just how LinkedIn manage to identify and trap messages that might potentially be spam. I’m just grateful for whatever it is they do, and I wouldn’t want some privacy wonk embarking on some campaign or other to outlaw whatever it is that they are doing. Especially if the result was that I received more stuff that was of no (commercial) interest to me.

I only hope that LinkedIn's cunning plans to add more encryption to the messages sent through their network won’t degrade the effectiveness of their spam detection techniques.

Is there much more that LinkedIn could do to overcome this problem? I’m sure they’re working on ever more clever techniques. After all, in the end, they will have their self interest at heart, as if they can’t provide professionals with a space which can be used to share stuff which really is of interest, there’s always the danger that we LinkedIn folk will just transfer our business to a more convenient space.

So, I would hazard a guess that spam will continue to be countered just as fiercely by service providers, who will suffer commercial angst if their customers migrate, as by regulators who hope that miscreants will take note of the restrictions that are being imposed.

We shouldn’t expect regulators to feel obliged to resolve all the ills in the world. They should allow data controllers the latitude that is required to occasionally act as they see fit. Even if it requires people to be named and shamed, rather than respecting their wish to be forgotten. And if that necessitates the sharing of personal information of people who have potentially been associated with unlawful (or, occasionally, unsocial) behaviour, then so be it.


Tuesday 14 February 2012

Is this the greatest thing to do before a data protection professional dies?


My blogs last month (on 16 & 17 January) listing a series of life-affirming events which may help assess someone's contribution to the data protection world have generated a lot of discussion. Some friends were awfully pleased to have been able to tick off at least half of them. One poor soul hardly managed to get into double figures. But she still has a smile on her face.

Others took up the challenge I issued on 23 January, and have provided me with some excellent sets of additional suggestions. It goes to prove my point that we data protection professionals don’t live with some disorder of neural development, with impaired social interaction and communication skills, exhibiting alarming tendencies of restricted and repetitive behaviour. We can talk about things other than data protection.

Please, I urge, don’t take these lists too seriously. Let’s put life, as well as data protection, into perspective.

And, on this special day, let’s accept that Eden Ahbez probably gave us all the best advice, in his poem “Nature Boy” written in 1984:

"The greatest thing you'll ever learn is just to love and be loved in return."


Happy St Valentine’s day.


Monday 13 February 2012

Should the Commission, or should Member States, protect our fundamental rights?

Another group of some of England’s data protection finest gathered at the London offices of Field Fisher Waterhouse today to share a few more insights about “that Regulation” and to raise a toast to those wonderful bods at the European Commission. Yes, it really appeared to be true. We data protection professionals (once suitably accredited) really will have careers for life. We can almost name our salaries, too. Woe betide any large data controller that fails to hire an independent Data Protection Officer, protected from dismissal, on a 2 year contract. If a regulator gets to hear about such an omission, the controller could face a fine of a million Euros. That is an awful lot of money. So, a Data Protection Officer needs to be suitably paid to help the controller avoid grotesque fines for minor indiscretions.

Not only that, but the rules that the Data Protection Officers will be accountable for upholding could be so desperately complicated that only the very finest legal minds in the country will be capable of giving quality advice to the data controllers. So there’s going to be no significant push back from our learned friends at this initiative, I suspect. In these days of economic austerity, fee earners just love initiatives like this.

The mighty Eduardo Ustaran chaired a panel of distinguished speakers, many of whom assured those of us in the audience that there was still an awful lot to play for before the Regulation would become a reality. Was a uniform, prescriptive approach to the problems that had been identified actually too ambitious, given the political circumstances that the European Commission finds itself dealing with today?

I pondered that question as today’s events unfolded.

A Commission official offered some very interesting insights into the workings of his organisation, and we had a glimpse into the Commission’s vision for the future. Let’s be quite clear about this. The Commission is promoting societal change. We are in the midst of a digital revolution, and so it’s vitally important that, just as the Commission promotes digital growth, citizens’ fundamental rights are also properly protected. And, it is the Commission’s view (on the record) that the current Regulation is sufficiently balanced between the rights of individuals and of data controllers.

