Category Archives: social media

September 29, 2014 · 1:18 pm

Brooks Newmark, the press, and “the other woman”

UPDATE: 30.09.14 Sunday Mirror editor Lloyd Embley is reported by the BBC and other media outlets to have apologised for the use of women’s photos (it transpires that two women’s images appropriated), saying

We thought that pictures used by the investigation were posed by models, but we now know that some real pictures were used. At no point has the Sunday Mirror published any of these images, but we would like to apologise to the women involved for their use in the investigation

What I think is interesting here is the implicit admission that (consenting) models could have been used in the fake profiles. Does this mean therefore, the processing of the (non-consenting) women’s personal data was not done in the reasonable belief that it was in the public interest?

Finally, I think it’s pretty shoddy that former Culture Secretary Maria Miller resorts to victim-blaming, and missing the point, when she is reported to have said that the story “showed why people had to be very careful about the sorts of images they took of themselves and put on the internet”

END UPDATE.

With most sex scandals involving politicians, there is “the other person”. For every Profumo, a Keeler; for every Mellor, a de Sancha; for every Clinton, a Lewinsky. More often than not the rights and dignity of these others are trampled in the rush to revel in outrage at the politicians’ behaviour. But in the latest, rather tedious, such scandal, the person whose rights have been trampled was not even “the other person”, because there was no other person. Rather, it was a Swedish woman* whose image was appropriated by a journalist without her permission or even her knowledge. This raises the question of whether such use, by the journalist, and the Sunday Mirror, which ran the exposé, was in accordance with their obligations under data protection and other privacy laws.

The story run by the Sunday Mirror told of how a freelance journalist set up a fake social media profile, purportedly of a young PR girl called Sophie with a rather implausible interest in middle-aged Tory MPs. He apparently managed to snare the Minister for Civil Society and married father of five, Brooks Newmark, and encourage him into sending explicit photographs of himself. The result was that the newspaper got a lurid scoop, and the Minister subsequently resigned. Questions are being asked about the ethics of the journalism involved, and there are suggestions that this could be the first difficult test for IPSO, the new Independent Press Standards Organisation.

But for me much the most unpleasant part of this unpleasant story was that the journalist appears to have decided to attach to the fake twitter profile the image of a Swedish woman. It’s not clear where he got this from, but it is understood that the same image had apparently already appeared on several fake Facebook accounts (it is not suggested, I think, that the same journalist was responsible for those accounts). The woman is reported to be distressed at the appropriation:

It feels really unpleasant…I have received lot of emails, text messages and phone calls from various countries on this today. It feels unreal…I do not want to be exploited in this way and someone has used my image like this feels really awful, both for me and the others involved in this. [Google translation of original Swedish]

Under European and domestic law the image of an identifiable individual is their personal data. Anyone “processing” such data as a data controller (“the person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed”) has to do so in accordance with the law. Such processing as happened here, both by the freelance journalist, when setting up and operating the social media account(s), and by the Sunday Mirror, in publishing the story, is covered by the UK Data Protection Act 1998 (DPA). This will be the case even though the person whose image was appropriated is in Sweden. The DPA requires, among other things, that processing of personal data be “fair and lawful”. It affords aggrieved individuals the right to bring civil claims for compensation for damage and distress arising from contraventions of data controllers’ obligations under the DPA. It also affords them the right to ask the Information Commissioner’s Office (ICO) for an assessment of the likelihood (or not) that processing was in compliance with the DPA.

However, section 32 of the DPA also gives journalism a very broad exemption from almost all of the Act, if the processing is undertaken with a view to publication, and the data controller reasonably believes that publication would be in the public interest and that compliance with the DPA would be incompatible with the purposes of journalism. As the ICO says

The scope of the exemption is very broad. It can disapply almost all of the DPA’s provisions, and gives the media a significant leeway to decide for themselves what is in the public interest

The two data controllers here (the freelancer and the paper) would presumably have little problem satisfying a court, or the ICO, that when it came to processing of Brooks Newmark’s personal data, they acted in the reasonable belief that the public interest justified the processing. But one wonders to what extent they even considered the processing of (and associated intrusion into the private life of) the Swedish woman whose image was appropriated. Supposing they didn’t even consider this processing – could they reasonably say they that they reasonably believed it to have been in the public interest?

