Tuesday, October 02, 2007

UK's implementation of the Data Protection Directive

The Guardian reported the following story yesterday:

"Europe's concern over UK data protection 'defects' revealed. Clare Dyer, legal editor, Monday October 1, 2007, The Guardian

The European Commission is threatening legal action against the UK government for failing to properly safeguard individuals' personal data. The commission has raised questions over the way the Data Protection Act and other legislation have implemented 11 articles of the 34-article European data protection directive - almost one-third of the whole. It has warned that it could take the UK to the European court of justice in Luxembourg if negotiations over the alleged defects fail. The investigation has been going on for more than three years, but the extent of the alleged shortcomings in UK law has been kept secret. Ministers have refused to release details of the negotiations to parliament, but the EC, in response to a freedom of information request, has now revealed the wide range of its concerns. The disclosure comes as a new law, coming into force today, compels phone companies to retain information about all landline and mobile phone calls, and make the data available to more than 700 official organisations, including police, security services, tax authorities, NHS trusts and local councils. The move brings into UK law a European directive, the data retention directive, aimed at "the investigation, detection and prosecution of serious crime". It has attracted little notice because it was put into UK law by a statutory instrument, made under the European Communities Act 1972, rather than by a new act of parliament. The government also plans to extend the powers to cover email and internet activity. The information commissioner, Richard Thomas, will monitor the security of the data kept under the new data retention rules. He also plays a major role under the Data Protection Act in making sure individuals' privacy is protected when their personal data is processed and used. But as part of its investigation into UK data protection laws the European Commission accuses the UK of not giving the commissioner strong enough powers."

In the meantime, the UK ICO has issued its latest guidance notes on the notion of "personal data", taking into account the Art. 29 Working Party's recent guidance.

Monday, October 01, 2007

IASTED Law and Technology

I have been absent for the last week for the IASTED Law and Tech Conference, which was held in Berkeley, California and ran concurrently with the CNIS and FEA. There were some interesting papers given (though not as well attended as one would have anticipated). To name a few (not exhaustive):

S. Marco and M. Doris (UK): Online Gambling – Reconciling New Technology and the International Consumer Interest - described the current situation of online gambling at a UK and European level.

S.R. Cross. Consumer Protection Compliance in Agent Negotiated Business to Consumer Transactions - particularly whether agents could theoretically contract in a B2C environment.

G. Finocchiaro, E. Pelino, and A. Ricci (Italy). Legal Issues Related to Privacy and Anonymity in Mobile Objects Communications - the notion of the "control of personal information" and "anonymity" was discussed.

Mr David Molnar (US) on the use of RFIDs in Berkeley, California - describing this from a technological perspective and the current framework (Californian).

There have been a few papers written on RFIDs and data protection, so the use of RFIDs (be it library cards, passports etc.) and its prevalence over there raises the question of whether the debate on RFIDs and surveillance is just a matter of time in the UK.

See also: