Data-driven campaigning: how and why do political parties do it?

I attended a lecture last week; it was advertised by its conveners on Twitter. The lecture was videoed and I am expecting the video to be posted on YouTube. I’ve made some notes, some about what the lecturers said and some about the thoughts they provoked. I try to offer some value on this blog; however, much of this article is reporting the views of the three lecturers.

The lecturers argue there's little to worry about; I disagree and quote the ICO and the DCMS select committee to back up my thoughts. They suggest that Gen-AI is not yet in use and suggest that Fake News does not have much effect. I suggest that Fake News reinforces prejudice and drives out reasoned policy analysis. I conclude that there are common practices that need better regulation. Regulation's weakness is based on powers and accountability in the case of the Electoral Commission, a lack of will in the case of the ICO and a lack of resources and independence in the case of ONS. I hope there’s enough of what I say to be worth the read. Please use the 'Read More' button to view the complete article, which is about four pages long ...

What the CoFoE thinks about citizen privacy

The Conference on the Future of Europe, Democracy and Rule of Law panel has generated 39 recommendations to improve the EU’s Democracy and compliance with the Rule of Law. Three of these related to Privacy and one to Cybersecurity. I have drafted a response for CTOE, which I hope will become part of their response but did not form part of their first response, which is fortunate since I changed my mind slightly. The article, overleaf, covers regulations and sanctions, equality of arms, and enforcement and political will. ...

A note on Data Protection Officers

Data Protection Officers' roles were revised by GDPR and the member state implementations. Here is a reminder for those that need it.

Article 37 states that a processor or controller requires a DPO if it is a public authority, if it requires regular and systematic monitoring of data subjects on a large scale or if it processes special data.

A DPO may work for multiple companies, but Article 38 requires the DPO to be adequately resourced and supported.

The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks specified in the GDPR Article 39.

Article 38 states that the DPO must be involved in all issues which relate to the protection of personal data, be properly resourced to perform their duties and to maintain their professional expertise, not receive instructions on the conduct of their duties, not be dismissed for doing their job, and report to the highest levels of management.

The tasks of the role are defined in Article 39: the job is to advise the highest levels of management on their obligations; to monitor compliance, including the assignment of responsibilities, training and operations’ audits; to assist and monitor the data privacy impact assessments; and to cooperate with and act as a contact point for the supervisory body (in the UK, the ICO).

I have used the EU text as the source of my summary and it is reproduced overleaf/below ...

This post was originally posted at LinkedIn.

More Brexit missed or almost missed deadlines

This article, or one very similar to it, first appeared on AEIP's Brexitspotlight. The 3rd deadline of the post-Brexit Future Relationship passed on the 30th June. The deadlines were on the issues of cross-border data adequacy, Northern Irish meat product movement, the end of equivalence for share depositaries and the end of the grace period to allow EU citizens resident in the UK to apply to stay. It looks like the security depository equivalence was sorted in Sept. 2020 and the EU have granted a three-month extension on moving chilled meat from Great Britain to Northern Ireland as required by the treaty’s Northern Ireland protocol[1]. The Commission flagged the agreement of a data adequacy ruling earlier in the year and finally agreed it with two days to go. The Parliament is more sanguine. The EDPB is also more cautious, and we expect the CJEU to be so too. Whenever the CJEU has ruled, it has ruled in favour of citizens, whereas the ECtHR gives nation states significant leeway. For more see here, or read more ...

Privacy Regulation

I wrote a little piece on my LinkedIn blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that it was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four-year life is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights Act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs; we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon; across Europe, pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out; our voices no longer count …

Automating the professionals

I attended a seminar the other day which raised some questions in my mind about the next and prior waves of automation, the location of value creation and the legal/social barriers to adoption. Much is spoken of the use of artificial intelligence to augment or replace professional workers and this note briefly looks at this. It examines the nature of decisions and the need to transparently serve a human rights agenda, the question of regulation and assessment by one’s peers, and why it’s so hard to organise Trade Unions amongst the software authors. …

Google, the GDPR and Brexit

Google are going to move their UK users' data from Ireland to the USA. I wrote a little note on my LinkedIn blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and compliance with the GDPR and the world’s data protection laws?

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place and I wonder if this is a business opportunity for a European based phone operating system author as people choose to withdraw from Android? Nokia? Canonical? …

Do the right thing!

A new LinkedIn blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights.

Due to the indirection, and thus undocumented nature, of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …