Monday, September 29, 2008

Phorm developments

Last post of the day, some developments are emerging from the controversial Phorm project (courtesy of PC Pro), which has been the subject of much discussion:

BT's third Webwise trial will begin tomorrow, with 10,000 random customers asked to participate.

"BT customers are being invited to take part in the trial, which will take place over a number of weeks. Following successful completion of this trial and an appropriate period of analysis and planning, it is currently expected that Phorm's platform will be rolled out across BT's network," says an announcement released by Phorm today.

Two previous trials have been conducted in secret by the companies, causing controversy among customers and privacy advocates.

Pressure groups such as Bad Phorm have sprung up to counter the scheme, and the City of London Police questioned BT over the legality of the experiments.

The third test was expected to start in June this year, when it was announced that the trial was to begin imminently. However, the launch was delayed by the surrounding controversy.

This negative attention has now subsided somewhat after the police announced last week that it would not be conducting a formal investigation. The trial also got the go-ahead from the Information Commissioner's Office earlier this year - as long as it was conducted on an opt-in basis. The company is still under the watchful eye of the EU, though.

See also:

Getting to grips!

This article is worth reading and stems from a previous post sometime back on Professor Pausch's lecture on "Time management". In her abstract, the author discusses some of the issues raised on higher education. The title of the article is Two jobs, two lives and a funeral: legal academics and work-life balance (2004):

"Changes in higher education over the last twenty years have led to a huge increase in the workload of legal academics. At the same time, there are many more choices as to how to spend time outside the workplace. Research shows that academics around the world are finding the maintenance of work-life balance an increasingly difficult issue. This article uses data from a qualitative study of legal academics in the U.K. to illustrate the particular effects of changes in higher education policy on the workload of those working in law schools. While no easy solutions are offered, it is suggested that it is time for legal academics to engage in some Socratian self-examination."

"The latter interpretation of Four Weddings and a Funeral has many resonances for contemporary legal academics, particularly in relation to the problem of work-life balance. Just as for Charles, the problems are immediate, pressing and difficult. They cannot be shelved for later consideration, because life moves on – in the same way as the threat of Carrie’s imminent marriage puts pressure on Charles, legal academics are faced with the immediate prospect of children growing up, partners getting older, ties with friends becoming weaker and opportunities for personal growth being lost. At the same time law schools are making ever-increasing demands upon the time and energy of their staff. It is almost inevitable that when faced with choices about the balance between different strands of their lives individual legal academics will sometimes behave like Charles; they will prevaricate, procrastinate and make mistakes (the latter in itself a potentially humiliating experience for those whose professional life is so intimately bound up with making rational judgements). "

The article is useful and highlights some issues for scholars contemplating of entering into legal academia in the UK. What would be useful is how this compares with other professions such as journalism etc. Some final thoughts from the same author:

"Perhaps the obvious answer is that we need to engage in some serious philosophical analysis. The unexamined life, said Socrates, is not worth living. If our lives are to be worth living, both in Socrates’ sense and at a more pragmatic level, we need to be able to examine our lives and make reasoned choices about how we spend our time. Others within the academy who observe the inhabitants of law schools may consider that a plea to live a fully examined life in the Socratian sense may be a bit of a challenge for the academic lawyer, since doctrinal legal training, at least, provides a poor background for the consideration of values. As a result of the pervasive influence of legal positivism, generations of law students have been taught to see the law in purely technical terms, while its moral content is regarded as irrelevant (Nicolson & Webb, 1999, p. 67). Thornton has referred to the ‘technocentrism’ of the doctrinal tradition, in which law is seen as autonomous, with discernible boundaries between law and morality, as well as between law and other academic disciplines. The pedagogical practice which is found in law schools, she notes “...focuses primarily on legal rules [and] creates a law school environment in which the technocratic is normalized, ...” (Thornton, 1998, p. 372).