What I had not fully understood until tonight was that this is actually the first time that the Commission has proposed a Regulation as a means of safeguarding an issue as sensitive and as significant as citizens’ fundamental rights. So, these days, fundamental rights are apparently too important to be left to the discretion of Member States. No, to prevent the Member States from “getting it wrong”, as it were, Europe’s citizens are to be better protected by being regulated directly from the centre.

That sort of language is likely to be used these days in many ways by people whose interests are not simply of the data protection kind, but also of the “Subsidiarity” and the “Nation State” kind. We’ve only too recently seen reports of unrest in Greece because Greek citizens were wary of what they perceive as a shift of political and economic control from the Greek State to European institutions.

Will such sentiments be expressed in other Member States when citizens realise that their “data protection” controls are being tweaked to reflect more readily the needs of some central co-ordinating authority? I’ve already detected differences of views from some regulators as to the desirability of the Commission reserving so many rights to impose a common interpretation about so many key issues above the heads of local regulators.

But, there’s nothing much to worry about. At least, not yet. A few members of the awkward squad gathered in the corner of the conference suite during the drinks session after the proceedings, and wondered about the realistic chances of some central co-ordinating authority emerging.

Let’s be honest, some murmured to themselves. Sometimes, the only people who find it harder than solicitors to come to an agreement, following a dispute, are regulators. Ironically, both are supposed to have skills that are highly honed in conflict resolution, but the truth can sometimes be very different. They can express firmly entrenched views, too. Will we ever see a love-in at a meeting of all the members of the European Data Protection Board?

Perhaps – should I ever get appointed to that august body, that is. But I’m not counting on it.

I will end this posting by pointing out that the attendees – and the speakers – were all desperately keen to achieve an outcome that truly was fit for purpose. We’re all digital citizens, these days, and we all have a self interest in trying to get things right. But, of course, getting things as right as we can at a cost that can be afforded by most. We are in the business of risk management, not risk elimination. No responsible data controller wants to find that the reduction of administrative burdens in terms of notification, etc, is simply replaced by a disproportionate amount of other forms of gold plating and internal form filling and retrospection. This is especially the case given that so much of the real digital economy will increasingly operate on an internet beyond the political, legal and administrative control of the European Commission.

I will also end this posting by pointing out that almost no blood was spilt on the (freshly laid) carpet in Field Fisher Waterhouse’s new conference suite this evening. The only blood that was spilt was my own – I had a nosebleed - but that was due to a sudden rush of blood to my head, rather than being assaulted by a speaker – or by a fellow attendee.

Image credit:
European Court of Human Rights
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOfohGtYyblG2tt6IsFPh9H98gWkaToGhisLdyReu1APC8fJ0Gb0uhdHwCejfSjbARJaI1hyphenhyphennPW92rrjtoY3TH1g7Sc7gQhPCcrOOQ-rCr9SndMRo71be15vrWjeCgurMczYhGCScZxy0d/s1600/eur%252520court%252520human%252520rights.jpg


Sunday 12 February 2012

Wanted: volunteers to blog about their own data protection certification experiences

I’ve already received some encouraging emails following yesterday’s announcement that I’m about to start my studies which should lead to the ISEB certification in data protection. One person was keen to point out, though, that it’s not only Amberhawk who are offering training courses for the qualification, and that readers of this blog may be keen to hear the experiences of candidates who have their ISEB training delivered by other providers.

So, if you have just enrolled on a programme which will be delivered by a provider other than Amberhawk, and you fancy getting in touch and sharing your ISEB experiences with me, then please feel free to do so. You know where to find me. Dataprotectorblog@gmail.com. My only aim is to encourage a wider discussion of the actual value and practical experience of obtaining privacy qualifications.

