Monday 31 December 2012

The Office of Communications v IC

The Information Rights Tribunal has ruled on an ongoing matter about disclosure of the precise location and other details of mobile operators' base stations under the Environmental Information Regulations 2004, holding that Ofcom must release the information supplied to it by mobile operators, including information about the TETRA network, which is used for emergency services communications.

The decision is EA/2006/0078.

The tribunal adopted much of the reasoning of the tribunal which originally heard the case, with some added discussion about the nature of the public interest test and its application, in determining certain qualified exemptions to the regulations.

The result of this case is that, in a few days, a lot of detailed information about cell site locations, power outputs and directions and the like will be released to the applicant in the case by Ofcom. It remains to be seen what the applicant will do with this information — the tribunal acknowledges that the operators' claims to database rights may well be valid, and that, whilst the claimant is entitled to receive these data, it does not get a licence for any act restricted by copyright — but I would have expected it to be posted online.

What do you think? Should this sort of information be made public? Or is it right that it should be kept confidential? Do you think there's a risk here that, if operators cannot trust their regulator to keep information private, they will stop providing information, potentially frustrating a regulator's ability to regulate?

Sunday 9 December 2012

From Freiburg


I'm, along with Steve Saxby, in snowy Freiburg at the moment attending a very interesting conference on the future of the Council of Europe Cybercrime Convention. It is advertised as a meeting of experts (about 15 of us). Especially in the later sessions I have the feeling that I am here under false pretences!

At first the focus was on substantive law and the specific offences laid down in the Convention. There was a lot of discussion of how the technology had moved on since the Convention was drafted. A couple of points which may be of interest. A lot of concern was expressed that trying to tie criminal provisions to telecommunications terminology no longer works. The notion of messages being in the course of communication (or not) is problematic. One issue which attracted a lot of attention is when and to what extent emails are protected legally against interception. Generally once it has been read by the recipient a message is classed as being stored and (at least in continental legal systems) gets a lot less protection than when it is being communicated. As one person commented, in the age of the cloud, storage is merely a slow form of communication. In a slightly different context, there is evidence that criminals/terrorists are using email systems such as Google or Yahoo. Member one can post a message in draft format on the mail server. If member 2 (or 3 or 4 ...) can access the email box they can amend the message but in traditional terms there is no communication. But there is communication!

We considered also the need to harmonise the provisions of data protection and computer crime legislation. A linked topic was the suggestion that we need to extend data protection laws to include commercial data (as happens to some extent under the Communications Privacy Directive). This might give criminal law protection to things like trade secrets without having to wrestle with the thorny topic of whether data might be considered property. In the UK, and moving away from Freiburg, there is a very interesting High Court decision on the point - Fairstar v. Adkins ([2012] EWHC 2952).

A good deal of time was spent on the topic of copyright law. Perhaps surprisingly, there was little support for copyright owners' attempts to involve the criminal law. We had a senior German policeman present and he indicated that the German police were not interested in acting against ordinary users. He recounted a tale of one copyright owner who, with the aid of dishonest lawyers, actually uploaded materials to a file sharing web site and then got the lawyer to demand money with menaces from individuals who had downloaded materials.

Day one saw a bit of momentum for (limited) changes to the Convention. At the start of day 2 we heard from a senior Council of Europe person who spoke in some detail about the problems any attempt to make changes would face. What the Council are planning is to make more use of Guidance Notes. There were, he considered (and those of us from the UK will know the truth of his comments), too many misunderstandings by police, prosecutors and judges as to what the legislation means. The criminality of denial of service attacks was an example he gave. In addition, there might be more protocols attached to the Convention although the basic instrument is likely to remain unchanged. A number of new countries (including Japan) have now ratified the Convention and more are in the pipeline.

The focus of the second day was on procedural issues and we started with a discussion about transborder issues. If police in England execute a search warrant and find a computer with a link to an email account in the United States, can they access it? The general consensus was that laws were rather vague but that law enforcement agencies would access data unless they knew that it was held outside their jurisdiction. A difficult test! There are tensions in the field. We talk much about cyber terrorism and it got publicity in the UK last week with the publication of a Ministerial statement on the working of the UK's cyber terrorism strategy. All countries need to build defences against such attacks but the danger or difficulty is that attempts to pre-empt attacks may involve accessing sites on foreign territories. The analogy was drawn with sending troops into foreign territories to rescue citizens being held hostage. Politically risky if done without the knowledge and consent of the territory in question.

Perhaps not surprisingly but rather depressingly, there was little confidence in cross border cooperation between law enforcement agencies and aspects of the session had me first baffled by some of the technologies that scientific experts were talking about but also with the feeling that only clever criminals have any real expectation of privacy in the modern world. Encryption poses real challenges to law enforcement and the only real solution identified was to attack suspected computers at source - before data was encrypted for transmission. Again, arrangements for intercepting communications have become more complex in recent years and again the point came over that there was too much reliance on telecommunications terminology. Can SKYPE be required to maintain a capability to intercept communications at the behest of law enforcement?

I have to say that I can only hope that I have given an accurate account of the procedural discussions. There were times when, although all the sessions were conducted in English, I could have benefited from simultaneous translation of the technologies.

All in all, a fascinating 2 and a half days (and rather long days). I certainly learned a lot (and also found an Irish pub to watch the Celtic Champions League game) but suspect we are still at the stage which does make IT law both fascinating and frustrating. We are increasingly aware that old models are not working but are not sure what can replace them. In a networked world we need global solutions but as we can see in the Euro crisis, this is not easy to achieve even at a regional level. The Council of Europe Convention is achieving success in being ratified but it is very general in its provisions, especially at the procedural level.

Hopefully I will be able to post more formal minutes of the meeting in a month or so. In the meantime, maybe this account will be of interest in showing the possible form of future developments.

Tuesday 4 December 2012

"When in China, don't leave your laptop alone"

InfoWorld makes a very bold assertion: "If you travel to China or Russia, assume government or industry spooks will steal your data and install spyware."

Is this something which all companies need to be aware of, from a basic data protection point of view, if employees are traveling with laptops which have on them, or enable easy access to, customer data, to meet the requirement of "appropriate security"?

Friday 30 November 2012

ICO's code of practice on anonymisation

The Information Commissioner's Office has released its code of practice on anonymisation, following a consultation period earlier in the year.

It's quite a lengthy document, but is worth a look —
  • it reaffirms that anonymising data is an act of processing in itself, but one which is likely to be permitted under the "legitimate use" basis, and thus does not require consent;
  • there's an interesting discussion about the disclosure of anonymous data, and the "motivated intruder" test for determining whether something should be treated as anonymous or not; and
  • the second case study, on mobile footfall analytics, is particularly pertinent to the course here — my view is that the overall privacy harm (and public perception of the activity) would seem to demand more user control over the activity than ICO has seemed to suggest here.
What do you think? Does it set the bar too low, or is it realistic?

Tuesday 27 November 2012

Unleashing the Potential of Cloud Computing in Europe


I saw this report from the EU Commission and thought to share it. It gives an overview and status of cloud computing within the EU.

http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf


Cloud computing requires clarity and knowledge about the applicable legal framework, by making it easier to signal and verify compliance with the legal framework (e.g. through standards and certification) and by developing it further (e.g. through a forthcoming legislative initiative on cyber security).

Monday 19 November 2012

Judge: Your boss has no right to your emails held by a third party


"Staff emails can’t just be accessed by a company whenever it feels like it, a UK High Court Judge has ruled, in what could be a guiding case on email privacy."

"The only way that emails could belong to a firm is if they contained copyrighted material or confidential information or if the employee’s signed contract with the firm already said so."


This is new to me, having been employed for so long, and it has always been the case that employees should be careful about how they use their e-mails because the company has the right to access them.


Full text here.

Friday 16 November 2012

Businesses need more guidance on how to verify cloud providers' data protection compliance, says EU watchdog


Organisations need to be provided with further guidance over how to ensure that the cloud computing providers they wish to contract with deal with personal data in a manner that complies with EU data protection laws, a privacy watchdog has said.

Full text here.

Certainly, personal data protection covers storing and processing within the cloud, therefore compliance with EU data protection laws is required.

Monday 8 October 2012

Welcome to Information Security


As we start work on the module I want to make a posting which is perhaps rather different from the norm. If you have had the chance to look back at previous postings you will realise that they normally relate to topical issues. Today, I’m going to say a bit about myself and throw out some opening thoughts about the module.

I live in Glasgow and that perhaps says a lot about the potential of the Internet. I’m teaching this course for the University of Southampton which is about 500 miles away. I visit Southampton maybe 3-4 times a year and do the rest of my work over the Internet.

I’ve taught in the field of Information Technology Law for about 25 years. It feels longer. My book on IT law is now in its sixth edition and I have a new book on Telecommunications Law due out early next year. It's aimed at the practitioner market and is being sold at an eye-watering £150.

I’m married to Moira – who you will also get to know on the course – and we have 2 sons, Thomas and James.  Apart from the family another love of my life is Glasgow Celtic Football Club. If you ever want to contact me to ask a favour, you might check to see how we fared in our latest matches. We are doing quite well at the moment.

On to legal aspects of information security. We will start by looking at notions of privacy and then put this into an IT context by looking at what we in Europe call data protection – and the rest of the world knows as privacy protection. We will look at substantive provisions – such as the data subject’s (you and me) right to obtain a copy of data about us which is held on a computer – and then the internationally contentious issue of regulation of international (Transborder) data flows. We will then switch focus somewhat and look at the topic of computer crime.

A few thoughts about privacy. It’s certainly seldom out of the news. I was teaching in Tanzania a few weeks ago when the controversy erupted about the publication of topless photos of the Duchess of Cambridge. Breach of privacy was the cry. Three comments – or maybe points for you to ponder. Would anyone have been interested if the photos had been of Katy Ordinary Person? In many respects the doctrine is linked to publication which is likely to affect only a few people. A second comment. You cannot view the photos in any UK publication. I set my Tanzanian students the task of finding copies on the Internet. Time taken, less than 10 seconds. Third comment and perhaps related to the previous one. Traditional media outlets do try (generally) to comply with the law and can face sanctions if they fail. I have a lawyer friend who is employed by a newspaper to read the text of every issue before it is published to ensure that it does not contain anything which is defamatory. Blogs and web sites are seldom so scrupulous. Last year, a famous English footballer secured an injunction to prevent publication of details of his private life (an affair with his brother’s wife). The injunction prohibited publication of anything that might identify him. At least initially, the injunction was observed by the mainstream media. Again, you could go on to the Internet and a couple of Google searches later you had all the salacious details. By my reckoning, however, 3 other footballers were (presumably) falsely identified on different web sites. Power without responsibility?

Anyway, please respond to this posting with a little bit of data about yourself and your thoughts, either about the points I have made or your own take on privacy. What, if any, aspects of modern Internet related life worry you?

Saturday 6 October 2012

"NatWest suspends Get Cash app "

The bank NatWest has suspended its "Get Cash" application, which appears to have been used to commit fraud. Somewhat disappointingly, the bank does not appear to be in a hurry to provide refunds, blaming user behaviour rather than a platform which would appear to have a security problem enabling third party registration.

I'm a geek, but it makes even me think that ensuring the continuity of cash is a good idea!

"Facebook page shows Belfast women walking home after night out"

A piece on the BBC about a Facebook page showing photographs of women walking home after a night out, coupled with what is reported as some derogatory comments.

Fair depiction of actions in a public setting, or invasion of privacy? Censorship by the university or legitimate protection of students' privacy?


Friday 28 September 2012

EU policy-makers roll out red carpet for cloud adoption

from the article:

At the start of 2012, the commissioners announced plans to create a new legal environment that should make it simpler for cloud providers to offer solutions that support innovation and mobility while also providing security and data portability.

At the heart of this plan is a new approach to data protection that means it will no longer matter where the data is or where the provider is based: "In Madrid, Mumbai or Mountain View", as Kroes put it. If the customer is based in the EU, EU data protection standards will apply.

In short, says Reding, cloud service providers will need to offer "privacy by design" as standard.

For the full text see here; for a related article see here.

Friday 14 September 2012

Topless Kate pictures: Duke and duchess sue French magazine Closer

So it seems that publishing photographs of Prince Harry naked in a private hotel room is fine, but topless photos of Kate Middleton in France are not...

More details of the (rather rare) threat from the Royal Family to sue the French magazine "Closer" for the publication of topless photos of Middleton here — personally, I am not sure that publication of either set of photographs, whether the subjects are "visible from the street" or not, are in the public interest, such that the right to privacy should be overridden.

"The Sun - the only British newspaper to publish recent pictures of Prince Harry naked - said it had no intention of publishing the images.

"The circumstances are very different to those relating to the photos of Prince Harry in Las Vegas. As we said at the time, he was at a party in a hotel suite with a large group of strangers and one of those present released a photograph into the public domain," said the Sun's editor Dominic Mohan."

How far does one need to hide from camera lenses to gain a right to privacy? Should one need to hide at all?

Sunday 12 August 2012

Free Wi-Fi... if you don't mind being analysed and targeted

It's becoming increasingly difficult to fund the operation of a mobile network, and I've wondered for some time whether, rather than being a chargeable service, mobile operators might soon become data generators, making money from selling data about user activity to third parties, and receiving advertising commissions from third parties.

Like Facebook, mobile-for-advertising could be a compelling proposition, as there's a clear consumer benefit — a measurable exchange of value, with privacy on one side, and connectivity on the other.

It seems that this has come to fruition in the UK: O2, the Telefonica subsidiary, has launched a free Wi-Fi service, where a user pays with their data, rather than in money.

In return for 10GB of free Wi-Fi per month, you just need to agree to:
"information about you and your use of the Service including, but not limited to, how you conduct your account being used, analysed and assessed by us and the other parties identified in the paragraph above and selected third parties for marketing purposes including, amongst other things, to identify and offer you by phone, post, our mobile network, your mobile phone, email, text (SMS), media messaging, automated dialling equipment or other means, any further products, services and offers which we think might interest you."
You can opt-out at any time, but it would seem that (not unreasonably) this means that you lose access to the service.

Friday 20 July 2012

Yes, we should be afraid of facial-recognition software

Just came across this article, which I found interesting: the identity of a person can be discovered with facial recognition software, impacting privacy, security, etc. if used without control and juridical measures.
Full text here.

Tuesday 3 July 2012

EU data protection will STIFLE business, moans gov.UK

The European Commission has not calculated the full costs to businesses of changes to the EU data protection regime, the Government has said.
The Ministry of Justice (MoJ) said that the Commission's assessment on the impact its draft General Data Protection Regulation would have on businesses does "not properly quantify the costs which would be imposed on business through compliance with the proposals."
It added that the commission had also "potentially" overstated the benefits of creating a single data protection law to govern across the EU.

Full text here.

Friday 15 June 2012

Trust lawyers, not techies, when it comes to the cloud

Cloud computing, virtual networks and other similar technologies continue to make the headlines. Little is said about the security aspects when reading the articles from the technical point of view. This article brings it to the point that legal issues are important when considering these emerging technologies, as we know :-)

"Obvious issues were security and location of data, with most companies at least vaguely aware of the implications of moving data outside of the EU."

Tuesday 7 February 2012

Thoughts on the new Data Protection Regulation


Introduction

Data protection has been much in the news recently. It is perhaps fair to say that little of the publicity has been complimentary of the legislation. After a prolonged period of gestation, the European Commission has now published legislative proposals based in some respects on concepts in the recently revised Directive on Privacy in the Electronic Communications sector, that, if adopted, will alter significantly the data protection landscape.
One of the major complaints that has been raised at European level is that the existing Directive has been implemented in significantly different ways across the Member States. In the case of some countries, perhaps especially the UK, there is the belief that the implementing legislation is too weak – and legal proceedings alleging a failure to implement fully the Directive have been initiated by the Commission. The range of legislative approaches is also seen as creating difficulties for multinational companies who have to comply with up to 27 different regulatory regimes.
In order to enhance legislative consistency across the Member States a significant change is proposed, with a Regulation (which will be binding in all States without the need for any implementing legislation) replacing the current Directive. In some respects it is difficult to see how this might operate in practice, especially at the level of supervisory authorities. In the absence of a single EU supervisory authority – something that would probably be politically unacceptable to many countries – responsibility for establishing and resourcing national authorities remains with the Member States. The Regulation may will the ends but it cannot provide the means.
The IT world has been transformed massively since the original Directive was adopted in 1995. Indeed the Directive itself draws heavily on legal principles dating back to the 1970s. It has been suggested that if a single smart phone had existed in the 1970s it would have been classed as the most powerful computer in the world. OFCOM now reports that there are almost 13 million ‘smartphones’ in use in the UK. The search engine Google was founded in 1998 and the ubiquitous social networking site, Facebook, in 2004. The list of examples could go on and on but, undoubtedly explaining the increasing publicity afforded to privacy protection issues, more and more important and indeed sensitive elements of our lives are conducted on-line. The key question relating to the new legislative proposal is, how well can it refine data protection law to meet the demands of the online world? The Commission Communication accompanying the draft Regulation commences:
The rapid pace of technological change and globalisation have profoundly transformed the way in which an ever-increasing volume of personal data is collected, accessed, used and transferred. New ways of sharing information through social networks and storing large amounts of data remotely have become part of life for many of Europe's 250 million internet users. At the same time, personal data has become an asset for many businesses. Collecting, aggregating and analysing the data of potential customers is often an important part of their economic activities.
Whilst there are some interesting aspects to the new draft Regulation (which is very substantially larger than the current Directive) my initial assessment is that it represents something of a wasted opportunity. Given the size of the new instrument, an early comment cannot be comprehensive but I will try to focus on the points that seem most significant to me.

Plus ça change?

Many of the key definitions survive unchanged from the original Directive. In some respects this is not a surprise but the emergence of cloud computing has raised some novel and serious issues regarding the applicability of the concepts of data controller and processor, and it is unfortunate that the opportunity has not been taken to attempt to address the issue.
There is a potentially significant change in the definition of consent. The UK approach has traditionally been to accept that the use of ‘opt out’ approaches is a valid means of securing and evidencing consent. The draft Regulation takes a different approach, stating that
‘the data subject's consent’ means any freely given specific, informed and explicit indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed
It is further provided that ‘Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller.’ It is difficult to see how this can be implemented but the effect could be devastating for many data controllers. A passenger seeking to book a railway ticket on line is in a weak position compared with the train provider. The choice is between accepting the conditions of carriage or finding another mode of transport. It is normal practice for web sites to ‘offer’ to send further promotional mailings if the traveller consents. It seems that this will no longer be possible. This seems draconian, given especially that if there was real evidence of abuse of a dominant position, there could be a challenge on the ground that consent was not freely given. Many consumers might actually value being notified of future offers.
A further change to the notion of consent relates to the processing of data relating to children under the age of 13. In such cases it is provided that processing ‘shall only be lawful if and to the extent that consent is given or authorised by the child's parent or custodian.’ It is difficult to see what problem this provision is seeking to overcome and again the consequences may be undesirable. If a child should be injured and taken to hospital it would appear that it would be unlawful for the hospital to take any X-rays without parental consent. Whilst consent might always be desirable the consequences could be serious in the case of an emergency and where the parent cannot be contacted.
Likewise, perhaps, the data protection principles have remained largely unchanged since the earliest days of data protection legislation. They can fairly be analogised to religious notions such as the Ten Commandments (or mother’s apple pie). Few would disagree with the concepts but the devil is always in the detail. The headline change proposed in the Regulation is that there should be a Right to be Forgotten. As an old-fashioned sort of person, this concerns me. I am old enough to recall the debates in the UK in the context of computer related fraud whether the machine could be the victim of deception. The Law Commission’s work on Fraud seems to me to have provided compelling reasons why the establishment of criminal offences should be based on other criteria (which can fairly easily be established, as Scots law has shown with the notion of basing criminality on the making of a false pretence). By focusing on the intent of the perpetrator this neatly avoids the issue. If computers cannot be subject to the human fallibility of being deceived, neither can they forget. This, however, is exactly what the Regulation proposes. Article 17 is headed ‘Right to be forgotten and to erasure’. The first part of this is abject nonsense. Just as a computer cannot be deceived, so it cannot forget. Even placed in a human context, no law can compel forgetfulness – although human frailty may be more effective.
There is no doubt that the emergence of social networking sites has lured many users into placing sensitive aspects of their lives into a public or semi-public domain. It does seem clear beyond doubt that this data may be used in ways which would not have been conceived of or approved by the individual. Article 17 goes on at some length:
The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:
(a) the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
(c) the data subject objects to the processing of personal data pursuant to Article 19;
(d) the processing of the data does not comply with this Regulation for other reasons.
Whilst certainly well meaning, it is difficult to see what this provision will accomplish that could not have been attained under existing provisions. It has always been the case, for example, that data must be processed fairly and that it must not be retained for longer than is necessary for the controller’s legitimate purposes.
There have long been issues whether an individual is aware of the implications of their online conduct but the reality is that once data is put into the public domain it cannot be retrieved. It does appear that responsible social networking sites have made efforts to inform users and, within their possibilities of control, accede to requests that data be deleted. It is hard to see this provision as anything other than an attempt at headline grabbing which takes advantage of vulnerable elements of society. It is wrong to give a headline promise of legislative support that is not worth the paper it is written on.
One of the most impressive legal documents of recent times has been the Hargreaves Report on the digital economy. Covering issues such as the value of software patents and the losses caused by copyright piracy, it makes the point again and again that what is needed is an evidence based approach. In some respects it seems the Commission is falling into the trap of making proposals without evidence. There are certainly tales of individuals being denied employment because a potential employer has viewed their social networking postings. A recent survey has suggested that 69% of employers have denied an applicant a job on the basis of such a search. That is the bad news. 68% of employers have indicated that they have offered a job because they have been impressed by on-line postings. A bigger problem perhaps is the malicious dissemination of personal data. Reference might be made to the recent English case of AMP v. Persons Unknown. This relates to a sad, but perhaps increasingly common situation where a teenage girl had used her mobile phone to take intimate photographs of herself. They were intended to be sent to her boyfriend (itself often a source of problems) but the phone was stolen and an unknown person posted copies on the Internet. In the case, the English courts have issued orders compelling any ISPs who can be identified to take steps to block access to the pictures and ordering that the anonymity of the complainant be preserved. It appears, however, that in order to serve an order in the USA on Google, US law requires that the identity of the complainant be disclosed.

 Data Portability

 Linked in some respects to the deletion of data is the issue of portability. The draft Regulation proposes that:
 The data subject shall have the right, where personal data are processed by electronic means and in a structured and commonly used format, to obtain from the controller a copy of data undergoing processing in an electronic and structured format which is commonly used and allows for further use by the data subject.
Concerns have been expressed that data subjects might effectively be locked into online services, perhaps in particular social networking (or blogging) sites because of the investment in time and effort expended in creating their profiles. It is not clear, however, to what extent competing sites operate in ways that are sufficiently interoperable to make the right of significant value.

 Data Security Breaches

 The imposition of requirements to notify supervisory authorities and data subjects of security breaches which may have implications for data subjects was introduced in the Directive on Privacy in Electronic Communications. It is now proposed to extend it to the more general field of data protection with the draft Regulation proposing that:
In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority.
 When the personal data breach is likely to adversely affect the protection of the personal data or privacy of the data subject, the controller shall, after the notification referred, communicate the personal data breach to the data subject without undue delay.
In an era of 24/7 online businesses there might perhaps be a query whether supervisory authorities are in a position to respond to notifications received between 5pm on a Friday and 9am on the following Monday.
It is perhaps strange that the formula for notifying data subjects is less extensive than that for notifying the supervisory authority. Certainly it can be accepted that it is easier to notify one person than perhaps several millions, but it is hard to see what constructive purpose is served by such a notification. One of the criticisms made of breach notification requirements (which have been commonplace in the United States for several years) is that the number of notifications required is too great, so that there is the danger of notifications of potentially serious breaches being disregarded following a number of trivial notifications. In the event of a potentially serious breach (perhaps involving details of credit cards or bank accounts) there seems no reason why controllers should not be subject to the same 24 hour rule. Many businesses manage to send marketing communications on a daily basis to millions of subjects, so there is no valid reason why they should not be as quick to send breach notifications on a similar timescale.

 Data Protection Officers

 The notion of in-house supervisory officials has been an established feature of the German data protection scheme. Although it is sanctioned in the Data Protection Act 1988, it does not appear to have been adopted to any significant extent within the UK. The draft Regulation proposes what will be a significant change. Every public authority or private sector undertaking employing more than 250 persons will have to appoint a data protection officer:
 The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor.
 The controller or the processor shall ensure that any other professional duties of the data protection officer are compatible with the person's tasks and duties as data protection officer and do not result in a conflict of interests.
The tasks of the data protection officer are stated to be to inform the data controller of the extent of its obligations under the Regulation and to monitor its compliance with its requirements. Data Protection Officers, who may be an employee of the data controller or an independent sub-contractor (possibly a lucrative new source of work for IT lawyers), are to be appointed on a fixed term contract of at least 2 years' duration. Within this period the data protection officer may be dismissed only for a failure to fulfil data protection obligations.
Any legislative move to increase awareness amongst data controllers and their staff as to data protection issues is to be welcomed. In some respects, however, the approach demonstrates some of the weaknesses of the new approach. It specifies that there is to be a data protection officer and what the prime duties are to be. It does not indicate how extensive the requirements may be. Is it to be a full time job or a part time (how part time?) position? If part time and the position is held by an employee, what is to happen if the person is considered to be guilty of misconduct in other aspects of his or her work sufficient to justify dismissal? There is need for much more detail. In this provision, as with a number of the other Articles, the Regulation provides that the Commission is to have power to make supplementary provision. These will not, however, have legal effect.

 Data protection by design and by default

 Considerable work has been carried out by the UK’s Information Commissioner under the general heading of Privacy by Design.  The basic premise is that it is easier and better to take data protection factors into consideration at the earliest stage of designing IT systems than to attempt to include them at a later stage. The draft Regulation endorses this approach proposing that:
1. Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
2. The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.
Such an approach could create difficulties for many web sites. The word ‘necessary’ has featured prominently in many instruments in the field of human rights. It sets a high threshold for data collection. An e-commerce web site sending goods to consumers through a postal system will not need, for example, details of phone numbers. The same will apply with systems such as airline booking systems. Very often these give customers the option of giving a mobile phone number so that they can be advised of any schedule alterations by SMS. It might be argued that this should be classed as a distinct form of processing, but what is a well meaning attempt to protect individuals could all too easily turn into a bureaucratic nightmare.
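As an added illustration (not part of the original post, and not any regulator's or vendor's code), here is how a developer might enforce the ‘by default’ rule in practice: each processing purpose declares the fields it needs and its retention period, anything else is dropped before storage, and records are private unless deliberately published. The purposes, field names and sample record are constructed for the example and follow the postal delivery / SMS alert distinction drawn above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    """One processing purpose: the fields it needs and how long it keeps them."""
    name: str
    required: frozenset                 # fields without which the purpose cannot be served
    optional: frozenset = frozenset()   # fields the subject may choose to supply
    retention: timedelta = timedelta(days=30)


# Constructed purposes following the post's illustration: posting goods needs
# a name and address but no phone number; SMS schedule alerts are a separate
# purpose that does need a mobile number, and only for a short time.
POSTAL_DELIVERY = Purpose("postal_delivery", frozenset({"name", "postal_address"}),
                          retention=timedelta(days=90))
SMS_ALERTS = Purpose("sms_schedule_alerts", frozenset({"booking_ref", "mobile_number"}),
                     retention=timedelta(days=2))

# Constructed sample input: a web form that over-collects relative to the purpose.
SAMPLE_ORDER = {"name": "A. Subject", "postal_address": "1 Example Street",
                "mobile_number": "+44 7700 900000", "email": "subject@example.invalid"}
FIXED_NOW = datetime(2012, 12, 31, 12, 0, tzinfo=timezone.utc)


class DataMinimisationError(ValueError):
    """Raised when a purpose is invoked without the data it actually needs."""


def minimise(record, purpose, now=None):
    """Keep only the fields necessary for `purpose`; attach an expiry and a private-by-default flag."""
    now = now or datetime.now(timezone.utc)
    missing = purpose.required - set(record)
    if missing:
        raise DataMinimisationError(f"{purpose.name}: missing {sorted(missing)}")
    allowed = purpose.required | purpose.optional
    kept = {k: v for k, v in record.items() if k in allowed and v is not None}
    return {
        "purpose": purpose.name,
        "data": kept,
        "dropped": sorted(k for k in record if k not in allowed),  # audit trail of refused fields
        "expires_at": now + purpose.retention,
        "public": False,  # never accessible to an indefinite number of individuals unless changed deliberately
    }


def purge_expired(store, now):
    """Drop records whose retention period for their purpose has run out."""
    return [r for r in store if r["expires_at"] > now]


if __name__ == "__main__":
    result = minimise(SAMPLE_ORDER, POSTAL_DELIVERY, FIXED_NOW)
    print(result["data"], "dropped:", result["dropped"])
```

Running the same over-collected form through the SMS purpose fails outright because no booking reference was supplied, which is the point: a purpose cannot quietly borrow data collected for another.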

Subject Rights

In many respects what has been considered above is intended to protect the interests of data subjects. It has also been a feature of data protection laws that subjects should have the right to object to certain forms of processing. The draft Regulation proposes that:
 The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6(1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.
This is a significant and very much welcome change from the current legislation which provides that, except in the case of processing with a view to direct marketing and a few other limited situations, a data subject can object to processing only if he or she can demonstrate that the processing is unlawful (as implemented in the UK the requirement is to show that the processing would cause substantial and unwarranted damage or distress). It seems entirely appropriate to reverse the burden of proof and, after many paragraphs of criticising aspects of the new Regulation, three cheers are in order.

 Supervisory Authorities

In some respects the provisions regarding the status, powers and duties of supervisory agencies appear to be based on those contained in the Electronic Communications Privacy Directive. There may well be implications for the UK regime and it is perhaps here where it becomes difficult to identify the basis for a Regulation.
 Each Member State shall provide that one or more public authorities are responsible for monitoring the application of this Regulation and for contributing to its consistent application throughout the Union, in order to protect the fundamental rights and freedoms of natural persons in relation to the processing of their personal data and to facilitate the free flow of personal data within the Union. For these purposes, the supervisory authorities shall co-operate with each other and the Commission.
 The Regulation states that supervisory authorities are to be given ‘complete independence’ and in particular provides that:
Each Member State shall ensure that the supervisory authority is provided with the adequate human, technical and financial resources, premises and infrastructure necessary for the effective performance of its duties and powers, including those to be carried out in the context of mutual assistance, co-operation and participation with the European Data Protection Board.
 Throughout, the terminology of the Regulation appears consistent only with the notion that the supervisory authority should be a multi-membered authority; something which has been recommended by the UK’s former Information Commissioner but which has not been adopted as Government policy.
In terms of the powers to be afforded to supervisory authorities, the draft Regulation provides that there should be a general auditing power:
 Each supervisory authority shall have the investigative power to obtain from the controller or the processor:
(a) access to all personal data and to all information necessary for the performance of its duties;
(b) access to any of its premises, including to any data processing equipment and means, where there are reasonable grounds for presuming that an activity in violation of this Regulation is being carried out there
Such a power has long been sought by the UK’s Information Commissioner.
One further element of the Regulation may have significant implications for data protection in the United Kingdom. At present, the Information Commissioner’s office is funded almost entirely through fees paid by data controllers upon notification. The Regulation proposes that responsibility for maintaining the data associated with notification should lie with the data controller and that this should only be supplied to the supervisory authority on specific request. There does not appear to be any possibility of the authority charging fees and it appears that significant change will be required to the UK’s funding mechanism. Given that the section of the Information Commissioner’s office which is responsible for the freedom of information legislation is funded directly by the exchequer, it would seem logical to treat data protection in the same way.

 Transborder Data Flows

The attempt to regulate transborder data flows was one of the most controversial aspects of the data protection Directive. With its headline of “you shall not transfer there unless there is an adequate level of protection” the legislation offered so many hostages to fortune.
There is remarkably little change in the headline provisions of the Regulation. Given the small number of findings of adequacy which have been made in the 14 years that Directive 95/46 has been in force, it might be questioned whether it serves a particularly useful role. Assuming (perhaps a big assumption) that transfers are lawful, there are so many other mechanisms which can be used to confer legitimacy. The notion of adequacy is a complex one and, certainly as interpreted by the Commission, would not seem to provide a basis which would secure sufficient global acceptance to form part of any wider privacy protection instrument.

 Binding corporate rules

The concept of binding corporate rules has emerged through the Article 29 Working Party this year as a potential mechanism for evidencing an adequate level of protection in the case of transborder data flows. The concept has been applied without any specific statutory provision, something which the draft Regulation proposes to rectify, although without changing significantly anything in the system as it has been applied.

The European Data Protection Board – and Consistency

Since the implementation of Directive 95/46, the Article 29 Working Party has provided a forum for national data protection supervisors to meet and publish opinions and guidance on a wide range of data protection related issues. The Regulation proposes that it should be replaced by a European Data Protection Board. The membership will be essentially the same but the intention appears to be that it should operate on a more formal basis with the general duty to ‘ensure the consistent application of this Regulation’.
The Data Protection Board’s powers are however limited, and legal authority to ensure the consistent operation of the Regulation lies with the Commission. The Regulation establishes a general obligation for supervisory authorities to ‘cooperate with each other and with the Commission’. In respect of a range of issues, principally relating to the regulation of transborder data flows, any national proposals are required to be notified to the Commission which, after consulting the European Data Protection Board, may approve the proposal, require modifications or require that it be withdrawn.

Conclusions

 The draft Regulation has been the subject of internal discussion within the Commission and consultation with external parties for a number of years. My initial impression might be summed up by the old aphorism ‘the elephant has laboured and given birth to a mouse’.
Few would deny that there have been problems with the implementation of Directive 95/46. These were perhaps inevitable. At the time of its adoption two countries in particular raised concerns. Germany feared that the Directive was too weak and might weaken its own strong data protection regime. The United Kingdom, which abstained in the final vote in the Council, complained that it went too far. Given the normal problems that arise concerning national implementation of a Directive, difficulties were only to be expected.
Although it does seem to me that there is now greater awareness of the value of data protection in the United Kingdom than was the case in the 1990s, the core problems do remain. The decision to proceed on the basis of a Regulation may overcome some of the problems of inconsistency, although the political road to implementation may be a long and tortuous one. Some of the headline elements of the draft Regulation, such as the right to be forgotten, are stronger on style than on substance. It is probably politically inconceivable that a single European data protection supervisory authority would be acceptable to all the Member States, but in its absence it is unclear how consistency of application will be achieved in practice.
 Perhaps the main cause for concern is how reluctant the draft Regulation is to accept that the computer world has moved on from the 1970s. In previous eras, it was important to know what data was held by a data controller. Today the key question is ‘what data can be accessed’? Networks and data sharing agreements have transformed the data processing world but this is not reflected in the draft Regulation. It still reads like a twentieth century piece of legislation. Individuals certainly need more rights but there is also need for a workable regime for data controllers.
As a final point, and perhaps as important as any, we are faced every day with evidence that the Internet operates on a global basis. National borders have not disappeared and we also see continual evidence of nation states trying to flex their muscles in respect of particular activities. As is perhaps emerging in the field of computer crime, there is a need to establish wide consensus. It is not clear that the draft Regulation will assist. Fortress Europe may have some appeal but history tells us that medieval fortresses which were largely resistant to bows and arrows crumbled before the cannon. It is unfortunate that part of the effort which has obviously gone into drafting the new proposals was not diverted to seeking to find a basis for a wider Convention which might in the medium term better protect the interests of EU citizens.