Tag Archives: dataprotection

Computers and the Coalition

This is a summary of a talk (at some point soon to be a full article) given at the launch of the Centre for Law & Information Policy on 25 February 2015.  (I am a member of the Centre’s advisory board). I wrote it up afterwards, so it’s less of a speech and more ‘what I think I said’. For a note and reflection on the talk itself, see Ray Corrigan’s post here. Further comments welcome, especially on things I’ve skipped / missed.


As we approach the 2015 General Election in the UK, and mark the launch of this new Centre, it seems appropriate to look back on the record of the outgoing Coalition government regarding law and information policy.   The agreement between the Conservative and Liberal Democrat parties specifically emphasised the importance of information and of technology on a number of occasions, as I will highlight where appropriate. Beyond specific commitments, other issues of significance and controversy emerged during the lifetime of the Government.  It’s fair to say that this administration has been perceived (at least at times) as engaged with questions of law and technology, but is that an accurate observation?

I have reviewed the legislation adopted by Parliament during this period, referring back to the Coalition agreement where appropriate. I have also considered the more significant instances of secondary legislation and policy documents, including EU measures (but primarily those measures where Member States had some discretion in implementation or where there is a meaningful link with a national-level debate or controversy.

I group the work of the Coalition into four categories: rollback, rebalancing, re-regulation, and projects.


My first category of Coalition activity can be described as ‘rollback’, on the grounds that the avowed intention of the Government was to repeal or substantially amend existing legislation and/or practice.  Typically, these changes were flagged up in the Coalition agreement, and appeared in one (or both) of the party manifestos.

An early piece of relevant legislation was the Identity Documents Act 2010. This repealed the 2006 legislation on identity cards, as part of the Coalition’s commitment to abandon the scheme. Not only was the legislation adopted, but the responsible Minister (Damien Green) was pictured assisting with the physical destruction of hard drives on which ID card information was stored.

A broader package of changes, again highlighted in the Coalition agreement, was included in the Protection of Freedoms Act 2012. This Act included provisions on DNA retention, biometrics, oversight of CCTV, and amendments to the Regulation of Investigatory Powers Act (RIPA) 2000. Perhaps these are not true ‘rollback’ in isolation, but the deliberate packaging of them in legislation on freedoms demonstrates the high water mark of the libertarian strand of thinking in the Government.

However, evidence of this approach is not only found in big-ticket legislative proposals. Take for example the changes in the Enterprise and Regulatory Reform Act 2013 sch 21, and related secondary legislation, removing the duty on television retailers to record and report the details of customers (to support the TV Licence system).

A good example of a rollback amendment, albeit not included in the Coalition agreement and not yet in force, is the proposed repeal of sections 17/18 Digital Economy Act 2010. These provisions, adopted in the very last days of the previous Parliament, were a move towards a statutory system for Internet blocking injunctions. However, in practice the expansive interpretation of section 97A CDPA 1988 (inserted in 2003), and latterly the use of wider powers (in the context of EU legislation), has meant that such injunctions are readily available against ISPs, on the application of affected rights holders. Ofcom was in 2010 critical of the feasibility of these provisions (in response to a request from the new Government), and the Government committed in 2011 not to implement them and then in 2012 to their repeal. The Deregulation Bill, which remains before Parliament, would do this.


My second category is ‘rebalancing’. In this category, we find major, established areas of private law, where the Government has researched and/or successfully proposed changes that, taken as a whole, amend the balance between the different interests affected by the law in a clearly demonstrable fashion.

The first such example is the Defamation Act 2013. The Coalition agreement included a commitment to “review libel laws to protect freedom of speech”. Thus, both the intention and purpose were connected. The resulting legislation was indeed a reform project with a goal in mind, rather than a general review/update. The new provisions, including single publication, jurisdiction, yet another form of protection for Internet intermediaries (including the newly minted ‘operator of a website’), and changes to the threshold for making out the cause of action, generally favour the interests of libel defendants. These changes were not without criticism, but were broadly welcomed and supported by interests including publishers, journalists, and scientists.

