Re-identifying folks from anonymised data will be a crime in the UK

The British government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities. The plans will be set out in the Blighty's Data Protection Bill – due to be introduced to Parliament next month – and could see an unlimited fine levied on …


  1. Falanx

    Let's see HMRC lead by example to the required standard, shall we?

  2. Anonymous Coward

    Oh good

    So encrypted traffic which is essentially anonymised data is safe? Are they cancelling out their own snoopers charter?

    Or are we heading for a standard "ah well, no, in that circumstance...terrorism...drugs...the children!"

    1. Doctor Syntax Silver badge

      Re: Oh good

      "Are they cancelling out their own snoopers charter?"

      Well, the document says "Our vision is to make the UK the safest place to live and do business online. With the increasing volumes of personal data there is an increasing need to protect it." so they'll have to, won't they? Won't they?

    2. CrazyOldCatMan Silver badge

      Re: Oh good

      encrypted traffic which is essentially anonymised data is safe

      Encryption != anonymisation.

      (I understand that you were trying to make a point about the snoopers charter - however, it's much more helpful to make a point that's supported on a solid foundation and not an error.)

      1. Anonymous Coward

        Re: Oh good

        @CrazyOldCatMan

        I see where you're coming from. However...

        It is essentially anonymised if more than one person uses the associated internet connection and/or encrypted service.

        You can't specifically attribute an encrypted data stream to a specific person without decrypting the data.

        Just because X person is paying for a VPN service doesn't mean they are the sole consumer of it.

        Case in point, Daddy might pay for VPN services to protect his family and route all traffic over it using OpenWRT. Guests might visit and use his wifi.

        Coincidence != Causality.

        The only way to know for sure (if the VPN service is outside appropriate jurisdictions) who is doing what is to decrypt (and therefore deanonymise) the traffic.

  3. Jediben

    Looking forward to consent Ping-Pong, where oblivious users will grant permission via installing an app and accepting terms to harvest data, then reading about it in the newsfeed of said app, withdrawing consent and then immediately granting it again when they open the app once more...

    1. israel_hands

      RE "permission ping-pong"

      It shouldn't work out like that. Under GDPR if you don't choose to grant permission then they can't use that as a reason to refuse you access to the service, except where such permission is absolutely required to provide the service.

      So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house, but Google can't refuse to let you use their search if you refuse to allow them to harvest your data.

      Interesting times ahead, depending on how this all shakes out, but it has the potential to properly bugger up entities which make their money solely out of harvesting user data. In my opinion, that's no bad thing, and the new regulations appear to have been well-written enough that they don't leave any obvious loopholes like the whole "implied consent accept our cookies" bullshit that plagued the last iteration.

      1. Doctor Syntax Silver badge

        "So, Amazon can refuse to deliver a parcel to you if you refuse to share your address, because without knowing your address there's no way for them to deliver to your house"

        Actually they could deliver a parcel to an Amazon locker without knowing your home address so they couldn't actually refuse to do business on that account.

        1. israel_hands

          You're entirely correct, but you're also agreeing with me. Note that I specifically stated they could not deliver to your home address without knowing it.

          GDPR states that if it isn't necessary (and your locker example is a good illustration of that) then they can't refuse to take your order without that information.

          There may be an issue where billing address is required for card validation but if you were paying with a voucher then that wouldn't be relevant.

      2. CrazyOldCatMan Silver badge

        but it has the potential to properly bugger up entities which make their money solely out of harvesting user data

        Please, please - I really, really hope it does this. But it does need for everyone to at least understand the basics of GDPR (or at least the UK version) and to make sure that they hammer the organisations that fail.

        Maybe it's something that should be taught at school - preferably by someone who knows about the subject and not by a harassed and overwhelmed teacher delivering a lesson plan that they've never seen before.

    2. streaky

      where oblivious users will grant permission via installing an app and accepting terms to harvest data

      Terms like that tend to be inherently illegal in UK contract law, terms would stick as if the illegal part doesn't exist.

      1. Fink-Nottle

        >where oblivious users will grant permission via installing an app and accepting terms to harvest data

        "by clicking this link you agree that your data will not be anonymised, thus protecting you from cyber-criminals who wish to re-identify individuals from anonymised data."

        I am confident my mum would click that link ...

  4. Alister

    The government is planning to impose criminal sanctions on people who intentionally re-identify individuals from data that should have protected their identities.

    And what about companies and corporations who do it?

    It's most unlikely that individuals will be the worst culprits.

    1. Anonymous Coward

      Companies and corporations are people (legal persons) too in the eyes of the law.

      But really there will have to be lots of get-out clauses for this because otherwise it will hamstring all sorts of very nice people who are trying to keep us and our children safe.

    2. Doctor Syntax Silver badge

      "And what about companies and corporations who do it?"

      I'd hope that criminal sanctions would apply to officers of the company who sanction it. Even the most eye-watering fines found only rebound on a CEO by their being sacked. Jail time would be a much more effective deterrent.

      1. Ken Hagan Gold badge

        "Even the most eye-watering fines found only rebound on a CEO by their being sacked."

        Define "eye-watering". I bet if I cost my company a "ten years' profit" fine, not only would I be sacked but also I wouldn't get the golden parachute and nor would I be offered the chance to walk straight into another job.

        1. Alan Brown Silver badge

          > Define "eye-watering".

          A long time ago in another country, the CEO of a company I worked for sent out this message:

          "I have no desire to go to jail for something one of my staff has done, therefore I wish to state in no uncertain terms that in light of recent legislation, undertaking the following activities is expressly prohibited for employees of this company at any level from the coalface to the boardroom."

          That's the kind of thing that gets attention.

  5. Vimes

    Existing law is rarely enforced in the UK. Just look at the farce that was the Google/NHS trials if you want one example, or the ICO's failure to act when 3UK proposed giving Shine/Rainbow the browsing habits of their customers.

    Huge fines have already been available for quite some time but the ICO seems to prefer using their toothless 'undertakings', and even getting that far seems to take an inordinate amount of effort.

    As for criminal offences, it might be worth remembering that the City of London Police were wined and dined by the very people that happened to be the subject of one of their investigations (Phorm) before conveniently closing it without prosecuting anybody.

    Forgive me if I fail to see anything changing any time soon.

    Why should those flouting the rules now be any more less confident about breaking them when GDPR/data protection bill comes into force? The price of avoiding justice seems to be little more than that of a good meal. We also have a regulator so keen to avoid enforcement that it's difficult to stop from asking ourselves why we should bother with them.

    P.S. 'cmomitting'?

    1. Teiwaz

      City of London Police

      Surely being 'wined and dined' constitutes community Policing outreach? - The whole thing reminds me of the Comic Strip's 'Didn't you kill my brother'...

      I suspect the law will as usual only apply to the 'people' who actually have a vote but less say.

    2. Adam 52 Silver badge

      What El Reg missed, but the BBC noted, was that the GDPR right to take collective action has been omitted from the proposal. It's fairly obviously missing in the linked doc.

      So enforcement by consumer groups is dependent on the outcome of the Brexit negotiations. Otherwise it's little old you vs Google, and how do you think that will go?

      1. Doctor Syntax Silver badge

        "Otherwise it's little old you vs Google, and how do you think that will go?"

        Maybe you should ask Max Schrems that.

  6. Anonymous Coward

    Somewhat typical of this country to spend a lot of government time implementing new EU regs having already decided to leave the EU.

    1. Anonymous Coward

      I didn't vote to leave the EU, but I welcome this new UK law.

    2. insane_hound

      This is one of those situations where if we want to continue to transfer information between our companies and EU companies, we need to have regulations similar to GDPR.

    3. ArrZarr Silver badge

      This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced. Not being part of the EU means that we'll actually need to meet their standards for data protection for the "free flow" of data with the EU to continue.

      1. Adam 52 Silver badge

        "This seems like the best thing to come out of Brexit so far to me"

        It's the UK implementation of the EU's GDPR for heaven's sake. It's happening because of the EU and absolutely not because of Brexit.

        Same as pretty much all of our recent consumer protection legislation.

        1. Anonymous Coward

          consumer protection legislation

          Same as pretty much all of our recent consumer protection legislation.

          There is a difference here. The consumer protection stuff is an EU directive, which means that national parliaments are required to transpose it into national law. Some enact laws that go further than the directive, as the UK did for consumer protection. UK consumer protections go beyond the EU-mandated minima.

          GDPR is a Regulation, it is an EU law that is binding as-is on all EU members without any national legislation being required.

      2. Doctor Syntax Silver badge

        "This seems like the best thing to come out of Brexit so far to me, provided it actually gets enforced."

        It only "comes out of Brexit" in the sense that without Brexit there'd be no need for an act; GDPR would apply automatically - and would do so from between May and Brexit without the Act.

        1. Fred Dibnah

          So Brexit means the UK has to spend time/money drawing up a new law, when without Brexit it could have simply implemented the EU law. Doesn't sound like a good deal to me.

          1. Phil O'Sophical Silver badge

            Doesn't sound like a good deal to me.

            True. In fact, we could just get rid of Westminster altogether, and drop the keys to N°10 off in Brussels, think how much time/money we'd save then.

            Hell, I bet even the trains would run on time.

            1. strum

              >In fact, we could just get rid of Westminster altogether,

              Fine by me. Strasbourg is much more democratic.

              1. Phil O'Sophical Silver badge

                Strasbourg is much more democratic.

                I'm genuinely curious about how you define "democratic".

                The European parliament has 751 members, elected last time round by only 42% turnout, much lower than most national elections. The number of MPs from each member is inversely proportional to the population, smaller countries have more MEPs per head than large ones and hence more weight.

                It can't decide to make law, it has to wait for the Commission to do that, after which the parliament can only change or reject it. It spends a fortune of taxpayers' money every month switching between Brussels and Strasbourg to avoid upsetting the French even though most MEPs would prefer to be based solely in Brussels, but that would be vetoed by France.

                Frankly it's more like a company board than a parliament, I'd argue that most national parliaments, and regional assemblies, are more democratic and more representative of their constituents than it is.

    4. Phil O'Sophical Silver badge

      having already decided to leave the EU

      This has nothing to do with membership of the EU, but concerns countries where data on EU citizens is processed. Even the US will have to respect GDPR if it wants to handle data on European citizens.

      1. Lotaresco

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        And will be subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit. Another U-turn looming there.

        1. Phil O'Sophical Silver badge

          subject to the ECJ, something which Weak and Wobbly May has claimed will not happen to the UK after Brexit.

          The ECJ rules on EU law. Doesn't matter where the parties involved are, it's the law in question that's the decider. Nothing about Brexit was ever going to change any of that, if you thought someone said otherwise then you misunderstood. Where the UK replaces EU law by UK law, the ECJ will not have jurisdiction. Where the UK is still affected by EU law, such as in dealings with EU countries, the ECJ will have jurisdiction. Just as it does for US, Chinese, and any other non-EU country that deals with the EU.

      2. Doctor Syntax Silver badge

        "Even the US will have to respect GDPR if it wants to handle data on European citizens."

        Quite so. What are they doing over there to provide similar legislation? Or is any UK or EU company using US data processing services going to have to cross their fingers every time they say they're compliant?

    5. JohnMurray

      If they don't implement the EU GDPR in some way, then the EU data will not come here!

      Trade will cease...

    6. Anonymous Coward

      Here come the Brexitards...

  7. Anonymous Coward

    "Except when we do it."

    1. wolfetone Silver badge

      "Do as we say, not as we do."

  8. Anonymous Coward

    IP Addresses

    The IP address stipulation is moronic.... exactly like you'd expect from this government.

    If someone accesses my servers for whatever reason, a legitimate right exists to retain the source used to connect from, and share and process it as necessary.

    1. Anonymous Coward

      Re: IP Addresses

      Umm, so does that mean using WHOIS will be illegal?

      1. TRT Silver badge

        Re: IP Addresses

        I do feel a little bit exposed in that my personal details are freely available from the domain registration service.

        1. CrazyOldCatMan Silver badge

          Re: IP Addresses

          I do feel a little bit exposed in that my personal details are freely

          Then ask them to be hidden. You have to provide them, but you can ask for anything other than your name to be not publicly available.

          And this has been the case for quite a few years - but scum DNS Registrars (GoDaddy - I'm looking at you) don't necessarily tell people.

      2. Adam 1

        Re: IP Addresses

        > Umm, so does that mean using WHOIS will be illegal?

        Real people do not need WHOIS.

    2. TRT Silver badge

      Re: "...and share and process it as necessary"

      Well, not per se under existing law.

      Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PII, however when used in combination with other data sources the resultant information could be used to identify an individual.

      However, insofar as you don't use it to attempt to extract or compile PII, then existing law has determined that an IP address is not PII in itself. Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along. Why this particular item has to be specifically included rather than the USE of this information being legislated is just beyond me. Far more personally identifiable is the MAC address, and if THAT is not specifically mentioned in the law... I mean, that's a hole the size of Kansas. But Mme May was notorious for that kind of sloppy thinking and lack of technical understanding when she was home secretary... I don't think she'll hold her successors to a very high standard of competence.
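The point made in the comment above, that a field which is harmless on its own becomes identifying once combined with other columns, is something a data controller can measure before releasing a dataset rather than argue about afterwards. The Python below is an added example, not code from the article or from any commenter: it takes a constructed, hypothetical release (direct identifiers already removed, assumed column names) and computes k-anonymity over the quasi-identifier columns, lists the combinations that single out exactly one person, and then applies the two standard mitigations, generalisation and suppression, until every remaining row shares its quasi-identifiers with at least k-1 others.

```python
"""Measure and reduce re-identification risk in a 'de-identified' release.

Added example (not from the article or the commenters). The rows, column
names and the k threshold are constructed assumptions for illustration.
"""
from collections import Counter

# Constructed release: name, address and IP already stripped, but columns that
# also appear in other sources (electoral roll, public registers) remain.
RELEASE = [
    {"postcode_area": "SW1", "birth_year": 1980, "sex": "F", "diagnosis": "asthma"},
    {"postcode_area": "SW1", "birth_year": 1981, "sex": "F", "diagnosis": "flu"},
    {"postcode_area": "SW1", "birth_year": 1984, "sex": "F", "diagnosis": "migraine"},
    {"postcode_area": "N1", "birth_year": 1975, "sex": "M", "diagnosis": "flu"},
    {"postcode_area": "N1", "birth_year": 1979, "sex": "M", "diagnosis": "flu"},
    {"postcode_area": "E2", "birth_year": 1992, "sex": "M", "diagnosis": "asthma"},
]

# Assumed quasi-identifiers: not identifying alone, identifying in combination.
QUASI_IDENTIFIERS = ("postcode_area", "birth_year", "sex")


def equivalence_classes(rows, quasi=QUASI_IDENTIFIERS):
    """Group rows by their quasi-identifier tuple; returns {tuple: count}."""
    return Counter(tuple(row[q] for q in quasi) for row in rows)


def k_anonymity(rows, quasi=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means someone is unique."""
    classes = equivalence_classes(rows, quasi)
    return min(classes.values()) if classes else 0


def unique_rows(rows, quasi=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that single out exactly one person."""
    return sorted(key for key, n in equivalence_classes(rows, quasi).items() if n == 1)


def generalise_birth_year(rows, bucket=10):
    """Coarsen birth_year to a decade (1984 -> 1980); returns new rows."""
    out = []
    for row in rows:
        new = dict(row)
        new["birth_year"] = (row["birth_year"] // bucket) * bucket
        out.append(new)
    return out


def suppress_small_classes(rows, k, quasi=QUASI_IDENTIFIERS):
    """Drop rows whose class is still smaller than k; returns (kept, dropped)."""
    classes = equivalence_classes(rows, quasi)
    kept = [row for row in rows if classes[tuple(row[q] for q in quasi)] >= k]
    return kept, len(rows) - len(kept)


def anonymise(rows, k=2):
    """Generalise first (cheap), then suppress what is still unique."""
    generalised = generalise_birth_year(rows)
    kept, dropped = suppress_small_classes(generalised, k)
    return {"k": k_anonymity(kept), "rows": len(kept), "suppressed": dropped}


if __name__ == "__main__":
    print("raw k =", k_anonymity(RELEASE))
    print("unique combinations:", unique_rows(RELEASE))
    coarse = generalise_birth_year(RELEASE)
    print("after generalising birth year: k =", k_anonymity(coarse),
          "still unique:", unique_rows(coarse))
    print("after suppression:", anonymise(RELEASE, k=2))
```

On the constructed rows every record is unique on the raw quasi-identifiers (k = 1), generalising birth year to a decade leaves one person still unique, and suppressing that row gives a k = 2 release of five records. The trade-off is the usual one: each step reduces re-identification risk at the cost of utility, and the check has to be rerun whenever a new column is added to the release.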

      1. Phil O'Sophical Silver badge

        Re: "...and share and process it as necessary"

        Klimas v Comcast 2003 and Robinson v Disney 2015 both ruled that the IP address alone is not PI

        GDPR, however, explicitly says that it is.

        1. TRT Silver badge

          Re: "...and share and process it as necessary"

          From REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL - (30) "Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

          The GDPR definition is not in any way at odds with the existing body of law. It imposes upon a data controller an obligation to consider the implications to the end user of their storage of the information. It leaves the actual day to day implementation of techniques compatible with the law up to future adjudication to decide. GDPR also explicitly defines sensitive information rather than just personally identifiable information; a higher standard applies to these data.

          How the UK's Act will be worded remains to be seen. The devil is in the detail.

          1. Anonymous Coward

            Re: "...and share and process it as necessary"

            How the UK's Act will be worded remains to be seen. The devil is in the detail.

            Not just the wording of the relevant acts, but interpretation and enforcement by the regulator. The significant sounding fines under GDPR are a maximum, and the term "up to" usually includes the value of zero.

            I expect post GDPR data protection to continue to be a concern for SMEs and mid-sized listed corporations, whilst the US-based mega corps are let off the hook time and again (or fined sums that are a flea bite in their enormous, tax-avoiding profits).

      2. Doctor Syntax Silver badge

        Re: "...and share and process it as necessary"

        "Typical, of course, of this Government to actually ignore the existing body of law and simply make stuff up as they go along."

        Parliament is sovereign. If they pass a Bill to designate IP addresses as being entitled to the same protection as PII they can do so.

        I'd expect that attempting to use an IP address on its own to identify a user in court would still be fraught with the same problems as at present.