"This intellectual background does not necessarily equip lawyers to engage in sophisticated philosophical reasoning about work-life balance (or any other forms of sophisticated moral reasoning, for that matter). Granted, there are exceptions within doctrinal law; the study of jurisprudence may involve consideration of moral issues, for instance, but overall, legal positivism is not interested in the analysis of values. Socio-legal and critical legal scholars have, of course, been quick to point this out, and consideration of the values and attitudes subsumed within the law are a main feature of their work. Nevertheless, familiarity with philosophy is not generally a mainstream feature of the legal syllabus, and it is understandable that, in intellectual terms, legal academics have long been regarded with suspicion by other members of the academy Sugarman notes that a need to gain credibility and acceptance from a sceptical academy was one of the top priorities for early legal academics (Sugarman, 1986). Becher’s work suggests that this is still the case; legal academics are regarded by their peers in other disciplines as not really academic, but engaged in unexciting and uncreative activities; typically, they are thought to be ‘...arcane, distant and alien; an appendage to the academic world’ (Becher, 1989, p. 30). Such opinions may bring forth howls of protest from the inhabitants of law schools, but setting them to rest is not the focus of the current argument. The question is, when faced with the problem of work-life balance, can legal academics, despite their somewhat unpromising intellectual background, engage successfully in the critical self-examination which is one of the crucial elements of a cultivated human being? If we, like Charles in Four Weddings and a Funeral continue to prevaricate, we may as Martha Nussbaum suggests, be cultivating humanity in our students – but only at the expense of failing to cultivate our own."

Gems for the Day

Whilst listening to Lanz's new album, Painting the Sun, the reading on my list for today will include Lord Denning's judgments. By way of introduction:

"Alfred Thompson 'Tom' Denning, Baron Denning, OM, PC (23 January 18995 March 1999) was an English veteran of the First World War, a mathematics graduate, jurist, barrister and judge. A native of Hampshire, he became a Law Lord and Master of the Rolls (the senior civil judge in the Court of Appeal of England and Wales).

Lord Denning was a judge for 38 years before retiring at the age of 83 in 1982. Lord Denning instigated many important concepts that would become pillars of the common law and many more which would ultimately be rejected in the House of Lords (such as the doctrine of fundamental breach)."

Some of the books, Lord Denning wrote have included: Freedom under the Law (1949), The Changing Law (1953), The Road to Justice (1955), The Discipline of Law (1979), The Due Process of Law (1980), What Next in the Law (1982) and Landmarks in the Law (1984).

Some of the cases, that law students have had to grapple with (including myself) is the famous High Trees case and the "red-hand rule" in Spurling v Bradshaw.

Best quotes that Lord Denning gave:

On legislation

"Parliament does it too late".

Modern society

Some persons, who would otherwise be good and worthy citizens, are deliberately breaking the law."


"Without religion, no morality; without morality, no law."


"I have all the Christian virtues - except resignation".

Saturday, September 27, 2008

Smartening up!

Whilst details are still emerging over the recent loss of yet more data, the question then hinges not so much on how individuals ought to protect their personal information, but how organisations secure this data and more precisely, how individuals will now have to "smarten up" in the non-disclosure of their personal information, unless this is absolutely necessary (do you really need to give your identity to organisations in exchange for this freebie? What if you don't?). Frequent incidents of data loss have "de-sensitised" us into the usual moans/groans (constant whining) and a great deal of apathy, responses from"not again" to "how can we give over our information" to such incompetent bodies but with no adequate solutions (other than resort to the usual route of compensation)? Whilst the Data Protection Act 1998 is being strengthened with more remedies (ie. heavier penalties), it is now up to individuals to exercise their rights if they have been affected by data losses. The law is there. Even if this is a long, laborious process, ultimately, it will be worth it. In the long-term, it is not simply being alerted to the recent breaches of data losses, but rather a complete change in the "privacy landscape/culture". In other words, accountability of organisations to account for the loss of their data - this is already happening at a European level, with data security breach notices being considered in the forthcoming EU legislation, but this is just the beginning. The questions: at a national/local level, the way organisations handle databases of personal information will need to be questioned - is it centralised/decentralised? What security measures are in place? Who is responsible for the security of personal information? Security questions asked of individuals needs to be changed (forget about mother's maiden name; pet name etc.)? Do they have a privacy policy? We do not want the policy in "small writing" but in "large writing" and be simple (sometimes, the policies can be verbose where only a few people can understand). How about awarding organisations for the best privacy practices they have and highlighting the bad organisations that have lax procedures (no, one is not referring to the work of Privacy International), but have in place simple procedures to ascertain what privacy audits/practices are in place (just simple common sense).

A useful start would be to start questionnaire studies amongst the general public (not so much about the handling of personal information), but rather what they do in protecting their own privacy (or do they care)? Secondly, there has been the frequent discussion to educate others about the protection of their privacy, yet, often, this assumes no knowledge, when there is. Quite clearly, we know something about the Data Protection Act 1998 (for others quite enough), but not enough to make data subject access requests, to consider whether the information is accurate or not etc. There is still a long way to go in utilising other means and methods to protect the privacy of personal information.

In the previous post, the discussion centered on how secure the public databases are and the relative ease in which social networking websites have now made it easier for anyone to obtain information about others, this discussion is now how departments can effectively secure the "trust" of the public to ensure that their personal information is handled properly (even if there is a healthy scepticism).

If you trust your local Tescos and Sainsbury to handle your personal data through the use of reward cards, then what are they doing right that others are not? Another dimension to look at is that if organisations are not handling your personal data correctly, you can theoretically walk away from them (other than resorting to your usual remedies), but not so when we are dealing with those where it is compulsory to give over our data (if this were a business, it would have long lost its custom).

The time for complacency is over. The time for more pro-active dialogue is just the beginning!
Update: The ICO website also includes a Personal Information Health Check - see how well you do!

Friday, September 26, 2008

Radio Interview

The following interview from Out-Law Radio, is worth listening to:

Title: Piracy: not the enemy, but the competition,

We talk to an anti-piracy pro who says that content producers should stop trying to stifle piracy and concentrate on competing with it better

To ensure that this interview is given its proper context and is not misunderstood, here is a short extract from Out-Law:

"TV companies, film studios and record labels should spend less time fighting those engaged in piracy and more time competing with them, a leading anti-piracy expert has said.

Dr David Price told technology law podcast OUT-LAW Radio that many people turn to piracy because officially-sanctioned songs or TV programmes are of poor quality, arrive late or come with restrictions that make them hard to access.

Price is the head of piracy intelligence at Envisional, a company which monitors piracy for content producers.

"There have to be legitimate alternatives, and not just that but they have to be really good legitimate alternatives," he said. "You've got to offer as good a user experience legitimately as people can get through piracy. We can't just offer something that is so restricted that people aren't going to bother."

Price said that many users of piracy services would happily switch to legitimate ones but are attracted by the more usable, more readily-available pirated services.

"Once you get involved in downloading things illegitimately the user experience is so good it's compelling," he said. "You really get high quality content, there are so many advantages to doing it over what you can get legitimately in a wide range of countries."

Companies should learn from pirates, said Price, and embrace some of the methods of distribution they use. He said that Norwegian broadcaster NRK achieved impressive results when it seeded peer-to-peer networks with legitimate copies of one of its hit programmes."

Radio Interview

Thursday, September 25, 2008

Quite an unusual website - MyHeritage, Facial Recognition site: who do you resemble? Question for the day - who owns MyHeritage?

