This is ORG's Policy Update for the week beginning 26/06/2017.

ORG’s work

Our newly appointed Scotland Director Matthew Rice has been setting up meetings with local groups across Scotland.

Official meetings

Jim Killock attended a meeting on 27 June with Google policy staff to discuss future legislation.

Jim Killock attended an EDRi Network meeting and discussed the future makeup and rules for the EDRi board.

Javier Ruiz participated in a workshop organised by Involve, Carnegie Trust and Understanding Patient Data on Better use of Data: Balancing Privacy and Public Benefit.

Javier Ruiz participated in a Symposium on Managing Risk in the Digital Society in Barcelona, speaking about ethics and compliance in data protection, as part of our EU-funded work in the VIRT-EU project.

Jim Killock met with policy staff from Oath on 30 June to discuss future legislation.

Parliament

Queen’s Speech

Following the General Election 2017 results and Theresa May’s attempt to form a government, the Queen delivered her speech to both Houses of Parliament on 21 June.

The Conservative Government appears to have dropped several pre-election manifesto commitments, including the introduction of compulsory sex and relationship education in schools. In her speech, the Queen referred to the Government’s plans in three areas that will have an impact on digital rights: the Digital Charter, the Data Protection Bill, and the Counter-terrorism Review and Commission for Countering Extremism. The latest blog by Jim Killock offers a brief analysis.

Digital Charter

The Queen said that

“proposals for a new digital charter will be brought forward to ensure that the United Kingdom is the safest place to be online.”

This directly follows promises made in the Conservative manifesto.

“A Conservative government will develop a digital charter, working with industry and charities to establish a new framework that balances freedom with protection for users, and offers opportunities alongside obligations for businesses and platforms. This charter has two fundamental aims: that we will make Britain the best place to start and run a digital business; and that we will make Britain the safest place in the world to be online.”

The speech made it clear that this is a charter, not a bill, which suggests that this might be a voluntary framework. However, to ensure that free speech is not just placed in the hands of private companies, the Charter should be backed up by a regulatory framework including independent or judicial oversight of material. Relying solely on enforcement by private companies brings issues of accountability. It is unclear who would be responsible for the rules on making the Internet safe and what, if any, ways of appeal would be available.

This Government continues in its efforts to “regulate the online world in the same way the offline world is regulated”, a claim which does not, however, recognise that most of the changes they want would be dealt with by police and courts rather than private companies in the offline world. They aim to tackle harmful behaviours and harmful content online (extremist, abusive or harmful to children), and they plan to compel technology companies to do more to protect their users and improve safety online. Such an approach could make online rights weaker than offline rights, and subject to commercial rather than public concerns, in contrast to their demand to treat both online and offline in the same way.

The Government recognises that these challenges can be international in their nature and they intend to work with other “like-minded democracies to develop a shared approach”.

Theresa May’s meeting with the French Prime Minister last week to discuss a joint campaign to tackle online radicalisation would suggest that this strategy is already under way. Their plans involve creating a new legal liability for tech companies if they fail to remove content. Just this week, Germany passed a law that would allow it to fine social media companies with more than 2 million users if they fail to remove hate speech or other criminal material within 24 hours. The fines can go up to 50 million EUR.

The Queen’s Speech and Background Notes accompanying it did not provide enough detail to assess potential harms of this policy. However, enforcement powers in the hands of private companies are highly problematic.

Counter-terrorism Review

“The government’s counter-terrorism strategy will be reviewed to ensure that the police and security services have all the powers they need and that the length of custodial sentences for terrorism-related offences are sufficient to keep the population safe.”

The notes on the speech detail that the review will cover:

counter-terrorism powers and other powers the Government can use to fight terrorism;

sentences for those convicted of terror offences;

working with online companies to reduce and restrict the availability of extremist material online.

The Conservative Party included similar but more extensive demands on online companies in their manifesto. Both Google and Facebook have already issued statements explaining how they intend to tackle online extremism.

Commission for Countering Extremism

“A commission for countering extremism will be established to support the Government in stamping out extremist ideology in all its forms, both across society and on the internet, so it is denied a safe space to spread.”

The Commission will:

Identify examples of extremism and expose them;

Help the Government to identify new policies to tackle extremism;

Support the public sector and civil society in promoting and defending pluralistic values across all our communities.

The Commission’s work is likely to include online extremism. This policy appears to be an attempt to generate new ideas for countering extremism. In order to be successful, the Commission will have to act impartially and ensure that fundamental rights are respected in all of its future policy suggestions.

The Government did not make it clear whether the Commission for Countering Extremism is a short-term "policy commission" or a long-term body with permanent duties.

Data protection

“A new law will ensure that the United Kingdom retains its world-class regime protecting personal data.”

The Data Protection Bill will replace the Data Protection Act 1998. The DPA is being superseded by the EU General Data Protection Regulation, which is coming into force in May 2018.

At the moment, it is not clear whether the text of the GDPR will be brought into this Bill, or whether the Bill will supplement it.

The main benefits and elements specified in the QS background notes suggest that the Bill will implement some of the derogations in the GDPR and will include new rules for law enforcement agencies. The latter rules come from the EU Directive on the protection of natural persons with regard to the processing of personal data by authorities.

Privacy groups, including ORG, are asking the government to implement the optional right in the GDPR for organisations to bring collective complaints on data protection without the need for affected individuals to instruct them.

Other national developments

Tech companies establish the Global Internet Forum to Counter Terrorism

Facebook, Twitter, Microsoft and YouTube announced the formation of the Global Internet Forum to Counter Terrorism this week.

The aim is to formalise and structure areas of collaboration between the four companies, smaller tech companies, civil society groups, academics and supra-national bodies (the European Union and United Nations).

The companies are going to cooperate on developing new technological solutions to detect online content that needs to be removed, and on research and knowledge sharing.

Jim Killock discussed in a blog whether tech companies can do more to eradicate safe spaces online. You can read his take on the problems they face here.

Bulk data sharing by spy agencies was never reviewed by commissioners

Privacy International brought a case against bulk collection of data carried out by GCHQ and MI5 in October 2016. The Investigatory Powers Tribunal ruled that several of these activities had been unlawful.

A follow-up hearing earlier this June revealed that there has never been a formal audit of information sharing. The lack of oversight became apparent from the letter authored by the Interception of Communications Commissioner’s Office and the Intelligence Services Commissioner. Their letter is a response to a request from Privacy International who asked for more information on the auditing of bulk communications and personal data.

The letter states that

"Neither commissioner with responsibility for the intelligence agencies, nor their inspectors, has ever conducted a formal inspection or audit of industry in this regard."

The Investigatory Powers Tribunal was also to consider the proportionality of the level of communication interference and the impact of EU law on mass data collection. The case has not concluded and will likely see more hearings.

Scotland

Scottish Parliament

Debate on cybersex trafficking

The Scottish Parliament debated the issue of live online streaming of sexual abuse of children. During the debate, MSPs commended the efforts of the International Justice Mission in highlighting child slavery and exploitation overseas and the Internet Watch Foundation for their work on taking down websites.

Finlay Carson (Conservative) suggested during the debate that the Scottish Parliament should consider more carefully “how privacy and encryption methods are now used and can make it more difficult for the perpetrators to be caught”.

Carson said that

“When Governments suggest that there should be more access to people’s internet logs, there is often an outcry about breaching human rights. Perhaps, in demanding human rights, we are abusing the rights of children who get abused.”

Responding to his comments, Stewart Stevenson (SNP) said that

“the […] unfortunate truth, however, is that that would simply not work. If someone encrypts what is going through, we do not know what is in the encrypted package. Yet encryption is an important part of protecting certain kinds of data on the internet, so we cannot ban it on the internet. That is simply not possible.”

Instead, Stevenson suggested using the “follow the money” approach to cut these websites off from their cash flow and make it impossible for them to carry out their activities.

Europe

European Commission’s new legislation would allow police access to tech firms’ data

The European Commission plans to propose new legislation that would allow EU police and law enforcement agencies to obtain electronic evidence from US companies.

The plans are the Commission’s response to the recent terrorist attacks across EU countries. The EU Justice Commissioner Vera Jourova introduced three options:

police/law enforcement agency in one EU state could directly ask a firm in another member state for data without consulting the state first

tech firms would be forced to share data with any force in any of the Member States

police and law enforcement would gain direct access to servers (e.g. cloud servers) and they would be able to retrieve and copy data themselves

The states are supposed to discuss what types of data would fall within the scope of the new legislation at a later stage. These could include location, traffic data or personal communications.

The suggested plans have not involved a judicial process for obtaining the data. A judicial process for data acquisition is crucial to ensure that law enforcement requests are necessary and proportionate.

The official documentation has not been published yet. The Commission is expected to present policy options at the end of 2017 or early 2018.

LIBE's draft report on e-Privacy Regulation asks to prohibit removal of encryption

Marju Lauristin, rapporteur for the European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE), presented a draft report on the e-Privacy Regulation to the European Parliament on 21 June.

The e-Privacy Regulation will regulate electronic communications services, including instant messaging services, web-based email and IoT devices. The legislation is to supplement the General Data Protection Regulation, providing a similar type of protection to individuals.

In her report, Lauristin introduced several amendments that would have positive impacts on privacy protections for individuals.

1. The report offers strong support for end-to-end encryption and do-not-track technology.

It clearly states that

“when encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited.”

2. The draft report widened the scope of the application of the legislation to machine-to-machine communications.

3. Lauristin amended the regulation to further limit the legal grounds to process communications’ content and metadata. The original proposals merely required the consent of one of the participants; the amendment requires both parties in the electronic communication to consent to allow data processing.

