Thursday, October 30, 2008
HL refuses appeal
The House of Lords today refused Big Pictures (UK) Ltd's petition for leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. In March this year the Court of Appeal held that the claimant had an arguable case on both the misuse of private information and the Data Protection Act points, overturning the August 2007 decision to strike the claim out. The effect of the House of Lords' ruling is that the claim should now proceed to trial, as the Court of Appeal envisaged. The claim, which alleges misuse of private information and breach of the DPA 1998, centres on a series of photographs of David Murray, taken when he was a one-year-old being pushed down a street in Edinburgh in his pushchair by his parents, at a time when his mother was pregnant with David's younger sister. In August 2007 Mr Justice Patten acceded to an application by the remaining Defendant - Big Pictures (UK) Ltd, a photographic agency - to strike the claim out. However, in March 2008 the Court of Appeal decided that the Judge had been wrong to conclude that the claim was unarguable and reinstated the claim, directing that the issues between the parties be tried. An application by Big Pictures for permission to appeal against this decision was refused by the Court of Appeal. In June, Big Pictures petitioned the House of Lords for leave to appeal. It is this petition that the House of Lords has refused today.
Updated BCR Guidelines
The European Union's data protection authorities have published amended guidance on how companies can legally share customer and staff personal data with parts of the firm located outside the European Union. The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations to countries to which it would usually be illegal to send personal information. EU data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short. The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.
Monday, October 27, 2008
Data Security Breach notifications in sight
European data breach notification laws applying to all online information service providers could be in force by 2011, according to the European data protection supervisor Peter Hustinx. The current data breach notification proposals apply to just ISPs and telcos, but Hustinx backed calls for the law to apply to all “information service providers, including banks and medical sites”. He added, “I would welcome this as fair and in line with reality.”
Speaking to vnunet.com at the RSA Conference Europe show in London, which kicked off today, Hustinx explained that the proposals are still open to change as the Council of Ministers and parliament are working on slightly different texts. “We will probably have some threshold [for disclosure] but a very low one, and notification will be to users and authorities,” he said. “There is also likely to be some variation on the basis of individual member states, which will be a challenge.”
Hustinx added that if the current proposals are adopted in spring 2009, they could become law two years after that. Hustinx also argued that the UK government should consider giving its data protection watchdog, the Information Commissioner, greater powers in order to “restore confidence” in public sector handling of data [the Criminal Justice and Immigration Act 2008, s 77 and s 144, already strengthen the remedies available to the ICO].
Saturday, October 25, 2008
Consultation on proposed database
The government has scrapped plans to push through the controversial Communications Data Bill this parliamentary session and will hold a second public consultation in the new year.
Thursday, October 23, 2008
SNS revisited (not) again!
Facebook was reported to have said, in a statement following reports of the court’s decision: “Facebook does not permit fake profiles on its site. Fake profiles are an abuse of our terms of use and they will be removed… When fake profiles are reported we thoroughly investigate and remove profiles found to be in violation of our terms of use – just as we did in the case of Mathew Fircsht [sic].”
Update: Out-Law Press release on SNS ground rules
Monday, October 20, 2008
Updates
The European Court of Justice Advocate General on Tuesday (14 October) delivered a blow to member states hoping to overturn an EU law on harmonising telephone and internet data retention rules, saying the case is an internal market matter, not a justice and home affairs issue.
The directive - which was approved by a qualified majority of EU states in February 2006 - sets a time period of six months to two years during which telecom operators are to keep phone and internet data, in the name of fighting terrorism and crime and increasing security.
More from:
- C-301/06 Ireland v Parliament and Council (pdf) and online version
- Digital Rights Ireland
Sunday, October 19, 2008
SNS Programme
Websites such as Facebook, Myspace and Bebo have become immensely popular over the past few years, promoting the sharing of personal information and photographs among friends. But is social networking just a bit of fun, or is splashing our private lives all over the internet potentially harmful? We hear conflicting personal stories of success and disaster.
The link can be found here.
A recent press release has also indicated that SNS should indicate the low level of protection here.
Thursday, October 16, 2008
Proposed Database
Early plans to create a giant "Big Brother" database holding information about every phone call, email and internet visit made in the UK were last night condemned by the Government's own terrorism watchdog... Some reactions to this proposed database:
Under the proposal, internet service providers and telecoms companies would hand over millions of phone and internet records to the Home Office, which would store them for at least 12 months so that the police and security services could access them. It is understood that more than £1bn has been earmarked for the database.
Richard Thomas, the Information Commissioner, has described the plans as "a step too far for the British way of life". Yesterday his office added: "It is clear that more needs to be done to protect people's personal information, but creating big databases... means you can never eliminate the risk that the data will fall into the wrong hands."
Shami Chakrabarti, director of the human rights group Liberty, said: "This is another example of the Government's obsession with gathering as much information on each of us as possible in case it might prove useful in the future. Like the discredited ID card scheme this will have a massive impact on our privacy but will do nothing to make us safer."
See:
Monday, October 13, 2008
Another case: this time on IP addresses
Update: Decision is available in German and can be accessed here and here.
Sunday, October 12, 2008
Additions to the Casebook!
2) Roberts v Nottinghamshire Healthcare NHS Trust [2008] EWHC 1934
A number of general points can be made about the court's role under section 7(9). First, its role is to review the decision of the data controller rather than to act as primary decision maker. In Durant v Financial Services Authority [2003] EWCA Civ. 1746; [2004] IP & T 814 Auld LJ said at [60]:
"Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to "second guess" decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act."
And then, after referring to the Data Protection Directive and to Article 8 of the European Convention on Human Rights, Auld LJ continued at [60]:
"Under both international legal codes, it is for the Member State to justify, subject to a margin of national discretion, any provisions enabling refusal of disclosure in terms of necessity and proportionality, and similarly, data controllers should have those notions in mind when considering under section 7(4)-(6) whether to refuse access on that account. So also should courts on application by way of review of any such decision under section 7(9). But it does not follow that the courts should assume, if and when such a question reaches them, the role of primary decision-maker on the merits."
Secondly, the court must determine, with the benefit of sight of the data, whether the data controller has appropriately concluded that one of the exemptions provided for under the Act or an Order applies. The burden of proof is on the data controller, to the civil standard. Given the right involved, however, the court will approach the matter with a heightened sense of what is at stake, what has been described in other contexts as "anxious scrutiny". Auld LJ's judgment is helpful in indicating how that issue is to be approached, "in terms of necessity and proportionality". Necessity as a test originates in the directive, as can be seen from recital 43. Proportionality as an approach no doubt derives from the relevance of the European Convention on Human Rights to the issue. The twin requirements of necessity and proportionality constrain the data controller in any decision to refuse release of the data. In the light of all of this the court then reviews the decision of the data controller. It is not a decision on the merits but a consideration of whether the data controller's decision is flawed on public law grounds: whether, for example, irrelevant matters have been taken into account, or the decision not to release is such that no reasonable data controller would have arrived at that conclusion.
The court denied the application to disclose the report on the following grounds:
In light of the very serious concerns and unusual circumstances in this case I have exercised my duty of "anxious scrutiny" to determine whether the defendant has complied with its obligations under the Data Protection Act 1998. In my judgment the defendant has clear and compelling reasons based on cogent evidence to support its decision not to release the report. Moreover, I have been persuaded that disclosure of the reasons for this conclusion is not appropriate in this case. As to what I have described as the half-way house, disclosure to the claimant's legal representatives but not the claimant, in my judgment the court has no power to order it. There is no such power in the Data Protection Act 1998. The other grounds which were advanced as a basis for that power are beside the point once it is recognised that, absent specific authorisation, legal representatives cannot keep relevant information or knowledge from a client. In this case the claimant has agreed to abide by the half-way house but that is no ground for the exercise of any discretion on my part to order disclosure of the report, given the statutory position and my conclusion that no injustice is caused to the claimant by not doing so.
Saturday, October 11, 2008
Surveillance Demonstration
Source: Earth Times
The German privacy movement is upset at European Union data-retention laws that require phone companies to keep for six months computerised lists of the numbers that their customers call.
See:
Monday, October 06, 2008
Consultation Paper
The Communication on the Internet of Things will propose a policy approach addressing the whole range of political and technological issues related to the move from RFID and sensing technologies to the Internet of Things. It will focus especially on architectures, control of critical infrastructures, emerging applications, security, privacy and data protection, spectrum management, regulations and standards, broader socio-economic aspects.
The Commission's Staff Working Paper: As a first contribution to the debate, the Commission has released a Staff Working Paper that can be found here. Stakeholders are invited to send comments on the issues addressed in this paper. Concrete suggestions of possible actions or initiatives that should be taken are particularly welcome.
Target group: Universities and research centres, public authorities, private organisations addressing horizontal issues (e.g. infrastructure, security) and/or vertical components in major application areas (e.g. retail, logistics, manufacturing, e-energy, finance, public sector), European and international standards organisations, consumers' organisations, trade unions, civil society groups.
Answering process: Respondents are invited to provide their feedback on a stand-alone document which can be found here. Unless otherwise indicated by the respondent, the answers received to this consultation will be published. There are no predefined questions, but respondents are invited to respect the following format:
- Use the first page to identify themselves
- Limit themselves to a maximum of 10 pages (regular fonts and spacing)
- File should be in '.pdf' format
Respondents are invited to send their response by email to infso-iot-europe@ec.europa.eu by 28th November 2008 at the latest. Answers received after this deadline will not be taken into account.
Results of the consultation:
On the subject of RFIDs, there has been a lot of discussion of this issue, including the Art. 29 Working Party's opinion. However, perhaps the most interesting perspective on RFIDs came in a talk that I attended last year, in which RFIDs had become part of everyday life, from RFID library cards to RFID passports. Indeed, the talk was not so much about regulation as about how RFID tags can be read without the holder's knowledge by skimming. However, my understanding is that this practice is likely to be outlawed. For researchers working on RFIDs, a good starting point is here and here.
Sunday, October 05, 2008
Phorm Storm
Some queries at this stage: what is there to guarantee the anonymity of data collected? Take a different approach or query: why would you want to anonymise the data, when it could be a valuable "commodity" for any other company for marketing purposes? After all, we are dealing with users' surfing habits. It also works towards the build-up of online profiling of individuals (apologies for the scepticism). Online profiling will have to be another topic in its own right.
The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."
It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.
Imagine the following hypothetical scenario: Fred Blogs, a regular shopper, decides to use his laptop to go online and visits Widgets Bookshop and checks his Gmail account before switching over to read his regular dose of The Times. He also decides to pay a few bills online. His son, Joe Blogs, 12 years of age, asks his father whether he can use his laptop. Happily, Fred Blogs allows his son to do so. Joe Blogs logs onto his MySpace account, then decides to go onto another website, let's say the KaZAA filesharing website, and downloads his favourite music. Joe Blogs then emails his friends on his MySpace account to arrange a party. Probably a good case discussion.
Whilst this is a hypothetical scenario, assume that Fred Blogs naively subscribes to this Phorm program so that it can deliver targeted ads. What is there to guarantee that it will be completely anonymous? If Joe Blogs logged onto a filesharing website on his father's user account, then questions may arise as to his surfing habits and whether it would land him in trouble with the law. It should be remembered that the General Data Protection Directive 95/46/EC is applicable (including in the Member States that implement it: i.e. the UK's Data Protection Act 1998). Given that Phorm is providing the software to the ISPs, it appears that the ISPs would be regarded as a "data controller" and thus be required to comply with the UK's Data Protection Act 1998. Questions have arisen about whether Phorm could be the "data controller". There has been some discussion from the Art. 29 Working Party, which has indicated in its recent opinion that the notion of personal data is defined broadly and would include IP addresses (as held by several Data Protection Authorities, including Germany and Sweden) that identify individuals.
There is a strong argument that if there is any possibility of identifying individuals through their surfing habits, then the Data Protection Directive 95/46/EC, and the EU Member States that have implemented it, would clearly take the view that we are dealing with personal information. For an in-depth analysis of the EU Member States' implementation of the Data Protection Directive, visit here for more information.
If one were to subscribe to the Phorm program, it would simply be to test how robust the system and identify fundamental flaws in this technical system that claims to anonymise surfer habits. However, a report has already been written on this.
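To make concrete why an "anonymised" browsing log can still be personal data, here is an added Python example; it is not code from the original post, from Phorm, or from any ISP. It assumes a constructed log in which the raw IP address has been replaced by an unsalted SHA-256 hash; the addresses (from the RFC 5737 documentation range) and site names are placeholders. It shows that such a pseudonym is reversible by simply enumerating the address space, that a keyed HMAC removes that reversal for anyone without the key while the key holder can still re-link the records, and that a per-address profile lumps together everyone sharing the connection, as in the Fred and Joe Blogs scenario above.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Callable, List, Optional, Tuple

# Constructed sample data (not from any real system): one household address in
# the RFC 5737 documentation range and the sites visited from it in the
# hypothetical scenario above. Site names are placeholders.
SAMPLE_IP = "192.0.2.77"
SAMPLE_NETWORK = "192.0.2.0/24"   # search space kept small so the demo runs instantly
SAMPLE_VISITS = [
    (SAMPLE_IP, "widgets-bookshop.example"),   # Fred
    (SAMPLE_IP, "mail.example"),               # Fred
    (SAMPLE_IP, "filesharing.example"),        # Joe, on the same laptop
    ("192.0.2.9", "news.example"),             # a different household
]


def pseudonymise_ip(ip: str) -> str:
    """Unsalted SHA-256 of the dotted-quad string.

    This is what 'we hash the IP' usually means in practice. It is a
    pseudonym: the same address always maps to the same digest."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_pseudonymise_ip(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key.

    Without the key, enumerating the address space no longer works. The key
    holder can still link every record back to an address, so in its hands the
    data is pseudonymised rather than anonymised and remains personal data."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def reverse_pseudonym(digest: str, network: str,
                      hash_fn: Callable[[str], str] = pseudonymise_ip) -> Optional[str]:
    """Recover the address behind a digest by trying every address in `network`.

    IPv4 has only 2**32 addresses, so for an unsalted hash the whole space is
    cheap to enumerate; the network argument merely bounds this demonstration."""
    for host in ipaddress.ip_network(network):
        if hash_fn(str(host)) == digest:
            return str(host)
    return None


def pseudonymised_log(visits: List[Tuple[str, str]],
                      hash_fn: Callable[[str], str] = pseudonymise_ip) -> List[Tuple[str, str]]:
    """Replace the raw address in each (ip, site) record with its digest."""
    return [(hash_fn(ip), site) for ip, site in visits]


def build_profile(log: List[Tuple[str, str]], digest: str) -> List[str]:
    """Collect the sites recorded under one pseudonym.

    The profile is keyed on the connection, not the person, so every user of a
    shared connection ends up in a single profile."""
    return sorted({site for d, site in log if d == digest})


def demo() -> None:
    log = pseudonymised_log(SAMPLE_VISITS)
    target = log[0][0]                      # a digest taken straight from the 'anonymous' log
    print("unsalted hash reversed to:", reverse_pseudonym(target, SAMPLE_NETWORK))
    print("profile behind that address:", build_profile(log, target))

    key = secrets.token_bytes(32)
    keyed_log = pseudonymised_log(SAMPLE_VISITS, lambda ip: keyed_pseudonymise_ip(ip, key))
    print("keyed digest reversed without the key:",
          reverse_pseudonym(keyed_log[0][0], SAMPLE_NETWORK))
    # The controller, holding the key, still re-links the records to the address.
    print("controller re-links with the key:",
          reverse_pseudonym(keyed_log[0][0], SAMPLE_NETWORK,
                            lambda ip: keyed_pseudonymise_ip(ip, key)))


if __name__ == "__main__":
    demo()
```

The point for the data protection analysis is the second half: even the keyed variant only moves the identification capability to whoever holds the key, so a claim that the operator "will never be aware of the identity of the user" has to be tested against what the operator itself retains, not just against what an outsider could recover.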
Putting on a sceptical hat, given that the arguments in favour of stronger rights to the privacy of personal information (in particular, the DPA 1998) are relatively weak in the UK (other than the recent changes to strengthen the UK Data Protection Act 1998), this is a further step in the gradual erosion of privacy in the UK.
Final point: Warren and Brandeis's seminal article on the right to privacy was written out of concern about press intrusion; however, the privacy discussion here is not so much about the protection of privacy as about the willing acceptance or acknowledgment by individuals that there is simply nothing that can be done to protect privacy. Switching ISPs is only one solution. Opting out of the system is another. Targeted advertising is certainly unwelcome for the privacy conscious. Yet one can foresee that the only route may have to be litigation! Discuss...
Saturday, October 04, 2008
FOI Survey
- to clarify the theoretical reasoning behind the introduction of FOI
- to evaluate the performance of FOI against its policy objectives
- to assess the impact of FOI on the working of the Whitehall model.
Preliminary research has identified six policy objectives which will be tested in the course of the research. We will investigate to what extent the following objectives of the UK FOI Act are being achieved:
- Greater transparency
- Increased accountability
- Better public understanding of government decision making
- More effective public participation in the political process
- Increased public trust and confidence in government
- Better quality of government decision making
At the same time, we will examine how the introduction of FOI has affected the Whitehall model, in particular five key characteristics of the model:
- Civil service neutrality
- Cabinet system
- Ministerial accountability to Parliament
- The culture of secrecy
- Effective government.
Thursday, October 02, 2008
Biographies to read
The friendship between J.R.R. Tolkien and C.S. Lewis lasted over forty years and was for each the most important creative collaboration in their lives. The two met at Oxford in 1926. They were both survivors of the First World War, both academics and, as children, their lives were both dominated by imagination. However, they had very different religious upbringings. Tolkien was a Roman Catholic while Lewis, initially Protestant, later advocated what he called 'mere Christianity' - a faith in the supernatural, the historical Jesus and the reality of sin and judgement. Thus by different routes both Lewis and Tolkien found a way to express truths that lie deeper than surface appearance. Colin Duriez's book is the first to focus primarily on this remarkable literary association, exploring the origins of the mythological worlds which both writers placed at the centre of their fiction. He does not flinch from exploring their differences - Tolkien did not have a high opinion of some of Lewis's Christian writings and Lewis famously found Tolkien's elves too much of a good thing... The best-known works of C.S. Lewis include Mere Christianity. Orwellian works (such as Animal Farm), including his diaries, will have to be left for another day.