Data Protection Developments

The ICO has recently published its press release entitled: Data Protection in the EU: promising themes for reform:

The Review of the EU Directive prepared for my Office by RAND Europe has been presented to participants at this conference as a draft. The presentation by Neil Robinson and Hans Graux has highlighted their main findings and short and long-term recommendations. Peter Hustinx has added some very perceptive and important observations. We plan to publish the final version of the RAND Report in May – shortly before the conference which has been convened by Commissioner Jacques Barrot. We have always been clear that the RAND study is intended to provide food for thought and to stimulate debate. It is a not a blueprint for reform, still less does it contain the draft of a new Directive. We are equally clear that any reform will take many years, but the debate must start somewhere. That debate has started here in Edinburgh today. As the draft Edinburgh Declaration which will be discussed tomorrow makes clear, the fundamental role for Commissioners in this debate is that of Leadership

The press release goes into detail over the strengths of the DPD including:

The Directive is comprehensive, broadly-drafted and sets out a basic framework
of protection, drawing on OECD and Council of Europe approaches.

• It sets standards which are widely seen as “High” and has a strong Human
Rights resonance, with sharp focus on fundamental rights’ and freedoms.

• It has given people important and usable access and other rights.

• The basic Data Protection Principles have stood the test of time well
and are flexible in their drafting and application.

• The Directive seeks to be largely neutral in terms of technology.

• The Directive can claim significant success in harmonising DP rules and promoting an internal market across the European Union.

The press release also identifies the following:

There must be more emphasis on the benefits of maximum and genuine transparency, for example:

• Privacy by Design and the use of published Privacy Impact Assessments.

• There is much more scope to encourage and require organisations to adopt Privacy Policies, make them easily available and – of course - hold them to account for fulfilment.

• There is more scope for trust marks, accountability agents and 3rd party certification.

• More controversially, perhaps, we can envisage greater use of self-certification.

• And we must improve the use and content of Privacy Notices, getting the right information to the right people in the right language at right time.

More details can be found in their press release (pdf).

Update: The full report is now available including its recommendations with commentaries from Out-law and H&W.

Phorm saga

According to press release from Out-Law News, in the latest on the Phorm saga, the European Commission has issued proceedings against the UK over its implementation of the European Union Directives:

UK laws protecting the privacy of people's communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives.

The Commission's investigation was sparked by outrage over trials by BT of a system which monitors web use and tries to match advertising to people's perceived interests. The trials were done without BT customers' knowledge or permission. The Commission has investigated complaints made to it and to police and has found the UK's laws inadequate in protecting the privacy of communications. "The Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications," said a Commission statement. BT used technology made and promoted by Phorm to track users' online activity. It has since run trials in which it did ask users' permission. The Commission said that BT's trials have been the subject of complaints to privacy regulator the Information Commissioner's Office (ICO) and to police. The Commission believes that UK laws do not properly implement two Directives aimed at protecting privacy, the Privacy and Electronic Communications Directive and the Data Protection Directive.

Update:

Commentary from:

• Open Rights.org

Reading list

Having been slightly disorganised over the last week, and with plenty of reading to do over the Easter, including a recommended book by Clay Shirky titled "Here comes everybody" this post will diverge from discussion over data protection developments.

Short excerpt of the book:

Welcome to the new future of involvement. Forming groups is easier than it’s ever been: unpaid volunteers can build an encyclopaedia together in their spare time, mistreated customers can join forces to get their revenge on airlines and high street banks, and one man with a laptop can raise an army to help recover a stolen phone. The results of this new world of easy collaboration can be both good (young people defying an oppressive government with a guerrilla ice-cream eating protest) and bad (girls sharing advice for staying dangerously skinny) but it’s here and, as Clay Shirky shows, it’s affecting … well, everybody. For the first time, we have the tools to make group action truly a reality. And they’re going to change our whole world.

As for forthcoming conferences, that researchers ought to go to include (not exhaustive):

• BILETA
• Privacy, Laws and Business, 22nd Annual International Conference 6-8 July 2009
• 5th Annual Freedom of Information Conference, 12-13th May 2009