Empty response from the EU Commission’s contact team

I recently noticed that the French CNIL, much like the British ICO, will only deal with complaints once the complainant has contacted the organisation in question. This in my opinion is a dereliction of duty as it represents an unreasonable barrier to making complaints. Contacting the organisation may not always be possible, and if unauthorised processing of information has already taken place then contacting them may only end up letting them know that the details they have are accurate.

As a result I decided to send the following email to the EU commission via their own contact form on their website:

It would appear that the French CNIL refuses to deal with data protection complaints until the organisation that is the subject of the complaint has been contacted. 

There will be cases however where contacting them may be either impossible or be undesirable. Making such a demand seems to represent an unwarranted barrier to the enforcement of data protection related rights and frankly seems to be more about avoiding providing the help needed by the public than doing their job.

Is it acceptable in your view for member state regulators to be making such demands as a prerequisite to any investigation?

It’s a simple yes/no question, but they decided to reply with this:

We would like to inform you that your enquiry is not specifically addressed in the General Data Protection Regulation (GDPR). However, there is a right to judicial remedy for complainants.

If you believe that the data protection authority (DPA) has not handled your complaint correctly, or if you aren’t satisfied with its reply, or if it doesn’t inform you with regard to the progress or outcome within 3 months from the day you lodged your complaint, you can bring an action directly before a court against the DPA. 

Further information is available here:

https://commission.europa.eu/law/law-topic/data-protection/reform/rights-citizens/redress/what-should-i-do-if-i-think-my-personal-data-protection-rights-havent-been-respected_en 

https://commission.europa.eu/law/law-topic/data-protection/reform/rights-citizens_en

So basically no answer to the one question I asked.

Does James Sunderland still support Boris Johnson?

It seems appropriate for Johnson to resign now that he has been fined for breaking his own laws (and still faces the possibility of more fines yet to come). The majority of his colleagues in parliament however still seem intent on continuing to support Johnson.

Like many others I wanted at the time to let my MP know about both my strength of opinion on this matter as well as wanting to know his stance on the issue. In my case this would be the Bracknell MP James Sunderland.

Liars and criminals like Johnson have no place occupying positions of trust and authority. Unlike so many of his colleagues my MP took the time to reply to my concerns. My email also made reference to other matters, but on the subject of Johnson his reply included the following (emphasis added by me):

I also note that alongside your comments on Plan B, you have also shared your view on recent events in No10 which have been laid out in the media. I regret that I know no more than you do about recent political decisions or events at No.10 last year. But like many, I am furious at the apparent lack of grip shown by officials and will be seeking assurances that appropriate action will be taken, even 12 months after the event. Like most people in the UK, my own family and I followed the rules and it does stick in the throat that some clearly did not. Something has also clearly gone wrong with the political machine at No.10 and it seems to have affected wider judgements too.
 
In respect of the PM, this has not been a good month and investigations are underway. I am not going to begin to defend against recent media reports on multiple issues as I am appalled, but daft things do sadly happen in politics, the salient facts are bound to emerge, and I am sure that appropriate action will be taken.

Perhaps the cynicism in politics is beginning to get to me, but when I read this part of his reply a few things come to mind: firstly the use of ‘lack of grip’ implies to me that there is more disquiet caused by the fact Johnson was caught out rather than his involvement with something so repugnant in the first place.

Secondly: ‘daft things do happen’. It might be the cynicism again, but personally this apparent attempt to minimise what was done is a little offensive. This isn’t something that can easily be dismissed, and despite all the claimed fury James Sunderland has yet to do anything of substance in response to recent events.

We also now know more about what happened since fines have been issued. Johnson is by definition guilty (why else would he pay the fine rather than contest it?). He is also by definition a criminal (in this case the fixed penalty notice or FPN was a way of dealing with a criminal offense and should not be confused with civil offenses or minimised by comparing it with more minor acts that can also result in fines).

So now that we all know, what will James Sunderland and other MPs like him be doing in response? Will they either actively support keeping a criminal liar in office or stay silent and do nothing to stop it? Or will he actually do something about it?

Ignorance is no longer an excuse.

