ORG policy update/2017-w39

This is ORG's Policy Update for the week beginning 25/09/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

  • ORG Scotland submitted a response to the consultation lead by the Independent Advisory Group on Biometrics. Read the full response on why Scotland needs a biometrics commissioner here.
  • Save the date for ORGCon 2017 - it will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers include Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets are on sale now!

Planned local group events:

  • Join ORG Glasgow for a free screening of The Internet’s Own Boy on 2 October. The Internet’s Own Boy tells the life story of programmer, writer, political and internet activist Aaron Swartz, an internet pioneer and free speech campaigner. Following the screening, Scotland Director Matthew Rice will be available for a discussion and will give information about how to get involved in initiatives in Glasgow and Scotland.
  • ORG Cambridge would like to invite you to join them on 3 October for their monthly meetup to discuss the current state of digital rights, what we've done in the past month, and what we are planning to do in the upcoming months.
  • Join ORG Edinburgh and the Open Government Network for an event on 5 October on the history of identity debates in Scotland and the UK. Our speakers will talk about the current situation and status of government proposals, and will discuss people's concerns before meeting with the Government.
  • ORG London is organising an informal pub gathering on 10 October with Myles Jackman to discuss the current state of digital rights legislation in the UK, including the progress of the Digital Economy Act.

Official meetings

  • Javier Ruiz attended a discussion with Liam Byrne organised by Demos and the Guardian.
  • Jim Killock attended a meeting with Julie Grant, Australian eSafety Commissioner, regarding the online safety agenda and the problems encountered in the UK.

UK Parliament

Both Houses of Parliament are on recess and will be back after party conferences on 10 October.

Second Reading of the DPBill will be on 10 October

The Data Protection Bill is due to be debated in the Second Reading in the House of Lords on 10 October.

ORG has been concerned about the draft Bill not containing provisions allowing independent privacy organisations to raise complaints without naming data subjects. Article 80(2) of the EU’s General Data Protection Regulation is a derogation (option) that would allow it but the UK decided not to include it in the Bill. Such a provision would help investigate harmful data processing practices.

The Bill will allow people to lodge a complaint themselves or designate a qualifying organisation to file a complaint on their behalf. However affected data subjects are not always willing to come forward as they might not wish to be publicly associated with certain companies. This is where independent privacy organisations would come in to uphold people’s right to privacy. The current data protection landscape could accommodate independent privacy groups that would be able to tackle this gap in consumer protection.

For a more detailed analysis of the draft DPBill read this blog post by Amberhawk.

Other national developments

TfL is consulting on permanently collecting customers’ data on the underground

Transport for London (TfL) intends to make £322 million by collecting and possibly selling commuters’ location data. TfL ran a data collection trial at the end of 2016. During the trial, they tracked wifi signals from people’s devices who moved around the London Underground. (Read our blog from November 2016 when the trial ran.)

At the time, TfL had said the collected data from 5.6 million users would be used to improve customer experience. They claimed the data is anonymised, however, during the trial, the data was merely pseudonymised meaning that data could eventually be identifiable.

TfL is currently in consultation about running data tracking on a permanent basis.

Sky received a response to a Freedom of Information request which revealed that TfL also anticipates a significant financial benefit to be one of the results of the scheme. The document obtained by Sky said that the scheme will enable

”TfL to achieve £322m revenue generation over the next eight years by being able to quantify asset value based on the number of eyeballs/impressions and dynamically trade advertising space."

This goal is not reflected in the messaging to the public which concentrates only on improvements to the customer experience. This discrepancy between the TfL’s goal and the public message could be considered misleading. TfL’s customers are limited to opting out of the scheme only by disabling their wifi whilst using the London Underground. For this reason, it is essential people are fully aware of the extent and use of the collected data.


Police Scotland placed 400,000 people on the Vulnerable Persons Database

An investigation conducted by the BBC revealed that more than 400,000 have been placed onto the Vulnerable Persons Database in Scotland. Officers who attend incidents and crimes can add people to the database if they consider them to be at risk of future harm.