In copyright law, the Government set up the Hargreaves Review, which built on the work of the Gowers Review under a previous administration. This was not the only IP project (see for instance the Intellectual Property Act 2014 on designs and patents, or the provisions of Part 6 of the Enterprise and Regulatory Reform Act 2013 on performances). However, the long gestation of the changes (eventually adopted by statutory instrument in 2014) points to the significance and controversy of the project. These changes included a new statutory exception for works of parody, caricature and pastiche, various protections for libraries, archives, cultural institutions and educational institutions, and a scheme to allow private copying without remuneration (which is under challenge).  Broadly, these changes restrict the exercise of exclusive rights under copyright law, although many were supported by technology industries. The freedom of action of the Government was constrained by EU law, so the new provisions are within what is permissible under the Information Society Directive. Nonetheless, the whole package – and the extensive economic evidence assembled during and after Hargreaves – is a lasting contribution to the field of copyright.

Before leaving this category, one could also consider an area of public law – the proposed Privacy and Civil Liberties Board, which is provided for (subject to future secondary legislation) in the Counter-terrorism and Security Act 2015 s 46. This Board, which was proposed during discussion of data retention legislation (see below), would allow the Home Secretary to appoint a board (mandate to be set out by statutory instrument) to support independent reviewers of terrorism powers. Its inclusion in counter-terrorism legislation is semantically uncomfortable, but does assist the scholar in categorising it as an attempt to address the perception that one set of interests (security) dominates over another (privacy) and requires rebalancing.


My third category is a more controversial one, re-regulation. In the later days of the Coalition, it has put in place a number of areas that add new forms of regulation in respect of the use of the Internet – often reversing or significantly departing from provisions adopted under predecessor Governments.

One cannot avoid starting with the controversial, speedily-adopted Data Retention and Investigatory Powers (DRIP) Act 2014. Introduced ostensibly to fill the lacuna following the Court of Justice of the European Union (CJEU)’s finding that the Data Retention Directive was not valid due to infringement of fundamental rights, it readopted in primarily legislation much of the secondary legislation initially introduced as transposition of the Directive. A number of further changes were made. The legislation was given limited consideration by Parliament in summer 2014, and the author signed a letter critical of both its provisions and the lack of time available for its consideration. Already, however, it has been extended by way of s 21 Counter-Terrorism and Security Act 2015, which provide in effect for the further retention of data that will allow the association of devices with IP addresses.

An even clearer example of the Government’s changing approach to the Internet is found in the Audiovisual Media Services Regulations 2014. These provisions amend the scheme for regulating on-demand services, which were put in place in 2009/10 following the 2007 AVMS Directive. While the UK had been a vocal critic of the perceived over-regulation of on-demand services at the time, these new provisions (essentially applying BBFC standards on explicit content to on-demand services) go well beyond those in other EU states. The issue of restricting access to and in some cases prohibiting outright online video services was a matter of some concern to the Department for Culture, Media & Sport, including a request for input from Ofcom, regular updates (and exercise of existing powers) by the designed co-regulatory body ATVOD, and ongoing consideration of how far the UK could go without contravening the Directive.

Similarly, the Gambling (Licensing and Advertising) Act 2014 was an attempt to put in place, within the bounds of EU law, further restrictions on online gambling. The Gambling Act 2005 facilitated the advertising of online services from selected jurisdictions (EU and those on a ‘whitelist’ of countries with sufficiently robust regulatory mechanisms), and did not require providers located outside the jurisdiction to be regulated by the Gambling Commission. As I have written, the 2014 Act reverses both principles; now, where a service is used or likely to be used by users in Britain (if the operator knows or should know that), the Gambling Commission has regulatory jurisdiction. Only services regulated by the Commission can lawfully advertise in the UK. This legislation was unsuccessfully challenged by Gibraltar-based operators, and clearly responded to a degree of tolerance demonstrated by the CJEU in respect of similar legislation emanating from other member states.

