Changes to UK Data Protection Regime

The UK's Data (Use and Access) Act 2025 (DUA) has been passed, though much of it is yet to take effect. There are some important tweaks to the UK's data protection laws (Data Protection Act 2018/UK GDPR and cookies regulation (PECR)). Firms will need to reconsider their privacy policies relating to research, (direct) marketing, cookies and AI in particular. There are now the same potential fines for cookie violations as for UK GDPR breaches - note that the Information Commissioner seems to care more about cookies and automatically scans for non-compliance. If you need legal advice on any of this, please let me know.

A New Framework For Transferring Personal Data From the EU to the US

My piece for Ogier Leman on this is available here.

From 1 January 2021, any EEA-based organisation wishing to transfer personal data from the EEA to any non-EEA country will need to be able to show that the processing will receive the same protection as under EU's General Data Protection Regulation (GDPR). Many firms might consider this to be impracticable from a cost and administration standpoint, particularly in light of certain new recommendations on which the EU data protection authorities are now consulting. These are briefly explained below. This will affect "thousands" of firms and could prove severely disruptive for cross-border services ranging from payroll and benefits, to e-commerce marketplaces to social media services. If you need assistance in Ireland/EEA please let us know.

Options for transferring personal data from the EEA  

An EEA-based business can only transfer personal data to a non-EEA country, if one of three situations apply: 

1. the European Commission has ruled that country's personal data protection laws to be ‘adequate’;
2. there are appropriate safeguards or 'transfer tools' in place to protect the rights of data subjects (including 'Standard Contractual Clauses'); or
3. certain 'derogations' or exemptions apply to allow the processing as of right.  

No adequacy decision for the UK in the near term

Like the US, the UK as a key example of a non-EEA country without an adequacy finding. For many reasons it is best to assume there will not be an EU adequacy decision relating to the UK’s data protection regime by 1 January 2021, as that process is long and complex, and there are some features of the UK regime which present significant problems, including: 

• the UK’s use of mass surveillance techniques;
• intelligence sharing with other countries such as the US;
• the questionable validity of the UK immigration control exemption;
• the lack of a ‘fundamental right’ to data protection under UK law; 
• UK adequacy findings for other countries’ personal data regimes that the EU does not deem adequate; and 
• the potential for future divergence from EU data protection standards if the UK GDPR is further modified post Brexit. 

The Problem with Standard Contractual Clauses

As a result of the decision of the European Court of Justice in the case against Facebook (‘Schrems II’), a data exporter relying on Standard Contractual Clauses (or other contractual 'transfer tools') must first verify that the law of the third country ensures a level of protection for personal data that is equivalent to GDPR. If that level is considered sub-standard, the data exporter may be able to use certain measures to plug the gaps, but this process would need to be carefully documented and is the subject of the main recommendations from the European data protection authorities, discussed below.  

The extent to which you can usefully rely on the derogations, either before considering the other appropriate safeguards or 'transfer tools', or if those other options are not available, is also somewhat doubtful, as I will explain.

Assessing whether personal data transfers outside the EEA are appropriate 

To help data exporters evaluate whether the use of transfer tools will be appropriate, the forum of all the EEA data protection authorities (the European Data Protection Board or 'EDPB'), is now consulting on recommendations for: 

• measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data; and
• certain European Essential Guarantees for evaluating surveillance measures. 

The EDPB's first set of recommendations contain steps outlined below. The European Essential Guarantees enable data exporters to determine if the rights for public authorities to access personal data for surveillance purposes can be regarded as a justifiable interference with the rights to privacy and the protection of personal data. Basically:

A. Processing should be based on clear, precise and accessible rules;

B. Necessity and proportionality with regard to the legitimate objectives pursued need to  be demonstrated;

C. An independent oversight mechanism should exist;

D. Effective remedies need to be available to the individual.

The steps involved in assessing the appropriateness of transfer tools must be documented. These involve:

• mapping the proposed transfers;
• choosing the basis for transfer (adequacy decision, 'transfer tool' or derogation);
• unless an adequacy decision has been made by the EU, working with the data importer to assess whether the law or practice of the third country may impinge on  the  effectiveness  of  the  appropriate  safeguards  of the  transfer tools you are relying  on,  in  the context  of  your  specific  transfer (legislation, especially where ambiguous or not  publicly  available; and/or certain reputable third party findings such as those in Annex 3),  and not rely  on  subjective factors such as the perceived likelihood of public authorities’ access to your data in a manner not in line with EU standards;
• considering whether any supplementary tools might avoid any problems with the third country's laws (various use-cases and suggested tools are explained in the Annex 2 to the recommendations);
• taking any formal steps to implement the relevant tool;
• re-evaluate the assessment periodically or on certain triggers, such as changes in the law (which you should also oblige the data importer to keep you informed about).

Data exporters must thoroughly record their assessment process in the context of the transfer, the third country law and the transfer tool on which they propose to rely. But it may not be possible to implement sufficient supplementary measures in every case, meaning the transfer must not proceed. As the Commission points out, there are "no quick fixes, nor a one-size-fits-all solution for all transfers." 

