Monday, June 21, 2021

Sharon Horgan does the Coronavirus care homes maths

The BBC has finally had the guts to criticise the UK government handling of the pandemic.

Not BBC news operations which is as craven and as terrified of the Tory government as ever.

But BBC drama, in Dennis Kelly's excellent Together, with terrific performances from Sharon Horgan and James McAvoy.

Horgan's searing 9 minute monologue on the government's appalling incompetence and culpability in the killing of care home residents should be compulsory viewing. 

Horgan's unnamed character's mother dies, having contracted Covid-19 at her care home.

Hogan's avoidable care home tragedy dialogue starts 49 minutes and 51 seconds into the iPlayer version of Together

"I can't escape the feeling that my mother didn't die.

She was killed.

The problem is that people don't understand the word 'exponential'. They think it means 'a lot' or quite fastly, like you see it on TV, you know or in bad sci-fi movies. Good God this alien mass is growing exponentially. And you think: Yeah, that's a lot but, em,  it;s worth taking the time to understand the mathematics of exponential growth.

Right. So you, eh, you start with 1 and you double it, say, every 3 days... you, you you're doubling it every 3 days. So by the end of the first week you've got 4. 1 has become 4 in, in a week. And by the end of the 2nd week, you have 16. By the end of the 3rd week you have 128. And, as the month draws to a close, you have 512.

After just 4 weeks.

Ok. So that a lot more than 1 but, you know, no so much. But if you carry on, the 5th week gives you 2048. the 6th gives you 8192.

The 7th

The 7th gives you 65,536.

The 8th gives you 262,144.

And if you go one week more, pretty much as near as dammit to the... to the, to the two calendar months from when this whole thing started, you get one million, forty eight thousand, five hundred and seventy six (1,048,576).

So the difference between the start of the 1st week and the end of the 1st week is 4.

And the difference between the start of the 9th week and the end of the 9th week is 786,432.

So, the same amount of days.

Hugely different numbers.

This isn't an illustration of coronavirus, by the way. This isn't what actually happened. You know we didn't quite go 9 weeks before the 1st lockdown. There wasn't just one person who brought it into the country. There was probly as many as 1,300 patient zeroes and this doesn't take into account, you know, pre-lockdown efforts to to battle the virus, track and trace, people changing behaviour.

Wha what actually happened is far more complex than what I've just done. What I...what I've just done is illustrate the word 'exponential' an' it and it doesn't mean 'quite fastly'. What is means is...what it means is timing matters.

I... it's said that if we'd locked down 1 week earlier, just 1 week, that we could have saved twenty thousand (20,000) lives. So it seems to me that the word exponential is not understood. But I've just explained it to you in...

[at this point she turns to McAvoy who provides a time check from his mobile phone]

... 1 minute 34 seconds.

And, you geddit... right? It's not that hard, is it?

In January 2020, the care provider, Alliance, contacted the Department of Health & Social Care and said "What should we be doing about this new coronavirus?" And they were told "Nothing. Don't do anything different." And they contacted them a week later and said "What should we what should we be doing now? I mean should we be, you know, should we be self isolating, should we be restricting visits from family and or friends? Should we should we like should we wear masks? And this time they weren't told nothing. This time they were told... well this time they weren't told anything. This time they weren't told anything at all.

And it wasn't until a month later...that they were...given guidance. This is, this is the end of February. Now an, an, and the guidance was that they... you do not need to wear masks and it remains very unlikely that people receiving care, in care homes, will become infected.

And I am gonna to... I'm gonna repeat that, I'm gonna repeat that advice for the Department of Health & Social Care: It remains very unlikely that people receiving care, in care homes, will become infected.

You can look that up. There'll still be links for it.

And this is...this is 1 week before our prime minister is walking around just boasting about shaking hands with coronavirus patients.

And then, the Imperial College points out that, if left unchecked, the the virus could kill half a million people and the government are, like,

Oh, Oh fuck...really?

Oh shit. Fuck.

And then, then the panic kicks in.

The NHS is going to be overwhelmed, we're, we're gonna be like Italy. Oh, please God, don't let us be like Italy and ministers order 15,000 hospital beds to be vacated.

And the the guidance given to hospitals is that it shouldn't take more than than 3 hours. So patients are taken out of hospitals and they're, they're dumped into care homes, and and and they're not being tested. Because and again I'm gonna quote here, that "Covid sufferers can be safely cared for in care homes."

So while the, while the the NHS, the burden on the NHS was being so hotly debated an, an, an wh while, you know, the fact that there was no, not enough PPE gear to go around. While all of that was being discussed, the care homes were given next to nothing. I mean, they were given dribs and drabs while the prices shot up.

