Wednesday, May 31, 2006

Interesting article

I came across an interesting article published in the latest issue of the Computer Law and Security Report, entitled "Directive 95/46/EC: Ten years after". Yes, that is correct: it has been 10 years since the Data Protection Directive 95/46/EC was passed. A quick glance at the abstract shows this:

A birthday offers a unique opportunity to remember what has already been achieved along the way and to envisage what comes next, taking into account the lessons of the past. This paper offers some reflections on 10 years of experience with the Data Protection Directive. The following comments are offered in the knowledge that they will cover the whole picture and may well be considered partial.

For anyone who has studied data protection, 10 years is undoubtedly a remarkable achievement for the Data Protection Directive 95/46/EC (hereafter "DPD"), with all the member states of the European Union having implemented the DPD in their national laws. However, and here comes the "but", there are still areas that the DPD does not adequately address. Indeed, the article picks up on some of these points.

1) Is the Directive effectively applied? According to the Privacy Eurobarometer survey of 2003, the results indicate that 'if privacy is a concern, the legal guarantees and requirements are broadly being ignored and are not, therefore, very effective.'

2) The role of the data protection authorities - Again, the Eurobarometer survey shows the lack of impact that data protection authorities have had. One should note that the survey dates back to 2003, so it is not clear whether this situation has since improved. In my view, however, I do not entirely agree with this. If one considers the work of the UK Information Commissioner (IC), the office has been quite proactive in drawing the attention of businesses to the need to comply with the Data Protection Act 1998. Furthermore, the IC has recently called for stricter penalties for those who obtain personal data without the permission of the data subject.

3) Increasing role of the Art. 29 Working Party - The Art. 29 Working Party was established under the Data Protection Directive and is responsible for giving advice and recommendations to the European institutions on privacy issues. It has produced a number of opinions, including on the application of data protection to RFID, on internet issues, and so on.

I could go on, but 10 years is an achievement and also a cause for reflection. This is particularly the case when one looks at the judgment of the European Court of Justice in Lindqvist. Certainly, there have been tensions between the protection of privacy and freedom of expression, and one might even say that these are felt more keenly in Sweden. There is still more work to be done to raise awareness of data protection issues.

Finally, one should not underestimate the impact of the DPD. Some countries have already introduced laws similar to the DPD without being EEA members, or before becoming members. Examples include Switzerland and Hungary (whose data protection law predates its accession to the EU in 2004). On the Asian side, Hong Kong already has data protection laws; Japan has introduced privacy laws; and it remains to be seen whether Singapore will do the same.

Tuesday, May 30, 2006

Transfer of Passenger Data

The European Court of Justice has annulled the EU-US agreement to transfer airline passenger data to the US authorities. The main reason (I have yet to read the judgment itself) is that the decision approving the agreement was not founded on an "appropriate legal basis". You can read more in the BBC report. The legal action was brought by the European Parliament against the Council and the European Commission and was based on the Data Protection Directive 95/46/EC. I have yet to explore the implications of this decision, and I don't think we will have heard the last of it. Here is a quote from the same report.

As Bob Preston, executive officer of the British Air Transport Association, told the BBC, European airlines could potentially be left in a "difficult position, between a rock and a hard place". "If we don't supply the information to the United States authorities then we're liable to fines of up to $6,000 per passenger and the loss of landing rights," he said. "And if we do supply the data, potentially we're breaking the law [on data protection]."

Wednesday, May 24, 2006

Semantic Web and Privacy

There was an article about the semantic web and why it may pose a problem for privacy. According to one academic:

Privacy problems could occur, he said, because the semantic web deliberately combines multiple sources of information about people and places.

However, even if the semantic web should create a problem for privacy, I think it would be naive to believe that privacy even exists on the internet. For example, if someone has created a web page and included their personal information on it, then he/she has waived some of their rights to privacy by making some of their personal details available to the public. Probably a more pertinent example is companies or individuals collecting information about other users online. A recommended book on this is Solove's The Digital Person!

Thursday, May 18, 2006

Art. 29 Working Party to investigate the processing of personal data in the health insurance sector

According to the latest press release (pdf), the Art. 29 Working Party launched an investigation into the processing of personal data in the private health insurance sector in early March 2006. The principal aim is to 'analyse whether and how the data protection regulations are being complied with in the private health insurance sector across the EU.'

The investigation will be carried out through a questionnaire which is the same for each EU Member State, with questions focused on six areas in which data processing plays a particularly important role. The responses received will be evaluated both at national and at EU level. Based on the results, the Article 29 Working Party could subsequently decide to issue practical guidance for the sector at large and identify areas for future action with a view to improving compliance in the least burdensome way.

It remains to be seen what these developments produce. One would not be surprised by varied approaches among the member states towards the protection of personal data in the private health sector, bearing in mind that data relating to the health of the data subject falls within the "sensitive data" (special categories of data) defined in Art. 8 of the Data Protection Directive 95/46/EC, and that Art. 8 therefore imposes stricter conditions on the processing of such data.

Saturday, May 13, 2006

Stronger data protection laws

I was listening to a radio interview yesterday in which Richard Thomas, the UK Information Commissioner, argued for stricter penalties under the current Data Protection Act 1998 for cases in which individuals' personal information is sold. He has written a report entitled What price privacy?, which 'reflects his deep concern that confidential information can be too easily obtained improperly from public and private organisations, causing significant harm and distress to individuals.' I do agree with his views about the ease with which personal information can be obtained and about raising the threshold for penalties. It remains to be seen whether any changes will be made to the existing Data Protection Act 1998.

Monday, May 08, 2006

FOI request

I recently made a freedom of information request to the UK Information Commissioner concerning the number of complaints involving the processing of personal data on the internet. I have finally received a reply. Unfortunately, the office cannot give me the number of such complaints it receives because its electronic system does not allow searching by a specific criterion (i.e. a keyword search). What was interesting, however, was the response concerning information published on websites:

We have in the past received correspondence about data published on websites run by private individuals, such as amateur genealogy websites and personal home pages. Processing in these cases is often exempt from the DPA (Data Protection Act 1998) by virtue of the exemption at section 36 (which states that personal data processed by an individual only for the purposes of that individual's personal, family or household affairs (including recreational purposes) are exempt from the DPA).

Although this approach is pragmatic, it does not take account of the narrow interpretation that the European Court of Justice gave in Lindqvist to the "domestic purposes" exception in Art. 3(2) of the Data Protection Directive, and this presents a particular problem. Is this provision (section 36) in line with Art. 3(2) of the Data Protection Directive? I have yet to consult my legal colleagues on this matter, but I am beginning to wonder whether the Data Protection Act, as applied to the internet, has any relevance in the UK. Perhaps I should write an article on this.

Sunday, May 07, 2006

Interesting developments

I have been away for a conference and the paper I gave was well received. I expect that the paper will be published at some point.

Anyway, returning to this blog, I have received some interesting news about data protection developments. According to the Irish Times,

Ireland's Minister for Justice, Equality and Law Reform, Michael McDowell, is currently drafting the core elements of a new Privacy Bill. Rather than granting citizens new rights, the legislation will more clearly illustrate rights currently available under the Constitution and the European Convention on Human Rights.

Secondly, a government committee in Singapore is studying how well Singapore's laws protect the privacy of personal information. It aims to produce its recommendations by the middle of this year. To date, Singapore has no data protection law, and it appears quite odd to me that there is no appetite to introduce legislation on data protection. One article on the Singaporean developments has been published in the International Journal of Law and Information Technology.