Project Fear or Project Reality about Brexit continues and while risks to banking, air travel, radio-therapy and the pan-European integrated manufacturing supply chains are all making the headlines, there is also a serious problem with maintaining data flows particularly of personal data, which underpins both secondary & tertiary sector industries. This article looks at the threat to trade involving data flows posed by Brexit and looks at the likely shape of US/EU data flow and privacy regulation.
Tag Archives: privacy
I have had a look at the manifestos to see what they have to say on the internet and Digital Liberty. I have been very influenced by the EDRi voting exchange and summarise the issues of Digital Liberty as e-citizenship, equality before the law, privacy and copyright reform, to which for this election we must add internet governance and industrial & innovation policy. I have created a table summarising the positions of the Tories, Labour, LibDems and Greens. Possibly I should have analysed the SNP manifesto since much of this is Westminster reserved powers. I was hoping to write something easy and quick to read. I don’t think I have succeeded. My super summary is in the figure immediately below, and here is the table I built to help me write this article. (I lost the Excel file, so this will have to do!) My main source was the ORG pages but I have been reading the Labour Manifesto also. I feel that the opposition parties have suffered from the surprise; they probably expected more time to develop their promises. All three opposition parties’ 2015 manifestos covered these issues in more depth.
We then considered enforcement trends. The total number of fines is going up; the maximum under the DPA is £½ m, the maximum under the GDPR will be €20m or 4% of global turnover. Today the ICO can fine under two laws, the Data Protection Act and the Privacy and Electronic Communication Regulation (PECR), which regulate Data Controllers and Processors and direct mailing houses respectively. The ICO have taken more interest in the DPA since they gained fining powers. This note looks at the record in court, the change in enforcement powers, and notes that the preponderance of fines have been levied due to inadequate technical protection.
At the BCS legal day, a presentation entitled “Key Issues” opened with a quote from Jan Albrecht MEP (the Rapporteur):
“[The] result is something that makes (as we intended from the beginning) everybody equally unhappy, but at the same time is a huge step forward for all sides involved.”
Jan Albrecht MEP
It is hoped that business opportunity will be created by a harmonisation of regulation across Europe with a goal of improved privacy for its citizens. The harmonisation is constrained by the Restrictions Article, which excludes areas of law from the Regulation and creates nationally authored variances.
Late last year, the UK Parliament passed the Investigatory Powers Act 2016. This law builds on the Regulation of Investigatory Powers Acts and the Data Retention Laws. This law allows the Government to store all our electronic communications traffic, read the content and metadata and co-opt the product and service vendors to help them. I describe this in more detail below.
The Law was written in the aftermath of the Court of Justice of the European Union’s (CJEU) ruling in the Schrems vs. Facebook case that the EU’s Data Retention Directive and hence the member state implementations were in contradiction to the EU’s human rights law, the Charter of Fundamental Rights. Parliament had considered aspects of these proposals twice before under the two previous administrations and rejected them.
This article looks at the new Law, criticises it on Human Rights grounds in that it jeopardises the right to privacy, the right to organise, the right to a fair trial and rights to free speech and on IT Security grounds in that the new regulation of encryption products jeopardises access to electronic trust and privacy. It also examines the likely impact of the recent CJEU ruling on the legality of its predecessor law, and in passing, likely conflicts with last year’s passage of the General Data Protection Regulation (GDPR) by the European Union.
Earlier this week, the Court of Justice of the European Union delivered its judgement on the legality of the UK & Swedish data retention and surveillance laws. They confirmed their ruling from 2015 that general monitoring is illegal, that retention must be specific and is only allowed to combat serious crimes, that access to surveillance records must be authorised by independent authorities and that EU data subjects must have access to legal remediation if their rights to privacy are breached. The Guardian report on it here, the Independent here, the Register here and even the Daily Mash comments here. The UK’s Investigatory Powers Act also gives the government the right to mandate backdoors in UK operated communications products; these powers may also fall foul of the prohibition on general monitoring and the need for independent review. While the ruling is specific to the UK’s DRIPA law, which has now been replaced by the Investigatory Powers Act, it poses a clear challenge to the legality of the new Law.
In a blog at my employer’s site I looked at how to become compliant with the EU’s General Data Protection Regulation. Regulations are the Law in all the member states, and members of the European Economic Area. The article looks at the issues of consent, the new data subject rights, privacy by design, the meaning of adequate protection and new public accountability via the duty to report breaches and to appoint a professional data protection officer.
The many implications of the vote to leave the EU have been exercising my mind. I have finally got my notes & thoughts together to publish my initial views on the politics of the aftermath; this article attempts to limit itself to the events and thoughts of the first week after the referendum. I have published them as at the date I started my Storify where I collected the sources I wanted to quote. This is because it is one of a planned series; I plan to follow up with a piece on immigration, one on Labour Party and Left unity and one on the mutation of capitalism and politics.
One of the reasons for my delay was that I was asked for a number of quotes in the IT trade press which took some writing time. I have posted the complete quotes as three articles in LinkedIn Pulse, on Cybersecurity, Privacy & Trade and the single market, covering innovation, TTIP & Privacy and net neutrality.
The highest levels of the international judiciary have been busy over the last week. I report and comment on the Microsoft vs. FBI on LinkedIn Pulse, in an article called “Citizens Win”. It was quite simple in the end: the law under which the FBI was seeking search warrant powers was not one of the post-9/11 laws, but an earlier one, and the US District Court says that the law grants no power of inspection abroad. The spooks are going to have to apply for an Irish warrant. In Europe, however, Tom Watson’s & David Davies’s judicial review on DRIPA has reached the Advocate General. This is reported by Tom Watson here, and by Glyn Moody here. Watson writes about the need for strong judicial review of the search warrants, and Moody brings up that mass surveillance can only be used in the fight against serious crime.
Trefor Davies of trefor.net commissioned and published an article by me on the state of the politics of digital and its likely impact on the General Election. In the article I classify the issues around citizenship and economics. Obviously the manifesto has not been published and so prediction of its content is not easy. Regular readers will know that I am a supporter of both the Open Rights Group and Privacy International. I have also served on NESSI, the EU’s internet/I.T. R&D project incubator. I am hopeful on the issues of citizenship, unsure on copyright and intellectual property laws and expect a good offer on digital government.
Glyn Moody, of course, at TechDirt, syndicates the EDRi scoop about the final stages of the new EU Data Protection Regulation exposing the National Governments’ role in weakening the current legislation which have completed their 1st & 2nd stages. EDRi have published a document called “Broken Badly” which contains their critique of the Council’s behaviour and positions because they weaken the rules around consent (both authorisation and purpose), corporate sanctions, duty to notify breaches, and the problematic one stop shop for jurisdiction. Correspondence to Chris Grayling I suppose.