Tag Archives: launch event

Daithí Mac Síthigh: Computers and the Coalition

This is a version of Dr Daithí Mac Síthigh’s talk at the launch of the Centre for Law and Information Policy at the Institute of Advanced Legal Studies on 24 February 2015. It previously appeared on his own blog, Lex Ferenda.

Introduction

LS1335_0014As we approach the 2015 General Election in the UK, and mark the launch of this new Centre, it seems appropriate to look back on the record of the outgoing Coalition government regarding law and information policy.   The agreement between the Conservative and Liberal Democrat parties specifically emphasised the importance of information and of technology on a number of occasions, as I will highlight where appropriate. Beyond specific commitments, other issues of significance and controversy emerged during the lifetime of the Government.  It’s fair to say that this administration has been perceived (at least at times) as engaged with questions of law and technology, but is that an accurate observation?

I have reviewed the legislation adopted by Parliament during this period, referring back to the Coalition agreement where appropriate. I have also considered the more significant instances of secondary legislation and policy documents, including EU measures (but primarily those measures where Member States had some discretion in implementation or where there is a meaningful link with a national-level debate or controversy.

I group the work of the Coalition into four categories: rollback, rebalancing, re-regulation, and projects.

Rollback

My first category of Coalition activity can be described as ‘rollback’, on the grounds that the avowed intention of the Government was to repeal or substantially amend existing legislation and/or practice.  Typically, these changes were flagged up in the Coalition agreement, and appeared in one (or both) of the party manifestos.

An early piece of relevant legislation was the Identity Documents Act 2010. This repealed the 2006 legislation on identity cards, as part of the Coalition’s commitment to abandon the scheme. Not only was the legislation adopted, but the responsible Minister (Damien Green) was pictured assisting with the physical destruction of hard drives on which ID card information was stored.

A broader package of changes, again highlighted in the Coalition agreement, was included in the Protection of Freedoms Act 2012. This Act included provisions on DNA retention, biometrics, oversight of CCTV, and amendments to the Regulation of Investigatory Powers Act (RIPA) 2000. Perhaps these are not true ‘rollback’ in isolation, but the deliberate packaging of them in legislation on freedoms demonstrates the high water mark of the libertarian strand of thinking in the Government.

However, evidence of this approach is not only found in big-ticket legislative proposals. Take for example the changes in the Enterprise and Regulatory Reform Act 2013 sch 21, and related secondary legislation, removing the duty on television retailers to record and report the details of customers (to support the TV Licence system).

A good example of a rollback amendment, albeit not included in the Coalition agreement and not yet in force, is the proposed repeal of sections 17/18 Digital Economy Act 2010. These provisions, adopted in the very last days of the previous Parliament, were a move towards a statutory system for Internet blocking injunctions. However, in practice the expansive interpretation of section 97A CDPA 1988 (inserted in 2003), and latterly the use of wider powers (in the context of EU legislation), has meant that such injunctions are readily available against ISPs, on the application of affected rights holders. Ofcom was in 2010 critical of the feasibility of these provisions (in response to a request from the new Government), and the Government committed in 2011 not to implement them and then in 2012 to their repeal. The Deregulation Bill, which remains before Parliament, would do this.

Rebalancing

My second category is ‘rebalancing’. In this category, we find major, established areas of private law, where the Government has researched and/or successfully proposed changes that, taken as a whole, amend the balance between the different interests affected by the law in a clearly demonstrable fashion.

The first such example is the Defamation Act 2013. The Coalition agreement included a commitment to “review libel laws to protect freedom of speech”. Thus, both the intention and purpose were connected. The resulting legislation was indeed a reform project with a goal in mind, rather than a general review/update. The new provisions, including single publication, jurisdiction, yet another form of protection for Internet intermediaries (including the newly minted ‘operator of a website’), and changes to the threshold for making out the cause of action, generally favour the interests of libel defendants. These changes were not without criticism, but were broadly welcomed and supported by interests including publishers, journalists, and scientists.

