Information Law & Policy Centre Blog

Subscribe to Information Law & Policy Centre Blog feed Information Law & Policy Centre Blog
Information law and policy research at the Institute of Advanced Legal Studies
Updated: 28 min 19 sec ago

Fixing Copyright Reform: How to Address Online Infringement and Bridge the Value Gap

Thu, 06/09/2018 - 10:24

In the following piece, Christina Angelopoulos (Lecturer in Intellectual Property Law at the University of Cambridge and Associate Research Fellow at the Information Law & Policy Centre) and João-Pedro Quintais (Postdoctoral Researcher and Lecturer, Institute for Information Law (IViR), University of Amsterdam) consider how to improve EU copyright reform to address online copyright infringement. The post was originally published on the Kluwer Copyright Blog.

1. Introduction

In September 2016, the European Commission published its proposal for a new Directive on Copyright in the Digital Single Market, including its controversial draft Article 13. The main driver behind this provision is what has become known as the ‘value gap’, i.e. the alleged mismatch between the value that online sharing platforms extract from creative content and the revenue returned to the copyright-holders. Yetas many commentators have argued, the obligations introduced by the proposed text are incompatible with existing EU directives, as well as with the EU Charter of Fundamental Rights, as interpreted by the CJEU. It thereby risks creating more legal uncertainty than it resolves.

We suggest that the proposal additionally suffers from a more fundamental shortcoming: it misconceives the real problem afflicting EU copyright law, i.e. the proliferation of copyright infringement online in general, not only through Web 2.0 hosts. This problem is compounded by an increasingly outdated EU copyright framework: currently, this allows infringing end-users to hide behind their online anonymity, while failing to provide any mechanism for the compensation or remuneration of right-holders for the infringements these users commit. Faced with this impasse, right-holders have shifted their focus to internet intermediaries. Yet, while the CJEU’s recent case law has waded into the tricky area of intermediary liability, no complete system of rules determining what obligations intermediaries have to prevent or remove online copyright infringement currently exists at the EU level.

Absent a more stable legal basis, targeted superstructure initiatives such as the current proposal are set up for failure. If EU copyright law is to be reformed, it is on these crucial weak spots that proposals should focus. To address them, we suggest an alternative approach that better tackles the problem of the unauthorised use of protected content over digital networks. Our proposal is two-pronged, consisting of: a) the introduction of a harmonised EU framework for accessory copyright liability; and b) the adoption of an alternative compensation system for right-holders covering non-commercial direct copyright use by end-users of certain online platforms. As we explain below, this solution avoids the difficulties encountered by the current reform proposal, while successfully targeting the copyright framework’s real failings.

2. A Better Way Forward: A Two-pronged Approach to Online Infringement

2.1. Harmonisation of Accessory Copyright Liability

One of the most prominent gaps in EU copyright law is the lack of a harmonised regime for accessory liability. In view of the ubiquity of intermediation in internet-based communications, this fragmentation is particularly problematic for online infringement. Introducing a harmonised solution would thus enable addressing such infringement, helping to resolve the ‘value gap’ controversy.

The big question, of course, is how to shape such a harmonised accessory liability framework. Helpfully, the case law of the CJEU has indicated the way forward. Instead of reinventing the wheel, we suggest that the EU legislator should take its cue from that case law.

In its recent decisions on communication to the public, the CJEU has emphasised the need both for an ‘act of communication’ and for that act to be done with some level of knowledge. Following this lead, a future EU intermediary liability copyright regime would have to comprise what we have termed a ‘conduct element’ and a ‘mental element’. While the first would focus on whether the defendant’s behaviour has contributed to an infringement, the second would consider their mindset. Where at least one of the elements is absent, the defendant should be absolved from liability. If both are satisfied, either the defendant should immediately be held liable for the infringement or they should be placed under an obligation to take appropriate action.

●      The Conduct Element of Accessory Liability

The CJEU’s decisions on the notion of an ‘act of communication’ are helpful in indicating the appropriate threshold for the conduct element. In recent years, the Court has taken an expansive approach, focusing on what it has termed ‘interventions to give access’. While initially it required that such interventions be ‘indispensable’ for the dissemination of the work to third parties, eventually, in Ziggoit broadened the notion to include any intervention without which the public would be able to enjoy the work ‘only with difficulty.’ This is in contrast to Recital 23 of the InfoSoc Directive, according to which the right of communication to the public should not cover any acts other than ‘transmissions or retransmissions’.

Following the CJEU’s model, we suggest that the ‘conduct element’ should incorporate any non-minimal participation in the copyright infringement of another party. All that is required is that, without the defendant’s involvement, ‘in principle’ infringing would be ‘more complex’. We consider that this permissive approach is appropriate. In our view, it is the defendant’s state of mind that should determine which conduct elements give rise to accessory liability.

●      The Mental Element of Accessory Liability

In addition to ‘acts of communication’, the case law of the CJEU has emphasised that a mental element must also be present. So far, the mental element has only been mentioned by the Court in accessory liability cases. It is reasonable to assume this limitation will be maintained in future, preserving the ‘strict’ nature of primary copyright liability. The result would be a divide between classic ‘transmission’ cases (governed by Recital 23), for which no mental element is necessary, and ‘intervention short of transmission’ cases, where a mental element would be required.

Two main types of mental element exist: intent and knowledgeGS MediaFilmspeler and Ziggo all indicate that the lower standard of knowledge of the primary infringement should suffice.

Further than this, we suggest that both specific and general knowledge should be accepted. Historically, national European courts have tended to opt for the stricter ‘specific’ approach; however, with the rise of modern technologies, a relaxing of the standard towards ‘general’ knowledge is suitable. Notably, in Ziggo, general knowledge that the defendant’s services were used to provide access to works published without authorisation from the right-holders was deemed sufficient by the CJEU.

Similarly, given the oft-referenced objective of EU copyright law to provide right-holders with a ‘high level of protection’, our proposal suggests that both actual and constructive knowledge should be acceptable. After all, GS Media imposed liability where the provider of a hyperlink ‘knew or ought to have known that the hyperlink he posted provides access to a work illegally placed on the internet’. At the same time, the wording ‘ought to have known’ carries real meaning: the accessory cannot be expected to go to unreasonable lengths to uncover infringements. Most importantly, the general monitoring prohibition of Article 15 of the E-Commerce Directive (ECD) must be respected, as must the limits set by the Charter of Fundamental Rights of the EU. An accessory cannot be said to have constructive knowledge where that knowledge could only be acquired through monitoring its entire platform.

●       The Violation of a Reasonable Duty of Care

The scope of the mental element should affect the consequences for the defendant where both the conduct and mental elements are present. The CJEU is again helpful here: while in GS Media, where only knowledge was considered, the Court indicated that a notice-and-takedown framework might apply to hyperlink providers, in Filmspeler and Ziggo, where there were indications of intention, this option was not discussed.

We propose that this approach be further pursued in EU accessory copyright liability. A sensible framework would require that, if an accessory intended an infringement, its behaviour should be by definition unacceptable. Liability should therefore ensue. On the other hand, if the intermediary only has knowledge of the infringement, the violation of a duty of care must first be established.

The type of duty should depend on the type of knowledge. So, as in GS Media, if the intermediary has specific knowledge of an infringement it has through its conduct supported, it will be reasonable to expect that it remove it. Depending on the circumstances, other measures (including preventive ones) might also be appropriate, e.g. the suspension of repeat infringers, notifying the authorities or the provision of identifying data on the user to the authorities. On the other hand, if the intermediary has only general knowledge of mass infringements using its systems, the removal of content would require unacceptable general monitoring. As a result, other measures must be considered. The posting of warning duties is an obvious candidate.

Where the accessory fails to take the measures due by it, assuming it had the ability to take those measures or at least ought to have ensured that it had that ability, it should be held liable. If the intermediary did not take the appropriate measures that would have been expected of it on a flagrantly persistent basis, intent may also arguably be inferred.

Undoubtedly, this system alone would not give right-holders the tools to eliminate online copyright infringement. An EU regime for accessory copyright liability can only offer part of the answer. If no liability can reasonably be imposed on the intermediary, attention should then shift to the primary liability of infringing end-users.

2.2. An Alternative Compensation System for Content-sharing Platforms

By itself, the harmonisation of intermediary liability is not a complete solution to the problem of online infringement. As such, more novel approaches are necessary. Building on precedents with a long tradition in copyright law, such as continental European private copying schemes, one such possibility is the adoption of a system that replaces direct authorisation of certain types of online activities with a scheme for licensing such use and ensuring remuneration to right-holders. In the current ‘value gap’ debate, a number of authors and policy makers have been calling for similar solutions as a supplement to the harmonisation of certain aspects of intermediary liability (see e.g. hereherehere, and here). Our proposed ‘alternative compensation system’ goes in a similar direction.

  • Statutory License and Mandatory Exception

The system we envisage involves a statutory license based on a mandatory exception for individual online users that covers the non-commercial use of works on user-generated content platforms (‘content-sharing platforms’). The exception directly covers and authorizes acts by individual natural persons who are end-users of such platforms. It would enable users that meet its conditions to freely upload and share content with legal certainty, without the risk of filtering or removal. Right-holders (and especially creators) would benefit from a clearer set of legal rules and, as explained below, an additional stream of rights revenue. The exception would also indirectly benefit certain content-sharing platforms, as it heightens the threshold required for a finding of knowledge or intent of infringement by the platform as regards uses outside the exception.

Compared to the value gap proposal, our system would also increase legal certainty for platforms by clarifying their liability for acts of their users, while preventing the extension of the exclusive right to their normal activity of encouraging/supporting online user creativity. For exempted acts of end-users, platforms would be allowed breathing space to provide their services and would not be subject to injunctions under Article 8(3) InfoSoc Directive. Finally, due to the privilege granted to users, our proposal would discourage preventive filtering of protected content by design. At the same time, there would remain ample space for reactive duties of care, such as notice-and-takedown obligations, to be imposed on platforms, upon obtaining knowledge of infringements regarding content or uses outside the exception’s scope.

  • Scope: Subject Matter and Substantive Rights

In theory, the system could apply to all types of protected works and other subject matter, domestic or foreign to an EU Member State, that is susceptible to upload and use on a content-sharing platform. In practice, for reasons of compliance with the three-step test, some subject matter exclusions might be sensible, namely for computer programs, databases and videogames. These would be justified by the idiosyncratic legal nature and market logic of these categories of works, as well as by the fact that they have largely remained outside the scope of statutory licensing and collective licensing, on which our system relies.

The exception would cover non-commercial online acts of reproduction and communication to the public by users of content-sharing platforms, under Articles 2 and 3 InfoSoc Directive. It would also apply to transformative uses (e.g. certain types of remixes or mashups), including those that lie in the grey area between reproduction and adaptation.

Only non-commercial use would be covered. This concept features in different provisions in the acquis and is central to the JURI version of Article 13 (Amend. 77). We argue that it is better understood as a legal standard (as opposed to a rule) and an autonomous concept of EU law. It should apply to the use of works by individuals that is not in direct competition with use by the copyright-holders. To determine the standard, recourse could be had to criteria that are both subjective, like the profit-making purpose of the user, and objective, such as the commercial character of the use. In the context of content-sharing platforms, where most individual users do not carry out a business activity or make profit from the platform, the application of such a standard should, as a rule, be straightforward.

The distinction between commercial and non-commercial uses could be clarified through recitals supporting the exception, listing positive and negative examples (e.g. excluding uploads to peer-to-peer platforms, as proposed by Hilty and Bauer). It could be further clarified that non-commercial use focuses on online activities by users (not platforms) for consumption, enjoyment, reference, or expression, outside of the context of a market or business activity, and excludes acts with a direct profit intention or acts for which payment is received. Grey area cases will be decided by national courts, as well as ultimately by the CJEU in the interpretation of this autonomous concept.

Lastly, only works that are freely available online (being either uploaded from an authorised source or covered by an exception or limitation) should benefit from the exception. This requirement provides a clear legal basis for right-holders to notify platforms that are otherwise (prior to this knowledge-making notification) not accessorily liable, so that they may remove or disable access to the infringing copy.

  • Fair Compensation

Our proposal relies on an exception tied to an unwaivable right of fair compensation that vests solely in the authors and holders of related rights affected thereby, i.e. those listed in Articles 2 and 3 of the InfoSoc Directive. This right of fair compensation ensures that: a) creators receive a fair share of the amounts collected under the statutory licence system (which we propose to be at least 50% of collected rights revenue); and b) they are not forced to transfer that share to publishers and other derivative right-holders in the context of unbalanced contractual negotiations.

