Friday, September 21, 2007

UK Data Retention (EC Directive) Regulations 2007

As noted in my previous post, the UK Data Retention (EC Directive) Regulations 2007 will take effect on 1st October 2007. These regulations implement the Data Retention Directive 2006/24/EC and apply to public communications providers. Public communications providers are defined under Regulation 2(d) as:

(i) a provider of a public electronic communications network; or

(ii) a provider of a public electronic communications service;

Data will be retained for a period of 12 months from the date of communication (Regulation 4(2)). What is less than clear is whether a public communications provider can retain data for more than 12 months. The types of data to be retained are telephone numbers and mobile numbers (Regulation 5(1) and 5(2)). Under Regulation 8, the UK ICO continues to monitor the application of these regulations. The Regulations do not require data on Internet access, Internet e-mail or Internet telephony to be retained (Regulation 4(5)). The Data Retention Directive, however, allows Member States to extend the rules to internet data at a later date, provided these rules are in force by 15 March 2009 (Art. 15(3)).

Luxembourg: Data Protection

(via Privacy, Laws and Business)

"On 1 September, Luxembourg modified its data protection law, removing some obligations to notify data processing to the CNPD (the national data protection authority) and simplifying other regulations.

The most common data processing in business and administration, such as that for human resources, no longer must be notified to the CNPD. Data processing by some professionals (lawyers, notaries, doctors, journalists, for example) will be considered to be sufficiently protected by professional ethics. The lists and conditions regarding the new rules on notification are on the CNPD website.

Data processing notification rules are also simplified for scientific research and health professionals, including clinical research for pharmaceutical companies. Data processing officers in charge of data protection for firms can now be employees of the firm (formerly they could only be external consultants). This means that these companies are exempt from notification requirements.

Perhaps the most significant change is that Luxembourg no longer extends protection to the privacy of legal persons, such as companies, as it does to natural persons. Of course, personal data processed by legal persons is covered by the amended data protection law."

Monday, September 17, 2007

UK's Implementation of the Data Protection Directive

Out-Law has recently put this post up (they have been successful in making an FOI request):

"EXCLUSIVE: The UK's Data Protection Act (DPA) does not implement European law properly, according to the European Commission which is investigating problems in the UK's implementation of 11 of the Data Protection Directive's articles, almost a third of the entire Directive.

Using freedom of information legislation, OUT-LAW.COM has learned that 11 articles are the subject of two Commission letters to the UK Government, even though the Government has refused to provide these details to Parliament. The Ministry of Justice has rejected the Commission's claims and told OUT-LAW.COM that the UK Government believes it has implemented the Directive fully.

In June 2005, Labour MP Harry Cohen asked the Government exactly what problems the Commission had identified when it said that the DPA was a defective implementation of the Directive.

Parliamentary undersecretary Bridget Prentice refused to answer.

"We currently have no plans to disclose the detail of those discussions as the formal Commission investigation process is still taking place," she said. "If the Government were to disclose the information requested, it would prejudice the negotiating process between the UK and the Commission and so prejudice UK interests".

The articles of the Directive which the Commission claims have not been implemented properly are articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 – just under a third of the 34 articles in the Directive.

These Articles relate to: the definitions used in the Directive (e.g. the meaning of personal data); the scope of the Directive's application to manual files; the conditions when sensitive personal data can be processed; the fair processing notices given to individuals; the rights granted to data subjects; the application of exemptions from these rights; the ability of individuals to seek a remedy when there is a breach; the liability of organisations for breaches of data protection law; the transfer of personal data outside the European Union; and the powers of the Information Commissioner.

Data Protection expert Dr Chris Pounder of Pinsent Masons, the law firm behind OUT-LAW.COM, said that the extent of the objections reflects official attitude towards data protection policy. "All UK Governments involved in implementing the Directive have had a policy of minimising the Data Protection Directive's effect," he said. "The number of problems raised by the Commission seem to indicate that the UK Government may have misjudged the situation and minimised the effect of too many obligations".

"The fact that the Commission has a problem with so many of the articles in the Directive is a surprise," he said. "I had expected just a handful of objections linked to the Court of Appeal decision in the Durant case."

That landmark ruling from 2003, in Michael Durant's dispute with the Financial Services Authority, narrowed the scope of what constituted personal data under the Data Protection Act.

Pounder continued: "Instead, there are unexpected issues, for example, in relation to transfers, fair processing notices, exemptions, powers of the Commissioner, penalties and remedies."

The Commission's investigations were not prompted by a complaint. They were initiated by the Commission itself, though they are thought to have been provoked by the Durant ruling.

A statement issued to OUT-LAW by the Ministry of Justice on Friday said: "The European Commission, as part of its review of the implementation of the 1995 Data Protection Directive by each member state, have raised a number of issues with the UK."

"We are in discussion with the Commission about these issues. We believe that the UK has properly implemented the Data Protection Directive via the Data Protection Act 1998 and other relevant provisions of UK law," it said.

The Commission sent the UK Government its first letter on the issue in 2004, setting out the problems with the Data Protection Act. Until now, those objections have remained secret. The letter threatened proceedings before the European Court of Justice if negotiations with the UK stalled."

Saturday, September 15, 2007

Data Protection Developments: Indian IT Act to be amended


"NEW DELHI: In its effort to face the upcoming tough challenges in cyber crime, India is all set to bring comprehensive amendments in Information Technology Act 2000.

IT and Communications Minister A Raja on Friday announced that the proposed amendments would address a number of serious concerns such as data protection, data theft, e-commerce frauds, child pornography, identity theft, privacy issues and immunity to intermediaries among others.

An official indicated that the proposed changes would include stiffer quantum of punishment, especially in areas such as child pornography, ID theft and privacy issues.

The proposed changes in the Act are based on our experience during the last seven years and inputs received from various international bodies, Raja said at the concluding day of the 7th Interpol Cyber Crime conference held in New Delhi from September 12 to 14.

Before placing the amended Act in public domain for comments, the IT Ministry is holding discussions with various stakeholders to fine tune the amendments.

Discussions are being held with the stakeholders, including private companies, CBI and other investigative agencies, he said."


Friday, September 14, 2007

Google and Internet Privacy

FT reports the following story:

"Google will on Friday attempt to take the high ground in the debate over internet privacy, by calling for new international laws to be set up to protect personal information online. An international body such as the United Nations or the OECD should draw up new guidelines, Peter Fleischer, global privacy counsel for Google will tell Unesco members at a conference in Strasbourg on Friday.

Google has become a focal point for a debate on internet privacy since European Union data protection bodies earlier this year questioned the length of time the company kept data on individuals using its search engine. Google was also criticised by Privacy International, the human rights group, as being potentially “hostile” to privacy.

Since then, Google has taken steps to improve its image. It agreed to limit the time it keeps search data to just 18 months, and has started working with Privacy International in order to be removed from the organisation’s blacklist.

Going further on the offensive, Mr Fleischer on Friday will say he believes existing internet privacy rules are out of date. The OECD’s guidelines on privacy and personal data, for example, were set up in 1980, well before the invention of the internet, and even the European Commission directive on privacy dates back to 1995, when the internet was still in its infancy.

“Privacy laws have not kept up with the reality of the internet and technology, where we have vast amounts of information and every time a credit card is used online, the data on it can move across six or seven countries in a matter of minutes,” Mr Fleischer told the Financial Times ahead of his speech. Eric Schmidt, chief executive of Google, is expected to add his voice to the campaign over the next few weeks.

Google is proposing that the privacy framework adopted in Asia by ministers at the Asia-Pacific Economic Co-operation conference in 2004 could be used as a basis of a broader, international agreement. The Apec agreement is relatively loose, setting out general principles, such as notifying individuals when their data is collected, but leaving enforcement up to individual countries.

Simon Davies, director of Privacy International, said: “There seems to be a perceptible shift within the company. Over the past few months it seems that senior people have understood that privacy issues can affect the value of the company.” Mr Davies said the steps Google was taking were “symbolically huge and significant, but whether they have any meaning beyond that, no one can yet tell”.

