Thursday, June 28, 2007

OECD Recommendations

Here is a new post I came across on a plan agreed by the OECD on privacy enforcement co-operation between countries transferring personal data.

"The world's most developed economies will co-operate to uphold privacy laws in the face of increasing amounts of cross border data transfer. The member countries of the Organisation for Economic Cooperation and Development (OECD) have agreed the plan. The new deal updates a 25 year old agreement on the upholding of privacy laws. A new deal was needed in order to guard against the privacy risks of the increasing amounts of personal data currently being sent from country to country. "The initiative is motivated by a recognition that changes in the character and volume of cross-border data flows have elevated privacy risks for individuals and highlighted the need for better co-operation among the authorities charged with providing them protection," said a statement from the OECD. The OECD recommendation outlines the ways in which member governments have agreed to help each other to protect privacy by increasing the amount of international cooperation on privacy laws. It also outlines how countries will assist one another in the enforcement of privacy laws."

Source: Out-Law, "International effort on privacy protection is launched"

Social Networking

I have been busy lately trying to get my head down to write a few articles (one of which is due in a fortnight) whilst attending the SCL annual conference (the theme was Web 2.0), which was quite interesting. On the theme of social networking, there is a recent report, Teens, privacy and online social networks, published by the Pew Internet Project, showing how the majority of teens manage their online profiles.

The majority of teens actively manage their online profiles to keep the information they believe is most sensitive away from the unwanted gaze of strangers, parents and other adults. While many teens post their first name and photos on their profiles, they rarely post information on public profiles they believe would help strangers actually locate them such as their full name, home phone number or cell phone number. At the same time, nearly two-thirds of teens with profiles (63%) believe that a motivated person could eventually identify them from the information they publicly provide on their profiles. A new report, based on a survey and a series of focus groups conducted by the Pew Internet & American Life Project, examines how teens, particularly those with profiles online, make decisions about disclosing or shielding personal information. Some 55% of online teens have profiles and most of them restrict access to their profile in some way. Of those with profiles, 66% say their profile is not visible to all internet users. Of those whose profile can be accessed by anyone online, nearly half (46%) say they give at least some false information. Teens post fake information to protect themselves and also to be playful or silly.

Even without having to look at the law itself (data protection, privacy, etc.), this report sheds light on how individuals (teens) protect their identities when using social networking sites such as MySpace.

Monday, June 18, 2007

Webcast on Identity Management

There is an interesting webcast on The Management of Identity and Personal Information on the Internet: Public and Private Initiatives for Addressing the Problems. Speakers on this panel include Sir David Normington (Keynote Speaker); Professor Brian Collins; Dr Stefan Brands; and Jonathan Bamford, Assistant Information Commissioner (Open Public Panel Chair). The picture (on the right; source: Semantic Pool.de), perhaps, encapsulates the types of personal information we give online. In the meantime, here is the abstract of what the webcast is about:

There is much debate, and a number of competing initiatives, but the problems of identity and personal-information management over the Internet remain unsolved. These problems range from issues of convenience, such as requirements for multiple usernames and passwords, to the inability to carry out many transactions that require authentication of the user, to the security of systems that hold personal information, including identity information. Why do these problems persist? What are the opportunities in sight for moving ahead, and what risks are entailed in mitigating these concerns, including the failure to address these issues?


The Oxford Internet Institute organized a public panel to discuss this topic, chaired by Jonathan Bamford of the Information Commissioner's Office, and with a keynote by Sir David Normington, the permanent secretary at the Home Office. Other speakers include Professor Brian Collins (who combines the roles of academic, civil servant, and IT practitioner) and Dr Stefan Brands (an expert in privacy-enhancing technologies). The panel concludes with questions and an open discussion.

Wednesday, June 13, 2007

Google not covered by the Data Retention Directive

In the next stage of Google's saga, the Data Retention Directive 2006/24/EC does not cover search engine logs. According to Out-Law news:

Google is not bound by the Data Retention Directive when it comes to search engine logs, Europe's data protection committee has said. Google has used the Directive to justify keeping data, but OUT-LAW has learned that the law does not apply. Google has come under increasing pressure in Europe to anonymise its server data, but the company says that it will wait until 18–24 months have passed before anonymising. Among its reasons for this was the Data Retention Directive. However, a senior European data protection official told OUT-LAW today that Google cannot rely on that law as justification for its retention. "The Data Retention Directive applies only to providers of publicly available electronic communications services or of public communication networks and not to search engine systems," said Philippos Mitletton. Mitletton works for the European Commission's Data Protection Unit, which itself is represented on the Article 29 Working Party, the committee of Europe's data protection authorities. "Accordingly, Google is not subject to this Directive as far as it concerns the search engine part of its applications and has no obligations thereof," he said. Google offers other services that will be caught by the Directive – notably its email service, Gmail, and its internet telephony service, Google Talk. If Google's search function were caught by the Directive, it could alarm operators of any site with a search function – i.e. most large websites – because potentially they would be similarly caught and therefore need to store details of every search conducted and the addresses of the computers that instruct each search.

Whilst this provides clarity over the scope of the Data Retention Directive, one should not forget that we have the Data Protection Directive 95/46/EC (DPD), which applies to the automated processing of personal information and, to a lesser extent, manual files (if it can be shown that they formed part of a filing system such as card indexes), and the Directive on Privacy and Electronic Communications 2002/58/EC (complementing the DPD). For more on this, visit the European Commission, FSJ website at http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm.

Tuesday, June 12, 2007

Talk about Google!

Here is the latest on Google's data retention policy:

Google on Tuesday said it would cut the time for which it retains users’ personal search data to 18 months from 18-24 months, in a fresh concession to European Union data protection officials. The Article 29 working party, a group of national officials that advises the European Union on privacy policy, sent a letter to Google last month asking the company to justify its policy of keeping information on individuals’ internet searches for up to two years. Peter Fleischer, the internet search group’s global privacy counsel, wrote to Peter Schaar, chairman of the Article 29 group, confirming the move to cut the data retention period but pointing out that future data retention laws “may obligate us to raise the retention period to 24 months.” In a posting on the official Google blog, Mr Fleischer wrote: “The internet is a global medium, and the principles at stake – privacy, security, innovation and legal obligations to retain data – have an impact beyond Europe, and outside of the realm of privacy. These principles sometimes conflict: while shorter retention periods are good for privacy, longer retention periods are needed for security, innovation and compliance reasons. We believe we’ve struck a reasonable balance between these various factors.”

Monday, June 11, 2007

Privacy Watchdog in India?

Came across this latest press release:

A data privacy watchdog is to be set up in India to oversee the country's IT industry amidst international concerns about the security of outsourced customer records and data. India does not have any data protection law equivalent to that in the UK and there have been recent cases of information being leaked from call centres to criminals who have then blackmailed the companies involved. The Data Security Council of India (DSCI) is being set up by Indian IT industry group Nasscom.

Tuesday, June 05, 2007

Reading to do

I have not had a chance to read this recent report published by the Select Committee on Home Affairs, but according to the latest press release from Out-Law News:


"We consider that in the area of data protection there is evidence of insufficient political appetite for protective measures as compared to law enforcement ones," said the Committee's just-published Third Report. "We note the Minister's expression of continuing Government support for the Data Protection Framework Decision. However, if proposals for a Framework Decision were to be superseded by the data protection provisions in the Prüm Treaty, we would have serious concerns as to whether these were adequate."

Here is the full-text of the report:

