ORG policy update/2017-w49

This is ORG's Policy Update for the week beginning 04/12/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

ORG have begun to prepare briefings for peers in the House of Lords for the upcoming Report Stage of the Data Protection Bill (see below).
ORG is running a petition against the Government’s proposals to criminalise repeated viewing of online terrorist propaganda and compelling internet companies to police their own networks. Sign the petition here!
In case you couldn’t come to ORGCon, you can now watch the talks online! Have a look at our YouTube channel.

Planned local group events:

ORG Birmingham are hosting an introduction to the Indieweb on Monday 11 December. Tired of Twitter? Fed up with Facebook? Miss the variety and quirkiness of the open web? Be the change you want to see in the world by visiting their introduction to the Indieweb!
ORG London are hosting a presentation on the 'Cryptobar' installation on Tuesday 12 December. Cryptobar is a project aimed at spreading the word about privacy (and privacy-enhacing technologies) in an artistic and accessible way.

Official meetings

Jim Killock gave a lecture on the "Nothing to Hide, Nothing to Fear" argument to students at Arcadia University.
Myles Jackman and Alex Haydock attended a Court of Appeal hearing on Friday 8 December to hear progress in the Davis/Watson case against DRIPA.
Jim Killock spoke at 89up's Assemble event about the benefits that GDPR will give campaigners.
Myles Jackman and Alex Haydock met with David Allen Green to discuss ORG's progress as interveners in the Cartier case.
ORG Staff attended a preview screening of forthcoming film The Post.

UK Parliament

Joint Committee on Human Rights publishes note about Data Protection Bill

On 6 December, the Deputy Counsel to the Joint Committee on Human Rights published a note about the human rights implications of the Data Protection Bill. Crucially, among the key considerations they highlight for the Committee to consider are a number of issues of interest to ORG.

Article 80(2) amendments were debated two weeks ago, which would allow consumer groups like the Open Rights Group to take independent action against entities who have been abusing data protection law. In their note, the Counsel addresses Article 80(2), noting that the Committee:

may wish to consider whether the Government's ommission of Article 80(2) may diminish the protection of privacy rights and, if so, whether civil society organisations ought to be empowered to bring complains and seek effective remedies in the public interest.

The Committee also considered the proposed exemption to data protection which would remove all rights to personal data when disclosure would prejudice “effective immigration controls". Such an exemption has never existed before. Requests for information under data protection (subject access requests) are an integral part of most immigration cases, and will be critical for anyone going through an immigration process in the future, such as the three million EU citizens resident in the UK. The document notes that the Committee:

may wish to consider whether an exemption for effective immigration control is necessary and proportionate given the broad reach this exemption would have. The Committee may wish to make further enquiries of the Government as to the justification for this exemption.

Report sittings on the Data Protection Bill will be held in the House of Lords on 11 December, 13 December, and 11 January. The most recent amendments submitted for the Bill's report stage can be found here. The Bill's third reading will be held on 17 January.

ICO publishes Lords' briefing on Data Protection Bill

In preparation for the upcoming Report stage of the Data Protection Bill, the ICO have published a briefing for the House of Lords raising many of the same issues for consideration as the report published by the Joint Committee on Human Rights.

The briefing refers to the immigration exemption, noting:

This exemption could potentially render personal data unobtainable to the data subject and this could be detrimental to individuals who are appealing asylum decisions for example. If the exemption is applied, individuals will not be able to access their personal data to identify any factual inaccuracies and it will mean that the system lacks transparency and is fundamentally unfair.

The ICO also makes reference to Article 80(2), noting that they support the amendment, which would give civil interest groups like ORG the right to seek redress on behalf of data subjects without needing to be directly instructed by them:

As was highlighted in the Committee Stage debate, there are circumstances where data subjects may not necessarily be aware of what data about them is held by organisations, and more importantly what is being done with it. In such instances data subjects could not be expected to know whether and how they could exercise their rights under data protection law. Furthermore, in the context of wider discussion of the Bill and children’s rights, the relevance of this point is of particular importance where young and vulnerable data subjects are involved – these groups being less likely to have the means and capability to exercise their rights on their own behalf. The Commissioner continues to support the derogation at Article 80(2) being exercised to provide representative bodies with this right of action.

