Knowing I’m On the Street Where You Live? Well, Google Does.

Following on from yesterday’s French enforcement announcement, the ICO announced on 21 June 2013 that the personal data collected by Google’s Street View cars – including email addresses, URLs and passwords relating to thousands of individuals – was required to be deleted within 35 days. This payload data was, according to Google, accidentally collected by the cars when they travelled around the UK. Google has undertaken to comply and delete the data, so an appeal against the Enforcement Notice is not expected.

The terms of the Enforcement Notice can be seen here.
The ICO’s press release can be seen here.

Christopher Knight

Google and Data Protection Across Europe

On 20 June 2013 the Commission nationale de l’informatique et des libertés (the CNIL) – the French data protection agency – issued a statement in relation to its investigation into Google’s privacy policy. It formed part of co-ordinated action by data protection agencies in France, Germany, Italy, the Netherlands, Spain and the United Kingdom. The CNIL announced that Google was in breach of the French data protection legislation, mirroring findings in other European jurisdictions. The full text of the statement reads:

“From February to October 2012, the Article 29 Working Party (“WP29”) investigated into Google’s privacy policy with the aim of checking whether it met the requirements of the European data protection legislation. On the basis of its findings, published on 16 October 2012, the WP29 asked Google to implement its recommendations within four months.

After this period has expired, Google has not implemented any significant compliance measures.

Following new exchanges between Google and a taskforce led by the CNIL, the Data Protection Authorities from France, Germany, Italy, the Netherlands, Spain and the United Kingdom have respectively launched enforcement actions against Google.

The investigation led by the CNIL has confirmed Google’s breaches of the French Data Protection Act of 6 January 1978, as amended (hereinafter “French Data Protection Act”) which, in practice, prevents individuals from knowing how their personal data may be used and from controlling such use.

In this context, the CNIL’s Chair has decided to give formal notice to Google Inc., within three months, to:
◾Define specified and explicit purposes to allow users to understand practically the processing of their personal data;
◾Inform users by application of the provisions of Article 32 of the French Data Protection Act, in particular with regard to the purposes pursued by the controller of the processing implemented;
◾Define retention periods for the personal data processed that do not exceed the period necessary for the purposes for which they are collected;
◾Not proceed, without legal basis, with the potentially unlimited combination of users’ data;
◾Fairly collect and process passive users’ data, in particular with regard to data collected using the “Doubleclick” and “Analytics” cookies, “+1” buttons or any other Google service available on the visited page;
◾Inform users and then obtain their consent in particular before storing cookies in their terminal.

This formal notice does not aim to substitute for Google to define the concrete measures to be implemented, but rather to make it reach compliance with the legal principles, without hindering either its business model or its innovation ability.

If Google Inc. does not comply with this formal notice at the end of the given time limit, CNIL’s Select Committee (formation restreinte), in charge of sanctioning breaches to the French Data Protection Act, may issue a sanction against the company.

The Data Protection Authorities from Germany, Italy, the Netherlands, Spain and the United Kingdom carry on their investigations under their respective national procedures and as part of an international administrative cooperation.

Therefore,
◾The Spanish DPA has issued to Google his decision today to open a sanction procedure for the infringement of key principles of the Spanish Data Protection Law.
◾The UK Information Commissioner’s Office is considering whether Google’s updated privacy policy is compliant with the UK Data Protection Act 1998. ICO will shortly be writing to Google to confirm their preliminary findings.
◾The Data Protection Commissioner of Hamburg has opened a formal procedure against the company. It starts with a formal hearing as required by public administrative law, which may lead to the release of an administrative order requiring Google to implement measures in order to comply with German national data protection legislation.
◾As part of the investigation, the Dutch DPA will first issue a confidential report of preliminary findings, and ask Google to provide its view on the report. The Dutch DPA will use this view in its definite report of findings, after which it may decide to impose a sanction.
◾The Italian Data Protection Authority is awaiting additional clarification from Google Inc. after opening a formal inquiry proceeding at the end of May and will shortly assess the relevant findings to establish possible enforcement measures, including possible sanctions, under the Italian data protection law.”

Panopticon likes to deliver news from across la Manche too, and following on from Google’s involvement in the American Prism revelations, it would appear to have been a difficult couple of weeks for the leading internet search engine. Precise steps are awaited from the ICO at home.

