Wednesday, 8 January 2025

When Is It Legitimate to Process Personal Data To Develop AI Models And What Happens If It Was Not?

EU data protection regulators have announced their final Opinion on some key issues related to the processing of personal data in AI models. Below is a summary for information purposes only. If you need legal advice, please get in touch.

When is an AI model considered as anonymous?

This can only be decided case-by-case, and there's a non-prescriptive, non-exhaustive list of methods to demonstrate anonymity. In broad terms:

For a model to be anonymous, it should be very unlikely (1) to directly or indirectly identify individuals whose data was used to create the model, and (2) to extract such personal data from the model through queries. 

When/how is 'legitimate interest' an appropriate legal basis for processing personal data to create, update, develop or deploy an AI model? 

Considerations here include a 'three-step test' that assesses:

  1. Pursuit of a legitimate interest by the controller or by a third party; 
  2. The necessity of the processing to pursue the legitimate interest; 
  3. Balance.

In short, the regulator will consider whether the controller's interest is lawful, clear and precisely articulated, real and present; the processing is shown to be strictly necessary; and is balanced in terms of respecting the individual's rights.

What are the consequences for an AI model developed by unlawful processing of personal data? 

As in the US (where the FTC has ordered some infringing models to be destroyed), an AI model that has been developed with unlawfully processed personal data could also be considered to be unlawfully deployed (unless perhaps the model is anonymised). Regulators have wide investigative and assessment powers, and can take appropriate, necessary and proportionate action depending on the facts of the case.

This post is a summary for information purposes only. If you need legal advice, please get in touch.


Tuesday, 5 March 2024

Pay-or-Consent Ignores the Elephant-in-the-Room

European consumer bodies have united to file 8 local data protection complaints against Meta, claiming that "to ask consumers using Facebook and Instagram to give their consent to the processing of their personal data for advertising purposes or alternatively to pay a fee of up to €311 per year" does not cure various problems under the General Data Protection Regulation in the way it processes their customers' personal data. This also likely affects the status of training data that Meta has drawn from Facebook and Instagram to power its artificial intelligence systems. Previous complaints have resulted in changes to Meta privacy policies, but no real change in the underlying data collection and processing. Customers' investment of time and effort in their accounts and Meta's market dominance make switching unrealistic. If the complaints are successful, it would suggest both free and paid-for functionality will be much more limited in future, but perhaps subscription revenue might make up for any lost ad revenue. Meta obviously disputes the claims.

The consumer bodies say that Meta collects way more personal data about its users than is necessary for the purposes claimed, such as performing its contracts with users, and this also fails to meet the GDPR requirement to minimise the personal data collected. 

In addition, there is too little transparency and explanation of the use or purpose for collecting each type of personal data, and the legal basis relied upon. That would mean Meta isn't clear what types of data must be processed for contractual purposes and which types are covered by user consent, for example. It would also mean that any consent relied upon was not fully informed and therefore was not validly given (similarly, it would also be unclear what type of data collection and processing you are paying a fee to avoid - and whether you had really avoided what you did not wish to consent to).

While this calls into question the ability of Facebook and Instagram to use their customers' personal data to power behavioural advertising and the related revenues, it would also taint the use of such personal data as training data for Meta's AI tools and systems.

The claims in more detail (which Meta obviously would deny strenuously) are:

  • Meta’s personal data processing for advertising purposes lacks a valid legal basis because it relies on consent which has not been validly collected for the purposes of the GDPR; 
  • Some of Meta’s processing for advertising purposes appears to rely invalidly on contract; 
  • Meta cannot account for the lawfulness of its processing for content personalisation since it is not clear – and there is no way to verify – that all of Meta’s profiling for that purpose is (a) necessary for the relevant contract and (b) consistent with the principle of data minimisation; 
  • It is not clear – and there is no way to verify – that all of Meta’s profiling for advertising purposes is necessary for that purpose and therefore consistent with the principle of data minimisation; 
  • Meta’s processing in general is not consistent with the principles of transparency and purpose limitation; and 
  • Meta’s lack of transparency, unexpected processing, use of its dominant position to force consent, and switching of legal bases in ways which frustrate the exercise of data subject rights, are not consistent with the principle of fairness.

Previous complaints have resulted in changes to privacy policies, to try to clarify the purpose and legal basis of processing, but the consumer bodies say this has not interrupted the underlying processing that they say is illegal. Meta would obviously dispute this. 

While it's tempting to think users can simply vote with their feet, the amount of time consumers have invested in their accounts - and Meta's market dominance - means that is not a realistic option.

If the complaints are successful, it would suggest both free and paid-for functionality will be much more limited in future, but perhaps subscription revenue might make up for any lost ad revenue...

Watch this space.


Monday, 7 September 2020

Transferring Prepaid Card Programmes Is Non-Trivial

Ominous news that the UK e-money subsidiary of scandal-ridden Wirecard AG is "intending to wind-down its FCA-regulated business" and that "the business will continue to trade while alternative arrangements are being made with its card providers." 

Having advised on the creation and transition of various prepaid card programmes and customers, I'm aware this is highly technical from an e-money and payments regulation standpoint, and will involve intensive 'customer due diligence' under the anti-money laundering regime, as well as a careful approach to the processing of personal data. 

The FCA claims to be "working closely with Wirecard throughout this process to ensure that its customers are treated fairly," so programme managers and any e-money issuer(s) taking them and their programmes on will need to tread carefully.

Needless to say, I'm here to help the transferring programme managers or their new e-money service providers either in the UK or in relation to any EEA programmes via Ireland.

 

Friday, 27 December 2019

UK Firms: Why Not Simply Process EEA Residents' Personal Data In the EEA?

It's time for UK businesses to get creative in dealing with Brexit and all its uncertainties. As I've explained here, the processing of personal data relating to EEA residents is a particular problem. The UK is 13th on the list of countries that will be waiting for the European Commission to declare the UK personal data regime to be 'adequate' to transfer that data as of right (as happens now).

