Tuesday, December 18, 2007

Petition on Data Security Breaches

Came across this petition:

"We the undersigned petition the Prime Minister to require all organisations notify customers immediately of any personal data security breaches."

"The UK Government waited more than 10 days before telling Parliament and the Public it has accidentally lost sensitive personal details of 25 million individuals.

Under current US laws, the Government would have had to notify immediately.

The petition calls on the Prime Minister to place a legal duty on public and private sector organisations, so that affected customers are informed immediately if the security of their personal data has been compromised.

Individuals have a right to know straight away when this has occurred to protect against identity theft.

Mandatory notification would make organisations more careful and more accountable for the use of personal information."


Monday, December 17, 2007

Data Security Lapse

According to the latest press releases, it appears that 3 million L-driver details for the driving theory test have gone missing:
"The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs.

Names, addresses and phone numbers - but not financial data - were among details on a computer hard drive which went missing in the US in May.

It belonged to a contractor working for the Driving Standards Agency, the transport secretary told MPs.

It is the latest in a series of data losses since discs with 25m people's details on were lost by HM Revenue.

Ms Kelly said the details of learner drivers had been formatted specifically for the contractor, Pearson Driving Assessments Ltd, and was not readily accessible or usable by third parties.

Risks 'not substantial'

She said the details were not sent in the post - but the hard drive had not been found where it had been expected to be, in the "security facility" in Iowa.

She said the Information Commissioner had judged the risks presented by the loss were not "substantial" as the details did not include bank account details, National Insurance numbers, driving licence numbers or dates of birth.

But she apologised for any "uncertainty or concern" caused to anyone whose details might have been included - who took a driving theory test between September 2004 and April 2007...

However her Tory shadow Theresa Villiers said the government was failing in its duty to obey its own laws on data security and said it was further evidence of a "systemic failure" by the government in handling people's private data."

Source: BBC Millions of L-Driver Details Lost

The scale of the data lost is unfathomable. Again, the Data Protection Act 1998 is clear, under the 7th data protection principle, that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This is further elaborated under Part 2 of Sch. 1 of the Data Protection Act 1998:

9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—

(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Rights of those affected: the Data Protection Act 1998 (DPA) clearly provides rights to data subjects affected by breaches under the DPA 1998:

s 10 of the DPA 1998 (Right to prevent processing likely to cause damage or distress), and

s 13 of the DPA 1998 (Compensation for failure to comply with certain requirements).

For more information on this, visit the UK ICO's website. More powers for the ICO, including a new criminal offence for knowingly or recklessly flouting data protection principles, have been called for, so one waits to see whether the Data Protection Act 1998 will be strengthened!

Thursday, December 13, 2007

Data Protection Developments Updates

Some latest developments on data protection:

  • The ICO called for a review of the data protection laws including a need for a data security breach notification, criminal sanctions and audit power. The transcript (uncorrected at present) is available here.
  • According to the latest press release, the ICO is currently investigating Facebook, following a complaint that one user could not delete his account. "Facebook does allow people to 'deactivate' their accounts. This means that most of their information becomes invisible to other viewers, but it remains on Facebook's servers - indefinitely." The data protection principles under the UK Data Protection Act 1998 are fairly clear that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes" (5th data protection principle). It seems slightly odd that an FB user who wishes to remove their profile from FB could not have their personal data deleted. One waits to see what developments arise on this front. See also an interesting article on the social implications arising from the use of FB here.
  • Adequate level of data protection in Jersey and the Faroe Islands: "The Working Party adopted two Opinions, on the adequate level of data protection in both Jersey and the Faroe Islands, which will enable the Commission to take further steps towards a Commission decision on adequacy. In the past the Commission has adopted adequacy decisions on such countries as Switzerland and Argentina after receiving the advice of the Art. 29 Working Party. The Commission decision makes the transfer of personal data to such countries much easier than to third countries in relation to which such a decision has not been adopted." (Art. 29 Working Party Press Release, October 2007).

Update: Headed by Richard Thomas and Dr Mark Walport, there is a consultation on the use and sharing of personal information in the public and private sectors as part of their independent Data Sharing Review. The closing date is 15 February 2008. Further details of the consultation can be found here.

Monday, December 10, 2007

Highlights of the LSPI Conference 2007

Having been absent for a week in Beijing to attend the LSPI Conference, there was the opportunity to visit the various "touristy" places including the Forbidden City and the Summer Palace.

As for the conference, this was held at the Communications University, Beijing. The theme centred on "Cyberlaw, Security and Privacy". There were some very interesting papers given including (not exhaustive):

The European proposal concerning the structure of the Internet has offered a more international and rounded approach to the debate surrounding Internet Governance. Encouraging the formation of ‘alliances’ by a certain number of governments, who wish to proceed to specific policy decisions, ‘enhanced cooperation’ is viewed as the viable solution that would potentially remove the control of the Internet outside the United States Government. However, can ‘enhanced cooperation’ meet the democratic mandate of how the Internet should be governed?

With its future still undetermined, even within the confines of the European Union, ‘enhanced cooperation’ could work as the catalyst for either the unification or the segregation of the medium. The current structure of the Internet does not encourage the creation of a ‘Constitution’, due to its domination by a specific segment of governments and private entities. Due to this state of affairs, the setting of basic principles and policies with the active participation of all interested parties – Governments, the Private Sector, Civil Society and the Internet Corporation for Assigned Names and Numbers (ICANN) – is vital. Otherwise, if not used appropriately, ‘enhanced cooperation’ can “support” coalitions of specific groups, leaving outside actors, whose role is significant.

This proposal’s starting point is the notion that, before we proceed in any governance of the Internet, first we need to identify the principles that we need to secure and, based on that premise, shape the boundaries and effects of the European proposal. Otherwise ‘enhanced cooperation’ or any other proposal for that matter will have a detrimental effect and might even cause more problems than solutions.

"The Global Positioning System (GPS) has slowly permeated into the civilian community and has become an essential accessory for the modern individual. Various commercial applications heavily rely on GPS technology. GPS has also started receiving attention in court cases, where it has been admissible as evidence leading to convictions or proving innocence. However, GPS is a radio-navigation system and is prone to vulnerabilities that may be introduced intentionally or unintentionally. The legal literature has not debated the possibility of human alteration of GPS data in judicial reasoning which raises the prospect of forged GPS data being presented to courts by individuals who have the motive and the technical knowledge to do so. By exposing the weaknesses present, this paper aims to draw the attention of the legal fraternity to these issues which may put the legal system in a dilemma as over-reliance on GPS technology may produce disastrous results, especially when innocence or guilt largely depends on GPS evidence."

