I had the great privilege to debate the pros and cons of ‘The Right To Be Forgotten’ at The Law Society this evening, the home of the solicitors’ profession of England and Wales. One of my sparring partners was Mark Stephens, a true great on the UK legal stage. I was in a tag team with the Information Commissioner’s Jonathan Bamford, a good man and friend. Mark’s partner was Jodie Ginsberg, a fine and intelligent advocate against censorship on the web.
The decision of the Court of Justice of the European Union in the Google Spain case is controversial due to its subject matter, the result and the quality of the judgment. The balance between privacy rights and freedom of expression is polarising by its very nature. These are cherished human rights after all and it would be odd if they did not arouse passions. Scrub that: it would be sad if they did not arouse passion. Scrub that again: the passion they trigger is to be applauded and celebrated.
But back to the point.
The controversies within the judgment are multiple. Is it right to demand ‘data death’ at the search engine, when the original publisher of the offending content is left free to continue publication? Is it right to burden (or empower) a private sector internet giant with censorship obligations, rights and powers, which are exercised in private rooms and corridors outside of public scrutiny? Is it right to execute judgment on a publisher who is not consulted or given a right of defence or reply? Does it make sense to promote a legal regime that can be easily bypassed through out-of-jurisdiction search and IP address masking?
These are all legitimate concerns in my humble opinion. And I agree that it is a shame that the Judgment of the Court isn’t deep or instructive. It is regrettable that so much of the law is still opaque and uncertain. Many lawyers would not have written a judgment as important as this one in the same or similar terms.
But this doesn’t mean that the decision is wrong. The critical legal issues of controllership and establishment are intellectually sustainable on the face of the wording of the Data Protection Directive. In an economic, organisational and functional sense, global web search looks very much like data controllership to me, as defined by the Directive. Likewise, for establishment.
So we are where we are. What is important from here is the next step. This is acceptance of the judgment and building an acceptable model for its operationalisation, which needs a calmness of mind, maturity of thought and certainty of purpose. I expect that these virtues will be the foundation stones for success. Simple cries of outrage and blanket denial or disagreement do not provide a solution to the problems and challenges that the Judgment has thrown up. We have to get on with it and make the Judgment work.
We are living during the time of the Digital Industrial Revolution. These are uncertain times, but exciting too. There will be big winners and losers and the win/lose gap of this Industrial Revolution will be bigger than its predecessors. But the Google Spain case is not a loss for anyone. It is not sinister censorship. It is not the death of media, newspapers, journalism, criticism or honest debate. It is simply an inevitable step in the development of the law during a Revolutionary age, one that understands the basic truth of cyber space, Digital and the Internet, which is that due to the functional performance of advanced technology the barrier between the private space and the public space is thinner than ever before. Therefore, the private space must acquire better legal protections. The decision of the Court of Justice was an inevitable and logical progression.
Here’s a link to a blog that was recently posted on IAPP’s ‘Privacy Perspectives’ blog, where I consider the idea that privacy regulation is now in a technical age. The core point that I’m trying to make is that the regulators have acquired skill, experience and expertise through their years of engagement with controllers and other regulated entities, so that they now pose a significant threat during the course of investigations and enforcement actions. This leaves regulated entities with a simple choice: up your game. If you don’t you’re just gambling.
The status of the proposed EU General Data Protection Regulation is still up in the air at the moment, but there is a greater sense of optimism around that the reform agenda will complete fairly soon, i.e., in the medium term, say by the end of 2015. The European Parliament elections depressed sentiment for a while, but they are now history. And the reform agenda has received a considerable boost from the CJEU decisions in the Google Spain case and the Digital Rights Ireland case, by Snowden’s disclosures and by the growth of citizen and pressure group litigation (e.g., Max Schrems’ cases against Facebook and the pressure group litigation about Prism and Tempora). People connected into the political scene are detecting clear shifts in policy formation too, as the political classes tune-in to the pro-privacy vibes in the air.
That is all ‘big picture’ stuff however. As I was discussing with a close friend in the privacy community the other day, I sense that we are entering the ‘post-regulatory’ phase of data protection, ironic as that sounds.
What I mean by this is that when the phenomenon of regulation is viewed for what it is – basically a mechanism to cure imperfections in market behaviours – a time should be reached when regulation has done its job. Take telecoms regulation from the 1980s. The core aim was to liberalise the markets, by breaking up monopolies. Clearly, that regulatory goal was successfully achieved. Thus, for that aspect of telecoms, we are in a post-regulatory age. No one seriously believes in telecoms monopoly anymore, although people used to.