And, if you would prefer me to publish your comments on an anonymous basis, I would be very happy with that arrangement, too.

Happy learning!


Saturday 11 February 2012

What privacy qualifications are worth having, these days?


Given the changes that are anticipated in the European privacy rules in the next few years, some friends have been asking themselves whether there’s much point in obtaining a privacy certification right now. Is there really that much point in achieving an accreditation about a body of knowledge that shortly could change quite radically?

My response to such questions has been to argue that there’s no point in putting off that fateful time when a formal privacy certification is obtained, because hardly anyone (outside the accredited parties) actually knows what body of information it was essential to master before the accreditation was awarded. So, it probably won’t matter if the privacy rules change soon, because not that many people know how relevant the current certifications schemes are.

I speak as someone who is not yet formally accredited, so I don’t really know how hard you need to study to obtain them, nor how relevant they really are to a data protection professional, either. Sure, they appear to impress the HR professionals, who like sifting potential applicants in terms of their formal knowledge base, but what practical use are they once a data protection professional actually sets out to do their day job? Does an HR professional favour an individual with 5 years’ data protection experience and a professional qualification over someone with, say, 20 years’ data protection experience but with no formal qualification?

Well, I’ve decided to find out. I’m about to seek two types of accreditation, so that I can compare them and offer some views on their relative merits.

The first type is the traditional approach, and I’ve enrolled on a series of courses that will lead to the ISEB qualification. Between February and April I’ll be studying under the careful eyes of Sue Cullen and Chris Pounder of Amberhawk. And I do hope I won’t let them (or me) down. Having paid for the course myself, I’m committed to completing the coursework immediately after each of the 5 modules, to reinforce the day’s learning. I’m also committed to completing a series of set written assignments, and to attend a mock exam to refresh my experience of exam conditions. With a study commitment of, say, 60 hours, I’m hoping that I’ll pass first time, and I’ll then be able to blog more authoritatively about its value.

The second type is the approach recently introduced by the International Association of Privacy Professionals, which will give me a CIPP/E privacy certification once I’ve passed the basic Foundation Course, and subsequently the European component. The foundation course looks at the common principles and general approaches to privacy, information security and on-line privacy. The European component will require me to demonstrate a deeper knowledge of pan-European and national data protection laws, the European model for privacy enforcement, key privacy terminology, and practical concepts concerning the protection of personal data and trans-border data flows. I have to read a course book to acquire the relevant information, and can take an (optional) intensive refresher training session before the computer-based multiple choice exam occurs. I will be expected to demonstrate knowledge of laws in a variety of EU Member States, even if I work for a data controller whose operations are focused on just one EU Member State.

And that’s about as much as I know about these professional qualifications, so far. What I am keen to find out (and subsequently blog about) is whether I learn much from the training, whether the knowledge helps me in my daily job, and whether the accreditation is appreciated, either by my peers or by potential employers.

I have no pre-set agenda, here. I don’t know how useful I’ll find these different certification courses to be. But I will try to share my experiences, however good or awful. Will I blog about disproportionate hope, followed by raging despair? Or, will there be a happy ending? Time will tell.

Sources:
http://amberhawk.com/training.asp
https://www.privacyassociation.org/certification/cipp_certification_programs/cipp_e


Thursday 9 February 2012

Maybe it’s because I’m not American

I was invited to a really interesting lunch recently to talk tactics about the draft regulation. The hosts were desperately keen to ensure that the European Commission really understood their reservations about the recently published draft. But they were afraid. Very afraid, actually. And what they were really afraid of was that they thought the Commission officials would dismiss their views out of hand, simply because of who they were. Not because of the strength of their arguments, but purely because of who they were.

And who were they? They were a bunch of Americans.

Ouch. Has it really come to this? That some folk fear that the European Commission is still capable of creating non-tariff trade barriers that discriminate on the grounds of someone’s race (or place of establishment)? Is someone wrong “just because” they are of American origin? Or can they be wrong “just because” their arguments don’t stack up?

