Who regulates the Regulator?

Privacy International’s pugnacious Director Simon Davies had an ace up his sleeve for Right to Know Day last week. Internet Eyes is a daft system where people get access to small business CCTV, in the hope of spotting crime and winning a cash prize. Lonely people poring over grainy images of often unidentifiable convenience store shoppers or empty aisles isn’t the worst crime against DP or privacy I’ve heard of, but I agree with Davies that it is hard to reconcile the system with the law.

Privacy International complained to the ICO when images from Internet Eyes appeared on YouTube. The ICO asked Internet Eyes for an undertaking and squeaked out a press release on a busy news day. PI then made an FOI request for background correspondence, and found an email where ICO staff mentioned burying bad news. They released the emails on Right to Know Day to much ironic comment. So far, 1-0 to Privacy International for a neat illustration of how the ICO doesn’t always live up to its own values (one of which is being ‘A Model of Best Practice’). But Davies’ quote for the story went postal:
“We have criticized the Information Commissioner’s Office for many years over its failure to uphold privacy rights in the UK but this episode has cast a more sinister and disturbing light on the activities of the regulator. It is clear that the Office is now incapable of fulfilling its statutory responsibilities and that it has become a danger both to openness and to privacy.”
The FT further quoted him saying: “It is up to the government to decide if the ICO is fit for purpose.”
Given that the Freedom Bill makes the ICO more independent, the Government’s position is pretty obvious. Meanwhile, the Information Commissioner’s own response was withering: “Given the complainants’ long track record of media stunts misrepresenting the ICO’s actions it is perhaps understandable that there was consideration of the presentational issues around the publication of the undertaking we had secured.”
This should have been an Emperor’s New Clothes moment, yet the Commissioner appears to be saying that his invisible threads are still the business. Indeed, we’re to infer that the instinct to bury bad news is Davies’ fault. Privacy International does a noble job in highlighting privacy issues around the world, but in the UK, every time Davies ups the ante, the resulting silence gets harder to ignore. Graham’s response gives the impression that his office doesn’t care what Davies thinks, and by extension, probably doesn’t rate Privacy International highly either.
In April 2009, Privacy International called for a “root and branch overhaul” of the ICO by Parliament. In November 2010, Davies demanded that Parliament “scrutinise the investigatory processes within the ICO and… help the Office become the Watchdog that the public expects it to be”. Three months later, he used his blog to formally invite Nick Clegg to a ‘summit’ to plan the abolition of both the ICO and the DPA in favour of a new Privacy Act. Given that Privacy International’s website describes Davies as being “widely-recognised as the world’s leading privacy advocate”, perhaps he doesn’t need to email his invites. I doubt I can use the same technique, but just in case, if Nick, Dave or Ed aren’t busy, I’ll be using the Wi-Fi at the Gateway in Parrs Wood on Thursday lunchtime if you fancy a chat and the burger and a pint deal.
The demand to Kill Data Protection isn’t just a one-off showstopper to get a debate going, but nothing has come of Davies’ meaty demands. While the Freedom Bill does give Parliament the power to defenestrate a Commissioner who breaks the law or goes bankrupt, it also makes his office more operationally independent. Meanwhile, Davies gives flogging a dead horse a bad name.
The courts uphold UK privacy rights by enforcing the Human Rights Act. Calling for the ICO’s head because it’s not in his job description has all the effect of a heckle, while describing his office as “sinister” and “disturbing” wildly overstates the case. I’d happily call the ICO timid and maladroit, but that’s not going to get me quoted in the Daily Mail. And a threat to privacy? Soon after Davies’ intervention, the Home Secretary Theresa May said that she wanted to repeal the Human Rights Act. There is no comment on PI’s website or Davies’ blog about this sinister and disturbing threat to privacy and openness at the time of writing, though there is a brand new post about a security flaw in some of HTC’s smartphones. Even if Ms May was only trying to appease hangers and floggers before the Tory Conference, Liberty took the trouble to draw an apposite, measured comparison between our record of defending human rights abroad while undermining them at home. I think that’s how to do it.
The ICO’s record on taking strong action is far from perfect. Chris Graham’s tenure hasn’t seen a DP Enforcement Notice since the Consulting Association ones in Summer 2009, and they were the fruit of Richard Thomas’s time. The current approach to DP action is a succession of unenforceable, name-and-shame undertakings for self-reported security breaches, spiced up with a smattering of fines for, erm, self-reported security breaches. Either we’re blessed with a situation where security in the public sector is the only thing wrong with personal data in the UK, or the ICO is only taking action on straightforward security cases that the offenders tell them about.
The ICO should always be under pressure, but a serious examination of where they need to improve is lost in Davies’ all-or-nothing hyperbole. Every statement throws down a gauntlet, demands overhauls, resignations, abolitions, and other milestones that will be conspicuous by their absence. Meanwhile, Graham keeps his cool and gets off the hook for things that may well deserve some scrutiny because although his office could do better, it does not deserve to be abolished and neither does he. Chris Graham is a former journalist whose media assurance could outflank much sharper assaults than PI’s current blunderbuss strategy.
In 2008, facing criticism for an alleged conflict of interest, Simon Davies explained his private sector work with the controversial Phorm company on the basis that “engagement is more constructive than non-engagement unless there is no alternative”. In my opinion, if he can’t find a more nuanced and engaged alternative to the current blood and thunder, Davies is flirting with the same obsolescence he ascribes to his ICO foes. I am a passionate supporter of DP and privacy, but he does not currently speak for me. Google, the BBC and many others commonly call Privacy International a ‘watchdog’, but at the moment, all I can hear is barking.