Thursday, December 14, 2006

League table of media's trade in personal information

The Information Commissioner is due to present a report today to Parliament naming some of the UK's newspapers and magazines that have bought people's personal information in search of a story. According to the latest press release,

The list was assembled following the Operation Motorman raid at premises in Hampshire which led to prosecutions of private investigators. In that operation, the Information Commissioner’s staff uncovered numerous invoices addressed to newspapers and magazines detailing prices for providing their journalists with pieces of personal information. Altogether, 305 journalists were identified as recipients of a wide range of information.

It reinforces the importance of protecting personal information and stronger penalties for those that trade in personal information. As for freedom of expression, the DPA 1998 does provide an exemption to the processing of personal information under s 32:

32. - (1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if-

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes.
There will be the public interest defence available, so claims about curtailing freedom of speech seems to be slightly far-fetched. The Information Commissioner also gave a recent interview on this. See

Thursday, November 30, 2006

Why spam is still a problem

The European Commission has published a report into the growth of spam showing that it accounts for between 50 and 80 per cent of all e-mails, at a worldwide cost of €39 billion (£26 billion). According to its latest press release:

The new Communication on Spam acknowledges that legislative tools to fight these threats already exist, in particular the EU-wide “ban on spam” adopted in 2002 as part of the ePrivacy Directive (see IP/03/1015). However, implementation is still a problem in most EU Member States. To improve, they should now lay down clear lines of responsibility to use the tools available under EU law effectively. Because of the criminal trend in spam and its cross border aspects, good cooperation between enforcement authorities is paramount. In the Commission's view, spam fighters should have sufficient resources. The Dutch fall in spam was achieved through prosecutions by spam fighter OPTA, with just 5 full-time employees and €570,000 invested in equipment. Although we have the Directive on Privacy and Electronic Communications 2002/58/EC, more still needs to be done to tackle this problem.
See also:

Saturday, November 04, 2006

Surveillance Society

Whilst there has been much debate about living in a surveillance society (particularly as highlighted in the 28th International Conference on Data Potection Commissioners), and the strategies that could be adopted in regulating such surveillance, one of the interesting aspects that arose from the report (pdf) commissioned by the Information Commissioner is the idea of a privacy impact assessment test (PIA) and even a surveillance impact assessment test. There is quite a lot to digest from this report, but here is an excerpt on the PIA:

‘an assessment of any actual or potential effects that an activity or proposal may have on individual privacy and the ways in which any adverse effects may be mitigated’;
• ‘a process. The fact of going through this process and examining the options will bring forth a host of alternatives which may not otherwise have been considered’;
• an approach and a philosophy that holds promise by instilling a more effective culture of understanding and practice within organisations that process personal data;
• a form of risk-assessment, which therefore cannot escape the uncertainties of identifying and estimating the severity and likelihood of the various risks that may appear, to privacy, life-chances, discrimination equality and so on;
• a tool for opening up the proposed technologies or applications to in-depth scrutiny, debate and precautionary action within the organisation(s) involved;
• like PETs, premised on the view that it is better to build safeguards in than to bolt them on;
• an early-warning technique for decision-makers and operators of systems that process personal information, enabling them to understand and resolve conflicts between their aims and practices, and the required protection of privacy above or the control of surveillance;
• ideally, a public document, leading to gains in transparency and in the elevation of public awareness of surveillance issues and dangers may be realised; in turn, it may assist regulatory bodies in carrying out their work effectively.

A further point that should be added and noted in the report is that a PIA is not a compliance audit.


PIA should not be confused with compliance audits and the like, which are usually ex post facto and legally-oriented; as with environmental impact assessment, PIA assesses the likely impact of technology applications or new systems in the future, and considers a wider range of criteria.

For further reading, see pages 89 onwards in the report. Some countries such as Canada and Australia already have PIAs, but it remains to be seen whether PIAs will be adopted in the UK. See also:

Monday, October 23, 2006

Podcasts

Some of the podcasts that I find useful when keeping myself updated on freedom of information/data protection developments include:
  1. FOI Podcast service - a monthly series by Ibrahim Hasan, solicitor and information law expert on the latest developments on freedom of information law.
  2. Out-law radio - updated every Thursday, free 10 minute podcast produced by Out-Law.
  3. Privacy podcast - produced by Aaron Titus and more directed towards the protection of an individual's identity.

Tuesday, October 17, 2006

Data protection law for India?

I was reading through an article this morning about India's Information Technology Act 2000 which is likely to be amended to take account of data protection concerns. What is unclear at this stage is what these amendments will consist of and when they are likely to take effect. However, addressing data protection concerns in India have long been overdue, particularly with the recent Channel 4 documentary highlighting the security failures in a number of commercial call centres which allow detailed financial data on individuals to be gathered and sold on with ease.
Art. 25 of the Data Protection Directive 95/46/EC clearly provides that personal data is not transferred to countries outside the EEA without satisfying an adequate level of protection.
Art. 25
1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
These provisions have been implemented in the UK Data Protection Act, Schedule 1, 8th data protection principle:

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

It remains to be seen whether India's laws will be sufficiently vigorous to deal with data protection breaches, but at least, it is a move towards the right direction.

Thursday, October 05, 2006

How much is your personal information?

I was reading through an article where the leader of leader of Bracknell Forest BC has suggested that people who allow their data to be sold to marketing firms could receive council tax cuts. There is more to this:
Paul Bettison told a Conservative party conference fringe meeting that the information from the council's smartcard system could be sold if controls on government databases were loosened."If I could use the information on the 45,000 residents who carry cards, I believe I could be the first council in the country to have a zero council tax," Bettison, e-champion of the Local Government Association (LGA), told the Conservative Technology Forum on 2 October 2006.Such use of the data gathered through the E+ cards, previously known as Edge smartcards, would be voluntary for residents – but for those who did not wish to take part, "it will be £1,400 for a band D," Bettison said.He added that the data held by the council, such as library books borrowed, indications of income and family, could allow companies to target direct mail with enough accuracy to stop it being annoying, as it would present people with offers that were of genuine interest. "Targeted junk mail isn't junk mail," he said. "It's welcome if it's relevant to me.
According to the same article, the Council has indicated that it has no plans to follow up on the idea, but it raises broader questions not only on the privacy of individuals to control their personal information, but also their right to use their information for a commercial incentive. Certainly, supermarkets have already started this line where you sign up for their store cards and build up points on the card in exchange for discounts such as money off coupons etc... I should add one does not have any objection with anyone signing up for a store card. However, if we ponder about the profiles that are being formed about consumers' shopping habits, then this information is certainly valuable to any marketer.

