Archive for the 'Data Protection' Category

DPA – have your say!

Looking for things to do on those long, hot(ish) summer nights (or at least the few we have left)?

Why not take the time to read the Ministry of Justice’s recent call for evidence on the Data Protection Act – see http://www.justice.gov.uk/call-for-evidence-060710.htm.

Sounds too dull? Maybe – but for those of us who work with the DPA, it looks as if this is the long-awaited opportunity to get some of that frustration off our collective chests by contributing ideas as to how the legislation can be improved.

The MoJ have highlighted what they see as being the key themes and these are:

  • The definitions used in the DPA
  • Data subject rights
  • Data controller obligations
  • Powers and penalties of the Information Commissioner
  • The principles based approach
  • Exemptions under the DPA
  • International transfers

All pretty fundamental stuff.

One major inhibitor to any outcome will be the fact that the UK government can’t just do what it wants. The DPA implements a European Directive and it will be the shape of that Directive that ultimately drives the DPA. This exercise is being conducted as a precursor to a wider EU debate on the Directive and the UK’s views will simply be thrown into the melting pot along with the views of other member countries.

That said, there does seem to be a recognition that the Directive needs to be overhauled. The world has moved on massively since the current Directive was put on the statute book in the mid-1990s and, as with all laws that regulate activity that is supported by technology, there is the constant challenge of making sure that the law keeps up with the pace of change and is relevant (and workable). For instance, how does data protection handle concepts like cloud computing, where data is being hosted in a virtual environment and the physical location of the data (and, in many cases, who it is being hosted by) is very difficult to ascertain?

Coming back to the UK level, and leaving aside the bigger picture issues, from a personal perspective, I really do hope that the legislators take the opportunity to rework the DPA into a piece of legislation that is easier to understand for everyone – not just specialist DPA practitioners. In my view – and for what it is worth – the legislation is overly technical in its drafting – being too focussed on the detail rather than the desired outcomes – and this means it is inaccessible to far too many. This leaves the DPA prone to misunderstanding, meaning that it is often misapplied in practice, and that leads, in turn, to controversy which brings the legislation as a whole into disrepute, with some even calling for wholesale repeal on the grounds that it is just unnecessary red tape. I don’t subscribe to that view. I think the DPA is a hugely important piece of legislation and the concepts that it seeks to underpin in terms of how our information is dealt with – fairness, transparency, respect for legitimate privacy interests, taking data security seriously etc – are even more relevant today than they were back in the 1990s. In short, the legislation is worth saving; it just needs improving.

Which brings me back full circle. If you want to see change then don’t just grumble, take the time to read the Call for Evidence and send your views to the MoJ. The closing date for responses is 6 October 2010.

New sanctions for breach of data protection legislation

Last week saw some important changes in the powers of the Information Commissioner to enforce data protection legislation.

We have just issued an update explaining those changes. It’s worthwhile reading for all organisations which handle personal data – information about identifiable, living individuals, whether staff, clients/service users, contacts or otherwise. 

The main point to note is that, for the first time, a deliberate or reckless, serious failure to comply with any of the eight data protection principles in the Data Protection Act 1998 (the “DPA”) could result in a fine of up to £500,000.  So, for example, a failure to put in place adequate systems to protect against the theft or loss of personal data, or to ensure that personal data is only shared with other organisations to the extent permitted by the DPA, could now result in a very substantial fine.

The amounts involved look set to persuade even the most reluctant of organisations to pay more attention to data protection compliance. If the threat of regulatory sanction still doesn’t seem real at this early stage in the new regime, it no doubt will when the first fines have been handed out. Those on the receiving end will be faced not only with paying them, but also with the negative publicity and related legal and commercial problems which a penalty of this nature could bring.

No time like the present then to have a look at your policies, procedures and practices relevant to the handling of personal data and identify (and prioritise) any issues which require to be addressed.

Germany, ISPs, Data Protection and Anti Terror Laws

Under Europe-wide anti-terror laws, ISPs and telecoms providers are required to retain connection data for a minimum of six months *.

By “connection data” I mean records of, e.g., what number called what number, or what email accounts have been communicating, and not the actual content of the communications.

