Press releases

Press releases

NHS Must Explain Role Of Surveillance Company


Reacting to news that surveillance company Palantir is in discussion with the NHS to “clean” and analyse bulk health data, including tracking of spare beds, ventilators and calls to 111. Open Rights Group and Privacy International emphasised the impact on trust in the NHS's anti-COVID-19 measures this may have, without full transparency and safeguards over the companies’ role.

Palantir’s past work has involved tracking of migrants and provision of espionage tools.

Jim Killock, Executive Director of Open Rights Group said:

“Everybody’s goal must be to build trust in the national response to COVID-19.

“Palantir have a poor reputation, as engaging in activities which threaten personal privacy and may lead to other human rights abuses.

“The NHS therefore needs to be extremely cautious and transparent in its dealings with Palantir. They must explain how people’s data may be handled and protected and how they will ensure that Palantir does not acquire or abuse information.

“The last thing that we need as a nation at this time is for ill-thought out arrangements to generate a privacy backlash.”

Privacy International said:

"It's absolutely right that we do everything we can to support the NHS amid this public health emergency, but what does this mean for the long term? In the past, Palantir clients are reported to have faced extreme difficulties accessing the analysis produced by Palantir when trying to end a contract. Vendor lock-in is a real risk here which must be appropriately mitigated."



Jim Killock



Palantir, a data firm loved by spooks, teams up with Britain’s health service

Coronavirus: NHS unveils 'data platform' to track beds, staff and ventilators:

There's a Fight Brewing Between the NYPD and Silicon Valley's Palantir

Palantir‘s past activities:


[Read more]

Campaigners welcome the creation of a Commissioner to oversee use of biometrics by Police in Scotland


Following the news that the Scottish Parliament has voted in favour of creating a Scottish Biometrics Commissioner, Matthew Rice, Scotland Director, Open Rights Groups said:

It has been a long time coming but we applaud the Scottish Parliament have voted to create a Scottish Biometrics Commissioner. Scotland deserves modern, effective institutions and when it comes to the collection, retention and use of our sensitive biometric data, the challenge has never been greater. Open Rights Group have been leading the campaign for this over the last three years and we are delighted to see such a successful result.

While facial recognition dominates the headlines we should recognise that biometrics is way more than that, from fingerprints and DNA to new generation biometrics such as iris, and gait recognition. This institution will have a vital role to play in ensuring that biometric data of all types from all people is underpinned by a lawful framework that respects the fundamental right to privacy. 

The Commissioner will have a significant role to play in making sure that biometrics data is underpinned by proper rules and that the public are fully informed and engaged in a debate about what is acceptable use of biometrics in Scotland. Open Rights Group wishes them all the best in this challenge and welcome their addition to the Scottish environment.


Open Rights Group have been campaigning for the creation of a Scottish Biometrics Commissioner since 2017, having submitted evidence to the Independent Advisory Group on the use of Biometrics in Scotland.

A consultation by the Scottish Government was held and Open Rights Group ran a campaign to generate responses to demonstrate the public interest in creating an institution.

The Scottish Government subsequently committed to establishing a Commissioner in their legislative programme for 2018-19.

The Commissioner will create a binding code of practice that applies to Police Scotland, they will have powers to issue compliance notices requiring Police Scotland to change practices and policies, it will also establish an individual complaints mechanism allowing for members of the public to raise concerns about the use of their biometrics directly to the Commissioner for them to investigate.

[Read more]

Political parties deny true scale of using personal data for campaigning to Select Committee


The House of Lords Democracy and Digital Technologies Committee have received written evidence from the Liberal Democrats, Labour, and the Conservatives on their digital campaigning practices. Since the Cambridge Analytica scandal of 2016, the legality and ethics of using personal data in political campaigning has been questioned. 

The parties provided several justifications for doing so. Specifically, Labour and the Conservatives stated that they rely upon the lawful basis of ‘democratic engagement’, which is in the public interest. Labour also claimed that the processing of personal data, including political opinions, was ‘absolutely necessary’ for modern political campaigning. By contrast, the Liberal Democrats said they do not process individual’s political opinions as part of their campaigning.  

