The House of Lords today refused Big Picture (UK) Ltd's petition for leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. In March this year the Court of Appeal held that the claimant had an arguable case on both the misuse of private information and the Data Protection Act points, overturning the August 2007 decision to strike the claim out. The effect of the House of Lords' ruling is that the claim should now proceed to trial, as the Court of Appeal envisaged. The claim, which alleges misuse of private information and breach of the DPA 1998, centres on a series of photographs of David Murray, which were taken when he was a 1 year-old, being pushed down a street in Edinburgh by his parents in his pushchair at a time when his mother was pregnant with David's younger sister. In August 2007 Mr Justice Patten acceded to an application by the remaining Defendant - Big Pictures (UK) Ltd, a photographic agency - to strike the claim out. However, in March 2008 the Court of Appeal decided that the Judge had been wrong to conclude that the claim was unarguable and reinstated the claim, directing that the issues between the parties be tried. An application by Big Pictures for permission to appeal against this decision was refused by the Court of Appeal. In June, Big Pictures petitioned the House of Lords for leave to appeal. It is this petition that the House of Lords has refused today.
Thursday, October 30, 2008
The European Union's data protection authorities have published amended guidance on how companies can legally share customer and staff personal data with parts of the firm located outside the European Union. The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations but to countries to which it would usually be illegal to send personal information. U data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short. The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.
Monday, October 27, 2008
European data breach notification laws applying to all online information service providers could be in force by 2011, according to the European data protection supervisor Peter Hustinx. The current data breach notification proposals apply to just ISPs and telcos, but Hustinx backed calls for the law to apply to all “information service providers, including banks and medical sites”. He added, “I would welcome this as fair and in line with reality.”
Speaking to vnunet.com at the RSA Conference Europe show in London, which kicked off today, Hustinx explained that the proposals are still open to change as the Council of Ministers and parliament are working on slightly different texts. “We will probably have some threshold [for disclosure] but a very low one, and notification will be to users and authorities,” he said. “There is also likely to be some variation on the basis of individual member states, which will be a challenge.”
Hustinx added that if the current proposals are adopted in spring 2009, they could become law two years after that. Hustinx also argued that the UK government should consider giving its data protection watchdog, the Information Commissioner, greater powers in order to “restore confidence” to public sector handling of data [the Criminal Justice and Immigration Act 2008, s 77 and s 144 already strengthens remedies for ICO].
Saturday, October 25, 2008
The government has scrapped plans to push through the controversial Communications Data Bill this parliamentary session and will hold a second public consultation in the new year.
Thursday, October 23, 2008
Update: Out-Law Press release on SNS ground rules
Monday, October 20, 2008
The European Court of Justice Advocate General on Tuesday (14 October) delivered a blow to member states hoping to overturn an EU law on harmonising telephone and internet data retention rules, saying the case is an internal market matter, not a justice and home affairs issue.
The directive - which was approved by a qualified majority of EU states in February 2006 - sets a time period of six months to two years during which telecom operators are to keep phone and internet data, in the name of fighting terrorism and crime and increasing security.
Sunday, October 19, 2008
Websites such as Facebook, Myspace and Bebo have become immensely popular over the past few years, promoting the sharing of personal information and photographs among friends.
But is social networking just a bit of fun or is splashing our private lives all over the internet potentially harmful? We hear conflicting personal stories of success and disaster.
The link can be found here.
A recent press release has also indicated that SNS should indicate the low level of protection here.
Thursday, October 16, 2008
Early plans to create a giant "Big Brother" database holding information about every phone call, email and internet visit made in the UK were last night condemned by the Government's own terrorism watchdog...Some reactions over this proposed database:
Under the proposal, internet service providers and telecoms companies would hand over millions of phone and internet records to the Home Office, which would store them for at least 12 months so that the police and security services could access them. It is understood that more than £1bn has been earmarked for the database.
Richard Thomas, the Information Commissioner, has described the plans as "a step too far for the British way of life". Yesterday his office added: "It is clear that more needs to be done to protect people's personal information, but creating big databases... means you can never eliminate the risk that the data will fall into the wrong hands."
Shami Chakrabarti, director of the human rights group Liberty, said: "This is another example of the Government's obsession with gathering as much information on each of us as possible in case it might prove useful in the future. Like the discredited ID card scheme this will have a massive impact on our privacy but will do nothing to make us safer.
Monday, October 13, 2008
Update: Decision is available in German and can be accessed here and here.
Sunday, October 12, 2008
2) Roberts v Nottinghamshire Healthcare NHS Trust  EWHC 1934
A number of general points can be made about the court's role under section 7(9). First, its role is to review the decision of the data controller rather than to act as primary decision maker. In Durant v Financial Services Authority  EWCA Civ. 1746;  IP & T 814 Auld LJ said at :
"Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to "second guess" decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act."
