Monday, 6 December 2010

Health records

For those interested in health / healthcare privacy, Access to patient records is a note the House of Commons Library have just put out (short briefing for MPs) - dated 7 Jan 2009 but only recently added to their public website.

This 9 page paper outlines (under the Data Protection Act, Freedom of Information Act etc) rights of patients to access their own health records plus access on behalf of the patient or by other third parties, retention periods etc.

Mainly on England but much should apply to other parts of the UK too.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 5 December 2010

How to find old ICO or Article 29 Working Party documents despite broken links - use this form

If you're having problems accessing documents on UK privacy regulator the Information Commissioner's website or EU privacy regulators the Article 29 Working Party's site because of broken hyperlinks, try using this form (you have to then click Open to get to it). Please feel free to bookmark or pass the link on to anyone else you think it may help.

Background

Links to documents on both these sites recently broke on site revamps - even the internal search function eg this search hasn't been updated as of today; try that search, clicking on the first result, and you'll get no further than the home page of the sub-site.

But never fear. I've produced a little script, as y'do on a sunny Sunday afternoon, so that you can paste your old link in a box on a form, hit Submit and be automatically taken direct to the document on the new site (rather than just get the home page, or an error message).

To use my form, pictured at the very top of this blog, you need to go to this page, then click Open (as highlighted above), or just Download it (and save it on your own computer for future ref if you prefer). Javascript has to be enabled on your browser for the redirection to work. And needless to say my script only works for broken links to those 2 sites, and if they decide to "update" their sites again, I'm afraid all bets are off.  

Sorry the process is so long winded - I'd have included the form directly in the body of this blog for your convenience, but unfortunately Blogger is a bit weird with Javascript in the body of the blog or even in the head section of the template; I've figured out that it puts in line breaks so you have to run all the code on together in one line, but I've still not worked out how to escape stuff correctly whether it's quotes or the regex (I assume that's what's been going wrong, as a simple test shows a form submission can indeed trigger a Javascript function in the body of a Blogger blog.) I tried a direct link to that page on Google Docs but that doesn't seem to work either. 

If anyone knows the solution (for Blogger javascript or for getting a direct link to an HTML file uploaded to Docs), I'd really appreciate hearing from you! I'm grateful they're hosting all this for free, but I do wish Google wouldn't make it so hard for people to include Javascript on the webpages they host.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

The future of Google

Interesting article in The Economist on 2 Dec 2010 looking at Google's position in the face of regulators investigating it and employees leaving for Facebook etc.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 3 December 2010

Facebook being used by debt collectors

Privacy horrors, indeed - this news report by The Atlantic's Alexis Madrigal is a few weeks old but I've only just seen it. Debt collectors contacting the debtor's friends on Facebook!

The article points out that Facebook, Twitter and LinkedIn etc are great for helping debt collectors to track down people.

Facebook told The Atlantic that they think this sort of thing may breach their policies not to mention various laws, and ought to be reported to them. Quite.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 2 December 2010

Browser makers & ad networks are asked what they're doing to meet EU privacy rules

EU privacy regulators have asked browser providers and ad networks to explain the technical steps they're taking on browser cookies, data collection and consent in order to implement the regulators' recommendations on online behavioural advertising (press release summary) - especially in light of the amended ePrivacy Directive's requirements on storing / accessing information on users' equipment, which will become law from 26 May 2011.

There's been much debate and concern about exactly what will be required by the new law (eg just recently in the Wall Street Journal, ComputerWeekly). Must users positively accept each and every cookie, etc? The new law, the regulators' views on what's acceptable with cookies and the scope for confusion have been criticised by lawyers (including Google's chief global privacy counsel) as well as by the internet advertising industry.

The EU privacy regulators' letters of 28 Oct 2010 to browser makers and ad networks, which didn't name specific addressees, were published on the Article 29 Working Party's webpage listing adopted documents. (Spotted them a week ago on the Article 29 site but haven't had a chance to blog 'em till now. The 28 Oct date is not shown in the letter, but is on that website page.)

From their letters, it seems clear that European data protection regulators want to put pressure on browser providers to build in "privacy by design", and that they also take a pretty strict view of what needs to be done by browser makers and advertisers. They've asked for a reply in 6 weeks from the letter date, which makes it Thursday 6 December, ie next week. But I suspect that either they won't publish the replies, or we won't see them until the New Year at the earliest.

According to their letters the EU data protection authorities, said to be "united" in the Article 29 Working Party, take this view (most of which echoes their OBA opinion):

  1. Browsers should be set as standard to reject all third party cookies by default. "To complement this and to make it more effective, the browsers could require users to go through a “privacy wizard” when they first install or update the browser, in order to provide an easy way of exercising choice during use."
  2. Browsers should -
    1. convey, on behalf of the ad network provider, in a clear and comprehensive manner fully visible to the user, "the relevant information about the name of the data controller, the purposes of the cookies, the data that are collected and the further processing that personal data might be subject to", and
    2. "require the data subject to engage in an affirmative action to accept or reject both the setting of and the continued transmission of information through the cookie. Such consent must be informed and prior to the processing" - ie before a cookie can be set, the user must be given the required info and the opportunity to affirmatively consent
    3. (Note - this ties in with the draft Juvin report on the impact of advertising on consumer behaviour (2010/2052(INI), which the European Parliament's Internal Market Committee approved in early November and is up for a plenary vote this month, that says: "ensure the application of techniques making it possible to distinguish advertising tracking cookies, for which free and explicit prior consent is required, from other cookies")
  3. Cookie expiry - "ad network providers should only place cookies with a limited lifespan in the user’s terminal equipment and they should not prolong the expiry date, so that the scope of the user’s consent is limited in terms of time."
    1. Note - but how limited must "limited" be? If a cookie is set to expire after 99 years, that's still "limited", innit? It's interesting that an Interactive Advertising Bureau (aka Internet Advertising Bureau) code of practice recommending expiry after 48 hours was reported to have been swiftly withdrawn… (although the August 2010 draft code of conduct does still seem to be online, with no further consultation draft I can find).
  4. Continuous access to info? - "to ensure the maximum level of awareness among users of the tracking over time so that they can decide whether to continue or revoke their consent," users should be provided with "sufficient and clear information" so that they have "an easily available possibility of revoking their informed consent to being tracked".
  5. Advertisers should "provide sufficient and conspicuous visual notice, possibly by creating a symbol or other tools and related messages which should be visible and understandable on all websites where the tracking takes place and which sufficiently alert users to the tracking for advertising purposes."
  6. "It would be preferable" if advertisers didn't collect sensitive personal data at all (on sexual preferences, political opinions etc)
  7. "Ad network providers should implement retention policies which ensure that information collected each time a cookie is read, i.e. profile information, is automatically deleted after a justified period of time (they should provide reasons why they consider such period of time necessary in the light of the purposes of the processing)" - and the info should also be deleted if the individual revokes their consent or asks for their profile to be deleted.
  8. "Ad network providers shall enable individuals to exercise their rights of access, rectification and erasure."