Most recently, provisions in the Criminal Justice and Courts Act 2015 will, when they come into force, create or extend criminal offences of some significance. The Act extends the penalty for breach of the Malicious Communications Act 1988. It also extends the scope of the ‘extreme pornography’ provisions enacted by the previous Parliament. This was presented at various stages as a ‘possible loophole’ or ‘loophole’, although the evidence was in my view more nuanced and contested than this.  Famously, the Act also contains a new offence of ‘disclosing private sexual photographs and films with intent to cause distress’ – often, but not entirely accurately, called the ‘revenge pornography’ clause. Although without doubt a difficult and sensitive issue, these provisions were introduced without a committee stage in the House of Commons, and with limited research or consultation. The use of new approaches and definitions is interesting (note the focus upon distress, or the defining of sexual as including something that a reasonable person would consider to be sexual). However, unfortunately it is another example, in Internet-related criminal law, of the creation of a new offence without the methodical consideration of existing offences or an attempt to put in place a meaningful set of workable, understandable provisions. Taking along with the MCA changes and pornography provisions, we see the gradual growth of criminal sanctions in an area that surely demands a proper look (perhaps along the lines of the House of Lords Communication Committee’s 2014 report on social media and criminal offences).


A final category is major projects – here, I highlight open data, juries, consumer law, creative industries tax relief, local media, and the Leveson Inquiry.

Starting with the big one – open data. This is an area where the Government has been very active, at least in terms of policy statements and reports. The manifesto included commitments to openness in principle and further points of detail. Since then, we have seen a White Paper (2012), a review on public sector information, another review on anonymisation, and more. Open Data Strategies have been adopted at department level, prompted by a letter from the Prime Minister. Data.gov.uk is a repository of data and a shopfront for innovative uses.  An Open Data Institute, with a focus on private-sector activity, has been created. Legislatively, the changes were at a smaller scale. The Protection of Freedoms Act included an amendment to the FOI Act in support of the release of usable datasets. More controversially, the Health & Social Care Act 2012 put in place various regimes in relation to health data, which have already proven to be controversial (e.g. the care.data events of 2014). Interestingly, though, much of the work here has been non-legislative, confirmed by the statement in the 2012 White Paper that “we don’t want to use legislation too readily – that would sit at odds with our core principle to reduce bureaucracy”.

A smaller project, perhaps, is the work that the Law Commission has done on jurors, in the context of contempt of court. New provisions were included in the Criminal Justice and Courts Act 2015, dealing with matters including the carrying out of research by jurors and the use of electronic devices. The Law Commission’s project was wide-ranging, and led to timely legislation.

The consumer law reform project is an interesting one. There wasn’t much detail on this in the Coalition agreement (beyond a general commitment to “introduc(ing) stronger consumer protections, including measures to end unfair bank and financial transaction charges.” Initial steps came in the transposition of the Consumer Rights Directive, which had at one time been a planned overhaul of the EU consumer law acquis, but turned out to be something a lot less extensive. In this gap, then, came the Consumer Rights Bill, which remains before Parliament. The Bill, in line with the recommendations of a number of reports, addressed a long-standing potential gap in consumer law, which has a firm distinction between the sale of goods and the supply of services, without properly addressing the position of ‘digital content’. The new Bill creates a three-tier structure, with much (but not all) of the existing or reframed requirements for goods being applied to the new digital content category.

Creative industries tax relief was the subject of a notable shift in direction. The incoming Government initially abandoned video games tax relief, on the grounds that it was ‘poorly targeted’. However, it subsequently introduced a new relief for games, high-end television and animation. The games scheme was delayed pending consideration by the European Commission, but ultimately approved – and is now in force. Indeed, a follow-up set of changes introduces relief for theatre as well.  As I have written elsewhere, the adopting of this scheme highlights the ability of the Government to promote it within the UK as an industrial measure, while reassuring the European Commission that its objectives were truly cultural.

Local media was an early theme of the Department for Culture, Media and Sport, with the initial Secretary of State frequently wondering why local TV was in a better state in Birmingham, Alabama than in Birmingham, England. Beyond the soundbite, a number of specific changes were made. The Communications Act was amended twice: first in 2011 to liberalise some cross-ownership requirements, and then again in 2012 to put in place a new form of licence for local TV stations; some of them are now up and running.

And then, there was the Leveson Inquiry. Certainly not in the Coalition agreement, as the question of phone-hacking was yet to come to a head. When it did in 2011, the Prime Minister established the Inquiry, and the rest was history. Or was it?  Leveson’s recommendations were acknowledged in part through the inclusion of provisions in the Crime and Courts Act 2013 (linking membership of an approved regulator to the question of exemplary damages for certain media-related causes of action e.g. defamation), and the broadly-worded clause in s 96 Enterprise and Regulatory Reform Act 2013 on the relationship between Parliament and Royal Charters for specific industries. This was part of the Government’s attempt to provide for some measure of press regulation without formal statutory control, although the current Secretary of State at DCMS seems to have stepped back from this approach somewhat. Other areas of the Leveson report, especially on data protection and media pluralism, remain unimplemented at a legislative level.


Finally, I make three general observations, and then highlight some issues to watch in the election campaign and the formation of the next Government.

There was no major legislative project in this field during the lifetime of the Coalition. Open data as a project could be considered as information policy, although the lack of legislative underpinning is surprising for something argued to be so fundamental to a change in the way of governing. With 130 or so Acts adopted since the 2010 election, only a handful relate to information and technology, and often it was only a clause or two that were relevant.

The initial urgency of Coalition libertarianism gave way to a late enthusiasm for Internet (re)regulation.  This is not unusual for governments, and the knee-jerk response to perceived disorder or threat is not specific to the Internet, but it is remarkable how the measures in this field adopted over the last 12-18 months have been characterised by the extension of State power in a whole range of areas.

The Coalition also addressed a range of industries in varying ways. The press was pleased at the Defamation Act and (mostly) pleased with the (limited) approach to the Leveson report. IT industries were well served by changes to defamation and copyright law, but some spoke out against changes to data retention. Some in the creative industries were upset at the copyright changes, but reassured by the new tax reliefs.

Here are a few things to watch out for.

1. Data and information. Eventually, the EU will (should?) adopt the General Data Protection Regulation, which may lead to a debate at national level for other or related issues. A consultation on ‘nuisance calls’ consultation closed in December 2014, so the proposed changes might follow (update: this has now happened). The Law Commission’s project on data sharing has so far provided a scoping report, which sets out very explicitly the complexity of the legislative changes that could be necessary to support this goal. The long-term position of data retention will need to be resolved after DRIP expires, and the Justice Committee’s post-legislative scrutiny of the FOI Act could also be a useful starting point for a future Government.

2. Infrastructure. The Law Commission’s 2013 report on the Electronic Communications Code (which affects the building of networks) was to be implemented through the Infrastructure Bill. However, the provisions were withdrawn and a separate consultation is now taking place.

3. A review of the sharing economy reported in November 2014, recommending various changes to the law (albeit not in much detail, and the handling of the matter was questionable, with the report being written by an ‘independent’ person, the founder of a home-swapping company). Already, the Deregulation Bill contains a specific amendment that supports private short-term letting of property in London (amending 1970s legislation). However, the controversy associated with this field, and the existence of a report, could well keep this on the agenda.

4. Media. Many would have predicted, given DCMS activity and proposals, that this Government would have proposed a new Communications Act. The 2003 Act has been amended (mostly through secondary legislation), and other provisions are politically contentious. Will the next Parliament be asked to consider a Communications Bill?

PS: Subsequently, and quicker than I had expected, the Serious Crime Bill became the Serious Crime Act 2015. This Act contains provisions on journalistic sources (s 83), possession of any item that contains advice or guidance about abusing children sexually (s 69), sexual communication with a child (s 67), and a series of changes to the Computer Misuse Act. In the next version of this work, I’ll incorporate all that…

Ten things to read about today’s data retention decision

I am a fair-weather blogger, and so I cannot remember the last time I had so many visits or retweets in a day.  Piggybacking on the unexpected traffic boost, here are ten things worth reading (from various sources) about the reason for that traffic – the finding by the Court of Justice of the EU that the Data Retention Directive is, on human rights grounds, invalid.  (My own post, Data retention parrot, is here).

I had plenty to choose from in putting this list together – fortunate that the decision was published when many of us legal academics are not teaching?

  1. The decision of the Court.  The early pages are taken up with reproducing the provisions of the legislation, so if you are familiar with the Directive, those pages are most skippable.
  2. Fiona de Londras, professor at Durham Law School, writing at Human Rights in Ireland. Special mention: discussion on whether “a more tailored, narrower approach” might survive scrutiny if the Directive is to be replaced (see also her lessons for the US, posted at The Conversation).
  3. “Cybermatron”, an expert in this field, writing on her blog. Special mention: highlighting weaknesses in the decision, including where the Court may have underappreciated the significance of the legislation and of this challenge.
  4. Steve Peers, professor at the University of Essex Law School, writing on his blog EU Law Analysis. Special mention: analysis of the current status of the (invalid) Directive, and options for states and the EU from this point on.
  5. Paul Bernal, lecturer at the UEA Law School, writing on his blog. Special mention: how the decision sits within the wider debate on and advocacy for privacy.
  6. Karlin Lillington, journalist, writing in the Irish Times. Special mention: the consequences for Ireland and the EU, by someone who has been instrumental in highlighting data retention practices for over a decade.
  7. Luke Scanlon, solicitor, Pinsent Masons, writing on Out-law. Special mention: impact on other legislation, including data protection present and future.
  8. Glyn Moody, author and journalist, writing for ComputerWorld UK. Special mention: explanation, point by point, of how the court’s decision relates to specific data retention practices.
  9. Gabriele Steinhauser, journalist, writing in the Wall Street Journal. Special mention: how the decision is being reported to an international audience, including the political dimension.
  10. Press release and FAQ on the decision from the European Commission (the ‘losing’ side, not that you would know that from the statement). Special mention: reading it with a straight face.

Apologies to those omitted – additional links welcome, through the comments sections below.

Early thoughts on Leveson 3 of 4 – data protection

This is one of a series of responses to the publication of the report of the Leveson Inquiry.  For an introduction, and links to other posts, see here.

The extent of the recommendations on amending the provisions for journalism in the Data Protection Act came as a surprise to me, and of course the Government will have to be aware of the context of EU law if it does implement these proposals.  It would change the nature of the journalistic exemption under the Directive as implemented in the UK through the Data Protection Act.  (This is an unusual formulation in the Directive – member states *shall* provide a derogation but only when it is *necessary*; implementation is therefore of interest to the EU; and not forgetting the interaction between data protection and (other?) fundamental rights.

Although this is a field of law that is complex, and the recommendations may seem on the legalistic side, I do believe that this has the potential to be quite far-reaching.  It’s not a surprise that it has come up in the House of Commons debate (although more heat than light so far).  Some of the objections may be fairly categorised as symbolic, that is to say, it is the idea of having an exemption (or special treatment, if you will) that is important rather than every aspect of compliance.  However I would anticipate particular tensions in respect of subject access requests (i.e. Mary Murphy contacts a newspaper asking for all the data it holds on her), and the proposed shift in the burden for those areas that are covered by an exemption might have an impact.

The recommendations on the structure of the ICO are also particularly detailed – there may be a need to consider the consequences of such changes for other areas under the DPA supervised by the ICO (which were well beyond Leveson’s remit or indeed interest).  There is, quite fairly, a reminder that some of the recommendations can be implemented soon and should not be delayed until longer-term structural changes are considered.  Nonetheless the role of the ICO is surely up for discussion now, and not just in respect of its relationship with the media.  Data protection watchers (of which I am not really one) will be interested in this process.  (Time for a focused review of the ICO in the context of these recommendations but with wider participation from IT lawyers?).

It’s less of a surprise, but still important, to see it recommended that the stronger sentencing powers for the criminal provision in the Data Protection Act (s 55) be (finally) brought into force.

Cyberlaw at the Society of Legal Scholars

I’m at the annual conference of the Society of Legal Scholars, where I’ll be convening the Media & Communications section later in the week.  Yesterday, though, I had the pleasant opportunity to sit back (or lean forward) and listen to the papers in this year’s ‘cyberlaw‘ section.  Here are some comments on the papers (not all I’m afraid due to coming and going from the room).

Uta Kohl (Aberystwyth): on intermediaries.  Currently working on a ‘trilogy’ of articles on connectivity, navigation and hosting Intermediaries. There are two theoretical influences here: Spar’s work on phases regulation (e.g. from Ruling the waves 2004) and Foucault’s use of Bentham’s panopticon work.  Intermediaries are key to the system, ie you cannot have regulated online environment without the regulation of intermediaries. They are key players in these debates. Connectivity, navigation (a key facilitator) and hosts. Judges taking a different approach to what they can ‘make’ intermediaries do. Attractive because there are so few of them. Also in transnational context.

