Monday, November 26, 2007

Online advertising

According to this latest press release, the Art. 29 Working Party is investigating behaviour targetting and ads sent to people based on their web surfing. Although it does not touch upon this directly, one has explored the extent to which clickstream data can be protected under the current Data Protection Framework, particularly in the light of the Data Protection Directive 95/46/EC - a topic worthy of some academic discussion at some point. In the meantime, the following report:

"As online advertising comes under greater scrutiny in the United States, European authorities reportedly are also preparing to take a closer look at whether some marketing techniques violate privacy.

The Article 29 Working Party, an arm of the European Union that regulates protection of consumer data, is about to embark on an investigation of behavioral targeting--or sending ads to people based on their Web-surfing history--according to Reuters.

While any rules the EU issues won't directly affect companies in the United States, some companies as a practical matter will implement changes across the board. For example, in response to separate concerns of the EU Working Party, Google recently said it would "anonymize" search logs after 18 months, making it harder to connect specific IP addresses to search queries. That change is taking effect in the United States as well as Europe, although Google didn't face similar regulatory pressure here.

The Article 29 group's move to investigate behavioral targeting comes as privacy groups and consumer advocates in the United States are urging the Federal Trade Commission and other authorities to more closely regulate such techniques. Last month, a coalition of groups proposed that the FTC create a do-not-track list for consumers who don't wish online advertising companies to monitor the Web sites they visit and then send them ads based on their presumed interests.

Earlier this month, the FTC held a two-day town hall meeting about some of the privacy issues raised by behavioral targeting. Ad industry groups like the Interactive Advertising Bureau and Online Publishers Association weighed in against a do-not-track list, arguing that many companies allow consumers to opt out of behavioral targeting. Currently, many big U.S. ad networks participate in the Network Advertising Initiative--a group that formed in 2000 in response to privacy concerns, and that requires member companies to allow consumers to opt out of behavioral targeting programs.

Online ad industry executives also argued to the FTC that behavioral targeting doesn't compromise privacy because the ad companies don't collect so-called personally identifiable information, like names or addresses.

In the last few weeks, however, new variations of online advertising that arguably affect privacy have emerged. Most famously, Facebook earlier this month launched its Beacon program, which informs users' friends about purchases made at other sites. While users can opt out of sharing that data, some people say that Facebook shouldn't publicize information about purchases unless users have affirmatively consented to the program.

Last Tuesday, advocacy group MoveOn.org started a group on Facebook to protest the Beacon program. MoveOn is calling for Facebook to make the program opt-in rather than opt-out. By Sunday evening, around 20,000 Facebook members had joined the group, "Petition: Facebook, stop invading my privacy!"

Some privacy advocates say that any new regulation of online ad techniques abroad will inevitably lead to new policies in the United States as well. "It's a global business," says Jeff Chester, executive director of the Center for Digital Democracy, adding that behavioral targeting companies aren't likely to give consumers more privacy protections in Europe than the U.S. The Center for Digital Democracy argues that companies shouldn't use behavioral targeting techniques unless consumers explicitly consent.

Not all online ad industry executives think the EU investigation will necessarily lead to new regulation. Tacoda founder Dave Morgan, now executive vice president, global advertising strategy at AOL, says he's hopeful that reviews such as the EU's "will spur the online ad industry to adopt more and stronger consumer notice regimes and will drive greater participation in self-regulatory programs like the Network Advertising Initiative."

Source: Online Media Daily

Data Protection Developments

Given the latest press coverage over the benefits data fiasco, powers of the ICO have been increased to include spot checks. However, in a separate development, Privacy International is likely to take legal action on behalf of individuals affected by this against the government.

"More than 300 members of the public have contacted Privacy International since the revelation this week that Her Majesty’s Revenue & Customs unlawfully processed, and subsequently lost, personal details relating to around 25 million individuals. Most of these complainants have requested that PI undertakes, on their behalf, legal action against the government.

Accordingly, this organisation has over the past four days consulted a range of legal experts. The overall conclusion is that there is most likely a case that can be asserted. However, we must concede that not all lawyers are presently optimistic about a positive outcome. Nevertheless, given the unprecedented severity of this case we feel it is important to take some form of action on behalf of the many distressed and vulnerable families that have contacted us. It is even more important to assert the rights of the individual in the face of such circumstances.

