26 May 2015

Our open letter to the House of Commons on the importance of respecting the democratic process as UK surveillance laws are being revised

Dear Readers,

As many of you are aware, following vairous media outlets` coverage, today we have sent an open letter to all members of the House of Commons on the importance of respecting the democratic process as UK surveillance laws are being revised.

You can find a copy of the full letter below.

An open letter to all members of the House of Commons,

Dear Parliamentarian,

Ensuring the Rule of Law and the democratic process is respected as UK surveillance law is revised

Actions Taken Under the Previous Government

During the past two years, the United Kingdom’s surveillance laws and policies have come under scrutiny as the increasingly expansive and intrusive powers of the state have been revealed and questioned in the media. Such introspection is healthy for any democracy. However, despite a need for transparency in all areas of lawmaking, and in particular in areas of controversy, the previous Government repeatedly resisted calls for an open and transparent assessment and critique of UK surveillance powers. Instead, in response to legal challenges, it extended the powers of the state in the guise of draft Codes of Practice and “clarifying amendments.” As we welcome a new Government we expect another round of revisions to UK surveillance laws, with the likelihood that the Queen’s Speech will signal a revival of the Communications Data Bill. At this time we call on the new Government, and the members of the House, to ensure that any changes in the law, and especially any expansions of power, are fully and transparently vetted by Parliament, and open to consultation from the public and all relevant stakeholders.

Last year, in response to the introduction of the Data Retention and Investigatory Powers Bill (“DRIP”), a number of leading academics in the field – including many of the signatories to this letter – called for full and proper parliamentary scrutiny of the Bill to ensure Parliamentarians were not misled as to what powers it truly contained. Our concern emanated from the Home Secretary’s attempt to characterise the Bill, which substantially expanded investigatory powers, as merely a re-affirmation of the pre-existing data retention regime.[1]

Since that letter was written, it has become apparent that the introduction of the DRIP Bill was not the only time an expansion of surveillance powers was presented in a way seemingly designed to stifle robust democratic consideration. In February 2015, the Home Office published the draft Equipment Interference Code of Practice.[2] The draft Code was the first time the intelligence services openly sought specific authorisation to hack computers both within and outside the UK. Hacking is a much more intrusive form of surveillance than any previously authorised by Parliament. It also threatens the security of all internet services as the tools intelligence services use to hack can create or maintain security vulnerabilities that may be used by criminals to commit criminal acts and other governments to invade our privacy. The Government, though, sought to authorise its hacking, not through primary legislation and full Parliamentary consideration, but via a Code of Practice.

The previous Government also introduced an amendment via the Serious Crimes Act 2015, described in the explanatory notes to the Bill as a ‘clarifying amendment’.[3] The amendment effectively exempts the police and intelligence services from criminal liability for hacking. This has had an immediate impact on the ongoing litigation of several organisations who are suing the Government based in part on the law amended, the Computer Misuse Act 1990.[4]

The Way Ahead

The new Conservative Government has announced its intention to propose new surveillance powers through a resurrection of the Communications Data Bill. This will require internet and mobile phone companies to keep records of customers’ browsing activity, social media use, emails, voice calls, online gaming and text messages for a year, and to make that information available to the government and security services. We also anticipate this Parliament will see a review of the Regulation of Investigatory Powers Act 2000, which currently regulates much of the Government’s surveillance powers. The Independent Reviewer of Terrorism Legislation, David Anderson QC, has conducted an independent review of the operation and regulation of investigatory powers, with specific reference to the interception of communications and communications data. The report of that review has been submitted to the Prime Minister, but has yet to be made public: when it is made public, parliamentary scrutiny of the report and any recommendations made following it will be essential.

As the law requires that surveillance powers must be employed proportionate to any harm to privacy caused (as required by Article 8 of the European Convention on Human Rights and Article 12 of the Universal Declaration of Human Rights) we believe that any expansion or change to the UK’s surveillance powers should be proposed in primary legislation and clearly and accurately described in the explanatory notes of any Bill. The Bill and its consequences must then be fully and frankly debated in Parliament. When reaching an assessment of the proportionality, of any measure that restricts rights, both our domestic courts and the European Court of Human Rights place great stock on the degree and quality of Parliamentary involvement prior to any measure being adopted. If the matter ever came to before the courts one issue examined would be the nature of any “exacting review” undertaken by MPs into the necessity of extending these powers. The Government should not be permitted to surreptitiously change the law whenever it so desires, especially where such changes put our privacy and security at risk.

This letter has been prepared and signed by 38 academic researchers. We are comprised of people from both sides of this issue - those who believe that increased powers are a reasonable response to an emerging threat, and those who think them an unjustified extension of state interference. Our common goal is to see the Rule of Law applied and Parliamentary oversight reasserted. We are calling on all members of the House of Commons, new and returning, and of all political persuasions to support us in this by ensuring Parliamentary scrutiny is applied to all developments in UK surveillance laws and powers as proposed by the current Government.  


Andrew Murray (contact signatory)
Paul Bernal (contact signatory)
Professor of Law
London School of Economics
Lecturer in Information Technology, Intellectual Property and Media Law University of East Anglia

Anne Barron
Associate Professor of Law
London School of Economics

Subhajit Basu
Associate Professor of Law
University of Leeds

Sally Broughton Micova
Deputy Director LSE Media Policy Project, Department of Media and Communications
London School of Economics

Abbe E.L. Brown
Senior Lecturer
School of Law
University of Aberdeen

Ian Brown
Professor of Information Security and Privacy
Oxford Internet Institute
Ray Corrigan
Senior Lecturer in Maths, Computing and Technology
Open University

Angela Daly
Postdoctoral Research Fellow
Swinburne Institute for Social Research
Swinburne University of Technology
Richard Danbury
Postdoctoral Research Fellow
Faculty of Law
University of Cambridge

Catherine Easton
Lecturer in Law
Lancaster University School of Law

Lilian Edwards
Professor of E-Governance
Strathclyde University
Andres Guadamuz
Senior Lecturer in Intellectual Property Law
University of Sussex

Edina Harbinja
Lecturer in Law
University of Hertfordshire

Julia H├Ârnle
Professor in Internet Law
Queen Mary University of London
Argyro P Karanasiou
Senior Lecturer in Law
Centre for Intellectual Property, Policy & Management (CIPPM)
Bournemouth University

Theodore Konstadinides
Senior Lecturer in Law
University of Surrey

Douwe Korff
Emeritus Professor of International Law
London Metropolitan University
Associate of the Oxford Martin School, University of Oxford

Mark Leiser
Postgraduate Researcher
Strathclyde University

Orla Lynskey
Assistant Professor of Law
London School of Economics

David Mead
Professor of UK Human Rights Law
UEA Law School
University of East Anglia

Robin Mansell
Professor, Department of Media and Communication
London School of Economics

Chris Marsden
Professor of Law
University of Sussex

Steve Peers
Professor of Law
University of Essex

Gavin Phillipson
Professor, Law School
University of Durham

Julia Powles
Faculty of Law
University of Cambridge

Andrew Puddephatt
Executive Director
Global Partners Digital
Judith Rauhofer
Lecturer in IT Law
University of Edinburgh

Chris Reed
Professor of Electronic Commerce Law
Queen Mary University of London

Felipe Romero-Moreno
Lecturer in Law
University of Hertfordshire

Burkhard Schafer
Professor of Computational Legal Theory
University of Edinburgh

Joseph Savirimuthu
Senior Lecturer in Law
University of Liverpool

Andrew Scott
Associate Professor of Law
London School of Economics

Peter Sommer
Visiting Professor
Cyber Security Centre, De Montfort University

Gavin Sutter
Senior Lecturer in Media Law
Queen Mary University of London

Judith Townend
Director of the Centre for Law and Information Policy
Institute of Advanced Legal Studies
University of London

Asma Vranaki
Post-Doctoral Researcher in Cloud Computing
Queen Mary University of London
Lorna Woods
Professor of Law
University of Essex

14 May 2015

Dear Google: open letter from 80 academics on 'right to be forgotten'

Our open letter to Google published in today`s Guardian seeking the disclosure of compliance data in relation to its implementation of the right to be forgotten.

And Google`s response. Let`s see how this balancing exercise translates in practice and what concrete outputs are circulated. 

12 May 2015

Cloud Investigations by European Data Protection Authorities

You can find the recent draft of my book chapter entitled 'Cloud Investigations by European Data Protection Authorities: An Empirical View' on SSRN.

The full citation for the chapter is:

Vranaki, Asma A.I., Cloud Investigations by European Data Protection Authorities: An Empirical Account (March 31, 2015). Vranaki Asma, 'Cloud Investigations by European Data Protection Authorities: An Empirical Account,' in Rothchild John A (ed), Research Handbook on Electronic Commerce Law (Edward Elgar, 2016). Available at SSRN: http://ssrn.com/abstract=2602216

Let me know your thoughts!

30 March 2015

Cloud Investigations by EU Data Protection Authorities

I was delighted to present part of my current research on the cloud investigations conducted by European data protection authorities at the recent launch of the Centre for Law and Information Policy at the Institute of Advanced Legal Studies.

My current research forms part of the 'Accountability for Cloud' research project which is a major European research project. I have designed and conducted a qualitative socio-legal research project which investigates how and why investigations of companies offering cloud computing technologies or services ('Cloud Providers') are being conducted by European data protection authorities. 

