ORG policy update/2017-w42

This is ORG's Policy Update for the week beginning 16/10/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

  • Save the date for ORGCon 2017 - it will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers include Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets are on sale now!

Planned local group events:

  • ORG Aberdeen and FSFE Aberdeen are organising a Cryptonoise event on 26 October. Join them to discuss current digital rights issues and learn how you can help to protect your rights.
  • Join ORG Birmingham for a Halloween social on 30 October. Fancy dress is encouraged! They will be organising some spooky games and activities before heading to a pub.
  • Next ORG Glasgow monthly meetup will be on 2 November. The local group will discuss new ideas for public events and presentations.

Official meetings

  • Jim Killock attended an introductory meeting with the Investigatory Powers Commissioner.

UK Parliament

Labour tabled an amendment implementing Article 80(2)

The Data Protection Bill will be scrutinised in the Committee in the House of Lords on 30 October.

Last week, the Bill was read the second time in the HoL (transcripts 1, 2).

ORG prepared a briefing prior to the debate. We have argued for the need of implementing the General Data Protection Regulation Article 80(2). The article would allow independent privacy bodies to bring complaints on behalf of consumers without the need of a named data subject. This provision could be instrumental in investigating harmful data processing practices.

The debate showed cross-party support for the implementation of the article in order to improve consumer rights. However, the Government indicated that they do not intend to bring the provision forward.

Labour have already tabled an amendment that would make it possible for independent privacy bodies to raise complaints on behalf of users without having a named data subject.

This amendment is only for processing that applies to GDPR, which is a good start. However, it is necessary to get the same power for independent privacy bodies for processing that does not apply to GDPR. ORG intends to work closely with Peers to develop that language.

The Bill, however, has more issues that need to be addressed. These include:

  • The lack of a “representative”. Originally, the EU’s General Data Protection Regulation covers the processing of personal data of EU data subjects by data controllers (companies) not established in the EU. In such circumstances, the EU requires companies who are based outside of the EU but wish to offer services to people in the EU to establish a representative in a Member State. Without a “representative” it will be impossible to enforce all rights and obligations on non-UK companies offering services to the people in the UK if something goes wrong.
  • Too wide exemption for processing of data for immigration purposes removes any obligation on the collector to provide information to the individual, before during, or after collection, or to abide by the seven data protection principles. The exemption also removes the right for the individual to request the information held about them from a data controller.
  • One of the conditions for processing special categories of personal data is “substantial public interest”, however, the Bill does not include a definition of substantial public interest.
  • National Security Certificates - provisions in the Bill include even wider exemptions than those in the current Data Protection Act.
  • Unfettered powers for cross-border transfers of personal data by intelligence agencies without appropriate levels of protection.

Other national developments

MI5 & MI6 might be sharing bulk data illegally

A challenge brought to the Investigatory Powers Tribunal by Privacy International alleges that MI5 and MI6 sharing bulk personal data with their foreign partners is illegal.

The argument behind the challenge is that most of the bulk personal datasets relate to UK citizens who are not of legitimate intelligence interest. GCHQ requires its foreign partners to adopt the equivalent level of safeguards but MI5 and MI6 do not follow the same practices.

Documents revealed that the agencies did not inform watchdogs of sharing bulk personal datasets and bulk communications data with third parties. The letter from the newly appointed Investigatory Powers Commissioner Lord Justice Fulford declares that his predecessors he Intelligence Services Commissioner (ISCom) and the Interception of Communications Commissioner (IOCCO) were informed of such practice.

The Tribunal hearing continues.

Europe

LIBE Committee maintains good levels of privacy protection in ePrivacy Regulation

The European Union has been in the process of updating the ePrivacy regulation. The new proposal from the European Commission was voted on in the leading Committee for Civil Liberties (LIBE).

LIBE passed the Report on the ePrivacy Regulation and voted in favour of all the compromise amendments from the opposition MEPs. In this instance, compromise amendments have improved the level of privacy offered to the EU citizens.

The report as amended by the LIBE Committee will next be voted on in Plenary of the European Parliament by all MEPs. Then the ePrivacy Regulation will be discussed with the Member States in the Council.

Prior to the vote in the Committee, various Internet companies who benefit from tracking their users were heavily lobbying the EU officials. This report by the Corporate Europe Observatory shows in detail which companies were in touch with the European Commission about their proposals.

It is important the revised ePrivacy rules maintain at the minimum the same level of protection that is offered to the EU citizens by the General Data Protection Regulation. The ePrivacy is a specialised legislation which complements the more general GDPR legislation. This means that when the two regulations contain rules for the same situation, the ePrivacy rules should take precedence. If the levels of protection provided by the two legislations differ, the ePrivacy is likely to end up in front of the European Court of Justice which could invalidate the rules.

Civil rights groups sign an open letter against Article 13 of Copyright Reform

ORG together with other organisations signed an open letter to President of the European Commission Jean-Claude Juncker and other EU officials regarding the proposals for compulsory proactive copyright filters.

The plans to modernise the European copyright (as part of the Digital Single Market strategy) include new proposals (Article 13 of the Copyright Reform) that would require some online service providers to proactively detect and filter allegedly infringing copyright works, uploaded to their platforms by users.

The letter emphasises that the obligations placed on Internet companies and Internet service providers will inevitably lead to mistakes made due to caution. Upload filter, as defined by Article 13, does not allow for the application of any of the exceptions to copyright.

This provision requires Internet companies to police copyright infringement. This approach will lead to overblocking since the companies will face fines if they fail to remove infringing content.