"The EU has developed a comprehensive framework for Information Society law that spans various areas ranging from a liberal regulation of e-commerce to a stringent legislation in the area of copyrights in the Information Society. This article discusses the evolution of the EU approach to the regulation of e-commerce in the Single Market and demonstrates the most important aspects of the current regulations relevant to this area."

In Internet governance transparency issues merit more extensive consideration: The Internet offers valuable opportunities for transparent communication and for the achievement of open access to discussion topics, thereby enhancing communication and dialogue between the governance-related institutions and the interested parties concerned. Transparency could also promote the mobilisation of new actors and the participation of the civil society; such development would increase the level of democratic legitimization through active involvement. ICANN has recognized the need to improve the transparency framework with its structures; the ongoing attempts should be strengthened by scholar research supporting the effort of the ICANN bodies in the present consultation phase. Since a transparent methodology for rule-making processes based on revisable procedures reduces mistrust, transparency should become a persistent objective of governance mechanisms.

The dichotomy between personal privacy and free access to information, which has come increasingly to the fore with the advance of information technology, justifies a reconsideration of these traditional values and interests. In this article, it is contended that privacy, as a constitutional right, is subject to changing norms as a result of the advent of the information society. In today’s information society, citizens weigh the importance of protecting privacy against the advantages of free access to information. The criterion they use is a rational one: an evaluation of which option provides the individual with the most benefit. The protection of privacy is no longer an unconditional good. For state organisations to champion privacy at any cost is, therefore, out of step with this development. A new balance has to be established between the citizen’s right to privacy and their right to know, taking into account this shift in values. In order to prevent on the one hand overzealous protection and, on the other, the abuse of information, it is necessary to set up the monitoring function in a new way.

Although one's paper concentrated on the subject of network neutrality, a topic which has received less attention in the UK and Europe, the feedback was very useful.

I hope to follow up on the feedback received from the two panel discussions convened on social networking (with diverse opinions/perspectives given), a topic which has been covered to a greater extent. Again, the feedback has been extremely useful; my thanks to the delegates for making this topic a lively discussion, even if some of us did not manage to agree! For those interested in the privacy implications of social networking, see the clip below as an example:

Sunday, December 09, 2007

Lecture online

Further to my previous post on Sir Alec Jeffreys' lecture on genetic fingerprinting and beyond, this is now available online.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of Biology, most notably in forensic and legal medicine. This lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime."

Monday, November 26, 2007

Online advertising

According to this latest press release, the Art. 29 Working Party is investigating behavioural targeting and ads sent to people based on their web surfing. Although it does not touch upon this directly, one has explored the extent to which clickstream data can be protected under the current Data Protection Framework, particularly in the light of the Data Protection Directive 95/46/EC - a topic worthy of some academic discussion at some point. In the meantime, the following report:

"As online advertising comes under greater scrutiny in the United States, European authorities reportedly are also preparing to take a closer look at whether some marketing techniques violate privacy.

The Article 29 Working Party, an arm of the European Union that regulates protection of consumer data, is about to embark on an investigation of behavioral targeting--or sending ads to people based on their Web-surfing history--according to Reuters.

While any rules the EU issues won't directly affect companies in the United States, some companies as a practical matter will implement changes across the board. For example, in response to separate concerns of the EU Working Party, Google recently said it would "anonymize" search logs after 18 months, making it harder to connect specific IP addresses to search queries. That change is taking effect in the United States as well as Europe, although Google didn't face similar regulatory pressure here.

The Article 29 group's move to investigate behavioral targeting comes as privacy groups and consumer advocates in the United States are urging the Federal Trade Commission and other authorities to more closely regulate such techniques. Last month, a coalition of groups proposed that the FTC create a do-not-track list for consumers who don't wish online advertising companies to monitor the Web sites they visit and then send them ads based on their presumed interests.

Earlier this month, the FTC held a two-day town hall meeting about some of the privacy issues raised by behavioral targeting. Ad industry groups like the Interactive Advertising Bureau and Online Publishers Association weighed in against a do-not-track list, arguing that many companies allow consumers to opt out of behavioral targeting. Currently, many big U.S. ad networks participate in the Network Advertising Initiative--a group that formed in 2000 in response to privacy concerns, and that requires member companies to allow consumers to opt out of behavioral targeting programs.

Online ad industry executives also argued to the FTC that behavioral targeting doesn't compromise privacy because the ad companies don't collect so-called personally identifiable information, like names or addresses.

In the last few weeks, however, new variations of online advertising that arguably affect privacy have emerged. Most famously, Facebook earlier this month launched its Beacon program, which informs users' friends about purchases made at other sites. While users can opt out of sharing that data, some people say that Facebook shouldn't publicize information about purchases unless users have affirmatively consented to the program.

Last Tuesday, advocacy group MoveOn.org started a group on Facebook to protest the Beacon program. MoveOn is calling for Facebook to make the program opt-in rather than opt-out. By Sunday evening, around 20,000 Facebook members had joined the group, "Petition: Facebook, stop invading my privacy!"

Some privacy advocates say that any new regulation of online ad techniques abroad will inevitably lead to new policies in the United States as well. "It's a global business," says Jeff Chester, executive director of the Center for Digital Democracy, adding that behavioral targeting companies aren't likely to give consumers more privacy protections in Europe than the U.S. The Center for Digital Democracy argues that companies shouldn't use behavioral targeting techniques unless consumers explicitly consent.

Not all online ad industry executives think the EU investigation will necessarily lead to new regulation. Tacoda founder Dave Morgan, now executive vice president, global advertising strategy at AOL, says he's hopeful that reviews such as the EU's "will spur the online ad industry to adopt more and stronger consumer notice regimes and will drive greater participation in self-regulatory programs like the Network Advertising Initiative."

Source: Online Media Daily

Data Protection Developments

Given the latest press coverage over the benefits data fiasco, powers of the ICO have been increased to include spot checks. However, in a separate development, Privacy International is likely to take legal action on behalf of individuals affected by this against the government.

"More than 300 members of the public have contacted Privacy International since the revelation this week that Her Majesty’s Revenue & Customs unlawfully processed, and subsequently lost, personal details relating to around 25 million individuals. Most of these complainants have requested that PI undertakes, on their behalf, legal action against the government.

