ORG policy update/2016-w29

This is ORG's Policy Update for the week beginning 18/07/2016.

If you are reading this online, you can also subscribe to the email version.

ORG's work

ORG made a submission to the European consultation on the new net neutrality rules. Read it here.
We ran another one of our Cybersecurity risks workshop. Don't miss the next one and join our London Meetup group!
We were busy following the debate in the House of Lords.
ORG is preparing for an industry meeting to discuss policy and legal issues in digital rights post Brexit.

Official meetings

Jim Killock attended a briefing meeting in the House of Lords.
Jim Killock did a talk for the Skeptics in the Pub in Eastbourne on “How much surveillance is acceptable in a democracy?”.
Javier Ruiz attended IMI conference in Barcelona.

IPBill

The House of Lords debated amendments to the IPBill in the Committee on 19 July. The debate covered amendments regarding Internet Connection Records (ICRs), the request filter and equipment interference (hacking). This was the last Committee sitting before Parliamentary recess and the Committee will be back with three more sittings in September.

Throughout the debate, the Lib Dem Lords posed a strong opposition to the Government in all three areas being discussed.

Lord Paddick and Baroness Hamwee presented their amendments requesting removal of the ICRs arguing they fail to meet the basic test of necessity. Lord Paddick referred to earlier statements made by MI5, MI6 and GCHQ that they do not have explicit necessity for the ICRs. Lord Strasburger seconded their reasoning and pointed to high costs and impracticalities related to keeping the records. Strasburger said

“It is a matter of when, not if, these sensitive data get into the wrong hands.”

His concerns of misuse were also shared by the Conservative Lord Lucas.

Lord Oates agreed with the above statements and questioned why the UK is the only democratic country, and the only country from among the Five Eyes members, to try to collective such intrusive information.

The Government maintained their position that ICRs are necessary in combatting crime but did not offer any compelling evidence, instead repeatedly stressed their desire for ICRs to future-proof the Bill.

Under the agreed amendments on ICRs, they can only be obtained by UK authorities if they are to be used to help prevent or detect crime. The amendments were still criticised because of their vague phrasing.

The request filter was debated under similar narrative. Lord Strasburger argued the filter is too intrusive. The Government's response to him was that the filter facilitates public authority cross-stakeholder communications; the authorities will only see the data they need to see (they did not provide any information on how this is technically possible).

The Lords also discussed several probing amendments on thematic warrants and hacking, proposal by Baroness Jones to create the Investigatory Powers Commission instead of IP Commissioner and amendment to create a right to appeal to the Court of Appeal regarding rulings by the Investigatory Powers Tribunal.

Regarding the opinion of the Advocate General published the morning of the debate, Lord Strasburger used it to challenge the ICRs collection. However, Lord Keen refused to comment on potential implementation of the opinion until the European Court of Justice rules in the DRIPA challenge. Baroness Jones issued a statement on stopping the IPBill following the publication of the Advocate General's opinion. She said about the Bill

“This is a monstrous Bill which, in essence, means the end of privacy for us all. It is very important that we get these things right, so I welcome all the debate that we are having.”

The Lords will be back in the Committee with the Independent Review of Bulk Powers after the summer recess. Make sure to tune in on 5 September.

EU Advocate General's opinion on DRIPA

The European Court of Justice Advocate General Henrik Saugmandsgaard Øe published his opinion in the Davis-Watson (now only Watson) challenge to the Data Retention and Investigatory Powers Act (DRIPA). The opinion states that DRIPA might be compatible with EU law if safeguards are in place. In his opinion, blanket (or indiscriminate) data retention is justifiable when there is no other means of solving serious crimes.

The opinion of the Advocate General is not binding but the Court rarely rules in a completely different direction. The opinion on retaining communications data by public telecommunications operators, for up to a year, says the decision has to be made in a national context and is up to national courts.

He does however say that the original Digital Rights Ireland judgment applies, and in particular paragraphs 60-68 need to be abided for as the establish minimum safeguards for any data retention scheme. For instance, an independent authorisation access requests would need to be part of the local law, which is not present in the UK's regime. Data would also need to be stored locally, in the domestic country, and securely.

This case was expected to have impact on the IPBill with DRIPA nearing its sunset clause and the IPBill replacing it. The most obvious potential issues for the IPBill arising from the opinion would be:

restricting general data retention obligation to combating serious crime
a requirement for independent prior review of access to mandatorily retained communications data
the emphasis on binding legislative measures

In a response to the opinion, Jim Killock said

“The Advocate General has stated that data retention should only be used in the fight against serious crime, yet in the UK there are more than half a million requests for communications data each year. These do not only come from police but also local councils and government departments. It is difficult to see how the Government can claim that these organisations are investigating serious crimes.”

More in depth analysis by Jim Killock of what the opinion means for the UK can be found here.

Tom Watson MP. Labour's deputy leader, said

"This legal opinion shows the prime minister was wrong to pass legislation when she was home secretary that allows the state to access huge amounts of personal data without evidence of criminality or wrongdoing."