However, it is reported that the German constitutional court has ruled that this requirement to retain connection data is incompatible with the country’s fundamental law, and has ordered the immediate destruction of all current connection data held by ISPs etc. 

Now I am not qualified to talk about German law. However, in some ways this is not a huge surprise because Germany is the birthplace of modern data protection law (laws preventing misuse of data about individuals). From memory, and just to prove I was listening in Law School, the first dp laws were enacted in the state of Hesse in the mid seventies.

Why is Germany so hot on dp?  I suspect this may be (at least in part) a reaction to what happened in WWII.

Now I am not the biggest fan of dp law – I have in the past described it as anti-business.  However, if you think about how personal data was used (misused) by the Nazis in WWII in order to persecute people on ethnic, religious, political and/or sexual grounds then dp laws make a lot more sense.

* – At time of posting the Wikipedia entry is not entirely up to date about the UK law in this area. The requirement to keep connection data is now statutory in the UK and is for 12 months.

ps – I am not the Brodies dp guru, so if you have any detailed questions about dp I am going to pass them to Eleanor.

Erase and rewind – some tips on the safe destruction of data

How do you ensure that redundant hardware is scrubbed of sensitive or personal data?

As the data controller, it will be your responsibility (under the Data Protection Act) to ensure that the data is securely destroyed – even if the kit on which it is stored belongs to a contractor. If data is not properly destroyed, then there is a risk that it could be used to help perpetrate fraud or identity theft, or allow competitors to access your confidential information.

We’ve all read stories about hard drives full of confidential information ending up on eBay. As the volume of data held on servers increases, the more important it is to ensure that the data in question is destroyed when the kit or media upon which it is stored is no longer required.

However, there are two competing industries. On the one hand, plenty of legitimate businesses specialise in recovering apparently lost, corrupt or deleted data – whether it is for the purpose of forensic investigations or for disaster recovery purposes. On the other hand, another sector is trying to help people permanently destroy that data. The techniques used by the data recovery experts show that erasing (or even erasing and re-writing) is not sufficient to stop that data being recovered.

Here are some things to consider:

  • Firstly, develop and adopt (and follow) a policy setting out your organisation’s requirements in respect of the destruction of data. This is likely to involve adopting relevant British and international standards and certifications.
  • The safest thing (in terms of data security, if not avoiding trips to A&E) to do is to remove all drives from your hardware before you dispose of that hardware (replacement drives are cheap). But then what do you do? You could shred the drive (making sure that it is destroyed such that it cannot be reconstituted) or have it degaussed. For CDs and DVDs, as any student will tell you, it is fairly easy to melt them into oblivion.
  • If you do not wish to remove a drive from the hardware before disposal or do not wish to destroy it (or any other magnetic media), you could adopt a recognised erase/re-write standard – for example, the US Department of Defense standard.
  • If you are dealing with a contractor, you should ensure that your contract specifies what the contractor should (and should not!) do. Consider whether the contractor should be responsible for disposal or destruction of media and drives, or whether these should be done under your control.
  • Finally, ensure that your contract with your contractor includes appropriate provisions dealing with liability for a failure to follow those procedures, and rights to terminate the contract.

Data security – what you need to know

Upcoming changes to the law mean that keeping information secure is a subject that has to be taken more seriously than ever before.

From 6 April 2010, the Information Commissioner’s Office (“ICO”) will have a statutory power to impose a financial penalty of up to £500,000 on any organisation which has committed a deliberate or reckless breach of any of the principles in the Data Protection Act 1998 (“DPA”), which would cover failing to take appropriate data security measures, where that breach is of a kind likely to cause substantial damage and/or substantial distress.

The Government is also consulting on whether to make an order under the Criminal Justice and Immigration Act 2008 which would introduce custodial sentences of up to two years for those guilty of offences under Section 55 of the DPA. Section 55 offences are committed through the deliberate or reckless misuse of personal information, such as where a member of staff accesses customer information and sells it or discloses it for unauthorised purposes.

