Although the Data Protection Directive is unlikely to be altered in the short-term, the subject of effective national data protection laws and the topic on global privacy and jurisdiction issues will continue to relevant for sometime to come. I see another article at some point!
Friday, July 27, 2007
Wednesday, July 25, 2007
"Other search engines follow Google's disputed privacy lead. The internet's major search engines are following Google's lead in limiting their collection of information about web users and their searches. Microsoft, Yahoo! and Ask.com are taking action after controversial policy changes by Google. Google announced earlier this year that it would anonymise search engine logs after between 18 and 24 months, later reducing that period to 18 months. It had previously kept the link between searches and the IP address of a user indefinitely. Though it was increasing the privacy protections afforded to users, Google was criticised by data protection officials for keeping the link between searches and a user's identity for as long as 18 months. Google's competitors have now said that they will change their retention policies as well, and have called for industry consensus on the issue. Microsoft and Ask.com have together called on the search industry to create communal safeguards for user data. Microsoft and Ask.com want academics, companies and activists to jointly create guidelines on the duration for which user behaviour can be saved. They want a single, standardised approach to replace individual privacy policies. "This is all about trust," said Peter Cullen, a chief privacy strategist for Microsoft. "It's in the interest of the companies, it's in the interest of consumers."
OUT-LAW News, 25/07/2007
Also worth reading:
- Digital anonymity and the law : tensions and dimensions / edited by C. Nicoll, J.E.J. Prins, M.J.M. van Dellen.
Wednesday, July 18, 2007
The case was brought by a Spanish music and audiovisual association after telecoms provider Telefonica refused to hand over the names and addresses of its Internet clients suspected of running illegal file sharing sites. The association, Promusicae, wanted to identify the clients, who used the file-sharing program KaZaA, so it could start taking action against them.
Example No. 15: dynamic IP addresses The Working Party has considered IP addresses as data relating to an identifiable person. It has stated that "Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically “log” in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the [Data Protection] Directive. Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright holders in order to prosecute computer users for violation of intellectual property rights), the controller anticipates that the "means likely reasonably to be used" to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data. A particular case would be that of some sorts of IP addresses which under certain circumstances indeed do not allow identification of the user, for various technical and organizational reasons. One example could be the IP addresses attributed to a computer in an internet café, where no identification of the customers is requested. It could be argued that the data collected on the use of computer X during a certain timeframe does not allow identification of the user with reasonable means, and therefore it is not personal data. However, it should be noted that the Internet Service Providers will most probably not know either whether the IP address in question is one allowing identification or not, and that they will process the data associated with that IP in the same way as they treat information associated with IP addresses of users that are duly registered and are identifiable. So, unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.
Source: Art. 29 Working Party 4/2007 on the Concept of Personal Data
There have been relatively few cases in the UK that touches on IP addresses and filesharing, but one interesting case study to consider the is APB's case, whereby the APB collected IP addresses to ascertain the identity of filesharers, details which I won't go into, but have read through at http://www.slyck.com/story823.html and here.
Friday, July 13, 2007
The European Parliament looked into the recent agreement signed by the EU-US dministration for the transfer of air passengers' data and concluded in its resolution that the new deal still fails to offer an adequate level of data protection and it has been concluded without any involvement of parliaments from both sides, lacking democratic oversight. While recognising the difficult conditions under which the negotiations took place, MEPs regret that the EU-US agreement for the transfer of Passenger Name Records (PNR) is "substantively flawed", in particular by "open and vague definitions and multiple possibilities for exception". Even though Parliament welcomed the provision that existing data protection law for US citizens (US Privacy Act) will be extended administratively to EU citizens' data processed in America, MEPs felt there is still much more to be improved. Some of their main concerns regarding the new agreement re: USE: The handling, collection, use and storage of personal data from air passengers by US Department of Homeland Security is not founded on a legal agreement but on non-binding assurances remitted in a letter, which can be unilaterally changed.PURPOSE: PNR transfer is not limited to fighting terrorism, it can also be used for other "unspecified additional purposes" by the US government.SENSITIVE DATA: Information regarding ethnic origin, political opinions, sex life of the individual, etc. will be also made available and can be used by the US Homeland Security Department in exceptional cases.ACCESS: The fields of data which can be accessed from each PNR file have been reduced from 34 to 19, but "the reduction is largely cosmetic due to the merging of data fields instead of actual deletion."RETENTION PERIOD: Data can be retained for longer periods with the new agreement: from 3.5 years to 15. Besides that, PNR data will be kept for seven years in "active analytical databases", leading to a big risk of massive profiling, contrary to EU principles.THIRD COUNTRIES: Parliament strongly opposes to the fact that third countries in general may be given access to PNR data if adhering to specified conditions by the US government. The EU has accepted "not to interfere" concerning the protection of EU citizens' PNR data shared by the US with third countries. Finally, MEPs demand the Commission to clarify Commissioner Frattini's statements regarding the possible creation of an EU PNR system to be used in Europe and called national parliaments of Member States to examine the present draft agreement carefully.Source: European Parliament: Justice and Home Affairs Press release 12/7/07
Wednesday, July 11, 2007
A "horrifying" number of companies, government departments and other public bodies have breached data protection rules in the past year, a report says. The UK's Information Commissioner Richard Thomas said bosses must take the personal data of both customers and staff seriously. Orange, Barclays and NatWest are three of the firms he has rapped this year. The Ministry of Justice said prison sentences could be given to those who deliberately misuse personal data. Mr Thomas received nearly 24,000 enquiries and complaints about personal information issues in 2006-07. His report said 56.5% of these required only advice and guidance, while a breach was likely to have happened in 35% of cases, of which a further 77% resulted in remedial action. "Frankly these are inexcusable. None of this is really rocket science - security is fundamental," he told BBC Radio 4's Today programme.