These are complex questions, and the breadth and ambit of the section 32 exemption are likely to be tested in litigation between the mining and minerals company BSG and the campaigning group Global Witness (currently stalled/being considered at the ICO). But even if a claim or complaint under DPA would be a tricky one to make, there are other legal issues raised. Perhaps in part because of the breadth of the section 32 DPA exemption (and perhaps because of the low chance of significant damages under the DPA), claims of press intrusion into private lives are more commonly brought under the cause of action of “misuse of private information “, confirmed – it would seem – as a tort, in the ruling of Mr Justice Tugendhat in Vidal Hall and Ors v Google Inc [2014] EWHC 13 (QB), earlier this year. Damage awards for successful claims in misuse of private information have been known to be in the tens of thousands of pounds – most notably recently an award of £10,000 for Paul Weller’s children, after photographs taken covertly and without consent had been published in the Mail Online.

IPSO expects journalists to abide by the Editor’s Code, Clause 3 of which says

i) Everyone is entitled to respect for his or her private and family life, home, health and correspondence, including digital communications.

ii) Editors will be expected to justify intrusions into any individual’s private life without consent. Account will be taken of the complainant’s own public disclosures of information

and the ICO will take this Code into account when considering complaints about journalistic processing of personal data. One notes that “account will be taken of the complainant’s own public disclosures of information”, but one hopes that this would not be seen to justify the unfair and unethical appropriation of images found elsewhere on the internet.

*I’ve deliberately, although rather pointlessly – given their proliferation in other media – avoided naming the woman in question, or posting her photograph

4 Comments

Filed under Confidentiality, consent, Data Protection, Information Commissioner, journalism, Privacy, social media

Tagged as data protection, DPA, ICO, journalism, privacy, social media

September 7, 2014 · 12:04 pm

Blackpool Displeasure Breach

I like watching football, but any real interest I had in following a club waned around the time David Hirst stopped scoring for fun for Sheffield Wednesday. I also came to be disillusioned by the advent of big money, with clubs run more and more as business concerns aimed at boosting the investments of shareholders.

So I hadn’t appreciated that convicted rapist Owen Oyston was still listed as Director of Blackpool F.C. Nor that his son Karl Oyston is Chairman. Nor that Karl’s son Sam runs the club’s hotel. It appears that at least some fans are highly critical of the Oyston dynasty, and this manifested itself in a rather puerile twitter exchange which was drawn to my attention this morning

To explain what’s going on here, a fan replies to a news item about the club’s manager, and calls the Oyston family “wankers”. Sam Oyston responds by identifying the seat the fan – presumably a season-ticket holder – occupies, and implies that if he continues to be rude the ticket will be withdrawn.

This is all very unsavoury, but it also raises concerns about the club’s handling of its fans’ personal data. The publishing of the seat number is not particularly worrying in itself: it refers to the fan’s physical place in a very public arena, and I doubt he would be bothered about it being publicised (he might even be proud, as it implies he is a dedicated fan). However, one must ask how, and why, the manager of a hotel run by the club has such ready access to customer details.

The first data protection principle of the Data Protection Act 1998 (DPA) requires that personal data be processed fairly (and lawfully) and the second principle requires that personal data “shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes”. If fans’ details are being accessed by the club’s hotel manager, in order to implicitly threaten them with removal of their right to attend matches, it would be difficult to see how this would be compatible with purposes for which they were obtained by the club, as data controller. I suppose it is just possible that the terms of the tickets explain that, say, abusive behaviour could lead to cancellation, but even so, it would be unlikely that this would cover what happened in the twitter exchange. One might also question whether, if someone apparently unconnected with the running of the club membership can access ticket data, the club has – in accordance with the seventh data protection principle – appropriate organisational measures in place to safeguard against unauthorised processing of personal data.

A data controller has a statutory obligation to comply with the data protection principles – a failure to do so opens it up to the possibility of civil claims being made against it, and civil enforcement action being taken by the Information Commissioner’s Office.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

7 Comments

Filed under Data Protection, Information Commissioner, social media

Tagged as data protection, DPA, ICO

August 24, 2014 · 12:22 pm

Twitter timeline changes – causing offence?

@jamesrbuk: Well that’s jarring: Twitter just put a tweet into my feed showing a still from the James Foley beheading video, from account I don’t follow

When the Metropolitan Police put out a statement last week suggesting that merely viewing (absent publication, incitement etc) the video of the beheading of James Foley, they were rightly challenged on the basis for this (conclusion, there wasn’t a valid one).

But what about a company which actively, by the coding of its software, communicates stills from the video to unwilling recipients? That seems to be the potential (and actual, in the case of James Ball in the tweet quoted above) effect of recent changes Twitter has made to its user experience. Tweets are now posted to users’ timelines which are not from people followed, nor from followers of people followed

when we identify a Tweet, an account to follow, or other content that’s popular or relevant, we may add it to your timeline. This means you will sometimes see Tweets from accounts you don’t follow. We select each Tweet using a variety of signals, including how popular it is and how people in your network are interacting with it. Our goal is to make your home timeline even more relevant and interesting

I’m not clear on the algorithm that is used to select which unsolicited tweets are posted to a timeline, but the automated nature of it raises issues, I would argue, about Twitter’s responsibility and potential legal liability for the tweets’ appearance, particularly if the tweets are offensive to the recipient.

Section 127 of the Communications Act 2003 says

A person is guilty of an offence if he—

(a)sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or

(b)causes any such message or matter to be so sent.

The infamous case of DPP v Chambers dealt with this provision, and although Paul Chambers was, thankfully, successful in appealing his ridiculous conviction for sending a menacing message, the High Court accepted that a tweet is a message sent by means of a public electronic communications network for the purposes of the Communications Act 2003 (¶25).

A still of the beheading video certainly has the potential to be grossly offensive, and also obscene. The original tweeter might possibly be risking the committing of a criminal offence in originally tweeting it, but what of Twitter, inserting into an unwilling recipient’s timeline?

Similarly, section 2 of the Terrorism Act 2006 creates an offence if a person is reckless at whether the distribution or circulation of a terrorist publication constitutes a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism (it’s possible this is the offence the Met were -oddly – hinting at in their statement).

I’m not a criminal lawyer (I’m not even a lawyer) so I don’t know whether the elements of the offence are made out, nor whether there are jurisdictional or other considerations in play, but it does strike me that the changes Twitter has made have the potential to produce grossly offensive results.

ICO indicates that (non-recreational) bloggers must register with them

I think I am liable to register with the ICO, and so are countless others. But I also think this means there needs to be a debate about what this, and future plans for levying a fee on data controllers, mean for freedom of expression

Recently I wrote about whether I, as a blogger, had a legal obligation to register with the Information Commissioner’s Office (ICO) the fact that I was processing personal data (and the purposes for which it was processed). As I said at the time, I asked the ICO whether I had such an obligation, and they said

from the information you have provided it would be unlikely that you would be required to register in respect of your blogs and tweets

However, I asked them for clarification on this point. I noted that I couldn’t see any exemption from the obligation to register, unless it was the general exemption (at section 36) from the Data Protection Act 1998 (DPA) where the processing is only for “domestic purposes”, which include “recreational purposes”. I noted that, as someone writing a semi-professional blog, I could hardly rely on the fact I do this only for recreational purposes. The ICO’s reply is illuminating

if you were blogging only for your own recreational purposes, it would be unlikely that you would need to register as a data controller. However, you have explained that your blogging is not just for recreational purposes. If you are sharing your views in order to further some other purpose, and this is likely to impact on third parties, then you should consider registering.

I know this is couched in rather vague terms – “if”…”likely”…”consider” – but it certainly suggests that merely being a non-professional blogger does not exempt me from having to register with a statutory regulator.

Those paying careful attention might understand the implications of this: millions of people every day share their views online, in order to further some purpose, in a way that “is likely to impact on third parties”. When poor Bodil Lindqvist got convicted in the Swedish courts in 2003 that is just what she was doing, and the Court of Justice of the European Union held that, under the European Data Protection Directive, she was processing personal data as a data controller, and consequently had legal obligations under data protection law to process data fairly, i.e. by not writing about a fellow churchgoer’s broken leg etc. without informing them/giving them an opportunity to object.

And there, in my last paragraph, you have an example of me processing personal data – I have published (i.e. processed) sensitive (i.e. criminal conviction) personal data (i.e. of an identifiable individual). I am a data controller. Surely I have to register with the ICO? Section 17 of the DPA says that personal data must not be processed unless an entry in respect of the data controller is included in the register maintained by the ICO, unless an exemption applies. The “domestic purposes” exemption doesn’t wash – the ICO has confirmed that¹, and none of the exemptions apply. I have to register.

But if I have to register (and I will, because if I continue to process personal data without a registration I am potentially committing a criminal offence) then so, surely, do the millions of other people throughout the country, and throughout the jurisdiction of the data protection directive, who publish personal data on the internet not solely for recreational purposes – all the citizen bloggers, campaigning tweeters, community facebookers and many, many others…

To single people out would be unfair, so I’m not going to identify individuals who I think potentially fall into these categories, with the following exception. In 2011 Barnet Council was roundly ridiculed for complaining to the ICO about the activities of a blogger who regularly criticised the council and its staff on his blog². The Council asked the ICO to determine whether the blogger in question had failed in his legal obligation to register with the ICO in order to legitimise his processing of personal data. The ICO’s response was

If the ICO were to take the approach of requiring all individuals running a blog to notify as a data controller … it would lead to a situation where the ICO is expected to rule on what is acceptable for one individual to say about another. Requiring all bloggers to register with this office and comply with the parts of the DPA exempted under Section 36 (of the Act) would, in our view, have a hugely disproportionate impact on freedom of expression.

But subsequently, the ICO was taken to task in the High Court on this general stance (but in unrelated proceedings) about being “expected to rule on what is acceptable for one individual to say about another”, with the judge saying

I do not find it possible to reconcile the views on the law expressed [by the ICO] with authoritative statements of the law. The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully

And if now the ICO accepts that, at least those bloggers (like the one in the Camden case) who are not solely blogging for recreational purposes, might be required to register, it possibly indicates a fundamental change.

In response to my last blog post on this subject someone asked “why ruffle feathers?”. But I think this should lead to a societal debate: is it an unacceptable infringement of the principles of freedom of expression for the law to require registration with a state regulator before one can share one’s (non-recreational) views about individuals online? Or is it necessary for this legal restraint to be in place, to seek to protect individuals’ privacy rights?European data protection reforms propose the removal of the general obligation for a data controller to register with a data protection authority, but in the UK proposals are being made (because of the loss of ICO fee income that would come with this removal) that there be a levy on data controllers.

If such proposals come into effect it is profoundly important that there is indeed a debate about the terms on which the levy is made – or else we could all end up being liable to pay a tax to allow us to talk online.

¹On a strict reading of the law, and the CJEU judgment in Lindqvist, the distinction between recreational and non-recreational expressions online does not exist, and any online expression about an identifiable individual would constitute processing of personal data. The “recreational” distinction does not exist in the data protection directive, and is solely a domestic provision

²A confession: I joined in the ridicule, but was disabused of my error by the much better-informed Tim Turner. Not that I don’t think the Council’s actions were ill-judged.

10 Comments

Filed under Data Protection, Directive 95/46/EC, Information Commissioner, social media

Tagged as data protection, directive 95/46/EC, DPA, ICO, social media

August 4, 2014 · 3:10 pm

Lords’ Committee on Social Media and Criminal Offences – lacking a DPA expert?

