Category Archives: Privacy

March 19, 2013 · 8:34 am

Don’t Panic about the Royal Charter. Panic Now!

Bloggers shouldn’t panic about the proposed Royal Charter, unless they’re already panicking about the current law.

Imagine that a local citizen blogger – let’s call her Mrs B, who is a member of a local church group – decides to let others know, by way of a website, some news and information about the group. She includes information for those about to be confirmed into the church as well as extraneous, light-hearted stuff about her fellow parishioners, including the fact that one of them has a broken leg. Now imagine that a complaint by one of the fellow parishioners that this website is intrusive is upheld and Mrs B is found to have breached domestic law.

The coercive power of the state being brought against a mere blogger would be, you might imagine, unacceptable. You might imagine that any such domestic law, in a country which is a signatory to the European Convention on Human Rights, would be held to be in breach of the free-expression rights under Article 10 of the same.

This sort of outcome, you might say, would surely be unimaginable even under the proposed regulatory scheme by Royal Charter agreed in principle by the main party leaders on 18 March.

But, as anyone who knows about data protection law will tell you, exactly this happened in 2003 in Sweden, when poor Mrs Bodil Lindqvist was prosecuted and convicted under national Swedish legislation on data protection and privacy. On appeal to the European Court of Justice her actions were held to have been the “processing” of “personal data” (and, in the case of the person with the injured leg, of the higher-category “sensitive personal data”) and thus those actions engaged Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data which is given domestic effect in Sweden by the law under which she was convicted. The same Directive is, of course, given domestic effect in the UK by the Data Protection Act 1998 (DPA).

The response to the proposed Royal Charter was heated, and many people noticed that the interpretative provisions in Schedule 4 implied the regulation of web content in general (if said content was “news-related material”), thus potentially bringing the “blogosphere” and various social media activities into jurisdiction. This has caused much protest. For instance Cory Doctorow wrote

In a nutshell, then: if you press a button labelled “publish” or “submit” or “tweet” while in the UK, these rules as written will treat you as a newspaper proprietor, and make you vulnerable to an arbitration procedure where the complainer pays nothing, but you have to pay to defend yourself, and that will potentially have the power to fine you, force you to censor your posts, and force you to print “corrections” and “apologies” in a manner that the regulator will get to specify.

But the irony is, that is effectively exactly the position as it currently stands under data protection law. If you publish or submit or tweet in the UK information which relates to an identifiable individual you are “processing” “personal data”. The “data subject” can object if they feel the processing is in breach of the very broad obligations under the DPA. This right of objection is free (by means of a complaint to the Information Commissioner’s Office (ICO)). The ICO can impose a monetary penalty notice (a “fine”) up to £500,000 for serious breaches of the DPA, and can issue enforcement notices requiring certain actions (such as removal of data, corrections, apologies etc) and a breach of an enforcement notice is potentially a criminal offence.

As it is, the ICO is highly unlikely even to accept jurisdiction over a complaint like this. He will say it is covered by the exemption for processing if it is “only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)”. He will say this despite the fact that this position is legally and logically unsound, and was heavily criticised in the High Court, where, in response to a statement from the ICO that

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about…another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

Mr Justice Tugendhat said

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA…The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

The ICO will decline jurisdiction because, in reality, he does not have the resources to regulate the internet in its broadest sense, and nor does he have the inclination to do so. And I strongly suspect that this would also be the position of any regulator established under the Royal Charter.

I’m not normally one for complacency, and I actually think that the fact that the coercive power of the state potentially applies in this manner to activities such as blogging and tweeting is problematic (not wrong per se, note, but problematic). But the fact is that, firstly, the same coercive power already applies, to the extent that such activities engage, for instance, defamation law, or contempt of court, or incitement laws, and secondly – and despite the High Court criticism – no one seems to be particularly exercised by the fact that the current DPA regulator is able to ignore the activities of the blogosphere, so I doubt that the social and legal will exists to regulate these activities. I hope I’m not wrong.

