This is ORG's Policy Update for the week beginning 11/09/2017.

ORG’s work

Following the First Reading of the Data Protection Bill in the House of Lords, we have started preparing a briefing outlining our concerns about the current clauses in the Bill.

Save the date for ORGCon: it will take place on Saturday 4 November at Friends House on Euston Road in London. We have a second smaller event planned on Sunday 5 November in a different location (TBC). This year is all about the Digital Fightback. Confirmed speakers so far are Graham Linehan, Noel Sharkey, Helen Lewis, Jamie Bartlett and Nanjira Sambuli. Tickets are on sale now!

Planned local group events:

Join ORG Glasgow for a free screening of The Internet’s Own Boy on 2 October. The Internet’s Own Boy tells the life story of programmer, writer, political and internet activist Aaron Swartz, an internet pioneer and free speech campaigner. Following the screening, Scotland Director Matthew Rice will be available for a discussion and will give information about how to get involved in initiatives in Glasgow and Scotland.

Join ORG Leeds on 21 September for an evening of talks and discussion where they will explore the current state of digital rights, why they matter and the dangers of mass surveillance to our democracy.

Official meetings

Jim Killock met with John Whittingdale regarding various privacy issues; and with Lord Errol to discuss age verification.

Javier Ruiz gave evidence to the GLA Oversight Committee of the London Assembly. He was on a panel on privacy and the use of personal data with Elizabeth Denham, the Information Commissioner, and Renate Samson from Big Brother Watch. The committee discussed the Met Police face recognition plans, road pricing and mobile tracking by TfL, among other issues.

UK Parliament

Parliament is back on recess as the party conference season is on.

The Data Protection Bill is in the House (of Lords)

The House of Lords read the Data Protection Bill (pdf), (explanatory notes - pdf) for the first time this week. The Second Reading of the Bill is scheduled for 10 October.

The DPBill is the implementation of the EU’s General Data Protection Regulation which should be in place across the EU Member States by May 2018.

The new Bill will change how consent to data collection and processing is given, allowing only unticked opt-in boxes to signify it. It will also place restrictions on children under a certain age consenting to data collection and processing without parental authorisation. Other changes will include the right to have one’s data “erased” in certain circumstances and changes to the notification of data subjects affected by data breaches. The Bill also deals with law enforcement and implements the new EU requirements for data protection law in this area.

The Bill will allow individual data subjects to bring complaints to the Information Commissioner’s Office if their data has not been processed in compliance with the law and demand compensation from data controllers.

Section 173 of the Bill allows data subjects to designate a body or other organisation (which meets specific criteria) to exercise certain rights on their behalf. The GDPR provided a derogation to the Member States to allow organisations to raise complaints on data processing without a named data subject. The UK decided not to implement this option.

This approach to data protection policy will stop many dubious or harmful data processing practices from being investigated. Affected data subjects may often wish not to have their names publicly associated with certain companies. In many cases, they will not realise they have been affected.

In such situations, an independent privacy group should be able to lodge a complaint.

UK national developments

IPT refers bulk data collection to the EU court

The Investigatory Powers Tribunal (IPT) ruled last week (pdf) that the European Court of Justice (CJEU) should decide on the legality of the UK’s mass surveillance legislation in the case brought against the intelligence agencies (MI5, MI6, GCHQ) by Privacy International.

Privacy International has been trying to prevent the government from collecting and retaining bulk communications data (BCD) and bulk personal data sets (BPD). At the latest hearing, the IPT considered whether the collection and retention of BCD and BPD are lawful under EU law, namely the Charter of Fundamental Rights of the European Union and the Treaty of the European Union.

The IPT did not expedite the case to the CJEU, which means that it could take years before the final judgment is handed down.

The Government publishes new National Cyber Security Strategy

The Government published their National Cyber Security Strategy for 2016-2021. The Strategy sets out the Government’s plan to make the UK secure and resilient in cyberspace.

The Government plans to work towards three objectives which they name as:

Defend - to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient.

Deter - to make the UK a difficult target for aggression in cyberspace by detecting, understanding, investigating and disrupting hostile actions.

Develop - to cultivate a growing cyber security industry.

Furthermore, the Government plans on pursuing international action and investing in existing and new partnerships through the EU, NATO and the UN. The strategy relies on the capabilities of the cyber security industry to minimise phishing attacks, filter known bad IP addresses, and actively block malicious online activity.

The Government announced in the strategy that they will launch two new cyber innovation centres to drive the development of cutting-edge cyber products and dynamic new cyber security companies.

IPO plans a crackdown on set-top boxes

The Intellectual Property Office published the new IP Crime Report for the period 2016 to 2017. The report offers a recap of the year’s fight against copyright infringement accompanied by insights from the Police Intellectual Property Crime Unit and Crown Prosecution Service.