The amount of compensation should reflect the harm suffered by right-holders. In the absence of an actual market to determine the price for non-commercial uses, this can be calculated by measuring users’ willingness to pay for such a system through methods of contingent valuation. The calculation should also take into consideration mitigating factors already recognized in the acquis, adjusted to the context of content-sharing platforms: the de minimis nature of a use, prior payments for such use, and the application of technological protection measures. If a type of use does not cause economic harm to right-holders, it should not give rise to an obligation to pay fair compensation.

  • Payment Obligations and Safeguards for Platforms

The obligation to pay compensation would lie with content-sharing platform providers whose users benefit from the exception. Like with existing levy-systems, platforms would have the option of either shifting the burden of the compensation to users (e.g. as a subscription fee) or absorbing part of that cost, e.g. by financing it out of advertising revenue. The platforms payment obligation should be counterbalanced by safeguards. Importantly, the alternative compensation system should operate harmoniously with the accessory liability framework set out above. Thus, the new regime should clarify and strengthen the prohibition on the imposition of general monitoring obligations of Article 15 ECD. Platforms should only be subject to obligations to take action against infringing content where: a) it can be shown that they intend to cause infringement or b) after obtaining knowledge of a copy of a work being uploaded in contravention of the exception.

3. Conclusion

There are no perfect solutions to the challenge of online infringement. Any new proposal will have to be built on top of a fragmented and highly complex EU legal framework. Its benefits and drawbacks should therefore be measured not against an ideal system, but rather compared to the current ‘value gap’ proposal and its potential impact on the acquis. A pragmatic approach is thus appropriate. We propose the parallel implementation of two legal mechanisms: one geared at improving the EU law on intermediary copyright liability and the second directed at providing compensation to right-holders for at least some online infringement. Our solution, like most levy-based systems, undoubtedly represents a ‘rough justice’ response to a real-world problem. Nevertheless, it could contribute to achieving the ‘fair balance’ between the rights and interests of right-holders and users that the CJEU places at the heart of EU copyright law. The joint operation of the two proposed mechanisms would increase legal certainty for all stakeholders, enable the development of the information society, and provide fair compensation for right-holders for uses of their works in the online environment.


Note: This proposal builds upon the authors’ pre-existing research into the respective areas of intermediary liability and alternative compensation systems. A more detailed version will be published in an upcoming academic article (on file with the authors). For further information, see: C Angelopoulos, European Intermediary Liability in Copyright: A Tort-Based Analysis (Kluwer Law International 2016) and JP Quintais, Copyright in the Age of Online Access: Alternative Compensation Systems in EU Law (Kluwer Law International 2017).

Richard Danbury: Cliff Richard and Private Investigations

Fri, 27/07/2018 - 11:06

This article was written by Richard Danbury and originally published on UKCLA.

There is an old joke, in which a man is driving through the countryside, lost. He stops his car in a small village to ask a local for directions. The local responds by saying: ‘you want to get where? Oh, to get there, I wouldn’t start from here.’

It’s a joke my children wouldn’t get, from another era, from an age before satnav and Google maps. Perhaps it should be retired. But it remains of contemporary relevance at least as a way of understanding the recent judgment of Richard v BBC. This is because it highlights the issue of framing: the way one perceives an issue dictates, to some extent, the way one attempts to deal with it. Framing is well known in journalism, as the way a journalist perceives an event – frames it – influences the way she will report on it. It also can be helpful in law. The way an advocate persuades a tribunal to perceive an event – frames it – dictates, to some extent, the conclusion the tribunal will reach. Every advocate knows that to get to a particular destination, it’s important to get the judge or jury to start from the right place.

Reading the 454 paragraphs of Mann J’s clear prose in Richard v BBC, we are left with little doubt how he framed the case. A well-beloved celebrity, Sir Cliff Richard, was unfairly accused of a horrendous crime, and was investigated, as was only right, by the police. But the police told the BBC this private information, which they shouldn’t have done, because they were pressurised into doing so by the BBC. The BBC prepared a report, dispatched a helicopter to shoot video through Sir Cliff’s windows of policemen searching his flat, and then published this to the world. This harmed Sir Cliff, who sued the police for informing the BBC, and the BBC for informing the world. Justice was done to Sir Cliff when Mann J resolved the dilemmas with which he was presented in favour of Sir Cliff.

Indeed, Mann J seems to have resolved all the dilemmas with which he was faced in favour of Sir Cliff. Many of these findings might be challenged, and some are supported by stronger reasoning than others. The BBC has indicated that it is considering appealing. This blog concentrates on one finding that can be challenged, as it is one that potentially has the most impact on public interest journalism. This is Mann J’s conclusion in paragraph 248 that a person under police investigation has a prima faciereasonable expectation of privacy in respect of that fact. The blog argues that, while an understandable conclusion given Mann J’s framing of Sir Cliff’s case, this finding erects a significant and substantial hurdle for those undertaking public interest journalism. That is a problem.

The notion of framing is useful in explaining why, for there are other ways of framing the dilemma with which the learned judge was presented. One is epitomised by the Jimmy Savile scandal. (Indeed, to be fair, this was recognised by the judge at paragraph 281). Savile, as is well known, was a serial sexual abuser, who hid in plain sight behind his fame. One thing that made it possible for him to hide in this way was the law of defamation, for it was the law of defamation that chilled investigations into his conduct by journalists such as Meirion Jones. Yet such investigations, and the coruscating sunlight of publicity they can bring with them, would likely have stopped Savile from assaulting and abusing other victims.

Is it too much to say, then, that, but for the stringency of British defamation law, fewer people would have been sexually assaulted by Savile? Perhaps so. This is because there are so many other features of Savile’s abuse beyond its legal context and the effect of such law on journalists. But it is at least one way of framing the question faced by Mann J as to whether the law of privacy should be made more stringent. Indeed, when he found that all those under investigation by the police have a prima facie reasonable expectation of privacy, removing the ambiguity that had until this point been present in the law, this is what Mann J did. The problem is that such a finding will make the public interest investigative journalism into people like Savile – and indeed, into the police – harder. It is likely that, as a result, there will be fewer of them.

This observation leads to another way of framing Richard v BBC, which is also helpful in seeing why Mann J’s finding is a problem. Consider media law in the UK as a whole. Many recent cases have inhibited public interest investigative journalism. For example the Supreme Court in Ingenious Media v HMRC narrowed the availability of the ‘defence’ of public interest in actions for Breach of Confidence, and the Court of Appeal in Lachaux v Independent Print Ltd interpreted in a restrictive way (from the point of view of defendants) the phrase ‘serious harm’ in section 1 of the Defamation Act 2013. This made it easier for some defendants to issue claims in defamation. (The case is currently also on appeal to the Supreme Court.) One can also look at the reported increased use of data protection as a cause of action for claimants. When considered individually, framed by claimant advocates in each case, these decisions are eminently justifiable. Yet together, changes in media law have made the work of public interest investigative journalism harder. This difficulty has been bolstered by Richard v BBC.

This, by itself, is no criticism of Mann J’s judgment. It is, as is well known, how the Common Law works. Individual judges make decisions on the case with which they are presented: they weave a particular thread. As a matter of principle, they are seldom asked to rule on how appropriately that thread fits of the fabric of the law, seen as a whole, or on the law itself. After all, very few cases will require a judge to consider how the issue being litigated interacts with other elements of the law that operate on a defendant. Such is the job of the legislature, or the Law Commission.

But there are also particular concerns with the route by which Mann J came to his conclusion. These can be found in paragraphs 231 to 248, the basis for the decision on the privacy right of those under investigation. It is here that the learned judge surveyed relevant case law, and took notice of extra-judicial sources, not least the Leveson report. In doing so, as can be expected, he articulated both the doctrinal and policy reasons for concluding that the subject of an investigation had a reasonable expectation of privacy. But what he failed to do sufficiently is discuss the policy reasons and arguments againstthere being a reasonable expectation of privacy. These policy arguments can be supplemented by the doctrine of open justice. This is because the position of an individual being investigated by the police is comparable in relevant ways to that of an individual being tried in a court. In court, an individual may be said to have an expectation of privacy, but it is not likely to be prima facie reasonable, and the same can be said to someone under investigation. As he omitted to consider these, the judge’s reasoning does not support his conclusion.

It is not completely unbalanced. To be fair to Mann J, some of the policy arguments why an expectation of privacy may not be reasonable are indeed canvassed in his judgment. One is what Mann J calls ‘shaking the tree’, namely the idea that publicity will encourage other complainants or witnesses to come forward. (This is not an argument that was advanced on behalf of the BBC – see paragraph  252.) But this is not a strong argument against the existence of a reasonable expectation of privacy. It is, rather, an argument about why privacy in such situations should not overcome freedom of expression, when the two rights are balanced. More pertinent are other arguments. Three can be presented here.

The first is the classic, Benthamite justification for Open Justice, namely that it keeps the judges, while judging, under trial, and so inhibits misfeasance by those in authority. If this is applicable to judges, surely it is even more applicable to police when they investigate. It provides a rationale why an individual’s expectation of privacy in relation to an investigation may be prima facie unreasonable: the police need policing, and journalistic investigations can assist in this. Secondly, there is the concern that where the actions of a state are obscured and un-reportable, it incurs suspicion in the public’s minds. As Milton observed ‘forbidd’n writing is thought to be a certain spark of truth that flies up in the faces of them who seeke to tread it out’. This, more recently, has been part of Munby J’s arguments as to why the operation of the Family Courts should be subject to more publicity. The fear in relation to police investigations is that if journalists cannot report on those being investigated by the police, that suspicion and conspiracy theories will tend to flourish about what the police are up to, and this may harm public trust in the system.

The third argument against there being a prima facie reasonable expectation of privacy is that this impedes the public being informed about an important political fact of which they ought to be informed. The operation of the criminal justice system is a central aspect of a liberal democracy, and a key subject on which people form political opinions, influencing their decision on how to vote. It is clearly important that the public are informed about police investigations. None of these arguments were canvassed by Mann J in his judgment, and surely this is a flaw. If they had been, they should have supported the view that the law ought not to recognise a prima facie right to privacy in respect of a police investigation.

This is not to say that there never can be a right to privacy in an investigation. But what should happen is that whether privacy is engaged in an investigation should be a question of fact to be determined in each case, rather than a presumption of law to be applied in all. Such a resolution is acceptable in a broader range of the ways cases such as Richard v BBC can be framed. It is also less likely to chill public interest investigative journalism.

Dr Richard Danbury, Associate Professor, De Montfort University, and Associate Research Fellow, Institute for Advanced Legal Studies

(Suggested citation: R. Danbury, ‘Cliff Richard and Private Investigations’, U.K. Const. L. Blog (25th Jul. 2018) (available at

Bethany Shiner: How Does the Data Protection Act 2018 Empower the Information Commissioner to Tackle the Misuse of Personal Data in Political Campaigns?

Tue, 24/07/2018 - 16:34

This article was written by Bethany Shiner and originally published on UKCLA.


Following on from an earlier piece on this blog which highlighted some of the gaps in the legal framework relating to the use of personal data for political purposes in campaign material, this will consider whether the Data Protection Act 2018, which implements the General Data Protection Regulations (GDPR), provides the regulator with enough investigatory and enforcement powers to better tackle the misuse of data in political campaign practices in future.

The Information Commissioner’s Office

The Information Commissioner’s Office (ICO) published an update on its ongoing investigation into the use of data analytics in political campaigns indicating some preliminary findings of breaches of one or more of the data protection principles as well as some of the enforcement actions it has taken. This update, along with its Democracy Disrupted? report, will feed into the Digital Culture Media and Sport Select Committee’s Fake News inquiry, which is preparing its interim report. The ICO investigation needs to establish whether there had been breaches of the Data Protection Act 1998 and the Privacy and Electronic Communications Regulations 2003 and to do that it had to examine how political campaigns use personal data to micro-target voters with political adverts and messages.

Eleven political parties were served with warning letters and assessment notices for audits and the ICO has concluded that there are ongoing risks and concerns arising from the purchasing of marketing lists and lifestyle information from data brokers without sufficient due diligence, a lack of fair processing, the use of third party data analytics companies with insufficient checks around consent, and the provision of members contacts lists to social media companies. During this investigation the ICO has used the powers available to it under the Data Protection Act 1998 and the 2018 Act, which came into effect in May 2018, including issuing formal notices for information, powers of entry under warrant, and audit and inspection powers.