In its generally sensible report on Social Media and Criminal Offences the House of Lords’ Communications Committee dealt with the subject of “Revenge Porn” (defined as “the electronic publication or distribution of sexually explicit material (principally images) of one or both of the couple, the material having originally been provided consensually for private use” which seems to me worryingly to miss a key factor – that the publication or distribution will be done with harmful intent). The committee considered what criminal offences might be enaged by this hateful practice, but also observed (¶41) that

a private remedy is already available to the victim. Images of people are covered by the Data Protection Act 1988 (as “personal data”), and so is information about people which is derived from images. Images of a person count as “sensitive personal data” under the Act if they relate to “sexual life”. Under the Act, a data subject may require a data controller not to process the data in a manner that is “causing or is likely to cause substantial damage or substantial distress to him or to another”.

This is all true, but the next bit is not

The Information Commissioner may award compensation to a person so affected

The Information Commissioner (IC) has no such powers, and one wonders from where the committee got this impression (maybe they mistook the IC’s enforcement powers with the powers of the Local Government Ombudsman to make recommendations (such as payment of compensation)). In circumstances where someone wishes to complain about the processing of their personal data their only direct right (regarding the IC) is to ask him (pursuant to section 42) to assess whether the data controller’s processing was likely to have complied with its obligations under the Data Protection Act 1998 (DPA). All the substantive rights given to data subjects under the DPA (such as access to data, rectification, ceasing of processing, compensation etc) are enforceable only by the data subject through the courts. Moreover, in the case of “revenge porn” cases, they would involve the data subject requesting the data controller (who in most cases will be the person who has uploaded the images/content in question) to desist. This could clearly be a course of action fraught with difficulties.

The Committee goes on to point to another civil remedy – “An individual may also apply to the High Court for a privacy injunction to prevent or stop the publication of material relating to a person’s sexual life” – but observes (¶44) that

We are concerned that the latter remedy is available only to those who can afford access to the High Court. It would be desirable to provide a proportionately more accessible route to judicial intervention

Whilst remedies under the DPA are available through the County Court (or Sheriff’s Court in Scotland), rather than the High Court, this still involves expenditure, especially if the case is not amenable to the small claims track, and also involves potential exposure to costs in the event that the claim is unsuccessful.

Furthermore, in the event that the IC were asked to consider a complaint about “revenge porn”, it might be born in mind that he is reluctant to rule on matters regarding publication of private information on the internet. Section 36 of the DPA provides an exemption to the Act where the processing is only for “domestic purposes”. The Committee correctly says (¶41)

Personal data “processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes)” are exempt from this provision but the European Court of Justice has determined that posting material on the internet is not part of one’s “personal, family or household affairs”

And the Committee cites in support of this the Court of Justice of the European Union’s judgment in the case of Lindqvist. But the IC has traditionally been reluctant fully to grapple with the implications of Lindqvist, and, as I have noted previously, its guidance Social networking and online forums – when does the DPA apply?, which says

the ‘domestic purposes’ exemption…will apply whenever an individual uses an online forum purely for domestic purposes

is manifestly at odds with the CJEU’s ruling.

I would greatly hope that, if asked to consider the legality of the posting of “revenge porn”, the IC would not decline jurisdiction on the basis of the section 36 exemption, but his position on section 36 is problematic when it comes to regulation and enforcement of social media.

It is rather to be regretted that the Lords’ Committee was not better informed on these particular aspects of its report.

3 Comments

Filed under Data Protection, Information Commissioner, social media

Tagged as DPA, ICO, social media

July 18, 2014 · 4:41 pm

Naming and shaming no shows is a no-no

I know a couple who run a restaurant. And I know how the problem of no-shows can cause great economic damage to restaurants. Failing to show up, or to cancel in advance, is, moreover, incredibly rude. But the response, which I only became aware of today, of naming and shaming the no-show customers on twitter is a risky and probably unlawful one for restaurateurs to take.

In the instance I saw this morning a London restaurant had apparently searched for the twitter account of a person who they thought had failed to show, and had openly tweeted their displeasure. He, however, had email proof that he had cancelled in advance. The restaurant investigated, accepted this, and apologised (and the customer accepted, so I’m not going to name either of the parties).

However, the restaurant was processing the personal data of the customer when it took his booking, and their use of that data would be limited to what the customer was told at the time, or what he might reasonably expect. So, unless they had a very odd privacy notice, their permitted processing purposes would not have extended to the naming and shaming of him for failing to turn up. Thus, it would seem to be a breach of at least the both the first and the second data protection principle. Moreover, the rather cavalier approach to customer data wouldn’t make one confident about other aspects of data protection compliance.

I really do sympathise with restaurateurs: one of the alternative approaches to no-shows and late cancellers is punitive cancellation fees but that also has its drawbacks and detractors. However, there are not many areas of commerce where companies would be able to get away with such apparently unfair and unlawful processing of their customer’s personal data: announcing that someone has failed to attend at a certain restaurant potentially indicates quite a bit about the person’s tastes, means and location. It’s a risky thing for a restaurateur to do, especially when, as with the restaurant I saw tweeting earlier today, they haven’t registered their processing with the Information Commissioner’s Office (which, I would emphasise, is a criminal offence).

Privacy issues with Labour Party website

Two days ago I wrote about a page on the Labour Party website which was getting considerable social media coverage. It encourages people to submit their date of birth to find out, approximately, of all the births under the NHS, what number they were.

I was concerned that it was grabbing email address without an opt-out option. Since then, I’ve been making a nuisance of myself asking, via twitter, various Labour politicians and activists for their comments. I know I’m an unimportant blogger, and it was the weekend, but only one chose to reply: councillor for Lewisham Mike Harris, who, as campaign director for DontSpyOnUs, I would expect to be concerned, and, indeed, to his credit, he said “You make a fair point, there should be the ability to opt out”. Mike suggested I email Labour’s compliance team.

In the interim I’d noticed that elsewhere on the Labour website there were other examples of emails being grabbed in circumstances where people would not be sure about the collection. For instance: this “calculator” which purports to calculate how much less people would pay under Labour for energy bills, which gives no privacy notice whatsoever. Or even this, on the home page, which similarly gives no information about what will happen with your data

Now, some might say that, if you’re giving your details to “get involved”, then you are consenting to further contact. This is probably true, but it doesn’t mean the practice is properly compliant with data collection laws. And this is not unimportant; as well as potentially contributing to the global spam problem, poor privacy notices/lack of opt-out facilities at the point of collection of email address contribute to the unnecessary amassing of private information, and when it is done by a political party, this can even be dangerous. It should not need pointing out that, historically, and elsewhere in the world, political party lists have often been used by opposition parties and repressive governments to target and oppress activists. Indeed, the presence of one’s email on a party marketing database might well constitute sensitive personal data – as it can be construed as information on one’s political opinions (per section 2 of the Data Protection Act 1998).

So, these are not unimportant issues, and I decided to follow Mike Harris’s suggestion to email Labour’s compliance unit. However, the contact details I found on the overarching privacy policy merely gave a postal address. I did notice though that that page said

If you have any questions about our privacy policy, the information we have collected from you online, the practices of this site or your interaction with this website, please contact us by clicking here

But if I follow the “clicking here” link, it takes me to – wait for it – a contact form which gives no information whatsoever about what will happen if I submit it, other than the rather stalinesque

The Labour Party may contact you using the information you supply

And returning to the overarching privacy policy didn’t assist here – none of the categories on that page fitted the circumstances of someone contacting the party to make a general enquiry.

I see that the mainstream media have been covering the NHS birth page which originally prompted me to look at this issue. Some, like the Metro, and unsurprisingly, the Mirror, are wholly uncritical. The Independent does note that it is a clever way of harvesting emails, but fails to note the questionable legality of the practice. Given that this means that more and more email addresses will be hoovered up, without people fully understanding why, and what will happen with them, I really think that senior party figures, and the Information Commissioner, should start looking at Labour’s online privacy activities.

(By the way, if anyone thinks this is a politically-motivated post by me, I would point out that, until 2010, when I voted tactically (never again), I had only ever voted for one party in my whole life, and that wasn’t the Conservatives or the Lib Dems.)

6 Comments

Filed under Data Protection, Information Commissioner, marketing, PECR, Privacy, privacy notice, social media, tracking

Tagged as consent, data protection, DPA, ICO, PECR, privacy

July 4, 2014 · 10:06 am

We’re looking into it

The news is awash with reports that the UK Information Commissioner’s Office (ICO) is “opening an investigation” into Facebook’s rather creepy research experiment, in conjunction with US universities, in which it apparently altered the users’ news feeds to elicit either positive or negative emotional responses. Thus, the BBC says “Facebook faces UK probe over emotion study”, SC Magazine says “ICO probes Facebook data privacy” and the Financial Times says “UK data regulator probes Facebook over psychological experiment”.

As well as prompting one to question some journalists’ obsession with probes, this also leads one to look at the basis for these stories. It appears to lie in a quote from an ICO spokesman, given I think originally to the online IT news outlet The Register

The Register asked the office of the UK’s Information Commissioner if it planned to probe Facebook following widespread criticism of its motives.

“We’re aware of this issue, and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances,” a spokesman told us.

So, the ICO is aware of the issue and will be speaking to Facebook and to the Irish Data Protection Commissioner’s office. This doesn’t quite match up to the rather hyperbolic news headlines. And there’s a good reason for this – the ICO is highly unlikely to have any power to investigate, let alone take action. Facebook, along with many other tech/social media companies, has its non-US headquarters in Ireland. This is partly for taxation reasons and partly because of access to high-skilled, relatively low cost labour. However, some companies – Facebook is one, LinkedIn another – have another reason, evidenced by the legal agreements that users enter into: because the agreement is with “Facebook Ireland”, then Ireland is deemed to be the relevant jurisdiction for data protection purposes. And, fairly or not, the Irish data protection regime is generally perceived to be relatively “friendly” towards business.

These jurisdictional issues are by no means clear cut – in 2013 a German data protection authority tried to exercise powers to stop Facebook imposing a “real name only” policy.

Furthermore, as the Court of Justice of the European Union recognised in the recent Google Spain case, the issue of territorial responsibilities and jurisdiction can be highly complex. The Court held there that, as Google had

[set] up in a Member State a branch or subsidiary which is intended to promote and sell advertising space offered by that engine and which orientates its activity towards the inhabitants of that Member State

it was processing personal data in that Member State (Spain). Facebook does have a large UK corporate office with some responsibility for sales. It is just possible that this could give the ICO, as domestic data protection authority, some power to investigate. And if or when the draft European General Data Protection Regulation gets passed, fundamental shifts could take place, extending even, under Article 3(2) to bringing data controllers outside the EU within jurisdiction, where they are offering goods or services to (or monitoring) data subjects in the EU.

But the question here is really whether the ICO will assert any purported power to investigate, when the Irish DPC is much more clearly placed to do so (albeit it with terribly limited resources). I think it’s highly unlikely, despite all the media reports. In fact, if the ICO does investigate, and it leads to any sort of enforcement action, I will eat my hat*.

*I reserve the right to specify what sort of hat

What’s so foolish about FOI?

The television presenter Phillip Schofield took to Twitter recently to draw attention to a Freedom of Information (FOI) request to Avon and Somerset Police. He did so because the request had asked about the cost to the force of Mr Schofield’s attendance at an open day.

Message to Tom Hodder .. No Fee!! My bro works for the police, it was a family day out! https://www.whatdotheyknow.com/request/philip_schofield … #WastingPoliceTime #Fool

I’ve no problem with his drawing attention to it, nor with his naming the person, but I thought it was rather unpleasant that he chose to use the hashtags #WastingPoliceTime #Fool. As Mr Schofield, and the response on WhatDoTheyKnow.com, say, the cost was nil, but I don’t suppose Mr Hodder was to know that: Mr Schofield was described on his own employer’s site as having been invited to attend, and he promotes himself as someone for hire for “personal appearances”. I didn’t know Mr Schofield’s brother works for the police, and I suspect Mr Hodder didn’t either.