Wednesday, September 24, 2008

Another discussion point

Discussion Point: This is something that still needs to be refined (but would be a good essay /discussion point). Thinking about the recent SNS developments, one has to admit that Facebook, MySpace, Bebo etc. (other than the search engines such as PIPL, Zoom Info) is probably the "best" freely available public databases (searchable on PIPL , Wink etc) and accessible to anybody including marketers (irrespective of technological controls). Consider this as your "Yellow pages"/"White pages" or BT/192 directory search. Free public sector information for employers, education establishments, marketers, law enforcement agencies etc. One may "sugarcoat" it (or to stretch this further "put the icing on the cake") and call it as another means of communicating/networking, but ultimately, when stripped down to its bare minimum, it is nothing more than another public database which is operated by various companies. The question is who owns this information? You or MySpace, Bebo etc. What if this information is later extracted and added onto another database to form a personal profile (or as one author wrote "online profiling"....?)? One need only have a couple of info specialists to do this and we have another database. We are certainly not far from online profiling and it is becoming far easier to use/reuse this information. This raises another question from the context of the European Commission current consultation into the Review of the PSI Re-Use Directive. Consultation is now closed, but probably worth revisiting some of the issues (re-use). Public databases and making information available (let alone "personal information") for free.

On a different note, there will be a social networking symposium which touches on privacy issues for those interested in developing this further.

Essay question for the week: Social networking is just another freely available public database accessible to anybody. Discuss.


Telemedia Act

More reading to do on my list: The German Telemedia Act replaces the Teleservices Data Protection Act and the Teleservices Act, but there is currently no English translation of this Act. However, the available text (pdf) can be found here.
Courtesy of IRIS:

After the Bundestag (lower house of the German Parliament) had adopted the Gesetz zur Vereinheitlichung von Vorschriften über bestimmte elektronische Informations- und Kommunikationsdienste (Act on the standardisation of provisions on certain electronic information and communication services - ElGVG), the cornerstone of which is the Telemediengesetz (Telemedia Act - TMG), on 18 January 2007, it was passed by the Bundesrat (upper house of the German Parliament) on 16 February 2007.

The Telemedia Act no longer distinguishes between tele-services, which were previously covered by the Teledienstegesetz (Teleservices Act - TDG) within the framework of the Informations- und Kommunikationsdienste-Gesetz (Information and Communication Services Act - IuKDG), and media services, which were previously the subject of the Mediendienstestaatsvertrag (Inter-State Agreement on Media Services - MDStV). Instead, similar to the Neunte Rundfunkänderungsstaatsvertrag (9th amendment to the Inter-State Broadcasting Agreement - RÄStV), it combines the two concepts (see IRIS 2005-2:9 and IRIS 2006-7:9). Commercial rules for telemedia will, in future, be found in the TMG, while content-related aspects will be regulated in a specific section of the Inter-State Broadcasting Agreement and the existing Jugendmedienschutz-Staatsvertrag (Inter-State Agreement on Protection of Youth in the Media). Telecommunications services and broadcasting are distinguished from telemedia and thus excluded from the scope of the new Act.

One new rule, which has attracted particular criticism, is the obligation to make user data available to investigating authorities for crime prevention purposes. This provision, which also applies in connection with the protection of intellectual property rights, has raised serious concerns from the perspective of data protection.

Protection from unsolicited e-mails ("spam") has also been extended insofar as it is now an offence for senders to breach information obligations, such as the failure to identify their communications as advertising or the withholding of their identity.

For those reading up on data protection developments in Germany, best starting guide (again, in German) would be Simitis's Commentary on Data Protection.

See also:

Wednesday, September 17, 2008

Blogging and defamation

I came across this recent case on blogging and defamation in the UK, its implications still to be explored, but here is the latest press release (authored by S. Tuxford):
"The case of NIGEL SMITH and ADVFN Plc and others[1] concerns the application of the law of defamation to internet blogging. Mr Smith considered a number of statements published about him on a series of internet bulletin boards operated by ADVFN plc to be defamatory. He obtained so-called "Norwich Pharmacal" orders compelling ADVFN plc to release details of the bloggers responsible before bringing defamation proceedings against the persons identified (and ADVFN plc).

