Thursday 15 November 2018

Data protection in the EU-UK Withdrawal Agreement - Are we being framed?

A few weeks ago, TJ McIntyre of University College Dublin and Digital Rights Ireland alerted us to a little-noticed section in the UK Information Commissioner’s guidance on international data transfers under the GDPR that advises controllers that they "are only making a transfer that is restricted under Chapter V of the GDPR (Transfer of Personal Data to Third Countries or International Organisations), if they are sending personal data, or making it accessible, to a non-EEA receiver to which the GDPR does not apply".

The ICO’s General Counsel, Ms. Emma Bate, has then apparently explained this guidance to mean that “a transfer of personal data outside the EEA is not restricted by Chapter V of the GDPR, if the data, when held by the non-EEA recipient, is still protected by the extra-territorial scope of the GDPR. The rationale being that no additional protection is needed as the GDPR still applies, so this is not a transfer outside the protection of the GDPR.”

Now, this was an odd thing to say, even then, given that it would effectively authorise data transfers from inside the EU to any big non-EEA internet provider qua the extra-territorial provisions of Article 3 of the GDPR without any need for those providers to either be established in a country that provides adequate protection, or use one of the appropriate safeguards, or rely on one of the derogations in Article 49.

Which sounds like absolute nonsense if you take into account the wording of Article 3 of the GDPR, which quite clearly states that its territorial application only extends in this way where the processing activities themselves are related to either the offering of goods or services or the monitoring of data subjects' behaviour. The territorial scope provisions do not therefore create a "mini-safe harbour" for those controllers for all manner of other processing and it is unlikely that this was what the legislator had in mind when adopting that provision.

TJ duly made an FOI request to the ICO to find out more and was recently bequeathed a reply that explained…absolutely nothing.

As oddities go in these turbulent times, this was maybe not the oddest we have come across, and Matron put it out of her mind until this morning when she had a look at the data protection provisions of the draft EU-UK Withdrawal Agreement. 

Which provides in Article 71(1) that:

“Union law on the protection of personal data shall apply in the United Kingdom in respect of the processing of personal data of data subjects outside the United Kingdom, provided that the personal data

(a) were processed in accordance with Union law in the United Kingdom before the end of the transition period; or

(b) are processed in the United Kingdom after the end of the transition period on the basis of this Agreement.”

And all of a sudden, everything seems to make so much more sense!

Because, if we take those two things together, the implications for the UK (and EU data subjects) could be highly interesting.

Let's say the ICO’s guidance is accepted by the Commission, the EDPB and/or the DPAs of other member states.

And let's further assume that - at least for the period of the transition period - the GDPR still applies in the UK to the processing of EU data subjects' personal data. Which it arguably does under Sections 2 and 4 of the Data Protection Act 2018 (with a few exceptions here and there).

So, would this be a way to ensure that, in practice, the UK does not acquire full “third country” status under Article 44 of the GDPR on leaving the EU on 29 March 2019 but that, instead, 

  1. its controllers can continue to receive personal data from inside the EU, at least during the transition period, without a need to put in place one of the Chapter V routes (adequacy, appropriate safeguards or one of the derogations);
  2. those data transfers would be outside the jurisdiction, at least with regard to Chapter V compliance, of the CJEU, which might otherwise want to take a look at the UK's dubious electronic surveillance laws as part of a Schrems-like challenge?

If so, this would be an extraordinary fudge of the EU legislative framework that deserves detailed attention by civil society and the regulators, given that it would not only give the UK and the EU ample time to negotiate an adequacy agreement as part of the final trade deal, but that the repercussions of this fudge would likely be felt way beyond UK borders and well into the future.

Should we be worried?

Monday 23 July 2018

A fool and their data are easily parted: Is "data portability" really all it's cracked up to be?

Last week, Microsoft, Facebook, Google and Twitter announced plans to introduce a new open source initiative for consumer data portability, called the Data Transfer Product. A noble endeavour, many will argue, which obeys both the letter and the spirit of the new data portability requirement in Article 20 of the GDPR. That Article requires data controllers to transmit, under certain circumstances and on the request of a user, that user's personal data to another controller "in a structured, commonly used and machine-readable format" and "without hindrance from the controller to which the data have been provided". Data portability is generally seen as A Good Thing and the industry has long been lambasted for dragging its feet on this on the assumption, made by many, that individual providers don't want to share their users' personal data because they see them as their own business's commercial assets. But, true as that may have been all the way back in the 90s, is that really still the case in today's data-driven society?