We know that Johnson broke his own laws.

We know that he lied about it, possibly even misleading parliament in the process.

There simply is no excuse that can possibly justify him remaining in office.

Those that continue to support him claim that now is the wrong time to change leaders, but I would ask them this: if Johnson is incapable of understanding laws he created and that he begged us on national TV to follow on a daily basis then how is he even remotely suitable to be leading the country during a time of crisis?

I have sent the email included below to James Sunderland after the first fines were announced.

I will post the reply here if and when I receive one, but I really do hope that he will accept that loyalty goes both ways. It’s all very well the Prime Minister demanding loyalty but Johnson must also provide something worthy of that loyalty in the first place. In that respect Johnson is failing miserably.

How can James Sunderland continue to show any sort of loyalty to a Prime Minister completely incapable of demonstrating even basic common human decency, much less the sort of honesty and standards we ought to be able to expect from our elected representatives?

One final note: for anybody wanting to contact their MP I strongly recommend using the website www.writetothem.com. You only need to know your own post code to be able to find them and email them using that service.

Dear James Sunderland,

Now that we know that Boris Johnson has been given at least one fine for law breaking and may face several more in the coming days I was wondering if you could say if you still support having a criminal who was unwilling to comply with the rules he himself had defined as Prime Minister?

The anger hasn't dimmed and the situation hasn't changed. The loved ones people lost are still gone. The more vulnerable in society still feel abandoned and imprisoned in their own homes. Friends were still left to die without contact from others.

Nothing has changed.

The expectations haven't changed either: criminals, serial liars and frauds have no place occupying positions of high office. This goes well beyond party politics and it should hardly come as a surprise that many of us expect the biggest liar of all to leave his job, either willingly or otherwise.

Yet propping up frauds and criminals is exactly what many of your colleagues seem to be supporting each time they visibly support Johnson.

The idea that we shouldn't change leader in the middle of a war is equally farcical when - despite government claims to the contrary - we aren't leading efforts and such a replacement isn't new & has already happened before in much more serious circumstances (if any of your colleagues continue to put forward that argument, perhaps you could ask them what they think Chamberlain and Churchill would have made of such claims?)

It really is ludicrous to use that as an excuse to dismiss multiple acts of illegal and morally questionable behaviour where each act would constitute a resigning matter in its own right.

So I would like to ask you: will you be calling for Johnson to resign, and if not why not?

Yours sincerely,

Patrick Seurre

Cash for Peerages and the Appointments Commission

Many of you will still remember the recent allegations of peerages being given for donations made to the Conservative party. Those that benefitted from this were conveniently named party treasurer for a short amount of time in order to legitimise their nomination.

What isn’t immediately obvious however is that all nominations made by a political party have to be vetted by the House of Lords Appointments Commission (their website can be found here). Part of this vetting process involves statements provided by both the party nominating the candidate and the candidate themselves that make certain assertions, some of which include details involving donations made to the party concerned.

I was concerned that this is the sort of thing that could easily happen repeatedly, since the political party gets all the attention whilst those doing the vetting seem to get none. I made the following Freedom of Information request to the House of Lords Appointments Commission:

* A list of checks made against each candidate when verifying their suitability.
* What changes, if any, the commission plans to make to the vetting process to try and ensure that these apparent failures are not repeated.
* With respect to all conservative ex-party treasurers put forward as potential peers within the past seven years, and irrespective of whether they were finally given peerages:
	* How many were approved by the commission?
	* How many were rejected by the commission?
	* What checks for suitability, if any, did they fail?
	* How many acknowledged any donations to the conservative party in the requisite statement provided by them to the commission?

This was sent on the evening of 14th November, and I finally got a response today. Technically it was late but for all intents and purposes it was pretty much on time, and they still managed to do far better than many of my previous attempts at contacting any national government organisation when making FoI requests.

That said the actual content of the response was sadly lacking in my opinion, using section 21 (information already publicly available) to refuse to give a list of checks made, despite the page they link to only having a vague list at best.

With respect to my second question, I got this reply:

I can confirm that the Commission does not hold any information regarding your second question.

