Ex-ICO: Draft EU privacy rules will turn every citizen 'into a liar' Britain's Information Commissioner wants the force of the European Data Protection Directive to fall on rogues, not on businesses which already face mountains of paperwork. That's the message that Chris Graham will be taking to Europe when he goes there to hash out a compromise on the new European Data Protection Directive …
This coming from somebody that previously headed an organisation that failed to do the job of enforcing the law - an organization where people very conveniently end up working for the very companies that by rights should be under investigation.
*cough*Google*cough*
And he seriously thinks he should be taken seriously?
"...the EU's proposed "right to be forgotten" data protection reforms could lead citizens to expect a degree of protection that cannot be delivered in practice. The ICO warns that the EU must be realistic about the limited power EU data protection authorities may have over non- EU data controllers."
You mean European law might not apply outside Europe? Gosh! Who knew? Well, I suppose the game is up then. We might as well scrap every piece of EU law there is, because I can't see an Iranian court honouring much of it. Oh, and whilst I'm here I'll just slit my throat because, well, what's the point?
All this at the same time as we're being told that the UK would be foolish to leave the EU because frankly the rest of the world is just *insignificant* compared to the EU and we'd probably get lost or something.
The preliminary response from the ICO also states that the EU's proposed "right to be forgotten" data protection reforms could lead citizens to expect a degree of protection that cannot be delivered in practice.
I think this is an extremely good and extremely dangerous point...
Yes, we'll be lead to expect a degree of protection that cannot be delivered outside the EU.
The rest of the world's internet will gently diverge from our warm and fuzzy variant.
THE EVIL LAWLESS OUTERNET MUST BE CENSORED
Up goes the great firewall of Europe. It's the only way. Think of the children.
It won't provide the expected level of protection WITHIN the EU either. That is the point.
People will expect that when they say 'please forget me' their information will be purged from all systems and media - it won't - it can't be (for various logistic and legislative reasons). You may be removed from the active system but you will still be 'remembered' in last month's (or even last year's) backup.
There are some really cool things in that regulation.
I also know for a fact that there was a kerfuffle about some section that would have made it hard for the US to hoover up stuff with a wink and nod. It was quietly dropped under the table at some point. Muah.
Anyway... I think I shall take up a law degree.... because:
Notification of a personal data breach to the supervisory authority
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 24 hours after having become aware of it, notify the personal data breach to the supervisory authority. The notification to the supervisory authority shall be accompanied by a reasoned justification in cases where it is not made within 24 hours."
You have to have the lawyers all lined and on retainer PERMANENTLY for this to be even possible.
"The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body; or
(b) the processing is carried out by an enterprise employing 250 persons or more; or
(c) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects.
The controller or processor shall designate the data protection officer on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and ability to fulfil the tasks referred to in Article 37. The necessary level of expert knowledge shall be determined in particular according to the data processing carried out and the protection required for the personal data processed by the controller or the processor."
Hehehehe.
The proposed rules are laden with paperwork and bureaucracy. So the good guys get the expense and hassle for no reason as they'd be complying anyway. And the bad guys will just continue to be bad guys - they're not going to document the fact.
However, the most interesting part is that it proposes a right to data portability explicitly thinking about social networking (Facebook won't like that). Though it also seems to completely ignore the complexity of social data for instance a 'friend' relationship involves two parties. Can the data controller hand over data to just one party on request?
"The proposed rules are laden with paperwork and bureaucracy. So the good guys get the expense and hassle for no reason as they'd be complying anyway. And the bad guys will just continue to be bad guys - they're not going to document the fact."
I may, of course, be misinterpreting the intent of this statement. I am, after all, an Idiot :-). However, both specifically and in general I (personally and entirely of my own view, not intending any broad sweeping statement to which I assume or require others to comply or with which I expect them to agree or indeed disagree) have issues with the logic expressed.
I've seen similar points of view expressed in a number of fields. To pick one, deliberately selected with the purpose of being highly emotive, I've seen it expressed in the US debate over gun regulation. To paraphrase:
"Gun regulation is a Bad Thing(tm), because it only hurts law abiding folks, since Bad Guys(tm) will get hold of guns in Bad Ways(tm) anyway, so regulation is a waste of time. Oh, and Bad(tm)."
The same argument could be mounted against tax regulations:
"The excessive red tape and regulations place an unnecessary burden on law abiding and fair minded businessess, who will of course comply in any case because they're, like, Law Abiding(tm) and Fair Minded(tm). The businesses who aren't will just hire shster lawyers,and find ways of cheating. So the regulations are a waste of time."