4. The report does not allow consent to tracking to be made a prerequisite for using a service. A user should still be able to use a service even if they decline to have their communications tracked.

5. The amendments make clear that tracking users’ location or collecting information emitted through their wifi needs prior consent.

6. The draft extends the maximum fines threshold to up to 20 million EUR or four percent of the company’s global turnover for violations of tracking rules for information stored on a user’s device and information emitted by a device.

7. The report allows not-for-profit organisations to make complaints on behalf of users.

The draft report will be subject to a vote in the European Parliament (most likely) in Autumn 2017. If adopted, the different versions of the report will then be discussed between the Parliament, Council and Commission.

The draft report clashes with the proposals of the European Commission articulated earlier by Vera Jourova, who revealed three possible ways in which law enforcement could compel tech companies to afford them access to users’ communications and potentially prohibit encryption.

International developments

UN Privacy Rapporteur calls for tackling of Internet regulation and censorship

The UN Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, David Kaye, demanded in his latest report that governments and companies tackle major threats of deliberate shutdowns of Internet access, censorship and data collection.

The report found that telecommunication companies and Internet service providers are increasingly becoming the essential players in monitoring expression online and enforcement of its suppression.

The report made recommendations for states and companies. The recommendations for states include:

independent assessments of interferences with privacy - the rapporteur suggests that at a minimum, states should ensure that surveillance is authorised by an independent judicial body and its scope is proportional and necessary;

review of all state activities to obtain network access - the report recommends states review these activities in order to assess if they are lawful, necessary and proportionate;

state prohibition of prioritising certain types of Internet content for payment or commercial benefits - states should not be promoting the economic gain of private companies over users’ rights and freedom of expression.

The Rapporteur recommended that private companies strengthen their role in advancing users’ rights and freedom of expression. The report further suggests that when states request corporate involvement in censorship or surveillance, companies should attempt to prevent the adverse human rights impacts of their involvement as far as it is allowed by law.

The report was made to the UN Human Rights Council in Geneva. The human rights chief Zeid Ra’ad al-Hussein criticised Theresa May this week for her response to the recent terror attacks in Manchester and London.

UK Parliament Questions

Question on content creators

Tom Watson MP asked the Secretary of State for Business, Energy and Industrial Strategy, if he will ensure content creators are paid for the content they make available online.

Jo Johnson MP responded that the Government is currently working on these issues as part of the EU Digital Single Market strategy. Johnson said that the Government will continue to ensure there is a system for protection of intellectual property once the UK has left the EU.

Question on online sources of extremist propaganda

Lord Naseby asked the Government what measures they are taking to combat terrorist and extremist propaganda on social media and other online sources.

Baroness Williams of Trafford responded that they continue their cooperation with tech companies. She further said that they support the use of strong encryption but they want to ensure that law enforcement and the security and intelligence agencies are able to access the communications of criminals.

Question on online content removal

Nigel Huddleston MP asked the Prime Minister during her statement on the European Council, whether the Government would be willing to enact legislation if internet companies do not make sufficient progress with the removal of inappropriate content.

Theresa May MP responded that the Government is certainly willing to consider legislation. She stressed that she believes that the international pressure and cooperation will pressure the tech companies to do it themselves.

Question on the NHS hack

Jon Ashworth MP asked the Secretary of State for Health:

how sensitive data is protected in the NHS,

what steps the Department has taken to improve cyber-security in the NHS following the cyber attack on 12 May 2017,

what was the total cost of emergency measures put in place to address the attack,

how many similar incidents there have been since 2010, and

how many incidents there have been where patients’ data has been accessed or compromised and patient care has been interrupted.

Jackie Doyle-Price MP responded that the Department changed the NHS contract to include cyber security measures from April 2017. She noted that the use of unsupported systems is being reduced.

Doyle-Price said that the Chief Information Officer for health and care is undertaking a review into the attack and is expected to conclude in autumn 2017.

The cost of emergency measures to respond to the attack amounts to £180,000. The Department refused to comment more widely on security matters.

Question on technical capability notices and encryption

Lyn Brown MP asked the Home Secretary if she intends to activate Section 253 of the Investigatory Powers Act 2016 regarding messaging services providing end-to-end encryption.

Ben Wallace MP responded that the Government will commence the Technical Capability Notice provision in due course. They will bring forward regulations setting out obligations which can be imposed on telecommunications and postal operators. The secondary regulations will be subject to debate and a vote in both Houses of Parliament before they come into effect.

The Government refused to comment on which companies are going to be subject to these obligations.

Question on counter-terrorism review

Dan Jarvis MP asked the Home Secretary, what the timescale will be for the review of the Government’s counter-terrorism strategy.

Ben Wallace MP did not include any reference to the timescale in his response. Instead, he specified that MI5 and the police are conducting an internal review into the recent attacks in Manchester and London. David Anderson QC will provide assurance of the MI5 and police review.

ORG media coverage

See ORG Press Coverage for full details.