Thursday, September 07, 2006

Information Commissioner's website

The UK Information Commissioner's website has recently been revamped. There is information about dealing with nuisance calls and spam and environmental information. What is unclear is why put emphasis on environmental information? Anyway, the website also contains details about the upcoming Data Protection Commissioners' conference, which will be held on 2-3rd November 2006 and there will be an open session on the theme "a surveillance society." Finally, on the topic of surveillance, the European Commission has issued a consultation paper (pdf) on the use of surveillance technology in civil society.

Friday, August 11, 2006

Russian Data Protection Law

Not being an expert in Russian law, but this brief article (pdf) did catch my attention. Two new laws, About Personal Data 2006 and (160-03) and About Information, Information Technologies and Protection of Information 2006 (No. 149-03) were signed by the President Vladimir Putin on July 27, 2006. This would mean that the law on personal data will take effect in February 2007, bringing Russia into line with the other European countries that have enacted data protection laws.
The laws are meant to give effect to the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, ratified by Russia last year....

About Personal Data (The Personal Data Act) regulates the processing of personal data by Russia’s federal and regional governments, municipal authorities, legal entities and natural persons. It applies to both automatically and manually processed data. The aim is to protect an individual’s rights and freedoms, in particular the right to privacy, and private and family secrets...

The data protection laws are certainly beginning to make its headway. May it long continue...

Wednesday, August 02, 2006

28th International Data Protection and Privacy Commissioner's Conference

The 28th International Data Protection and Privacy Commissioners' Conference will be held in London on the 2 and 3 November 2006 and hosted by the Information Commissioner. One of the main themes of discussion will be surveillance. The ICO has commissioned a report into the the theme "Are we sleep walking into a surveillance society? The threats to individuals and the challenges for data protection authorities."

One of the challenges facing us today is the amount of personal information that can be collected, be it on the internet, supermarket or at our place of work. The Data Protection Act 1998, which implements the Data Protection Directive 95/46EC goes some way to regulate the collection of personal data. With the subject of ID cards raising its head again and the possibility of a national ID card database, the question is not so much about whether we are sleep walking into a surveillance society, but the implications (socially or politically) about the personal information that are collected of an individual/group of individuals? There is much scope for debate, but for an interesting read, see David Brin's work The Transparent Society.

Wednesday, July 19, 2006

UK Spam laws

I came across an article about strengthening the UK anti-spam laws introduced back in 2003. The Privacy and Electronic Communications Regulations was introduced to implement the Directive on Privacy and Electronic Communications 2002/58/EC. Yet, three years on, the law has been criticised for its weakness in not stopping spam being sent to businesses. From a legal standpoint, this is interesting given that the regulations were originally intended to prevent spam being sent to individuals. In its latest annual report (pdf), the UK Information Commissioner's Office took the view that the powers confered under the Privacy and Electronic Communications Regulations were insufficient to deal with the problem of spam. This is particularly the case when spam originates from countries outside the EU. Certainly, more can be done, but one will wait and see whether the government consider revising its laws.

Tuesday, July 04, 2006

ICO E-Newsletter

The UK Information Commissioner has published its first e-newsletter (April 2006). Certainly, a good idea and raises more awareness of data protection issues. Also includes a link to the report arising from the one-day conference "Data protection: the next 21 years".

Interesting Reading

I came across a recent article that described the current state of developments on data protection in Singapore. The article is entitled European Union Data Protection Directive: Adequacy of Data Protection in Singapore. My initial thoughts when reading this was that Singapore did not have any data protection laws as yet and even though there has been some discussion about whether to introduce such laws, to date, this has not yet materialised. In any case, the article is well worth reading and in some respects, I do agree that with the suggestions for introducing a framework to meet the requirements of the European Data Protection Directive. As a taster, here is the abstract:

The European Union Data Protection Directive requires member states to place restrictions on transfers of personal data to countries that cannot guarantee an adequate level of data protection. Countries that do guarantee adequate protection enjoy a smooth business environment and an enhanced ability to participate in trade. In this paper I examine the adequacy of Singapore’s data protection regime, and in particular the Model Data Protection Code. I suggest various amendments to the regime to enable Singapore to meet the Directive requirements. To carry out the assessment,I use a framework developed by the Article 29Working Party, the body that in practice carries outthe official adequacy assessments for the EU.

Friday, June 23, 2006

US privacy laws

Well, I have been taking a break from this, having been putting my head down with writing. Anyway, returning to my usual blog, I came across a recent press release that caught my attention. According to the this press release, some of the major tech companies including Google and Microsoft are calling for stronger privacy laws in the US.

The time has come for a serious process to consider comprehensive harmonized federal privacy legislation to create a simplified, uniform but flexible legal framework," said the CPL Forum's statement. "The legislation should provide protection for consumers from inappropriate collection and misuse of their personal information and also enable legitimate businesses to use information to promote economic and social value.

Whilst such efforts for stronger privacy laws in the US should be commendable, it is unclear whether the laws will in anyway be modelled on the European model on data protection. One can only await to see whether their calls are brought to fruition!