These people wanted help. They wanted to know how their arguments could be presented to Commission officials in a manner that would not instantly be dismissed.

My initial reaction was to tell them that they were lunching the wrong person if they wanted advice on Commission etiquette. I don’t stalk those circles of power as frequently as I should. Not yet, anyway. My social skills aren’t sufficiently tuned to pick up the different types of body language that are used by the officials in Brussels. My emotional intelligence has been honed to a level which gives me confidence to communicate with colleagues who prowl around the corridors of Westminster and Whitehall.

I can speak the political language of my mother country, but I can’t be certain that I’m always sending out the right signals when dealing with friends from Spain, Hungary, and Italy. I just haven’t had enough time to immerse myself in their cultures. I don’t know that I will always be communicating with them in the way they need to be communicated with. I can trust myself when I’m engaging with German, Dutch and Austrian officials, but this European Commission embraces people from an extremely wide range of cultures – and new cultural norms have to be learnt.

If anyone knows of a website which, rather than translating words, translates European etiquette, please let me know. I want a "diplomatic body language" version of Babelfish.

The lunch caused me to think carefully about how I should engage with the Commission officials, if I am to be given the privilege of trying to work with them to help ensure that the draft Regulation meets the lofty ambitions so many expect of it.

I also thought to myself, poor them. How will they attune their ears (and eyes) so they can appreciate the message that is intended to be communicated, if the words and phrases that are used to express the intention are so alien to their own senses?

We’ve all got a great learning curve to go on, here.

I ended the lunch by explaining that I had given considerable thought to the points that had been raised by my hosts, and that it would only be right if I were to reflect for a couple of weeks on what they had asked, and then let them host another lunch, during which I could offer some considered views. I’m so glad they liked this suggestion – as it will give me an opportunity to try the rabbit next time, rather than the (excellent) fish.

Image credit:
http://blog.visitlondon.com/wp-content/uploads/2010/02/pearly_kings_back.jpg


Wednesday 8 February 2012

That regulation ... and the next steps

Some of the finest data protection minds in the country (and around Europe) have completed their first review of the draft Regulation. And a series of on (and off) the record briefings have commenced, where the usual suspects are sharing their thoughts about what might have been intended by those who drafted the text which was published last month, and on what is likely to happen next.

I do like attending these briefing sessions (when I can), as it reminds me what a rich amount of material we all have to work with over the next few years. Every speaker I’ve heard has offered some extremely interesting insights, and all have presented slightly different reactions to (and interpretations of) the proposals. Next week, I hope to have the pleasure of attending the Field Fisher Waterhouse event, and a couple of less high-profile briefing sessions, too.

If I were a Commission official responsible for drafting the document, I wouldn’t worry too much. Not yet, anyway. Now the identities of the key players who were behind the drafting are known, it’s pretty clear why the principal changes to the Directive we have grown accustomed to since 1995 will be oddly familiar to those who practise German, Belgian, Dutch and Spanish data protection law. But I’m not here to make personal attacks or smears about people’s nationalities.

No, now is the time to roll up our sleeves and work out where to go from here.

For what it’s worth, I hope that we will make a start by considering the claims that Commissioner Reding has been making recently. A lot of what she has been saying is very encouraging, and we need to make sure that we don’t waste this golden opportunity to put right many of the difficulties that have emerged as technology (and customer expectation) evolves.

It would be wonderful to have a new legal framework that takes account of the realities of cloud computing, and of data controllers that will have a legal existence outside the geographic boundaries of Europe, but a huge influence within. It would be wonderful for the principle of accountability to be launched properly, and for people to be able to do something when significant events occur that result in their confidential information being compromised. It would also be wonderful if bureaucratic burdens that were more designed to ensure that boxes could be ticked following some ritual or other by various sets of officials, could be removed.