Faced with a large number of similar (and in some circumstances related) claims, the Court upheld an earlier order for a stay of all the claims to give each defendant an opportunity of being heard either in an oral hearing or by making written submissions. Of particular interest, and perhaps concern to claimants in defamation actions however, was the Court's characterisation of the alleged defamatory blogs.

A defamatory statement is one which tends to lower the claimant in the estimation of right-thinking members of society. Defamation is either libel or slander; libellous statements are made in permanent form and slander is defamation made in a transitory form. For slander the claimant will often have to prove that he has suffered some actual financial loss. This is not generally necessary in the case of libel, making it a more attractive action for claimants.

As blogs remain displayed online, they may quite reasonably be considered to give rise to libel actions only. The Court (Mr Justice Eady) questioned this analysis, opining that blogs may amount to slander:

"[Blogs] are read by relatively few people, most of whom will share an interest in the subject-matter; they are rather like contributions to a casual conversation (the analogy sometimes being drawn with people chatting in a bar) which people simply note before moving on; they are often uninhibited, casual and ill thought out; those who participate know this and expect a certain amount of repartee or "give and take"...their identities will often not be known to others. This is no doubt a disinhibiting factor affecting what people are prepared to say in this special environment...People do not often take a "thread" and go through it as a whole like a newspaper article. They tend to read the remarks, make their own contributions if they feel inclined, and think no more about it."

However, Mr Justice Eady did note "I would not suggest for a moment that blogging cannot ever form the basis of a legitimate libel claim." so the position is far from certain; whether a defamatory blog amounts to libel or slander will depend on all the circumstances."

Source: Bristows, Sept. 2008

There have been relatively few cases on this, so this strikes me as one worth reading up on.

Friday, September 12, 2008

Browsers and privacy, part 2

As an update on web browsers and privacy, Mozilla Firefox is also working towards a privacy mode:

"Privacy seems to be the magic word in the browsers world these days. Surfing without leaving any trace seems to be the ultimate offer for any browser out there. Internet Explorer has it, Google Chrome offers it and now it seems like the next version of Firefox, Firefox 3.1, will add it as well.

Since the release of Google Chrome, every browser maker has entered in an emergency mode and it seems like Mozilla is paying attention to what is happening with the competition.

According to note from Mozilla Wiki, the next version of Firefox will offer a Private Mode. In fact, the feature was intended to be released in the version 3.0, but it was dropped to keep the browser on schedule.

Mike Connor, Firefox lead develop, has a pretty good description on how the Private feature will look like.

“Ensure that users can't be tracked when doing "private" things. There should be a clear line drawn between your "public" and "private" browsing sessions. It is acceptable to let things touch magnetic storage, as long as the cleanup mechanism is robust enough to clean up,” he wrote in a note.

”Non-goal for 3.1: Separate process sharing (some) data. When we get process-per-tab we can make it more IE-like, but doing this also means that we have to have something like their "hey, you're in private browsing mode" banner on the URL bar for all the world to see. Which, to me, is fail” Connor also wrote."

Tuesday, September 09, 2008

Google Chrome

This is an interesting press release regarding web browsers and privacy:

Germany's Federal Office for Information Security says that Google's new browser Chrome "should not be used for surfing the Internet." The problem, according to a translation from Blogoscoped, is that joined with email and search, Chrome gives Google too much data about its users. The government also said Chrome should be avoided because its still in beta. Here's the real deal, though: Germans hate Google because like Microsoft with Windows and Apple with iTunes, its a big American company that's so popular it seems like a monopoly. For those keeping score at home — or trying to use the Web in Germany — that rules out Chrome, Apple's Safari, Internet Explorer and Mozilla's Firefox because it runs on Google money. What's left? The Opera browser, conveniently built in Europe.