Saturday, June 10, 2006

Data Protection Award

This is the first time I have heard, but there is a European award for best practice in data protection. According to the press release, the UK Information Commissioner is encouraging the public sector organisations to put in an application which must be received by 5 October 2006. The criteria is as follows:

  • procedures in place for ensuring quality of the personal data processed
  • design of an efficient system for furnishing mandatory information to citizens
  • respectful and efficient procedures to manage consent
  • existence of specific rules or procedures for processing sensitive data
  • security measures in place
  • procedures for the communication or disclosure of data to third parties
  • arrangements in place for access to the data by third parties
  • the planning and design of procedures which enable people to access and challenge content, and seek any correction or deletion
More information can be obtained from the Information Commissioner. Well, it is another way of raising awareness of data protection laws and promoting good practice! Why not!

Wednesday, June 07, 2006

ECJ judgment available

Following the ruling by the European Court of Justice (ECJ) on the joined Cases C-317/04 and C-318/04 European Parliament v Council and Commission on 30 May 2006 concerning the EU-US agreement that required airlines to transfer the personal data of their passengers to the US authorities, the judgment is now available.

The ECJ held that the Council Decision 2004/496/EC of 17 May 2004 on the conclusion of an Agreement between the European Community and the USA on the processing and transfer of Passenger Name Record ("PNR") data by Air Carriers to the US Department of Homeland Security, Bureau of Customs and Border Protection (see the Department's fact sheet on the agreement), and Commission Decision 2004/535/EC of 14 May 2004 on the adequate protection of personal data contained in the PNR of air passengers transferred to the United States Bureau of Customs and Border Protection, should be annulled.

Well, time to read up on the judgment!

Wednesday, May 31, 2006

Interesting article

I came across an interesting article that was published in the latest issue of the Computer Law and Security Report. The title of the article was on the Directive 95/46/EC: Ten years after. Yes, it is correct. It has been 10 years since the Data Protection Directive 95/46/EC was passed. A quick glance at the abstract will show this:

A birthday offers a unique opportunity to remember what has already been achieved along the way and to envisage what comes net, taking into account the lessons of the past. This paper offers some reflections on 10 years of experience with the Data Protection Directive. The following comments are offered in the knowledge that they will cover the whole picture and may well be considered partial.

For anyone who has studied data protection, undoubtedly, 10 years is a remarkable achievement for the Data Protection Directive 95/46/EC (hereafter "DPD") with all the member states of the European Union having implemented the DPD within their national laws. However, and there comes the "But", there are still areas that the DPD does not adequately address. Indeed, the article picks up on some of the points.

1) Is the Directive effectively applied? According to the Privacy Eurobarometers survey in 2003, the results indicate that if 'privacy is a concern, the legal guarantees and requirements are broadly being ignored and are not, therefore, very effective.

2) The role of the data protection authorities - Again, the Eurobarometers survey show that the lack of impact that data protection authorities have had. One should note that the survey was back in 2003, so it is not clear whether this situation has improved. In my view, however, I do not entirely agree with this. If one considers the work of the UK Information Commissioner (IC), the office has been quite proactive in raising the attention of businesses to comply with the Data Protection Act 1998. Furthermore, the IC has recently called for stricter penalties for those who obtain personal data without permission of the data subject.

3) Increasing role of the Art. 29 Working Party - The Art. 29 Working Party was established under the Data Protection Directive and is responsible for giving advice and recommendations to European institutions on privacy issues. It has produced a number of opinions including the application of data protection to RFID; internet issues and so on.

I could go on, but 10 years is an achievement, but also a cause for reflection. This is particularly the case, when looks at the recent judgment by the European Court of Justice in Lindqvist. Certainly, there have been tensions between the protection of privacy and the freedom of expression and one would even say that it is felt more in Sweden. There is still more work that needs to be done to raise the awareness of data protection issues.

Finally, one should not underestimate the impact of the DPD. Already some countries (outside the EEA) have introduced laws that are similar to the DPD. Examples include Hungary and Switzerland. On the Asian side, Hong Kong already has data protection laws; Japan has introduced privacy laws and one awaits to see whether Singapore will do the same.

Tuesday, May 30, 2006

Transfer of Passenger Data

The European Court of Justice has blocked the EU-US agreement to transfer airline passenger data to the US authorities. The main reason (I have yet to read the legal judgment) is that the decision was not founded on an "appropriate legal basis." You can read more at the BBC press release. The legal action was brought by the Council and the European Commission and was based on the Data Protection Directive 95/46/EC. I have still yet to explore the implications of this decision. I don't think we will have heard the last of this. Here is a quote from the same press release.
As the executive officer of the British Air Transport Association Bob Preston told the BBC European airlines could potentially be left in a "difficult position, between a rock and a hard place". "If we don't supply the information to the United States authorities then we're liable to fines of up to $6,000 per passenger and the loss of landing rights," he said. "And if we do supply the data, potentially we're breaking the law [on data protection].

Wednesday, May 24, 2006

Semantic Web and Privacy

There was an article about the semantic web and why this may be a problem with privacy. According to one academic:

Privacy problems could occur, he said, because the semantic web deliberately combines multiple sources of information about people and places.

However, even if semantic web should create a problem for privacy, I think it would be naive to think that privacy even exists on the internet. For example, if someone had created a web page and included their personal information, then he/she had waived some of their rights to their privacy by making some of their personal details available to the public. Probably, a more pertinent example is companies/individuals collecting information about other users online. A recommended book to read is Solove's book on The Digital Person!

Thursday, May 18, 2006

Art. 29 Working Party to investigate the processing of personal data in the health insurance sector

According to the latest press release (pdf), the Art. 29 Working Party is launching an investigation into the processing of personal data in the private health sector early March 2006. The principal aim is to 'analyse whether and how the data protection regulations are being complied with in the private health insurance sector across the EU.'

The investigation will be carried out through a questionnaire which is the same for each EU Member State, with questions focused on six areas in which data processing plays a particularly important role. The responses received will be evaluated both at national and at EU level. Based on the results, the Article 29 Working Party could subsequently decide to issue practical guidance for the sector at large and identify areas for future action with a view to improving compliance in the least burdensome way.

