Thursday, May 31, 2007

Google Saga

In the latest saga on Google's policy to keep its server log data for more than 18 months, the Art. 29 Working Party has published its letter to Google dated 16th May:

Although Google's headquarters are based in the United States, Google is under legal obligation to comply with European laws, in particular privacy laws, as Google's services are provided to European citizens and it maintains data processing activities in Europe, especially the processing of personal data that takes place at its European centre. As you are aware, server logs are information that can be linked to an identified or identifiable natural person and can, therefore, be considered personal data in the meaning of Data Protection Directive 95/46/EC. For that reason their collection and storage must respect data protection rules.The Article 29 Working Party considers a reduced storage period for server logs generated by the users of Google services as a valuable step to improve Google's privacy policies. However, it is of the opinion that the new storage period of 18 to 24 months on the basis indicated by Google thus far, does not seem to meet the requirements of the European legal data protection framework.The Article 29 Working Party is concerned that Google has so far not sufficiently specified the purposes for which server logs need to be kept, as required by Article 6(1)(e) of Data Protection Directive 95/46/EC. Taking account of Google's market position and ever-growing importance, the Article 29 Working Party would like further clarification as to why this long storage period was chosen. The Working Party would also be keen to hear Google's legal justification for the storage of server logs in general.

See also:

Saturday, May 26, 2007

Data theft - Call Centres

Newsnight presented a short excerpt on data theft, and in particular, the worrying problem of the ease with which personal information can be obtained from call centres located in India. Outsourcing of personal information to companies overseas is not new. However, the questions that will need to be asked (in the context of data protection) is the extent to which a UK organisation(s) (engaged in outsourcing activity) complies with the Data Protection Act 1998? Is there a data protection officer employed? If customer information is being outsourced to a company in India, are there adequate safeguards in place to ensure that data protection rules are in place? Just another reminder that the Data Protection Act 1998 (Sch. 1) contains eight data protection principles:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

It is the eight data protection principle which is particularly relevant. A list of factors to take into account when considering an adequate level of protection can be found in Sch. 1, Part. II, para. 13 of the UK Data Protection Act 1998:

13. An adequate level of protection is one which is adequate in all the circumstances of the case, having regard in particular to-

(a) the nature of the personal data,

(b) the country or territory of origin of the information contained in the data,

(c) the country or territory of final destination of that information,

(d) the purposes for which and period during which the data are intended to be processed,

(e) the law in force in the country or territory in question,

(f) the international obligations of that country or territory,

(g) any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and

(h) any security measures taken in respect of the data in that country or
India does not currently have data protection laws and the proposal to amend their existing Information Technology Act 2000 is likely to raise questions over the remedies available for breach of data privacy. This (ie. remedies) will need to be strengthened if it has not already been addressed and secondly, there will be a need for better enforcement mechanisms against organisations (based in the UK that outsource the processing of personal information of customers etc. overseas) that do not adhere to the UK DPA 1998. This can be particularly problematic, if an individual based in UK finds that his or her rights under the UK Data Protection Act 1998 is not adhered to because his personal information is processed abroad without the adequate legislative safeguards in place. First point would be to complain to the organisation that holds your personal information. If this is unsatisfactory, then the next point of call would be to contact the UK Information Commissioner's Office. Finally, the amendments to the current India Information Technology Act 2000 under the proposed Amendment Bill (2006) will be worth following. See also:

Thursday, May 24, 2007

Anti-ID theft

The European Commission is proposing legislation against identity theft. How much the proposals will complement the existing European Data Protection Framework (via the Data Protection Directive 95/45/EC and the Directive on Privacy and Electronic Communications 2002/58/EC) is less clear, but reading from the latest press release, this appears to be part of a Cyber crime initiative:

The European Commission is considering new legislation against identity theft. The proposal is contained in a just-published policy on EU-wide plans to fight cybercrime. The European Commission's policy on fighting cybercrime in Europe is the product of many years of consultation and focuses on greater co-operation between European police forces. Though the Commission said that it did not believe that new legislation would be useful at this stage in stopping the fast growth of cybercrime, it said it will consider anti-ID theft laws later this year. "No general legislation on the fight against cyber crime can be expected to be effective at this moment," said a Commission statement. "However … targeted legislative actions may also prove to be appropriate or needed in specific areas. As an example, the Commission will consider an initiative
regarding European legislation against identity theft in 2007. Legislative action could also include developing a regulation on the responsibility of different actors in the relevant sector." Overall, the Commission said that its cyber crime fighting policies would depend on improved co-operation and communication between law enforcement forces across Europe. "The main feature of this policy instrument is a proactive policy in reinforcing the structures for operational law enforcement cooperation," said the Commission statement." The Commission will launch a reflection on how this cooperation can be strengthened and improved."

See: Out-Law: Europe mulls anti-ID theft

Saturday, May 19, 2007

New book on Privacy and Technology

There is a recent book published by the National Academies Press entitled Engaging Privacy and Information Technology in a Digital Age:

Privacy is a growing concern in the United States and around the world. The spread of the Internet and the seemingly boundary less options for collecting, saving, sharing, and comparing information trigger consumer worries. Online practices of business and government agencies may present new ways to compromise privacy, and e-commerce and technologies that make a wide range of personal information available to anyone with a Web browser only begin to hint at the possibilities for inappropriate or unwarranted intrusion into our personal lives. Engaging Privacy and Information Technology in a Digital Age presents a comprehensive and multidisciplinary examination of privacy in the information age. It explores such important concepts as how the threats to privacy evolving, how can privacy be protected and how society can balance the interests of individuals, businesses and government in ways that omote privacy reasonably and effectively? This book seeks to raise awareness of the web of connectedness among the actions one takes and the privacy policies that are enacted, and provides a variety of tools and concepts with which debates over privacy can be more fruitfully engaged. Engaging Privacy and Information Technology in a Digital Age focuses on three major components affecting notions, perceptions, and expectations of privacy: technological change, societal shifts, and circumstantial discontinuities. This book will be of special interest to anyone interested in understanding why privacy issues are often so intractable.

The book is fairly lengthy, but a number of recommendations have been made including the establishment of a privacy commissioner. Here is a short extract from the executive summary, but worth reading the actual book:

Individuals can take a number of steps to enhance the privacy of their personal information and to become better informed about the extent to which their privacy has been compromised, although the effectiveness ofthese measures is bound to be limited. The committee thus recommends that if policy choices require that individuals shoulder the burden of protecting their own privacy, law and regulation should support theindividual in doing so. Firms and other organizations can design and implement self-regulatory regimes for protecting the privacy of the personal informationthey collect. Self-regulation is limited as a method for ensuring privacy,although it nevertheless offers protections that would not otherwise beavailable to the public. The committee offers a number of concrete recommendations to enhance the effectiveness of privacy policies. Specifically, organizations with self-regulatory privacy policies should take both technical and administrative measures to ensure their enforcement, routinely test whether their stated privacy policies are being fully implemented, produce privacy impact assessments when they are appropriate, strengthen their privacy policy by establishing a mechanism forrecourse if an individual or a group believes that they have been treated in a manner inconsistent with an organization’s stated policy, and establish an institutional advocate for privacy. The committee found that governmental bodies have important roles to play in protecting the privacy of individuals and or groups and in ensuring that decisions concerning privacy are made in an informedfashion. However, the U.S. legal and regulatory framework surrounding privacy is a patchwork that lacks consistent principles or unifying themes. Accordingly, the committee concluded that a less decentralized and moreintegrated approach to privacy policy in the United States could bring agreater degree of coherence to the subject of privacy. Two recommendationsf ollow from this conclusion. First, the committee recommends that the U.S. government should undertake a broad systematic review of national privacy laws and regulations. Second, the committee recommends that government policy makers should respect the spirit of privacy-related law.
See also

Friday, May 11, 2007

Privacy Enhancing Technologies

A recent press release from the European Commission on the promotion of Privacy enhancing technologies ("design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules") :

The Commission adopts today a Communication with the purpose of identifying the benefits of Privacy Enhancing Technologies (PETs) and laying down the Commission's objectives in this field, to be achieved by a number of specific actions supporting the development of PETs and their use by data controllers and consumers. The development of information and communication technologies is constantly offering new services which improve people's life. However, alongside these benefits, new risks also arise for the individual, such as identity theft, discriminatory profiling, continuous surveillance or deceit. Vice-President Frattini, Commissioner responsible for Justice, Freedom and Security, highlighted that: "To ensure that breaches of the data protection rules and violations of individual's rights are not only something forbidden and subject to sanctions under the existing legal provisions, but also technically more difficult, the Commission puts forward a set of actions aiming at developing and promoting the use of Privacy Enhancing Technologies." Viviane Reding, Commissioner for Information Society and Media added "On line services provide a lot of benefits and convenience to citizens and huge competitive advantages to European businesses. Yet for such services to enjoy large scale growth and so boost Europe's economy, people must have sufficient confidence that their personal privacy and legitimate business interests are being properly safeguarded".The use PETs can help to design information and communication systems and services in a way that minimises the collection and use of personal data and facilitate compliance with data protection rules. The use of PETs should result in making breaches of certain data protection rules more difficult and /or helping to detect them, therefore having a positive impact on consumer trust, in particular in cyberspace, all without losing the functionality of the information system. The Commission Communication adopted today reflects on the benefits of PETs, lays down the Commission's objective to promote these technologies and sets out clear actions to achieve them in the future by supporting the development of PETs and their use by data controllers and by consumers. To pursue the objective of enhancing the level of privacy and data protection in the Community, the Commission intends to clearly identify the need and technological requirements of PETs and further promote the development of these technologies (in particular through RTD projects and large-scale pilot demonstrations) and their use by industry and public authorities, involving a vast array of actors, including its own services, national authorities, industry and consumers. The aim is to provide the foundation for user-empowering privacy protection services reconciling legal and technical differences across Europe through public-private partnerships. To ensure respect for appropriate standards in the protection of personal data through PETs, standardization and coordination of national technical rules on security measures for data processing are envisaged.
See also:

Monday, May 07, 2007

European Data Protection Intensive Conference 24-25 May 2007

A two-day conference organised by Data Protection Law and Policy is being held in Amsterdam, 24-25 May 2007:

The European Data Protection Intensive is a unique event designed to solve the challenge faced by so many data protection professionals: to find authoritative information, and reliable advisors, on the data protection rules and regulations throughout Europe. Data Protection Law & Policy has organised this two-day Intensive to provide you with all the information and analysis on the legal and practical issues throughout Europe. The European Intensive is supported by the data protection specialists of Ecomlex, a network of 18 European law firms. This pan-european conference brings together leading data protection experts and a strong multinational representation. At the European Intensive you will find data protection experts from all twenty-seven EU states, plus Switzerland and Norway, who will be available to lead discussions as well as to meet for individual appointments. KEY ISSUES IN PLENARY SESSIONS The two-day Intensive will feature a day of Plenary Sessions which will focus on the key issues facing European data protection professionals, followed by a day of Group Interactive Sessions. SIX GROUP INTERACTIVE SESSIONS The Six Group Interactive Sessions will enable participants to ask experts directly about their particular concerns in any and every country in Europe. COVER EVERY COUNTRY The programme has been structured to enable participants to cover every single country, if they so choose, in the course of the second day of the Intensive.


Thursday, May 03, 2007

Revisiting the notion of "Processing" and the UK Court of Appeal's Decision in MDU v Johnson

Some who are working in the data protection field will be aware of the recent decision issued by the UK Court of Appeal over the notion of "processing" in MDU v Johnson. Without going too much into the details of the case, however, the decision by the CA, appears to run contrary to the spirit of the European Data Protection and in particular, the interpretation of what constitutes "processing" of personal data. Art. 2(b)of the Data Protection Directive 95/46/EC provides that:

(b) 'processing of personal data' ('processing') shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

Processing is given a wide definition by the Directive and this is again, followed by other EU Member States. Perhaps, a belated response on one's part, but given the UK's implementation of the Data Protection Directive 95/46/EC, the discussion by the Courts to the Lindqvist decision was not helpful. The Lindqvist judgment provides that:

25. According to the definition in Article 2(b) of Directive 95/46, the term processing of such data used in Article 3(1) covers any operation or set of operations which is performed upon personal data, whether or not by automatic means. That provision gives several examples of such operations, including disclosure by transmission, dissemination or otherwise making data available. It follows that the operation of loading personal data on an internet page must be considered to be such processing.

26. It remains to be determined whether such processing is wholly or partly by automatic means. In that connection, placing information on an internet page entails, under current technical and computer procedures, the operation of loading that page onto a server and the operations necessary to make that page accessible to people who are connected to the internet. Such operations are performed, at least in part, automatically.

27. The answer to the first question must therefore be that the act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or
partly by automatic means within the meaning of Article 3(1) of Directive 95/46.

The UK Court of Appeal in MDU v Johnson at paras. 33-34 stated that:

I should also note that reference was made to the decision of the European Court of Justice [ECJ] in Case C-101/01 [2004] QB 1014 (Lindqvist). A web page containing personal information about L and some of her fellow parishioners was composed by L on her home computer and placed on the internet. She was prosecuted for processing personal data by automatic means. The national court referred to the ECJ the question:

Does it constitute 'the processing of personal data wholly or partly by automatic means' to list on a self-made internet home page a number of persons with comments and statements about their jobs and hobbies etc?

The ECJ held that the listing of the parishioners was the processing of their personal data, and that the process had been "performed, at least in part, automatically" because of the loading of the page on to the server. The selection of the data had been purely manual, yet there was no suggestion that the processing taken as a whole was not automatic. It is, however, important to remind ourselves of the terms of the question that was asked in Lindqvist, which was limited to whether using the computer to place the list on the net was processing. Plainly it was, for the reason given by the ECJ. By the same token, when Dr Roberts caused the computer to transmit her conclusions to the RAG data was being processed. But it does not help [J] to establish the latter point, because what he complains of is unfair conduct in the reaching of those conclusions, before that processing of the conclusions took place. I think that in the end it was agreed by the appellant that Lindqvist does not assist in our present concerns. But [Counsel] has more formidable support from authority nearer home, the decision of this court in Campbell v MGN Ltd [2003] QB 633.

That case was regarded by the Judge as conclusive in [J's] favour on the processing issue, and it must therefore be analysed in some detail.

The judgment is slightly lengthy and warrants another article to be written. At this stage, however, much work is still needed (whether by academics, policy makers, lawyers etc) to inform not only the public about the European Data Protection Directive 95/46/EC and what it is intended (see also the UK Information Commissioner's Website), but that if the UK Data Protection Act 1998 continues to be narrowly construed (in the light of cases such as Durant and Johnson), data protection laws in the UK may, in all but name, be considered weak!

ONI Conference: The Future of Free Expression on the Internet

There is a conference being held on the 18th May and hosted at the Oxford Internet Institute, which judging by the website is well worth going:

The OpenNet Initiative is holding its first public conference to discuss the current state of play of Internet filtering worldwide. The conference will be hosted by the Oxford Internet Institute on May 18, 2007. The conference is free of charge and open to the public.

Results from the first global study of Internet filtering carried out by the OpenNet Initiative will be on the table for a day of discussion involving ICT development experts, speech and human rights advocates, journalists and bloggers, international laywers and scholars, and others interested in state responses to online information flows. We hope you will join us in exploring interpretations and implications of our data and helping to shape the OpenNet Initiative's evolving research agenda.

The day will conclude with a debate hosted by the Oxford Union - Resolved: the Internet is the greatest force for democracy around the world.

Further details can be found at:

Wednesday, May 02, 2007

House of Lords Decision in Douglas v Hello

As some may be aware, there has been a lot of press coverage about the House of Lords judgment on the Douglas v Hello case. This time, it is about the Hello and OK magazine. The judgment is fairly lengthy, but a good summary is provided by 5RB:

Facts: Michael Douglas and Catherine Zeta-Jones entered into an agreement with OK! magazine by which OK! were given exclusive rights to publish photographs of the Douglas-Zeta-Jones wedding. At the wedding and reception photography was prohibited; employees signed agreements not to take photographs and guests were searched for cameras. Shortly after the wedding OK! became aware that Hello! magazine planned to publish surreptitiously taken photographs of the wedding. OK! brought claims against Hello! for breach of confidence and causing loss by unlawful means (the Douglases also brought proceedings but these were no longer in issue).Lindsay J held Hello! liable for breach of confidence. The Court of Appeal reversed the judge’s decision on the ground that the obligation of confidence for the benefit of OK! attached only to the photographs which the Douglases authorized them to publish and not to any others. OK! appealed.

Issue (1) Whether Hello! were lable to OK! for breach of confidence;(2) Whether Hello! were liable to OK! for interfering with their business interests by unlawful means.

Held Allowing the appeal by a 3-2 majority:(1) Reversing the judgment of the Court of Appeal; OK! had paid £1m for the benefit of the obligation of confidence imposed upon all those present at the wedding in respect of any photographs of the wedding and were entitled to enforce that obligation. It had no claim to privacy nor could it make a claim parasitic on the Douglases rights. (Per Lord Nicholls and Lord Walker dissenting) The unapproved photographs contained nothing not in the approved photographs and therefore, once the latter had been published, there could be no breach of confidence. (Per Lord Walker dissenting) The law would not protect exclusivity in a ‘spectacle’.

(2) If it were necessary to consider this, Hello! had the necessary intention to cause loss but had not used unlawful means to interfere with the actions of the Douglases.
See also:

No doubt, there will be some academic discussion about the law of torts in this area (particularly, the protection of an individual's image). Commitments permitting, one will have to start writing an article on this.

European Data Protection Supervisor's Annual Report

The European Data Protection Supervisor's Annual Report 2006 has been published. For those who do not want to read the full report, provides a summary:

The number of complaints to the European Data Protection Supervisor (EDPS) almost doubled in 2006, but only 20% were valid complaints for the privacy watchdog of the EU institutions, its annual report has said. The number of complaints remained small, rising from 27 in 2005 to 52 in 2006. All but 10 of the complaints should have been directed to national data protection authorities and not the European Supervisor. In 2005 all but five of the complaints were similarly misdirected. The EDPS is still a new body, having only been formed in 2004. It increased in size last year from having 19 staff to having 24, and its budget increased from €3 million to €4m. "A large majority of the complaints received continued to fall outside of the supervisory competences of the EDPS, for instance because they dealt exclusively with processing of personal data on the level of the member states, where national Data Protection Authorities are competent," said the report. The report revealed that the body is conducting an audit of Eurodac, the database of fingerprints of illegal immigrants and applicants for asylum. The in-depth security audit is due to report by the middle of this year, the EDPS said. The report acknowledged that the EDPS still has not managed to make data protection an automatic part of working life for EU bodies. "[One challenge] is the implementation of data protection rules and principles in the whole EU administration and to develop a data protection culture as part of good governance," said the report..

See also:

Tuesday, May 01, 2007

ICO to call for more powers

This is a recent press release from the UK's ICO office calling for new privacy safeguards against a surveillance society:

The Information Commissioner, Richard Thomas, is today proposing new safeguards – including privacy impact assessments and inspection powers –to ensure public confidence in initiatives and technologies which could otherwise accelerate the growth of a surveillance society.Giving evidence before the Home Affairs Select Committee the Information Commissioner will also call for stronger powers to allow his Office (the ICO) to carry out inspections and audits. Currently the Commissioner must gain consent before inspecting an organisation for compliance with the Data Protection Act. Information Commissioner, Richard Thomas, said: “People now understand that data protection is an essential barrier to excessive surveillance. But it is wrong that my Office cannot find out what is happening in practice without the consent of each organisation. The risks that arise from excessive surveillance affect both individuals and society as a whole. As well as risks such as identity mistakes and security breaches there can be unnecessary intrusion into people’s lives and loss of personal autonomy. There is also a concern that too much surveillance will create a climate of fear and suspicion. It is essential that before new surveillance technologies are introduced fullconsideration is given to the impact on individuals and that safeguards are inplace to minimise intrusion.”The introduction of privacy impact assessments will ensure organisations set out how they will minimise the threat to privacy and address all the risks of new surveillance arrangements prior to their implementation...

See also:

On Privacy Impact Assessments, see also: