

June 26, 2013 | Jim Killock

Prophetic analysis warned about US-based cloud

One of the weak points in the new European data protection regulation that privacy advocates have been warning about is the ease by which data can be exported from the EU into FISAAA-ready services in the USA. In short, the European Commission have been trying to make “data exports” easier, but in the process have made it harder to enforce our fundamental privacy rights.

The Commission's position on data exports relates to their cloud strategy. They see the use of cloud computing as a way to enable EU businesses to save costs and become more efficient. They hope this will increase European competitiveness in a global marketplace. The argument runs that current data protection rules make full use of cloud computing impossible because of the restrictions it imposes on data exports, as all the big cloud providers are non-EU.

As Caspar Bowden and Judith Rauhofer point out in their recent paper, this argument leads to a position where data protection rights are highly unenforceable as soon as data moves outside the EU via data exports. In short, if the US enacts FISAAA laws and initiates PRISM, there’s not much that the new data protection laws can do to help, especially as they are currently drafted.

Rauhofer and Bowden also reference a paper produced back in January by the European Economic and Social Committee. The EESC pointed out the problem with the Commission’s economic argument. They say that an increase in the uptake of cloud services provided by mostly US-based companies will lead to a loss of sovereignty by EU businesses and the public sector, not only over personal data, but also over commercially sensitive information and trade secrets:

Page 5-6:

Recent decades have demonstrated the significance of the dependency of the Member States - or even of Europe as a whole - regarding various sources of energy: petrol, gas, electricity, etc. Should European citizens', businesses' and public services' data in future be hosted, managed and controlled by non-European CC operators, there would be legitimate concerns surrounding the impact of this dependency:

  • protection of particularly sensitive data that are crucial to strategic competition between European and non-European countries, such as in the aviation, automotive, pharmaceutical and research sectors;
  • the availability of data in the event of international tensions between "host" countries and Member States;
  • equality of treatment of consumers of digital energy depending on whether or not they are citizens or organisations of a "friendly" country;
  • job and wealth creation from the production of digital energy, and also from the entire service development ecosystem, in the host countries, thus disadvantaging countries that are simply "cloud-friendly" users of digital energy. …

3.5 Currently, although there are some differences between the Member States' regulations, they are close to the European texts, standards and directives; hence users' fears - in some cases justified - of their data being stored outside Europe, leading to difficulties and legal stalemates in the event of disputes.

In addition, the greatest cause for concern among users is the "Patriot Act". This act came out of the war on terror (following the September 11 attacks), and allows the US government or a federal judge to access any data hosted and controlled by an American company, whether or not the owner of the data is American and including data hosted in a centre on European soil. Above all, the owner of the data cannot be informed that the host has disclosed the hosted data.

After Edward Snowden’s revelations about PRISM, now that the public and EU Parliament are more aware of the effects of FISAAA as well as the Patriot Act, there is a very high risk that EU businesses will lose trust in cloud services to everyone’s detriment.

This also creates an opportunity: data protection law can allow citizens and businesses to manage the risks. The increased privacy of European-based services could make them more competitive, especially for businesses who must protect their confidentiality, as the EESC point out. But the EU Parliament will have to be open to making some significant changes, including improving notification and insisting that US and other states’ surveillance laws are only to be applied to EU data in the context of international laws and agreements. This was the intention of Article 42 – which should now be reinstated.



June 24, 2013 | Jim Killock

Questions for the UK government

The Guardian’s revelations about the Tempora programme, including global Internet and telecoms surveillance, leave the UK’s reputation in great danger. Using legal loopholes, and hiding the extent of these programmes from the public eye, the UK has breached the rights of both our own citizens, and those of every country whose citizens’ data has been harvested.

GCHQ Bude

Not everything set out by these leaks is new or unknown, but what is new is the confirmation of the existence of the programmes, and the pressure on governments to come clean and explain what they have done.

While governments can claim a need for secrecy around specific investigations, they cannot reasonably claim a need for secrecy around the programmes they initiate. By making such a massive operation secret, they have undermined the rule of law, denied us democratic accountability and breached legal commitments to human rights that have been made in public to the peoples of other countries.

The position seems to be that the UK government believes it can wiretap whatever it likes, so long as the tapping takes place outside of the UK (i.e., the tap is placed on an undersea cable a few miles west of Bude) and involves communications that are not simply UK citizen to UK citizen.