We have therefore decided to pursue legal action against the government directly on behalf of the complainants and of course indirectly on behalf of all those people affected by the unlawful disclosure from HMRC. Our current intention is to pursue a claim for a general (not statute-based) breach of a duty of care on the basis of negligence.

We have been made aware that there are cases in which public authorities have been found to be very seriously at fault and where the courts seemed concerned not to impose liability where the claimant was one of a large and indeterminate class of people who might be affected by the careless conduct. The position would be different if the public authority actually created the danger itself or knew or ought to have known about the risk of harm resulting. It appears that courts are more willing to find “proximity” if a smaller group of persons is at risk than the public in general.

Three key issues remain to be resolved in the next few days.

1) We need to decide whether a specific "class" of individuals should be selected from amongst the complainants (for example, those who are in a particularly vulnerable situation). This will possibly help the issue of “proximity”.

2) We need to determine which individual or what department will be the target of the action (a named individual within the government or a section of HMRC), and,

3) We need to agree which law firm will handle the case. We are currently in discussions with potential companies.

Simon Davies, Privacy International’s Director, said:

"In seventeen years as a watchdog we have never received so many complaints over a single privacy issue. People are angry and distressed. They are deeply anxious over the potential threat to their children."

"Governments have hidden behind legal protection over negligence claims for many years. Now it is time to finally resolve the question of liability and duty of care so the citizen can enjoy a remedy against such blatant disregard for personal security."

"We believe there is a case to be heard and it is a case that can be won. However we realise we're going to face an uphill struggle winning that case, but we would be abandoning our responsibilities if we failed to take action."

For further information please contact Simon Davies on simon@privacy.org"

Source: Privacy International to pursue data breach legal action against UK Government

Monday, November 19, 2007

E-Comm Data Protection Law and Policy

Latest issue of E-Comm Data Protection Law and Policy, November 2007 is now available (requires subscription), but see the latest table of contents:

Contents:

# DHS defends PNR programme against 'misplaced' EU criticisms

The US Department of Homeland Security (DHS) has described EU criticisms of the recent controversial 'PNR' agreement, as 'misplaced', rejecting claims of discrimination against EU citizens.

# ICO to review DPA as part of UK's Freedom of Information expansion

The Information Commissioner's Office (ICO) is to lead a review of how personal information is shared in the public and private sector, as part of UK Government plans to expand freedom of information. The review, to be published in 2008, will examine if the Data Protection Act 1998 is adequate to protect shared personal details in the information age and will be led by Information Commissioner, Richard Thomas and Professor Mark Walport, Director of medical research charity, the Wellcome Trust.

# Businesses fined $7.7m for six DNC violations

Businesses have been fined almost $7.7 million for violations of the Do Not Call (DNC) Registry in the United States, in six settlements reached by the Federal Trade Commission (FTC).

Features:

# Editorial: The security debate

The security v privacy debate is heating up. Since 9/11, this has become one of the main challenges for privacy regulators worldwide. Clearly, the need for intelligence is more fundamental than ever in crime prevention terms and legislative measures like the data retention directive are a sign of the things to come. Recent calls for US-style passenger collection and storage obligations in privacy-conscious Europe are another step in that direction and the list of similar measures is bound to grow.

# United States: Department of Homeland Security addresses critics

US privacy policies, such as the recent Passenger Name Record (PNR) agreement, have attracted fierce criticism from European privacy experts. In this article, Lauren Saadat and Shannon Ballard, Associate Directors for International Privacy Policy at the US Department of Homeland Security (DHS), argue why such criticisms are misplaced stating that DHS policies - through recognition of the fundamental principles of transparency, an individual's right to know, individual redress and effective data security - arguably provide greater privacy protections than those offered by equivalent European agencies.

# Opinion: The Future of Privacy: part 1 - 'Privacy 1.0': the need for change

As information technology continues to evolve, regulators, privacy practitioners and citizens are increasingly questioning the suitability of current privacy frameworks to allow the effective processing of personal data whilst safeguarding individual privacy. In the first part of a two-part article, Christopher Millard, Partner at Linklaters LLP, suggests that current approaches to privacy regulation are fundamentally flawed. In particular, Millard argues that most privacy legislation is incompatible with the architecture of the internet and that the imposition by EU member states of bureaucratic obstacles destroys the usability of pre-approved rules which are supposed to facilitate simplified compliance procedures1.