In the absence of rules and regulations, there are none to break. So in such a situation there are in fact no Bad Guys(tm). In the presence of simply and briefly expressed regulations, there are too many ways of attempting to claim issues of interpretation, 'they didn't really mean that', or 'it doesn't apply to me'. As examples I could cite the various interpetations of 'Thou shalt not kill', or even the purpose and intent of the Second Amendment - but I left my asbestos underwear at home, so I won't. And I didn't, so there :-P.
I would suggest that any attempt to express a regulation sufficiently concisely and clearly to eliminate or at least minimise the potential to misinterpret, evade or otherwise stand aside from it is likely to carry with it what some might consider 'excessive red tape'. But at least it reduces the potential number of 'innocent' Robert Fords, however much some might think Jesse James deserved it.
It's not a problem with regulation, but with the ossification (and cost) of those regulations into paperwork and bureaucratic procedure as required by those regulations. The simple principle that I as an individual can request information about data held on me, require that the data is corrected or deleted, require that I can have a copy of the data and get information about what my data is used for. That should be enough. Businesses then have to work out how to deliver that themselves.
If it becomes too hard/expensive to store all this data on users and to keep it somewhat confined, then maybe the problem isn't these rules, but that you are storing too much information?
If you can't keep track of the information you're colleccting, then what good is it and why then collect it?
It will only really apply to 'live' systems - no organisation will remove you from their historical records (even the DPA acknowledges just how difficult this is, so it is not enforced if it is too impractical). The reasons are simple, your information may be in a database (or even in an e-mail) which is backed-up, and depending on your tape rotation and storage it will likely be on seven daily tapes (or virtual tapes), 4 weekly ones, 12 monthly ones, and annual archive - which for financial transactions needs to be kept for 7 years.
It is totally unreasonable (and hence not expected) that all media will be remounted and purged of information relating to you (especially not e-mail systems), also this action would mean that the media in question could not be used as evidence at a later date should forensics be required (as it would had been modified since its creation).
So whilst this may sound good in theory (please remove me from your records) - it will only realistically apply to the live system - and who is to stop 'organisations' with whom we have data sharing agreements, requesting copies of previous backups? Either within or outside of the EU?
Everyone keeping data is potentially a rogue - because any of their employees might take the data and misuse it. All risks of misuse of data are limited by not keeping the data after a certain time, and by making that sort of purging an industry-standard practice.
I see difficulty around applying "right to be forgotten" to people who were in the newspapers for any reason, including something that later turned out to be not true. Perhaps newspapers can be let off from the forgetting but required to correct inaccurate stories, including in any electronic archive.
Another possible difficulty is on guarantees. If I buy an electric kettle, I'm supposed to send the manufacturer a registration card, and they give a two year guarantee in return for holding my contact details. Arguably they can givE a guarantee without that, but arguably they'd rather have my credentials for promotional use. Guarantees might even get longer as an excuse to do this, but weaker, e.g. guarantee the handle of the kettle for ten years, but not the rest of it.
I see a major problem (or loophole) looming with the 'right to be forgotten' to do with 3rd-parties.
When you give a company your details they may pass this on to 'certain 3rd-parties' - this will either be part of the T&C or written in a privacy policy.
When you as to be forgotten will this cascade to all 3rd-parties?
If the answer is YES then there will be major problems. Imagine you subscribed to a well-know IT website whose T&C stated that your information will be shared with...let's say energy suppliers. One of these could contact you and you may end up using them to provide your leccy. If you then asked to be forgotten by the IT website, and this were to be cascaded then it would also pass to the leccy company - something you don't want.
As such, I see the 'automatic cascade' option being a non-starter and so the user will have to contact all 3rd-parties individually (can you imagine following the chain of 3rd-parties and contacting each of them?)
This then leads to a nice loop-hole. You provide your info to Facepalm Global (for example) who 'as a necessity in providing the service' share this information with Facepalm UK, Facepalm FR, Facepalm US, etc (all separate companies). When you ask to be forgotten by Facepalm Global then they will remove you from the 'hub' but you are still 'live' in the 3rd-party systems. 2 months later you try to open a new account on Facepalm Global, and as part of the reciprocal data sharing agreement with Facepalm UK, etc they look you up on the 3rd-party systems...and low and behold you are back in the system with all your history.
So much for being forgotten.
Just a thought.
Surely the cascading would only apply to the data being held by the "IT website".
Thus the data that the leccy supplier has attained from said website is to be deleted, but any other dealings you have with the supplier will have their own set of data, so to speak.
I mean, that's how I interpret the intent - the feasibility of this actually being done I shall refrain from commenting on.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
