Privacy Regulation


I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that it was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four-year life is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights Act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important, as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for:

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs: we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon, across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …

Automating the professionals


I attended a seminar the other day which raised some questions in my mind about the next and prior waves of automation, the location of value creation and the legal/social barriers to adoption. Much is spoken of the use of artificial intelligence to augment or replace professional workers and this note briefly looks at this. It examines the nature of decisions and the need to transparently serve a human rights agenda, the question of regulation and assessment by one’s peers, and why it’s so hard to organise Trade Unions amongst the software authors. …

Google, the GDPR and Brexit


Google are going to move their UK users’ data from Ireland to the USA. I wrote a little note on my linkedin blog. I headline it as

Google are moving UK data from Ireland to the US … what does this say about UK/EU/US dataflows and compliance with the GDPR and the world’s data protection laws?

I also point out the need for robust legal redress to comply with the GDPR, which the UK and USA may not meet and that the UK will lose access to the US Privacy Shield arrangements. I note that the UK will lose its member state privileges and powers under the GDPR when the transition period ends and that RIPA 2016 and the immigration exception of the DPA 2018 may cause the Commission some problems with respect to “Adequacy”.

I note that model clauses and binding corporate rules will remain in place and I wonder if this is a business opportunity for a European based phone operating system author as people choose to withdraw from Android? Nokia? Canonical? …

Do the right thing!

A new linkedin blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights.

Due to the indirect and thus undocumented nature of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …

Five steps to Compliance

As we entered the ground rush zone for the GDPR, a number of organisations issued numbered guidance documents in preparation. I joined in and published a blog article on my linkedin blog called “Beyond Adequate Protection”. This had my five-point list of tasks to be GDPR compliant. I summarise them here:

  1. Know and document your personal data catalogue and its lawful purpose
  2. Create an identity solution for your data subjects, so subject access requests can be fulfilled
  3. Build a record keeping solution
  4. Ensure that your incident management solutions are compliant
  5. Implement changes to the software development Life Cycle (SDLC) to include privacy impact assessments

The original article deals with these in a bit more detail, but I finish by saying that it’s only this easy if your organisation already meets the need to provide adequate technical and organisational protection.

 …

A coach and horses through privacy rights


I have just been approached by a Trade Union member who wanted to know how to complain about his employer’s record keeping. The short answer is to complain to the Information Commissioner’s Office. It reminded me that the ORG are campaigning to change the current Data Protection Bill to allow non-profits to represent complainants; this reminds me that Trade Unions might also want to benefit from this legislative protection, but I was horrified by the Government’s proposed exemption of immigration data from the remit of the Data Protection law and thus the GDPR. …

Working Title

Today, I wrote to Labour List and proposed to write an article for them.

I’ll take help on the title, but I’m currently working with “Privacy Law, canvassing and registered supporters”.

Next year, on 28th May, the EU’s General Data Protection Regulation comes into force. Among other things it will prohibit the storage and processing of canvass returns without freely given, informed and explicit consent. We will have to prove that consent has been obtained and be able to tell electors everything we know about them.

The simplest answer to these new compliance requirements is to extend the registered supporter arrangement, make it an ongoing contract so that the agreement can include privacy clauses. The ambition would be to extend the scheme to high proportions of our voter base. For this purpose, the fee would need to be low, nearer £3 than £25.

ooOOOoo

I should add that without some form of reform, the retention of the Registered Supporters data in the membership system is in my mind questionably legal, as it breaks the storage limitation principle. When compliance ruled that Registered Supporters could not be invited to members’ meetings, they made the sole purpose of holding the data the leadership election. This purpose was confirmed when the NEC required re-registration of the registered supporters at £25 in 2016; the consequence of such a decision to my mind negated the purpose of the original registrations. …