This is ORG's Policy Update for the week beginning 18/09/2017.

If you are reading this online, you can also subscribe to the email version or unsubscribe.

ORG’s work

Save the date for ORGCon - it will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers so far are Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets are on sale now!

ORG has been preparing a briefing on the Data Protection Bill which will be debated in the House of Lords on 10 October.

Planned local group events:

Join ORG London on 25 September for a talk with Joyce Hakmeh about the use of cybercrime laws to criminalise criticism of governments in the Gulf states on social media.

Join ORG Birmingham on 25 September for a workshop on Cybersecurity for ‘real people’ on Monday 25 September. The workshop will offer practical cybersecurity advice that can be applied in daily life. The workshop is not just for digital geeks!

Join ORG Glasgow for a free screening of The Internet’s Own Boy on 2 October. The Internet’s Own Boy tells the life story of programmer, writer, political and internet activist Aaron Swartz, an internet pioneer and free speech campaigner. Following the screening, Scotland Director Matthew Rice will be available for a discussion and will give information about how to get involved in initiatives in Glasgow and Scotland.

ORG Cambridge would like to invite you to join them for their monthly meetup to discuss: the current state of digital rights, what we've done in the past month, and what we are planning to do in the upcoming months.

Official meetings

Javier Ruiz attended a meeting with EDRi and other civil society groups in Brussels regarding the implementation of the General Data Protection Regulation.

Jim Killock is giving a presentation to participants in the VOX-Pol project on online political extremism in The Hague.

UK Parliament

DPBill

Following the last week’s introduction of the Data Protection Bill in the House of Lords, the Government published several factsheets summarising what the DPBill will change for the law enforcement, national security, and general data processing.

The DPBill is the implementation of the EU’s General Data Protection Regulation which should be in place across the EU Member States by May 2018.

The Second Reading of the Bill is scheduled for 10 October.

The new Bill will make changes to consent given to data collecting and processing allowing only unticked opt-in boxes to signify it. It will also place restrictions on children consenting to data collection and processing without parental authorisation under a certain age. Other changes will include the right to have one’s data be “erased” in certain circumstances, changes to notifications of data subjects affected by data breaches. More details can be found in the factsheet on general data processing.

The law enforcement data protection factsheet shows that the DPBill will update data protection laws governing the processing of personal data by the police, prosecutors, and other criminal justice agencies and ensure that criminal justice agencies can continue to share data with the other EU Member States after Brexit.

The national security data processing factsheet gives more detail on how the Bill creates a new framework for data processing, providing for a separate regime to regulate the processing of personal data by the intelligence services.

The DPBill will allow individual data subjects to bring complaints to the Information Commissioner’s Office if their data has not been processed in compliance with the law and demand compensation from data controllers. The GDPR also provided a derogation to the Member States to allow organisations to raise complaints on data processing without a named data subject, however, the UK decided not to implement this option.

Such a provision would allow an independent privacy group to lodge a complaint which would help investigate harmful data processing practices. Affected data subject are not always willing to come forward because they might not wish to be publicly associated with certain companies.

The current data protection landscape could accommodate independent privacy groups that would be able to tackle this gap in consumer protection.

Other national developments

Theresa May calls on Internet companies to remove extremist content at the UN meeting

The Prime Minister Theresa May co-hosted a meeting on preventing terrorist use of the Internet at the United Nations General Assembly this week with French President Emmanuel Macron and Italian Prime Minister Paolo Gentiloni.

May wants Internet companies to develop new technological solutions to prevent extremist content to be uploaded in the first place. The three countries demand that take-downs of extremist material online must occur within one to two hours after posting.

The meeting was attended by several Internet companies including Microsoft, Facebook, and Twitter - they already established their presence on the Global Internet Forum to Counter Terrorism created in June 2017.

Yvette Cooper MP, the chair of the Home Affairs Select Committee which scrutinised Internet companies on their content removal policies and abilities, criticised YouTube this week over videos containing extremist content that were not taken down after months of being uploaded on the platform.

Cooper commissioned a study which identified and complained about hundreds of extremist videos over the last two months. Of those, 61 far-Right propaganda films and 60 Islamist extremist videos were still live on the site yesterday.

Government calls for views on the DEAct’s data sharing codes of practice

The Government issued a consultation on the Codes of Practice for Part 5 of the Digital Economy Act 2017.

Part 5 of the DEAct gives government new powers to share personal information across organisational boundaries in order to improve public services. It specifies what data can be shared and for which purposes.

The Codes of Practice concern the chapters on public service delivery (debt and fraud), civil registration, statistics, and research. They can be accessed here.

The consultation closes on 2 November. You can respond online following this link.

International developments

EFF pulls out of the W3C over the new web standards

The Electronic Frontier Foundation announced resignation from the W3C over the integration of DRM into web browsers in an open letter to the W3C’s CEO Jeff Jaffe and director Tim Berners-Lee.

W3C started a project in 2013 on “Encrypted Media Extensions” standards for web browsers that would make it possible for video and audio providers to discover and enable Digital Rights Management providers offered by a browser. Essentially, this will make DRM protection of online video content a default setting. The current legislation across different countries criminalises circumvention of DRM measures and the W3C’s proposals for new web standards did not incorporate any protections for accessibility or security research.

This would mean that people who attempt to bypass the browser DRM could be prosecuted for it. The EME standards will also make it more difficult for people with disabilities to change the online video content into a format accessible to them.

Since there are no arrangements for user safeguards, it will be impossible to explore any vulnerabilities in the EME standard. It will create additional challenges for new entrants to the market and inadequate specification for the Open Web. The standard will also create difficulties in supporting the specification in free software projects.

The EFF, as well as other members of W3C, raised all of these concerns but the project was backed by the W3C’s largest corporate members and leadership. The EFF proposed a compromise where W3C would deter their members from using DRM circumvention laws in connection with the EME except in combination with another cause.

Such a compromise would allow entertainment companies to enforce their copyright while not cracking down on legitimate activities such as research and modifications. This compromise was rejected.

As Cory Doctorow, on behalf of the EFF, notes in the letter

”W3C bequeaths a legally unauditable attack-surface to browsers used by billions of people. They give media companies the power to sue or intimidate away those who might re-purpose video for people with disabilities. They side against the archivists who are scrambling to preserve the public record of our era.”

Questions in the UK Parliament

Question on cybercrime

David Simpson MP asked the Minister for the Cabinet Office what plans they have to review the UK cyber-security capabilities.

Caroline Nokes MP responded that the National Cyber Security Strategy sets out objectives for defending against cyber threats, deterring adversaries, and developing skills.

Question on the IPAct’s Technical Advisory Panel

Lord Paddick asked the Government what the composition of the Technical Advisory Panel established under the Investigatory Powers Act 2016 would be.

Baroness Williams of Trafford responded that the Investigatory Powers Commissioner Lord Justice Fulford will decide upon the composition of the Panel and appoint its members.

ORG media coverage

See ORG Press Coverage for full details.

Staff page