These changes are a response to the ways in which technology has transformed the use of data to deliver goods and services. The data held by companies is rapidly increasing, in volume and value. The risks attached to data security breaches are becoming ever greater, with the bar set to rise dramatically in April. Vigilant implementation of an effective data security policy is therefore vital for any organisation and management who fail to act accordingly are leaving themselves potentially exposed.

We are co-hosting a free seminar on information security along with Trustmarque Solutions at the Radisson Blu Hotel in Edinburgh on 24th February. Trustmarque Solutions is one of the largest software licensing companies in the UK and an acknowledged specialist in all facets of software management. Trustmarque and Brodies have organised this seminar to raise awareness of data security issues, from both a legal and a practical perspective.

At the seminar Brodies will discuss the essential elements of an effective data security policy and Trustmarque will make you aware of technology and management processes which will help you to implement your policy successfully.

There are still some places left for the event. If you are interested in attending, please contact me at john.mcgonagle@brodies.com or my colleague Emma Lawson on emma.lawson@brodies.com.

Data chief’s guide launch foiled by journalists

Like mentioning Rocky in any article associated with boxing, mentioning “the nativity play” and “photography” is becoming a hardy perennial for journalists tasked with writing about the Data Protection Act.

The story that the journalists were invited to cover was the Information Commissioner’s new “Guide to Data Protection”. The press release states that the Guide’s purpose is to provide practical advice to those with day-to-day responsibility for data protection, by taking a “straight-forward look at the principles of the Data Protection Act”. The Guide is 92 pages long, a length which initially sounds excessive. However, whilst I haven’t read it all, a quick look suggests that it is going to be pretty useful. In fact, it has apparently received accreditation from the Plain Language Commission as a Clear English Standard winning document.

However, most news stories about the Guide have eschewed any kind of discussion or appraisal of it in favour of yet another article about whether or not the Data Protection Act can prevent you from taking photographs of your kids at their nativity play.

This has been a sturdy story since the Act was first introduced, despite the Information Commissioner first providing guidance on the subject way back in 2005.

Once and for all – the Data Protection Act doesn’t prevent parents taking photographs of their children and friends participating in school events. If the photographs are for personal use then they’re not going to be covered by the Act.  (Although Douglas did mention something about the possibility of infringing the kids’ performance rights if you video the play!)

Now, if you excuse me, I have to go and write a piece about a bid for a dramatic eleventh hour mercy dash, possibly involving a cat, a fire chief and a blazing inferno.

Telecoms to be testing ground for data security breach notification requirements

So the European Council has finally approved amendments to the “E-Privacy” Directive (Directive 2002/58/EC) which will introduce a formal data security breach notification obligation for providers of telecommunications services.

This brings a temporary end to the wrangling which saw the European Parliament pushing for the notification requirements to extend also to providers of other information society services. However, “temporary” is the operative word, as the amending Directive makes it clear in its recitals that the Commission should in the meantime be working with the European Data Protection Supervisor to “encourage” the application of the principles embodied in the new rules throughout the Community, regardless of sector or nature of personal data involved.

I said in my post on the California law position a few weeks ago that flexibility and proportionality are key if data breach notification is to fulfil its purpose. For that reason, the march towards wide-ranging mandatory breach notification requirements in Europe in itself doesn’t fill me with quite as much enthusiasm as might be expected of a conscientious data protection lawyer.

However, the approach taken by the new legislation is encouraging. The obligation will be to notify the Information Commissioner without undue delay of a data security breach, and to notify any data subject only if the breach is likely to adversely affect that person’s personal data or privacy. And the telecoms provider will be relieved of the obligation to tell data subjects if it can show that the data affected by the breach was protected by appropriate security measures, rendering the data “unintelligible” to anyone not authorised to access it. So, in theory, this approach means that the information overload/breach fatigue which I discussed in my earlier post could be restricted to the Information Commissioner, with data subjects only finding out about incidents where there is a real risk that they may be adversely affected.

Of course there is still a risk that cautious data controllers will tell data subjects anyway, regardless of the likelihood of their being affected. But there is a right in the new legislation for the Information Commissioner to effectively make this judgment for the data controller and order it to tell data subjects if it hasn’t already done so. Whilst that right doesn’t excuse a failure on the part of the controller to make the right decision on this in the first place, there is perhaps at least some scope for this mechanism to curb unnecessary notification in practice. Time will tell.

