
Research Report

Federated Identities, 'Circles of Trust' & Decentred Regulation in M-commerce (RES-341-25-0029)

Contents

Background .......... 1
Objectives .......... 3
Methods .......... 5
Results .......... 6
Activities .......... 8
Outputs .......... 8
Impacts .......... 9
Future Research Priorities .......... 9
Ethics Statement .......... 10

Background

The background to this project can be described in substantive, theoretical and methodological terms.

1. Substantive

The research project initially arose from discussions with senior legal representatives at Vodafone Group Legal, about the privacy issues implicated in the development of open technical specifications for federated network identity by the Liberty Alliance project (LAP). The LAP is an industry-sponsored open standards organization developing and promoting open technical protocols/standards for federated identity management (FIM). Its 160+ members include Vodafone, Sun Microsystems, AOL, Ericsson, American Express, and DoCoMo. In the course of its work, an LAP working group had identified a need for examination of the existing data privacy regulatory framework to assess how this related to proposed technical solutions for federated identity management.[1]

These concerns meshed with the research I was engaged in at the time, which was suggesting that the existing EU data privacy regulatory framework, based on Directive 95/46/EC on data protection, was poorly designed for the challenges of new forms of personal data use. That regulatory framework was predicated upon perceived risks inherent in 1990s data environments; primarily large-scale highly-structured paper/electronic datasets, held by readily identifiable data controllers. In such circumstances, data subjects were able to locate parties who had data protection obligations and against whom they wished to assert their data privacy rights. However, if this rights/obligations framework was rendered ineffective, accidentally or deliberately, the existing regulatory techniques could fail to provide adequate protection for data subjects.[2] The m-commerce environment potentially provided an example of such failure, primarily because FIM systems seemed to break the clear link between data subjects and those using their data - a data subject might know their data was being processed within a FIM system, but be unable to identify against whom to exercise their data privacy rights.

[1] See Varney, C. (2003) LAP Privacy and Security Best Practices, Version 2.0. http://www.projectliberty.org/liberty/content/download/374/2681/file/final_privacy_security_best_practices.pdf

[2] Charlesworth, A. (2003). "Information Privacy Law in the European Union: E Pluribus Unum or Ex Uno Plures." Hastings Law Review 54: 931-969.

To cite this output: Charlesworth, Andrew (2007). Federated Identities, 'Circles of Trust' & Decentred Regulation in M-Commerce: Full Research Report. ESRC End of Award Report, RES-341-25-0029. Swindon: ESRC

A further issue was that while the EU data privacy regulatory framework had been amended since Directive 95/46/EC, e.g. the requirements of Directive 2002/58/EC on privacy and electronic communications, it was clear from the review of Directive 95/46/EC carried out by the Commission in 2003, that significant changes to the data subject/data controller framework were not on the agenda.

The question posed was thus whether it was possible to develop a model data privacy regulatory instrument or instruments, within the existing EU legislative framework, which could address both the broad goals expressed by the regulators e.g. the EU national Information Commissioners (NICs), and the practical requirements of public and private sector organisations wishing to engage in m-commerce.

2. Theoretical

Until recently, most UK academics researching in the field of information technology law tended not to perceive their work in the context of regulatory theory, despite a large and well developed regulatory theory literature focusing on areas such as environmental regulation, utilities regulation, and telecommunications regulation. This research, by explicitly referencing and utilising elements of that literature, specifically that relating to ‘regulatory decentring’ and ‘regulatory conversations’, can be seen as part of a larger ongoing trend to develop a coherent strand of research bringing together the two fields. The theory underlying this research is grounded in a body of work developed at the LSE’s ESRC Centre for Analysis of Risk and Regulation, in particular the work of Black, Murray, and Scott.[3] This research sought to utilise that work to underpin a qualitative empirical study that provided both a theoretical basis for surveying future developments in data protection law and practical outputs for legislators, regulators, commercial associations and organisations. Thus, broad policy and practice issues were the main focus of the research, rather than the requirements of a particular technology.

3. Methodological

The methodological background to the project derived from the perception that despite the abundant theories in socio-legal and political writings about regulation and policy processes, these remained largely untested in terms of empirical material about privacy, surveillance and personal information. When the project was being designed, it was clear that despite the importance of data privacy to developments in the eSociety, contemporary accounts of data privacy regulation tended to lack insights into how existing legislation was translated through the regulatory practices of the NICs, what organisational and cultural influences informed that translation, and what impact this had on possibilities for regulatory innovation. Equally, there was little more than anecdotal evidence about the perceptions those regulated had of the purpose and style of NIC regulatory practices, and how regulatees reacted to particular regulatory strategies. The project thus sought to create, through qualitative research (primarily semi-structured interviews and focus groups), an initial set of insights that could be used to inform contemporary debate about the effectiveness of forms of regulatory strategy concerning data privacy.

[3] E.g. Black, J. (2001). "Decentring Regulation: Understanding the Role of Regulation and Self Regulation in a 'Post-regulatory' World." Current Legal Problems 54: 103-146; Black, J. (2002). "Regulatory Conversations." Journal of Law & Society 29(1): 163-196; Murray, A. and C. Scott (2002). "Controlling the New Media: Hybrid Responses to New Forms of Power." Modern Law Review 65(4): 491-516; Murray, A. D. (2003). "Regulation and Rights in Networked Space." Journal of Law & Society 30(2): 187-216.

Objectives

When originally proposed, the project had 4 main objectives structured around 5 key research questions. The research questions were, broadly:

1. Can the existing EU data privacy regulatory framework effectively/efficiently address realistic risks to data subjects in proposed models of m-commerce, or are new ‘decentred’ regulatory strategies more appropriate?

2. What variables influence the NICs’ perceptions of the purpose, operation and effectiveness of data privacy regulation, and of their own role within it, and will ‘decentred’ regulatory strategies clash with those perceptions?

3. How do FIM service providers cope organisationally with the impact of regulatory strategies - what ‘regulatory-oriented conversations’ occur?

4. How do ‘regulatory-oriented conversations’ inside and between FIM service providers impact on the general ‘regulatory conversation’ between regulators and regulated?

5. Will ‘decentred’ regulation of data privacy risk effective regulatory capture by industry, and would this always necessarily be undesirable?

The objectives of the research were thus to:

1. undertake a set of semi-structured interviews with senior representatives of NICs in the EU Member States to provide data for the first, second, fourth and fifth research questions. This would be facilitated by attendance at the 26th International Conference of Data Protection and Privacy Commissioners in Warsaw (14-16 September 2004) in order to publicise the work of the project, and make preliminary contact with the NICs;

2. undertake a set of semi-structured interviews with representatives selected from a purposive sample (e.g. different commercial sectoral interests) of LAP consortium members to provide data for the fourth and fifth research questions, and to identify themes;

3. carry out a case study (interviews, meeting attendance and focus groups) of the implementation of a FIM project based on the LAP standards at Vodafone plc to provide data for the third and fourth research questions;

4. develop a model data privacy regulatory instrument mix for the m-commerce environment, based on the qualitative analysis in the first three stages.

The research programme was designed to take place in a relatively short period of time (18 months), and was geared to developments in the commercial sector around the roll-out of FIM technologies. Applications for Phase 2 of the eSociety programme were submitted in November 2003. It was expected that decisions would be made in June 2004, and that projects would start in September 2004.

This project was time-sensitive on a number of levels, firstly because the Liberty Alliance Project would be working on privacy issues during the early to mid-phase of the research, and, secondly, because Vodafone intended to begin work on a project utilising the Liberty Alliance guidelines at around the same time. The project was thus placed to take advantage of those developments. However, initial funding decisions were not made until August 2004, and a funding letter did not reach my institution’s Finance Office until mid-October 2004, by which time the project was already supposed to have started. This meant that we still had to hire a member of research staff for the project, a process that normally takes approximately 6-8 weeks from receipt of funds.

This delay was further exacerbated by difficulties in appointing the research assistant (RA) to do the fieldwork. As one of the proposal referees had pointed out might be the case, obtaining the quality of RA required for a limited duration (18 months) project post was extremely difficult. Although there were 2 suitably qualified applicants initially interested in the post (1 internal and 1 external to the University), by the time the funding was forthcoming from the ESRC and the post was advertised, they had both secured research posts elsewhere. There were some 8 external applicants for the post, of whom only one was adequately qualified to undertake the necessary fieldwork (although they had limited legal research experience). However, that person was an Australian national, and despite having previously been working at the University of Sussex, was obliged to return to Australia to obtain a new work permit. Thus, the hiring decision was made on 8 December 2004, but the RA was only able to take up their post in June 2005, by which time the project was 10 months behind its original envisaged start date. By this time the Liberty Alliance development work had essentially finished, and Vodafone had decided not to go ahead with their project as initially envisaged. While access had been anticipated as a potential problem with the LAP, and there are always risks in dealing with commercial organisations, the significant delays in funding and further lengthy delays in obtaining an RA had not been expected. In combination, those delays, and what turned out to be a limited window of access opportunity at both the LAP and Vodafone, significantly reduced the scope of work that could be carried out on the second and third objectives.

The delays in funding also impacted on the first objective. By the time the funding was arranged, after (on the strong advice of the ESRC panel) viring money from other headings to increase the finances available for RA salary and overheads, the proposed attendance at the 26th Conference on Data Protection and Data Commissioners in Warsaw in late September 2004, which was to have been used to establish links with the various Data Protection Commissioners, could not be fulfilled, as the project had not officially started by the date of the Conference. The ESRC would not permit either viring the funds from that heading to salary or overheads, or retention of the money in order to attend the following year’s conference in Montreux in September 2005 - it was simply removed from the grant (both Award Holder and RA did eventually attend the Montreux conference, as financing was eventually obtained from other sources). Viring of funding was primarily from funds initially earmarked for attending LAP meetings, which had completed by the time the project was underway, to salary and overheads.

The final difficulty with the project was that the RA hired to do the fieldwork was unable either to conduct sufficient interviews, or to complete the analysis of the fieldwork materials gathered. The extent of this deficit only became fully apparent towards the end of the project, at which point there was insufficient time to adequately remedy the situation during the period of the award. It is unclear to what extent the failure to conduct interviews was affected, as was alleged at the time, by difficulties in access to relevant personnel, at either the national Information Commissioners, the LAP, or Vodafone, as the RA failed to provide a full set of their working materials by their termination date (some have since been obtained), including details of correspondence. Subsequent enquiries currently suggest that both interview requests, and follow-up correspondence, were entered into intermittently, or not at all. There was evidence that the RA was affected by serious personal circumstances during the mid-late period of the project, when this work should have been carried out. However, there can be no doubt that this issue should have been caught sooner in the project, although weekly oral reporting on progress did not indicate problems of this degree - it is debatable as to whether a written research diary would have helped. There was a resulting underspend on the project of approximately £7,000, which has been returned to the ESRC.

Interviews were carried out with a representative sample of NICs, and representatives of the LAP and Vodafone, as was an interview and 2-day shadowing exercise with Vodafone’s UK data protection officer, which has meant that data was available for analysis for research questions 1-3 and 5. In addition, new non-ESRC funding has been secured to continue and expand the research permitting a wider range of NIC interviews, and funding additional interviews at Vodafone, and with representatives of different commercial sectoral interests, by the Award Holder. It is anticipated that this work will be completed by mid-2007. As a result of the foregoing difficulties, while it was not possible to obtain an extension for the project, a month’s extension was granted by the ESRC for the End of Award Report.

Methods

Given the relative dearth of contemporary qualitative research data available relating to NIC regulatory practices, and the resulting internal and external responses of regulatees, the main methods of the project were qualitative research-based utilising semi-structured interviews at the NICs and with representatives of organisations involved in commercial FIM development to gather initial data, and focus groups to test the generalisability of the project interim conclusions and outputs. The interviews followed a set of themes outlined in a pre-prepared interview schedule, which was updated and amended as particular matters were identified as key trends, or new issues were raised by interviewees that suggested alternative lines of enquiry. Interviews were transcribed and analysed, following which secondary written questions were prepared to elicit further information on specific topics, or to seek clarification of key points.

The research accessed a sample of NICs, with the aim of assessing the influence of a range of background factors that affected: their perspectives on their role as regulators; their perceptions as to how they were regarded by those they regulated; the type of regulatory practices they adopted; and their relationship/communications with other NICs. The sample covered NICs in long-standing EU Member States (e.g. France), recent Accession States (e.g. Slovenia), and EEA states (e.g. Norway); as well as NICs in highly developed digital markets, and those in immature digital markets.

As the initial goal of researching internal regulatee ‘regulatory conversations’, via the medium of following discussions surrounding a specific FIM project, was ruled out by a combination of delays to the start of the research, and changes in Vodafone corporate strategy in the m-commerce area, the decision was taken to approach this part of the research by means of targeted semi-structured interviews with staff from various parts of the Vodafone Group and ‘shadowing’ of a senior member of Vodafone UK’s data protection staff, as they met with members of different organisational sub-groupings within Vodafone Group.

The final phase of the research involved analysing the information collected from the NICs, and Vodafone with the aim of constructing a plausible proposal for decentred regulation of FIM frameworks within the EU. It became apparent at this point that the work of the project overlapped to some degree with the work of another project run by the Award Holder, and funded by the Joint Information Systems Committee (JISC) of the Higher Education Funding Council (HEFC), looking at records management in FE and HE, and that the proposal was thus likely to be applicable to a number of forms of disaggregated data environments (DDEs) that we have termed ‘structured DDEs’. Examples of these include most commercial FIM e-commerce/m-commerce systems, and government department data holdings that are capable of combination for data-sharing purposes. They can be contrasted with ‘unstructured DDEs’, of which, currently, the internet (or more specifically, the aggregation of data from web-based services, including long-standing services such as static websites and e-mail archives, and Web2.0 services such as blogs, planets, social networks, Flickr and YouTube) is the primary example.

Results

Some difficulty was noted with engagement with long-established NICs, although recent accession NICs were extremely enthusiastic about participation. The enthusiasm of the latter group may in part be attributable to limited exposure to media interest and academic surveys, but generally appeared connected to a desire to take advantage of access to research in an area in which they had little current experience, or access to information. It became apparent early in the fieldwork that involvement with the area of mobile e-commerce was outwith the experience of all but NICs in the most highly developed digital markets, and that in states with developing digital markets, there was very little (if any) experience of dealing with issues raised by DDEs, either structured or unstructured. While it is clear that mobile telephony is achieving high levels of penetration in the latter group of states, it appears that the data protection issues relating to the services provided are not currently generating high levels of citizen concern, and were thus of low priority to NICs.

The size and resourcing of NICs plays a key role in their regulatory strategies. NICs in accession states were often only staffed at a level that could deal with complaints raised by data subjects against clearly defined data controllers. Such NICs were usually aware that DDEs might be problematic in the future, but assigned low priority to proactive strategies to address any deficiencies in their current procedures that DDEs might expose. Research into developing technologies was limited, and whether research into a new technology occurred might be wholly dependent on a staff member’s personal interest. There was usually no structured means of conducting research into developing issues, and often insufficient funding to commission research from third parties. NICs did discuss regulatory challenges and responses, and the smaller NICs were frequent users of the closed website/mailing list available to EU/EEA NICs.

NICs in long-standing Member States with developed digital markets were more familiar with issues arising from DDEs (primarily the internet), and were more likely to have dealt with citizen complaints relating to them. Responses to increased numbers of structured DDEs or more complaints about use of information on the internet were mixed. Most NICs felt that the EU data privacy regulatory framework provided sufficient discretion in the use of regulatory mechanisms, but there were divisions as to how such discretion should be exercised. Some NICs felt that their existing regulatory strategies could cope with both types of DDE, and were generally resistant to suggestions about a possible change in their regulatory role (particularly if it appeared to distance the NIC from direct involvement with data subjects), or in the nature of their personnel (e.g. a shift in the balance between lawyers and technologists). However, those strategies tended to involve a case-by-case assessment, which in the case of a structured DDE might involve tracing the origin of a citizen complaint back through a chain of companies, or government departments, rather than having direct access to a discrete data controller. This did not appear a particularly practical approach for a regulator (particularly one with limited resources) to take with structured DDEs, and seemed a potentially unworkable one with unstructured DDEs.

In the m-commerce environment, there is an expressed desire on the part of regulatees to ensure the public is confident their data privacy is respected, for pragmatic business reasons. They are concerned, however, that simply ensuring formal compliance with current regulatory requirements will be an insufficiently flexible method of meeting public expectations, and that more effective solutions may not be perceived as compliant with the EU regime by NICs. While ‘regulatory conversations’ took place between the regulators and the regulatees, there were obvious difficulties in explaining often highly technical commercial exercises, and their associated privacy solutions, to regulators without technical expertise. These concerns directly underpin the privacy-related activities of industry groupings such as the Liberty Alliance Project.

The project identified a number of overlapping regulatory mechanisms, largely derived from existing (but not necessarily ubiquitous) regulatory practices in the EU which, taken as a whole, provided the basis for a proposed regulatory framework for structured DDEs, and also suggested possible elements that could support regulation of unstructured DDEs. The regulatory framework is co-regulatory in nature, aiming to draw upon the interest of regulatees in ensuring trust in their processes amongst the public. In brief, for a structured DDE, the framework would consist of:

A regulatory licensing process (based loosely on existing practice in Norway) - prior to operating a structured DDE a licence would have to be obtained from the regulator. Licensing would require the production of a technical overview of the DDE, identification of classes of user, and demonstration of adequate inter-user agreements with regard to data privacy. Failure to adhere to good practice would result in revocation of the licence by the regulator.

A form of binding contractual agreement between parties to the DDE - similar in nature to the binding corporate agreement between elements of the same corporate entity e.g. that adopted by GE and approved by the UK NIC - but between independent corporate entities, or government departments.

An independent agent - ‘Personal Data Guardian (PDG)’ - embedded in the structured DDE system to ensure compliance of parties to the DDE with the licence, and the binding contractual agreement (similar to the Swedish governmental DP ‘ombudsman’ scheme), with the power (via the binding contractual agreement) to take action against parties that breach their DP obligations, and with reporting duties to the regulator, including the obligation to reveal breaches. The PDG would include data subject representatives to reduce regulatory capture risks, and materials used in support of the licensing process would be made publicly available.

The minimum standard of DP protection would be the DP Directive baseline, but structured DDEs would be able to offer a higher standard, perhaps as a means of competitive advantage. Where a higher standard was offered, the PDG and regulator would hold parties liable for performance to that standard (as with the position taken by the FTC in the US).

The aims of the framework are that adequate information about the operation of the structured DDE is made available to the public and to the regulator. The PDG oversees members of the DDE, interacts with public and regulator, and is subject to regulator audit. Breach of binding rules by parties to the DDE is subject to initial internal sanction by the PDG, which reports to the regulator. Failure of the PDG to carry out its functions appropriately would result in regulator sanctions, including possible loss of licence.

To cite this output: Charlesworth, Andrew (2007). Federated Identities, 'Circles of Trust' & Decentred Regulation in M-Commerce: Full Research Report. ESRC End of Award Report, RES-341-25-0029. Swindon: ESRC

Activities

The work carried out during the project has been of considerable interest to a range of research users, both in government and business (see Impacts below). Andrew Charlesworth was invited to take part in the following events during the project as a result of publicity relating to the work:

Office of Science and Technology - Delivered a paper on ‘Personal Datasets, Data Privacy & Trust’ at Data Sharing in Government Seminar at the Wellcome Trust, London, 18 January 2005.

UK Department for Constitutional Affairs - Information Rights Division Workshop on Data Protection and Freedom of Information, futurefocus@dti, London, March 2005.

Vodafone - Privacy & Security Law Practice Group workshop Rome 21-22 November 2005 (Sean Smith attended).

Information Commissioner’s Office - Conference ‘Data Protection: the next 21 years?’, Manchester, 29 November 2005.

Information Society and Media Directorate General, European Commission - International High Level Research Seminar ‘Trust in the Net’, Museum of Modern Art, Vienna, Austria, February 2006.

Business for Social Responsibility - Stakeholder dialogue on freedom of expression and privacy in the use of information and communication technologies worldwide - primary corporate stakeholders Vodafone, Google, Microsoft, and Yahoo!, Vodafone House, London, October 2006. (One of only two invited UK academic participants.)

DTI Knowledge Transfer Networks - Seminar ‘A fine balance – Encouraging technology and protecting privacy’, Royal Society, London, 8 November

Outputs

1. Publications

Charlesworth, A. (2006) ‘The Future of Data Protection Law’ Information Security Technical Report 11: 46-54. ISSN: 1363-4127.

2. Conference Papers

Charlesworth, A. & Smith, S. ‘Designing an Effective European Regulatory Mix for Data Privacy in Disaggregated Digital Data Environments’ eSociety Programme Wide Meeting, University of York, 18-19 September 2006.

Charlesworth, A. & Smith, S. ‘Data Privacy Regulation in Disaggregated Digital Data Environments’ Society for Computers & Law Policy Forum Decentring internet regulation: the changing roles of government and the private sector in determining and enforcing acceptable on-line behaviour at Herbert Smith LLP, London, EC2A 2HS, 26-27 October 2006.


3. Forthcoming Publications (contracted)

Charlesworth A. (2008) ‘Data Privacy Regulation in Disaggregated Digital Data Environments’. In Charlesworth A (ed.) Regulating the Internet: Government, the Private Sector, and Decentralisation of Enforcement Cheltenham: Edward Elgar.

4. Forthcoming Conference Papers (accepted)

Charlesworth A. ‘Data Privacy Regulation, Digital Memory and the Legal Value of Forgetting’ at the eSociety Programme Conference Surveillance & Privacy in an e-Society, London, 11 April 2007.

Charlesworth A. & Smith, S. ‘Rethinking EU regulatory approaches to informational privacy in disaggregated data environments’ at the European Consortium for Political Research Workshop Privacy and Information: Modes of Regulation, Helsinki, 7-13 May 2007.

Impacts

Thus far, two government Departments have shown specific interest in the project’s results: the DTI, who are interested in how current data protection laws mesh with modern business practices in the context of using Information Communication Technologies (ICTs) to realise productivity gains similar to those found in the US. They are proposing to cite this research in a report released later this year:

Work by Charlesworth has questioned whether the current data protection regime is appropriate given the development of new technology-based business models, particularly given the increasing sophistication of mobile technologies. Greater decentralisation of processes and systems make it more difficult for data controllers to match their business practices with regulatory requirements.

The Department for Education and Skills are also interested in the model proposed by the research for ‘personal data guardians’ as they develop the use of data sharing in the education sector in the Managing Information Across Partners (MIAP) project. This connection was made via work being carried out by Andrew Charlesworth for the Joint Information Systems Committee (JISC) on legal issues relating to record and data management in the FE/HE sectors. Details of the project’s work have also been requested by the eGovernment Unit of the Cabinet Office, and the Information Rights Division of the Department of Constitutional Affairs. There has also been corporate interest, with researchers at companies such as Orange, O2, Computer Associates and Symantec requesting information. Recent contacts include Garlik, the on-line data privacy and security company, via the Enterprise Privacy Group.

Future Research Priorities

Several possible research areas can be pursued:

The project has demonstrated that the regulatory strategies pursued by EU NICs are influenced by their relationship with national governments, their perceptions of their own role and degree of influence, their staffing composition and size, and their desire/ability to be proactive to the implications of new technologies, rather than reactive. Equally, the effectiveness of those strategies depends upon the extent to which those regulated can see the value of organisationally internalising business practices which support those regulatory goals, so that compliance is more than a matter of simply meeting the letter of privacy legislation - something which the research suggests is often removed from the practical protection of data privacy. There is scope for widening this research, firstly using the project methodology to examine NIC practices outside the EU, for example in Canada and Australia, and secondly by comparing the effectiveness of those practices to the largely self-regulatory US regime, in part by assessing how multinational companies adopt internal data privacy strategies to cope with the different regimes. There are a variety of potential funding sources for such research, either by the Award Holder independently, or in collaboration with other research teams. Sources include the UK Information Commissioner, the Canadian Federal Information Commissioner, and EU Framework 7.

The project has identified an overlapping set of regulatory mechanisms for use in the structured DDE environment; a key element of which is the emplacement of a PDG within structured DDEs, to provide localised expert oversight for data privacy compliance and trust assurance. There may be scope to investigate the PDG model further as a compliance tool, through the medium of developing corporate FIM networks, or through proposed government data sharing projects.

The issues raised by unstructured DDEs, e.g. the internet, still appear to fall outside the scope of the solutions suggested by the project for structured DDEs, such as m-commerce ‘circles of trust’ and e-government data sharing operations. It is not clear whether, in such circumstances, appropriate targets for the proposed decentred regulatory processes can be isolated. What is clear is that the question of unstructured DDEs will loom larger in the future. While, to date, storage constraints have meant that online digital data has often been ephemeral in nature, rapid advances in relevant technologies, driven by the storage requirements of cutting edge science such as ‘Grid Computing’ and particle physics research, suggest that, in the near future, searchable storage of data in the exabyte range will be possible. Scientific researchers are already working on the practical implications of having accessible and searchable storage capacity on such a scale. This includes work in the area of ‘Memories for Life’, a major project funded by the EPSRC, examining the implications of being able to store and access/search lifetimes’ worth of memories. The social and legal implications of the availability of technological ‘near-perfect’ recall are immense. Current concepts of ‘surveillance’ and ‘privacy’ will require a radical rethinking in circumstances where increasing amounts of ‘incidental’ data capture can be mined to produce ‘targeted’ profiles. Take the current potential connectivity of data from public and private CCTV cameras, the Oyster card, and congestion charging cameras in London to produce a profile of a person moving about London, even though that person was not targeted specifically by those systems, and imagine a scenario where individuals routinely video-capture their daily routine, and that of those around them.

Concepts embedded in our legal system, such as ‘forgiveness’ and ‘forgetting’, will require re-evaluation: does it matter if the law says our convictions are ‘spent’ after a period of time, if the act we committed, the records of our trial, and the sentence we received are all, through one means or another, irrevocably available for review in the public domain? Future research will thus need to address regulatory mechanisms for personal data use in super-scale unstructured DDEs.

Ethics Statement

No ethical issues outside those initially detailed in the original project proposal have occurred during the course of the research.


The future of UK data protection regulation

Andrew Charlesworth

Centre for IT & Law, University of Bristol, Wills Memorial Building, Queens Road, Bristol BS8 1RJ, UK

Keywords: Data protection; Privacy; Regulation; Mobile e-commerce; Federated identity management

Abstract

The UK Data Protection Act 1998 has been in force for nearly 5 years, and is based on a European Directive that was initially proposed 15 years ago. In that time, both the technological environment and commercial business models have changed out of all recognition, notably in the areas of electronic commerce and mobile communications, leading to questions about the Act’s continuing viability as the basis for an appropriate regulatory model for data protection in the Information Society. This paper examines why data protection regulation in the UK may have a rough ride ahead, and considers possible options for the future.

© 2005 Elsevier Ltd. All rights reserved.

1. Introduction

What is the purpose of data protection law? Depending upon whose opinion is being voiced, data protection law can be variously heard described as a means of protecting an individual’s fundamental right to privacy (Debussere, 2005), a mechanism for validating the commodification of data, a justification for overriding of privacy interests in the ‘public interest’ (Leith, 2002), or a disguised barrier to entrance to a nation’s market for international competitors (Nijhawan, 2003: 492), to provide but a limited sample of the options proffered. Certainly the European Union Member States, in their various legislative implementations and administrative interpretations of the Data Protection Directive,[1] seem to have come to quite different conclusions, not just about its purpose, but about its scope and the appropriate level of compliance that should be required of data controllers (Bennett and Raab, 2003; Charlesworth, 2003).

However, it is suggested in this paper that, in the UK at least, current legal disputes over the Data Protection Act 1998 (DPA 1998), concerning, for example, the scope of the term ‘personal data’, and the meaning of the phrase ‘relevant filing system’,[2] may soon be considered of lesser import. Equally, current regulatory enforcement activities (Information Commissioner, 2005d), such as prosecuting organisations and individuals for failing to notify their intention to process personal data (Information Commissioner, 2005a,b),[3] unlawfully obtaining and processing personal data (Information Commissioner, 2005c),[4] or for failing to take appropriate technical and organisational measures against unauthorised or unlawful processing of, or accidental loss or damage to, personal data in their possession,[5] may need to take second place to work to determine how to regulate data protection effectively when it is unclear when and how certain organisations will actually be responsible for processing personal data.

This change in focus will be driven by the widespread adoption of innovative new technologies for the purchasing of goods and delivery of services in key areas of commercial and government practice, which will inevitably undermine principal components of the current data protection regime.

E-mail address: [email protected]

[1] Council Directive 95/46/EC, on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 OJ (L 281), 31–50.
[2] See Durant v Financial Services Authority [2003] EWCA Civ 1746 (CA) – currently on appeal to the House of Lords.
[3] s.17, DPA 1998.
[4] s.55, DPA 1998.
[5] Seventh Principle, Sched.1 Pt.1, DPA 1998.

doi:10.1016/j.istr.2005.12.002

Information Security Technical Report 11 (2006) 46–54


The UK regime is already showing strains as it faces a range of technological innovations, such as:

• the advent of genetic testing, which raises serious questions about the suitability of a regulatory framework predicated on the protection of an individual data subject’s privacy for dealing with the ethical problems arising from the collection, use and disclosure of genetic data, which does not just provide information about the person from whom it is collected, but also has the potential to provide information about a range of other individuals, both in terms of immediate blood relatives, and potentially in terms of certain communities (Laurie, 2002);

• the spread of CCTV surveillance systems, particularly in urban areas (Norris and Armstrong, 1999; McCahill, 2002); while these are covered by the regulatory framework they are, due to the rising private ownership of such systems, and the nature of the technology itself, increasingly difficult to regulate and control by means of data subject access, due to the fragmentation of surveillance ownership (Whitaker, 1999: 143);

• the development of on-line disaggregated or dispersed datasets, the distributed nature of which makes a regulatory framework that requires an identifiable data controller or controllers, upon whom obligations can be placed and against whom data subject rights can be enforced, largely redundant (Schwartz, 2000).

It is on this final point that this paper will concentrate, arguing that while the present data protection regime may be just about acceptable to commercial operators in terms of provision of legal certainty, minimal disruption to commercial practices, and relatively low costs of compliance and/or enforcement, it currently runs a serious risk of future impotence in the face of ongoing shifts in technological and societal practices on-line. The paper suggests that without an equivalent shift in thinking about the nature of a future regulatory framework for data protection, we may find ourselves with a data protection regime under which:

• data controllers in complex technological business environments are unable to, and increasingly unwilling to attempt to, match their business practices with regulatory requirements;

• data subjects in complex technological business environments find their data protection rights rendered largely ineffective, and

• any chance of the long-promised development of a thriving market in privacy enhancing products and services is finally snuffed out.

2. The changing data protection environment

As a key aim of the EU Data Protection Directive was, its fundamental rights rhetoric notwithstanding, to prevent economic protectionism on the part of Member States and to maintain the free market in personal data within the EU, both it and its resulting national implementations were largely designed to provide a veneer of acceptability to existing public and private personal data processing. Because of these considerations, the procedure through which the legislation was developed appears to have been primarily concerned with ensuring minimal disruption to that processing. It certainly does not appear to have attempted to question in any depth the extent to which the legislation met the current (or future) expectations and needs of either those supposed to benefit from it (the data subjects), or those to be regulated by it (the data controllers).

The focus on economic pragmatism in the Directive, which was reflected to a greater or lesser extent in national implementing legislation,[6] inevitably reduced the perceived importance of engagement by national legislators with wider issues of data protection, such as how their regulatory frameworks might be structured to permit maximum flexibility in regulatory approaches to cope with future personal data usage scenarios. Given that the period during which the Directive was drafted and implemented (1990–2000) coincided with a time of rapid technological development, which in combination with the trans-national opportunities provided by the increasing popularity of free trade, were transforming commercial practices and public expectations (Pearce and Platten, 1998; Charlesworth, 2003: 932), this approach, unsurprisingly, has resulted in a situation where virtually no-one appears to be satisfied with the end result.

At present, data privacy regulation in the EU Member States operates through the rights it provides to data subjects and consequent obligations it places on data controllers, a key premise of which is that data subjects are sufficiently empowered to ensure data controller compliance (Charlesworth, 1999). As will be shown below, should this rights and obligations framework be rendered ineffective, whether accidentally or deliberately, it becomes difficult, if not impossible, to realistically map the existing set of regulatory techniques to actual commercial practices (Charlesworth, 2003). However, despite the obvious need to engage both data subject and data controller as fully as possible in the regulatory process in order to maintain a proper balance between rights and obligations, and to ensure that those rights can be fully effected, and the obligations are neither unduly onerous nor practically unworkable, national implementations of the Directive have tended to make little effective provision for engagement with data subjects or data controllers. The way in which the Directive itself is structured has moulded the Member States’ legislative and administrative implementations into fairly rigid ‘command and control’ (Baldwin and Cave, 1999: 35–39) regulatory mechanisms based on laws backed by civil and criminal sanctions and applied by (quasi) government agencies, such as the UK’s Information Commissioner. These have in turn provided limited opportunity for the consideration or adoption of viable public/private ‘regulatory mix’ alternatives combining a variety of regulatory techniques including, for example, self-regulation, economic incentive based approaches, regulation through competition and market forces (Baldwin and Cave, 1999: 39–62; Langenderfer and Cook, 2004).

[6] Certain Member States, such as France and Spain, adopted relatively stringent data protection legislation, and have regulators who are renowned for their willingness to take action in cases of breach, whereas the UK’s combination of a more limited legislative implementation, a ‘light touch’ approach to regulation, and a series of restrictive judicial interpretations of the UK Data Protection Act 1998 have, at the time of writing, resulted in the European Commission threatening legal action against the UK, before the European Court of Justice, for failure to adequately implement the Directive.

It is no secret that a reduction in the ‘command and control’ approach in data privacy regulation would suit the commercial sector, where the preference is for greater self-regulation with industry organisations and associations taking on regulatory functions (Newman and Bach, 2004). However, there is profound suspicion of, and considerable resistance to, the idea of self-regulation in the EU, particularly on the part of some national Information Commissioners, as well as amongst the members of the EU Article 29 Working Party, who regard increased self-regulation as leading inevitably to a weakening of the EU data privacy baseline (Charlesworth, 2003). As in other regulatory contexts (Sinclair, 1997), there has also been a politically-inspired tendency to polarise the data protection debate in terms of a stark choice between command and control regulation or self-regulation. In practice, such extreme regulatory polarisation is rare (Baldwin, 1997), and even in existing data protection regulatory practice, there remains some scope for discretion (and thus some flexibility) on the part of regulators in determining the meaning and application of ‘the rules’. It would seem likely therefore that a combination of self-regulatory practices and ‘command and control’ regulation would provide a better regulatory solution but, as noted above, regulatory development of this type is unlikely to develop effectively under the existing data protection framework.

It has been widely suggested that the EU Directive is particularly inflexible in the context of the requirements of ICT use and modern business practice, being predicated on dated concepts of data use. This lack of flexibility is highlighted by the continuing attempts of the EU Commission to incrementally fill the perceived gaps left by the Directive with further legislation (Donovan, 2004). Indeed, a common complaint of commercial entities operating in the EU is that there has been little coherent effort to co-ordinate those additional pieces of EU legislation containing data privacy elements, resulting in a lack of clarity in Community objectives, causing further inconsistencies in Member State implementation, and making it extremely difficult for commercial organisations to create consistent EU wide policies.

On this very topic, one respondent to the Commission’s review of the operation of the Directive (European Commission, 2002) wrote complaining that:

[T]he Distance Selling Directive,[7] the new Electronic Communications Data Protection Directive,[8] the E-Commerce Directive[9] and the Electronic Signatures Directive[10] all include provisions relevant to data protection. Some of these adopt different approaches on the same issue (e.g. opt in vs. opt out in relation to unsolicited emails) or impose more onerous provisions in relation to certain sectors of the market (e.g. the more stringent data protection obligations under the Electronic Signatures Directive which are imposed on certification service providers in relation to their use of personal data). This has caused confusion about which Directives are to be followed when, and exactly what requirements companies have to follow (Tite & Lewis, 2002: 3).

It appears therefore that the Directive does not provide an adequately flexible regulatory mix via which either the Member States or commercial entities, or a combination of the two, could tackle the types of issues which the more recent legislation is now attempting to address.

A key set of complaints with regard to the regulatory framework established by the EU Directive relate to:

• the difficulties that commercial entities have in complying and/or being seen to comply with the resulting Member State laws and administrative practices (Charlesworth, 2003);

• the perception that the process of regulatory decision-making, from the Article 29 Working Party downwards through to the national Information Commissioners, lacks transparency and contains little scope for consultation and participation by either commercial entities or the general public (ICC, 2002: 2–3);

• the perception that national Information Commissioners lack effective accountability in their activities (ICC, 2002: 2–3).

The drafters of the Directive, and to a large extent the drafters of the national implementations, appear to have failed to recognise, or possibly were unconcerned with, the importance of such issues to the longer term development of EU data protection regulation. It certainly seems rather odd that as the drafters of the legislation were putting in place rules specifying that data controllers should be:

• open and transparent in their data protection processing activities;

• flexible in their consultation of, and involvement with, data subjects;

• accountable for their actions with regard to personal data,

that the administrative framework that was developed to ensure the achievement of those objectives should itself be designed in such a fashion as to render it inflexible, opaque and difficult to comply with. In consequence, it lacks legitimacy in the eyes of both data controllers and data subjects: with the former because of the difficulty in developing and maintaining effective compliance regimes, and with the latter because of the cumbersome mechanisms provided for individuals to assess whether data controllers are in fact acting in compliance.

In short, the regulators need to be able to break away from the ‘command and control’ dominated regulatory toolkit and be innovative in developing flexible regulatory ‘instrument mixes’ capable of application in rapidly developing commercial environments. The current framework lacks that innovatory dimension and thus already appears unable to adapt effectively and efficiently to significant commercial innovations/transitions in the nature of personal data use.

[7] Council Directive 97/7/EC, on the Protection of Consumers in Respect of Distance Contracts, 1997 O.J. (L 144), 19–27.
[8] Council Directive 2002/58/EC, concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, 2002 O.J. (L 201), 37–47.
[9] Council Directive 2000/31/EC, June 8, 2000, on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market, 2000 O.J. (L 178), 1–16.
[10] Council Directive 1999/93/EC, December 13, 1999, on a Community Framework for Electronic Signatures, 2000 O.J. (L 013), 12–20.

3. An m-commerce example

The increasing sophistication of mobile technologies suggests a major future role for commercial (and government) business models which are premised on widespread adoption of those technologies for the purchasing of goods and delivery of services. As content delivery over wireless devices becomes faster, more secure, and scalable, mobile e-commerce (m-commerce) has the capacity to surpass wireline electronic commerce (e-commerce) as the method of choice for digital commerce transactions. However, to achieve the full potential of the technology, new m-commerce business models will require the construction of an interoperable, decentralized and system/application-neutral architecture to develop beyond the classical ‘walled-garden’ business model, currently common in the mobile telecommunications sector. In a ‘walled-garden’ business model, the consumer is able to access a limited set of pre-defined content licensed by their service provider from other content providers and usually offered as a service pack to its customers. The service provider takes care of all content layout, authentication, royalty tracking and reporting, billing, and quality of service. At the other extreme is the ‘public garden’ business model now common to the Internet, where the role of the service provider is simply to provide a transparent conduit between consumers and content owners. While mobile e-commerce is unlikely to take the Internet path to a ‘public garden’ business model, a mid-path, that of the ‘semi-walled garden’ or ‘gated garden’ business model, seems likely. In this model, the service provider maintains not only the content access of the ‘walled-garden’ but also allows other content providers to offer their content in exchange for a share of revenues. The service provider still not only takes care of quality of service, authentication and billing, etc., but also maintains a business-to-business (B2B) interface with the content providers, who are held responsible for the content (Alcatel, 2004: 2–3).

3.1. Federated identity management

It is claimed by the open standard organisation, the Liberty Alliance,11 that federated identity management (FIM) systems will be a key element in the development of this architecture/business model (Liberty Alliance, 2003a,b). It is also suggested that FIM systems may permit users to exercise greater control over the use and transfer of their personal data (Liberty Alliance, 2003c). Whether the latter claim is in fact likely to be reflected in practice remains to be seen, but what is increasingly apparent is that the design of federated identity management systems, as currently envisaged, means that they will not lend themselves readily to existing methods of data protection regulation.

The Liberty Alliance Project’s model of m-commerce is based around the concepts of ‘Circles of Trust’ and ‘Federated Circles of Trust’. A Circle of Trust is said to exist when:

“the user and service providers rely on Identity Providers as trusted sources for authenticated user information. There is an agreed upon identity sharing protocol that separates control of the identity from its usage. This fosters a relationship in which the members in the Circle of Trust can reduce identity theft, minimize intrusion of privacy and simplify the task of identification and authentication.” (Sun Microsystems, 2002: 7).

This allows the consumer the choice of supplying their identity details directly to the merchant, or via the Identity Provider who manages their identity profile on their behalf. Where a consumer wishes to conduct a business transaction with a merchant, the merchant can authenticate the consumer’s identity via the Identity Provider. This is the basic Circle of Trust model. For example, I might set up an identity profile with Vodafone, the mobile telecommunications provider which supplies my mobile phone. Because of their position in the mobile services supply chain, Vodafone might act as an Identity Provider for a circle of merchants whom I access through my mobile phone. Thus I might deal with a merchant via Vodafone, or directly, and if I deal with the merchant directly, the merchant has the option to verify my identity via Vodafone. Neither Vodafone nor the merchant need disclose any more information about me than is required for the verification process.

A Federated Circle of Trust sees the federation, or linking, of Circles of Trust into networks. Here, an Identity Provider may provide identity profile services not just within its own Circle of Trust, but link with other Identity Providers to permit identity profile sharing with merchants in other Circles of Trust, allowing consumers to move seamlessly between them without the constant need for reauthentication. For example, my identity profile with Vodafone, which is acting as an Identity Provider, may allow me to access not just the merchants within the Circle of Trust for which Vodafone is Identity Provider, but also the merchants within Circles of Trust for which other mobile telecommunications providers, such as Orange, Verizon, Virgin and Telstra, are acting as Identity Providers (Sun Microsystems, 2002: 6–8). In an FIM system, both Identity Providers and merchants must trust their partners to vouch for their users. Equally, users must trust that Identity Providers and merchants are exchanging only such data as is required to facilitate the authentication and provision of services processes.
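The direct and federated exchanges described in the two paragraphs above, simulated end to end as an added example. This is illustration written for this page, not Liberty Alliance, Sun or Vodafone code. The assertion format, the use of a shared HMAC key per partner relationship to stand in for circle membership, the party names (shop.example, orangeshop.example), the profile attributes and the five-minute lifetime are all assumptions. It shows the three points the text makes: the home Identity Provider discloses only the attribute the merchant asked for, a partner Identity Provider vouches onward without adding data of its own, and a merchant refuses assertions that come from outside its circle or that are replayed, expired or altered in transit.

```python
# Added illustration of the Circle of Trust / Federated Circle of Trust flow, not
# Liberty Alliance, Sun or Vodafone code. Assumed: the assertion format, shared
# per-partner HMAC keys standing in for circle membership, names and profile data.
import hashlib
import hmac
import json
import secrets

ASSERTION_LIFETIME = 300  # seconds an assertion stays valid (assumed)

def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()

def sign(payload: dict, key: bytes) -> dict:
    """Bind a payload to the key shared with the partner it is addressed to."""
    return {"payload": payload, "sig": hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()}

def verify(assertion: dict, partner_keys: dict, expected_aud: str, now: int) -> dict:
    """Accept only an assertion from a circle member, addressed to us and still valid."""
    payload = assertion["payload"]
    key = partner_keys.get(payload["iss"])
    if key is None:
        raise PermissionError(f"issuer {payload['iss']!r} is not in our Circle of Trust")
    expected = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        raise PermissionError("signature mismatch")
    if payload["aud"] != expected_aud:
        raise PermissionError("assertion addressed to a different party")
    if now >= payload["exp"]:
        raise PermissionError("assertion expired")
    return payload

class IdentityProvider:
    def __init__(self, name: str, profiles: dict, partner_keys: dict):
        self.name = name
        self.profiles = profiles          # user -> full profile held by this IdP
        self.partner_keys = partner_keys  # circle members (merchants, partner IdPs) -> key

    def issue(self, user: str, audience: str, requested: list, now: int) -> dict:
        """Vouch for `user` to `audience`, disclosing only the requested attributes."""
        profile = self.profiles[user]
        attrs = {a: profile[a] for a in requested if a in profile}
        payload = {"iss": self.name, "orig_iss": self.name, "sub": user, "aud": audience,
                   "exp": now + ASSERTION_LIFETIME, "nonce": secrets.token_hex(8), "attrs": attrs}
        return sign(payload, self.partner_keys[audience])

    def federate(self, assertion: dict, audience: str, now: int) -> dict:
        """Federated circle: re-issue a partner IdP's assertion to a merchant in our own circle.
        Original issuer, subject, attributes and expiry are carried over; nothing is added."""
        inbound = verify(assertion, self.partner_keys, expected_aud=self.name, now=now)
        outbound = dict(inbound, iss=self.name, aud=audience, nonce=secrets.token_hex(8))
        return sign(outbound, self.partner_keys[audience])

class Merchant:
    def __init__(self, name: str, idp_keys: dict):
        self.name = name
        self.idp_keys = idp_keys      # Identity Providers this merchant trusts
        self.seen_nonces = set()      # replay protection for accepted assertions

    def authenticate(self, assertion: dict, now: int) -> dict:
        payload = verify(assertion, self.idp_keys, expected_aud=self.name, now=now)
        if payload["nonce"] in self.seen_nonces:
            raise PermissionError("assertion replayed")
        self.seen_nonces.add(payload["nonce"])
        return {"user": payload["sub"], "home_idp": payload["orig_iss"], "attrs": payload["attrs"]}

def _reason(action) -> str:
    try:
        action()
    except PermissionError as err:
        return str(err)
    return "accepted"

def run_demo(now: int = 1_700_000_000) -> dict:
    """Direct and federated flows, plus the refusals a merchant must make."""
    k_vf_shop, k_vf_orange, k_or_shop = (secrets.token_bytes(32) for _ in range(3))
    # constructed profile: the home IdP holds far more than any merchant needs to see
    alice = {"msisdn": "+44 7700 900123", "age_over_18": True, "postcode": "BS8 1RJ"}
    # circle A: Vodafone <-> shop; circle B: Orange <-> orange_shop; federation link Vodafone <-> Orange
    vodafone = IdentityProvider("Vodafone", {"alice": alice},
                                {"shop.example": k_vf_shop, "Orange": k_vf_orange})
    orange = IdentityProvider("Orange", {}, {"Vodafone": k_vf_orange, "orangeshop.example": k_or_shop})
    shop = Merchant("shop.example", {"Vodafone": k_vf_shop})
    orange_shop = Merchant("orangeshop.example", {"Orange": k_or_shop})

    direct = vodafone.issue("alice", "shop.example", ["age_over_18"], now)
    hop1 = vodafone.issue("alice", "Orange", ["age_over_18"], now)   # home IdP -> partner IdP
    hop2 = orange.federate(hop1, "orangeshop.example", now)         # partner IdP -> its merchant
    tampered = {"payload": dict(direct["payload"], sub="mallory"), "sig": direct["sig"]}
    return {
        "direct": shop.authenticate(direct, now),
        "federated": orange_shop.authenticate(hop2, now),
        "rejected": {
            "foreign_circle": _reason(lambda: orange_shop.authenticate(direct, now)),
            "replayed": _reason(lambda: shop.authenticate(direct, now)),
            "expired": _reason(lambda: shop.authenticate(direct, now + ASSERTION_LIFETIME)),
            "tampered": _reason(lambda: shop.authenticate(tampered, now)),
        },
    }
```

Calling `run_demo()` returns the two accepted results (each carrying only `age_over_18`, never the MSISDN or postcode the home IdP holds) and the four refusal reasons. Real federations use public-key signatures and published metadata rather than shared keys, but the relying party's checks are the same: known issuer, valid signature, intended audience, lifetime and single use.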

Both the Circle of Trust and Federated Circles of Trust models of m-commerce map poorly to the EU framework of data privacy regulation, as they:

• enable distribution of personal data across a range of Identity Providers and service providers from which end-user profiles can be aggregated without a permanent aggregate record being held at any one service provider or centralized location – this blurs the issue of data controllership;
• allow seamless cross-border transactions involving personal data between the various Identity Providers and service providers – this potentially falls foul of the requirement that data not be transferred to a non-EEA country unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data;
• provide the consumer with seamless access to goods and services provision by means of a default process of trusted data exchange between Identity Providers and service providers – a further blurring of the issue of data controllership, and adding a new degree of complexity to data subject access to their personal data;
• require a high degree of flexibility and granularity to efficiently balance the privacy risk to the individual against the level of trusted authentication required by commercial entities for particular types of transaction – achieving effective and efficient security for transactions in this environment will require acceptance of a more flexible range of means of ensuring data privacy than via databases amenable to current subject access.

All of these criteria either potentially expose organisations participating in Circle of Trust and Federated Circles of Trust models of m-commerce to breaches of current data protection regulation, or make the application of that law more likely to be disruptive of innovative commercial practice, and ultimately more costly to implement (Liberty Alliance, 2005).

11 The Liberty Alliance Project – http://www.projectliberty.org/.

3.2. Regulatory failure

The poor fit between m-commerce business models and the existing EU data protection regulatory framework means that, despite the limited degree of regulatory flexibility available to Member State Information Commissioners (ICs), that framework is unlikely to generate a workable regulatory solution in the absence of the key factors which ground its rights/obligations. For example, the DPA 1998 places heavy reliance upon the data subject being able to effectively query a data controller, or group of data controllers, about the personal data that they hold on that data subject, the uses to which it is being put, and the third parties to whom it is being supplied. It then makes the assumption that the data subject is able to use the information obtained from the data controller to determine whether their data are being used in accordance with the requirements of the DPA 1998. If, as is suggested is the case with the m-commerce example above, this approach cannot be applied effectively and efficiently, or cannot be applied at all, then the DPA 1998 is likely to be broadly ineffective in the m-commerce arena – it will thus suffer from what regulatory theorists term ‘instrument failure’ (Black, 2001).

In addition, if the speed of development and the complexity of the m-commerce technological architecture militate against data subjects, the UK Information Commissioner, or the courts developing sufficient working knowledge to usefully apply or interpret the existing legislation via the mechanisms provided by the Act, then there will also be what is termed ‘information failure’.

Further, if data subjects cannot make effective use of their rights under the Act, the UK Information Commissioner does not have the powers (or the administrative skills) to overcome the information gap, and the courts cannot provide an interpretative solution within the narrow confines of the legislation, then the legislation cannot be implemented as intended. The result is likely to be that data subjects are discouraged from engaging with the regulatory process; this means that its primary mechanism for encouraging the compliance of data controllers – data subject pressure – is significantly, if not fatally, weakened. Because of the way the UK Information Commissioner’s compliance and enforcement powers are structured, loss of data subject engagement also removes a significant informational element from the Commissioner – data subject feedback about data controller compliance – and thus limits the ability to effectively monitor and enforce compliance. This is termed ‘implementation failure’.

Finally, without incentives to enter into compliance – data subject pressure and Information Commissioner monitoring and enforcement – data controllers are unlikely to be motivated to comply with the Act at all, or to innovate to maintain and develop the level of privacy protection in new ICTs that was envisaged by the drafters of the Act. This is termed ‘motivation failure’ (Black, 2001).

In theory, if such a scenario were to come about, then either the technologies or the innovative business models based on them could not be implemented, or they would be effectively beyond the reach of data protection legislation. In practice, where the particular attributes of new technologies make it difficult or impossible for service providers to utilize them within the regulatory framework, then either the technology cannot be adopted or, more likely, some regulatory accommodation must be reached (Kent and Millett, 2003).

3.3. Changing the mix

It will be essential, prior to any attempt to determine what type of regulatory instrument mix might be applied to the scenario, to consider carefully the nature of the privacy interests at stake. Legislators will not be in a position to provide coherent answers to privacy ‘hard cases’ such as this until they have derived answers to more general questions relating to which privacy interests they wish to protect, why they wish to protect those interests, from whom the interests are to be protected and the extent of the protection to be afforded. When considering the use of federated identity management in m-commerce, the individual privacy interests may be seen as follows.

The data subject’s interest is in having some measure of control over:

• who is processing data about them
• what data are being processed
• why the data are being processed
• where the data are being processed
• the data’s accuracy, relevance and freshness
• the data being held only for as long as is required
• the data being processed for the reasons supplied
• the data being protected against unauthorised processing
• the data being protected against accidental loss or damage
• the data being processed under conditions where their legally protected privacy interests can be enforced.

This list largely reflects the requirements of the EU Directive, but as noted above, the m-commerce federated identity management architecture does not easily permit data subject, or regulator, access to distributed data holdings in order to verify that these interests are being respected, as can be achieved in the traditional data controller/data subject relationship under the existing regulatory framework. The immediate possibilities as potential points of control within the Circle of Trust and Federated Circles of Trust model are the Identity Providers, but as already noted, even the Identity Providers are unlikely to maintain a complete record of the data held on an individual within Circles of Trust and Federated Circles of Trust. To require some centralized data holding by Identity Providers or other entities in a Circle of Trust would seem to run counter to the effectiveness and efficiency of the m-commerce model, and would perhaps pose greater risks to individual data privacy interests, by creating a more inviting target for hackers and identity thieves. Indeed, proponents of federated identity management systems have suggested that the disaggregated nature of the personal data holdings in those systems may not just simplify the task of identification and authentication, but also reduce the risks of identity theft, and minimize intrusion into individual privacy (Sun Microsystems, 2002: 7).

3.4. Regulatory roles

It is clear that government has the ability to set a baseline for data protection, for example the OECD’s Fair Information Principles,12 as well as the ability to provide formal regulatory processes and oversight bodies, such as the current data protection legislation and the Information Commissioners. In some circumstances, the Information Commissioner may be best placed to ensure the protection of individual data privacy, for example in the relationship between a traditional data controller and data subject. In other circumstances, such as in the m-commerce arena, it may be more efficient and effective to make use of sectoral collective interest regimes, where the State encourages non-state actors to turn self-interest or sectoral collective interest towards public interest goals. The latter approach may be especially relevant to the development of the Circle of Trust/Federated Circle of Trust frameworks, where the commercial entities have a collective interest in:

• determining both standards and policy for development of federated identity management systems (not least to avoid a monopoly situation in federated identity management provision);
• developing both commercial and consumer trust in the concept of federated identity management in order to ensure a viable level of adoption;
• a community approach to liability for privacy breach, as the nature of compliance within a Circle of Trust may require appropriate actions to be taken throughout a chain of service providers.

Here, then, the self-interest lies in obtaining an effective and trusted authentication system based on identity federation and trust delegation. As such, in the case of informational privacy regulation in the m-commerce sector, the most effective initial lever for ensuring sectoral compliance might well be the impact that even the perception of non-compliance would have on both public and commercial trust in the developing m-commerce framework, and the economic damage that might stem from this.

3.5. Consumer concerns

The question of whether on-line purchasers are as concerned with their privacy as various consumer studies have indicated (e.g. Harris and Associates, 1996; Ipsos-Reid, 2001) is, of course, a longstanding cause of controversy, with some critics suggesting that most consumers are in fact largely unconcerned by privacy considerations (e.g. Rubin and Lenard, 2002). However, it appears that there is an increasing awareness amongst both researchers and commercial entities that the conventional approach to examining consumer privacy perceptions in terms of:

“... [segmenting] ... the population into a small group of the unconcerned, a tiny group of privacy fundamentalists, and a large group of privacy pragmatists is in fact seriously misleading ... risk perceptions change according to context ... the category of pragmatism is too vague and capacious to be a useful one ... [and the] taxonomy bears no relation to the ways in which we understand people to think about other risks or other consumption relationships and practices.” (Perri 6, 2002).

The recognition that there is a rather more complex model of consumer trust/privacy risk perception at play (e.g. Palen and Dourish, 2003) than earlier studies and surveys suggested both highlights the relative poverty of the ‘command and control’ dominated response to data privacy regulation, and provides significant impetus for commercial organisations to establish how to most effectively provide the level of privacy likely to be required by future consumers of their services. This is reflected in the developing marketing research literature exploring the factors which consumers are likely to use to assess their potential privacy risks (e.g. Miyazaki and Fernandez, 2001; O’Neil, 2001; Graeff and Harmon, 2002; Dommeyer and Gross, 2003; Milne and Culnan, 2004) and suggesting mechanisms for developing and enhancing consumer trust (e.g. Luo, 2002). It is also reflected in the pragmatic acknowledgment by the members of the Liberty Alliance Project that potential m-commerce consumers will have a range of privacy concerns depending upon the services provided, and that the ability, or not, of adopters of the Liberty platform to address these concerns will have a significant impact on the willingness of consumers to embrace m-commerce (Liberty Alliance, 2003c).

The effect on a nascent m-commerce market, and in particular on the mobile communications providers’ ability to generate revenue from provision of identity services, of negative privacy publicity could therefore potentially be a significant factor in the policing of self-regulatory standards of data protection in Circles of Trust. A possible additional lever will be the requirement of trust between the Identity Providers and merchants in vouching for users’ authenticity and acceptability in both Circles of Trust and Federated Circles of Trust models – failure to abide by accepted data protection practices would very likely also have the knock-on effect of damaging an Identity Provider or merchant’s overall trustworthiness within that environment. This trust-based mechanism will be sensitive to both data subject and merchant concerns, and is more likely to result in timely adjustments to meet new conditions and privacy threats than state-centred regulation, thus demonstrating that an effectively constituted instrument mix can do more than simply address existing privacy regulation requirements: it can also reduce the need for incremental legislative change to adjust for new circumstances.

12 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data of 23 September 1980 [C(80)58(Final)].

However, developing such a decentred style of data protection regulation may present a different set of problems, not least concerns about the capture of the regulatory process by either the m-commerce industry, or wider commercial interests, resulting in a regulatory process that addresses purely commercial goals and not public interests. When considering proposals to alter the regulatory structure, legislators will have to assess the probability of such capture and the likely degree of harm (Makkai and Braithwaite, 1992), and consider suitable mechanisms to counter any undesirable effects.

4. Conclusion

The ongoing development of new technology-based business models, such as m-commerce architectures incorporating sophisticated federated identity management systems, is likely to present existing data protection regulatory frameworks, based on data subject access backed by regulatory agency oversight, with insurmountable operational difficulties. This is because the existing forms of data subject and regulatory agency access required to ensure meaningful oversight within such frameworks are rendered impracticable by the disaggregated nature of personal data processing within the Circle of Trust/Federated Circle of Trust business models.

Technology-driven change in the areas of both e-commerce and m-commerce will require legislators and regulators to engage in a significant reappraisal of the modes of data protection regulation currently employed. It is suggested that to continue the cautious and incremental change that has thus far been the response to economic, social and technological changes in the privacy environment, as exemplified by the EU E-Commerce and Electronic Communications Data Protection Directives, would demonstrate a misunderstanding, or misinterpretation, of the fundamental nature of the change in personal data usage developing in the commercial arena.

Further development of data protection regulation will require a much more sophisticated comprehension of the contextual influences that will shape the privacy interests of the individual data subject as they negotiate the developing e-society (Perri 6, 2002), as well as a willingness to consider innovative ways of protecting those interests via non-state-centred regulatory mechanisms. Development of such regulatory mechanisms is likely to have the effect of encouraging innovation and competition in the provision of privacy enhancing services (Gritzalis, 2004), as well as supplying would-be Identity Providers and merchants with incentives to develop meaningful self-regulatory schemes for data protection.

Such developments would also permit private and public organisations with innovative business models, such as the Circles of Trust and Federated Circles of Trust described above, to clearly assess their trading risks in terms of potential financial losses and data privacy breaches. They could then use those trading risks to set privacy and security standards as well as due diligence/compliance measures that would conform to regulator-set parameters (assessed by reference to the organisations’ risk evaluation models), but which otherwise could be negotiated between organisations based on relevant operational criteria. This, in turn, would permit them both to make appropriate provision for rational investment and insurance strategies in their area of operations and to clearly demonstrate due diligence/compliance with data protection rules to consumers, Identity Providers and merchants.

The end result of these measures would be to facilitate the development of a data protection regulatory regime for the commercial business models that are now developing that would be regarded as legitimate by, and accountable to, both those regulated and data subjects; would protect data subjects from the hazards associated with regulatory capture by industry; and, crucially in an increasingly multinational commercial environment, would be capable of being successfully copied and applied in other jurisdictions.

References

6 P. Who wants privacy protection, and what do they want? Journal of Consumer Behaviour 2002;2(1):80–100.

Alcatel. A guided approach to broadband entertainment services. Strategic White Paper, <http://www.alcatel.com/industry_analysts/secure/pdf/BroadbandEntertainment_White_Paper.pdf>; 2004.

Baldwin R. Regulation: after ‘Command and Control’. In: Hawkins K, editor. The human face of law. Essays in honour of Donald Harris. Oxford: Clarendon Press; 1997. p. 65–84.

Baldwin R, Cave M. Understanding regulation: theory, strategy and practice. Oxford: Oxford University Press; 1999.

Bennett CJ, Raab C. The governance of privacy: policy instruments in global perspective. Dartmouth; 2003.

Black J. Decentring regulation: understanding the role of regulation and self regulation in a “post-regulatory” world. Current Legal Problems 2001;54:103–46.

Charlesworth A. Implementing the European Data Protection Directive 1995 in UK law: the Data Protection Act 1998. Government Information Quarterly 1999;16:203–40.

Charlesworth A. Information privacy law in the European Union: E Pluribus Unum or Ex Uno Plures. Hastings Law Review 2003;54:931–69.

Debussere F. The EU E-privacy directive: a monstrous attempt to starve the cookie monster? International Journal of Law and Information Technology 2005;13(1):70–97.

Dommeyer CJ, Gross BL. What consumers know and what they do: an investigation of consumer knowledge, awareness, and use of privacy protection strategies. Journal of Interactive Marketing 2003;17(2):34–51.

Donovan C. Implementation of the e-privacy directive in the UK – understanding the new rules. Computer Law and Security Report 2004;20(2):127–32.

Graeff TR, Harmon S. Collecting and using personal data: consumers’ awareness and concerns. Journal of Consumer Marketing 2002;19(4):302–18.

Gritzalis DA. Embedding privacy in IT applications development. Information Management and Computer Security 2004;12(1):8–26.

Louis Harris and Associates. The 1996 Equifax-Harris consumer privacy survey. New York: Louis Harris and Associates; 1996.

Information Commissioner, Office of the UK. Press release. Solicitor fined for flouting Data Protection Act. <http://www.ico.gov.uk/cms/DocumentUploads/solictor%20fined%20failing%20to%20notify.pdf>; 1 March 2005a.

Information Commissioner, Office of the UK. Press release. Two companies fined for flouting Data Protection Act. <http://www.ico.gov.uk/cms/DocumentUploads/two_companies_fined_for_flouting_data_protection_act.pdf>; 13 October 2005b.

Information Commissioner, Office of the UK. Press release. Private detective convicted for data protection offences. <http://www.ico.gov.uk/cms/DocumentUploads/pearmac_prosecution_19_oct_05.pdf>; 19 October 2005c.

Information Commissioner, Office of the UK. A strategy for data protection regulatory action. Version 1.1. <http://www.ico.gov.uk/cms/DocumentUploads/data_protection_regulatory_action_strategy.pdf>; November 2005d.

International Chamber of Commerce. Comments on the review of the EU Data Protection Directive, <http://europa.eu.int/comm/internal_market/privacy/docs/lawreport/paper/icc_en.pdf>; 28 May 2002.

Ipsos-Reid. Online security and privacy concerns on the increase in Canada, <http://www.ipsos-reid.com/pdf/media/mr011128-1.pdf>; 29 October 2001.

Kent ST, Millett L. Who goes there? Authentication through the lens of privacy. Washington DC: The National Academies Press; 2003.

Langenderfer J, Cook DL. Oh, what a tangled web we weave: the state of privacy protection in the information economy and recommendations for governance. Journal of Business Research 2004;57(7):734–47.

Laurie GT. Genetic privacy: a challenge to medico-legal norms. Cambridge: Cambridge University Press; 2002.

Leith P. Genetic privacy: a challenge to medico-legal norms, by Graeme Laurie. Book review. The Journal of Information, Law and Technology (JILT) 2002;(2), <http://www2.warwick.ac.uk/fac/soc/law/elj/jilt/2002_2/leith/>; 2002.

Liberty Alliance Project. Introduction to the Liberty Alliance identity architecture, v.1.0, <http://www.projectliberty.org/resources/whitepapers/LAP%20Identity%20Architecture%20Whitepaper%20Final.pdf>; March 2003a.

Liberty Alliance Project. Business benefits of federated identity, <http://www.projectliberty.org/resources/whitepapers/LAP%20Business%20Benefits%20White%20Paper%20v4.pdf>; April 2003b.

Liberty Alliance Project. Privacy and security best practices, v.2.0, <http://www.projectliberty.org/specs/final_privacy_security_best_practices.pdf>; November 2003c.

Liberty Alliance Project. Circles of trust: the implications of EU data protection and privacy law for establishing a legal framework for identity federation, <http://www.projectliberty.org/specs/Circles_of_Trust_Legal_Framework_White_Paper_322200522576.pdf>; February 2005.

Luo X. Trust production and privacy concerns on the Internet – a framework based on relationship marketing and social exchange theory. Industrial Marketing Management 2002;31(2):111–8.

Makkai T, Braithwaite J. In and out of the revolving door: making sense of regulatory capture. Journal of Public Policy 1992;12:61–78.

McCahill M. The surveillance web: the rise of visual surveillance in an English city. Willan; 2002.

Milne GR, Culnan MJ. Strategies for reducing online privacy risks: why consumers read (or don’t read) online privacy notices. Journal of Interactive Marketing 2004;18(3):15–29.

Miyazaki AD, Fernandez A. Consumer perceptions of privacy and security risks for online shopping. Journal of Consumer Affairs 2001;35(1):27–44.

Newman AL, Bach D. Self-regulatory trajectories in the shadow of public power: resolving digital dilemmas in Europe and the United States. Governance 2004;17(3):387–413.

Nijhawan DR. The emperor has no clothes: a critique of applying the European Union approach to privacy regulation in the United States. Vanderbilt Law Review 2003;56(3):939–76.

Norris C, Armstrong G. The maximum surveillance society: the rise of CCTV. Oxford: Berg; 1999.

O’Neil D. Analysis of Internet users’ level of online privacy concerns. Social Science Computer Review 2001;19(1):17–31.

Palen L, Dourish P. Unpacking “privacy” for a networked world. In: Proceedings of the conference on human factors in computing systems 2003. New York: ACM Press; 2003. p. 129–36.

Pearce G, Platten N. Achieving personal data protection in the European Union. Journal of Common Market Studies 1998;36:529–48.

European Commission. Press release. Data protection: commission seeks views on privacy legislation (IP/02/923); 25 June 2002.

Rubin PH, Lenard TM. Privacy and the commercial use of personal information. The Hague: Kluwer Law International; 2002.

Schwartz PM. Free speech vs. information privacy: Eugene Volokh’s first amendment jurisprudence. Stanford Law Review 2000;52:1559–72.

Sinclair D. Self-regulation versus command and control? Beyond false dichotomies. Law & Policy 1997;19(4):529–59.

Sun Microsystems. Strategic implications of network identity, <http://wwws.sun.com/software/sunone/wp-identity.pdf>; 2002.

Tite & Lewis. Data Protection Directive 95/46/EC: response to the European Commission’s three yearly review, <http://europa.eu.int/comm/internal_market/privacy/docs/lawreport/paper/tite-lewis_en.pdf>; 30 August 2002.

Whitaker R. The end of privacy. New York: The New Press; 1999.

Glossary

Article 29 Working Party: The Working Party was established by Article 29 of Directive 95/46/EC (the Data Protection Directive). It is the independent EU Advisory Body on Data Protection and Privacy. Its tasks are laid down in Article 30 of Directive 95/46/EC. Its primary objectives are to provide expert opinion from Member State level to the Commission on questions of data protection; promote the uniform application of the general principles of the Directives in all Member States through co-operation between data protection supervisory authorities; advise the Commission on any Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy; make recommendations to the public at large, and in particular to Community institutions on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.

Data subject: The DPA 1998 defines a Data Subject as an individual who is the subject of personal data.

Information Security Technical Report 11 (2006) 46–54, page 53

To cite this output: Charlesworth, Andrew (2007). Federated Identities, 'Circles of Trust' & Decentred Regulation in M-Commerce: Full Research Report. ESRC End of Award Report, RES-341-25-0029. Swindon: ESRC


Data controller: A Data Controller is ‘‘a person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data are, or are to be, processed’’. The fact that an individual or institution holds or processes personal data does not make them a Data Controller, if they do not determine the purpose and manner of that holding or processing.

Data processing: Data processing is ‘obtaining, recording or holding the data or carrying out any operation or set of operations on the data.’ This includes collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. It is irrelevant whether these actions are manual or automated. The breadth of the DPA 1998 definition effectively means that from the moment of its collection, to the moment that it is destroyed or fully anonymised, personal data are being processed and must thus be treated in accordance with the Act.


The Centre for IT & Law, Department of Computer Science / School of Law

The University of Bristol, Wills Memorial Building, Queens Road, Bristol, BS8 1RJ, UK

Tel: +44 (0)117 954 5633; Fax: +44 (0)117 954 5208; E-mail: [email protected]
