Archive for November, 2012

The Leveson Report and UK Data Protection

Posted on November 29th, 2012 by

So, the Leveson Report has been published.  Whilst not yet having read all 2000 + pages, the key recommendations that Lord Justice Leveson has made to the Ministry of Justice about the Data Protection Act are:

* Amend s. 32 (journalism, liteature and art exemption) including making it narrower

* Amend the right to compensation under s. 13 so that it includes compensation for pure distress

* Repeal certain procedural provisons around journalism in the DPA

* Consider requiring the ICO to give special regard to the balance of the public interest in freedom of expression alongside the public interest in upholding the DPA

* Bring into force amendments made to s. 55 around increasing sentencing and an enhanced defence for the public interest with respect to journalism

* Extend the prosecuting powers of the ICO to include any offence which also constitutes a breach of the Data Protection Principles

* Impose a new duty on the ICO to consult with the Crown Prosecution Service regarding the exercise of any power to undertake criminal proceedings

* Amend the DPA to reconstitute the ICO as an Information Commission led by a Board of Commissioners

The Report also has a whole part examining the relationship between the Press and Data Protection including comments on the structure and workings of the ICO.

The anonymisation challenge

Posted on November 29th, 2012 by

For a while now, it has been suggested that one of the ways of tackling the risks to personal information, beyond protecting it, is to anonymise it.  That means to stop such information being personal data altogether.  The effect of anonymisation of personal data is quite radical – take personal data, perform some magic to it and that information is no longer personal data.  As a result, it becomes free from any protective constraints.  Simple.  People’s privacy is no longer threatened and users of that data can run wild with it.  Everybody wins.  However, as we happen to be living in the ‘big data society’, the problem is that with the amount of information we generate as individuals, what used to be pure statistical data is becoming so granular that the real value of that information is typically linked to each of the individuals from whom the information originates.  Is true anonymisation actually possible then?

The UK Information Commissioner believes that given the potential benefits of anonymisation, it is at least worthwhile having a go at it.  With that in mind, the ICO has produced a chunky code of practice aimed at showing how to manage privacy risks through anonymisation.  According to the code itself, this is the first attempt ever made by a data protection regulator to explain how to rely on anonymisation techniques to protect people’s privacy, which is quite telling about the regulators’ faith in anonymisation given that the concept is already mentioned in the 1995 European data protection directive.  Nevertheless, the ICO is relentless in its defence of anonymisation as a tool that can help society meet its information needs in a privacy-friendly way.

The ICO believes that the legal test of whether information qualifies as personal data or not allows anonymisation to be a realistic proposition.  The reason for that is that EU data protection law only kicks in when someone is identifiable taking into account all the means ‘likely reasonably’ to be used to identify the individual.  In other words and as the code puts it, the law is not framed in terms of the mere possibility of an individual being identified.  The definition of personal data is based on the likely identification of an individual.  Therefore, the ICO argues that although it may not be possible to determine with absolute certainty that no individual will ever be identified as a result of the disclosure of anonymous data, that does not mean that personal data has been disclosed.

One of the advantages of anonymisation is that technology itself can help make it even more effective.  As with other privacy-friendly manifestations of technology – such as encryption and anti-malware software – the practice of anonymising data is likely to evolve at the same speed as the chances of identification.  This is so because technological evolution is in itself neutral and anonymisation techniques can and should evolve as the uses of data become more sophisticated.  What is clear is that whilst some anonymisation techniques are weak because reintroducing personal identifiers is as easy as stripping them out, technology can also help bulletproof anonymised data.

What makes anonymisation less viable though is the fact that in reality there will always be a risk of identification of the individuals to whom the data relates.  So the question is how remote that risk must be for anonymisation to work.  The answer is that it depends on the level of identification that turns non-personal data into personal data.  If personal data and personally identifiable information were the same thing, it would be much easier to establish whether a given anonymisation process has been effective.  But they are not because personal data goes beyond being able to ‘name’ an individual.  Personal data is about being able to single out an individual so the concept of identification can cover many situations which make anonymisation genuinely challenging.

The ICO is optimistic about the benefits and the prospect of anonymisation.  In certain cases – mostly in the context of public sector data uses – it will clearly be possible to derive value from truly anonymised data.  In many other cases however, it is difficult to see how anonymisation in isolation will achieve its end, as data granularity will prevail in order to maximise the value of the information.  In those situations, the gap left by imperfect anonymisation will need to be filled in by a good and fair level of data protection and, in some other cases, by the principle of ‘privacy by default’.  But that’s a different kind of challenge.