The letter also warns that Article 13 could also be illegal since it contradicts case law of the European Court of Justice. The e-Commerce Directive already requires Internet companies to remove infringing content once they have been notified of its existence. Article 13 would force the monitoring of uploads. This would go against the ‘no general obligation to monitor‘ rules present in the Directive and would violate freedom of expression set out in Article 11 of the Charter of Fundamental Rights.

Previously, six Member States (Belgium, Czech Republic, Finland, Hungary, Ireland and the Netherlands) submitted their questions on proportionality and compatibility of the new clauses with the existing law.

The vote in the European Parliament on the Copyright Reform is scheduled for November.

EU approves Privacy Shield in the annual review

The European Commission conducted the first annual review of the EU-US Privacy Shield agreement. The review was assessing whether the US commitment to the protection of the European citizens’ data is sufficiently protected when transferred from the EU to the US.

The results of the review show that the Commission believes the data sharing agreement continues to ensure adequate protection of Europeans’ personal data.

However, it has been reported that the Commission will make some recommendations. Among others, the Commission wants to suggest to the US improvements regarding the practical implementation of the Privacy Shield through a tougher monitoring of the compliance of companies with its privacy rules.

The EU Commissioner Věra Jourová previously stated that she wants the US to appoint a privacy ombudsperson who would deal with complaints from EU citizens about the US.

Questions in the UK Parliament

Question on the responsibility of Internet companies

Wendy Morton MP asked the Minister of State for the Home Department, whether he agrees that some of the world’s leading Internet companies could do more to ensure that extremist propaganda is taken down immediately.

Ben Wallace MP responded that Internet companies could do more with their technology, could do much more to recognise that they have a responsibility for content that is hosted on their sites, and they could do more to take it down.

Question on Equifax

Jon Trickett asked the Secretary of State for Digital, Culture, Media and Sport, what steps the Government is taking to improve protection for people's private data and finances as a result of the Equifax data breach.

Matthew Hancock MP responded that the National Cyber Security Centre (NCSC) published updated advice on its website, advising members of the public on password re-use, avoiding related phishing emails and fraudulent phone calls, as well as giving information on how to report a cyber incident to Action Fraud.

Question on personal data

Stephen Gethins asked the Secretary of State for Exiting the European Union, whether it is his policy to refrain from entering any UK-EU model for exchanging and protecting personal data if the framework requires oversight from the European Court of Justice.

Robin Walker MP responded that they will bring an end to the direct jurisdiction of the CJEU. Walker said that they will respect the internal judicial processes of the EU just as we respect the internal judicial processes of our other international partners.

Question on data protection

Darren Jones asked the Secretary of State for Digital, Culture, Media and Sport, what oversight and powers the Government will have in relation to guidance issued by the Information Commissioner on the application of the General Data Protection Regulation.

Matthew Hancock MP responded that the Data Protection Bill will require the Information Commissioner to prepare statutory data sharing and direct marketing codes of practice. The Secretary of State may also require the Commissioner to prepare additional codes giving guidance on good practice in other data processing areas.

Question on counter-terrorism

Jim Cunningham MP asked the Secretary of State for Foreign and Commonwealth Office, what recent steps they have taken to support the implementation of the Government’s counter-terrorism strategy overseas.

Boris Johnson MP responded that the Prime Minister has been leading in countering online radicalisation and taking more than 270,000 pieces of illegal terrorist material off the internet.

Question on pupils’ personal records

Darren Jones asked the Secretary of State Education, whether third party organisations have access to data on the National Pupil Database (NPD).

Nick Dibbs responded that the Department may legally share the NPD, or parts of it, with third parties, using powers set out in Section 537A of the Education Act 1997 and the Education (Individual Pupil Information) (Prescribed Persons) (England) Regulations 2009. Organisations requesting access under those powers must show how it will be used to promote pupils’ education, through evidence or research.

Dibbs said that where the police or Home Office have evidence that a child may be at risk or evidence of criminal activity, limited data including a pupil’s address and school details may be requested from the NPD.

ORG media coverage

See ORG Press Coverage for full details.

2017-10-13-ISP Review-UK ISP Filters Criticised for Blocking Lots of Safe and Legal Websites
Summary: ORG mentioned in relation to Blocked - project identifying unjustly blocked websites by ISPs.
Topics: Online censorship
2017-10-14-Breitbart-British Police Arrest At Least 3,395 People for ‘Offensive’ Online Comments in One Year
Author: Jack Montghomery
Summary: Jim Killock quoted on “offensive” comments being an insufficient ground for prosecution.
Topics: Online censorship
2017-10-16-Huge power imbalance between firms and users whose info they grab
Author: Rebecca Hill
Summary: Jim Killock quoted on mass data gathering to have huge effects on things like competition between companies and access to services.
Topics: Data protection
2017-10-17-IPPro-Article 13 of DSM proposals should be deleted, says the EFF
Author: Barney Dixon
Summary: ORG mentioned in relation to a letter against Article 13 signed by civil liberties organisations.
Topics: Copyright
2017-10-19-Complete Music Update-Now the digital rights groups write to the EU about safe harbour reform
Author: Chris Cooke
Summary: ORG mentioned in relation to a letter against Article 13 signed by civil liberties organisations.
Topics: Copyright
2017-10-19-Torrent Freak-Anti-Piracy Group Joins Internet Organization That Controls Top-Level Domain
Author: Andy
Summary: ORG mentioned in relation to a letter against Article 13 signed by civil liberties organisations.
Topics: Copyright

ORG Contact Details

Staff page

Retrieved from "https://wiki.openrightsgroup.org/w/index.php?title=ORG_policy_update/2017-w42&oldid=51442"