And , and some local authorities threatened to withhold money from care homes, if they didn't take in confirmed coronavirus patients.

So they were sent into these places like biological warfare.

They, they were like, like, like blankets laced with smallpox. the 1st lockdown, it's said that 40% of the people who died from coronavirus were from care homes. 40%.

So you see, I can't escape the felling that my mother was killed.

And not by a car or a, or a, or a gun, or a knife, or a cricket bat or, even, the virus.

She was, she was killed by stupidity.

She was killed by dumb fuckery.

She was killed by someone looking at something, coming at them at the, at the speed of a freight train. And just being, like, Oh, let's just carry on shall we? Let's just ... you know, it's a, it's a bit, it's a bit fucking Dunkirk spirit. You know. A bit...bit stiff upper lip. Let's just carry on, old man.

And my mother. My, my... mum"

At this point McAvoy's character intervenes and says: "I think that's it" Horgan's character, emotionally drained, continues a little longer:

"Do you, do you remember when we were supposed to lockdown and then we didn't. And then we came out and and they said, you know, don't go to, to, to clubs or, or, or restaurants, you know, unless you bloody well want to or something? That was when Spain an, an, an France and Lituania and Malaysia, they were all locking down."

McAvoy: "Is that it?"

Horgan: "Is that it?"

She then runs out of energy to go on any further. 

Only people whose loved ones died as a result of government Covid-19 negligence and incompetence can truly understand the pain of the loss and the added insult of the complete absence of accountability.

It really is time the mainstream media outfits like the BBC started behaving like a democracy enhancing 4th estate and poured some energy and resources into speaking turth to power and holding power to account.

Congratulations to Horgan, McAvoy, the writer Dennis Kelly, the production team and everyone involved, constructively, in bringing Together to air.

If BBC news remain too scared to do their job, then hopefully the drama side of the institution will continue to step up. Just a reminder, though, from the BBC's own editorial guidelines:

"The BBC is committed to achieving due accuracy in all its output...

The BBC must not knowingly and materially mislead its audiences. We should not distort known facts, present invented material as fact or otherwise undermine our audiences’ trust in our content...

The BBC is committed to achieving due impartiality in all its output...

It does not require absolute neutrality on every issue or detachment from fundamental democratic principles, such as the right to vote, freedom of expression and the rule of law...

We must always scrutinise arguments, question consensus and hold power to account with consistency and due impartiality..."

Thursday, May 27, 2021

Court of Appeal Declare Data Protection Act Immigration Exemption Unlawful

On Wednesday, 26 May, 2021, the UK Court of Appeal issued a decision in The Open Rights Group & Anor, R (On the Application Of) v The Secretary of State for the Home Department & Anor [2021] EWCA Civ 800 declaring the unconscionable immigration exemption in the 2018 Data Protection Act (Paragraph 4 of Part 1, Schedule 2) unlawful.

The case was brought by the Open Rights Group and the3million and supported by the ICO.

The result brought some cheer to a week in which the European Court of Human Rights effectively accepted, in the case of Big Brother Watch & others v UK, that mass surveillance was compatible with the European Convention on Human Rights. The thin edge of a substantial fundamental rights offending wedge. The sole exception, among the 18 judges was Portuguese justice, Paulo Pinto de Albuquerque who, in concluding his dissenting judgment, said:

59. This judgment fundamentally alters the existing balance in Europe between the right to respect for private life and public security interests, in that it admits non-targeted surveillance of the content of electronic communications and related communications data, and even worse, the exchange of data with third countries which do not have comparable protection to that of the Council of Europe States. This conclusion is all the more justified in view of the CJEU’s peremptory rejection of access on a generalised basis to the content of electronic communications , its manifest reluctance regarding general and indiscriminate retention of traffic and location data and its limitation of exchanges of data with foreign intelligence services which do not ensure a level of protection essentially equivalent to that guaranteed by the Charter of Fundamental Rights . On all these three counts, the Strasbourg Court lags behind the Luxembourg Court, which remains the lighthouse for privacy rights in Europe. 

60. For good or ill, and I believe for ill more than for good, with the present judgment the Strasbourg Court has just opened the gates for an electronic “Big Brother” in Europe. If this is the new normal that my learned colleagues in the majority want for Europe, I cannot join them, and this I say with a disenchanted heart, with the same consternation as that exuding from Gregorio Allegri’s Miserere mei, Deus."

I hope to get round to a more detailed assessment of the Big Brother Watch case another time but having been partly consoled by the thought that at least the immigration exemption was toast, a close reading of the Court of Appeal decision led to the unfortunate conclusion that it is still very much alive and kicking.

