CFP on Consumer Privacy

CFP for this special issue, Journal of Consumer Affairs:

"Journal of Consumer Affairs Call for Papers on Privacy

The Journal of Consumer Affairs plans a special issue on Privacy Literacy -- How Consumers Understand and Protect Their Privacy. Here is the Call for Papers:

Special Issue Guest Editors

Jeff Langenderfer Anthony Miyazaki
Meredith College Florida International University

Consumers increasingly confront a wide array of privacy-related information and are called upon to make decisions impacting their privacy in a growing number of arenas and contexts. Existing research suggests that many consumers do not understand the decisions they are forced to make nor the impact of those decisions. For this special issue of the Journal of Consumer Affairs, manuscripts are being solicited devoted to the effects of privacy literacy on consumer welfare. The goal of this special issue is to extend our theoretical and practical knowledge of how consumers obtain, process, and use information and mechanisms that relate to their privacy. We seek contributions from multiple disciplines including communications, consumer education, economics, finance, law, public policy, psychology and marketing. Authors may submit empirical studies or conceptual work. Papers that are theoretically grounded and also contain significant implications for consumer welfare are especially appropriate.

Topics that would be appropriate for this special issue include, but are not limited to:

• Consumer understanding of privacy and privacy-related information
• The interplay between privacy knowledge and consumer behavior
• Cost assessments for the surrender of personal information
• Tradeoffs between the surrender of private information and online access
• Deceptive or covert practices in information exchange
• Measurement and assessment of privacy literacy
• Legal and regulatory issues in privacy
• How consumers respond to solicitations for private information
• Consumer understanding of privacy certifications, trustmarks, and seals of approval
• Methods to improve privacy literacy
• The privacy literacy of vulnerable consumers (e.g., children, low-income, etc.)
• Relationships between desire-for-privacy, privacy concern, trust, and privacy knowledge
• Disclosure versus practice regarding privacy-related behaviors
• Consumer awareness regarding seller use of private information
• Consumer understanding of medical and financial privacy practices and disclosures

Submission Information

Manuscripts are due by June 1, 2008. Please follow the submission guidelines for The Journal of Consumer Affairs as detailed under "JCA Author Guidelines" on the Blackwell Publishing web site (http://www.blackwellpublishing.com/submit.asp?ref=0022-0078&site=1). Authors wishing to submit a manuscript should send two (2) electronic copies of their manuscript (one with the full title page and one copy cleaned of all information that identifies the authors) to the special issue co-editor."

RFIDs

Excerpt (courtesy of surveillance mailing list):

"http://www.rfidjournal.com/article/articleview/3981/1/1/

RFID JOURNAL : THE WORLD'S RFID AUTHORITY

THE WORLD'S RFID AUTHORITY

Companies, Agencies Use Clandestine RFID Systems to Catch Thieves

The NOX system includes RFID readers embedded in walls, surveillance cameras and—in some cases—luminescent dust to track the movement of personnel and assets.

By Claire Swedberg

March 20, 2008—A handful of government agencies and private companies such as electronics suppliers are employing a clandestine RFID system known as NOX that allows them to use RFID interrogators hidden in walls, in conjunction with video surveillance and, in some cases, luminescent dust, to thwart theft or other unauthorized activities within their facilities.

The NOX system is the creation of SimplyRFID, a company based in Warrenton, Va. Founded in 2002 by its president, Carl Brown, SimplyRFID has developed RFID solutions for a number of clients, including Stamps.com, UPS, FedEx, the U.S. Postal Service and Target, and its Pro-Tags product line is aimed at suppliers to the U.S. Department of Defense (DOD). During the past few years, Brown says, the company has moved into the clandestine market, following government interest in the use of RFID to prevent theft, or to monitor the movements of personnel wearing RFID-tagged badges.

Because of its location near Washington, D.C., SimplyRFID attracted the attention of several government agencies, including the FBI, which visited the company's office to purchase RFID readers and tags, but brought the hardware back to their location and installed the equipment themselves. "What we found was that they were happy to have any technology that would help them [with security]," Brown says. So the company began developing a more comprehensive security solution that included RFID with video surveillance and, in some cases, "optically charged" dust that could be tracked with cameras.

The NOX system uses RFID readers that can be embedded in walls, as well as surveillance cameras that can be hidden if so desired by a user. The system integrates the two functions to enable users to track theft or other undesirable behavior on their property. By linking RFID tracking with video footage, Brown says, users can not only know which items might be missing by tracking the locations of their assets, they can also link to video footage to determine what has occurred.