So, rather than bring personal data into the UK from the EEA, you could - as many already have - simply incorporate an entity within the EEA to hold the data and determine the means and purposes of processing there. That EEA entity could do the processing itself within the EEA or outsource that to an EEA-based processor with the right experience and expertise. Ireland, for example, is the top AI hub in the EU and it can be a simple matter to transfer existing English law contracts to a new entity there, particularly as Irish law is so similar.  

Only the aggregated results would need to come in to the UK.


Wednesday, 9 October 2019

Any Form Of Brexit Means #NoDeal For Export Of British Services

An excellent event at the Institute of Directors today on the impact of Brexit on Britain's trade in services - congratulations to all the speakers. This is vital to understand and address in some detail, because services amount to 80% of the UK economy, 80% of UK jobs, a third of UK exports of which 40% go to other EU countries based on the principle of free movement of services. Yet most services are not covered by free trade deals with third countries. So even if Britain were to leave the EU and eventually negotiate trade deals, that wouldn't help UK exporters of services. There will always be "No Deal" for most services, so the UK's "No Deal" warnings are permanent for services. This is why Liz Truss is suddenly making "liberalising trade in digital and services" one of three priorities at the WTO. She's too late, and it will never happen for the reasons given below, so it's time to get cracking on mitigation...

While the problem for services post-Brexit isn't news to me, I'm still absolutely stunned to see so little information about it in the media. Partly it's the age-old assumption that 'business' means 'big business' while nearly all UK businesses are small - 99% of UK businesses (5.7m) employ fewer than 250 people. Only 8,000 UK businesses employ more than 250 people.  

5.4m UK businesses are 'micro-enterprises' who are either sole traders or employ up to 9 people.

'Businesses' are people - many of them sole traders selling their time and expertise across the EU. Even online, business is personal.

I've posted on the impact of Brexit on services many times, here and on Pragmatist and for several law firms. I've tended to focus on the Brexit impact on financial services because that's my main area of expertise - and they are the largest of the UK's services exports, relying on valuable EU passporting rights which they will lose. As a result, 7000 jobs have moved so far, with more to follow if Brexit proceeds, and the costs of splitting capital/liquidity to support separate EU subsidiaries will cost customers €60bn a year by 2030.

But I've also mentioned the need for a new basis for transferring personal data from the EU27 to the UK, and I've even shared my own personal Brexit-proofing journey in adding Irish qualifications and consulting to an Irish law firm, for the same reason that it makes sense to switch EU contracts from English law to Irish law.

So I was thrilled to learn of today's event and I was not disappointed. I'm sharing my notes (anonymised) and I understand the video will be available via the IoD site. Worth watching! 

What laws govern the export of services?

Every country regulates what services can be offered to its residents to some degree. Regulations get tougher the more money residents might lose, or the greater the gap in knowledge between the service provider and the customer - that's why financial services are so heavily regulated.

Permitting foreign service providers to sell their goods or services in your country is a matter of trust and control, or political will and legislation ("trust is good but control is better").

Trade law on goods developed first, and rules on services followed - in particular:
  1. EU membership entitles firms to free movement of services based on mutual recognition of professional/trade qualifications and legislation that ensures individual member states don't drop their standards or supervision. That freedom falls away on Brexit day (subject to any agreed transition).
  2. Some services remain unregulated today (e.g. management consultants) and some are given mutual recognition status only at trade body level rather than by governments (e.g. architects). That shouldn't change on Brexit.
  3. Some regulation is based on outcomes, rather than dictating how qualifications are actually obtained or what subjects have to be studied to gain 'equivalence' or 'mutual recognition' (e.g. lawyers). This could diverge on Brexit, and 'equivalence' findings and mutual recognition will not automatically apply, can take a long time to be granted and are subject to withdrawal on little notice without appeal.
  4. Financial services passporting represents the most advanced form of free movement in services, since authorisation in one EU member state allows certain services to be provided in all member states. That will not be possible after Brexit (subject to any transition).
  5. In stark contrast to financial services passporting, the 'equivalence' regime that is available to third countries (and post-Brexit UK) is only available for certain types of financial infrastructure (e.g. exchanges) and some investment services, and can be withdrawn without appeal on 30 days notice (e.g. Swiss stock exchange) - so equivalence is not reliable.
  6. Other services that can be supplied to EU countries after Brexit will be based on a patchwork of national access rights, which vary in terms of scope and conditions.
  7. Outside the scope of EU trade rules (and where only minimum standards are set), the member states (like any other country in the world) can set tougher standards where they see greater potential adverse impact. The UK will be treated like any other non-EU country for that purpose. The UK government has tried to helpfully list where different EU countries have different rules for different services (will that stay up to date?). 
  8. There is a WTO rule (article 7 of GATS) aimed at preventing one member country from discriminating against another member ('most favoured nations' or 'MFN').  Free trade agreements also contain MFN clauses that require one party to offer the other any similar benefit that has been offered to another country. The EU seems to ignore the WTO requirement (which the Swiss have complained about to no effect so far), but does allow MFN clauses in its free trade deals with very limited scope (won't cover mutual recognition or equivalence decisions, for example, just legislation and 'national treatment'). Critically, the EU insists on its own regulatory autonomy. Only the  European Commission (and ultimately the European Court of Justice) can decide whether a service etc meets EU rules. 
Immigration and visa restrictions go hand-in-hand with constraints on services, since people often have to be physically present to provide services.  So free movement of labour is also critical to the free movement of services. That freedom entitles Brits to live, work and retire freely in 30 countries, but is lost on Brexit. Related entitlements to healthcare and so on will also fall away...

What are the practical impacts of Brexit?

Well, if you're among the 5.4m 'micro-enterprises' and export goods or services to the EU, the VAT rules will be a big problem. You currently benefit from hard-fought exceptions under the VAT Mini One Stop Shop (MOSS), but those will disappear on Brexit day (what if part way through contracts?). The HMRC warning states:
"Businesses that want to continue to use the MOSS system will need to register for the VAT MOSS non-Union scheme in an EU member state. This can only be done after the date the UK leaves the EU. The non-Union MOSS scheme requires businesses to register by the 10th day of the month following a sale. Alternatively, a business can register in each EU member state where sales are made."
EU consumers are already ceasing to buy from UK suppliers, and EU suppliers are geo-blocking UK customers and suppliers from applying to their sites. So forget bidding for service contracts from the UK, and many EU business people have stopped traveling to do business in the UK.

Work permits will be needed after Brexit, but can’t be applied for before then. These may be needed for speaking at conferences (unless asked a question first), giving training sessions, working on projects and so on.

Booze cruise etc to the EU for cheaper, duty free consumer goods may impact small retailers and their service providers.

If you're a director of a company, you have a duty to promote the success of the company, as well as a duty to exercise reasonable care, skill and diligence. You need to be able to demonstrate that in the context of Brexit - which is a known unknown. That would likely include: board discussions, a sub-committee, minutes, briefing papers, presentations, risk registers, scenario planning, supply chain analysis to identify suppliers at risk who may need to be replaced/helped (using the wrong type of pallet, say, or their trucks may be allowed into the UK by UK authorities, but will struggle to get back into the EU); and resolutions taking action to address threats and opportunities.

What can you do if your services are impacted? It depends on threats and opportunities identified, but some examples:
  • Set up a new subsidiary in an EU27 member state;
  • Rewrite contracts with new governing law and other pertinent changes;
  • Establish a new basis for transferring personal data from EU customers/suppliers to the UK;
  • Consider the tax impact of moving business activity to an EU27 country (or, for instance, whether withholding tax exemptions still work for entities owned by UK companies)

Time to get cracking!

Friday, 4 January 2019

#PSD2: An Account Information Service Is Not Really A Payment Service

There are good reasons why an "account information service" (AIS) became a regulated "payment service" under the not-so-new Payment Services Directive (PSD2). Chief among them was retail banks' decades-long refusal to allow retailers and other unregulated service providers access to the data in their antiquated systems at all, let alone seamlessly via 21st century "application programming interfaces" (APIs) that are now commonplace. Resolving those concerns sparked formal registration and other complex regulatory and technical requirements on service providers wishing to enable the sharing of payment data (AISPs), including a lot of unfortunately necessary detail in the Directive about customer authentication and information security. Yet years after PSD2 was set in stone, confusion still reigns over exactly what an AIS actually is or is not, both as defined in local payments regulation implementing PSD2 and how such services work commercially - especially because an AIS rarely stands alone...

The FCA is doing its best to clarify the regulatory scope of an AIS, including confusion about who might be the AISP, when a firm would require formal registration as an agent and how to benefit from the exclusion for 'technical service providers' (see Q25A of its Perimeter Guidance on payment services). But those issues are merely the tip of the iceberg.

The major problem is that an AIS is primarily a data service (and one which involves personal data at that). This means an AIS attracts the need for several sets of regulatory consents and specific information to be included in customer contracts, as well as the typical series of contractual licences to receive and use the data itself. 

The challenge to getting all this right is that it's rare for payments regulatory specialists to know very much about data licences, or for lawyers who specialise in data licensing to know anything about PSD2. It still feels strange to me to have spent a career on both sides of that divide - veering from financial information service licensing at Reuters, to e-commerce specialist at DLA, to payments specialist at Earthport, to P2P lending at Zopa (which involved licensing of user-generated content and market data) and back to payments at Amazon and WorldPay. And even though I've also continued to advise private clients on all types of services since 2005, there's still very much a sense of 'switching hats' when working through the various issues. 

So what are they?

Regulatory requirements for an AIS

From a regulatory standpoint the multiple sets of rights needed to supply an AIS include:  
  • explicit consent from the customer for the supply of the AIS itself (under payments regulation) - note that that 'customer' does not include a third party with whom the customer wants to share the data; and
  • under data protection regulation, explicit consent (or some other legitimate basis) for the collection, processing, sharing etc of the data itself, to the extent required to deliver it to a third party - as well as for the processing etc of that data by the third party (which may be tackled via the third party's own privacy policy and data consents).
In addition, payment services regulation specifies certain information that must be included in either an ongoing or single use service contract with the customer.

Meeting these requirements is complicated by the fact that the customer is also likely to be using the AISP's platform to be receiving and sharing data from other types of personal account that are not regulated. So the payment-specific regulatory requirements have to be met within a context where unregulated data services are also being provided.

Commercial requirements

From a commercial standpoint, there are numerous copyright licensing issues to consider regardless of whether the data being shared comes from a payment account or some type of unregulated account. Indeed, the data being contributed and shared could come from the customer herself (user-generated information or 'UGC'). In effect, even the information coming from the user's accounts with third parties is effectively user-generated, particularly in terms of whether the service provider takes responsibility for its accuracy and so on.

These licensing issues must also be considered in terms of what licences are required 'upstream' from the customer, the service provider and any sources of data, as well as downstream licenses - and usage restrictions - from the standpoint of the service provider, the customer and third parties receiving the data. These licences are likely to be reflected in an array of different contracts, including customer terms and commercial agreements. Appropriate disclaimers, exclusions and limits on liability must also be considered.

This is where the sanity of specifically regulating payment account information services becomes questionable, as some of the typical commercial requirements may conflict with the liability and information requirements relating to an AIS, in which case it would need to be 'carved-out'.

Conclusion

These are not the only issues related to the supply of account information services or other data services, but they do illustrate the complex challenges arising from the fact that AISPs had to be subjected to regulation for banks to cooperate with them, and yet an AIS involves the supply of data in a way that other regulated payment activity does not, often in combination with other data services.


Monday, 15 October 2018

EU Parliament Resolution on Distributed Ledger Technologies


The European Parliament has adopted a non-legislative Resolution on distributed ledger technologies (DLT), including blockchain. 

The resolution highlights potential applications of DLT, such as: 
  • reporting on clinical health trials. 
  • improving supply chains, such as monitoring of origin of goods for consumer protection. 
  • allowing households to produce and exchange alternative energy. 
  • tracking, management and protection of intellectual property rights/licensing. 
  • financial intermediation and reducing transaction costs. 
  • control over personal data management and data sharing. 
  • reducing administrative burdens in the public sector. 
The Resolution calls for the development of a European legal framework to solve any jurisdictional problems in dealing with fraud and crime; raise awareness of DLTs; and bridge the digital divide among various member states. 


Monday, 17 September 2018

Brexit And Cross-Border Personal Data Transfers: Agree A New Basis Now!

With 6 months to go, the UK government has warned UK firms to assume that their trading partners in the European Economic Area will be unable to send them any personal data from 29 March 2019, unless they enter into formal written agreements generally required for sending data to non-EEA countries or some other basis for transfer listed below. 

It's likely that EEA trading partners may be waiting on UK firms to do the necessary work, so the government recommends that UK firms should be proactive in making contact on this issue. 

However, any agreements would need to be under the law of an EEA member state (so I would likely advise on this area via my consultancy with Leman in Ireland, rather than via Keystone Law in the UK).
 
The UK proposes to allow the free flow of personal data from the UK to the EU27, but does not mention Norway, Liechtenstein or Iceland in relation to that proposal.

The EU can make an "adequacy decision" which allows the free flow of personal data to a non-EU country where that country's level of personal data protection is essentially equivalent to that of the EU. But the process for reaching such a decision - and even agreeing a timetable for that process - could not begin until after Brexit.

Aside from having the explicit consent of the individuals concerned (or perhaps relying on one of the processing rights under the General Data Protection Regulation), alternative ways for EEA firms to make personal data transfers to UK firms are as follows:
  1. A legally binding and enforceable instrument between public authorities or bodies;
  2. Binding corporate rules;
  3. Standard model data protection clauses adopted by the Commission;
  4. Standard data protection clauses adopted by an EEA supervisory authority and approved by the Commission;
  5. A code of conduct approved by an EEA supervisory authority, together with binding and enforceable commitments of the receiver outside the EEA;
  6. Certification under an approved EEA certification mechanism together with binding and enforceable commitments of the receiver outside the EEA;
  7. Contractual clauses authorised by an EEA supervisory authority;
  8. Administrative arrangements between public authorities or bodies which include enforceable and effective rights for the individuals whose personal data is transferred, and which have been authorised by an EEA supervisory authority.


Wednesday, 20 September 2017

Consultation: Contract Guidance for Data Controllers/Processors Under #GDPR

The Information Commissioner has published draft guidance for data controllers and processors on their contracts and liabilities under the General Data Protection Regulation, for comment by 10 October 2017. GDPR takes effect in the UK from 25 May 2018, but a lot of preparation is required, including reviewing and updating contracts for personal data processing.

The guidance is intended to explain what data controllers must include in contracts; and what responsibilities and liabilities data processors have under the GDPR.

As a sign of the complexity and uncertainty in this area, the ICO adds that its guidance "will need to continue to evolve to take account of any guidelines issued in future by relevant European authorities... as well as our developing experience of applying the law in practice"...


Wednesday, 15 February 2017

#PSD2: What Is An Account Information Service?

The Treasury is consulting on its proposed regulations to implement the new Payment Services Directive (PSD2) in the UK.  The consultation ends on 16 March 2017 and the regulations must take effect on 13 January 2018. The FCA will consult on the guidance related to its supervisory role in Q2 2017. Time is tight and there are still plenty of unanswered questions, which I've been covering in a series of posts. In this one, I'm exploring the issues related to the new "account information service", which is being interpreted very broadly indeed by the FCA.  Firms providing such services will need to register with the FCA, rather than become fully authorised (unless they provide other payment services); and they are spared from compliance with a number of provisions that apply to other types of payment service provider. But now is the time for assessing whether a service qualifies, and whether to restructure or become registered.

The Treasury has, naturally, copied the definition from the directive:
‘account information service’ means an online service to provide consolidated information on one or more payment accounts held by the payment service user with either another payment service provider or with more than one payment service provider (article 4(16)) - [my emphasis] - but has added:
"and includes such a service whether information is provided—
(a) in its original form or after processing;
(b) only to the payment service user or to the payment service user and to another person in accordance with the payment service user’s instructions" [which do not appear in PSD2]
This reflects the government's broad definition of the directive (para 6.27 of the consultation paper) - consistent with the UK needlessly creating a rod for its own back and particularly ironic in the light of Brexit. The account information service provider (AISP) should be granted access by the account service provider to the same data on the payment account as the user of that account (para 6.25). A firm will be considered an AISP even if it only "uses" some and not all of that account information to provide "an information service" (para 6.28).

Services that the government believes are AISs include (but are not limited to):
  • dashboard services that show aggregated information across a number of payment accounts; 
  • price comparison and product identification services;
  • income and expenditure analysis, including affordability and credit rating or credit worthiness assessments; and 
  • expenditure analysis that alerts users to consequences of particular actions, such as breaching their overdraft limit.
The services could be either standardised or bespoke, so might include accountancy or legal services, for example (para 6.30).

Some key points to consider:
  • does it matter to whom the account information service is provided? The additional wording seems to suggest that the 'payment service user' must be at least one recipient of the information, but does that mean the payment service user of the payment account or the person using the account information service?  This would seem to cover every firm that prepares and files tax or VAT returns, for example, since these are usually provided to both the client and HMRC.
  • the service has to be "online", but what if some of it is not?
  • little seems to turn on the word "consolidated", since the Treasury says a firm only needs to use some of the information from the payment account to be offering an AIS, and it could be from only one payment account. For instance, what if a service provides a simple 'yes' or 'no' to a balance inquiry or request to say whether adequate funds are available in an account, and that 'information' or conclusion/knowledge is not drawn from the payment account itself, but merely based on comparing the balance with the amount in the customer's inquiry or proposed transaction?
  • the payment account that the information relates to must be 'held by the payment service user' with one or more PSPs, so presumably this would not include an online data account or electronic statement that shows the amount of funds held for and on behalf of a client in a trust account or other form of safeguarded or segregated account which is in the name of, say, a law firm or crowdfunding platform operator (albeit designated and acknowledged as holding 'client money' or 'customer funds');
  • it seems impossible for the relevant data to be provided in its 'original form', since data has to be processed in some way to be 'provided' online, but this could cover providers of personal data stores or cloud services that simply hold a copy of your bank data for later access;
  • what is meant by 'after processing':
  1. it may not be clear that a firm is providing information 'on a payment account', as opposed to the same information from another type of account;
  2. does this mean each data processor in a series of processors is providing an AIS to its customer(s) - which brings us back to whether it matters who the customer is - or does interim processing 'break the chain' so that the next processor can say that the information was not 'on a payment account' but came from some other service provider's database (whether or not it was an AIS), such as a credit reference agency?
  3. what about accounting/tax software providers who calculate your income and expenditure by reference to payment account information but may not necessarily display or 'provide' the underlying data - although presumably the figures for bank account interest income (if any) in a tax return might qualify?
Sorry, more questions than answers at this stage!

Update on 21 April 2017:

The FCA has indicated in Question 25A of its proposed draft changes to the Perimeter Guidance that:
"Account information service providers include businesses that provide users with an electronic “dashboard” where they can view information from various payment accounts in a single place, businesses that use account data to provide users with personalised comparison services, and businesses that, on a user’s instruction, provide information from the user’s various payment accounts to both the user and third party service providers such as financial advisors or credit reference agencies." [my emphasis added]

Sunday, 10 April 2016

Privacy Not Core To Your Business? Take The ICO's 12-Step Programme

Though years in the making, it's possible that word of the EU's data protection reforms has yet to penetrate some boardrooms, let alone the IT development roadmaps of UK plc, and the UK Information Commissioner is very concerned that Britain will not be ready to comply. So much so that it has created a new website to urge preparation for the new law - even though the draft directive is not due to be passed until after the UK's referendum on EU membership, and will not take effect until mid-2018.

Brexit fans should still be concerned. The US will tell you that appropriate privacy safeguards are just one cost of doing business with Europe, and the UK will also need to comply in substance if it is to qualify for cosy trade deals as a non-member of the EU. 

The ICO recommends starting with this 12-step programme.


Saturday, 18 October 2014

Now Damages for Searches Revealing Good Memories About Bad Memories

A hat-tip to Miquel Peguera of Stanford for his analysis of a recent Spanish case in which Google Spain SL was ordered to pay compensation to one Sr Domingo for the 10 months it took to prevent access to certain information about him as ordered by the Spanish Data Protection Authority. The case arose from a claim for damages by Sr Domingo under the Spanish equivalent of section 13 of the UK's Data Protection Act 1998.
 
As in the recent González case in the European Court, the 'bad' information being linked to had been published by law. In fact, in this case the material was a Royal Decree granting a pardon for a previous criminal conviction for violating health regulations. The problem appears to be that the pardon (naturally) referred to the conviction for which the pardon was granted.
 
I'm really struggling here, I must say. 
 
Is there no public interest in being able to locate Royal Decrees generally through search engines?
 
If it is somehow wrong to reveal the details of a pardon, why doesn't the State remove the details of both the previous criminal proceedings and the pardon, so that none of the details are available for search engines - or anyone else - to find?
 
If the pardon and previous conviction must remain a matter of public record, isn't the pardon actually good news?

Maybe the appeals court will make sense of all this. But I'm not holding my breath.

Wednesday, 23 January 2013

Porting Midata Seems Simple Enough

LinkedIn (and Amazon.com) have demonstrated how easy it can be to transfer your transaction data from one service or application to another. This should be of interest to anyone interested in Midata.

LinkedIn recently took the decision to replace the function which allowed you to add third party applications to your LinkedIn profile with the ability to add direct links to material hosted elsewhere. It appears that the third party applications had been necessary to enable the storage and display of the material on the LinkedIn platform. Ending that third party application programme will mean all the data you've loaded for display via at least some of those applications will no longer be available on your profile. The data would need to be transferred from the LinkedIn platform to a third party's systems in order to display or use it in similar fashion.

Unfortunately, I missed any notification of this decision, and only went looking for information in the Help pages when I found I could no longer add a book to my "Amazon Reading List by Amazon" app (a nice way of tracking interesting books you've read). That I missed the news was a bit strange, as I'm a frequent LinkedIn user with over 900 connections, so maybe the communication of this decision and its implications could have been handled a little better.

However, the instructions for obtaining and displaying my reading list data were simple enough, and I am now the proud owner of a profile on Shelfari, the literary network facilitated by Amazon.com, into which I have imported my data from the application on LinkedIn.

Whether I can then display a list of books I've read to my followers on LinkedIn is a matter for LinkedIn. But it did seem that the updates to the reading list, rather than the list itself, were what sparked comment and discussion.


Wednesday, 9 January 2013

Midata Thoughts No. 2

I attended a meeting of the midata Transmission working group this week, which reviewed a set of scenarios based on those described in my previous post on this topic. I've updated my legal presentation by way of an overall summary, and will embed it below shortly. The working group scenarios are likely to go into a bit more detail and involve additional sub-scenarios. I assume they will be available once they have been reviewed by all the working groups and are considered in final form - possibly as part of a final report.

In essence, our discussion this week focused on: 
  • clarifying the likely use-cases and consumer/small business benefit: the first few scenarios reflect how midata currently flows (e.g. release of current account data via online banking) which we agree is not terribly consumer friendly. The later scenarios reflect a more likely outcome, as new analytical and 'dynamic switching' services arise, for example, or as consumers begin to negotiate specific products or pricing (whether alone or in collaboration with others); and
  • differentiating the various types of services that may be offered by new intermediaries (previously called 'personal information managers'):
      • Midata Store: this service, which would only involve the provider acting as a reasonably passive repository of midata on the Customer's behalf (e.g. merely holding it, or displaying and/or transmitting it without any alteration), could be called, say, a "Midata Store". It was also considered necessary to distinguish between a Midata Store that only receives midata from the Customer, and one that receives midata directly from a Current Supplier via a direct interface ("Linked Midata Store");
      • Midata Service Provider: this type of service would involve the receipt of midata on the Customer's behalf for the purpose of analysis, combining that data with other data and/or producing some kind of reliable result for the purpose of negotiating with a Current Supplier or Third Party Supplier, and so would involve processing on a greater scale. This would clearly involve more technological (as well as contractual and co-regulatory) safeguards.

It was considered that Midata Stores and Midata Service Providers are likely to evolve their own specific technology/transmission standards and self-regulatory codes quite quickly, in addition to any transmission guidelines etc produced by the Midata programme. However, it would be difficult to mandate the creation of a specific trade body or related code at this point.

The next meeting I am due to attend is a meeting of the legal and regulatory working group at the end of this month.



Thursday, 13 December 2012

Midata Thoughts No. 1

Hard on the heels of the government's recent warning shot, we're now into the working group phase of the voluntary Midata programme.

I'm involved in the working groups on Transmission and Data Protection Regulation & Enforcement. Other members of the Interoperability Board are also looking at Identification; Data Storage; and Onward Data Release to Third Parties. In due course, we will draw those aspects together, with the exact form and format of the output to be decided.

Of course, this is not intended as a 'closed shop' and I have tried to be transparent, via this blog, about my involvement. This has included publishing a summary of my response to the Midata consultation over the summer. In keeping with that, I am now embedding below a presentation of my initial thoughts following discussions on the roles of participants, process flows, the developing co-regulatory environment, risks, controls and challenges. I have also included scenario diagrams covering the three types of scenarios involved.

I welcome any comments, queries or suggestions you may have. I will post further updates in due course.



Thursday, 29 November 2012

Caution On Payday Loans Cap: It's A Midata Problem

The government is right to resist automatically capping interest rates for short term or 'payday' loans, and to insist on an evidence-based approach to the market which takes account of unintended consequences. Powers to cap rates, prevent endless renewals and aggressive, unsupportive collections activity are important. But it's critical to understand the real problem confronting the payday borrower before leaping to solutions.

Until now, the popularity of short term loans has been positioned in Parliament as a moral problem (rich for MPs!) for which an interest rate cap is the solution. 

But the annualised percentage rate (APR) for short term loans is misleading and unhelpful for borrowers in context. It only enables comparison of one short term loan against another. And it produces such a strange result against longer term loans that borrowers ignore it - especially as those loans may not be available to short term borrowers anyway.

Typically, a short term loan is applied for when other debts are due, fees are about to be incurred and other consequences are biting or about to bite. The relevant data points include the cost of unauthorised overdrafts, default fees on card accounts, the consequences of missing the rent, failing to pay a phone or energy bill, and so on. Borrowers react to the worst of the known consequences when borrowing, but may not be aware of them all, let alone take them all into account when assessing the best option.

This is a data problem, not an interest rate problem associated with just one of the options available to the borrower.

What would be helpful is a tool that enables comparison of all the options facing a short term borrower in the borrowing context.

Such applications are evolving, and it's important to note that the government is also playing a role to foster that evolution.

The Midata initiative, for instance, is aimed at producing solutions to meet exactly this kind of challenge. It aims to drive the development of simple applications that will access a person's own transaction data (including fees) to enable that person to make better purchasing decisions. Initially, the government is targeting suppliers in markets for energy, mobile phones, current accounts and credit cards. But it has issued a warning to others. 

If only we could get our MPs to focus on proportionate solutions to the root causes of society's problems rather than embarking on populist moral crusades and fiddling their expenses!


Tuesday, 20 November 2012

Warning Shot Fired Over Midata


The government is preparing the way for regulations to enable consumers and small businesses to request all their transaction data related to energy, mobile phones, current accounts and credit cards. If considered necessary, regulations could be in place in 2013, and may target other markets where certain factors point to consumer detriment.

The decision follows a consultation in the summer, and the full  response is here.

The proposals should add momentum to the voluntary Midata programme fostered by the Department for Business Innovation and Skills to help industry and consumer representatives resolve some of the key challenges in the 'core' consumer markets.

The Information Commissioner’s Office would take the lead role in enforcing any regulations, while concurrent enforcement powers could be given to sector-specific regulators.

The 'transaction data' at stake are the records of a consumer’s own purchases or consumption from a supplier - what the consumer bought, where and how much they paid for it - not the supplier's subsequent analysis. The data would have to be released in computer-readable format to enable it to be analysed by the consumer or a service provider of his/her choosing. This would help prevent suppliers gaining an unfair pricing advantage over consumers, for example, and make it easier for consumers to figure out the product right for them.