Note that they've said "The term 'cookie’ includes HTTP and flash cookies [LSOs] as well as any other method of storing or gaining access to information already stored on the terminal equipment of a user or subscriber, see Article 5(3)" - which is correctly technology neutral, and in my view should certainly catch things like DOM storage, and HTML 5 web storage (already used - or abused? - in mobile phones) and application caching too. But it doesn't catch anything where the storage is done at the server end.

Talking about consent and revocation, I wonder if the Working Party had any discussions with the EnCoRe people?

Anyway, here are the original links of the letters to browser makers and to ad networks - NB they're TIFF image files, not PDFs, so I've OCR'd them and embedded them below for ease of ref, and I can't guarantee their accuracy 100% so please refer to the originals for the definitive version. The direct links to the OCR'd versions are - browser makers, ad networks (yes I used a URL shortener there, goo.gl does track the number of clicks so just use the embed if you'd rather not click; yes URLs can be used as tracking mechanisms):

Browser makers

Advertising networks

Observations

I haven't had time to think through the issues fully yet, but even though I'm in favour of increased transparency, and empowering individuals to better control access to and use of their private information, I'm not sure that requiring third party cookies to be automatically rejected by default is the way to go - or, indeed, requiring consumers to consent individually to every single cookie (or even the first cookie per advertiser).

Many sites just won't work without cookies, and I am not sure how many non-EU sites are going to be willing to change their ways just because European privacy authorities would like them to. (Though the Wall Street Journal reports that some publishers are reining in their advertisers' cookie tricks, partly because if anyone's gonna profit from their visitors it oughta be them, not their advertisers! Ah, the power of lucre.)

Going back to accepting individual cookies, the analogies with security warnings and security education are I think appropriate here. Not to mention alerts on chemical plant emergencies!

Some people like security expert Bruce Schneier consider that the proliferation of security warnings in Windows Vista, the vast majority of which were in many users' views unnecessary, resulted in poorer rather than better security - because users became accustomed to automatically just clicking "Allow" to make the many warning dialogs go away, rather than evaluating the security risks of each individual situation:

"Users stop reading them. They think of them as annoyances, as an extra click required to get a feature to work. Clicking through gets embedded into muscle memory, and when it actually matters the user won't even realize it."

This is actually rational behaviour on the part of users.

Similarly, if users keep getting asked about lots of third party cookies, they may get used to automatically clicking "Accept" without thinking about it, so that they can get on with browsing the site they want to visit.

How to improve the browser?

It seems to me that better technical steps to require would be as follows - effectively incorporating into browsers the features of products like Cookie Culler, leaving aside for now competition law issues, and I admit reflecting my own preferences and the way I use browsers and handle cookies -

  • More fine-grained, user-friendly cookie control - including their easy deletion by users (and here I mean "cookie" in the same broad sense as the regulators - Flash cookies etc should be easy to delete from the browser too. Maybe the Working Party should have written to Adobe too??)
  • Built-in ability to delete all cookies automatically when the browser is closed, except those for sites which the user specifically wants to keep (ie delete all except those on a gradually built up whitelist).
  • The first time site wants to save a cookie, the browser should provide a clear option (or, in this case only, a second popup so it doesn't get missed) saying "Site X wants to save a cookie" etc etc, and where you can choose "Always allow this site to save and read cookies", "Never allow this site to save or read cookies", "Let this site save a cookie but delete it when I close the browser", and hey, why not "Let this site save a cookie now but delete it after half an hour" (whether I remember to close the browser or not)?
    • I'm thinking along the lines of how the excellent free (donation based) Firefox extension NoScript works. Yes you get asked a lot the first time you use it, so there may be the annoyance and automatic clicking factor, but over time it reduces in number.
  • Cookie manager settings should be easy to find, so you can un-whitelist a site if you change my mind, whitelist or blacklist a new site from that page. Let's have a single comprehensive management screen for ALL types of cookies. Users don't care what type they are.
  • Don't forget though that advertisers and other sites can now track visits without their necessarily storing anything on the user's equipment, eg through IP address, through your browser's fingerprint aka Client-less Device Identification (CDI) (and see further this blog, UPDATE - and this WSJ article), so browser providers should also be ensuring that their browsers don't send anything more than the minimum necessary info to websites, and again perhaps provide fine-grained user control over what info is sent.
  • What about Javascript tracking scripts and third party scripts and web bugs? They don't necessarily store anything on the user's equipment (though maybe if they temporarily downloaded an image or other file that might do it…). Is there a way to get browsers to handle those natively, eg building in something like NoScript?
  • And stopping Evercookies?

What about a "Do Not Track" system, rather like "Don't call" lists? It's an interesting idea, see Arvind Narayanan's outline of some technical ways in which it could be done, though Robin Wilton's pointed out the absurdity of having to save a cookie on your computer to tell sites you don't want them to save a cookie to your computer. UPDATE - the US FTC are proposing such a system, says the New York Times. I've not read their report yet. See EFF summary and Do Not Track Stanford project. FURTHER UPDATE - see Jonathan Zittrain's views on this.

(Not that my Telephone Preference Service registration helps me. I still get all sorts of calls and hangups when I let my answering machine take it. All marketers should by law be banned from withholding their phone numbers when cold calling, in my view. The sods deliberately withhold their number, I'm convinced, so that callees can't find out who they are to report them. Bah.)

Is there another way?

It's obviously important to provide fine grained browser options for the user, and fine grained user control that is nevertheless user-friendly.

But what's more important is to have finer grained choices as to exactly what private information the user is prepared to "trade", in return for what services.

However much information we are given about a site's intentions regarding our personal data, at the moment we often have to either accept their cookie and say "Yes" to everything they want from us, or reject it and be barred completely from any access to their services. It's all or nothing.

SCL editor Laurence Eastham hit the nail on the head in a recent blog where he said, "why aren’t we demanding that web sites that need cookies offer a range of options with (or without) privacy settings that allow the user a real choice?", and made the point that -

"We need to be presented with choices that have meaning - and that can only be possible if the requirements insist that web site operators offer a range: the cookie that is strictly necessary for operation, the cookie that eases your experience but transmits only minimal information and the full-fat marketing cookie that makes the web site’s bells ring – and maybe a few more unusual flavours for the discerning palate."

In other words, it's not just the technical options on the user's browser that need attention - it's also, much much more importantly, making site owners and advertisers offer users a real variety of options - "give up more personal information, which we'll do X with, and in return we'll let you access more features on our site", for instance.

Would that all sites took a leaf from the book of the BBC, who carefully explain exactly what cookies are set when you visit their website, and by whom - ie third party cookies as well as their own list - what each is for, etc. All sites should be doing that, and more. It's not just a browser settings issue, it's down to the web site and the advertising network. A choice of different cookies for different purposes ought to be offered at the start of the first visit to the site or communication with a particular ad network (all in a single simple screen or dialog, not each in succession which would increase the annoyance and "automatically click Yes" factor).

A related point is, it's important to properly enforce the purpose limitation principle - a site shouldn't collect personal information that's excessive or irrelevant to the purpose of the site visit.