Accordingly, this organisation has over the past four days consulted a range of legal experts. The overall conclusion is that there is most likely a case that can be asserted. However, we must concede that not all lawyers are presently optimistic about a positive outcome. Nevertheless, given the unprecedented severity of this case we feel it is important to take some form of action on behalf of the many distressed and vulnerable families that have contacted us. It is even more important to assert the rights of the individual in the face of such circumstances.

We have therefore decided to pursue legal action against the government directly on behalf of the complainants and of course indirectly on behalf of all those people affected by the unlawful disclosure from HMRC. Our current intention is to pursue a claim for a general (not statute-based) breach of a duty of care on the basis of negligence.

We have been made aware that there are cases in which public authorities have been found to be very seriously at fault and where the courts seemed concerned not to impose liability where the claimant was one of a large and indeterminate class of people who might be affected by the careless conduct. The position would be different if the public authority actually created the danger itself or knew or ought to have known about the risk of harm resulting. It appears that courts are more willing to find “proximity” if a smaller group of persons is at risk than the public in general.

Three key issues remain to be resolved in the next few days.

1) We need to decide whether a specific "class" of individuals should be selected from amongst the complainants (for example, those who are in a particularly vulnerable situation). This will possibly help the issue of “proximity”.

2) We need to determine which individual or what department will be the target of the action (a named individual within the government or a section of HMRC), and,

3) We need to agree which law firm will handle the case. We are currently in discussions with potential companies.

Simon Davies, Privacy International’s Director, said:

"In seventeen years as a watchdog we have never received so many complaints over a single privacy issue. People are angry and distressed. They are deeply anxious over the potential threat to their children."

"Governments have hidden behind legal protection over negligence claims for many years. Now it is time to finally resolve the question of liability and duty of care so the citizen can enjoy a remedy against such blatant disregard for personal security."

"We believe there is a case to be heard and it is a case that can be won. However we realise we're going to face an uphill struggle winning that case, but we would be abandoning our responsibilities if we failed to take action."

For further information please contact Simon Davies on simon@privacy.org"

Source: Privacy International to pursue data breach legal action against UK Government

Monday, November 19, 2007

E-Comm Data Protection Law and Policy

Latest issue of E-Comm Data Protection Law and Policy, November 2007 is now available (requires subscription), but see the latest table of contents:


# DHS defends PNR programme against 'misplaced' EU criticisms

The US Department of Homeland Security (DHS) has described EU criticisms of the recent controversial 'PNR' agreement, as 'misplaced', rejecting claims of discrimination against EU citizens.

# ICO to review DPA as part of UK's Freedom of Information expansion

The Information Commissioner's Office (ICO) is to lead a review of how personal information is shared in the public and private sector, as part of UK Government plans to expand freedom of information. The review, to be published in 2008, will examine if the Data Protection Act 1998 is adequate to protect shared personal details in the information age and will be led by Information Commissioner, Richard Thomas and Professor Mark Walport, Director of medical research charity, the Wellcome Trust.

# Businesses fined $7.7m for six DNC violations

Businesses have been fined almost $7.7 million for violations of the Do Not Call (DNC) Registry in the United States, in six settlements reached by the Federal Trade Commission (FTC).


# Editorial: The security debate

The security v privacy debate is heating up. Since 9/11, this has become one of the main challenges for privacy regulators worldwide. Clearly, the need for intelligence is more fundamental than ever in crime prevention terms and legislative measures like the data retention directive are a sign of the things to come. Recent calls for US-style passenger collection and storage obligations in privacy-conscious Europe are another step in that direction and the list of similar measures is bound to grow.

# United States: Department of Homeland Security addresses critics

US privacy policies, such as the recent Passenger Name Record (PNR) agreement, have attracted fierce criticism from European privacy experts. In this article, Lauren Saadat and Shannon Ballard, Associate Directors for International Privacy Policy at the US Department of Homeland Security (DHS), argue why such criticisms are misplaced stating that DHS policies - through recognition of the fundamental principles of transparency, an individual's right to know, individual redress and effective data security - arguably provide greater privacy protections than those offered by equivalent European agencies.

# Opinion: The Future of Privacy: part 1 - 'Privacy 1.0': the need for change

As information technology continues to evolve, regulators, privacy practitioners and citizens are increasingly questioning the suitability of current privacy frameworks to allow the effective processing of personal data whilst safeguarding individual privacy. In the first part of a two-part article, Christopher Millard, Partner at Linklaters LLP, suggests that current approaches to privacy regulation are fundamentally flawed. In particular, Millard argues that most privacy legislation is incompatible with the architecture of the internet and that the imposition by EU member states of bureaucratic obstacles destroys the usability of pre-approved rules which are supposed to facilitate simplified compliance procedures.

# Personal Data: ICO Guidance: interpretation and consistency with 'Durant'

The recent ICO guidance on the concept of 'personal data' sets out eight questions to help organisations determine if they are processing such data. Some of the questions are designed to assist organisations in determining if information 'relates' to an individual, a key issue which was considered in the recent Durant judgment, which the ICO were bound by in drafting this guidance. Renzo Marchini, Counsel at Dechert LLP's London office, assesses this part of the guidance and its consistency with the Durant judgment.

# New Zealand: Privacy Risk Register: a practical perspective

A service enabling a person's identity to be verified quickly and easily is being built for use by government services in New Zealand. Developing this service while respecting an individual's right to privacy required the continued use of a Privacy Risk Register. Carolyn Adams, project advisor for the Department of Internal Affairs Te Tari Taiwhenua, provides a practical guide explaining how this was achieved.

# United States: Federal Court: ban on NSL notification is unconstitutional

National Security Letters work as administrative subpoenas that allow the FBI to obtain customer records without obtaining a court order. Michael Vatis, a partner in the New York office of Steptoe & Johnson LLP, explains the Federal Court's decision that 'gag' orders, which prohibit electronic communications providers from telling customers that they have received an NSL, violate the First Amendment.

DNA Lecture

There was a lecture held at NTU with Professor Sir Alec Jeffreys discussing the groundbreaking technique of DNA fingerprinting and beyond.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of biology, most notably in forensic and legal medicine. Professor Jeffreys’ lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime. It will also discuss how this work has led to the discovery of some of the most unstable regions of human DNA, and how these can be used to study human evolution in real time and to explore the effects of environmental exposure to agents such as radiation on heritable mutations in human DNA."