The trick, I’m sure, is going to be trying to ensure that the costs which are imposed by the proposal are outweighed by the benefits that will be realised. And I don’t care in the slightest bit today about the costs that data controllers will face. After all, this proposal will create many more data protection jobs for a very long time. Hurrah! Jobs for life – and I’m not kicking that concept.

No, what I’m much more concerned about is ensuring that the people who will end up meeting these additional costs (ie the great unwashed) actually feel that the additional protections which are supposed to be provided to them represent value for money. And, that these protections don’t, perversely, have the effect of stifling innovation, so that people outside Europe actually get to enjoy better services at cheaper costs than those of us in Europe. I really don’t want to design a “fortress Europe” where life is actually much nicer for those outside the fortress than for those trapped within it.

And this is where I think the Ministry of Justice has played a blinder. By urgently calling out for evidence from some of the usual suspects about the costs of compliance with the text as it is now drafted, we all ought to be able to learn a few things when that evidence has been reviewed. It has asked for the evidence by 6 March, and hopes to publish the results on 4 June. So, start writing for England, folks!

But why 4 June? Well, remember, that day is a Bank Holiday, and it falls during a special four-day Bank Holiday weekend to mark the Queen’s Diamond Jubilee. It’s also the day after a specially constructed Royal Barge will lead the grandest river pageant for more than 300 years, featuring 1,000 boats and up to 40,000 people on the River Thames, which is expected to attract more than a million spectators.

So, what finer present could the Ministry of Justice offer our Monarch on 4 June than a specially bound copy of the results of the call for evidence? Come to think of it, if anyone is doing anything in the offices of the Ministry of Justice on 4 June, I’ll be awfully impressed.

Anyway, back to the plot.

I understand that the Parliamentary timetable, both in Westminster and in Europe, is a little light at the moment, so there will be some interest in making a start on the Parliamentary scrutiny on the text pretty soon. Actually, well before the river pageant that will mark the Queen’s Diamond Jubilee. Rooms and flights have evidently been booked for the first session of the consideration of the text by officials. And we know, thanks to the Commission’s timetable, which sets of officials will be responsible for running the meetings over the next few years. For the first half of 2012, meetings will be chaired by the ever so efficient bods from Denmark. Come the summer, they’ll hand over responsibility for steering the discussions to their colleagues from Cyprus. And, if there’s still lots to talk about, the sessions will be steered by the Irish team during the first half of 2013.

And, as far as the European Parliament is concerned, we know that the LIBE Committee will be taking a keen interest in the text, along with a couple of others who will want to ensure that their views will be fully taken into account.

So, if the legislative scrutiny is to start soon, I do hope that we will all have sufficient time to get our evidential packages together, so that these lucky scrutineers can fully appreciate the consequences of whatever it is they are scrutinising.

None of us want this project to fail. But we don’t want this to be a lost opportunity, either. Let’s see how we might achieve a desirable objective but without having to undergo some bureaucratic form-filling circus that simply crushes the spirit of well-intentioned data protection folk. Because the sooner you lose the support of the well-intentioned data protection officers who will be responsible for implementing most of this stuff, the sooner we might as well all pack up and go home. This nascent profession could be snuffed out at birth.

No self-respecting data protection officer is going to put up with putting themselves through hopeless rituals they don’t believe in. For that, all you need is a jobsworth with a sharp pencil. And you know how innovative that lot can be.

Source:
https://consult.justice.gov.uk/digital-communications/data-protection-proposals-cfe

Image credit:
http://www.paragonventures.com/images/Steps.jpg


Monday 6 February 2012

The big freeze – it’s enough to make me stop learning about data protection


Temperatures are plummeting so fast that I feel very sorry for those who have tried so hard to organise data protection events over the next few days. How many souls will turn into “fair weather supporters”, and decline the invitation to learn more about the subjects of the day?

I’m facing that dilemma, today. If I travel into central London now, I fear that the journey won’t be the customary experience. It will be even worse – and I’m not sure I can stomach that.

