Sunday, 31 January 2010

Net neutrality - free book

Net Neutrality - Towards a Co-regulatory Solution, 320-page PDF book by UK tech law expert Chris Marsden, available free under a Creative Commons Attribution Non-Commercial Licence. Copyright 2010 but as of June 2009.

From the intro:

"This is a book about net neutrality. It is intended to be read by the nontechnical as well as the technical reader, by the non-economist as well as the economic, and also most definitely by non-lawyers… It is an international book, in that it is written by an English lawyer who now preaches but used to practise, but with significant input from study of the European Union (and European Economic Area) more widely, and with attention paid to North America and Japan, if less so to developing countries…

At the end of the book, I expect you to disagree with me, whether you are a traffic prioritization free-market ‘RoundHead’ or an information-wants-to-be-free fundamentalist net neutrality ‘Cavalier’. My argument will be a ‘Middle Way’ between these extreme positions that strikes a balance between intervention and innovation, which inevitably means no-one will be happy, including me. It is not a debate with any easy non-controversial answers…"

The book also has a good list of abbreviations covering internet & technology terms as well as legislation.

Contents

  • Introduction - Net Neutrality as a Debate about More than Economics
  • Net Neutrality: Content Discrimination
  • Quality of Service: A Policy Primer
  • Positive Discrimination and the ZettaFlood
  • User Rights and ISP Filtering: Notice and Take Down and Liability Exceptions
  • European Law and User Rights
  • Institutional Innovation: Co-regulatory Solutions
  • The Mobile Internet and Net Neutrality
  • Conclusion: Towards a Co-regulatory Solution

Via @privacyint

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 30 January 2010

Google's Privacy Principles - & spoof!

To mark Thursday's International Privacy Day 2010, search giant Google unveiled their new Privacy Principles to "help guide decisions we make at every level of our company, so we can help protect and empower our users while we fulfill our ongoing mission to organize the world's information." (See the Google YouTube video.)

UK-based privacy advocacy group Privacy International have just issued a funny spoof "Google privacy principles Draft – not to be shown to anyone, especially Microsoft".

This is not surprising in view of their historically rocky relationship with Google, but rather amusing all the same.

Wednesday, 27 January 2010

"Personal data" - browser fingerprint, not just IP addresses


Never mind the data protection debates about whether computer IP addresses (with or without notifying the provider) constitute "personal data" or "personally identifying information" (PII) - the US's Electronic Frontier Foundation are showing by their Panopticlick project that it's easy to track you by your browser's "fingerprint". (The title is a play on "Panopticon", the concept of a jail where a prison guard can see all prisoners but they can't tell they're being watched.)

Try it yourself to get your browser's "uniqueness measurement", measured against the browsers of others who've tested it - which will also help with their research into the privacy risks posed by browser fingerprinting (and they will anonymize your info). It seems Internet tracking and advertising companies are already using these kinds of web browser tracking techniques to record and track people's online activities.

The theory behind this is intuitively obvious - the more facts that someone knows about you, the more likely it is that they can identify exactly who you are (it's been shown that zip code, birth date and gender combined were enough to uniquely identify 87% of the US population).

In maths terms, to uniquely identify 1 person out of the current world population of 7 billion, you need about 33 bits of identifying information; each fact you learn about a person reduces the "entropy" of their identity (I'll spare you the formula! As the EFF explains, bits of entropy are about how large a crowd the information would reveal you within. 10 bits of identifying information would allow you to be ID'd from a crowd of 2 to the power of 10, or 1024, people; 3 bits of info would identify 1 person uniquely within a group of 8 people, and so on).

The same principle can be applied to web browsers. Every web browser has particular characteristics. When you go to a webpage on the internet, the information the browser sends to the web server includes a User-Agent header with info about some of those characteristics, like the browser's name (e.g. Internet Explorer), operating system (e.g. Windows XP) and browser version number (e.g. 3.5.7).

The EFF have found that on average, User Agent strings contain about 10.5 bits of identifying information (5 bits to 15 bits on average), so only 1 person in about 1,500 (which is 2 to the power of 10.5) has the same User Agent as you do. 10.5 isn't much out of 33, there's all those 1,499 or so other people, but if you combine that with other info like geographical location and what browser plugins are installed, it all starts to add up.

Even if you reject or delete browser cookies, even if you hide your IP address using tools like the EFF's Tor, your browser's User-Agent gives away quite a lot of info.

The EFF are now extending their research from User Agents to include other web browser info that can be collected and analysed by web servers, info which together make up the "fingerprint" of the browser:

  • The user agent string
  • The HTTP ACCEPT headers sent
  • Screen resolution/size and color depth (time zone too, it seems)
  • The browser extensions/plugins or addons, like Quicktime, Flash, Java or Acrobat, that are installed, and their versions
  • The fonts installed on the computer, as reported by Flash or Java
  • Whether your browser executes JavaScript scripts
  • Yes/no information saying whether the browser accepts various kinds of cookies and "super cookies"

(plus "housekeeping" information to help them fingerprint the data: cookies for repeated visits; encrypted IP addresses and timestamps - see their privacy policy for full details).
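The arithmetic behind these measurements, as an added example (not the EFF's code and not part of the original post): it computes the bits of identifying information for each attribute and for the combined fingerprint over a small constructed population. The attribute names and sample values are assumptions made for illustration, and the example goes slightly beyond the text in showing that per-attribute bits only add up when the attributes are independent.

```python
import math

ATTRS = ("user_agent", "screen", "timezone", "plugins")

# Constructed sample of 64 browsers: (count, user_agent, screen, timezone, plugins).
# Values are invented for illustration, not taken from the EFF data set.
SAMPLE = [
    (32, "IE8/WinXP",        "1024x768",  "UTC+0", "Flash"),
    (16, "Firefox3.5/WinXP", "1280x1024", "UTC+0", "Flash,Java"),
    (8,  "Firefox3.5/Linux", "1280x1024", "UTC+1", "Flash"),
    (4,  "Safari4/Mac",      "1440x900",  "UTC-5", "Flash,QuickTime"),
    (2,  "Opera10/WinXP",    "1024x768",  "UTC+1", "Flash,Java"),
    (1,  "Firefox3.5/Linux", "1680x1050", "UTC+1", "Flash,Java,Acrobat"),
    (1,  "Safari4/Mac",      "1440x900",  "UTC+0", "Flash,QuickTime"),
]


def expand(sample):
    """Turn (count, values...) rows into one dict per observed browser."""
    population = []
    for count, *values in sample:
        population.extend(dict(zip(ATTRS, values)) for _ in range(count))
    return population


def bits_to_single_out(crowd):
    """Bits needed to pick one member out of a crowd of the given size."""
    return math.log2(crowd)


def crowd_size(bits):
    """Size of the crowd that a given number of bits narrows you down within."""
    return 2 ** bits


def anonymity_set(population, visitor, attrs=ATTRS):
    """How many recorded browsers share the visitor's values for attrs."""
    return sum(all(b[a] == visitor[a] for a in attrs) for b in population)


def fingerprint_bits(population, visitor, attrs=ATTRS):
    """Self-information, in bits, of the visitor's values for attrs."""
    matching = anonymity_set(population, visitor, attrs)
    if matching == 0:
        # The measurement counts the visitor too, so record them first.
        raise ValueError("visitor must be recorded in the population first")
    return math.log2(len(population) / matching)


def per_attribute_bits(population, visitor):
    """Bits conveyed by each attribute considered on its own."""
    return {a: fingerprint_bits(population, visitor, (a,)) for a in ATTRS}


POPULATION = expand(SAMPLE)
COMMON = POPULATION[0]                   # the most widespread configuration
RARE = dict(zip(ATTRS, SAMPLE[5][1:]))   # a configuration seen only once

if __name__ == "__main__":
    print(f"7 billion people: {bits_to_single_out(7_000_000_000):.2f} bits")
    print(f"10.5 bits: 1 in {crowd_size(10.5):.0f}")
    for name, visitor in (("common", COMMON), ("rare", RARE)):
        parts = per_attribute_bits(POPULATION, visitor)
        joint = fingerprint_bits(POPULATION, visitor)
        print(name)
        for attr, bits in parts.items():
            print(f"  {attr:<11}{bits:5.2f} bits")
        # Correlated attributes overlap, so the naive sum overstates the total.
        print(f"  naive sum  {sum(parts.values()):5.2f} bits")
        print(f"  combined   {joint:5.2f} bits "
              f"(shared with {anonymity_set(POPULATION, visitor)} of "
              f"{len(POPULATION)})")
```

The combined figure can never exceed the bits needed to single out one browser in the sample, which is why a fingerprint that is unique in a sample is reported as conveying "at least" that many bits.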

When I tried their Panopticlick, my browser was unique amongst the over 33,000 tested so far (word must be spreading, it was only a couple of hundred when I first tried it this afternoon!):

"Currently, we estimate that your browser has a fingerprint that conveys at least 15.03 bits of identifying information."

Of course, this will only identify the individual browser used, not the person using it, but if you visit a website several times using the same browser, even if you change your IP address, and if the site uses the same sorts of techniques as the EFF are trying in their research, you may well be fingered as the same person, and thereafter tracked, from your browser's fingerprint - especially if it's a site where you login and they can link your real name or identity used on the site to your browser's fingerprint (e.g. because they plant a cookie too).

The EFF suggest some methods that users could try to prevent or reduce this kind of tracking.

It seems we're heading more and more towards "Everything could well be personal data", especially with the ability to link more and more information.

EDPS on agreements to transfer data outside EU - passenger name records, financial data

The European Data Protection Supervisor Peter Hustinx has issued comments on international agreements for the exchange of data of 25 Jan 2010, notably the EU-US and EU-AUS PNR (passenger name record i.e. passenger flight info) agreements and the EU-US TFTP (Terrorist Finance Tracking Program) agreement (allowing the US to get info on EU banking transactions).

In brief, he's not satisfied that the agreements adequately protect the privacy of EU citizens in terms of purpose limitation, proportionality etc.

He also emphasised the need for a comprehensive approach to international data exchange agreements and would support the current initiative for a transatlantic agreement on law enforcement with the United States of America (mentioned in my summary of the Article 29 Working Party's paper on the future of privacy) - "provided that the level of protection offered by the agreement is sufficiently high and strong implementation measures are foreseen".

Data breaches - reports to ICO - "disclosed in error"?

Just over 800 data security breaches have been reported to the Information Commissioner's Office since November 2007, according to the ICO press release of 26 Jan 2010.

Will the ICO's new powers to fine organisations up to £500,000 for serious data protection breaches ("monetary penalty notices" - see ICO guidance), coming in from 6 April 2010, spur them to report breaches more - or not report, and cross fingers that the ICO doesn't find out?? Hopefully the prospect of higher penalties if they don't report breaches, and get caught out, will incentivise organisations to report breaches, but who knows - at least telecoms companies will be required to report data breaches come May 2011, though again if they don't, who's to know that it happened?

Here is the ICO "breach table" dated as of 26 Jan 2010 (source link - inexplicably the PDF's filename has "jan09" in it rather than "jan10", hopefully a mistake in the filename rather than in the period covered?).


Thefts and losses (including losses in transit) seem to be the biggest sources of data breaches, but we knew that.

"Disclosed in error" beats even thefts, in terms of private sector data breaches - is that from social engineering, or just carelessness? How do you "mistakenly" disclose private data?

David Lacey pointed out a Financial Times article noting that in the recent attack on Google and other US corporations, the attackers had been pretty systematic - they figured out which employees had access to the proprietary data they wanted, then found out who their friends were and hacked into the social network accounts of the friends (e.g. on Facebook), to try to make it more likely that the targeted employees would click on links that the attackers sent the employees while masquerading "as" those friends. (Although they also could have used backdoors required by the US government.)

And ComputerWeekly recently reported that the UK Ministry of Defence had admitted that military secrets had been leaked on social media sites and forums, including Twitter, 16 times in the last 18 months (text of MoD reply).

Surely these incidents boost the argument made by many, including by Bruce Schneier and by the EU Article 29 Working Party, that the law should require websites' user defaults to be much more protective of privacy than they are now? (At present the defaults are mostly not private, with everything including your friends visible to everyone by default.)

Sunday, 24 January 2010

Creative content online - EU consultation responses

The European Commission have published the responses to their consultation "Content Online" 2009-2010 which closed on 5 January 2010.

I had previously mentioned their very wide ranging October 2009 consultation paper Creative Content in a European Digital Single Market: Challenges for the Future which covered access of consumers and commercial users to digital content as well as protection of rights holders in the light of increasing digitisation and internet use, i.e. the "information society".

There have been lots of contributions in response to the consultation, from states and public bodies, organisations, businesses and even individuals e.g. the BBC, BSkyB, Consumer Focus, European Federation of Journalists, European Telecommunications Network Operators Association, IFPI - International Federation of the Phonographic Industry, Intel, UK Intellectual Property Office, Nokia, Open Rights Group, PRS for Music, UK Film Council, libraries and other trade bodies for creators, publishers and sellers of books, music, games, films, videos etc.

We await the Commission's analysis of the submissions and their official response.

Lawmakers - politicians still have little business experience

The Industry & Parliamentary Trust's December 2009 paper "PPCs’ Business Backgrounds: An Analysis - Prospective Parliamentary Candidates standing at the next General Election: An analysis" is interesting reading given that the UK elections are due this year.

Key findings:

  • "Less than half the PPCs surveyed (48%) can demonstrate Business Management or Financial Services (BMFS) experience;
  • PPCs standing in the next General Election have more BMFS experience than current MPs (as surveyed in April 2008);
  • In comparison to the current House of Commons, there are a higher proportion of female PPCs standing for the three main political parties;
  • The average age of a PPC standing in the next General Election is 43;
  • Across the three main parties, Business Management or Financial Services roles dominate over current employment in other sectors."

From the summary (emphasis added):

"In August 2009, the IPT commissioned research into the political backgrounds and outside ‘real-world’ experience of the prospective parliamentary candidates (PPCs) standing for election in the more marginal parliamentary seats. The aim of this research was to create a clearer picture of the next generation of MPs. This research builds on the joint IPT-ComRes report, Do Our Lawmakers Understand Business? (April 2008). The report considered two questions:

· “How suitable is the law-making system, in general, when it comes to matters of business or finance?”

· “How do the six legislatures relevant to the UK compare to each other in terms of their business friendliness?”

It demonstrated that the vast majority of MPs across all six legislatures (the House of Commons, the House of Lords, the National Assembly of Wales, the Scottish Parliament, the Northern Ireland Assembly and the European Parliament) had little or no substantial business experience. Across all six legislatures, just 13% of politicians could demonstrate five years or more practical experience of Business Management or Financial Services. In the House of Commons the figure was 21%.

The research underlined the fact that many of the politicians who make decisions having a major impact on UK businesses have very limited personal experience of the sort of challenges that those businesses face.

Furthermore, surveys carried out within industry or commerce showed that business leaders feel that, ‘too few of our politicians have business experience’ and 86% of those surveyed agreed that ‘too often legislation is passed with insufficient regard to its impact on business’.

This latest report focuses on the backgrounds and experiences of PPCs, with the aim of drawing comparisons between their demographics as a group against those of MPs currently in the House of Commons."

Little change, one might say - the 2008 report commissioned by the IPT, "Do Our Lawmakers Understand Business?", had already "exposed a worrying, if unsurprising, trend: more of our MPs are entering politics with little or no experience of the business world."

At least there are more female candidates and this bunch of candidates seems to have more real life real world experience than the current lot.

I'm increasingly a fan of the House of Lords, who although unelected seem to have done a lot of good in terms of making sensible laws, e.g. currently with trying to get improvements through on the Digital Economy Bill.

A perceptive friend of mine once suggested a plausible reason for their generally more common sense approach and longer-term view of things. Lords are appointed for life, so they are much more likely to look at the bigger picture for the whole country over a period of some years, rather than MPs who (admittedly putting this somewhat simplistically) just care about the next handful of years. I think there's something in that.

UK Oink P2P filesharing acquittal

In what's been widely reported as the first UK filesharing case, software engineer Alan Ellis, who ran the peer to peer music file-sharing site Oink (a BitTorrent tracker that enabled communication between other computers), was on 15 January 2010 unanimously acquitted by a Crown Court jury of the criminal charge of conspiracy to defraud - a common law offence.

There's a succinct summary of the verdict and legal position in the Financial Times. Some members of the Oink community who had been charged with copyright infringement offences had already pleaded guilty, previously.

What's puzzling is why they didn't try to get Ellis on some other basis like (as Technollama pointed out) "communicating" the copyright works to the public under section 107(2A) Copyright, Designs & Patents Act 1988, or - not as juicy as a criminal offence, granted, but more likely to give them a victory on liability - "authorising" others to infringe copyright under section 16(2) Copyright, Designs & Patents Act 1988, as Out-Law suggested.

Incidentally TorrentFreak said the charge was conspiracy to defraud the music industry, rather than to defraud the members of the site who made donations - possibly conspiracy to undermine the music industry's business model? Either way, full details of the exact charges laid would have been helpful to know.

There are some concerns, expressed e.g. in Technollama, that this acquittal will be used to try to help push through the disproportionate Digital Economy Bill - e.g. the FT article said "However, Friday’s acquittal indicates that it could still be difficult to pin down illegal downloading".

As may be obvious, I don't think that's right. The inexplicable failure in the Oink Ellis case to properly pursue the remedies available under existing law (under the sections mentioned above) is not a good reason to take away the right to a fair trial before an impartial court based on all the evidence whenever the person concerned is accused of copyright infringement.

Tuesday, 19 January 2010

PETs - Stephan Engberg's response

Stephan Engberg, one of the speakers at the European Commission's December 2009 workshop on PETs (privacy enhancing technologies), has responded to my blog post on the recently published PETs workshop papers, and has kindly given his permission to post his emailed comments here:

"Interesting comments.

As speaker at the workshop I cannot help noticing that key elements are not reported accurately (amendment ongoing but perhaps not in conclusions).

I therefore suggest to have a look at my presentation to some of the key omissions.
http://ec.europa.eu/justice_home/news/events/workshop_pets_2009/presentations/ENGBERG_Stephan.pdf

Especially my definition (page 12 below) of PET eID (or "National Id 2.0" as I prefer to label it) - this is critical because it is about empowering the citizen in free choice negotiations and ensure that markets can self-adjust EVEN if consumers prior made a mistake by providing identifiable data elsewhere.

The interim report was severely biased towards mere internal data protection (does NOT provide privacy) and really bad applications claiming PET status for no justifiable reason while ignoring many of the most obvious and successful PETs (e.g. Elections and CAR GPS Navigation).

We need much more precise definitions and economic framework understanding which was exactly what I was trying to provide.

E.g. definitions on PET (Enabling value and data sharing without transferring control), Privacy (Security from the point of view of an Individual focusing on Risk management and minimisation in general) and PET eID (Enable Context Isolation to ensure the DEMAND control value chains) while also demonstrating the economic fundamentals and how PETs are critical for innovation, security and efficiency.

PETs are not about what service providers do themselves (internal security measures do not provide privacy), but what infrastructure and governments do (e.g. preventing the citizens/consumers from "having to identify" in the first place).

Consumers are always in a conflict of interest negotiation with Service providers about price and control (power in later transactions). Unless we ensure the tools for consumers to MAINTAIN data control (i.e. remain un-identifiable which is not necessarily the same as anonymous), service providers will try to take control and create lock-in.

So when Government make eID which assume identification it is truly anti-privacy because bureaucrats WANT CONTROL for the sake of power. When infrastructure cartel standards prevent PET because THEY want gatekeeper control for (power and thereby) profits.

Here we should notice that Identity Gatekeepers are about a huge problem in themselves as they present privacy invasive and severely market distorting elements - Microsoft Passport was an Identity Gatekeeper trying to get into the role of being the "trusted party" to all transactions, and now we see the same with SAML and eGovernment gateways.

PET are prevented by lack of authority attention to the critical requirements for market processes to work.

BAD GOVERNMENT or rather bureaucrat policies are preventing PETs through lack of interoperability in communication protocols and technical interfaces while also preventing PETs from maturing by killing the market demand to pay for the industry to evolve.

PETs are a huge success - ask the criminals, look to Car GPS Navigation, Democratic Elections and Broadcast communication. Problem is that governments (incl. EU) and infrastructure cartels (through non-interoperable technical standards) are preventing the PET providers from making legitimate PETs for consumers in the private sector and citizen in eGovernment.

POINT: If we want prosperity through market innovation and efficient eGovernment, we CRITICALLY NEED PETs to empower the citizens.

Even though these are not simple issues, when bureaucrats claim Security through Surveillance, they are in reality undermining security and severely damaging the economy from evolving. They prevent PETs themselves for the sake of their interest while trying to claim PETs is a failure because nobody wants them. And most critical processes have no justification for this whatsoever - when shopping or getting eGovernment services you are NOT talking to terrorists or committing crimes justifying surveillance.

Legal Conclusions - we no longer can suffice with "Data Protection" and trying to regulate what is allowed to do with Identifiable Data - the problems are simply scaling out of control with digital integration and especially cloud. Instead we need to ensure Technology Design prevent abuse of data simply to prevent markets (and not only PET markets) from failing.

It goes so far as to realise that this blog is selling Personal Data in direct violation with the ePrivacy Directive (look in the thirdparty links yourself) and that the costs are much bigger than the benefit of what looks like a "free service". This is not intuitively obvious.

Regards
Stephan Engberg
(I consent to this being digitally linkable to my name meaning exactly zero privacy in this context risking abuse out of context)"

I am grateful for the clarification as to what was said at the presentation.

I agree that we need PETs to empower citizens. And I broadly agree about the conflict of interest and why PETs are not being adopted (see my blog post on PETs and compliance & enforcement - moving to PETs costs hard cash, and deprives businesses & governments of data which they think (probably rightly) would give them an edge, whether in crime policing or commercial competitiveness terms, so why should they do it unless it would benefit them e.g. because it's compelled by law with large penalties for breach, or because people will pay more for it?).

Many people do think eID could and should be implemented without full identification, i.e. more granular disclosure with pseudonymity - see e.g. Dave Birch's brilliant and very readable paper "Psychic ID: A blueprint for a modern national identity scheme" (PDF).

It's interesting that the Article 29 Working Party also want current laws to be beefed up to require PETs etc (see my report of the Article 29 Working Party's Future of Privacy paper), although as mentioned in that blog post I'm taking a "wait and see" attitude as it may be over-optimistic to think their recommendations will be taken up fully by the Commission.

However, I don't follow the references to car GPS etc as demonstrating the success of PETs - surely they underline the need for PETs? And I don't quite see how SAML and eGovernment gateways necessarily constitute identity gatekeepers?

Finally, I don't believe this blog is selling personal data in breach of the ePrivacy Directive in view of the third party links, and would be interested to know in more detail why that has been suggested?

In terms of selling data, this blog doesn't even have ads. And merely linking to a third party site surely wouldn't reveal to the third party site the IP of a visitor to this blog, at least in the case of a basic simple link. The Javascript for Delicious, tweets, Digg and AddThis sharing might, I suppose, tell Delicious etc that a particular IP address has visited my blog, but how does that violate the ePrivacy Directive? I'd be interested in any further views on this, or indeed any other points.

Saturday, 16 January 2010

PETs - economic benefits - EU

As part of an ongoing European Commission project, in June 2009 the Directorate General for Justice Freedom and Security (DG JLS) commissioned London Economics to conduct a study on the economic benefits of privacy enhancing technologies or PETs.

They presented their Interim Report at a Commission workshop on the economic benefits of PETs on 12 November 2009 at which there were several other presentations, including by representatives from the UK Information Commissioner's Office and other regulators, consultants Accenture, and the Center for Democracy and Technology.

See the 20-pg report on the workshop proceedings, where the interim report seems to have met with some criticism:

"Caspar Bowden launched the Q&A session with a scathing attack on the Interim Report, highlighting a fundamental lack of both definition and categorisation of PETs. He went on to assess the results so far as being predictable as a result of questions which were too vague. He cited a list of terms which he suggested should be fundamental to any report on PETs, and which were missing: zero-sum, minimisation, subject access, transparency, threat model, onion routing, differential privacy…, and a “total blindness in the Report to any […] notion of personal data”. In response, Moritz Godel accepted there was indeed a weakness with reference to the current research on PETs from a Computer Science perspective. Caspar Bowden reiterated his concerns that there appeared to be a general lack of understanding on the subject and that the questions being asked were too simplistic – much of these concerns into the validity and competence of the Report to-date were echoed by a number of other speakers including in particular John Borking and Stephan Engberg."

If the interim report failed to deal with data minimisation, the concept of "personal data" etc, I can quite see why attendees felt it was disappointing.

Unfortunately I can't seem to find a copy of the interim report itself. However, there are copies of the workshop presentations / papers on the Commission events webpage, including on:

As previously mentioned the ICO had last year commissioned research to develop a "compelling" business case for investing in proactive privacy protection (see the progress report). It'll be interesting to see the final version when it comes out.

Wednesday, 13 January 2010

Numeracy again - "up to" 2 million

While on the subject of numeracy and statistical literacy, I notice that there's a Reuters news story today saying that:

"President Barack Obama's emergency spending measures last year saved up to 2 million U.S. jobs".

Saved "up to" 2 million jobs?

So they could have saved just 1 or 2 jobs, then. Or none.

This is, of course, not a comment about the Obama administration but about how figures and stats can be misused. I don't know if the quote was verbatim or if it was the reporter who phrased it as "up to".

MPs & numeracy / maths literacy

The topical briefing notes occasionally prepared by the House of Commons Library for UK Members of Parliament included one yesterday on "How to understand and calculate percentages" (statistical literacy guide).

It covers e.g. "What are percentages?", "Why are they useful?", increases & decreases, how to work out percentages and "What is the % button on a calculator?"

Other briefing notes were on topics like UK Overseas Trade (Current Account): Economic Indicators, GDP - International Comparisons: Economic Indicators page, House prices: Social Indicators page, and Interest Rates and Inflation. Many of which contain percentages, so that's just as well.

While the note is good it's somewhat worrying as one would have hoped that those who make the laws that affect all aspects of our lives would have already known what percentages are and what they're for. At least it's not on "How to tie your shoelaces".

Saturday, 9 January 2010

"Oh Mandelson" - Digital Economy Bill - parody

If you choose to sing or play along with this to the tune of "Mandy" by Barry Manilow or Westlife, don't do it out loud in "public"! Scroll to the second half of this blog post to find out why.

Links for the references below don't appear in the video as you can't yet link YouTube videos to external sites (only to other YouTube items). Click the links to find out more about the references, e.g. to Finland.

Oh Mandelson

We'll regret it all our lives
If our freedoms don't survive
With the DEB, they'll reach through our windows
Prying day and night
To get right into
What we're sharing on the Net
- but kids and grans are not the threat
What a rotten show, to cut their connections
Without a court of law to weigh up the evidence

Oh Mandelson
You can take your posh dinner and -- eat it
But don't kill our cafes, oh Mandelson
When a Bill is so wrong, we must beat it
Or we're all gonna pay, oh Mandelson…

Seems like you don't fathom tech
Kids and grans are not the threat
Don't just cut them off, while organised crime
Gets away with it, time after time.
Parliament debates our laws
When they're major, just because
Democracy demands that one person's say-so
Can't change copyright
That's got to be wrong - oh

Oh Mandelson
You can take your posh dinner and -- eat it
But don't kill our cafes, oh Mandelson
When a Bill is so wrong, we must beat it
Or we're all gonna pay, oh Mandelson…

Innocence should be the default position
No one should be done on mere accusation

Oh Mandelson
Many people have insecure wifi
- or just live in Swindon
Oh Mandelson
Please don't force me to not share my Mifi
Or go live to Finland

Oh Mandelson
You can take your posh dinner and -- eat it
But don't kill our cafes, oh Mandelson
When a Bill is so wrong, we must beat it
We'll defeat it

This video, images and words are released under a Creative Commons BY-NC-SA licence – i.e. copy, use, remix as much as you like, as long as you credit it with a link back to this blog post and don’t use it commercially without my permission. I of course gave TalkTalk permission to use, even commercially, this blog post as well as the video, as part of the conditions for entering the competition mentioned below.

The above video and words are my entry for the Don't Disconnect Us competition. The contest was for people to create a song, poem or other form of artistic expression in protest against the proposed UK ‘Three Strikes’ law (see Digital Economy Bill links). UK ISP TalkTalk set up the Don't Disconnect Us site.

The compo, to be judged by polymath actor/comedian/presenter, writer and technology/science enthusiast Stephen Fry, is open till midnight on Friday 22 Jan 2010. So if you want to have a go yourself, go ahead - it could be a poem, artwork etc, it's entirely up to you.

But if you like my entry do please rate it so that I can be in with a chance of winning!

The rest of this blog post explains why I am confident my video doesn't infringe any copyright.

No need to read on unless you're interested in things like that - but, I repeat, be careful not to sing or play along with the video "in public"!

Warning: the following may contain "copyright" as a verb, and "copyrightable". If that offends your sensibilities, don't read on.

Singing along with this video - don't do a public “performance”

If you want to sing along to my video feel free. Pick a tune, any tune... But DON'T sing it (or indeed sing or play any other "in copyright" songs / carols / recordings) “publicly” - whether on your radio or PC speakers, not as background music while working e.g. in a garage or a police station, not to your cats, dogs or horses, not even at a Girl Scouts' campfire singsong. Just don't do it unless you get the copyright owner's permission.

Your home living room or bedroom, or indeed shower, is fine as long as you're not so loud that “the public” (i.e. effectively anyone who's not in your family) can hear you - neighbours, passers-by etc.

Why? Because the copyright police could pop up to claim it’s a “public performance” - so pay up for a licence now, or get sued. That even includes singing Happy Birthday in public (because it’s still technically in copyright).

Indeed, in the USA ASCAP wanted to be paid again for (already-bought) ringtones whenever mobile phones / cellphones rang in public, but the judge sensibly wouldn't wear it.

Not singing or playing a copyrighted song in public is the strict "100% safe" view, of course. In practice you would have to be heard, and considered worth suing - even if it's just to make an example of you - before you get sued. Though sometimes they can relent.

Things to note about copyright in songs & recordings

  1. Copyright rights. Copyright in a creative work gives the copyright owner certain exclusive rights to that work - including (with some exceptions) the right to stop others from copying or reproducing the work, adapting it or performing it in "public", unless the owner allows it. Which they won't usually do unless they get paid e.g. royalties for licensing the rights.

    The law gives creators exclusive rights for a certain period or term to reward them for their efforts or creativity, but, in return, after that term anyone can (generally) use and build on the work etc. freely, to the enrichment of culture as a whole. No one creates in a vacuum, everyone has influences.
  2. Copyright term. Copyright in things like songs and poems lasts for (generally) the life of the author plus X years (X=70 in the EU), in order in theory to help support the author's children and grandchildren - but for copyright in performances and sound recordings the duration is 50 years in the EU, though the EU wants to extend it to 95 years in order to feed, perhaps rather more realistically, music industry executives' and shareholders' great grandchildren. Again, after the copyright term ends, anyone can copy, use, adapt or publicly perform the work (or recording, depending).
  3. Different things, different rights. The rights of composer and lyricist in a song are different from the rights of the record producer and performers (singers & other musicians) in relation to their recording of the song. In other words several people may well have different rights in relation to the same song. And of course there may be different recordings of the same song.
  4. "Private use". There is no general "private use" get out for breach of copyright in the UK. I repeat, no general private use exception!

Why don't my video and lyrics land me in copyright doodoo?

Am I in trouble for my video and lyrics? Do they cause me to infringe copyright?

I don't think so, and here's why not.

Title - why did I call it "Oh Mandelson" and not "Oh M****"?

In the UK and US, generally titles (of songs, books, poems etc) can't effectively be copyrighted because they're too short (see p.2 of this Australian note mentioning the case of Francis Day & Hunter Ltd v Twentieth Century Fox Corp Ltd [1940] AC 112 where the highest English court said that a film called "The Man who Broke the Bank at Monte Carlo" didn't infringe the copyright in a song with that title).

However, France and some other countries will protect even short titles. In the EU (which of course includes the UK) it seems even 11 word snippets could now be subject to copyright.

So to avoid being sued in the likes of France, I'm not calling the song "M****" or even "Oh M****". I'm calling it "Oh Mandelson". Now you know why.

Music - why isn't there any music?

Even though I'd worked out a piano accompaniment and made up a harmony line to go with the original song which I'm riffing off, I didn't include any music with my video (except for the credits at the end, which are over a Creative Commons licensed song by the eternally brilliant David Byrne). Why not?

Rhythm patterns or chord progressions / harmonic progressions - there’s generally no copyright in rhythms or in chord progressions. Else virtually no one would be able to write any new songs.

Countless songs are based on the same 3 chord trick, while other combos of chords are used again and again too, e.g. the "sensitive female chord progression" (Am F C G if in A minor).

Another commonly used sequence of chords is demonstrated by the following clever video (via Techdirt, and see the Pachelbel video rant mentioned there) which runs together bits from different songs into the same key - and guess what, they use the same chords! (E B C#m A if in E major):

Indeed, popular 80's comediennes French & Saunders got away with taking off well known songs or genres just by using the same (or at least very similar) chord progressions - but different tunes.

However, that's only in general. As this blog post puts it:

"To use the same chords with the same rhythm as the song you found it in starts to move into the copyright infringement area. So be sure that your use of the progression is unique."

In other words if you're using the same chord progressions and rhythm and indeed the same groups of (albeit well known and commonly used) chord progressions in the same order, that combination is probably getting too close to the line, and may even cross it.

It's an infringement to make an "adaptation" of a work without permission, which in the case of a "musical work" means recording (writing, audio etc, so unrecorded piano doodlings are OK) "an arrangement or transcription" of the work (section 21 of the Copyright, Designs & Patents Act 1988, section 21(3)(b) to be precise, if you're desperate to know).

What's an "arrangement or transcription" of a musical work? Encyclopaedia Britannica: "A transcription is essentially the adaptation of a composition for an instrument or instruments other than those for which it was originally written. An arrangement is a similar procedure, although the arranger often feels free to take musical liberties with elements of the original score. This is especially true of arrangements for jazz or rock groups and arrangements of popular compositions or songs from musical comedies".

I can't find any case law exactly on point (ADDED: only on taking parts of lyrics not being an "adaptation", Morrison Leahy 1993, and that creating performing editions which try to reconstruct a 17th century composer's music, including missing bits, faithfully but playably, wasn't in general making an "arrangement" of it - Sawkins 2005 - and see the Williamson parody case mentioned below, where the lyrics were thought safe but the music was too close; if the music sounds too similar to the ear, that could be "substantial" enough). So I suspect there's a good chance that, even though it doesn't include the original melody, any backing music with the exact same chord progressions in exactly the same order and with exactly the same rhythms for the whole length of the song might well be considered an "arrangement" of the original song (Oxford English Dictionary: "a composition arranged for performance with instruments or voices differing from those originally specified") if not a substantial reproduction ("the way that the commonplace elements are assembled", see Williamson). That's why there's no backing music in my video, as it's not worth the risk.

Harmony line - making up a harmony can’t infringe copyright as long as the harmony line is original and doesn’t copy any part of an existing copyrighted melody. In that sense my own harmony line, which is itself an original tune in its own right, should be OK because I was careful to make sure it didn't copy any other melody.

Trouble is, my words follow much the same rhythm pattern as those of the original song so that they'll scan and match if you sing them to the original tune - even though, of course, you can recite my words like a poem, you don't actually have to sing them to any tune (and, I repeat, if you do sing or play them to the tune of "Oh Mandy", don't do it in public or you're risking a "public performance"!).

My harmony's not a "copy" of the original tune - but could it be an "adaptation", i.e. an arrangement or transcription? I don't know what "transcription" means here either. OED again on "transcription": "an arrangement of a piece of music for a different instrument, voice, or group of these" (so, the same as "arrangement" then??)

I'd have thought a totally different monophonic tune with the same rhythm pattern (but no musical backing whatsoever) wouldn't be a "transcription", whereas it seems the same (or very similar) tune in a different key or style or for a different instrument would be - but who knows.

So while I believe my own harmony line would be non-infringing, I don't want to take the risk of my own melody being considered an "adaptation" of the original song. If anyone knows whether making up an original and totally different harmony line to an existing tune has been held to breach (or indeed not breach) copyright in the existing tune, I'd really like to hear about it.

If DontDisconnectUs or TalkTalk thinks the risk is minimal and offers to help fund my defence should I get sued, however, I'd be happy to put up the video complete with my own tune that harmonises with the original tune (but is an original melody in its own right that doesn't copy the original tune)!

Words - are my words safe?

What about my words? Do they infringe copyright in the original lyrics?

In the UK, there's a "reproduction" copyright problem only if you copy or reproduce a “substantial part” of the original. Copying only an insubstantial part is OK.

Unfortunately, “substantial” isn’t clear. It’s an issue of quality, not quantity. E.g. with words, one verse (4 lines) of Kipling’s 32 line poem "If" used in a Sanatogen pills ad was enough to amount to a “substantial part”. With music just the short hook or recognisable riff from a song might be enough – e.g. the lawsuit about the Ghostbusters guitar riff, or Vanilla Ice and the bass riff from “Under Pressure”. It's whether people can recognise the original song from the bits used in the "copy".

So let's compare my words with Manilow's - I haven't even used any 2-word sequences from his original lyrics, just single words here and there:

  • Same word in same place, only 1 word used
    • used just once - all, night, into
    • used several times - Oh
  • Different but similar(ish!) word in same place, again only 1 word used
    • used just once - regret (remember), our (my), lives (life), windows (window), prying (crying)
    • used several times - Mandelson (Mandy).

In a parody of the song "There is Nothin' Like a Dame", the only parts left from the original song were the words "we got", used several times. Result - no infringement, those words weren't copyrightable anyway in themselves, so there was no copy of a "substantial" part. (Williamson Music v Pearson, 1987). On that basis I think I'm OK because you can't copyright "all", "night" etc. Or even "Oh". Fancy that. ADDED another example: in the Joy Music case a parody whose chorus contained "Rock-a-Philip, Rock-a-Philip, Rock-a-Philip, Rock" didn't infringe copyright in an existing song which had the words "Rock-a-Billy, Rock-a-Billy, Rock-a-Billy, Rock" - the verses were totally different and no music was used.

So I think I'm in the clear. I don’t believe my words have copied a “substantial part” of the original lyrics so as to infringe copyright in the original lyrics in the first place.

In the USA they value freedom of speech rather more than in the UK, and I'm pretty sure that there they'd consider my lyrics "transformative" enough to let me off. Even in the UK, being "transformative", putting a huge amount of your own work and effort into your creation, should help to make it "fair" dealing (but I won't tell you how many days I spent on mine, you'll think I'm even sadder!).

“Fair dealing”?

What's fair dealing? Now if I'm wrong and my lyrics do reproduce a “substantial part” of the original song, could I be saved by any of the exceptions which are allowed by law? These are defences or get outs that can save you even if you have breached copyright. (But, I repeat, there's no "private use" or "non-commercial use" exception - and "private study" doesn't apply here.)

One major UK exception which lets you off copyright infringement is where what you've done is “fair dealing” with the original work for the purpose of criticism or review (where the work's been published), or for the purpose of reporting of current events (where the work isn't a photo) - as long as it's accompanied by a "sufficient acknowledgement" of the original. (Note that UK "fair dealing" is NOT the same as the much broader and culture-friendlier US “fair use” concept).

Criticism or review. My words are meant to be criticism and review of the Digital Economy Bill via a homage to "Mandy" by Barry Manilow which is a classic, a perfect pop song with a great tune - go buy the original if you’ve never heard it (I trust that was a sufficient acknowledgement!) Also, I mention the original song in the video itself. Is that good enough?

To be saved by this get out, my work has to be criticism “of that [original song] or another work or of a performance of a work”.

Now my words don't constitute a criticism of Manilow's song or another creative work; they criticise proposed laws affecting internet access and copyright etc. While some might say, with no little justification, that the Bill is itself a creative work being performed by certain politicians, I dunno if that’s good enough! But seriously, the Bill is a "literary work", so I think I'm OK there. I'm criticising another copyrightable work, which is within the scope of the exception.

Also, the English courts have said that "criticism or review" is to be interpreted liberally. So e.g. it's enough to criticise the decision to withdraw a film as opposed to criticising the film itself (the Clockwork Orange Channel 4 case, where excerpts from the film were shown), and similarly to criticise the practice of chequebook journalism using extracts from a TV programme said to typify that kind of journalism (Pro Sieben, Court of Appeal). That should help even though the song lyrics whose rhythm I've based my words on aren't perhaps directly related to the work (the Bill) which I'm criticising, i.e. I'm really doing a parody about something else (which is what parodies tend to do - see further below on parodies).

Reporting current events. I've sufficiently acknowledged the original song, above. Tick. My words and video were certainly created at least partly for the purpose of reporting on issues under the Digital Economy Bill to do with internet connection cut-off without a fair trial before a court, and the risk of copyright law changes being made by an unelected Minister rather than by Parliament. Is that good enough?

The DEB is probably a "current event" as it's of national political importance. Not all events qualify as "current events" even if people are interested in them or they're reported in the news, though extensive media coverage can sometimes turn something otherwise trivial into a "current event". This matters because if it's not a "current event" there's no defence for reporting it. But at least the courts have said "reporting current events" is to be interpreted liberally too.

The bigger hurdle is that for the get-out to help me, the work I've dealt with, i.e. the Manilow lyrics, has to relate to, or at least be relevant to, the current event reported. Now the song has nothing to do with the Bill or copyright law (except to the extent I'm using it to illustrate difficulties with grey areas and absurdities in current copyright law), but obviously the title can be (and has been) used colloquially to refer to the prime mover behind the DEB, Lord Mandelson. Is that enough to make my lyrics "fair dealing" for the purpose of reporting "current events"? I honestly don't know.

(There's also a, very restrictive, let out for copyright breach if the copying is "for educational purposes", but although this song is in part to educate people about the problems with the Digital Economy Bill and in part to help educate people about some copyright issues, I am not yet, nor will I ever be, an educational institution!)

What about parody or satire?

My work is what most of us would think of as a parody or satire.

It's hard to parody a work without putting in enough references or allusions to the original work such that people will recognise the original, because that’s part of the point - you do it in such a way that people will get what work you're trying to parody, and hopefully think that your parody is clever or funny.

Problem is, if the original is identifiable from the parody, have you copied a “substantial part” of the original? Do the allusions make it a “copy”? The amount of work you've put into the parody will be a factor (the more the better for you), and I've certainly put in a lot.

Even if your work infringes copyright, if it pokes fun at an existing work there’s a good chance that it is a "criticism or review" of the work, and so might be saved by the "fair dealing" exception.

But what if you’re poking fun at the artist or composer / songwriter, rather than the song itself? Or what if you're building on or making reference to an existing work not in order to make fun of a creative work but to make a point about something else altogether, as in the case of my work? Basically then you're back to having to hope you'll be saved by the standard exceptions like "criticism and review" or "reporting current events", with all their uncertainties.

My point here is, being able to create and perform a parody / satire is important to freedom of speech, but there’s no let out in the UK for parody or satire generally - unlike in the USA and France, where parody and satire are specifically permitted by law – and there really ought to be.

The government-commissioned, evidence-based, independent 2006 Gowers review of intellectual property recommended bringing in a UK parody/satire exemption (for more info see e.g. this PDF note on Gowers and parody / satire), as well as other sensible reforms like making it legal to rip your own bought CDs - at the moment, believe it or not, strictly that’s not legal.

But sadly many of the Gowers recommendations seem destined never to be implemented, despite the increasing weight of public and expert opinion that our current copyright laws are broke. The UK IPO have alas decided (see para 19) not to introduce a parody / pastiche / caricature exception, but their consultation on what they do propose to implement from Gowers is still open, till 31 March 2010 - so if you have views do consider responding to them.

Basically what I'm really saying is that my words are so different that they don't infringe copyright in Manilow's lyrics at all in the first place, even if the rhythm is very similar, so I won't have to try to run arguments that it's fair dealing for criticism or review or reporting of current events.

If there’s nevertheless a complaint about copyright in relation to my words, I’ll just have to change them or delete them. Else – sacrificial lambs ‘r’ us!

Just so you know

I support ORG but I'm also a member of the "creative industries", as they like to call it, given my authorship of both words and music (in fact with any luck I hope to be getting something in from the MCPS and PRS myself. For other stuff, nothing whatsoever to do with any of this).

I just happen to believe in quaint outmoded old fashioned concepts like the right to a fair trial, innocence till guilt is proven, and basic democratic principles such as only duly elected representatives of citizens being empowered to make important changes to fundamental laws, and then only after proper open informed discussion.

And I also believe that we have to move with the times, that internet access is too important to modern society to allow disconnection of citizens or consumers without grounds judged to be correct and legitimate by an independent court of law based on all the evidence after a proper hearing, and that heavy handed over-the-top measures can be counterproductive and alienate consumers.

There are signs that the entertainment industry is finally modernising its business models by starting to deliver what consumers want, in the way that they want to consume them. Singles sales are at record levels largely due to MP3 downloads: "Digital sales now account for around 98% of the singles market. The BPI, which represents UK record labels, has said it expects total single sales in 2009 to exceed 150 million." Record label and entertainment group EMI has increased revenues in 2009 over 2008. Even US movie box office receipts are up as "Americans spent more money at the movie theater in 2009 than the year before".

All that without any 3 strikes or other threats of disconnection or suspension of internet access.

There are ways and there are ways. The Digital Economy Bill, certain parts of it at least, is not the way.

Disclaimer

Nothing in this blog post is legal advice, of course. If you need assistance on things copyright, please consult a copyright lawyer in the relevant country.


Friday, 8 January 2010

EU privacy, data protection - Art 29 working party "Future of Privacy" response to Commission consultation & other Art 29 WP developments

1. Privacy & data protection in the EU

Summary and overview

The EU's Article 29 Working Party has published The Future of Privacy (WP 168).

It's a good, well-informed summary of the current position and current thinking on the way ahead, and repays close reading given the status of the WP (effectively its members are the privacy & data protection regulators or supervisors of the EU member states). So I'll cover it in some detail.

This paper is its 28-pg response (made jointly with the Working Party on Police and Justice) to the Commission's curiously question-light consultation on the legal framework for the fundamental right to protection of personal data in the EU.

The response recommends that while better application of existing data protection principles would be beneficial, a new comprehensive legal framework for data protection is needed in the EU (including in cooperation on criminal matters), with possible additional regulation specific to industry sectors or member states.

In brief, the response says that the new framework should:

  • clarify key issues like:
    • consent (opt in / opt out confusion; not using "consent" when it's not the appropriate legal basis for processing)
    • transparency (as a pre-condition to valid consent and fair processing), and
    • applicable law (i.e. whether and which EU member state law applies, especially for multinationals with offices in more than one EU country. The WP is currently working on an opinion on the concept of applicable law, see para 28 of the Future of Privacy report, which may well be published in 2010, possibly with recommendations for a future legal framework)
  • introduce principles like accountability and privacy by design including privacy-protective defaults and use of standards-compliant privacy enhancing technologies or PETS (binding on technology designers & engineers, hardware manufacturers and developers as well as data controllers)
  • make improvements like cutting down on red tape and facilitating binding corporate rules (BCRs), and
  • harmonise and beef up the independence, powers, say and resources of national data protection authorities (DPAs);

and that the Commission should take forward initiatives towards a binding international framework based on global standards (such as the Madrid Resolution) to facilitate transborder data flows while protecting personal data, and bilateral agreements (at least as protective as global standards) such as may be developed by the EU-US High Level Contact Group on information sharing, privacy and personal data protection.

Some specific points of interest

Globalisation and accountability (para 39, emphasis added):

"from a general point of view, a new provision could be included in the new legislative framework pursuant to which data controllers would remain accountable and responsible for the protection of personal data for which they are controllers, even in the case the data have been transferred to other controllers outside the EU" [do they mean to include, processors outside the EU?]

Privacy by design (PbD) and privacy enhancing technologies (PETs): a "broader and consistent" principle of privacy by design should (emphasis added):

"be binding for technology designers and producers as well as for data controllers who have to decide on the acquisition and use of ICT. They should be obliged to take technological data protection into account already at the planning stage of information-technological procedures and systems. Providers of such systems or services as well as controllers should demonstrate that they have taken all measures required to comply with these requirements…
48. The application of such principle would emphasize the need to implement privacy enhancing technologies (PETs), 'privacy by default' settings and the necessary tools to enable users to better protect their personal data (e.g., access controls, encryption). It should be a crucial requirement for products and services provided to third parties and individual customers (eg. WiFi-Routers, social networks and search engines). In turn, it would give DPAs more powers to enforce the effective implementation of such measures."

Recommended PET principles (para 53), emphasis added:

"• Data Minimization…
• Controllability: an IT system should provide the data subjects with effective means of control concerning their personal data. The possibilities regarding consent and objection should be supported by technological means.
• Transparency: both developers and operators of IT systems have to ensure that the data subjects are sufficiently informed about the means of operation of the systems. Electronic access / information should be enabled.
• User Friendly Systems
• Data Confidentiality: it is necessary to design and secure IT systems in a way that only authorised entities have access to personal data.
• Data Quality: data controllers have to support data quality by technical means. Relevant data should be accessible if needed for lawful purposes.
• Use Limitation: IT systems which can be used for different purposes or are run in a multi-user environment (i.e. virtually connected systems, such as data warehouses, cloud computing, digital identifiers) have to guarantee that data and processes serving different tasks or purposes can be segregated from each other in a secure way."

Examples of PbD (emphasis added):

"• Biometric identifiers should be stored in devices under control of the data subjects (i.e. smart cards) rather than in external data bases.
• Video surveillance in public transportation systems should be designed in a way that the faces of traced individuals are not recognizable or other measures are taken to minimize the risk for the data subject. Of course, an exception must be made for exceptional circumstances such as if the person is suspected of having committed a criminal offence.
• Patient names and other personal identifiers maintained in hospitals' information systems should be separated from data on the health status and medical treatments. They should be combined only in so far as it is necessary for medical or other reasonable purposes in a secure environment.
• Where appropriate, functionality should be included facilitating the data subjects' right to revoke consent, with subsequent data deletion in all servers involved (including proxies and mirroring)."

Empower data subjects (paras 59 to 69):

"Changes in the behaviour and role of the data subject and the experience with Directive 95/46/EC require a stronger position for the data subject in the data protection framework… [especially children]

the possibility for class action procedures should be introduced in Directive 95/46/EC…

data controllers should provide for complaints procedures which are more easily accessible and more effective and affordable…

A general privacy breach notification should be introduced…

Consent - [In cases] when there is a clear unbalance between the data subject and the data controller (for example in the employment context or when personal data must be provided to public authorities)… [and where] complexity… outstrips the individual’s ability or willingness to make decisions to control the use and sharing of information through active choice… consent is an inappropriate ground for processing… particularly in the context of the internet, where implicit consent does not always lead to unambiguous consent [and] Giving the data subjects a stronger voice ‘ex ante’, prior to the processing of their personal data by others, however requires explicit consent (and therefore an opt-in) for all processing that is based on consent... The new legal framework should specify the requirement of consent, taking into account the observations made above…

Redress - Several elements of the Directive… such as the liability provision and the possibility to claim immaterial [i.e. intangible, non-financial] damages, have not been implemented by all Member States…[and] the interpretation of the Directive in the Member States is not always uniform… As globalisation increases… It is therefore of great importance that harmonisation be improved... if needed by specifying legislative provisions.

[Given the rise of UGC, social networks & cloud computing etc] whoever offers services to a private individual should be required to provide certain safeguards regarding the security, and as appropriate the confidentiality of the information uploaded by users, regardless of whether their client is a data controller…"

Strengthen data controllers' responsibilities (Chapter 6):

Embedding data protection in organisations, including proactive transparent policies, processes & mechanisms, compliance reports, audits and privacy impact assessments, data protection officers and "Certification of compliance by top level company executives confirming that they have implemented appropriate safeguards to protect personal data" (para 77).

"introduce… an accountability principle. Pursuant to this principle, data controllers would be required to carry out the necessary measures to ensure that substantive principles and obligations of the current Directive are observed when processing personal data. Such provision would reinforce the need to put in place policies and mechanisms to make effective the substantive principles and obligations of the current Directive… [and] would require data controllers to have the necessary internal mechanisms in place to demonstrate compliance to external stakeholders, including national DPAs… the measures expected from data controllers should be scalable and take into consideration the type of company, whether large or small, and of limited liability, the type, nature and amount of the personal data by the controller, among other criteria…." (para 79)

"Notifications of data processing operations with national DPAs could be simplified or diminished… better data governance and accountability requirements may achieve the same purposes… It should be explored whether and to what extent notification could be limited to those cases where there is a serious risk to privacy, enabling DPAs to be more selective and concentrate their efforts to such cases… This could be combined with a registration system [for all data controllers]"

Strengthen and clarify data protection authorities' roles and cooperation

"The new challenges to data protection (globalisation and the technological changes, Chapters 3 and 4) require strong supervision by DPAs, in a more uniform and effective way. As a consequence, the new framework should guarantee uniform standards as for independence [institutional, functional and material including adequate funding and resources], effective powers, an advisory role in the legislation making process and the ability to set their own agenda by, in particular, setting priorities regarding the handling of complaints, all on a high and influential level…

On the other hand, DPAs need to be accountable for the way they make use of their stronger supervisory role. They should be transparent in this regard and publicly report on the way they operate and the priorities they set…

it should be ensured that all issues relating to the processing of personal data, in particular in the area of police and judicial cooperation in criminal matters, will be included in the activities of the current WP29…

[the] changing emphasis in law enforcement has led to a dramatic increase of the storage and exchange of personal data in relation to activities of the police and justice sector. The technological possibilities to easily combine information may have a profound impact on the privacy and data protection of all citizens and on the very possibility for them to really enjoy and be able to exercise their fundamental rights, in particular whenever freedom of movement, freedom of speech, and freedom of expression are at issue… a future legal framework should address in particular… [the surveillance society.. data mining and risk assessments, stigmatisation, false negatives, false positives, conditions & safeguards on processing the personal data of non-suspects, the use of biometric data]… there may be added value in basing information exchange on a consistent strategy… Transparency is an essential element…

[On systems architecture] -

• Privacy by design and PETS (certification scheme) should determine the architecture. In the area of freedom, security and justice where public authorities are the main actors and every initiative aimed at increasing surveillance of individuals and increasing the collection and use of personal information could have a direct impact on their fundamental right to privacy and data protection, those requirements could be made compulsory.
• Purpose limitation and data minimization should remain guiding principles.
• Access to large databases must be configured in such a way that in general no direct access on line to data stored is allowed, and a hit/no hit system or an index system is in general considered preferable.
• The choice between models with central storage, meaning systems with a central database on EU-level and decentralised storage should be made on transparent criteria and in any event ensure a solid arrangement providing for clear definition of the role and responsibilities of the controller/s and ensuring the appropriate supervision by the competent data protection authorities.
• Biometric data should only be used if the use of other less intrusive material does not present the same effect."
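
To make the "hit/no hit" point in the list above concrete, here is an added sketch (not from the WP29 paper or this blog's original text) of an index that tells a requester only whether an identifier is known, while the record stays with the data controller and is released through a separate, justified request. The class names, the keyed-hash index, the audit log layout and the sample identifiers are all assumptions made for illustration.

```python
import hashlib
import hmac

class HitNoHitIndex:
    """Answers only 'known / not known'; holds keyed hashes, never the records."""

    def __init__(self, index_key: bytes):
        self._key = index_key   # assumption: key is held by the index operator only
        self._tokens = set()
        self.audit_log = []     # (requester, token prefix, hit), kept for supervision

    def _token(self, identifier: str) -> str:
        normalised = identifier.strip().upper().encode("utf-8")
        return hmac.new(self._key, normalised, hashlib.sha256).hexdigest()

    def register(self, identifier: str) -> None:
        self._tokens.add(self._token(identifier))

    def query(self, requester: str, identifier: str) -> bool:
        token = self._token(identifier)
        hit = token in self._tokens
        self.audit_log.append((requester, token[:12], hit))
        return hit

class ControllerStore:
    """The controller's own database: no online browsing, release only on a hit."""

    def __init__(self, index: HitNoHitIndex):
        self._index = index
        self._records = {}

    def add(self, identifier: str, record: dict) -> None:
        self._records[identifier.strip().upper()] = record
        self._index.register(identifier)

    def release(self, requester: str, identifier: str, legal_basis: str) -> dict:
        if not legal_basis.strip():
            raise PermissionError("a legal basis is required")
        if not self._index.query(requester, identifier):
            raise LookupError("no hit: nothing to release")
        return self._records[identifier.strip().upper()]

def demo():
    # Constructed sample data, not real identifiers.
    index = HitNoHitIndex(index_key=b"constructed-demo-key")
    store = ControllerStore(index)
    store.add("ab123456", {"name": "Constructed Person"})
    return index.query("agency-A", "AB123456 "), index.query("agency-A", "ZZ999999"), index
```

The index alone never holds names or case data, so a compromise or over-broad query of it exposes at most the existence of a match, and every query leaves an audit entry a DPA could inspect.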

Comments

By and large the paper makes sense, and it has to be right that data protection authorities ought to be given greater independence, powers and resources (as I've observed in the context of why PETs aren't being adopted, i.e. low penalties for privacy breaches and lack of resources and enforcement powers).

I'm glad that much of what is in the paper ties in with my suggested data dozen for privacy-protective identity management systems.

But I think that any future legislation needs to take specific account of human psychology and the engineering of consent (discussed in point 4 of my data dozen post).

And obviously many areas need a great deal of further thought and work, such as cross border data transfers and dealing with third party uploading of an individual's personal data on social networks such as Facebook.

It will be very interesting to see the Commission's proposals in the light of this and other responses to their consultation on the legal framework for data protection. But I wouldn't expect any proposals for legislation in the near future.

2. Other Article 29 WP developments

The Article 29 Working Party has been quite active generally.

You'll recall that the SWIFT provisional agreement, which allows the US authorities, from 1 Feb 2010, to get info on EU banking transactions, was made (coincidentally or not) just before the Lisbon Treaty gave the European Parliament more say in things EU.

In this context the Article 29 Working Party has expressed its "deep regrets for not having been consulted earlier, and strongly reiterated its wish to be consulted in the drafting process of the mandate for the future agreement in the coming months".

The Article 29 WP has also issued:
