ORG policy update/2017-w01

This is ORG's Policy Update for the week beginning 02/01/2017.

If you are reading this online, you can also subscribe to the email version.

ORG’s work

  • ORG scored a major win against indiscriminate data retention just before the end of 2016. The CJEU ruled in a case on legality of DRIPA brought forward by ORG and Privacy International that blanket surveillance is unacceptable in a democracy. Read more about the case below.

Planned local groups events:

  • ORG Cambridge is having their monthly meet up on 10 January to discuss the current state of digital rights, what they've done in the past month and what they are planning to do in the upcoming month.
  • ORG Cambridge is organising a screening of the new 'Snowden’ film on 16 January, followed by a discussion with an esteemed panel. Join the group for an exploration into how mass surveillance violates our rights to privacy and free speech.
  • ORG Birmingham's Local Organiser, Francis Clarke, will be speaking about digital rights at the next Brewcamp West Midland meeting on 25 January. Come along to learn about how technology is shaping the public sector.
  • ORG Aberdeen is organising a Cryptonoise meeting on 26 January. Learn how you protect your rights in a digital world. You do not need to be a tech wizard to attend.



The Digital Economy Bill is soon to enter the Committee stage in the House of Lords. Both Houses of Parliament are on recess until 9 January and the dates for the next stage have not been announced yet.

Before the Christmas break, Lords debated the Bill during the Second Reading on 13 December. The full transcript of the debate can be found here.

During the debate, very few Lords raised concerns regarding data sharing issues and barely any mentioned online copyright infringement and the lack of thresholds for sentencing. The issue of age verification was more prominent in the debate. Lords predominantly enquired about enforcement of age verification, and only marginally about privacy issues related to it. (See ORG’s briefing to the House of Lords before the Second Reading.)

Ancillary service providers for porn publishers

Lord Ashton clarified during the Second Reading that ancillary services providing pornography publishers with their service are meant to include social media sites such as Twitter. As such, the age-verification regulator, the British Board of Film Classification (BBFC), will have the power to notify Twitter (and other social media sites) of accounts that need to be blocked. However, the BBFC has no specific power to enforce these notifications.

It appears that the Government expects Twitter, Reddit or Tumblr to block non-complying accounts within the UK voluntarily. This creates a whole lot of other issues. Because the social media websites will technically have no legal basis for blocking, no external way of appeal other than an expensive judicial review will be available.

Jim Killock looks at the issue of ancillary providers in more detail in his blog.

Letter by Lord Ashton

Following the Lords’ first debate of the Bill, Lord Ashton wrote a letter responding to questions raised by several Lords.

On the account of age verification and the issue of privacy protection, Ashton said that the Bill does not require people to surrender their personal data to pornographic websites.

This is correct because age verification can be administered by a third party provider who will not need to pass the data to pornographic publishers. However, plenty of harm can still be done if this data is accessed through age-verification service. The Bill in its current form does not address privacy concerns at all.

It appears that our criticism of the lack of sexual education at schools has been heard to a certain extent. Reports show that the Government changed their mind and plan to bring forward proposals to make sex education compulsory to tackle porn and consent issues.

Question on protection of medical records

Roger Godsiff MP asked the Secretary of State for Health, whether the Department has assessed the potential effect on public trust in medical confidentiality in regards to the continued dissemination of the hospital data of those patients who opted out of the dissemination.

Nicola Blackwood MP responded that the Secretary of State for Health commissioned the National Data Guardian for Health and Care to lead an independent review of data security, consent and opt-outs. The review was published on 6 July 2016. A public consultation closed on 7 September 2016 and the Government intends to respond to the consultation shortly.

Question on cybercrime

Chi Onwurah MP asked the Secretary of State for Culture, Media and Sport, what progress has been made in signing up small and medium-sized businesses to the cyber essentials programme.

Matthew Hancock MP responded that by November 2016 4,792 Cyber Essentials certificates had been awarded, of which it is estimated that 77% had been awarded to small and medium-sized businesses. The Government is working on several measures to drive faster adoption of the scheme. The rate of adoption of the scheme is expected to increase significantly in 2017.

Question on protection of IPAct-generated data

Richard Graham MP asked the Secretary of State for the Home Department, what safeguards there are to ensure that data held under the Investigatory Powers Act 2016 is secure. Graham further enquired about any discussions there might have been with internet service providers on this matter.