"The big problem in selling RFID is that it is not always a solution by itself," Brown states. Instead, he adds, RFID offers part of a security solution by helping users track activity without requiring them to watch it around the clock. But in conjunction with video surveillance, he says, users have information about activities that have occurred—such as which items were moved, as well as where and at what time—reinforced by a visual image of what transpired.

Brown likens RFID technology to a fence, which still has vulnerabilities. People can find ways around that fence, he explains, by not wearing their badge, by wearing someone else's badge or by tampering with an RFID sticker. Such vulnerabilities make video surveillance and optical dust a strong addition to RFID. The optically charged dust consists of microporous fibers that glow when exposed to low-power laser light. This luminescence is not visible to the human eye but can be detected by a video camera. The dust is scattered in areas where there is a risk of unauthorized activity, or where entry is generally forbidden.

A camera can be programmed to watch for any dust that a person might inadvertently pick by walking through an unauthorized area. When that individual passes in front of the camera, it detects the glow as the dust is illuminated by a laser and triggers an alarm. According to Brown, this system provides perimeter security from trespassers or wild animals that might enter a secured property.

Following interest from government agencies, SimplyRFID began providing its solution to the private sector, with clients (all of which wished to be unnamed for this article) located in such states as California, Texas and Florida. The systems allow them to track their employees, as well as high-value assets that, in many cases, pass through their facilities in large quantities and can end up missing.

One common practice for thieves, Brown says, is to load extra items—such as TVs or computers—onto a shipment, or to take assets to the recycling or trash area, where they can then be removed by another party. In some instances, these thefts can occur in extremely high volume, Brown says, adding that companies have had entire trailers loaded with assets disappear. Most firms, he notes, aren't interested in prosecuting, as much as in putting an end to the thievery. "The just want to find out who's doing it and stop it," he says

By placing tags on assets, as well as on personnel badges and such items as garbage cans, companies can track what is moving, and where. The cameras, Brown says, record all activity in their area and are generally used for forensic purposes. If items are determined to have been shipped when they were not ordered, and if that occurred repeatedly with one specific employee, a company can view video footage at the time of the occurrences to see what happened.

Brown says SimplyRFID uses RFID interrogators from Thing Magic and Motorola, among other vendors. A reader is typically installed in a wall at night, or during off-hours, and is connected via an Ethernet cable to a Dell computer server so the data can be reviewed by the company's security personnel.

Companies often install four or five clandestine readers, and about the same number of cameras, at sites where items have disappeared. In other cases, companies arm every doorway and dock door with an RFID interrogator and tag every item inside. Of the private customers for which NOX has been available since 2007, Brown says, "We have three in full deployment and nine others in pilot phases. We are adding about one new install per month."

The companies use the RFID readers to capture ID numbers and send that data to a Dell computer server capable of managing up to 100 interrogators. NOX software allows integration of RFID tag data and video imagery—also stored on the server—so that an image from the time and place of a specific RFID tag read can be automatically displayed on a computer screen, along with the name and ID numbers of the tagged assets and employees wearing RFID-enabled badges.

Most cameras are supplied by Axis Communications, Brown says. The NOX system uses Avery Dennison EPC Gen 2 UHF tags.

The cost for a NOX deployment can be around $40,000 for four or five readers, cameras and software. For larger deployments with more than 30 antennas and 15 cameras, Brown says, the cost averages $100,000 to $150,000. SimplyRFID also offers installation services, he adds, though users often do some of the work themselves, such as installing the cables connecting the interrogators, cameras and server. Other end users, including government agencies, prefer to handle installation entirely on their own."

ICO's Survey

According to the ICO's latest commissioned survey, eight out of ten now take greater care in the way they look after their personal information. The survey shows that eighty eight per cent have started to check their regular bank statements and 85% now refuse to give their personal details. However, it also identified that:

"Fifty three per cent say we no longer have confidence in the way organisations such as banks, local authorities and government departments handle our personal information."

The ICO has produced a short checklist on data protection rights: Here it is:

• An organisation should tell you what it is going to do with your information before you provide any details unless this is obvious.

• Your information should only be used for the reason it was collected in the first place (unless you give your consent to your information being used in other ways).

• An organisation should not collect any information which is unnecessary. You only need to provide the basic information which is required to deliver the service required.

• Your information should be kept accurate and up to date – if you ask any organisation to make changes to your details, it should do this.

• An organisation should not keep your details if they are no longer needed.

• An organisation must provide you with copies of all information held on you - if you ask. You can also ask an organisation to stop using your personal information if it is causing you damage or distress or if you wish to stop it being used for marketing purposes.

• An organisation must keep your personal information secure at all times.

• An organisation should not transfer your personal details to another country unless adequate data protection arrangements are in place.