There has lately been a change of regulatory mood; specifically mentioned the 9th Circuit decision re roommates.com and the comments on unfair advantage over offline equivalents. In general, immunities are hardly ever used, preference for general law of the land.  Use general law to favour intermediaries instead of the special provisions, or don’t find them applicable at all. Integration into economy supports Spar hypothesis.  Noted that full paper reviews different topics e.g. defamation, copyright, competition.  In the case of copyright, liability and blocking obligations are being separated (Newzbin and EU law) and there are other developments (Australian cases).  Existence of Cleanfeed influences copyright changes.

Paul Bernal (UEA): on the right to be forgotten in the US, EU and UK.  There has been a tension between EU and US in this field for a long time (with the UK quite confused).  In the EU this is a key aspect of proposed reform of data protection, protecting individuals in the face of (US) corporate power. From US perspective this is a threat to free speech and the end of the Internet as we know it, e.g. Rosen in Stanford Law Review. UK is resisting the right given its existing doubts about both privacy or free speech.  So who is right? Paul talked through the actual text and argues more like a right to delete than to be forgotten.  Important is the obligations it places on others, but also be aware of all reasonable steps clause re links etc. Is this ‘seek and destroy’? What about search engines? US free speech arguments relevant here, but more broadly (i)is data speech? (ii) Held vs published (iii) Links vs data (iv) significance of ‘journalism/art/literature’ defence.

Notes that if data protected by copyright, there is already a takedown option. Data as an IP right? Objections and constitutional issues both present. Ultimately it is more about free enterprise than free speech.  Those targeting products at EU are within scope.  And although the UK does not focus on privacy and expression there is an interst in bring a good place to do business! For example, MoJ consultation focused on businesses and the burden that it would create. Would require work eg privacy by design but also challenges the business model based on keeping data.

Damien McCallig (Galway), on his ‘digital remains’ project, specifically the deceased and data protection today.  In some jurisdictions the protections of data protection law are transformed upon death. Data subject defined as natural person? The A29 Working Party opinion on concept of personal data as personality, i.e. birth to death.  He reviewed the history of data protection law with a particular focus on the Council of Europe convention 1981; it is only in 1992 that natural person is used but that was so as to exclude legal persons. Conclusion is that there is no bar to inclusion.

Within the EU: 12 include, 4 express exclude, 10 say natural persons (presumed exclusion), 1 x 30-year limit.  But even within those that do recognise, there is a lack of consistency.  Ireland and UK  start with the common law proposition that the dead have no rights. Strong criticism of inclusion in Parl Ctee work implementation of directive in the UK. In Ireland it did not arise in parliamentary debates until 2003 revision. Government said no demand at first consultation but this clearly not true.

Proposed EU regulation followed same language although latest draft would mention living persons at the urging of Sweden (which currently excludes). Pressure to finalise soon (perhaps even during Irish presidency).

Michaela MacDonald (Queen Mary) discussed virtual assets, within environments ranging from Facebook to Second Life to World of Warcraft.  Key problems associated with virtual currency purchased with real-world currency and then used as means of exchange.  However the regulatory dimension includes EULAs (contracts of adhesion).  The focus of the talk was theft-related incidents and decisions (Chengwai situation in China, R v Mitchell in UK, Dutch supreme court consideration of Runescape).

Kim Barker and Olga Jurasz (Aberystwyth) – misogyny in gaming. While there is some awareness and discussion of explicit content there is also a need to consider predation, violence, etc.  This is in public eye again for various reasons (including Habbo Hotel investigation on C4), and also targeting of women (e.g. Anita Saarkesian, had Tropes vs Women Kickstarter project, drew extreme reaction including abuse on wiki page and even game to ‘beat up’ her image. While there is some work on cybercrime (Brenner, Kerr etc) that assists in understanding, and old situations from Internet studies (LambdaMoo), new situations emerge (ageplay in Second Life).  A key problem is that cybercrime (including academic work) focuses on different issues ie property, pornography.  The problems they have found are rooted in virtual real world framework but same problems re enforcement, public attitudes, etc.