And then, after referring to the Data Protection Directive and to Article 8 of the European Convention on Human Rights, Auld LJ continued at :"Under both international legal codes, it is for the Member State to justify, subject to a margin of national discretion, any provisions enabling refusal of disclosure in terms of necessity and proportionality, and similarly, data controllers should have those notions in mind when considering under section 7(4)-(6) whether to refuse access on that account. So also should courts on application by way review of any such decision under section 7(9). But it does not follow that the courts should assume, if and when such a question reaches them, the role of primary decision-maker on the merits."
Secondly, the court must determine, with the benefit of sight of the data, whether the data controller has appropriately concluded that one of the exemptions provided for under the Act or an Order applies. The burden of proof is on the data controller, to the civil standard. Given the right involved, however, the court will approach the matter with a heightened sense of what is at stake, what has been described in other contexts as "anxious scrutiny". Auld LJ's judgment is helpful in indicating how that issue is to be approached, "in terms of necessity and proportionality". Necessity as a test originates in the directive, as can be seen from recital 43. Proportionality as an approach no doubt derives from the relevance of the European Convention on Human Rights to the issue. The twin requirements of necessity and proportionality constrain the data controller in any decision to refuse release of the data. In the light of all of this the court then reviews the decision of the data controller. It is not a decision on the merits but a consideration of whether the data controller's decision is flawed on public law grounds whether, for example, irrelevant matters have been taken into account or the decision not to release is such that no reasonable data controller would have arrived at that conclusion.
The court denied the application to disclose the report on the following grounds:
In light of the very serious concerns and unusual circumstances in this case I have exercised my duty of "anxious scrutiny" to determine whether the defendant has complied with its obligations under the Data Protection Act 1998. In my judgment the defendant has clear and compelling reasons based on cogent evidence to support its decision not to release the report. Moreover, I have been persuaded that disclosure of the reasons for this conclusion are not appropriate in this case. As to what I have described as the half-way house, disclosure to the claimant's legal representatives but not the claimant, in my judgment the court has no power to order it. There is no such power in the Data Protection Act 1998. The other grounds which were advanced as a basis for that power are besides the point once it is recognised that, absent specific authorisation, legal representatives cannot keep relevant information or knowledge from a client. In this case the claimant has agreed to abide by the half-way house but that is no ground for the exercise of any discretion on my part to order disclosure of the report, given the statutory position and my conclusion that no injustice is caused to the claimant by not doing so.
Saturday, October 11, 2008
Source: Earth Times
The German privacy movement is upset at European Union data- retention laws that require phone companies to keep for six months computerized lists of the numbers that their customers call.
Monday, October 06, 2008
The Communication on the Internet of Things will propose a policy approach addressing the whole range of political and technological issues related to the move from RFID and sensing technologies to the Internet of Things. It will focus especially on architectures, control of critical infrastructures, emerging applications, security, privacy and data protection, spectrum management, regulations and standards, broader socio-economic aspects.
The Commission's Staff Working Paper: As a first contribution to the debate, the Commission has released a Staff Working Paper that can be found here. Stakeholders are invited to send comments on the issues addressed in this paper. Concrete suggestions of possible actions or initiatives that should be taken are particularly welcome. Target group: Universities and research centres, public authorities, private organisations addressing horizontal issues (e.g. infrastructure, security) and/or vertical components in major application areas (e.g. retail, logistics, manufacturing, e-energy, finance, public sector), European and international standards organisations, consumers' organisations, trade-unions, civil society groups. Answering Process: Respondents are invited to provide their feedback on a stand-alone document which can be found here. Unless otherwise indicated by the respondent, the answers received to this consultation will be published. There are no-predefined questions but respondents are invited to respect the following format: • Use the first page to identify themselves • Limit themselves to a maximum of 10 pages (regular fonts and spacing) • File should be in '.pdf' format Respondents are invited to send their response by email at email@example.com by 28th November 2008 at the latest. Answers received after this deadline will not be taken into account. Results of the consultation:
On the subject of RFIDs, there has been a lot of discussion on this issue including the Art. 29 Working Party's opinion. However, perhaps, the most interesting aspect of RFIDs was given in a talk that I attended last year, where RFIDs had become everyday life from RFID library cards to RFID passports. Indeed, the talk went so far not so much about regulation but how to circumvent RFID tags through the use of skimming. However, my understanding is that this practice is likely to be outlawed. For researchers working on RFIDs, a good starting point is here and here.