We expect a video version to be available at some point. What was interesting, when listening to his lecture, were the moral and ethical dilemmas about genetic information: not simply what the DNA can reveal about individuals, but also the genetic profiles of their relatives. The subject of genetic information and privacy implications is well documented here and here. Jeffreys also touched on the subject of DNA databases. What was disconcerting was that even a minor parking offence would mean that your DNA would be taken - sounds like huge implications for privacy here.

Revisiting the Art. 29 Working Party's guidelines on genetic data, it is vitally important that the privacy of an individual's DNA and what he/she is genetically pre-disposed to (whether he/she is party to the information is another matter) is preserved. Here is a short extract from their concluding remarks:

"Any use of genetic data for purposes other than directly safeguarding the data subject's health and pursuing scientific research should require national rules to be implemented, in accordance with the data protection principles provided for in the Directive, and in particular the finality and proportionality principles. The application of these principles render the blanket implementation of mass genetic screening unlawful.

Furthermore, in accordance with these principles, the processing of genetic data should be authorised in the employment and insurance fields only in very exceptional cases provided for by law, so as to protect individuals from being discriminated against on the basis of their genetic profile.

In addition, the ease with which genetic material can be obtained unbeknownst to the data subject and the relevant information can be subsequently extracted from such material, requires strict regulations in order to prevent the dangers related to new forms of "identity theft" – which would be especially dangerous in this sector and might affect fatherhood and motherhood, or even the possibility of using the material for cloning purposes. This is why, in regulating genetic data, one should not fail to consider the legal status of the DNA samples used for obtaining the information at stake. Among the issues addressed, special importance should be attached to the application of a wide range of data subjects' rights to the management of such samples, as well as to destruction and/or anonymisation of the samples after obtaining the required information.

Finally, procedures should be put in place in order to ensure that genetic data are only processed under the supervision of qualified professionals who are entitled to such processing on the basis of specific authorisations and rules.

• In Member States where the purposes and the appropriate safeguards for the processing of genetic data are not established by law, the DPAs are encouraged to play an even more active role in ensuring that the finality and proportionality principles of the Directive are fully respected.

In this respect, the Working Party recommends that Member States should consider submitting the processing of genetic data to prior checking by DPAs, in accordance with Article 20 of the Directive. This should in particular be the case with regard to the setting up and use of bio banks."

Monday, November 12, 2007

Facebook, Social ads and the Data Protection Act 1998

There has been a lot of discussion centred on the Facebook Social Ads and the likely privacy implications arising from them:

FACEBOOK wants to put your face on advertisements for products that you like.

Mark Zuckerberg, Facebook’s founder, discussed his company’s social advertising plan with marketers in New York.

Facebook.com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

Source: Story, L. Facebook is marketing your brand preferences

Question: What about the Data Protection Act 1998?

What is absent from the debate is the extent to which individuals in the UK can use the Data Protection Act 1998 to request that Facebook do not use such information without their consent:

s 11 of the Data Protection Act 1998 (on the Right to Prevent Processing for Purposes of Direct Marketing) provides that:

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he/she is the data subject.

(2) If the Court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

In other words, you are entitled to request from Facebook that your profile is not used for the purposes of the Social Ads.

What about the Data Protection Principles?

There is the question whether Facebook is adhering to the second data protection principle under the UK Data Protection Act 1998, that 'personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.' In other words, using the user's name or image for marketing goes beyond the purpose for which social networking was intended to be used. Further information can also be found on the UK ICO website.

More can be written on the application of the Data Protection Act to social networking websites, but this will have to be another article at some point. So, why wait, start complaining and exercise your data protection rights!

Thursday, November 08, 2007

Personal Data - this time through the CFI

The European CFI has issued its judgment today in the case of Bavarian Lager Co v European Commission (T-194/04). The facts of the case were briefly noted in the Times newspaper:

"The lucrative business of lobbying is set to become more transparent in Brussels after a European court ruled that privacy laws could not be used to keep lobbyists’ names secret. The European Court of First Instance ruled today that the European Commission was wrong to refuse to identify the attendees of a crucial meeting about competition in the beer industry. The Commission claimed that identifying the attendees would have been a breach of their privacy. But this morning the court said that the Commission could only refuse in limited circumstances in which the information at stake was “personal data that are capable of actually and specifically undermining the protection of privacy and the integrity of the individual”. The court added that just because a lobbyist attends a meeting with the Commission as a representative of a collective group, it does not give them an automatic right to privacy. Such a meeting — thousands of which take place with various European institutions every year — does not fall “within the sphere of [the lobbyist’s] private life” and therefore revealing attendees names “cannot constitute an interference with his private life”. The case centred on a 1996 meeting between representatives of the beer industry and European officials. Shortly after the meeting, the Commission abandoned an investigation into whether a UK law limiting the sale of certain beers was illegal. Andrew Ronnan, founder of the Bavarian Lager Company, an importer that claims to have lost out because of these rules, has been fighting to find out who attended the meeting ever since. The Commission supplied Mr Ronnan with the minutes but erased the names of five individuals. Mr Ronnan, who said he was “delighted” with today’s decision, believes the Commission will now have to identify the five people. 
He told Times Online that if, as he suspects, these individuals were representatives of businesses that profited from the investigation being dropped, he would be asking his lawyers to explore a compensation claim."

What is noteworthy is the concept of "personal data", which the CFI discussed in some detail in the context of Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1), which was adopted on the basis of Article 286 EC:

Paras 117-120:

"117 Moreover, exceptions to the principle of access to documents must be interpreted restrictively. The exception under Article 4(1)(b) of Regulation No 1049/2001 concerns only personal data that are capable of actually and specifically undermining the protection of privacy and the integrity of the individual.

118 It should also be emphasised that the fact that the concept of ‘private life’ is a broad one, in accordance with the case-law of the European Court of Human Rights, and that the right to the protection of personal data may constitute one of the aspects of the right to respect for private life (see, to that effect, the Opinion of Advocate General Leger in Parliament v Council and Commission, point 209), does not mean that all personal data necessarily fall within the concept of ‘private life’.

119 A fortiori, not all personal data are by their nature capable of undermining the private life of the person concerned. In recital 33 of Directive 95/46, reference is made to data which are capable by their nature of infringing fundamental freedoms or privacy and which should not be processed unless the data subject gives his explicit consent, which implies that not all data are of that nature. Such sensitive data may be included in those referred to by Article 10 of Regulation No 45/2001, concerning processing relating to particular categories of data, such as those revealing racial or ethnic origin, religious or philosophical beliefs, or data concerning health or sex life.

120 It follows from the whole of the above that, in order to be able to determine whether the exception under Article 4(1)(b) of Regulation No 1049/2001 applies, it is necessary to examine whether public access to the names of the participants at the meeting of 11 October 1996 is capable of actually and specifically undermining the protection of the privacy and the integrity of the persons concerned."

The decision should be welcomed not only for its certainty, but also because it revisits the scope of application of Art. 8 of the ECtHR.

Tuesday, October 02, 2007

UK's implementation of the Data Protection Directive

The Guardian reported the following story yesterday:

"Europe's concern over UK data protection 'defects' revealed. Clare Dyer, legal editor, Monday October 1, 2007, The Guardian

The European Commission is threatening legal action against the UK government for failing to properly safeguard individuals' personal data. The commission has raised questions over the way the Data Protection Act and other legislation have implemented 11 articles of the 34-article European data protection directive - almost one-third of the whole. It has warned that it could take the UK to the European court of justice in Luxembourg if negotiations over the alleged defects fail. The investigation has been going on for more than three years, but the extent of the alleged shortcomings in UK law has been kept secret. Ministers have refused to release details of the negotiations to parliament, but the EC, in response to a freedom of information request, has now revealed the wide range of its concerns. The disclosure comes as a new law, coming into force today, compels phone companies to retain information about all landline and mobile phone calls, and make the data available to more than 700 official organisations, including police, security services, tax authorities, NHS trusts and local councils. The move brings into UK law a European directive, the data retention directive, aimed at "the investigation, detection and prosecution of serious crime". It has attracted little notice because it was put into UK law by a statutory instrument, made under the European Communities Act 1972, rather than by a new act of parliament. The government also plans to extend the powers to cover email and internet activity. The information commissioner, Richard Thomas, will monitor the security of the data kept under the new data retention rules. He also plays a major role under the Data Protection Act in making sure individuals' privacy is protected when their personal data is processed and used. But as part of its investigation into UK data protection laws the European Commission accuses the UK of not giving the commissioner strong enough powers."

In the meantime, the UK ICO has issued its latest guidance notes on the notion of "personal data", taking into account the Art. 29 Working Party's recent guidance.

Monday, October 01, 2007

IASTED Law and Technology

I have been absent for the last week at the IASTED Law and Tech Conference, which was held in Berkeley, California and ran concurrently with the CNIS and FEA. There were some interesting papers given (though not as well attended as one would have anticipated). To name a few (not exhaustive):

S. Marco and M. Doris (UK): Online Gambling – Reconciling New Technology and the International Consumer Interest - described the current situation of online gambling at a UK and European level.

S.R. Cross. Consumer Protection Compliance in Agent Negotiated Business to Consumer Transactions - particularly whether agents could theoretically contract in a B2C environment.

G. Finocchiaro, E. Pelino, and A. Ricci (Italy). Legal Issues Related to Privacy and Anonymity in Mobile Objects Communications - the notion of the "control of personal information" and "anonymity" was discussed.

Mr David Molnar (US) on the use of RFIDs in Berkeley, California - describing this from a technological perspective and the current framework (Californian).

There have been a few papers written on RFIDs and data protection, so the use of RFIDs (be it in library cards, passports etc.) and its prevalence over there raises the question whether the debate on RFIDs and surveillance is just a matter of time in the UK.

Friday, September 21, 2007

UK Data Retention (EC Directive) Regulations 2007

As noted in my previous post, the UK Data Retention (EC Directive) Regulations 2007 will take effect on 1st October 2007. These regulations implement the Data Retention Directive 2006/24/EC and apply to public communications providers. Public communications providers are defined under Regulation 2(d) as

(i) a provider of a public electronic communications network; or

(ii) a provider of a public electronic communications service;

Data will be retained for a period of 12 months from the date of communication (Regulation 4(2)). What is less than clear is whether a public communications provider can retain data for more than 12 months. The types of data to be retained are telephone numbers and mobile numbers (Regulation 5(1) and 5(2)). Under Regulation 8, the UK ICO continues to monitor the application of these regulations. The Regulations do not require data on Internet access, Internet e-mail or Internet telephony to be retained (Regulation 4(5)). The Data Retention Directive, however, allows Member States to extend the rules to internet data at a later date, provided these rules are in force by 15 March 2009 (Art. 15(3)).

Luxembourg: Data Protection

(via Privacy, Laws and Business)

"On 1 September, Luxembourg modified its data protection law, removing some obligations to notify data processing to the CNPD (the national data protection authority) and simplifying other regulations.

The most common data processing in business and administration, such as that for human resources, no longer must be notified to the CNPD. Data processing by some professionals (lawyers, notaries, doctors, journalists, for example) will be considered to be sufficiently protected by professional ethics. The lists and conditions regarding the new rules on notification are on the CNPD website (www.cnpd.lu).

Data processing notification rules are also simplified for scientific research and health professionals, including clinical research for pharmaceutical companies. Data processing officers in charge of data protection for firms can now be employees of the firm (formerly they could only be external consultants). This means that these companies are exempt from notification requirements.

Perhaps the most significant change is that Luxembourg no longer extends protection to the privacy of legal persons, such as companies, as it does to natural persons. Of course, personal data processed by legal persons is covered by the amended data protection law."

Monday, September 17, 2007

UK's Implementation of the Data Protection Directive

Out-Law has recently put this post up (they have been successful in making an FOI request):

"EXCLUSIVE: The UK's Data Protection Act (DPA) does not implement European law properly, according to the European Commission which is investigating problems in the UK's implementation of 11 of the Data Protection Directive's articles, almost a third of the entire Directive.

Using freedom of information legislation, OUT-LAW.COM has learned that 11 articles are the subject of two Commission letters to the UK Government, even though the Government has refused to provide these details to Parliament. The Ministry of Justice has rejected the Commission's claims and told OUT-LAW.COM that the UK Government believes it has implemented the Directive fully.

In June 2005, Labour MP Harry Cohen asked the Government exactly what problems the Commission had identified when it said that the DPA was a defective implementation of the Directive.

Parliamentary undersecretary Bridget Prentice refused to answer.

"We currently have no plans to disclose the detail of those discussions as the formal Commission investigation process is still taking place," she said. "If the Government were to disclose the information requested, it would prejudice the negotiating process between the UK and the Commission and so prejudice UK interests".

The articles of the Directive which the Commission claims have not been implemented properly are articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 – just under a third of the 34 articles in the Directive.

These Articles relate to: the definitions used in the Directive (e.g. the meaning of personal data); the scope of the Directive's application to manual files; the conditions when sensitive personal data can be processed; the fair processing notices given to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek a remedy when there is a breach; the liability of organisations for breaches of data protection law; the transfer of personal data outside European Union; and the powers of the Information Commissioner.

Data Protection expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the extent of the objections reflects official attitude towards data protection policy. "All UK Governments involved in implementing the Directive have had a policy of minimising the Data Protection Directive's effect," he said. "The number of problems raised by the Commission seem to indicate that the UK Government may have misjudged the situation and minimised the effect of too many obligations".

"The fact that the Commission has a problem with so many of the articles in the Directive is a surprise," he said. "I had expected just a handful of objections linked to the Court of Appeal decision in the Durant case."

That landmark ruling from 2003, in Michael Durant's dispute with the Financial Services Authority, narrowed the scope of what constituted personal data under the Data Protection Act.

Pounder continued: "Instead, there are unexpected issues, for example, in relation to transfers, fair processing notices, exemptions, powers of the Commissioner, penalties and remedies."

The Commission's investigations were not prompted by a complaint. They were initiated by the Commission itself, though they are thought to have been provoked by the Durant ruling.

A statement issued to OUT-LAW by the Ministry of Justice on Friday said: "The European Commission, as part of its review of the implementation of the 1995 Data Protection Directive by each member state, have raised a number of issues with the UK."

"We are in discussion with the Commission about these issues. We believe that the UK has properly implemented the Data Protection Directive via the Data Protection Act 1998 and other relevant provisions of UK law," it said.

The Commission sent the UK Government its first letter on the issue in 2004, setting out the problems with the Data Protection Act. Until now, those objections have remained secret. The letter threatened proceedings before the European Court of Justice if negotiations with the UK stalled."

Saturday, September 15, 2007

Data Protection Developments: Indian IT Act to be amended

(via NewIndPress.com)

"NEW DELHI: In its effort to face the upcoming tough challenges in cyber crime, India is all set to bring comprehensive amendments in Information Technology Act 2000.

IT and Communications Minister A Raja on Friday announced that the proposed amendments would address a number of serious concerns such as data protection, data theft, e-commerce frauds, child pornography, identity theft, privacy issues and immunity to intermediaries among others.

An official indicated that the proposed changes would include stiffer quantum of punishment, especially in areas such as child pornography, ID theft and privacy issues.

The proposed changes in the Act are based on our experience during the last seven years and inputs received from various international bodies, Raja said at the concluding day of the 7th Interpol Cyber Crime conference held in New Delhi from September 12 to 14.

Before placing the amended Act in public domain for comments, the IT Ministry is holding discussions with various stakeholders to fine tune the amendments.

Discussions are being held with the stakeholders, including private companies, CBI and other investigative agencies, he said."


Friday, September 14, 2007

Google and Internet Privacy

FT reports the following story:

"Google will on Friday attempt to take the high ground in the debate over internet privacy, by calling for new international laws to be set up to protect personal information online. An International body such as the United Nations or the OECD should draw up new guidelines, Peter Fleischer, global privacy counsel for Google will tell Unesco members at a conference in Strasbourg on Friday. Google has become a focal point for a debate on internet privacy since European Union data protection bodies earlier this year questioned the length of time the company kept data on individuals using its search engine. Google was also criticised by Privacy International, the human rights group, as being potentially “hostile” to privacy. Since then, Google has taken steps to improve its image. It agreed to limit the time it keeps search data to just 18 months, and has started working with Privacy International in order to be removed from the organisation’s blacklist. Going further on the offensive, Mr Fleischer on Friday will say he believes existing internet privacy rules are out of date. The OECD’s guidelines on privacy and personal data, for example, were set up in 1980, well before the invention of the internet, and even the European Commission directive on privacy dates back to 1995, when the internet was still in its infancy. “Privacy laws have not kept up with the reality of the internet and technology, where we have vast amounts of information and every time a credit card is used online, the data on it can move across six or seven countries in a matter of minutes,” Mr Fleischer told the Financial Times ahead of his speech. Eric Schmidt, chief executive of Google, is expected to add his voice to the campaign over the next few weeks. Google is proposing that the privacy framework adopted in Asia by ministers at the Asia-Pacific Economic Co-operation conference in 2004 could be used as a basis of a broader, international agreement. 
The Apec agreement is relatively loose, setting out general principles, such as notifying individuals when their data is collected, but leaving enforcement up to individual countries. Simon Davies, director of Privacy International, said: “There seems to be a perceptible shift within the company. Over the past few months it seems that senior people have understood that privacy issues can affect the value of the company.” Mr Davies said the steps Google was taking were “symbolically huge and significant, but whether they have any meaning beyond that, no one can yet tell”. Analysts say it is crucial for Google to maintain an impeccable reputation on privacy, or it may begin losing users. A number of smaller search engine companies are already using the recent concerns over Google’s data policies as an opportunity to poach users."

Thursday, September 13, 2007

Surveillance and Society Conference 2008

InVisibilities: The Politics, Practice and Experience of Surveillance in Everyday Life

A two-day international conference hosted by the Centre for Criminological Research, University of Sheffield in association with the Surveillance Studies Network

Wednesday 2nd April - Thursday 3rd April 2008


While many of the world’s nations are becoming surveillance societies, the nature of life with surveillance in those societies is far from homogeneous, and is not widely researched or theorised. This conference focuses on the lived realities of surveillance and is keen to encourage empirical studies which document its everyday experience.

By its very nature surveillance makes populations visible, and differentiates between their members; surveillance itself features varied techniques, intensities and foci. Whether as workers, consumers, children, patients, criminals, web surfers or travellers we are made visible in different ways, through different technologies and administrative regimes. Visibility is not always total, unproductive or oppressive – visibility is necessarily partial. For some it is actively embraced: lives are lived in visibility.

Nevertheless, widespread ambivalence towards surveillance has been noted in academic, policy and media circles. As surveillance confers benefits and incurs costs on individuals, personal information economies of surveillance emerge. In building personal strategies which involve surveillance practices, invisibilities are negotiated to mediate, limit and exploit exposure to surveillance. How individuals, groups, organizations and societies negotiate, experience, resist, comply with, and enjoy surveillance are critical empirical questions, which appeal to surveillance scholars from a wide range of social science disciplines.

Key themes to include:

• Experiencing Surveillance and Visibility
• Participatory and Voluntary Surveillance
• Theorising (in)visibility
• Histories of Surveillance and Visibility
• Surveillance of the Other - Visibility and Difference
• Representations of Surveillance in Film/Art/Literature/Media
• State Surveillance and Identification
• Surveillance, visibility and the welfare state
• Surveillance and consumer visibility
• The transparent body
• Electronic visibilities
• (In)visibility and labour
• Negotiating (in)visibility
• Researching (in)visibility
• Spatial visibilities
• Surveillance futures

Submission of Abstracts and Expressions of Interest

If you would like to give a paper please submit your abstract to Lisa Burns at the University of Sheffield by January 31st 2008. Abstracts should be no longer than 500 words. Your abstract should also contain the following information.

• Name
• Country of residence
• Institutional affiliation
• Institutional address
• Telephone number
• Email address

On the same theme about surveillance, Queen's University, Kingston has been working on the Surveillance Project.

Monday, September 10, 2007

Surveillance Seminar

Researchers working on surveillance:

Seminar: 'Surveillance in Scotland: Current Practices and Future Prospects'

The University of Edinburgh's Public Policy Network and the Scottish Regional Office of the (UK) Information Commissioner's Office (ICO) are pleased to invite you to a one-day seminar on Friday, 5th October 2007 on the nature, extent and diversity of surveillance practices, systems and technologies in the private and public sectors, including the collection and sharing of personal information and databases, as well as video surveillance, DNA and biometric identification systems, and many other forms of monitoring people's movement, habits and behaviour.

Surveillance has become an important and controversial public issue as the needs of commerce and government press forward to use citizens' and customers' personal information for a host of purposes, including marketing, banking, law enforcement, counter-terrorism, and the delivery of public services. Questions of privacy and civil liberties are implicated in these developments. The aim of the seminar is to inform and to encourage a wider public debate about these issues, especially as they affect daily life in Scotland now and in the future.

Drawing upon the widely acclaimed report, 'A Surveillance Society', specially commissioned from the Surveillance Studies Network (SSN) by the Information Commissioner's Office (available at http://www.ico.gov.uk/about_us/news_and_views/current_topics/Surveillance_society_report.aspx), the seminar will feature presentations by authors of the SSN report and the ICO, as well as by representatives of Scottish Government, ICO, the police, and the worlds of industry, politics and human rights protection. The seminar will be held at the University's Moray House College of Education, Holyrood Campus, from 9.30 am to 4 pm on the 5th October. There is no charge for attendance at the seminar, which will include a buffet lunch. Details of the venue and programme will be circulated by e-mail to those attending.

Attendance will be limited, so to secure your place please RSVP to the Information Commissioner's Office at Scotland@ico.gsi.gov.uk before the 24th September.

Professor Charles Raab (PPN, University of Edinburgh) Dr. Ken Macdonald (ICO)

Wednesday, September 05, 2007

UK National DNA Database

A national debate is emerging about the UK National DNA Database. The Times reports:

"A senior judge has said the entire UK population and every visitor to the country should be on the national DNA database.

Lord Justice Sedley, one of the most experienced Appeal Court judges in England, said that an extended database would aid crime prevention and the current database was unfair and inconsistent.

He told BBC News: “Where we are at the moment is indefensible. We have a situation where if you happen to have been in the hands of the police, then your DNA is on permanent record. If you haven’t, it isn’t... that’s broadly the picture.”

Sir Stephen said disproportionate numbers of ethnic minorities get on to the database where there is ethnic profiling going on.

He added: “It also means that a great many people who are walking the streets, and whose DNA would show them guilty of crimes, go free”.

There are currently four million profiles held on the national DNA database.

Critics say those who commit certain offences should have their details removed after a set period.

The DNA database - which is 12 years old - grows by 30,000 samples a month taken from suspects or recovered from crime scenes. It is the largest in the world.

The data of everyone arrested for a recordable offence - all but the most minor offences - remains on the system regardless of their age, the seriousness of their alleged offence, and whether or not they were prosecuted.

It includes some 24,000 samples from young people between 10 and 17 years old, who were arrested but never convicted.

Sir Stephen said reducing the database would be a mistake. He knew of cases where a serious offender who had escaped conviction had ultimately been brought to justice by DNA evidence that may have been otherwise destroyed.

He said the only option was to expand the database to cover the whole population and all those who visit the UK.

Professor Stephen Bain, a member of the national DNA database strategy board, warned expansion would be expensive and make mistakes more likely.

"The DNA genie can't be put back in the bottle," he said.

"If the information about you is exposed due to illegal or perhaps even legalised use of the database, in a way that is not currently anticipated, then it's a very difficult situation."

Aside from the practicalities of a national DNA database, inevitably, there will be data protection/privacy/human rights implications on this. Irrespective of one's views on this (at this stage):

See also:

Monday, September 03, 2007

Privacy Market?

Wired has published this story concerning the privacy market. Putting on my "privacy hat", the idea of a "Privacy Market" is disagreeable - this is particularly the case when personal information is viewed as a commodity rather than a human right as such (see Art. 1 of the Data Protection Directive 95/46/EC). This is not to imply that privacy is absolute (as can be seen in the exemptions under the European Data Protection Directive and the UK Data Protection Act 1998 and instances where we need to give our personal details), but once we start thinking of an individual's identity as something that can be traded commercially (a property right), then this is a slippery slope into conceding that personal information has nothing more than monetary value.

