Archive for January, 2012

RNIB launches web accessibility discrimination claim against BMI Baby

I see that the RNIB has announced that it is taking action against BMI Baby over the failure of the airline to make its website accessible to blind and partially sighted customers.

If it goes to court, this will be the first court case in the UK in relation to website accessibility. My understanding is that whilst a number of previous actions have been threatened by the RNIB, these have all been settled on a confidential basis before the action has reached court. In this case, it looks like the RNIB have been trying the same approach of education and agreement before taking action, but following inaction on the part of BMI Baby the RNIB has finally lost its patience.

So watch this space. Given the early publicity by the RNIB it will be interesting to see whether this one goes all the way.

For more on the law here (the Equality Act 2010), see this blog post.

e-update on the draft data protection regulation – what price harmonisation?

Following on from my blog on the implications of the new draft data protection regulation for outsourcing in the UK, and John’s blog on the remainder of the draft regulation, we’ve pulled together an e-update summarising the key issues.

In particular, we question whether the cost savings that organisations will gain through harmonised laws throughout the EU and a simplified approach to regulatory oversight will be outweighed by additional compliance costs in other areas.

You can read the e-update by following this link.

If you’d like to join our e-update mailing list to receive regular e-updates on outsourcing, IT and information law issues, please follow this link.

The draft data protection regulation – a summary of the key provisions

European Union Justice Commissioner Viviane Reding has announced a proposal for a new General Data Protection Regulation for the protection of personal data in the European Union.

The proposals retain the general principles of data protection law, but also introduce some significant changes around:

  • Fines;
  • Consent;
  • Notification (including 24-hour notification of breaches);
  • New obligations on data processors;
  • Compulsory Data Protection Officers;
  • Data subject rights;
  • Collection of child data; and
  • The “one stop shop” approach

Firstly, as Martin noted in his earlier blog on the impact for organisations engaged in outsourcing, the regulation has direct effect. Once passed, it will not be subject to local implementation in each member state. This is intended to ensure that the laws are applied consistently across the EU.

Powers to fine
The official announcement follows last month’s leaked proposals which suggested that companies breaching data protection law might face fines of up to 5% of their annual turnovers. While this level of fine is not advanced by the official proposal, companies will still be subject to a fairly stringent sliding-scale of fines:

  • a maximum of 0.5% of annual turnover for failures such as not responding properly to requests by data subjects;
  • a maximum of 1% of annual turnover for failures such as leaving inaccurate data uncorrected, or failing to adopt internal policies to comply with the new Regulation; and
  • a maximum of 2% of annual turnover for the most serious violations, including “risky processing operations”, or failing to obtain data subject consent.

Another key change being proposed is that data controllers can no longer rely on implied consent. Instead, controllers will have to prove that they have been provided with “explicit” consent from the data subject, while consent may not be relied upon if there is a “clear imbalance between the data subject and the controller” (which will make it difficult for, for example, employers to rely on consent from employees, as grounds for processing).

As an alternative to obtaining explicit consent, “other legitimate interests” of a controller will provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding.

Whilst this change is consistent with the opinions that have been issued by the Article 29 Working Party, this change will be particularly felt in the UK, where much of the UK Information Commissioner’s guidance has focussed on the concept of “implied consent”. For example, the Information Commissioner’s view on website privacy policies has generally been that the data controller does not need to flag up in flashing lights processing that is obvious. It will be interesting to see how guidance changes in this area.

Controllers will no longer have to notify data protection authorities that they are processing data; instead they will be asked to make available upon request evidence demonstrating their data protection policies and procedures, including “privacy by design and default” mechanisms, and privacy impact assessments.

Data breach notification
Controllers will also be expected to notify data protection authorities of data breaches within 24 hours. Where notification within 24 hours is not possible – and 24 hours looks like an onerous requirement – an explanation of the reasons for the delay should accompany the notification. Data processors, meanwhile, will be expected to “assist” controllers in cases of data breach or loss, and will be deemed joint controllers if they process personal data other than as instructed by the controller.

Data protection officers
All public sector bodies will be required to appoint a Data Protection Officer, as will private sector bodies with more than 250 staff (or whose core activities consist of processing operations).