Report by Parliamentary Committee

The Joint Committee on Human Rights has published its recent report on data protection and human rights (also mentioned in Out-Law news). Main conclusions to be drawn from the report:

"Conclusions and recommendations

1. We agree that data sharing is not, in human rights terms, objectionable in itself. Indeed, the sharing of personal data may sometimes be positively required in order to discharge the State's duty to take steps to protect certain human rights, such as the right to life, and it is also in principle capable of being justified by sufficiently weighty public interest considerations. However, the sharing of personal data will inevitably raise human rights concerns, and the more sensitive the information the stronger those concerns will be. Government must show that any proposal for data sharing is both justifiable and proportionate, and that appropriate safeguards are in place to ensure that personal data is not disclosed arbitrarily but only in circumstances where it is proportionate to do so. (Paragraph 14)

2. We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account. (Paragraph 20)

3. The attention paid to human rights, outside of the legal department, is likely to be very scant if the concept is regarded solely in terms of compliance with the Human Rights Act. In our view, the same is true of data protection and the Data Protection Act. Setting out the purposes of data sharing and the limitations on data sharing powers in primary legislation would give a clear indication to the staff utilising such powers of the significance of data protection. (Paragraph 21)

4. Having heard the Minister's comments, we are concerned that the role of data protection minister is far too limited, being related exclusively to the maintenance of the legislative framework for data protection. It is clearly sensible to require Government departments to take responsibility themselves for abiding by the Data Protection Act, but we would expect there to be a degree of inter-departmental co-ordination to share best practice and help deal with the fall-out from significant breaches of data protection by departments. We heard no evidence that any co-ordinating activity of this sort is currently carried out: if it is, then the data protection minister is not involved. (Paragraph 25)

5. We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection. (Paragraph 26)

6. Recent breaches in data protection appear mostly to have resulted from human error and procedural lapses rather than technological problems. However, it would be wrong to see these errors and lapses as unfortunate "one-off" events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector. (Paragraph 27)

7. We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act. (Paragraph 28)

8. It is clear to us from a great deal of our work, and in particular recently our inquiries into human rights of older people in healthcare and adults with learning disabilities, as well as from this inquiry, that human rights are far from being a mainstream consideration in Government departments. The Minister has identified the cultural barrier to ensuring that personal data is adequately protected by the staff who handle it, but much more needs to be done to tackle this problem successfully. We have so far seen no evidence that the human rights champions in departments have made any impact, particularly in relation to front line staff. We will continue to scrutinise their work carefully. (Paragraph 34)

9. We await the outcomes of the various reviews of data protection with interest. We expect the Government to keep us informed about its proposals for reform in this area. We recommend that, in its responses to the reviews, the Government should acknowledge the close connection between data protection and human rights; and explain how it proposes to ensure that a culture of respect for personal data is fostered throughout Government. (Paragraph 35)

10. We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively.(Paragraph 39)

11. We support initiatives to ensure that data protection issues are dealt with at an early stage in the planning of Government projects, including legislative proposals. We intend to scrutinise how privacy impact assessments are used in practice. (Paragraph 40)

12. Recent breaches in data protection by Government departments do not encourage us to feel confident about the security of data collected as part of the National Identity Register project. We intend to take a close interest in the Government's detailed proposals for the National Identity Register as and when they emerge. (Paragraph 47)

13. We regret that it has taken the loss of personal data affecting 25 million people - a "train crash", in the words of the Information Commissioner - for the Government to take data protection seriously. Data protection is a human rights issue and should not be treated as a fringe concern, a matter for rarely-consulted policy documents and procedures which are all too easily ignored. The recent data protection breaches have revealed the complacency of the Government's repeated refusal to accept our recommendations that more detailed limits and safeguards be included in Government bills which authorise the sharing of personal data. The problem is symptomatic of a deeper problem to which we have drawn attention in recent reports and on which we recently commented in our annual Report on our work for 2007: the failure to root human rights in the mainstream of departmental decision-making. (Paragraph 49)

14. We note that the Government has launched a number of reviews of data protection legislation and practice. Once those reviews have been completed, we expect the Government to take action to foster a positive culture for the protection of personal data by public sector bodies. This will enable the Government to reap the benefits of data sharing, where it is considered desirable, without calling into question the right of ordinary people for respect for their personal lives. (Paragraph 50)"

Another petition - this time on Phorm and ISPs

On the same theme about petitions, here is another one which has over 5,000 signatures:

"We petition the Prime Minister to investigate the Phorm technology and if found to breach UK or European privacy laws then ban all ISP's from adopting it's use. Additionally the privacy laws should be reviewed to cover any future technologies such as Phorm. The UK's three largest ISP's, Virgin Media, BT and TalkTalk are all in talks with a view to introducing the Phorm technology. This would result in the browsing habits of the majority of the UK population being sold to a third party for advertising purposes. The opt out system for this technology is vague and unproven, even when opting out your every move on the Internet might be recorded. Surely this must be a breach of privacy laws, if not then the privacy laws need to be changed to cover such invasive technology."