 

The problem with relying on 'derogations' 

The EDPB's first set of recommendations state (at para 27) that "If your transfer can neither be legally based on an adequacy decision, nor on an Article 49 derogation, you need to continue with... ” assessing whether the proposed transfer tool is effective. However, that order of approach is not consistent with Article 49, which provides that:

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

 

(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; 

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

...

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued. 

 

In addition, the EDPB's own guidance on article 49 itself points out (on pages 3-4) that: 

“Article 44 requires all provisions in Chapter V to be applied in such a way as to ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined. This also implies that recourse to the derogations of Article 49 should never lead to a situation where fundamental rights might be breached…Hence, data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 [adequacy] and 46 [transfer tools] GDPR, and only in their absence use the derogations provided in Article 49 (1)” [but even then the use of the derogations would imply the need for an assessment of the third country’s personal data protection regime by virtue of article 44].

[explore?]

Accordingly, there seems to be no alternative to running through the steps to assess whether the relevant 'transfer tools' will work (with or without supplementary measures) in the context of the transfer and the third country's law. Yet, as we've seen, many firms will likely find that process impracticable from a cost and administration standpoint, so transferring the personal data out of the EEA will not be an option.

 

#PSD2: An Account Information Service Is Not Really A Payment Service

There are good reasons why an "account information service" (AIS) became a regulated "payment service" under the not-so-new Payment Services Directive (PSD2). Chief among them was retail banks' decades-long refusal to allow retailers and other unregulated service providers access to the data in their antiquated systems at all, let alone seamlessly via 21st century "application programming interfaces" (APIs) that are now commonplace. Resolving those concerns sparked formal registration and other complex regulatory and technical requirements on service providers wishing to enable the sharing of payment data (AISPs), including a lot of unfortunately necessary detail in the Directive about customer authentication and information security. Yet years after PSD2 was set in stone confusion still reigns over exactly what an AIS actually is or is not, both as defined in local payments regulation implementing PSD2 and how such services work commercially - especially because an AIS rarely stands alone...

The FCA is doing its best to clarify the regulatory scope of an AIS, including confusion about who might be the AISP, when a firm would require formal registration as an agent and how to benefit from the exclusion for 'technical service providers' (see Q25A of its Perimeter Guidance on payment services). But those issues are merely the tip of the iceberg.

The major problem is that an AIS is primarily a data service (and one which involves personal data at that). This means an AIS attracts the need for several sets of regulatory consents and specific information to be included in customer contracts, as well as the typical series of contractual licences to receive and use the data itself. 

The challenge to getting all this right is that it's rare for payments regulatory specialists to know very much about data licences, or for lawyers who specialise in data licensing to know anything about PSD2. It still feels strange to me to have spent a career on both sides of that divide - veering from financial information service licensing at Reuters, to e-commerce specialist at DLA, to payments specialist at Earthport, to P2P lending at Zopa (which involved licensing of user-generated content and market data) and back to payments at Amazon and WorldPay. And even though I've also continued to advise private clients on all types of services since 2005, there's still very much a sense of 'switching hats' when working through the various issues. 

So what are they?

Regulatory requirements for an AIS

From a regulatory standpoint the multiple sets of rights needed to supply an AIS include:  

• explicit consent from the customer for the supply of the AIS itself (under payments regulation) - note that that 'customer' does not include a third party with whom the customer wants to share the data; and
• under data protection regulation, explicit consent (or some other legitimate basis) for the collection, processing, sharing etc of the data itself, to the extent required to deliver it to a third party - as well as for the processing etc of that data by the third party (which may be tackled via the third party's own privacy policy and data consents).

In addition, payment services regulation specifies certain information that must be included in either an ongoing or single use service contract with the customer.

Meeting these requirements is complicated by the fact that the customer is also likely to be using the AISP's platform to be receiving and sharing data from other types of personal account that are not regulated. So the payment-specific regulatory requirements have to be met within a context where unregulated data services are also being provided.

Commercial requirements

From a commercial standpoint, there are numerous copyright licensing issues to consider regardless of whether the data being shared comes from a payment account or some type of unregulated account. Indeed, the data being contributed and shared could come from the customer herself (user-generated information or 'UGC'). In effect, even the information coming from the user's accounts with third parties is effectively user-generated, particularly in terms of whether the service provider takes responsibility for its accuracy and so on.

These licensing issues must also be considered in terms of what licences are required 'upstream' from the customer, the service provider and any sources of data, as well as downstream licenses - and usage restrictions - from the standpoint of the service provider, the customer and third parties receiving the data. These licences are likely to be reflected in an array of different contracts, including customer terms and commercial agreements. Appropriate disclaimers, exclusions and limits on liability must also be considered.

This is where the sanity of specifically regulating payment account information services becomes questionable, as some of the typical commercial requirements may conflict with the liability and information requirements relating to an AIS, in which case it would need to be 'carved-out'.

Conclusion

These are not the only issues related to the supply of account information services or other data services, but they do illustrate the complex challenges arising from the fact that AISPs had to be subjected to regulation for banks to cooperate with them, and yet an AIS involves the supply of data in a way that other regulated payment activity does not, often in combination with other data services.

Consultation: Contract Guidance for Data Controllers/Processors Under #GDPR

The Information Commissioner has published draft guidance for data controllers and processors on their contracts and liabilities under the General Data Protection Regulation, for comment by 10 October 2017. GDPR takes effect in the UK from 25 May 2018, but a lot of preparation is required, including reviewing and updating contracts for personal data processing.

The guidance is intended to explain what data controllers must include in contracts; and what responsibilities and liabilities data processors have under the GDPR.

As a sign of the complexity and uncertainty in this area, the ICO adds that its guidance "will need to continue to evolve to take account of any guidelines issued in future by relevant European authorities... as well as our developing experience of applying the law in practice"...

Is The UK Framing Canada?

The economy, financial services and privacy are among the most sensitive political areas for the United Kingdom, yet with Mark Carney in charge at the Bank of England and the recent appointment of Elizabeth Denham as the UK's next Information Commissioner all these areas are now the responsibility of Canadians. Seems the UK government is looking for someone else to blame...

Response to Midata Consultation

As part of its 'midata' initiative to empower consumers, the department of Business Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer’s request. In the interests of transparency, I've summarised below my response to the consultation. As previously explained, I should mention that I've been involved in the midata Interoperability Board from its inception in 2011.

General Comments:

'Midata' scenarios involve consumers' transaction data being returned to them in a way that enables them to use it to improve their purchasing decisions. This reflects an existing, yet evolving commercial trend that is developing positively. Many businesses provide customers with their personal transaction history through ‘my account’ functionality which enables downloads. In addition to price comparison sites, other intermediaries are evolving to help consumers identify where data is stored, as well as to gather, share and analyse it.

It is acknowledged that there are certain operational risks involved in the widespread sharing of such data and various suppliers, intermediaries, officials and consumer representatives are co-operating to address these. One example is the work done by the World Economic Forum ‘tiger-teams’ on “Rethinking Personal Data” (here's my note of the London session). Government is also playing a very helpful role in fostering an environment in which suppliers can evolve best practice in the management of operational risks, as illustrated by the Midata initiative. Official guidance in the area includes the UK Information Commissioner’s guidance on data sharing.

These initiatives are sufficiently flexible and adaptable to support innovation rather than to stifle it. There is no evidence that these approaches are failing to adequately address the operational issues identified.

Regulation, on the other hand, is more rigid and often has unintended consequences that are hard to rectify in a timely fashion, particularly where it is general in nature and not evidence-based. As a general principle, prior to granting powers there should be clarity concerning the basis for their exercise, applicable exemptions, sanctions and other checks and balances.

Risks or undesirable consequences from exercising a power to require certain data to be released electronically could also include:

• undermining the cooperative approach to addressing operational risks and the evolution of best practice described; 
• reducing the flexibility and adaptability of risk management measures and stifle innovation; 
• paralysing development until market participants are clear on the basis for the exercise of powers, applicable exemptions, sanctions and avenues of review or appeal. 

So, while it is worth exploring whether a power of the kind proposed might encourage industry participants to act appropriately, it is difficult to support it in the circumstances described above. Rather, in my view, the government should continue to foster (and participate in) an environment in which best practice can evolve rapidly and flexibly; survey the rate of take-up of appropriate services and the adequacy of operational risk management; and issue guidance where appropriate. This would enable an evidence-based approach to regulation in due course if necessary.

Obligations for Specific Sectors or Data Types?

While all suppliers with consumer or micro-businesses as customers should be encouraged to participate in the 'midata' trend, I would be concerned that a regulatory obligation to provide transaction data to such customers may cause some businesses to withdraw from those markets.

This trend should also naturally pick up useful data that is not currently in digital format. However, I would be concerned that any mandatory obligation that is focused only on data held electronically will discourage businesses who would ‘digitised’ offline data from doing so.

Impact of the Proposed Mandatory Approach

My concern is that the proposed regulatory approach would be too narrow in its focus and effect. The WEF process has established that Midata scenarios require a holistic approach to the various challenges inherent in returning data to customers electronically. The value and utility of personal data is a hugely complex dynamic that varies by:

• the context or the activity we are engaged in, 
• which persona we are using at that moment, 
• the actual data being used or provided, 
• the permissions given, 
• the rights that flow from those permissions, and 
• the various parties involved. 

We need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. Such rules must be capable of being simplified at the customer level, understood in terms of specific rights and obligations at the legal and regulatory level, and ‘coded’ to ensure that computers handle the data consistently with these rules.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that does not make it impracticable for any necessary participant in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

By way of example, the current ambition of the WEF is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system ). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

Who Should Be Able to Request Data?

Consumers and businesses employing fewer than 10 people ("micro-businesses", most of which are owned and operated by individuals) should be entitled to request a supplier to provide their own transactional data, either to the customer or to a specified third party. Alternatively, a third party who is duly authorised by the customer should be able to seek the customer’s data in electronic format directly from the supplier.

The terms and conditions and other information that are required to be made available to the consumer under applicable law (e.g. Distance Selling Regulations) should be included with the transactional data related to the goods or services covered by those terms and conditions.

Formats and Response Times

The government should not mandate formats, since internet-based technology allows for the development of 'mark-up languages' that allow sharing of data in different formats, as described above. 

Appropriate response times will be contextual. Guidance should encourage standing ‘my account’ functionality accessible by the individual logging-in, rather than a request-and-response model. However, where a request-and-response model is adopted, the response should be ‘prompt’. 

Should Suppliers Be Able to Charge for Releasing 'midata'? 

Suppliers should not be prohibited from charging specifically for releasing transactional data, but be encouraged not to. In effect, however, ‘my account’ functionality is not really ‘free’ in any event since there is a price to the related goods or services. 

It's conceivable that some suppliers might wish to be transparent about the price of goods versus the price of supporting services. In cases where few consumers access their data, it may not be appropriate that all consumers may end up paying for the functionality. However, it is important that any directly applicable charges should be reasonably proportionate to the cost of making the data available, including a reasonable profit margin (e.g. 20%). There are similar regulatory requirements in relation to certain fees in the financial services industry, for example. 

Enforcement and Supervisory Bodies 

It is likely that access to personal transaction data will be included as a right and/or obligation in customer terms and conditions, and customers should be free to enforce these in the same manner as any other provision in that contract, including through the courts or alternative dispute resolution as necessary. 

In the event regulation  is required, any enforement activity in this area could be handled in the context of personal data regulation, general consumer regulation, or regulation related to dealing with consumers in specific sectors.  Accordingly, appropriate enforcement bodies would include those listed below, with the Information Commissioner's Office taking the lead: 

• Information Commissioner’s Office 
• Office of Fair Trading 
• Trading Standards Institute 
• Citizens Advice 
• Key sector regulators, e.g.: 
• Financial Services Authority
• Ofgem
• Ofcom

Prior to the advent of regulation, these bodies could participate in fostering an environment in which suppliers, intermediaries, officials and consumer representatives can evolve best practice in the management of those risks.

Under any necessary regulation, the enforcement bodies could be empowered to order disclosure and/or fine suppliers, intermediaries, etc for failing to disclose, security breaches and so on. 

As this trend develops, one could expect to see a decline in data subject access requests under the Data Protection Act 1998, and any related enforcement activity by the ICO. 

I'm interested in your thoughts.

Rethinking Personal Data

On Thursday I joined a World Economic Forum 'tiger team' focused on rethinking personal data, a process that aims to build on reports revealing personal data as a new asset class, and meeting the challenges this evolution brings. My thanks to Liz Brandt at Ctrl Shift for inviting me along. Apparently, as one non-legal delegate put it, "there are not enough lawyers at these sorts of events."

In essence, we are moving from a world where data about each of us is compiled into large national databases by corporations and governments (since they are the only ones with the vast resources required to do it); to a world where personal data is highly distributed and grows with every interaction with or about each of us, so that no one can keep up with it, let alone store it in a single place. 

It's therefore important to understand that a "personal data store" is not envisaged as your own personal database of all personal information about you. "Store" is not used here in the sense of 'storage' but in the retail sense of controlling what is offered or sold (which is also not exactly appropriate but does the job for now). So a 'personal data store' is really just a set of rules that determine whether and how data about you can be used - wherever that data sits. It's another type of 'personal information management service'.

The WEF process involves first 'unpacking' the big notions of 'identity', 'privacy' and the imagined benefits to be gained from sharing personal data. These concepts are too static, theoretical - and too emotive - to use as the basis for establishing detailed rules for the responsible use of personal data. The significance and value of personal data can't be captured in a single dollar amount or 'yes'/'no' answer to whether it can be used. Instead, the value and utility of personal data is a hugely complex dynamic that varies by: 

• the context or the activity we are engaged in, 
• which persona we are using at that moment, 
• the actual data being used or provided, 
• the permissions given, 
• the rights that flow from those permissions, and 
• the various parties involved.

So in order to ensure that our transactions and other day-to-day activities are as frictionless and seamless as possible, we need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. And those rules must be readable at various levels by humans, lawyers (legislature, courts, regulators, governance panels) and machines (computers, microchips).  

A previous tiger team session identified business, legal and technology as the three primary stakeholders or perspectives in agreeing such a set of rules. The business rules must first be established clearly at the outset, then vetted from a legal and governance standpoint, then coded in such a way that everyone can be confident machines will handle the data in accordance with the rules.

The current ambition is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that doesn't represent a deal-breaker for anyone in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

An earlier tiger team had proposed a useful set of rights and duties from the standpoint of the data subject. So we focused on the rights and duties of the service provider operating the personal data store on that data subject's behalf. We also made a start on the rights and duties for the governance role. The full write-up is due in the next few weeks, but some of the key issues we covered were: 

• the need for transparency as to whether the provider of a personal data store is acting as a full agent in the fiduciary sense or as a lesser form of agent or broker; 
• the need to ensure co-operation in the timeliness, accuracy, integrity and authenticity of the personal data accessible via the service; and
• security protocols for data access and sharing. 

From a governance standpoint, it seemed critical to have both the public and private sector represented on the governance panel - just as they were both represented in the tiger team process itself - to ensure not only that the public laws are obeyed at a minimum, but that official guidance can support the additional contractual standards that are agreed to 'fill in the gaps'.

The most immediate next steps would be to flesh out the governance aspects and to address the rights and duties of businesses relying on the data. Having allocated all the necessary rights and duties amongst each of the participants should make the final step of determining the liability and accountability for each of the participants a far less combative process than I've seen in other forums ;-)

Overall, I'm very optimistic that a cohesive global framework for the responsible use of personal data is achievable. Specifically, it was very encouraging to witness how much easier it is to address the overall personal data challenge when you commit to 'unpacking' the big notions of identity, privacy and public benefit, as described above. It was also a huge relief to hear that it is considered feasible by those who've introduced data standards previously to implement a personal data mark-up language to link the flow of personal data to a set of permissions and rules. I'm also hoping this can help achieve dynamic, momentary user identification that minimises the need for large, vulnerable repositories of personal identity material.

Of course, political and commercial acceptance and 'take-up' are where all this rubber hits the road. But the fact the discussions are taking place globally via the WEF is clearly very helpful. 

Business Implications Of Privacy Law

On Tuesday, I had the pleasure of presenting to the Ctrl-Shift conference arranged for MesInfos, the French equivalent of the Midata initiative, which encourages businesses to allow consumers to download their own personal transaction data. My short presentation is embedded below. 

The ensuing discussion confirmed some critical differences between the continental and British legal landscapes. The most fundamental is the difference in citizens' expectations of the civil law and common law frameworks, on which I've commented before in the context of identity. The citizens of civil law countries expect the authorities to specify in regulation how something new may be done. Whereas the common law is expected to follow commerce - so people first agree contractually how something may be done and rely on judges to solve problems in the courts - Parliament is only there to pass laws where judges can't help. Accordingly, civil law comprises civil codes or legislation made by the state, whereas a significant amount of the law in common law countries effectively comprises judicial decisions and the contractual franeworks to which they relate. 

As a result, contracts in civil law countries can be shorter, as they only need to spell out how the parties intend to modify the operation of the civil code, where that is possible - and attempts at such modification are viewed with some suspicion. But in common law countries, contracts tend to be more involved yet more readily agreed since they are heavily relied upon as the first attempt to agree how something should be done. 

Not only do these differences have significant implications for the pace of innovation in Europe as opposed to, say, the US. But they also help explain why the European Commission's (civil law) approach to life is viewed as such a drag in the UK, which doesn't have the power to ignore it. 

The approach to privacy policies is a case in point. In the online world in particular, not only have global terms of service effectively operated as the only form of enforceable international law (witness US government reliance on the terms of PayPal etc to try to control WikiLeaks), but privacy policies underpin numerous advertising-dependent business models and effectively specify how privacy works. That is something European regulators view with distaste. They believe state-made  law should specify how privacy works, and the role of contracts should be limited to merely obtaining fully-informed consent in relation to specific facts involving the use of data. The mind-numbing 'cookie law' is the product of such pompous thinking.

The incontrovertible fact remains that commerce will grind to a halt if we are to wait for the authorities to dictate the pace and shape of innovation. Life is what happens while you're making plans. The European Commission's far-reaching "General Data Protection Regulation" will be another two years in negotiation. In the meantime, businesses and their customers in the common law world will continue to hammer out their own agreements on how things should work.

Somehow the two approaches need to coincide to enable the same, consumable result.

Business implications of evolutions in privacy law mes infos 23 04 12 - simon deane-johns

View more presentations from Simon Deane-Johns.

Privacy Must Be A Core Business Competence

The European Commission's proposed General Data Protection Regulation is just that: general regulation. No longer can businesses afford to treat data protection compliance as a 'bolt-on' to their marketing department, or even the compliance department. CEO's need to understand how the demands of personal data privacy are going to re-shape their business.

Just ask yourself whether you think the following rights go to the heart of any business that deals with individuals: the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing. Not to mention requirements for enhanced internal controls, numerous enforcement and compliance burdens, and the obligation to appoint a data protection officer.

The trouble is, none of these concepts is straightforward, nor are the rules easily digested.

But digest them you must. Even if they don't make it onto the statute books, the genie is out of the bottle. Many of these 'rights' reflect the current concerns of at least some consumers (albeit most of them probably also happen to work for the European Commission and various consumer groups). Existing services will be judged against them as 'best practice'. Some businesses and new entrants without legacy systems will factor them into new services. And if they do make it onto the UK's statute books, you can bet they'll be gold-plated.

The Society for Computers and Law has done a great job of stimulating debate on the EC's proposals, and helping identify the implications for businesses generally. But there's a long way to go before the practical implications for businesses and business models are understood and fed back to the authorities in time for a new directive to be finalised in 2014. In fact, bitter experience suggests this won't happen at all.