Factors the government might consider when deciding whether to expand the programme to other sectors include: 
  • the market is not working well for consumers, e.g. consumers find it difficult to make the right choice or their behaviour affects pricing but it's difficult to predict that behaviour;
  • there's a one-to-one, long-term relationship between the business and the customer, with a stream of ongoing transactions;
  • consumer engagement is limited, e.g. low levels of switching or competition; and
  • suppliers don't voluntarily provide transaction/consumption data to customers at their request in portable electronic format.
I should add that I am involved in the Midata programme, as a member of the Interoperability Board, and on working groups considering issues related to data transmission and law/regulation.

Wednesday, 12 September 2012

Response to Midata Consultation

As part of its 'midata' initiative to empower consumers, the Department for Business Innovation and Skills has been consulting on a proposal to give the Secretary of State a general power that "might be exercised broadly or in a more targeted way" to compel suppliers to supply transaction data at a consumer’s request. In the interests of transparency, I've summarised below my response to the consultation. As previously explained, I should mention that I've been involved in the midata Interoperability Board from its inception in 2011.

General Comments:

'Midata' scenarios involve consumers' transaction data being returned to them in a way that enables them to use it to improve their purchasing decisions. This reflects an existing, yet evolving commercial trend that is developing positively. Many businesses provide customers with their personal transaction history through ‘my account’ functionality which enables downloads. In addition to price comparison sites, other intermediaries are evolving to help consumers identify where data is stored, as well as to gather, share and analyse it.

It is acknowledged that there are certain operational risks involved in the widespread sharing of such data and various suppliers, intermediaries, officials and consumer representatives are co-operating to address these. One example is the work done by the World Economic Forum ‘tiger-teams’ on “Rethinking Personal Data” (here's my note of the London session). Government is also playing a very helpful role in fostering an environment in which suppliers can evolve best practice in the management of operational risks, as illustrated by the Midata initiative. Official guidance in the area includes the UK Information Commissioner’s guidance on data sharing.

These initiatives are sufficiently flexible and adaptable to support innovation rather than to stifle it. There is no evidence that these approaches are failing to adequately address the operational issues identified.

Regulation, on the other hand, is more rigid and often has unintended consequences that are hard to rectify in a timely fashion, particularly where it is general in nature and not evidence-based. As a general principle, prior to granting powers there should be clarity concerning the basis for their exercise, applicable exemptions, sanctions and other checks and balances.

Risks or undesirable consequences from exercising a power to require certain data to be released electronically could also include:
  • undermining the cooperative approach to addressing operational risks and the evolution of best practice described; 
  • reducing the flexibility and adaptability of risk management measures and stifling innovation; 
  • paralysing development until market participants are clear on the basis for the exercise of powers, applicable exemptions, sanctions and avenues of review or appeal. 

So, while it is worth exploring whether a power of the kind proposed might encourage industry participants to act appropriately, it is difficult to support it in the circumstances described above. Rather, in my view, the government should continue to foster (and participate in) an environment in which best practice can evolve rapidly and flexibly; survey the rate of take-up of appropriate services and the adequacy of operational risk management; and issue guidance where appropriate. This would enable an evidence-based approach to regulation in due course if necessary.

Obligations for Specific Sectors or Data Types?

While all suppliers with consumer or micro-businesses as customers should be encouraged to participate in the 'midata' trend, I would be concerned that a regulatory obligation to provide transaction data to such customers may cause some businesses to withdraw from those markets.

This trend should also naturally pick up useful data that is not currently in digital format. However, I would be concerned that any mandatory obligation that is focused only on data held electronically will discourage businesses who would have ‘digitised’ offline data from doing so.

Impact of the Proposed Mandatory Approach

My concern is that the proposed regulatory approach would be too narrow in its focus and effect. The WEF process has established that Midata scenarios require a holistic approach to the various challenges inherent in returning data to customers electronically. The value and utility of personal data is a hugely complex dynamic that varies by:
  • the context or the activity we are engaged in, 
  • which persona we are using at that moment, 
  • the actual data being used or provided, 
  • the permissions given, 
  • the rights that flow from those permissions, and 
  • the various parties involved. 
We need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. Such rules must be capable of being simplified at the customer level, understood in terms of specific rights and obligations at the legal and regulatory level, and ‘coded’ to ensure that computers handle the data consistently with these rules.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that does not make it impracticable for any necessary participant in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

By way of example, the current ambition of the WEF is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

Who Should Be Able to Request Data?

Consumers and businesses employing fewer than 10 people ("micro-businesses", most of which are owned and operated by individuals) should be entitled to request a supplier to provide their own transactional data, either to the customer or to a specified third party. Alternatively, a third party who is duly authorised by the customer should be able to seek the customer’s data in electronic format directly from the supplier.

The terms and conditions and other information that are required to be made available to the consumer under applicable law (e.g. Distance Selling Regulations) should be included with the transactional data related to the goods or services covered by those terms and conditions.

Formats and Response Times

The government should not mandate formats, since internet-based technology allows for the development of 'mark-up languages' that allow sharing of data in different formats, as described above. 

Appropriate response times will be contextual. Guidance should encourage standing ‘my account’ functionality accessible by the individual logging-in, rather than a request-and-response model. However, where a request-and-response model is adopted, the response should be ‘prompt’. 

Should Suppliers Be Able to Charge for Releasing 'midata'? 

Suppliers should not be prohibited from charging specifically for releasing transactional data, but be encouraged not to. In effect, however, ‘my account’ functionality is not really ‘free’ in any event since there is a price to the related goods or services. 

It's conceivable that some suppliers might wish to be transparent about the price of goods versus the price of supporting services. In cases where few consumers access their data, it may not be appropriate that all consumers may end up paying for the functionality. However, it is important that any directly applicable charges should be reasonably proportionate to the cost of making the data available, including a reasonable profit margin (e.g. 20%). There are similar regulatory requirements in relation to certain fees in the financial services industry, for example. 

Enforcement and Supervisory Bodies 

It is likely that access to personal transaction data will be included as a right and/or obligation in customer terms and conditions, and customers should be free to enforce these in the same manner as any other provision in that contract, including through the courts or alternative dispute resolution as necessary. 

In the event regulation is required, any enforcement activity in this area could be handled in the context of personal data regulation, general consumer regulation, or regulation related to dealing with consumers in specific sectors. Accordingly, appropriate enforcement bodies would include those listed below, with the Information Commissioner's Office taking the lead: 
  • Information Commissioner’s Office 
  • Office of Fair Trading 
  • Trading Standards Institute 
  • Citizens Advice 
  • Key sector regulators, e.g.: 
      • Financial Services Authority
      • Ofgem
      • Ofcom

Prior to the advent of regulation, these bodies could participate in fostering an environment in which suppliers, intermediaries, officials and consumer representatives can evolve best practice in the management of those risks.

Under any necessary regulation, the enforcement bodies could be empowered to order disclosure and/or fine suppliers, intermediaries, etc for failing to disclose, security breaches and so on. 

As this trend develops, one could expect to see a decline in data subject access requests under the Data Protection Act 1998, and any related enforcement activity by the ICO. 

I'm interested in your thoughts.

Saturday, 16 June 2012

Rethinking Personal Data

On Thursday I joined a World Economic Forum 'tiger team' focused on rethinking personal data, a process that aims to build on reports revealing personal data as a new asset class, and meeting the challenges this evolution brings. My thanks to Liz Brandt at Ctrl Shift for inviting me along. Apparently, as one non-legal delegate put it, "there are not enough lawyers at these sorts of events."

In essence, we are moving from a world where data about each of us is compiled into large national databases by corporations and governments (since they are the only ones with the vast resources required to do it); to a world where personal data is highly distributed and grows with every interaction with or about each of us, so that no one can keep up with it, let alone store it in a single place. 

It's therefore important to understand that a "personal data store" is not envisaged as your own personal database of all personal information about you. "Store" is not used here in the sense of 'storage' but in the retail sense of controlling what is offered or sold (which is also not exactly appropriate but does the job for now). So a 'personal data store' is really just a set of rules that determine whether and how data about you can be used - wherever that data sits. It's another type of 'personal information management service'.

The WEF process involves first 'unpacking' the big notions of 'identity', 'privacy' and the imagined benefits to be gained from sharing personal data. These concepts are too static, theoretical - and too emotive - to use as the basis for establishing detailed rules for the responsible use of personal data. The significance and value of personal data can't be captured in a single dollar amount or 'yes'/'no' answer to whether it can be used. Instead, the value and utility of personal data is a hugely complex dynamic that varies by: 
  • the context or the activity we are engaged in, 
  • which persona we are using at that moment, 
  • the actual data being used or provided, 
  • the permissions given, 
  • the rights that flow from those permissions, and 
  • the various parties involved.
So in order to ensure that our transactions and other day-to-day activities are as frictionless and seamless as possible, we need a global set of rules that are flexible enough to address all these variables, with the protection of a person's rights at the centre. And those rules must be readable at various levels by humans, lawyers (legislature, courts, regulators, governance panels) and machines (computers, microchips).  

A previous tiger team session identified business, legal and technology as the three primary stakeholders or perspectives in agreeing such a set of rules. The business rules must first be established clearly at the outset, then vetted from a legal and governance standpoint, then coded in such a way that everyone can be confident machines will handle the data in accordance with the rules.

The current ambition is to agree a 'simple' set of common licences or sets of permissions which any individual can nominate to govern the use of their data in a given context (like the creative commons copyright system). The technological solution is a 'personal data mark-up language' that will enable anyone holding the consumer's data to 'mark-up' items of data in their existing databases to correspond to the permissions they've been given.

The legal aspect of this breaks down into a set of rights and duties from which liability and accountability can flow in a way that doesn't represent a deal-breaker for anyone in the overall process. Those rights and duties will obviously vary according to whether you are the individual data subject, the provider of a personal data store/service, a business customer relying on data about the individual or acting in a governance role. They must be compatible with public law, yet fill in many gaps where rights and duties are missing or unclear.

An earlier tiger team had proposed a useful set of rights and duties from the standpoint of the data subject. So we focused on the rights and duties of the service provider operating the personal data store on that data subject's behalf. We also made a start on the rights and duties for the governance role. The full write-up is due in the next few weeks, but some of the key issues we covered were: 
  • the need for transparency as to whether the provider of a personal data store is acting as a full agent in the fiduciary sense or as a lesser form of agent or broker; 
  • the need to ensure co-operation in the timeliness, accuracy, integrity and authenticity of the personal data accessible via the service; and
  • security protocols for data access and sharing. 
From a governance standpoint, it seemed critical to have both the public and private sector represented on the governance panel - just as they were both represented in the tiger team process itself - to ensure not only that the public laws are obeyed at a minimum, but that official guidance can support the additional contractual standards that are agreed to 'fill in the gaps'.

The most immediate next steps would be to flesh out the governance aspects and to address the rights and duties of businesses relying on the data. Having allocated all the necessary rights and duties amongst each of the participants should make the final step of determining the liability and accountability for each of the participants a far less combative process than I've seen in other forums ;-)

Overall, I'm very optimistic that a cohesive global framework for the responsible use of personal data is achievable. Specifically, it was very encouraging to witness how much easier it is to address the overall personal data challenge when you commit to 'unpacking' the big notions of identity, privacy and public benefit, as described above. It was also a huge relief to hear that it is considered feasible by those who've introduced data standards previously to implement a personal data mark-up language to link the flow of personal data to a set of permissions and rules. I'm also hoping this can help achieve dynamic, momentary user identification that minimises the need for large, vulnerable repositories of personal identity material.

Of course, political and commercial acceptance and 'take-up' are where all this rubber hits the road. But the fact the discussions are taking place globally via the WEF is clearly very helpful.