The report cites figures provided by the Ministry of Justice showing that only 47 people were found guilty of copyright infringement. The number dropped from the previous year when 69 people were found guilty.

The report hints at more efforts in the next 12 months to target the set-top box threat following the judgment from the European Court of Justice, which ruled that the sale of pre-configured set-top boxes (which allow users to access copyright infringing material) falls within communication to the public and therefore the boxes break copyright law.

However, it is unlikely that the current legislation will be able to tackle casual offenders, and it will remain focused only on the most serious cases.

Biometrics Commissioner calls for a clear policy on facial custody images

The Commissioner for the Retention and Use of Biometric Material, Paul Wiles, published his yearly report. In the report, the Commissioner outlined future biometric challenges.

Wiles identified the collection and storing of facial custody images as one of the most serious issues for the future. He emphasised the need to consider technical quality, management, interpretation, and governance and criticised the lack of independent oversight. The Commissioner called for a clear policy to correct this situation.

In the Government’s response (pdf), the Minister for Countering Extremism, Baroness Williams of Trafford, said that there should be a presumption that police will remove the custody image from their database unless there is an exceptional reason for it to be retained. The Minister said that this strikes a reasonable balance between privacy and public protection.

The Commissioner also notes that the private sector has been increasingly using biometrics to develop big data and that it is possible for the government to do so as well. The Government’s response indicated that they will push a Biometrics strategy that will address these issues.

International developments

New iPhone X to use facial recognition

Apple announced this week the release of new iPhone models. The iPhone X will contain the Face ID feature, which will use face recognition to give users access to their phones. The new feature will replace the fingerprint identification and will complement passcodes.

The new technology raised several security concerns regarding the coerced scanning of users’ facial features. Apple employed several security measures, for example not allowing access to the phone if the user’s eyes are closed. However, in various circumstances, users could still be forced to have their faces scanned.

This feature can also prove troublesome for iPhone users when police want to gain access to the device. The law is likely to treat biometric information differently to passcodes, and users might easily be ordered to unlock their phone with a facial scan. You can read more about the legal status of facial ID scans in the US here.

Questions in the UK Parliament

Question on electronic surveillance

Lyn Brown MP asked the Secretary of State for the Home Department to make an assessment of the potential merits of wider use of equipment interference warrants in conjunction with notices requiring technology companies to maintain a capacity to provide access to individual devices, as an alternative to placing requirements on the companies to decrypt messages sent using their communications software.

Ben Wallace MP responded that the Government will commence the provisions of the Investigatory Powers Act 2016 concerning technical capability notices in due course and will bring forward regulations, on which it has already held a targeted consultation with relevant bodies.

Question on pornography

Chi Onwurah MP asked the Secretary of State for Digital, Culture, Media and Sport, what representations she has received on the implementation processes for age verification for online pornography; and how that data is stored and shared.

Matthew Hancock MP responded that the department is in discussion with the British Board of Film Classification as the intended age verification regulator, and those who will be involved in the regulatory framework, such as age verification providers. The Secretary of State Guidance to the Regulator will be laid in Parliament later this year.

Question on CCTV

Layla Moran MP asked the Secretary of State for the Home Department, what assessment has been made of the effectiveness of current legislation regulating the use of CCTV cameras with facial recognition and biometric tracking capabilities.

Nick Hurd MP responded that there is no legislation regulating the use of CCTV cameras with facial recognition and biometric tracking capabilities. However, the Surveillance Camera Code of Practice requires any police use of facial recognition or other biometric characteristic recognition systems to be clearly justified and proportionate in meeting the stated purpose.

Question on facial recognition

Edward Davey MP asked the Secretary of State for the Home Department, which independent oversight mechanism is responsible for overseeing the police's use of automated facial recognition technology.

Nick Hurd MP responded that the Surveillance Camera Code of Practice requires any police use of facial recognition or biometric recognition systems, in general, to be clearly justified and proportionate. The retention of facial images by the police is governed by data protection legislation and by Authorised Professional Practice governed by the College of Policing.

Question on the NHS hack

Jon Trickett MP asked the Secretary of State for Health, what changes have been made to the NHS' cyber security following the cyber attack in May 2017.

Jackie Doyle-Price MP responded that the Department developed an immediate response plan. The document Your Data: Better Security, Better Choice, Better Care accepts the 10 Data Security Standards proposed by Dame Fiona Caldicott, the National Data Guardian, and sets out the timescales for how the Government plans to deliver key actions on cyber security and data sharing.

Question on cybercrime

Jon Trickett MP asked the Minister for the Cabinet Office, what the target figure is for the objective relating to the number of online products and services coming into use being secure by default by 2021.

Caroline Nokes MP responded that there is no target figure due to the magnitude of online products and services.

ORG media coverage

See ORG Press Coverage for full details.