At a recent seminar, Mark Watts, Chair of SCL's Privacy and Data Protection Group, polled about 100 delegates on the questions asked in the 4 week Ministry of Justice consultation on the EC's plans. The results can be downloaded via the Society for Computers and Law web site. One response made a telling point:

'Writing wide-ranging, broadly applicable laws that affect almost everything a business does but which can only be interpreted and implemented with the assistance of specialist data protection lawyers is surely not the best way to go. Laws that potentially affect so much of what ordinary business does on a day to day basis should be capable of being understood by "ordinary businessmen". The Regulation is a long way from this and will keep data protection lawyers in business for years.'

Further, As Dr Kieron O'Hara explains in relation to the technological challenges presented by the 'right to be forgotten' in his excellent article in this month's Computers & Law magazine, the EC's ambitious plan for personal privacy requires "a socio-legal construct, not a technical fix." 

An Integrated EU Market For Payments?

A Dog's Breakfast

We have until 11 April to weigh in on the European Commission's dream for "an integrated European market for card, internet and mobile payments."

Tedious as the EC's role and processes are, we mustn't forego these opportunities to feed into the EU's 'social dialogue'. If we don't participate we'll get legislation that's more reflective of canine culinary expertise rather than how various markets actually work (like the Payment Services Directive).

Some key issues in the current green paper are:

• whether we need more sunlight on how much we pay in interchange fees;

• whether it's overkill to make a retailer show on your receipt how much it costs to use your chosen payment method;

• whether non-financial service providers should be able to directly access clearing and settlement systems;

• whether you should be allowed to permit any service provider you like to show you your bank balance, rather than only your bank; and

• whether competition is being inhibited by the process of 'standardisation' and demands for "full interoperability".

My own personal view is that the short answer to all of the above is, "Yes."

The challenge to regulating payments is that service providers and regulators alike tend to view "paying" and "banking" as consumer activities in their own right. Whereas consumers don't actually "pay" - and retailers don't even "accept payment" - as distinct activities. The man from Visa who thinks the brand on my payment card is the most important brand in the context of me buying a gift for a friend on my way to a party is institutionally deluded. Actually paying for the gift is a barely considered sub-process in the course of getting to the party, and I might pay in cash.

Not only must we remember that payment occurs in the context of wider consumer activities, but we must also acknowledge that payment details are a subset of all the personal and transaction data used in retail services that are subject to broader market forces and other regulation. In particular, the impact of the EC's proposal for more comprehensive regulation of personal data processing cannot be underestimated. There seems little point in dealing with access to bank balance information in the context of payments regulation when the wider data protection regime would enable the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

But let's glance away from the data protection elephant for a moment.

On the question of interchange, it's clear from Annex 2 of the green paper that the EC doesn't understand the lack of a direct contractual/settlement relationship between issuers and acquirers in four-party card schemes like Visa/MasterCard, even where a banking group has both an issuing business and an acquring business. Each acquirer and issuer contracts directly with the card scheme, and the card scheme settles independently with each of them. Besides, the issuing arm's cardholders won't always be making payments to the aquiring arm's merchant customers. Not only does this add an important nuance to the interchange debate, but it also has far wider implications for payment services regulation than there's time to cover here.

As consumers, of course we want retailers to keep a lid on their interchange costs (like any other overhead). That would enable them to improve their services, increase product selection or maybe reduce their prices. But unless the retailer has its own specific surcharge, I don't need the receipt to tell me the cost of using my chosen payment method, any more than I'd need to know what it cost to get the item from the warehouse to the shop. The underlying cost might be fascinating to EC officials and payments geeks, but the all-in price of the item should be enough for me to compare the efficiency of retailers' operational processes. Whether those retailers are competing properly in their own markets is a separate issue to the cost of payments in any event.  

I can also see that the cost of payments might be reduced by enabling sophisticated businesses to directly accessing clearing and settlements systems, rather than relying on financial institutions whose systems are geared to servicing the broader market. And such businesses shouldn't need to become regulated financial institutions or to join cosy industry bodies for that privilege. However, I should point out that developing an internal acquiring and settlement capability is very likely to prove an unwelcome distraction for non-financial corporate groups.

Similarly, as a consumer, I should be able to appoint a single service provider to enable access to my various bank, card and other payment accounts, without being in breach of the obligation to keep my account access details confidential. It's not beyond the wit of man to work out which provider is liable for any security breaches that might occur in that data sharing process.

Finally, we need to be really careful about requiring "standardisation" and "full interoperability" rather than merely enabling the market to develop this naturally, free of anti-competitive activity. Entrepreneurs don't have the time or resources to sit around in policy and standards meetings. Nor do they wish to telegraph to incumbents their disruptive plans. Yet there is also little meaningful distinction between "technologicial interoperability" and "commercial interoperability" in a digital world where business models are automated or 'hard coded'. I'm struggling to understand the EC's intention here. On the one hand the EC wants to see competition (which generally means less consolidation and more fragmentation - plenty of new players and competing, disruptive solutions), and on the other hand it wants to "avoid fragmentation of the market". So these aims seem incompatible. 