In copyright law, the Government set up the Hargreaves Review, which built on the work of the Gowers Review under a previous administration. This was not the only IP project (see for instance the Intellectual Property Act 2014 on designs and patents, or the provisions of Part 6 of the Enterprise and Regulatory Reform Act 2013 on performances). However, the long gestation of the changes (eventually adopted by statutory instrument in 2014) points to the significance and controversy of the project. These changes included a new statutory exception for works of parody, caricature and pastiche, various protections for libraries, archives, cultural institutions and educational institutions, and a scheme to allow private copying without remuneration (which is under challenge).  Broadly, these changes restrict the exercise of exclusive rights under copyright law, although many were supported by technology industries. The freedom of action of the Government was constrained by EU law, so the new provisions are within what is permissible under the Information Society Directive. Nonetheless, the whole package – and the extensive economic evidence assembled during and after Hargreaves – is a lasting contribution to the field of copyright.

Before leaving this category, one could also consider an area of public law – the proposed Privacy and Civil Liberties Board, which is provided for (subject to future secondary legislation) in the Counter-terrorism and Security Act 2015 s 46. This Board, which was proposed during discussion of data retention legislation (see below), would allow the Home Secretary to appoint a board (mandate to be set out by statutory instrument) to support independent reviewers of terrorism powers. Its inclusion in counter-terrorism legislation is semantically uncomfortable, but does assist the scholar in categorising it as an attempt to address the perception that one set of interests (security) dominates over another (privacy) and requires rebalancing.

Re-regulation

My third category is a more controversial one, re-regulation. In the later days of the Coalition, it has put in place a number of areas that add new forms of regulation in respect of the use of the Internet – often reversing or significantly departing from provisions adopted under predecessor Governments.

One cannot avoid starting with the controversial, speedily-adopted Data Retention and Investigatory Powers (DRIP) Act 2014. Introduced ostensibly to fill the lacuna following the Court of Justice of the European Union (CJEU)’s finding that the Data Retention Directive was not valid due to infringement of fundamental rights, it readopted in primarily legislation much of the secondary legislation initially introduced as transposition of the Directive. A number of further changes were made. The legislation was given limited consideration by Parliament in summer 2014, and the author signed a letter critical of both its provisions and the lack of time available for its consideration. Already, however, it has been extended by way of s 21 Counter-Terrorism and Security Act 2015, which provide in effect for the further retention of data that will allow the association of devices with IP addresses.

An even clearer example of the Government’s changing approach to the Internet is found in the Audiovisual Media Services Regulations 2014. These provisions amend the scheme for regulating on-demand services, which were put in place in 2009/10 following the 2007 AVMS Directive. While the UK had been a vocal critic of the perceived over-regulation of on-demand services at the time, these new provisions (essentially applying BBFC standards on explicit content to on-demand services) go well beyond those in other EU states. The issue of restricting access to and in some cases prohibiting outright online video services was a matter of some concern to the Department for Culture, Media & Sport, including a request for input from Ofcom, regular updates (and exercise of existing powers) by the designed co-regulatory body ATVOD, and ongoing consideration of how far the UK could go without contravening the Directive.

Similarly, the Gambling (Licensing and Advertising) Act 2014 was an attempt to put in place, within the bounds of EU law, further restrictions on online gambling. The Gambling Act 2005 facilitated the advertising of online services from selected jurisdictions (EU and those on a ‘whitelist’ of countries with sufficiently robust regulatory mechanisms), and did not require providers located outside the jurisdiction to be regulated by the Gambling Commission. As I have written, the 2014 Act reverses both principles; now, where a service is used or likely to be used by users in Britain (if the operator knows or should know that), the Gambling Commission has regulatory jurisdiction. Only services regulated by the Commission can lawfully advertise in the UK. This legislation was unsuccessfully challenged by Gibraltar-based operators, and clearly responded to a degree of tolerance demonstrated by the CJEU in respect of similar legislation emanating from other member states.

