Tag Archives: ico

Reflections on ‘Freedom of Information’ at 250

Freedom of Information Act Sweden and Finland 1766

In December 2016, the Information Law and Policy Centre co-organised an event celebrating the 250th anniversary of the world’s first law providing a right to information. It was hosted by free expression NGO, Article 19 at the Free Word Centre and supported by the Embassies of Sweden and Finland. A full programme of the event and the audio files are available on the Campaign for Freedom of Information website. In this post, Judith Townend and Daniel Bennett reflect on a few of the key themes discussed at the event. 

Accessing information may no longer feel like a pressing problem. We live in an age of global telecommunications, the internet and the smartphone with access to ubiquitous 24/7 media coverage on demand. Our data is collected, tracked, mapped and analysed by social media networks, search engines, commercial enterprises, governments and public authorities around the world. And yet, 250 years after the first law providing for a right to information was passed, the right for us – the public – to access information relating to the administration of state power remains a struggle.

Our ‘Freedom of Information at 250’ event sought to put this struggle into its historical context. The event celebrated and commemorated the signing into law of ‘His Majesty’s Gracious Ordinance Relating to Freedom of Writing and of the Press’ on 2nd December 1766.¹ Enacted by the Riksdag (parliament) of Sweden – which then also included Finland – this was the world’s first law to promise public access to governmental information. Continue reading

Freedom of Information at 250: now on Storify

Last week, Article 19 held the ‘Freedom of Information at 250‘ event at the Free Word Centre. The aim of the event was to commemorate, celebrate and scrutinise the adoption of the first freedom of information law in Sweden and Finland in 1766.

Participants also discussed the relevance and significance of the law today and the future of freedom of information, in a national and global context.

There was a range of speakers on the day including Maurice Frankel and Des Wilson from the Campaign for Freedom of Information (CFOI), the new Information Commissioner, Elizabeth Denham, and Lord James Wallace of Tankerness, former member of Scottish Government, who piloted the Freedom of Information Act through the Scottish Parliament.

We have collected a number of tweets from participants at the event using #FOI250 and published them on Storify to help capture the flavour of the discussions which took place.

The collection documents the two moderated discussions and the evening panel. There is also a list of resources and reaction at the end of the collection. Click here or on the image below to view the Storify collection.

foi250-event-storify

Freedom of Information at 250 was an Article 19 event held at the Free Word Centre with the support of the Information Law and Policy Centre at the Institute of Advanced Legal Studies, and the Embassies of Sweden and Finland.

Data Retention and the Automated Number Plate Recognition (ANPR) System: A Gap in the Oversight Regime

ANPR Intercept

The Advocate General’s Opinion in the recent Watson/Tele2 case re-emphasises the importance of considered justification for the collection and storage of personal data which has implications for a variety of data retention regimes. In this post, Lorna Woods, Professor of Internet Law at the University of Essex, considers the legal position of the system used to capture and store vehicle number plates in the UK.

The Data Retention Landscape

Since the annulment of the Data Retention Directive (Directive 2006/24/EC) (DPD) with Digital Rights Ireland (Case C-293/12), it has become clear that the mass retention of data – even for the prevention of terrorism and serious crime – needs to be carefully justified. Cases such as Schrems (Case C-362/14) and Watson/Tele2 (Case C-698/15) re-emphasise this approach. This trend can be seen also in the case law of the European Court of Human Rights, such as Zakharov v. Russia (47143/06) and Szabo v Hungary (11327/14 and 11613/14).

Not only must there be a legitimate public interest in the interference in individuals’ privacy and data protection rights, but that interference must be necessary and proportionate. Mechanisms must exist to ensure that surveillance systems are not abused: oversight and mechanisms for ex ante challenge must be provided.  It is this recognition that seems part of the motivation of the Investigatory Powers Bill currently before Parliament which deals – in the main – with interception and surveillance of electronic communications.

Yet this concern is not limited to electronic communications data, as the current case concerning passenger name records (PNR) data before the Court of Justice (Opinion 1/15) and other ECtHR judgments on biometric data retention (S and Marper v. UK (30562/04 and 30566/04)) illustrate.  Despite the response of the UK government to this jurisprudence, there seems to be one area which has been overlooked – at least with regard to a full oversight regime. That area is automated number plate recognition (ANPR) and the retention of the associated data. Continue reading

Eerke Boiten: Privacy watchdog takes first step against those undermining right to be forgotten

This guest post by Eerke Boiten, University of Kent, considers the implications of granting an individual the right to be de-listed from online search results: should new articles about de-listed content be removed too? 

