First UK case on email spam

There was an article that drew my attention to the first UK case on email spam. In this case, a computer expert had instigated legal action against a company that had sent unsolicited emails. According to the article, his company had received up to 300 unwanted messages a day, which cost the company time and money to filter. The article also adds that:

He first wrote to Scotland-based Media Logistics (UK) Ltd about the unsolicited emails on contract car hire and fax broadcasting businesses, seeking an apology, damages and information on what data the company held on him.

He filed a claim at Colchester County Court when the company apologised but declined compensation and did not fully comply with his Data Protection Act information access request, he said.

The County court has ruled in the claimant's favour (the defendant company did not defend the claim), which means that he will receive compensation for breach of the The Privacy and Electronic Communications Regulations 2003/2426.

The UK Information Commissioner has published guidance (pdf) on these new regulations:

>

1st New Rule

This rule applies to all marketing messages sent by electronic mail, regardless of who the recipient is.

• The sender must not conceal their identity and • The sender must provide a valid address for opt-out requests

2nd New Rule

This rule only applies to unsolicited marketing messages sent by electronic mail to individual subscribers. • Senders cannot send such messages unless they have the recipient’s prior consent to do so. This strict “opt-in” rule is relaxed if three exemption criteria are satisfied.

These three exemption criteria are as follows

1. The recipient’s email address was collected “in the course of a sale or negotiations for a sale” 2. The sender only sends promotional messages relating to their “similar products and services” AND 3. When the address was collected, the recipient was given the opportunity to opt out (free of charge except for the cost of transmission) which they didn’t take. The opportunity to opt out must be given with every subsequent message.

Whether we will see more cases is questionable, but the regulations are there and users affected by email spam should in the first instance, contact the UK Information Commissioner about this.

Phone records at risk

I was reading about the practice of online data brokers that sold Canadian and US phone records to individuals/companies. A recent example occurred when Macleans were able to purchase the phone logs online from a U.S. data broker of the Canadian Privacy Commissioner without any questions asked. According to the newspaper report, 'online data brokers have been selling Canadian and U.S. phone records for at least three years, and haven't been shy about advertising the fact. By the count of one American privacy group, there are more than 40 websites like Locatecell vying for your snooping business. But that's not something that anyone in the highly competitive telecom industry has been warning their customers about. Or apparently doing much to stop.'

If this incident had occurred in any country within the EU, the Directive on Privacy and Electronic Communications 2002/58/EC (or national legislation implementing this Directive) would apply which requires consent from individuals before data of this nature can be disclosed. See Art. 6 and Art. 9 on traffic data and location data respectively. In addition, it is arguable that such a disclosure constitutes unfair and unlawful processing under Art. 6 of the Data Protection Directive 95/46/EC - unlawful because it was obtained without the consent of the user and subsequently disclosed to third parties.

On a separate note, there was a paper (pdf) issued on location data issued by the Data Protection Working Party. In addition, see details about wireless location privacy published by the Center for Democracy and Technology.

India: data protection laws

I was reading through the latest press release about plans by India to amend the Indian Penal Code and Information Technology Act. The changes were expected to take place this year, but has been deferred until next year. With the growth of outsourcing activity and concerns about data theft, any legal measures that would tighten data security and update existing laws should be welcomed. However, until this is achieved, companies will still have to rely on contractual clauses to safeguard individuals' data. More awareness by users about the implications of global outsourcing is needed.

Identity theft on the increase

With the concern that identity theft may be on the increase, a raft of legal measures have been introduced in the US to protect the privacy of personal information. In its white paper, Guardian Edge provides a summary of the legislation that is being proposed or has been enacted. Interestingly, the California's Notice of Security Breach Act requires that any firm that owns or licenses electronic personal information must disclose any breach of the security of the system to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. What makes the law far reaching and "effective" is that the law is applicable to any organization that conducts business in California or with California residents. For further information about Californian privacy laws, see http://www.privacy.ca.gov/califlegis.htm.