Let Matron play Cassandra once again and say that, first of all, a joint project for data portability set up by the likes of Microsoft, Facebook, Google and Twitter is unlikely to be done solely for the benefit of users. A sane and rational part of us knows this, even if that is often the part that we choose not to listen to. But even if you have not yet joined the tribe of the "Incurably Suspicious" of which Matron is a card-carrying member, there are some points to consider here that should be clear to everyone.

You can check out any time you like...

As most of us know, even if given the option, most users will likely decide to share their data with a new provider while continuing to keep that same data on the old provider’s service “just in case”. The online environment is our Hotel California. We don’t “leave” services, we multi-home.

This has been a fact for the majority of people ever since before Viktor Mayer-Schönberger declared, in his book "Delete: The Virtue of Forgetting in the Digital Age", that the (time) cost of deleting [data/online content/communications] has become more expensive at roughly the same time that the (financial) cost of storing that data forever has gone down. And as long as that storage doesn't cost us a penny, most people will ask themselves, what's the harm in also keeping it on the old service, even if we no longer use it? We do it for safekeeping, or because we still use the old service for some purposes (news gathering but not photo sharing) or to communicate with some people but not others (our mothers v our friends, acquaintances or work colleagues). The point is, we mostly don't delete. And they know that.

Which is why any data portability project that focuses on “share and remain” rather than “share and delete” type user behaviour is not only an instrument that empowers users to have control over their data, but also one that facilitates the widest possible distribution - by users themselves - of their personal data between different providers. We’re not “porting” our data in the sense that we take them away from one provider and give them to another. We just duplicate them. It's all about convenience but without necessarily affecting either provider's bottom line.

Interestingly, this was one of the few things that the late Caspar Bowden and I ever disagreed on. I remember a long and heated discussion over bad coffee in some University cafeteria during some conference around 2012 when he told me about his campaign to make data portability a legal requirement. He got ever more enthusiastic, I became increasingly horrified. Because he saw portability as an instrument of user control, I saw it chiefly as a way of conning users into handing out their data to ever more different providers. And quite honestly, what’s not to like from the providers’ POV?

We are programmed to receive

Because one of the best kept secrets of the data economy now is that, contrary to popular belief, personal data is not necessarily a competitive asset. One provider doesn’t necessarily lose out, just because another provider has access to the same data too.

In fact, if the GDPR just allowed this, unfettered ubiquitous sharing of internet users' data between providers could probably be to the commercial benefit of all of them, particularly if it then also allowed for the seamless tracking of all of a user’s online activity by everyone. This is, after all, just the raw data, which they can share. These days, the competitive element increasingly lies in what each of those providers does with those data - and this means their profiling algorithms, their means to combine those data with other data and the subsequent sale of the data product.

Open access proponents already know this. And once commercial providers "got it" too, we saw industry resistance to data portability slowly fade away.

We are all just prisoners here, of our own device

But data portability does much to assist providers in eroding principles like data minimisation, purpose limitation and storage limitation and in getting around the much more annoying conditions of those other legal grounds.

Because user consent is still a binary concept. You have it or you don't. And (depending on how good you are at writing privacy policies) once you have it, it will often allow you to do things with data that you would not otherwise be allowed to do because of restrictions put in place in the context of those pesky other legal grounds - restrictions that were imposed for good reasons that we would do well to remember occasionally.

But a fool and their data are easily parted and “share and remain” data portability is just another way to facilitate the spread of personal data across the internet with minimum fuss and effort - all with the individual user's full knowledge and consent. And therein lies the problem that the GDPR has - as yet - not solved sufficiently.

This could be Heaven or this could be Hell

So is Matron categorically against data portability? No. How can she be? It’s a question of user autonomy after all. But it’s also just another example of why we need restrictions on consent. Because individual users are often not the best judge of what kind of data uses serve them and others well. So if we can’t (or don’t want to) limit users in who they share their data with, we must make sure that we limit what providers can do with those data. 

If we don’t, people will inevitably use this new instrument in the way they always do: for short-term benefit (usually accruing only to them) and against their own and (increasingly) collective or societal long-term interests.

Not for the first time, the fact that Caspar left us so early bugs the hell out of Matron. Just once she would have loved to hear him say, “you were right”.