2 Comments

Filed under Data Protection, human rights, Information Commissioner, monetary penalty notice, Privacy

Tagged as ,

March 7, 2013 · 2:13 pm

Google Streetview and “Incidental” Processing

Someone I follow on twitter recently posted a link from Google Streetview of the interior of a pub, in which he could identify himself and a friend having a quiet pint. I must confess this addition of building interiors to the Streetview portfolio had passed me by. It appears that businesses can sign-up to have “Google Trusted Photographers and Trusted Agencies” take photographs of their premises, which are uploaded to the web and linked to Streetview locations.

When it was launched Streetview caused some concern in privacy circles, and this was prior to, and separate from, the concerns caused by the discovery that huge quantities of wifi payload data had been gathered and retained during the process of capture of streetview data. These more general concerns were partly due to the fact that, in the process of taking images of streets the Google cameras were also capturing images of individuals. Data protection law is engaged when data are being processed which relate to a living individual, who can identified from the data. To mitigate against the obvious potential privacy intrusions from Streetview, Google used blurring technology to obscure faces (and vehicle number plates). In its 2009 response to Privacy International’s complaint about the then new service the Information Commissioner’s Office said

blurring someone’s face is not guaranteed to take that image outside the definition of personal data. Even with a face completely removed, it will still be entirely likely that a person would recognise themselves or someone close to them. However, what the blurring does is greatly reduce the likelihood that lots of people would be able to identify individuals whose image has been captured. In light of this, our analysis of whether and to what extent Streetview caused data protection concerns placed a great deal of emphasis on the fact that at its core, this product is in effect a series of images of street scenes…the important data protection point is that an individual’s presence in a particular image is entirely incidental to the purpose for capturing the image as a whole. (emphasis added)

One might have problems with that approach (data protection law does not talk in terms of “incidental” processing of personal data) but as an exercise in pragmatism it makes sense. However, it seems to me that the “business interiors” function of Streetview takes things a step further. Firstly, these are not now just “images of street scenes”, and secondly, it is at least arguable that an individual’s presence in, for instance, an image of an interior of a pub, is not “entirely incidental” to the image’s purpose.

Google informs the business owner that “it would be your responsibility to notify your employees and customers that the photo shoot is taking place” but that “Google may use these images in other products and services in new ways that will make your business information more useful and accessible to users”. It seems likely to me therefore that, to the extent that personal data is being processed in the publishing of these images, Google and the business owner are potentially both data controllers (with consequent responsibilities and liabilities under European law).

It would be interesting to know if the Information Commissioner’s assessment of this processing would be different given that a factor he previously placed a “great deal of emphasis on” (the fact that Streetview was then ”just images of street scenes”) no longer applies.

1 Comment

Filed under Data Protection, enforcement, Information Commissioner, Privacy

Tagged as ,

February 21, 2013 · 12:59 pm

We still have judgment here

Mr Justice Tugendhat makes very interesting observations about reserved judgments and open justice,  in a judgment on whether a defendant is in breach of prior undertakings relating to tawdry publications about the parents of Madeline McCann:

The decision not to identify in a reserved judgment a fact or person that has been identified in open court is not a reporting restriction, nor any other derogation from open justice. The hearing of this committal application was in public in the usual way. The decision not to set out everything in a judgment is simply a decision as to how the judge chooses to frame the judgment (¶86)

I have previously written about discussions taking place about the privacy and data protection implications of electronic publication of lists from magistrates’ courts, and I also wrote a thesis (NEVER to see the light of day thank you very much) which attempted in part to deal with the difficulties of anonymisation in court documents. These seem to me to be very urgent, and tremendously difficult, considerations for the subject of open justice in the digital era (the title of the initiative, led by Judith Townend, to “make recommendations for the way judicial information and legal data are communicated in a digital era”).

