How Long Until Privacy Prevails?

About The Author

Chris Bridges (Executive Editor)

Chris is an IT and Data Protection solicitor at a top 20 full service firm and the founder of Keep Calm Talk Law. He also contributes to Computers and Law and other sector specific publications.

To many “privacy enthusiasts”, myself included, proper privacy protection has been a long time coming, and the constant privacy issues seen in the press in recent years, and indeed recent weeks, only accelerate this sentiment and pass it on to others.

Whether questions over the availability of NHS ‘anonymised’ health information, the right to be forgotten, or most recently the hack of Apple’s iCloud server, resulting in the dissemination of nude photos of celebrities, privacy is certainly hitting the headlines, but rather irritatingly, coverage evaporates, and the chance of progress being made evaporates with it.

Disappointingly, and rather disconcertingly, it is not an issue many people seem to care about unless it is screamed in their faces by the tabloids and six o’clock news. For those of us that do not have nude photos to be found (or if you do, there is no reason anyone would be interested), there can be an illusion of distance from privacy issues; many people simply are not aware of the implications poor privacy control can have on every single one of us.

Unfortunately, as we all know too well, governments (the current, or any other), tend to put legislative plans on a back burner unless there is political capital involved, particularly in the run up to a general election, which always feels six months at most after the preceding election. This creates somewhat of a vicious circle in instances such as this; citizens are not aware of the need for proper privacy protection, and because of this, the government of the day fail to legislate to protect the people.

Often, this is where the common law shines. Unfortunately, it is very rare for some of the key issues surrounding privacy to come before a court, most likely due to the lack of awareness, or for those that are aware, the lack of funds to pursue legal proceedings.

That said, every now and then, someone does bring such an issue before the courts, as we saw in Vidal-Hall & Ors v Google Inc earlier this year, where the judge swung his sword in defence of privacy where Google’s anonymised advert tracking was pulled into question. (See my article “Google to get a slap on the wrist for ‘stalking adverts’?” for further detail on this). However, this is a rare occurrence.

What the privacy movement needs is a champion, a figurehead to lead the charge, someone who has enough influence to get something done.

Well, this may have just happened for privacy, with Lord Neuberger, President of the UK Supreme Court, recently speaking out about the need for privacy law reform given the day and age we live in. Data transfer speeds are faster than we could have ever imagined a decade ago, the internet is ‘growing’ exponentially, and with it, the availability of private information outside UK jurisdiction. It is not just the means of sharing data that has come on leaps and bounds, but also the ease of recording conversations, often clandestinely, Neuberger notes in his speech to the Hong Kong Foreign Correspondents’ Club. Could my favourite judge be the William Wallace of the privacy movement?

Alas, as much as I admire the man, I do not really believe he can be privacy’s William Wallace; he does not have the political heavyweight to get something done in Westminster, nor the [physical] battle skills or war cry of Mel Gibson in Braveheart. That said, I still believe he can help, but others must join him. He raises some interesting, albeit brief points, that many of us have been thinking for a while, but he holds enough influence to encourage practising lawyers and their aspiring counterparts to support privacy, and in turn, that may just help.

What Issues Might Privacy Legislation Cover?

Unfortunately, Lord Neuberger did not go into much detail at all on what he would like to see in any future privacy law, therefore, based on my own thoughts and opinions, I have made a few guesses at a few of the key things he might like to see, and explained why they are important.

Explicit opt-in for the sharing of data, including anonymised data

All too many people are guilty of checking ‘I agree to the terms and conditions and privacy policy and have read these in full’ without actually reading them. Congratulations, you may have just sold your soul. Maybe not quite, but without reading them, how do you know where your data is going?

Ever wonder how cold-callers get your number, how email spammers get your email (although when feeling lethargic, these can be very entertaining to read through), or how you receive marketing mail addressed specifically to you, from an organisation you have never contacted or even heard of? Enough said. Whilst not all websites that use such a line are guilty of such practices, how do you know without reading? Keep Calm Talk Law uses such a line, but due to my views on privacy, we do not share any data whatsoever, nor do we use third party software or services to manage our contact or subscription databases.

Why anonymised data also? Because it is not as anonymous as you think. Through automated processes, it is possible to piece together several distinct sets of information (i.e. sold anonymised database records) to form a full profile. This is achieved by matching two or more (more becomes more reliable) pieces of information that are common to both sets of data. This is known as data dredging, data snooping, or data fishing, and is a form of data mining.

If you know anything about SQL, you will know how simple this is. For those that do not, the below is a typical SQL query, and is relatively easy to follow with common sense. (SQL is essentially a language that speaks to databases and extracts records based on matched criteria; it is the foundation of most database applications.)

-- Pair each NHS record with each website record that shares all three fields
SELECT * FROM nhs_data n JOIN website_data w ON n.date_of_birth = w.date_of_birth AND n.gender = w.gender AND n.post_code = w.post_code

This is a very basic SQL query, but demonstrates the point nicely. Our data dredger here has two databases. The anonymised NHS patient data is in nhs_data, which according to the NHS website contains “Your date of birth, full postcode, NHS Number and gender” as well as health data. The second database has been obtained from a website that has sold anonymised data: your date of birth, gender, postcode and email address. The website owner has left out your name so you are anonymised. The first three pieces appear to be for profiling, so they can send marketing emails that will appeal to someone of your age, gender and in a certain area.

The above query will return all the results where those three pieces of information match between the databases. Chances are, there is only one person with your postcode, date of birth and gender. The more pieces of information that can be correlated, the more likely it is to be accurate. However, as a rule, these three pieces of information will often produce a single match. The data dredger can now link your health data to your email address, and for simplicity puts this into a new database (‘my_evil_plan’). If the dredger had another database (‘marketing_data’) with your name, email and postal address, all it takes to match your name and address to health records is:

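-- Attach name and postal address to the health data via the shared email address
SELECT p.private_health_data, m.address, m.full_name FROM my_evil_plan p JOIN marketing_data m ON p.email = m.email WHERE p.email = 'me@me.com'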

The NHS thinks it is doing a good deed for research. The website just thought it was selling marketing data. They both thought they were keeping the data subject safe, but instead they have just sold out their patient and customer respectively. This is just one very simple application of how a data dredger might exploit several databases to get some very personal information. I am sure you can think of many other things they might be able to discover with different databases.
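The same three-field match can be run by a data controller before anything is released, to see how many records it would single out. The following is an added example, not code from the original article: it uses Python's built-in sqlite3 with constructed rows, the article's table and column names, and hypothetical helper names and a hypothetical nhs_release table. It goes slightly beyond the article's queries by also withholding any record whose combination of the three fields is shared by fewer than k people.

```python
import sqlite3

# Quasi-identifiers: the three fields the article's join matches on.
QI = "date_of_birth, gender, post_code"
TABLES = {"nhs_data", "nhs_release"}  # allow-list: table names are interpolated below

def build_demo_db():
    """Constructed sample rows; table/column names follow the article's queries."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE nhs_data (date_of_birth, gender, post_code, private_health_data);
        CREATE TABLE website_data (date_of_birth, gender, post_code, email);
    """)
    db.executemany("INSERT INTO nhs_data VALUES (?,?,?,?)", [
        ("1980-01-15", "F", "AB1 2CD", "condition A"),
        ("1980-01-15", "F", "AB1 2CD", "condition B"),  # same three fields as above
        ("1975-06-30", "M", "AB1 2CD", "condition C"),  # unique combination
        ("1992-11-02", "F", "EF3 4GH", "condition D"),  # unique combination
    ])
    db.executemany("INSERT INTO website_data VALUES (?,?,?,?)", [
        ("1975-06-30", "M", "AB1 2CD", "user1@example.com"),
        ("1980-01-15", "F", "AB1 2CD", "user2@example.com"),
        ("2001-03-09", "M", "IJ5 6KL", "user3@example.com"),
    ])
    return db

def smallest_group(db, table):
    """Size of the smallest set of records sharing all three fields (the 'k')."""
    if table not in TABLES: raise ValueError(table)
    sql = f"SELECT MIN(n) FROM (SELECT COUNT(*) AS n FROM {table} GROUP BY {QI})"
    return db.execute(sql).fetchone()[0]

def unambiguous_links(db, table):
    """Emails that the three-field join ties to exactly one health record."""
    if table not in TABLES: raise ValueError(table)
    sql = f"""SELECT w.email FROM website_data w JOIN {table} n
              ON n.date_of_birth = w.date_of_birth
             AND n.gender = w.gender AND n.post_code = w.post_code
              GROUP BY w.email HAVING COUNT(*) = 1 ORDER BY w.email"""
    return [row[0] for row in db.execute(sql)]

def make_release(db, k):
    """Build nhs_release from records whose three-field combination occurs >= k times."""
    db.execute("DROP TABLE IF EXISTS nhs_release")
    db.execute("CREATE TABLE nhs_release AS SELECT * FROM nhs_data WHERE 0")
    db.execute(f"""INSERT INTO nhs_release SELECT * FROM nhs_data
                   WHERE ({QI}) IN (SELECT {QI} FROM nhs_data
                                    GROUP BY {QI} HAVING COUNT(*) >= ?)""", (k,))
```

A group of two only makes the link ambiguous; if both records in the group carried the same health value, the match would still disclose it, so the group size is a floor rather than a guarantee.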

Okay, so people are free to let others do what they want with their data, and you might blame the consumer for not reading the privacy statement of the websites they visit. Nevertheless, let us be honest, who reads every single one? Is it fair to blame the victim here? (See Paul Bernal’s recent blog post on the problems with victim-blaming).

By requiring an explicit opt-in to data sharing, and preferably a statement of the risks along with this, we can combat the true culprits relying on data subjects’ and data controllers’ ignorance.

Legislation at a European level, and international privacy treaties

Lord Neuberger made particular reference to the rise of technology in his speech, namely “the ease with which information can be transmitted and received across the world”. He implies that due to technological advances, privacy law is becoming increasingly hard to enforce, and if unenforced he states ‘It undermines the rule of law’.

The internet unfortunately does not have boundaries. Services such as Twitter make the dissemination of information extremely fast, and consequently extremely hard to prevent, or punish after the fact. Furthermore, as Twitter is a US company, it has previously been able to dodge the argument that they should not host tweets contravening super injunctions. The only way to truly enforce UK privacy law abroad at the present time would be to impose restrictions on browsing within the UK, an idea that we as a nation are quick to condemn others for (e.g. Iran, Turkey, China).

Whilst little can be done to stop Tweeters tweeting, there may well be a solution to tackle the issue of foreign companies hosting material that infringes UK privacy law. If the EU were to legislate for European wide privacy enforcement, we as a country would have protection across Europe. Due to necessity, this is one of the few areas in which I would like Europe to take a more proactive role. Whilst this would not cover the world, it is better than nothing. If we were to include the US by means of treaty, this would be much more powerful, namely due to the USA’s extra-territorial enforcement powers against American companies hosting material abroad (although, these powers in other contexts are undoubtedly a bad thing).

Of course, this is all easier said than done. At a European level, concessions would undoubtedly have to be made where countries could not agree on the level of protection required, never mind the enforcement options. This is not to say it is impossible, with similar steps being taken in the intellectual property sphere with the Unified Patent Court and the Community Trade Mark.

Again, negotiating a treaty with the US may be difficult, but is not impossible. Much wider international co-operation is also in play for copyright, with initiatives such as the Berne Convention extending across Europe, Russia and the USA. That said, things might be a little more controversial when it comes to dealing with privacy with the US, with its poor reputation hangover resulting from the Snowden leaks.

However, what form an international agreement might take is a separate topic entirely. The fact of the matter is: international protection is needed.

Stronger server security requirements

Some leaks of private data, as we have recently seen with the iCloud incident and the eBay hack earlier this year, result from poor security on the servers on which data is kept. Unfortunately, as both of these companies are based in the US, these incidents fall outside UK jurisdiction, but they provide a good example of private information being leaked due to negligent data controllers.

In the UK, data controllers are required to abide by a number of data protection principles, which are found in Schedule 1 Part 1 of the Data Protection Act 1998. The seventh principle reads ‘[a]ppropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

Unfortunately, this is quite fluffy. What exactly are appropriate technical and organisational measures? Whilst this flexibility allows for greater protection over more sensitive data, it does not provide universal protection.

Private information is valuable information. So why does it not receive proper IT protection through regulatory requirements? Companies that process or store credit card details must satisfy some rigorous audits on their IT infrastructure to do so, and I propose similar requirements should be imposed on data controllers. (For more on credit card processing requirements and audit, see the PCI website).

Whilst this may appear unfair on the small everyday data controller, such a scheme could be tiered, as with PCI, dependent on the amount of data you process or store on behalf of your customers. Furthermore, the storage of private information could be outsourced to specialist data storage companies, which would be required to have the highest level of accreditation, and be subject to the highest standards in audit.

It is not too onerous to require this of the private sector. The principles of privacy need to be given the recognition they deserve.

To Conclude

This article only intends to provide a brief overview of a few of the key issues surrounding privacy; there are many more which are equally important. It is vital that people start to recognise the importance of privacy, so we might then get the reform that is needed. We are living in a digital age, the age of big data. According to IBM, we create 2.5 quintillion bytes of data every day, and 90% of the data in the world was created in the last two years. This is staggering, and quite frankly scary.

This is not meaningless data. It should not be squandered. It is your identity. Share, spread the word, do your little bit for privacy.