So we must be aware of selectiveness in regulation; some issues (children) receive attention in the Cybercrime convention so why not violence against women, do we pick and choose?  Then, some comments on virtual harms and the dispute over violent acts in virtual worlds, with responses ranging from catharsis to online/offline mirroring (specific mention of Ryan Chinnery’s conviction).  What would the impact be of a human rights framework or even language?  Discussion too of Jessie Daniels’ Cyber Racism.

Good to know about Good To Know

This week’s English newspapers (including the Guardian and Independent, but there may be others) carried a number of full-page advertisements for Google, which formed part of its current ‘Good To Know‘ campaign. The campaign is ‘in partnership with the Citizens Advice Bureau‘.

Some parts of the campaign strike me as extremely sensible and useful information, and leave me very pleased that Google is putting its money and reputation behind them. For example, one ad (which I first saw in a Tube station) emphasised Google’s 2-step verification; another (which I saw in print, but can’t recall where) gave examples of good passwords. (You can see a collection of these ads on the Good To Know website). The most recent ads, though, raise some interesting questions around data and privacy. As readers of the growing literature on the development of Google will know (most recently Douglas Edwards’ I’m Feeling Lucky on his experiences as employee #59), it’s clear that these issues are thought about and debated a lot within Google; this however is my external take and some quite preliminary questions rather than conclusions;.

One ad is about IP addresses – it doesn’t appear to be on the Google site, but I’ve scanned it (apologies for resolution) here. Explaining how a user in Brighton doesn’t need a plumber from New York when they use a search engine, the ad states that results based on where you are use your computer’s IP address. “It’s a number like which acts a bit like the first part of a postcode to tell them the rough area your computer is in“. I think this isn’t the best definition of an IP address, particularly in the week where (in the Sabam decision regarding ISP filtering for copyright reasons) the Court of Justice of the EU found it to be common ground “that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified”. This confirms a direction in European Union practice, particularly the statements of the article 29 Working Party (e.g. opinion 1/2008 on search engines, opinion 2/2010 on online behavioural advertising), that an IP address can be personal data. In a way, I’d suggest, that the first part of a postcode is less likely to be.

Another ad (with a quirky little graphic about extra-shot coffee, which is what I’m drinking as I type this) (scanned here) draws a link between the barista knowing your coffee order (but not your name) as you walk through the door, and how Google and other websites act:

Making a note of your preferences in case you visit them again. It’s how they are able to recommend a particular artist you might like, or if you prefer to fly from a certain airport, or if you like a specific printer ink.

(I think ‘preferences’ here is broader than a technical meaning of preferences as in settings, but am open to correction).

Again, I can see what they are getting at, but I think the anonymous coffee order may not be the best model here – as (a) there are plenty of ‘preferences’ that are more revealing (and yes, legally sensitive) than coffee choice, and (b) concerns about profiling include the cumulative impact of data collection rather than a single point – the barista doesn’t know what you prefer when you go to the clothes shop next door!

Google does some great work around data – and the Good To Know website highlights this, including work on Data Liberation, cookie deletion and more. But there’s something about the ads above that I’m not as sure about.

I mentioned this campaign to a fellow academic and s/he pointed out that the ultimate target here might not be users, but the forthcoming (and unpopular with large Internet companies) revision of the Data Protection Directive. If that’s the case, Google’s intervention isn’t unwelcome – we need to hear its voice – but it’s worth debating those points. If it’s just about consumers, I think it goes in the right direction (particularly the security stuff), but the wording could be a good bit tighter.

Finally, I think there are questions to be asked about the role of the Citizens Advice Bureau. It knows well that the interests of consumers are different to the interests of corporations – see for example its current struggle to publish the results of investigations and how libel law appears to prevent that. So should it be involved with (a) a particular company and (b) a particular view of the law of privacy? Indeed, the UK government proposes (consultation paper here) to take a whole range of consumer information and advocacy functions away from public bodies and transfer them to the (private, charitable and generally wonderful) CAB. Should it therefore be more careful about taking ‘sides’, appearing to endorse the views of Google and in having the ads presented as authoritative and neutral?