The short version of the story is that Lord Justices Warby, Singh and Underhill have indeed declared the immigration exemption unlawful but only on a technicality. Essentially the government didn't get all their legislative ducks in a row when passing the law and didn't follow the UK GDPR rules on how to implement a contemptible measure like this. The immigration exemption itself was not thrown out on principle. 

Basically, if the UK government want to implement something like the immigration exemption circumventing data protection rights, they have to do so according to specific GDPR Article 23 rules. They failed to follow the rules, so the exemption is unlawful. 

"29. The argument has been wide-ranging but I would suggest that, if my Lords agree, this appeal can and should be decided on the following short and straightforward basis. There presently exists no legislative measure that contains specific provisions in accordance with the mandatory requirements of Article 23(2) of the GDPR. In the absence of any such measure, the Immigration Exemption is an unauthorised derogation from the fundamental rights conferred by the GDPR, and therefore incompatible with the Regulation. For that reason, it is unlawful. The appeal succeeds on this aspect of Ground 2, and it is unnecessary to reach conclusions on the other issues raised."

For the Brexiters, btw, shouting we are no longer in the EU, the GDPR is indeed directly applicable in EU member states only and applied from 25 May 2018. The UK has exited the EU but the UK parliament decided to keep substantially the same law in place in the UK. As the appeal court judges say at paragraph 12,

"(1) Sections 2, 3 and 6 of the European Union (Withdrawal) Act 2018 (“EUWA”) provided for certain aspects of EU law to remain in force, as part of English law, notwithstanding withdrawal. This is known as “retained EU law”. The GDPR, DPA 2018, and relevant CJEU case-law pre-dating IP completion day all fell into this category. 


” The Immigration Exemption is “pre-exit domestic legislation”. 

(3) A statutory instrument of 2019 made amendments to the GDPR and DPA 2018 with effect from IP completion day. 1 As a result the GDPR, as it applies domestically, is now known as “the UK GDPR”. But the UK GDPR has the same legal status today as the GDPR had before IP completion day. Article 23 is now in slightly amended terms, but the amendments are not material. In Article 23(1), references to “the Union” and “Member State” are deleted and the power to restrict is now conferred on the Secretary of State. There is no change to Article 23(2). The Immigration Exemption is unamended."

So, the judges were free to declare the immigration exemption incompatible with article 23 of the GDPR and article 23 of the UK GDPR and to strike it out.

In paragraphs 14 to 18 the judgment is not exactly complementary on Home Office activities in this area, referring to their extensive use of the immigration exemption to deny people access to their data in 10,823 cases, "authoritative reports that cast doubt on the accuracy and reliability of the Home Office decision-making in the arena of immigration and data protection"  and that "it is clear that the Immigration Exemption plays a significant role in practice as a brake on access to personal data".

When dealing with the original judge's decision approving the immigration exemption, the Court says he relied on UK domestic case law to side with the government and say they were not obliged to follow the black letter requirements of GDPR article 23. In other words he felt the technicalities of article 23 were irrelevant in this context.

The appeal court decided he got this wrong. A clear line of judgments from the Court of Justice of the European Union supports the Open Rights Group, the3million and the ICO argument that the government do have to follow the rules of article 23 if they want to ignore data protection rights in connection with immigration cases. In the Digital Rights Ireland (2014), Tele 2 & Watson (2016), EU-Canada PNR (2017), Privacy International and La Quadrature du Net (2018, decided on the same day), the CJEU was "alert to the risk of over-broad derogations from fundamental rights; requires any derogation from fundamental rights to be justified by proof of strict necessity; and does not consider that this, or the requirement of proportionality, can be satisfied unless the appropriate safeguards are built into the legislative measure."

The CJEU was aware that member states would make end runs around fundamental rights when they felt like it and wanted to set up some hurdles to negotiate if that was the aim. And the UK government's argument that we should not worry our little heads about them taking away the rights of people because, like, they can always try another law if they are worried, didn't pass muster with Lord Justice Warby and his two colleagues.