Analysts say it is crucial for Google to maintain an impeccable reputation on privacy, or it may begin losing users. A number of smaller search engine companies are already using the recent concerns over Google’s data policies as an opportunity to poach users."

Thursday, September 13, 2007

Surveillance and Society Conference 2008

InVisibilities: The Politics, Practice and Experience of Surveillance in Everyday Life

A two-day international conference hosted by the Centre for Criminological Research, University of Sheffield in association with the Surveillance Studies Network

Wednesday 2nd April - Thursday 3rd April 2008


While many of the world’s nations are becoming surveillance societies, the nature of life with surveillance in those societies is far from homogeneous, and is not widely researched or theorised. This conference focuses on the lived realities of surveillance and is keen to encourage empirical studies which document its everyday experience.

By its very nature surveillance makes populations visible, and differentiates between their members; surveillance itself features varied techniques, intensities and foci. Whether as workers, consumers, children, patients, criminals, web surfers or travellers we are made visible in different ways, through different technologies and administrative regimes. Visibility is not always total, unproductive or oppressive – visibility is necessarily partial. For some it is actively embraced: lives are lived in visibility.

Nevertheless, widespread ambivalence towards surveillance has been noted in academic, policy and media circles. As surveillance confers benefits and incurs costs on individuals, personal information economies of surveillance emerge. In building personal strategies which involve surveillance practices, invisibilities are negotiated to mediate, limit and exploit exposure to surveillance. How individuals, groups, organizations and societies negotiate, experience, resist, comply with, and enjoy surveillance are critical empirical questions, which appeal to surveillance scholars from a wide range of social science disciplines.

Key themes to include:

• Experiencing Surveillance and Visibility
• Participatory and Voluntary Surveillance
• Theorising (in)visibility
• Histories of Surveillance and Visibility
• Surveillance of the Other - Visibility and Difference
• Representations of Surveillance in Film/Art/Literature/Media
• State Surveillance and Identification
• Surveillance, visibility and the welfare state
• Surveillance and consumer visibility
• The transparent body
• Electronic visibilities
• (In)visibility and labour
• Negotiating (in)visibility
• Researching (in)visibility
• Spatial visibilities
• Surveillance futures

Submission of Abstracts and Expressions of Interest

If you would like to give a paper please submit your abstract to Lisa Burns at the University of Sheffield by January 31st 2008. Abstracts should be no longer than 500 words. Your abstract should also contain the following information.

• Name
• Country of residence
• Institutional affiliation
• Institutional address
• Telephone number
• Email address

On the same theme of surveillance, Queen's University, Kingston has been working on the Surveillance Project.

Monday, September 10, 2007

Surveillance Seminar

Researchers working on surveillance:

Seminar: 'Surveillance in Scotland: Current Practices and Future Prospects'

The University of Edinburgh's Public Policy Network and the Scottish Regional Office of the (UK) Information Commissioner's Office (ICO) are pleased to invite you to a one-day seminar on Friday, 5th October 2007 on the nature, extent and diversity of surveillance practices, systems and technologies in the private and public sectors, including the collection and sharing of personal information and databases, as well as video surveillance, DNA and biometric identification systems, and many other forms of monitoring people's movement, habits and behaviour.

Surveillance has become an important and controversial public issue as the needs of commerce and government press forward to use citizens' and customers' personal information for a host of purposes, including marketing, banking, law enforcement, counter-terrorism, and the delivery of public services. Questions of privacy and civil liberties are implicated in these developments. The aim of the seminar is to inform and to encourage a wider public debate about these issues, especially as they affect daily life in Scotland now and in the future.

Drawing upon the widely acclaimed report, 'A Surveillance Society', specially commissioned from the Surveillance Studies Network (SSN) by the Information Commissioner's Office, the seminar will feature presentations by authors of the SSN report and the ICO, as well as by representatives of Scottish Government, ICO, the police, and the worlds of industry, politics and human rights protection. The seminar will be held at the University's Moray House College of Education, Holyrood Campus, from 9.30 am to 4 pm on the 5th October. There is no charge for attendance at the seminar, which will include a buffet lunch. Details of the venue and programme will be circulated by e-mail to those attending.