If I'm signing up for a messageboard to discuss with likeminded fellows our passionate mutual interest in watching paint dry (hey, they can dry at different speeds depending on the type of paint, didja know? I've timed 'em!), the site really doesn't need to know my exact birthdate or mother's maiden name. As I've said before.

What a site thinks it needs to know about visitors (everything?!) may be different from what a user thinks it need to know. There may be a big mismatch between the data collector's purpose for obtaining the data, and the data subject's purpose in visiting the site.

The problem with website use is that merely by browsing to a site you lay yourself open to all sorts of info being collected about you and your browser, and to being forced (some might say blackmailed) into giving up all sorts of private info just for the "privilege" of registering. (You might even now be done for infringing copyright just by visiting a site, but that's a different blog…)

For even basic site access a free service will often want something in return (they usually capture your IP address automatically anyway), but they should offer users a choice as to how much personal data they collect.

For now, the lack of real choice in how many personal details consumers are asked to cough up can be dealt with, in a way, by savvy users - who just give different details, or use various tactics on social networking sites. (With a banking site I've registered a different maiden name for my mother than her real one. With many free sites I give a totally different postcode.) But remember they still grab your IP address and can correlate different visits even on different days etc. Which is why I'm changing my ISP soon - it claims my service is for a dynamic IP address but I can't effectively change my IP address unless I switch off my router for at least a week (I can't, I'd get internet withdrawal), or possibly I could try forking out for a new router, but I don't know if that would work.

Raising user awareness and educating users is critical, generally. But I think everyone knows that. The question is how. And more user friendly tools will certainly help - again the question is what those tools should do.

We will see what transpires over the next year or so. Will browser providers really rise to the challenge, and will it make much difference if ad network and others just find other ways to gather info on users and profile them? (eg in another context, insurance companies running "fun" surveys, trawling public records, and social networking sites etc to get more info about people's lifestyles and how risky they are).

Background

Article 5(3) Directive 2002/58/EC (Directive on privacy and electronic communications), after the changes made by Directive 2009/136/EC (PDF), now reads -

Member States shall ensure that the use of electronic communications networks to store storing of information or to gain the gaining of access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is has given his or her consent, having been provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

The UK are just going to copy that wording out without change or embellishment, according to their consultation on the implementation of this updated law. Not surprising perhaps, as they've been criticised before for their "traditional, but wholly unhelpful way of re-wording a Directive" which "nearly always…throws up room for wholly unnecessary uncertainty and argument." But it's clear what the government really intend, from the accompanying impact assessment (p.146) which says:

"Option 1: Implement an ‘opt-in’ system for cookies
Option 2: Allow consent to the use of cookies to be given via browser settings. This is the preferred option because it allows the UK to be compliant with the E-Privacy Directive without the permanent disruption caused by an opt-in regime."

There's still a few hours or so left to respond, for anyone who wishes! - the consultation runs "until" 3 December 2010 (no indication of what time).

Apparently under the Netherlands implementation it will be possibly to imply the user's consent from their browser settings.

Certainly Recital 66 of the amending Directive 2009/136/EC (PDF) says -

Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.

Copyright note

I have shown OCR'd versions of the Working Party letters above based on the Europa copyright notice as I can find no ban on their reproduction, but if anyone from the Commission or Working Party objects please let me know and I'll take them down.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 26 November 2010

ICO - fixing broken links on your site to ICO papers or press releases

UPDATE - to find the new URL, just enter the old URL in this form - blogged here.

If your blog or website has links to files (press releases, documents) on the UK Information Commissioner's site, here is a heads up that links from about October 2010 may be broken.

Anyone who read this blog a year ago will know that linkrot - ie sites, especially official sites, breaking or killing links to their site eg on a site revamp - sets my teeth on edge. Yeah, sometimes I just have to channel my inner law librarian. But really, old URLs should not be changed. It's a usability nightmare that is all too common. Surely it would not be difficult to redirect links in the old format to the new URLs on the ICO site. See my suggested (Word-specific) regex below, for instance.

The ICO must have tweaked their site recently. Links to webpages still work; it's just links to pdfs that don't.

For instance, any link to -
http://www.ico.gov.uk/upload/documents/pressreleases/2010/response_to_moj_dpframework_press_release_06102010.pdf

won't work now; the link should instead be to -
http://www.ico.gov.uk/~/media/documents/pressreleases/2010/response_to_moj_dpframework_press_release_06102010.ashx

In other words, in the URL change "upload" to "~/media" and change "pdf" at the end to "ashx".

From my very limited testing, links (even to PDFs) in the old format to files published before about October 2010 do still work, although changing them to the new format also won't break them - but note that I don't guarantee either point!

Luckily, most of us shouldn't have too many links to PDFs on the ICO site from about 1 Oct 2010 to have to fix.

I updated the ICO links on this blog manually. Below is what I did, in case it helps anyone else who uses Blogger as their blogging platform; the same method may be assistance in relation to updating links for the recent europa.eu changes (see below) as well as for any other blogs you might need to update "en masse" (ish) on Blogger in future -

  1. The Blogger Data API doesn't support the q text search parameter - else I'd have tried coding something in Java or Python to find and download the relevant posts, update the links and re-upload them.
  2. So you can instead try downloading the XML file of all blog posts (Dashboard > Settings > Basic, it's the Export blog link against Blog Tools - good to use it for regular backup generally, anyway - then Download Blog).
  3. Open the XML file in eg Word.
  4. Search in Word for http://www.ico.gov.uk/upload/ to find the broken links, or more precisely, in order to note down the titles of the blog posts which contain those links - as mentioned above, it seems you won't have to go back beyond about 1 Oct 2010, but I don't guarantee that.
  5. You could perhaps use regular expressions in Word (tick "Use wildcards" in Word's Find and replace box) to find - 
      (http://www.ico.gov.uk/)(upload)(*)(pdf)
    and replace it with -
      (\1)(~/media)(\3)(ashx)
    - then save the XML file and re-import it into Blogger. But
  6. There's a Blogger problem with importing the edited XML file. I got the dreaded error bX-tjg9ds with a test blog that had just 4 test blog posts. Plus, I'm a bit nervous about trying to export and re-import the entire blog, especially given the error.
  7. So in the end I just searched the downloaded XML file to find all the broken links as mentioned in 4, ie blog posts published in Oct/Nov 2010, then I signed in to Blogger, and in Edit Posts I found the relevant blog posts and updated them manually in HTML view. (Or if you use the excellent Windows Live Writer you could perhaps retrieve each relevant published post from Blogger, edit it manually, then republish it; but I didn't do that myself as I haven't had time to test whether it would republish with the same timestamp or not. I believe it would, but try it at your own risk!)

Note - broken links to the Article 29 Working Party's documents it seems may be fixed by changing (in the URL) -
  justice_home/fsj
to -
  justice/policies
- but again I've not tested that fully, so use that at your own risk. I haven't the time or strength to update links on this blog at the moment (I have 59 links to A29 papers/pages!), but least I have the downloaded XML file to use now.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Friday, 19 November 2010

Facial recognition for profiling - by drinks machine

Privacy advocates may be somewhat concerned that a vending machine now exists in Japan, installed in a Tokyo train station, which uses sensors and facial recognition technology to discern a potential customer's gender and age and "recommend" drinks accordingly (based on market research as to the preferences of different ages and gender).

