PhD Thesis

In case you’re interested, my #PhD #thesis (previously embargoed for commercial purposes) is available via – Cher Devey PhD Thesis

Updated page on my contributions

I have updated my various contributions.

My presentation on the Children’s Code

As part of my secondee role as an Engagement Specialist at the ICO, I presented the Children’s Code at the Data Protection Forum on 1st June 2021. I’m sharing the slides here.
Children’s Code slides presented at the Data Protection Forum, June 2021

My talk on the Children’s Code

Welcome to browse on the BCS website for further details and also you can download the presentation slides (pdf).

R.I.P. my dearest friend

SMO v TikTok

On BBC news: TikTok faces legal action from 12-year-old girl in England.

SMO v TikTok judgment

Some interesting remarks/statements – additional info/comments enclosed in brackets () and italics- are extracted from the Judgment:

‘This is a pre-action application for anonymity on behalf of a child claimant in an intended claim for breach of privacy‘.

‘The papers explained that the urgency stemmed from the fact that the end of the Brexit transition period on 31 December 2020 will bring about changes in the law which are, or are at least said to be, relevant to the intended claim. One change relates to the GDPR. It is said that under the law as it stands before the end of the period this Court has jurisdiction over that aspect of the claim and over the Second Intended Defendant, which is a company registered in England and Wales. The position from 1 January 20201 is “less clear”; jurisdiction will be decided on the basis of the common law rules “which may prejudice the ability of the claimant to bring the claim and/or defend any jurisdictional challenge brought by the Intended Defendants (i.e. defendants outside UK. What about the UK GDPR?)’.

‘Some of the claimant’s paperwork devotes attention to the importance of keeping the claimant’s address a secret. I do not regard that as an issue of particular significance in the context of this case. It is said that its disclosure might give rise to a risk of harm, regardless of the facts of the case, as it would increase the risk of attention from people who intend the claimant serious harm. That appears to me to be unsupported by the evidence. In any event, the claimant’s address is not a weighty aspect of open justice, save in so far as it may lead to the identification of the claimant. The real issue is whether the claimant should be identified. If not, an order for non-disclosure of the address would seem to follow.

‘The common law exceptions did not include the rights or interests of children, other than in the context of wardship. But by virtue of the Human Rights Act 1998 there is now, effectively, a statutory exception. The Court must act compatibly with the Convention Rights, including the right to respect for private life protected by Article 8. And Article 6 provides that the general rule of open justice may be departed from
“where the interests of juveniles or the protection of the private life of the parties so require.” This does not provide any automatic protection for children, regardless of the circumstances: see ZH (Tanzania) v Secretary of State for the Home Department [2011] UKSC 4 [46] (Lord Kerr), ETK v News Group Newspapers Ltd [2011] EWCA Civ 439 [19] (Ward LJ). A balance must always be struck, and attention must be paid to the specifics of the individual case, not just generalities. But, as Mr Ciumei QC has pointed out in presenting his client’s case, Article 3(1) of the United Nations Convention on the Rights of the Child and other international and domestic instruments require the Court to accord “a primacy of importance” to the best interests of a child: ZH (Tanzania) ibid. (NB: UNCRC Art 3(1) provides the balancing or tipping act when it comes to a child’s privacy rights).

‘It is reasonable to suppose that some of that attention would be focussed on the claimant, if their identity was known. But that is not enough of itself to justify anonymity. Nor is the mere fact that the claimant is 12 years old. It is necessary to consider the nature of the likely attention, and the harm that it could cause. (NB: the likely attention is a trigger for harm).

‘The Commissioner’s witness statement identifies a risk of direct online bullying by other children or users of the TikTok app; and a risk of negative or hostile reactions from social media influencers who might feel their status or earnings were under threat. Both appear to me to be realistic assessments. That is not to say that such behaviour is inevitable, but it is reasonably foreseeable. (NB: risk associated with social media influencers).

‘…the intended claim involves serious criticisms of what may be key aspects of the platform’s (TikTok) mode of operation’

‘I accept the Commissioner’s evidence that children are particularly sensitive to the sort of attention and scrutiny to which she has referred, and that such attention can have a marked and detrimental impact on a child’s mental health, and emotional and educational development. I would characterise the risk of harm as significant

‘The assessment of the parents deserves respectful attention.’

‘The main characteristics of importance appear to be age and use of TikTok, and those are shared with all the represented parties. The evidence is that the damages claim will not be peculiar to the circumstances of the claimant, as for instance with a claim to compensate for distress. As in Lloyd v Google, the claim will be for a standard “tariff” figure to compensate the claimant and each of the represented parties for the abstract “loss of control” over personal data. In all likelihood, the main focus of attention for those who wish to understand and scrutinise the workings of the justice system in the intended litigation will be the activities or alleged conduct of TikTok and the role of the defendant companies in its operation’.