See also:

Monday, September 08, 2008

Advocate-General's Opinion

The Advocate General's Opinion has been published on the recent case involving data protection issues: Satakunnan Markkinapörssi and Satamedia (C-73/07). The main questions referred to the ECJ are as follows:
Is an operation in which data on the earned income, income from capital and the wealth of natural persons arecollected from documents in the public domain held by the tax authorities and processed for publication,published alphabetically in a printed publication by income bracket and municipality in the form of extensive lists,disclosed onward on CD-ROM to be used for commercial purposes, andprocessed for the purposes of a text messaging service whereby mobile phone users can, by indicating an individual's name and home municipality and texting to a given number, receive in reply data on the earned income, income from capital and wealth of the individual indicated,to be regarded as the processing of personal data within the meaning of Article 3(1) of Directive 95/46/EC? 1

Is Directive 95/46/EC to be interpreted as meaning that the various operations listed in question 1(a) to (d) can be regarded as the processing of personal data carried out solely for journalistic purposes within the meaning of Article 9 of the Directive, having regard to the fact that data on over one million taxpayers has been collected from data which are in the public domain under national legislation on the right of public access? Does the fact that publication of those data is the principal aim of the operation have any bearing on the assessment in this case? Is Article 17 of Directive 95/46/EC to be interpreted in conjunction with the principles and purpose of the Directive as precluding the publication of data collected for journalistic purposes and its onward disclosure for commercial purposes?

Can Directive 95/46/EC be interpreted as meaning that personal data files containing, solely and in unaltered form, material that has been published in the media fall altogether outside its scope?
Unfortunately, the opinion is available in French, Spanish, German etc. not English, so here is the French decision. As one awaits the ECJ's judgment on this, it is likely to be of interest when considering the scope of Art. 9 of the Data Protection Directive.

Using Knol

Having had a look at Google's Knol, (this post, as you may gather has nothing to do with data protection developments), I have started to experiment with this and have recently posted an article up on Google Knol to make it more accessible. It is quite easy to use and also gives the option of asking for other authors to collaborate. The only main criticism is that the search index is not as good or thorough when finding articles etc. on a given specific topic.

Friday, September 05, 2008


Just came across this interesting paper written in the latest BNA World Data Protection Report on the legal status of "bluespam":

"Bluespam: Is it legal?" examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive [2002/58/EC] and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.

Increasingly, we are seeing Bluetooth technology being used for the purposes of direct marketing to mobile phones.

"There are options for those that do not wish to receive direct marketing via Bluetooth – you can turn the Bluetooth on your mobile phone or other device off or “hide” your phone. However, many will take the view that they should not have to take such steps to avoid receiving what is termed as “Bluespam”.

Whilst at first glance Bluespam appears to fall into the same category as unsolicited direct marketing via email, telephone and SMS spam (all of which are caught by the terms of the Privacy and Electronic Communications Directive (Directive 2002/58/EC), there is legal uncertainty as to whether the Directive does catch it. In short, the Directive captures communications over “public” networks, but at least arguably, the only network used in Bluespam is that created on an ad hoc basis between the transmitting device and the handset in the hands of the recipient."
A copy of the full text paper can be found here (pdf).

Thursday, September 04, 2008

Direct marketing

Courtesy of H&W, this decision was recently made by the German Federal Court of Justice on the use of consent for marketing purposes.

German Federal Court of Justice issues important Decision on the Use of Consent for Marketing purposes.