So it offers canned coffee to men (green tea if they're in their 50s), and tea or a sweeter drink to women in their 20s. It even makes different suggestions depending on the time of day.

Sales have apparently tripled following introduction of that technology, and the company involved, JR East Water Business Co (subsidiary of railway company) JR East Co, plans to expand to 500 such machines in Tokyo and neighbouring areas by March 2012.

Talk about biometrics profiling for advertising and marketing! But one can imagine the technology, and indeed individual machines, being used for many more purposes. A sign of times to come?

(What really gives me pause is the go ahead given to Spanish scientists to use silicon barcodes to individually tag human oocytes and embryos for identification - they "aim to develop an automatic code reading system". Are the barcodes going to be removed after birth? Can they be?)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 18 November 2010

EU law invalid for interfering unjustifiably with privacy & data protection rights

An EU law requiring online publication of personal data (names of recipients of certain agricultural funds, plus amounts received) was declared invalid by the European Court of Justice, as unjustifiably interfering with privacy or data protection rights under the European Convention of Human Rights / EU Charter of Fundamental Rights, because it required blanket publication of all their names/amounts however much (or little) they received, however often, whatever the period or type of aid, etc.

This case is interesting because it underlines the possibility that other EU laws could be vulnerable to being struck down by the ECJ for undue interference with privacy rights, should a national court be persuaded to refer the matter to the ECJ. Data Retention Directive, anyone…?

(The Lisbon Treaty does make it easier for individuals and organisations to complain direct to the ECJ about certain limited EU acts, but we don't know how that'll work out in practice yet.)

The EU must act consistently with the Charter, including in making the laws they pass. However, the Charter's impact on national laws is more limited. It only applies to member states when they're implementing EU law.

What's more, the UK, along with Poland, weren't happy with the Charter and insisted on a Protocol 30 to the Lisbon Treaty to try to ensure that the Charter won't create new legal rights in the UK or Poland, and won't extend the ability of the ECJ or national courts to invalidate UK or Polish laws / regulations etc as inconsistent with the Charter's fundamental rights. This "opt-out" has been called disgraceful, but it may not be clear yet what the exact legal effect of the Protocol is.

Interestingly, in their recent successful application to have the Digital Economy Act judicially reviewed, one basis put forward in their statement of facts and grounds by ISPs BT and TalkTalk was the disproportionate impact of the Act on rights under the Charter as well as the Convention of Human Rights, and reports are that the judge will allow the review to consider fully all 4 of the grounds put forward - probably in Q1 2011. (ZDNet's reference to the judge waiting for the European Data Protection Supervisor's opinion seems mistaken, incidentally, as his opinion on ACTA and 3 strikes came out a while back, in June 2010.)

Anyway, here in the UK it seems people's personal data can get published on line on government websites without their consent or indeed knowledge, even when there's no law stipulating publication! (Hellooo New Forest District Council…)

Details

The court noted that -

  1. The EU Charter of Fundamental Rights (Wikipedia entry, another explanation, full text) has the same legal importance in the EU as the EU Treaties (since December 2009, when the Lisbon Treaty (Wikipedia entry) came into force).
  2. The validity of the EU Regulation provisions in question here must therefore be evaluated in the light of the Charter, including -
    • data protection - article 8(1) - ‘Everyone has the right to the protection of personal data concerning him or her’, including that personal data ‘must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law’, and
    • privacy - article 7 - 'Everyone has the right to respect for his or her private and family life, home and communications.'
    • (Note - the ECJ has said the Data Protection Directive should be interpreted in the light of fundamental rights under the European Convention of Human Rights anyway, including article 8's right to respect for private life - see Rundfunk)
  3. However, those rights aren't absolute, depending on their function in society, and may be subject to limitations provided for by law which respect the essence of those rights and freedoms and, subject to the principle of proportionality, are necessary and genuinely meet objectives of general interest recognised by the European Union or the need to protect the rights and freedoms of others.
  4. Where rights under the Charter correspond to rights guaranteed by the European Convention on Human Rights, then their meaning and scope should be the same as those under by the Convention (article 52(3)), and anyway the Charter doesn't restrict or adversely affect rights recognised by the Convention (article 53).
  5. This means the case law of the ECHR is relevant when considering rights under the Charter, and indeed generally - notably the ECHR cases on respect for private life and protection of personal data. (Note - nothing new here, in that the ECJ generally considers the ECHR anyway where appropriate.)
  6. "In those circumstances, it must be considered that the right to respect for private life with regard to the processing of personal data, recognised by Articles 7 and 8 of the Charter, concerns any information relating to an identified or identifiable individual (see, in particular, European Court of Human Rights, Amann v. Switzerland [GC], no. 27798/95, § 65, ECHR 2000‑II, and Rotaru v. Romania [GC], no. 28341/95, § 43, ECHR 2000‑V) and the limitations which may lawfully be imposed on the right to the protection of personal data correspond to those tolerated in relation to Article 8 of the Convention."

In this case, the Regulation in question (1290/2005 on the financing of the common agricultural policy) required information to be published online regarding recipients of aid from certain EU agricultural funds - and publication of someone's name and income is an interference with their privacy, so even if the underlying laudable aim was transparency as to the use of public funds, the publication requirement still had to be legal, proportionate, necessary etc.

The law here (articles 44 and 42(8b) to be precise) wasn't valid as it required indiscriminate publication of all those details "without drawing a distinction based on relevant criteria such as the periods during which those persons have received such aid, the frequency of such aid or the nature and amount thereof." The court did say, to stem the possible flood of lawsuits no doubt, that no one could sue for past publication of those details. Going forward, obviously they can't be published in the same way.

There were other Data Protection Directive issues in the case but I won't cover them here.

Aside - the referring German court here actually tried to get the ECJ to rule on the validity of the Data Retention Directive, and on whether the Data Protection Directive prevents websites from storing the IP addresses of visitors without their express consent.

Sadly for those of us interested in these issues, the ECJ said, rightly, that those questions weren't relevant to this case, which was referred to them following lawsuits by fund recipients whose personal data had been published on a website (not by visitors to that site whose IP address had been recorded).

Case - Volker und Markus Schecke GbR (C-92/09), Hartmut Eifert (C-93/09), 9 Nov 2010.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 6 November 2010

Google - data retention periods for different services (including deleted data)

From a privacy viewpoint, how long a service provider keeps your personal data is important. It's one of the key data protection principles in the EU that personal data shouldn't be retained for longer than is necessary for the purpose for which it was processed.

When that purpose is served, strictly the service provider ought to delete that data. And again, strictly that includes any duplicates or backups.

Insiders like employees who have access to users' data can be a major risk to data security. Sometimes they can view users' personal data, eg Google systems engineer David Barksdale (maybe more) who was fired for accessing Gmail / Google Voice /chat data - stories in ValleyWag, Reuters, ComputerWeekly (or consider the FIFA passport details debacle, or the position of Facebook employees). If stored data isn't properly deleted when it should be, that may further increase the risk of its being accessed by an insider (or outsider) who shouldn't.