The Data Protection Act 2018

If there were to be another snap-election or a second UK-EU referendum, and the same practices were alleged, what would the ICO be able to do differently now that a new legislative framework is in place? There are two classes of people found to be engaged in the (mis)use of personal data in politics: 1. elected representatives, political candidates and political parties, and 2. companies including data brokers, political consultancy firms, and social media platforms. As demonstrated by the investigation into the UK-EU referendum, breaches can flow between both classes.

Elected representatives, political parties and candidates are empowered to access and use certain information (for example, the electoral register) to communicate with the electorate and members of the local constituency and respond to inquiries arising from constituency surgeries. Access to such data was established under the 1998 Act and have been carried over to the 2018 Act by sections 22 and 23 of Schedule 1.  Section 8 of the 2018 Act provides a lawful basis for processing personal data founded on public interest for an ‘activity that supports or promotes democratic engagement’ such as communicating with electors, campaigning activities, and opinion gathering inside and outside election periods. Although the section 8 exemption will still be subject to the six key principles established by the GDPR, including lawful, fair and transparent processing, this was an unnecessary additional exception  because the article 6 GDPR consent or legitimate interests legal bases are more appropriate justifications for processing personal data. The legitimate interest basis enables a balancing test between whether the legitimate interests are overridden by the interests or fundamental rights and freedoms of the data subject. This test ensures that organisations do not use a broad legal basis to legitimise micro-targeting and the other campaigning techniques the ICO was investigating at the time the amendment was inserted into the Bill. How this broad exemption will apply to the future use of data in political campaigning may rely on its interpretation, but the explanatory notes offer little guidance.

The 2018 Act provides some powers which were not available under the 1998 Act. It was perceived that the limitations of the previous regime were played out when the Information Commissioner had to wait five days for a warrant to enter the premises of Cambridge Analytica to seize evidence of data breaches. In actual fact, the ICO had already been in negotiation with the company for almost a month after it put the company on notice of its intention to demand access to the premises before finally applying for a warrant. However, this saga did enable the Commissioner to draw attention to her requests for greater investigatory and enforcement powers to be written into the Data Protection Bill which was being debated at the same time.

The GDPR does incorporate preventative mechanisms, but to investigate and enforce the law, the ICO needs to be able to move at pace in response to allegations such as the ones currently under investigation. Because the particulars of such potential data breaches are hard to detect on social media platforms and other online sources it is critical that the ICO has access to servers and other evidence to trace where data has come from, how the data was used and who it was shared with. Information notices facilitate the acquisition of the information the ICO needs to assess whether the law has been broken. In the ongoing investigation, 23 information notices have been served on 17 organisations (information notices can now be issued to individuals – such as ex-employees of companies – data processors, as well as data controllers) and have been a key tool in the investigation. For example, Facebook was asked about how its platform was used to mine data.

Now, the ICO can issue urgent information notices that have to be complied with in 24 hours. Further, following the Commissioner’s request, it can apply for a court order to compel compliance with information notices so that failure to comply is not solely penalised with a fine. The ICO was concerned that in the absence of compulsion, fines alone would encourage organisations and individuals to simply buy themselves out of data breaches by refusing to reveal the evidence or information relating to such breaches.

The Assessment notice provisions within the 2018 Act enable the ICO to complete urgent inspections to assess compliance with the data protection legislation. Section 148 creates a criminal offence for an organisation to destroy, dispose, block, conceal, alter or falsify information or documents the ICO intends to pursue a warrant to remove. This offence is meant to act as a deterrent and attracts a summary conviction. Section 4(1) of schedule 15 repeats the provision contained in schedule 9 of the 1998 Act for warrants to be sought more quickly if giving the owners of the premises the standard seven days’ notice would defeat the object of entry, or the Commissioner requires access to the premises in question urgently.

Enforcement notices can be issued to stop the processing of data, a power that existed under section 40(1) of the 1998 Act but there are more grounds for an enforcement notice as per section 149 of the 2018 Act. An enforcement notice was served on Aggregate IQ requiring it to ‘cease processing any personal data of UK or EU citizens obtained from UK political organisations or otherwise for the purposes of data analytics, political campaigning, or any other advertising’ within 30 days. The grounds were that contrary to articles 5(1)(a)-(c) and 6 of the GDPR the processing of personal data was in a way data subjects were not aware of, for purposes they would not have expected, without a lawful basis and the processing was incompatible with the purpose of the original data collection. The enforcement notice can be appealed, by virtue of section 162(1)(c), and if appealed, in all but exceptional circumstances, the notice need not be complied with pending determination or withdrawal of that appeal.  Failure to comply with the enforcement notice is not a criminal offence but does attract a fine of 4% GPR or £17million. How the ICO can enforce this when Aggregate IQ has no base in the UK or any other EU member state remains to be seen.


The ICO has had to conceive itself as a regulator of the democratic process. Elizabeth Denning is cognizant of concerns that our democracy may be under threat and has called for an ‘ethical pause’ (not a regulatory halt) on the use of data in politics to allow relevant parties to ‘reflect’ on their responsibilities in the era of big data ‘before there is a greater expansion in the use of new technologies’. Of course, parliamentarians are captured by these practices themselves often seeking the most effective ways to direct their messages to selected members of the electorate.

The ICO has embraced its developing role in protecting the electorate from data misuse but this is a role that has emerged with the use of campaign techniques that rely on information about the electorate obtained from the analysis of personal data. The ICO’s investigation into the official referendum campaigns is particularly significant as both campaigns were led by senior ministers. Does the ICO possess enough power to hold those that seek to gain from the misuse of data to account? This is being tested now and the final report on the ongoing investigation is due in October 2018.

Bethany Shiner, Lecturer at Middlesex University and solicitor-advocate

(Suggested citation: B. Shiner, ‘How Does the Data Protection Act 2018 Empower the Information Commissioner to Tackle the Misuse of Personal Data in Political Campaigns?’, U.K. Const. L. Blog (20th Jul. 2018) (available at

“The Internet: To Regulate or Not To Regulate” – ILPC written evidence

Tue, 12/06/2018 - 16:24

The ILPC have submitted a piece of written evidence in response to the recent call for evidence on ‘The Internet: To Regulate or Not to Regulate’ from the House of Lords Select Committee on Communications.

The written evidence outlines four key issues of internet regulation: the protection of human rights, the protection of freedom of expression, the use of deceased’s data and the role of the UK as a world leader in internet regulation.

The publication is available to read here.


ILPC Annual Conference 2018 Call for Papers

Wed, 06/06/2018 - 14:59


Transforming Cities with Artificial Intelligence: Law, Policy, and Ethics

We are pleased to announce this call for papers for the Information Law and Policy Centre’s Annual Conference on 23 November 2018 at IALS in London, this year supported by Bloomsbury’s Communications Law journal. You can read about our previous annual events here.

We are looking for high quality and focused contributions that consider information law and policy within the context of improving the governance of the public interest within cities through the use of AI-based systems. Whether based on doctrinal analysis, or empirical research, papers should offer an original perspective on the implications posed by the use of algorithms and data-driven systems for improving the effectiveness of the public sector whilst also ensuring that such processes are governed by frameworks that are accountable, trustworthy, and proportionate in a democratic society.

Topics of particular interest in 2018 include:

  • Explainability and transparency of algorithms
  • Smart cities
  • Data privacy and ethics
  • Internet of Things
  • Cyber security
  • Open Data and Data Sharing
  • Public-private partnerships
  • AI and Digital education
  • The EU General Data Protection Regulation


The conference will take place on Friday 23rd November 2018 and will include the Information Law and Policy Centre’s Annual Lecture and an evening reception.

The ILPC is delighted to announce that Baroness Onora O’Neill, a leading philosopher in politics, justice, and ethics, who is also a Crossbench Member of the House of Lords and Associate Fellow of the University of Cambridge Leverhulme Centre for the Future of Intelligence (CFI) will deliver this year’s Annual Lecture.

Attendance will be free of charge thanks to the support of the IALS and our sponsors, although registration is required as places are limited. Registration to the Annual Conference is available here.

The best papers will be featured in a special issue of Bloomsbury’s Communications Law journal, following a peer-review process. Those giving papers will be invited to submit full draft papers to the journal by 1st November 2018 for consideration by the journal’s editorial team.

How to apply:

Please send an abstract of between 250-300 words and some brief biographical information to Eliza Boudier, Fellowships and Administrative Officer, IALS: by Friday 13th July 2018 (5pm, BST).

Abstracts will be considered by the Information Law and Policy Centre’s academic staff and advisors, and the Communications Law journal editorial team.

About the Information Law and Policy Centre at the IALS:

The Information Law and Policy Centre (ILPC) produces, promotes, and facilitates research about the law and policy of information and data, and the ways in which law both restricts and enables the sharing, and dissemination, of different types of information.

The ILPC is part of the Institute of Advanced Legal Studies (IALS), which was founded in 1947. It was conceived, and is funded, as a national academic institution, attached to the University of London, serving all universities through its national legal research library. Its function is to promote, facilitate, and disseminate the results of advanced study and research in the discipline of law, for the benefit of persons and institutions in the UK and abroad.

About Communications Law (Journal of Computer, Media and Telecommunications Law):

Communications Law is a well-respected quarterly journal published by Bloomsbury Professional covering the broad spectrum of legal issues arising in the telecoms, IT, and media industries. Each issue brings you a wide range of opinion, discussion, and analysis from the field of communications law. Dr Paul Wragg, Associate Professor of Law at the University of Leeds, is the journal’s Editor in Chief.

ILPC Seminar: EU Report on Fake News and Online Disinformation, 30th April 2018

Wed, 09/05/2018 - 12:36


The term “fake news” has become a prominent nomenclature in public discourse. Indeed, the idea of “fake news” has brought to the fore a number of key concerns of modern global society, including if and how social media platforms should be regulated, and more critically, the potentially subversive role of online disinformation (and its spread on such platforms) to undermine democracy and the work of democratic institutions.


In response to the growing concerns over “fake news” and online disinformation, the European Union established an independent High Level Expert Group in early 2018 to establish policy recommendations to counter online disinformation. In March 2018, the HLEG published a report entitled ‘A Multidimensional Approach to Disinformation’ which sets out a series of short and longer term responses and actions for various stakeholders, including media practitioners and policymakers, to consider in formulating frameworks to effectively addressing these issues. The report recognises that online disinformation is both a complex and multifaceted issue, but is also a symptom of the broader social move toward globalised digitalism.


The Information Law and Policy Centre (ILPC) at the Institute for Advanced Legal Studies, University of London, convened a seminar at the end of April to discuss the report of the HLEG and the phenomenon of “fake news”. The seminar forms part of the ILPC’s public seminar series where contemporary issues regarding various aspects of information law and policy are discussed and deliberated with key stakeholders and experts in the field. Held on the evening of the 30th April 2018, the seminar consisted of an expert panel of discussants from both academia and the media.


Chaired by ILPC Director, Dr Nóra Ni Loideain, the panel included Professor Rasmus Kleis Nielsen, Professor of Political Communication at the University of Oxford and Director of Research at the Reuters Institute for the Study of Journalism and member of the HLEG, Dr Dimitris Xenos, Lecturer in Law at the University of Suffolk, Matthew Rogerson, Head of Public Policy at Guardian Media Group, and Martin Rosenbaum, Executive Producer, BBC Political Programmes.


After an introduction and overview of the report by the Chair, Professor Nielsen (speaking in his personal capacity) began the panel discussion by noting that “fake news” is part of a broader crisis of confidence between the public, press and democratic institutions. Professor Nielsen cautioned against the use of the term “fake news”, highlighting that it is dangerous and misleading, having been sensationalised for political use. Stressing that the HLEG has taken deliberate steps to quell the further populism of the term by not using it in reports and policy documents, he also pointed out that significant steps to redress the issue cannot take place until we have a deeper understanding of just how widespread the problem is or is not. That being said, Professor Nielsen emphasised that in addressing such issues, we must start from the principles we seek to protect, and particularly, freedom of expression and open democracy.


Accordingly, Professor Nielsen set out what he saw to be the six key recommendations from the HLEG’s report, noting that these recommendations come as a package to be realised and implemented together.

