ORG policy update/2017-w48

This is ORG's Policy Update for the week beginning 27/11/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

ORG have begun to prepare briefings for peers in the House of Lords for the upcoming Report Stage of the Data Protection Bill (see below).
ORG is running a petition against the Government’s proposals to criminalise repeated viewing of online terrorist propaganda and compelling internet companies to police their own networks. Sign the petition here!
In case you couldn’t come to ORGCon, you can now watch the talks online! Have a look at our YouTube channel.

Planned local group events:

Join ORG Cambridge on Tuesday 5 December for a monthly meetup. They will discuss the current state of digital rights, what they've done in the past month, and what they are planning to do in the upcoming months.
ORG Glasgow will hold their monthly meetup on Thursday 7 December at the Electron Club. You will have an opportunity to discuss current affairs and topics of interest and to generate new ideas for public events and presentations.
ORG Birmingham are hosting an introduction to the Indieweb on Monday 11 December. Tired of Twitter? Fed up with Facebook? Miss the variety and quirkiness of the open web? Be the change you want to see in the world by visiting their introduction to the Indieweb!
ORG London are hosting a presentation on the 'Cryptobar' installation on Tuesday 12 December. Cryptobar is a project aimed at spreading the word about privacy (and privacy-enhacing technologies) in an artistic and accessible way.

Official meetings

Jim Killock, Myles Jackman and Alex Haydock met with representatives from the Home Office to discuss potential privacy issues in a proposed redesign of the Police National Computer and Police National Database.
Slavka Bielikova gave a presentation to CILIP about Government and corporate surveillance, and the potential impact to librarians and library users.
Jim Killock, Myles Jackman and Javier Ruiz met with Judicial Commissioners outlining civil society views on their role in relation to the Investigatory Powers Act. ORG presented on bulk surveillance powers and internet connection records (ICRs) and the filter. Other speakers (FIPR, Big Brother Watch) dealt with topics such as equipment interference.

UK Parliament

Data Protection Bill continues to progress through Parliament

No further progress has been made on the Data Protection Bill since last week. The current full text of the bill, as amended in the Lords Committee Stage is available here.

Article 80(2) amendments were debated last week, which would allow consumer groups like the Open Rights Group to take independent action against entities who have been abusing data protection law. If successful, not for profit bodies could take action on behalf of data subjects without having to seek their mandate. The amendment would create similar enforcement powers for data protection as in others consumer rights like finance, and competition. The amendment is anticipated to be one of the main topics of debate in Report Stage.

The government also debated an exemption to data protection in the Bill, which would remove all rights to personal data when disclosure would prejudice “effective immigration controls". Such an exemption has never existed before. Requests for information under data protection (subject access requests) are an integral part of most immigration cases, and will be critical for anyone going through an immigration process in the future, such as the three million EU citizens resident in the UK. The Home Office has a policy of using any available data for immigration surveillance, such as the National Pupil Database, which this exemption would enable without restraint. Open Rights Group are calling for the removal of the exemption from the Bill.

Report sittings will begin in the House of Lords on 11 December and 13 December.

Other national developments

Home Office publishes consultation on their response to the CJEU judgment on data retention

On 30 November, the Government published a public consultation document proposing changes to the Investigatory Powers Act to bring it into line with the December 2016 judgment from the Court of Justice of the European Union in the Davis/Watson case against mass surveillance.

Davis/Watson (officially: Joined Cases C‑203/15 and C‑698/15) challenged the UK's legislation governing data retention (the Data Retention and Investigatory Powers Act 2014, or 'DRIPA'). The judgment set out the safeguards that need to be in place in order for a data retention regime to be consistent with EU law. The CJEU did not consider DRIPA's safeguards to be adequate, and the legislation was thus deemed incompatible with EU law.

Since the 2016 judgment, DRIPA has been replaced with Part 4 of the Investigatory Powers Act, but the Government accepts that amendments will be required to the IPA in response to the CJEU's judgment. With this in mind, the Government published its consultation paper seeking opinions on their approach to amending the IPA to comply with the judgment.

The Government has accepted that the extensive list of public bodies originally found in Schedule 4 of the Act are no longer allowed to self-authorise requests for communications data as per the judgment in the CJEU case. A new body, the Office for Communications Data Authorisation (OCDA), will be created to handle the authorisation of requests for stored data. (Consultation p.18)

Additionally, the CJEU ruling required traffic and location data to be retained or accessed only in cases of 'serious crime'. The Goverment sets a particularly low bar on its test of 'seriousness' in the consultation, claiming that 'serious' should apply to crimes for which an adult would be 'capable' of being imprisoned for six months or more. (Consultation p.14) ORG does not believe this is adequate to stop blanket data retention, as this could apply to a significant number of crimes.

The CJEU judgment imposed a clear obligation upon national authorities to notify persons for whom access to their data has been granted to any relevant entities "as soon as that notification is no longer liable to jeopardise the investigations being undertaken by those authorities". However, the consultation notes that "the Government’s position is that a general requirement to notify an individual that their data has been accessed would unnecessarily inform criminals, suspected criminals and others of the investigative techniques that public authorities use. Simply because an investigation has ceased or an individual is ruled out of a particular investigation does not mean that notification would not be operationally damaging". The Open Rights Group believes this particular section of the consultation is in clear breach of the CJEU judgment. (Consultation p.20)

The draft Code of Practice published alongside the consultation makes it clear that the Government intends to push forward with its 'Request Filter' initiative (CoP, s.11) - which it claims will help to safeguard privacy by limiting the amount of information returned when requests for data are made. Though there are concerns that this could effectively amount to a "police search engine", or something similar in nature to the NSA's XKeyscore system.

Consultation documents are available here, and the consultation will close on 18 January 2018.

Government publishes interim cyber security science and technology strategy

On 30 November, the Government published a policy document billed as an "interim strategy for future-proofing cyber security".

The policy aims to:

"identify the technology areas that will have most impact on cyber security
develop the government’s policy response and the expertise base in government, academia and industry
assess whether we are sufficiently responding to cyber security science and technology developments"

Lauri Love appeals against extradition

Lauri Love is under prosecution for allagedly hacking into US Government, Missile Defence Agency and NASA systems. United States prosecutors feel that the US-centric nature of Love's alleged hacking targets mean it would be most appropriate for Love to be extradited from the UK, to stand trial in US courts. In September 2016, District Judge Nina Tempia ruled at Westminster Magistrates' Court in favour of permitting Love's extradition.

Love's appeal against this decision was heard this week in the Royal Courts of Justice in London, on 29-30 November. Defence lawyers for Love argue that he is at high risk of suicide if extradited, due to health issus, and being removed from the support of his family. High Court judges said they will "take time" to reach a decision in the case.

Lauri Love is supported by the Courage Foundation, who run a site dedicated to his case at https://freelauri.com/

ICO publishes updated GDPR guidance for businesses

This week, the ICO published an updated compliance guide on the General Data Protection Regulation, targeted at businesses and organisations.

International developments

FCC plans vote on repeal of net neutrality rules

In the United States, FCC chief Ajit Pai has put forward a plan to "rescind the so-called net neutrality rules championed by Democratic former President Barack Obama that treated internet service providers like public utilities.

The rules barred broadband providers from blocking or slowing down access to content or charging consumers more for certain content. They were intended to ensure a free and open internet, give consumers equal access to web content and prevent broadband service providers from favoring their own content."

If successful, the FCC vote would clear the way for ISPs to charge customers more to access certain content or to throttle and restrict certain traffic as desired.

A vote on the repeal is expected on December 14.

Questions in the UK Parliament

Question on online bullying

Lord Mancroft asked the Government when they intended to publish their digtal charter to address online bullying.

Lord Ashton of Hyde answered that the Government published their Internet Safety Strategy on 11 October, "which focuses on keeping all users safe online. The Strategy covers the responsibilities of companies to their users, the use of technical solutions to prevent online harms and Government's role in supporting users."

He noted that the strategy involves a consultation on the Digital Economy Act 2017's social media code of practice, which aims to "address conduct that involves bullying or insulting an individual online, or other behaviour likely to intimidate or humiliate the individual."

Lord Ashton confirmed that a Government response to this consultation is expected in early 2018.

Update on cyber security and data protection

Matthew Hancock gave a statement regarding the ongoing response of the Government to Uber's October 2016 data breach, which affected approximately 2.7 million user accounts in the UK. He confirmed that the ICO and NCSC are working with Uber to investigate what kind of personal data about users may have been compromised.

He also confirmed that the forthcoming Data Protection Bill aims to "give more powers to the ICO to defend consumer interests and issue higher fines of up to £18 million or four per cent of global turnover, in cases of the most serious data breaches."

ORG media coverage

See ORG Press Coverage for full details.

2017-11-28-Naked Security-Age verification legislation will lead to porn habit database: Author: Lisa Vaas; Summary: Myles Jackman quoted in story about the potential privacy risks of age verification.; Topics: Data protection, Privacy
2017-11-29-Chatter Podcast-Chatter Episode 29 – Mathew Rice on The General Data Protection Regulation and Online Censorship: Author: The Jist; Summary: Matthew Rice appeared on The Jist's 'Chatter' podcast to discuss issues surrounding GDPR and censorship.; Topics: Censorship, Data protection
2017-11-29-FutureScot-We're all data subjects now: Author: Matthew Rice; Summary: Matthew Rice contributed an article on GDPR and the Data Protection Bill for FutureScot, highlighting ORG's position on the Bill.; Topics: Data protection, Privacy
2017-11-30-Computer Weekly-Proposed snoopers’ charter changes inadequate, says rights group: Author: Warwick Ashford; Summary: Open Rights Group quoted in an article about issues with the Home Office consultation on their response to the Watson CJEU ruling.; Topics: Surveillance
2017-11-30-The Register-UK.gov admits Investigatory Powers Act illegal under EU law: Author: Rebecca Hill; Summary: Jim Killock quoted in an article about the Government's recently-released consultation on their proposed amendments to the Investigatory Powers Act.; Topics: Surveillance
2017-11-30-New Statesman-Why the data protection bill must be amended before it becomes UK law: Author: Jim Killock; Summary: Jim Killock authored an op-ed piece for the New Statesman about the shortcomings of the Data Protection Bill.; Topics: Data protection, Privacy

ORG Contact Details

Staff page