Google Search - different features, different retention periods

I previously compiled a table comparing the retention periods for search data at the main internet search engines.

So it was interesting to see a blog by Google's Chief Privacy Counsel Peter Fleischer which mentioned in passing the data retention periods for logs relating to people's use of certain other search-related Google services, which I don't think I've seen documented anywhere else. Here it is in tabular form:

Google Search service

Data retention period

Search logs 9 months
Instant Search (displays search results as you type) logs 2 weeks; a Google blog post clarifies "we now store Google Instant's partial query data for up to two weeks in unanonymized form, at which time we will delete 100 percent of it. These data retention changes apply only to queries made when Google Instant is active."
Suggest feature - from 2004, available on mobile, now called Google Autocomplete (provides search auto-completion) logs 24 hours

Aside - on Suggest logs, incidentally, see the Telegraph write up of funniest Google Suggest suggestions.

Deleting data from Google services

Leaving aside search features for now, what about when you delete data from another Google service?

Google have recently introduced a new privacy policy, with supplemental privacy policies for some individual products. The general privacy policy says -

Because of the way we maintain certain services, after you delete your information, residual copies may take a period of time before they are deleted from our active servers and may remain in our backup systems. Please review the service Help Centers for more information.

It doesn't give info about how long before residual copies are deleted from servers, and "may remain in our backup systems" suggests they never get deleted from backup!

It would be good if Google clarified this point for each service, and, better still, deleted them from backups too.

Google Tasks

It's interesting to see a specific privacy policy mentioned for Google's Tasks feature (which you can use in Google Calendar as well as Gmail):

"You can delete tasks that you have created. Such deletions will take immediate effect in your account view, although residual copies may take up to 30 days to be deleted from our servers. In addition, every 90 days, if not more frequently, we permanently delete usage statistics associated with your use of Tasks. We retain this information beyond 90 days in aggregate form only."

But, I couldn't find specific mention of periods for deleting residual copies in the case of other Google products eg Google Apps services.

Google Docs

I noticed recently that when I deleted documents from Google Docs, they were still appearing in my Google Docs search results for about 2 or 3 hours thereafter. (And for how much longer "residual copies" stay on Google's "active servers" or backup servers after that, is anyone's guess.)

This "feature" may in fact be quite an annoyance if you delete documents which you no longer need, but then they keep polluting your Google Docs search results for 2 hours after that - especially if you're working to a deadline and need to find other stuff quickly!

Google really ought to sort this kind of thing out if they want to succeed in selling Google Apps to organisations, as it will probably frustrate business users. Quite apart from the data protection / privacy implications.

In addition, for those who didn't know - even when you delete a Google Docs document, it seems Google will never delete any images / pictures / photos linked to in the document. Not unless and until you specifically contact Google Docs support (not an easy thing to do) and ask them to do so. So don't go putting embarrassing pics in your Google Docs!

Gmail

It's good that for Gmail at least, Google say they make "reasonable efforts" to remove deleted info ASAP (emphasis added) -

"Data retention

Google keeps multiple backup copies of users' emails so that we can recover messages and restore accounts in case of errors or system failure, for some limited periods of time. Even if a message has been deleted or an account is no longer active, messages may remain on our backup systems for some limited period of time. This is standard practice in the email industry, which Gmail and other major webmail services follow in order to provide a reliable service for users. We will make reasonable efforts to remove deleted information from our systems as quickly as is practical."

It would be helpful to know what's the max "limited period of time"; but note that "reasonable efforts to remove deleted information" is not the same as a guarantee of eventual deletion.

Note that there are special contractual terms of service for Google Apps applications, including Gmail etc; and it seems (though that's not reflected in the terms) that there's more reliable deletion in the case of paid-for services like Apps Premier Edition:

"I received verbal assurances from our salesperson that Google always honors client requests, within reason.  E.g. A deleted account is truly deleted, however there is a 5 day 'grace period', where it seems an accidental deletion can be remedied.  Regarding the dispersal of data amongst data centers (triple redundancy), the sales person indicated it may take a week to remove data from all the caches.  So, it was implied within a certain window of time, all data that a customer wishes to be deleted is destroyed, and after that it is truly gone."

- plus customer-selectable email retention settings and archiving periods, although archiving Google Docs for records management (deliberate records retention in archives for compliance purposes) appears to be problematic.

As for third party apps obtained through Google Apps, it's up to the third party entirely what their data retention policy is. You have been warned.

It seems people are still uncertain about other issues like Google Analytics data retention.

TOS & privacy policies galore?

As well as explaining individual data retention policies, the interaction between all these different terms and conditions (and Google's Privacy Principles unveiled in Jan 2010) could be clearer.

For example the Google Apps privacy notice is very brief and refers to the basic Google Privacy Policy page - not even the privacy policy itself - and neither of which links or even refers to the "More on Gmail and privacy" page I quoted from above. This can all be rather confusing to the user.

(There's probably a lot of money to be made by anyone who can produce an app to check and cross check TOS across a single website in relation to different services of the same provider - for consistency, cross references etc.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 25 October 2010

EU to criminalise data protection breaches? (based on unpublished Commission paper)

Privacy advocates may be pleased to hear that, according to a European Commission document obtained by Bloomberg's Aoife White (which I'm blogging as I've not seen it reported much elsewhere), the proposed updates to the EU Data Protection Directive, which won't be fully public till 2011, may include -

Expanded criminal penalties to enforce data protection requirements regulating how personal data is dealt with - the Bloomberg report quoted the Commission's paper as saying it's "essential to have effective provisions on remedies and sanctions” including “criminal sanctions in case of serious data protection violations".

A right to oblivion, the right to be forgotten - a right for data subjects to get their personal details deleted, and to get "lists of friends, photos or medical records removed".

Enhanced enforcement capabilities for regulators and others? - the Bloomberg article said that  "The proposals may also make it easier for data protection authorities and consumer groups to file lawsuits over privacy breaches" but unfortunately didn't expand on how the proposals intend to achieve that.

Bloomberg got Matthew Newman, a spokesman for Commissioner Reding, to confirm that they've not decided yet whether the new data protection laws should be mandatory or only guidelines -but unfortunately the article didn't spell out which aspects he was talking about. It would be odd if all the new rules were either mandatory or guidelines only, although it seems from the context that he was probably talking about criminalisation of breaches. If so, "guidelines only" still wouldn't change the current position.

The Bloomberg article said regarding the timetable that

"Changes could be made to the commission’s document before regulators discuss it on Dec. 4. They will then ask for support from national governments and EU lawmakers before they draw up draft legislation in mid-2011."

Sounds like Bloomberg managed to obtain a draft or leaked draft of the Commission's internal document (draft Communication?) - Yahoo, they said, wouldn't comment on the proposals "because the EU plan hasn't yet been published".

See also: search data retention periods for Google, Microsoft and Yahoo.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Leaders with powerful faces produce top law firms. And female leaders..?