Eleanor Peterkin

The Rise of the Machines (Phorm and Data Protection)

Earlier last month the Office of Fair Trading announced a review of the targeting of “online behavioural advertising and customised pricing”. I think this is a result of the EU threatening legal action against the UK.

The dispute centres around BT’s secret trials in 2006 and 2007 of “behavioural advertising” technology developed by UK tech firm Phorm. The technology was presented to BT internet customers on an opt-out basis, and cheerily described as being designed to provide greater protection from online fraud. (Cheekily, tailoring of advertising was glossed over as a secondary feature.) If you didn’t opt-out then advertising you saw on your browser was duly based on previous web browsing activity – so that the adverts more closely matched the browser’s interests. This secret trial was uncovered by some impressive detective work by BT customers.

The explanation is fairly technical, and it’s hard to decipher without being reminded of The Terminator or The Matrix or any of the other 100 dystopian sci-fi films which tell you that technology is only going to make things horrible for humans. But it’s enough to understand that some BT customers began to note that anytime they visited a new website their browsers were exchanging information with a mysterious domain, and the truth was unravelled from there. (It’s not quite as heroic as saving the future of mankind by fighting an unstoppable cyborg assassin who has been sent back from the year 2029 by a collective of artificially intelligent computer-controlled machines – but it’s still pretty heroic in its own way.)

The discovery of this sneaky secret trial led to complaints to the Information Commissioner, the UK police and MEPs, and a dialogue was opened between the Information Commissioner and the European Commission about possible problems in the way in which the UK has implemented parts of EU rules on the confidentiality of communications.

A subsequent government investigation by the Department for Business, Innovation and Skills concluded that the Phorm technology did not breach European laws on data protection. Nevertheless, the E-Privacy Directive clearly requires EU Member States to ensure confidentiality of communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented. And the Data Protection Directive also specifies that user consent must be “freely given specific and informed”. Does an obscure opt-out amount to “freely given” or “informed” consent? The EC thinks not, and is also concerned that the UK does not have an independent national supervisory authority that deals with such interceptions.

The EC also thinks that the application of UK surveillance law (as set out in the Regulation of Investigatory Powers Act (RIPA)) isn’t being regulated properly.

The UK now has two months in which to respond to the Commission. If the Commission is unsatisfied with the response it could take the case to an EU court and perhaps force a change in UK law.

Enterprising applications*

At the recent National Outsourcing Association Awards I was speaking with Clayton Locke, Managing Director (Europe) of IT and outsourcing services company, Virtusa. Virtusa is involved in software development, and one area that it has recently been exploring for its clients is developing enterprise apps for the iPhone and other smart phones.

To date, the majority of apps that have been developed are consumer facing. However, Clayton reckons that there is a market for developing apps that employees of an organisation can use. Given the relatively easy programming platform, it should be fairly straightforward to develop custom apps that can provide employees with an interface to back office systems – whether to view real-time data or to help automate some of the tasks that employees might wish to do on the fly.

Mobile apps already exist for some off-the-shelf enterprise systems. Through its alliance partner programme, BlackBerry offers a number of these types of applications which provide mobile connectivity to standard software packages for things like time recording, digital dictation and document management systems.

However, the new SDKs for BlackBerry, iPhone and Android should make it easy for individual organisations to develop their own custom apps that reflect the tasks that their employees perform on a day to day basis. One example might be an app for board members which gives real-time access to sales figures. Another example might be an app which allows employees to carry out tasks which would traditionally require a laptop to access and submit data.

The advantages of developing custom apps for the organisation’s chosen smartphone are obvious. Application development costs should be reasonably low. There are low deployment costs, as the device is already in the pocket of most members of staff (or can replace their existing mobile device). It can be accessed anytime, any place – no need for a bulky laptop and power supply. Hosting an app on the client, rather than the server, lowers the amount of data traffic without any impact on functionality, as you only need to transfer the live data, not the application itself (cf. “The Future” ten years ago, when thin clients were seen as the way forward). The combination of 2G/3G and wifi connectivity means that a data link is nearly always available (and when it’s not, data can be cached locally and then synchronised), and GPS/location based functionality adds another level of functionality. All these things can help improve productivity, efficiency and the service offered to customers. What app might you benefit from?

