This is ORG's Policy Update for the week beginning 20/03/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

ORG has been working on a paper about UK-US intelligence sharing.

We started a series of local group talks on the Espionage Act. The most recent ones were held in London with ORG’s Pam Cowburn and in Birmingham with Jim Killock.

The threat of 14 years in prison for handling classified and secret documents could stop journalists and whistleblowers from exposing corruption and government wrongdoing. Sign the petition!

Planned local group events:

Join ORG Aberdeen on Thursday 30 March to learn how to protect your communications and content over the Internet. Everyone can learn, the only thing you need is a laptop or smartphone!

Join ORG Cambridge on Tuesday 4 April for their monthly meetup to discuss the current state of digital rights, what they've done in the past month and what they are planning to do in the upcoming month.

ORG Brighton is hosting an evening of talks all about the proposed changes to the Espionage Act on Tuesday 4 April.

Join ORG Leeds on Wednesday 12 April to find out from Jim Killock what the new law means for journalists and whistleblowers and what you can do to stop the Law Commission's proposals.

Join a Local Group! Our groups around the country meet with like-minded people to take action on current campaigns and have a huge role in our work.

Official meetings

Jim Killock, Charlie Tunmore and Slavka Bielikova are attending the EDRi General Assembly in Amsterdam this weekend.

Parliament

DEBill

The last two sittings of the Report stage of the Digital Economy Bill were scheduled for this week. Lords discussed age verification and data sharing but made no mention of any potential changes to copyright provisions.

You can access transcripts 20 March here: 1 & 2

The sitting on 22 March did not take place because of the attacks in Westminster on that day. It should be rescheduled.

The list of amendments discussed on 20 March can be found here.

The Third Reading was scheduled for 29 March. It is unclear whether it will take place on this date since the replacement date for the last Report sitting has not been announced.

Age verification

The Government stressed at the beginning of the debate that they do not want to censor the Internet but to protect children. However the amendments passed later did not show any reduction in the powers of censorship given to the age-verification regulator.

Lords accepted Government proposed amendments addressing the criticism made by the Delegated Powers and Regulatory Reform Committee. Despite the Committee’s criticism, the Government did not include an amendment on privacy requirements for age-verification providers. Lord Paddick (Lib Dem) tabled a privacy amendment in his name but when pressed to a vote, the amendment was voted down without Labour’s support.

A number of other proposed Labour and Lib Dem amendments were voted down, including an amendment on setting up an independent regulator for appeals processes.

During the debate, the government minister Lord Ashton said that they aim for the age-verification system to be in place by Spring 2018. If no other amendments are tabled and passed, it appears that the system will be without privacy safeguards and with an unclear division of responsibilities between several regulators and an administrator of the appeals processes.

Lord Ashton also stated that Codes of Practice for age verification were published last week. Unfortunately, these do not appear to be available anywhere online.

Lord Paddick summed up the debate in an opinion piece on LibDem Voice.

This blog post by Jim Killock explains what exactly needs to be changed in the age-verification provisions.

Data sharing

The debate on data sharing provisions continued in a similar manner. The Government passed amendments that tackled criticism by the Delegated Powers and Regulatory Reform Committee.

There were several outstanding questions regarding protection of the shared data and different language used in the Data Protection Act and DEBill. This discrepancy made it unclear whether personal data to be shared between departments could be covered by the Data Protection Act. The Government stated during the debate that the DPA will apply but did not amend the language of the DEBill.

The Government also promised to review the Codes of Practice for data sharing before the EU General Data Protection Regulation comes into force in May 2018 (the UK intends to implement the GDPR fully).

Our blog from last week outlines the outstanding issues that remain after the Government introduced their amendments.

Growing up with the Internet

The House of Lords Select Committee on Communications published a report this week on children and their interaction with the Internet.

The report called on industry to introduce minimum standards of child-friendly design, filtering, privacy, data collection, and report and response mechanisms for complaints.

The Select Committee welcomed the commitment by the major ISPs – BT, Virgin Media, TalkTalk and Sky – to provide child friendly filters; however the Committee also expressed that they do not think filters reach far enough.

The Committee would like to see child filters to be on by default (so far, only Sky has filters on by default). They recommended minimum standards for online filters. These should include a system to manage website overblocking.

Several points of criticism were already raised by the Internet Service Provider Association (ISPA). They consider universal filters on by default to be disproportionate for business and machine-to-machine services.

Additionally, the report also called for school lessons about online responsibilities, risks and appropriate behaviours.

Question on email account service providers

Chi Onwurah MP asked the Minister for Culture, Media and Sport, what responsibility email account service providers have to return data to consumers when their services end.

Matthew Hancock MP responded that the Department expects providers to responsibly manage the way that consumers receive data when their services end. They are also expected to give their customers sufficient notice of the closure of services and oblige by the Data Protection Act.

Question on data sharing

Justin Tomlinson MP asked the Minister for the Cabinet Office, what estimates they have made of potential savings arising from increased data sharing and whether they recently assessed efficacy of data sharing across government.

Chris Skidmore MP responded that the Government Transformation Strategy includes an assessment of how data sharing could be made more efficient. The potential of data sharing to save time and resources was analysed as part of the data sharing measures in the Digital Economy Bill. Industries outside of the public sector are also supposed to benefit by being able to lower their costs.