"48. As I have indicated, however, I would prefer to decide this case on a narrower basis. I do not believe Article 23 should be construed as merely requiring the state to provide a general legal framework that contains guarantees of necessity and proportionality, and other safeguards. That might be a legitimate interpretation of Article 23(1), if it stood alone. But our analysis must reflect the fact that when updating and strengthening EU data protection law in the GDPR the legislature chose to depart from the approach to derogation that it had adopted in Article 13 of the Data Protection Directive. It particularised the requirements of Article 23(1), at some length, and in some detail, in Article 23(2). It seems to me that the respondents’ argument fails to explain or account for this and, in the process, leaves Article 23(2) with no significant purpose or function. In one sense, Article 23(2) clearly does provide a checklist. But I do not consider it plausible that Article 23(2) was intended to amount to nothing more than a sort of high level aide-memoire to the state about the kinds of matters it should have in mind when deciding whether to derogate from fundamental rights, in pursuit of one of the specified aims. The checklist is cast in mandatory terms, and calls for “specific” provisions. Sir James’s submission that these “specific provisions” can be found in general principles of human rights or administrative law, or in existing Articles of the GDPR is unconvincing. Article 23(2) itself – on the face of it – requires them to be contained in “any legislative measure referred to in paragraph 1

49. It may be that this wording is not to be read entirely literally; but it is remarkably specific and surely must be given some meaning. At any rate, in my judgment the better view, in the light of the CJEU jurisprudence, is that Article 23(2) requires any derogation to be effected by a “legislative measure” that is tailored to the derogation, legally enforceable, and contains provisions that are specific to the listed topics - to the extent these are relevant to the derogation in question - precise, and produce a reasonably foreseeable outcome. It can, I think, be said that this interpretation follows from the CJEU decision in La Quadrature. As I read that decision, the Court adopted and applied in the context of Article 23 of the GDPR the body of jurisprudence it had built up over the preceding years when dealing with Article 15 of the e-Privacy Directive and the Data Retention Directive. More generally, in this respect the Luxembourg jurisprudence and the language of Article 23(2) seem to me to be broadly if not precisely in step. The CJEU has repeatedly rejected submissions to the effect that domestic legislation should be held to pass muster on the basis that sufficient safeguards could be found elsewhere in the overall legal framework. The language of Article 23(2) seems to me to reflect the lines of reasoning enunciated in Digital Rights Ireland [54] and Tele2 [117-118], and the legislature may properly be considered to have intended an outcome on the same lines. 

50. The essence of the reasoning, as I see it, is that broad legal provisions, such as those that require a measure to be necessary and proportionate in pursuit of a legitimate aim, are insufficient to protect the individual against the risk of unlawful abrogation of fundamental rights. The legal framework will not provide the citizen with sufficient guarantees that any derogation will be strictly necessary and proportionate to the aim in view, unless the legislature has taken the time to direct its attention to the specific impacts which the derogation would have, to consider whether any tailored provisions are required and, if so, to lay them down with precision. This approach will tend to make the scope and operation of a derogation more transparent, improve the quality of decision-making, and facilitate review of its proportionality. To my mind the evidence to date as to the relevant decision-making tends to emphasise the importance of characteristics such as these." 

The good judge also takes comfort to note his conclusions "are consistent with paragraphs 45-46 of the Guidelines 10/2020 on restrictions under Article 23 GDPR published by the European Data Protection Board (“EDPB”)".It is clear that the immigration exemption in the Data Protection Act does not comply with GDPR article 23.

"The Exemption itself contains nothing, specific or otherwise, about any of the matters listed in Article 23(2). Even assuming, without deciding, that it is permissible for the “specific provisions” required by Article 23(2) to be contained in some separate legislative measure, there is no such measure."

What happens next remains to be seen. The Court has declared the immigration exemption unlawful but stopped short of striking it out, declaring the next steps the "subject of separate argument" for another day.

"55. The claim form seeks a declaration that the Immigration Exemption is incompatible with the Charter and the GDPR, and an order that it be disapplied, or alternatively a more limited form of declaration, specifying the conditions under which the Exemption might be lawfully applied. But at the conclusion of the hearing it was common ground that if we were in favour of the appellants the question of what relief should follow our decision would need to be the subject of separate argument...

56. The appropriate remedy in a case of incompatibility is a sensitive matter... Here, I have identified an omission that is, in principle, capable of remedy by measures that amend or supplement the existing provision. In the circumstances, I see merit in the cautious approach of both sides. I would defer a decision on relief, inviting further submissions on that issue in the light of these reasons."

The bottom line is that the reprehensible immigration exemption in the 2018 Data Protection Act is unlawful in its current form but it lives to fight another day. So, with the highest of plaudits due to the Open Rights Group and the3million for pursuing the case (and kudos to the ICO for supporting them), the knowledge that the exemption remains and the government essentially gets a license to reshape it, in a more legally acceptable form, is depressing.

Monday, May 24, 2021

Discriminatory code: R, the academic formerly known as Ray

Issues of digital identity are always complex.

Recently my long-time employer, the Open University, implemented a blanket email format change, incorporating first names in the email addresses of all staff, except for a handful of us who became aware of an option and took steps to opt out. This was done in spite of several prior warnings about the discriminatory effects of such real names policies.

I am deeply disappointed that my university has gone ahead with this policy which I consider is institutionally sexist, racist, anti-LGBTQ, discriminatory against other marginalised groups and wholly at odds with our values.

There is a long history of real/proper/full names policies creating disproportionately adverse consequences for different ethnic groups, women, neurodiverse and LGBTQ people. There are a multitude of reasons why people would choose not to include their first name in an email address and it is incumbent upon the Open University to respect those wishes.

The opt out, incidentally, consisted of those who were concerned, in advance and sufficiently alert to the potential fallout from the imposition of the format change, that, currently, most have neither the time nor energy to expend exhausted cognitive resources upon, engaging, on an individual basis, in DIY human resources system administration to change their preferred first name to an initial, in the requisite field/s.

In essence, I am now known officially, in OU systems, as R, not Ray.

Anecdotally, in two separate Open University Adobe Connect meetings last week, I was explicitly called out by the host/s as someone with a name they could not identify.

"I see there is an R.Corrigan who I don't know..."

"R.Corrigan, I'm not sure who you are..."

Proceedings were more or less paused to invite me to say who I was.

I declined and, on the second occasion, simply left the meeting.

Consider a member of a marginalised community placed in the same predicament.

We know about the discriminatory effects of architecture and built environments.

Communications infrastructure discriminatory effects are also very real and very serious.

The Open University should not be engaging in or perpetuating them. 

There was no intention, on the part of the people at the OU who conceived and implemented this policy or on the part of the University's executives who approved it, to discriminate. However, they were very clearly and repeatedly warned of the issues in advance of the policy implementation. They pressed ahead anyway. Additionally, once such infrastructure is in place, it is wholly irrelevant whether the architects intended to discriminate or not - the discriminatory effects are built in and there is no simple flick of a switch available to negate or reverse them. That is the nature of computer code.

The Open University is a unique and invaluable public service.

I expect much better of this venerable institution.

Friday, January 15, 2021

UKCRC/CPHC/UKRI/BCS policy engagement workshop

I spent the morning at a joint UKCRC/CPHC/UKRI/BCS workshop on policy engagement. There were a selection of interesting contirbutions from Jane Hillston Chair UKCRC, Edmund Robinson chair of CPHC, James Dracott of UKRI, Alastair Irons of the BCS, Chris Hankin of ICL and Chris Johnson, PVC, Queens University Belfast, who was repeatedly described as the hero who does  much of the heavy lifting on policy engagement & consultation work for UKCRC.

James Dracott, Sarah Main of the Campaign for Science and Engineering (CaSE) and chief government adviser, Anthony Finkelstein, particularly focussed on the practicalities of effective policy engagement with really engaging talks.

I liked James's reminder of Wiio's laws of communication.

  1. Communication usually fails, except by accident.
    1. If communication can fail, it will.
    2. If communication cannot fail, it still most usually fails.
    3. If communication seems to succeed in the intended way, there's a misunderstanding.
    4. If you are content with your message, communication certainly fails.
  2. If a message can be interpreted in several ways, it will be interpreted in a manner that maximizes the damage.
  3. There is always someone who knows better than you what you meant with your message.
  4. The more we communicate, the worse communication succeeds.
    1. The more we communicate, the faster misunderstandings propagate.
  5. In mass communication, the important thing is not how things are but how they seem to be.
  6. The importance of a news item is inversely proportional to the square of the distance.
  7. The more important the situation is, the more probable you had forgotten an essential thing that you remembered a moment ago.

Sarah had a great example of CaSE's influence on immigration policy.

Firstly, they asked government to exempt scarce skills STEM areas from the tier 2 visa cap. They produced and coordinated co-signed letters and petitions engaging authoritative other organisations in a broad STEM and business coalition, emphasising the cap was causing problems. They got the media to pick up the cause and it got traction. There was significant pressure on the Home Secretary, Amber Rudd at the time, from a range of issues, not least of which was the Windrush scandal. Ms Rudd then got replaced by Savid Javid. The combination of Windrush, unfilled vacancies in an under-pressure NHS and the CaSE campaign eventually led to government exempting NHS roles from the tier 2 visa cap. Now, post Brexit, The Home Office support for a global talent visa is particularly pertinent to the STEM agenda.

In summary, Sarah concluded that effective policy engagement requires:

1.       A substantive body of evidence underpinning your case

2.       The building of relationships in the policy space

3.       Collaboration with other organisations to work together

4.       Good timing

Policy decisions are multifactorial decisions and we cannot expect to be considered the most important voice but should work to bring evidence-based influence to bear.