Most recently, provisions in the Criminal Justice and Courts Act 2015 will, when they come into force, create or extend criminal offences of some significance. The Act extends the penalty for breach of the Malicious Communications Act 1988. It also extends the scope of the ‘extreme pornography’ provisions enacted by the previous Parliament. This was presented at various stages as a ‘possible loophole’ or ‘loophole’, although the evidence was in my view more nuanced and contested than this.  Famously, the Act also contains a new offence of ‘disclosing private sexual photographs and films with intent to cause distress’ – often, but not entirely accurately, called the ‘revenge pornography’ clause. Although without doubt a difficult and sensitive issue, these provisions were introduced without a committee stage in the House of Commons, and with limited research or consultation. The use of new approaches and definitions is interesting (note the focus upon distress, or the defining of sexual as including something that a reasonable person would consider to be sexual). However, unfortunately it is another example, in Internet-related criminal law, of the creation of a new offence without the methodical consideration of existing offences or an attempt to put in place a meaningful set of workable, understandable provisions. Taking along with the MCA changes and pornography provisions, we see the gradual growth of criminal sanctions in an area that surely demands a proper look (perhaps along the lines of the House of Lords Communication Committee’s 2014 report on social media and criminal offences).

Projects

A final category is major projects – here, I highlight open data, juries, consumer law, creative industries tax relief, local media, and the Leveson Inquiry.

Starting with the big one – open data. This is an area where the Government has been very active, at least in terms of policy statements and reports. The manifesto included commitments to openness in principle and further points of detail. Since then, we have seen a White Paper (2012), a review on public sector information, another review on anonymisation, and more. Open Data Strategies have been adopted at department level, prompted by a letter from the Prime Minister. Data.gov.uk is a repository of data and a shopfront for innovative uses.  An Open Data Institute, with a focus on private-sector activity, has been created. Legislatively, the changes were at a smaller scale. The Protection of Freedoms Act included an amendment to the FOI Act in support of the release of usable datasets. More controversially, the Health & Social Care Act 2012 put in place various regimes in relation to health data, which have already proven to be controversial (e.g. the care.data events of 2014). Interestingly, though, much of the work here has been non-legislative, confirmed by the statement in the 2012 White Paper that “we don’t want to use legislation too readily – that would sit at odds with our core principle to reduce bureaucracy”.

A smaller project, perhaps, is the work that the Law Commission has done on jurors, in the context of contempt of court. New provisions were included in the Criminal Justice and Courts Act 2015, dealing with matters including the carrying out of research by jurors and the use of electronic devices. The Law Commission’s project was wide-ranging, and led to timely legislation.

The consumer law reform project is an interesting one. There wasn’t much detail on this in the Coalition agreement (beyond a general commitment to “introduc(ing) stronger consumer protections, including measures to end unfair bank and financial transaction charges.” Initial steps came in the transposition of the Consumer Rights Directive, which had at one time been a planned overhaul of the EU consumer law acquis, but turned out to be something a lot less extensive. In this gap, then, came the Consumer Rights Bill, which remains before Parliament. The Bill, in line with the recommendations of a number of reports, addressed a long-standing potential gap in consumer law, which has a firm distinction between the sale of goods and the supply of services, without properly addressing the position of ‘digital content’. The new Bill creates a three-tier structure, with much (but not all) of the existing or reframed requirements for goods being applied to the new digital content category.

Creative industries tax relief was the subject of a notable shift in direction. The incoming Government initially abandoned video games tax relief, on the grounds that it was ‘poorly targeted’. However, it subsequently introduced a new relief for games, high-end television and animation. The games scheme was delayed pending consideration by the European Commission, but ultimately approved – and is now in force. Indeed, a follow-up set of changes introduces relief for theatre as well.  As I have written elsewhere, the adopting of this scheme highlights the ability of the Government to promote it within the UK as an industrial measure, while reassuring the European Commission that its objectives were truly cultural.

Local media was an early theme of the Department for Culture, Media and Sport, with the initial Secretary of State frequently wondering why local TV was in a better state in Birmingham, Alabama than in Birmingham, England. Beyond the soundbite, a number of specific changes were made. The Communications Act was amended twice: first in 2011 to liberalise some cross-ownership requirements, and then again in 2012 to put in place a new form of licence for local TV stations; some of them are now up and running.