Both Labour and the Lib Dems denied employing data brokers or companies that monitor the public’s online activity. The Conservatives denied using data brokers but admitted to using analytics provided by social media companies. Both of these statements are false or incomplete. Both Labour and the Conservatives employ Experian, a credit ratings agency, to provide profiles of voters. The Lib Dems employ CACI, which advertises its services as a “database of the UK population (that) is the most comprehensive in the industry with hundreds of pieces of information on each individual. It covers everything from contact details… financial products owned and charities supported through to media consumption, digital interaction and channel preferences.”

Pascal Crowe, Data and Democracy Project Officer for Open Rights Group, said: 

“Politcal parties think they can treat the public’s personal information as their plaything and justify that under public interest. They are wrong. Democratic engagement and electioneering are not the same.

The political parties are deliberately concealing the true extent of their use of personal data from the House of Lords and the public. These are weasel words, when they should be showing moral leadership.

Open Rights Group welcomes the Committee’s recognition of our call to investigate the political parties’ use of personal data.”  

Notes to Editors

For further information please contact Open Rights Group, at or 0207 0961079.

Written evidence from the political parties to the Select Committee can be found here: 



[Read more]

Google move endangers UK privacy

Moving UK users’ data to the USA makes bulk surveillance easier, and data protection harder.

Jim Killock, Executive Director of Open Rights Group, said:

“Moving people's personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens.

"We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links.

"Data protection rights will also become more fragile, and are likely to be attacked in trade agreements pushing 'data flows'.

"Google's decision should worry everyone who think tech companies are too powerful and know too much about us. The UK must commit to European data protection standards, or we are likely to see our rights being swiftly undermined by 'anything goes' US privacy practices."

Notes to the editor

[Read more]

Online Harms Regulation Threatens Free Speech

Appointing state regulator for online speech creates censorship incentives: ‘duty of care’ is vague and an undefined concept

Jim Killock, Executive Director of Open Rights Group said:

“This is a dangerous proposal that could cause vast restrictions on free speech. The police recently included Extinction Rebellion in their guidance on terrorism. Private companies would be deciding what is legal or illegal, and will always remove more than they need, rather than less.

“Duties could also create a vast surveillance capability to monitor content as it is posted online.

“The government proposes a state regulator overseeing the speech of millions of citizens. Yet this will regulate press content by the backdoor, when posted to social media.

“The state should not police the speech of its citizens. That is an obvious conflict, which is why it is left to the courts.

“Instead, the government should seek to ensure that companies have sufficient independent scrutiny of their actions. This is known as co-regulation, and could be supervised by Ofcom.”

Additionally, ORG warns that the proposed ‘duty of care’ remains an open-ended and vague concept that needs vastly clearer definition. 



Jim Killock 07894498127 /

Notes to the editor

Government ‘minded’ to appoint Ofcom as Internet regulator:

[Read more]

ORG response to child’s rights groups letter to Facebook

Open Rights Group, responding to today’s reports of a child's rights groups letter to Facebook, responded:

Encryption provides a secure internet for all, including children, and while well-meaning, these efforts are misguided. 

End-to-end encryption is the backbone of retaining a secure Internet. It protects the privacy of billions everyday from banking transactions to messaging. It protects whistleblowers and activists around the world from repressive regimes. It even protects the politicians jumping on today’s bandwagon.

Undermining encryption creates an opportunity for hackers, criminals, even abusers, to gain access to the private lives of those that deserve protection. Through this call these groups may be placing users at risk of exploitation. This is not a straightforward trade-off.

A national survey from the Information Commissioner’s Office ranked children’s privacy and cyber security as people’s top data protection concerns. Encryption responds to these two concerns and it should not be used as a political football to make politicians look tough on social media platforms.



Information Commissioner’s Office Age Appropriate Design Code: page 3 for the quote on cyber security

For further information please contact Federica Dadone, Communication Officer for Open Rights Group, at or 0207 0961079.


[Read more]

Government must pledge to uphold data privacy

The Open Rights Group have today - International Data Protection Day – called on all MPs to pledge to uphold data privacy standards.

