Archive for the ‘dataprotection’ tag
This is one of a series of responses to the publication of the report of the Leveson Inquiry. For an introduction, and links to other posts, see here.
The extent of the recommendations on amending the provisions for journalism in the Data Protection Act came as a surprise to me, and of course the Government will have to be aware of the context of EU law if it does implement these proposals. It would change the nature of the journalistic exemption under the Directive as implemented in the UK through the Data Protection Act. (This is an unusual formulation in the Directive – member states *shall* provide a derogation but only when it is *necessary*; implementation is therefore of interest to the EU; and not forgetting the interaction between data protection and (other?) fundamental rights.
Although this is a field of law that is complex, and the recommendations may seem on the legalistic side, I do believe that this has the potential to be quite far-reaching. It’s not a surprise that it has come up in the House of Commons debate (although more heat than light so far). Some of the objections may be fairly categorised as symbolic, that is to say, it is the idea of having an exemption (or special treatment, if you will) that is important rather than every aspect of compliance. However I would anticipate particular tensions in respect of subject access requests (i.e. Mary Murphy contacts a newspaper asking for all the data it holds on her), and the proposed shift in the burden for those areas that are covered by an exemption might have an impact.
The recommendations on the structure of the ICO are also particularly detailed – there may be a need to consider the consequences of such changes for other areas under the DPA supervised by the ICO (which were well beyond Leveson’s remit or indeed interest). There is, quite fairly, a reminder that some of the recommendations can be implemented soon and should not be delayed until longer-term structural changes are considered. Nonetheless the role of the ICO is surely up for discussion now, and not just in respect of its relationship with the media. Data protection watchers (of which I am not really one) will be interested in this process. (Time for a focused review of the ICO in the context of these recommendations but with wider participation from IT lawyers?).
It’s less of a surprise, but still important, to see it recommended that the stronger sentencing powers for the criminal provision in the Data Protection Act (s 55) be (finally) brought into force.
I’m at the annual conference of the Society of Legal Scholars, where I’ll be convening the Media & Communications section later in the week. Yesterday, though, I had the pleasant opportunity to sit back (or lean forward) and listen to the papers in this year’s ‘cyberlaw‘ section. Here are some comments on the papers (not all I’m afraid due to coming and going from the room).
Uta Kohl (Aberystwyth): on intermediaries. Currently working on a ‘trilogy’ of articles on connectivity, navigation and hosting Intermediaries. There are two theoretical influences here: Spar’s work on phases regulation (e.g. from Ruling the waves 2004) and Foucault’s use of Bentham’s panopticon work. Intermediaries are key to the system, ie you cannot have regulated online environment without the regulation of intermediaries. They are key players in these debates. Connectivity, navigation (a key facilitator) and hosts. Judges taking a different approach to what they can ‘make’ intermediaries do. Attractive because there are so few of them. Also in transnational context.
There has lately been a change of regulatory mood; specifically mentioned the 9th Circuit decision re roommates.com and the comments on unfair advantage over offline equivalents. In general, immunities are hardly ever used, preference for general law of the land. Use general law to favour intermediaries instead of the special provisions, or don’t find them applicable at all. Integration into economy supports Spar hypothesis. Noted that full paper reviews different topics e.g. defamation, copyright, competition. In the case of copyright, liability and blocking obligations are being separated (Newzbin and EU law) and there are other developments (Australian cases). Existence of Cleanfeed influences copyright changes.
Paul Bernal (UEA): on the right to be forgotten in the US, EU and UK. There has been a tension between EU and US in this field for a long time (with the UK quite confused). In the EU this is a key aspect of proposed reform of data protection, protecting individuals in the face of (US) corporate power. From US perspective this is a threat to free speech and the end of the Internet as we know it, e.g. Rosen in Stanford Law Review. UK is resisting the right given its existing doubts about both privacy or free speech. So who is right? Paul talked through the actual text and argues more like a right to delete than to be forgotten. Important is the obligations it places on others, but also be aware of all reasonable steps clause re links etc. Is this ‘seek and destroy’? What about search engines? US free speech arguments relevant here, but more broadly (i)is data speech? (ii) Held vs published (iii) Links vs data (iv) significance of ‘journalism/art/literature’ defence.