The final judgment of the ECJ will follow after the summer break.

Other Parliamentary business

Cabinet reshuffle

With Theresa May becoming the Prime Minister, the Tory government cabinet has been dramatically reshuffled.

Some of the more notable changes include:

Ed Vaizey MP was replaced as the Minister of State for Culture and the Digital Economy by Matthew Hancock MP, previously the Minister for the Cabinet Office. Hancock's Sir Keith Joseph Memorial lecture sets out his attitudes to the tech sector.
John Whittingdale MP was replaced as the Secretary of State for Culture, Media and Sport by Karen Bradley
David Davis MP was appointed the Secretary of State for Exiting the European Union. The appointment of Davis into May's cabinet comes as a bit of a surprise since he has been May's critic on pushing for greater surveillance powers. Davis was previously suing the government over the Data Retention and Investigatory Powers Act (DRIPA) with Tom Watson MP at the European Court of Justice. He withdrew his name from the suit on Monday, a day before the Advocate General was due to publish his opinion on the case.

Age verification for pornography consultation

The government published its response to the consultation on Child Safety Online: Age Verification for Pornography this week that is supposed to inform the introduction of a new law under the Digital Economy Bill.

The report outlines its planned involvement with payments and ancillary services to use “follow the money” approach and to cut off services that do not comply. The government also intends to maintain their ongoing engagement with the porn industry and listen to their input on the issue to avoid restricting freedom of speech. The report announced plans to start an awareness-raising campaign about the risks to young people exposed to harmful content online.

The consultation responses from across the spectrum (including porn industry members and charities) agreed on blocking of websites on the level of the Internet service providers. The government will deal with age verification on all platforms, including apps.

ORG warned last week, when the government released the Digital Economy Bill, about infringements of privacy and free speech stemming from age verification.

The consultation was a part of a wider inquiry into children's behaviour on the internet and its effect on them. The Select Committee on Communications of the House of Lords has launched a new consultation aiming to investigate the risks and benefits of children's use of the internet. The deadline for written submission is on 26 August.

Cyber Growth Partnership meeting

Matthew Hancock MP, the new Digital Economy Minister, co-chaired the first meeting of the Cyber Growth Partnership (CGP). The meeting saw cyber firms, academics, investors and users debating several initiatives including the Government's commitment to doubling its investment in cyber security.

The Government announced plans to develop two Cyber Security Innovation Centres. The Minister emphasized he is keen to engage with industry and academia to stimulate the UK cyber security sector.

Questions in Parliament

Question on the IPBill

Valerie Vaz asked the Secretary of State for the Home Department,

“what arrangements were made for the declaration of (a) financial and (b) other interests by technical advisers to the independent review of the Investigatory Powers Bill before their appointment.”

Ben Wallace MP responded that the Government published the Terms of Reference for the independent review. David Anderson was responsible for selecting the team best equipped to carry out the review.

Question on social security benefits trial

Chi Onwurah MP asked the Secretary of State for Work and Pensions, referencing the blockchain-based social welfare payments trial, what information is given to benefit recipients taking part in the trial about the potential risks to their privacy.

Onwurah also asked whether the blockchain technology used for the trial will be dismantled once the trial has ended; which organisations outside the Government will have access to the blockchain technology and the data stored as part of the trial.

Damian Hinds MP, the Exchequer Secretary, responded that the participants in the trial have complete control over their data and how it is used. The government does not receive any of that data.

Question on data protection of medical records

Chi Onwurah MP asked the Secretary of State for Health, whether NHS patients are able to opt out of data being held by their GP being sent to the Health and Social Care Information Centre (HSCIC).

Nicola Blackwood MP responded that at the moment, patients can object to:

personal confidential information about them leaving the GP practice
personal confidential information being disseminated from HSCIC aimed at purposes beyond their direct care.

The two recently published reviews of Data Security, Consent and Opt-Outs recommend a new simpler and more easily understood model enabling people to object to health and care information about them being used beyond their direct care.

Question on proscribed organisations (Terrorism Act 2000)

Baroness Smith of Basildon raised the issue of terrorist organisations having their websites advertised through a Twitter account (@jihadology_net) during the debate of the amendments to the Terrorism Act 2000. She asked Lord Ahmad whether these organisations have to be proscribed before any action can be taken and whether there is any possibility that accounts be closed down sooner.

The @jihadology_ne Twitter account says that it is an "Academic website that curates new primary source material from global jihadis." The Jihadology website says that it is a "a clearinghouse for jihādī primary source material, original analysis, and translation service." and that "This blog is for academic purposes only and it does not endorse any of the jihadist material that is posted on it." Jihadology is run by Aaron Y. Zelin who is a Research Fellow and PhD candidate at King's College London. Zellin produces a podcast called Jihadology which "features analysis of Jihadi primary source material and interviews with scholars and journalists who work in this field."