Anthony Finkelstein rounded off the morning with a no nonsense collection of ten things to know and do to make a policy impact. Firstly you have to know the politics. Many academics may have soft liberal or left tendencies but must recognise that the current government is Tory. Do not believe what you read in the papers – reacting to newspaper speculation often leads to circular discussion and debate bubbles that don’t make useful contributions. Remember you are one voice amongst many. Be active in being in right place at right time. If the issue is current, you are probably too late. If you are reacting to a research funding call you are a year too late. What is needed is foresight and preparation. Authority and tone count. Speaking with authority of national academies, UKCRC, high quality peer reviewed literature carries weight. A whiny critical tone will not be attended to. Know 'who and where' – know the 'geography of government.' The person handling your material is probably pretty junior. The central civil service is now very thin and very stretched. Junior civil servants welcome help (backed with evidence) not criticism. In government money is in short supply. Everything that happens does so at the expense of something else. Manage your own political capital. If your point is made elsewhere by and with authority don’t repeat it. Leverage other good voices. CaSE are brilliant at this. Encourage your students to become civil servants. It is a rich career. These people are in great demand. They will also make government technological capability better. Use government chief scientific advisers. They have significant influence and can reach directly into Downing St if needed, have regular meetings with Patrick Vallance and can reach their own permanent secretaries when they need to. In short:

1.       Issues matter and service is noble

2.       Know the politics

3.       Do not believe what you read in the papers

4.       Remember you are one voice amongst many … If the issue is current you are probably too late

5.       Authority counts, tone matters

6.       Know who and where. The person handling this is probably pretty junior (and will not welcome criticism but will welcome help, generally evidence)

7.       Money is in short supply – time and people are too

8.       Manage your political capital

9.       Encourage your students to be civil servants

10.   Use the Chief Scientific Advisors


Tuesday, November 10, 2020

UK-Japan trade deal data laundering threat

Upon prompting by the Open Rights Group, I've written to my MP, Layla Moran, about the data laundering provisions of the UK-Japan trade agreement.

Dear Layla,

You may or may not be aware that that new UK-Japan trade agreement includes expansive data transfer clauses posing a threat to our privacy. These provisions essentially create a surreptitious process for your data to be transferred to other jurisdictions with poor data protection records, including the US.

MPs seem to have been deliberately kept in the dark about these measures which amount to turning the UK into a data laundering haven for unaccountable multinational corporations and countries with weak data protection standards.

I would encourage you and your MP colleagues to call for the freezing of these sections of the treaty - as happened with the unconscionable intellectual property chapters of the Trans Pacific Partnership agreement.

The dangerous undermining of UK citizen and other residents' rights is likely to be an ongoing feature of the government's desperate rush to enter into trade deals they can promote as Brexit successes. In these challenging times, significant vigilance will be required on the part of all our parliamentary representatives to protect fundamental rights in the UK.

I this instance I would ask you to ask the government to “freeze data transfer clauses from the new UK-Japan trade agreement”. This will allow the agreement to go ahead but would freeze (stop) the harmful clauses endangering our privacy.

Thank you.

Yours sincerely,

Ray Corrigan

You can find the  UK-Japan Comprehensive Economic Partnership Agreement documents containing treaty information and a summary of the agreement online.

Jim Killock and Heather Burns at the Open Rights Group have prepared a succinct explanation of the issues. The agreement  contains brand new clauses which priotise the “free flow of data” between the UK and Japan, and from there on to other trade partners, over and above data protection rights.

"A “free flow of data” approach would be a radical departure from the current position. Today, UK companies must only transfer your personal data where they can guarantee that you continue to have similar rights over access, correction and deletion of that data. The UK Japan agreement would force the UK to accept lower data protection frameworks, including voluntary self-regulation, as compatible with the UK’s world leading privacy framework, in Article 8.80 and 8.84.

The UK-Japan agreement, together with the UK adequacy decision, would create a “gateway” for your data to flow to other countries that also have “free flow of data” trade arrangements with Japan. Worryingly, this will permit UK data to be transferred to the USA, without it being kept under GDPR-style protections.

Once data is exported from the UK to the USA via Japan under this agreement, your rights would vastly reduce. In the USA, there is no automatic right for you to know where the data is held, or by whom; you cannot prevent resale, reuse, or the data being put to new uses. There is no right to prevent your data from being used in ways that are discriminatory, or unfair. You cannot ask for your data to be deleted. If it is lost, then there is no legal barrier to a third party from obtaining it and using it. And there is no simple recourse to you if your data is breached or sold...

