An open letter to the CJEU from L

Read a view of the Schrems decisions from the other side of the great pond, in the U.S. I found it an informative, serious but fun read through the spectacles of Lydia F de la Torre, EU & US Counsel (Spain/California) and a lecturer in Privacy Law at Santa Clara University School of Law. Grab a coffee: it is long, and its climax is an open letter to the CJEU, which I’ve copied below 🙂

Everyone knows the story of the Privacy Shield. Or at least they think they do. But, I’ll let you in on a little secret. Nobody knows the real story, because nobody has ever heard my version of it. I am a lecturer at Santa Clara Law. You can call me L.

The blog post by Lydia covers the Schrems I and II saga. From reading it I gained some insight which I hadn’t really bothered to dig into earlier, but I am not alone in this. One example: Schrems I resulted in the fall of Safe Harbor, we all know this, but what is not common knowledge is that it seems even Max himself was unaware that Facebook were using SCCs. If he’d known earlier there would have been no Schrems II, because it would have been taken at the beginning.

You really should read the complete post from Lydia; it is actually entertaining 😉


To: The Court of Justice of the European Union (Grand Chamber)

In regards: Overdue homework

Dear Grand Chamber:

I have been waiting for years for you to give us a hint as to what is the essence of the European right to data protection.

I know you know the right to a private life and the right to data protection are two different rights, but I am starting to suspect you can’t tell them apart as you keep citing to them as if they were twins.

And that is a scary proposition, since the ECtHR is not going to steal your thunder because the European Convention of Human Rights (that the ECtHR has the authority to adjudicate on) does not recognize a right to data protection.

Perhaps reading member state caselaw on the right to data protection could get your creative juices flowing? Jurisprudence under Article 35 of the Portuguese Constitution or Article 18(4) of the Spanish Constitution? How about the German classics on Recht auf informationelle Selbstbestimmung?

And yes, I know you are not bound to follow precedent from the Constitutional Courts of Member States.

But let’s be honest.

You can’t claim copyright over the EU Charter of Fundamental Rights either. We all know the Charter is just a compilation of the rights granted to Europeans, initially, by Member State law.

So please, do your homework next time you rule on a GDPR case and hand down something that tells us what the core of the European right to data protection exactly is. Is data localization absent essential equivalence for a cross-border transfer part of it? If Privacy Shield had passed muster from a privacy perspective, would a violation of Article 47 of the Charter (since the Ombudsperson did not equate to a tribunal within the meaning) trigger a violation of the fundamental right to data protection under Article 8.3 of the Charter?

Looking forward to hearing from you soon.

Sincerely,

L

Nelsonian blindness and Consent

A really great post on the Panopticon legal blog (again :-))

Apparently Optical Express (OE) has been sending SMS messages to individuals who had not opted in to this service; in fact 4,600 registered concerns about OE’s marketing practices. It’s pretty interesting, as OE seems to be blind to the fact that they have not received explicit consent: they claim it was sufficient that Thomas Cook had stated that personal data would be shared, even though with whom, or how much, etc., is not made clear in that statement.

I have to make a quote from the post, as the author seems to be a lawyer with a sense of humour…

“OE appears not to have seen any problem with texting people who had never previously dealt with it, believing they had sufficient consent. Whether their laser eye surgery offers would have assisted this possible case of Nelsonian blindness is unclear.”

Read the post on the Panopticon blog

Fill the holes in RIPA with DRIP ;-)

I love what the UK is doing to keep alive the data retention directive that died an untimely death recently, with DRIP 😉

Some argue that it ‘extends’ the powers of RIPA. UK government officials claim it is just to cover the loss of the EU data retention requirements temporarily, until they think of something new that is more manageable. Read what the Panopticon blog is saying and decide for yourself.

UK Citizens! Does the Protection of Freedom Act 2012 really protect you?

Sorry I’ve been so verbose today, but there is just so much going on right now!

Here I am again, popping online to check, when this pops up on the Panopticon blog. This blog is cool because it is seriously legal. You know, real legal experts writing about threats to our personal privacy. I wish my legal expertise was more seriously legal 😉

Well, now they are talking about new legislation going through in the UK: CCTV, surveillance stuff, with all this Snowden excitement.

It is about the Protection of Freedoms Act 2012, which expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems, including CCTV and Automatic Number Plate Recognition (ANPR). Now go and visit this site; they summarize this Act. I haven’t looked in detail yet, but from what I have read it looks more like it is protecting the rights of the citizen rather than vice versa.

The Code sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.
(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.
(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.
(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.
(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.
(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.
(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.
(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.
(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.
(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.
(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.
(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Unencrypted portable hard drives really are a problem!

It’s amazing the number of discussions there are on how to secure information in the cloud when we are walking around with sensitive information on a portable hard drive, maybe even a USB stick!

There have been two cases recently of lost personal information: one was information pertaining to Canadian students; in the other, in April 2013, the Investment Industry Regulatory Organization (IIROC) admitted that the personal information of 52,000 clients from dozens of investment firms had likewise been compromised.

Remember UK HM Revenue and Customs, which in 2007 lost computer discs containing the entire child benefit records, including the personal details of 25 million people, covering 7.25 million families overall. There are loads of reported cases, and probably many more unreported!

OK, so how do we solve this? According to Daniel Horovitz it is about security awareness and policies that are enforced. With this I concur completely. However, I am also thinking: what if no personal data were stored on any local device anywhere, and it was all web-enabled, in a private or shared cloud? It would bring the BYOD movement closer, and surely it must be safer than a mobile HD? Clearly security awareness and policy enforcement are essential, but they still do not seem to be working. If they were, these incidents would not be happening.

Identity Assurance (IDA) in UK

Came across this rather interesting blog post in Computer Weekly almost a month ago. Just scroll down until you get to the sub-title “Identity Assurance” to find the passage I have quoted for your convenience below, and more if you are interested.

“The Government Digital Service (GDS) has devised a fresh approach to building online trust: the Identity Assurance (IDA) programme. The aim is to allow users to prove their identity, or other information about themselves, using services from private-sector organisations. In the IDA model, individuals and businesses will be able to ‘reuse’ existing trust relationships to interact with government (and ultimately with each other): for example, a customer might use their online banking credentials to prove their entitlement to a public authority so that they can claim benefits. GDS is working with key authorities to deliver the necessary technical, commercial and regulatory infrastructure to make this new approach possible.

GDS is also developing a market of companies wishing to act as Identity Providers (IDPs), who will have to bid for the right to do so, and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. Eight Identity Providers have been selected to provide the first set of IDA services in support of pilot activities from October 2013. Those IDPs are working together under the aegis of the Open Identity Exchange (OIX) to deliver the technology, commercial and legal approaches needed to make the service a reality.”