  • Abandon the term “fake news”;
  • Set aside funding for independent research in order to develop a better understanding of the scope and nature of the issue, noting too that little is known about the issue outside of the West and Global North countries;
  • Call for platform companies to share more data with fact checkers, albeit privacy complaint;
  • Call for public authorities at all level to share machine readable data to better enable professional journalists and fact-checkers;
  • Invest in media literacy at all levels of the population; and
  • Develop collaborative approaches between stakeholders.



Our second discussant, Dr Xenos, offered a light critique of the HLEG’s report. He agreed with the HLEG group’s focus on ‘disinformation’ relating to materials and communications that can cause ‘public harm’, and its contextual targets involving parliamentary elections and important ‘sectors, such as health, science, finance’, etc. He pointed out that as the institutions of powers (such the EU’s organs) are very often the original sources of such information that is subsequently treated by various media organisations and communicative platforms, the same standards and safeguards should apply to the communications and materials that are produced and published by the institutions. Dr Xenos referred to his contribution and the recent reports of the EU Ombudsman, involving the EU Commission, the EU Council and their very wide range of experts which highlight serious deficiencies in decision and policy-making, undermining the basic democratic safeguards which the HLEG’s report targets, such as transparency, accountability, avoidance of conflicts of interests, and access to relevant information. In this respect, Dr Xenos argues that the proposal for a fact-checking system of media communications covering decisions and policies of the institutions of power is unrealistic when such a system and safeguards do not apply to the original communications, materials and decisions of these institutions that the media may (if and when) subsequently cover. He emphasised the need for an independent academic insight that can offer analysis of events ex ante, in contrast to the traditional ex post analysis of journalism. However, Dr Xenos also said that the role of academics is undermined if appropriate research focus is lacking or there is a conflict of interest – an issue, he believes, concerns also those media organisations and platforms controlled by private corporations. In support of his claims, he referred to a recent study and its subsequent coverage by both the UK and US media. He welcomed the HLEG’ suggestions for access and analysis of platforms’ data and algorithm accountability in the dissemination of information.


Responding to Dr Xenos, Dr Ni Loideain noted that the report consistently emphasised the need for evidence-based decision- and policy-making.


Following from Dr Xenos’ remarks, Matt Rogerson from the Guardian Media Group emphasised the critical role online disinformation can play in determining the outcome of elections. Matt noted that current politics are marginal, with over a hundred constituencies won or lost with a swing vote of under 10%, which Facebook, for example, can greatly influence, given the high numbers of people who gain their news updates only from this source. Matt noted, too, how in the wake of the Cambridge Analytica scandal, tech companies are becoming increasingly hesitant to be open about their policies and activities. Matt further highlighted that the knowledge and understanding of citizens of the various news agencies and news brands varies, pointing to a study which demonstrated how citizens had a greater trust for the news items offered in certain broadsheet newspapers as opposed to particular tabloid presses.


Recognising, therefore, that there is strong media diversity and pluralism of news brands at present, Matt spoke of how this must be preserved and protected. One important issue, Matt noted, was the need for stronger visual queues on platforms such as Facebook, so users could readily distinguish between the branding of the Guardian news items, in comparison to other less-trusted news sources. Matt also raised concerns about the impact of programmatic digital advertising, which effectively decouples brand advertising from the context in which it is seen via online platforms, reducing the accountability of the advertiser as a result.


In terms of how to create trust between news organisations and the wider public, Matt drew our attention to the importance of diversity within media houses and social media platforms. Highlighting the lack of gender and ethnic diversity within the tech industry, as well as the related monopoly of Silicon Valley companies over the industry as a whole, Matt noted how the effect of this meant that there was little competition between platforms to raise standards and do the right thing by society. Matt recommended revisiting competition regulation to drive competition and diversity.


Martin Rosenbaum from the BBC and speaking in his personal capacity was the final discussant to offer their response on the report. Martin echoed the sentiments of Matt and Professor Nielsen in cautioning against downplaying the issue of disinformation and the effect it can have on society. Martin made note of the fact that disinformation can occur in various forms, including users sharing information despite not knowing or caring whether it is true or otherwise. Moreover, Martin emphasised how disinformation more broadly can foster a lack of trust in trusted news agencies and public institutions by generating, as Professor Nielsen spoke of too, a general crisis of truth.


Martin additionally mentioned how the ready consumption and splurge of news users receive on Facebook represents a divorce between the source of the information (for example, the BBC) and the way in which it is distributed and reaches the consumer. Martin explained how this works to undermine the trustworthy-ness of certain kinds of media and information.


In speaking of mechanisms through which to counter disinformation, Martin noted the BBC’s code on journalism that is accurate, fair and impartial, which underlies its position as one of the most trustworthy news sources globally. He further noted how the BBC has put in place various accountability mechanisms to handle complaints effectively. Martin additionally spoke of the need for media literacy and involving younger generations in news-making, reporting, and spotting “fake news”.


Responding to the claims made earlier by Dr Xenos, Martin assuaged that specialist journalists are most often best placed to fact-check news stories. And lastly, Martin also pointed out how chat apps were also complicit in the dissemination of “fake news” items, and that these platforms were much harder to regulate and monitor in terms of the content they handle.


Following from Martin’s contribution, the discussion opened up and various questions were posed to the panel regarding the scope and definition of disinformation and how this issue overlaps the fundamental principle of freedom of expression. There was a broad consensus to steer away from unnecessary government regulation that may impact upon free speech. Other issues raised included the tension between the call for open data and data sharing and the coming into effect of the GDRP this month.

Dr Rachel Adams, ILPC Early Career Researcher

Money, law and courage: the varied roles of the UK Information Commissioner

Wed, 18/04/2018 - 11:49

This post is re-posted from the ICO’s website with kind permission. Original web entry available here

Original script may differ from delivered version

Elizabeth Denham delivered the CRISP (Centre for Research into Information, Surveillance and Privacy) annual lecture 2018 at the University of Edinburgh on 14 March.

She spoke about the many roles she must play as UK Information Commissioner and set out the challenges and opportunities ahead. Introduction

Many thanks for the invitation to speak today. I have a connection with CRISP and William Webster, Kirstie Ball and Charles Raab that predates my time in the UK – British Columbia OIPC is a partner in Big Data Surveillance Project with David Lyon and others in Canada. I have long been aware of the importance of the CRISP doctoral training school.

One of the wonderful aspects of privacy and data protection is the extremely rich and interdisciplinary scholarly research community.

Data Protection raises questions of law, politics, sociology, computer science, communications studies, business and management, psychology, urban studies, geography, and so many other areas of scholarship.

For all the regulatory and legal challenges, privacy and data protection continue to raise fascinating intellectual issues.

CRISP is a wonderful model of interdisciplinary research and training for young researchers.

I am very glad to have received the support of the broad and vibrant academic community involved in research on privacy and surveillance since taking up this job.

I am also proud to have launched a new program to fund independent research and help consolidate the network of privacy researchers in the UK.

I am hopeful that this will continue for many years.

Money, law, courage

The title, Money, Law and Courage – signifies, of course, that the contemporary data protection authority (DPA), of which the ICO is the largest in the world in terms of personnel and budget, cannot do its work without a clear legislative framework, the necessary technical and financial resources and the courage to do our jobs well. My office is responsible for the effective enforcement of no fewer than eleven statutes and regulations.

They say: “Money makes the world go around . . .”

Well, we have a budget of £24 million pounds, following the introduction of the new funding model this will be £34m in 2018/19. We’ve been busy over the last year recruiting more staff and currently have a headcount of around 500.

We expect staffing numbers to continue to increase, passing 600 by 2019 increasing to an approximate FTE of 650 during 19/20.

We will be assessing demand as the GDPR goes live and beyond, adjusting our plans accordingly. To give you a sense of we are fixed now, we’ve got around 200 case-workers working on issues raised by the public, a 60-strong enforcement department taking forward our investigations and a similar number charged with developing our information rights policies and engaging with the stakeholders and organisations that need to implement them.

Coming from an office of under 40 in British Columbia, the scale of the management tasks is obviously far more complex and challenging.


I had – I have – Great Expectations for this job.

But there’s one aspect of the job that I did not expect, and it stems from the very governance structure of the ICO.

My job combines the role of Commissioner, which has a variety of regulatory and quasi-judicial functions, with that of a CEO. It is based on the “Corporation Sole” Model.

That’s highly unusual for a large regulatory body like the ICO.

The implications of this model are that I perform a wide range of management functions in my capacity as the ICO’s CEO.

I would say that as well as my regulatory role, I must also work alongside my excellent staff on administrative duties involving organisation, finance, human resources, and negotiations with the unions.

Much activity of late has been about recruitment and retention issues. I am pleased to report that the Treasury has given me pay flexibility to address the gap in wages when compared to the external market.

Everyone is looking for data protection expertise.

I am also looking at new ways to bring in talent – through secondments from the private and government sectors, and through technology fellowships for post-doctoral experts. 


It’s not just about the money, it’s also about the resources. And I have many tools in the toolbox. 20 years ago, the toolbox was not global.

Now there is a common recognition that all DPAs need to make creative use of all the tools in the toolbox.

And as in a toolbox, each tool (the hammer, the drill, the screwdriver, the chisel) is suited to a different purpose.

But most of these tools can be used separately, and not in conjunction with another. Throw away the screwdriver or the drill, and the hammer still remains and is still capable of driving in the nail.

At the same time, it cannot drill the hole, or screw in the screw – assuming, of course, that the user can tell the difference.

For the person with the hammer, everything can tend to look like a nail, right?

The tools in the privacy toolbox, however, are designed to be used in conjunction with one another. They do form an integrated package, all of which are now necessary and none sufficient on their own.

Of course the tools are all for nothing if the Commissioner and her team don’t have a good plan for what we are building and why.

The Law

So now to the law. This global repertoire of instruments is reflected in the General Data Protection Regulation (GDPR), that will apply in the UK from May: privacy by default and design; codes of practice; privacy seals; Data Protection Impact Assessments (DPIA); data protection officers; accountability mechanisms for good privacy management.

The Europeans have made vigorous efforts to learn from abroad and to embrace policy instruments that were pioneered in other countries, such as Canada, and to incorporate them into the GDPR.

Positive results in data protection are not just attributable to decisions from the top.

They are “co-produced” by a widespread network of actors (regulators, businesses, consumer organisations, media, researchers, and individuals).

I see the ICO as the facilitator of this network, a convener as much as the regulator.

My varied roles

Over ten years ago, Charles Raab and Colin Bennett published The Governance of Privacy: Policy Instruments in Global Perspective1.

In that book, they defined the contemporary roles of the DPA as: ombudspersons, auditors, consultants, educators, policy advisers, negotiators, enforcers, and international ambassadors.

Different authorities played these roles in different ways and with shifting emphasis over time. I, and my staff, also play these roles.

Data Protection “Ombudsman”

Any DPA has to be attentive to its main clients – the citizenry who may have concerns and questions about how their personal data is captured and processed.

We all play the classic role of the “ombudsperson.”

Demand for this role is high and increasing. In 2016-17, the ICO received and dealt with over 18000 data protection complaints, 90% of which were resolved within three months of receipt.

This year we will be over the 21,000 mark and next year we expect over 24,000 complaints as people become more aware of their rights.

Prominent concerns include complaints about timely and comprehensive access to personal information, about the use of CCTV, and take-down requests from search engines. We are dealing with a wide range of complaints, most relate to general business, including the financial and insurance sectors, but they also cover the important relationship and services between the state and the citizen, including local and central government, health, policing and education.


The auditing role is central, and will become more so under GDPR. That embraces more proactive assessments of organisational accountability and expands our work to the private sector in a way not seen before. But we now also have a more nuanced understanding of what a data protection audit actually entails, and make important distinctions between full-blown audits, risk reviews and advisory audits.

In 2017-18, we delivered 24 full audits providing advice and recommendations, 37 information risk reviews, 18 follow-up audits, and 47 advisory audits to SMEs.


We are also consultants and often give advice to organisations that come to us with requests to comment on new products and services.

We are happy to hear of new developments and to give advice about whether new systems are compliant with the law, and about how to minimize risks to privacy. This role too will increase under the GDPR – organisations will be increasingly pressured to get the advice of regulators before systems are developed and services are launched.

They will be expected to implement privacy by design, and by default, and will need advice about how to accomplish those goals.

In this regard, my office is establishing a regulatory “sandbox” that provides beta testing of new initiatives in private and public sectors.

This strategy allows us to keep up with new technological developments, and at the same time ensure that appropriate protections and safeguards are built-in.

This is what the law requires.