The more "powerful" a managing partner's face looks, the higher is the ranking of the law firm they manage (suggesting that those with more "powerful" faces are more effective leaders).

So it seems from a University of Toronto / Tufts University study of top 100 US law firms in 2007 according to AmLaw, where 67 people were asked to judge 73 managing partners' faces for "dominance, maturity, attractiveness, likeability and trustworthiness" (see the press release, abstract, and full article Judgments of Power From College Yearbook Photos and Later Career Success by Nicholas O. Rule and Nalini Ambady, PDF (free for limited time), to be published in Social Psychological and Personality Science Journal.)

The measure of "power" was taken from a combo of ratings for "dominance" and "facial maturity".

The measure of a law firm's success was based on three measures of firm profits as taken from AmLaw: profit margin, profitability index, and profits per equity partner (PPP). Nick Rule (one of the authors), said:

"Moreover, just to be extra rigorous, we statistically controlled for the number of lawyers working at each firm, since size can be an issue--though mostly for firm revenues."

Previous research - military, CEOs, politicians

Previous research, mentioned in the paper, has shown that -

"West Point cadets whose faces projected dominance were more likely to become generals than cadets with less dominant faces, Senate candidates whose faces were judged more competent than their opponents won three-quarters of their races, and the more powerful the faces of CEOs of Fortune 1,000 companies looked, the more profits that their companies earned."

What's new here?

So what makes this research different? (Apart from being of interest to lawyers, of course.)

First, half the photos used were from college yearbooks rather than the law firms' websites. Yet "facial power" as judged from the "old" (we're talking generally 20 year old) pictures was almost as good at predicting law firm profitability as when evaluated from more recent website pics.

Does this mean some people are just slated for power?

Well, it appears that looks do matter, but don't think yet that your fate is forever dictated by your face. It's more likely to be t'other way round - ie that your face is shaped at least in part by your own personality and life experiences.

Certainly, from my own experience (an oh so scientific approach), it does seem that people I meet who have sour faces and downturned mouths turn out to be cold, unfriendly miseries. And people with pleasant smiley faces are usually rather nice.

Other studies (mentioned in the paper) have shown that childhood personality stays pretty much the same throughout life. And - this is just me talking here, I'm sure there has been proper research on this - I suspect people tend to be quite good at judging personalities from faces, just as a survival mechanism when interacting with other people, if nothing else.

Now here's another interesting point from the study.

Unlike CEOs in most other industries (many of whom are lateral hires), managing partners of law firms have usually worked their way up within the firm - so having a powerful face should matter less than other factors like demonstrable skills, in terms of getting them selected as leader.

And yet, whether or not a more powerful face makes someone more likely to be elected as managing partner, it still seems that managing partners who do have more powerful faces are more likely to make more money for the firm who elects them.

Human warmth unrelated to profitability

The press release also said "Surprisingly, human warmth in the face—likeability and trustworthiness—was uncorrelated with law firm profits".

Some, of course, might say it's not so "surprising", especially with law firms. A likeable leader does not necessarily a profitable law firm make.

However it's perhaps a bit more worrying that "trustworthiness" isn't related to profitability in law firms.

It's true that people assessed how trustworthy the partners looked, than rather than how trustworthy they actually were, but is there a correlation between trustworthy looks and trustworthiness? My gut murmurs, possibly - shifty eyes and all that…

And what about the women?

Now what about female managing partners, you may ask? With female leaders, does having a more "powerful" face translate to a more profitable firm?

The paper didn't mention whether there were any differences there. However, Nick Rule kindly clarified to me that -

"Four of the MPs were women. Obviously, this small number prevents us from being able to do any meaningful analyses looking at differences between perceptions of the male and female MPs. However, if we remove these women from the data set the results don't change, suggesting that they were viewed consistently with the greater overall pattern."

He also pointed to a study following the work on how judgments of power from the faces of Fortune 1000 male CEOs predicted their companies' profits, mentioned above (Rule & Ambady, 2008; Psychological Science -  The Face of Success - Inferences From Chief Executive Officers’ Appearance Predict Company Profits).

Their follow-up concerned all the female CEOs in the Fortune 1,000 (Rule & Ambady, 2009; Sex Roles - She’s Got the Look: Inferences from Female Chief Executive Officers’ Faces Predict their Success). Well worth a read as it describes other research in the area too -  fascinating.

There, they found that judgments of power from the faces of female CEOs also predicted their companies' profits. Comparing the male and female data sets from the two studies they found that there were no significant differences in the way male and female CEOs were judged along any of the traits examined.

"Thus, although the findings with CEOs don't necessarily generalize to those of law firm MPs, they do seem to follow parallel lines," Nick Rule told me.

Very interesting indeed. Perhaps when deciding which job offer to go for, you should check out the photos of their managing partners or CEOs first - whether it's because you want to join a firm marked for success, or contrariwise want one with a leader ripe for displacement whose face is weaker than yours!

Now, is anyone up for doing a study on the top 100 UK law firms…?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 20 October 2010

Privacy - do companies need specific power to share / use personal data?

This blog was prompted by a comment by clerkendweller on my report of the ICO's personal data sharing code consultation, about a sentence on p. 7 of the consultation paper -

The consultation mentions that private sector organisations should be able to "identify a power which permits the organisation to [disclose or share information]". The CoP suggests this might be in a company's memorandum and articles of association. [WH's note: the consultation paper said on this, "A private sector organisation’s powers are likely to be set out in, or to derive from, its constitutional documents, such as a company’s memorandum of association, rather than statute."]

Have you come across this in an actual MAA, and if so, do you know what sort of wording directors should be looking for? Maybe a corporate information policy would be a better suggestion?

This blog is my reply, because the answer to clerkendweller's question isn't as straightforward as one might like. It's affected by political, commercial and indeed historical issues more than legal ones, probably. It also depends partly on whether you're the company itself, or a third party dealing with the company.

I'm talking only about English law and "normal" English companies; and I'll ignore the issue of company directors exceeding their authority, which is another matter (something may be within the powers of a company, but not within the powers of its directors to authorise).

I also don't discuss what rights individuals might have if a company holding their personal data discloses it to someone else without having power to do so! Which is some ways the more interesting question, but wasn't what was asked, and would take even more blogs.

The short answer

It can now be generally taken that an English company of the bog standard variety has the capacity to share data, even without express specific powers in its constitutional documents to do so (and assuming the lack of certain special circumstances which corporate lawyers ought to know to look for, eg where the company is a charity).

However, most lawyers will probably say someone dealing with the company should still scrutinise its constitutional documents, and pay lawyers for doing that of course. Full reasons below.

The company itself, to make sure its own house is in order, would probably want to check it doesn't have restrictions in its own mem / arts preventing it from sharing data (unless of course that's the intention).

The long answer

To explain the answer properly, we need to consider corporate powers generally.

First, some background. Companies aren't "natural persons", of course; they're a legal construct, owing their existence and legal status to legislation by lawmakers made from the 19th century onwards.