This means that tonight I’ll be forgoing the pleasure of travelling to the Grand Committee Room of the House of Commons for a meeting held by the Parliamentary Internet Communications & Technology Forum to hear a panel discuss the concept of search neutrality on the internet. I just hope that the speakers Shivaun Raff (CEO, Foundem), Alec Muffett (Computer Security specialist, consultant and writer) and Mark Margaretten (University of Bedfordshire) make it. Panel Chairman Eric Joyce MP will certainly be there. Well, he ought to be. After all, it’s his usual place of work.

Were I not to have attended that session, I expect that I would have been at the Demos bash, over at One Bird Cage Walk, Westminster. Why? Because the leading American commentator Michael Lind will be talking about the current trends in US politics and economics and his book, The Land of Promise, which discusses the 200 year tug of war between American economic philosophies. Penny Mordaunt MP, the Guardian's Jonathan Freedland and Director of Demos, David Goodhart will also be giving their views on the US in this election year. There’s potentially plenty of data protection meat to be had from that session, too.

And I so hope the weather won’t be too awful tomorrow, as Messrs Hunton & Williams will be hosting a morning session on the forthcoming General Data Protection Framework Regulation. And, in the afternoon, Messrs Bird & Bird will be hosting a session on ... yes you’ve guessed it ... the forthcoming General Data Protection Framework Regulation. And before that, there’s another special data protection breakfast that has been organised somewhere in Mayfair.

So, what am I to do? And how am I to get my day job done as well as keep up to speed with everything else? This is why I feel I’m living with information overload right now. There is just so much knowledge, so many useful things to know, and I find it so hard to say “Not now, thank you. I’ve over committed myself”. I hope I’m not alone – but I would love to hear what other people’s coping mechanisms are. Theirs must surely be better than mine. Come to think of it, I do hope that what's driving my thirst to attend these events really is a genuine thirst for the information I would otherwise have missed out on, rather than some egotistical effort to be seen to attend events everywhere and all the time.

This is why I feel sorry for the European Commission. Does it really think that, in a revised new world, the great unwashed will take a closer interest in the privacy policies and the personal data breach notices that will be sent out? I think not. The more information that is sent, I fear the more people will rebel and just not bother reading it.

Until recently, a lot of us used to spend a lot of time caring about unwanted marketing messages. Soon, I fear we could be wanting to turn off the flow of unwanted service messages too – and quite where that leaves the notion of “notice and consent”, I really don’t know. We can’t allow a rule to be created which requires people to be bothered with stuff they don’t want to have, simply to tick a regulatory box. We have to find a clever way of not bothering those who don’t want to be bothered.

Enough of my rant. I’ve made my decision for today. I’ll forgo this evening’s data protection education, with the attendant risk of slipping on the icy hills around Crouch End as I return home. Instead, I will focus on attending some of tomorrow’s events (and I’ll even try to deal with some work emails, too...).

Image credit:
http://blog.burrard-lucas.com/wp-content/uploads/burrard-lucas_snow-westmins.jpg


Sunday 5 February 2012

Is this the best invitation to a data protection consultation event?


This is a hint on how to do it just in case anyone has forgotten the proper way of inviting people to data protection consultation events.

The very best invitations are
• Sent on stiff white card;
• Spell the invitee’s name correctly; and
• Say what’s in it for the invitee as well as for those doing the inviting

This has to be one of the greatest invitations to a data protection consultation event, anywhere, ever. In this case, it was an invitation to a session on the retention of communications data – which appears not to be that much of an issue in Blighty, but a bit troublesome elsewhere within the European Community.

Note the excellent handwriting on the card. And the prestigious venue that had been booked.

Marvel at the way that the Brits do these things – over an invitation to Afternoon Tea, rather than an invite just to some workshop or other.

Yes, the invitation was sent a few years ago. But manners, like data protection principles, ought to be timeless. And some of the civil servants responsible for that invitation and that event are still enjoying a glittering career within the Home Office. They do these things ever so well, you know.

So, now I have a bit of spare time on my hands, I would be delighted to receive some more invites like this, either for afternoon tea or for morning coffee, to discuss any data protection issues that are of particular concern to you.

Please rest assured that it's not compulsory for me to be sent an invite on stiff white card - an email works just as well, these days.


Saturday 4 February 2012

Stage 2: Consultations commence on the General Data Protection Framework Regulation

Somewhere, in a basement hidden deep under the offices of DG Justice, must be a War Room with a special data protection chart. I can imagine a huge wall, upon which is beamed a copy of the proposed General Data Protection Framework Regulation. And by each provision is a coloured spreadsheet indicating how the various sets of stakeholders view each of the proposals, and the links that are emerging between these stakeholders. That spreadsheet might well compare the views of the regulators, ministers, local politicians, Euro politicians, and perhaps even significant data controllers and significant groups of concerned individuals.

When you read the current reports of initial reactions, it seems that the signs are already there of different stakeholders disliking different things. Do all Regulators like the concept of “one regulator to regulate them all”? Not, from what I’ve heard. Is everyone happy that an inflexible Regulation is still absolutely necessary, and that the discretion which has been afforded to the law enforcement agencies as they implement their equivalence measures by means of a Directive is not appropriate for the rest of us? Again, not from what I’ve heard. Does personal data breach notification work? Not yet. Are the sanctions appropriate? You must be joking.

So, the next issue we need to address is one of transparency.

How will the stakeholders really learn about the views of the other stakeholders? I can't keep up with all of the invitations I've had to attend the initial meetings, and I certainly can't maintain a grid of the various diverse opinions that are emerging all by myself. If I were in DG Justice, charged with getting something on the statute book, I would not be encouraging these stakeholders to meet too frequently, just in case they got a bit powerful and threatened to derail the Parliamentary timetable that has initially been sketched out for this initiative.

And what is it that the stakeholders really want to do?

I expect that the first thing the stakeholders will be doing is digesting the draft, and they will then reach out and explore the possibility of making alliances with unusual sets of friends in order to achieve what is known in the trade as a blocking minority. It’s a matter of ensuring the Commission can’t get sufficient votes to pass my pet hate proposal, as it will need a particular percentage of votes to get it through the Committee. And then, what is likely to happen is that various groups of interested parties who can almost get a blocking minority against their pet hate will negotiate an informal liaison with another group, so both groups can achieve their aim to have their pet hate blocked.

This may be messy, but it’s the stuff of daily politics. Please note – it’s not the stuff of political principle. It’s the stuff of political expediency. No-one will be totally happy with whatever emerges.

And we should not be so naive as to assume that negotiations will just concern opposition to this measure. We can fully expect various groups of stakeholders to negotiate strategic alliances across various EU proposals. The Spanish might welcome support from the Slovakian representatives on a point of data protection law so long as they both agreed to oppose an obscure point in a proposed agricultural farming subsidy regulation.

I really can’t predict the outcome of this stuff yet. It’s much too early. I think I know where my prejudices are, but I’m not sure how many others share them, yet.

So, the next steps are pretty simple. We all need to talk so that the policy oiks in the DG Justice War Room get to work completing the grid. Then we can see what sort of a state we are in, and assess the chances of creating a draft that is less objectionable.

How will these meetings take place?

I’m already aware of a range of informal briefing sessions that have been set up by the usual legal firms. I expect the Information Commissioner to refer to the issue at his Data Protection Conference, which he will be holding next month in Manchester. The Data Protection Forum’s meeting on 13th March in central London is likely to be addressed by representatives of the French and the German Data Protection Officer Associations (AFCDP & the GDD) as well as (fingers crossed!) Lord McNally, the minister responsible for Data Protection. The Forum also hopes to get a speaker to explain what the proposed changes might mean from the point of view of the regulator (they’re trying to get a former senior ICO official for this one) and there could be an additional surprise guest, too.