This to me is actually quite worrying, since we have serious allegations of wrongdoing and yet the body tasked with policing admissions is doing nothing. The most the general public is getting from them is a gallic shrug with no real action being taken, and in not doing anything manage to give the impression of being complicit in all those questionable situations.

They also chose to use s.37 to deny any answer to my 3rd question. s.37 of the Freedom of Information Act can be found here, and is what’s known as a qualified exemption. This means that the use of this exemption is subject to a public interest test.

The wealth of those allegedly buying the peerages is extreme. £3 million might seem like a huge fortune to most of us, but it seems highly unlikely that it holds the same importance to those wealthy individuals willing to hand it over to a political party.

The conservative party have reduced membership of an important element of our democracy to little more than a cheap toy found in Christmas crackers during one of the many parties attended by the party donors. The public interest in handing over the information is therefore high, and any claim that releasing the information somehow harms trust in how the system is operated is laughable, especially when we take a closer look at the likely harm done by withholding the information.

Finally they chose to use s.40 to refuse to answer question 3 in my request. This is the oddest one of all, since on one hand they claim they don’t want to release personally identifiable information, whilst also admitting in the same response that they publish the identities in their reports. I was also careful to phrase that question in such a way that did not request any personally identifiable information: if they provided simple answers then there would be no way of linking the information provided to any one person.

As you might expect I have asked for an internal review of my request, and will post the result of that here once I receive it.

Response from Keir Starmer

I recently wrote to Keir Starmer with the aim of trying to get Labour to seek an extension to the transition period. They have rather predictably refused to do so. The full text of the email has been included below:


Dear Patrick, 

Thank you for your email to Keir Starmer MP in relation to Britain’s withdrawal from the E.U. At this point in time, Keir’s mailbag is so full that he has asked me to respond on his behalf. I’m very sorry for the delay in getting back to you.

Your views and assertions have been noted and shared with the relevant team.

The UK has left the European Union and Labour wants the best possible deal for this country. Negotiations on our future relationship with the EU have continued through the coronavirus crisis. The Tories have said they will still get a deal by the end of the year. It is their responsibility to do that.  

The first test for them will be the planned summit in June at which both sides will determine whether “sufficient” progress has been made to secure agreement by December. Number 10 has rightly focused its energies on fighting the coronavirus but it is of great concern that negotiations have been reduced in scale while negotiators have so far failed to make any significant progress.  

The Tories have said that they have a mandate to ‘Get Brexit Done’, so the deal should at the very least deliver on the promises they made at the last election in the Conservative Party’s 2019 manifesto, which said “we have a great new deal that is ready to go”.  

That is the minimum against which Labour will hold the Government accountable in these negotiations. The Government has a responsibility to protect jobs, protect our food and medical supplies and protect our citizens’ safety and security. Now is not the time to put those things at risk.  

Coronavirus will have a huge economic impact. There are devastating predictions of job losses in the UK. We must not make that situation worse with tariffs and barriers to trade with our biggest market.  

The UK has left the European Union. Labour wants the best possible deal for this country, which should: 

* Protect jobs and the economy through trade deals for goods and services which minimise disruption to business.
* Maintain the security of the UK by retaining existing co-operation as far as possible.
* Respect the Good Friday Agreement in line with the Northern Ireland Protocol.
* Enable continued collaboration in areas of mutual benefit, such as health and research.

Labour has argued that deal should be based on a close economic relationship and alignment on protections for workers, consumers and the environment.  

Our policy is made democratically, through discussion and consultation with members, the public, businesses, experts and civil society groups. You can take part in the conversation online at www.policyforum.labour.org.uk. Join discussions with politicians and representatives from across the Labour Party and share your ideas with us, so that when the time comes – we can serve our country again in government. 

Best wishes, 

Lee

Membership Services and Correspondence 

The Labour Party

3UK and Rainbow

Some of you may recall the trials 3UK ran last year of systems provided by Shine. These trials were supposed to test systems aimed at blocking adverts at the network level. The problem though was that this required both the interception and sharing of personal and private communications of those using 3UK’s network. To do so without proper consent would be a criminal offence under s1(1) of RIPA as confirmed by IoCCO when I enquired about it.