Making this apparent to the political class, reversing the situation, and introducing genuine accountability will not be easy, but is vital. Here are some reasons why we need an unparalleled outbreak of political honesty, to live up to the opportunity that Edward Snowden has given us.

Senior politicians have misled Parliament and the public

Tempora was implemented under Labour, and has carried on under the Conservative-Lib Dem coalition. Some senior politicians including Jacqui Smith, Alan Johnson and Theresa May failed to inform the public and the vast majority of Parliament about Tempora. William Hague has been guilty of making similarly bland justifications and reassurances following revelations about PRISM. MPs should be especially wary of the executive’s justifications for Tempora. They have the most to lose, personally and politically.

However, the members of the three parties, their democratically elected committees and the delegates to their conferences did not know of these programmes. It is also highly unlikely that many MPs knew and it is even probable that many former and current ministers were never told about the programmes. Creating and continuing with Tempora will have been a decision taken by a very narrow group of people.

This places the UK’s political class in a troubling situation, and they badly need guidance from the public.

Malcolm Rifkind and the Snoopers’ Charter cheerleaders

Malcolm Rifkind chairs the Parliamentary committee responsible for overseeing the intelligence agencies, and has recently shown himself to be very much a willing hand of the Home Office. He has reassured everyone that these programmes are highly likely to be working within the law, and recording everyone’s communications is nothing to worry about, since there is too much to read. In essence, Rifkind believes, if you have nothing to hide, you have nothing to fear.

Even four hundred years ago, Cardinal Richelieu understood that this was not a compelling argument:

If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

and he was hardly a major proponent of universal human rights.

Given Rifkind’s beliefs, can we trust his leadership of the Intelligence and Security Committee to guide the only major inquiry that is currently planned by the UK Parliament?

Rifkind is a particularly powerful example of a kind of UK politician that makes a habit of justifying secret service and Home Office demands. He was one of the first people to argue for the return of the Snooper’s Charter. Others, including Lord Carlile, Lord Reid and Jack Straw have been wheeled out to make the same arguments, as if their experience implementing hardline rollbacks of civil liberties in some way made them the right people to explain to us why we need to trust the secret state. Their credibility is shattered.

Foreign policy

The UK is a major gateway for Internet traffic across the Atlantic. The volumes of traffic are immense, and provide a major wiretapping opportunity.

The UK government clearly thinks it benefits from being close to US intelligence and helping out by providing such access to them.

Both the UK and the USA need to ask if it is reasonable to use their positions to surveil global communications without regard to individuals’ inalienable human rights, or other nations’ and allies’ legitimate interests. We cannot reasonably expect other countries to behave better, if we do not ourselves. Our position also seems to be at odds with our human rights commitments, which is angering many very reasonable countries, such as Germany.

Damage to the Internet economy

The global Internet economy has become more centralised, with a great deal of data being handled and stored by a few US companies, such as Facebook, Apple, Microsoft, Yahoo and Google. This, as Tim Wu observed at ORGCon, makes them easy to compel. Surveillance benefits from this kind of centralisation. This centralisation is also reflected in the small number of entry and exit points for Internet communications. Such ‘choke points’ increase the ease of surveillance.

However, the confidence of the public and businesses depends on a sense of trust. This balance has been thrown by the Snowden revelations. Internet privacy is not an abstract concern.

Surveillance from the USA and UK will include gathering intelligence for their ‘economic wellbeing’. Why should either nation be trusted when companies think about choosing ecommerce and cloud services? The ‘national interest’ of the UK and USA could easily override the privacy and security of a company based in Germany or France. Taking such an approach is surely bad for business.

Who is really threatened?

There are many threats to individuals from their data being accessed by others. Those at risk include:

  1. Businesses, who may be communicating confidential information of interest to competitors;
  2. Businesses who are specifically competing against businesses in the US or UK, when our governments regard their competition as against our ‘national interest’;
  3. Journalists, who need to communicate privately with sources;
  4. Whistleblowers, especially those who act against the will of their government – think of Daniel Ellsberg perhaps;
  5. Anyone whose personal position could be leveraged by security services for their benefit;
  6. Members of groups like Anonymous;
  7. Everyone, as our data might be leaked to a third party against our will

The wider threat is to our democratic culture. If people fear being listened to, or becoming of interest to security services, then they change and limit their behaviour. This is a loss to the whole of society, whether or not you think the specific threats are likely to affect you.