Companies, as artificial creatures, only have capacity to do what the law says they can do - which was, largely, what was specified in the documents constituting them, filed on registering the company or when updated and publicly available for a fee. In the UK people call those constitutional documents the memorandum and articles of association, or "mem and arts".

However, people dealing with companies have sometimes found that a company has tried to get out of the deal, saying "Oh I'm just a company, I didn't actually have the power to do this deal with you, so tough luck".

Now why should those dealing with a company take the risk of the company not having enough powers? That risk should fall on the company itself, rather than third parties suffering the consequences if the company acted outside of its powers (ultra vires).

That's what lawmakers felt, too. Which is why they tried, several times over the years, to change the law to make it crystal clear (or so they thought) that innocent third parties shouldn't be prejudiced by internal restrictions on companies' powers.

The latest attempt to sort this area out was the Companies Act 2006, whose provisions on corporate capacity came in over a year ago.

Every English company should now effectively have the capacity to do anything - unless the company's articles specifically restrict what it can do (the extraneous stuff contained in the mems of pre 1 October 2009 companies is now considered to be part of the arts).

Even if there are restrictions of that kind, section 39 of the CA 2006 says (emphasis added) -

"39  A company's capacity

(1)     The validity of an act done by a company shall not be called into question on the ground of lack of capacity by reason of anything in the company's constitution.

(2)     This section has effect subject to section 42 (companies that are charities)."

This new law, from 1 October 2009, applies to existing English companies just as much as it does to companies incorporated after that date.

So an English company's ability to do things may be considered generally unrestricted, as far as third parties dealing with the company are concerned (with some limited exceptions, eg in the case of charities, or where the person dealing with the company is actually its director or connected to its director).

But now let's consider the big deals where people feel they need to bring out the lawyers.

It's been standard practice for years, when you're going to enter into a major transaction with a company, for your lawyers to check the company's constitutional documents to make sure that the company has the power to do the deal with you.

One main area where this happens is when a company wants to borrow money. The bank's lawyers will check the company's constitution, supposedly to make sure it has the power to do everything it has to do for the deal (borrow money, give security etc). The borrower pays for all this, of course. It pays its own lawyer's fees, it pays the bank's lawyer's fees. That's just life if you're a borrower trying to get finance.

In (2010) 7 JIBFL 395 (that's the Journal of International Banking and Financial Law, 1 August 2010 - subscriber-only access) Richard Bethell-Jones wrote an article "Checking constitutional documents: business as usual or money for old rope?".

There he pointed out that all these laws really ought to make people comfortable about not having to check companies' constitutional documents and the like, except in certain limited situations.

He says in trenchant terms that all this checking and re-checking is mostly a big waste of time, resources, money and paper. In fact, he think's it's "money for old rope" -

"My view is that the other reasons given for continuing these checks are unconvincing. If they convince you, please get in touch, because I can let you have the Eiffel Tower at a very advantageous price…

…I think that if the lenders paid for these checks out of their own pockets they would quickly tell their lawyers to devise
an effective sifting system, and stop checking when it isn't needed. But they do not pay; the borrower pays. Until the
borrowers tell their lenders they are not going to pay for the lenders' lawyer to make these checks (or supply it with copies
of their constitutional documents for that purpose) when it is clearly unnecessary, this ludicrous 19th century practice will
continue. It will, indeed, be business as usual."

While his article was written in the context of bank loans, the same principle applies to other powers of companies, like the power to share data.

I'm with Richard here. You shouldn't have to put specific powers allowing data sharing into English companies' constitutional documents, nor should people dealing in good faith with English companies need to check for those specific powers, in the vast majority of cases. Lawyers should of course be aware of the few cases (eg charities) where they do need to make those checks, and do them then. But not otherwise.

People dealing in good faith with English companies should be able to trust that those companies generally have power to disclose or share information (and indeed to collect and use personal data), without having to inspect their constitutional documents.

But would most lawyers (who do get paid for checking constitutional documents) agree with that view?

By training, if not temperament, most lawyers tend to be cautious conservative types.

For a company that wants to share personal data, its lawyers may well want to put into its constitutional documents specific wording spelling out powers to share personal data etc, "just in case". (Of course, for the company they really ought to make sure any restrictions on data sharing etc in the mem / arts are got rid of, although in most cases it seems unlikely that there would be any. "No restrictions on sharing" is obviously not the same thing as having specific powers to share data, but is now equally if not more important to check that.)

Similarly, lawyers working for someone obtaining data from a company will probably want to look at the company's constitutional documents to ensure that it has powers to share data, or at least no restrictions on those powers - whether they actually need to do that to protect their client, or not.

It would take a brave law firm to go against years and years of "Check the Mem and Arts!" Especially when doing that provides a steady if not always significant source of income for lawyers.

Richard also made the point that when law firms issue legal opinions to clients, it's standard practice to check constitutional documents - and it's easier to keep doing that rather than say in the legal opinion that it really doesn't matter to the third party what the company's constitutional documents contain as long as the third party is acting in good faith (and if they're not dealing in good faith, they may be in trouble, and checking the mem and arts won't do them any good then).

Richard hoped "the legal community would wake up and smell the coffee". We shall see!

(By the way, the environmentally-conscious may also applaud Richard's having a go at the practice of making those seeking finance print out and hand over "boxes and boxes" of hard copy constitutional documents -

"at completion bearing an illegible mark made in ink to certify its authenticity. This is the digital age, for heaven's sake."

- and his view that borrowers could justifiably tell lenders to go whistle for signed hard copies (my paraphrase!), they don't need them and "it is simply impertinent of the lender to ask for them.")

Declaration of interest - I know Richard well and am a huge fan of his. For many years, working mainly for banks rather than borrowers, he was a member of the elite, invitation-only City of London Law Society's Financial Law Committee, and I've been privileged to work with him as well as some other members of the Committee. He has one of the best legal minds you'll ever find, and he's robust to boot - not in the bad sense of "Oh don't worry about trivial things like the law, just do whatever you like" (which I've encountered in more than one or two lawyers), but in the good sense of being commercially pragmatic while still looking after the client's interests. He writes in a way non-lawyers can understand, too. Which is all too rare amongst lawyers.

Note - this isn't legal advice of course, just general information. And, I emphasise again, the position may well be different for other types of entities or non-English companies.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 18 October 2010

Data protection principles - mnemonics

When studying privacy law, in order to help me remember the data protection principles under the UK Data Protection Act 1998 (implementing the EU Data Protection Directive), which regulate the processing of personal data, I came up with some mnemonics.

For computery types - this blog is sort of a tribute to the OSI layer mnemonics. Which I am hereby changing to "All People Seem To Need Data Protection"! And note that "data protection", as a term in law, isn't just about backup and redundancy.

Here are my mnemonics. There are extra notes under each principle, which with Javascript turned on in your browser you can see if you [+/-] click here to show the notes (and click here again to hide them). Without Javascript the notes will be visible all the time.

If anyone has any better suggestions for mnemonics, please let me know - some of my ideas may be better for me than other people as it's just the weird way my mind works; you don't even want to know what tricks I use to try to memorise phone numbers!

1. First principle

F is for “First”, F is for “Fair and lawful” (and don’t Forget the compulsory conditions).