Ben Wallace MP responded that Communication Service Providers must put in place appropriate technical and organisational measures that follow principles of security, integrity and destruction. Where it is appropriate, data is retained in dedicated stores and separated from business systems. The Government maintains regular talks with CSPs regarding retention notices.

Other UK developments

CJEU ruling against IPAct

The European Court of Justice (CJEU) ruled in a case brought forward by Tom Watson MP (and initially David Davis MP), supported by ORG, Privacy International and Liberty, over legality of bulk data collection. The judgment made it clear that generalised data retention is not acceptable.

The case was referred to the CJEU by the UK High Court after the Government appealed the Court’s ruling that the Data Retention and Investigatory Powers Act 2014 (DRIPA) was illegal. DRIPA was replaced by the Investigatory Powers Act, thus the judgment will have a direct impact on the Act.

The judgment says:

“Article 15(1) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter of Fundamental Rights of the European Union, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”

The ruling endorsed the previous UK High Court ruling. The CJEU has repeated the arguments first made in the Digital Rights Ireland case that struck down the European Data Retention Directive in 2014.

Issues raised in the judgment:

  • generalised data retention is unlawful and disproportionate
  • only serious crime is an acceptable purpose for accessing retained data
  • access to retained data needs to be subjected to prior review and authorisation
  • data retention engages both freedom of expression and right to privacy
  • persons affected by data retention must be notified as soon as it would not jeopardise investigation
  • only the data of people suspected of direct involvement in crimes can be accessed
  • the data must be retained within the European Union

See detailed analysis of the judgment by Javier Ruiz here.

The case will now go back to the Court of Appeals which will determine the actual impact of the judgment on the IPAct.

David Anderson, the Independent Reviewer of Terrorism Legislation, provides a detailed breakdown of the judgment and its implication here.

Following the judgment, Diane Abbott MP offered to cooperate with the Government on a “major legislative rethink”.

Media coverage

See ORG Press Coverage for full details.

2016-12-20-New Statesman-What are the scariest Terms and Conditions you've agreed to?
Author: Amelia Tait
Summary: Pam Cowburn quoted on calling on companies to adjust terms and conditions so it is possible to understand how data is going to be used and shared.
2016-12-20-Kit Guru-Digital Economy Bill puts blocking onus on ‘ancillary’ sites
Author: Jon Martindale
Summary: ORG mentioned in relation to there being no legal obligation for Twitter, Reddit or Tumblr to block accounts displaying adult content.
2016-12-21-New Scientist-European court deals blow to controversial UK surveillance law
Author: Victoria Turk
Summary: ORG mentioned in relation to the legal challenge against DRIPA.
2016-12-21-Reactions Net-Garry Booth comment: UK watchdogs sound the cyber alarm
Author: Garry Booth
Summary: Jim Killock quoted on the necessity for insurance companies to engage in public discussion about ethics if they are to use social media data.
2016-12-21-Gizmodo-Snooper's Charter Given a Massive Slap by the EU's Highest Court
Author: James O Malley
Summary: Jim Killock quoted on the Government having to rewrite the Investigatory Powers Act or be prepared to go to court again after a judgment from the CJEU.
2016-12-21-The Guardian-EU's highest court delivers blow to UK snooper's charter
Author: Owen Bowcott
Summary: Jim Killock quoted on the Government having to rewrite the Investigatory Powers Act or be prepared to go to court again after a judgment from the CJEU.
2016-12-21-Information Age-UK’s Investigatory Powers Act shut down by EU
Author: Nick Ismail
Summary: Jim Killock quoted on the Government having to rewrite the Investigatory Powers Act or be prepared to go to court again after a judgment from the CJEU.
2016-12-21-IP Pro-Blow for Snoopers Charter as EU court bans mass data collection
Author: Nicole Kobie
Summary: Jim Killock quoted on the Government having to rewrite the Investigatory Powers Act or be prepared to go to court again after a judgment from the CJEU.
2016-12-21-Daily Start-UK porn shock as Gov BLOCKED from spying on Brits' internet history
Author: Henry Holloway
Summary: ORG mentioned in relation to the legal challenge against DRIPA.
2016-12-22-The National-European court delivers a brief reprieve from new data laws
Author: Andrew Learmonth
Summary: ORG mentioned in relation to the legal challenge against DRIPA.
2017-01-05-Sky News-Social media terms and conditions 'incomprehensible' to children
Author: Tom Cheshire
Summary: Pam Cowburn quoted on the lack of clarity on how company use people’s personal data.

ORG Contact Details

Staff page