The strategy is based on the strong belief that privacy and innovation are not mutually exclusive. New technology is both a risk and an opportunity. The strategy also allows us to boost the technical expertise of our staff.


I spend a lot of my time in education – both of the general public and of organisations. We have launched a guide to the GDPR, which has had over 3 million hits since publication.

I have given several dozen speeches to organisations over the last two years, and use those as an opportunity to spread the word to key audiences. We are also active in social media, and broadcast podcasts on significant questions. I also write blogs on key issues – including a series of GDPR myth busting blogs.

In April, we will launch a public education campaign, Your Data Matters, to educate the public on their new rights under the law.

The campaign is the ICO’s but we are collaborating with private sector and civil society partners to assist us in disseminating information about the use of personal data in everyday life, complete with real-life scenarios and story-telling content. The aim is to increase the public’s trust and confidence in how organisations use their data. And that’s my priority.

Policy Adviser 

With the GDPR, and Brexit, I have spent a lot of time with parliamentary committees, ministerial staff in giving policy advice about legislative and regulatory change. I spend around 2-3 days a week in London since I took up the position because of heavy parliamentary and Whitehall business. We have opened a London office and formed a parliamentary team.


My staff and I need strong negotiation skills staking out principled positions, but being prepared to compromise. We negotiate with government agencies, and with corporations. We negotiate, for instance, over codes of practice, such as the one currently being developed on direct marketing.. The role of negotiator is critical in an area of law where there are often no clear black and white answers, and few “bright-line” rules.

We are also involved in negotiation with other regulators and oversight agencies. There are many other players in this space – from the NCSC in matters of cyber security, the Surveillance Camera Commissioner to the Childrens’ Commissioners. In fact I met with Bruce Adamson the Children and Young People’s Commissioner Scotland just this morning.

We work hard to develop a framework that allows us to work in a co-ordinated manner in the best interest of UK citizens.

I played all those roles in Canada (in Ottawa and in British Columbia). But they are now played out on a bigger stage, and with far greater implications.

There are two roles I’ve yet to speak about – the enforcer and the international ambassador.

These are far more prominent in my role as UK Information Commissioner than they ever were in Canada. And these are the ones that I would like to discuss in greater detail in the rest of this talk.


My office possesses a greater range of enforcement and sanctioning powers than those in Canada.

As an illustration, companies could find themselves subject to severe penalties for not complying with the GDPR, which states the maximum amounts that companies could be liable to as £17m, or 4% of the organisation’s total annual worldwide turnover in the preceding year, whichever is higher.

We also have powers to suspend or amend processing or transfers.

The enforcement notice can be more intrusive than the fine. These are significant fining and directing powers, and they have to be to be used predictably, consistently and judiciously.

To that end, my office is developing a Regulatory Action Policy to provide greater clarity and focus to our roles.

So, when I look at the contemporary inventory of regulatory tools at my disposal, it is now a long list that operates on a sliding continuum, or hierarchy of regulatory action.

That’s quite a list, right?

We aspire to select the most appropriate regulatory instrument based on a risk assessment of the nature and seriousness of the breach, the sensitivity of the data, the number of individuals affected, the novelty and endurance of the concerns, the larger public interest, and whether other regulatory authorities are already taking action in respect of the matter.

We also reserve the right to take into account the attitude and conduct of the organisation, whether relevant advice has been heeded, and whether accountability measures have been taken to mitigate risk.

Now might be a good time to tell you about our ongoing investigation into the use of personal data by political parties and campaigns. The use of data analytics for political purposes has not been examined by any other DPA.

It is a complex investigation involving over 30 organisations including political parties, data analytics companies, and social media platforms.

We hope to shed light on the mysteries and complexities of the data driven campaign and election. And we hope that our work will be an important contribution to the wider legal and ethical discussions about the use of personal data to mobilize voters.


All privacy and data protection commissioners are increasingly international ambassadors for their domestic data protection regimes and approaches.

We advance the interests of our citizens, and also to some extent our businesses, in a variety of regional and international forums.

As UK Information Commissioner, I am now of course on a far more visible international stage then I ever was in Canada.

To help navigate these uncertain international waters, my office has published an international strategy that recognizes the importance of agility in an ever changing world.

As you know, the GDPR will apply in the UK as of May 25th 2018. We have been giving guidance to British businesses on how to comply with the GDPR, on issues such as automated decision-making, profiling, personal data breach notification, and the processing of data on children.

We have also tried to explode some of the unfortunate myths concerning compliance.

As we have a more longstanding experience with some of the instruments in the GDPR, we hope that our practical guidance can have an influence beyond the UK.

At the same time, we have been trying to influence the new Data Protection Bill, which had its Second Reading debate in the Commons last week, and which aims to align UK law with the GDPR.

Overall, I am encouraged that the interests of the government, UK industry and civil society are broadly aligned around the need to apply the provisions of the GDPR within the UK with minimum divergence. The government has prioritised the issue of data protection and data flows in the Brexit negotiations because data underpins the digital economy, trade and criminal justice.

I am striving for what I have called a “holy trinity of outcomes”: uninterrupted data flows to Europe and the rest of the world; high standards of data protection for UK citizens and consumers, wherever their data resides; and legal certainty for business.


We intend to play a full role in EU institutions until the UK leaves the EU, we are preparing for the post-Brexit environment in order to ensure that the information rights of UK citizens are not adversely affected.

But several questions remain, and which will be inescapably determined by the final contours of the relationship between the UK and the European trading bloc. There is agreement that there will be a transition period – necessary to untangle a 40-year regulatory regime. During the transition period, to avoid a cliff edge harmful for business and citizens, the intent is that the regulatory regimes – from data protection to aviation, food standards and the environment will be maintained.

When it comes to the arrangements post-Brexit for international transfers, achieving a bespoke agreement on data flows in the commercial and security sectors, or an adequacy finding from the European Commission may be the most elegant ways of ensuring the continued frictionless flow of data between the EU and the UK.

And there is no doubt that having domestic laws that achieve a high standard of data protection, harmonized with those of the EU, will be a significant advantage in a special arrangement.

Should the UK leave the EU without a data deal in place, EU organisations will need to have binding contractual arrangements in place every time they wish to share new information and data with their UK partners.

Even with the GDPR translated into UK law, interpretation of the law is the responsibility of the ICO, and the UK courts.

Our interpretation might be influenced by decisions made through consistency mechanisms within the GDPR and the European Data Protection Board, but there is no guarantee – leading to possible divergences of interpretation and confusion for companies that do business in the UK and the EU.

Perhaps the most significant “unknown” from my point of view is the exact nature of relationship with our DPA colleagues across Europe.

Is the ICO going to have a seat on the European Data Protection Board with voting rights or will we be an observer without voting rights; or not even allowed to have a seat around the table? Is the UK going to be a partner, helping to set policy, or will we have the status of a third country – like Canada or Japan?

And then there is the “onward transfer” problem of how to protect the data of EU citizens exported from UK organisations to other areas of the world, and which will be a critical issue in the determination of adequacy. Will the UK have a mirror agreement, similar to that enjoyed currently by Switzerland? Or will UK businesses have to default to various accountability mechanisms, such as binding corporate rules.

And what, then, of data flows from the UK to the United States? Will there be a separate UK-US Privacy Shield arrangement?

There is uncertainty over the legal arrangements in the transition period and the repercussions of this unprecedented process, but the one certainty is that the European Union will continue to advance the highest standards of protection for the personal data of people in the EU, and the UK shares and has committed to maintain these high standards.

I expect that when it comes to rights such as the right to privacy and data protection, the EU and the UK will continue to pursue common strategies; and I expect to maintain substantial dialogue and work with my EU colleagues. The ICO is the largest DPA in Europe and contributes heavily to the work of the Article 29 Working party. Its influence should, and will, continue to be felt post-Brexit.


But none of those resources, legal tools and relationships are sufficient, unless the Commissioner has the courage of leadership and inspires teamwork to advance the rights of UK citizens in the face of some strong global, technological and organisational pressures. But courage is not just manifested in enforcement – in using the legal powers of the office to punish and sanction.

It is also a matter of hard work, commitment, perseverance and a skill in knowing what instrument to use, at what time.

Any data protection or privacy Commissioner has to be pragmatic, and be aware of the various policy tools and instruments at his or her disposal. At a superficial level, the job does involve knowing when to use the ‘carrot’ or ‘the stick’. But those choices are now more complex.

So that simple distinction may be misleading – there are now many types of ‘carrot’ and many types of ‘stick’.

At the end of the day, all privacy and data protection commissioners are looking for an ounce of prevention.

That has been generally argued by observers of the work of privacy commissioners, going back to David Flaherty’s 1989 pioneering book, Protecting Privacy in Surveillance Societies2.

Offices like mine, like the ICO are more effective when they can act proactively, and can give general policy guidance to minimize the needs for complaints, and for enforcement actions.

Prevention is better than cure.

But this is a goal that is not easy to realise, when the office is continually expected to respond to the unexpected: the data breach, the high-profile media story, the sudden policy initiative from government, the significant court decision and so on.

We do try to operate an intelligence function that gathers data on the implementation of data protection, surveys companies and monitors practices.

We have a new team that focuses on priority files, and these cases, investigations or audits are run by cross office groups directed by the senior leadership team. We are then able to understand any general patterns and take proactive measures accordingly.

We also work with civil society and consumer groups – and take their complaints about systemic issues.

GDPR will give us more tools for education, for encouraging accountability, for building in privacy by design and by default. Of course, it is essential to keep the legal sanctions in the background, be ready to use them, and make organisations aware that we are ready to use them.

That general conclusion about the importance of the proactive and general policy work, over the more reactive enforcement work, was also true of my work in Canada and BC.

It is just that I now have more money, more staff, more laws, more tools in my toolbox, a larger audience, a brighter media spotlight and a more extensive range of organisations to regulate.

So, I have the resources to do the job and the law to back me up.

I’ll let you be the judge as to whether I and my team have the courage!


1 C.J Bennett and C.D Raab, The Governance of Privacy: Policy Instruments in Global Perspective (Cambridge MA: MIT Press, 2006).

2 D.H Flaherty, Protecting Privacy in Surveillance Societies: The Federal Republic of Germany, Sweden, France, Canada and the United States (Chapel Hill: University of North Carolina Press, 1989).

Event: Joining The Circle: capturing the zeitgeist of ‘Big Tech’ companies, social media speech and privacy

Mon, 09/04/2018 - 11:40

Event: Joining The Circle: capturing the zeitgeist of ‘Big Tech’ companies, social media speech and privacy

Professor Robin Barnes (Global Institute of Freedom and Awareness) and Peter Coe (Aston University) have organised a panel session at the Inner Temple, London, on Wednesday 23 May 2018. The session is entitled: ‘Joining The Circle: capturing the zeitgeist of ‘Big Tech’ companies, social media speech and privacy’.

It is based on Dave Egger’s book, The Circle, which tells the story of an all-powerful new media company that seeks to totally monopolize its market place and remake the world in its image. Although fictional, the book captures the zeitgeist surrounding ‘Big Tech’ companies exerting ever-increasing influence over our lives by altering our perceptions and expectations of the media (including citizen journalists), free speech and privacy, and how our personal information is used and protected.

The panel consists of seven experts from academia and practice who are currently engaging with these issues, including: Peter Coe, Professor Barnes; Dr Paul WraggRebecca Moosavian (both University of Leeds), Dr Paul Bernal (University of East Anglia), Dr Laura Scaife (BBC) and Jacob Rowbottom (University of Oxford). Professor Ian Cram (University of Leeds) will open the conference. These experts will present and discuss their thoughts on these issues, and their potential implications, both now and in the future.

This event will be of interest to practising and academic lawyers with expertise in Media Law generally (including free speech, privacy and data protection), journalists and other media professionals, and those engaged in research and teaching relating to journalism and the wider media.

The event is free to attend, and includes lunch and refreshments. Registration will begin at 9.00am and the panel will finish at around 4.00pm. Following the close of the panel session there will be an opportunity to network with the panel members and other delegates.

Delegate places are limited. Therefore, places are available on a first come first served basis. If you would like to attend, please email Peter Coe as soon as possible:


New approach to media cases at the Royal Courts of Justice is a welcome development

Mon, 09/04/2018 - 11:24

Guest post by Dr Judith Townend.

This is an edited version of an article which first appeared in Communications Law journal, volume 23, issue 1 (Bloomsbury Professional) and PA Media Lawyer.

In 2012 Mr Justice Tugendhat, ahead of his retirement in 2014, made a plea for more media specialist barristers and solicitors to consider a judicial role: “As the recruiting posters put it: Your country needs you.”

He emphasised the particular burden of freedom of expression cases, which require judges, for example, to consider the rights of third parties, “even if those third parties choose not to attend court” and to provide reasons for the granting of injunctions at very short notice.

Without expert knowledge of the applicable law, this is no easy task. Fortunately, media law cases have not fallen apart with the respective retirements of Sir Michael Tugendhat and Sir David Eady, and recent specialists to join the High Court include Mr Justice Warby in 2014, and Mr Justice Nicklin in 2017 – both formerly of 5RB chambers.

The arrival of Mr Justice Warby, who was given the newly created role of Judge in charge of the Media and Communications List, has provided a welcome opportunity to propose changes to the procedure of media litigation in the Queen’s Bench Division, where the majority of English defamation and privacy claims are heard.

Since taking on responsibility for the cases involving one or more of the main media torts – including defamation, misuse of private information and breach of duty under the Data Protection 1998 – Mr Justice Warby has spoken about his hopes and plans for the list, and also conducted a consultation among those who litigate in the area, as well as other interested parties.

The consultation considered the adequacy of Civil Procedure Rules and Practice Directions; the adequacy of the regime for monitoring statistics on privacy injunctions; and support for the creation of a new committee.

As a socio-legal researcher rather than legal practitioner, my interest was piqued by the latter two questions.

For some time, I have been concerned that efforts by the Judiciary and the Ministry of Justice to collect and publish anonymised privacy injunction data have been insufficient, and also that the availability of information about media cases could be improved more generally.

My own efforts to access case files and records in 2011-13, to update research conducted by Eric Barendt and others in the mid 1990s, and to interrogate assertions of defamation’s “chilling effect”, proved largely unsuccessful and I was astonished how rudimentary and paper-based internal systems at the Royal Courts of Justice appeared to be.

Although public observers are entitled to access certain documents – such as claim forms – the cost and difficulty in locating claim numbers prohibits any kind of useful bulk research which would allow more sophisticated qualitative and quantitative analysis of media litigation.

I jumped, therefore, at the opportunity of the consultation to raise my concerns about the injunctions data, and to support the creation of a new user group committee.

My submission, with Paul Magrath and Julie Doughty, on behalf of the Transparency Project charity, made suggestions for revising the injunctions data collection process, including the introduction of an audit procedure to check information was being recorded systematically and accurately.

Following the consultation, Mr Justice Warby held a large meeting at the Royal Courts of Justice for all respondents and other interested parties at which he shared a table of proposals from the consultation, provisionally ranked as “most feasible”, “more difficult” and “most difficult”.

The last category also included proposals which would require primary legislation, which would be a matter for Parliament rather than the Judiciary.

I was pleased that our initial proposals on the transparency of injunctions data have been deemed practical and feasible in the first instance.

Also considered achievable are some of the proposals related to case management and listings, updating the pre-action protocol (PAP), the Queen’s Bench Guide, and civil practice directions in light of developments in privacy, data protection and defamation litigation and press regulation (not least to reflect the Defamation Act 2013).

This meeting also established the creation of a new Media and Communications List User Group (MACLUG) to which a range of representatives have been appointed.

The group comprises members of the Bar and private practice solicitors (including both claimant and defendant specialists), in-house counsel, clerks, and a costs practitioner.
Additionally, I have joined as a representative of public interest groups – i.e. those engaged in academic research and third sector work. The new committee met for the first time at the end of 2017, and members have formed smaller working groups to take forward the “feasible” proposals, which will be discussed with our respective constituencies in due course, and where relevant, eventually proposed to the Civil Procedure Rule Committee to consider.

In a speech to the Annual Conference of the Media Law Resource Center in September last year Mr Justice Warby identified his overall aims for the “big picture” and landscape of media litigation: to resolve disputes fairly, promptly, and at reasonable cost.

All of which were “easier said than done”, in his words. Quite so. But it is right that it should be attempted, and with judicial input where appropriate.

Mr Justice Warby’s efforts to date are to be applauded, and in particular, his open approach in addressing some of the flaws and inconsistencies of current practice, and evaluating structural and systemic issues.

That said, a committee formed by the judiciary is constrained in its remit, quite rightly. The consideration of changes to primary legislation should fall to Parliament.

It is therefore important that media law practitioners and other stakeholders should also work with the Ministry of Justice and HM Courts and Tribunals Service to inform ongoing work on courts modernisation, and push for wider consultation and involvement in reforms. A further challenge is to persuade government and parliamentarians to take on any issues requiring changes to legislation.

Part I of the Leveson Inquiry addressing, in part, the relationship between media proprietors, editors and politicians showed that the process of consultation on public policy affecting the news media has been subject to undue influence by certain private interests, and insufficiently transparent.

To this end, perhaps the new Lord Chancellor and Secretary of State for Justice, David Gauke MP, and the new Secretary of State for Digital, Culture, Media and Sport, Matt Hancock MP, might consider ways in which they can consult more openly and fairly in their development of policy and draft legislation on freedom of expression, reputation and privacy.

Dr Judith Townend is lecturer in media and information law at the University of Sussex and a member of the Queen’s Bench Division Media and Communications List User Group Committee.

Featured image: courtesy of Dave Pearce (@davebass5) on Flickr.

LSE Experts on T3: Omar Al-Ghazzi

Mon, 09/04/2018 - 10:47

This post is re-posted from the LSE Media Policy Project Blog.

As part of a series of interviews with LSE Faculty on themes related to the Truth, Trust and Technology Commission, Dr Omar Al-Ghazzi  talks to LSE MSc student Ariel Riera on ‘echo chambers’ in the context of North Africa and the Middle East.

AR: The spread of misinformation through social media is a main focus of the Commission. Are there similar processes in the Middle East and in the North Africa region?

OA: Questions about trust, divisions within society, and authoritarian use of information or what could be called propaganda are very prevalent in the Middle East and North Africa. So in a way a lot of the issues at hand are not really new if we think about communication processes globally. Much of the attention that misinformation has been getting is in relation to Trump and Brexit. But Syria, for instance, is actually a very productive context to think through these questions, because with the uprising and the war, there was basically an information blackout where no independent journalist could go into the country. This created an environment where witnesses and citizen journalists and activists fill that gap. So it is now a cliché to say that the war in Syria is actually the most documented war. But all that information has not led to a narrative that people understand in relation to what’s happening. And that has to do with trust in digital media and the kind of narratives that the government disseminates. The echo chamber effect in the way people access information from online sources they agree with is also as prevalent in the Middle East as it is globally.

AR: And in these countries, who are the perpetrators of fake news and misinformation and what are the channels?

OA: It is a complicated question because if we talk about the war in Syria, the communication environment is much more complex than the binary division between fake and real. For instance, I am interested in the reporting on the ground in areas that are seeing or witnessing war and conflict. I will give you an example. Now in the suburbs of Damascus, where there is a battle between rebels and the government, there are several cases of children and teenagers doing the reporting. So how should this be picked up by news organisations, and what are the consequences? CNN recently called one of the teenagers based in Eastern Ghouta, Muhammed Najem, a ‘combat reporter’. What are the ethical considerations of that? Does that encourage that teenager to take for instance more risks to get to that footage? How is what he produces objective if first he has obviously no journalism training as a very young person and second he is in a very violent context where his obvious interest lies in his own survival and in getting attention about his and his community’s suffering. He has a voice that he wants to be heard and which should be heard. But why is the expectation, if he is dubbed a ‘combat report’, that what he produces should be objective news reporting?

Beyond this example of the complex picture in war reporting, I think the Middle East region also teaches us that when there is a lack of trust in institutions of any country in the world, when there is division in society about a national sense of belonging, about what it means to be a patriot or a traitor, that would produce mistrust in the media. Basically, a fractured political environment engenders lack of trust in media, and engenders that debate around fake or real. So there is a layer beyond the fakeness and realness that’s really about social cohesion and political identity.

AR: Nationalist politicians all over the world have found in social media a way to bypass mainstream media and appeal directly to voters. What techniques do they use to do this?

OA: Perhaps in the Middle East you don’t find an example of a stream of consciousness relayed live on Twitter like the case is with President Trump, but, like elsewhere in the world, politicians are on Twitter and even foreign policy is often communicated there. Also, a lot of narratives that feed into conflicts, like the Arab-Israeli conflict, take shape on social media. So without looking at social media you certainly don’t get the full picture even of the geopolitics in the region. Without social media, one would not grasp how government positions get internalised by people and how people contribute- whether by feeding into government policies, or maybe resisting them as well.

AR: Based on your observations in North Africa and the Middle East, can mistrust or even distrust of mainstream media outlets be a healthy instinct? For example, if mainstream media is a place where only one voice is heard.

OA: Even though a lot of the media are politicised in the Arab world because they are government owned, people have access to media other than their own governments because of a common regional cultural affiliation, a shared language and the nature of the regional media environment. So actually people in the Arab world are sophisticated media users because they have access to a wide array of media outlets. Of course, there are outlets that are controlled by governments wherever one may be situated and things vary between different countries, but audiences can access pan-Arab news media such as Al Jazeera, Al Arabiya and Al Mayadeen. They have access to a wide array of online news platforms as well as broadcast news. So you really have a lot of choices. If you are a very informed audience member you would watch one news outlet to know, let’s say, what the Iranian position on a certain event is, and then you watch a Saudi funded channel to see the Saudi. But of course, most people don’t do that because you know they just access the media that offers the perspective they already agree with.

We have to remember that in the context of the Middle East there is a lot of different conflicts, there is war, which obviously heightens the emotions of people and their allegiances and whatever their worldview is. So we are also talking about the context that, because of what is happening on the ground, people feel strongly about their political positioning which feeds into the echo chamber effect.

AR: You wrote that, at least linked to the Arab Spring, there was a ‘diversity of acts referred to as citizen journalism’. What differentiates these practices from the journalism within established media?

OA: Basically, in relation to the 2011 Arab uprisings, there were a lot of academic and journalistic approaches that talked about how these uprisings were Facebook or Twitter revolutions, or only theorising digital media practices through the lens of citizen journalism. But I argued that we cannot privilege one lens to look at what digital media does on the political level because a lot of people use digital media, from terrorist organisations to activists on the ground to government agents. So one cannot privilege a particular use of digital media and focus on that and make claims about digital media generally, when actually the picture is much more complicated and needs to be sorted out more.

Of course the proliferation of smartphones and social media offered ordinary people the opportunity to have their own output, to produce witness videos or write opinions. It is a very different media ecology because of that. However, we cannot take for granted how social media is used by different actors. In social science we have to think about issues of class, literacy, the urban rural divide, the political system, the media system. And, within that complexity, locate particular practices of social media rather than make blanket statements about social media doing something to politics generally and universally.

Dr Omar Al-Ghazzi is Assistant Professor in the Department of Media and Communications at LSE. He completed his PhD at the Annenberg School for Communication, the University of Pennsylvania, and holds MAs in Communication from the University of Pennsylvania and American University and a BA in Communication Arts from the Lebanese American University.



Recent developments on freedom of expression, Dr David Goldberg

Fri, 16/03/2018 - 10:23

This post brings us some recent developments on freedom expression from Dr David Goldberg, Senior Visiting Fellow, Institute of Computer and Communications Law in the Centre for Commercial Law Studies, Queen Mary, University of London, and member of the Information Law and Policy Centre’s Advisory Board.

Dr Goldberg has recently co-organised a symposium at the Southwestern Law School, Los Angeles, on “Fake News and Weaponized Defamation”. The event took place on the 26th January 2018. Further information on the event can be found at: Photos from the event are available at

Dr Goldberg delivered a presentation at the event calling for enhancing media literacy, and cautioning against over-relying on the law to deal with the so-called phenomenon of fake news. Dr Goldberg’s presentation will be available in a forthcoming publication.