The judgment continues with Tugendhat J observing that, in previous cases where he has referred to parties by initials in reserved judgments this has sometimes been misinterpreted as his having made an anonymity order. Not true: the proceedings themselves were in open court, but

what happens in court, if not reported at the time, may be ephemeral, and may soon be forgotten and become difficult to recover, whereas a reserved judgment may appear in law reports, or on the internet, indefinitely (¶87)

This is a crucial point. My concern has always been about the permanence of information published on the internet, and the potential for it to be used, and abused, in ways and under jurisdictions, which would make a mockery of, for instance, the Rehabilitation of Offenders Act 1974, and the Data Protection Act 1998.

I haven’t noted the judge’s comments for any particular reason, other than I think they helpfully illustrate some important points, and might provoke some discussion.

1 Comment

Filed under Confidentiality, court lists, Data Protection, Open Justice, Privacy, Rehabilitation of offenders

September 29, 2012 · 9:04 am

Private emails, FOI and Criminality

Private emails are subject to FOI searches, and it’s a crime intentionally to conceal relevant information.

So, it appears that the Department of Education (DfE) has conceded that business emails sent by private email accounts are subject to the Freedom of Information Act 2000 (FOIA), thus accepting what the right-thinking world, and, indeed, anyone with a glimmer of common sense knew all along.

Plaudits, or brickbats, according to your position on the merits of FOIA, should go to Christopher Cook of the Financial Times, who has pursued the Department of Education (DfE) on this with the enthusiasm of a Jack Russell terrier faced with a scurrying rat. Fellow hacks at the Independent had also joined themselves to the proceedings listed (but now withdrawn) in the First-tier Tribunal (Information Rights). The DfE had had the balls to launch a challenge to a previous decision by the Information Commissioner (ICO) that the information (held in private email accounts) requested by Chris should be released. The decision notice itself was clear, and difficult to argue with, as is the advice on the subject published by the ICO around the same time. One wondered what possible grounds the DfE had to base a successful appeal on, and the withdrawal of the appeal probably answers that point, although it appears the withdrawal was actually prompted by the imminent publication of Cabinet Office guidance.

Some are now predicting that there will be a deluge of FOI requests specifically targeted at information held in private emails, or text messages, and I think this is probably right. What is not clear is how they will be handled. The ICO’s guidance suggests that, faced with requests for information that could be held in private emails, public authorities should restrict themselves to asking the person to search their account and keeping a record to show that this was asked:

The public authority will then be able to demonstrate, if required, that appropriate searches have been made in relation to a particular request. The Commissioner may need to see this in the event of a…complaint

This suggests that, when investigating a complaint about refusal to disclose information, the ICO will restrict himself merely to satisfying himself that an authority has asked its staff to check emails. Absent any evidence that those staff have not been honest about the contents of those private emails, the ICO will take no further action. The reasons for this are, really, quite obvious: the powers open to a public authority to access private email accounts are limited. Although the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 allow an employer to “intercept” an employee’s private emails  (if sent using the employer’s systems) to determine whether they are business-related, those powers must be exercised with due regard to the employee’s privacy rights. The interception of private emails in a private email account (sent using the employer’s systems) must be necessary and proportionate. If an employee has told his or employer that their private emails contain no information caught by an FOI request it is doubtful, absent any evidence to the contrary, that a “trawl” of emails without the employee’s consent would be lawful (I’ve written for PDP journals on this subject – subscription needed).

On one view, then, nothing much has changed with the concession by the DfE, although no doubt many new FOI requests will be made as a result. What has changed, perhaps, is the focus on individuals’ personal responsiblity under FOIA. Currently, section 77 creates an offence if a person alters, defaces, blocks, erases, destroys or conceals a record in response to an FOI request. If a trawl of emails on a public authority’s systems is required this will normally fall to IT, or similar, and employees have little say – or, if you like, given the existence of back-up systems – limited opportunity to commit a section 77 offence. Now, if the same employee is asked whether private emails contain specific information, and he or she untruthfully says “no”, criminality – the mens rea – will be relatively easy to make out.

The question is, how would we find out?