And then, there was the Leveson Inquiry. Certainly not in the Coalition agreement, as the question of phone-hacking was yet to come to a head. When it did in 2011, the Prime Minister established the Inquiry, and the rest was history. Or was it?  Leveson’s recommendations were acknowledged in part through the inclusion of provisions in the Crime and Courts Act 2013 (linking membership of an approved regulator to the question of exemplary damages for certain media-related causes of action e.g. defamation), and the broadly-worded clause in s 96 Enterprise and Regulatory Reform Act 2013 on the relationship between Parliament and Royal Charters for specific industries. This was part of the Government’s attempt to provide for some measure of press regulation without formal statutory control, although the current Secretary of State at DCMS seems to have stepped back from this approach somewhat. Other areas of the Leveson report, especially on data protection and media pluralism, remain unimplemented at a legislative level.

Conclusion

Finally, I make three general observations, and then highlight some issues to watch in the election campaign and the formation of the next Government.

There was no major legislative project in this field during the lifetime of the Coalition. Open data as a project could be considered as information policy, although the lack of legislative underpinning is surprising for something argued to be so fundamental to a change in the way of governing. With 130 or so Acts adopted since the 2010 election, only a handful relate to information and technology, and often it was only a clause or two that were relevant.

The initial urgency of Coalition libertarianism gave way to a late enthusiasm for Internet (re)regulation.  This is not unusual for governments, and the knee-jerk response to perceived disorder or threat is not specific to the Internet, but it is remarkable how the measures in this field adopted over the last 12-18 months have been characterised by the extension of State power in a whole range of areas.

The Coalition also addressed a range of industries in varying ways. The press was pleased at the Defamation Act and (mostly) pleased with the (limited) approach to the Leveson report. IT industries were well served by changes to defamation and copyright law, but some spoke out against changes to data retention. Some in the creative industries were upset at the copyright changes, but reassured by the new tax reliefs.

Here are a few things to watch out for.

  1. Data and information. Eventually, the EU will (should?) adopt the General Data Protection Regulation, which may lead to a debate at national level for other or related issues. A consultation on ‘nuisance calls’ consultation closed in December 2014, so the proposed changes might follow (update: this has now happened). The Law Commission’s project on data sharing has so far provided a scoping report, which sets out very explicitly the complexity of the legislative changes that could be necessary to support this goal. The long-term position of data retention will need to be resolved after DRIP expires, and the Justice Committee’s post-legislative scrutiny of the FOI Act could also be a useful starting point for a future Government.

  2. Infrastructure. The Law Commission’s 2013 report on the Electronic Communications Code (which affects the building of networks) was to be implemented through the Infrastructure Bill. However, the provisions were withdrawn and a separate consultation is now taking place.

  3. A review of the sharing economy reported in November 2014, recommending various changes to the law (albeit not in much detail, and the handling of the matter was questionable, with the report being written by an ‘independent’ person, the founder of a home-swapping company). Already, the Deregulation Bill contains a specific amendment that supports private short-term letting of property in London (amending 1970s legislation). However, the controversy associated with this field, and the existence of a report, could well keep this on the agenda.

  4. Media. Many would have predicted, given DCMS activity and proposals, that this Government would have proposed a new Communications Act. The 2003 Act has been amended (mostly through secondary legislation), and other provisions are politically contentious. Will the next Parliament be asked to consider a Communications Bill?

PS: Subsequently, and quicker than I had expected, the Serious Crime Bill became the Serious Crime Act 2015. This Act contains provisions on journalistic sources (s 83), possession of any item that contains advice or guidance about abusing children sexually (s 69), sexual communication with a child (s 67), and a series of changes to the Computer Misuse Act. In the next version of this work, I’ll incorporate all that…

Dr Daithí Mac Síthigh is Reader in Law at Newcastle University, where he teaches and researches digital media law. He is a member of the Advisory Board of the Centre for Law and Information Policy. He plans to develop this talk into a full article and welcomes comments. He can be found @macsithigh on Twitter.