Of course, all this mobile access does give rise to increased risks.

I’ve blogged before about the security (or lack thereof) of personal mobile devices. Providing a direct link to back-end systems giving access to confidential data and (potentially) personal data raises a number of information security and data protection issues. In particular, organisations developing and deploying such apps will want to ensure that the devices (and the data link) are encrypted, that a VPN is used to protect the link into the back-end systems, and that additional verification is considered when accessing the app itself. Any app that gives access to customer lists or customer information will need to be considered against the organisation’s obligations under the Data Protection Act. This also requires a health-check of the organisation’s internal acceptable use policies to ensure that employees are also doing everything that they should be to avoid unnecessary security risks.

Martin Sloan

*Sorry – no Schwarzenegger puns today.

Schwarzenegger terminates amendments to California breach notification law

Interesting news from California that Governor Arnold Schwarzenegger has vetoed a proposed amendment to the State’s data security breach notification requirements.

California introduced a requirement to inform its residents if the security of any unencrypted personal information about them had been compromised as far back as 2003. For those who are interested, the obligations can be found in California’s Civil Code – see section 1798.82.

A number of other States followed suit, but have since gone on to elaborate further on their respective notification requirements. The vetoed Bill would have done the same for California law, adding requirements to provide individuals affected with specific details about any breach, such as the types of personal information affected, the date or range of dates (actual or estimated) when the breach is believed to have occurred and a general description of the breach incident. Significantly, it would also have required that any single breach affecting more than 500 Californian residents be notified to the State Attorney General.

In declining to sign the Bill the Governor cited the absence of evidence that the additional requirements would benefit consumers. In particular, he made the apparently sensible point that a requirement to tell the Attorney General’s Office about breaches affecting a lot of people doesn’t really serve much purpose if the Attorney General doesn’t have any corresponding obligations to do anything in response.

On the face of it Schwarzenegger’s approach, although apparently a surprise to those backing the Bill, looks reasonable. Why impose more detailed rules around breach notification if it doesn’t help the individuals affected? Looking at this in practical terms, would a list of all of the things listed in the Bill – exactly what happened, how and when – help the individuals affected to take steps to protect themselves against misuse of their data in all or even most of the cases in which notification is required? And even if it potentially did, how many of those people would actually proactively use that additional information for those purposes in any given case? There is surely a danger that with more detail comes an increasing administrative burden (and cost) and that that cost quickly becomes out of proportion to any benefit which the additional information brings.

In the UK at present there is no breach notification requirement. Guidance from the UK Information Commissioner’s Office states that, as a matter of good practice, data controllers should inform the ICO of any serious data security incident, with what is serious being determined by reference to the nature and extent of the personal data affected. The primary consideration according to the guidance is the likely extent of potential harm to the individuals whose data has been compromised. Separate guidance suggests broadly the same approach to informing the individuals affected, stressing that notifying them should have a clear purpose, such as allowing them to take steps to prevent or mitigate the effects of any unauthorised use of their data. Shades of Schwarzenegger’s reasoning on the Bill then.

To me, the UK’s current approach builds in the flexibility and proportionality which is essential if breach notification is to be a worthwhile exercise for everyone concerned. The danger, if the UK moved at any point to make notification mandatory, is that data controllers would be likely to “overnotify”. In other words, even if the obligation was drafted to reflect the ICO’s guidance – only tell people about serious incidents and where it will help them to protect themselves – data controllers would naturally tend to tell people about every incident, removing the need to take difficult decisions about what exactly the law required of them and avoiding any risk of compliance failure. That in turn, in my view, could lead to notification “fatigue”, with individuals becoming gradually less interested in (and therefore less likely to do anything with) the information sent to them.

There are of course other views on this and I would be interested to hear what any of you think. The US are obviously quite keen on their breach notification requirements, albeit that Schwarzenegger has, for now at least, halted the legislative march in California. The issue though will undoubtedly be back.

Eleanor Peterkin