Lord Ahmad of Wimbledon said

“We are making great strides in working very closely and in partnership with internet service providers and social media companies. … We successfully took action when we co-operated with social media on issues such as sexual violence against women. There is a great deal of work going on in this respect.”

Question on Digital Single Market staff

Chi Onwurah MP asked the Secretary of State for BIS how many full-time equivalent staff are working on the Digital Single Market.

Ed Vaizey MP, the ex-Minister for Culture and Digital Economy, answered the question by explaining that BIS leads on behalf of Government but there are a number or departments working on aspects of the Digital Single Market. These include the Department for Culture, Media and Sport, the Home Office and HM Treasury. Within the BIS, policy areas that are involved directly or indirectly include the Intellectual Property Office, Competition and Consumer Policy and Advanced Manufacturing and services.

Question on email consent in the Parliamentary Network

Lord Laird asked the Chairman of Committees whether any members of the House have been asked to provide written consent for their Parliamentary emails to be monitored by MessageLabs antivirus software.

Lord Laming responded that all members logging into the Parliamentary Network agree to abide by Acceptable Use Policy. He stressed that MessageLabs is a fully automated scanning service blocking emails that can cause a potential cyber attack. The scanning does not involve any other form of monitoring of the content of parliamentary email.

Europe

Contracts for the supply of digital content

The Committee on Internal Market and Consumer Protection and the Committee on Legal Affairs scrutinised the working document regarding the proposed legislation on contracts for the supply of digital content.

The document focuses on regulating contracts in exchange for data, rules on contract conformity and the level of harmonisation. The proposal is currently awaiting the committee's decision.

Max Schrems will grill the US government

The Irish High Court ruled on the amicus curiae applications in the Schrems – Facebook case.

Max Schrems brought his legal challenge against Facebook in 2013 claiming his data was not sufficiently protected. The case is responsible for the Safe Harbour agreement being struck down and, finally, getting replaced by Privacy Shield last week.

The Court accepted applications of the US government, EPIC, Digital Europe and Business Software Alliance (BSA). The US government was admitted because of a significant interest in the outcome of the proceedings that “would have potentially considerably adverse effects on EU-US commerce.” The judge gave EPIC, privacy and freedom of information organisation, the amicus curiae status to counterbalance the perspective of the US government. BSA was admitted on the grounds of providing insights from the industry; the organisation's members include Apple, IBM, Microsoft, Oracle, etc. The Court also sees Digital Europe as capable of bringing valuable inputs from the perspective of national associations and corporations operating in the digital technology in Europe. All other applications were declined.

International developments

US proposed legislation for cross-border data access with the UK

The US government presented their proposal for cross-border data requests legislation. The proposal is being published one week after the US Court of Appeals ruled in favour of Microsoft who refused to hand over data held on a server in Ireland to the US government.

The proposal would allow the US government to access data of US corporations with bases in the UK and the UK would be able to do the same to UK companies in the US. The searches, however, would have to be related to citizens of the country doing the searching. The proposed legislation makes it clear the governments “cannot misuse a foreign government to obtain information it would not otherwise be able to obtain.”

There appear to be several obstacles in the way of the proposal. Firstly, the judgment by the US Court of Appeal contradicts the draft legislation and the US government is considering appealing it. The deal will need approval of the US and UK legislature. Strong lobby against the legislation is expected from tech companies, including Microsoft, Apple and Google, who have been opposing expanded abilities of governments to search computer data overseas.

ORG media coverage

See ORG Press Coverage for full details.

2016-07-13-Prince George Citizen-Britain has a new spy-in-chief: Author: Elias Groll; Summary: Jim Killock quoted on capabilities given to government by the IPBill if approved.

2016-07-15-Newsweek-Microsoft wins key data privacy case, as digital rights groups celebrate: Author: Mirren Gidda; Summary: Myles Jackman quoted on the US Court’s decision upholding the right to individual privacy.

2016-07-15-Tech Week Europe-Microsoft Wins Landmark Cloud Case Over Emails Stored In Ireland: Author: Ben Sullivan; Summary: Myles Jackman quoted on the US Court’s decision upholding the right to individual privacy.

2016-07-19-Fortune-A Top EU Lawyer Says Data Retention Laws May Be Legal: Author: David Meyer; Summary: Jim Killock quoted on the implications of the opinion of the Advocate General should have on the IPBill.

2016-07-19-The Guardian-Bulk data collection only lawful in serious crime cases, ECJ indicates: Author: Owen Bowcott; Summary: Jim Killock quoted on the government not sufficiently justifying access of local councils and government departments to communications data.

2016-07-19-Ars Technica-Theresa May wrong to pass spy law, and DRIPA opinion proves it—MP says: Author: Glyn Moody; Summary: Jim Killock quoted on the government not sufficiently justifying access of local councils and government departments to communications data.

2016-07-20-Telecom Paper-Groups respond to CJEU Opinion into data retention: Summary: Jim Killock quoted on the government not sufficiently justifying access of local councils and government departments to communications data.

ORG Contact Details

Staff page