Wasting Police Time is a term used to describe a criminal offence. What Mr Hodder was doing was exercising his statutory right to ask a public authority for information (in this instance about the expenditure of public funds), and I see nothing wrong in what he asked (nor, indeed, in the response by the police. I am sure Mr Schofield wasn’t seriously suggesting the commission of a criminal offence, but his use of the term, and the epithet “fool” seem mean-spirited. And, of course, as he might have expected, many of his fans jumped to his defence and to verbally attack Mr Hodder.

All this seems rather ironic when one considers Mr Schofield’s involvement in 2012 in another “transparency” story. This was when he confronted the prime minister with a list of alleged child sex abusers which he had found online, but which he failed to shield from the studio cameras – a stunt which Jonathan Dimbleby described as “cretinous”. This led to his employer having to pay the late Lord McAlpine (whose name was on the list) £125,000 to settle a defamation claim. Even the apology which followed the incident had a mean-spirited air about it, when Mr Schofield appeared to blame the cameraman.

Mr Schofield has one of the largest followings on Twitter (2.99 million, at the time of writing). People with that sort of following carry some responsibility, and if they criticise named individuals they should do so fairly. I think it would be in order if he apologised to Mr Hodder.

2 Comments

Filed under Freedom of Information, police, social media

Tagged as FOI, police

June 29, 2014 · 12:35 pm

I DON’T KNOW WHAT I’M DOING

As surprising as it always is to me, I’m occasionally reminded that I don’t know everything. But when I’m shown not to know how my own website works, it’s more humbling.

A commenter on one of my blog posts recently pointed out the number of tracking applications which were in operation. I had no idea. (I’ve disabled (most of) them now).

And someone has just pointed out (and some others have confirmed) that, when visiting my blog on their iphone, it asks them whether they want to tell me their current location. I have no idea why. (I’m looking into it).

These two incidents illustrate a few things to me.

Firstly, for all my pontificating about data protection, and – sometimes – information security, I’m not particularly technically literate: this is a wordpress.com blog, which is the off-the-peg version, with lots of things embedded/enabled by default. Ideally, I would run and host my own site, but I do this entirely in my own time, with no funding at all.

Secondly, and following on from the first, I am one among billions of people who run web applications without knowing a great deal about the code that they’re based on. In a world of (possibly deliberately coded) back-door and zero day vulnerabilities this isn’t that surprising. If even experts can be duped, what hope for the rest of us?

Thirdly, and more prosaically, I had naively assumed that, in inviting people to read and interact with my blog, I was doing so in a capacity of data controller: determining the purposes for which and the manner in which their personal data was to be processed. (I had even considered notifying the processing with the Information Commissioner, although I know that they would (wrongly) consider I was exempt under section 36 of the Data Protection Act 1998)). But if I don’t even know what my site is doing, in what way can I be said to determine the data processing purposes and manner? But if I can’t, then should I stop doing it? I don’t like to be nominally responsible for activities I can’t control.

Fourthly, and finally, can anyone tell me why my out-of-control blog is asking users to give me their location, and how I can turn the damned thing off?

UPDATE: 30.06.14

The consensus from lots and lots of helpful and much-appreciated comments seems to be a) that this location thingy is embedded in the wordpress software (maybe the theme software), and b) I should migrate to self-hosting.

The latter option sounds good, but I have to remind people that I DON’T KNOW WHAT I’M DOING.

UPDATE:05.07.14

The rather excellent Rich Greenhill seems to have identified the problem (I trust his judgement, but haven’t confirmed this). He says “WordPress inserts mobile-only getCurrentPosition from aka-cdn-nsDOTadtechusDOTcom/…DAC.js via adsDOTmopubDOTcom in WP ad script”…”Basically, WordPress inserts ads; but, for mobile devices only, the imported ad code also attempts to detect geo coordinates”.

So it dooes look like I, and other wordpress.com bloggers, who can’t afford the “no ads” option, are stuck with this unless or until we can migrate away.

UPDATE: 11.07.14

We are informed that the code which asks (some) mobile users for their location when browsing this blog has now been corrected. Please let me know if it isn’t.

3 Comments

Filed under Data Protection, Information Commissioner, Personal, social media, tracking

Tagged as data protection, DPA

Blogroll

Recent Posts

Follow Blog via Email

RSS Links

Privacy Notice