ORG policy update/2017-w30

This is ORG's Policy Update for the week beginning 24/07/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

This is the last policy update before a short summer break. We will be back in September with the latest info on digital rights. Enjoy the summer!

ORG’s work

Planned local group events:

Join ORG Cambridge on 1 August for their monthly meetup to discuss the current state of digital rights, what they've done in the past month, and what they are planning to do in the upcoming months.

Official meetings

Jim Killock and Pam Cowburn attended meetings with Ofcom and Sky regarding the ORG’s project Blocked which provides a tool for people to check whether their website is being blocked by the main UK ISPs. They also discussed net neutrality.
Myles Jackman and Jim Killock attended a meeting with TelevisionX regarding the new age verification policy.
Myles Jackman attended meetings with potential age-verification technology providers Verime and AVSecure.

National developments

Drone owners will have to prove they understand privacy rules

The Department for Transport announced that they will launch a scheme to implement a drone registration scheme.

Drone owners will have to demonstrate that they understand UK safety, security and privacy regulations. At the moment, drones can be bought easily on the high street and are regulated only in a limited capacity. The UK Civil Aviation Authority issued guidance for people to ensure they operate their drones safely.

The Department also said that there is no timeframe yet for the implementation of the rules.

Lord Callanan, the Aviation Minister, said

”Our measures prioritise protecting the public while maximising the full potential of drones. Increasingly, drones are proving vital for inspecting transport infrastructure for repair or aiding police and fire services in search and rescue operations, even helping to save lives.”

Europe

CJEU finds EU-Canada PNR agreement breaching the law

The European Court of Justice (CJEU) published a judgment on the EU-Canada agreement regarding the sharing of air travellers’ data. The ruling declared the Passenger Name Records agreement in breach of the European law.

The Court said that parts of the deal between Canada and EU

”do not meet requirements stemming from the fundamental rights of the European Union”.

The Court continued that the deal cannot be concluded in its current form unless it specifies what kinds of sensitive data could be shared and restricts automated analysis of information. The CJEU also found it troublesome that Canada would be able to keep the data for up to five years and share it with non-EU countries.

CJEU called for the agreement to:

determine in a more clear and precise manner certain of the PNR data to be transferred; 
provide that the models and criteria used for the automated processing of PNR data will be specific, reliable and non-discriminatory;
provide that the databases used will be limited to those used by Canada in relation to the fight against terrorism and serious transnational crime;
provide that PNR data may be disclosed by the Canadian authorities to the government authorities of a non-EU country only if there is an agreement between the European Union and that country equivalent to the envisaged agreement or a decision of the European Commission in that field;
provide for a right to individual notification for air passengers in the event of use of PNR data concerning them during their stay in Canada and after their departure from that country, and in the event of disclosure of that data to other authorities or to individuals;
guarantee that the oversight of the rules relating to the protection of air passengers with regard to the processing of their PNR data is carried out by an independent supervisory authority.

EU-Canada PNR agreement was sealed in 2014 but has not come into force yet.

This judgment will have implications for the UK after it leaves the EU if the UK’s laws do not sufficiently uphold privacy rights of EU citizens. Privacy and data protection rights are likely to be put under intense scrutiny.

Jim Killock said:

“Any future trade agreement between the UK and EU would be subject to the same stringent requirements. Given the UK’s mass surveillance laws and indiscriminate data retention, any trade agreement for digital, communications and even banking and insurance businesses, could look very fragile indeed.”

International developments

Russia passes laws on online censorship

The Russian Parliament approved two laws that will respectively ban software that makes circumvention of online censorship possible and will control search engines and messaging apps.

One of the laws will make it mandatory for the websites that circumvent website blocking, such as VPNs, proxy servers or Tor network, to block websites that are blocked in Russia. If they fail to comply, they will become inaccessible in Russia. Additionally, search engines will not be allowed to list the blocked websites in their results.

The other law passed by the Russian parliamentarians will require the identification of users of messaging services (WhatsApp, Telegram, etc.) through their phone numbers in order to allow authorities to block certain users or messages.

Both laws are now expected to be approved by the upper chamber and signed off by the President Vladimir Putin. The law applying to the websites circumventing online censorship will come into effect on 1 November. The law applying to messaging services will follow on 1 January 2018.

Implementation of the new rules will face major technological challenges. It is not clear how Russian government wants to compel international companies to abide by their rules and enforce them.

UK Parliament questions

Question on ID cards

Lord Campbell-Savours asked the Government, whether they have considered the introduction of ID cards as a contribution to the maintenance of security in the UK.

Baroness Williams responded that the Government have considered the ID cards scheme and concluded that they would not significantly contribute to the maintenance of security in the UK.

Question on citizens’ rights and browsing history

Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, what is the Government’s policy on the citizens’ rights to receive their browsing history as part of requests for data held on them by organisations.

Matthew Hancock MP responded that consumer’s rights regarding the collection, processing and disclosure of their personal data are governed by the Data Protection Act 1998. Under Section 7 of the DPA, an individual can request a copy of the information which an organisation holds about them.

Question on the EU IPO

Lord Lester asked the Government, what is their assessment of the benefits and costs to the UK membership of the EU Intellectual Property Office.

Lord Prior responded that the Government is currently undertaking a rigorous analysis to inform their position for the upcoming negotiations. The analysis includes intellectual property. Lord Prior declined to comment in more detail as the UK’s future relationship with the EU IPO will be discussed later in the negotiations.

Question on spyware and covert data capturing

Liz Saville-Roberts asked the Secretary of State for Digital, Culture, Media and Sport, what the Government’s policy is on installing spyware or a webcam or any other device capable of capturing data covertly on another person's property or digital device without the user's agreement or without legal sanction in England and Wales.

Matthew Hancock MP responded that the CCTV code of practice issued by the Information Commissioner’s Office provides guidance on how to comply with the Data Protection Act 1998.

Question on the Digital Charter

Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, when the Government intends to publish their proposals for the Digital Charter and the Data Protection Bill.

Matthew Hancock MP responded that they will introduce both during the current parliamentary session.

Question on ENISA

Lord Lester asked the Government, what is their assessment of the benefits and costs to the UK membership of the European Network and Information Security Agency.

Lord Ashton responded that the UK contributes to the budget as a whole, not to individual agencies.

Question on social media accounts and employers

Liz Saville-Roberts asked the Secretary of State for Digital, Culture, Media and Sport, what steps the Department has been taking to ensure that employers are aware that they cannot monitor employees’ social media accounts covertly unless it is part of a lawful investigation in England and Wales.

Matthew Hancock MP responded that the Information Commissioner is the responsible independent authority for administering and enforcing information rights. They also provide guidance to employers on data protection.

Question on data held by local authorities

Chi Onwurah MP asked the Secretary of State for Communities and Local Government, whether the Department has made an assessment of the capacity of local authorities to provide citizens with all the data authorities hold on them.

Jake Berry responded that has not made any such assessment.

Question on electronic surveillance

Liz Saville-Roberts asked the Secretary of State for Justice, what plans they have to introduce legislation to make it an offence to use digital devices to repeatedly locate, listen to or watch a person without a legitimate reason.

David Lidington MP responded that they have no current plans to introduce such legislation.

ORG media coverage

See ORG Press Coverage for full details.

2017-07-21-Daily Star-New UK porn block may also mean your viewing habits could be leaked online: Author: Liam Doyle; Summary: Jim Killock quoted on the information collected by the age verification systems being vulnerable to Ashley-Madison style hacks.
2017-07-25-The Guardian-Roomba maker may share maps of users' homes with Google, Amazon or Apple: Author: Alex Hern; Summary: Jim Killock quoted on companies should treat house floor plans as personal data and seek consent before sharing them.
2017-07-25-iRobot to share or sell Roomba-generated maps of users' home: Author: Myrtle; Summary: Jim Killock quoted on companies should treat house floor plans as personal data and seek consent before sharing them.
2017-07-26-Breaking News-Plans to share airline passenger details with Canada blocked by European court: Summary: Jim Killock quoted on the CJEU blocking the PNR agreement between EU and Canada having massive implications for Brexit.

ORG Contact Details

Staff page