Notes that if data protected by copyright, there is already a takedown option. Data as an IP right? Objections and constitutional issues both present. Ultimately it is more about free enterprise than free speech. Those targeting products at EU are within scope. And although the UK does not focus on privacy and expression there is an interst in bring a good place to do business! For example, MoJ consultation focused on businesses and the burden that it would create. Would require work eg privacy by design but also challenges the business model based on keeping data.
Damien McCallig (Galway), on his ‘digital remains’ project, specifically the deceased and data protection today. In some jurisdictions the protections of data protection law are transformed upon death. Data subject defined as natural person? The A29 Working Party opinion on concept of personal data as personality, i.e. birth to death. He reviewed the history of data protection law with a particular focus on the Council of Europe convention 1981; it is only in 1992 that natural person is used but that was so as to exclude legal persons. Conclusion is that there is no bar to inclusion.
Within the EU: 12 include, 4 express exclude, 10 say natural persons (presumed exclusion), 1 x 30-year limit. But even within those that do recognise, there is a lack of consistency. Ireland and UK start with the common law proposition that the dead have no rights. Strong criticism of inclusion in Parl Ctee work implementation of directive in the UK. In Ireland it did not arise in parliamentary debates until 2003 revision. Government said no demand at first consultation but this clearly not true.
Proposed EU regulation followed same language although latest draft would mention living persons at the urging of Sweden (which currently excludes). Pressure to finalise soon (perhaps even during Irish presidency).
Michaela MacDonald (Queen Mary) discussed virtual assets, within environments ranging from Facebook to Second Life to World of Warcraft. Key problems associated with virtual currency purchased with real-world currency and then used as means of exchange. However the regulatory dimension includes EULAs (contracts of adhesion). The focus of the talk was theft-related incidents and decisions (Chengwai situation in China, R v Mitchell in UK, Dutch supreme court consideration of Runescape).
Kim Barker and Olga Jurasz (Aberystwyth) – misogyny in gaming. While there is some awareness and discussion of explicit content there is also a need to consider predation, violence, etc. This is in public eye again for various reasons (including Habbo Hotel investigation on C4), and also targeting of women (e.g. Anita Saarkesian, had Tropes vs Women Kickstarter project, drew extreme reaction including abuse on wiki page and even game to ‘beat up’ her image. While there is some work on cybercrime (Brenner, Kerr etc) that assists in understanding, and old situations from Internet studies (LambdaMoo), new situations emerge (ageplay in Second Life). A key problem is that cybercrime (including academic work) focuses on different issues ie property, pornography. The problems they have found are rooted in virtual real world framework but same problems re enforcement, public attitudes, etc.
So we must be aware of selectiveness in regulation; some issues (children) receive attention in the Cybercrime convention so why not violence against women, do we pick and choose? Then, some comments on virtual harms and the dispute over violent acts in virtual worlds, with responses ranging from catharsis to online/offline mirroring (specific mention of Ryan Chinnery’s conviction). What would the impact be of a human rights framework or even language? Discussion too of Jessie Daniels’ Cyber Racism.
This week’s English newspapers (including the Guardian and Independent, but there may be others) carried a number of full-page advertisements for Google, which formed part of its current ‘Good To Know‘ campaign. The campaign is ‘in partnership with the Citizens Advice Bureau‘.
Some parts of the campaign strike me as extremely sensible and useful information, and leave me very pleased that Google is putting its money and reputation behind them. For example, one ad (which I first saw in a Tube station) emphasised Google’s 2-step verification; another (which I saw in print, but can’t recall where) gave examples of good passwords. (You can see a collection of these ads on the Good To Know website). The most recent ads, though, raise some interesting questions around data and privacy. As readers of the growing literature on the development of Google will know (most recently Douglas Edwards’ I’m Feeling Lucky on his experiences as employee #59), it’s clear that these issues are thought about and debated a lot within Google; this however is my external take and some quite preliminary questions rather than conclusions;.
