ORG policy update/2016-w27

This is ORG's Policy Update for the week beginning 04/07/2016.

If you are reading this online, you can also subscribe to the email version.

ORG's work

  • ORG submitted our response to the E-privacy consultation that closed on Tuesday this week.
  • We were gathering information together with the Don’t Spy On Us coalition for the Lords to brief them before the IPBill goes to the Committee stage. ORG has also been working on amendments to be discussed in the Committee.
  • The Don’t Spy On Us coalition started a new campaign that lets people sign our statement to the House of Lords pointing out which parts of the IPBill need amending. You can sign the statement on the website!
  • We were preparing a talk with Naomi Colvin, from the Courage Foundation, about Lauri Love and his extradition case (read more on the story further down). The talk is today, starting at 6.30pm. You are very welcome to join in. Please sign up on Meetup ORG London!

Official meetings

  • Jim Killock attended a meeting at the Home Office.
  • Ed Johnson-Williams attended a screening of the Haystack documentary by the Scenes of Reason in Edinburgh earlier this week, where he sat on a panel discussing the IPBill.
  • Javier Ruiz attended a meeting in the Cabinet Office about a mutual legal assistance treaty on mobile data.



The IPBill will be discussed in the House of Lords next week. The first sitting is scheduled for 11 July, with further sittings on 13, 18 and 20 July. The Committee stage follows the Second Reading of the Bill in the House of Lords last week. The debate in the Lords did not produce any surprises: Conservative and Labour Lords pointed out minor changes that need to be made to the Bill, while Lib Dem peers expressed more opposition.

Amendments submitted this week to be discussed in the Committee included:

1. Lord Paddick & Baroness Hamwee

  • creating a Privacy and Civil Liberties Board
  • warrants and authorisations for interception should be only approved for serious crimes
  • provisions on interception in psychiatric hospitals and immigration detention facilities should be removed from the Bill
  • test for the intrusion of privacy
  • forbidding retention of internet connection records by a public authority

2. Lord Lucas

  • keeping a detailed record of all authorisations granted (including names, reasons for actions and results)
  • the appropriateness of actions of the Secretary of State has to be independently inspected
  • communications data and bulk acquisition warrants are considered proportionate and necessary to be obtained for the purpose of suppressing less serious crimes perpetrated on a large scale using the internet

3. Earl Howe

  • restrictions in relation to internet connection records
  • protection for trade unionists
  • time limitations on warrants
  • specifications for operational purposes in warrants
  • appointments of the Investigatory Powers Commissioner
  • referrals by the Intelligence and Security Committee of Parliament

Digital Economy Bill

The Digital Economy Bill was introduced to the House of Commons on 5 July. The Bill tackles access to digital services, digital infrastructure, general duties of Ofcom, online infringement of copyright, internet domain registries, and television and radio services.

The main issues the Bill raises in terms of digital rights are related to the age verification for online pornography websites and intellectual property infringement penalties.

  • Online age verification

The government is making it mandatory for all porn websites to implement age verification. The Bill covers materials classified as ‘over 18’ anywhere in the world; this does not include on-demand services. The enforcement mechanisms are based on a ‘follow the money’ approach that aims to cut advertising-funded websites off from their income. There are further problems with the actual technical implementation of the verification, as well as privacy concerns.

  • Intellectual property

The Bill is increasing penalties for online infringement from 2 to 10 years. The increased jail sentence is not supposed to target individuals but rather organized groups perpetually breaking the law. However, the Bill sets a very low threshold for a crime due to vague phrasing. The Bill says that the rights holder merely needs to “have a reason to believe” that they will be exposed to a “risk of loss”.

Javier Ruiz explores the implications of all parts of the Bill for digital rights in a blog post.

The Bill is due to enter its Second Reading in the House of Commons. The dates have not been announced yet.

UK data protection legislation post Brexit

Baroness Neville-Rolfe, Minister for Data Protection, revealed the Government's perspective on the EU data protection package at the annual conference on data protection.

The Baroness pointed out that it is unclear at the moment what the UK's position will be with regard to the EU regulation on data protection post Brexit. There are different scenarios depending on what type of involvement the UK has with the EU. It is possible, if the UK remains in the single market, that the data protection regulation will still apply. Alternatively, the UK would need to replace all EU rules with national ones.