One awaits to see the results of these developments. One would not be surprised with the varied approaches adopted by each member state towards the protection of personal data in the private health sector, taking into account that data relating to the health of the data subject constitutes the processing of "sensitive data" as defined under Art. 8 of the Data Protection Directive 95/46/EC. Therefore, stricter measures are imposed under Art. 8 when processing such data.

Saturday, May 13, 2006

Stronger data protection laws

I was listening to a radio interview yesterday and Richard Thomas, the UK Information Commissioner had argued for stricter penalties under the current Data Protection Act 1998 when individual's personal information were being sold. He has written a report entitled What price privacy? which 'reflects his deep concern that confidential information can be too easily obtained improperly from public and private organisations, causing significant harm and distress to individuals.' I do agree with his views about the ease with which personal information can be obtained and raising the threshold for penalities. One awaits to see whether there will be any changes made to the existing Data Protection Act 1998.

Monday, May 08, 2006

FOI request

I recently made a freedom of information request to the UK Information Commissioner concerning the number of complaints involving the processing of personal data on the internet. I have finally received a reply. Unfortunately, the office cannot give me the number of complaints that they receive because their electronic system does not enable them to search through a specific criteria (ie. keyword search). What was interesting however, was their response to information published on the websites.

We have in the past received correspondence about data published on websites run by private individuals, such as amateur genealogy websites and personal home pages. Processing in these cases is often exempt from the DPA (Data Protection Act 1998) by virtue of the exemption at section 36 (which states that personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the DPA.

Although this approach is pragmatic, it does not take account of the narrow interpretation given by the European Court of Justice in Lindqvist of Art. 3(2) of the Data Protection Directive on domestic purposes and presents a particular problem. Is this provision (section 36) in line with Art. 3(2) Data Protection Directive? I have yet to consult my legal colleagues on this matter, but I am beginning to wonder whether the Data Protection Act and its application on the internet has any relevance in the UK? Perhaps I should write an article on this.

Sunday, May 07, 2006

Interesting developments

I have been away for a conference and the paper I gave was well received. I expect that the paper will be published at some point.

Anyway, returning to this, I received some interesting news about data protection developments. According to the Irish Times,

Ireland's Minister for Justice, Equality and Law Reform, Michael McDowell, is currently drafting the core elements of a new Privacy Bill. Rather than granting citizens new rights, the legislation will more clearly illustrate rights currently available under the Constitution and the European Convention on Human Rights.

Secondly, a government committee in Singapore is studying how well Singapore laws protect the privacy of personal information. It aims to produce its recommendations by the middle of this year. To date, there is no Singapore data protection laws and it appears quite odd to me that there is no appetite to introduce legislation on data protection. There is one article written on the Singaporean developments in the International Journal of Law and Information Technology.


Thursday, April 27, 2006

Guidance on Outsourcing

The UK Information Commissioner has issued some guidance on outsourcing. This is particularly important if companies intend to outsource their operations to countries outside the EEA because Art. 25 of the Data Protection Directive 95/46/EC (DPD) prohibits the transfer of personal data to third countries (outside the EEA) unless it satisfies the adequacy requirement under Art. 25 DPD. This is implemented under the 8th data protection principle of Schedule 1, Data Protection Act 1998. There are exemptions to Art. 25 under Art. 26 including obtaining consent from the data subject (customers/staff etc); transfer is necessary for the conclusion or performance of a contract and so forth. For more details, see:

Monday, April 24, 2006

Data Retention Directive

The Data Retention Directive 2006/24/EC (pdf) is now available. However, according to latest news reports, the US has taken an interest in the Directive. What is unclear is whether they will follow the EU's example.

In the meantime, it will be worth reading the Data Retention Directive. At first glance, the Directive should be implemented by 15 September 2007 (Article 15). The application of the Directive to the retention of communications data relating to internet access, internet telephony and email can be postponed by each member state until 15 March 2009. Art. 15(3) provides as follows:

Until 15 March 2009, each Member State may postpone application of this Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail. Any Member State that intends to make use of this paragraph shall, upon adoption of this Directive, notify the Council and the Commission to that effect by way of a declaration. The declaration shall be published in the Official Journal of the European Union.

Saturday, April 22, 2006

Panel discussion

With two weeks to go before I present (at a conference on privacy), there is a panel discussion that I will be involved in with two other academics. The theme of the panel discussion is Privacy: inroads and threats to privacy. One is reminded of Scott McNealy's famous words back in 1999 "You have zero privacy anyway--Get over it".

We should not forget that privacy is not absolute and the law (Art. 8 of the European Convention of Human Rights) provides for exceptions to the protection of privacy. Has technology eroded privacy? To a greater extent - examples I can think of include RFIDs; mobile phones which have a camera facility as well as a possibility of revealing the location of individuals; computer databases of individual profiles etc. One book worth reading is Daniel Solove's book entitled The Digital Person. Technology has moved on in great strides with legislation trailing behind. In any case, I'm not entirely convinced that legislation is necessarily the best approach to deal with the protection of privacy. In other words, let technology deal with technological problems. For example, if you find spyware on your computer, you use software to remove it. Laurence Lessig's book on Code and other laws of cyberspace is also another book worth reading!

Conference

Just a reminder that there will be the Privacy Laws & Business 19th Annual International Conference. The theme is:

Privacy Crisis Ahead?
Investing enough in data protection to strengthen and defend your reputation

July 3-5th, 2006, St. John's College, Cambridge, UK

Programme is available at www.privacylaws.com/pdfs/annualconference/ac19programme.doc

As I will be unable to attend, anyone who attends, let me know how it goes.

Monday, April 17, 2006

Further reading

As this is the bank holiday, I was reading through the latest developments on data protection and freedom of information. For those who want to do further reading, see:

Phishing

I received an email purporting to be from PayPal and asking for login details to PayPal account. Having researched and worked in the field of data protection, I decided to look at the link (see http://www.paypal.com/cgi-bin/webscr?cmd=login-run). This is an exact copy/replicate of PayPal website. You can email PayPal at spoof@paypal.com so that they can check whether this is genuine. Again, if you receive emails asking for personal details, it is always advisable to delete this and doublecheck with the company by forwarding the email to the company. Anyway, there are a few websites on phishing activities.

See

Wednesday, April 12, 2006

DTI Survey

In the latest UK DTI survey, it was found that UK businesses were still failing to protect an individual's personal information.

With increasing amounts of business being conducted online, data protection is ever more important, the DTI said. While most large organisations have adopted best practices regarding network and data protection, small companies have not. Fewer than a third of them encrypted the data they received.

This is particularly worrying for individuals who regularly use the internet, whether for buying goods, checking their bank statements etc. The UK Information Commissioner has provided guidance about the Data Protection Act 1998, but more needs to be done to raise awareness amongst the smaller businesses that it is vitally important to adhere to the Data Protection Act 1998. In particular, the seventh data protection principle (schedule 1 DPA 1998) requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

For more details see:

Tuesday, April 11, 2006

Art. 29 Working Party's opinion on the retention of data

The Art. 29 Working Party (established under Art. 29 Data Protection Directive) has published its recent opinion on the retention of data. It takes the following view:


Therefore, the Art. 29 Working Party proposes a uniform, European-wide implementation of the Directive. This approach should guarantee a harmonized application of the provisions of the Directive whilst respecting the highest level possible of protecting personal data. This should also be done with a view to reducing the considerable costs to be borne by the service providers when complying with the provisions of the Directive. In order to transpose the provisions of the Directive in a uniform way and to comply with the requirements of Article 8 of the European Convention on Human Rights, Member States should implement adequate and specific safeguards.

We do not yet have the actual Directive, but here is the latest draft (pdf) to the retention of data. See also:

Friday, April 07, 2006

Photographs and privacy

Here is another press release about a photo published without the consent of the individual in the photo. According to the Press Complaints Commission, the photo was published in a newspaper article. I will not go into details of the case. The Press Complaints Commission has ruled, however, that the publication of a photo of the individual in his home without his consent was a breach of his privacy. It is interesting to note that the photo was taken in the complainant's home and not in public.
Although the Press Complaints Commission self-regulates the newspaper/magazine industry in the UK to ensure that they (newspapers/magazines) follow the codes of practice, we should not forget that there is the UK Data Protection Act 1998.
Some cases that came to mind (and may be of interest) are the decisions (by the House of Lords) in Campbell v MGN and the European Court of Human Rights in the Von Hannover v Germany. Both were concerned with the publication of details concerning the complainant's private lives. However, the European Court of Human Right's decision was far-reaching because it held that photos taken in public of public figures had to fulfil this condition: Pictures that were published in newspapers had to show that they were serving the 'public interest', there has to be some contribution towards a debate of general interest.
I could go on, but it would be more appropriate to have this written in an article. Food for thought!

Guidance from the ICO on buying and selling a database

I have been slightly pre-occupied over the last few days, having had to attend and chair a conference. I heard some very interesting papers and discussions.
Anyway, returning to my usual blog, I came across a few press releases on data protection. The UK Information Commissioner has published some guidance on buying and selling a database. The guidance is clear in stating that it is not a breach of the UK Data Protection Act 1998 to sell a database containing customers' details. However, companies/organisations (who plan to do this) must meet certain conditions/requirements. This includes obtaining the customer's consent and making sure that the customer understands the purpose for which the data was originally collected.
Guidance in this area is long overdue. However, it is still unclear the extent to which these databases are sold to other companies and whether customers know that their data are being transferred. More research and awareness in this area is much needed.
Guidance can be found here (pdf).

Monday, April 03, 2006

A good read!

I have almost finished reading the book entitled Just Law by Baroness Helena Kennedy and would recommend it to anybody who has not read this. Not only does the book cover issues such as the legal profession, criminal justice and police powers, there is even a section on "Big brother" (including ID cards). It is well-argued and written in such a way that anybody (without a legal background) is able to understand. Definitely worth reading!

Friday, March 31, 2006

Compromise on ID Cards

A compromise has finally been reached on the UK ID cards bill. Anyone who applies for a passport will not need to apply for an ID card until 2011, but their details will be put on a national ID database. The House of Lords have finally supported this compromise by 287 votes to 60. What is still uncertain is how much these ID cards will cost and who has access to the national ID database?
Under clause 22 of the bill, a National Identity Scheme Commissioner will be appointed whose principal role will be to supervise the operation of this bill (once enacted). Clause 17-21 inclusive are relevant in determining the circumstances under which information about an individual can be provided. This includes a government department (under clause 17(5)) and where it was necessary in the public interest (clause 17(7)). One awaits to read the final version of the bill when it becomes law, but certainly, there are more questions that need to be answered.
Links:

Tuesday, March 28, 2006

ID cards rejected for the 5th time

I received a press release that the ID cards Bill has been rejected by the House of Lords for the 5th time. This time, it was by a majority of 28 (219-191). The main issue is whether ID cards should be linked to passport applications - the HL argue that this should be voluntary and not a compulsory measure. The Bill will now go back to the House of Commons.

Here are the links to:

Tor system

I was listening to the latest podcast and found an interesting development about anonymizing internet communications. The system is called Tor.
Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.
Anyway, for more details, visit their website or listen to the podcast!

Friday, March 24, 2006

Internet privacy case

I came across this latest press release about legal action being brought against Gratis, an internet company based in Washington DC. According to the reports, the New York Attorney General Eliot Spitzer has filed suit against Gratis on the grounds that it had sold personal information obtained from millions of consumers despite a promise of confidentiality. Allegations include selling access to lists of millions of Gratis’s customers to three independent email marketers.

For more, see:

Google

The court in California has ruled that Google should hand over some search data (including 50,000 web addresses) to the Department of Justice, but the Judge has denied request that a list of people's search requests should be handed over.

"The expectation of privacy by some Google users may not be reasonable," Judge Ware wrote, "but may nonetheless have an appreciable impact on the way in which Google is perceived, and consequently the frequency with which users use Google."

Questions should be raised over the extent in which Google holds the search requests of users. How long is it held and what are their policies? The Data Protection Directive 95/46/EC stipulates the conditions under which personal data are processed and applies within the European Union. The Directive on Privacy and Electronic Communications 2002/58/EC specifies the conditions under which "traffic data" (Art. 6) and "location data" (Art. 9) are held. More discussion and awareness is needed (whether academics, practitioners or the public) about the laws that apply to search engines.

See also:

Thursday, March 23, 2006

Freedom of Information Website

The freedom of information website has recently been revamped with a new design. It continues to provide useful information about this area. Certainly, it is relevant when we look at how the roles of the data protection commissioners have changed (to include oversight of freedom of information laws). The aim of the website is to provide a:

One-stop portal for critical resources about freedom of information laws and movements around the world. The site describes best practices and lessons learned, compares campaign strategies, and links the efforts of freedom of information advocates globally.

Anyway, well worth visiting!

Wednesday, March 22, 2006

Latest on ID Cards Bill

In this battle over the ID cards bill, the House of Commons have rejected the compromise by the House of Lords to make the scheme of ID cards voluntary until 2011. Therefore, anyone applying for a passport would be required to apply for an ID card from 2008. So the bill now returns to the House of Lords.

Tuesday, March 21, 2006

ID Cards - part 2

Further to my earlier blog on ID cards bill, the House of Lords (HL) had rejected the ID cards bill yesterday and have suggested a compromise proposal to keep the scheme voluntary until 2011 – after the next general election. I am including:

We await to see whether the House of Commons will accept this compromise.

ID cards - latest

I am beginning to lose count over the number of times the ID cards bill is being sent from one House to another. Today, we will expect more discussion about the ID cards in the House of Commons. If the latest news reports are correct, then we may see a compromise made by the Liberal Democrats and Conservative peers in the House of Lords should the amendments be rejected by the House of Commons. According to the reports, it is suggested that the Bill's requirement that people must get an ID card when applying for a passport is voluntary for five years and will become compulsory in 5 years ie. 2012. I am including a link to the progress of the ID cards. We'll have to wait and see what developments arises, but hopefully, the Parliament Act will not be invoked to force this Bill through.

See also the latest blog:

Thursday, March 16, 2006

ID cards - defeat in the House of Lords for the third time

The amendments to the ID cards bill have been rejected by the House of Lords by 218 to 183 (a majority of 35) for the third time and will return to the House of Commons for another debate. The main area of concern is that people should not be compulsorily added onto a national database and be required to apply for an ID card when they renew or apply for their passport. One awaits to see whether the Parliament Acts would be invoked. It raises questions however, about the government's initial idea that ID cards would be voluntary.

Wednesday, March 15, 2006

The latest on Google

There have been some press releases circulating about the likely verdict that the judge may give the Google case concerning the Justice Department's (DoJ) request to some search results by users. If the reports are correct, the demands by the DoJ have been reduced

The Department is now seeking only 50,000 web addresses, of which it says it will look at 10,000. It has also reduced the number of search queries sought – down to 5,000 from one million. Of these, the Department says it will only look at 1,000.


However, there was also a hint by the judge that Google may have to comply with the demand for requests.

I think we will will have to wait until the judge makes the final decision rather than speculate the outcome, but once again, one will question how long Google or any other search engine company stores search engine results and what their policies are with regard to the retention of data (such as internet search engine requests). This brings me to the Data Retention Directive, but I will return to this issue at a later date.

See also:

Tuesday, March 14, 2006

Google case

In the latest press release, Google is set to challenge the US's government's demands to hand over records and lists of data derived from Google's search engines today in court. Google argues the following:

Firstly, Google says it does not want to do the government's work for it, and secondly it says that it wants to protect its product. Thirdly, Google wants to show users that the company is serious about protecting their privacy.


In any case, questions are/will be raised on the extent Google holds users' data and whether users, as data subjects can request information held by Google either through their search engines or their email service. It would easier to make a data subject request if the user subscribed to Google's email service (now renamed Google mail) because there is the issue of proving one's identity for data inputted on a search engine. One will wait to see what the court's verdict will be.

Monday, March 13, 2006

Rome II regulation - amendments

I was reading through the latest blog, which referred to the recent amendments made to the proposed Rome II regulation on the law to be applicable to non-contractual relations. Several changes have been made to the proposed regulation.
For our purposes, however, it was the original Art. 6 on privacy violations that I was interested in. Just to recap, see my previous blog. However, reading through the relevant sections in the proposals, it was decided that the original Art. 6 would be deleted because the proposed amendments to Art. 6 would have been too favourable to the press:

Amendment 57 would change the substance of the rule applicable to violations of privacy, particularly by the press. The Commission cannot accept this amendment, which is too generous to press editors rather than the victim of alleged defamation in the press and does not reflect the solution taken by a large majority of Member States. Since it is not possible to reconcile the Council’s text and the text adopted by Parliament at first reading, the Commission considers that the best solution to this controversial question is to exclude all press offences and the like from the proposal and delete Article 6 of the original proposal. Other privacy violations would be covered by Article 5.