The “right to be forgotten” and other new restrictions
Last month’s leaked document suggested that the new proposals would contain a controversial “right to be forgotten”, and many stakeholders were already pondering how such a right could possibly be guaranteed or enforced. The official proposals are less explicit regarding this right, proposing that a controller shall carry out erasure of data “without delay, except to the extent that the retention of the personal data is necessary” for a variety of grounds, including “public interest” and “compliance with a legal obligation”.

Potentially more interesting is a new right for data subjects not to be subject to a “measure based on profiling”, meaning that organisations will be potentially barred from profiling individuals based on automatic processing seeking to predict a person’s creditworthiness, economic situation, location, health, personal preferences, reliability or behaviour. This may well impact upon Amazon’s religious beliefs patent (as blogged about by Martin last month).

It’s also worth noting that under the new proposals the processing of personal data of a child below the age of 13 years shall only be lawful if and to the extent that consent is given or authorised by the child’s parent or custodian. This concept of a “child” and the parental consent requirements will almost certainly conflict with many organisations’ current practices.

The “one stop shop approach”
Finally, the draft proposes that controllers and data subjects will have a one stop shop in terms of regulators. If a data subject wishes to complain about processing by a data controller in another EU country, it will complain to its local regulator who will raise the issue with the regulator in the data controller’s home country.

Given that non-EU data controllers collecting data from EU data subjects will also be subject to the new regulation, this will surely increase the administrative burden on the various national regulators.

These are just some of the changes to the present European data protection regime which are being proposed. It’s worth remembering that these proposals will need to be approved by the European Union’s member states and ratified by the European Parliament before they can come into effect. Given the extent of the proposed changes, that process might take up to 2 years, if not longer.

What the proposed data protection regulation means for outsourcing by UK organisations

John will be blogging separately on the draft data protection regulation published by Commissioner Reding earlier today, but I thought I’d share some thoughts in relation to its impact on outsourcing in the UK.

To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA.

Under the Data Protection Act 1998, which implemented the 1995 EU directive in the UK, transfers outside the EEA may broadly take place in the following circumstances:

  • Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
  • Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
  • Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
  • Where the data controller has made a finding of adequacy in respect of the proposed transfer.

Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.

In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.

The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.

The position outside the UK
But that permissive and flexible approach in the last bullet does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified and approved by the national data protection regulator. In some member states even the use of the model clause agreements needs to be notified to the regulator.

So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.

The consequence of this is that the rules on cross-border data transfers will be unified.

Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.

Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.

The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.

Of course the irony here is that as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible (contractually) for ensuring that data is securely processed. National legislation is irrelevant. Approved form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?

Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?

It must be hoped that this change does not make it into the final draft. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross border outsourcing.

Not all clouds have silver linings – how information security varies between cloud providers

You may have read in the press that Google has entered into its biggest cloud-hosting deal to date. And surprisingly this deal is with one of Spain’s largest banks, BBVA.

The fact that a bank is signing up to Google Enterprise Apps for email and other collaboration services could be taken as a considerable endorsement – banks are, by nature, very security-centric: they have to ensure that they comply with strict information security and regulatory requirements. On this basis banks normally use their own servers to store and share data.

This is what makes the BBVA / Google deal so surprising. BBVA’s data will be stored on one of Google’s public servers, rather than on private servers. BBVA will initially only use Google Apps for “internal communications” (with customer data and systems continuing to be hosted only in BBVA’s dedicated data centres), but it is assumed that over time BBVA may move more and more data to the cloud.

While I suspect that BBVA may have agreed a tailored solution and not signed up to Google Enterprise’s general terms and conditions, the standard Google Enterprise offering (as opposed to the free to use standard version) is rather attractive for businesses considering moving to the cloud, and in particular, using a cloud solution for data sharing and storage, such as Google Apps.

How safe is it to store data using Google Apps?
When storing data to an external server you have to make sure the data will be secure.

From an information security perspective Google Apps for Business has pretty good security credentials, so much so, that some of the US Government Departments use it. Google Apps is actually FISMA certified as being a secure way to store and share data. Google has also obtained an SSAE 16 Type II report (an independent audit) confirming that Google Docs actually adheres to the security controls it has in place and that these systems are operating effectively. The SSAE 16 report may give potential customers reassurance in relation to the effectiveness of Google’s security measures.