Interoperability and standards may be important to enable efficient, straight-through processing between participants at either end of an overall business process or system. But the more tightly that process is bound together - or the narrower the group of entities involved in the development of standards/interoperation - the harder it is for new entrants to compete by disintermediating or improving any one element of that process. This is a key reason we have been trying to avoid any preoccupation with mandating standards in relation to data release formats in the context of the 'midata' initiative, for example (formerly 'mydata'). This avoids creating an extra hurdle to the release of the data, while opening up a market for the supply of data transformation applications that collect such data in multiple formats and display or transfer it in another format. 

Paradoxically, the EC's own concerns on this front are reflected in the green paper questions as to whether card scheme management should be separated from control over card payment processing (Q's 9 and 10), as well as the competition challenge to standards-setting by the European Payments Council:

"Joaquín Almunia Commission, Vice President in charge of Competition Policy, said: "Use of the internet is increasing rapidly making the need for secure and efficient online payment solutions in the whole Single Euro Payments Area all the more pressing. I therefore welcome the work of the European Payments Council to develop standards in this area. In principle, standards promote inter-operability and competition, but we need to ensure that the standardisation process does not unnecessarily restrict opportunities for non-participants."

I rest my case.

Travelling With The ID Pioneers

Seeking a New State of Identity

If the penultimate CSFI roundtable on Identity in Financial Services was anything to go by, the final one should be a proper knock-down, drag-out affair worthy of past pioneering epics ;-) In fact, the Innholders should replace it's sign for the day, to read:

The issue that sparked the most heat (again) was whether banks might somehow be suited to be the guardians of the so-called 'hard' element our identities - the proof currently required to move our money, access our government records and so on - rather than 'soft' credentials necessary to access, say, your social media accounts. 

Spotted the flaws already? 

We shouldn't bother picking on the banks anymore (though it is fun). I mean, I seriously doubt they want to be cast in this role at all. And as Richard Martin pointed out, the banks are each wedded to different identity solutions, chosen for fairly mundane IT procurement reasons rather than any attempt to use ID services as a source of competitive advantage (banks compete?!) in offering secure access to your money their services. At any rate, to the extent that any banks are availing themselves of the latest e-ID tools to more efficiently KYC their customers, they are merely using the credit reference agency databases. So if one were to look only at the development of 'hard' identity services, one should cut through the banking platforms to the credit reference agency roadmaps and how they plan to enable access to those services in ways that are much more useful and empowering for consumers.

And while the Money Laundering Regulations do erect a reasonably heavy barricade to the usability of financial services, it's unduly trusting to pretend they amount to best practice in establishing a person's identity. Real danger lurks in this idea that social media identity is somehow 'soft'. The premise for this seemed to be that Facebook, Google, Amazon, eBay and so on don't offer any services that attract the need for 'bank-standard' ID checks and personal data protection, and couldn't operate to such high standards. Yet, many of them already operate financial institutions. And I suggest that there is more real value to the use of your identity to personalise products and pricing than in simply accessing your bank records. Even the Eurocrats are onto this. It's ironic that the person who was most pressing in his demand to know 'who owns my identity data' in a social network setting also admitted to entering a joke date of birth in a leading social media service. I guess he'd also be the first to complain if that service provider and those in its network were to hold the 'lie' against him...

But, of course, identity verification is developing in ways that mean your joke date of birth in one or more databases - and even your passport, driving licence and energy bill - won't necessarily matter amidst a far wider set of identity factors. As I've explained after the previous roundtable on this topic, what makes us unique is our collection of behaviours and the data they generate. So I'll end this post in a similar way to the last.

There are two key identity problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities.  And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by a user's own activity,  which is then immediately useless and can be safely discarded.

You Want Eggs With Your Privacy Regulation?

Well, the EuroZerozone may be disintegrating, but the European Commission is certainly doing its best to cement over the obvious cracks in the single market fantasy. Now we need more regulation of... privacy.

As with everything else that Brussels churns out, this breakfast had its origins in the primordial soup of the "Social Dialogue" and various talkfests that are helpfully identified by the city in which they were discussed. This time around something seems to have happened in Stockholm in 2009, for example. At any rate, you'll be so impressed by the rich pedigree of the grandly named:

"Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the protection of individuals with regard to the processing of personal data and on
the free movement of such data (General Data Protection Regulation)"

that you'll gratefully submit to the wisdom of our European overlords.

As for me, I just can't wait to roll my sleeves up and get to grips with the detail... the "right to be forgotten", "data portability", "data protection by design and by default", the logging/reporting of personal data security breaches, personal data processing impact assessments, prior consultation and regulatory consent for potentially risky processing; not to mention enhanced internal controls, enforcement and compliance burdens, including the appointment of a data protection officer.

No, really.

Honest.

Just as soon as I've got my head around the idea that "Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller" (Article 7(4)).

How can we really be sure there has been consent to anything?

Identity Is Dynamic, Not Static. Proof: Momentary.

On Tuesday we had a very revealing discussion on whether "banks and/or mobile operators should provide the identity infrastructure" at the CSFI's Sixth roundtable in the series on Identity and Financial Services.

Of course we began by discussing what identity actually is - not something that can be isolated or assumed, as was also apparent from the Fifth roundtable.

In this discussion, it was very clear that a bank or telco views identity as a static collection of data about an individual that can be stored or held, with varying degrees of subject access and control. In this entrenched view of the world, institutions - like banks and telcos - can compete for the privilege of 'holding' your identity and enabling you to prove who you are. In essence, those institutions are in control of your identity.

So what's stopping them providing an all-purpose identity infrastructure today?

The fact that identity is not a static concept. It's dynamic, contextual, and defined more by your various sets of activities or behaviours - "routes and routines", as Tony Fish put it - than by a picture, address and date of birth. That collection of behaviours and the data they generate are what makes us unique. Further, Dean Bubley made the point that we over-estimate the degree to which telcos (and banks), actually 'know' their customers in the sense of understanding their customers' end-to-end activities. And we over-estimate these institutions' technological ability to enable their customers to prove their identity at all, let alone conveniently in scenario's of their choosing.

A Finnish delegate also made the point that Finnish banks offer identity services, based on a government database, but make very little money out of them. Which suggests the services are not very useful or compelling.

In any event, static data repositories are vulnerable to attack; and the services that rely on them are apt to be 'gamed' by simply replicating the data held - as in the case of skimming card data or fabricating identity documents to gain control of a bank account. The fact that the individual consumer is ultimately compensated and therefore not 'harmed' in a direct financial sense is beside the point. We all pay for such inefficiencies in the form of higher interest rates, fees and retail prices.

So there are two key problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities.  And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise an "identity infrastructure" or 'service' that relies on a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded.


Image from Young Lee.

Would You Like A Cookie?

The law that applies to ‘cookies’ is changing with effect from 26 May 2011. Within a year from that date, not only must the user be given clear and comprehensive information about the purposes of cookies and use of the data they collect; but cookies can also only be placed on the user’s device after the user has given his or her consent. There is an exception where such storage or access is strictly necessary for the provision of a service that has been requested by the user (as well as where the cookie is for the sole purpose of carrying out the transmission of a communication over an electronic communications network). The UK Information Commissioner has issued guidance on how to comply.

How best to obtain consent?

This is likely to vary according to the type of cookie being set and the use to which the information is put. Cookies may be either "Session” cookies, which are temporary and deleted as soon as the user closes his or her browser; or "Persistent” cookies, which are stored on the user’s device hard drive until they expire or are removed. Where a persistent cookie is set, the consent only needs to be obtained prior to it being set the first time.

Of course, users can configure their browser to warn them whenever a new cookie is about to be stored; clear the cookies that have previously been set; and/or block specific cookies in advance. Or they can choose not to visit a website or use a service whose cookies they don’t want to receive. However, the Information Commissioner has found that most browser settings are not sophisticated enough to allow the service provider to assume the user has given his or her consent to allow your website to set a cookie. So, the Commissioner has advised that consent must be obtained in some other way.

If you are changing your terms for the use of your web site or web-based service, you have to make users aware of the changes and specifically that the changes refer to your use of cookies. You then need to gain a positive indication that users understand and agree to the changes. This is most commonly obtained by asking the user to tick a box to indicate that they consent to the new terms. Where a third party sets its own cookies or similar technologies onto “your” users’ devices, you will need to ensure your users’ consent is obtained either by you or the third party.

For sites with subscribers who must log-in to gain access, you could prompt the user to agree amendments to your privacy policy to cover the use of cookies at time of next log-in. More challenging is how to obtain consent to cookies from users who don't log-in or necessarily interact with your site in a way that would enable you to display terms of consent that could be agreed. The Information Commissioner has suggested that web site owners “place some text in the footer or header of the web page which is highlighted or which turns into a scrolling piece of text when you want to set a cookie on the user’s device. This could prompt the user to read further information (perhaps served via the privacy pages of the site) and make any appropriate choices that are available to them.”

Whichever way you decide to meet the challenge, you'll need a psychiatrist on standby for your digital design team ;-)

Image from Jefferson Park.

Do Other EU Countries' Data Protection Laws Apply To You?

A hat-tip to Claire Walker and Shona Kerr for their SCL article on the above question: "Location, Location … Guidance on Applicable Law in International Data Processing Scenarios" (cheap annual subscription applies).

The "guidance" referred to is the Opinion of the EU's Article 29 Data Protection Working Party of national data protection regulators. And, naturally, the answer to the above question is that "it depends".

In essence, the factors for businesses to consider are whether you are the data controller or processor, and whether you have an "establishment" in a given EU Member State and/or are sufficiently involved in processing personal data through "equipment" or some means of processing located in that country. There are helpful detailed examples in the Opinion, but ultimately it's a question of fact and degree that will benefit from discussion with the operational or IT staff who know what's actually going on. Guidance is also given on supervision and enforcement.

This sort of analysis is not exclusive to the law on personal data protection - many local laws and regulations may apply to your cross-border activities in another country, even if you don't operate a physical point of sale there (direct and indirect taxes being critical examples). But it's a useful illustration of the type of issues facing anyone operating on a cross-border basis.