Personal data shall be processed Fairly and lawfully and, in particular, shall not be processed unless -

  • at least one of the conditions in Schedule 2 [of the Data Protection Act] is met, and
  • in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

(About: collection limitation, data quality, purpose specification; openness / transparency, notice / awareness, choice / consent)

In plain English, for processing of personal data to satisfy the first principle, at least one of a list of conditions must be met (eg getting the data subject's "consent" to the collection of their data, or - for sensitive personal data - falling within circumstances specified by government Order), and, in addition, the processing has to be generally fair and lawful too; again, it's not "fair" unless eg the data subject has been given notification about who's processing their personal data, for what purpose etc.

In other words, if none of the required conditions can be met the processing can't be "fair" and the processing can't comply with this principle, no matter how generally fair it might seem as a matter of common sense. "Fair and lawful" is necessary but not sufficient - you have to scrutinise the conditions and other requiremens too.

For "sensitive personal data" there are stricter conditions, precisely because the data is sensitive. That includes personal data about health, race, religious or political beliefs and sexual life, even trade union membership - but, interestingly, financial data is not considered "sensitive" in the EU, eg your income or assets.

2. Second principle

S is for “Second Principle”, S is for “Specified and lawful Purposes only”.

Personal data shall be obtained only for one or more Specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

(About: data minimization, data quality, purpose specification, purpose limitation or use limitation, transparency)

In other words, if an organisation says they're collecting your personal data for purpose X only, they should tell you so up front, and they really shouldn't then use it for another purpose Y.

But how anyone can catch them using it for purpose Y is a different matter, and one of the biggest problems for privacy protection today.

3. Third principle

T is for “Third”, and there ARE Three elements here: Adequate; Relevant; and not Excessive.

Personal data shall be Adequate, Relevant and not Excessive in relation to the purpose or purposes for which they are processed.

(About: data quality, data minimisation, purpose limitation / use limitation)

Similar point to the above. Most websites don't really need your date of birth or mother's maiden name just to let you in, but many make you give that info before they allow you to even register.

Strictly, they shouldn't be seeking to obtain excessive personal data like that. But if they don't get caught out, reported or fined for doing it, what's to stop them?

4. Fourth principle

F is for “FoUrth”, F is for “Fidelity - Faithfulness to the Facts” (=Accuracy); U is for “Updated where necessary”

Personal data shall be accurate and, where necessary, kept Up to date.

(About: data quality, data integrity)

Of course, normally you can't find out what personal data an organisation holds about you (in order to check its accuracy and currency) unless you first fork out a tenner or more. In contrast, making Freedom of Information requests to public bodies doesn't you cost a penny.

5. Fifth principle

For “Five” the Roman numeral is L; L is for the Length of time for which personal data may be kept.

Personal data processed for any purpose or purposes shall not be kept for Longer than is necessary for that purpose or those purposes.

(About: data quality, data retention, purpose limitation / use limitation)

Again, the tricky practical issue is how one checks this and makes sure all backups or duplicates are also deleted too.

6. Sixth principle

S is for “Sixth”, S is for “Subject rights”.

Personal data shall be processed in accordance with the rights of data Subjects under this Act.

(About: openness / transparency, individual participation / access, enforcement / redress)

An individual's rights in relation to personal data held about them aren't as good as you might think.

Frankly individual data subject rights don't amount to very much, in the UK. That's one of the reasons why the European Commission took issue with the UK over the UK's data protection laws. The Commission is also taking the UK to the European Court over the UK's inadequate internet privacy laws.

7. Seventh principle

S is for “Seventh”, S is for “Security - ATOM, U2 And D2”.

Appropriate Technical and Organisational Measures shall be taken against Unauthorised or Unlawful processing of personal data and against Accidental loss or Destruction of, or Damage to, personal data.

I admit I’m reaching here - the capitalised words above, and going through the explanations below of how to (vaguely!) connect the abbreviations to the concept, should hopefully help clarify my bash at the mnemonics, and make them stick better -

  • ATOMic stuff (for Appropriate Technical and Organisational Measures), you’ll certainly want security for that!
  • U2 (for Unauthorised or Unlawful) - that's an Irish band, well some authorities are still nervous about security in relation to things Irish aren’t they? (reminds me - I once heard a Northern Irish guy remark, only half-jokingly, about the risks of being arrested for being in possession of an Irish accent!).
  • And” is for Accidental loss.
  • D2 (for Destruction and Damage) - the connection there with security isn’t too hard. (I just couldn’t squeeze R2-D2 in there, believe me I tried.)

(About: data security, data integrity)

Yet again, a difficult issue is how to make sure those measures really have been taken. Which is where the principle of accountability, that's increasingly gaining credence, comes in.

8. Eighth principle

E is for “Eighth”, E is for EEA - that’s “EEA-only Except if ALPS” (Adequate Level of Protection for Subjects).

Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an Adequate Level of Protection for the rights and freedoms of data subjects in relation to the processing of personal data.

(About: data transfer)

No, Switzerland is not part of the EEA, though it certainly boasts alps galore. Austria is in the EEA, however. As are Norway, Iceland and Liechstenstein, as well as the other usual EU suspects. (Another suggested memory trick - Norway, Iceland and Liechstenstein are NOT in the EU though they're in the EEA, so think Eurovision song contest and NIL points (I know, purists would say it's actually "nul")).

(Yes, the Eighth Principle's mnemonic is a recursive acronym, as a tribute to GNU. And there's nesting too, if you count ALPS. Am I allowed to be slightly smug about that mnemonic, or d'ya think I'm just sad?)

This is another tricky area. It's not straightforward figuring out the "location" and "transfer" of data, just for starters. I won't say more about it here.

Warning notes

For non-lawyers - this blog isn't meant to explain the data protection principles or their application, it's just to provide an aide memoire and make a few points about the principles. Whole books have been written about the principles. Just bear in mind that in legislation and cases, "normal" words can have special meanings - so you can't always read the data principles (or indeed other laws) literally, as they don't necessarily mean what you'd think. Which is partly why you need specialist lawyers and judges.

F'rinstance, even the concept of "personal data" is both wider and narrower than you might think.

And "processing" includes passively storing data as well as collecting, manipulating, deleting data, using it; even sending or giving someone else access to data is "processing" it.

See generally the ICO's data protection guide, which is excellent. (The Information Commissioner is the UK's main data protection / privacy regulator.) There are good glossaries at the European Data Protection Supervisor's website and the ICO website.

For everyone - the data protection principles are good stuff and don't need changing at their core, as was recently pointed out in the ICO's response to the UK Ministry of Justice's consultation seeking views on data protection laws. Many best practices are implicit in the principles (eg using PETs).

But just having laws or regulations in place doesn't mean people will automatically respect or obey them.

If you can't monitor or police properly the extent to which organisations are failing to follow the principles, or you can't punish breaches adequately to provide a meaningful deterrent against infringements, then many will continue to ignore laws and regulations.

When proposals for a modernised EU Data Protection Directive come out in 2011 hopefully they'll include provisions that will help improve matters on this front.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.