This is ORG's Policy Update for the week beginning 09/10/2017.
If you are reading this online, you can also subscribe to the email version or unsubscribe.
- We’ve launched a new action asking people to email their MEP about the ePrivacy Regulation. We are concerned about pressure from Facebook and Google to water down the regulation. You can get in touch with your MEP here.
- ORG submitted a briefing to the House of Lords before the Second Reading of the Data Protection Bill. Read about our concerns here.
- Save the date for ORGCon 2017 - it will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers include Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets are on sale now!
- Jim Killock attended a roundtable meeting about the Internet Commission 2020.
Government is against Article 80(2)
The Data Protection Bill went through its Second Reading in the House of Lords on 10 October. Lords predominantly outlined their positions on the Bill and indicated areas they would like to amend.
The Bill will be discussed by peers in Committee on 30 October.
ORG prepared a briefing prior to the debate. We have argued for the need of implementing the General Data Protection Regulation Article 80(2). The article would allow independent privacy bodies to bring complaints on behalf of consumers without the need of a named data subject. This provision could be instrumental in investigating harmful data processing practices.
During the debate, Article 80(2) received cross-party support from various peers, however, the Government indicated that they do not intend to implement the Article into the DPBill. Instead, Baroness Williams (on behalf of the Government) said that
“It is important to note that not-for-profit organisations will be able to take action on behalf of data subjects where the individuals concerned have mandated them to do so. This is an important new right for data subjects and should not be underestimated.”
Other issues discussed during the debate included:
- Age of consent - difference between Scotland and the rest of UK
- Post-Brexit data flows and adequacy
- Henry VIII clauses and impossibility of making the Bill future-proof
- Need for transparent and effective regime for assessment of the right to be forgotten requests
- Bill’s interaction with blockchain
- Call for NHS patient data to be protected as a national asset
- Limitation for single processing for special purposes
There is a number of other issues in the Bill that need to be addressed:
- The lack of a “representative”. Originally, the EU’s General Data Protection Regulation covers the processing of personal data of EU data subjects by data controllers (companies) not established in the EU. In such circumstances, the EU requires companies who are based outside of the EU but wish to offer services to people in the EU to establish a representative in a Member State. Without a “representative” it will be impossible to enforce all rights and obligations on non-UK companies offering services to the people in the UK if something goes wrong.
- Conditions for processing special categories of personal data - one of the conditions for processing is “substantial public interest”, however, the Bill does not include a definition of substantial public interest.
- National Security Certificates - provisions in the Bill include even wider exemptions than those in the current Data Protection Act.
- Unfettered powers for cross-border transfers of personal data by intelligence agencies without appropriate levels of protection.
Other national developments
Government set up a new national hate crime hub
The Government has announced a new national hub to tackle online hate crime. The hub’s primary aim is to improve the police response to the problem of hate crime online.
The Government aims to provide better support for victims and increase the number of prosecutions. Specialist officers are supposed to advise victims on how to report online hate speech to platforms hosting external content online.
The hub will allow people to report online hate crime cases to police who will then assess them and assign them to local forces. They will also refer appropriate cases to online platforms hosting external content so that hateful material can be removed. This change comes after the Crime Prosecution Service recently committed to treating online hate crime as seriously as offline hate crime.
The issue of removing online hate crime has been more prominent in the EU where the European Commission already passed new rules applying to social media and Internet companies. The rules require them to remove hateful online content and terrorist material within 24 hours of being notified. The UK Government has not made an official statement on online hate content regulation but will likely follow the example set by online terrorist propaganda.
UK to become the safest place in the world to be online?
The Government launched a new Internet Safety Strategy. The Strategy corresponds to the announcements of the Digital Charter made in the Conservative manifesto as well as the Queen’s Speech. The strategy is to mostly regulate social media companies. The Government intends to:
- Create a code of practice for social media companies to remove or address bullying, intimidating or humiliating online content;
- Propose an industry-wide levy on social media companies and communication service providers to raise awareness and counter Internet harms.
These measures are voluntary; however, if the targeted companies do not get involved the Government will consider implementing legislative measures.
In order to form the strategy, the Government launched a consultation that seeks views on a social media code of practice, transparency reporting and a social media levy, technological solutions to online harms, developing children’s digital literacy, support for parents, and the experience of online abuse and dating.
The implementation of a social media levy appears to be problematic. The Government will run into issues when trying to define who will have to pay and who doesn't, how the rate is calculated, or enforcement of a non-UK domiciled company. The launch of the new initiative tightening the rules for social media companies comes at the same time as the calls from Ofcom to reclassify social media companies as publishers in regards to the spread of fake news. The reclassification would make them directly responsible and liable for the content on their platforms.
Internet companies lobby against ePrivacy
The ePrivacy rules were updated in 2016 but the EU is currently reviewing them again following pressure from the online advertising industry, including corporate powerhouses such as Facebook and Google. ePrivacy regulation is supposed to complement the General Data Protection Regulation which is due to be implemented by the Member States by 25 May 2018.
The original proposal from the European Commission is a good starting point; however, there are still issues that need to be fixed. Internet and advertising companies (which profit from tracking) are trying to lobby the EU to water down these changes.
The revised ePrivacy rules are currently debated by the European Parliament and MEPs will vote on them soon (date to be announced). The ePrivacy is a specialised legislation while the GDPR is a general legislation. This means that when the two regulations contain rules for the same situation, the ePrivacy rules should take precedence. However, the ePrivacy Regulation should not lower the level of protection given to people under the GDPR. If this is the case, it is likely that the issue will have to be resolved by the European Court of Justice (CJEU). The CJEU could then potentially invalidate the provisions.
It is important the revised rules:
- maintain the use of privacy features in browsers and apps by default;
- ban cookie walls preventing people from accessing websites if they do not consent to being tracked;
- close the loophole for collecting data by third parties for analytics;
- remove any language legitimising corporate surveillance.
You can contact your MEP here.
Questions in the UK Parliament
Question on catfishing
Matthew Hancock MP responded that they will consider ways in which we can ensure Britain is the safest place in the world to be online.
Question on cybercrime
John Trickett asked the Secretary of State for Health, whether the department requires contractors to have obtained a certificate from the Government Cyber Essentials scheme.
Phillip Dunne responded that suppliers are only required to demonstrate that they meet the technical requirements prescribed by Cyber Essentials for those contracts involving the transfer of sensitive data. There is no general requirement for all suppliers to achieve Cyber Essentials certification.
Question on “denial of service” attacks
Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, what steps they have been taking to improve public and private sector organisations' protection against distributed “denial of service” attacks.
Matthew Hancock MP responded that the department is considering the need for the right incentives to be in place to build security into internet-connected products and services to help protect devices from being hijacked.
ORG media coverage
See ORG Press Coverage for full details.
- 2017-10-07-FACTS Chronicle-Uber app can secretly spy on your iPhone and you won’t know!
- Author: Mike Hardy
- Summary: Jim Killock quoted on Uber not proving itself a trustworthy company either to regulators or consumers.
- Topics: Surveillance
- 2017-10-10-World Socialist Web Site-British government prepares further draconian legislation to censor Internet
- Author: Steve James
- Summary: ORG mentioned in relation to our concerns about the Law Commission’s new proposals for the Espionage Act.
- Topics: Online censorship
- 2017-10-10-Wired-Theresa May's next cunning plan? A levy on technology firms
- Author: Matt Burgess
- Summary: Jim Killock quoted on the need for the police to police the Internet, not the Internet companies.
- Topics: Online censorship