What needs to happen

Everyone should think about how we rein in the security services. Some of the things that are needed include:

  1. The EU draft Data Protection Regulation must allow people to control their data, so they can manage the security threats to their personal data. It should reinstate Article 42, which requires data disclosures from companies should be governed by international agreements.
  2. Transparency calls in the USA must be heeded, immediately
  3. UK law must be revised to remove indiscriminate data collection
  4. US and UK surveillance activities must be brought into a transparent international legal framework



June 21, 2013 | Javier Ruiz

EE Dragging its Feet on Mobile Data Transparency

Mobile company EE has been quite open in explaining the sale of data analytics based on their customers' data in partnership with Ipsos MORI. But we are concerned that they think the storm is over and they can return to business as usual. We may need your support to make them listen.

EE has already met with ORG to explain how their data services work, how they aggregate data and under what general legal framework they operate. For this, we commend EE on their openness and hope that it continues.

We asked EE for a technical meeting with independent experts, but have not received any reply. In order to reassure mobile users over their concerns it’s very important to establish the exact data EE collects, stores and uses for its data products.

The first step in improving transparency would be for EE to allow an independent technical check-up on their data collection and processing. Our proposed technical expert, Richard Clayton, who is based at the Computer Laboratory of the University of Cambridge, has carried out similar work requiring balancing public information with commercial and customer confidentiality. Richard Clayton did a similar study in 2008 with behavioural advertising company PHORM.

EE’s privacy policy explains that they collect and use a wide range of data, including purchasing habits and app use. They have also told us that their data products allow for cross referencing of location data with web history and other parameters. Clearly, there is a lot going on here and customers need more information.

On the 5th of June we held a public debate in Parliament on this issue, kindly hosted by Julian Huppert. The panel included representatives from EE, Ipsos MORI, the Information Commissioner's Office (ICO) and Joss Wright from the Oxford Internet Institute. At that meeting Iain Bourne from the ICO made it clear that transparency is a fundamental principle of data protection and that there is room for improvement in the way companies explain to consumers what they are doing with customer data.

We may need your help soon to get EE and other companies to continue being open about their practices. They need to know that these issues are not going away and customers are more aware of what happens to their data.



June 17, 2013 | Jim Killock

Jargon File blocked by O2, Youtube by Orange

We regularly collect blocking reports from mobile users, via blocked.org.uk – and we've recently had some interesting ones.

Youtube content blocked at Orange, error report

Report your blocks here. Please keep them coming! [Note: These blocks are happening on the mobile networks' child safety filtering services. These are switched on by default by all networks except Three. For more detail on mobile network filtering, see our report.]

Orange blocking Youtube videos

www.youtube.com

Orange are blocking Youtube as unsafe for children. Interestingly, this is the first time we've seen this site blocked by a major telco for child protection. The reasoning seems pretty poor. It shows the scale to which default blocks can adversely impact people. Mustn't let kids watch the sneezing panda or Justin Bieber!

[UPDATE: Orange deny Youtube is blocked by Safeguard. We demo the block here; if you are on Orange and have Safeguard switched on, let us know what happens for you]

[Update 2: Orange block YouTube under the higher of two settings on their "Safeguard" child protection filters. Under the setting "Safeguard On", user generated content sites including YouTube and Twitter are blocked. You can read a little more about these settings on the Everything Everywhere site. So this is deliberate blocking on the highest child safety filter, rather than an accidental or mistaken block for all users or for those on the "Safeguard Lite" setting. The Safeguard Lite setting is switched on by default, whereas the Safeguard On setting is by choice.]

The Jargon File

catb.org/~esr/jargon/

A venerable Internet and hacking slang guide, around since the 1970s, the Jargon File is hosted by Eric S. Raymond. It is currently blocked by O2, presumably because it is classed as a "circumvention" tool. Mustn’t let kids learn how to use their computers!

However, a bug with the O2 URL checker means we can't check web pages with a tilde in their address to see what the classification reasoning is, or to appeal it.

[UPDATE: using http://catb.org/%7Eesr/jargon/ shows it is blocked as “hacking”]

Brains of Steel: blocked by O2

brainsofsteel.co.uk

This is a personal blog and it is difficult to see why it is classified as 'self harm' by O2. But perhaps the talk of weight loss without dieting is picked up as pro-anorexia?