The other key information security concern for organisations is compliance with data protection rules and the security of personal data. Google Apps is currently hosted in the US and Europe, but Google Inc is a member of the US Safe Harbor Scheme. This is a US Federal Trade Commission scheme that allows US companies to certify compliance with a set of rules approved by the European Commission as being equivalent to the requirements of the EU Data Protection Directive.

This is important for organisations subject to EU data protection controls, as a transfer to an organisation that meets the Safe Harbor requirements allows the organisation to comply with the eighth data protection principle (which restricts transfers of data outside the EEA) without the need for putting in place model form contracts or making a finding of adequacy. This will give considerable comfort to users of Google Apps in relation to any personal information that they store in the cloud.

However, potential customers should still be aware that Google may be obliged, under the Patriot Act, to disclose information stored in Google Apps to the US authorities.

How do other cloud services compare?
The fact that BBVA is using Google Apps should not be taken as a green light for companies to store confidential, commercially sensitive or personal data on a similar cloud-computing solution. Google Apps is unique in terms of the FISMA and Safe Harbor accreditation and a number of cloud storage alternatives, such as Dropbox, simply don’t compare.

Dropbox – Information security risks
Dropbox and similar cloud-drive services are becoming an increasingly popular option for storing and sharing large files and for accessing documents from multiple devices. But, looking at the Dropbox terms and conditions, it appears to pose a number of potential information security risks which users may be overlooking.

Storing information
Firstly, Dropbox doesn’t have the greatest reputation as far as security is concerned.

Putting hacking to one side, there is a lack of certainty over what happens to your data once you remove it from the system. Normally, when you are storing confidential information on a third party’s system you want the comfort that at your request all of the confidential information is permanently deleted from the system. However, the Dropbox terms and conditions state that they are ‘likely’ to continue to hold the information on their back-up systems once you have deleted the data.

Releasing information
Another key concern is how readily Dropbox will share your data (confidential, personal or otherwise) with third parties. While there is a general obligation to release information when ordered to do so by a court order, Dropbox will seemingly release your files rather readily. In comparison, Google will inform you of the request and give you the opportunity to object.

Lack of independent certifications
Most importantly for potential customers within Europe, Dropbox states that it does not have Safe Harbor certification, nor is it able to provide a SAS 70 or SSAE 16 report in respect of its information security measures. This causes problems from a data protection perspective, and also means that there is no independent verification of the controls that Dropbox claims to have put in place.

The moral of the story is that you should carefully consider what data you are uploading to a data sharing cloud – particularly if it is commercially sensitive or personal information – and, as boring as it is, read the site’s terms and conditions and carry out some due diligence on how your information will be protected.

Leigh Kirktpatrick

Why Apple’s iBook Author EULA is not as frightening as it might first appear

Following Apple’s launch earlier this week of iBooks 2 and the iBooks Author (iBA) app, there’s been a bit of internet outrage (here, here, here, and also here) about the apparently unfair terms of the EULA applying to iBA.

iBooks 2 now allows content distributors to create textbooks, with interactive content – such as video and diagrams etc. To allow such content to be created, Apple has created a (free) app for the Mac – iBA. I haven’t played with the app yet, but I’m guessing that as well as allowing users to create all singing and dancing interactive e-textbooks, it will also allow users to self-publish more conventional literary works onto the iBooks platform (although given that iBooks can already read normal epub files, this isn’t exactly breaking new ground).

The catch is that (as the EULA makes clear) iBA content may only be distributed through Apple’s iBookstore.

So what’s the concern?
The source of the anger appears to be this clause in the EULA:

B. Distribution of your Work. As a condition of this License and provided you are in compliance with its terms, your Work may be distributed as follows:

    (i) if your Work is provided for free (at no charge), you may distribute the Work by any available means;
    (ii) if your Work is provided for a fee (including as part of any subscription-based product or service), you may only distribute the Work through Apple and such distribution is subject to the following limitations and conditions: (a) you will be required to enter into a separate written agreement with Apple (or an Apple affiliate or subsidiary) before any commercial distribution of your Work may take place; and (b) Apple may determine for any reason and in its sole discretion not to select your Work for distribution.

In essence, this clause says that if you want to distribute your work for free then go ahead. But if you want to charge users for downloading your literary work, then you have to enter into a contract with Apple, under which Apple will presumably take a cut.

Cue outrage.

Dispelling a couple of myths
But I think this outrage is a little misplaced.

Firstly, the clause in the contract does not transfer ownership of the work to Apple. It simply states that if you want to commercially exploit it on the iOS platform (to users of Apple’s iBooks app), then Apple will take a cut. This is no different to the way in which the App Store, Newsstand or in-app purchases work. In each case, Apple will take a cut (30% in the case of apps) of each sale that is made. That 30% covers Apple’s commission for providing distribution through the relevant App store, and payment processing.

Secondly, the EULA only applies to the work that you create using iBA. It does not apply to the underlying content that you include in that work. At present, it appears that iBA works can only be read by iBooks 2 – it uses a proprietary format. There is no option to export the work in another rich format. This is important, as it means that even without the EULA works created through iBA would not be accessible on other ebook readers anyway. If iBA used an open format, and purported to restrict use, that would be a different matter.

Thirdly, because the EULA only applies to the distribution of the file created by iBA, there is nothing stopping users using the same underlying content to generate a standard epub file (using another publishing app) to distribute that content on other platforms – for example Kindle, or one of the many other ebook readers available on iOS.

So, yes if you want to sell your iBA-created work to users of iBooks Apple will take a cut, and yes it can decide not to approve your work for distribution. But that doesn’t stop the user from distributing that content full stop – simply the iBA created file.

Why Apple had no choice
The point to take from this is that no one is being forced to use iBA (unless they wish to create an e-textbook that takes advantage of iBooks 2’s latest features), and Apple is not claiming ownership (or even restricting use) of the underlying content. iBA is a free app, and this is the way that Apple is monetising it. The app is a free tool that allows the masses to publish to a previously closed platform.

Indeed, to apply a different policy for iBA users would completely undermine Apple’s in-app purchase policy and its current iBookstore and Newsstand distribution agreements with publishers. If you want to use the tool to publish to the iBooks platform, then you need to play by the same rules that everyone else has signed up to. Apple has spent time building a catalogue of content on the iBookstore and Newsstand. If iBA didn’t include these conditions on iBA users, then large publishers could simply circumvent the iBookstore and sell directly to consumers. This would be commercial suicide for Apple and the iBooks platform.

Whether this model will be commercially successful* with individuals and small publishers is another question, and it may be that the commercials will vary. In return for its cut, Apple will distribute iBA created works through the iBooks store, and provide payment processing services. That alone may be sufficient incentive for publishers (large and small) to sign up to Apple’s terms.

*Or survives potential competition law issues – see my previous blog on the policy that Apple introduced last year on in-app purchases, and potential competition law issues.

Update – 3/2/2012: Apple has today issued iBook Author 1.01, which contains an updated EULA which clarifies this issue and expressly states that the restrictions on charged-for distribution apply *only* to .ibooks files created using iBA, thus vindicating what I have said above. So you can even use iBA to create a book in PDF format and charge for that outside the iBookstore ecosystem – Apple is only interested in files distributed through the iBookstore platform.

Data protection breaches – time for a rethink on the ICO’s right to fine?

The news last week that the Information Commissioner’s Office has served Brighton and Sussex University Hospitals NHS Trust with a notice of intention to impose a monetary penalty notice for a whopping £350,000 got me thinking about the rationale underlying the ICO’s fine regime.

The ICO’s guidance on the exercise of his power to fine
In his guidance on how he will exercise his power to fine, the Commissioner explicitly recognises that in determining the appropriate level of any fine he must consider the impact that any fine would have on the controller. In particular, the Commissioner’s guidance states that:

  • The Commissioner will take into account the sector, for example, whether the data controller is a voluntary organisation and also the size, financial and other resources of the data controller.
  • The Commissioner will consider the likely impact of the penalty on the data controller, in particular financial and reputational impact.
  • The Commissioner will take into account any proof of genuine financial hardship which may be supplied. The purpose of a monetary penalty notice is not to impose undue financial hardship on an otherwise responsible data controller.

Many of the monetary penalties issued by the Commissioner to date have been imposed on public sector bodies, such as NHS trusts (and councils for that matter). Levying fines on the public sector raises tricky issues, particularly in this financial climate. When budgets are already stretched, there is a real risk that large fines will hit front line services and that, of course, would ultimately hit the public – the very people the Commissioner is trying to protect.

