Mark this day and keep it clear: Tuesday 27 September. That’s this coming Tuesday. It’s the day of Infosecurity’s Autumn Virtual Conference. And it’s packed full of goodies: secure software development, responsible breach disclosure, tablets in the enterprise, governance and compliance, e-crime, a career in security and, of course, APTs.
And the speakers! Marc van Zadelhoff, Director of Strategy at IBM Security Solutions; Professor John Walker; Microsoft’s Jeremy Dallman; Raj Samani, Strategy Advisor for the Cloud Security Alliance and CTO EMEA at McAfee; Chenxi Wang from Forrester; Paul Simmonds, co-founder of the Jericho Forum; and many more.
Oh yes. And me. E-crime. 11:00am. 27 September. Be there.
The European Data Protection Supervisor is like Cnut facing down a tide of bureaucratic encroachment into our privacy
I should preface this post with two comments:
- My degree is in English Language and Literature. This leaves me sadly unqualified to understand European legalese, for which the minimum of a two-one in Contorted Logic is required.
- I like Peter Hustinx. I respect the European Data Protection Supervisor. But I cannot see him as anything other than a latter-day Cnut merely demonstrating that nothing can stop the tide of bureaucratic incursion into our personal privacy.
It is with this background that I looked at his latest ‘Opinion’ on the Proposal for a Regulation of the European Parliament and of the Council on European statistics on safety from crime. I own that I struggled as much to understand it as I did to stay awake; and had little success with either.
Article 8(2) to (4) of Directive 95/46/EC and Article 10(2) to (4) of Regulation (EC) No 45/2001 contain exceptions to the prohibition of processing these categories of data. In the present case, Article 8(4) of Directive 95/46/EC and Article 10(4) of Regulation (EC) No 45/2001, which allow the processing of such data for reasons of “substantial public interest”, could apply.
So I readily admit that I have not a clue what this Opinion is about, other than it appears that the EDPS is exhorting the EU to obey EU laws. And that might be the problem. EU law is a complex, contradictory mess. It can be accepted by most people that personal data can be kept private by making it anonymous. If data cannot be associated with any particular individual, then that personal data is confidential and effectively remains anonymous.
The problem is, the EU doesn’t seem to understand what this means.
As regards the possibility of identifying data subjects, two different notions are relevant in the EU legislation on statistics: “confidential data” and “anonymous data”. According to Regulation (EC) No 223/2009, data which allow statistical units (which might be natural persons, households, economic operators or other undertakings) to be “identified, either directly or indirectly”, are considered “confidential data” and are therefore subject to statistical confidentiality. However, Regulation (EC) No 831/2002 defines confidential data as data “which allow only indirect identification”.
Throughout this Opinion, poor Mr Hustinx has continually to specify the piece of EU legislation to which the EU should, in his opinion, adhere. That much is simply a farce. But the actual definition of legal anonymity beggars belief:
…the definition provided in Recital 26 of Directive 95/46/EC and Recital 8 of Regulation (EC) No 45/2001, according to which personal data are “rendered anonymous” when the data subject is “no longer” identifiable, taking into account “all the means likely reasonably to be used either by the controller or by any other person to identify the said person”
I have no idea what this means. But this is what it sounds like to me: anonymous does not legally mean anonymous, it means obfuscated. And obfuscation can be described as anonymous if the process of clarification would defeat the script kiddie in his bedroom. This means that data is still defined as legally anonymous even though it is not anonymous to the supercomputers of our own and/or foreign law enforcement or other agencies; or any other person or organization willing to use more resources than is likely reasonably to be used. In short, anonymous is meaningless.
So the moral of this little post is simple. If any European agency asks for your personal data and promises anonymity, don’t give it up. Europe lies in the classic Orwellian fashion: it redefines the truth.
I’ve commented on Neelie Kroes’ and Viviane Reding’s EU desire to get more women into the higher echelons of business (Net neutrality and business gender neutrality in the EU) and absolutely endorse the intent. Here in the UK we have our own poor man’s (sorry about the sexism) Kroes/Reding double act in the Harman/Cooper comedy pairing.
Tomorrow, with thanks to Guido for pointing to the excellent WomenOn blog, Harman/Cooper will be hosting a ladies-only meeting + Ed Miliband. Guido, of course, sees the funny side of things:
…Harriet Harman and Yvette Cooper are hosting a ‘What Women Want’ meeting tomorrow at Labour Party conference. What they apparently don’t want is men at the meeting. However Mrs Dromey and Mrs Balls are giving Ed Miliband a sex change for the day and making him an honorary woman so that he can address the meeting of the wimmin.
Ed Miliband to Have Sex Change Tomorrow
WomenOn sees the tragic side:
This is an outrage… It makes all those involved look out-of-touch, but more importantly, it does untold damage to the cause of equality for women. Why should men support equality for women if they are treated in this way?
Men, know your place! Harriet Harman doesn’t want to hear you
And that’s what it is: funny and tragic. The tragedy is that serious businessmen will continue to consider women as a lunatic fringe. All the good work done by Kroes/Reding, and indeed WomenOn, will be undone by the absurdly funny Harman/Cooper double act.