Thursday, April 27, 2006

Guidance on Outsourcing

The UK Information Commissioner has issued some guidance on outsourcing. This is particularly important if companies intend to outsource their operations to countries outside the EEA, because Art. 25 of the Data Protection Directive 95/46/EC (DPD) prohibits the transfer of personal data to third countries (outside the EEA) unless the adequacy requirement under Art. 25 DPD is satisfied. This is implemented under the 8th data protection principle of Schedule 1, Data Protection Act 1998. There are exemptions to Art. 25 under Art. 26, including obtaining consent from the data subject (customers, staff, etc.), cases where the transfer is necessary for the conclusion or performance of a contract, and so forth. For more details, see:

Monday, April 24, 2006

Data Retention Directive

The Data Retention Directive 2006/24/EC (pdf) is now available. However, according to the latest news reports, the US has taken an interest in the Directive. What is unclear is whether they will follow the EU's example.

In the meantime, it will be worth reading the Data Retention Directive. At first glance, the Directive should be implemented by 15 September 2007 (Article 15). The application of the Directive to the retention of communications data relating to internet access, internet telephony and email can be postponed by each member state until 15 March 2009. Art. 15(3) provides as follows:

Until 15 March 2009, each Member State may postpone application of this Directive to the retention of communications data relating to Internet Access, Internet telephony and Internet e-mail. Any Member State that intends to make use of this paragraph shall, upon adoption of this Directive, notify the Council and the Commission to that effect by way of a declaration. The declaration shall be published in the Official Journal of the European Union.

Saturday, April 22, 2006

Panel discussion

With two weeks to go before I present (at a conference on privacy), there is a panel discussion that I will be involved in with two other academics. The theme of the panel discussion is Privacy: inroads and threats to privacy. One is reminded of Scott McNealy's famous words back in 1999 "You have zero privacy anyway--Get over it".

We should not forget that privacy is not absolute and the law (Art. 8 of the European Convention on Human Rights) provides for exceptions to the protection of privacy. Has technology eroded privacy? To a greater extent - examples I can think of include RFIDs; mobile phones which have a camera facility as well as the possibility of revealing the location of individuals; computer databases of individual profiles etc. One book worth reading is Daniel Solove's The Digital Person. Technology has moved on in great strides, with legislation trailing behind. In any case, I'm not entirely convinced that legislation is necessarily the best approach to deal with the protection of privacy. In other words, let technology deal with technological problems. For example, if you find spyware on your computer, you use software to remove it. Lawrence Lessig's Code and Other Laws of Cyberspace is another book worth reading!


Just a reminder that there will be the Privacy Laws & Business 19th Annual International Conference. The theme is:

Privacy Crisis Ahead?
Investing enough in data protection to strengthen and defend your reputation

July 3-5th, 2006, St. John's College, Cambridge, UK

Programme is available at

As I will be unable to attend, anyone who attends, let me know how it goes.

Monday, April 17, 2006

Further reading

As this is the bank holiday, I was reading through the latest developments on data protection and freedom of information. For those who want to do further reading, see:


I received an email purporting to be from PayPal and asking for the login details to a PayPal account. Having researched and worked in the field of data protection, I decided to look at the link (see This is an exact copy/replica of the PayPal website. You can email PayPal at so that they can check whether this is genuine. Again, if you receive emails asking for personal details, it is always advisable to delete them and double-check with the company by forwarding the email to the company. Anyway, there are a few websites on phishing activities.


Wednesday, April 12, 2006

DTI Survey

In the latest UK DTI survey, it was found that UK businesses were still failing to protect an individual's personal information.

With increasing amounts of business being conducted online, data protection is ever more important, the DTI said. While most large organisations have adopted best practices regarding network and data protection, small companies have not. Fewer than a third of them encrypted the data they received.

This is particularly worrying for individuals who regularly use the internet, whether for buying goods, checking their bank statements etc. The UK Information Commissioner has provided guidance about the Data Protection Act 1998, but more needs to be done to raise awareness amongst smaller businesses that it is vitally important to adhere to the Data Protection Act 1998. In particular, the seventh data protection principle (Schedule 1, DPA 1998) requires that appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

For more details see:

Tuesday, April 11, 2006

Art. 29 Working Party's opinion on the retention of data

The Art. 29 Working Party (established under Art. 29 Data Protection Directive) has published its recent opinion on the retention of data. It takes the following view:

Therefore, the Art. 29 Working Party proposes a uniform, European-wide implementation of the Directive. This approach should guarantee a harmonized application of the provisions of the Directive whilst respecting the highest level possible of protecting personal data. This should also be done with a view to reducing the considerable costs to be borne by the service providers when complying with the provisions of the Directive. In order to transpose the provisions of the Directive in a uniform way and to comply with the requirements of Article 8 of the European Convention on Human Rights, Member States should implement adequate and specific safeguards.

We do not yet have the actual Directive, but here is the latest draft (pdf) on the retention of data. See also:

Friday, April 07, 2006

Photographs and privacy

Here is another press release about a photo published without the consent of the individual in the photo. According to the Press Complaints Commission, the photo was published in a newspaper article. I will not go into details of the case. The Press Complaints Commission has ruled, however, that the publication of a photo of the individual in his home without his consent was a breach of his privacy. It is interesting to note that the photo was taken in the complainant's home and not in public.

Although the Press Complaints Commission self-regulates the newspaper/magazine industry in the UK to ensure that they (newspapers/magazines) follow the codes of practice, we should not forget that there is the UK Data Protection Act 1998.

Some cases that came to mind (and may be of interest) are the decisions of the House of Lords in Campbell v MGN and of the European Court of Human Rights in Von Hannover v Germany. Both were concerned with the publication of details concerning the complainants' private lives. However, the European Court of Human Rights' decision was far-reaching because it held that photos taken in public of public figures had to fulfil this condition: pictures published in newspapers had to show that they were serving the 'public interest', that is, there has to be some contribution towards a debate of general interest.

I could go on, but it would be more appropriate to have this written in an article. Food for thought!

Guidance from the ICO on buying and selling a database

I have been slightly preoccupied over the last few days, having had to attend and chair a conference. I heard some very interesting papers and discussions.

Anyway, returning to my usual blog, I came across a few press releases on data protection. The UK Information Commissioner has published some guidance on buying and selling a database. The guidance is clear in stating that it is not a breach of the UK Data Protection Act 1998 to sell a database containing customers' details. However, companies/organisations (who plan to do this) must meet certain conditions/requirements. These include obtaining the customer's consent and making sure that the customer understands the purpose for which the data was originally collected.

Guidance in this area is long overdue. However, the extent to which these databases are sold to other companies, and whether customers know that their data are being transferred, is still unclear. More research and awareness in this area are much needed.

Guidance can be found here (pdf).

Monday, April 03, 2006

A good read!

I have almost finished reading the book entitled Just Law by Baroness Helena Kennedy and would recommend it to anybody who has not read it. Not only does the book cover issues such as the legal profession, criminal justice and police powers, there is even a section on "Big brother" (including ID cards). It is well argued and written in such a way that anybody (without a legal background) is able to understand it. Definitely worth reading!