It’ll be very interesting to hear what level of fine is ultimately imposed on the NHS Trust in question. From the press reports, it does seem that the contravention of the DPA was particularly serious and so a substantial fine is inevitable. No doubt, in its representations to the ICO, the Trust will address the issue of the financial impact any fine of this scale will have on its operations.

Time for an alternative approach?
If the idea behind monetary penalty notices is really to change the culture within organisations and move away from the attitude that data loss incidents are “inevitable” (c.f. “preventable”), maybe it’s time to start thinking about whether the ICO should have power to fine individuals themselves within the organisations whom he finds to be culpable.

Yes, the organisations themselves should be responsible but perhaps also it is time to recognise that individuals whose conduct is deliberate or reckless and below the standard of someone who is reasonably competent, should also be at risk of being fined personally.

Just a thought…

Opinion piece on behavioural advertising and cookies

I have an opinion piece in this week’s edition of Computing magazine. The article is based on my blog a couple of months ago following my experience with the and Guardian websites.

What do you think? Is transparency and information about behavioural advertising an issue? Did you know how it would work when you accepted the cookie, or do you not care? Add your opinion in the comments.

Windows close on Comet

Surrounded by Apple Macs, iPods, and iPhones, I sit in my iVory (sic) tower, happily proclaiming that Apple devices don’t get viruses.

I’m therefore not entirely familiar with the concept of Microsoft Windows recovery CDs, but it seems that they are for use when your Windows, er, closes. That is, you use the recovery CD to load back up the Windows operating system if your PC or laptop crashes.

All Windows PCs and laptops used to come packaged with a recovery CD. However that practice stopped in 2008, with customers being encouraged to create their own CDs. Not all customers found this arrangement convenient however, or didn’t think about making a recovery CD until after their PC had crashed and it was too late.

Comet therefore decided to help out by manufacturing around 94,000 of the recovery CDs somewhere in a field (factory) in Hampshire. Comet sold these CDs and generated an estimated profit of over £1m.

Microsoft’s claim
Microsoft has taken a dim view of Comet’s actions, and has decided to sue for the manufacture and sale of what it calls “counterfeit CDs”.

Comet claims that it has not infringed Microsoft’s IP. It will be interesting to see what defences it offers.

On the one hand, each copy of Windows is still only licensed for a single user. Under section 50A(1) of the Copyright, Designs and Patents Act 1988 it’s not an infringement of copyright for a “lawful user” of a copy of a computer program to make any back-up copy of it, which is necessary for it to have for the purpose of its lawful use.

On the other hand Comet isn’t the “lawful user” (the customer is), and the £14.99 they were charging looks fairly steep for simply burning a CD to help out a customer. Given that the CDs were made by Comet in advance (probably before the customer had even bought their new computer), it’s difficult to see how Comet could argue that it was acting as an agent or on the instructions of the lawful user in making the back-up CD.

Microsoft’s loss?

Under the Copyright, Designs and Patents Act 1988, if Microsoft’s claim is successful it will be entitled to damages for the infringement.

It may, however, be difficult to quantify what loss Microsoft has suffered. Whilst apparently excessive for the few seconds that it would take to burn a CD, the £14.99 perhaps represents the price consumers are willing to pay for someone to do the techie stuff for them. Microsoft has not lost any sales (and as far as I’m aware was not offering this service itself).

That said, this “counterfeit CDs” action is likely to do little for the “recovery” of the precarious finances of the Comet group.

BIS consultation on the effectiveness of TUPE regulations

The Department for Business, Innovation and Skills (BIS) launched a consultation before Christmas on the effectiveness of the Transfer of Undertakings (Protection of Employment) Regulations 2006 – in particular concerns that the UK implementation of the Acquired Rights Directive is “gold-plated”.

The consultation covers a number of areas that are of relevance to organisations that either outsource services or provide outsourced services to third parties:

  • whether the amendments introduced under the 2006 Regulations have been effective in providing greater clarity and transparency as to the application of TUPE?
  • have the 2006 Regulations reduced the need for legal advice and/or the number of tribunal claims?
  • should TUPE apply to the provision of professional services?
  • is the absence of a mechanism to harmonise terms and conditions across a workforce post transfer a burden? If this right is desired, how should it work?
  • should more be done to clarify the application of TUPE upon an insolvency situation?
  • is the guidance on the application of the economic, technical or organisational reason sufficiently clear?

The consultation is open until 31 January 2012. You can access the papers here.
