ICO Comments on EU Data Protection proposal

Wednesday, June 6, 2012 - 11:20

The Information Commissioner has published his initial analysis of the EU Data Protection proposals. His comments on general matters are summarised by others such as Out-law and Dataguidance. On the Internet matters that I’ve been concentrating on, I’m delighted to see that we seem to be thinking on very similar lines.

On Internet Identifiers

There is currently considerable uncertainty over the status of IP addresses, cookie identifiers and similar information generated online. The ICO’s approach has been to advise organisations, as far as is possible, to treat this information as though it were personal data. Whilst this might work well in practice, it does not provide legal certainty for organisations or citizens.

Noting that the draft Regulation does not really help clarify the situation, he suggests an interesting alternative definition:

where IP addresses or similar identifiers are processed with the intention of targeting particular content at an individual, or otherwise treating one person differently from another, then the identifier will be personal data and, as far as is possible, the rules of data protection will apply.

This approach seems a good match for the actual risk to privacy, but it recreates the possibility (currently in UK law, but which the Regulation seems to remove) that the same information may be personal data in one person’s hands and not in another’s. For example, when a packet travels across the Internet from the originating Internet Access Provider (who knows the real identity of the user) via a backbone provider (who does not, and treats all packets alike) to a website that uses the origin IP address to decide what content to serve (thereby “treating one person differently from another”), it seems that the source address of the packet changes from personal to non-personal and back again. If this approach is taken up, it will be important to ensure that these transitions are recognised and responsibilities clearly assigned to the right parties.

The ICO spots that it may not be possible to comply with all the Data Controller duties if you only use pseudonymous identifiers:

Given the wide scope of ‘personal data’ we consider, based on our regulatory experience, particularly in the online world, that it may be unrealistic to expect all the requirements of the Regulation to apply fully to all forms of personal data that fall within its scope. We welcome the partial recognition of this in Art.10 but would like to see it more explicitly stated, perhaps in the recitals.

And

We presume that [Art.10] is intended to deal with situations where organisations only hold ‘non-obvious’ identifiers about a person, for example an IP address linked to a particular device, and may then be faced with the problem of dealing with requests for subject access to the information.

Finally, there’s also the first official recognition I’ve seen of a problem I have been pointing out for years – that the uncertain status of pseudonymous identifiers could actually discourage their use. Reducing the burdens on those who choose not to target individuals...

...is particularly important in relation to pseudonymisation as there needs to be positive encouragement to data controllers to use pseudonymisation wherever possible

On consent

There is recognition that if consent is to be used less often, then other justifications will be needed to replace it.

It is important that where consent cannot be valid – for example, because it cannot be freely given in a particular situation – alternative means of legitimising the processing can be found where the processing is otherwise necessary and legitimate or in the data subject’s interests. The welcome strengthening of consent should not leave data controllers without a lawful basis for processing which is either necessary or unobjectionable.

In developing international systems for federated access management we have discovered that some European countries either failed to transpose some of the justifications provided by the current Directive or imposed additional limits on them. It is good to have this official confirmation that all the justifications really are needed.

On Breach Notification

There are doubts about the 24-hour time limit:

We are strongly in favour of a legal requirement for data controllers to notify data breaches in certain circumstances. However, it is important that the law puts proportionate breach notification ‘triggers’ in place. Otherwise, there is danger that supervisory authorities will be swamped with notifications of trivial or inconsequential breaches. Although the Commission has suggested that there will be a ‘trigger’, there is nothing on the face of the Regulation that guarantees this. We can understand the need to require data controllers to notify breaches promptly, but a target of 24 hours appears unrealistic. In any event, as the Article stands, it would be open to data controllers to argue that it was not ‘feasible’ to comply within 24 hours. However, this involves providing a ‘reasoned justification’ to the supervisory authority. If, in practice, few if any breaches can be notified within the 24-hour period, then data controllers will be faced with unnecessary administrative burdens of providing a justification when they should be focusing on dealing with the breach. A simple requirement for notification ‘without undue delay’ would be preferable. This is, after all, the wording used in the revised e-Privacy Directive (2009/136/EC) and using it in the Regulation would ensure a degree of consistency.

And there's an interesting take on personal data protected by strong encryption (in Regulation-speak “technological protection measures that render data unintelligible to any person who is not authorised to access it”):

In any case we are not convinced that the loss or disclosure of information that is rendered inaccessible constitutes a personal data breach.

On International transfers

There is a call to move from prescribing measures that must take place before a transfer is permitted to simply making Data Controllers accountable for what they do:

The ICO has in the past called for a radical rethink of the way transfers of personal data overseas are treated under data protection law. Given the sheer scale of international transfers, we have significant doubts as to how meaningful any attempt by supervisory authorities to closely monitor, control or authorise transfers can be. Our own favoured approach would be to ensure that data exporters are aware of their responsibilities – wherever the processing takes place – and have the tools necessary to assess risk and to ensure compliance. Failure to do so would, as with a failure to meet the other requirements of this Regulation, leave the data controller open to enforcement action by supervisory authorities and claims from individuals.

And

In our opinion ‘ordinary’, routine transfers should be [permitted] where the transfer is in the data controller’s legitimate interests and where the necessary safeguards have been put in place, in other words where there is adequate protection. This would be a less burdensome approach to transfers and would not, in reality, undermine the protection afforded to data subjects. ... The data exporter’s assessment of adequacy should be recognised as a proper ground for transferring data by way of appropriate safeguards under Article 42.