# Personal Data: ICO Guidance: interpretation and consistency with 'Durant'

The recent ICO guidance on the concept of 'personal data' sets out eight questions to help organisations determine if they are processing such data. Some of the questions are designed to assist organisations in determining if information 'relates' to an individual, a key issue which was considered in the recent Durant judgment, which the ICO were bound by in drafting this guidance. Renzo Marchini, Counsel at Dechert LLP's London office, assesses this part of the guidance and its consistency with the Durant judgment.

# New Zealand: Privacy Risk Register: a practical perspective

A service enabling a person's identity to be verified quickly and easily is being built for use by government services in New Zealand. Developing this service while respecting an individual's right to privacy required the continued use of a Privacy Risk Register. Carolyn Adams, project advisor for the Department of Internal Affairs Te Tari Taiwhenua, provides a practical guide explaining how this was achieved.

# United States: Federal Court: ban on NSL notification is unconstitutional

National Security Letters work as administrative subpoenas that allow the FBI to obtain customer records without obtaining a court order. Michael Vatis, a partner in the New York office of Steptoe & Johnson LLP, explains the Federal Court's decision that 'gag' orders, which prohibit electronic communications providers from telling customers that they have received an NSL, violate the First Amendment.

DNA Lecture

There was a lecture held at NTU with Professor Sir Alec Jeffreys discussing the groundbreaking technique of DNA fingerprinting and beyond.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of biology, most notably in forensic and legal medicine. Professor Jeffrey’s lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime. It will also discuss how this work has led to the discovery of some of the most unstable regions of human DNA, and how these can be used to study human evolution in real time and to explore the effects of environmental exposure to agents such as radiation on heritable mutations in human DNA."

We expect the a video version to be available at some point. What was interesting, when listening to his lecture was the moral and ethical dilemmas about genetic information, not simply what the DNA can reveal about individuals, but also the genetic profiles of their relatives. The subject of genetic information and privacy implications is well documented here and here. Jeffreys also touched on the subject of DNA databases. What was disconcerting was that even a minor parking offence would mean that your DNA would be taken - sounds like huge implications for privacy here.

Revisiting the Art. 29 Working Party's guidelines on genetic data, it is vitally important that the privacy of individual's DNA and what he/she is genetically pre-disposed to (whether he/she is party to the information is another matter) is preserved. Here is short extract from their concluding remarks:

"Any use of genetic data for purposes other than directly safeguarding the data subject's health and pursuing scientific research should require national rules to be implemented, in accordance with the data protection principles provided for in the Directive, and in particular the finality and proportionality principles. The application of these principles render the blanket implementation of mass genetic screening unlawful.

Furthermore, in accordance with these principles, the processing of genetic data should be authorised in the employment and insurance fields only in very exceptional cases provided for by law, so as to protect individuals from being discriminated against on the basis of their genetic profile.

In addition, the ease with which genetic material can be obtained unbeknownst to the data subject and the relevant information can be susbsequently extracted from such material, requires strict regulations in order to prevent the dangers related to new forms of "identity theft" – which would be especially dangerous in this sector and might affect fatherhood and motherhood, or even the possibility of using the material for cloning puposes. This is why, in regulating genetic data, one should not fail to consider the legal status of the DNA samples used for obtaining the information at stake. Among the issues addressed, special importance should be attached to the application of a wide range of data subjects' rights to the management of such samples, as well as to destruction and/or anonymisation of the samples after obtaining the required information.

Finally, procedures should be put in place in order to ensure that genetic data are only processed under the supervision of qualified professionals who are entitled to such processing on the basis of specific authorisations and rules.

• In Member States where the purposes and the appropriate safeguards for the processing of genetic data are not established by law, the DPAs are encouraged to play an even more active role in ensuring that the finality and proportionality principles of the Directive are fully respected.

In this respect, the Working Party recommends that Member States should consider submitting the processing of genetic data to prior checking by DPAs, in accordance with Article 20 of the Directive. This should in particular be the case with regard to the setting up and use of bio banks."

See also (not exhaustive):


Monday, November 12, 2007

Facebook, Social ads and the Data Protection Act 1998

There has been a lot of discussion centred on the facebook social ads and the likely privacy implications arising from this:

FACEBOOK wants to put your face on advertisements for products that you like.

Mark Zuckerberg, Facebook’s founder, discussed his company’s social advertising plan with marketers in New York.

Marko Georgiev for The New York Times

Facebook.com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

Source: Story, L. Facebook is marketing your brand preferences

Question: What about the Data Protection Act 1998?