Just a reminder of the data protection principles under the Data Protection Act 1998 and in particular, the 7th data protection principle:
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
For any organisations that handle personal information, a few questions (not exhaustive, but let me know if there are any more) that will need to asked:
- Who is your data protection officer?
- Are there training sessions to raise awareness of the importance of data protection?
- Who do I complain to where there is a security breach?
- What are my rights? (On this, visit the UK ICO website)
Monday, July 09, 2007
Wednesday, July 04, 2007
"As a general consideration it has been noted that the European lawmaker intended to adopt a broad notion of personal data, but this notion is not unlimited. It should always be kept in mind that the objective of the rules contained in the Directive is to protect the fundamental rights and freedoms of individuals, in particular their right to privacy, with regard to the processing of personal data. These rules were therefore designed to apply to situations where the rights of individuals could be at risk and hence in need of protection. The scope of the data protection rules should not be overstretched, but unduly restricting the concept of personal data should also be avoided. The Directive has defined its scope, excluding a number of activities, and allows flexibility in the application of rules to activities that are within its scope. Data protection authorities play an essential role infinding an appropriate balance in this application (see paragraph II).
The Working Party’s analysis has been based on the four main “building blocks” that can be distinguished in the definition of “personal data”: i.e. “any information”, “relating to”, “an identified or identifiable”, “natural person”. These elements are closely intertwined and feed on each other, but together determine whether a piece of information should be considered as “personal data”. The analysis is supported by examples from the national practice of European DPAs.
• The first element – “any information” – calls for a wide interpretation of the concept, regardless of the nature or content of the information, and the technical format in which it is presented. This means that both objective and subjective information about a person in whatever capacity may be considered as “personal data”, and irrespective of the technical medium on which it is contained. The opinion also discusses biometric data and the legal distinctions with human samples from which they may be extracted (see paragraph III.1).
• The second element – “relating to” – has so far been often overlooked, but plays a crucial role in determining the substantive scope of the concept, especially in relation to objects and new technologies. The opinion provides three alternative elements – i.e. content, purpose or result – to determine whether information “relates to” an individual. This also covers information that may have a clear impact on the way in which an individual is treated or evaluated (see paragraph III.2).
• The third element – “identified or identifiable” – focuses on the conditions under which an individual should be considered as “identifiable”, and especially on “the means likely reasonably to be used” by the controller or by any other person to identify that person. The particular context and circumstances of a specific case play an important role in this analysis. The opinion also deals with “pseudonymised data” and the use of “key-coded data” in statistical or pharmaceutical research (see paragraph III.3).
• The fourth element – “natural person” – deals with the requirement that “personal data” are about “living individuals”. The opinion also discusses the interfaces with data on deceased persons, unborn children and legal persons (see paragraph III.4).
The opinion finally discusses what happens if data fall outside the scope of the definition of “personal data”. Different solutions may be available to deal with issues in these cases, including national legislation outside the scope of the Directive, provided that other community law is respected (see paragraph IV). "
Full text: Opinion 4/2007 on the concept of Personal Data (pdf)
For more on PETS, see:MPs have joined the European Commission in backing the use of privacy enhancing technologies (PETs) to protect personal data, despite UK government fears it could limit the activities of security and law-enforcement agencies. The European Union (EU) wants to encourage the development of standards for the processing of personal data using Pets. Such a move could lead to international standardisation of technical rules on security measures for data protection, according to a report from the Commons European Scrutiny Committee.
Tuesday, July 03, 2007
Case C-73/07: Reference for a preliminary ruling from the Korkein hallinto-oikeus (Finland) lodged on 12 February 2007 - Tietosuojavaltuutettu Official Journal C 95, 28/04/2007 p. 19
The main questions to the ECJ are:
(b) published alphabetically in a printed publication by income bracket and municipality in the form of extensive lists,
c) disclosed onward on CD-ROM to be used for commercial purposes, and
d) processed for the purposes of a text messaging service whereby mobile phone users can, by indicating an individual's name and home municipality and texting to a given number, receive in reply data on the earned income, income from capital and wealth of the individual indicated, to be regarded as the processing of personal data within the meaning of Article 3(1) of Directive 95/46/EC (1)
3. Is Article 17 of Directive 95/46/EC to be interpreted in conjunction with the principles and purpose of the Directive as precluding the publication of data collected for journalistic purposes and its onward disclosure for commercial purposes?
4. Can Directive 95/46/EC be interpreted as meaning that personal data files containing, solely and in unaltered form, material that has been published in the media fall altogether outside its scope?
The judgment is likely to take some time (as in the case of Lindqvist), but points worth noting is:
a) Extensive interpretation of what constitutes "processing" under Art. 3(1), definition under the Data Protection Directive is fairly wide.
b) Interpretation of Art. 17 of the Data Protection Directive - odd to have the discussion on the security of processing to be included in the question.
c) Journalistic purposes are covered under Art. 9 of the Data Protection Directive. Art. 9 also covers the processing of personal data for literary and artistic purposes. The Art. 29 Working Party has published guidelines (pdf) on Art. 9 quite a while ago in 1997.
Monday, July 02, 2007
European negotiators reached a provisional deal with the United States on Wednesday, ending a year of wrangling over how to share information about trans-Atlantic air passengers that Washington says is needed to fight terrorism. The tentative agreement will be put to envoys from all 27 European Union nations Friday for approval, said the diplomats, who spoke on condition of anonymity because the deal has not been finalized. Differences over how to balance security needs with concerns over passengers' privacy had deadlocked negotiations since a 2004 deal on data sharing was voided by an EU court last year for technical reasons.