It is likely to prove impossible for the EU to conclude a data protection adequacy decision for the UK while these unrestricted data flows with Japan, and its trade partners are in place. The EU specifically excluded data flows from their trade agreement with Japan. Although Japan has an adequacy decision from the EU, it had to put specific arrangements in place for EU data to stay in Japan.

This stopped the data of people in the EU — including the UK — from being shifted to an overlapping legal regime and freely siphoned off to third countries. This trade deal bypasses both of those safeguards."

ORG also have a more comprehensive briefing on how the UK-Japan deal severs post Brexit data adequacy. (Pdf version available too).

There are also other serious concerns with the agreement, particularly in relation to general monitoring provisions - upload filters like the EU copyright directive's Article 17 - and bans on circumventing DRM/TPM even for the facilitation of interoperability or repair.

Given the Johnson government Svengali Cumming's obsession with eviscerating the controls on the collection and exploitation of big data, an intense and ongoing focus on resisting such dismantling of fundamental privacy and data protection rights is certainly in order.

Tuesday, October 20, 2020

DCMS Review of Representative Action Provisions, Data Protection Act 2018

Upon a prompt from Jim Killock at the Open Rights Group, I've submitted the following response to the Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018 consultation. (Apologies for the repetition in the paragraph about some of the worst breaches of data protection law being attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites.)

[This is the first time I've used the new Blogger interface and I'm not keen. The html interface is particularly dense tiny font and challenging to read/interpret/use]

I didn't have a lot of time, so drew heavily from Jim's own and Dr Johnny Ryan's work on challenging the legality of the adtech industry's architecture and operational practices.

Department for Digital, Culture, Media & Sport Review of Representative Action Provisions, Section 189 Data Protection Act 2018

My name is Ray Corrigan. I am a senior lecturer in the Science, Technology Engineering and Mathematics Faculty at The Open University but I am responding to this consultation in a personal capacity.

I write, in particular, in relation to the department’s examination of whether to introduce new provisions to permit organisations to act on behalf of individuals who have not given their express authorisation.

I am in favour of such provisions.

Chapter VIII Article 80(2) of the General Data Protection Regulation, provides that EU Member States may provide that any not-for-profit body, organisation or association which has been properly constituted in accordance with the law, independently of a data subject’s mandate, has the right to lodge, in that Member State, a complaint with the supervisory authority which is competent pursuant to GDPR Article 77 and to exercise the rights referred to in GDPR Articles 78 (right to an effective judicial remedy against a supervisory body) and 79 (right to an effective judicial remedy against a data controller or processor), if it considers that the rights of a data subject under this Regulation have been infringed as a result of the processing.

The UK government chose not to incorporate this provision into the Data Protection Act 2018, and I would suggest it is important that this now be rectified.

The big technology and associated “ad tech” companies having been running rings round governments and regulators for too long. As Johnny Ryan of Brave points out, in this formal complaint concerning massive, web-wide data breach by Google and other “ad tech” companies under the GDPR,

“Every time a person visits a website and is shown a “behavioural” ad on a website, intimate personal data that describes each visitor, and what they are watching online, is broadcast to tens or hundreds of companies. Advertising technology companies broadcast these data widely in order to solicit potential advertisers’ bids for the attention of the specific individual visiting the website.

A data breach occurs because this broadcast, known as an “bid request” in the online industry, fails to protect these intimate data against unauthorized access. Under the GDPR this is unlawful...

Bid request data can include the following personal data:

• What you are reading or watching

• Your location

• Description of your device

• Unique tracking IDs or a “cookie match”.

• This allows advertising technology companies to try to identify you the next time you are seen, so that a long-term profile can be built or consolidated with offline data about you

• Your IP address (depending on the version of “real time bidding” system)

• Data broker segment ID, if available.

• This could denote things like your income bracket, age and gender, habits, social media influence, ethnicity, sexual orientation, religion, political leaning, etc. (depending on the version of bidding system)

Dr Ryan said “There is a massive and systematic data breach at the heart of the behavioral advertising industry. Despite the two year lead-in period before the GDPR, adtech companies have failed to comply. Our complaint should trigger a EU-wide investigation in to the ad tech industry’s practices, using Article 62 of the GDPR. The industry can fix this. Ads can be useful and relevant without broadcasting intimate personal data”.”

For all their flaws, getting the GDPR and the Data Protection Act 2018 in place as legal infrastructure for regulating the collection & processing was not a bad start. Unfortunately, with few exceptions such as the recent Belgian data protection authority declaration that the behavioural advertising industry has been engaged in routine, systematic, industrial scale, blanket data collection and management practices, in serious breach of multiple provisions of the GDPR from the day it was passed, enforcement efforts have been underwhelming, at best, so far.

Ordinary internet users are almost completely oblivious to the mechanics of the hidden personal data processing adtech architecture behind most websites; and as the Belgian data protection authority have just pointed out, the deployment and operation of that invasive technology is systemically and systematically unlawful. It is almost astonishing that we, commerce, industry & governments enabled it, but we did and it is time to do something about that.

Mass data collection, processing, onward dissemination and storage has become incredibly complex. Relying on individuals to spot misbehaviour and malfeasance in this area and initiate complaints or legal proceedings to reign in an industry out of control, is unrealistic. The woman on the Clapham omnibus simply does not have the expertise, time or resources. Not-for-profit bodies, human rights organisations or other related associations, however, which have been properly constituted in accordance with the law, do have the expertise and understanding, even if, in these difficult times, many are experiencing a shortage of resources. It is more important than ever that such organisations are given the authority in law to raise complaints, independently, about nefarious data collection and management practices. NGOs should be empowered to complain, in the public interest and to protect individual rights, to the Information Commissioner’s Office and complain to the court about controllers, processors or ICO failure.

This power must include the capacity to challenge the Information Commissioner’s Office. In September 2018, Jim Killock of the Open Rights Group and Dr Michael Veale of University College London, submitted a formal GDPR complaint to the UK Information Commissioner about “real time bidding” the core of the industry’s invasive adtech architecture. In June 2019, the ICO gave the adtech industry six months to clean up its act. In January 2020, after six months of substantive inaction on the part of the industry, the ICO threw in the towel and said they would be taking no enforcement action to remedy industry breaches.

Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. The ad tech described in the extract from Dr Ryan above engages in some invisible and deeply invasive profiling. Some of the worst breaches of data protection law are attached to sensitive areas of our private lives, like tracking individual’s use of mental health websites. These areas need to be challenged but often are not because of their sensitivity.

When you visit a website, which delivers ads your personal data is broadcast to tens or hundreds of companies. What you read, watch or listen to is categorised and you are profiled into categories. Some of these are bland e.g. “football” or “jazz”. Some are hugely and outrageously sensitive. The rule making representative body for the adtech industry, the Interactive Advertising Industry (IAB) has, for example, got a “IAB7-28 Incest/Abuse Support” category. Other categories are related to sensitive or embarrassing health conditions, sexual orientation, religious affiliation etc. Google categories include “eating disorders”, political leanings etc.

These tags and profiles and trackers can stick with internet users for a long time and people have no idea of the digital baggage they are carrying round as a result. Such tags are not necessary for ad targeting. They are more a convenience for the industry to make it easier to track and profile and re-identify people. And the obscurity of the whole process, systems and mechanisms make it almost impossible for individuals to exercise their rights under the law, in the UK, the Data Protection Act 2018. We cannot find, identify, verify, correct or delete these digital shadows and profiles. The power differential and lack of transparency make it extremely difficult for individuals to take effective action to rectify unlawful and unethical activities on the part of the requisite industries.

Industry pretend they deal in anonymous or non-sensitive data which is a flat-out falsehood. Detailed, invasive personal profiles are constantly and casually created and traded as people innocently surf the internet unaware of these machinations. Industry treats this as routine business practice. It does not have to be this way and should stop. That mass privacy invasion is routine business practice on the internet does not make it right and it is time to stop it.

There is no great functional difference between adtech and techniques Cambridge Analytica used in an attempt to influence voters but, the Cambridge Analytica story, for a time, entered the realm of short attention span news cycle. The adtech data management platforms are just a longer running, invisible scandal.

It is particularly important, in the case of sensitive personal information, therefore, that qualified NGOs be given the power to bring complaints, independently, to protect individual and societal privacy. Privacy is not just an individual value but the fundamental basis of a healthy society.

A couple of final points before I close – firstly to note the necessary parallels with consumer law and secondly on Brexit.

Consumer law allows consumer organisations to initiate complaints in the public interest on the part of consumers. There is no reason, in principle, why NGOs should be prevented from engaging in an equivalent form of action in relation to consumer privacy.

On the Brexit front the UK in January 2021 will be facing the prospect of getting an approved data adequacy decision from the EU in relation to cross border flows of data. Elements of the Investigatory Powers Act 2016, the Digital Economy Act 2017 and recent government moves to pass the Internal Market Bill mean this could prove difficult. (See e.g. Brown, I. & Korff, D. The inadequacy of UK data protection law Part One: General inadequacy A move to incorporate Article 80(2) of the GDPR into UK domestic law, enabling NGOs and other lawfully constituted public interest organisations to challenge unlawful data collection and management practices, could only help the process of demonstrating the UK, post Brexit, should be held to provide “adequate” protection to personal data.