The proposed Article 5 now reads as follows:
1. Where no choice has been made under Article 4, the law applicable to a non-contractual obligation shall be the law of the country in which the damage arises or is likely to arise, irrespective of the country in which the event giving rise to the damage occurred and irrespective of the country or countries in which the indirect consequences of that event arise.
2. However, where the person claimed to be liable and the person sustaining damage both have their habitual residence in the same country when the damage occurs, the non-contractual obligation shall be governed by the law of that country.
3. Notwithstanding paragraphs 1 and 2, where it is clear from all the circumstances of the case that the non-contractual obligation is manifestly more closely connected with another country, the law of that other country shall apply. A manifestly closer connection with another country may be based in particular on a pre-existing relationship between the parties, such as a contract that is closely connected with the non-contractual obligation in question. For the purpose of assessing the existence of a manifestly closer connection with another country, account shall be taken inter alia of the expectations of the parties regarding the applicable law.
The proposed Art. 1(2)(h) excludes from the regulation violations of privacy and of personal rights by the media.
My initial reaction is one of disappointment because the original Art. 6 had to be abandoned on the basis of lack of consensus. However, we now have the proposed Art. 5. What is unclear to me is what the Commission means by other privacy violations. Violations committed by individuals other than the press? There will be a number of questions that need to be addressed or at least clarified. I think it is time for further discussion and reading...
Links to the proposed Rome Regulation II:

VoIP - data protection implications

I came across this recent article about Voice Internet Protocol (VoIP) and the data protection implications (pdf) arising from the use of this technology. Some of the concerns include the ease with which individuals can tap into VoIP. Users are reminded to update their VoIP firmware in their end devices. I think that with the gradual take up of VoIP services, there should be more awareness by users and the German Data Protection and Freedom of Information Officer, Peter Schaar is right to point these concerns.

Thursday, March 09, 2006

UK OIC issues updated guidance on Durant

Although the UK Information Commissioner has issued further guidance (pdf) concerning the Durant case, I do not think we should conclude that this is going to be the end of the matter (concerning the interpretation of "personal data"). The European Commission is currently looking at UK's implementation of the Data Protection Directive and Durant is considering of submitting an appeal to the European Court of Human Rights.
In short, the guidance provides that
  • A living individual must be able to be identified from the data in question. In the Durant case, the Court of Appeal did not focus on this element of the definition; and
  • The data must 'relate to' the individual identified. It is this issue with which the Court was most concerned, explaining ‘relate to’ as “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”.

Whatever the case may be, the ruling in Durant stands until we hear anything more.

Tuesday, March 07, 2006

Email tracking services

In the latest press release about email tracking services, Art. 29 Working Party has expressed its strongest disapproval of the service, didtheyreadit.com, from Florida-based Rampell Software, LLC. So, the question is what is the main problem arising under this service? Firstly, the service offers no opportunity to accept or refuse the tracking.

It also provides additional details to senders: the date and time when the email was opened; where, geographically, the email was opened; for how long; and whether it was forwarded.

Subscribers who use Yahoo!, Hotmail or AOL email services can simply add ".didtheyreadit.com" to the end of a recipient's e-mail address to have an email tracked. Users of Outlook simply download a piece of software to add the secret tracking ability.
The recipient's unambiguous consent should be obtained before senders use this type of email tracking service.

While services are being offered (such as the one above) to users, there is still a need for greater awareness by companies to ensure that they do not infringe data protection laws. Otherwise, we may find that recipients to such services invoking the data protection laws to protect their privacy rights!

Monday, March 06, 2006

ID card bill defeated in the HL

Further to my earlier posting, the House of Lords (HL) has defeated the ID card bill by a majority of 61 (227 to 166 against the government). The main area of disagreement is the requirement to have ID cards if anyone applies to renew their passport (or apply for a passport). So, where does that leave us? The bill will now return to the House of Commons for another round of debate. If there is no compromise between the two Houses, then we may see the Parliament Act being invoked.

I am including details of the latest press release, Parlimentlive TV (once the clip is available), the ID card bill and UK OIC's view on ID cards.

Although the bill is going through Parliament, we need to be reminded whether the bill is proportionate or goes further than what is necessary (ie. holding biometric data such as fingerprints/irises)? Similarly, it is hard to see how a database containing everyone's personal data could reconcile with the need to safeguard fundamental data protection principles such as fair processing? This is particularly the case if this data should become available to commercial organisations - no plans as yet, but the possibility is still there and we should not quickly dismiss this option!

ID cards in the House of Lords

The ID cards Bill expected to be debated in the House of Lords (HL) today. The question is whether the HL will accept the amendments agreed by the House of Commons (HC)? Just to recap, the ministers have decided against the need for the government to carry out a report on ID cards (despite uncertainty about the actual costs for ID cards). The HC also agreed that people who apply for their passports (on renewal or first time) are also given ID cards (costs still undecided. However, the 'Home Secretary Charles Clarke had said that a stand-alone ID card would cost £30, while one linked to a passport would cost £93') and have their personal information held on a database. We await to see whether the HL will oppose these amendments.

Thursday, March 02, 2006

Court records online

This latest press release came to my attention, which raises interesting perspectives about how we view personal information online. According to the report, the Administrative Office of Pennsylvania Courts is formulating a policy to govern which records - and what case information - will be available over the Internet.

Larry Frankel, the Pennsylvania legislative director for the American Civil Liberties Union, was among several people who argued that criminal case records should not be on the Internet before a defendant is adjudicated guilty. Frankel said many people wrongly consider an arrest equivalent to a conviction.

The report raises broader issues about the general publication of personal information online. It should be added that the US does not have data protection laws, but have an arrangement known as Safe Harbor between the US and the EU. It is unclear at this stage how much personal information should be included in a court record, but there was some discussion about whether to include date of births. However, there is some concern (see below):

The 13,000-lawyer Philadelphia Bar Association believes posting information about someone who has not been found guilty could unfairly tarnish their reputation, said Alan M. Feldman, the association's chancellor.

Certainly, the potential of confusion between individuals (without further detailed information such as d.o.b) may arise, but at the same time, one is wary about the amount of personal data that should be available in a court record online. This is certainly a difficult area, but it would be interesting to see what kind of policy is formulated.

Wednesday, March 01, 2006

UK IOC publishes Good Practice Note for professionals

Just received a press release that the UK OIC has published a good practice notice (about 3 pages long) for professionals when complying with the Data Protection Act 1998.
The Data Protection Act gives everyone a right to see information that is held about them including any opinions,” said David Smith, Deputy Information Commissioner. “Professionals need to be aware of this and understand what action is required when an individual challenges one of their opinions."
For more on this, see here (pdf).