"In a decision of July 16, 2008, concerning the lawfulness of certain clauses in the application form for a loyalty card, the German Federal Court of Justice (Bundesgerichtshof) issued important guidance to companies that carry out direct marketing in Germany (Urteil vom 16. Juli 2008 – VIII ZR 348/06). In the case, the Court found the following clause to be partially invalid The decision has significant consequences for conducting advertising inGermany. Most importantly, it makes clear that opt-in rather than opt-out consent is necessary to send electronic marketing, and that the German courtswill not hesitate to invalidate clauses that do not meet this requirement. Moreover, it indicates that any consent to the sending of electronic marketing must be specific, rather than be mixed together with consent for other matters (such as receiving other types of marketing).This means that companies may have to consider redesigning their onlineprivacy policies and consent forms to conform to German legal requirements. (translation of the clause from the original German):

With my signature I agree that the data which I have provided above as well as the discount data (products/services, price, amount of discount, place and date of transaction) will be exclusively stored and used by L. Partner Limited and the partner companies according to number 2 of the attached data protection notice for the purposes of advertisements directed at me (e.g., information on special offers, promotional discounts) via post and, if applicable, by requested services (SMS or email newsletter), as well as for market research purposes.

[ ] Please tick this box if you wish to opt out. ...

The Court held that the wording of this clause may fulfil legal requirements for postal marketing, but that it violates unfair competition law for email and SMS marketing. The Court’s decision was based on the clause in essence allowing electronic marketing under an “opt-out”standard, rather than an “opt-in” standard as required by the relevant section of the German Unfair Competition Act that implements EU E-Privacy Directive 2002/58. Moreover, the Court stated that a specific declaration that the user opts in to receive electronic marketing is necessary. Advertising by post According to the Court, sending advisements by post does not require opt-in consent, and is permitted as long as the customer does not object to the advertisement (though the customer must be properly informed about his right to opt out). Advertising by email and SMS. The Court stated that advertising by means of email or SMS is governed not by the Federal Data Protection Act, but by section 7 para. 2 no. 3 of the Unfair Competition Act, and that this requires a separated declaration indicating opt-in consent.

[According to H&W], the decision has significant consequences for conducting advertising in Germany. Most importantly, it makes clear that opt-in rather than opt-out consent is necessary to send electronic marketing, and that the German courts will not hesitate to invalidate clauses that do not meet this requirement. Moreover, it indicates that any consent to the sending of electronic marketing must be specific, rather than be mixed together with consent for other matters (such as receiving other types of marketing). This means that companies may have to consider redesigning their online privacy policies and consent forms to conform to German legal requirements."

Monday, September 01, 2008

ECHR case: I v Finland

The European Court of Human Rights (I v Finland, 20511/03) has recently ruled on this recent case surrounding the privacy protection of medical data. I have still yet to read through this judgment, but have a look at a short summary (via blogger Where is my Data):

On 17th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland, and awarded “I” €13,771 in damages and €20,000 in costs.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by the other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as there was no records of this at the time (around 1992)

The Court decided that as the hospital was controlled by the State, and as such Finland was responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore Article 8, freedom to a private life, is applicable in this case.

The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR,) may be breached where the State fails to take appropriate steps to secure data, so that it cannot be accessed improperly.

While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.

While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.

In this case there is no statement that there was deliberate and unauthorized access of data, only that there was failure to secure the data appropriately. i.e a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to do so (and not just legislation but technical and procedural steps as well), then the state is in breach of Article 8.

Nice tip!

Will get back to data protection developments at some point. Continuing the theme on time management, this nifty little tip on inbox zero from the Times:

There are two things you can do about your e-mail inbox: you can let it rule you, or you can take control yourself. Merlin Mann is a San Francisco blogger (he gets called a “productivity guru”) who has been spreading the Inbox Zero gospel since 2006, prescribing a ruthless programme of culling your inbox into one of five categories:
Delete, Delegate, Respond, Defer, Do
. At the end of the process, you have Inbox Zero.

– At this point, many people feel the urge to celebrate. They take a picture of their e-mail inbox and post it to the Inbox Victory page.

– But getting to Inbox Zero is like losing a few pounds in January. The trick is keeping it empty. Fortunately, Merlin is there to help, with numerous blog posts and videos of his lectures on the subject to be found on Google.

Update: Clip on this