The white paper concludes with the following statements:

Congress perceives identity theft as a serious threat to the nation’s economic stability, homeland security, the development of e-commerce, and the privacy rights of Americans” and is acting swiftly with new laws designed to protect the privacy and security of personal electronic records and other forms of sensitive personal information. These proposed rules enhance existing laws and carry heavy penalties for organizations that do not adequately protect sensitive personal information.

Whilst these measures are welcomed, what is needful are data protection laws (akin to Europe) that would bring the US up to speed with this field and address the concerns of the current Safe Harbor framework between Europe and the US. For an interesting study into this, see the latest report on Safe Harbor (pdf) prepared at the request of the European Commission.

For general information and advice about identity theft, see the FTC website.

Binding Corporate Rules Scheme - GE approved

The UK Information Commissioner has approved the Binding Corporate Rules Scheme, which explains how GE's BCRs satisfy the requirements of the EU's Art 29 DP Working Party. The BCR document is detailed and covers areas, such as: jurisdiction of the Information Commissioner, evidence that GE's BCRs are legally binding, verification of compliance, description of processing and flows of information, data protection safeguards, and mechanism for reporting and recording change. More details about the BCR can be found on the European Commission's Data Protection website and the document issued by Art. 29 Working Party.

Developments on Mandatory Data Retention

The European Parliament has finally approved data retention proposals with 378 votes in favour and 197 against, 30 abstentions in the first reading of the Data Retention Directive. The Directive aims to cover traffic and location data generated by telephony, SMS and internet, but not the content of the information communicated. A number of amendments have been proposed and include the need to restric the use of retained data to ensure that the future law respects the privacy of telephone and internet users. According to the press release, 'the directive will provide for data to be retained by the telecommunications companies for a minimum of six months and a maximum of 24. MEPs also added a provision for “effective, proportionate and dissuasive” penal sanctions for companies who fail to store the data or misuse the retained information.' For further details, see http://www.europarl.eu.int/oeil/file.jsp?id=5275032 and the recent Data Retention Petition campaign at http://wiki.dataretentionisnosolution.com:81/index.php/Main_Page.

New Enforcement Strategy launched by the UK OIC

The UK Information Commissioner has launched a new enforcement strategy (pdf), which will “take a practical down to earth approach – simplifying and making it easier for the
majority of organisations who seek to handle personal information well, and tougher for the minority who do not.” According to the strategy report, it is intended to ensure that personal information is properly protected and take necessary action to ensure that this is upheld.

The main forms of regulatory action include criminal prosecution, caution, enforcement notice, s 159 Order (notice of correction to the credit reference agency), application for an injunction/enforcement order and audit. It will be interesting to see how far this will go and whether organisations will take data protection laws more seriously. For further information, see the Information Commissioner's website.

Scottish FOIA under review

According to latest posting by Out-Law news, the Scottish Executive will be reviewing the Freedom of Information Act. Its remit will cover the Act in general, 'the fees regime, statutory prohibitions to disclosure of information, general feedback on discharge of functions under the Act and any areas where difficulty is arising'. One website that I would recommend readers to visit is the Scottish Executive webpage. For an overview of the Scottish FOIA 2000, see http://www.scotland.gov.uk/government/foi/foioverview.pdf.

South Africa: consultation on Protection of Personal Information Bill

This came to my attention through a press release by Privacy Laws and Business, but the main recommendations (taken from the press release) are as follows:

a) Privacy and information protection should be regulated by a general information protection statute, with or without sector specific statutes, which will be supplemented by codes of conduct for the various sectors and will be applicable to both the public and private sector. Automatic and manual processing will be covered and identifiable natural and juristic persons will be protected [Chapter 2, clauses 3-6].

b) General principles of information protection should be developed and incorporated in the legislation. The proposed Bill gives effect to eight core information protection principles, namely processing limitation, purpose specification, further processing limitation, information quality, openness, security safeguards, individual participation and accountability. Provision is made for exceptions to the information protection principles [Chapter 3, Part A, clauses 7-23]. Exemptions are furthermore possible for specific sectors in applicable circumstances [Chapter 4, clauses 32-33]. Special provision has furthermore been made for the protection of special (sensitive) personal information [Chapter 3, Part B, clauses 24-31].

c) A statutory regulatory agency should be established. Provision has been made for an independent Information Protection Commission with a full-time Information Commissioner to direct the work of the Commission [ Chapter 5, Part A, clauses 34-46]. The Commission will be responsible for the implementation of both the Protection of Personal Information Act and the Promotion of Access to Information Act, 2000. Responsible parties will be under an obligation to notify the Commission of any processing of personal information before they undertake such processing [Chapter 6, Part A, clauses 47-51] and provision has also been made for prior investigations to be conducted where the information being collected warrants a stricter regime [Chapter 6, Part B, clauses 52-53].

d) Enforcement of the Bill will be through the Commission using as a first step a system of notices where conciliation or mediation has not been successful. Failure to comply with the notices will be a criminal offence. The Commission may furthermore assist a data subject in claiming compensation from a responsible party for any damage suffered. Obstruction of the Commission’s work is regarded in a very serious light and constitutes a criminal offence [Chapter 8, clauses 63-87 and Chapter 9, clauses 88-92].
e) A flexible approach should be followed in which industries will develop their own codes of conduct (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency. Codes of conduct for individual sectors may be drawn up for specific sectors on the initiative of the specific sector or of the Commission itself. This will include the possibility of making provision for an adjudicator to be responsible for the supervision of information protection activities in the sector. The Commission will, however, retain oversight authority. Although the codes will accurately reflect the information protection principles as set out in the Act, it should furthermore assist in the practical application of the rules in a specific sector [Chapter 7, clauses 54-62].

f) It is the Law Commission’s objective to ensure that the legislation provides an adequate level of information protection in terms of the EU Directive. In this regard a provision has been included that prohibits the transfer of personal information to countries that do not, themselves, ensure an adequate level of information protection [ Chapter 10, clause 94].

Although this is in its early stages, it will be interesting to see what developments arise from this consultation, taking into account that the European Commission is considering of reviewing data protection within the European Union in the next year. In any event, the consultation should be welcomed as a further step towards the recognition of the need to protect an individual's personal data.

Durant - Another opportunity missed!

Durant recently petitioned to the UK House of Lords against the Court of Appeal decision, which limited the scope of the definition of "personal data". The Court held that the 'mere mention of the data subject in a document held by a data controller does not necessarily amount to his personal data. Whether it does so in any particular instance depends on where it falls in a “continuum of relevance or proximity to the data subject as distinct, say, from transactions or matters in which he may have been involved to a greater or lesser degree.' In explaining the definition of "personal data", the Court of Appeal held that 'the first is whether the information is biographical in a significant sense, that is, going beyond the recording of the putative data subject’s involvement in the matter or an event that has no personal connotations…. The second is one of focus. The information should have the putative data subject as its focus rather than some other person with whom he may have been involved or some transaction or event in which he may have figured or have had an interest.' Further guidance from the Information Commissioner provides the following, which will not be regarded as "personal data":

• mere reference to a person’s name where the name is not associated with
  any other personal information;
• incidental mention in the minutes of a business meeting of an individual’s
  attendance at that meeting in an official capacity; or
• where an individual’s name appears on a document or e-mail indicating only
  that it has been sent or copied to that particular individual, the content of that
  document or e-mail does not amount to personal data about the individual
  unless there is other information about the individual within it.

The House of Lords recently refused leave to appeal by Durant primarily on the basis that the case could not be won. Even if D was able show that the narrow definition provided by the Court of Appeal could not be upheld, it was doubtful, whether the catalogue of information held by the FSA was within the "relevant filing system". The definition of "data" under s 1 DPA 1998 was recently changed by the Freedom of Information Act 2000 to include data held by public authorities. Given the restrictive ruling, it appears that D is considering an appeal to the European Court of Human Rights under Article 6, concerning the right to a fair trial and Article 8, the right to privacy.

In any case, it was an opportunity lost to reconsider the restrictive interpretation of "personal data". What was surprising was that no referral was made by the Court of Appeal (known as an Art. 234 preliminary ruling) to the ECJ to define this. Such a definition should be in line with the Data Protection Directive 95/46/EC. One awaits to see what developments arise from this saga..