One ad is about IP addresses – it doesn’t appear to be on the Google site, but I’ve scanned it (apologies for resolution) here. Explaining how a user in Brighton doesn’t need a plumber from New York when they use a search engine, the ad states that results based on where you are use your computer’s IP address. “It’s a number like 220.127.116.11 which acts a bit like the first part of a postcode to tell them the rough area your computer is in“. I think this isn’t the best definition of an IP address, particularly in the week where (in the Sabam decision regarding ISP filtering for copyright reasons) the Court of Justice of the EU found it to be common ground “that the injunction requiring installation of the contested filtering system would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified”. This confirms a direction in European Union practice, particularly the statements of the article 29 Working Party (e.g. opinion 1/2008 on search engines, opinion 2/2010 on online behavioural advertising), that an IP address can be personal data. In a way, I’d suggest, that the first part of a postcode is less likely to be.
Another ad (with a quirky little graphic about extra-shot coffee, which is what I’m drinking as I type this) (scanned here) draws a link between the barista knowing your coffee order (but not your name) as you walk through the door, and how Google and other websites act:
Making a note of your preferences in case you visit them again. It’s how they are able to recommend a particular artist you might like, or if you prefer to fly from a certain airport, or if you like a specific printer ink.
(I think ‘preferences’ here is broader than a technical meaning of preferences as in settings, but am open to correction).
Again, I can see what they are getting at, but I think the anonymous coffee order may not be the best model here – as (a) there are plenty of ‘preferences’ that are more revealing (and yes, legally sensitive) than coffee choice, and (b) concerns about profiling include the cumulative impact of data collection rather than a single point – the barista doesn’t know what you prefer when you go to the clothes shop next door!
Google does some great work around data – and the Good To Know website highlights this, including work on Data Liberation, cookie deletion and more. But there’s something about the ads above that I’m not as sure about.
I mentioned this campaign to a fellow academic and s/he pointed out that the ultimate target here might not be users, but the forthcoming (and unpopular with large Internet companies) revision of the Data Protection Directive. If that’s the case, Google’s intervention isn’t unwelcome – we need to hear its voice – but it’s worth debating those points. If it’s just about consumers, I think it goes in the right direction (particularly the security stuff), but the wording could be a good bit tighter.
Finally, I think there are questions to be asked about the role of the Citizens Advice Bureau. It knows well that the interests of consumers are different to the interests of corporations – see for example its current struggle to publish the results of investigations and how libel law appears to prevent that. So should it be involved with (a) a particular company and (b) a particular view of the law of privacy? Indeed, the UK government proposes (consultation paper here) to take a whole range of consumer information and advocacy functions away from public bodies and transfer them to the (private, charitable and generally wonderful) CAB. Should it therefore be more careful about taking ‘sides’, appearing to endorse the views of Google and in having the ads presented as authoritative and neutral?
I had the privilege of participating in a round-table discussion (without the table) at UCL on October 20th. The event was organised by the very active Student Human Rights Programme and chaired on the day by Ben Allgrove of Baker & McKenzie. The topic was ‘Internet and E-Rights: challenges and perspectives’, and you can read the full report here and a brief note on the UEA Law School website here.
My contribution was on the subject of network neutrality and its relationship with the right to communicate. It drew on some of the material appearing in a future issue of the Journal of Internet Law (more on that soon), as well as the discussion of the right to communicate explored in my doctoral thesis. I argued that there was a need to consider the overall legal environment for ISPs, particularly the relationship between immunity as a mere conduit and the degree of neutrality regarding content, and discussed the various reviews in progress in the UK, EU and US, criticising the first two as lacking in a full appreciation of non-economic issues including fundamental rights. I was rewarded with some very interesting questions, including the method(s) of financing broadband expansion and the case for prioritising particular forms of traffic.