For the UK, or any other state, to interact with EU citizens' data, they will need to provide an adequate level of data protection. The post-Brexit situation is not clear for the EU-US Privacy Shield either. Both sides are in the final stages of validating the deal and it is expected to be agreed on by the end of July.

Regarding the Internet of Things, Neville-Rolfe said the UK's strength in digital will create more opportunities in the country, thanks to devices increasingly having a digital element. The Government's approach will be outlined in more detail in the Digital Strategy in due course.

Written question on the costs of the IPBill

Roger Godsiff MP asked the Secretary of State for the Home Department about the potential costs of compliance with measures contained in the IPBill to the public purse and private companies.

John Hayes MP responded that most of the powers contained in the Bill already exist and therefore they will not incur additional costs. The government's estimate of costs is £247 million, including costs for increased compliance and authorisation of warrants, and costs to the justice system for offences and changes to the Investigatory Powers Tribunal.

Written question on National Cyber Security Centre

David Mackintosh asked the Cabinet Office about powers the National Cyber Security Centre will have to ensure that key infrastructure providers act on the advice it gives.

Matthew Hancock MP responded that the Centre will be a source of advice for business in general and will work with government departments and regulators responsible for ensuring that the risks against critical infrastructure are appropriately managed.

Other national developments

IOCCO report on granting bulk data collection powers

The Interception of Communications Commissioner’s Office report published this week shows how the Telecommunications Act 1984 enabled the intelligence services to collect bulk data about online and phone traffic.

The report published the number of orders imposed on telecommunication companies under section 94 of the Act. Parliament does not have to be notified of emergency services being provided with the powers. This is due to change under the IP Bill. Following their report, the IOCCO will push for stricter oversight of bulk communications data collection.

It is made clear in the report that the UK government has been collecting all domestic communications data without any safeguards. The situation did not improve even after the introduction of safeguards under RIPA.

Google DeepMind accessing NHS data to fight blindness

Google DeepMind is collaborating with the NHS again. This time the company has partnered up with Moorfields Eye Hospital to create a machine learning system able to recognize sight-threatening conditions from a digital scan of the eye.

Previously, DeepMind were criticised for their work with the NHS when they were obtaining patients’ data from the Royal Free hospital without patients’ consent. The collaboration with the Moorfields hospital involves anonymised data, and DeepMind obtained permission through a research collaboration agreement. The privacy concerns are not as serious as they were during their previous work with NHS data.

The company’s director, Mustafa Suleyman, explained in more detail how the research is conducted and what purpose it will serve. However, what is not clear from his statement is what happens with the insights generated from patients’ data created with publicly funded infrastructure. The business model involving AI and personal data does not operate under rules that are clear to the public. To secure public benefits, it is necessary for DeepMind to embrace transparency and openness.

Online copyright infringement numbers are down

The Intellectual Property Office revealed the results of commissioned research showing a decline in online infringements and a rise in consumer online streaming.

Streaming services such as Spotify and Netflix have had a positive effect in reducing online copyright infringement. The research conducted by Kantar Media's Online Copyright Infringement Tracker has shown that 52% of Internet users who consume online content use streaming services. At the same time, the popularity of content downloads is decreasing.

The reasons behind the rise appear to be convenience and cost of streaming services. More information on the research details can be accessed here.

Health and care data security measures

The Secretary of State for Health, Jeremy Hunt, received two independent reviews with new recommendations about the health and care system in England.

The Care Quality Commission (CQC) and the National Data Guardian for Health and Care (NDG) reviewed data security and consent, with the purpose of:

  • developing new data security standards
  • devising a method of testing compliance with the new standards
  • proposing a new consent/opt-out model for data sharing in health and social care

The NDG report recommends improving dialogue with the public about how their health and care data is used, as well as a new approach to opt-outs. It should be made clear to patients in what circumstances they can opt out of their information being shared.

A similar view, concentrating more on trust between the public and authorities, can be found in the CQC report as well.

The reports offer answers to several questions that were brought to the public’s attention after Google DeepMind’s collaboration with the NHS was revealed. Their involvement with patients’ data shows the need for adjusting consent practices.