What is absent from the debate is the extent to which individuals in the UK can use the Data Protection Act 1998 to request that Facebook do not use such information without their consent:

s 11 of the Data Protection Act 1998 (on the Right to Prevent Processing for Purposes of Direct Marketing) provides that:

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he/she is the data subject.

(2) If the Court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

In other words, you are entitled to request from Facebook that your profile is not used for the purposes of the Social Ads.

What about the Data Protection Principles?

There is the question whether facebook is adhering to the second data protection principle under the UK Data Protection Act 1998 that 'personal data shall be obtained only if one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.' In other words, the user's name or image for marketing is beyond the purpose for which social networking was intended to be used. Further information can also be found on the UK ICO website.

More can be written on the application of the Data Protection Act to social networking websites, but this will have to be another article at some point. So, why wait, start complaining and exercise your data protection rights!

For more on the privacy implications arising from social networking, see also:

Thursday, November 08, 2007

Personal Data - this time through the CFI

The European CFI has issued its judgment today in the case, the Bavarian Lager Co v European Commission (T-194/04). The facts of the case were briefly noted in the Times Newspaper:

"The lucrative business of lobbying is set to become more transparent in Brussels after a European court ruled that privacy laws could not be used to keep lobbyists’ names secret. The European Court of First Instance ruled today that the European Commission was wrong to refuse to identify the attendees of a crucial meeting about competition in the beer industry. The Commission claimed that identifying the attendees would have been a breach of their privacy. But this morning the court said that the Commission could only refuse in limited circumstances in which the information at stake was “personal data that are capable of actually and specifically undermining the protection of privacy and the integrity of the individual”. The court added that just because a lobbyist attends a meeting with the Commission as a representative of a collective group, it does not give them an automatic right to privacy. Such a meeting — thousands of which take place with various European institutions every year — does not fall “within the sphere of [the lobbyist’s] private life” and therefore revealing attendees names “cannot constitute an interference with his private life”. The case centred on a 1996 meeting between representatives of the beer industry and European officials. Shortly after the meeting, the Commission abandoned an investigation into whether a UK law limiting the sale of certain beers was illegal. Andrew Ronnan, founder of the Bavarian Lager Company, an importer that claims to have lost out because of these rules, has been fighting to find out who attended the meeting ever since. The Commission supplied Mr Ronnan with the minutes but erased the names of five individuals. Mr Ronnan, who said he was “delighted” with today’s decision, believes the Commission will now have to identify the five people. He told Times Online that if, as he suspects, these individuals were representatives of businesses that profited from the investigation being dropped, he would be asking his lawyers to explore a compensation claim."

What is noteworthy is the concept of "personal data", which the CFI discussed in some detail in the context of Regulation (EC) No 45/2001 (on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ 2001 L 8, p. 1), was adopted on the basis of Article 286 EC):

Paras, 117 - 120:

"117 Moreover, exceptions to the principle of access to documents must be interpreted restrictively. The exception under Article 4(1)(b) of Regulation No 1049/2001 concerns only personal data that are capable of actually and specifically undermining the protection of privacy and the integrity of the individual.

118 It should also be emphasised that the fact that the concept of ‘private life’ is a broad one, in accordance with the case-law of the European Court of Human Rights, and that the right to the protection of personal data may constitute one of the aspects of the right to respect for private life (see, to that effect, the Opinion of Advocate General Leger in Parliament v Council and Commission, point 209), does not mean that all personal data necessarily fall within the concept of ‘private life’.

119 A fortiori, not all personal data are by their nature capable of undermining the private life of the person concerned. In recital 33 of Directive 95/46, reference is made to data which are capable by their nature of infringing fundamental freedoms or privacy and which should not be processed unless the data subject gives his explicit consent, which implies that not all data are of that nature. Such sensitive data may be included in those referred to by Article 10 of Regulation No 45/2001, concerning processing relating to particular categories of data, such as those revealing racial or ethnic origin, religious or philosophical beliefs, or data concerning health or sex life.

120 It follows from the whole of the above that, in order to be able to determine whether the exception under Article 4(1)(b) of Regulation No 1049/2001 applies, it is necessary to examine whether public access to the names of the participants at the meeting of 11 October 1996 is capable of actually and specifically undermining the protection of the privacy and the integrity of the persons concerned."

The decision should be welcomed not only for its certainty, but revisits the application of the scope of Art. 8 of the ECtHR.