Christopher Knight

How can this level of state surveillance be legal?

Anya Proops addresses the above question, prompted by the recent revelations about the US Prism programme, in an article in today’s Guardian. She discusses the main legal constraints on surveillance in the UK – Article 8, the Data Protection Act, and the Regulation of Investigatory Powers Act. And she even manages a name check for Panopticon – both the Benthamite version, and this blog. The article is at page 32 of today’s print edition, and it’s online here. It’s already attracted a lot of attention, both by way of comments on the online version, and on Twitter.

New CCTV Code of Practice: surveillance and the protection of freedoms

Surveillance of the covert and digital variety has been dominating the news of late. The legal contours of the practices leaked by Edward Snowden (the NSA’s obtaining of internet metadata) and covered by The Guardian (most recently, GCHQ’s monitoring of certain communications of ‘friendly’ foreign allies) may be matters of some debate.

In the meantime, the legal contours of a more overt and physical variety of surveillance – CCTV – have been somewhat clarified.

Panopticon indeed.

As its name suggests, the Protection of Freedoms Act 2012 expressed the incoming Coalition Government’s commitment to keeping in check the state’s surveillance of ordinary citizens. By that Act (sections 29-36), the Home Secretary was to present to Parliament a Code of Practice governing the use of surveillance camera systems including CCTV and Automatic Number Plate Recognition (ANPR). Following a consultation exercise – the response to which can be read here – the Home Secretary has now done so. The Code was laid before Parliament on 4 June 2013. A draft order (the Protection of Freedoms Act 2012 (Code of Practice for Surveillance Camera Systems and Specification of Relevant Authorities) Order 2013) is currently being considered by Parliament’s Joint Committee on Statutory Instruments.

Pending its coming into force, Panopticon summarises the key features of the new Code.

To whom does the Code apply?

The Code imposes duties on ‘relevant authorities’, which are those listed at section 33(5) of the Protection of Freedoms Act 2012 – in the main, local authorities and policing authorities.

The draft order proposes to add the following to the list of relevant authorities:

(a) The chief constable of the British Transport Police;

(b) The Serious Organised Crime Agency;

(c) The chief constable of the Civil Nuclear Constabulary; and

(d) The chief constable of the Ministry of Defence Police.

The Code recognises that concern about the use of surveillance cameras often extends beyond these sorts of full-blooded ‘public’ authorities. It recognises that the list of relevant authorities may need to be expanded in future to encompass shopping centres, sports grounds, schools, transport centres and the like.

For now, however, only those listed as ‘relevant authorities’ are subject to the duties imposed by the Code. Others who use such surveillance systems are ‘encouraged’ to abide by the Code.

What duty is imposed by the Code?

The Code imposes a ‘have regard to’ duty. In other words, relevant authorities are required to have regard to the Code when exercising any of the functions to which the Code relates. As regards its legal effects:

“A failure on the part of any person to act in accordance with any provision of this code does not of itself make that person liable to criminal or civil proceedings. This code is, however, admissible in evidence in criminal or civil proceedings, and a court or tribunal may take into account a failure by a relevant authority to have regard to the code in determining a question in any such proceedings” (paragraph 1.16).

It may well be that the Code also weighs heavily with the ICO in its consideration of any complaints about the use of surveillance cameras breaching the DPA 1998.

Remember that the Home Office Code sits alongside and does not replace the ICO’s CCTV Code of Practice.

What types of activity are covered by the new Code?

Relevant authorities must have regard to the Code ‘when exercising any of the functions to which the Code relates’. This encompasses the operation and use of, and the processing of data derived from, surveillance camera systems in public places in England and Wales, regardless of whether there is any live viewing or recording of images and associated data.

The Code does not apply to covert surveillance, as defined under the Regulation of Investigatory Powers Act 2000.

What about third party contractors?

Where a relevant authority instructs or authorises a third party to use surveillance cameras, that third party is not under the ‘have regard to’ duty imposed by the Code. That duty does, however, apply to the relevant authority’s arrangements.

By paragraph 1.11:

“The duty to have regard to this code also applies when a relevant authority uses a third party to discharge relevant functions covered by this code and where it enters into partnership arrangements. Contractual provisions agreed after this code comes into effect with such third party service providers or partners must ensure that contractors are obliged by the terms of the contract to have regard to the code when exercising functions to which the code relates.”

The approach

The guiding philosophy of the Code is one of surveillance by consent:

 “The government considers that wherever overt surveillance in public places is in pursuit of a legitimate aim and meets a pressing need, any such surveillance should be characterised as surveillance by consent, and such consent on the part of the community must be informed consent and not assumed by a system operator…. [legitimacy] in the eyes of the public is based upon a general consensus of support that follows from transparency about their powers, demonstrating integrity in exercising those powers and their accountability for doing so” (paragraph 1.5).

In a nutshell, the expectation is this:

“The decision to use any surveillance camera technology must, therefore, be consistent with a legitimate aim and a pressing need. Such a legitimate aim and pressing need must be articulated clearly and documented as the stated purpose for any deployment. The technical design solution for such a deployment should be proportionate to the stated purpose rather than driven by the availability of funding or technological innovation. Decisions over the most appropriate technology should always take into account its potential to meet the stated purpose without unnecessary interference with the right to privacy and family life. Furthermore, any deployment should not continue for longer than necessary” (paragraph 2.4).

The guiding principles

The Code then sets out 12 guiding principles which systems operators should follow:

(1) Use of a surveillance camera system must always be for a specified purpose which is in pursuit of a legitimate aim and necessary to meet an identified pressing need.

(2) The use of a surveillance camera system must take into account its effect on individuals and their privacy, with regular reviews to ensure its use remains justified.

(3) There must be as much transparency in the use of a surveillance camera system as possible, including a published contact point for access to information and complaints.

(4) There must be clear responsibility and accountability for all surveillance camera system activities including images and information collected, held and used.

(5) Clear rules, policies and procedures must be in place before a surveillance camera system is used, and these must be communicated to all who need to comply with them.

(6) No more images and information should be stored than that which is strictly required for the stated purpose of a surveillance camera system, and such images and information should be deleted once their purposes have been discharged.

(7) Access to retained images and information should be restricted and there must be clearly defined rules on who can gain access and for what purpose such access is granted; the disclosure of images and information should only take place when it is necessary for such a purpose or for law enforcement purposes.

(8) Surveillance camera system operators should consider any approved operational, technical and competency standards relevant to a system and its purpose and work to meet and maintain those standards.

(9) Surveillance camera system images and information should be subject to appropriate security measures to safeguard against unauthorised access and use.

(10) There should be effective review and audit mechanisms to ensure legal requirements, policies and standards are complied with in practice, and regular reports should be published.

(11) When the use of a surveillance camera system is in pursuit of a legitimate aim, and there is a pressing need for its use, it should then be used in the most effective way to support public safety and law enforcement with the aim of processing images and information of evidential value.

(12) Any information used to support a surveillance camera system which compares against a reference database for matching purposes should be accurate and kept up to date.

Points to note

The Code then fleshes out those guiding principles in more detail. Here are some notable points:

Such systems “should not be used for other purposes that would not have justified its establishment in the first place” (paragraph 3.1.3).

“People do, however, have varying and subjective expectations of privacy with one of the variables being situational. Deploying surveillance camera systems in public places where there is a particularly high expectation of privacy, such as toilets or changing rooms, should only be done to address a particularly serious problem that cannot be addressed by less intrusive means” (paragraph 3.2.1).

“Any proposed deployment that includes audio recording in a public place is likely to require a strong justification of necessity to establish its proportionality. There is a strong presumption that a surveillance camera system must not be used to record conversations as this is highly intrusive and unlikely to be justified” (paragraph 3.2.2).

“Any use of facial recognition or other biometric characteristic recognition systems needs to be clearly justified and proportionate in meeting the stated purpose, and be suitably validated. It should always involve human intervention before decisions are taken that affect an individual adversely” (paragraph 3.3.3).

“This [the requirement to publicise as much as possible about the use of a system] is not to imply that the exact location of surveillance cameras should always be disclosed if to do so would be contrary to the interests of law enforcement or national security” (paragraph 3.3.6).