The theme of rights was introduced by Andrew Murray (website), who has published his suggested ‘Bill of Rights’ on his blog. This is a very interesting contribution and comes at a time where – at the Internet Governance Forum and elsewhere – the idea of drafting or amending rights is very much back on the agenda. Some (but not all) of his suggestions do related to the net neutrality debate and his draft can serve as the basis for a very interesting discussion, including on whether there is a need for ‘Internet-specific’ instruments as well as how any such rights would be monitored and enforced. In his talk, Andrew also assessed a number of current proposals for Internet rights, such as that of the proposed Bill of Digital Rights in Brazil.
The other two presentations, like mine, looked at a single topic rather than the overall picture about rights. Emily Laidlaw‘s talk on Google started with a summary of Google’s current position in the UK and elsewhere, followed by an overview of the power and potential for manipulation of search results. She suggested that there is a need to consider the social responsibilities of search engines as gatekeepers and also the need for public forum, freedom of expression and regulatory analyses of search. She has also blogged about the event here and even posted her slides. Lawyer Stratis Camatsos (Pappas & Associates, Brussels) discussed social networking in the context of privacy and data protection, suggesting that further work was needed to ensure that the activities of social networking sites are compliant with EU law in this regard, but also discussing (in the Q&A) whether the current system of data protection law was itself appropriate in the light of user practices and habits expressed through ‘sharing’.
I did enjoy the event, and the wide range of questions from the audience. For me, it highlighted the mature stage at which cyberlaw/Internet law has arrived, but also the number of issues yet to be resolved or dealt with which are still quite ‘fundamental’, whether rights-based or otherwise. It was also an opportunity to consider the relationship between specific debates of Internet law and policy and other current themes in international law and in human rights. Andrew Murray commented that the event was typically ‘international’, given the panel (an Australian chair, and speakers from Scotland, Ireland, Canada and Greece), while said chair Ben Allgrove also pointed out the focus of all speakers on beneficial forms of ‘regulation’, in contrast with other views (past and present) that might be more suspicious (often with good cause) of regulatory intervention.
The speech given by European Commission vice-president (and new Twitter user) Viviane Reding (read or download it here or even watch it here) at a think-tank’s conference on the ‘digital single market’ earlier this month is a very interesting one. It highlights the different ways in which the Commission is approaching the question of electronic commerce, and some of the areas of dispute that are likely to arise in the near future. There are two main areas of discussion in the speech.
The first is the proposed single Directive on consumer rights (which looks like it’s moving again after a long period of not much happening), which Reding argues is an important part of the promotion of digital cross-border trade. Of note here is the lack of any mention of the parallel review of the Electronic Commerce Directive (DG Markt consultation in progress) – although that’s going to be a storm all of its own (I’ll come back to this in a later post). The other thing to note about Reding’s approach is the firmly expressed argument regarding (and equal space given to) the value of a single European contract law in terms of the digital market. This is a longer-term Commission project (also in Reding’s domain of justice, rights and home affairs), but it’s quite revealing how, as with discussions on copyright and the market for music, the lack of cross-border transactions is perceived by the Commission as a result (at least in part) of the lack of harmonisation. In the case of music, the counter-argument is that it is record industry inaction that is to blame instead! In the case of consumer and contract directives, it seems very likely that arguments for both will contain frequent references to the need to promote e-commerce.
The other focus is data protection, and here again there must be a fight ahead. Reding calls for a more interventionist approach in terms of consent while also backing away from the current notification obligations. There are various mentions of concepts like data minimisation and better security, as one might expect. This is again placed in the context of consumer confidence, although it would be most interesting to find out how real the connection between criticisms of the current Data Protection Directive (of various sorts) and the views of consumers actually is. This is certainly not to say that I believe only those issues demanded by consumers should be taken seriously – clearly, data protection serves a range of purposes – but making an unsubstantiated link may be less persuasive than ignoring it entirely and assessing the Directive from other approaches. The difference between the DPD of 1995 and the forthcoming review is the new understanding of data protection as an EU fundamental right, and also the relationship between data protection legislation and principles of privacy more generally.