No Deal & cross border data flows

No Deal & cross border data flows

I have just written a blog at linkedin on the impact of a No Deal Brexit on cross border personal data flows. Obtaining an adequacy agreement will take time, one would have hoped that the transition period would have been enough, but without one there will be no adequacy decision on Day 1. Large and prepared entities may be OK as they can use the currently legally permitted alternatives. The US privacy shield may not be avaialable n Day 1, since its an EU agreement. If we leave, we i.e. the UK state may no longer avail itself of the Article 23 powers and the Investigatory Powers Act and the DPA “immigration exception” may cause problems in achieving an adequacy decision. …

Do the right thing!

A new linkedin blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights

Due to indirection and thus undocumented nature of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …

Managing Compliance Software

Managing Compliance Software

I have just published on my linkedin blog a little essay on managing software used for the purpose of compliance. One key insight which one might consider is that these programs are being used because you have to not because you want to. Also society does not want businesses innovating the compliance software, we need to know it does what society requires not what the business wants. This makes the governing super strategy for these applications one of “operational efficiency”, or in Dan Remenyi’s model, a “support” system. For compliance systems it is advantageous to buy or adopt a package and to adopt the package’s optimum process; society has confidence that companies are complying with the law, and the companies share the maintenance costs and get a superior product and support. In some cases, the requirement that society has confidence that compliance is correct leads to the regulators giving companies the software or running it themselves.  …

Big Brother. No, not the TV show

The police are building a new super database combining records with “intelligence”. Liberty have withdrawn from the government consultation as they rightly feel that it’s a breach of our privacy rights and even the government admit that much/some of the data has no lawful purpose. (I see an ECHT case coming on.)

I have three comments to add.

The Guardian article states that the database will be held on a private cloud provider’s systems; if US owned, then the databases will be subject to US FISA warrants, so the “encrypted at rest” security solution had better be pretty good as the best in the world may be looking for it.

Secondly, government data leaks! The legal precedents in this country show that while the Government may build systems for one purpose, the courts may force disclosure to them in the resolution of private/civil disputes. The first Norwich Pharmacal warrant was issued against the HMRC as the plaintiff showed that the defendants tax records were relevant to the court. It seems that there is a public interest defence against these now, and ensuring the Government’s ability to keep it’s secrets would seem to be in the public interest but we’ll see.

Thirdly, the intelligence databases as noted probably fail the need for a lawful purpose, and fail to deliver most of the privacy rights legislated for by the GDPR, most obviously the need to ensure that personal data is accurate.

I am glad I am still a member of Liberty, and I’ll help them. …

Tory Conference Data Breach

Over the weekend, it seems to have been established that the Tory Party’s confence app suffers a major secutity flaw and that personal details of its users are available to all. While the BBC seem concerned that the ex-Foreign Secretary’s details are available, its of equal concern that all the journalists are also exposed. The maximum fine for any breach is €20m.

A further problem is that under the new laws, people who suffer a breach of rights no longer have to prove harm. This would seem to be a breach of rights and so will be treated at the serious end of the spectrum and there’s a low burden of proof.

Additionally I would add, this app It should have had a data privacy impact analysis and if deemed a high risk, permission needs to be sought from the ICO to deploy it.

The cyber-security controls should have been defined before and tested before and after the DPIA.

The Tories have 72 hours to notify the ICO of the breach and will need to consider remediation for each an every user impacted.

I am sure the ICO would not want the Tories to be their first case as they would like to have established a precedent based tariff; they wouldn’t want the governing party to be the precedent; expectations are that the ICO will be one of the more forgiving of the European data protection supervisory authorities. …

A failure to serve fans

The European Parliament sent the Copyright Directive to the trialogue process, where the views of the commission, the council and the parliament are negotiated; the final words agreed by the parliament are basically the words lobbied for by the large corporate press and content companies aided at the last gasp by the sports industry. To understand why this is shit we need to go back to basics. This article is quite long and continues below, or overleaf … …

Surveillance, ignorance and a chilling effect

The Guardian, not exactly disinterested, publishes a leader on regulating Apple and its competitors. I would argue, Apple is the example of the 5th Industrial Revolution monopoly and we need to learn how to regulate it and is competitors and it is a problem for the US also. The authors  completely miss the fact that there are new forms of oppression, that of surveillance, caused by the datenkraken.

We need new forms of protest and defence even though we’ve know about it forever. It’s for this reason that we established the rights of privacy and free speech as part of the universal declaration of rights.

This quote is important, it establishes commonalities with their predecessors,

All [ the datenkraken] use remarkably few workers to generate their enormous profits. All operate an internal class system, which concentrates power in very few hands. None have any unions worth speaking of. All rely on the unglamorous work being done far from California, usually by subcontractors. All shuffle their profits around the world in an endless game of “Find the lady” with national tax authorities – a factor that should not be overlooked when it comes to asking why they are so immensely profitable. If this is the model of the company of the future, it will have consequences we have not yet learned how to manage.

They finish with,

The downside of the oil-based economy is now obvious all around us. The symptoms of apparently uncontrollable climate change have become undeniable. Cities are choked with polluting traffic while the seas are choked with plastics made from oil. Whole countries have been devastated by oil riches. The digital revolution seems, so far, much more benign. But the loss of trust that social media both causes and exploits may one day be seen as another form of unforgivable pollution.

I think this is weak, the threat is surveillance, ignorance and a chilling effect. …