I had previously asked the ICO about the nature of consent gained by 3UK during the trials. The response was far from reassuring, with the vast majority of communications withheld because of their commercially sensitive nature. This wasn’t entirely surprising, but it was nevertheless disappointing.

Now it seems that Shine have been rebranded as Rainbow and 3UK plan to go ahead with the use of their services, only now Rainbow seems to have dropped any pretence when it comes to their intentions: the service is no longer aimed at blocking adverts or helping consumers but rather the exploitation (monetisation?) of their private communications passing over 3UK’s network.

The BBC article linked to in this post notes that the service is free for advertisers and consumers alike, but what about the networks? How much are they being paid by Rainbow to hand over the data?

More importantly what about consent?

Rainbow are providing systems that require data gained from the telecoms networks in order to function. This means that private communications still presumably need to be intercepted. Without said interception it’s likely their services simply would not work, nor would Rainbow gain all that valuable data.

3UK may try to argue that the data being provided to Rainbow has been anonymised or had identifiable details removed through other means. In my opinion this ought to be irrelevant; 3UK would still have presumably intercepted private communications, possibly without appropriate consent, and subsequently processed that private data for purposes that may well not have the consent of the customers. The systems provided by Rainbow are also not required to provide me with my phone and mobile internet services.

Given the response from IoCCO such interception without consent would appear to be illegal, regardless of how that data was presented to 3rd parties or subsequently used. There is also the Data Protection Act to consider given that personal data is being processed for questionable purposes. Most worryingly of all there is currently no indication what consent 3UK will ask for from customers, how they will ask for it and certainly no guarantees that their communications won’t still be shared with Rainbow if they choose to deny consent.

I’ve asked the ICO to re-consider the refusal to release all correspondence between it and 3UK and/or Shine (now Rainbow) since their plans go beyond a mere trial and will affect their entire customer base. There is also a clear argument to be made that the public interest in releasing the information exceeds the commercial sensitivity of the responses previously provided to the ICO. I have also asked the ICO if they could look into this matter given the apparent threat to privacy that 3UK’s plans represent.

This blog post will be updated if and when I get a response.

Write to your MP over Brexit

Don’t like where the country is heading when it comes to Brexit? Then why not write to your MP and let them know how you feel. It can’t be easier: all you need is your postcode. Enter it on the writetothem.com website to find your MP and write them an email using the form they provide.

I did so myself recently, and can’t recommend it strongly enough.

Dear Phillip Lee,

Please read this and explain why you’re still willing to play your part in putting the future of this country at risk?

https://www.ft.com/content/fde7616a-e6cf-11e6-967b-c88452263daf?accessToken=zwAAAVnwCZkwkdP952Fq5s8R5tOWe8iEUiY9rw.MEUCIAX1dHriKnlO-KMJn9rmIyLX9kkmdUndqfa_75xri4-FAiEAukNHmHLgDeIR2HHVKn3WDzNBqcUVAZj7MWFxJk-uTZE&sharetype=gift

The referendum was only won in the first place thanks to the lies that were told by the leave campaign, including the now infamous £350 million claim plastered on the side of a bus.

I’ve spent time in hospital attending various clinics and I’ve overheard conversations where some clearly felt betrayed when they had voted so that the NHS would be better funded. How much more betrayed do you think they will end up feeling when you follow a course of action that will end up with the destruction of the very thing they wanted protected?

The Vote Leave camp may try and repudiate the claims after the fact but it may well have been what won them the referendum, especially given the razor thin majority they had and that almost half of the voters voted to remain.

I might also add that the timeline was never something included in the referendum. The March deadline put forward by Theresa May is an entirely self-imposed limitation that was proposed without any discussion or agreement with the wider public. We never agreed to give the PM carte blanche to do whatever she wants, and in that respect MPs still have a job to do.

We may have to leave the EU, but there is nothing that says you have to unquestionably follow the path laid out by the PM, and I don’t think it’s unreasonable to expect you to stand up in defence of public services and against blindly starting courses of action that will lead to their obliteration.

