Thursday, 30 September 2010

Privacy - UK regulator to issue fines for data protection breaches, at last

UK privacy regulator the Information Commissioner's Office is poised to impose, for the first time, monetary penalties of up to £500,000 on two organisations for serious data protection violations.

So said Deputy Information Commissioner David Smith yesterday at the Internet Society's INET London meeting (entitled "The Internet revolution: Opportunities, threats and challenges to your business - ignore it at your peril!"):

"We will be using that power, we're just in the process of doing that in the first two cases, and you'll see more of that."

(Note - since April 2010 the Information Commissioner has had a new power to impose financial penalties for serious breaches of the Data Protection Act 1998 (introduced under a new section 55C(1) of that Act, inserted by section 144 of the Criminal Justice and Immigration Act 2008), but hitherto hasn't made use of the new power, though it's issued guidance about its use.)

This is excellent news.

To expand further on the quote from Commissioner Reding previously mentioned, that "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement", Jim Killock of the Open Rights Group had suggested over lunch that the ICO had been muzzled, but was trying carefully to get its owner to lengthen its chain in such a way that it didn't get kicked back into the basement without any food! (I have permission to quote him, though I've paraphrased a bit.)

It looks like the ICO has managed to throw off its muzzle at last, and we await with interest hearing the names of who it's going to bite, and just how hard.

Law firm ACS:Law, perhaps? (On which see e.g. Technollama's blogs.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Phorm - Commission takes UK to court on inadequate privacy / data protection & email / browsing interception laws

Grandson of Phorm: the European Commission is referring the UK to the European Court -

"for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or internet browsing. Specifically, the Commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities. The EU rules in question are laid down in the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC."

I previously mentioned that in October 2009 the Commission had stepped up its action against the UK on this front, and the referral today is the final step, after their clearly unsuccessful attempts to get the UK to fix its inadequate e-privacy laws.

From the Commission press release:

"The infringement procedure was opened in April 2009 (IP/09/570), following complaints from UK internet users notably with regard to targeted advertising based on analysis of users’ internet traffic. The Commission previously requested the UK authorities in October 2009 (IP/09/1626) to amend their rules to comply with EU law.

The Commission launched the legal action against the UK in April 2009 following citizens' complaints about how the UK authorities had dealt with their concerns about the use of behavioural advertising by internet service providers (targeted advertising based on prior analysis of users’ internet traffic). These complaints were handled by the UK Information Commissioner’s Office, the UK personal data protection authority and the police forces responsible for investigating cases of unlawful interception of communications.

The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:

  • there is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications
  • current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as "freely given, specific and informed indication of a person’s wishes"
  • current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not."

For those interested, the main UK laws in question are:

The Commission also has raised wider issues with the UK over the (in)adequacy of the UK Data Protection Act more generally, so we'll see if further infringement action also results on that front.


Friday, 10 September 2010

Google to talk on privacy by design - ironic after Buzz, StreetView etc?

You can register to attend a tech talk by Google Privacy Product Manager Yariv Adan, entitled "Designing Privacy as a Product" if you're in Brussels on Mon 27 Sept 2010. They're even providing lunch. The Google blog post says:

Google has a whole group of engineers and product managers solely focused on developing innovative privacy features. Do you want to get an insider’s view into this team and the industry leading products they launched? What are the goals and principles leading their work? How do they "design for privacy"? How do they get users engaged? What are the challenges they face?...

Yariv has spent three years focused on building innovative products that protect both your privacy and your data, and will provide his insights into the goals and challenges we face as a company today.

If you're not a Brussels resident (is there a word for that, like Londoner? I dare not suggest the S word) and you can't flit over there, no doubt Google will be recording the talk. If so, I'll post the video as soon as I know the link.

Google has recently settled class action litigation by US Gmail users over Buzz, to the tune of US$8.5 million (to go to privacy advocates / educators), plus promises to help educate users on privacy. Buzz had exposed to the world Gmail users' "top" contacts (in Google's automated opinion) and other info users expected to be private, like what RSS feeds they subscribe to. (See the Buzz settlement agreement terms.)

And Google is under privacy regulators' microscopes in various countries in relation to the collection of people's wifi data by Street View vehicles (on which I plan to blog more anon).

So any focus on privacy by design / privacy enhancing technologies is welcome, but one can't help thinking that it would behove Google to make these kinds of talks compulsory internally too, and - even more to the point - to overhaul their internal procedures and processes relating to the public rollout of new products / services or updates in order to ensure compliance with privacy and data protection requirements.

As LightBlueTouchPaper pointed out, a compulsory internal compliance / privacy testing review before Buzz's launch would have caught the problem.

The Google Buzz fiasco was partly a product design issue, true (it seems they didn't think through the implications). But it was also partly caused by Google's failure to test Buzz externally, even within a limited group, before its public launch (see BBC, Forrester).

Perhaps this talk is a sign that Google are starting to change their "pay for services with privacy; personal information needn't be private" culture - but a lot more surely remains to be done on that front.


Friday, 3 September 2010

Privacy - UK regulator's response to government on data protection laws

I notice the UK Information Commissioner's Office has put up a response to the Ministry of Justice's call for evidence on how well current UK data protection laws are working - the consultation was only issued in July with an October closing date.

The ICO's response is, surprisingly (or perhaps not), very brief. Their points (emphasis added):

  • The current data protection principles are sound, but the law needs to achieve greater clarity of purpose and presentation. The principle of ‘privacy by design’ should be incorporated.
  • The law must provide greater clarity about what is personal data, with a more contextual approach to the sensitivity of information.
  • The law must be clearer about when consent is needed and what this involves.
  • The approach the law takes to the responsibilities of data controllers and data processors should better reflect modern business relationships.
  • The law needs more realistic rules for international data flows.
  • The law needs to be more in tune with the freedom of information regime and to recognise the impact of modern technology on what private individuals do with personal information.
Given that the point of the consultation was to help inform the UK's position in negotiating future reforms of the EU Data Protection Directive, which have been postponed to late 2011 anyway, I expect nothing much is going to happen for a long time.

Still, it's interesting and useful to see a summary of what the UK privacy regulator considers are the most important issues with the current law.

There's one major issue they've not mentioned, which I've stressed before in the PETs context: monitoring/enforcement - perhaps because they think it's to do more with money and/or internal issues within the ICO rather than the law?

It seems to me there's a need to beef up monitoring and enforcement, e.g. by increasing powers and by the government providing more resources to the ICO; certainly by the ICO using its teeth properly, giving those who breach data protection requirements at least a nip. Continued teeth-baring really isn't good enough; there's no point barking if people think you're never going to bite. (To expand on Commissioner Reding's excellent quote "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement"!)

Lest anyone raise the recent £2.275 million fine imposed on Zurich Insurance for data losses (reported by e.g. ComputerWeekly and Out-Law), that was levied by the Financial Services Authority - not the ICO.

See also European Data Protection Supervisor Peter Hustinx's views on reform of the Data Protection Directive and the collective EU data protection regulators' views on the future of privacy.