Other national developments

David Anderson QC publishes report into MI5/Police intelligence-handling reviews

This week, the Home Secretary published a report by David Anderson QC into the internal reviews conducted by the Police and by MI5, concerning their handling of intelligence data prior to this year's terrorist attacks at Westminster, Manchester Arena, London Bridge and Finsbury Park.

The full report and accompanying press release can be accessed here.

Court of Appeal Hearing in Davis/Watson case against DRIPA

The Data Retention and Investigatory Powers Act 2014 (DRIPA) was the predecessor to the Investigatory Powers Act 2016 and has been subject to a legal challenge since June 2015, brought by MPs David Davis and Tom Watson.

The High Court held in 2015 that portions of the DRIPA legislation were unlawful. The case then progressed to the Court of Appeal, which began hearing the Home Secretary's appeal in 2015.

Since that time, the European Court of Justice delivered a judgment (in Joined Cases C203/15 and C698/15), which supported the High Court's position that DRIPA was unlawful. The DRIPA legislation expired at the end of December 2016.

Despite the above, the Court of Appeal case continues, as it revolves around points of law which are relevant to the Investigatory Powers Act, into Part 4 of which were incorporated many of the provisions of DRIPA, including some which were under dispute.

On Friday 8, a Court of Appeal took place to hear some final arguments in the Davis/Watson case. The court is expected to deliver a judgment soon and may choose to affirm the position of the CJEU, which would be a victory for ORG.

Europe

EU regulators threaten court challenge to EU-U.S. data transfer pact

Article 29 Data Protection Working Party adopted an opinion on the review of Privacy Shield agreement this week. Privacy Shield framework enables cross-border data transfers between EU and the US in compliance with EU data protection rules.

Article 29 is an advisory body made up of each Member State’s data protection authority representative. They were tasked with a review of the Privacy Shield framework after one year of being in place since it replaced the Safe Harbour agreement.

In their opinion, the Working Party 29 has identified a number of significant concerns that need to be addressed by both the European Commission and the US authorities. These include the appointment of an independent Ombudsperson and members of Privacy and Civil Liberties Oversight Board in the US. They note that the appointments need to be in place by 25 May 2018 (date when the General Data Protection Regulation comes into force).

Further concerns raised by the WP29 include:

Lack of guidance for the companies adhering to the Privacy Shield
Lack of clear and easily available information for EU individuals
Lack of oversight and supervision of compliance with the Principles
Application of the Privacy Shield to data processors established in the US
Lack of legal guarantees for automated profiling/decision making
Self-Certification process and cooperation between US authorities in the Privacy Shield mechanism

The data protection authorities expect these concerns to be resolved by Autumn 2018. If the EU and the US fail to do so, Article 29:

”will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling.”

ORG media coverage

See ORG Press Coverage for full details.

2017-12-04-Business Insider-The UK's privacy watchdog is 'making enquiries' after MPs said they hand out passwords to staff: Author: Shona Ghosh; Summary: Jim Killock quoted in a story about possible data protection breaches by MPs sharing Parliamaentary logins.; Topics: Data protection, Privacy
2017-12-04-BBC News-MP Nadine Dorries defends 'shared password' tweet: Author: BBC News; Summary: Jim Killock quoted in a story about possible data protection breaches by MPs sharing Parliamaentary logins.; Topics: Data protection, Privacy
2017-12-05-The National-Data privacy regulator warns MPs over sharing computer logins: Author: Gregor Young; Summary: Jim Killock quoted in a story about possible data protection breaches by MPs sharing Parliamentary logins.; Topics: Data protection, Privacy
2017-12-07-Gizmodo-Campaigners Are Asking the Government Not to Strip EU Citizens of Their Digital Rights: Author: Tom Pritchard; Summary: Jim Killock quoted in a story about the proposed immigration exemption to the forthcoming Data Protection Bill.; Topics: Data protection, Privacy

ORG Contact Details

Staff page