Yours sincerely,

Patrick Seurre

Three are up to their old games again

It seems Three UK have reverted to their old tactic of assuming they can bend the rules to breaking point. Many of you will already be aware of the trials run by Three recently with regards to the ad-blocking systems provided by Israeli company Shine. Particular attention should be paid to the following paragraph:

The method by which Shine blocks ads at the network level is unclear. The company says it uses “machines” that are capable of performing deep packet inspection (DPI) inside the network. Using a mixture of “real-time analysis, artificial intelligence and algorithms,” the team is able to identify ads and stop them without breaking the original webpage or app.

Emphasis was added by me. The first point is quite important, since it implies that traffic is being intercepted and processed in such a way that would require consent from both the sender and recipient under RIPA s3(1), since there is no warrant issued for the interception. s3(1) can be found here.

3 Lawful interception without an interception warrant.

 

(1) Conduct by any person consisting in the interception of a communication is authorised by this section if the communication is one which is both—

(a) a communication sent by a person who has consented to the interception; and

(b) a communication the intended recipient of which has so consented.

This is not an either-or situation. Consent is required from BOTH sender AND the recipient. Three have obtained consent from their customers but they represent only one party to the communication. It should also be noted that whilst the British government fought tooth and nail to keep implied consent within RIPA it was nonetheless removed from RIPA after legal proceedings had been initiated by the EU commission. Implied consent has not been in RIPA since 2011.

Leaving aside for a moment the questionable priorities shown by the government in their dealings with the EU commission on this matter, it should also be noted that the telecoms companies themselves cannot be trusted. Filtering is not a new thing and has been used in the past in order to prevent children from accessing inappropriate material (a course of action that was of course doomed to failure from the start).

As a Three customer myself I faced a large hurdle in removing a filter that I had neither requested nor wanted. Repeated requests to get rid of this filter changed nothing: the filter was left switched on. I was told I could go into the shop to get it switched off. I was naïve enough to believe this might work so this was tried too. Unfortunately for me however the employees in the shops showed no willingness whatsoever to even try and help me. I was turned away with no help being given, and a strong sense that they only cared about selling to new customers and cared nothing for existing customers.

In any case the Three filter also relied upon systems provided by Bluecoat.

There have been cases in the past where services provided by Bluecoat didn’t seem to work as most people would expect. Web usage was being shared with them and they subsequently visited the site as part of the filter. Again this raises other questions regarding privacy but these too will have to be left for the time being. The important point is this: where other telecoms providers were concerned, even when the adult filter was switched off the sharing often still continued.

I’m also a webmaster, and would never consent to this type of interception, but then I’m never asked. I assume Three know that most webmasters would equally not allow such interception to occur, which is why they try and ignore the need to ask in the first place. I also have zero confidence in Three running their systems acceptably. Even if they did somehow manage to do so – something they have failed to do in the past – then they have still failed to outline exactly what’s happening to customers.

I sent a request to the ICO requesting details of conversations between them and Three and/or Shine, or internal conversations regarding the Shine trials. This request and the outcome can be found here. You’ll note how entire pages have been redacted from part of the response – evidently the ICO has been taking lessons from the US government when it comes to redaction. The level of secrecy surrounding their conversations with the company is also quite revealing. However the most interesting part is that the ICO themselves appear to recognise that these trials are not without unanswered questions.

ICO response

The response also indicates that there may also be problems under RIPA too. Since this is presumably the province of IoCCO I decided to send them an email too outlining my concerns. That particular complaint is still being investigated.

There is still the second point from the article to consider, and that is their assertion that adverts can be removed without breaking the website or app. This strongly suggests that content is not only being intercepted it’s also being modified before being sent on. This is an unacceptable state of affairs and represents arrogance of the highest order on Three’s part.

In any case the message is clear in my opinion: if you care about your privacy then avoid Three.

Freedom of Information, Treaties & National Security

A draft copy of a report by Sir Nigel Sheinwald recently came to public attention. This report dealt with data sharing and called for new treaties to force corporations to cooperate with government demands for access to data.

This could, as the Guardian have already pointed out, be used to provide an alternative to the other main proposal (commonly referred to as the ‘snoopers charter’). Unfortunately the government chose to classify the document as top secret. This decision was apparently based on the presence of commercially sensitive information in the report. Such information could, however, have been redacted from any published version of the report and the presence of such information should not have prevented publication nor required the document to be classified in any way.

As a concerned citizen worried about the impact such agreements could have on me I asked for a copy of the report. The Cabinet Office replied reasonably promptly, although to my dismay they chose to deny access and claimed that since the information was already in the public domain they had no obligation to release the information again (s.21 of the FoIA). There was one problem with that conclusion however: the information that was in the public domain wasn’t the report that I had requested but rather only a summary of the report.

A summary is not sufficient in my view especially when it involves fulfilling requests made under the Freedom of Information Act. Details could be added, removed or entirely misrepresented (either by accident or otherwise).

Those of you that follow Freedom of Information related news may already know that this isn’t the first time that summaries have been used in response to such requests. The government tried a similar tactic over recent years with access to MP expense receipts. The summaries were seen as insufficient, and appeals were made first to the ICO and then subsequently the tribunal. In both cases they sided with the reporter trying to gain access to these documents, but IPSA made the misguided and ultimately futile attempt to challenge all of these appeals. Luckily for both the reporter and the wider general public even the court of appeal agreed with the requester, the ICO and even the tribunal.

I was already aware of all of this at the time of making my request, and I must confess that the way in which they seemed to be playing games with public access to documents annoyed me.

They may want to maintain tight control over how information is presented, but once you take this out of the equation there is only one reason that comes to mind for using summaries: any such release of the full report would make the level of redaction clear to the general public. The contempt that the government has shown to the public and to the Freedom of Information Act in general would be laid bare in the large chunks of redacted text in anything they choose to release. The end result of this would be questions being raised over the validity of the use of s.23 and s.24.

They seemed to be making an effort to appear transparent whilst at the same time failing to comply with the request. I therefore decided to ask for an internal review.

They refused access again, although this time they changed their minds: now they decided to use s.23 and s.24 of the act to refuse access.

S.23 is an absolute exemption. This means that information can be refused without first having to consider any public interest argument against withholding the information. The problem I have with this argument is that the reason for using s.23 isn’t entirely clear given the subject matter of the report. This is a report involving corporations & data sharing and unless the report contains detailed examples that include details involving specific operations or the internal structure of said organisations then I fail to see how s.23 could apply here. Even if it did it should not be so difficult to release a copy of the report with any such sensitive detail redacted from it.

Personally I suspect they are using s.23 not to protect the work of government agencies, but to protect development of policies that they have already decided are the way forward, regardless of the impact they may have. I’m also left wondering if the use of s.21 in the initial response and s.23 in the internal review was an attempt to sidestep the public interest test normally applied to more appropriate exemptions such as s.35.

It should also be noted that at no stage have the Cabinet Office attempted to use s.35 to refuse my request in this case, and have relied purely on s.23 and s.24 after apparently realising that relying upon s.21 was a mistake.

In addition the use of s.24 seems to be questionable, since the result of the internal review seemed to suggest that the information protected by s.24 was distinct from the part of the report protected under s.23 and this in turn raises other questions. Apart from anything else, just what are they protecting?

It’s difficult for me to get rid of the impression that they’re using circular logic: they initially classified the report as top secret because ‘national security’, only now I wouldn’t be surprised if the use of s.24 was based on the fact that it has previously been classified. So we could have ended up with a situation where the report has been classified because of national security, and it relates to national security because it’s been classified. It’s an endless loop with no way out.

As others in the media have pointed out it’s widely believed that the report contains commercially sensitive information.

I hope that the Cabinet Office isn’t using s.24 when all that has been protected are commercial interests, or merely because they’ve arbitrarily decided to block access. That really would be an appalling and serious abuse of the levels of secrecy only available to them and other parts of government.

It’s impossible to have any reasonable debate about something if you can’t understand it, and you can’t understand it if information is withheld like this. How are we, as members of the public, supposed to have faith in the legal system when the reasoning behind any changes is being withheld from us like this?

For that matter why should we trust them with such powers given the abuses by local authorities in the past? Legislation intended to help catch terrorists has already been abused to check on such ‘serious’ crimes as applying for school places outside their catchment areas and people not clearing up the mess left by their dogs or littering.

In my opinion – whatever that may be worth – the sheer insanity that plans such as this represent, coupled with other failings, notably the OPM hack in the US, significantly strengthens the public interest argument for releasing the report. Any new data sharing treaty is likely to work in both directions, and in many cases to the detriment of UK citizens (as they often seem to do in the case of extradition treaties). The end result is that whilst the UK will be able to demand cooperation from other countries, those other countries will also be able to demand that same level of cooperation from us.

The rights of foreigners in other countries – or lack thereof – are a huge concern, especially since some of them have been found to share unfiltered data with yet more countries. This means that anything even remotely personal shared with those 3rd parties could end up in the hands of states not bound by any treaty that the UK has signed. Assurances such as Safe Harbour, Mutual Legal Assistance Treaties and other mechanisms intended to control access are meaningless here (not that Safe Harbour has a promising future at this stage).

If you need any evidence of this then just look at Microsoft trying to prevent US access to servers in Ireland, despite the US having established a Mutual Legal Assistance Treaty with Ireland; large corporations in the US pushing for CISA to be passed into law; or the very Safe Harbour framework relied upon by those same US corporations being called into question.

The government here is being naive if it truly believes that our data is protected in any meaningful way once it leaves their control.

In any case an appeal has been lodged with the ICO. It will be interesting to see what the outcome is. I would hope that the ICO would at least agree with me that a summary is not an appropriate response to an FoIA request in such cases.

UPDATE: The CJEU has ruled against safe harbour (or harbor). This means that companies exporting data to the US from the EU cannot now rely upon it. It might also be worth adding that all other mechanisms for legalising export of data to the US – including BCRs – suffer from the same issue that resulted in safe harbour being struck down, so it will be interesting to see how regulators such as the ICO respond to recent developments.

Freedom of Information & the Private Sector

Anybody who knows me will know I’ve made a number of FoIA requests over time. It’s a valuable tool and deserves protection from interfering politicians that would prefer to be able to hide anything they would rather people didn’t think about.

Those reading this that also happen to be living in the vicinity of Heathrow will have noticed more aircraft noise over recent months. From Epsom to Bracknell and Ascot the stories often end up being the same: more noise and disruption from aircraft passing overhead or nearby. I’m one such person having to put up with more aircraft, and since I had enough of the noise I tried getting information out of NATS via an FoI request.

Imagine my surprise when I found out NATS weren’t subject to it, despite the fundamental role they play in running our transport infrastructure.

First a little background to the whole matter:

In 2014 Heathrow conducted trials. These trials involved changing the flight paths taken by aircraft going to and from Heathrow. This rather understandably prompted floods of complaints thanks to the huge disruption this caused to anybody living under the new flight paths. The discontent that resulted from the trials helped to bring about an earlier end to them than had originally been planned. The management had obviously not foreseen the furore the trials would cause and were forced to stop them.

The problems didn’t stop with the end of the trials though, since people kept on claiming that there was more noise. Time and time again Heathrow claimed that no changes had been made. The continual denials from Heathrow weren’t particularly believable, since anybody living in the area could tell quite easily that there was a difference. In addition NATS admitted recently to having failed to notify Heathrow of a change to one of the departure routes taken by aircraft when leaving Heathrow (referred to as the Compton route).

Personally speaking I find it difficult to accept that proper procedure has been followed in the case of the Compton route change, and if it has been followed then that raises more questions about the procedures themselves. NATS are forcing planes to fly in a different direction yet somehow according to them this rather confusingly was not a route change. I can understand why they might want to avoid describing it as such, since this would presumably require additional consultation and delay.

This does not, however, necessarily stop it from being a route change.

To make matters worse NATS not only swept the fact that any change had taken place under the metaphorical carpet, but they also made the change during the flight path trial being conducted by Heathrow (how this doesn’t invalidate the entire trial as a result of such ham-fisted behaviour by NATS really is beyond me).

