According to press coverage, the recent theft of vouchers from 2000 Tesco on-line customers was based on the collation of data already available over the darker parts of the Internet. So what should Tesco have notified, to whom, under the EU Data Protection Directive and Regulation currently under discussion, since it had no “breach” of its own to notify?
Over half of all on-line transactions are now via mobiles, increasingly “infected” with apps (many from bucket shops in Florida) which not only capture what you key in but also use the camera to view your banking transactions. Their “surveillance” is a greater threat to most of us than anything the NSA might, or might not, do, including via Angry Birds (and the NSA’s most cost-effective use of taxpayers’ funds).
Once again, who should notify what, and to whom?
The EU is pressing ahead with a new Data Protection Directive and “Regulation”, both fine-tuning approaches designed for the age of mainframes – as relevant to the privacy of the users of today as using the 1896 Infantry Manual (instead of the 1911 Manual) was for Kitchener’s New Army of 1916. In parallel it has an equally well-intentioned, but also equally flawed, Directive concerned with Network and Information Security and an Electronic Identity Regulation supported only by those seeking to promote services which no-one will trust with their own money.
I was dismayed at the lack of response at the PICTFOR meeting on 4th February when Bill Cash MP, chairman of the European Scrutiny Committee of the House of Commons, delivered a robust call for industry to help with inputs to help improve the legislation coming out of Brussels. Yesterday at the UK Internet Governance Forum a very good point was made on the need to subject the US based filtering operations (on which those implementing UK Child Protection Policy place such dependence) to local scrutiny. Meanwhile the EU is pressing ahead with policies which (by driving major operations off-shore) will decrease rather than increase such scrutiny, leaving only the supervision of the Irish Data Protection Commissioner for those running their EU operations via Dublin instead of Luxembourg.
I am delighted to note that the Digital Policy Alliance now has increasingly strong groups bringing together some of the major players (professional bodies, trade associations and those with large numbers of customers across Europe who will be made less competitive with the rest of the world), helping UK officials and Ministers and also MEPs, with informed scrutiny in all three areas, including in the context of attempts to make a reality of the Digital Single Market. My successor has succeeded where I failed, in getting major players to work together across sector boundaries.
In just under a fortnight, the DPA plans to bring together players for the launch of a new group to look at how the Network and Information Security Directive can be focussed on that which could and should be done at EU level, without distracting effort into tick box activities which are irrelevant to improving practical co-operation. This first scoping meeting will almost certainly be for members and guests. Those who are serious about working together to ensure effective political action to help improve the safety of themselves and their customers, as opposed to bleating afterwards about another layer of irrelevant overhead, should therefore get their membership applications in now. The subscription charges have not increased in over a decade. They are now much better value than when I was Secretary General and it was called EURIM (European Informatics Market) and failed to live up to its name because …. But that is another story and we need to look forward, not back … before it is too late.
For those who want a more public debate, there are still some places at the Real Time Club dinner debate next week. I have just taken a sneak look at who has booked so far. We are in for a lively evening.