The missing courage of the ICO

I note from Jim Killock’s pinned repost of a post by David Erdos on X that the media and the ICO have issued a report, dated March 2024, on journalistic practices and the Data Protection Act 2018. This was produced as part of the response to the Leveson Report, itself spawned by the Milly Dowler and celebrity phone hacking scandal. Erdos makes the point that the ICO did not make use of its investigatory powers, which he refers to as §17 powers, and that the story was not followed up by … err! … the Press.

Additionally, over the last week, the ICO announced its report on its investigations into the Labour Party and its compliance with the GDPR/DPA. Again, they weren’t asking the big questions, and say more about the mitigation actions than about the compliance failures. This allows the Guardian to run a headline focusing on the failure to respond to DSARs; in fact the Guardian focuses only on late responses, not on failures to respond, and everyone is silent on the refusals.

I would like to know what measures the Party took to ensure that their IT sub-contractors met their obligations as data processors, what measures the Party took to ensure their DPO was qualified[1] according to Article 37 of the GDPR, why no compensation has been offered or mandated to victims of the breach, what measures Labour took to ensure the completeness of any DSAR responses, what measures the Labour Party took to ensure that only appropriate staff had access to personal data, and what measures the Party took to ensure that the democratic rights of members weren’t adversely affected by the breach. It would seem the ICO has not asked these questions; this is exceedingly disappointing.

Regulatory capture is a well-studied phenomenon. However, it’s simpler if one is the government rather than a private business or an NGO. It seems pretty clear that the ICO is frightened of the major political parties, which, since human rights law is designed to protect citizens from governments, rather spoils the point of having one. NB the GDPR has a lot to say about the importance of the independence of both Data Protection Officers and the national data protection supervisory authority.


[1] “The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices …” N.b. data protection practices require expertise in cyber security. …

Data-driven campaigning: how and why do political parties do it?

I attended a lecture last week; it was advertised by its conveners on Twitter. The lecture was videoed and I am expecting the video to be posted on YouTube. I’ve made some notes, some about what the lecturers said and some about the thoughts they provoked. I try to offer some value on this blog; however, much of this article is reporting the views of the three lecturers.

The lecturers argue there’s little to worry about; I disagree and quote the ICO and the DCMS select committee to back up my thoughts. They suggest that Gen-AI is not yet in use and that Fake News does not have much effect. I suggest that Fake News reinforces prejudice and drives out reasoned policy analysis. I conclude that there are common practices that need better regulation. Regulation’s weakness stems from limited powers and accountability in the case of the Electoral Commission, a lack of will in the case of the ICO, and a lack of resources and independence in the case of the ONS. I hope there’s enough of what I say to be worth the read. Please use the ‘Read More’ button to view the complete article, which is about four pages long ...

Virtual Worlds and the EU

I am about to return to Brussels for the final session of the EU’s citizens’ assembly on virtual worlds. I decided to make a document from my notes on the EU citizens’ panel on Virtual Worlds. As I have said, my notes were contemporaneous and do not tell a story. This article hopefully documents the lessons I have learned and would like others to read, and of course agree with. Hopefully, it’s more directed! For more, see overleaf ...

Digital Transformation in Europe

I attended a conference on the Digital Transition chapter of the CoFoE final report. This was hosted by the Estonian Human Rights Centre and held in Tallinn. This article contains my notes on and views of what happened. The conference invited two keynote speakers but otherwise looked, in working groups, at the four objectives from the CoFoE final report, Chapter 6 on Digitisation, which I précised on my blog [or on Medium]. The conference came together in plenary to share its findings on the CoFoE proposals. My key takeaway may be that the Eastern European citizens’ legitimate fear of a censorious and surveillance state will lead to a failure to regulate private sector players who are driven by profit, wealth and exploitation.

The article continues, overleaf. Please use the read more button if necessary ...

What the CoFoE thinks about citizen privacy

The Conference on the Future of Europe’s Democracy and Rule of Law panel has generated 39 recommendations to improve the EU’s democracy and compliance with the Rule of Law. Three of these relate to Privacy and one to Cybersecurity. I have drafted a response for CTOE, which I hope will become part of their response but did not form part of their first response, which is fortunate since I changed my mind slightly. The article, overleaf, covers regulations and sanctions, equality of arms, and enforcement and political will. ...

On Cyber-security

I posted a note on cyber security on my linkedin blog. I post some pointers on the standards and controls needed to defend against a cyberattack and implement “adequate technical and organisational” protection. It looks at and links to the NIST cyber-security framework and lists some of the necessary controls to implement a reasonable defence and prove “adequate technical and organisational” controls. If you do what I suggest badly, you might get away with it; if you do it well, you might stop and/or recover from attacks. …

Privacy Regulation

I wrote a little piece on my linkedin blog on the EU Commission’s proposal to agree a data “adequacy” agreement. I point out the next set of hurdles, although I downplay the likelihood of any intervention by the CJEU, but note that it was critical in striking down the original EU/US “Safe Harbour” agreement. I note that one threat to its renewal at the end of its four year life is the desire and plans of the British Govt to depart from the current legal protections, which are based on the EU’s GDPR.

Issues of state surveillance, the Council of Europe’s Convention 108 and the Human Rights Act are all engaged. We’ll probably get it, but for it to be renewed we’ll have to remain aligned with the GDPR and C108. The right of EU citizens to seek judicial redress may become important, as it is a point of contention between the EU and US over the Privacy Shield.

One indicator of a desire for divergence is the advert for the role of Information Commissioner, which asks for,

The Government’s National Data Strategy sets out its ambition for the UK’s pro-growth and trusted data regime, one that helps innovators and entrepreneurs to use data responsibly and securely, without undue regulatory uncertainty or risk, …

cabinetoffice.gov.uk

This has been picked up by the Open Rights Group, who are asking people to write to their MPs; we need an independent Privacy Regulator.

The retreat from the promise of the GDPR is not just a UK phenomenon; across Europe pro-business politicians are beginning to say that it’s too onerous. It’s a shame we’re out; our voices no longer count …

Whatsapp?

I am a bit confused over the WhatsApp privacy update furore. WhatsApp say it’s only about business correspondence; Alec Muffett agrees, and so does the Independent. Schneier thinks it’s a bad thing, and points at Nick Statt’s article, which adds to my confusion by pointing out that early users of WhatsApp had the opportunity to deny Facebook access to their data and that European users are managed under a different policy to ensure Facebook’s compliance with the GDPR. I am an early user and so they shouldn’t be mining my address book; however, they may be doing so for my correspondents, particularly any US correspondents. I also wonder if they or Facebook still consider the UK regime equivalent to that of the European Union; the Independent article confirms they do. I don’t consider the update notice to be a collection of consent that is freely given or ‘informed’, as the future purpose is not clear, at least not to me, but I may not have to worry yet. The problem is Facebook, both the company and the service; if we’re serious about our privacy, we’d stop using it, but until then they can obey the law. …

Bosses & CCTV

I wrote a piece on my linkedin blog called “Reusing CCTV in employee relations”. I rang the ICO and was told that employers can reuse CCTV “if they come across something they cannot reasonably ignore”. The linkedin article looks at the ramifications of this and points to the ICO document “The employment practices code”, which states that cameras may not be covert and may not be used for general monitoring. …