And after we’ve talked, a real difficulty could lie in finding the resources to ensure that the right messages are sent to the politicos and officials who are to be involved in the next round of the negotiations. I’ve got some spare time on my hands now, so would be very happy to help, if anyone wants to ask nicely.

Somewhere, deep in my archives, I think I have the best invitation to a consultation exercise on a data protection issue that was ever created by a Government Department. I’ll dig it out soon, and publish it – with a challenge to anyone else to propose a better invitation.


Thursday 2 February 2012

Smoothing out the lather over LinkedIn

No sooner had I posted my blog on the way in which LinkedIn updated their privacy conditions (last Monday) than Eric Heath, LinkedIn’s Director of Legal (product), entered the debate.

Eric has been keen to emphasise that LinkedIn takes privacy very seriously: “I want to be clear about LinkedIn’s priorities when it comes to privacy – we take it very seriously. In fact, our core principle is “Members First” and we strive to put members first in everything we do.”

Eric has also been keen to reassure those who are concerned about the issue that it is not, actually, a new issue, and pointed to a blog that was posted last June, announcing the change: “LinkedIn changed its privacy policy last year to address what we call “social advertising.” We also blogged about it in advance: http://blog.linkedin.com/2011/06/10/privacy-policy-changes/.

Shortly after we started rolling out social advertising, however, our members reacted negatively to our efforts, so, looking to our first principle of putting members first, we listened to the feedback, and rolled back the program. Here's the blog post on that: http://blog.linkedin.com/2011/08/11/social-ads-update/

Regarding the existence of the social advertising setting within the LinkedIn Settings panel – we are working on updating that in the near term.

Additionally, FYI, this article appeared in the press yesterday via Reuters: http://blogs.reuters.com/mediafile/2012/01/30/linkedin-alert-shows-users-still-on-edge-about-privacy/.”


I, personally, have absolutely no problem with what LinkedIn have done.

What concerns me is if the European Commission were to create a new data protection rule that forbade LinkedIn acting as they have done. After all, in my view, they are a perfectly respectable data controller that has made changes which they don’t consider to be against the legitimate interests of their customers, and they have done so after making information about the change available to their customers.

What many of their customers did not do (including me) is read the material that was published which explained these changes. Why? Presumably, because, like me, they already live in a world of information overload, and they do not have the mental capacity to comprehend the changes that so many controllers make to their privacy policies. And if they don’t have the mental capacity to comprehend so many changes, they certainly won’t be able to “consent” to these changes, given the proposed definition of consent in the draft Regulation.

The mighty Eduardo Ustaran (he of Field Fisher Waterhouse fame) is also concerned at the implications of an over reliance on consent as a condition for legitimising data processing. We both agree that the harder the Commission pushes on consent, the more devalued it gets.

So what is to be done, in this ever more complicated world?

Well, I think it’s time to relax a little, and give responsible data controllers some more slack. We need to balance the legitimate interests of individuals with the legitimate interests of responsible data controllers, who are passionate about providing the best services to their customers. We need to have the confidence to allow data controllers to constantly innovate to improve their offerings to their customers. If the customer doesn’t like it, then they can always blog about it - and very soon their gripe will reach the laptop screens of those who matter. And if the customer really doesn’t like it, they can (generally) find a competing service on the internet.

The last thing we really want to do is to enter into a negative world, one where it’s easy for people to be fobbed off with an excuse along the lines that they can’t have a particular service “because of data protection”. People are never going to be clever enough to understand everything that happens to their personal data. And in the vast majority of instances, this is not a problem, as these processes don’t cause harm to the individual.

Let’s try to create a new data protection instrument where it’s easier for controllers to feel free to innovate, rather than restrict them simply because their customers are insufficiently engaged with them to offer informed consent every time they want to try something a bit new.

Source:

Members of LinkedIn’s Privacy Professional Worldwide Group can access Eric Heath’s response at
http://www.linkedin.com/groups?viewMemberFeed=&gid=1048187&memberID=361171