Sunday, October 05, 2008
Some queries at this stage, what is there to guarantee the anonymity of data collected? Take a different approach or query: why would you want to anonymise the data, when this could be valuable "commodity" for any other company for marketing purposes? After all, we are dealing with user's surfing habits. It is also working towards the build-up of online profiling of individuals (apologies for the scepticism). Online profiling discussion will have to be another topic in its own right. Imagine the following hypothetical scenario:
The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.
Fred Blogs, a regular shopper decides to use his laptop to go online and visits Widgets Bookshop and checks his gmail account before switching over to read his regular dose of The Times . He also decides to pay a few bills online. His son, Joe Blogs, 12 years of age, asks his father whether he can use his laptop. Happily, Fred Blogs allows his son to do so. Joe Blogs logs onto his MySpace account then decides to go onto another website, let's say, KaZAA filesharing website and downloads his favourite music. Joe Blogs then emails his friends on his MySpace account to arrange a party do. Probably a good case discussion.Whilst this is a hypothetical scenario, assuming that Fred Blogs naively subscribes to this Phorm program, so that it can deliver targetted ads. What is there to guarantee that it will be completely anonymous? If Joe Blogs logged onto a filesharing website on his father's user account, then questions may arise as to his surfing habits and whether it would land him into trouble with the law? It should be remembered that the General Data Protection Directive 95/46/EC is applicable (including Member States that implement this: ie. UK's Data Protection Act 1998). Given that Phorm is providing the software to the ISPs, it appears that the ISPs would be regarded as a "data controller" and thus, be required to comply with the UK's Data Protection Act 1998. Questions have arisen about whether Phorm could be the "data controller". There has been some discussion from the Art. 29 Working Party, which has indicated in its recent opinion, that the notion of personal data is defined broadly, and would include IP addresses (as held by several Data Protection Authorities including Germany and Sweden) that identify individuals. There is a strong argument that if there is any possibility of identifying individual's through their surfing habits, then the Data Protection Directive or the EU Member States that have implemented the Data Protection Directive 95/46/EC would take the view clearly that we are dealing with personal information. For an indepth analysis on the EU Member State's implementation of the Data Protection, visit here for more information.
If one were to subscribe to the Phorm program, it would simply be to test how robust the system and identify fundamental flaws in this technical system that claims to anonymise surfer habits. However, a report has already been written on this.
Putting on a sceptical hat, given that the arguments in favour of stronger rights for the privacy of personal information (in particular, the DPA 1998) is relatively weak in the UK (other than recent changes to strengthen the UK Data Protection Act 1998), this is a further step towards a gradual erosion towards privacy in the UK.
Final point: Warren and Brandeis seminal article on the right to privacy was written out of concerns of press intrusion, however, the privacy discussion here is not so much about the protection of privacy as the willing acceptance or acknowledgment by individuals that there is simply nothing that can be done to protect privacy. Switching ISPs is only one solution. Opting out of the system is another way. Targetting advertising is certainly unwelcome for the privacy conscious. Yet, one can foresee that the only route may have to be litigation! Discuss...
Saturday, October 04, 2008
- to clarify the theoretical reasoning behind the introduction of FOI
- to evaluate the performance of FOI against its policy objectives
- to assess the impact of FOI on the working of the Whitehall model.
Preliminary research has identified six policy objectives which will be tested in the course of the research. We will investigate to what extent the following objectives of the UK FOI Act are being achieved:
- Greater transparency
- Increased accountability
- Better public understanding of government decision making
- More effective public participation in the political process
- Increased public trust and confidence in government
- Better quality of government decision making
At the same time, we will examine how the introduction of FOI has affected the Whitehall model, in particular five key characteristics of the model:
- Civil service neutrality
- Cabinet system
- Ministerial accountability to Parliament
- The culture of secrecy
- Effective government.
Thursday, October 02, 2008
The friendship between J.R.R. Tolkien and C.S. Lewis lasted over forty years and was for each the most important creative collaboration in their lives. The two met at Oxford in 1926. They were both survivors of the First World War, both academics and, as children, their lives were both dominated by imagination. However, they had very different religious upbringings. Tolkien was a Roman Catholic while Lewis, initially Protestant, later advocated what he called 'mere Christianity' - a faith in the supernatural, the historical Jesus and the reality of sin and judgement. Thus by different routes both Lewis and Tolkien found a way to express truths that lie deeper than surface appearance. Colin Duriez's book is the first to focus primarily on this remarkable literary association, exploring the origins of the mythological worlds which both writers placed at the centre of their fiction. He does not flinch from exploring their differences - Tolkien did not have a high opinion of some of Lewis's Christian writings and Lewis famously found Tolkien's elves too much of a good thing....Best known works of CS Lewis include Mere Christianity. Orwellian works (such as Animal Farm) including his diaries will have to be left for another day.