Blog


July 20, 2016 | Jim Killock

Is the CJEU passing the buck on data retention?

It is an increasing feature of debates about the mass retention of data that nobody wants to be the person that says yes or no. It is so clearly problematic to retain huge amounts of personal data, and in some cases to analyse it, that it is hard to see how it could ever be reconciled with the right to privacy.


However, who is prepared to stand up against these practices when police or others say it is necessary for their work?

That is the dilemma facing the Court of Justice of the European Union (CJEU) in their decision on the Davis-Watson (now just Watson) challenge to the Data Retention and Investigatory Powers Act (DRIPA). The CJEU were asked by the UK courts how EU law might restrict domestic data retention law, as the EU court had found the EU’s Data Retention Directive 2006 to be unlawful, after a challenge from Digital Rights Ireland (DRI). Open Rights Group intervened in the Watson case with Privacy International, and made oral submissions at the CJEU, thanks to the many hundreds of supporters that joined to help us challenge DRIPA in the courts.

The Advocate General’s opinion on this essentially appears to say that it may be possible – if difficult – to justify mass data retention, when there is literally no other means of solving serious crimes. However, he says that this decision has to be made in a national context, and is therefore up to national courts. In his Opinion, he states that the extent of EU law is to set compulsory minimum guidelines around any data retention scheme, that they must only relate to metadata, rather than content, and to insist that any scheme must protect the “essence” of the right to privacy.

Retention schemes must relate to serious crimes, not other, less important concerns. As with what the “essence” of the right to privacy could be interpreted to mean by our domestic courts, the same problem exists for what should be classified as a “serious” crime. There is no consistently applicable definition of a serious crime across English criminal law. Should “serious” crime be interpreted to mean: offences that are indictable only (which means they can only be tried in the Crown Court), such as murder, rape and false imprisonment; offences which are so serious that only the National Crime Agency should investigate them, such as human trafficking, kidnap and extortion; or offences which could attract Serious Crime Prevention Orders under the Serious Crime Act 2007 in the interests of public protection, such as drug and firearms trafficking? Or will the bar be set so low as to include offences which could attract a maximum of a six month custodial sentence at the Magistrates’ Court, such as common assault or criminal damage under £5,000?

The Opinion makes it clear that independent authorisation of access requests is absolutely critical to safeguard any retention scheme. It also notes that this is absent from the UK’s regime, which allows police officers to make these decisions. By reiterating the original criteria that the CJEU outlined for data retention in the DRI judgment, the Advocate General makes it clear that he believes a UK court should insist on independent authorisation as part of the minimum requirements under EU law.

The CJEU leaves it open to make further challenges to the proportionality of data retention. In the UK, this would require our Supreme Court and possibly the European Court of Human Rights to decide whether our own schemes are proportionate.

In some senses, this may be the natural balance, in the absence of more codified EU requirements and the longstanding assumption that domestic courts apply EU law directly, but it is also something of a cop out. If the UK becomes increasingly out of step with EU norms, would it still be reasonable to say that national courts should decide these balances, when it is every EU citizen that engages with the UK whose rights are affected? Why should different member states, each with the same right to privacy, come to wildly different conclusions about the legitimacy of data retention? And they have, with many EU countries simply ruling data retention incompatible with domestic constitutional privacy rights.

The interesting and difficult problem with data and Internet based services is that free expression and privacy are very often impacted. Unlike the sale of many traditional goods, human rights have to be a consideration.

This problem will not go away, even if the UK leaves the ambit of the CJEU and perhaps EU law altogether. The EU’s legal framework would insist that guarantees exist. This led Max Schrems to speculate that there could be a challenge to any data protection arrangement between a Brexit UK and the EU if our current surveillance laws are still in place. The new Investigatory Powers Bill (IP Bill), which will replace DRIPA, would in his view make a nonsense of the UK’s claims to protect data and privacy.

The government may be tempted to play down or ignore these concerns, as it has done in the past. That temptation is real, since the IP Bill will in any case need to be challenged afresh.