Question on health data research

John Baron MP asked the State for the Health Department, what assessment he has made of the potential effects of the EU General Data Protection Regulation (GDPR) on the availability of data for research in the health sector.

Nicola Blackwood MP responded that the Department fully engaged with the health and research sector to ensure beneficial application of the GDPR. The Department have set up a sub-group to examine the impact. The sub-group is hosted by the Wellcome Trust and includes the Health Research Authority’s confidentiality advisory group, the NHS Confederation, the Medical Research Council, the Department of Health, and the PHG Foundation.

Question on databases

Craig Tracey asked the MInister for the Cabinet Office, what steps they are taking to facilitate effective data-sharing across government.

Ben Gummer MP responded that more effective data sharing will be enabled by new provisions in the Digital Economy Bill. Additionally, the Government Transformation Strategy sets out specific opportunities for improvements which will be overseen by a new Chief Data Officer and a Data Advisory Board.

Question on trade agreements and data sharing

Barry Gardiner MP asked the Secretary of State for International Trade, whether he plans to include cross-border data flows in a future trade agreement with the US and the EU.

Mark Garnier MP responded that they are considering a range of options. Garnier said they will consider carefully how best to maintain the ability to share, receive and protect EU data with other EU member states. They aim to do the same with the transatlantic relationship.

Other national developments

IPAct implementation

The Home Office posted a tender (link 1, 2, 3) on the UK Government Digital Marketplace calling on businesses to help develop a new independent communications data authorising body. This tender suggests that the Government has acknowledged that they will have to make changes to technical capabilities.

The tender stated that:

“The ECJ has recently upheld an appeal which challenges the current UK communications data retention and acquisition regime.”

The judgment from the European Court of Justice (ECJ) set criteria for data retention in national law, requiring independent authorisation. Up until now it was unclear whether the Home Office had any plans to make practical arrangements according to the judgment.

These steps taken by the Government are welcomed but they also show the lack of transparency in their approach. Matters such as these should be discussed in Parliament.

The ECJ set out several criteria for access to communications data. These include independent authorisation, circumscribed to serious crime, notification to those affected and restrictions on data being sent outside the EU.

The Court also ruled generalised data retention unlawful and said retention should be targeted.

It is unclear if and how the Government plans to ensure that UK legislation meets all of these criteria.

Local authorities unprepared for GDPR

The Information Commissioner’s Office conducted a survey among councils in the UK and found that many were not prepared for the stricter regime to come under the General Data Protection Regulation in May 2018.

The survey results showed that many local authorities failed to even hire a data protection officer. This will be a requirement under the upcoming legislation. The results also revealed that only half of the surveyed councils are ensuring that third-party data processors have contractual obligations to meet security criteria.

The ICO found it worrying that staff do not have sufficient knowledge about data protection as this has been the cause of previous information security incidents in the local government sector, according to the ICO.

Biometrics Commissioner’s response to Home Office

The Biometrics Commissioner Paul Wiles responded to the Home Office review into the retention of custody images.

The Government previously proposed that police force is to be required only to consider requests for deletion of custody images of people who have not been convicted. The Commissioner said that capturing, storing and searching such images is intrusive to individuals’ privacy.

Wiles stressed that

“there is a need to ensure that the use of facial images is within a governance framework that strikes an acceptable and proportionate balance between public benefit and individual privacy.”

He urged the Home Office to introduce a “presumption in favour of deletion” and a “strong presumption” in cases of under 18s. Police should still have the possibility to refuse an application for deletion.

The Government’s proposal would leave the process of decision making in the hands of police. This is particularly risky because facial images are no longer used merely for custody purposes but they are also used by police in public places.

The Commissioner concluded that

“Future public confidence might require a greater degree of independent oversight, transparency and assurance than is proposed.”

Europe

Copyright Reform report

The European Parliament's Legal Affairs (JURI) Committee discussed a draft report on EU Copyright Reform this week. The report by the Rapporteur Therese Comodini Cachia pushed back against several proposed articles in the upcoming legislation.

The proposed Directive on Copyright in the Digital Single Market contains measures restricting the reuse of press content online and forcing platforms to censor user uploaded content. These measures predominantly favour media companies rather than in support of a stronger European digital sector.

The report proposes the deletion of the Commission’s proposal for a new right for publishers that would establish fees for the use of snippets of articles in search engine query results. Comodini rejected the argument that the Internet is intrinsically damaging to the press.

Instead, she proposed a sensible amendment that would give press publishers legal standing to represent authors and sue in their own name to protect the rights of the authors.

Comodini also proposed to amend Article 13 of the Directive. The article sets out obligations for online platforms to monitor and filter user content. The report recommends restricting these obligations to ensuring that agreements are concluded with rightsholders for the use of their works. Online platforms would not be forced to prevent the availability of user-uploaded materials that breach copyright on their services.

The report further stressed that copyright exceptions must be respected in any measures implemented and users should have access to a court to challenge incorrect enforcement.

Javier Ruiz explored in more detail in a blog what other potential problems there still could be if the Directive remains unamended.

The draft report will now be open for amendments by MEPs from the Legal Affairs (JURI) Committee until 30 March.

ORG media coverage

See ORG Press Coverage for full details.

Staff page