6 Comments

Filed under Freedom of Information, Information Commissioner, Information Tribunal, Privacy, RIPA, Uncategorized

Tagged as , ,

May 7, 2012 · 6:53 pm

Godwin’s Law and Data Protection (or, Let’s Be Careful Out There)

A data protection officer I know has been having a bit of a hard time lately from his managers for questioning their relentless push to encourage greater sharing of information between their public sector organisation and other public sector bodies. My friend has been accused of not being a “can-do” person. In defence of his managers, they are being pushed themselves: despite the Conservative party’s pre-election pledge to “scale back the database state” and the Lib Dems’ commitments not to harvest unneccesary information about people’s private lives, data-sharing is being vigorously promoted.

Sometimes it’s important to share data. I blogged only yesterday about a situation where (if it’s true) a failure to share data possibly had tragic consequences. Similarly I remember once, when I worked in a mental health clinic, how two police officers came in and asked if we knew the whereabouts of one of our regular patients: I had been warned that some police officers would try to trick us into revealing information about our patients, but I knew that this patient was highly vulnerable and unstable and the officers apparently had good reason to know the information. I exercised a discretion that I still wonder about today to disclose that personal data. It was a judgement call, and sometimes you get them wrong -  I hope I didn’t then.

However, it is surely not uncontroversial to say that there are risks in excessive data-sharing. Paul Bernal has blogged today, prompted by the worrying success of the neo-Nazi Golden Dawn movement in last week’s Greek elections, about the importance of recognising what are the current, and historical, implications of surveillance of citizens by the state. “Surveillance” can take many forms – sometimes it’s video recording of people, or retention of their DNA. Sometimes it’s not even the state doing it, but citizens themselves: I recently wrote a rather crude post (which I need to re-visit) questioning whether it was a good idea to have hyper-local media collating and publishing information about people appearing in magistrates’ courts.

Sometimes, as well, it can take the form of creeping databases.  Thus, hypothetically, the state is able to collate the following: person W, who is Jewish, knows person X, who is a trade unionist, who has been known to associate with person Y, who is disabled and has twice been accused of crime Z. The state thinks this is useful data. It might be, but equally it might be excessive, or unnecessarily gathered, or retained too long.

In a modern, liberal, state, none of the identifiying features in my hypothetical example should really raise an eyebrow. In a non-liberal state, however, similar information that has possibly been innocently, or naively, collated, can be misused in horrendous ways: so, in 1940s Holland, municipal registers were used by the Nazis to identify and persecute Jews, trade union membership lists used to persecute organised labour and public health and crime records used to persecute the disabled and criminals.

Maybe I’ve godwinned myself and my own blog, but one cannot avoid the fact that modern digital communication and storage are tremendously powerful – unimaginably so compared to even ten years ago, let alone 70 years. Data-sharing can have enormous and beneficial implications, but we need to exercise caution. We mustn’t amass personal data just because we can. We mustn’t use that data for purposes which were not envisaged when we gathered it. And we mustn’t retain that data just because we can’t be bothered to think what to do with it after its usefulness has passed.

As it happens, all the foregoing  principles are actually enshrined in the statutory Principles in the Data Protection Act 1998. That Act gave domestic effect to an EC Directive, which in part had its genesis in the European Convention on Human Rights. That Convention – in turn – had its genesis in the lessons learned after a fascist party gained support in Europe, and then ultimately took power in a fractured and devastated country.

 

1 Comment

Filed under Data Protection, Privacy

February 17, 2012 · 4:30 pm

Police complaints, a databreach and a High Court injunction

I notice an interesting application in the High Court.

 The Independent Police Complaints Commission (IPCC) has been granted an injunction (actually, a second injunction) requiring that the first defendant, a Mark Warner, disclose to the IPCC the identity of the second defendant -“person(s) unknown” – who Mr Warner has indicated is holding certain information about a third party, as well as the circumstances in which they came to be in the possession of those person(s) unknown.

