Privacy Regulation

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU but note that not was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year live is the desire and plans of the British Govt to depart from the current legal protections which are based on the EU’s GDPR.

Issues of state surveillance, the European Council’s Convention 108 and the Human Rights act are all engaged. We’ll probably get it, but for it to be renewed, we’ll have to remain aligned with the GDPR & C108. The right to seek judicial redress by EU citizens may become important as it is a point of contention between the EU & US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs, we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon, across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out, our voices no longer count …

Whatsapp?

Whatsapp?

I am a bit confused over the whatsapp privacy update furore. Whatsapp say it’s only about business correspondence, Alec Muffet agrees, and so does the Independent Schneier thinks it’s a bad thing, and points at Nick Slatt’s article which adds to my confusion by pointing out that early users of whatsapp had the opportunity to deny Facsebook access to their data and that European users are managed under a different policy to ensure Facebook’s compliance with the GDPR. I am an early user and so they shouldn’t be mining my address book however they maybe doing so for my correspondents, particularly any US correspondents. However, I wonder if they or Facebook still consider the UK regime as equivalent to that of European Union, the Independent article confirms it does. I don’t consider the update notice to be a collection of consent that is freely given nor ‘informed’, as the future purpose is not clear, at least not to me but I may not have to worry yet. The problem is Facebook, both the company and the service, if we’re serious about our privacy, we’d stop using it but until then they can obey the law. …

Bosses & CCTV

I wrote a piece on my linkedin blog called, “Reusing CCTV in employee relations“. I rang the ICO and was told that employers can reuse CCTV, “if they come across something they cannot reasonably ignore”. The linkedin article looks at the ramifications of this and points to the ICO document, “the employment practices code“, which states that cameras may not be covert and may not be used for general monitoring. …

A first domino?

Carol Cadwalladr and others are speculating that the US Federal Trade Commission plan to fine Facebook $5bn for its privacy law breaches. This is reported today in the New York Times, in an article, Facebook Expects to Be Fined Up to $5 Billion by F.T.C. Over Privacy Issues. This documents the breaches which focus on Cambridge Analytica and the Brexit time span and the laws. $5bn is a lot, the EU only fined Google €1.5bn. I posted the NYT article on Facebook with the following comment.

But he still won’t come to the UK to testify to the DCMS select committee, although I have sympathy with the argument that if we aren’t investigating our citizens who have broken the law, why should he put himself at the front of the queue.

 …

Do the right thing!

A new linkedin blog by me on the fine print of the GDPR’s “legitimate interest”. The print is not so fine, and in summary, you don’t need to read the fine print to do the right thing.

When claiming a legitimate interest, the privacy rights of data subjects are established as controlling the data processor/controller’s legitimate interest by the requirement to recognise the “fundamental rights and freedoms” of the data subject. The “fundamental rights and freedoms” are defined in the Charter of Fundamental Rights

Due to indirection and thus undocumented nature of the data subject’s consent inherent in legitimate interest, I’d advise finding another lawful purpose. …

Big Brother. No, not the TV show

The police are building a new super database combining records with “intelligence”. Liberty have withdrawn from the government consultation as they rightly feel that it’s a breach of our privacy rights and even the government admit that much/some of the data has no lawful purpose. (I see an ECHT case coming on.)

I have three comments to add.

The Guardian article states that the database will be held on a private cloud provider’s systems; if US owned, then the databases will be subject to US FISA warrants, so the “encrypted at rest” security solution had better be pretty good as the best in the world may be looking for it.

Secondly, government data leaks! The legal precedents in this country show that while the Government may build systems for one purpose, the courts may force disclosure to them in the resolution of private/civil disputes. The first Norwich Pharmacal warrant was issued against the HMRC as the plaintiff showed that the defendants tax records were relevant to the court. It seems that there is a public interest defence against these now, and ensuring the Government’s ability to keep it’s secrets would seem to be in the public interest but we’ll see.

Thirdly, the intelligence databases as noted probably fail the need for a lawful purpose, and fail to deliver most of the privacy rights legislated for by the GDPR, most obviously the need to ensure that personal data is accurate.

I am glad I am still a member of Liberty, and I’ll help them. …