In addition, Dr Goldberg has recently published a chapter entitled ‘Dronalism, Newsgathering Protection and Day-to-day Norms’ in Responsible Drone Journalism (2018) edited by Astrid Gynnild and Turo Uskali. The book is available at

Lastly, following up on the ‘Freedom of Information at 250’ event held at the Free Word Centre in December 2016 with the support of the Information Law and Policy Centre at the Institute of Advanced Legal Studies, and the Embassies of Sweden and Finland, the publication Press Freedom 250 Years: Freedom of the Press and Public Access to Official Documents in Sweden and Finland – A Living Heritage from 1766 is now available in English. The publication of this translation has been in large part due to the efforts of Dr David Goldberg, Mark Weiler and Staffan Dalhoff. The book was launched on 2nd December 2016 at the Swedish Parliament, and the free PDF is available at

To order the book for libraries, contact:
Riksdag Printing Office, SE 100 12 Stockholm

ILPC Annual Conference and Annual Lecture 2017 Children and Digital Rights: Regulating Freedoms and Safeguards

Tue, 13/03/2018 - 17:07

ILPC Annual Conference and Annual Lecture 2017
Children and Digital Rights: Regulating Freedoms and Safeguards

The Internet provides children with more freedom to communicate, learn, create, share, and engage with society than ever before. Research by Ofcom in 2016 found that 72 percent of young teenagers in the UK have social media accounts. Twenty percent of the same group have made their own digital music and 30 percent have used the Internet for civic engagement by signing online petitions or by sharing and talking about the news.

Interacting within this connected digital world, however, also presents a number of challenges to ensuring the adequate protection of a child’s rights to privacy, freedom of expression, and safety, both online and offline. These risks range from children being unable to identify advertisements on search engines to being subjects of bullying or grooming or other types of abuse in online chat groups.

Children may also be targeted via social media platforms with methods (such as fake online identities or manipulated photos and images) specially designed to harm them or exploit their particular vulnerabilities and naivety.

These issues were the focus of the 2017 Annual Conference of the Information Law and Policy Centre (ILPC) based at the Institute of Advanced Legal Studies, University of London. The ILPC produces, promotes, and facilitates research about the law and policy of information and data, and the ways in which law both restricts and enables the sharing and dissemination of different types of information.

The ILPC’s Annual conference was one of a series of events celebrating
the 70th Anniversary of the founding of the Institute of Advanced Legal Studies. Other events included the ILPC’s Being Human Festival expert and interdisciplinary panel discussion on ‘Co-existing with HAL 9000: Being Human in a World with Artificial Intelligence’.

At the 2017 ILPC Annual Conference, leading policymakers, practitioners, regulators, key representatives from industry and civil society, and academic experts examined and debated the opportunities and challenges posed by current and future legal frameworks and the policies being used and developed to safeguard these freedoms and rights.

These leading stakeholders included Rachel Bishop, Deputy Director of Internet Policy at the Department of Digital (DCMS); Lisa Atkinson, the Information Commissioner’s Office (ICO) Head of Policy; Anna Morgan, Deputy Data Protection Commissioner of Ireland; Graham Smith, Internet law expert at Bird & Bird LLP), Renate Samson, former CEO of privacy advocacy organisation Big Brother Watch, and Simon Milner, Facebook’s Policy Director for the UK, Africa, and Middle East.

The legal systems under scrutiny included the UN Convention on the Rights of the Child and the related provisions of the UK Digital Charter, and the UK Data Protection Bill, which will implement the major reforms of the much anticipated EU General Data Protection Regulation (2016/679) (GDPR) which will soon enter into force on 25 May 2018. Key concerns expressed at the conference by delegates included the effectiveness in practice and lack of evidence-based policy for the controversial age of consent for children and their use of online information services provided for under the GDPR.

Further questions were raised with respect to what impact in practice will there be for children’s privacy, their freedom of expression, and their civil liberties as a result of the new transparency and accountability principles and mechanisms that must be implemented by industry and governments when their data processing involves the online marketing to, or monitoring, of children.

Given the importance and pertinence of these challenging and cutting-edge policy issues, the Centre is delighted that several papers, by regulators and academic experts from institutions within the UK, the EU, and beyond, which were presented, discussed, and debated at the conference’s plenary sessions and keynote panels, feature in a special issue of the leading peer-review legal journal of Communications Law, published by Bloomsbury Publishers.

This special issue also includes the Centre’s 2017 Annual Lecture delivered by one of the country’s leading children’s online rights campaigners, Baroness Beeban Kidron OBE, also a member of the House of Lords and film-maker, on ‘Are Children more than Clickbait in the 21st Century?’

For IALS podcasts of the 2017 ILPC Annual Lecture delivered by Baroness Kidron and presentations from the Annual Conference’s Keynote Panel, please see the IALS website at:

Nora Ni Loideain
Director and Lecturer in Law,
Information Law and Policy Centre,
IALS, University of London.

5th Winchester Conference on Trust, Risk, Information and the Law Wednesday 25 April 2018, Winchester, UK

Mon, 12/03/2018 - 11:37

5th Winchester Conference on Trust, Risk, Information and the Law Wednesday 25 April 2018, Holiday Inn, Winchester, UK

Theme: Public Law, Politics and the Constitution: A new battleground between the Law and Technology?

Keynote speakers will be Michael Barton, Chief Constable of Durham Constabulary who has spoken recently about the need to reclaim ‘sovereignty’ over the Internet, and Jamie Bartlett, Director of the Centre for the Analysis of Social Media for Demos in conjunction with the University of Sussex, and author of several books including ‘Radicals’ and ‘The Dark Net’.  Breakout sessions will explore fake news, the use of algorithms in the public sector, infringements over the Internet and other issues.  The conference will include the launch of the University of Winchester’s new Centre for Parliament and Public Law, with a presentation highlighting the ongoing work of the Department of Culture, Media & Sport in the area of Data Ethics & Innovation.


For the full conference programme, please visit


To book, please go to

British government’s new ‘anti-fake news’ unit has been tried before – and it got out of hand

Tue, 06/02/2018 - 13:44

In this guest post, Dan Lomas, Programme Leader, MA Intelligence and Security Studies, University of Salford, explores the British government’s new ‘anti-fake news’ unit.

The decision to set up a new National Security Communications Unit to counter the growth of “fake news” is not the first time the UK government has devoted resources to exploit the defensive and offensive capabilities of information. A similar thing was tried in the Cold War era, with mixed results.

The planned unit has emerged as part of a wider review of defence capabilities. It will reportedly be dedicated to “combating disinformation by state actors and others” and was agreed at a meeting of the National Security Council (NSC).

As a spokesperson for UK prime minister Theresa May told journalists:

We are living in an era of fake news and competing narratives. The government will respond with more and better use of national security communications to tackle these interconnected, complex challenges.


Parliament’s Digital, Culture, Media and Sport Committee is currently investigating the use of fake news – the spreading of stories of “uncertain provenance or accuracy” – through social media and other channels. The investigation is taking place amid claims that Russia used hundreds of fake accounts to tweet about Brexit. The head of the army, General Sir Nick Carter, recently told the think-tank RUSI that Britain should be prepared to fight an increasingly assertive Russia.

Details of the new anti-fake news unit are vague, but may mark a return to Britain’s Cold War past and the work of the Foreign Office’s Information Research Department (IRD), which was set up in 1948 to counter Soviet propaganda. The unit was the brainchild of Christopher Mayhew, Labour MP and under-secretary in the Foreign Office, and grew to become one of largest Foreign Office departments before its disbandment in 1977 – a story revealed in The Guardian in January 1978 by its investigative reporter David Leigh.

This secretive government body worked with politicians, journalists and foreign governments to counter Soviet lies, through unattributable “grey” propaganda and confidential briefings on “Communist themes”. IRD eventually expanded from this narrow anti-Soviet remit to protect British interests where they were likely “to be the object of hostile threats”.

Read more:
Good luck banning fake news – here’s why it’s unlikely to happen

By 1949, IRD had a staff of just 52, all based in central London. By 1965 it employed 390 staff, including 48 overseas, with a budget of over £1m mostly paid from the “secret vote” used to fund the UK intelligence community. IRD also worked alongside the Secret Intelligence Service (SIS or MI6) and the BBC’s World Service.

Playing hardball with soft power

Examples of IRD’s early work include reports on Soviet gulags and the promotion of anti-communist literature. George Orwell’s work was actively promoted by the unit. Shortly before his death in 1950, Orwell even gave it a list of left-wing writers and journalists “who should not be trusted” to spread IRD’s message. During that decade, the department even moved into British domestic politics by setting up a “home desk” to counter communism in industry.


IRD also played an important role in undermining Indonesia’s President Sukarno in the 1960s, as well as supporting western NGOs – especially the Thomson and Ford Foundations. In 1996, former IRD official Norman Reddaway provided more information on IRD’s “long-term” campaigns (contained in private papers). These included “English by TV” broadcast to the Gulf, Sudan, Ethiopia and China, with other IRD-backed BBC initiatives – “Follow Me” and “Follow Me to Science” – which had an estimated audience of 100m in China.

IRD was even involved in supporting Britain’s entry to the European Economic Community, promoting the UK’s interests in Europe and backing politicians on both sides. It would shape the debate by writing a letter or article a day in the quality press. The department was also involved in more controversial campaigns, spreading anti-IRA propaganda during The Troubles in Northern Ireland, supporting Britain’s control of Gibraltar and countering the “Black Power” movement in the Caribbean.

Overthrown: President Sukarno of Indonesia. Going too far

IRD’s activities were steadily getting out of hand, yet an internal 1971 review found the department was still needed, given “the primary threat to British and Western interests worldwide remains that from Soviet Communism” and the “violent revolutionaries of the ‘New Left’”. IRD was a “flexible auxiliary, specialising in influencing opinion”, yet its days were numbered. By 1972 the organisation had just over 100 staff and faced significant budget cuts, despite attempts at reform.

IRD was eventually killed off thanks to opposition from Foreign Office mandarins and the then Labour foreign secretary, David Owen – though that may not be the end of the story. Officials soon set up the Overseas Information Department – likely a play on IRD’s name – tasked with making “attributable and non-attributable” written guidance for journalists and politicians, though its overall role is unclear. Information work was also carried out by “alongsiders” such as the former IRD official Brian Crozier.

The history of IRD’s work is important to future debates on government strategy in countering “fake news”. The unit’s effectiveness is certainly open to debate. In many cases, IRD’s work reinforced the anti-Soviet views of some, while doing little, if anything, to influence general opinion.

In 1976, one Foreign Office official even admitted that IRD’s work could do “more harm than good to institutionalise our opposition” and was “very expensive in manpower and is practically impossible to evaluate in cost effectiveness” – a point worth considering today.

IRD’s rapid expansion from anti-communist unit to protecting Britain’s interests across the globe also shows that it’s hard to manage information campaigns. What may start out as a unit to counter “fake news” could easily spiral out of control, especially given the rapidly expanding online battlefield.

Government penny pinching on defence – a key issue in current debates – could also fail to match the resources at the disposal of the Russian state. In short, the lessons of IRD show that information work is not a quick fix. The British government could learn a lot by visiting the past.

This article was originally published on The Conversation. Read the original article.

Annual Conference 2017 Resources

Tue, 06/02/2018 - 12:16

The Information Law and Policy Centre held its third annual conference on 17th November 2017. The workshop’s theme was: ‘Children and Digital Rights: Regulating Freedoms and Safeguards’.

The workshop brought together regulators, practitioners, civil society, and leading academic experts who addressed and examined the key legal frameworks and policies being used and developed to safeguard children’s digital freedoms and rights. These legislative and policy regimes include the UN Convention on the Rights of the Child, and the related provisions (such as consent, transparency, and profiling) under the UK Digital Charter, and the Data Protection Bill which will implement the EU General Data Protection Regulation.

The following resources are available online:

  • Full programme
  • Presentation: ILPC Annual Conference, Baroness Beeban Kidron (video)
  • Presentation: ILPC Annual Conference, Anna Morgan (video)
  • Presentation: ILPC Annual Conference, Lisa Atkinson (video)
  • Presentation: ILPC Annual Conference, Rachael Bishop (video)

Co-existing with HAL 9000: Being Human in a World with AI

Tue, 23/01/2018 - 11:53

This event will focus on the implications posed by the increasingly significant role of artificial intelligence (AI) in society and the possible ways in which humans will co-exist with AI in future, particularly the impact that this interaction will have on our liberty, privacy, and agency. Will the benefits of AI only be achieved at the expense of these human rights and values? Do current laws, ethics, or technologies offer any guidance with respect to how we should navigate this future society?

Organisations: Institute of Advanced Legal Studies Event date: Monday, 20 November 2017 – 5:30pm Visit the event page

Emotion detection, personalisation and autonomous decision-making online

Tue, 23/01/2018 - 11:18

05 Feb 2018, 17:30 to 05 Feb 2018, 19:30
Institute of Advanced Legal Studies
Institute of Advanced Legal Studies, 17 Russell Square, London WC1B 5DR

Speaker: Damian Clifford, KU Leuven Centre for IT and IP Law

Panel Discussants: Dr Edina Harbinja, Senior Lecturer in Law, University of Hertfordshire.