[Update, 20th June 2013: This has now been reclassified and unblocked on O2]

Campaign against political correctness 

www.capc.co.uk/

Not really clear how the CAPC is harmful to children, but it is blocked by O2 as 'hate speech'. The campaign is backed by Philip Davies MP and Andrew Percy MP. Blocked by Orange and O2.

Luxury lingerie

www.thehouseofseduction.com

Blocked by Vodafone / Virgin Mobile; allowed on Orange and O2. Sells lingerie but is probably not much more pornographic than an average Argos catalogue.

Mari Thomas Jewellery

Online jewellery site Mari Thomas is blocked by O2 and Orange. O2 classify the site as an 'anonymiser', for reasons that are entirely unclear.

Another gift shop blocked over Christmas 

In January we wrote about how Orange had blocked another shop www.foreverandeternity.co.uk over December of last year. Despite reporting the block in early December it took a month to get it unblocked. The reason seemed to be that the site sold engraved lighters and was categorised as smoking related. The site was thus blocked at a key commercial moment. If blocking on such a broad scale becomes more widespread, who is liable?



June 14, 2013 | Javier Ruiz

Open Data: Government Responds to Shakespeare's Review

The government has responded to the independent review of Public Sector Information (PSI) carried out by Stephan Shakespeare, chair of the Data Strategy Board. Here are our first impressions.

A National Data Strategy?

The tone of the Government's response (PDF and ODT) is of general agreement, but without a clear-cut commitment to embark on the open data supply revolution asked for by Shakespeare. There will be a process to define a “National Information Infrastructure” composed of the most important datasets held by Government. This is preferred to the term “core reference data”.

A new set of criteria published on data.gov.uk will be used to assess the usefulness and transformative potential of datasets. This is a very good approach, but there is no equivalent of the US executive order forcing departments to simply do it. There are long-winded references to the new EU PSI directive that will come into force in 2015. The Transparency Team at the Cabinet Office is going to help departments apply those criteria to identify the key datasets. But the Transparency Team is already quite stretched, so it will be hard to do this without extra resources.

The government will also try to involve local authorities and other public bodies, but with the Trading Funds we can only expect incremental change. There are some good ideas regarding access for micro-businesses and non-profits including a commitment to allow them increased access to the Postcode Address File.

ORG has been campaigning for the file to be freely accessible and we welcome this as a positive step, while acknowledging there is more to be done:

Recognising the continued importance of the Postcode Address File (PAF) to private sector growth and the efficient running of the public sector, we have agreed with Royal Mail that they will provide the PAF for free to independent micro-businesses for one year and to independent small charitable organisations. Royal Mail will consult in July on a radical simplification of the licensing regime for all users.

Simplified governance of Open Data policy

The government promises to tackle the proliferation of open data responsibilities, so ironically the review may cost Shakespeare his post. The one concrete commitment so far is the merger of the Data Strategy Board with the Transparency Board. The remit, authority and oversight of the new board will be an important aspect of this policy until it becomes truly embedded in the departments.

Fuzzy response on privacy

The title of the response section on privacy is Maximising the benefit from personal data. There the government expresses agreement with Shakespeare’s general approach, which they claim is reflected in the UK government’s approach to the new EU Data Protection Regulation.

This approach is meant to balance privacy with growth and innovation. Unfortunately, the evidence in relation to the UK’s engagement with the Data Protection regulations is that protection of rights comes second to perceived business interests. The UK has consistently tried to undermine the progressive proposals in the original regulations.

The response provides few concrete proposals in this area though. This is not surprising given the complexity of privacy regulation and the processes already in place in Brussels. For example, Shakespeare asked for custodial sentences for data protection breaches, but the response is that these are already possible via other legislation, such as the Computer Misuse Act.

There are some worrying moves in relation to data-sharing among departments. The Law Commission is working on a scoping project to see if there are any real legal obstacles to the free flow of data across government. This is an area we will be watching closely.



June 14, 2013 | Lee Maguire

Has the NSA "poisoned the well" for responsible disclosure?

Will secret arrangements between tech companies and US intelligence affect how independent security researchers disclose vulnerabilities?

Revelations about the PRISM project show that US tech companies have been compelled to provide special assistance to US intelligence agencies. This has also drawn fresh attention to "responsible disclosure" systems regarding information about security vulnerabilities in those companies' products.

Early access to security vulnerabilities, flaws in the code or design that would allow an attacker to gain privileged access to computers - from smartphones to servers - and the data they hold, is desired by governments. The information can then be used both in a defensive capacity (protecting their own systems) and an offensive one (attacking systems they would, for whatever reason, like access to).

A legal commercial market for security vulnerabilities exists. But many security researchers choose to disclose vulnerabilities to companies and agree to wait for a set period of time before publicly disclosing their findings. That is considered 'responsible disclosure'.

However, a report by Bloomberg today highlights the arrangement between companies such as Microsoft and intelligence agencies through which advance information about vulnerabilities is disclosed. These disclosures will be made in the knowledge that the information can be used both defensively and offensively. No implication is made that these arrangements are legally compelled rather than voluntary.

But as the secret arrangements between US tech firms and intelligence services become a cause for concern, will this affect how disclosure arrangements are perceived? Will researchers see themselves as assisting US intelligence? If, when they share their findings with service providers, those service providers simply share the details with intelligence agencies, aren't service providers undermining incentives to responsibly disclose? Will foreign governments regard their own citizens participating in responsible disclosure as providing electronic arms to a foreign power?



June 14, 2013 | Peter Bradwell

EU Commission caved to US demands to drop anti-PRISM privacy clause

...and how European policy makers can undo their mistake.

Reports this week revealed that the US successfully pressed the European Commission to drop sections of the Data Protection Regulation that would, as the Financial Times explains, “have nullified any US request for technology and telecoms companies to hand over data on EU citizens.”

The Article (which you can read below) would have prohibited transfers of personal information to a third country under a legal request, for example the one used by the NSA for their PRISM programme, unless “expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority.”

The relevant section is Article 42, which you can read in a leaked draft Data Protection Regulation from late 2011, available from State Watch.

The Article was deleted from the draft Regulation proper, which was published shortly afterwards in January 2012. The reports suggest this was due to intense pressure from the US. Commission Vice-President Viviane Reding favoured keeping the clause, but other Commissioners seemingly did not grasp the significance of the article. The FT explains:

“the move came after repeated visits to Brussels by senior Obama administration officials, including Cameron Kerry, the commerce department’s top lawyer and brother of US secretary of state John Kerry, who chairs an inter-agency task force responsible for vetting EU data-exchange laws.”

In the wake of the PRISM stories and increased awareness of the powers available to the NSA through "FISAAA" (the law enabling the PRISM programme), this looks like a major error of judgment – surrendering Europeans' data and, potentially, damaging the competitive advantage that cloud services based within the EU could have offered.

In response to such strong public concerns, and the fact that EU citizens have no rights protecting their data under FISAAA, the Commission and other European policy makers need to show some leadership and stand up for the citizens they are supposed to represent, by reinstating the Article.

This is the second example that we have publicised this week of European policy makers weakening the Data Protection Regulation and thus making the NSA FISAAA surveillance on European citizens easier. We blogged this week about Baroness Ludford's amendment that would delete your right to know if your data will be transferred to a third country or international organisation. We hope the Baroness withdraws this amendment.

We thought it would be helpful to post up the relevant deleted sections, which are copied below. The full leaked Regulation that includes Article 42 is available from State Watch.

For an introduction to the FISAAA law, watch the video of Caspar Bowden's excellent ORGCon talk on this.

From the introduction:

"Article 42 clarifies that in accordance with international public law and existing EU legislation, in particular Council Regulation (EC) No 2271/96, a controller operating in the EU is prohibited to disclose personal data to a third country if so requested by a third country's judicial or administrative authority, unless this is expressly authorized by an international agreement or provided for by mutual legal assistance treaties or approved by a supervisory authority."

Article 42

Disclosures not authorized by Union law

1. No judgment of a court or tribunal and no decision of an administrative authority of a third country requiring a controller or processor to disclose personal data shall be recognized or be enforceable in any manner, without prejudice to a mutual assistance treaty or an international agreement in force between the requesting third country and the Union or a Member State.

2. Where a judgment of a court or tribunal or a decision of an administrative authority of a third country requests a controller or processor to disclose personal data, the controller or processor and, if any, the controller's representative, shall notify the supervisory authority of the request without undue delay and must obtain prior authorisation for the transfer by the supervisory authority in accordance with point (b) of Article 31(1).

3. The supervisory authority shall assess the compliance of the requested disclosure with the Regulation and in particular whether the disclosure is necessary and legally required in accordance with points (d) and (e) of paragraph 1 and paragraph 5 of Article 41.

4. The supervisory authority shall inform the competent national authority of the request. The controller or processor shall also inform the data subject of the request and of the authorisation by the supervisory authority.

5. The Commission may lay down the standard format of the notifications to the supervisory authority referred to in paragraph 2 and the information of the data subject referred to in paragraph 4 as well as the procedures applicable to the notification and information. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).



June 13, 2013 | Peter Bradwell

Baroness Ludford's proposals take away your privacy choices

Many amendments proposed by Liberal Democrat MEP Baroness Ludford to the Data Protection Regulation would leave us with less control of our personal information. In this post, we focus on consent and loopholes.

Yesterday we wrote about Baroness Ludford's amendment to the Data Protection Regulation (amendment number 1210) that would mean your data could be transferred to a third country or international organisation without you being told. In the light of the PRISM revelations, we suggested this amendment should be withdrawn.

Baroness Ludford proposed a number of other amendments that we believe would seriously weaken the Regulation and undermine the control people have over their data. In this post, we focus on two other topics – consent, and loopholes. (Overall the Baroness proposed 113 amendments – you can read them all on LobbyPlag.eu. EDRi have analysed all the amendments too.)

1. Consent

The draft Regulation defines consent as having to be 'explicit'. However, in her proposed amendment 762, the Baroness removes words including 'explicit', leaving us with a much weaker definition. Here is the amendment:

Amendment 762
Article 4 – paragraph 1 – point 8

(8) ‘the data subject’s consent’ means any freely given specific, [DELETED: informed and explicit] [INSERTED: and informed] indication of his or her wishes by which the data subject, [DELETED either by a statement or by a clear affirmative action,] signifies agreement to personal data relating to them being processed;

Consent is one of the legal bases of processing. It is frequently abused, especially online, where collection is often based on vague or confusing language. Sometimes businesses say it is enough that someone's behaviour – for example signing up to a website – implies that they consent to the use of their data.

Removing the word 'explicit', or replacing the definition with vaguer language, would allow companies to continue to assume consent has been given. They would be able to continue to assume you have 'implied' your consent, or to include consent language in hard to understand terms and conditions. Implied consent is effectively what we have now in the UK, and it has allowed companies to basically make it up as they go along.

As we mentioned yesterday, in an article for LibDem Voice Baroness Ludford cites the European consumer organisation BEUC's position on consent in support of her position. In a response sent to members of the LIBE Committee, BEUC have been strongly critical, adding that it was “to their dismay...that...(she) referred to our position on ‘consent’ in isolation and without referring to the points included in the BEUC position.” BEUC go on to say that other amendments proposed by the Baroness would “systematically reduce the level of protection that consumers in the UK and elsewhere enjoy”.

2. Creating broad loopholes

The proposed Regulation as it stands would also make sure that those wishing to gather and use data can only do so if they satisfy one of six grounds. Amendments that widen these grounds create a risk that it will be too easy for businesses or organisations to use data in ill-defined ways, or in ways that people can't control.

Some of the Baroness' amendments do just that. Amendment 862 would permit processing simply on the basis of industry codes of practice – taking your consent away from you on the basis of an agreement put together by businesses – for example, advertising companies – in which they merely promise to play by the rules.

Amendment 862
Article 6 – paragraph 1 – point c

(c) processing is necessary for compliance with a legal obligation [INSERTED: or regulatory rule or industry code of practice, either domestically or internationally,] to which the controller is subject;

Further, we are concerned about amendment 876, which potentially means that data controllers – meaning Facebook, Google or Experian – could make assumptions about what people's 'legitimate expectations' regarding the efficient delivery of a service are, and use personal data on that basis. This should not be a decision in the hands of the data controller.

Amendment 876
Article 6 – paragraph 1 – point f

(f) processing is necessary for the purposes of the legitimate interests pursued by a controller [INSERTED: such as to detect crime or to prevent crime, fraud, loss or harm or to meet the legitimate expectations of the data subject in the efficient delivery of the service], except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. This shall not apply to processing carried out by public authorities in the performance of their tasks.


There are two further reasons, on top of amendment 1210, that we remain concerned about the damage the Baroness' amendments will do to our privacy rights. We do not believe this is an overreaction. We'll post some more tomorrow.

You can contact your MEPs on our campaign website to ask them to respect our privacy rights - just visit NakedCitizens.eu.
