Friday, 20 November 2009
Relax, the Home Office is protecting us all
Last week, the Home Office released its summary of responses to its reassuringly-titled consultation "Protecting the Public in a Changing Communications Environment" (dubbed "You'll Never Talk Alone" by privacy wags). This relates to the Government's plans to introduce new legislation that would give enforcement authorities greater powers in respect of access to communications data, and oblige communications providers to retain more of that data. As Claire set out in her post marking the release of the original consultation, the general view was a guarded "could be worse", in particular in respect of the Home Office's decision to drop plans for a single, centralised database.
Thursday, 19 November 2009
Data Breach Notification Law approved by EU
As reported previously on Datonomy, agreement has been reached between EU institutions on the introduction of rules on reporting data security breaches under the telecoms package. The new requirements only apply to providers of electronic communications services, and Member States will be required to introduce the new rules by 2011. However, the Commission has committed to extending the breach notification regime to all organisations which process personal data, such as online retailers and banks, as a matter of priority by presenting draft legislation as soon as 2011.
- a duty to notify the relevant national regulator "without undue delay";
- a duty to also notify the affected subscriber or individual if the breach is "likely to adversely affect" that individual's privacy, except where the provider can demonstrate it has applied "appropriate technological protection measures" which render the data unintelligible to unauthorised users;
- minimum content for any notifications to individuals or regulators;
- a discretion for national regulators to issue guidelines on the circumstances for and format and content of breach notifications;
- a power for national regulators to audit providers' compliance and to impose appropriate sanctions for non-compliance;
- the possibility for harmonised arrangements for the circumstances, format and procedures for breach notifications to be developed (by the EU's Article 29 Working Party and the European Network and Information Security Agency).
The new legislation also boosts existing provisions in the PEC Directive, which already mandate "appropriate" technical and organisational security measures, with the following minimum standards:
- ensuring that personal data can only be accessed by authorised personnel;
- protecting personal data against unlawful or accidental destruction, loss, alteration, storage, processing, access or disclosure;
- ensuring the implementation of a security policy; and
- the power for national authorities to audit communications providers' implementation, and to issue recommendations.
Next steps
The telecoms package, including the new provisions on breach notification and cookies, should now proceed smoothly into law, being largely agreed in principle. While still subject to formal European Parliament and Council approval, this should be a formality save for any tidying changes. The legislation is expected to be formally adopted in early 2010, from which point Member States will have an 18 month period during which to transpose it into domestic law. As is often the case, the devil may be in the detail of the UK's implementing legislation and guidance on the data breach provisions.
Recent EDPS opinions
The European Data Protection Supervisor has not been idle in the recent past, as the Official Journal of the European Union this past Wednesday shows. Two Opinions from his office have just been published.
Right: no, he's not a candidate in the current race for the European presidency -- but he has been on the EDPS's mind of late
They are
* 2009/C 276/01 Opinion of the European Data Protection Supervisor on the proposal for a Council Regulation amending Regulation (EC) No 881/2002 imposing certain specific restrictive measures directed against certain persons and entities associated with Usama bin Laden, the Al-Qaida network and the Taliban
It's good to know that some effort is made to ensure that European Union legislation is data protection-compliant, and that the basis on which it does so is transparent.
* 2009/C 276/02 Opinion of the European Data Protection Supervisor on the Communication from the Commission to the European Parliament and the Council on an area of freedom, security and justice serving the citizen.
Wednesday, 18 November 2009
Cookies and online behavioural advertising
The new EU telecoms regulatory package will strengthen the existing legal requirements for "clear and comprehensive" information to a requirement to obtain users' informed consent on the use of cookies on computers and mobile/smart phones. The cookie related requirements will apply to websites in the jurisdiction. To find out more about the new rules including the effect on online behavioural advertising click here.
Tuesday, 17 November 2009
My Digital Footprint - a review
A small plug for Tony Fish's My Digital Footprint, released in beta earlier this month. For those of you old enough to remember Nicholas Negroponte's Being Digital, published in 1995, the publication of Tony Fish's latest work is a milestone. Negroponte's Being Digital had an introductory chapter, "The paradox of a book", which tried to explain why it was necessary to publish such an old fashioned thing as a book in order to tell us about the brave new digital world then dawning. The third of the three reasons Negroponte gave was that interactive multimedia leaves too little to the mind's eye and actually, if you really wanted to understand what "being digital" might mean in practical terms to your own life, the written word (without even accompanying pictures) trumped everything else: "You are expected to read yourself into this book. And I say this as somebody who does not like to read."
Roll forward to My Digital Footprint in 2009 and reading in takes on new meaning. Although you can buy it here (or on Amazon), using money, you can also read it online for free, which allows you actively to add to (or argue against) its store of knowledge by inserting links and, if you are prepared to pay for the online tokens, by posting comments to it. (The token payment is to deter the inevitable spoiler squad who would otherwise have no disincentive to posting silly remarks, just because they can). But why should we want to do any of these things?
My Digital Footprint examines the question of where the value lies in those footprints that we all leave behind as we use a digital network of one sort or another. That footprint is a valuable record of "where we have been [online], for how long, how often and the inter-relationships." That last part is deliberately left hanging: inter-relationships between whom, or what? The question of who "owns" my digital footprint (and yours) is explored in a series of thought-provoking chapters, full of insights into who is (or could be) deriving value from them and how.
The many lucid practical examples in this 2.0 book will be of interest to investors and privacy thinkers alike, to anyone, in fact, interested in new perspectives bringing the value chain in "personal (and other) data" in the abstract to life. One other footprint is worth mentioning: your carbon one. If you prefer a more traditional read, buy My Digital Footprint (see above) and don't try to print the free online version page by page (fortunately made difficult to do by the publishers)! Tony will no doubt tell us if we can get it on the Kindle or other e-book readers...
Monday, 16 November 2009
Google in Switzerland
Google, as is now being widely reported, is facing legal action initiated by the country's Federal Data Protection Commissioner Hanspeter Thür for failing to ensure sufficient privacy in its Street View service. The Commissioner has expressed serious concerns about locations such as hospitals, prisons or schools appearing on the service and has decided to sue the company for not blurring faces and licence plates properly.
Friday, 13 November 2009
Cookies: can you help?
To mark the recent upsurge of interest in cookies (see Datonomy posts here, here and here, for instance), our new Datonomite Rosie Burbidge is compiling a really exciting cookie resource: the Datonomy Cookie Cookbook. She hopes to gather data concerning recipes for cookies (in the American English sense of 'biscuits') from readers of all nationalities who follow this blog, and especially from all 27 European Union Member States.
Thursday, 12 November 2009
Government proposes fines of up to £500,000 for serious DP breaches
The Government has published its long awaited proposals on fines for serious breaches of the Data Protection Act 1998. The proposal is for a maximum fine of £500,000, with a discretion for the Information Commissioner's Office to assess the actual level of fines imposed on a case by case basis. The consultation period ends on 21 December, and the new fines could come into force as soon as April 2010. The penalties will significantly boost the Information Commissioner's (currently very limited) enforcement powers. They are being introduced in response to the seemingly endless tide of serious security breaches, which began to come to light almost two years ago with the HMRC debacle.
The new powers are to be found in the recently added section 55A of the DPA (introduced by section 144 of the CJIA 2008) and will apply to serious breaches of the Act which are likely to cause substantial damage or distress, and which are committed deliberately or recklessly.
The new provisions received Royal Assent in May 2008. However, the sanction is still not "live", as the amount of the penalties will need to be set by statutory instrument.
The MoJ has dropped the idea of fines based on a percentage of turnover model, similar to that used by other regulators, in favour of a fixed maximum fine which the ICO can then assess according to the seriousness of the breach and the resources of the data controller in question.
The consultation document poses a single question, namely whether the fine of up to £500,000 provides the ICO with a "proportionate sanction" for serious DPA contraventions. The cap seems modest when compared with fines imposed by the FSA for data breaches in the financial services sector.
The MoJ and the ICO have both indicated that the plan is for the new fines to go live in April next year.
Monday, 9 November 2009
Online Behavioural Advertising
Thus far, it has tended to be user reaction rather than legal intervention that seems to have shaped the industry's approach to OBA. User reaction seems to have been a key consideration behind BT's decision in July 2009 to cease implementation of Phorm, while the online petition by Facebook users against Beacon in 2008, rather than strict legal considerations, is what seems to have driven Beacon to an opt-in (rather than opt-out) consent model.
Privacy norms in this field will take time to develop given the different legal approaches within Europe let alone outside it. How should we think about the issues in the meantime?
European legislators have emphasized that if necessary new regulation could be introduced to deal with the anonymised profiles created via much online behavioural advertising. Meglena Kuneva, Consumer Affairs Commissioner, speaking earlier this year, indicated: "the current work on privacy has concentrated on eliminating personally identifiable information such as name or IP addresses from the public domain... consumer policy needs to go beyond that and address the fact that users have a profile and can be commercially targeted based on that profile, even if no one knows their actual name."
Such an approach reflects the established opinion of the Article 29 Working Party that ISPs and search engines would be required to treat IP information as personal data unless they can distinguish with "absolute certainty that the data correspond to users that cannot be identified".
Given the extent of the scrutiny of market practices which regulators are signalling, a key question for those participants who favour self-regulation (not all of them, see parliamentary report above) will be how to communicate (and be seen to be communicating) to consumers in a meaningful way the choices available to them and how to exercise those choices. Whatever one might think of consumers expressing their view on such matters, the survey suggests they have a clear view on the level of control they would like over this form of advertising - for a copy of the survey please contact Datonomy.
There will be an opportunity to exchange thoughts with your peers on the issues at the Advertising+Technology event at Olswang on 8 December. Datonomy will be reporting further in the meantime and from the event itself.
Thursday, 5 November 2009
Telecoms package adopted - including new data breach and cookie provisions
In the small hours of this morning, the European Parliament and the Council of Ministers reached agreement on the new EU Telecoms Package. This wide-ranging set of reforms is of particular interest to data protection practitioners because it will introduce mandatory notifications for personal data breaches. It will also amend the rules on the use of cookies, and strengthen anti-spam measures. It is also of interest to those on both sides of the file sharing debate because of the controversial "Amendment 138" which at one stage threatened the fate of the entire package.
Tuesday, 3 November 2009
All a Man's Privacy
This is Henry D Thoreau in his diary on July 10, 1840:
“All a man’s privacy is in his eye, and its expression he cannot alter any more than he can alter his character. So long as we look a man in the eye, it seems to rule the other features, and make them, too, original. When I have mistaken one person for another, observing only his form, and carriage, and inferior features, the unlikeness seemed of the least consequence, but when I caught his eye, and my doubts were removed, it seemed to pervade every feature.”
It is a remarkable passage, and difficult in the third sentence. Thoreau seems to be saying that it is easy to mistake someone for someone else, unless you have the key to the individual, the look in his eye, which then makes someone unique, original and unmistakeable. It is interesting how he says the “unlikeness seemed of the least consequence” because it suggests how little you might care unless you care quite a lot about what he calls privacy. We are familiar with that least consequence. And of course, it is also interesting that Thoreau says that there is something about the expression in the eye which cannot be altered – something which iris biometrics also claim, perhaps with less certainty.
What is notable about Thoreau is the confidence of his reading of identity and personality (confident that an original exists), a confidence which is of its time and place – it is a peculiarly American statement conflating personal and cultural identity, where the dominant stress is on the personality side, the isolate American ego. And, as Americans at that time did, it is a reading untouched by the weight of history and society.
We are in a different place and time, but perhaps the permanent difference between the American and the English or British tradition, is that in this tradition the idea and the practice of privacy was located in the cultural and collective identity and reflected the ingrained conservatism, eccentricities and hierarchies of British society; and was not located, where we place it now, in personality and personal identity.
And while it may be that the rationalist universalist approach which we find in both Article 8 Rights and Data Protection law fits the changed country and the homogeneous culture in which we now live, it doesn’t, it often seems to me, fit with the idiosyncrasies and peculiarities of the national tradition.
Monday, 2 November 2009
Better than buying votes?
Times Online reported last week ("BNP leader ‘paid for UKIP member list'") that British National Party leader Nick Griffin is to be investigated following an accusation that he paid for a database containing the names and addresses of thousands of members of the rival UK Independence Party for just £500. The list was reportedly used for fund-raising purposes in the run-up to the European elections in which the BNP secured two seats.
Datonomy, naturally curious to see the outcome of the Information Commissioner's Office investigations, recalls the time when politicians were accused merely of buying votes. It seems now that buying voters' data may be by far the more profitable course -- and a source of great discomfort to supporters of UKIP who may have thought twice about joining that party if they felt there was a risk that their details would be passed on to the BNP. One further point to consider is whether the protection of voters and the conduct of elections, both of which are regulated, are sufficiently joined-up that there should be no practices involving the acquisition, possession and use of data for political and electoral purposes which fall between the two sets of regulators.