A Social Media Working Group from Brussels

Ah! social data will soon be ‘a type of personal data’. Will we see policymakers talking about personal-social or social-personal data? Note this press release from Brussels on ‘A Social Media Working Group (SMWG)

Would the ‘voice’ from this new SMWG on the Facebook-Cambridge Analytica scandal add fresh insights to the many ‘voices’ coming from various fronts in the UK and in the US?

I just did a quick scan of my latest tweets from the ICO @ICOnews and Cambridge Analytica @CamAnalytica). All pretty dull tweets/news compared to the snapshots of the Mark Zuckerberg Congressional hearing or ‘grilling’ or interrogation.
For the first time in American history, it’s not ‘The State of the Nation’ hearing but ‘The State of the Network’ – from Bloomberg newsflash!

Anonymisation & GDPR

Yesterday evening, 29th March 2018 I attended a BCS Law Specialist Group event – GDPR: Anonymisation,re-identification risk and GDPR profiling. The talk was presented by Dr. Amandine Jambert from the French Data Authority CNIL. The anonymisation slide is interesting.

I asked whether the WP29 thinking (& their opinions) about the 3 properties are for the ‘direct and indirect’ way of identification of the personal data. The answer was not in the method itself but that the properties are for ‘all data types’ i.e. any dataset. Her exact wordings ‘ use by anyone on any dataset’. Also, the DPA (DPO/Organisation?) needs to prove (or justify or show) that the dataset has indeed been anonymised (using any of the 2 options). My understanding is that the anonymisation if done (risk-based, database and/or algorithmic-driven) should not enable the direct and indirect re-identification of the individual(s).
As noted on this slide: ‘No single technique eliminates all risks’.

It’s near impossible to identify/isolate ‘all the direct/indirect re-identification risks’ associated with any dataset, assuming the dataset is available and not hidden in some Cloud and/or in a chain of hidden registers.

We really need to re-think personal data in terms of ‘the harm to individuals’ as there’s no absolutely sure way of preventing re-identification risks (i.e. singling out, linkability or inference/deduction etc.)

Overall a great talk.

I just noticed the slides and talk are available online: BCS Law talk 29th March 2018

ICO statement: investigation into data analytics for political purposes

The ICO statement on 24th March 2018.
I assume this is not the first-time such a civil & criminal investigation by the ICO.

The ICO’s investigation on the DeepMind-NHS saga (not a scandal?) revealed this:

However, an investigation by the ICO discovered several shortcomings in how the data was handled, including that patients were not adequately informed that their data would be used as part of the test. (Extracted from ‘review-agrees-that-deepmind-nhs-deal-lacked-clarity’)

Based on the reported news the Facebook-Cambridge Analytica (CA) scandal (Top EU privacy watchdog calls Facebook data allegations the ‘scandal of the century) and the DeepMind-NHS saga did not involve a breach of technical security and/or organisational security measures (excluding privacy policies and app/SLA-type driven contractual agreements).

What data protection and privacy principles have been violated/breached?

Would ethics be a yardstick in the final determination of the Facebook-CA scandal?

social data – Facebook

A well-crafted post by Mark Zuckerberg:

GDPR press briefing

I started using Shapr early this year out of curiosity to ‘test’ and to ‘play’ with the app. So far I’ve met up with a barrister and we had interesting exchanges, including the GDPR.

Hard to imagine that I got interested in data protection and privacy way back in 2000. Back then I was a consultant (Business Architect role) working on an internet banking project. The governance/compliance & team communications aspects of the project drove me to do a law course at Queen Mary College. I did the Data Protection, IP and advanced IP modules. I subsequently completed the Post-Graduate Diploma in Internation Commercial Arbitration.

When the GDPR was drafted in 2012, I gave a talk at the BCS which I’ve posted here.

Also, during my time at the City, University of London I’ve initiated Privacy Day events.

This year, to mark the GDPR coming into effect on 25th May 2018, together with my colleagues at City, we will be hosting a GDPR press media event on the 17th April.

More to follow…

Privacy-by-design framework

#privacy-by-design framework for the collection and
processing of behavioural #data -an #OASIS COEL TC deliverable http://bit.ly/2Hck3W9

The url:


Article 29 WP revised guidelines on personal data breach notification

Latest (final?) revised ‘Guidelines on Personal data breach notification under Regulation 2016/679 (wp250rev.01) available here

UK Data Protection (HL Bill) & GDPR

This is an amendment of my blog done last Sunday (4th Feb 2018).
The latest UK Data Protection Bill – HL Bill 153 (The Bill) is published here and the Explanatory Notes published here.

It’s going to take more of my free Sunday afternoons to plough through the Bill, the Explanatory Notes and also this Keeling Schedule (GDPR effected by the Bill!).

Data protection (under current DPA) appeal cases

Just catching up on my tweets and found an interesting post curated by “The Data Chain” an online paper (setup by me).

This interesting post: “Data protection in the Court of Appeal & the right to be forgotten” – not #GDPR-related – but will be significant post-GDPR era (from 25th May 2018 onwards).
The appeal cases extracted from the post are:

- DB v General Medical Council (application of mixed data provisions in s. 7 DPA) – due to be heard in March 2018,
- TLT v Home Office (accidental online disclosure of information relating to asylum seekers) – due to be heard in April 2018 – (note, the appeal does not address the quantum of the awards made in that case but instead focuses on the question of whether compensation ought in principle to have been awarded to individuals who were not referred to by name in the disclosed spreadsheet but who were nonetheless affected by the disclosure);
- Stunt v Associated Newspapers (challenge to the stay mechanism under s. 32 DPA) – due to be heard in June 2018 and, last but most certainly not least,
- Various Claimants v WM Morrison Supermarket PLC (group litigation data breach case) – due to be heard by the Court of Appeal before the end of 2018.

The UK Data Protection Bill [HL]

The published Bill- 218 pages.

Will review the Bill soon…