Further reading:

Marion Oswald: Controlling, lying and blocking – ways for the individual to win the privacy arms race?

LS1335_0034This is a version of Marion Oswald’s speech at the launch of the Centre for Law and Information Policy at the Institute of Advanced Legal Studies on 24 February 2015. It previously appeared on the SCL website.

Controlling, lying and blocking – could these activities enable an individual to win the privacy arms race against the data collection, surveillance, behavioural tracking and profiling abilities of search engines, marketers, social networking sites and others?

When we think about an arms race, we might imagine two sides evenly matched, both equally able to equip themselves with weapons and defences.  But, when it comes to individuals versus data collectors, the position is considerably unbalanced – the equivalent of a cavalry charge against a tank division.

So what about regulatory enforcement?  In the UK, it could be described as mostly polite…

It is not however as if the individual is without protections.  Let’s take consent, a key principle of European data protection law.  Consent based on privacy policies is rather discredited as an effective means of enforcing privacy rights over data held by commercial third parties.  If I might quote Lillian Edwards, ‘consent is no guarantee of protection on Facebook and its like, because the consent that is given by users is non-negotiable, non-informed, pressurised and illusory.’[i] So what about regulatory enforcement?  In the UK, it could be described as mostly polite, in the rest of Europe, sometimes a little more robust.

The FTC in the US has had some notable successes with its enforcement action based on unfair practices, with Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, advocating privacy as being part of the ‘bottom line.’[ii]  It remains to be seen whether market pressures will drive good faith changes in privacy practices – alternative subscription, advertising-free business models have failed to make much headway in terms of market share.  The so-called ‘right-to-be-forgotten’ has been much debated and I would question how much the Google Spain decision[iii] adds to the individual’s armoury, the original publication remaining unaffected.  And as for personal data anonymisation, this could be subject of a long debate in itself!

What can individuals do if they want to take matters into their own hands, and become a ‘privacy vigilante’?[iv]  Here are three possibilities: first, ‘personal data stores’ (PDS) or ‘personal information management services’ (PIMS) are said by their promoters to enable individuals to take back control over their personal data and manage their relationship with suppliers.  Pentland from MIT describes a PDS as ‘a combination of a computer network that keeps track of user permissions for each piece of personal data, and a legal contract that specifies both what can and can’t be done with the data, and what happens if there is a violation of the permissions.’[v]

Secondly, blocking.  Systems could prevent tagging of individuals by third parties and set privacy defaults at the most protective.  Lifelogging technologies could prevent the display of any recognisable image unless that individual has given permission.[vi]  Individuals could deploy a recently invented Google Glass detector, which impersonates the Wi-fi network, sends a ‘deauthorisation’ command and cuts the headset’s internet connection.[vii]

 Brunton & Nissenbaum describe obfuscation as a ‘viable and reasonable method of last-ditch privacy protection’

Finally, obfuscation, by which technology is used to produce false or misleading data in an attempt, as Murray-Rust et al. put it, to ‘cloud’ the lens of the observer.[viii]  It’s the technological equivalent of what most of us will have already done online: missing off the first line of our address when we enter our details into an online form; subtly changing our birthday; accidentally/on-purpose giving an incorrect email address in exchange for a money-off voucher.  A personal data store could, for instance, be used to add ‘chaff’ (adding multiple data points amongst the real ones), or simulating real behaviour such as going on holiday.  On the face of it, obfuscation may seem to be an attractive alternative approach, providing individuals with a degree of control over how much ‘real’ information is released and some confidence that profiling activities will be hampered.

Are these methods ways for the individual to win the privacy arms race?  As things stand, I have my doubts, although that is not to say that a legal and regulatory regime could not be created to support these methods.  PDSs raise numerous questions about contract formation, incorporation, offers and counter-offers.  Service providers would need to be prepared to change their business models fundamentally if PIMS are to fulfil their potential.  In the short term, there appears to be little commercial incentive for them to do so.