Attendance will be limited, so to secure your place please RSVP to the Information Commissioner's Office before the 24th September.

Professor Charles Raab (PPN, University of Edinburgh) Dr. Ken Macdonald (ICO)

Wednesday, September 05, 2007

UK National DNA Database

A national debate is emerging about the UK National DNA Database. Times reports:

"A senior judge has said the entire UK population and every visitor to the country should be on the national DNA database.

Lord Justice Sedley, one of the most experienced Appeal Court judges in England, said that an extended database would aid crime prevention and the current database was unfair and inconsistent.

He told BBC News: “Where we are at the moment is indefensible. We have a situation where if you happen to have been in the hands of the police, then your DNA is on permanent record. If you haven’t, it isn’t... that’s broadly the picture.”

Sir Stephen said disproportionate numbers of ethnic minorities get on to the database where there is ethnic profiling going on.

He added: “It also means that a great many people who are walking the streets, and whose DNA would show them guilty of crimes, go free”.

There are currently four million profiles held on the national DNA database.

Critics say those who commit certain offences should have their details removed after a set period.

The DNA database - which is 12 years old - grows by 30,000 samples a month taken from suspects or recovered from crime scenes. It is the largest in the world.

The data of everyone arrested for a recordable offence - all but the most minor offences - remains on the system regardless of their age, the seriousness of their alleged offence, and whether or not they were prosecuted.

It includes some 24,000 samples from young people between 10 and 17 years old, who were arrested but never convicted.

Sir Stephen said reducing the database would be a mistake. He knew of cases where a serious offender who had escaped conviction had ultimately been brought to justice by DNA evidence that may have been otherwise destroyed.

He said the only option was to expand the database to cover the whole population and all those who visit the UK.

Professor Stephen Bain, a member of the national DNA database strategy board, warned expansion would be expensive and make mistakes more likely.

"The DNA genie can't be put back in the bottle," he said.

"If the information about you is exposed due to illegal or perhaps even legalised use of the database, in a way that is not currently anticipated, then it's a very difficult situation."

Aside from the practicalities of a national DNA database, there will inevitably be data protection, privacy and human rights implications. Irrespective of one's views on this (at this stage):

Monday, September 03, 2007

Privacy Market?

Wired has published this story concerning the privacy market. Putting on my "privacy hat", the idea of a "Privacy Market" is disagreeable - this is particularly the case when personal information is viewed as a commodity rather than a human right as such (see Art. 1 of the Data Protection Directive 95/46/EC). This is not to imply that privacy is absolute (as can be seen in the exemptions under the European Data Protection Directive and the UK Data Protection Act 1998 and instances where we need to give our personal details), but once we start thinking of an individual's identity as something that can be traded commercially (property right), then this is a slippery slope into conceding that personal information is nothing more than monetary value.

"The Privacy Market Has Many Sellers, but Few Buyers"

By Dan Tynan 09.03.07 2:00 AM

Privacy is fast becoming the trendy concept in online marketing. An increasing number of companies are flaunting the steps they've taken to protect the privacy of their customers. But studies suggest consumers won't pay even 25 cents to protect their data.

In one week in July, unveiled AskEraser, a tool that will allow users to obliterate their search histories; Microsoft announced enhanced privacy controls for its Windows Live service; and Google and Yahoo shrank the amount of time they retained IP addresses and search logs, reducing the ability of government agencies to subpoena such data.

Startups are aiming to carve out a piece of the privacy market. ReputationDefender, which allows individuals to manage what people say about them online, launched the beta version of a new subscription service on Sep. 1. Its service, called MyPrivacy, lets users control how their personal data is brokered across the web (the service was announced last fall but is only now publicly available). Suddenly it seems that "privacy is the new black," as Duncan Riley wrote at TechCrunch.

For $5 a month, MyPrivacy subscribers can locate their records in people-search directories, such as Yahoo People Search and Netscape White Pages, and click a button to remove their listing. As long as you keep paying, the service will keep you unlisted when these information brokers refresh their directories. MyPrivacy will feature at least 10 major consumer databases at launch and expects to have 75 such information brokers signed on by year end.