Privacy Shield

The Article 31 Committee received the draft Privacy Shield and held a meeting to discuss the deal in detail.

“Some of the Members of the Committee asked the Commission to provide further explanations and clarifications, both on substance and as regards procedures. A number of them asked for more time to study the texts before delivering their opinion. Therefore, the Commission will only seek the opinion of the Committee Members on 8 July 2016. At the next meeting on 4 July, Members will have another opportunity to raise questions and discuss the texts.”

Following the Committee's meeting, the Article 29 Data Protection Working Party issued a statement reiterating its position from April on the agreement. The Working Party expects their concerns on safeguards regarding automated processing, further restrictions on access by public authorities and effective independent redress to be addressed by the Committee before they reach the final decision on the draft agreement.


The European Parliament approved new rules on cyber security this week. The cybersecurity standards and improving cooperation among EU countries will aid firms in protecting themselves and EU infrastructure.

In line with the Digital Single Market strategy, the EU network and information security (NIS) directive is the first legislative framework applying to platforms. The sectors affected by the new rules include energy, transport, health, banking and drinking water supply. To a lesser extent, the rules affect digital service providers (online marketplaces, search engines and cloud services) as well. They are required to report major incidents to national authorities. These requirements do not concern micro- and small digital companies.

The directive is due to be introduced in the EU Official Journal. Member states will have 21 months to implement the directive into their national laws. They will have an additional six months to identify operators of essential services.

The European Commission allocated €450 million to fund companies working on cybersecurity. More than 100 companies pledged to pay into a fund for cybersecurity research. However, several arguments were raised against companies outside of Europe being allowed to join. This requirement would exclude all the companies that do not have their headquarters within the EU, including Google, IBM and Microsoft. Even though any company can sign on to join, the programme is supposed to help home-grown European firms develop better security technology.

Debate on protection of whistleblowers

Two weeks ago, the European Commission called for submissions of evidence to the consultation tackling media freedom, censorship, free speech, hate speech, democracy and fundamental rights. The European Parliament debated the issue this week.

The Commission specifically called for a submission from Edward Snowden on whistleblowing and the protection of journalistic sources. He submitted his evidence this week. The proceedings of the debate between MEPs can be found here.

International developments

UN online human rights

The UN Human Rights Council passed a resolution to promote an open and free Internet. The resolution specifically states that freedom of expression is a universal right that knows no borders or the type of medium used for expression. It makes a special mention of state actions against dissident bloggers and efforts to prevent access to the internet, condemning these actions.

The resolution is a response to increasing online censorship by countries that are shutting down access to the Internet (Turkey, Brazil, Tunisia). China, Russia, India and others unsurprisingly showed some opposition to the resolution. The resolution is generally welcomed by Internet rights groups; however, they would like to see more detailed language in future charters.

Media coverage

See ORG Press Coverage for full details.

2016-07-06-The Inquirer-Porn sites will require age verification checks in the UK by 2017
Author: Dan Worth
Summary: ORG quoted on age verification for porn sites bringing difficulties for privacy and free expression.
2016-07-06-New Scientist-Google’s new NHS deal is start of machine learning marketplace
Author: Hal Hodson
Summary: Javier Ruiz quoted on the lack of transparency from DeepMind on what public benefit they are bringing with their research.
2016-07-06-IP Watch-UK High Court Upholds Blocking Of Infringing Websites In Trademark Cases
Author: Dugie Standefort
Summary: ORG mentioned in relation to the case Cartier International AG et al. v. British Sky Broadcasting Limited et al.
2016-07-06-Daily Star-Brits facing internet porn block and this is the date when shock laws come into force
Author: Dave Snelling
Summary: ORG quoted on age verification for porn sites bringing difficulties for privacy and free expression.
2016-07-06-Tech Worm-UK to impose age verification checks on porn sites by 2017
Author: Kavita Iyer
Summary: ORG quoted on age verification for porn sites bringing difficulties for privacy and free expression.
2016-07-07-The Independent-Porn sites will need age verification from 2017, Government announces
Author: Harriet Agerholm
Summary: ORG quoted on age verification for porn sites bringing difficulties for privacy and free expression.

ORG Contact Details

Staff page