The database was created to collate different pieces of information about a particularly vulnerable individual into a single file. This would allow officers to get a more complex image of a person. The file can be shared with other government bodies at a supervisor’s discretion.

The Information Commissioner found the database in breach of the Data Protection Act 1998 due to the lack of rules for removing information from the database. Additionally, people were not notified they are on the system.

Police Scotland is currently in a conversation with the Information Commissioner to rectify the breach of the DPA. Their conduct diminished people’s right to privacy. To make the database fit for purpose Police Scotland should notify the people on the database and give them means to request removal from it.


European Commission wants to privatise online censorship

The European Commission published the Tackling Illegal Content Online communication this week. The document puts a lot of focus on Internet companies to remove illegal content online that they could consider illegal.

The communication contradicts the Commission’s proposed Copyright Directive in the way Internet service providers are perceived. The Copyright Directive considers hosting services that carry content in any way “active” - they are presumed to be aware of illegal activities. The communication does not consider ISPs to be in a position where they would have knowledge of illegal content.

The Commission’s communication puts the importance on speed and proportion of removals. It appears that the question of whether the content is actually illegal is secondary. The Commission intends to help the removal of illegal content by incorporating “trusted flaggers” in takedowns. “Trusted flaggers” are organisations which can be trusted to submit relevant complaints about illegal content.

The Commission’s proposal appears to fully embrace privatisation of online censorship and disregards the impacts of doing so.

EDRi offers a more in-depth analysis of the Commission’s communication here.

Questions in the UK Parliament

Question on the CJEU judgment in the Schrems case

Lord Laird asked the Government, what steps they have taken to implement the judgment and findings of the European Court of Justice (CJEU) in the Schrems v. Data Protection Commissioner case.

Lord Ashton of Hyde responded that the European Commission's adequacy decision on the Safe Harbor Agreement on personal data transfers was invalidated by the Court of Justice of the EU (CJEU) in the Schrems case. The EU-US Privacy Shield decision has since replaced the Safe Harbor agreement.

Lord Ashton noted that the Information Commissioner provides regular updates to the status of Privacy Shield and is an active member of the Article 29 Working Party Privacy Shield annual joint review team.

Question on the Privacy Shield

Lord Laird asked the Government, whether they have received a legal opinion on the Privacy Shield agreement between the EU and the US and whether they sought independent legal advice.

Lord Ashton responded that the Government does not intend to comment on or publish any legal advice they may have received on these matters.

Question on online terrorist material

Jeremy Lefroy MP asked the Secretary of State for the Home Department, among other things, how many pieces of unlawful terrorist material have been removed from the Internet.

Ben Wallace MP responded that the Counter Terrorism Internet Referral Unit (CTIRU) referred 280,000 pieces of illegal terrorist material since February 2010 to social media providers which proceeded to remove it.

ORG media coverage

See ORG Press Coverage for full details.

2017-09-21-IB Times-EU Buried Study That Found No Impact From Piracy On Entertainment Industry
Author: AJ Dellinger
Summary: ORG mentioned in relation to the criticism of EU copyright reform.
Topics: Copyright, European Union
2017-09-21-Information Age-WhatsApp rejected UK Gov request to access encrypted messages
Author: Nick Ismail
Summary: Jim Killock quoted on automated takedowns of online content inevitably leading to mistakes.
Topics: Online censorship
2017-09-26-The Inquirer-Campaigner found guilty under terrorism laws for not disclosing passwords
Author: Dave Neal
Summary: Jim Killock quoted on powers under Schedule 7 of the Terrorism Act being blanket powers not requiring suspicion.
Topics: Terrorism Act 2000
2017-09-27-Raconteur-Should tech companies enforce law?
Author: Matthew Chapman
Summary: Pam Cowburn quoted on international tech companies declining service potentially having effect on free speech.
Topics: Online censorship
2017-09-27-Gears of Biz-Campaigner found guilty under terrorism laws for not disclosing passwords
Author: Helen Clark
Summary: Jim Killock quoted on powers under Schedule 7 of the Terrorism Act being blanket powers not requiring suspicion.
Topics: Terrorism Act 2000

ORG Contact Details

Staff page