 The reason I’m posting about this is that it appears that the IPCC disclosed the information about the third party in error to Mr Warner while responding to a subject access request under section 7 of the Data Protection Act 1998 (DPA).

 Mr Warner apparently received some of his own data in response to that section 7 request, but feels that there is further information to which he is entitled, and for his own reasons, has refused to return the papers relating to the third party sent to him by mistake, saying (in a telephone conversation with the IPCC):

If I do not get [the further material which he wants the IPCC to provide to him] within a reasonable timeframe I will not only hang onto the information which I have been sent in error, but I will identify it to Fleet Street

 The IPCC brought the current application not only to protect its own rights, but the Article 8 rights of the third party.

 One wonders if the Information Commissioner has been informed. Inadvertent disclosure of personal data of a third party, of a kind which requires a high court injunction to identify the “person(s) unknown”, sounds like a serious contravention of the DPA of a kind likely to cause substantial damage or distress. Such contraventions can attract monetary penalty notices of up to £500,000.

 As several local authorities know to their cost.

Leave a Comment

Filed under Breach Notification, Data Protection, Information Commissioner, police, Privacy

January 25, 2012 · 8:12 pm

STOP BOTHERING US!

I’m a customer of the mobile phone service provider O2. They’re OK. Probably much the same as the rest, but I’ve been with them for a few years now, and I’ve had no real problems with them. And every so often they give me an “upgrade” to a nice shiny new smartphone which half fools me into thinking I’m getting a nice deal.

This morning a corner (my favourite corner) of twitter was buzzing with news of a potential security flaw (or was it deliberate coding?) discovered by a twitter user by the name of @lewispeckover which meant that customers using O2′s mobile network to access the internet were inadvertently revealing their mobile phone number in the headers delivered when they visited a website. As Lewis succinctly put it

So, @O2 send my phone no in an HTTP header to every site I browse. WTF? Is this normal?

No, it’s not normal. Some people have very good reasons for not wanting their mobile numbers handed to third parties, especially when they aren’t aware that it’s being done, and I’m one of them (actually, I haven’t got a “very good reason”, other than I just don’t like it). I had intended blogging about why this incident might involve breaches of the first, second, seventh and eighth data protection principles in the Data Protection Act 1998 (DPA), regulations 6 and 7 of the Privacy and Electronic Communications Regulations 2003 (PECR) and chapter II of the Regulation of Investigatory Powers Act 2000 (RIPA). However, as the news got picked up, first by specialist media then mainstream, and as I realised that people were complaining in numbers to the Information Commissioner (IC), who regulates compliance with both the DPA and the PECR (although not RIPA), I decided that the issue was in the appropriate hands.

But I still intended, when I got home from work tonight, making a complaint to that statutory regulator. This is a) an issue that concerns me, b) one I know something about, c) one that has made me a bit angry, and d) one I’m prepared to rant about. However, I noted, on my bus journey home, browsing the internet on my shiny smartphone via O2′s network, that the IC had updated his home page, and was saying

Today we’ve received a large number of complaints about an alleged data breach on the O2 mobile phone network.

We now have enough information to take this matter further, so there is no need for customers to complain to us.

Great. They’re taking the matter further. But hang on – they don’t want us to complain now, because they have enough information? Well, that’s a bit presumptuous, and risky (how do they know they’ve got enough information?). But also, it’s quite concerning. The IC has many powers available to him if he finds that a data controller has breached the DPA or the PECR. In assessing how bad a breach might be, he has to take into account various factors. For instance, from his own guidance on imposing Monetary Penalty Notices,

The number of individuals actually or potentially affected by the contravention

Hang on a minute.

The number of individuals actually or potentially affected by the contravention

Er.

I just question how can you can properly assess how many people have been affected by an alleged contravention if you discourage people from complaining about that alleged contravention?

And not satisfied with this attempt at dissuasion, the IC took to tweeting the same message, earlier this evening. He clearly doesn’t want any more people to send him complaints, but this could lead to a misleading assessment of the number of people actually affected. I’m sure that O2, in assisting the IC in his subsequent investigation, will tell him how many people were potentially affected, but, if were them, I would say “well, only a small number actually complained, so it wasn’t that bad a breach, after all”.

And this is not the first time the IC has done this. Currently, the first question and answer on his “Data Protection for the Public” FAQs page are

Q: I have received a letter from Welcome Financial Services Limited. What should I do?

We have recently been informed of a data breach involving Welcome Financial Services Limited including its business Shopacheck. We believe they are taking steps to inform those affected. We will be making enquiries into the circumstances of the apparent breach of the Data Protection Act before deciding what action, if any, needs to be taken.

As we are already aware of this issue and in contact with Welcome Financial Services Limited, there is no need to submit further complaints to this office. [emphasis added, as if you needed to know]

I do try to defend the IC and his office, and I know they are always sorely lacking funds, but when a regulator, who is supposed to be receptive to complaints about alleged failures to comply with laws he regulates, actively discourages people from complaining, my enthusiasm for defending falters.

To the IC I ask, do you want me to complain, and say how I have been affected by O2′s handling of my personal data? And if not, why not?

2 Comments

Filed under Data Protection, Information Commissioner, PECR, Privacy

Tagged as , ,

December 8, 2011 · 1:58 pm

Can the ICO Regulate the Internet?

It is…beyond doubt that the DPA was not designed to deal with the way in which the internet now works

says Tugendhat J in a crucial recently-published judgment (The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB)), in which he lays into the Information Commissioner (IC), albeit in a polite, judgely manner.

The case concerned applications for injunctive relief against Kordowski, the publisher of the “Solicitors from Hell” website. The claims were in defamation, under the Protection of Harassment Act 1997, and the Data Protection Act 1998 (DPA). Unsurprisingly, given the focus of the blog, it is the last I focus on, although one must be aware it was only one of the causes of action discussed.

It transpires that the Chief Executive of the Law Society, on behalf of many solicitors who felt aggrieved by the contents of the website in question (which invited people to “rate” and comment on solicitors, with predictably defamatory results) had complained to the IC that the site was in breach of the provisions of the Data Protection Act 1998 (DPA). On 6 January this year the IC replied, in a three-page letter, apparently saying that the exemption at section 36 of the DPA effectively meant he lacked jurisdiction to determine whether there had been a breach:

 The inclusion of the “domestic purposes” exemption in the Data Protection Act (s.36) is intended to balance the individual’s rights to respect for his/her private life with the freedom of expression. These rights are equally important and I am strongly of the view that it is not the purpose of the DPA to regulate an individual right to freedom of expression – even where the individual uses a third party website, rather than his own facilities, to exercise this.

Fellow blogger Tim Turner has already recently criticised the IC’s invoking of s36 to avoid regulating the internet/blogosphere. He will be pleased to see Tugendhat J agreeing with him, in pretty stern and unequivocal language, that using that DPA “domestic purposes exemption” to avoid regulating websites and blogs is not an option open, in general terms, to the IC.

The IC had said in his letter

The situation would clearly be impossible were the Information Commissioner to be expected to rule on what it is acceptable for one individual to say about another be that a solicitor or another individual. This is not what my office is established to do. This is particularly the case where other legal remedies are available – for example, the law of libel or incitement.

The slapdown from Tugendhat J is

 I do not find it possible to reconcile the views on the law expressed in the Commissioner’s letter with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully. The authoritative statements of the law are to be found not only in the cases cited in this judgment (including para 16 above), but also by the Court of Appeal in Campbell v MGN Ltd [2002] EWCA Civ 1373 [2003] QB 633 paras [72] to [138], and in other cases. As Patten J made clear in Murray, where the DPA applies, if processing is unlawful by reason of it breaching the general law of confidentiality (and thus any other general law) there will be a contravention of the First Data Protection Principle within the meaning of s.40(1), and a breach of s.4(4) of the DPA. See also Douglas v Hello! Ltd [2003] EWHC 786 (Ch) [2003] 3 All ER 996 paras 230-239 and Clift v Slough Borough Council [2009] EWHC 1550 (QB) [2009] 4 All ER 756. The fact that a claimant may have claims under common law torts, or under HRA s.6, does not preclude there being a claim under, or other means of enforcement of, the DPA.

This, of course, places the IC in a very difficult situation (actually, according to him, an “impossible” one). In fairness to him, and in fairness to the judge, it is pointed out that IC was not in attendance nor represented in the proceedings, and it might be that he has a killer riposte up his sleeve. If not, he has a problem. Until now he has only had the criticism of mere people like Tim, or me, to lead him to question his approach to s36 and the internet.(Yes, yes, there was also the European Court of Justice, but the Lindqvist judgment was a very long time ago – effectively in pre-history – and therefore easy to sidestep). Now, given that a superior court of record has overruled him, and held that there were multiple breaches of the DPA in this case and that the IC was wrong in his application of the s36 domestic purposes exemption, he may find that his already over-stretched resources will have to cover complaints from people who feel that their rights under DPA have been both engaged, and breached, by other individuals on the Internet. Picking a theoretical example – a complaint from someone who objects to the uploading of a private photo of them to Facebook without their consent.

It also places bloggers, and social media users in general, in a potentially risky position. Tugendhat J distinguishes such internet publication from journalism (as does Hugh Tomlinson QC – who, uncoincidentally, I suspect, acted for the claimants in this case – in two important recent posts on the Inforrm blog). If we non-journalists are potentially subject to the DPA but lack the protection it offers to journalists, we could all find ourselves at risk not just of regulatory action from the IC, but those private actions which can also be brought under the Act.

One would hope that the new draft EC data protection regulation would grapple with “the practical difficulties raised by cases such as the present” but on first viewing I’m not sure it does. Whether the door would be open to the UK legislature to address the problem is a matter for conjecture. In the interim, however, with the publication of this judgment, the IC has some close reading to do.

2 Comments

Filed under Data Protection, Information Commissioner, Privacy

December 2, 2011 · 9:03 am

Mandatory breach reporting and the public interest

In May of this year the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 amended the existing Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

The regulations apply to different bodies in different circumstances (for instance those parts relating to cookies, which apply effectively to anyone using cookies on their website). However, a key amendment applies to specifically to providers of a public electronic communications service (broadly, telecoms companies and internet service providers): regulation 5A(2) of the PECR now says

If a personal data breach occurs, the service provider shall, without undue delay, notify that breach to the Information Commissioner.

This is the first appearance in domestic law of a mandatory requirement to inform the Information Commissioner (IC) of a data breach. “Data breach” itself  is defined as

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

While a PECR data breach is not, expressly, a breach of the Data Protection Act 1998 (DPA) I cannot imagine circumstances in which a PECR breach would not also involve a breach of the provisions of the DPA (and – specifically and primarily – the seventh data protection principle). How the IC responds to notifications made to him under regulation 5A(2) will, therefore, be of interest to all data controllers.

This is because the imminent new European data protection instrument (either a new Directive or a Regulation) is likely to introduce mandatory data breach reporting into the Data Protection laws. It is not yet clear how far the requirement would extend. In an interview on 16 November with The Washington Post the EU Justice Commissioner, Vivian Reding, said

…we will now have such rules on notification for all sectors so citizens will know when their data has been breached, whether by criminal intent, accidental or other circumstances. We already have this rule for telecom companies but not for other sectors such as e-banking services, private-sector medical records and online shopping. We will extend the telecom rules to the Internet.

So will mandatory notification apply to “all sectors” or just (in addition to telcos/ISPs) “e-banking services, private-sector medical records and online shopping”? We’ll have to wait and see.

I made a Freedom of Information Act 2000 (FOIA) request to the IC asking how many mandatory notifications had been made to this office since the amended PECR came into effect, and by whom and whether the companies involved had informed data subjects of the breach. The IC’s response is that 76 notifications have been made (they don’t say, but I presume this is to the 3 November, the date of my request) and in 64 of these cases data subjects were also informed. By way of explanation for the latter figure the IC says

…it is not a requirement of the regulations for providers to tell the ICO whether or not they have notified data subjects. The service providers only have to inform subscribers where ‘the personal data breach is likely to adversely affect the personal data or privacy of a subscriber or user’. If that is the case they have to ‘without undue delay, notify that breach to the subscriber or user concerned.’

When it comes to disclosing the names of the companies involved, however, the IC is scratching his head. He has identified (at least this is how I read his response) that disclosing this information would prejudice the commercial interests of those companies, and that, therefore, section 43 of FOIA is engaged. Having decided this, however, he has to consider (under section 2(2)(b) of FOIA) whether

in all the circumstances of the case, the public interest in maintaining the exemption outweighs the public interest in disclosing the information

Section 10(3)(b) of FOIA allows authorities to extend the time for compliance with a request (from 20 working days) where they need to consider the public interest test. FOIA itslef unhelpfully only says that it can be extended by “such time as is reasonable in the circumstances” but the IC himself advises that the maximum time that should be taken, in total, is 40 working days. His office has advised me that this applies with my request for names of companies, and it

…may take up to an additional 20 working days to take this decision.  We therefore aim to provide you with a response to this part of your request for information by 23 December 2011

This is, of course, completely acceptable, and I’ll update this post when I get the response, but three things occur to me.

First, if or when mandatory breach notification is extended to other organisations, they will need to be aware that people may request information about such breaches from the IC, and that there is a clear public interest in such information.

Second, if the IC is wrestling with the public interest factors this is clearly a finely-balanced point, and if he comes down against disclosure then this might be a case worth appealing.

Third, surely the IC anticipated that he would get such requests? I’m surprised he hadn’t already considered this public interest point.

 

 

1 Comment

Filed under Breach Notification, Data Protection, Freedom of Information, PECR, Privacy

October 3, 2011 · 8:50 am

(Non-) Invasion of the Body-scanners

The writer and broadcaster Victoria Coren wrote in The Observer yesterday that commuters at Bath railway station had recently been “instructed to walk through a 7ft body scanner”:

Since when did we surprise the public with electronic body searches, randomly as they go about their daily lives, without any reason to suspect them of anything? Have search warrants also been abandoned while I wasn’t looking? May the police now turn up on a whim and rootle around in our drawers?

These are serious and current concerns. The use of Advanced Imaging Technology (or AIT) at airports is not without controversy. However, the rolling-out of this technology to other areas, for instance railway stations, would be a major development, and it would raise great concern if it was done without publicity, consultation, and without there being clear reasons for its use. However, the American blogger and privacy activist who goes by the twitter handle of @PogoWasRight has spotted this press release on Avon and Somerset Constabulary’s website, which suggests that in fact what Coren experienced was a metal detector designed primarily to pick up people carrying hidden knives:

The police operation will see people arriving by train being screened by an airport-style metal detector to see if they are carrying knives or other weapons.

These are commonly known as “knife-arches” and are essentially the same metal detector arches we are accustomed to passing through at airports. They are a considerably less intrusive technology than AIT, although their use is not in itself without controversy

Many police forces now set up “knife arches” as part of their drive against knife crime. They have no legal power to compel an individual to walk through them, yet the Met has indicated that refusal to walk through an arch when asked to do so by an officer “may” be grounds for a search. In other words, the police have no explicit power to compel an individual to walk through an arch – if parliament had wished to grant that power, it probably would have – but creative interpretation of the law has given it to them all the same.

Unless any further information is received, it seems safe to assume that what Coren saw at Bath was a knife-arch, about which Liberty‘s James Welch has written some helpful advice.

EDIT: this Daily Mail article confirms the point (via Aaron K. Martin, @WC2A_2AE on twitter).

Leave a Comment

Filed under Privacy

Tagged as , ,