Chair: Dr Nora Ni Loideain, Director and Lecturer in Law, Information Law and Policy Centre, Institute of Advanced Legal Studies


Emotions play a key role in decision making. Technological advancements are now rendering emotions detectable in real-time. Building on the granular insights provided by big data, such technological developments allow commercial entities to move beyond the targeting of behaviour in advertisements to the personalisation of services, interfaces and the other consumer-facing interactions, based on personal preferences, biases and emotion insights gleaned from the tracking of online activity and profiling and the emergence of ‘emphathic media’.

Although emotion measurement is far from a new phenomenon, technological developments are increasing the capacity to monetise emotions. From the analysis of inter alia facial expressions, voice/sound patterns, to text and data mining, and the use of smart devices to detect emotions, such techniques are becoming mainstream.

Despite the fact there are many applications of such technologies which appear morally above reproach (i.e. at least in terms of their goals (e.g. healthcare or road safety) as opposed to the risks associated with their implementation, deployment and their potential effects), their use for advertising and marketing purposes raises clear concerns in terms of the rationality-based paradigm inherent to citizen-consumer protections and thus the autonomous decision-making capacity of individuals.

In this ILPC seminar, Visiting Scholar Damian Clifford will examine the emergence of such technologies in an online context vis-à-vis their use for commercial advertising and marketing purposes (construed broadly) and the challenges they present for EU data protection and consumer protection law. The analysis will rely on a descriptive and evaluative analysis of the relevant frameworks and aims to provide normative insights into the potential legal challenges presented by emotion commercialisation online.

Discussant:  Dr Edina Harbinja is a Senior Lecturer in Law at the University of Hertfordshire. Her principal areas of research and teaching are related to the legal issues surrounding the Internet and emerging technologies. In her research, Edina explores the application of property, contract law, intellectual property and privacy online. Edina is a pioneer and a recognised expert in post-mortem privacy, i.e. privacy of the deceased individuals. Her research has a policy and multidisciplinary focus and aims to explore different options of regulation of online behaviours and phenomena. She has been a visiting scholar and invited speaker to universities and conferences in the USA, Latin America and Europe, and has undertaken consultancy for the Fundamental Rights Agency. Her research has been cited by legislators, courts and policymakers in the US and Europe as well. Find her on Twitter at @EdinaRl.

A wine reception will follow this seminar.

This event is FREE but advanced booking is required.

Book now

Personal Data as an Asset: Design and Incentive Alignments in a Personal Data Economy

Wed, 17/01/2018 - 12:07

19 Feb 2018, 17:30 to 19 Feb 2018, 19:30
Institute of Advanced Legal Studies, 17 Russell Square, London WC1B 5DR

Personal Data as an Asset: Design and Incentive Alignments in a Personal Data Economy  Description of Presentation:  Despite the World Economic Forum (2011) report on personal data becoming an asset class  the cost of transacting on personal data is becoming increasingly high with regulatory risks, societal disapproval, legal complexity and privacy concerns.  Professor Irene Ng contends that this is because personal data as an asset is currently controlled by organisations. As a co-produced asset, the person has not had the technological capability to control and process his or her own data or indeed, data in general. Hence, legal and economic structures have been created only around Organisation-controlled personal data (OPD).  This presentation will argue that a person-controlled personal data (PPD), technologically, legally and economically architected such that the individual owns a personal micro-server and therefore have full rights to the data within, much like owning a PC or a smartphone, is potentially a route to reducing transaction costs and innovating in the personal data economy. I will present the design and incentive alignments of stakeholders on the HAT hub-of-all-things platform (

Key Speaker:

Professor Irene Ng, University of Warwick

Professor Irene Ng is the Director of the International Institute for Product and Service Innovation and the Professor of Marketing and Service Systems at WMG, University of Warwick. She is also the Chairman of the Hub-of-all-Things (HAT) Foundation Group ( A market design economist, Professor Ng is an advisor to large organisations, startups and governments on design of markets, economic and business models in the digital economy. Personal website

Panel Discussants:



Dr Nora Ni Loideain, Director and Lecturer in Law, Information Law & Policy Centre, IALS


Wine reception to follow.


People don’t trust AI – here’s how we can change that

Tue, 16/01/2018 - 12:54

In this guest post, Vyacheslav Polonski, Researcher, University of Oxford  examines the key question of trust or fear of AI and we interact with it.

Artificial intelligence can already predict the future. Police forces are using it to map when and where crime is likely to occur. Doctors can use it to predict when a patient is most likely to have a heart attack or stroke. Researchers are even trying to give AI imagination so it can plan for unexpected consequences.

Many decisions in our lives require a good forecast, and AI agents are almost always better at forecasting than their human counterparts. Yet for all these technological advances, we still seem to deeply lack confidence in AI predictions. Recent cases show that people don’t like relying on AI and prefer to trust human experts, even if these experts are wrong.

If we want AI to really benefit people, we need to find a way to get people to trust it. To do that, we need to understand why people are so reluctant to trust AI in the first place.

Should you trust Dr. Robot?

IBM’s attempt to promote its supercomputer programme to cancer doctors (Watson for Onology) was a PR disaster. The AI promised to deliver top-quality recommendations on the treatment of 12 cancers that accounted for 80% of the world’s cases. As of today, over 14,000 patients worldwide have received advice based on its calculations.

But when doctors first interacted with Watson they found themselves in a rather difficult situation. On the one hand, if Watson provided guidance about a treatment that coincided with their own opinions, physicians did not see much value in Watson’s recommendations. The supercomputer was simply telling them what they already know, and these recommendations did not change the actual treatment. This may have given doctors some peace of mind, providing them with more confidence in their own decisions. But IBM has yet to provide evidence that Watson actually improves cancer survival rates.

On the other hand, if Watson generated a recommendation that contradicted the experts’ opinion, doctors would typically conclude that Watson wasn’t competent. And the machine wouldn’t be able to explain why its treatment was plausible because its machine learning algorithms were simply too complex to be fully understood by humans. Consequently, this has caused even more mistrust and disbelief, leading many doctors to ignore the seemingly outlandish AI recommendations and stick to their own expertise.

As a result, IBM Watson’s premier medical partner, the MD Anderson Cancer Center, recently announced it was dropping the programme. Similarly, a Danish hospital reportedly abandoned the AI programme after discovering that its cancer doctors disagreed with Watson in over two thirds of cases.

The problem with Watson for Oncology was that doctors simply didn’t trust it. Human trust is often based on our understanding of how other people think and having experience of their reliability. This helps create a psychological feeling of safety. AI, on the other hand, is still fairly new and unfamiliar to most people. It makes decisions using a complex system of analysis to identify potentially hidden patterns and weak signals from large amounts of data.

Even if it can be technically explained (and that’s not always the case), AI’s decision-making process is usually too difficult for most people to understand. And interacting with something we don’t understand can cause anxiety and make us feel like we’re losing control. Many people are also simply not familiar with many instances of AI actually working, because it often happens in the background.

Instead, they are acutely aware of instances where AI goes wrong: a Google algorithm that classifies people of colour as gorillas; a Microsoft chatbot that decides to become a white supremacist in less than a day; a Tesla car operating in autopilot mode that resulted in a fatal accident. These unfortunate examples have received a disproportionate amount of media attention, emphasising the message that we cannot rely on technology. Machine learning is not foolproof, in part because the humans who design it aren’t.

A new AI divide in society?

Feelings about AI also run deep. My colleagues and I recently ran an experiment where we asked people from a range of backgrounds to watch various sci-fi films about AI and then asked them questions about automation in everyday life. We found that, regardless of whether the film they watched depicted AI in a positive or negative light, simply watching a cinematic vision of our technological future polarised the participants’ attitudes. Optimists became more extreme in their enthusiasm for AI and sceptics became even more guarded.

This suggests people use relevant evidence about AI in a biased manner to support their existing attitudes, a deep-rooted human tendency known as confirmation bias. As AI is reported and represented more and more in the media, it could contribute to a deeply divided society, split between those who benefit from AI and those who reject it. More pertinently, refusing to accept the advantages offered by AI could place a large group of people at a serious disadvantage.

Three ways out of the AI trust crisis

Fortunately we already have some ideas about how to improve trust in AI. Simply having previous experience with AI can significantly improve people’s attitudes towards the technology, as we found in our study. Similar evidence also suggests the more you use other technologies such as the internet, the more you trust them.

Another solution may be to open the “black-box” of machine learning algorithms and be more transparent about how they work. Companies such as Google, Airbnb and Twitter already release transparency reports about government requests and surveillance disclosures. A similar practice for AI systems could help people have a better understanding of algorithmic decisions are made.

Research suggests involving people more in the AI decision-making process could also improve trust and allow the AI to learn from human experience. For example,one study showed people were given the freedom to slightly modify an algorithm felt more satisfied with its decisions, more likely to believe it was superior and more likely to use it in the future.

We don’t need to understand the intricate inner workings of AI systems, but if people are given at least a bit of information about and control over how they are implemented, they will be more open to accepting AI into their lives.

This article was originally published on The Conversation. Read the original article.

A Prediction about Predictions

Tue, 19/12/2017 - 11:33

In this guest post, Marion Oswald offers her homage to Yes Minister and, in that tradition, smuggles in some pertinent observations on AI fears. This post first appeared on the SCL website’s Blog as part of Laurence Eastham’s Predictions 2018 series. It is also appearing in Computers & Law, December/January issue.

Humphrey, I want to do something about predictions.

Indeed, Minister.

Yes Humphrey, the machines are taking over.

Are they Minister?

Yes Humphrey, my advisers tell me I should be up in arms.  Machines – ‘AI’ they call it – predicting what I’m going to buy, when I’m going to die, even if I’ll commit a crime.

Surely not, Minister.

Not me personally, of course, Humphrey – other people.  And then there’s this scandal over Cambridge Analytica and voter profiling.  Has no-one heard of the secret ballot?

Everyone knows which way you would vote, Minister.

Yes, yes, not me personally, of course, Humphrey – other people.  Anyway, I want to do something about it.

Of course, Minister.  Let me see – you want to ban voter and customer profiling, crime risk assessment and predictions of one’s demise, so that would mean no more targeted advertising, political campaigning, predictive policing, early parole releases, life insurance policies…

Well, let’s not be too hasty Humphrey.  I didn’t say anything about banning things.

My sincere apologies Minister, I had understood you wanted to do something.

Yes, Humphrey, about the machines, the AI.  People don’t like the idea of some faceless computer snooping into their lives and making predictions about them.

But it’s alright if a human does it.

Yes…well no…I don’t know.  What do you suggest Humphrey?

As I see it Minister, you have two problems.

Do I?

The people are the ones with the votes, the AI developers are the ones with the money and the important clients – insurance companies, social media giants, dare I say it, even political parties..

Yes, yes, I see.  I mustn’t alienate the money.  But I must be seen to be doing something Humphrey.

I have two suggestions Minister.  First, everything must be ‘transparent’.  Organisations using AI must say how their technology works and what data it uses.  Information, information everywhere…

I like it Humphrey.  Power to the people and all that.  And if they’ve had the information, they can’t complain, eh.  And the second thing?

A Commission, Minister, or a Committee, with eminent members, debating, assessing, scrutinising, evaluating, appraising…

And what is this Commission to do?

“Do” Minister?

What will the Commission do about predictions and AI?

It will scrutinise, Minister, it will evaluate, appraise and assess, and then, in two or three years, it will report.

But what will it say Humphrey?

I cannot possibly predict what the Commission on Predictions would say, being a mere humble servant of the Crown.


But if I had to guess, I think it highly likely that it will say that context reigns supreme – there are good predictions and there are bad predictions, and there is good AI and there is bad AI.

So after three years of talking, all it will say is that ‘it depends’.

Yes Minister.

In homage to ‘Yes Minister’ by Antony Jay and Jonathan Lynn 

Marion Oswald, Senior Fellow in Law, Head of the Centre for Information Rights, University of Winchester

The Fifth Interdisciplinary Winchester Conference on Trust, Risk, Information and the Law will be held on Wednesday 25 April 2018 at the Holiday Inn, Winchester UK.  Our overall theme for this conference will be: Public Law, Politics and the Constitution: A new battleground between the Law and Technology?  The call for papers and booking information can be found at