"The Privacy Market Has Many Sellers, but Few Buyers"

By Dan Tynan 09.03.07 2:00 AM

Privacy is fast becoming the trendy concept in online marketing. An increasing number of companies are flaunting the steps they've taken to protect the privacy of their customers. But studies suggest consumers won't pay even 25 cents to protect their data. In one week in July, Ask.com unveiled AskEraser, a tool that will allow users to obliterate their search histories; Microsoft announced enhanced privacy controls for its Windows Live service; and Google and Yahoo shrank the amount of time they retained IP addresses and search logs, reducing the ability of government agencies to subpoena such data. Startups are aiming to carve out a piece of the privacy market. ReputationDefender, which allows individuals to manage what people say about them online, launched the beta version of a new subscription service on Sep. 1. Its service, called MyPrivacy, lets users control how their personal data is brokered across the web (the service was announced last fall but is only now publicly available). Suddenly it seems that "privacy is the new black," as Duncan Riley wrote at TechCrunch. For $5 a month, MyPrivacy subscribers can locate their records in people-search directories, such as Yahoo People Search, 411.com, WhitePages.com, Yellowbook.com and Netscape White Pages, and click a button to remove their listing. As long as you keep paying, the service will keep you unlisted when these information brokers refresh their directories. MyPrivacy will feature at least 10 major consumer databases at launch and expects to have 75 such information brokers signed on by year end.


Tuesday, August 28, 2007

Latest issue of Data Protection Law and Policy

The latest issue of Data Protection Law and Policy is available:

"In the UK, there is a growing consensus that the Information Commissioner's Office (ICO) is toughening up. It all started with the rogue traders who passed themselves as official registrars and demanded a few hundred pounds a shot for registration. That did not go down well in Wilmslow, given that their modest registration fees make up the bulk of their own funding. Then, a handful of aggressive marketers clogging small businesses' fax machines got to see the darker side of a normally peaceful regulator. But it is the good old Principle 7 - or the lack of compliance with it - that has kept the enforcement arm of the UK data protection authority especially busy in recent times.

OPINION: PNR AGREEMENT: SETTING A BAD PRECEDENT The recently enacted EU-US agreement on the transfer of Passenger Name Records (PNR) data is intended to provide a legal framework facilitating the transfer of this data whilst safeguarding individual privacy. In this article, Sophie in't Veld, Member of the European Parliament (MEP) for the Dutch social-liberal party 'D66', sets out why the agreement is fundamentally flawed, sets a bad precedent for future agreements and represents a defeat in the fight against terrorism.


The Article 29 Data Protection Working Party's opinion on the concept of personal data, issued 20 June, interpreted the four 'building blocks' in the Data Protection Directive that determine what constitutes personal data.
Siobhan McManus of Bird & Bird explains the Working Party's findings, discussing the implications of its 'wide' interpretation of what constitutes personal data, in contrast to the 'narrow' UK position.

NETHERLANDS: DISMISSAL UNDER EMPLOYER TELEPHONE TAPPING A recent ruling by the Breda Subdistrict Court, which permitted the playing of a surreptitious recording of a telephone conversation between an employer and his employee in dismissal proceedings, has contradicted recent human rights case law concerning the privacy of employees in the workplace. Nicole Wolters Ruckert of the Dutch law firm, Kennedy Van der Laan examines the judgment and its implications for employee privacy.

ITALY: THE 'PEPPERMINT' CASE: PRIVACY V COPYRIGHT UPDATE An ongoing case in Italy concerning the desire of a German record company to obtain the identities of internet users from ISPs, over the alleged posting and downloading of copyright infringing music files on P2P networks, has attracted the attention of the Italian Privacy Commissioner over allegations of illicit monitoring of internet user activity. In this article, Daniela De Pasquale, a partner in La Scala & Associati in Milan, sets out current developments in this case and in this area at EU level.

IDENTITY THEFT: LIMITING CLASS ACTION LIABILITY FOR BUSINESSES As concern surrounding identity theft in the United States continues, financial organisations are threatened by lawsuits over failures to ensure sufficient levels of corporate security, particularly in the form of class-action lawsuits where customers are affected on a nationwide basis. R. Bruce Allensworth, Andrew C. Glass, Ryan M. Tosi and David D. Christensen of K&L Gates' Boston office report on a recent US district court case where they successfully represented the defendants and which may limit class action liability for organisations that electronically store consumer personal information."

Saturday, August 25, 2007

Standing the test of time!

Postman's book, which some have read, and is highly recommended, laments the shift of public discourse from typography to television. This made me think about whether the shift is changing with the widespread use of the internet through Web 2.0, blogs, podcasts and so forth:

"In this book, Neil Postman, Professor of Communication Arts and Sciences at New York University argues eloquently and convincingly that television is transforming our culture into one vast arena for show business in which all public affairs - politics, religion, news, education, journalism, commerce - have been turned into a form of entertainment. Amusing ourselves to death is an urgent plea for us to question what is happening before it is too late."

The book not only succinctly examines the communication medium (through television), but discusses the change from a typographic America (see chapter 3) to a "Now...This" mindset.

"This is Neil Postman's contention. Television, he argues, has taken the place of the printed word as the centre of our culture, and in so doing has trivialised the once serious and coherent discussion of all public affairs. Even our political and religious leaders today depend more on camera angles and showmanship than on reason and rhetoric. Using examples from America's past and present history, he makes a convincing, often wittily argued case that we are moving not towards Orwell's vision of the future but towards Aldous Huxley's Brave New World in which people become addicted to the technologies that take away their capacity to think: their critical faculties are destroyed and their sense of history is lost."

Although Postman has written a book on technology, I am more inclined to think that what is happening is another cultural revolution (a shift from television to the electronic medium) through the use of the internet (blogs, podcasts, videoblogs etc.). Would Postman have envisaged this? I don't know, but I leave you with a few thoughts from his book:

"And yet there is reason to suppose that the situation is not hopeless. Educators are not unaware of the effects of television on their students. Stimulated by the arrival of the computer they discuss it a great deal - which is to say, they have become somewhat "media conscious". It is true enough that much of their consciousness centres on the question, How can we use television (or the computer, or word processor) to control education? They have not yet got to the question, How can we use education to control television (or the computer, or word processor)? But our reach for solutions ought to exceed our present grasp, or what's our dreaming for?...

What I suggest here as a solution is what Aldous Huxley suggested, as well. And I can do no better than he. He believed with H.G. Wells that we are in a race between education and disaster, and he wrote continuously about the necessity of our understanding the politics and epistemology of media. For in the end, he was trying to tell us that what afflicted the people in Brave New World was not that they were laughing instead of thinking, but that they did not know what they were laughing about and why they had stopped thinking."

I would hope that the internet revolution (blogs, podcasts etc.) challenges teachers and students not only to be critically aware, but also to evaluate the things that we read. The problem that I find is usually an information overload (not merely from the television medium, but also from the internet etc.); evaluating the sources (whether television, internet or radio, to name a few examples) and sifting through the main points will be the key.