‘…if the Court required the claimant to be named that could have a chilling effect on the bringing of claims by children to vindicate their data protection rights. On that footing, the grant of anonymity supports the legitimate and important aim of affording access to justice, and the order is necessary in order to secure the administration of justice.’

Significant events in 2020

Today is 1st January 2021 and my 1st 2021 YouTube song is ‘Auld Lang Syne‘. Somehow my new year eve was ‘quiet’ (except for the fireworks in my neighbourhood) without TV news etc. I cancelled my TV license in early 2020 mostly to avoid too many Covid related news/stories and repeats. Although I have Netflix account, somehow, I ended up watching lots of Chinese historical dramas on YouTube and various Chinese video streaming sites. A drama which started my crazy binge-watching during 2020 lockdown was ‘The Untamed’. Besides watching the drama 2x, I also discovered that there were interesting fans related or fans connected issues – involving ‘infighting’ between fans or mobs of one of the lead actors in ‘The Untamed’. Like most social media reported events, the actual stories that triggered the infighting between fans are difficult to pinpoint. However, the scale of the infighting – the so-called AO3 (fan friction site) or 227 incidents – resulted in the Chinese government banning/shutting/taking down the fan sites. It’s interesting to note that the AO3 events were triggered in early 2020 well after the release of ‘The Untamed’ and the consequences of the fans infighting escalated during the spread of the virus/Covid-19. It’s hard to imagine what it’s like being a victim caught in the crossfire in the fans friction kingdoms. There are some reported unintended consequences of the pre-and post-taking down of AO3, which the reports themselves read like fan friction but are real events involving real people.

At a personal level, 2020 is the year I started (& ended on New Year’s Eve!) binge-watching Chinese historical dramas :-) . Now I can resonate with the (Chinese dramas) fans and the power of fandoms and social media. It is so easy to get hooked or become addicted in a ‘nice’ and/or a less ‘nice’ addictive way to anything (online or offline) which grabs one’s attention like binge-watching over 40 episodes of dramas without a care of what’s going on around you. I guess one can call this a form of escapism from reality or escape into another world or kingdom – one which gives us momentary or flickering or fleeting fun/pleasure/solitude or whatever one is seeking or desiring. In my case, I happen to love Chinese culture – the language, the colourful and intense portrayal and interweaving of stories with the dramatic background, landscapes, costumes and the amazing acting and beautiful music (e.g., the music and songs in ‘The Untamed’ are simply hauntingly beautiful).

So, my 2021 resolution is no more binge-watching of Chinese historical dramas. Instead, I’ll be exploring the world of online games or gaming. Mmm… is gaming (like gambling?) ‘binge-playing’ of games? This new exploratory into online games started in late November 2020 when I started a secondment role with the Information Commissioner’s Office (ICO). The secondment title is ‘Engagement Specialist’ for the #Age Appropriate Design Code (The #Children’s Code). More information at Children’s-Code-hub.

In ushering in 2021, I can only hope that the significant life-changing 2020 events e.g. Covid-19 lockdown, binge-watching, Brexit, privacy and contact tracing, will be kinder or less significant in 2021 to me and others.

Happy binge-playing!

Anonymisation Decision-making Framework

I’ve received the following announcement from the team at UKAN, University of Manchester:

Just to let you know that the second edition of the Anonymisation Decision-making Framework has now been published.

The Framework has been given a significant overhaul and for the first time there is a systematic method for evaluating your data environment.

You can download the new book and the companion documents from here:

Many thanks to Prof Mark Eliot for sharing the book and the various companion documents.

From (Schrems): steps for EU companies

Following from the CJEU’s judgment on EU-US data transfers (SchremsII), Schrems has posted comprehensive steps and FAQs on

I tweeted the news on 24th July 2020:

International data transfer

I just browsed #Schrems on my twitter streams. We now have a sequel to SchremsI – SchremsII came into force on 16 July 2020. Never a dull day when it comes to human rights and fundamental freedoms especially when such inalienable rights shine as actionable rights against other ‘rights’.

The CJEU’s judgment and the press release have been summarised by various folks. The essence of #SchremsII – extracted from Center for Democracy & Technology:

  • The safeguards provided by U.S. laws on the access and use by public authorities of data transferred from the European Union do not satisfy the requirements of EU law because, among other things, they do not grant European citizens actionable rights against the U.S. authorities.
  • Even if the Standard Contractual Clauses (SCCs) remain valid, the competent national data protection authorities are required to suspend or prohibit a transfer of personal data to the U.S. where U.S. law fails to appropriately protect Europeans’ personal data.
  • No doubt international data transfer or international trade will continue to flow (and flourish) even without Privacy Shield as there is still GDPR Article 49. Data transfer has to be read in terms of adequacy, derogation, surveillance and also trade politics.

    For now, our inalienable rights shine until another round of drama in the courts.