Goodle (that is, the UK’s ICO) is friendly with Google. You can see that in its behaviour over Street View (the collection, inadvertent or otherwise, of personal wifi data while driving round the streets of the world). Germany fined Google over it. Goodle just said stop it, don’t do it again, and get rid of what you’ve got.
When Google didn’t get rid of it, Goodle had to get really tough, and say get rid of it now, because we really, really mean it this time!
But back to Article 29. Problematically for Goodle, the UK is one of six EU member states chosen to take enforcement action against Google. CNIL, the French regulator, has already completed its task. It has instructed Google in exactly what it must do to come into conformity with French law. Google has three months to comply before CNIL levies a fine.
Spain is likely to be next. The Spanish regulator announced on Thursday that it has “found evidence of five serious privacy law breaches — each punishable with fines of up to 300,000 euros ($395,000).” (AFP) An enforcement notice with threats will likely follow shortly.
Germany is hardly likely to take a softer line – generally speaking it is tougher than most other EU nations on matters of personal privacy (some can remember Nazi Germany, and most can remember Stasi Germany).
Then we have Italy, the Netherlands, and of course Goodle. My bet is that Italy and the Netherlands do the same as France and Spain. But what then? What about the UK? What’s a good Goodle to do if all the other nations slap Google as hard as they can? It’s a difficult position for a loyal Google Poodle.
I’ve never been convinced of the value of the UK’s data protection regulator, the ICO. There are numerous reasons for this. Firstly, the Data Protection Act is a law. Upholding the law is a job for the police and courts, not a government-controlled quango. Secondly, to uphold the law you need a grounding in the law: the ICO should be a lawyer, not a marketer. And thirdly, the whole premise of the Data Protection Act is absurd. The way it is established means that proof of compliance is not getting hacked, while proof of non-compliance is getting hacked. And getting hacked is a lottery that has little relationship to security spend.
But I think I lost all respect when the ICO published an ‘independent’ report on the GDPR last month. It was undertaken by London Economics and is reliant on statistics (a survey of 506 data protection professionals working in UK companies). Statistics always reflect the bias of the author, so they’re always pretty meaningless. But that’s not the issue. It was what the ICO said about it:
Today’s report is the latest contribution from the ICO to this debate. We’d urge the European Commission to take on board what it says, and to refocus on the importance of developing legislation that delivers real protections for consumers without damaging business or hobbling regulators.
This is gobbledygook. ‘Without damaging business or hobbling regulators’ is rather confused since it is protecting business that hobbles regulators. He claims to want ‘real protections for consumers’ when what he is advocating limits the genuinely real protections for consumers proposed by the EC.
But above all, what is the Information Commissioner doing in advocating for business rights? His mission, in his own words, “is to uphold information rights in the public interest.” Yet here he is trying to uphold business rights to the detriment of the public interest. Lobbying against the GDPR on behalf of business is none of his concern, and a betrayal of the people he is supposed to protect.
He is, however, toeing the UK government line, which in turn is toeing the US government and US corporate line. PRISM shows us that the US government cannot be trusted with our personal data. GCHQ’s involvement with PRISM and the MPs’ call to get the Snoopers’ Charter back on course show that UK politicians cannot be trusted with our personal data.
And where is the ICO on PRISM? God knows. He has published no statement, and posted no blog on the subject. Instead, he is lobbying on behalf of business to make the transfer of our personal data (via Google, Facebook, Microsoft et al) to the NSA all the easier.
It’s time for the ICO to be abolished and replaced by something more meaningful, and someone more willing to fight for the people rather than lobby for business at the behest of government.
Compliance – at least European regulatory compliance – bothers me. Whenever I speak to a security expert, those concerns are allayed for just so long as we talk; and then they come back again.
The problem is that Europe passes principle-based legislation (the US is more likely to pass rule-based legislation). The former tells you what must be achieved (the principle), while the latter tells you how it must be done (the rules).
The European Data Protection Directive is a perfect example of principle-based legislation. It says that personal information must be held securely; but it doesn’t tell you how it should be done.
Here’s my problem. Data that hasn’t been lost or stolen has, de facto, been held securely and the company is in compliance – even if it spends nothing on compliance. Data that has been lost or stolen has not, de jure, been held securely and the company fails compliance even if it has spent many millions of pounds on compliance. The existence or lack of infosecurity defences is irrelevant: if you lose that data, then you are in breach of the Act; if you do not lose the data, then you are not in breach of the Act.
I’m not interested in claims that proof you spent money on security will make the ICO (a marketing man, mark you – not a lawyer) go easy on you. That’s just marketing dross to hide the underlying contradiction.
What I want to know is quite simple. How can it possibly be right to frame a law that states someone who tries to comply can fail compliance, while someone who ignores compliance can be compliant? The result is that there is no logical reason to spend money on securing personal data – just hope you don’t get hacked. This is aggravated by the common and growing perception that if you get targeted, you will get breached. So if you get targeted, you will have failed compliance whether you try to comply or not. Why bother?