In a letter to all MPs, ORG explains data protection in the UK is under threat following claims earlier this year by government sources that they wish to diverge from European privacy standards. (1)

However, moving away from European data protection and accepting weak US-style privacy laws - would mean accepting very low standards and undermining trust in the technology, finance and health sectors.

In December last year, a “government source” told the Times that the UK would want to diverge from European data protection standards. (2) That same month in the Times, economists highlighted the desires of the US to be able to access patient healthcare information under any future trade agreement. (3)

The likelihood of a loose trade agreement with the EU will mean the UK will come under pressure to dilute data privacy standards, especially to allow US companies to access UK markets without high levels of data protection.

The letter from ORG explains to MPs that:

“There will be pressure from many companies, such as insurance, bank credit agencies and some large Internet companies, to lower standards. Pressure will come from the US government, who will want to make "data flows" more important than "data protection" in future trade agreements.

“Data protection matters to your constituents. It protects their sensitive personal data such as health data from being exploited, it seeks to protect them online and give them more control over who can use their personal data. In 2019, a Eurobarometer survey found 73% of people in the United Kingdom were concerned about not having complete control over the information they provide online.”

The letter asks for commitments from the government that:

  1. Data Protection standards will continue to apply across all industries, protecting personal data from abuse;

  2. Trade agreements will not be used to dilute, undermine or circumvent existing data protection standards.

The letter concludes that:

Now that we are facing an uncertain future it is more important than ever for the United Kingdom to commit to respecting the right to privacy.

The letter was delivered to all MPs in the House of Commons earlier today, and included an offer to meet to discuss privacy advocates concerns in more detail.


Contact: Jim Killock ‭+44 20 7096 1079‬ /

Notes to the editor

(1) The full text of the letter is available at:

(2) See

(3) See 

[Read more]

Data Regulator pushes ahead with age gates

The ICO's Age Appropriate Design Code released today includes changes which lessen the risk of widespread age gates, but retains strong incentives towards greater 'age gating' of content.


Over 280 ORG supporters wrote to the ICO about the previous draft code, to express concerns with compulsory age checks for websites, which could lead to restrictions on content.

Under the code, companies must establish the age of users, or restrict their use of data. ORG is concerned that this will mean that adults only access websites when 'age verified' creating severe restrictions on access to information.

The ICO's changes to the Code in response to ORG's concerns suggest that different strategies to establish age may be used, attempting to reduce the risk of forcing compulsory age verification of users.

However, the ICO has not published any assessment to understand whether these strategies are practical or what their actual impact would be.

The Code could easily lead to Age Verification through the backdoor as it creates the threat of fines if sites have not established the age of their users.

While the Code has many useful ideas and important protections for children, this should not come at the cost of pushing all websites to undergo age verification of users. Age Verification could extend through social media, games and news publications.

Jim Killock, Executive Director of Open Rights Group said:

"The ICO has made some useful changes to their code, which make it clear that age verification is not the only method to determine age.

"However, the ICO don't know how their code will change adults access to content in practice. The new code published today does not include an Impact Assessment. Parliament must produce one and assess implications for free expression before agreeing to the code.

"Age Verification demands could become a barrier to adults reaching legal content, including news, opinion and social media. This would severely impact free expression.

"The public and Parliament deserve a thorough discussion of the implications, rather than sneaking in a change via parliamentary rubber stamping with potentially huge implications for the way we access Internet content."



Jim Killock


ICO Age Appropriate Design Code, section 3:

[Read more]

Age Verification Judicial Review endangers UK citizens' privacy

Judicial Review launched by Tech companies to force Age Verification for adult content under the Digital Economy Act 2016 to start would endanger privacy.

Reacting to the Judicial Review launched by Tech companies to force Age Verification for adult content to be implemented (1) Jim Killock, Executive Director of the Open Rights Group said: 

"These companies are asking us to trust them with records of millions of people's sexual preferences, with huge commercial reasons to use that data for profiling and advertising. 

"The adult industry has a terrible record on data security. We're being asked to hope they don't repeat the many, many times they have lost personal data, with the result that blackmail scams and worse proliferates. (2)

"The government did the responsible thing when it admitted its plans were not ready to proceed. Age Verification must not be pushed forward until there is compulsory privacy regulation put in place."

The companies behind the legal action are not subject to tight privacy regulations. Instead, the government can only ask for 'voluntary' privacy commitments.

General data protection law is not sufficient for this industry as data breaches of this nature cannot be fixed by fines. They need to be prevented by the toughest and most specific regulation available.

Examples of sector specific privacy regulation include bank payments governed by PCI DSS, which specifies exactly how privacy and security must be implemented (3).

The BBFC, when acting as regulator, created a voluntary privacy code. This was however rushed, created without public consultation, and was criticised by ORG as too weak. (4) Additionally, at least one company 18PlusApp refused to comply with it. (5)


Jim Killock +442070961079 /


(1) Tech companies launch legal action to force Government to bring in under 18s porn ban:

(2) List of MindGeek data breaches:

(3) Compulsory banking standards for privacy and security, PCI DSS:

(4) Analysis of BBFC Age Verification Certificate Standard, June 2019:

(5) 18PlusApp opts out of BBFC privacy regulation, June 2019:


[Read more]

Data regulator ICO fails to enforce the law

Responding to ICO's announcement today that the regulator is taking minimal steps to enforce the law against massive data breaches taking place in the online ad industry through "Real-Time Bidding", complainants Jim Killock and Michael Veale have called on the regulator to enforce the law.

The complainants are considering taking legal action against the regulator. Legal action could be taken against the ICO for failure to enforce, or against the companies themselves for their breaches of Data Protection law.

The "Real-Time Bidding" data breach at the heart of RTB market exposes every person in the UK to mass profiling, and the attendant risks of manipulation and discrimination.

As the evidence submitted by the complainants notes, the real-time bidding systems designed by Google and the IAB broadcast what virtually all Internet users read, watch, and listen to online to thousands of companies, without protection of the data once broadcast. Now, sixteen months after the initial complaint, the ICO has failed to act.

Jim Killock, Executive Director of the Open Rights Group said:

"The ICO is a regulator, so needs to enforce the law. It appears to be accepting that unlawful and dangerous sharing of personal data can continue, so long as 'improvements' are gradually made, with no actual date for compliance.

"Last year the ICO gave a deadline for an industry response to our complaints. Now the ICO is falling into the trap set by industry, of accepting incremental but minimal changes that fail to deliver individuals the control of their personal data that they are legally entitled to.

"The ICO must take enforcement action against IAB members.

"We are considering our position, including whether to take legal action against the regulator for failing to act, or individual companies for their breach of data protection law."

Dr Michael Veale said: "When an industry is premised and profiting from clear and entrenched illegality that breach individuals' fundamental rights, engagement is not a suitable remedy. The ICO cannot continue to look back at its past precedents for enforcement action, because it is exactly that timid approach that has led us to where we are now".

Ravi Naik, solicitor acting for the complainants, said "There is no dispute about the underlying illiegality at the heart of RTB that our clients have complained about. The ICO have agreed with those concerns yet the companies have not taken adequate steps to address those conerns. Nevertheless, the ICO has failed to take direct enforcement action needed to remedy these breaches. 

"Regulatory ambivalence cannot continue. The ICO is not a silo but is subject to judicial oversight. Indeed, the ICO's failure to act raises a question about the adequacy of the UK Data Protection Act. Is there proper judicial oversight of the ICO? This is a critical question after Brexit, when the UK needs to agree data transfer arrangements with the EU that cover all industries."

Dr Johnny Ryan of Brave said "the RTB system broadcasts what everyone is reading and watching online, hundreds of billions of times a day, to thousands of companies. It is by far the largest data breach ever recorded. The risks are profound. Brave will support ORG to ensure that the ICO discharges its responsibilities."

Jim Killock and Michael Veale complained about the Adtech industry and "Real Time Bidding" to the UK's ICO in September 2018. Johnny Ryan of Brave submitted a parallel complaint against Google about their Adtech system to the Irish Data Protection Authority. 



Jim Killock +442070961079

Notes to the editor 

ICO Blog:


[Read more]