The UK’s data privacy watchdog has waded into the debate over the enforcement of the right to be forgotten in Europe.

The Information Commissioner’s Office issued a notice to Google to remove from its search results newspaper articles that discussed details from older articles that had themselves been subject to a successful right to be forgotten request.

The new reports included, wholly unnecessarily, the name of the person who had requested that Google remove reports of a ten-year-old shoplifting conviction from search results. Google agreed with this right to be forgotten request and de-linked the contemporary reports of the conviction, but then refused to do the same to new articles that carried the same details. Essentially, Google had granted the subject’s request for privacy, and then allowed it to be reversed via the back door.

The ICO’s action highlights the attitude of the press, which tries to draw as much attention to stories related to the right to be forgotten and their subjects as possible, generating new coverage that throws up details of the very events those making right to be forgotten requests are seeking to have buried.

There is no expectation of anonymity for people convicted of even minor crimes in the UK, something the press takes advantage of: such as the regional newspaper which tweeted a picture of the woman convicted of shoplifting a sex toy. However, after a criminal conviction is spent, the facts of the crime are deemed “irrelevant information” in the technical sense of the UK Data Protection Act.

The arrival of the right to be forgotten, or more accurately the right to have online search results de-linked, as made explicit by the EU Court of Justice in 2014, does not entail retroactive censorship of newspaper reports from the time of the original event. But the limited cases published by Google so far suggest that such requests have normally been granted, except where there was a strong public interest.

Stirring up a censorship storm

It’s clear Google does not like the right to be forgotten, and it has from early on sent notifications to publishers of de-listed links in the hope they will cry “censorship”. Certainly BBC journalist Robert Peston felt “cast into oblivion” because his blog no longer appeared in search results for one particular commenter’s name.

It’s not clear that such notifications are required at all: the European Court of Justice judgment didn’t call for them, and the publishers are neither subject (as they’re not the person involved) nor controller (Google in this case) of the de-listed link. Experts and even the ICO have hinted that Google’s efforts to publicise the very details it is supposed to be minimising might be viewed as a privacy breach or unfair processing with regard to those making right to be forgotten requests.

The Barry Gibb effect

De-listing notifications achieve something similar to the Streisand effect, where publicity around a request for privacy leads to exactly the opposite result. I’ve previously called the attempt to stir up publisher unrest the Barry Gibb effect, because it goes so well with Streisand. So well, maybe it oughta be illegal.

[youtube https://www.youtube.com/watch?v=nVyeNZCENZA?wmode=transparent&start=0]

Some publishers are happy to dance to Google’s tune, accumulating and publishing these notifications in their own lists of de-listed links. Presumably this is intended to be seen as a bold move against censorship – the more accurate “List of things we once published that are now considered to contain irrelevant information about somebody” doesn’t sound as appealing.

In June 2015, even the BBC joined in, and comments still show that readers find salacious value in such a list.

Upholding the spirit and letter of the law

While some reporters laugh at the idea of deleting links to articles about links, this misses the point. The ICO has not previously challenged the reporting of stories relating to the right to be forgotten, or lists of delisted links – even when these appear to subvert the spirit of data protection. But by naming the individual involved in these new reports, the de-listed story is brought straight back to the top of search results for the person in question. This is a much more direct subversion of the spirit of the law.

Google refused the subject’s request that it de-list nine search results repeating the old story, name and all, claiming they were relevant to journalistic reporting of the right to be forgotten. The ICO judgment weighed the arguments carefully over ten pages before finding for the complainant in its resulting enforcement notice.

The ICO dealt with 120 such complaints in the past year, but this appears to be the only one where a Google refusal led to an enforcement notice.

The decision against Google is a significant step. However, its scope is narrow as it concerns stories that unwisely repeat personally identifying information, and again it only leads to de-listing results from searches of a particular name. It remains to be seen whether other more subtle forms of subversion aimed at the right to be forgotten will continue to be tolerated.

Eerke Boiten is Senior Lecturer, School of Computing and Director of Academic Centre of Excellence in Cyber Security Research at University of Kent.

This article was originally published on The Conversation. Read the original article.

The Conversation