We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½m, while the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection.
Category Archives: technology
A presentation was made about the to-be-established Data Protection Officer role, claiming to be informed by the EU’s advice on what the law means. We looked at whether a DPO is needed, the expertise and skills required, and the requirement for independence.
At the BCS legal day, a presentation was made entitled “Key Issues” which they started with a quote from Jan Albrecht MEP (the Rapporteur),
“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.”
Jan Albrecht MEP
It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.
I attended the BCS ISSG Legal day where the priority was the coming General Data Protection Regulation. I believe that the day was held under Chatham House rules, which means that comments cannot be attributed. I prefer to work on more open terms; it allows me to attribute credit to those who have informed me or changed my mind but the notes have been anonymised. The running order has been changed to make the story better and to conform to my preferred priority order, of principles, rights, obligations and enforcement. The day consisted of two presentations, entitled “Key Issues”, “the Data Protection Officer” and one on trends in enforcement. I have written these notes over the last week, and backdated them to the day of occurrence. These are a bit less polemic than my recent articles here, but for various reasons I have been reminded that that’s how they once were; I hope these articles are useful to my more technical readers. Some of the discussions and issues may interest those that follow me for politics.
The Digital Economy Act 2010 showed the long term goal of the entertainment industry: they want to criminalise file sharing. At the time, individual acts of copyright infringement were civil acts and the copyright owners had to pursue them through the courts, one at a time. This is expensive, slow, uncertain and most importantly expensive, compared with the cover price of a CD or DVD. The DE Act did that; it also sought to automate the justice system and, in order to do that, it weakened innocent until proven guilty by prescribing defences and also placed a charge on going to court to argue not guilty. It really was a shit piece of legislation. However, the Law stated that the costs of surveillance and discovery had to be shared by the copyright owners and the internet service providers. The Courts struck down this part of the Law (see here … for more).
In a blog at my employer’s site I looked at how to become compliant with the EU’s General Data Protection Regulation. Regulations are the Law in all the member states, and members of the European Economic Area. The article looks at the issues of consent, the new data subject rights, privacy by design, the meaning of adequate protection and new public accountability via the duty to report breaches and to appoint a professional data protection officer.
Many of the implications of the vote to leave the EU have been exercising my mind. I have finally got my notes and thoughts together to publish my initial views on the politics of the aftermath; this article attempts to limit itself to the events and thoughts of the first week after the referendum. I have published them as at the date I started my storify, where I collected the sources I wanted to quote. This is because it is one of a planned series; I plan to follow up with a piece on immigration, one on the Labour Party and Left unity, and one on the mutation of capitalism and politics.
One of the reasons for my delay was that I was asked for a number of quotes in the IT trade press, which took some writing time. I have posted the complete quotes as three articles on LinkedIn Pulse, on Cybersecurity, Privacy & Trade and the single market, covering innovation, TTIP & Privacy and net neutrality.
The highest levels of international judiciary have been busy over the last week. I report and comment on Microsoft vs. FBI on LinkedIn Pulse, in an article called “Citizens Win”. It was quite simple in the end: the law under which the FBI was seeking search warrant powers was not one of the post-9/11 laws but an earlier one, and the US District Court says that the law grants no power of inspection abroad. The spooks are going to have to apply for an Irish warrant. In Europe, however, Tom Watson’s and David Davies’s judicial review on DRIPA has reached the Advocate General. This is reported by Tom Watson here, and by Glyn Moody here. Watson writes about the need for strong judicial review of the search warrants, and Moody brings up that mass surveillance can only be used in the fight against serious crime.
I went up to Blackfriars to techUK’s offices to listen to their Digital Question Time. They had arranged for Vaizey, Onwurah and Huppert to speak. I covered the event using storify. They covered privacy, access and inclusion, start-ups, Brexit (briefly) and government IT. Computer Weekly have hosted a video here…, if you want the complete story. The Guardian ran a story, “Vaizey calls for tech firms to ‘meet politicians halfway’ over encryption”, sub-titled “Debate needs
The UK’s web site blocking rears its ugly head again. I was pointed at Der Spiegel, who report that Three and Vodafone are blocking the Chaos Computer Club‘s domain. The Chaos Computer Club is a grass roots technology association, most well known outside Germany, where it is based, for its annual Congress held in Hamburg. It is equally well known for not being a porn site. The Spiegel article is in German and I translated it using Google Translate. I have hosted a copy here, and you can see Google’s rendering here. The remainder of the article looks at over-blocking, including classifying IT security resources as obscene, and the market share of the various UK carriers.
Yesterday I attended a session convened by the BCS North London branch, called “Data Privacy – How Private is IT?” The presentation was given by two PwC staff members in two parts: the first was a forward-looking review of the proposed EU Data Protection Regulation by Kyrisia Sturgeon, and the second part a scenario-based exploration of good data protection practice led by Pragasen Morgan. To me the coming key changes in the law are that all companies will need to have a qualified data protection officer, and that it implements a right to be forgotten, or more accurately a right to be unindexed.