Tuesday, February 28, 2006

ID cards

I came across the latest press release about ID cards bill in the UK, which (if it is correct) is likely to be opposed by the Tories and Lib Dems in the House of Lords. If this is the case, we are likely to see a delay in the introduction of ID cards, if and when the Bill goes through. As I reiterated in my previous posting, I still cannot see how such an expensive measure (ID cards) could be justified, when there are other proportionate, cost effective ways that could be used. I do not know what the latest public poll is to ID cards, but even if we rely on the last survey back in November, the public is still divided over the issue. See more here.

Saturday, February 25, 2006

Data Retention Directive - latest developments

The latest developments on the Data Retention Directive is that the EU justice and interior ministers have approved the controversial Directive. The storage of data (be it telephone calls or internet) is between 6 to 24 months. It should be added that it is not details about the content of the telephone calls that are stored but rather a record that a telephone call was made. More information of the latest press release can be found here.
As a starting point, see:

Not heard the last of Durant!

I have finally finished writing my paper, but in the process of doing so, there was a press release about the latest saga to the case of Durant.
For those who are unaware of the case of Durant, please see here for more information. Anyway, Durant is expected to submit an application to the ECHR against the UK government. The principle ground is that Durant had suffered a breach of Art. 8(1) ECHR which states that 'everyone has the right to respect for his private and family life, his home and his correspondence.' Once the application is submitted, the Court in Strasbourg has to decide whether Durant has a case and a decision is not expected until several years.
If the court decides to listen to Durant's case, I would be interested to see whether Durant would contend that the state had failed to take positive measures to protect D's right under Art. 8(1) ECHR. For more on privacy and its legal interpretation, I would refer you to a chapter I wrote a few years ago on privacy.

Thursday, February 23, 2006

Photographs and other things....

Still trying to finish writing a paper, but I came across this press release about fining three photographers the equivalent of $1.37 Cdn each for invasion of privacy by taking pictures of Diana, Princess of Wales, and boyfriend Dodi Fayed the night of their fatal 1997 car crash, officials said yesterday. See here for further details.

Sunday, February 19, 2006

Privacy Officer


A report that was recently published by Marketing Improvement found that most firms within the FTSE 100 were unable to respond properly to a request to speak to the company’s Privacy Officer. Only 28% of companies were able to direct the query to the correct person. The recommendation from the report is that companies appoint a Chief Privacy Officer who can deal with queries relating to privacy and data protection. However, the appointment would also assist the company in the compliance of the relevant data protection laws. Much more work still needs to be done to raise the awareness about data protection in companies and the UK Information Commissioner has gone some way to redress this.

For more details about the report, see the link (pdf) here.

Thursday, February 16, 2006

Papers to write

I have been busy trying to write a paper which I hope to submit to a conference in Germany. As it raises some vital questions about data protection and its direction, I am keen that the paper is accepted, so that I am given the opportunity to discuss about this. I can't say anything more on this, but if accepted, I will make this available at some point later in the year.

Diverging from this slightly, Art. 29 Working Party (established under the Data Protection Directive 95/46/EC) has issued a paper on whistleblowing compliance.

The Working Party reported that cultural differences around the EU have made it impractical to issue general guidance at this stage. It has therefore chosen to focus on those areas that need guidance most – especially those affected by new legislation such as the US Sarbanes-Oxley Act, which penalises firms that do not comply with whistleblowing rules.

More details can be found here.

Wednesday, February 15, 2006

Annual report on data protection published

Just a quick note that the latest annual report on data protection by Art. 29 Working Party has been published. It also includes latest caselaw from each country and developments from countries outside the EEA (including Canada and the US).

Singapore to look at laws on privacy

I came across this latest press release about Singapore looking at laws to protect an individual's privacy. A report is expected by October this year, which will not only consider guidelines but also legislation in this area.

Information, Communications and The Arts Minister Lee Boon Yang admits that wider protection for personal information is definitely needed. Dr Lee told Parliament, "We also recognise the need to protect personal data and personal information and the possible misuse of personal information or even identity thefts. This is especially critical as infocomm technology can be misused and distributed with potentially adverse impact on the individuals concerned. MICA appreciates the need to take a wider perspective on data protection. We recognise that an effective data protection regime will be an important pillar to develop Singapore's position as a trusted IT hub."

It is certainly a step in the right direction. I am hoping to present a paper on Asian laws of privacy, so I would be interested to see what developments arise.

Tuesday, February 14, 2006

Phone records

In the latest saga to the sale of cell phone records of users in the US, the House Energy and Commerce Committee leaders are demanding answers from operators of Internet sites like "phonebust.com" and"datafind.org" that offer criminals, stalkers and any other paying customer the detailed records of a person's private calls made on cellular, wire line or Internet-based phones. More details can be found in this latest press release. I don't think we will hear the last of this matter, but if it will halt these illegitimate activities, then it will have achieved something. Whatever outcome, there is a need for stronger legal protection in the US.

Monday, February 13, 2006

ID cards - latest developments


According to the latest report, MPs have voted against making the government carry out a report on costs before introducing identity cards. However, a report is expected on costs every six months for the first 10 years of the scheme being in place. Furthermore, MPs also supported the idea that it would be compulsory for people to be given cards - and put on a register - when they apply for passports. I will say more on this later this week.


Insights

I recently attended a conference on privacy and the discussions that arose made me think about the recent cases of Campbell (supermodel) and Von Hannover case.

What was perhaps surprising was that there was less attention given about privacy on the internet. I say this because there appears to be a focus on the mainstream media such as newspapers (online/offline) and television but nothing on blogging and podcasting (where users do rely as their alternative source of information). Although the conference was both informative and interesting, I would have liked more discussion in these areas.

I would definitely recommend the book entitled Genetic privacy by Graeme Laurie. The book touches on the issues of genetics and its implications on privacy. Worth reading!