On top of continual [incorrect] denials by Heathrow came the bloody-minded refusal by NATS to revert the changes when people started pointing out the impact it was having. Any request to consider going back to the old way of handling this route was welcomed with blanket refusals claiming it was done for reasons of safety (without, if I recall correctly, mentioning how safety had been improved, what risks had been mitigated or why – if there were such risks – they weren’t dealt with earlier).

In any case I strongly believe that any private sector organisation running services on behalf of the government ought to be subject to the Freedom of Information Act. This doesn’t apply to just NATS but all private sector organisations providing services to national or local government.

Private sector organisations such as NATS have a vital role to play but it’s equally vital that the public are in a position to know that the responsibilities entrusted to the private sector are being dealt with in an acceptable fashion. This can’t be achieved if said organisations are being run in an opaque way where only vague excuses need be given for decisions without any further consequences or additional oversight taking place.

I have started a petition on the No. 10 website asking for this to be changed. For some reason the confirmation page doesn’t contain the text of the petition (the people running the No. 10 website naively assume that nobody will ever change the text of the email they expect to be forwarded to trick people into sponsoring a petition).

UPDATE: The petition has now gone live, and can be accessed via the link below:

https://petition.parliament.uk/petitions/105322

Amazon spamming customers and ICO apparently can’t help

Recently I started getting spam from Amazon involving ‘local deals’. These were unwanted so I subsequently reported them to spamcop. Now I’ve started getting more spam for travel offers too. Given how unhappy I was at being spammed by an organisation as big as Amazon I started looking into what my rights were.

It seems that consent is required prior to sending. There is an exception however: the current rules for marketing allow for the possibility of a ‘soft opt in’. This basically means that consent need not be given if the following conditions have been met:

• where they’ve obtained a person’s details in the course of a sale or negotiations for a sale of a product or service;
• where the messages are only marketing similar products or services; and
• where the person is given a simple opportunity to refuse marketing when their details are collected, and if they don’t opt out at this point, are given a simple way to do so in future messages.

The page on the ICO that goes into detail can be found here.

The first and third conditions have been met. I have bought items from Amazon before and there is an unsubscribe link. The second condition on the other hand has not been met. I have not looked for nor bought local offers or travel deals. However when I complained about this to the ICO they made it clear that they were not going to do anything about this (the full reply can be found below).

It would seem that the only thing you need to do when breaking the law is make sure your head office is outside the UK. You can have offices in the UK, huge warehouses in the UK, thousands of employees in the UK, services aimed purely at UK customers (not to mention take BILLIONS each year from those same customers in sales) but still not be subject to UK law for activities involving UK customers.

And why should any UK citizen dealing with services provided in the UK have to know how things work in other EU member states, especially when they might not even be understood let alone have any complaint successfully dealt with? How many languages exist in the EU and how many should we have to know just to make sure our rights are respected? How many regulatory systems do we have to learn?

This really is a ridiculous situation to be in.

This was the response they gave me (kudos to the ICO for at least replying so quickly):

Dear Sir

Thank you for your email of 20 July.

In your email you explain that you have been receiving marketing emails from Amazon. As these marketing emails contain offers that relate to totally different goods and services from the items you bought, you believe that Amazon have not complied with the soft opt in from the Privacy and Electronic Communications Regulations. You would like to know what we can do in this situation.

As far as data protection law is concerned Amazon is based in Luxembourg. They do have a London office but they are only processing personal data on the instruction of the Luxembourg offices and as such can only work to their instruction. This means that we can’t investigate the concerns you have explained in your email.

These concerns can be looked at by the Luxembourg Authority whose contact details are:

Commission nationale pour la protection des données
1, avenue du Rock’n’Roll
L-4361 Esch-sur-Alzette
Tel. +352 2610 60 1
Fax +352 2610 60 29
e-mail: info@cnpd.lu

I appreciate that this isn’t the response that you were hoping for but I hope the information is helpful. If you would like to discuss this further please call me directly on [removed] or you can call our Helpline on 0303 123 1113.

As others have noted elsewhere it’s interesting how the ICO seem to want to switch from PECR to the DPA.