This article was first published in Data Protection Law & Policy in November 2012.

Will access to midata work?

Posted on November 19th, 2012 by

Midata – the story so far

As part of its Consumer Empowerment push, the UK Government wants to give consumers – you and me – more control and access to our personal information. This is the stated purpose behind midata, an initiative (launched in 2011) which encourages suppliers to make available to consumers the information that the suppliers hold on a consumer’s transactions. The hope is that this will then give individual consumers insight into their own behaviour so that they can make more informed choices. Some big players have already signed up including Lloyds Bank, RBS, Visa and Mastercard, but the current arrangement is voluntary and relies on the goodwill of organisations to continue to participate. With its emphasis on putting the individual in control of their consumer data it chimes in well with the draft EU Data Protection Regulation’s focus on strengthening the rights of individuals.

Concerns of business

However, it is understandable why some commercial enterprises that have invested heavily in their consumer data analytics may not want to make such information available. Where you operate in a keenly competitive industry that uses loyalty cards or similar, there is little incentive to make this information available particularly if your competitors do not collect the same amount of information as you do. Unsurprisingly, some respondents to the consultation expressed concerns about midata’s likely costs to business (particularly for large businesses dealing with thousands of consumer records) and their view that insufficient time had been given to allow the voluntary approach to develop.

The Government’s position

The Government has been making more noises about the midata initiative in the past few days and today published its response to its earlier consultation seeking views on whether it should regulate to require organisations to fall into line with midata. The main message in the Government’s response is ‘we’re not going to wield the big stick (of legislation) yet – so long as you cooperate’.

The key points from the Government’s response are:

* The midata initiative will continue as a voluntary project in the short term and the Government will seek to accelerate progress by broadening the sectors that are engaged.

* The Government will use primary legislation to give itself a power to impose a duty (by way of secondary legislation) on businesses in the future should it consider it necessary to do so. This duty is likely to fall on suppliers of goods/ services to compel them to supply, at a consumer’s request, personal transaction data relating to the consumer’s purchase/ consumption of products and services from that supplier in an electronic, commonly used machine readable format.

* If the Government considers that progress in expanding midata on a voluntary basis is not sufficiently quick, it expects to bring forward regulations on the basis of the legislative power (although this will happen no earlier than autumn 2013).

* Certain core sectors – energy supply, mobile phones, current accounts and credit cards – are particularly in the Government’s sights and the Government will move more quickly to regulate such sectors.

* For other sectors the Government will consider certain key factors and engage in further consultation investigating issues such as the likely impact and costs for a sector or product group before imposing any duty.

* The data that will be available through midata will be ‘transaction data’. This is data about a consumer’s purchase/ consumption of products and services from the supplier. Specifically transaction data does not include any subsequent analysis that the supplier has undertaken on the information. Any Government regulations will only apply to businesses that hold the information electronically in a way that links the data to an individual consumer e.g. purchase history, interest charges and penalty charges on a credit/ debit card.

* Although midata data should be disclosed in a commonly used machine readable format the Government will not specify a particular format.

* Third parties can have a role in accessing and analysing data on behalf of consumers provided a third party is properly authorised. However, this brings with it concerns about data security and privacy as well as increased compliance costs for business. The Government has set up a working group to help ensure that where a consumer wishes to provide its midata data to a third party, (i) the consumer retains control over the data and how it is used, (ii) their privacy remains fully protected, and (iii) the consumer does not become subject to data misuse and exploitation. The place of trusted, reputable third party services to assist vulnerable consumers to access midata and act as advocates was recognised.

* Government may introduce charges for access to midata and a timeframe for responding as part of any regulations under secondary legislation.

* The ICO is the lead enforcer of the midata regime although the Government is considering granting concurrent enforcement powers to sector regulators e.g. the FSA.

* The Government argues that midata will increase competition since it will give consumers the ability to compare available options from suppliers.

Will it work?

While the Government’s aim to help consumers enjoy better access to their data may be laudable it is not clear how effectively midata will work in practice. At this stage it is evident that it depends on Government encouraging other big players – such as other banks or MNOs – to sign up. But in a time of economic fragility, what incentives are there for organisations to develop systems to facilitate midata access? In all likelihood, the Government’s big stick will come out at some point. First in line for regulation are likely to be the core sectors identified in the Government’s response – energy, mobile and banking.


A week in Brussels

Posted on November 16th, 2012 by

Life is always busy in Brussels.  Policy making and legislative activities never stop but this particular week has been rather eventful for the current European data protection reform process.  The Data Protection Congress organised by the IAPP has served as an open and constructive forum for some of the key players to get together and debate their views in front of a very sophisticated audience.  The most visible message of the week has been that all parties involved – European Parliament, Commission, Council of the EU, EDPS and of course the data protection authorities – are now working at full pace to consider the issues, listen to other stakeholders and inject their thinking into the end result.

Here are some of the key takeaways about the data protection legislative reform we heard at the IAPP Data Protection Congress:

*    Francoise Le Bail, Director General for Justice at the European Commission, kicked off a prestigious roster of keynote speakers by acknowledging the need to simplify the current proposal, particularly for the benefit of SMEs.  However, she fiercely defended two commonly criticised aspects of the draft Regulation: the Commission’s delegated acts, which she believes are needed to maintain the Regulation’s flexibility; and monetary fines, which are meant to give the new framework much needed teeth.

*    For Jan Philipp Albrecht, Rapporteur of the LIBE Committee with primary responsibility for leading the European Parliament’s position, the main challenge is to convince everyone (individuals and businesses) that a harmonised approach is needed.  Reiterating his aim to approve the final text before the next European Parliament elections in June 2014, he emphasised the need for a regulation (rather than a directive) for the sake of certainty going forward, making clear LIBE’s stance on this issue.  Mr Albrecht also said that whilst we are on the right track in terms of principles, we also need to achieve foreseeability, which suggests that some of the more technology-specific provisions will be revised.

*    Jacob Kohnstamm, Chairman of the Article 29 Working Party showed his concern about some essential elements being under attack, namely: personal data, consent and purpose limitation.  With regard to personal data, he would favour of a slight extension of the definition to cover any data that may be used to single out individuals.  He believes that it is crucial to leave the concept of consent untouched because if data protection is a fundamental right, the individual’s consent must override everything else.  With regard to purpose limitation, as well as profiling, Mr Kohnstamm announced that the Article 29 Working Party is working on alternative proposals.  Not surprisingly, Mr Kohnstamm is wary of the ‘one stop shop’ principle and emphasised the role of the proposed European Data Protection Board to get the balance right.

*    The ‘one stop shop’ principle became one of the most heatedly debated topics.  Isabelle Falque-Pierrotin, President of the CNIL, indicated that the current proposal was simply not realistic and that local data protection authorities should not be prevented from enforcing the law.  Jan Philipp Albrecht responded by saying that it is very important to have one competent regulator to ensure consistency of interpretation and actions.  The debate on this issue is clearly wide open with Peter Hustinx, the European Data Protection Supervisor, taking a position somewhere in between where there is one regulator as a single point of contact for the same organisation across the EU but all regulators are still competent.

Clearly, the pressure to get the balance right is on and whilst there is no sense of urgency yet, Sophie in ‘t Veld, MEP, summarised the situation perfectly when she referred to the fact that after months of familiarisation with the Commission’s proposals, it was now time to put our heads down and get on with the business of building the future data protection framework for Europe.


Getting the ‘one stop shop’ principle to work

Posted on November 5th, 2012 by

Going all the way to the Rio de la Plata to discuss the content of the future European data protection framework seems a little over the top, but the recent International Privacy Commissioners’ Conference in Punta del Este, Uruguay provided a perfect forum as a neutral ground for a fierce policy debate.  Surrounded by equally fierce winds and rain for added dramatic effect, regulators and other influential stakeholders in the privacy world locked horns in the most constructive possible way for three days to make the most of this annual gathering.  One of the immediate outcomes was the realisation that much work remains to be done if we are to achieve the necessary balance between progress and protection.  No other issue symbolised the need for this balance better than the ‘one stop shop’ principle under the proposed EU data protection regulation – the sole competence of one single regulator over the same controller all over the European Union.

As a concept, this principle seems like a no brainer that everyone would be happy with.  If anything, having a single regulator with responsibility for supervising the activities of a corporate group across the EU on the basis of the same law should be the most efficient way of managing the limited time and resources that data protection authorities have.  If the organisation to be supervised operates on a pan-European basis and the law is the same everywhere, surely this approach is the most logical in the absence of a central European regulator.  However, why is it that this concept is proving so difficult to shape to everyone’s satisfaction?  There is even a precedent with the concept of a “lead authority” for BCR authorisations which has been working quite effectively for years now.  Are national interests preventing this principle from working or is there a more fundamental issue getting in the way?

In line with the overall harmonisation objective, the ‘one stop shop’ principle brings with it a significant change, as the law is seeking to designate only one competent regulator per EU-based controller.  By definition, this approach relies on the trust that needs to be placed on the competent authority by the authorities of all of the other countries where a given controller operates.  This is certainly an ambitious expectation but surely one that can be met if the collaborative mood of the  Commissioners’ Conference is anything to go by.  So a lack of trust amongst regulators should not be a reason to question the ‘one stop shop’ principle.

A more damaging factor is the suspicion that astute organisations will seek to manipulate the system and aim to be supervised by the ‘easy’ regulators.  Frankly, there are no easy or difficult regulators.  They all take their jobs very seriously and have good days and bad days – like everyone else.  What is essential is a sufficient degree of pragmatism that brings compliance with the law to a viable level that meets the right standards.  For this to happen, dialogue is essential but, again, seeking that level of compliance should not be seen as a sign of defiance or an easy way of avoiding legal requirements.

Could the ‘one stop shop’ principle ever work then?  Of course it can.  As a starting point, it needs dialogue and collaboration amongst the data protection authorities and a realistic approach to data protection compliance.  Linked to this, what is also needed is trust.  Trust by the regulators in their counterparts and ultimately trust in the legal system.  However, trust should not be about ‘easy’ regulators behaving unreasonably to show how ‘tough’ they are, and trust should not be about triggering a dangerously bureaucratic “consistency mechanism” at the first sight of disagreement.  The ‘one stop shop’ principle is ultimately about effective compliance and should be given the chance to succeed.

The next two years of legislative reform are crucial.  We have a golden opportunity to establish a supervisory approach that is geared to deal with global organisations operating in Europe in a consistent and effective way.  Change should be accepted because it is inevitable.  The ‘one stop shop’ model is perfectly workable if it throws away old and unhelpful prejudices.  Efforts should be made to find the best criteria to determine which authority is the competent one in respect of every controller subject to EU law – irrespective of where they are based – and to support that authority in their role.  Diversity is a great thing but when it comes to regulatory enforcement, it creates uncertainty and unfairness.  Let’s not risk that outcome and let’s try to make the ‘one stop shop’ principle work instead.

This article was first published in Data Protection Law & Policy in October 2012.

The UK’s Justice Committee is not impressed with the EU Data Protection Framework Proposals

Posted on November 2nd, 2012 by

In the week that the UK Parliament voted for a real-terms cut in the EU’s future budget, it’s no particular surprise to hear criticism from UK Parliamentarians levelled at EU institutions. On Thursday this week, the House of Commons Justice Committee produced its opinion on the European Commission’s legislative proposals for reform of EU data protection law. Whilst accepting that reform of data protection law is necessary, the opinion urges the Commission to ‘go back to the drawing board and devise a regime which is much less prescriptive’. The opinion strongly calls upon the Commission to re-think a number of issues including the division of the proposals into a Regulation and Directive, the drive towards harmonisation at the expense of flexibility, the need for a proper impact assessment, the right to be forgotten and the power of data protection authorities to issue sanctions. The Justice Committee heard evidence from the Ministry of Justice (in charge of negotiating the UK’s position on the proposals), the Information Commissioner’s Office, the EU Commission as well as representatives of UK small businesses, the police, privacy and consumer lobbyists and global businesses.   

Regulation and Directive

While the MoJ and ICO remained resistant to splitting the proposals for reform between a Regulation (for most data processing) and a Directive (for data processing for law enforcement and judicial co-operation), the Commission argued that this split was deliberate to give Member States flexibility to take their particular culture and type of legislation into consideration. So, in the case of the UK, the Commission considered this accommodated the UK’s reliance on common law.  However, a number of witnesses considered that the protection afforded by the draft Directive was less than the protection provided by the draft Regulation so potentially not protecting the rights of individuals. 

Principles rather than prescription?

There was considerable opposition to the prescriptive elements in the Regulation and the ICO, amongst others, encouraged an outcome focused approach based on principles. On the other hand, privacy and consumer lobbyists welcomed the administrative requirements on controllers which they considered helped to secure the rights of individuals.

Good for business?

It was accepted that simple, harmonised rules would greatly help small businesses seeking to expand across the EU as well as global businesses. However, the more prescriptive the rules the harder it would be for businesses to comply (particularly small businesses). The MoJ saw a real threat to business if the Regulation placed extra burdens on businesses and stated that it would influence negotiations to ensure a proportionate, flexible approach that does not impede entrepreneurship. The recent announcement from the EU Justice Commissioner Viviane Reding that she does not wish to see small businesses overburdened by the Regulation should provide some relief for businesses overawed by the compliance requirements of the Regulation.

Good for the ICO?  

Representatives from the ICO stated bluntly that they would not be able to resource their new role under the Regulation. Additionally, the MoJ made it clear that the ‘wish list of extra responsibilities and tasks‘ for the ICO under the Regulation was ‘genuinely wishful thinking’. Likewise, the ICO objected to having its hands tied by the Regulation when it came to identifying and dealing with compliance failures and wanted regulators to have more discretion to apply their own judgement and experience.   

The European Commission

In the Commission’s view enhanced harmonisation would make global processing of personal data simpler and cheaper and thus lead to increased business for the EU. However, this picture of harmonisation downplays the efforts that organisations will have to go to in order to strive for this end.  The MoJ and others sharply criticised the impact assessment that the Commission provided as inadequate and the Justice Committee called for a full assessment of the impact of the proposals.

The Commission also argued that they had sought to technology-proof the Regulation by leaving flexibility in the form of delegated Acts for the Commission to implement later. However, there was significant criticism from witnesses on the extent and scope of provisions for delegated Acts which potentially gave power to the Commission to prescribe technical formats, standards and solutions. There appears to be some scope for movement on this point given Viviane Reding’s recent announcement that she was willing to review the delegated Acts individually and to limit them to only what is truly necessary for future technological developments.

The right to be forgotten

Comments from the ICO provided insight into this controversial concept as Christopher Graham indicated (to his surprise) that Viviane Reding had told him that the right to be forgotten was ‘more of a political slogan’ which actually represented something that already existed. So amidst all the excitement and debate that the trumpeting of the right to be forgotten had stirred up, there was now a suggestion that it wasn’t really a big deal after all. The MoJ strongly emphasised that it would resist the implementation of the right to be forgotten since it would raise unrealistic expectations that will prove impossible to fulfil. More cautiously, the Justice Committee recognised the importance of an individual’s right to delete their data but recommended that the phrase ‘right to be forgotten’ should be avoided since it was misleading. Since the right to be forgotten is inextricably linked in most people’s minds with social media, it was significant that the MoJ considered that parts of the Regulation appeared to be overly-concerned with social media (an anxiety that has perhaps infected the tenor of the drafting).

Subject access rights

Although there were objections from the Federation of Small Businesses to the abolition of the £10 fee for access to personal data and the MoJ was clearly sympathetic to these concerns, the Justice Committee (along with privacy and consumer lobbyists) supported the Commission’s position that the right of access should be free. The MoJ was urged to change its negotiating position on this point.

Justice Committee’s conclusions

In the Committee’s view, the draft Regulation does not produce a proportionate, practicable, affordable or effective system of data protection. Therefore the Committee lay out a stark choice for the Commission: either pursue harmonisation under a Regulation by focusing on the elements essential to harmonise and deploy the consistency mechanism and the European Data Protection Board to achieve this, or use a Directive to set out the outcomes to be achieved and leave implementation down to Member States, thus forgoing an element of harmonisation and consistency. With respect to the new draft Directive on processing personal data for law enforcement and judicial co-operation purposes, the Committee queried whether there is a pressing need to amend EU law in this area. 

What next?

The Justice Committee was asked by the European Scrutiny Committee to provide an opinion on the new data protection framework proposals. Although it has delivered its opinion, the opinion contains a number of outstanding actions on the MoJ to clarify its view or provide responses to the Committee on certain aspects of the new data protection framework. This may well inform the MoJ’s position as it continues to negotiate at European level on the shape of the data protection framework proposals.