Data protection as a concept has moved past the initial regulatory goals, of creating principles-based norms for good behaviours. I believe that we no longer need regulation to teach the economy that data protection is important. The case has been proved and accepted. Only foolhardy businesses will think that shoddy attitudes will be good for the bottom line.
Thus, the nature of the conversation that professional services providers (like me) have with businesses has changed. Scanning back five years or so, the argument might have been described as a ‘fear sell’ in some quarters, because the argument was ‘bad data protection has bad consequences’. Now the conversation is about how good data protection adds value.
This transition is the hallmark of a post-regulatory environment. The status quo, or the norm, is now about data protection as a positive. This includes security too. Good security adds value and enables business. We should not be talking about how security strangles or suffocates business. That would be stupid.
For business, the evidence is building up. There are a number of factors at play and they are all interrelated. The newsworthiness of data protection and cyber security is clearly a huge part of the picture. The more the story is played out in public, the greater is the impact on the minds of individuals. Of course, regulatory actions have been another big factor. But, the real drivers of change are the positions of ordinary individuals. We all wear many different hats. We are customers, employees, business partners, shareholders (and so on), so we hold all the power. Cumulatively, the effects that we are having on business and corporate minds are profound. Principally, we are causing businesses to look at data protection and security in terms of trust, confidence, brand and reputation.
This translates into something in economic terms. We sometimes try to define the effect as ‘goodwill’, but it is hard to put a pound-value on goodwill. Yet that doesn’t matter, because businesses instinctively understand the connection between goodwill and profit.
This explains why, if you work in the space that I do, you find significant shifts in attitudes towards data protection compliance in business. Sure, lots of businesses are performing sub-optimally, but the improvements in recent years have been immense.
Hence, we have entered the post-regulatory age. Of course, this is not to say that we do not need regulation or a new Data Protection Regulation. Market imperfections change, develop and evolve. Oversight, sometimes light touch, sometimes heavy, is a thing to embrace, welcome and support, provided that the regulators themselves act properly, proportionately and fairly.
The Information Commissioner’s Head of Enforcement has published a blog about financial penalties that shines a bright spotlight on the ICO’s thinking around how to deal with nuisance marketing. The backdrop to the story is the overturning of the record Monetary Penalty by the Information Tribunal, which the ICO imposed on two company directors who were sending out spam SMS marketing messages on an industrial scale. The basic problem in the case – as far as the Tribunal is concerned – is that the financial penalty regime requires ‘substantial’ harm to be caused by the offending practice before a fine can be imposed. In the Tribunal’s judgment, a spam SMS causes only minor irritation. To get around this problem the ICO argued that the aggregate effect of many thousands of irritating texts amounts to a substantial harm. The Tribunal was having none of this, and the fine was unwound.
So where does this leave the ICO? In a nutshell, ICO is saying that the financial penalties regime for direct marketing problems has been destroyed by the judgment. In the ICO’s view, the law is now ‘bad’. There is only one thing that can be done to restore the law to a credible state, which is to amend it, to lower the threshold for fines.
I’m not going to tackle the substance of ICO’s arguments here. It’s the insights that the blog gives into the mind of the regulator and the likely impacts for marketers (if the law is amended) that are most interesting to me.
If the ICO’s case for amendment of the law is accepted by Parliament, it will place marketers into an unprecedented zone of legal peril. Nuisance level fines are unprecedented in this country. The triggers to fines will be so low that every business that engages in electronic direct marketing will be at risk if the recipients of their messages complain en masse.
Do people complain en masse? Sure they do. ICO tell us every year that complaints are increasing. And, of course, it would be easy for pressure groups to drum up significant volumes of complaints. The initiative launched by Max Schrems in his Austrian litigation against Facebook is a good example of this dynamic. There are plenty of others.
And where should the lowering of the threshold end? If it is right to lower it for direct marketing, what about for other data protection matters? Security breaches are more serious than direct marketing problems, aren’t they? Well that depends on your point of view, but why not impose nuisance fines for them? What about data accuracy? Or how about international data transfers? Aren’t many thousands of people irritated by the transfer of their data to foreign jurisdictions?
The ICO might be right in its case. Or it might be wrong. That’s not the point of this analysis. What is sure, if the ICO is right, is that data protection regulatory risk will increase exponentially. That’s something that data controllers everywhere ought to be aware of. This is part of the ‘Regulatory Bear Market’ that I keep talking about.
Of course, a simple retort to these concerns is that no one acting lawfully will be fined. That’s correct, but the realities of direct marketing, data protection, regulation and enforcement are somewhat different from the purely theoretical aspects. When the totality of the situation is considered, a number of core realities become visible. For instance, there isn’t yet a bright line test to enable people to be sure whether they are acting on the right or wrong side of the law. Consider the recent debates about the meaning of consent for the setting of cookies and you’ll see that an authoritative consensus view hasn’t yet emerged. Also, consider the realities of databases and data acquisition: legacy systems, old data, aged consents, list broking, mergers and acquisitions, joint ventures. How many organisations are certain of their consent profiles for all aspects of marketing? Also, consider the corporate attitudes to monetisation. How many want to ‘push the envelope’, or want to abut the ‘creepy line’? These are just some of the many difficult aspects of data controllership that feed into assessments of lawfulness.
In other words, the organisations that will be vulnerable with a lower threshold for fining will be many more than the deliberate, industrial spammers.
What we are seeing in these cases is the next stage of development of the ‘Bear Market’ for privacy, data protection and security. A Bear Market is a time of negative sentiment, pessimism and loss of confidence, the opposite of a Bull Market, when optimism is rising. The negativity in the environment stems simply from a trust problem. People do not trust what is happening to their data. The first stage in the development of the Bear Market was the ‘Regulatory Bear Market’, when the cudgels against bad data processing were taken up by the data protection authorities and other regulators, who have made more frequent use of their powers of intervention, investigation and enforcement to challenge and censure bad data processing, while at the same time campaigning for more and tougher powers. As awareness levels around privacy issues and data breaches have increased, the regulators have been joined by pressure groups, individuals and businesses in the contentious aspects of the law.
This is a natural part of the cycle of development of the law and we will reach a point relatively soon when disputes and litigation over privacy, data protection and security are just part and parcel of doing business, as has happened in so many other areas of the law.
Putting it another way, how many sane business leaders now scratch their heads, in ponderance about the risk of employment or health and safety disputes and litigation? Obviously, the answer is none. Everyone sane accepts that if you run a business, you will need to insure or protect yourself against employment and health and safety litigation problems. Eventually, the same attitude will prevail for privacy, data protection and security.
Yet despite knowing that they are sailing in treacherous waters, many data controllers are simply not yet ready for the contentious environment. There is a feeling that many will not see the iceberg before it’s too late to take evasive action. Reflecting again on the Google ‘right to be forgotten’ case, there is an increasing sense that they did not see the outcome as being remotely likely and that they were taken by surprise by the court’s decision. They knew they were in treacherous waters, but the first time they saw the ‘berg was at the point of the judgment being handed down, after which they were stunned into silence for a few days, which was followed by a defeated public sigh of compliance. Google’s positions on controllership and establishment had been truly holed by the privacy iceberg and the regulators are taking increasing advantage.
There are many steps that controllers can take to improve their positions and to lessen their exposures to contentious business. The way security and security breaches are handled in some organisations could not be worse if deliberately designed that way: ‘smoking guns’ are liberally sprinkled around audit reports, internal reports and memoranda (and every regulator and litigator knows this and where to look) while the benefits of legal privilege are ignored, or shunted into the sidings. Really risky projects, like ‘Binding Corporate Rules’, are regularly undertaken without the slightest consideration of the contentious exposures that are created, such as grants of regulatory audits that, sooner or later, are going to be used against the controller.
The prudent captain of a ship traveling through treacherous water will keep a proper lookout for the icebergs ahead and around. In this Privacy Bear Market, the prudent controller will consider the contentious risks and will plot a course around them. Those that do not will hit the bergs and they will be holed. The fights around privacy and security are only going to be more frequent and tougher. It is best to be ready.
Many lawyers will have had a restless night’s sleep following the Information Commissioner’s warning yesterday that he has us in his spotlights due to a recent increase in security breach notifications by the profession. While his press release refers to both barristers and solicitors being at risk, his reference to legal professionals who ‘also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home’ and his work with ‘The Bar Council to update the Information Security Guidance provided to Barristers’ seem to suggest that it’s our bewigged friends who have the most immediate cause for concern.
The reality is that data protection risk is not the same throughout the legal profession. Many solicitors and barristers have very little to do with client personal data in their daily practices. Corporate lawyers, commercial litigators and the like aren’t processing much client personal data at all. For many of them, the most they will touch on a daily basis is email addresses. The picture is very different for personal injury lawyers, employment lawyers, family lawyers, criminal lawyers and general litigators. Their practices will churn through some of the most sensitive personal data imaginable. As a guide, the further the lawyer is from massive City practices, the greater is the probability that they will be within the regulatory scope. This means that individual lawyers, like barristers, sole practitioners and smaller high street firms are carrying the greater regulatory risk. It follows, perhaps, that the regulatory burden is inverse to the ability to carry it or discharge it.
But security risk and regulatory risk is not just about data protection. The Solicitors Regulatory Authority (SRA) has warned in a number of recent guidance papers that security risk gives rise to confidentiality risk and, of course, the maintenance of client confidentiality is one of the sacrosanct principles within the professional Code of Conduct. So, a security breach at a law firm affecting non-personal client data might put the law firm into conflict with its professional regulator, regardless of the position under the Data Protection Act. Similarly, if security breaches affect the resilience of the law firm, that can be a regulatory problem under the Code of Conduct.
A similar warning to the Commissioner’s was sounded at the beginning of the year, in relation to cyber security. The publication of the government-backed ‘Cyber Security in Corporate Finance’ report underscored the fact that insecure law firms constitute one of the weakest links in the City, the economic engine room of the country. This message is understood by both the SRA and The Law Society, so it’s easy to see the ramifications for City lawyers.
Similarly, corporate clients are hearing and heeding the messages of security and many are starting to ask questions of their legal advisors about the resilience of their businesses. The last thing a FTSE company wants to do is to put its sensitive commercial data or intellectual property into an insecure bucket. Lawyers are just one component within the commercial supply chain and they get no special privileges or special pleadings just because they are trusted advisors. They have to be secure, just like everyone else.
The Information Commissioner’s warning yesterday is part of a troubling trend for lawyers everywhere. Whether or not we deal with personal data, the point is the same. The legal obligations for security are as real in the legal profession as they are everywhere else.
I’m deep in the process of writing my new book at the moment. It will be the second edition of my last book, ‘Butterworths Data Security Law and Practice’, which was published in late 2009, but it will be renamed ‘Butterworths Cyber and Data Security Law and Practice’, reflecting the crashing way that the topic of cyber security has risen to prominence here in the UK and internationally. I did refer to the topic of cyber security in the first edition, of course, but the discussion did not fill even one page! In contrast, the second edition will be dominated by cyber security.
Shortly after publication of the first edition I put together a short movie, to get across some of the key ideas within my argument that there is a new legal framework for data security. Watching the movie this morning, I was struck by just how far the law has progressed in four short years. The key ideas within my argument still hold good and it’s clear that the trajectory of law making remains the same as it was back then, but what has happened is that the law has moved forward in a substantive sense. For instance, transparency through breach disclosure is now the norm and will soon be compulsory for the entire economy, if the General Data Protection Regulation completes its journey into law. Security breach fines are now routine events. The government’s policy framework continues to extend its tentacles further and further into the ordinary business of security. Disputes and litigation are becoming more common by the week.
I’m putting together an updated version of the movie right now, but here’s the original.
Here’s a short movie from PwC’s fantastic cyber security team, seeking applications from people who want to join them. What are you waiting for? If you want to apply, click here.
The UK’s national cyber security strategy, published in 2011, has significant legal effects. Building upon the country’s first national strategy, published in 2009, it has borne much fruit, within which the seeds of new legal obligations for cyber security are found. Many of these seeds of new law have germinated into strong saplings, some of which are growing fast.
The idea that the UK government is creating new legal obligations for cyber security may be a surprising assertion, seeing that the government is lukewarm (at best) in its attitude towards the EU’s ambitions for a Cyber Security Directive, but legal effects do not always need legislation. Law is built in many different ways.
The common law provides one of the most fertile grounds for the growth of new legal duties. Case law in this country already tells us that where an equitable duty of confidence exists for confidential information, a parallel duty of care for security can co-exist, within the common law tort of negligence. The tortious duty for security wraps a legal envelope around the confidential relationship, to require the taking of security measures to help preserve the confidentiality of the information. If the confidential information exists in ‘cyber space’ (as most electronic information does), then the duty for security can be properly called a duty for cyber security. When cyber security law is viewed in this way, it becomes obvious that the UK national cyber security strategy is having legal effects in this area of the law, due to its programme for awareness-raising, including at Board level and within the general population (these aims are served by projects such as the FTSE 350 Cyber Governance Health Check and the Cyber Streetwise campaign, as well as through the alerts issued by CISP and CERT-UK). One of the foundational requirements for the creation of duties within the tort of negligence is that risks and harms should be foreseeable. Awareness-raising addresses this requirement head on. Due to the government’s work it is now harder than ever for organisations to deny that cyber threats and harms are foreseeable.
Contract law is just as fertile a place as the tort of negligence for the development of legal duties for cyber security. Contract law has long recognised the existence of implied terms, which fill the gaps between the lines that are actually written down and signed. One of the reasons to imply terms into contracts is for business efficacy. When business is done in cyber space, or in reliance upon cyber space, it is now easier than ever before, because of the government’s awareness-raising, for the Boards of business to foresee that their businesses can be interrupted because of cyber insecurity. Contract terms will not be implied if they are not truly necessary, however, nor will the law want to create a contractual duty to guard against all force majeure events, but there are endless situations where implied contractual duties for cyber security will exist as a matter of necessity. Any business providing Cloud services, or data storage or data processing services will be in this category, as will any other business that handles confidential information as part of its core services. Any businesses providing financial services, health care services or insurance services will be caught in this category also. So will every IT security company. So will professional services businesses like law and accountancy. So will businesses supplying services to IP-rich sectors, such as the media, engineering, pharmaceutical and manufacturing.
The government has also made it easier to understand the details of the legal duties to be cyber secure, through its work on the development and promotion of professional and industry standards and benchmarks for cyber security. Platform initiatives within the national strategy, such as the Cyber Essentials Scheme, CBEST and the research commissioned from PwC on standards frameworks, help organisations to roll out controls and measures for cyber security in methodical ways that build upon the consensus of professional opinion in this area. The common law for matters of expertise will always turn to the consensus of professional opinion to clarify the nature of obligations and to determine issues of liability. The government has enriched that part of the law through its work. The detail of the law is much clearer now than it was just 3 years ago.
The government is also using ‘soft law’ powers to encourage organisations to become cyber secure. The Cyber Essentials scheme contains the message that government procurement will focus on adherence to the scheme. This is a clever and subtle approach to law making that utilises the incentive of taxpayers’ money to change behaviours. It achieves everything that legislation can achieve, but not in a way that ruins the government’s ‘low regulation’ credentials. This soft law approach also weaves into the common law, as norms of behaviour provide benchmarks for judging whether the common law has been breached.
Similarly, the benchmarks of behavioural norms feed into the regulatory law space. Statutory regulators, like the Information Commissioner, have already taken substantive steps into cyber space. The Commissioner has imposed two financial penalties for cyber security breaches affecting personal data (and many of his other data security fines concern cyber space). His work is getting easier by the day, due to the government’s awareness-raising and its impressing of the benchmarks into the mass consciousness. Professional regulators like the ICAEW and The Law Society have engaged with the national strategy through their participation in the ‘Cyber Security in Corporate Finance’ initiative. The Solicitors Regulatory Authority has embedded the government’s ’10 Steps to Cyber Security’ into official regulatory guidance. The government has also corralled the Critical Infrastructure regulators into the national strategy, who issued their Joint Communique in February. Thus, the national strategy is helping to make new regulatory law.
I said at the beginning that legislation for cyber security is not necessary to create new legal obligations, yet the government has moved into cyber regulation nonetheless. The new Data Retention and Investigatory Powers Act creates new security obligations for communications and internet companies, which are policed through new compulsory audit powers for the Information Commissioner. In the recent Queen’s Speech the government also said that it would amend the Computer Misuse Act, to make it more relevant to the current realities of cyber security offences. If the EU reform process completes, there will be new cyber security legislation in the UK flowing from the Cyber Security Directive, the Payment Services 2 Directive and the Electronic Identity Directive. The General Data Protection Regulation will also see some legislative changes. Likewise, so might the legal challenges to RIPA, Prism and Tempora, which are currently before the Interception of Communication Tribunal and the European Court of Human Rights.
Yes, cyber security law is developing fast and much of the momentum is generated by the national strategy and the government’s work in rolling it out. Businesses and other organisations need to apprise themselves of these realities, because legal duties come with legal liabilities. The law will soon develop even stronger consequences for cyber insecurity.
Note: The government’s key policy documents are found in the Law and Policy page of this website, under Resources.
This fantastic short movie shows the refurbishment of PwC’s flagship premises in London. This is where my new office will be in a few weeks’ time. I can’t believe that I’m going to be working in the best office in London. It’s also the world’s best for sustainability!