However, this clash is not something where Theresa May or Amber Rudd are simply in control of events, and can face down opponents. The courts will be forced to make judgments, sooner or later, and the EU and its legal system will be under increasing pressure to ensure that the UK has sufficient respect for the rule of law and fundamental rights as it concludes agreements with us as an external partner. The safe option is to do everything possible to comply with these judgements, so that they do not become a matter of dispute in our new relationship with the EU.



July 14, 2016 | Pam Cowburn

Could Boris Johnson’s appointment persuade the Lords that we need judicial authorisation?

Boris Johnson’s appointment as Foreign Secretary has become a listicle lover’s dream as every news outlet compiles its favourite diplomatic faux pas.

Is it penning a goat-shagging limerick about Turkey's President Erdogan? Claiming Barack Obama's Kenyan heritage means he has an “ancestral dislike of the British empire”? Or describing Hillary Clinton as having “a steely blue stare, like a sadistic nurse in a mental hospital”? While Eton-educated Alexander Boris de Pfeffel Johnson is commended for taking politics to the common man, there are concerns that his gaffe-prone tendencies mean he is unsuited to managing the diplomatic needs of a Brexiting UK that wants to secure its place on the world stage.

However there has been little discussion of one of Johnson's key responsibilities in his new role. Along with new Home Secretary Amber Rudd, Johnson will get to authorise surveillance warrants for the UK’s intelligence agencies.

While Rudd is still something of an unknown, the man who likes to respond to difficult questions with “blah blah fishcakes” is not known for his love of detail. Nor does he appear to have an aversion to breaking the rules: he was sacked by The Times for making up a quote, and from the Conservative front bench in 2004 when he failed to come clean about an affair. But now decisions about whether GCHQ should be permitted to hack networks or tap into fibre optic cables will fall to a man who, it is alleged, did not follow procurement procedures properly while Mayor of London. Boris will of course be supported by senior officials in making these decisions. And who knows, he may scrutinise warrants with the dedication that he showed for cricket in the days after Brexit.

Flippancy aside, this is something that both Rudd and Johnson are likely to find challenging. They will need to learn the legal interpretations of necessary and proportionate, and assess what the agencies are asking of them. They will need to swiftly understand the legal frameworks as they decide who is surveilled and how, and assess whether the requests are justified. There is also a question of logistics. Theresa May reportedly signed off the equivalent of ten warrants a day while Home Secretary.

Such complex legal decisions should not be down to politicians who may have little or no expertise in the practicalities of surveillance and the law. Most countries insist that independent judges sign off warrants for surveillance. The UK is the only Five Eyes country (a group that includes the US, New Zealand, Australia and Canada) to allow politicians to do so. The reason is obvious. A leaked GCHQ document noted: “Senior High Court judges (they) are INDEPENDENT, non govt (sic) and not openly swayed by personal contact”.

Prime Minister Theresa May has claimed that the Investigatory Powers Bill will introduce a double lock of authorisation with Judicial Commissioners checking ministers' decisions. But the detail of the Bill means that Commissioners will be checking the process and will not have the powers to challenge surveillance decisions.

Independent judicial authorisation will do more than just ensure that surveillance decisions are necessary and proportionate. It may help the Government get the cooperation it seeks from US tech companies. In his report, A Question of Trust, the Independent Reviewer of Terrorism Legislation, David Anderson, noted: “a number of major US companies, accustomed to the FISC procedure in the US, disliked the notion of authorisation by the Secretary of State and indicated to me that they would be more comfortable about complying with a warrant if it were judicially authorised.” (p207)

The IP Bill is currently being scrutinised by the House of Lords who can amend it to ensure that the UK has independent judicial authorisation. It's not too late to get the ‘blah blah’ details right.



July 13, 2016 | Javier Ruiz

Telcos threaten to pull 5G investments if EU net neutrality rules are not watered down

European telcos and big industrial conglomerates demand relaxation of Net Neutrality rules, threatening to delay major investments on new 5G mobile technology.

A public EU consultation on the future deployment of 5G mobile technology closed yesterday. The same day a coalition of Europe’s largest telecommunications companies and industrial conglomerates, from Vodafone to Siemens, sent the European Commission a “5G Manifesto”. The document is standard policy lobbying fare, describing the untold wonders that 5G’s low-latency hyper-connectivity will deliver, such as self-driving cars, remote healthcare, smart grids and immersive media, while asking for leadership, massive public funding and the softening of regulations.

The global roadmap and standards for 5G have been developed by the International Telecommunication Union (ITU), an intergovernmental body, in collaboration with the mobile industry. The main headline of the ITU’s IMT-2020 vision is a peak data rate of up to 20 Gbps, with 100 Mbps for the individual user, and data taking centre stage from calls; but behind those figures there are many complex technical changes to how data is transmitted and how networks are configured.

Industry’s policy offensive is focused on the Net Neutrality rules that have been put forward for public consultation by BEREC, the European body of telecoms regulators that includes Ofcom.

The main argument from industry is that BEREC’s rules would hamper the development of “network slicing,” a key feature of 5G, which means creating separate virtual networks using the same physical infrastructure. These sliced networks are aimed at “industry verticals”: transport, energy, health, etc. The paper does not explain why the allowances for “specialised services” in BEREC’s proposed rules would not make this possible. The lobbyists’ manifesto simply threatens that investments will be delayed unless regulators find a way to “reconcile the need for Open Internet with pragmatic rules that foster innovation.”

The mythical golden days of the Open Internet as a geek run paradise of free expression may have passed — but we still need to keep in check these kinds of statements. For starters, it is hard to see what can be more pragmatic and innovative than the deceptively simple technical standards that built the Internet.

The protection of particular traffic and the development of specialised software based networks in itself may not be an issue. Everyone would want their self-driving car — or school bus, or street cleaning robot — to be as safe as possible. The relationship between industrial machine-to-machine traffic and human oriented traffic may not be the critical angle either. After all, media and entertainment appear in roadmaps as just another industry that can get its own slice of the cake. Net neutrality rules would appear to leave enough flexibility for such developments.

The main problem with the vision for global mobile hyper connectivity proposed by industry and the ITU is that it may hamper innovation by locking in the future profits of incumbent telcos and locking out citizens and SMEs from an internet-of-everything controlled by Siemens, Thales and other mega-conglomerates. A future mobile communications system purely driven by the needs of industry will also derail the social innovation required to get the European continent out of the current crisis. Freedom of expression may not thrive in the same way in such a controlled environment. For example, paragraph 18 of the BEREC text clearly states that machine to machine communications like smart meters are "outside the scope of the Regulation, unless they are used to circumvent this Regulation."

What the manifesto really says is that telcos are fed up with seeing connectivity becoming a commodity and will only invest if they can create a differentiated market and charge a premium for exclusivity. This is a natural demand, and fair play to them. They should explain how this will not lead to a repeat of the extortionate prices for mobile communications we are only now barely starting to leave behind. Someone will have to pick up the tab. What is more depressing is seeing the European Commission once again uncritically supporting big businesses’ demands, as if that was the only kind of industrial policy possible.

The future of mobile connectivity is too important to leave it to a small group of profit seeking organisations and bureaucrats. Society needs to be part of the discussions on strategic telecommunications such as 5G, in the same way we accept that decisions on high speed rail or nuclear power need a wider input. These developments will affect our lives and will cost taxpayers billions of dollars, euros and pounds.

It is unclear whether the mobile telephony model based on ITU top down standards, absolute government control and centralised infrastructure built by a handful of large companies can deliver the kind of ubiquitous connectivity required in the future. The Open Internet that everyone claims to protect has been a success so far precisely because it has taken a very different route based on open standards, decentralisation and multi-stakeholder governance. Large investments will certainly be required, but the role of industry and ideas of profit rewarded risk and investment may need to be questioned for projects that are too critical to fail.



July 12, 2016 | Ed Johnson-Williams

Net neutrality in Europe: what are the issues?

BEREC, the European body of telecoms regulators, is consulting on net neutrality at the moment.

Net neutrality is the principle that Internet Service Providers should treat all data on the Internet equally. This might sound dry but it's crucial. It means that ISPs can’t arbitrarily decide that some content, applications or services should be given priority, delivered faster, or blocked.

This has helped ensure that ISPs have to compete with each other and so helps keep broadband prices down. It also minimises the restrictions on which parts of the Internet you can access and how quickly you can access them. Finally, it helps startups to compete with big Internet firms and supports innovation in the digital economy.

The European Parliament adopted a new regulation on net neutrality in October 2015. There are good things in the regulation including the requirement for Internet providers to tell customers in contracts what the minimum, average and maximum bandwidth of any Internet access connection is.

Unfortunately, some areas of the text are not clear and are open to abuse. Because the text is unclear, the European Parliament in effect left it to BEREC, the European body of telecoms regulators, to decide how to interpret the text.

BEREC published its draft guidelines on how it was going to interpret the net neutrality regulations, and a consultation on those guidelines, in June 2016. The consultation is open until 1pm on Monday 18th July (UK time). The Regulation requires BEREC to publish its final guidelines by Tuesday 30th August 2016.

The SavetheInternet.eu campaign is asking people to respond to the BEREC consultation and call for the rules to protect ordinary Internet users and the online economy. You can take part in the consultation through SavetheInternet.eu before Monday 18th July, 1pm (UK time).

Major concerns remain in particular about three areas: specialised services, traffic management, and zero rating.

Specialised services
There are concerns that BEREC's guidelines could allow companies to pay ISPs to become Specialised Services, whereby the Internet traffic from their service would be delivered more quickly. This is one of the headline concerns of net neutrality campaigners: that big companies could pay to join an Internet 'fast lane' to the detriment of smaller companies.

SavetheInternet.eu is calling for BEREC to ensure rules and systems are in place to guarantee that, if a company is granted a specialised service, the optimisation is objectively necessary for the service to be accessed. If there is a comparable service on the open Internet, a specialised service should not be granted. SavetheInternet.eu also calls for ISPs to ensure that, if the quality of Internet traffic to and from specialised services is improved, the quality of Internet access for everybody else is not harmed.

Traffic management
ISPs can manage traffic on their networks. This means they can prioritise certain traffic and restrict the speed of other traffic. SavetheInternet.eu's position is that traffic management should be used for a specific purpose, with the least intrusive measures possible, and for a limited time when it is genuinely necessary to achieve a legitimate goal. There are also concerns that, because ISPs cannot tell what services or applications their customers are using when they use encrypted connections, such data may automatically be put in a “slow lane”, and that this may disincentivise the use of encryption.

Zero rating
Zero rating is the commercial practice of Internet Service Providers not counting data downloaded from certain applications or services towards a customer's download cap. Although it may appear to save consumers money, the effect of it can be that the ISP becomes a gatekeeper on which services you can use or are incentivised to use. It helps big companies to protect their position in the market and harms their competition. It is common in some parts of the world but we are unable to find examples of it in the UK. The SavetheInternet.eu campaign is calling for BEREC to clearly prohibit zero rating.

There is a comprehensive list of FAQs on these issues on the SavetheInternet.eu website.

Remember you can take part in the consultation through SavetheInternet.eu before 1pm on Monday 18th July.



July 08, 2016 | Javier Ruiz

Overview of the Digital Economy Bill 2016

Our first impressions on the Digital Economy Bill 2016. We will be looking at each section in more detail over the coming weeks.


The Digital Economy Bill 2016 was announced in the Queen’s Speech 2016, and has its first reading in the House of Commons this week. It will deliver several policy initiatives that ORG has engaged with over the past two years. Over the coming weeks, we will provide further analysis and campaign around the many issues raised by this far reaching Bill.

The Digital Economy Bill looks like the drawer where all the "fix the internet" ideas that the current government has been considering over the past few years have ended up. Digital rights activists will be busy for some time.

• Part 1: Access to Digital Services

This part of the Bill seems the least controversial and likely to be welcomed. The government is introducing a new broadband Universal Service Obligation (USO) of 10 Mbps and enhancing Ofcom’s powers to demand more transparency and compliance. We will be looking at this part of the Bill to see if there are any potential pitfalls, or improvements that can be presented as amendments.

• Part 2: Digital Infrastructure

This part includes a highly technical series of measures dealing with a range of infrastructural issues, from land acquisitions to spectrum management. There seem to be few digital rights issues.

• Part 3: Online Pornography

This is a very problematic section. After several years of discussions, the government is finally making it compulsory for all porn websites available in the UK to implement age verification. The Bill covers all commercial websites designed for sexual arousal, including materials classified as 18 and not only R18 (the hardcore that must be sold only in sex shops), located anywhere in the world. On demand services are excluded, and there are issues with the definition of commercial, but the intent is to capture as many websites as possible.

A new regulator will be created to deal with this challenging idea. There are very serious privacy and security issues here: a potential data breach of British citizens' porn preferences and credit card details is a blackmailer's paradise. The mechanisms for age verification are not defined, and making this work in a privacy respecting manner will be very difficult, if even possible. Simple mechanisms such as providing a card or inputting a date of birth will not cut it. The Digital Policy Alliance (DPA) has been working behind the scenes with the porn industry and other sectors to try to define an industry led standard for age verification. We have heard some vague ideas about using smart crypto and decentralised trust frameworks similar to the government initiative Verify, but there are no details available.

The main enforcement mechanism appears to be based on the wider “follow the money” approach we see in copyright debates. The regulator will work with payment providers to remove sources of income. It is very unclear how this is going to stop advertising funded websites as porn specialist ad networks may not be easy to get on board. The Bill also includes injunctions, but we need to analyse properly to what extent blocking will be used.

Original proposals to use the existing web blocking infrastructure for the mandatory blocking of all porn websites unless they complied – a whitelisting of age verified sites – seem to have been abandoned. But it is unclear if an aggressive regulator could use the powers in the Bill to block sites. We have concerns that making payment providers a core element of enforcement is part of the slippery slope away from due process and clear state responsibilities in Internet regulation.

• Part 4: Intellectual Property

The penalties for “online infringement” (communication to the public) are being increased from a maximum of two years to a maximum of ten years in prison. We ran a campaign during the consultation and it seemed that we had won the argument, but political pressure eventually bypassed the consultation process and other evidence.

Partly in an attempt to deal with headlines that this was “10 years for filesharing", the IPO has rewritten the definition of criminal liability. They told us during meetings that the new definition would make it very clear that ordinary internet users - including filesharers - would not be targeted, and raising the penalty would also mean narrowing its application to real criminals. Unfortunately the final draft appears to be as bad or worse than the original, with a very low threshold of “having a reason to believe” that the right holder will be exposed to “a risk of loss”.

• Part 5: Digital Government

This part of the Bill is the conclusion of the long process of open policy making on data sharing, in which ORG has been involved throughout. There are no big surprises there, and we have summarised the issues and concerns in various blogs and consultation responses.

Some of the proposals are not too problematic, such as sharing data to help to deliver winter fuel discounts, but when put together they amount to a massive shift in data processing across government. The safeguards proposed are not always strong enough and are mostly placed in codes of practice of dubious enforceability. Some of the proposals are more worrying. We have raised concerns particularly about the bulk sharing of civil registration data - births and marriages - without any apparent purpose limitation and with thin safeguards.

The proposals to share the data of people in debt across government departments are also worrying, as they could affect vulnerable people and may not deliver benefits without changes to how data is handled. Even if government departments know that someone also owes money elsewhere, they cannot cancel or reprioritise the debt. Despite repeated assurances to the contrary, it is hard not to see this new power as connected with the new privatisation of debt collection across government with the Debt Market Integrator. It appears that the Bill is creating the data sharing powers to enable policies that have not been properly outlined or discussed.

ORG will be seeking improvements in some areas: tightening purposes, strengthening safeguards and moving these from codes of practice to the face of the bill, and making any reviews proper sunset clauses requiring a Parliamentary reboot, rather than a ministerial nod.

We will also ask for the removal of the disproportionate powers for bulk sharing of civil registration, or at least severe restrictions on their scope.

• Part 6: Ofcom and Other Regulation

An omnibus within the omnibus Bill, this part contains a ragbag of measures around Ofcom, e.g. the appeals process, but also apparently the power for the BBC and public service broadcasters to charge Sky and Virgin for retransmission. This is another area where we need further work picking up any issues.

There are also new powers for the ICO to deal with direct marketing and nuisance calls, which seem much needed, but may need improvements.

We will be campaigning on various aspects of the Bill. Get in touch or join ORG if you’d like to get involved.




June 29, 2016 | Jim Killock

How digital rights will be affected by Brexit

The UK’s vote to leave the EU means that we no longer have a clear idea what levels and kinds of protection of digital rights we will have in the future. Nearly all the relevant law is European. A lot depends on the kind of model of leaving the EU that the UK adopts.

The short term

Nothing changes in the short term. The UK must continue to abide by EU legislation and incorporate new regulations and directives as they come along. Decisions of the Court of Justice of the European Union (CJEU) must be implemented. This could produce the potential for conflict between the UK and the European Union, as the EU decisions will be seen to be less politically legitimate. However, it would be unwise for the UK to pick fights and fail to abide by EU law, as this would risk a swift ejection, and certainly weaken our negotiating position. Yesterday we also discussed the implications for the Investigatory Powers Bill debate.

Legislation that we currently depend on

Data Protection laws, e-privacy, net neutrality and other telecoms regulations, copyright enforcement and copyright laws are all currently written in the EU. Data retention and Passenger Name Record retention are also decided upon at EU level.

Some of this legislation is very positive. The new data protection regime will for instance provide much better enforcement of some basic privacy rights.

EU legislation also has to abide by fundamental rights, defined in the Charter of Fundamental Rights and interpreted and enforced through the Court of Justice of the European Union (CJEU). Outside of the EU, the direct influence of the CJEU on UK law will be much lessened.

Enforcement of human rights

Recently, the CJEU has made many major digital rights advances, such as limitations on data retention and requiring better privacy protections from the USA for data transfers, and thereby cancelling “Safe Harbour”. This has not always been popular with the UK government.

In the longer term the CJEU and European Court of Human Rights (ECHR) should work to the same privacy standards, so in theory the UK’s legislation will still be subject to the same considerations. However, the ECHR does not make instructions to UK legislators, but sets principles which must be taken into account when looking at laws. This leaves a lot of flexibility in the hands of legislators. In contrast, the CJEU as an EU court makes direct instructions to EU institutions about laws and decisions, which has been demonstrably effective.

The Single Market

It is possible that these laws continue to be important, depending on the level of future integration with the Single Market. If so, things will be difficult for UK digital rights advocates, and digital industries, in that we will have less opportunity to shape legislation, for instance by working with MEPs. Single Market access is commonly known as the “Norwegian model” or European Economic Area (EEA) membership.

However, many digital businesses will prefer having the legal frameworks to standing fully outside of the Single Market.

If we are in the EEA, then the CJEU is no longer involved in UK decision making regarding EU law. The EEA has its own court for these purposes, the EFTA Court. It does not consider human rights in its decisions, however.

Single Market access is both economically rational and politically very difficult, especially given the debate about immigration, as free movement of labour is likely to be a requirement. There would still be payments to the EU. The major change would be control of fish and agriculture policy.

Many Conservative politicians seem to be edging towards this kind of position as a workable compromise, albeit they contend they can secure limits on free movement. EEA membership would satisfy the narrow result of the referendum.

Full Brexit

It is also possible that a ‘full Brexit’ leaving us outside of the Single Market would place all these laws into flux. At this point, the laws might be simply incorporated into UK law, or else, they would be reviewed and potentially scrapped.

For UK digital rights, this would be the most concerning. The pressure to deregulate in order to compensate for the loss of single market access would be very high. The changes could be made very swiftly, with little democratic oversight.

We would need to be confident that the UK develops much stronger constitutional protections for human rights to be fully supportive of a solution along these lines. We would need to be convinced that Parliament would be in control of the changes and would be given sufficient time to consider the changes it would be making.

There is a democratic case for a full Brexit, rather than staying within the Single Market while the EU sets laws with just consultation processes to understand the position of the UK government.

That said, the influence of EU legislation would not simply disappear. Passenger Name Record legislation may have to exist for flights to continue between the UK and EU, and data protection standards have to exist if UK companies trade with EU citizens. Even the USA has to provide these protections for Europeans. We could easily end up copying the bulk of legislation even outside of the Single Market, but of course, with even less influence over its development, and less of the economic benefits.

The digital environment is already international. There are good reasons for laws to become more consistent, rather than less. Whatever solution is adopted, this pressure will exist.

What do we do?

The Open Rights Group will engage in a discussion with supporters and experts about our preferred way forward, and how we deal with some short term issues, such as enforcement of net neutrality provisions. Decisions about the UK’s future will be based on much wider considerations, but we will explain the impacts of different models on digital rights. If you have thoughts about any of these issues, please let us know in the comments, or get in touch by email.



June 28, 2016 | Pam Cowburn

What does Brexit mean for the IP Bill?

The outcome of the referendum could affect the progress of the IP Bill.

One of the consistent criticisms by ORG and other civil society organisations has been that there has been insufficient scrutiny of such an important and far-reaching Bill. While parliamentarians, media and the public are preoccupied with the outcome of last week’s EU referendum, it's unlikely that such scrutiny will take place now. That’s why ORG has called for the progress of this Bill to be put on hold until we have a new Prime Minister and a clearer sense of what the UK’s political future looks like. The Government will no doubt do everything it can to keep the IP Bill on track but the political fallout of Brexit and ongoing legal cases could affect the Bill’s progress.

Watson/Davis ruling

The Court of Justice of the European Union is likely to issue its Judgment about the Data Retention and Investigatory Powers Act (DRIPA) case brought by MPs Tom Watson and David Davis. In 2015, the High Court ruled that parts of DRIPA were unlawful; the Government appealed and the case was referred to the CJEU. Their Judgment will have implications for the data retention powers outlined in the IP Bill.

In the short term, as negotiations proceed to leave, there may be a temptation to ignore CJEU rulings. However, this would be highly unwise, as it would leave the UK open to swift ejection from the EU on grounds of failing to abide by our treaty obligations. This would weaken the UK’s negotiating hand as well as angering our negotiation partners.

The European Court of Human Rights is different from the CJEU. It rules on the European Convention on Human Rights, which the UK is currently signed up to whether or not it leaves the EU – although the Home Secretary and possible Conservative Party leader Theresa May has called for the UK to withdraw from the convention.

In theory, the ECHR and the Charter of Fundamental Rights set the same standards on privacy and other human rights. So in the long term, the same principles set by the CJEU judgments should eventually be set by the ECtHR in other new cases. However, this means new legal challenges that ask this court to explain the principles. And unlike the CJEU, the ECtHR lacks the powers to instruct legislators to alter or delete legislation or to remove decisions. Instead, it gives general advice on the principles to be adhered to.

So theoretically, Brexit would have no effect on standards of privacy. In practice, if we are outside of EU law, protections related to many Internet matters will be weaker, in that they will take a lot longer to fix, and the government has much greater flexibility in addressing them.

Data protection

Under European data protection law, when companies are transferring EU citizens’ data to non-EU countries, there must be an adequate level of protection for this data. On Friday, the Information Commissioner’s Office issued a statement that said:

“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove 'adequacy' - in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018.

“Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary”.

This could mean that the IP Bill, as well as data protection law, will need to be reformed. As the Safe Harbour case brought by Max Schrems showed, the surveillance powers given to GCHQ, the police and government departments in the IP Bill could mean that UK companies cannot guarantee that they will meet the EU’s data protection standards. The consequences for UK business could be severe. Last week, Forbes reported that:

“More than three-quarters of the UK’s economy is based on services, and much of that involves the transfer of data. Digital industries represent 10 per cent of Britain’s GDP. And while the UK has historically been seen by many multinationals as a gateway to Europe, that’s a gateway that could now be slammed shut.”

General election

The new Prime Minister could call for a general election in late autumn to secure their political mandate and give the electorate the opportunity to vote on any offers negotiated about the EU. This could mean that the IP Bill is rushed through as part of the ‘wash up’ (the last few days before Parliament is dissolved). To do this with such a complex and large Bill would be unacceptable. Alternatively, the IP Bill could be put on hold until a new Government is formed. This would mean that the Data Retention and Investigatory Powers Act (DRIPA) sunset clause would expire in December 2016 but MPs could vote to extend this date before Parliament is dissolved.

Labour Shadow Cabinet resignations

Many members of Labour’s shadow Cabinet have resigned their posts since the referendum result and called for a change of Labour leader. Keir Starmer, who until now has been leading for Labour on the IP Bill, is among those who have resigned. ORG and others in the Don’t Spy on Us coalition have spent significant amounts of time talking to Keir Starmer to ensure that Labour were fully aware of our arguments. It is not clear who will now lead for Labour on the IP Bill but we will work to ensure that Labour continue to be fully briefed on why the Bill is not fit for purpose.

ORG will keep campaigning for the IP Bill to be amended - please support us by joining today. 



June 15, 2016 | Ed Johnson-Williams

Tesco Mobile customers should think twice before viewing ads for a £3 a month discount

Tesco Mobile has announced a new optional scheme in which its customers can get £3 a month off their phone bill. In return, customers agree to see adverts on their lockscreen "every few times" they unlock their phone.

Customers have to see "at least one ad, offer or piece of content" on at least 21 days each month to get the discount.

What are people going to be giving up for that £3 a month?
The implication is that customers get the £3 discount for giving up some of their time and attention to see and open or dismiss the adverts. In reality, they are also paying with their data. Tesco Mobile are working with a company called Unlockd to deliver the ads to people's phones. Tesco Mobile customers have to agree to Unlockd's privacy policy to get their £3 a month discount.

In addition to collecting customers' mobile number, email address, age, gender and interests at the signup stage, Unlockd's privacy policy says they will:

  • collect customers' location data to serve tailored adverts
  • create 'anonymous' data records of customers' personal data and use them "for any purpose"
  • transfer customers' personal data to the USA, the UAE, and India and process it there.

The links to Unlockd's privacy policy are difficult to find. Tesco Mobile's webpage (which is all most customers are likely to see) doesn't mention any of these personal data collection issues.

This is an optional scheme and companies should be able to make contracts with their customers. But the bare minimum standard should be that customers are asked for their genuinely informed consent when giving up privacy. This kind of data collection and processing needs to be flagged up much more clearly to customers to meet this standard.

Location data
Somebody's location data can be very sensitive. It can reveal all kinds of patterns about their life. It's reasonable to think that lots of people would like to avoid constantly sharing their location with a company that will put adverts on their phone lockscreen every day.

Unlockd's privacy policy tells customers to turn off location on their phone if they want to "deactivate this feature". That's the 'feature' of having your location collected to show you ads by the way. But for many people, location-based services like maps are one of the most useful things about having a smartphone. Asking people to give up maps so that they can opt out of their location being collected for advertising purposes isn't fair or reasonable.

'Anonymised' data records
Significant amounts of research have been done illustrating ways in which identifying individuals from anonymised data is both possible and practical. Unlockd saying they can "use and disclose anonymous data for any purpose" [our emphasis] is worrying to say the least.

Personal data transferred and processed abroad
Unlockd's privacy policy says they may transfer and process personal data to countries "including, but not limited to the United States, the United Arab Emirates and India, where data protection and privacy regulations may not offer the same level of protection as in other parts of the world."

It is also worrying that people's data would be transferred to and processed in places where personal data and privacy are not as highly protected as they are in Europe. It is not made clear what the reasons are for data being transferred to and processed in these countries instead of in Europe.

Poverty and privacy
"You can save money by looking at adverts and giving up your personal data" is a message with big implications. Some people may have the means and freedom to choose to give up some privacy and attention for a discount. But for others, seeing adverts on your phone to save £3 on your phone bill might mean your family doesn't have to skip a meal. Of course it will not only be poorer people who will take Tesco Mobile up on this offer, but the incentive to give up some privacy in this case is surely stronger for poorer people.

We don't want a society where richer people can afford to retain their privacy and poorer people give up their privacy to make ends meet.

This is similar to what Christopher Soghoian, the ACLU’s principal technologist, calls the "digital security divide". Richer people are more likely to be able to afford Apple's iPhone which is encrypted by default. Most people buy cheaper Android phones which are not encrypted by default. In effect this makes it more difficult for thieves to unlock phones belonging to rich people than poorer people.

Customers should be cautious and consider the implications on their privacy before giving up their privacy for a discount. And if this business practice continues, or expands to other sectors, there is a danger that some people will feel they cannot afford not to give up their privacy.