“It is important that there are effective safeguards in place to ensure the forensic integrity of recorded images and information and its usefulness for the purpose for which it is intended to be used. Recorded material should be stored in a way that maintains the integrity of the image and information, with particular importance attached to ensuring that meta data (e.g. time, date and location) is recorded reliably, and compression of data does not reduce its quality” (paragraph 4.12.2).

Enforcement

The Surveillance Camera Commissioner is a statutory appointment made by the Home Secretary under section 34 of the Protection of Freedoms Act 2012. The Commissioner has no enforcement or inspection powers. However, in encouraging compliance with the Code, he “should consider how best to ensure that relevant authorities are aware of their duty to have regard for the Code and how best to encourage its voluntary adoption by other operators of surveillance camera systems” (paragraph 5.3). The Commissioner is/is to be assisted by a non-statutory Advisory Council with its own specialist subgroups.

Given the limited remit of the Surveillance Camera Commissioner, it may be that the Code shows its teeth more effectively in complaints to the ICO and/or the courts.

Robin Hopkins

Enhanced criminal records certificates – teachers on trial

The theory that there is no smoke without fire is one which often looms large where teachers are accused of sexual offences against pupils. Even in the face of a decision by the CPS that there is insufficient evidence to proceed with a prosecution or an acquittal following a criminal trial, a teacher who has been accused of sexual offences may find it hard to escape the tainting effects of the allegations. Of course, a critically important issue for the teacher in question is whether the allegations will ultimately find their way into any enhanced criminal record certificate (ECRC). This is an issue which has been considered by the High Court in two recent cases.

In the first, R (L) v Chief Constable of Cumbria Constabulary [2013] EWHC 869 (Admin), L, a teacher, had been accused of having improperly propositioned and hugged an 18-year-old pupil whilst at a pub. L had denied the allegations and no criminal prosecution had ultimately been mounted. The High Court held that inclusion in the ECRC of information relating to the allegations was unlawful as it constituted a disproportionate and hence unjustified interference with L’s Article 8 rights (see further Rachel Kamm’s more detailed post on this judgment here).

This week, the High Court has given judgment in the case of RK v (1) Chief Constable of South Yorkshire (2) Disclosure and Banning Service [2013] EWHC 1555 (Admin). RK had previously been acquitted of six counts of indecent assault and sexual activity with a child (in essence it was alleged that RK had repeatedly touched the bottoms of teenage girls in his care). Nine years later RK sought disclosure of a draft ECRC from the Constabulary. The draft included information about the allegations and referred to them as ‘offenses’. RK sought a judicial review of the draft certificate.

In a fairly damning judgment, Coulson J held that inclusion of this information was unlawful as constituting a breach of RK’s Article 8 rights. Fundamental to the court’s judgment was the conclusion that the Constabulary had impermissibly treated the allegations as if they had been proven, notwithstanding the fact that RK had been acquitted. Indeed the court lamented the ‘unblinking equation’ of the unproven allegations with the so-called sexual offences (para. 61). Whilst the judgment makes clear that an acquittal does not automatically bar the police from referencing the original allegations in the ECRC (see para. 37), it does confirm that an acquittal is likely to be an important factor weighing heavily in the balance when it comes to determining whether or not a particular disclosure should be made. On the facts of the case before him, Coulson J found that inclusion of information about the allegations relating to RK was unlawful having regard to the fact of the acquittal; the fact that, even if proven, the incidents would not have been particularly grave or serious; and, further, the fact that there were aspects of the prosecution case which raised serious questions about the reliability of the information.

Critically the judgments in both L and RK highlight the dangers attendant on the police unthinkingly substituting their own view of an individual’s guilt or innocence in the face of an acquittal by the criminal courts or other important evidence raising questions about the reliability of the information in issue.

Anya Proops

Surveillance and RIPA: Radio 4 discussion

I took part in what will hopefully prove to be an interesting discussion of surveillance and RIPA in an episode of Clive Anderson’s “Unreliable Evidence” that will be broadcast at 8pm today on Radio 4 (and available on the iPlayer thereafter). The show was recorded prior to the recent leaks regarding US surveillance activities, and so focuses on the UK perspective. The other panel members were Eric Metcalfe (former director of human rights policy at Justice, now a barrister at Monckton Chambers) and solicitor Simon McKay.

Ben Hooper