In terms of blocking, systems could adopt protective measures but they don’t, because they don’t have to.  Google Glass blockers may well fall foul of computer misuse legislation if used by members of the public rather than the network owner.  In the UK, there would be a risk of a s3 offence under the Computer Misuse Act 1990 – an unauthorised act with intent to impair the operation of any computer.  Haddadi et al. suggest the ‘continuous broadcast of a Do-Not-Track beacon from smart devices carried by individuals who prefer not to be subjected to image recognition by wearable cameras’ although the success of this would depend on regulatory enforcement and whether device providers received and conformed to such requests.[x]  It would be rather ironic, however, if one had to positively broadcast one’s presence to avoid image recognition.

As for obfuscation or lying on the internet, Murray-Rust et al. distinguish between official data, where obfuscation may be a criminal offence, and other data that can be obfuscated ‘without legal consequence’.[xi]  The distinction is unlikely to be so clear-cut,: both on the civil side, and on the criminal side (fraud and computer misuse spring to mind), and this is something that I will be writing about in the future.

By continuing to shift responsibility onto the individual, is this letting society off-the-hook for finding better solutions to privacy concerns?

I would like to finish with this question about privacy vigilantism: by continuing to shift responsibility onto the individual, is this letting society off-the-hook for finding better solutions to privacy concerns?[xii]  I think it probably is.  Finding better solutions will require even closer interaction between computer scientists, lawyers and policy-makers.

Marion Oswald is Senior Fellow and Head of the Centre for Information Rights at the University of Winchester: marion.oswald@winchester.ac.uk

The 2nd Winchester Conference on Trust, Risk, Information & the Law on 21 April 2015 will be exploring the theme of the privacy arms race: click here.

Photographs: Lloyd Sturdy.

New information law and policy centre officially launched!

On 24th February 2015 we officially launched the new Centre for Law and Information Policy at the Institute of Advanced Legal Studies with an academic workshop on ‘information flows and dams’, featuring a range of leading scholars in the field, and an evening lecture by Timothy Pitt-Payne QC, barrister at 11KBW, specialist in information rights.

IALS buildingWe are now sharing some of the materials online: video of Timothy Pitt-Payne’s lecture asking ‘Does Privacy Matter?’, a selection of tweets, presentation slides from the afternoon workshop, photographs, drawings by Isobel Williams, and guest posts by the speakers.

If you are interested in the Centre’s themes, and would like to know more and to be kept informed of future activities, please email judith.townend@sas.ac.uk. Please also get in touch with ideas for what we might usefully do, to contribute to a fast-growing area of research on information law and policy and to support the work of others in the field.

Photographs: Lloyd Sturdy.

 

Upcoming event, 24 February 2015: Launch of the IALS Centre for Law and Information Policy

We had something of a ‘soft’ launch of the Centre for Law and Information Policy this week, with a lecture by James Michael, Senior Associate Research Fellow at the Institute of Advanced Legal Studies. His title was ‘Data Protection Act 1984, Freedom of Information Act 2000: 30 and 15 years on – perspectives on the past and prospects for the future‘ and set the stage for our official launch, which will take place on Tuesday 24th February at the IALS.

The launch will be in two parts: an afternoon workshop featuring presentations by a range of scholars specialising in information law topics, and an evening talk by Timothy Pitt-Payne QC, barrister at 11KBW and specialist in information law, followed by a drinks reception. The full programme can be downloaded at these links:  evening / afternoon / both, or see this page.

Both events are free to attend, but you will need to reserve your place for either or both events, as follows:

More information about the new Centre

The Centre’s aim is to promote and facilitate multi- and inter-disciplinary law and policy research, in collaboration with a variety of national and international institutions. To this end, we would be very interested to hear your ideas for how we might support existing and future research in other places, and assist communication between scholars and practitioners in this area.

Further contact

Judith Townend, director of the Centre for Law and Information Policy, judith.townend@sas.ac.uk / Twitter: @jtownend / @infolawcentre