Compromise on ID Cards

A compromise has finally been reached on the UK ID cards bill. Anyone who applies for a passport will not need to apply for an ID card until 2011, but their details will be put on a national ID database. The House of Lords have finally supported this compromise by 287 votes to 60. What is still uncertain is how much these ID cards will cost and who has access to the national ID database?

Under clause 22 of the bill, a National Identity Scheme Commissioner will be appointed whose principal role will be to supervise the operation of this bill (once enacted). Clause 17-21 inclusive are relevant in determining the circumstances under which information about an individual can be provided. This includes a government department (under clause 17(5)) and where it was necessary in the public interest (clause 17(7)). One awaits to read the final version of the bill when it becomes law, but certainly, there are more questions that need to be answered.

Links:

• ID cards bill
• BBC: Q&A Identity card plans

ID cards rejected for the 5th time

I received a press release that the ID cards Bill has been rejected by the House of Lords for the 5th time. This time, it was by a majority of 28 (219-191). The main issue is whether ID cards should be linked to passport applications - the HL argue that this should be voluntary and not a compulsory measure. The Bill will now go back to the House of Commons.

Here are the links to:

• House of Lords Debate
• Spy Blog: Identity Cards Bill - before the HL rejected the Bill
  

Tor system

I was listening to the latest podcast and found an interesting development about anonymizing internet communications. The system is called Tor.

Tor is a toolset for a wide range of organizations and people that want to improve their safety and security on the Internet. Using Tor can help you anonymize web browsing and publishing, instant messaging, IRC, SSH, and other applications that use the TCP protocol. Tor also provides a platform on which software developers can build new applications with built-in anonymity, safety, and privacy features.

Anyway, for more details, visit their website or listen to the podcast!

Internet privacy case

I came across this latest press release about legal action being brought against Gratis, an internet company based in Washington DC. According to the reports, the New York Attorney General Eliot Spitzer has filed suit against Gratis on the grounds that it had sold personal information obtained from millions of consumers despite a promise of confidentiality. Allegations include selling access to lists of millions of Gratis’s customers to three independent email marketers.

For more, see:

• The complaint (pdf)
• Office of the New York State Attorney
  
• Out-Law: Website operator charged with privacy breach
  

Google

The court in California has ruled that Google should hand over some search data (including 50,000 web addresses) to the Department of Justice, but the Judge has denied request that a list of people's search requests should be handed over.

"The expectation of privacy by some Google users may not be reasonable," Judge Ware wrote, "but may nonetheless have an appreciable impact on the way in which Google is perceived, and consequently the frequency with which users use Google."

Questions should be raised over the extent in which Google holds the search requests of users. How long is it held and what are their policies? The Data Protection Directive 95/46/EC stipulates the conditions under which personal data are processed and applies within the European Union. The Directive on Privacy and Electronic Communications 2002/58/EC specifies the conditions under which "traffic data" (Art. 6) and "location data" (Art. 9) are held. More discussion and awareness is needed (whether academics, practitioners or the public) about the laws that apply to search engines.

See also:

• Findlaw: Judge to order Google to give up some data

Freedom of Information Website

The freedom of information website has recently been revamped with a new design. It continues to provide useful information about this area. Certainly, it is relevant when we look at how the roles of the data protection commissioners have changed (to include oversight of freedom of information laws). The aim of the website is to provide a:

One-stop portal for critical resources about freedom of information laws and movements around the world. The site describes best practices and lessons learned, compares campaign strategies, and links the efforts of freedom of information advocates globally.

Anyway, well worth visiting!

Latest on ID Cards Bill

In this battle over the ID cards bill, the House of Commons have rejected the compromise by the House of Lords to make the scheme of ID cards voluntary until 2011. Therefore, anyone applying for a passport would be required to apply for an ID card from 2008. So the bill now returns to the House of Lords.

ID Cards - part 2

Further to my earlier blog on ID cards bill, the House of Lords (HL) had rejected the ID cards bill yesterday and have suggested a compromise proposal to keep the scheme voluntary until 2011 – after the next general election. I am including:

• The compromise amendments by the HL (pdf)
• ID cards bill (pdf)

We await to see whether the House of Commons will accept this compromise.

ID cards - latest

I am beginning to lose count over the number of times the ID cards bill is being sent from one House to another. Today, we will expect more discussion about the ID cards in the House of Commons. If the latest news reports are correct, then we may see a compromise made by the Liberal Democrats and Conservative peers in the House of Lords should the amendments be rejected by the House of Commons. According to the reports, it is suggested that the Bill's requirement that people must get an ID card when applying for a passport is voluntary for five years and will become compulsory in 5 years ie. 2012. I am including a link to the progress of the ID cards. We'll have to wait and see what developments arises, but hopefully, the Parliament Act will not be invoked to force this Bill through.

See also the latest blog:

• Spyblog: ID cards

ID cards - defeat in the House of Lords for the third time

The amendments to the ID cards bill have been rejected by the House of Lords by 218 to 183 (a majority of 35) for the third time and will return to the House of Commons for another debate. The main area of concern is that people should not be compulsorily added onto a national database and be required to apply for an ID card when they renew or apply for their passport. One awaits to see whether the Parliament Acts would be invoked. It raises questions however, about the government's initial idea that ID cards would be voluntary.

See:

• House of Lords: ID cards
• BBC: ID cards: an action network briefing
  

The latest on Google

There have been some press releases circulating about the likely verdict that the judge may give the Google case concerning the Justice Department's (DoJ) request to some search results by users. If the reports are correct, the demands by the DoJ have been reduced

The Department is now seeking only 50,000 web addresses, of which it says it will look at 10,000. It has also reduced the number of search queries sought – down to 5,000 from one million. Of these, the Department says it will only look at 1,000.

However, there was also a hint by the judge that Google may have to comply with the demand for requests.

I think we will will have to wait until the judge makes the final decision rather than speculate the outcome, but once again, one will question how long Google or any other search engine company stores search engine results and what their policies are with regard to the retention of data (such as internet search engine requests). This brings me to the Data Retention Directive, but I will return to this issue at a later date.

See also:

• LA Times: US cuts back request for Google data
• The Digital Collegian: Google: Court ruling would result in slippery slope

Google case

In the latest press release, Google is set to challenge the US's government's demands to hand over records and lists of data derived from Google's search engines today in court. Google argues the following:

Firstly, Google says it does not want to do the government's work for it, and secondly it says that it wants to protect its product. Thirdly, Google wants to show users that the company is serious about protecting their privacy.

In any case, questions are/will be raised on the extent Google holds users' data and whether users, as data subjects can request information held by Google either through their search engines or their email service. It would easier to make a data subject request if the user subscribed to Google's email service (now renamed Google mail) because there is the issue of proving one's identity for data inputted on a search engine. One will wait to see what the court's verdict will be.

• Findlaw: Justice Department v Google (Gonzales v Google)
• Boing Boing: DoJ search requests
  

Rome II regulation - amendments

I was reading through the latest blog, which referred to the recent amendments made to the proposed Rome II regulation on the law to be applicable to non-contractual relations. Several changes have been made to the proposed regulation.

For our purposes, however, it was the original Art. 6 on privacy violations that I was interested in. Just to recap, see my previous blog. However, reading through the relevant sections in the proposals, it was decided that the original Art. 6 would be deleted because the proposed amendments to Art. 6 would have been too favourable to the press:

Amendment 57 would change the substance of the rule applicable to violations of privacy, particularly by the press. The Commission cannot accept this amendment, which is too generous to press editors rather than the victim of alleged defamation in the press and does not reflect the solution taken by a large majority of Member States. Since it is not possible to reconcile the Council’s text and the text adopted by Parliament at first reading, the Commission considers that the best solution to this controversial question is to exclude all press offences and the like from the proposal and delete Article 6 of the original proposal. Other privacy violations would be covered by Article 5.

The proposed Article 5 now reads as follows:

1. Where no choice has been made under Article 4, the law applicable to a non-contractual obligation shall be the law of the country in which the damage arises or is likely to arise, irrespective of the country in which the event giving rise to the damage occurred and irrespective of the country or countries in which the indirect consequences of that event arise.
2. However, where the person claimed to be liable and the person sustaining damage both have their habitual residence in the same country when the damage occurs, the non-contractual obligation shall be governed by the law of that country.
3. Notwithstanding paragraphs 1 and 2, where it is clear from all the circumstances of the case that the non-contractual obligation is manifestly more closely connected with another country, the law of that other country shall apply. A manifestly closer connection with another country may be based in particular on a pre-existing relationship between the parties, such as a contract that is closely connected with the non-contractual obligation in question. For the purpose of assessing the existence of a manifestly closer connection with another country, account shall be taken inter alia of the expectations of the parties regarding the applicable law.

The proposed Art. 1(2)(h) excludes from the regulation violations of privacy and of personal rights by the media.

My initial reaction is one of disappointment because the original Art. 6 had to be abandoned on the basis of lack of consensus. However, we now have the proposed Art. 5. What is unclear to me is what the Commission means by other privacy violations. Violations committed by individuals other than the press? There will be a number of questions that need to be addressed or at least clarified. I think it is time for further discussion and reading...

Links to the proposed Rome Regulation II:

• European Commission: proposal for an EU regulation on the law applicable to non-contractual...
• UK House of Lords Report on Rome Regulation II (pdf)
• Diane Wallis MEP: Rome Regulation II
• ERA: Rome Regulation

VoIP - data protection implications

I came across this recent article about Voice Internet Protocol (VoIP) and the data protection implications (pdf) arising from the use of this technology. Some of the concerns include the ease with which individuals can tap into VoIP. Users are reminded to update their VoIP firmware in their end devices. I think that with the gradual take up of VoIP services, there should be more awareness by users and the German Data Protection and Freedom of Information Officer, Peter Schaar is right to point these concerns.

For more details about this, see:

• VoIP - guidance by the German Data Protection and Freedom of Information (in German)
• VoIP - Part 2 (in German)
• BFDI: Communications
  

UK OIC issues updated guidance on Durant

Although the UK Information Commissioner has issued further guidance (pdf) concerning the Durant case, I do not think we should conclude that this is going to be the end of the matter (concerning the interpretation of "personal data"). The European Commission is currently looking at UK's implementation of the Data Protection Directive and Durant is considering of submitting an appeal to the European Court of Human Rights.

In short, the guidance provides that

• A living individual must be able to be identified from the data in question. In the Durant case, the Court of Appeal did not focus on this element of the definition; and
• The data must 'relate to' the individual identified. It is this issue with which the Court was most concerned, explaining ‘relate to’ as “information that affects [a person’s] privacy, whether in his personal or family life, business or professional capacity”.

Whatever the case may be, the ruling in Durant stands until we hear anything more.

Email tracking services

In the latest press release about email tracking services, Art. 29 Working Party has expressed its strongest disapproval of the service, didtheyreadit.com, from Florida-based Rampell Software, LLC. So, the question is what is the main problem arising under this service? Firstly, the service offers no opportunity to accept or refuse the tracking.

It also provides additional details to senders: the date and time when the email was opened; where, geographically, the email was opened; for how long; and whether it was forwarded.

Subscribers who use Yahoo!, Hotmail or AOL email services can simply add ".didtheyreadit.com" to the end of a recipient's e-mail address to have an email tracked. Users of Outlook simply download a piece of software to add the secret tracking ability.

The recipient's unambiguous consent should be obtained before senders use this type of email tracking service.

While services are being offered (such as the one above) to users, there is still a need for greater awareness by companies to ensure that they do not infringe data protection laws. Otherwise, we may find that recipients to such services invoking the data protection laws to protect their privacy rights!

ID card bill defeated in the HL

Further to my earlier posting, the House of Lords (HL) has defeated the ID card bill by a majority of 61 (227 to 166 against the government). The main area of disagreement is the requirement to have ID cards if anyone applies to renew their passport (or apply for a passport). So, where does that leave us? The bill will now return to the House of Commons for another round of debate. If there is no compromise between the two Houses, then we may see the Parliament Act being invoked.

I am including details of the latest press release, Parlimentlive TV (once the clip is available), the ID card bill and UK OIC's view on ID cards.

Although the bill is going through Parliament, we need to be reminded whether the bill is proportionate or goes further than what is necessary (ie. holding biometric data such as fingerprints/irises)? Similarly, it is hard to see how a database containing everyone's personal data could reconcile with the need to safeguard fundamental data protection principles such as fair processing? This is particularly the case if this data should become available to commercial organisations - no plans as yet, but the possibility is still there and we should not quickly dismiss this option!

ID cards in the House of Lords

The ID cards Bill expected to be debated in the House of Lords (HL) today. The question is whether the HL will accept the amendments agreed by the House of Commons (HC)? Just to recap, the ministers have decided against the need for the government to carry out a report on ID cards (despite uncertainty about the actual costs for ID cards). The HC also agreed that people who apply for their passports (on renewal or first time) are also given ID cards (costs still undecided. However, the 'Home Secretary Charles Clarke had said that a stand-alone ID card would cost £30, while one linked to a passport would cost £93') and have their personal information held on a database. We await to see whether the HL will oppose these amendments.

Court records online

This latest press release came to my attention, which raises interesting perspectives about how we view personal information online. According to the report, the Administrative Office of Pennsylvania Courts is formulating a policy to govern which records - and what case information - will be available over the Internet.

Larry Frankel, the Pennsylvania legislative director for the American Civil Liberties Union, was among several people who argued that criminal case records should not be on the Internet before a defendant is adjudicated guilty. Frankel said many people wrongly consider an arrest equivalent to a conviction.

The report raises broader issues about the general publication of personal information online. It should be added that the US does not have data protection laws, but have an arrangement known as Safe Harbor between the US and the EU. It is unclear at this stage how much personal information should be included in a court record, but there was some discussion about whether to include date of births. However, there is some concern (see below):

The 13,000-lawyer Philadelphia Bar Association believes posting information about someone who has not been found guilty could unfairly tarnish their reputation, said Alan M. Feldman, the association's chancellor.

Certainly, the potential of confusion between individuals (without further detailed information such as d.o.b) may arise, but at the same time, one is wary about the amount of personal data that should be available in a court record online. This is certainly a difficult area, but it would be interesting to see what kind of policy is formulated.

UK IOC publishes Good Practice Note for professionals

Just received a press release that the UK OIC has published a good practice notice (about 3 pages long) for professionals when complying with the Data Protection Act 1998.

The Data Protection Act gives everyone a right to see information that is held about them including any opinions,” said David Smith, Deputy Information Commissioner. “Professionals need to be aware of this and understand what action is required when an individual challenges one of their opinions."

For more on this, see here (pdf).