You can find a copy of my slides here.

9 January 2015

Programme for the Workshop entitled 'Balancing Business Innovation with Data Protection? Regulating the Digital Age' (University of Oxford)

Dear Readers

I am pleased to invite you to attend our forthcoming workshop entitled 'Balancing Business Innovation with Data Protection? Regulating the Digital Age' which will be held at the University of Oxford on 26 January 2015 at 14:00.  The workshop is organised by the Regulation Discussion Group of the Centre for Socio-Legal Studies of the University of Oxford.

Our detailed programme is pasted below.

If you wish to attend, please email me at asma.vranaki@qmul.ac.uk.



        Balancing Business Innovation with Data Protection?  Regulating the Digital Age

                                    First Technology Regulation Workshop
                          Haldane Room, Wolfson College, 26 January 2015

In recent years, there has been a rapid proliferation of a diverse range of information communication technologies, such as online social networking sites, cloud computing technologies, and, messaging applications. Hardly a day goes by without a new information communication technology being rolled out. As the world of Snapchat, Amazon Web Services, and the likes become firmly entrenched in modern society, new questions are being raised by regulators, scholars, and technologists about the risks such information communication technologies pose to the protection of ‘personal data.’ By ‘personal data’, we mean  any information which relates to an individual, who is or can be identified from the data, such as an individual’s internet protocol address, cookies, characteristics or  electronic mail address.  

The challenges which information communication technologies pose to the protection of personal data have been one of the major drivers for reforming the regulation of personal data, including the current reform of the EU data protection package.  How to strike a balance between the protection of personal data and the promotion of the European Union as a world leader in the digital economy is at the heart of the current European reform exercise. For example, the  recent ruling of the European Court of Justice in the Google Spain case has raised perplexing, pressing, and practical questions about how companies, such as Google, will deal with the additional regulatory burdens  which are now placed on them whilst continuing to drive innovation in the field of information communication technologies. Google reportedly received over 12,000 requests from individuals to remove information relating to them from the results of Google search engine within 24 hours of the Google Spain ruling.

This workshop will investigate whether it is possible for regulators and companies to strike a balance between business innovation and data protection in the Digital Age. This and many more questions will be explored during this workshop by academics, regulators, and practitioners from a range of disciplinary perspectives.

1.       What are the major patterns of data use in the digital advertising economy and what are the implications of these for regulation?

2.       In what ways can the so-called ‘co-regulation model’ empower and protect consumers?

3.       Is ‘co-regulation’ a viable option or will it lead to regulatory capture?

4.       Can privacy-enhancing technologies improve the accountability and transparency of companies’ practices in the context of self-regulation?

14:00 – 14:10
Opening remarks from the co-convenor of the Regulation Discussion Group
Dr Bettina Lange
Associate Professor in Law and Regulation
Centre for Socio-Legal Studies, University of Oxford


14:10- 14:40
Transborder Data Flow in Competing Regulatory Frameworks: The EU Perspective
Dr Christopher Kuner
Associate Professor, University of Copenhagen




Regulation by Privacy Seals and Certification
Steve Wood, Head of Policy Delivery

Review of the Practices of Self-Regulation in Digital Advertising in the UK: Innovation and Data Use
Nick Stringer, Director of Regulatory Affairs
UK Internet Advertising Bureau

Reflecting on the Distinction between Data Processors and Data Controllers: A View from Practice
Ronnie Preiskel, Partner
Preiskel & Co LLP

15:40 -16:00
Panel discussion

Moderator: Dr Bettina Lange


16:00 -16:20       Coffee break

                                      INNOVATION AND DATA PROTECTION 
16:20 -17:20
Data Sovereignty, Data Flow, and International Jurisdiction in Cloud Computing
Christopher Millard, Professor of Privacy and Information Law
Queen Mary, University of London
Net Neutrality and Personal Data Protection: Towards a Co-regulatory Solution
Christopher T. Marsden, Professor of Internet and Media Law
University of Sussex

Cloud Computing: Technical Protections and Directions

Dr Jatinder Singh, Senior Research Associate
Computer Laboratory, University of Cambridge


Panel discussion

Moderator: Dr Asma Vranaki, Post-Doctoral Researcher in Cloud Computing, Queen Mary, University of London


Organising Committee
Dr Bettina Lange, Associate Professor in Law & Regulation (University of Oxford)
Dr Asma Vranaki, Post-Doctoral Researcher in Cloud Computing (QMUL)
Janet Hui Xue, PhD Candidate in Internet Regulation (Macquarie University)           

We gratefully acknowledge the contributions of Macquarie University and the Oxford Regulation Discussion Group for this workshop.

For further details, please email Dr Asma Vranaki at asma.vranaki@qmul.ac.uk