Take yourself back to May 2011, the month that changes to the ePrivacy Directive (Article 5(3)) were supposed to be transposed into national laws across Europe; the purpose of the changes was to better protect European Citizens from unauthorised behavioural tracking of their online activities. This was a change I had pushed for over the previous years through my privacy work, so obviously I was looking forward to seeing the outcome of what had been a very tiring and long process.
Things were looking good at the beginning of the month, the Information Commissioner's Office were making very positive noises about the changes and it looked like everything was going to go ahead without a glitch.
Enter Ed Vaizey (Minister for Department of Culture, Media and Sport - DCMS) from stage left - Ed is very industry friendly and had been lobbied relentlessly by the advertising industry to weaken the changes when adding them to UK law - in fact the UK had already tried to have the wording changed in the Directive by sending a memo to the European Commission in November 2009 - they failed in that endeavour, largly thanks to the resolve of Commissioner Reding, but they did manage to get a Recital added to the final implementation of the Directive (Recital 66) suggesting that browser controls might be a valid form of consent removing the need for prior informed consent (a suggestion which has been widely debunked since by various European Commissioners and the Article 29 Data Protection Working Party).
Around the same time, Google held a "Big Tent" event in the UK and it was brought to my attention that Eric Schmidt had been seen entering 10 Downing Street around the same date. Over the course of the next few weeks leading up to the deadline to implement the changes into national laws, there was a significant shift from the Information Commissioner who eventually issued a statement that they would not begin taking enforcement action until 12 months after the law was changed - which in itself was problematic as they were effectively ignoring the law they have a duty to enforce.
Obviously I was concerned, I had worked very hard on these issues, they had been my life for the previous 3 years and I became suspicious given the information I had been passed by various third parties. So I decided to apply for disclosure under the Freedom of Information Act 2000 to find out whether the Information Commissioner's Office (which is supposed to be independent of Government) had been coerced into their 180 degree change of position by a government agency, specifically the Department for Culture, Media and Sport.
I sent the following request for information to DCMS on 27th May 2011:
"Dear Department for Culture, Media and Sport,
It has come to my attention that Ed Vaizey held a private meeting with Eric Schmidt on (or around) 18th May 2011.
Please provide details of the purpose of this meeting.
Please also provide minutes of this meeting and if no minutes were taken please explain why.
Please provide copies of any correspondence between DCMS or Ed Vaizey and Google or Eric Schmidt regarding the upcoming changes to UK Law in relation to the changes to 5(3) of the ePrivacy Directive."I received a response as follows:
From: Matt Brittin
Sent: 06 May 2011 14:48
To: [Ed Vaizey]
Subject: Revised ePrivacy Directive
Dear Ed,
Google welcomed the UK Government's recent positive response on the revised ePrivacy directive. In particular, how a user will gain consent in the context of clarity about the purposes of access to their information. We also welcomed the Government's support for the cross-industry self-regulatory initiative for behavioural advertising in meeting the requirements of the Directive.
We will also continue to work with the Government to enhance users' ability to understand and organise web browser settings and other applications to their choice. Our agreed approach was to make participants in the advertising value chain responsible for the provision of clear information to the user alongside straightforward tools for managing the use of cookies and data.
However, the drafting of the Statutory Instrument (which the Internet Advertising Bureau (IAB) has shared confidentially with us and which we are disappointed to hear has already been laid) adds new language to that of Recital 66 to the effect that consent is given by the subscriber or user via the amendment or setting of controls. We are extremely concerned about the implications of this. This is not the wording in the Directive and therefore is not the approach that the DCMS consulted upon last year. As such, it appears to be `gold-plating' a European Directive in a way we understand the Coalition Government has committed not to do. The language of Recital 66 itself is quite sufficient without making it technically prescriptive in this way. It says: "Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user's consent to processing may be expressed by using the appropriate settings of a browser or other application".
Both the French and Irish Government's wording on browsers are almost verbatim from Recital 66 and are, as a result, far more business-friendly. The UK is currently the largest per capita e-commerce market in the world and we risk throwing our competitive advantage away if the UK does not reconsider its approach towards the implementation of this Directive. It is worth noting that the French seem unconcerned about transposing the Directive late in order to consult with valued industry stakeholders on their proposals. We would urge the UK to take a similar approach to ensure that industry are given a chance to feed in to the process before legislation is passed.
Best wishes,
Matt
--
Matt Brittin - MD UK & Ireland Operations, GoogleAs you might expect, I was outraged, the communication clearly shows that Google suggested the UK Government should ignore the deadline to implement the changes in to UK law - which is exactly what happened.
This illustrated to me that the DCMS had colluded with a private company to break European law (implementation of the changes was a legal requirement), it was a clear conspiracy and I wanted to know how deep it went. I spent the next 8 months thinking about how best to move forward until finally in January this year I decided to file another FOI request - this time with the Information Commissioner's Office to find out what ICO and DCMS has discussed leading up to the May deadline as follows:
"Dear Information Commissioner’s Office,
Please provide copies of all communications between the Department for Media, Culture and Sport (and/or Ed Vaizey) and the Information Commissioners Office (and/or Christopher Graham) between January 1st 2011 and May 26th 2011 with regards to changes to the ePrivacy Directive due to be transposed into UK Law by 26th May 2011."Yesterday the Information Commissioner's Office replied to the request with a copy of two letters (one from the Information Commissioner to Ed Vaizey and the other, Ed Vaizey's reply, both of which can be found
here.
There is some useful information in the exchanges but nothing particularly incriminating, I have filed a further request for disclosure of communications between Ed Vaizey and the Information Commissioner throughout 2010 including the August correspondence referred to in the letters.
However, this was only a part response, the Information Commissioner's Office refused to disclose communications between themselves and DCMS as follows:
"We have considered further correspondence between DCMS legal advisers and the ICO but have found that this is exempt under section 42 Freedom of Information Act 2000 (FOIA) Legal Professional Privilege.
Section 42(1) states that ‘information in respect of which a claim to legal professional privilege or, in Scotland, to confidentiality of
communications could be maintained in legal proceedings is exempt information’.
When considering whether to apply it in response to a request for information, we must consider a public interest test. That is, we must consider whether the public interest favours withholding or disclosing the information.
In this case the public interest factors in disclosing the emails are:
* Increased transparency in the way in which the ICO communicates with organisations important to its business
* Furthering the understanding of the implementation of new regulations
The factors in withholding the information are:
* the public interest in maintaining the ICO’s ability to be consulted on matters of importance to its interests and regulatory functions.
* the public interest in allowing organisations with shared interest the ability to consult and discuss complex legal issues with the aim of better understanding each others position. This will allow the issues of concern to the general public to be discussed and debated in details.
Having considered all of these factors we have taken the decision that the public interest in withholding the information outweighs the public interest in disclosing it. Therefore in this instance we are unable to provide you with the correspondence in question.
Further, we have considered other correspondence between relevant ICO staff and relevant members of DCMS staff and found that section 36 (2) (b) (ii) FOIA is engaged.
With regard to this information it is in the opinion of the Qualified Person that section 36 (2) (b) (ii) is engaged and that the disclosure of the information would be likely to inhibit the free and frank exchange of views for the purposes of deliberation
However, section 36 is a qualified exemption and so we turn to the public interest test.
The public interest factors in favour of disclosing the information are:
* increased transparency in the way the ICO has communicated with DCMS and the increased understanding of the issues discussed
* Furthering the public confidence that issues of importance and of interest are discussed at the appropriate level and in appropriate detail
The public interest factors in favour of withholding the information are:
* the public interest in the ICO and DCMS being able to discuss complex points in detail and share ideas prior to finalising these points
* the public interest in DCMS being able to trust that they are able to consult and communicate with the ICO in a manner appropriate to the issues in the knowledge that information provided to the ICO or discussed with the ICO will not be disseminated prematurely or at all, where appropriate
* the public interest in the ICO maintaining a position where it is able to engage with and be consulted by key external bodies in relation to matters which are of importance to its regulatory function."That is a lot of information so let me start at the top - the refusal to disclose communications between ICO and DCMS Legal Advisors under s42(1).
First of all some background - the exemption is based on what is commonly known as "Attorney/Client Privilege" which is a common law principle that communications between an attorney (lawyer) and their clients are confidential and no-one can be compelled to make such communications public, although the client can waive their right if they so choose.
This is a very odd exemption for ICO to have used, because first and foremost I never requested any communications between DCMS and their Lawyers, I requested communications between ICO and DCMS. So ICO's use of s42(1) would seem to suggest either one of the following:
1. ICO were clients of DCMS' Lawyers and therefore believe their communications fall under the Legal Professional Privilege (LPP) exemption; or
2. ICO were exempting communications between themselves and DCMS because they disclosed communications between DCMS and their Lawyers (which would put DCMS in the position of the client.
On point 1.ICO are supposed to be an Independent Regulator and therefore would not be permitted to accept legal advice as clients to the DCMS Lawyers due to a conflict of interests which would rightfully undermine their independence, a breach of European law which would undoubtedly lead to infringement proceedings by the European Commission and potentially result in legal action against the UK in the European Court of Justice.
So if this is the case, this clearly supports my concerns that DCMS interfered with an independent regulator as well as colluding with a private corporation to ignore the deadline to implement the changes into UK Law -a very serious situation.
On point 2.ICO's own guidance to public authorities on when s42(1) exemptions can be used (
see here) clearly states that s42(1) can only be used if the communications in question have not been shared with a 3rd party (thus removing the argument of confidentiality) - well clearly if ICO are refusing to disclose these communications they must have them which also means DCMS have shared them with a 3rd party thus waiving their LPP rights. So it seems that s42(1) exemption would be invalid.
But (and this is a huge but) even if ICO can argue that some how the LPP rights haven't been waived, this is what is known as a "
qualified exemption" meaning it must further be subjected to a public interest test. Again, in ICO's own guidance on s42(1) they state (with relevant case law cited) that if the communications impact a significant number of people, it is in the public interest and therefore disclosure should occur - one of the examples they cite is the enforcement action they took against the Government on the disclosure of the Iraq War memo written by the Attorney General to the Prime Minister.
Given that the changes to the law were to introduce protection of fundamental rights to privacy which impact the entire population, it is clear (given the case law) that the number of people impacted is enough to satisfy public interest and override the s42(1) exemption.
So no matter which way ICO try to paint the s42(1) exemption, it appears to be completely invalidated by their own guidance (ICO are the regulator responsible for enforcement of the Freedom of Information Act 2000).
Now to the second refusal to my request with regards to other relevant communications between ICO staff and DCMS staff, which ICO claim falls under
36 (2) (b) (ii) exemption.
Again this would appear to be complete nonsense as the changes have already been transposed into UK Law and ICO have already released their public guidance on how to comply with the law - so to argue that disclosure of these communications could "
inhibit the free and frank exchange of views for the purposes of deliberation" is invalid as the deliberations have already concluded so there is no way disclosing these communications now could have any impact on such deliberations.
Furthermore, this is yet again a "qualified exemption" which means that yet again, the public interest test needs to be applied in order to validate the exemption so the same argument offered above regarding public interest certainly would seem to disqualify these communications from 36 (2) (b) (ii) exemption due to the fact that these discussions impact on the entire population.
There are two very serious issues at play here:
1. ICO are the enforcement body for the Freedom of Information Act, yet they are ignoring their own guidance in order to avoid responding to an FOI request directed at themselves; and
2. It leaves little doubt that ICO actually do have something to hide with regards to whether or not their independence was compromised by DCMS.
The entire situation stinks of a conspiracy between DCMS, ICO and the advertising industry (specifically Google) and is clearly unacceptable.
I have filed a request for an Internal Review of ICOs decision not to disclose the communications, which I suspect will yield no favourable result which will require me to then file for a Tribunal. I will publish further information as it becomes available.