This sounds more like clickstream data under the breadth of the definition of "personal data" under the Data Protection Directive 95/46/EC and the recent opinion by the Art. 29 Working Party seems to cover this.

Further details can be found here.

See also:

• Web Creator rejects net tracking

Response from the petition on data security breaches

Here is the response from the petition on notification about data security breaches:

"The Government acknowledges public concerns over recent losses of personal data in both the public and private sectors. Although the Data Protection Act 1998 (DPA 1998) does not currently require data controllers to report breaches of security which result in the loss, release or corruption of personal data, data controllers have a statutory responsibility to ensure appropriate and proportionate security of the personal data they hold. This is reflected in the 7th Principle of the DPA 1998. In October 2007, the Prime Minister asked Richard Thomas, the Information Commissioner and Dr Mark Walport, Director of the Wellcome Trust, to undertake an independent review into the way personal information is shared and protected in the public and private sectors. The review is going to consider whether there should be any changes to the way the DPA operates in the UK and the options for implementing any such changes. The review will include recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection. It will also make recommendations about how data sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability. The Government awaits the outcome of the review with interest and will consider any recommendation that calls for legislative changes relating to breach notifications. In the meantime, we understand that the Office of the Information Commissioner plans to publish helpful guidance to all data controllers on breach management and notification. The Prime Minister has also asked Sir Gus O'Donnell, the Cabinet Secretary, with advice from the Government's security experts, to work with Departments to ensure that all Departments and agencies check their procedures for the storage and use of data. A full report will be published in Spring 2008."

Some more cases

Some cases which is likely to take some time before we hear the ECJ's ruling:

1) C-553/07 Reference for a preliminary ruling - Raad van State (Netherlands) lodged on 12 December 2007 - College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer: The question that has been referred to the ECJ under Art. 234 is as follows:

"Is the restriction, provided for in the Netherlands Law on local-authority personal records, on the communication of data to one year prior to the relevant request compatible with Article 12(a) of Directive 95/46/EC ¹ of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, whether or not read in conjunction with Article 6(1)(e) of that directive and the principle of proportionality?"

2) C-518/07 Commission of the European Communities v Federal Republic of Germany:

This is more to do with the independence of the supervisory authorities (Data Protection Authorities) and whether Art. 28.1 of the Data Protection Directive has been incorrectly transposed re: the complete independence of the supervisory authorities.

"Forms of order sought: Declare that the Federal Republic of Germany has failed to fulfil its obligations under the second sentence of Article 28(1) of Directive 95/46/EC¹, by making the supervisory authorities responsible for the monitoring of data processing within the private sector in the Länder Baden-Württemberg, Bayern, Berlin, Brandenburg, Bremen, Hamburg, Hessen, Mecklenburg-Vorpommern, Niedersachsen, Nordrhein-Westfalen, Rheinland-Pfalz, Saarland, Sachsen, Sachsen-Anhalt, Schleswig-Holstein and Thüringen subject to State supervision and thereby incorrectly transposing the requirement of 'complete independence' of the data protection supervisory authorities;

Pleas in law and argument:

The second sentence of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council puts Member States under an obligation to make 'one or more public authorities' responsible for monitoring 'the application ... of the provisions adopted by the Member States pursuant to this Directive', that is to say, of provisions on data protection. The second sentence of Article 28(1) of the directive requires the 'complete independence' of the supervisory authorities responsible. By virtue of its wording, the provision provides that the supervisory authorities are not to be subject to influence from other authorities or from outside of the State administration; the rules of the Member States must therefore preclude external influence from being exercised on the decisions of the supervisory authorities and on the implementation thereof. The wording 'complete' independence implies not only that there should be no dependence on any party, but also that there should be no dependence in any respect whatsoever.

It is thus incompatible with the second sentence of Article 28(1) of the directive to make the supervisory authorities which are responsible for the monitoring of data processing in the private sector subject to technical, legal or administrative supervision by the State, as has occurred in all 16 Länder of the Federal Republic of Germany. As the legislation of every Land makes the supervisory authority subject to those three types of supervision in varying combinations, the legislation of every Land constitutes a failure by the Federal Republic of Germany to fulfil the obligation in the second sentence of Article 28(1) of the directive to ensure the 'complete independence' of the supervisory authorities. Irrespective of the differences between legal, technical and administrative supervision, all these types of supervision constitute an infringement of the independence required by the directive.

From a teleological point of view, the Community legislature regarded complete independence as necessary so that the functions which the supervisory authority was intended to have under Article 28 of the Directive could be carried out effectively. Furthermore, light is also shed on the concept of 'complete independence' by the legislative background to the provision. The requirement of 'complete independence' of the supervisory authorities of the Member States also fits in systematically with the Community acquis existing in the area of data protection law. In addition, Article 8 of the Charter of Fundamental Rights of the European Union requires that compliance with the rules on the protection of personal data must be 'subject to control by an independent authority'.

The concept of relative independence advocated by the Federal Republic of Germany, that is to say, the independence of the supervisory authority only from that which is being supervised, cannot in any event be brought into conformity with the unambiguous, comprehensive wording of the directive, which requires 'complete' independence. In addition, on that interpretation, the second sentence of Article 28(1) would be completely meaningless. Furthermore, the argument that Article 95 EC, as the relevant legal basis for the directive, and the principles of subsidiarity and proportionality suggest a restrictive interpretation of the requirement of 'complete independence' must be rejected. The Court has already held that the directive was adopted in accordance with the areas of competence of the European Parliament and of the Council and that a restrictive interpretation of its provisions in non-economic situations is out of the question. Furthermore, the provision which is at issue does not exceed the limits of that which is necessary to achieve the objectives which the directive, in accordance with Article 95 EC and the principle of subsidiarity, pursues."

3) Case C-557/07 - LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH - Art. 234 preliminary ruling on the following questions:

- Is the term 'intermediary' in Article 5(1)(a) and Article 8(3) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society ¹ to be interpreted as including an access provider who merely provides a user with access to the network by allocating him a dynamic IP address but does not himself provide him with any services such as e-mail, FTP or file-sharing services and does not exercise any control, either in law or in fact, over the services which the user makes use of?

If the first question is answered in the affirmative:

-Is Article 8(3) of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, ² having regard to Article 6 and Article 15 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, to be interpreted (restrictively) as not permitting the disclosure of personal traffic data to private third parties for the purpose of civil proceedings for alleged infringements of exclusive rights protected by copyright (rights of exploitation and use)?" (NB. the recent ECJ's decision in C-275/06 Productores de Música de España (Promusicae) v Telefónica de España SAU).

Social Networks and Newspapers: drawing the boundaries?

Came across this recent Beeb press release concerning the use of information obtained from social network websites by newspapers including images and texts from Bebo, MySpace and Facebook:

Private data, public interest? (29th February 2008):

The use of material taken from personal profiles on social networks by newspapers is to be the subject of a major consultation undertaken by industry watchdog the Press Complaints Commission (PCC).

This comes in the wake of increasingly numbers of newspaper stories that include images and text taken from sites like Bebo, MySpace and Facebook.

But the subjects of press reports are not always happy with the use of content they have uploaded.

Tim Toulmin, director of the PCC, in an interview with BBC Radio 4 says the organisation was getting complaints from people about material, "that is being republished when they themselves are the subject of news stories".

Mr Toulmin says it would be useful to establish principles to guide the press in their use of social network content.

"It's down to the PCC to set the boundaries in a common sense way about what sort of information it is acceptable to re-publish," he says.

To that end the PCC has commissioned research by Ipsos MORI into public attitudes.

The newspaper watchdog wants to discover if people are aware that material they upload could be used in newspaper reports.

It also wants to discover if people would change their behaviour if they knew that information about them could be published in the media.

No doubt, this would need to be assessed in the light of the UK Data Protection Act 1998 and whether the data protection principles is adhered to (just to recap):

"Data Protection Principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

The first data protection principle, whether processing by newspapers constitutes "fair" and "lawful" processing before users' profiles are obtained. What procedures are in place to ensure that personal profiles obtained by newspapers will not be used for any other purpose?"

A second point to consider is whether the processing would be exempt under s 32 of the Data Protection Act 1998, which provides that:

"(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes."

Special purposes is defined under s 3 of the UK Data Protection Act 1998 as the "processing for the purposes of:

(a) the purposes of journalism,

(b) artistic purposes, and

(c) literary purpose"

Whilst users on websites such as Facebook, MySpace and Bebo should not expect that information they post, is necessarily private, the ICO's guidelines does warn about the types of personal information given on such social networking websites. A general question that is often asked is how do you guarantee that information of users are not obtained out of context? Views welcome.