DP thinker

Recommend blog posts

2010-03-23T21:46:00.002Z

For researchers working on privacy developments, here are a few suggested links to keep abreast of the latest:

1) Hunton and Williams Privacy Law Blog -
2) Datanomy, the data protection weblog
3) European Digital Rights in Europe (EDRI)
4) Pogowasright - US focussed
5) Privacy Exchange - slightly outdated, but still relevant
6) European Commission: Data Protection Commissioners
7) PrivacyOS - European Privacy Open Space

ICO Consultation

2009-08-12T12:19:00.002+01:00

Having been overwhelmed with plenty of books to read on my to do list, here is just the latest on data protection developments. The ICO is currently undergoing a public consultation (view on this later) into an online code of practice. If you have not yet aired your views, it is still not too late. By way of recap:

The code will provide comprehensive, accessible guidance on the following broad areas:

Operating a privacy-friendly website
Rights and protections for individuals
Privacy choices and default settings
Cyberspace and territoriality

We intend to publish the code in May 2010, following a public consultation exercise.

Further details can be found here.

On a different note, Oxford Brookes University and BILETA are hosting a one day event for doctoral researchers engaged in the field of IT, IP and Cyberspace law on September 11, 2009. Please mark this in your diaries. Further details about registration can be found here.

How well do you know your privacy policies?

2009-07-02T22:33:00.004+01:00

Whilst updating my reading, came across this recent update that EFF has introduced the ToS Tracker, which keeps an eye on 58 website privacy policies. Courtesy of Dark Reading:

The EFF on Thursday launched TOSBack.org, a "terms of service" tracker for Facebook, Google, eBay, and other major Websites. The idea is to give users an easy way of finding the privacy policies used by their favorite sites, and to be alerted when those policies change. TOSBack.org offers a real-time feed of changes and updates to more than three dozen policies from the Internet's most popular online services. Clicking on an update brings users a side-by-side, before-and-after comparison, highlighting what has been removed from the policy and what has been added, the EFF says. The issue of terms-of-service changes -- and how and why they are made -- was highlighted earlier this year when Facebook
modified its terms of use. Facebook users worried that the change gave the company the right to use their content indefinitely. After a user revolt, Facebook announced it would restore the former terms while it worked through the concerns users had raised "Some changes to terms of service are good for consumers, and some are bad," says EFF senior staff attorney Fred von Lohmann. "But Internet users are increasingly trusting Websites with everything from their photos to their 'friends lists' to their calendar -- and sometimes even their medical information. TOSBack will help consumers flag changes in the Websites they use every day and trust with their personal information."
ToS Tracker
EFF launches TOSBack

Art. 29 Working Party Opinion on SNS

2009-06-21T22:19:00.003+01:00

According to the latest press release, the Art. 29 Working Party has issued an opinion (pdf) on social networking sites ("SNS") . In particular, it addresses how the SNS can meet its data protection obligations by considering who is the data controller (SNS providers; application providers; users are exempt under Art. 3.2 Data Protection Directive, but leaves the possibility that they could have data controller responsibilities); information to be provided by SNS; third party access and whether retention of data under a SNS. In sum, the Art. 29 Working Party provides:

Applicability of EC Directives

1. The Data Protection Directive generally applies to the processing of personal data by SNS, even when their headquarters are outside of the EEA.
2. SNS providers are considered data controllers under the Data Protection Directive.
3. Application providers might be considered data controllers under the Data Protection Directive.
4. Users are considered data subjects vis-à-vis the processing of their data by SNS.
5. Processing of personal data by users in most cases falls within the household exemption. There are instances where the activities of a user are not covered by this exemption.
6. SNS fall outside of the scope of the definition of electronic communication service and therefore the Data Retention Directive does not apply to SNS.

Obligations of SNS

7. SNS should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data.
8. SNS should offer privacy-friendly default settings.
9. SNS should provide information and adequate warning to users about privacy risks when they upload data onto the SNS.
11. Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.
12. At a minimum, the homepage of SNS should contain a link to a complaint facility, covering data protection issues, for both members and non-members.
13. Marketing activity must comply with the rules laid down in the Data Protection and ePrivacy Directives.

Art. 29 Working Party Opinion (pdf)

Rand Report

2009-05-21T09:32:00.006+01:00

With the Rand Report finally published, some observations on a few points:

1) Common interpretations of certain provisions of the [Data Protection] Directive (charter for effective interpretation) was needed to ensure that its functions optimally in the future. In particular, reference was also made to the Swedish model, which established a set of regulations using a risk based approach (misuse-orientated approach) without undermining the Directive. According to the report, the “Swedish regulator was convinced that such a route remains legally acceptable without violating the current provisions of the Directive”. The report further commends the Swedish model, by recommending that the Charter should encourage the use of a risk-based approach to the application of the rules focusing on acts of data processing where harm can reasonably expected [read Seipel's commentary on Swedish developments in Nordic Data Protection Law and short commentary here]

2) Recommendation 2: improving the effectiveness of the Adequacy rule and facilitate the use of alternatives to the adequacy rule (it is all about “contracts” to enable the transfer of personal information from one organisation to another in a non-EEA country) [Only criticism is that this should not impact on the everyday processing such as the internet (uploading of files containing peripheral personal information such as news report; book or article should not be brought within Art. 25; even if the interpretation should be stretched, then the exemptions under Art. 26 ought to be embraced]

3) Develop more suitable privacy policies – in particular, reference is made to encouraging clearer guidelines for data controllers on communicating their policies to data subjects with reference to Creative Commons model of intellectual property right licences. In a Creative Commons model, certain standard types of licences are developed which can be communicated to end users through short, easy to understand descriptions (e.g. “attribution”, “non-commercial”, “no derivative works”,...). A comparable approach could be adopted with regard to privacy policies, by providing summary notices based on such standardised descriptions. These should be relatively easy for interested consumers to understand [on this note, any privacy policies ought to complement the existing Data Protection Directive and national Data Protection Acts 1998 - for those unfamiliar with a Privacy Commons model, a short commentary]

4) The Chief Privacy Officer role may be identified as an alternative to a privacy policy, there mainly to provide for accountability within an organisation. Regulations should be designed that would make Chief Privacy Officers personally responsible and/or criminally liable for willingly engaging in risky, unscrupulous or irresponsible behaviour by their organisations regarding the use of personal data. This would be comparable to the model of the Chief Privacy Officer in certain organisations in the US, which hold real decision making and enforcing power and are highly respected both within their organisations and by regulators and DPAs [on this recommendation, whilst making CPOs accountable, yet verging onto “criminally liable” is one which would be considered too onerous a measure and would likely inhibit “would be” Privacy Officers (data protection officers in the UK). Furthermore, the level of responsibilities by Privacy Officers in an organisation may be varied and it is unclear whether they would be considered to be solely responsible only for the oversight of privacy rules. In other words, CEOs, Directors may also play a role].

Book Review

2009-05-17T13:44:00.003+01:00

Whilst ploughing through Privacy Advocates (and marking to complete), particularly on the role of the Privacy Consultant (in the UK, data protection/privacy officers), came across this sage advice:

"The role of academics within the privacy advocacy community raises larger questions about the responsibility of intellectuals within the society. Should academic work be driven by the pressing social problems of the day?... Here is Stanley Fish's advice..."Do your job; don't try to do someone else's job, as you are unlikely to be qualified...don't confuse your academic obligations with the obligation to save the world; and don't surrender your academic obligations to the agenda of a non-academic constituency... don't cross the boundary between academic work and partisan advocacy, whether the advocacy is yours or someone
else's...The job of the academic is not to change the world, as Karl Marx said, but to interpret it"

Thought provoking analysis for privacy researchers!

Data Protection Developments

2009-04-29T17:16:00.006+01:00

The ICO has recently published its press release entitled: Data Protection in the EU: promising themes for reform:

The Review of the EU Directive prepared for my Office by RAND Europe has been presented to participants at this conference as a draft. The presentation by Neil Robinson and Hans Graux has highlighted their main findings and short and long-term recommendations. Peter Hustinx has added some very perceptive and important observations. We plan to publish the final version of the RAND Report in May – shortly before the conference which has been convened by Commissioner Jacques Barrot. We have always been clear that the RAND study is intended to provide food for thought and to stimulate debate. It is a not a blueprint for reform, still less does it contain the draft of a new Directive. We are equally clear that any reform will take many years, but the debate must start somewhere. That debate has started here in Edinburgh today. As the draft Edinburgh Declaration which will be discussed tomorrow makes clear, the fundamental role for Commissioners in this debate is that of Leadership

The press release goes into detail over the strengths of the DPD including:

The Directive is comprehensive, broadly-drafted and sets out a basic framework
of protection, drawing on OECD and Council of Europe approaches.

• It sets standards which are widely seen as “High” and has a strong Human
Rights resonance, with sharp focus on fundamental rights’ and freedoms.

• It has given people important and usable access and other rights.

• The basic Data Protection Principles have stood the test of time well
and are flexible in their drafting and application.

• The Directive seeks to be largely neutral in terms of technology.

• The Directive can claim significant success in harmonising DP rules and promoting an internal market across the European Union.

The press release also identifies the following:

There must be more emphasis on the benefits of maximum and genuine transparency, for example:

• Privacy by Design and the use of published Privacy Impact Assessments.

• There is much more scope to encourage and require organisations to adopt Privacy Policies, make them easily available and – of course - hold them to account for fulfilment.

• There is more scope for trust marks, accountability agents and 3rd party certification.

• More controversially, perhaps, we can envisage greater use of self-certification.

• And we must improve the use and content of Privacy Notices, getting the right information to the right people in the right language at right time.

More details can be found in their press release (pdf).
Update: The full report is now available including its recommendations with commentaries from Out-law and H&W.

Phorm saga

2009-04-14T16:57:00.004+01:00

According to press release from Out-Law News, in the latest on the Phorm saga, the European Commission has issued proceedings against the UK over its implementation of the European Union Directives:

UK laws protecting the privacy of people's communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives.

The Commission's investigation was sparked by outrage over trials by BT of a system which monitors web use and tries to match advertising to people's perceived interests. The trials were done without BT customers' knowledge or permission. The Commission has investigated complaints made to it and to police and has found the UK's laws inadequate in protecting the privacy of communications. "The Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications," said a Commission statement. BT used technology made and promoted by Phorm to track users' online activity. It has since run trials in which it did ask users' permission. The Commission said that BT's trials have been the subject of complaints to privacy regulator the Information Commissioner's Office (ICO) and to police. The Commission believes that UK laws do not properly implement two Directives aimed at protecting privacy, the Privacy and Electronic Communications Directive and the Data Protection Directive.

Update:

Commentary from:
Open Rights.org

Reading list

2009-04-02T11:56:00.003+01:00

Having been slightly disorganised over the last week, and with plenty of reading to do over the Easter, including a recommended book by Clay Shirky titled "Here comes everybody" this post will diverge from discussion over data protection developments.

Short excerpt of the book:

Welcome to the new future of involvement. Forming groups is easier than it’s ever been: unpaid volunteers can build an encyclopaedia together in their spare time, mistreated customers can join forces to get their revenge on airlines and high street banks, and one man with a laptop can raise an army to help recover a stolen phone. The results of this new world of easy collaboration can be both good (young people defying an oppressive government with a guerrilla ice-cream eating protest) and bad (girls sharing advice for staying dangerously skinny) but it’s here and, as Clay Shirky shows, it’s affecting … well, everybody. For the first time, we have the tools to make group action truly a reality. And they’re going to change our whole world.

As for forthcoming conferences, that researchers ought to go to include (not exhaustive):

Google Streetview

2009-03-26T21:11:00.005Z

According to the latest UK ICO press release on Google Streetview:

Google's Street View includes a facility which allows vehicle registration marks and faces to be blurred. Individuals who feel that an image does identify them (and are unhappy with this) should contact Google direct to get the image removed. Individuals who have raised concerns with Google about their image being included - and who do not think they have received a satisfactory response - can complain to the [UK] ICO.

See also:

BBC Press clip: Call to "shut down" Street View, 24 March 2009

Art. 29 Working Party's Opinion on Personal Data

2nd Privacy OS Conference

2009-03-26T20:39:00.003Z

The 2nd Privacy OS Conference will be held in Berlin, 1-3 April 2009. More details of the Conference can be found here. A brief background of PrivacyOS:

About PrivacyOS

PrivacyOS is a European project aimed at bringing together industry, SMEs, government, academia and civil society to foster development of privacy infrastructures for Europe and is coordinated by the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), which is also the office of the Privacy Commissioner of the German State of Schleswig Holstein. The general objectives of PrivacyOS are to create a long-term collaboration in the thematic network and establish collective interfaces with other EU projects. Participants exchange research and best practices, as well as develop strategies and joint projects following four core policy goals: Awareness-rising, enabling privacy on the Web, fostering privacy-friendly Identity Management, and stipulating research.

Further information can be found at http://www.privacyos.eu/ .

Phorm and Websites

2009-03-23T20:29:00.002Z

In the latest saga on Phorm and websites, according to Beeb:

"Seven of the UK's biggest web firms have been urged to opt out of a controversial ad-serving system. Phorm - aka Webwise - profiles users' browsing habits and serves up adverts based on which sites they visit. In an open letter, the Open Rights Group (ORG) has asked the firms to block Phorm's attempts to profile their sites, to thwart the profiling system. Before now, Phorm has defended its technology saying that it does not break data interception la ws. Legal view Chief privacy officers at Microsoft, Google/Youtube, Facebook, AOL/Bebo, Yahoo, Amazon and Ebay have been sent copies of the letter signed the digital rights campaign group and anti-phorm campaigners."

Open Rights Group has more on this.

BBC: Big websites urged to avoid Phorm

Art. 29 Working Party Opinion on E-Privacy Directive

2009-03-02T12:31:00.004Z

According to SCL, the Art. 29 Working Party has issued its third opinion on proposals amending the Directive on Privacy and Electronic Communications 2002/58/EC. More from SCL:

In a further official Opinion on the e-Privacy Directive, dated 10 February and now available online, the Article 29 Working Party has emphasised some of its concerns about the impending e-Privacy Directive. While much of the Opinion retreads old ground, the tone of the comments on the data breach notification aspects of the Directive is arresting.
The Working Party believes that: ‘an extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens. Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm.’

UPDATE: In a further development of proposed data breach notification laws, according to Out-law, the Council of Ministers have rejected plans to expand the scope of the European Union security breach law beyond telecoms companies. More from Out-Law.

Surveillance Report

2009-02-08T22:37:00.008Z

The House of Lords Constitution Committee has recently published a report discussing the expansion of 'surveillance society', reiterating the warning that the right to privacy is being undermined by pervasive and routine electronic surveillance and collection of personal data:

The report makes over forty recommendations, including statutory regulation of the use of CCTV cameras, a clear legislative framework for the DNA database, a review of the provisions of the Regulation of Investigatory Powers Act, and amendments to the Data Protection Act to provide for 'privacy impact assessments' before any new surveillance regime is introduced. A complaints procedure for breaches of Article 8 should be established, and "where appropriate", legal aid should be made available for Article 8 claims. Compensation should be paid to the victims of "unlawful surveillance" by public authorities. The report also endorses tighter controls within government and a new joint parliamentary committee on surveillance and data powers, to which the Information Commission, whose powers should be strengthened, could report.
Source: 5RB
Open Rights Group considers this in more detail.
See:

House of Lords Constitution Committee Report

DS Breaches

2009-02-08T22:28:00.010Z

According to the latest findings, data breaches appear to become a common occurence:

The personal information of UK citizens is being lost and stolen at an unprecedented rate, the UK’s privacy watchdog said today. Nearly 100 data breaches were reported to the Information Commissioner’s Office (ICO) in the last three months alone, with millions of bank details, addresses, emails, private health information and employee salary statements lost or stolen in 2008. Data breaches jumped by 36 per cent last year, the ICO said. Personal information is now lost - on average - more than once a day.

In June, Virgin Media lost a CD containing private information on more than 3,000 customers while a hospital in Wembley recently had two computers stolen which contained the unencrypted details on 400 patients. Richard Thomas, the Information Commissioner, said it was “unacceptable” that private companies - responsible for 112 of the 376 data breaches last year - could not be investigated by the ICO without their permission.

Source: The Times, 8 Feb. 2009

Ensuring technical security standards by organisations is covered under the 7th data protection principle within the UK Data Protection Act 1998. Getting a privacy audit (or a privacy impact assessment test) of the organisation's technical security procedures would be a starting point. More details can be found on the ICO website.

Search engines - IP addresses

2009-01-29T18:50:00.003Z

Whilst the issue of data retention of search log data has been the subject of much discussion, notwithstanding the Art. 29 Working Party's opinion, that the Data Retention Directive 2006/24/EC does not apply to search engines, yet the retention policies of search engines continues to be a discussion point:

Google - 9 months retention policy

Yahoo - 3 months

Ixquick - 48 hours (as of 28/1/09 - no IP addresses are not stored)

Ixquick appears to be the preferred search engine for its retention policy, having been awarded the European Privacy Seal - whether other search engines will reduce their retention policy remains to be seen.

See also:

EU Law Blog

Data Protection Day

2009-01-29T18:39:00.002Z

Marking aside, the Data Protection Day took place yesterday, 28th January: the ICO launched the Personal Information Promise:

On 28 January 2009 the Information Commissioner’s Office celebrated European Data Protection Day by launching the Personal Information Promise, which was signed by major stakeholders at One Great George Street, Westminster, London.

See also:

ECJ's Judgment

2008-12-29T11:25:00.021Z

Having had a short break from blogging (with teaching and marking to do), this ECJ's judgment in Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy (C-73/07) on the interpretation of Art. 9 of the Data Protection Directive 95/46/EC is worth noting, though it does not resolve the difficulty of the continuing interface between data protection and the journalistic, literary and artistic exemption (as provided under Art. 9) in the context of Data Protection Directive 95/46/EC. Out-Law provides a brief summary:

A company that sends text messages revealing the income of Finland's wealthiest citizens is subject to European data protection laws but could be protected by an exemption for journalism, according to a ruling by the European Court of Justice (ECJ). The processing of personal data made available by Finnish tax authorities may be the subject of a derogation from the EU's data protection regime if it is carried out solely for journalistic purposes, the ECJ ruled. Unlike in the UK, details of taxes paid by individuals in Finland are made publicly available. For several years, a company called Markkinapörssi has collected public data from the Finnish tax authorities for the purposes of publishing extracts from those data in the regional editions of the newspaper Veropörrsi each year...In its judgment ..., the ECJ ruled that the activities of Markkinapörssi and Satamedia "must be considered as the 'processing of personal data' within the meaning of [the Data Protection Directive]" – even though the files of the public authorities that are used comprise only information that has already been published in the media.

On the issue of Art. 9, the ECJ provides that:

54 Article 9 of the directive refers to such a reconciliation. As is apparent, in particular, from recital 37 in the preamble to the directive, the object of Article 9 is to reconcile two fundamental rights: the protection of privacy and freedom of expression. The obligation to do so lies on the Member States.

55 In order to reconcile those two ‘fundamental rights’ for the purposes of the directive, the Member States are required to provide for a number of derogations or limitations in relation to the protection of data and, therefore, in relation to the fundamental right to privacy, specified in Chapters II, IV and VI of the directive. Those derogations must be made solely for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression, in so far as it is apparent that they are necessary in order to reconcile the right to privacy with the rules governing freedom of expression.

56 In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary.

EU law blog, Lex Ferenda also gives their analysis on this case.

ECJ's Judgment

Events

2008-12-29T11:25:00.016Z

Just a reminder re: forthcoming data protection events taking place over the course of this month:

1) Computers, Privacy and Data Protection Conference: Data Protection in a Profiled world, 16-17 January 2009, Brussels.

2) E-Discovery Webinar: Data Protection, corporate investigations and e-discovery: insurmountable conflicts?, 15th January 2009, more details available at http://www.e-comlaw.com/dataguidancewebinars.

ECtHR ruling in Marper

2008-12-04T11:34:00.004Z

Whilst busying away with marking, this recent judgment from the ECtHR (via International Herald Tribune) on the retention of DNA:

BRUSSELS, Belgium: Europe's top human rights court says British police should not be allowed to retain DNA profiles and fingerprints of people suspected but not convicted of crimes. The European Court of Human Rights says in a ruling Thursday that Britain was violating the suspects' right to a private life by retaining information on their DNA and fingerprints. The court based in Strasbourg, France, has ordered British authorities to pay €42,000 US$53,000) to two people who brought the complaint.

Source: International Herald Tribune, 4 December 2008

Update: ECtHR Judgement is available here.

CFP on Privacy Symposium

2008-12-04T11:03:00.002Z

(via Surveillance network)

RESEARCH SYMPOSIUM - THE TRANSFORMATIONS OF PRIVACY POLICY 2-4 July 2009

Institutions, Markets Technology Institute for Advanced Studies (IMT), Lucca (Italy), in collaboration with International Comparative Policy Analysis-Forum & Journal of Comparative Policy Analysis

CALL FOR PAPERS

Abstract deadline (500 words): January 18, 2009 Submission of Abstract to Workshop Convenor and Guest Special Issue Editor: Professor Bruno Dente, Professor of Public Policy Analysis, Politecnico di Milano and IMT bruno.dente@polimi.it & paola.coletti@polimi.it

Notification of accepted proposals: February 8, 2009 Draft paper deadline: June 15, 2009

Workshop Date and Accepted Paper Presentation: July 2-4,2009

Invitation:This EU based Comparative Research Symposium will be the first among a series of international Research Symposia enhancing a comparative exchange on policy research. It will focus on data protection (privacy policy) that has garnered growing attention in many countries in recent years. The evolution of public policy around this issue has been affected in unpredictable ways by the latitude of the issue, as well as by the changes in the social and technological environment. For instance, despite the fact that in the EU privacy regulation stems from official legislation, the member states have implemented different approaches, developing peculiar instruments and building very different institutions.The basic aim of the workshop is to understand the evolution of the policy in different countries, and if these transformations stem from exogenous factors (e.g., technological advances, the war on terrorism, and others) or endogenous factors (e.g., processes of institutionalization or bureaucratization, heterogenesis of ends, policy failures, and others).Our definition of privacy policy is rather broad and includes the content of the protected goods, the policy instruments employed, the organizational dimension of the authorities in charge, and so on.

Submission of Papers: Proposed papers should (a) relate to research on any one of the aspects above, or propose additional research angles,(b) focus on the incremental or radical changes that the policy has undergone, (c) shed light on policy problems and policy related dynamics and interventions, (d) present research on aspects of the different national approaches or cases from which comparative lessons can be drawn.The workshop is interdisciplinary in nature, and therefore perspectives related to all fields of social science (including political science, economics, law, policy analysis, sociology, etc.) will be accepted.The criteria for selection are quality and fit to the subject matter. The articles submitted must be in line with the mission statement of the JCPA and ICPA-Forum of fostering the theory, empirical research and methods of cross-national comparative policy analysis. Please note the Aims and Scope of the JCPA and explicit comparative criteria at www.jcpa.ca. While papers need not necessarily present comparisons among countries, they must explicitly lend themselves to lesson drawing.Papers accepted and presented at the workshop may be published in a Special Issue of the JCPA edited by Professor Bruno Dente, subject to fit in the Special Issue and the blind-fold referee procedures of the JCPA.Location and Organization: The convenors of the workshop will cover the travel and accommodation costs of the selected participants. Lucca is a beautiful historical city located 25 km from Pisa international airport. IMT is a post-graduate University offering PhD Programs in the fiend of Political Systems and Institutional Change, Bio-robotics, Science & Engineering, Computer Science & Engineering, Economics, Markets, Institutions & Technology, and Management of Cultural Heritage. The Workshop will be co-sponsored by IMT, Politecnico di Milano, ICPA-Forum and Routledge.

Revisiting data security breaches

2008-11-25T19:24:00.002Z

Opinion: In a recent press statement on whether there ought to be data security breach notifications, it is slightly unusual for the Government to reject calls for a law that would require significant data security breaches to be notified to a country's privacy regulator.

The Government has rejected calls for a law that would require significant data security reaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law. The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security". However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees. "As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.

Source: Out-law news

Yet, given the lapses in recent losses of personal information, it is odd that this view is taken. Proposals are already in place at a European level to amend the Directive on Privacy and Electronic Communications (hereinafter "DPEC") which will include data security breach notifications by electronic communications providers. Whether this will be extended beyond electronic communications providers is not yet clear, but there appears to be a level of support for this. The rationale is not simply good data management practice but that users/consumers are fully aware of the privacy policies within an organisation and whether the data protection standards are fully in place.

HL refuses appeal

2008-10-30T20:12:00.006Z

Courtesy of 5RB, the House of Lords has refused leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son.

The House of Lords today refused Big Picture (UK) Ltd's petition for leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. In March this year the Court of Appeal held that the claimant had an arguable case on both the misuse of private information and the Data Protection Act points, overturning the August 2007 decision to strike the claim out. The effect of the House of Lords' ruling is that the claim should now proceed to trial, as the Court of Appeal envisaged. The claim, which alleges misuse of private information and breach of the DPA 1998, centres on a series of photographs of David Murray, which were taken when he was a 1 year-old, being pushed down a street in Edinburgh by his parents in his pushchair at a time when his mother was pregnant with David's younger sister. In August 2007 Mr Justice Patten acceded to an application by the remaining Defendant - Big Pictures (UK) Ltd, a photographic agency - to strike the claim out. However, in March 2008 the Court of Appeal decided that the Judge had been wrong to conclude that the claim was unarguable and reinstated the claim, directing that the issues between the parties be tried. An application by Big Pictures for permission to appeal against this decision was refused by the Court of Appeal. In June, Big Pictures petitioned the House of Lords for leave to appeal. It is this petition that the House of Lords has refused today.

Updated BCR Guidelines

2008-10-30T20:10:00.004Z

Updated guidelines on BCR (courtesy of Out-Law news) have been published the Art. 29 Working Party.

The European Union's data protection authorities have published amended guidance on how companies can legally share customer and staff personal data with parts of the firm located outside the European Union. The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations but to countries to which it would usually be illegal to send personal information. U data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short. The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.

Data Security Breach notifications in sight

2008-10-27T17:52:00.009Z

Courtesy of Pogo and Vnunet, comes this recent news on European data breach notification laws (part of the amendments to the Telecommunications framework at a European level:

European data breach notification laws applying to all online information service providers could be in force by 2011, according to the European data protection supervisor Peter Hustinx. The current data breach notification proposals apply to just ISPs and telcos, but Hustinx backed calls for the law to apply to all “information service providers, including banks and medical sites”. He added, “I would welcome this as fair and in line with reality.”

Speaking to vnunet.com at the RSA Conference Europe show in London, which kicked off today, Hustinx explained that the proposals are still open to change as the Council of Ministers and parliament are working on slightly different texts. “We will probably have some threshold [for disclosure] but a very low one, and notification will be to users and authorities,” he said. “There is also likely to be some variation on the basis of individual member states, which will be a challenge.”

Hustinx added that if the current proposals are adopted in spring 2009, they could become law two years after that. Hustinx also argued that the UK government should consider giving its data protection watchdog, the Information Commissioner, greater powers in order to “restore confidence” to public sector handling of data [the Criminal Justice and Immigration Act 2008, s 77 and s 144 already strengthens remedies for ICO].

Consultation on proposed database

2008-10-25T17:35:00.004+01:00

There is likely to be a public consultation over the proposed database over the controversial Communications Data Bill (which is intended to implement the Data Retentions Directive 2006/24/EC). The Art. 29 Working Party (3/2006) has already issued its opinion on the implementation of Directive 2006/24/EC. However, according to Computer Weekly:

The government has scrapped plans to push through the controversial Communications Data Bill this parliamentary session and will hold a second public consultation in the new year.

What is unclear at this stage is whether Liberty would mount a legal challenge over the proposed Communications Data Bill. One awaits to see developments on this front. The ICO has already expressed the view 'that a single database of phone and internet usage records would undermine the "British way of life". The privacy watchdog has said that it will scrutinise Government plans for storing that information.' More from Out-Law.

SNS revisited (not) again!

2008-10-23T11:45:00.007+01:00

Social networking websites (SNS) have been the subject of much discussion, and given the numerous views about the benefits and negativities of this, the recent debates, however, is of interest. Given the high level of engagement, one is certainly drawn to the view that there is enough literature, and warnings about the potential negativities of SNS, such that it is fair to argue that users enter SNS at their own risk. Discussion about the current legal framework particularly with the recent case of Firsht v. Raphael [2008] EWHC 1781 (brief commentary here) have already shown repercussions. The law has not been slow to respond and provides an element of certainty on this. According to Facebook, reactions to the case:

Facebook was reported to have stated in a statement following the reporting of the court’s decision, “Facebook does not permit fake profiles on its site. Fake profiles are an abuse of our terms of use and they will be removed… When fake profiles are reported we thoroughly investigate and remove profiles found to be in violation of our terms of use – just as we did in the case of Mathew Fircsht [sic].

Actual case details can be found here. In the meantime, for those who wish to follow up on the recent debates on social networking, worth visiting here for a starting point.

Update: Out-Law Press release on SNS ground rules

Updates

2008-10-20T11:14:00.011+01:00

Courtesy of Pogo, this recent Adv. General ruling on the Data Retentions Directive 2006/24/EC is worth reading up, whilst awaiting the ECJ's judgment. According to the EU observer,

The European Court of Justice Advocate General on Tuesday (14 October) delivered a blow to member states hoping to overturn an EU law on harmonising telephone and internet data retention rules, saying the case is an internal market matter, not a justice and home affairs issue.

The directive - which was approved by a qualified majority of EU states in February 2006 - sets a time period of six months to two years during which telecom operators are to keep phone and internet data, in the name of fighting terrorism and crime and increasing security.

Irish telecoms operators and internet service providers currently face tougher rules and must keep the data for up to three years, according to the Irish Times.

More from:

C-301/06 Ireland v Parliament and Council (pdf) and online version
Digital Rights Ireland

SNS Programme

2008-10-19T19:28:00.009+01:00

Beeb has recently put this programme on social networking titled Are networking sites a good or bad thing: Here is a snapshot:

Websites such as Facebook, Myspace and Bebo have become immensely popular over the past few years, promoting the sharing of personal information and photographs among friends.

But is social networking just a bit of fun or is splashing our private lives all over the internet potentially harmful? We hear conflicting personal stories of success and disaster.
The link can be found here.
A recent press release has also indicated that SNS should indicate the low level of protection here.

Proposed Database

2008-10-16T10:36:00.010+01:00

This latest development should be no surprise to any academic researcher working in the field of data protection and privacy in the UK (as here). Particularly, when surveillance is becoming "normalised" with countless CCTVs etc. Out goes "privacy" and in comes "surveillance". Amidst the latest data security breaches, according to The Independent, details are emerging over the current plans for a database:

Early plans to create a giant "Big Brother" database holding information about every phone call, email and internet visit made in the UK were last night condemned by the Government's own terrorism watchdog...

Under the proposal, internet service providers and telecoms companies would hand over millions of phone and internet records to the Home Office, which would store them for at least 12 months so that the police and security services could access them. It is understood that more than £1bn has been earmarked for the database.

Some reactions over this proposed database:

Richard Thomas, the Information Commissioner, has described the plans as "a step too far for the British way of life". Yesterday his office added: "It is clear that more needs to be done to protect people's personal information, but creating big databases... means you can never eliminate the risk that the data will fall into the wrong hands."

Shami Chakrabarti, director of the human rights group Liberty, said: "This is another example of the Government's obsession with gathering as much information on each of us as possible in case it might prove useful in the future. Like the discredited ID card scheme this will have a massive impact on our privacy but will do nothing to make us safer.

See:

The Independent: Storm over Big Brother Database

UPDATE: By way of update (courtesy of Out-law) there is likely to be consultation on the proposed new law. However, it is still unclear as there seems to be mixed messages over recent news that everyone who has a mobile phone will be compelled to register their identity on a national database (compulsory mobile phone register). More details can be found here. Q. How have other countries implemented the Data Retentions Directive 2006/24/EC? Probably this book and here will enlighten us a little bit more.

Another case: this time on IP addresses

2008-10-13T12:12:00.012+01:00

Whilst there have been plenty of views re: the status of IP addresses, particularly from the Art. 29 Working Party and the Data Protection Authorities, in an unusual case from the District Court of Munich (file no. 133 C 5677/08; September 30, 2008), the court held that IP addresses (contrary to other German courts), of a user of a website was not personal data, because the user concerned could only be identified if the user's access provider (illegally) identified the user and (illegally) forwarded the name of the user to the operator of the website. Therefore, the storage of the IP address of a user by a website operator in a server logfiles was permitted. Whilst this decision is unlikely to have any effect upon recent opinions made by the Art. 29 Working Party, one is not convinced that IP addresses are not personal data as evidenced by recent incidents exemplified here , here and here. However, if the recent press report is to be believed, then according to one view, "Businesses have a responsibility to protect sensitive data. The public should not expect the government to protect them."

Update: Decision is available in German and can be accessed here and here.

Additions to the Casebook!

2008-10-12T19:12:00.002+01:00

Some latest cases and updates that will need to be included in my casebook on data protection:

1) The Criminal Justice and Immigration Act 2008 received the RA on 8 May 2008. Some of the main provisions worth noting and commenting is ss 77-78 CJIA and s 144 which amends the UK DPA 1998 by adding s 55 A to increase the ICO's powers to impose monetary penalties (ie. the ICO has the power to serve monetary penalty notices to organisations for breach of the UK DPA 1998).

2) Roberts v Nottinghamshire Healthcare NHS Trust [2008] EWHC 1934

In brief, this case hinged on whether the Trust was in breach of its obligations under the DPA 1998 by refusing R access to a report prepared on him by the Trust employer on the grounds that this was exempt from disclosure. Art. 13 of the Data Protection Directive 95/46/EC on exemptions and Recitals 42 and 43 of the Directive were considered in the judgment. Reference was made to the case of Durant and Auld LJ's judgment:

A number of general points can be made about the court's role under section 7(9). First, its role is to review the decision of the data controller rather than to act as primary decision maker. In Durant v Financial Services Authority [2003] EWCA Civ. 1746; [2004] IP & T 814 Auld LJ said at [60]:

"Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to "second guess" decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act."

And then, after referring to the Data Protection Directive and to Article 8 of the European Convention on Human Rights, Auld LJ continued at [60]:

"Under both international legal codes, it is for the Member State to justify, subject to a margin of national discretion, any provisions enabling refusal of disclosure in terms of necessity and proportionality, and similarly, data controllers should have those notions in mind when considering under section 7(4)-(6) whether to refuse access on that account. So also should courts on application by way review of any such decision under section 7(9). But it does not follow that the courts should assume, if and when such a question reaches them, the role of primary decision-maker on the merits."

Secondly, the court must determine, with the benefit of sight of the data, whether the data controller has appropriately concluded that one of the exemptions provided for under the Act or an Order applies. The burden of proof is on the data controller, to the civil standard. Given the right involved, however, the court will approach the matter with a heightened sense of what is at stake, what has been described in other contexts as "anxious scrutiny". Auld LJ's judgment is helpful in indicating how that issue is to be approached, "in terms of necessity and proportionality". Necessity as a test originates in the directive, as can be seen from recital 43. Proportionality as an approach no doubt derives from the relevance of the European Convention on Human Rights to the issue. The twin requirements of necessity and proportionality constrain the data controller in any decision to refuse release of the data. In the light of all of this the court then reviews the decision of the data controller. It is not a decision on the merits but a consideration of whether the data controller's decision is flawed on public law grounds whether, for example, irrelevant matters have been taken into account or the decision not to release is such that no reasonable data controller would have arrived at that conclusion.

The court denied the application to disclose the report on the following grounds:

In light of the very serious concerns and unusual circumstances in this case I have exercised my duty of "anxious scrutiny" to determine whether the defendant has complied with its obligations under the Data Protection Act 1998. In my judgment the defendant has clear and compelling reasons based on cogent evidence to support its decision not to release the report. Moreover, I have been persuaded that disclosure of the reasons for this conclusion are not appropriate in this case. As to what I have described as the half-way house, disclosure to the claimant's legal representatives but not the claimant, in my judgment the court has no power to order it. There is no such power in the Data Protection Act 1998. The other grounds which were advanced as a basis for that power are besides the point once it is recognised that, absent specific authorisation, legal representatives cannot keep relevant information or knowledge from a client. In this case the claimant has agreed to abide by the half-way house but that is no ground for the exercise of any discretion on my part to order disclosure of the report, given the statutory position and my conclusion that no injustice is caused to the claimant by not doing so.

Surveillance Demonstration

2008-10-11T20:40:00.006+01:00

According to this recent press release, there was a privacy rally organised against surveillance:

Source: Earth Times

Berlin - Some 15,000 demonstrators marched in Berlin on Saturday to demand greater privacy, accusing the German government of creating a "surveillance state."The Stop This Surveillance Madness rally ended at the Brandenburg Gate. Organizers said 100,000 people took part, but police on crowd duty said they had not seen more than about 15,000 present at any one time.

The German privacy movement is upset at European Union data- retention laws that require phone companies to keep for six months computerized lists of the numbers that their customers call.

See:

EDRI

Consultation Paper

2008-10-06T11:41:00.004+01:00

One will give blogging a rest, but just a reminder that there is a consultation paper issued by the European Commission titled Radio Frequency Identification (RFID) in Europe: steps towards a policy framework. Some details of this consultation are included below:

The Communication on the Internet of Things will propose a policy approach addressing the whole range of political and technological issues related to the move from RFID and sensing technologies to the Internet of Things. It will focus especially on architectures, control of critical infrastructures, emerging applications, security, privacy and data protection, spectrum management, regulations and standards, broader socio-economic aspects.

The Commission's Staff Working Paper: As a first contribution to the debate, the Commission has released a Staff Working Paper that can be found here. Stakeholders are invited to send comments on the issues addressed in this paper. Concrete suggestions of possible actions or initiatives that should be taken are particularly welcome. Target group: Universities and research centres, public authorities, private organisations addressing horizontal issues (e.g. infrastructure, security) and/or vertical components in major application areas (e.g. retail, logistics, manufacturing, e-energy, finance, public sector), European and international standards organisations, consumers' organisations, trade-unions, civil society groups. Answering Process: Respondents are invited to provide their feedback on a stand-alone document which can be found here. Unless otherwise indicated by the respondent, the answers received to this consultation will be published. There are no-predefined questions but respondents are invited to respect the following format: • Use the first page to identify themselves • Limit themselves to a maximum of 10 pages (regular fonts and spacing) • File should be in '.pdf' format Respondents are invited to send their response by email at infso-iot-europe@ec.europa.eu by 28th November 2008 at the latest. Answers received after this deadline will not be taken into account. Results of the consultation:

The contributions received in the public consultation will serve for elaborating a Commission Communication on the Internet of Things addressed to the Council and the European Parliament during the second quarter of 2009. The Communication on the Internet of Things will be made public through the usual communication channels of the European Commission.

On the subject of RFIDs, there has been a lot of discussion on this issue including the Art. 29 Working Party's opinion. However, perhaps, the most interesting aspect of RFIDs was given in a talk that I attended last year, where RFIDs had become everyday life from RFID library cards to RFID passports. Indeed, the talk went so far not so much about regulation but how to circumvent RFID tags through the use of skimming. However, my understanding is that this practice is likely to be outlawed. For researchers working on RFIDs, a good starting point is here and here.

Phorm Storm

2008-10-05T21:17:00.006+01:00

Slightly delayed post on this issue. The title of this post is "Phorm Storm" primarily because there has been a lot written on the latest saga of Phorm, which is likely to deliver targeted advertising based on user browsing habits by using deep packet inspection. For those who want to read up further, Wikipedia provides a detailed account. Whilst BT has already started trials of Phorm, the ICO has already indicated that Phorm would only be legal, if users OPT-IN (based on Privacy and Electronic Communications Regulations).

The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."
It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.

Some queries at this stage, what is there to guarantee the anonymity of data collected? Take a different approach or query: why would you want to anonymise the data, when this could be valuable "commodity" for any other company for marketing purposes? After all, we are dealing with user's surfing habits. It is also working towards the build-up of online profiling of individuals (apologies for the scepticism). Online profiling discussion will have to be another topic in its own right. Imagine the following hypothetical scenario:

Fred Blogs, a regular shopper decides to use his laptop to go online and visits Widgets Bookshop and checks his gmail account before switching over to read his regular dose of The Times . He also decides to pay a few bills online. His son, Joe Blogs, 12 years of age, asks his father whether he can use his laptop. Happily, Fred Blogs allows his son to do so. Joe Blogs logs onto his MySpace account then decides to go onto another website, let's say, KaZAA filesharing website and downloads his favourite music. Joe Blogs then emails his friends on his MySpace account to arrange a party do. Probably a good case discussion.

Whilst this is a hypothetical scenario, assuming that Fred Blogs naively subscribes to this Phorm program, so that it can deliver targetted ads. What is there to guarantee that it will be completely anonymous? If Joe Blogs logged onto a filesharing website on his father's user account, then questions may arise as to his surfing habits and whether it would land him into trouble with the law? It should be remembered that the General Data Protection Directive 95/46/EC is applicable (including Member States that implement this: ie. UK's Data Protection Act 1998). Given that Phorm is providing the software to the ISPs, it appears that the ISPs would be regarded as a "data controller" and thus, be required to comply with the UK's Data Protection Act 1998. Questions have arisen about whether Phorm could be the "data controller". There has been some discussion from the Art. 29 Working Party, which has indicated in its recent opinion, that the notion of personal data is defined broadly, and would include IP addresses (as held by several Data Protection Authorities including Germany and Sweden) that identify individuals. There is a strong argument that if there is any possibility of identifying individual's through their surfing habits, then the Data Protection Directive or the EU Member States that have implemented the Data Protection Directive 95/46/EC would take the view clearly that we are dealing with personal information. For an indepth analysis on the EU Member State's implementation of the Data Protection, visit here for more information.

If one were to subscribe to the Phorm program, it would simply be to test how robust the system and identify fundamental flaws in this technical system that claims to anonymise surfer habits. However, a report has already been written on this.

Putting on a sceptical hat, given that the arguments in favour of stronger rights for the privacy of personal information (in particular, the DPA 1998) is relatively weak in the UK (other than recent changes to strengthen the UK Data Protection Act 1998), this is a further step towards a gradual erosion towards privacy in the UK.

Final point: Warren and Brandeis seminal article on the right to privacy was written out of concerns of press intrusion, however, the privacy discussion here is not so much about the protection of privacy as the willing acceptance or acknowledgment by individuals that there is simply nothing that can be done to protect privacy. Switching ISPs is only one solution. Opting out of the system is another way. Targetting advertising is certainly unwelcome for the privacy conscious. Yet, one can foresee that the only route may have to be litigation! Discuss...

FOI Survey

2008-10-04T20:58:00.006+01:00

The UCL Constitution Unit is to evaluate the impact of Freedom of Information (FOI) in the UK. FOI is intended to make government transparent, participatory, effective and responsive to its constituents. First, some brief information about the Project:

The primary aims of this project are:

to clarify the theoretical reasoning behind the introduction of FOI
to evaluate the performance of FOI against its policy objectives
to assess the impact of FOI on the working of the Whitehall model.

Preliminary research has identified six policy objectives which will be tested in the course of the research. We will investigate to what extent the following objectives of the UK FOI Act are being achieved:

Greater transparency
Increased accountability
Better public understanding of government decision making
More effective public participation in the political process
Increased public trust and confidence in government
Better quality of government decision making

At the same time, we will examine how the introduction of FOI has affected the Whitehall model, in particular five key characteristics of the model:

Civil service neutrality
Cabinet system
Ministerial accountability to Parliament
The culture of secrecy
Effective government.

More details of the survey can be found here.

Biographies to read

2008-10-02T11:59:00.004+01:00

One of the books that one will have to start reading is the story of the relationship between JR Tolkien and CS Lewis (leave discussion of data protection for another day). Here is a short synopsis, why the authors, known for their works, were also very different in their ways of work and thinking:

The friendship between J.R.R. Tolkien and C.S. Lewis lasted over forty years and was for each the most important creative collaboration in their lives. The two met at Oxford in 1926. They were both survivors of the First World War, both academics and, as children, their lives were both dominated by imagination. However, they had very different religious upbringings. Tolkien was a Roman Catholic while Lewis, initially Protestant, later advocated what he called 'mere Christianity' - a faith in the supernatural, the historical Jesus and the reality of sin and judgement. Thus by different routes both Lewis and Tolkien found a way to express truths that lie deeper than surface appearance. Colin Duriez's book is the first to focus primarily on this remarkable literary association, exploring the origins of the mythological worlds which both writers placed at the centre of their fiction. He does not flinch from exploring their differences - Tolkien did not have a high opinion of some of Lewis's Christian writings and Lewis famously found Tolkien's elves too much of a good thing....

Best known works of CS Lewis include Mere Christianity. Orwellian works (such as Animal Farm) including his diaries will have to be left for another day.

Phorm developments

2008-09-29T22:56:00.002+01:00

Last post of the day, some developments are emerging from the controversial Phorm project (courtesy of PC Pro), which has been the subject of much discussion:

BT's third Webwise trial will begin tomorrow, with 10,000 random customers asked to participate.

"BT customers are being invited to take part in the trial, which will take place over a number of weeks. Following successful completion of this trial and an appropriate period of analysis and planning, it is currently expected that Phorm's platform will be rolled out across BT's network," says an announcement released by Phorm today.

Two previous trials have been conducted in secret by the companies, causing controversy among customers and privacy advocates.

Pressure groups such as Bad Phorm have sprung up to counter the scheme, and the City of London Police questioned BT over the legality of the experiments.

The third test was expected to start in June this year, when it was announced that the trial was to begin imminently. However, the launch was delayed by the surrounding controversy.

This negative attention has now subsided somewhat after the police announced last week that it would not be conducting a formal investigation. The trial also got the go-ahead from the Information Commissioner's Office earlier this year - as long as it was conducted on an opt-in basis. The company is still under the watchful eye of the EU, though.

See also:

Getting to grips!

2008-09-29T12:12:00.008+01:00

This article is worth reading and stems from a previous post sometime back on Professor Pausch's lecture on "Time management". In her abstract, the author discusses some of the issues raised on higher education. The title of the article is Two jobs, two lives and a funeral: legal academics and work-life balance (2004):

"Changes in higher education over the last twenty years have led to a huge increase in the workload of legal academics. At the same time, there are many more choices as to how to spend time outside the workplace. Research shows that academics around the world are finding the maintenance of work-life balance an increasingly difficult issue. This article uses data from a qualitative study of legal academics in the U.K. to illustrate the particular effects of changes in higher education policy on the workload of those working in law schools. While no easy solutions are offered, it is suggested that it is time for legal academics to engage in some Socratian self-examination."

"The latter interpretation of Four Weddings and a Funeral has many resonances for contemporary legal academics, particularly in relation to the problem of work-life balance. Just as for Charles, the problems are immediate, pressing and difficult. They cannot be shelved for later consideration, because life moves on – in the same way as the threat of Carrie’s imminent marriage puts pressure on Charles, legal academics are faced with the immediate prospect of children growing up, partners getting older, ties with friends becoming weaker and opportunities for personal growth being lost. At the same time law schools are making ever-increasing demands upon the time and energy of their staff. It is almost inevitable that when faced with choices about the balance between different strands of their lives individual legal academics will sometimes behave like Charles; they will prevaricate, procrastinate and make mistakes (the latter in itself a potentially humiliating experience for those whose professional life is so intimately bound up with making rational judgements). "

The article is useful and highlights some issues for scholars contemplating of entering into legal academia in the UK. What would be useful is how this compares with other professions such as journalism etc. Some final thoughts from the same author:

"Perhaps the obvious answer is that we need to engage in some serious philosophical analysis. The unexamined life, said Socrates, is not worth living. If our lives are to be worth living, both in Socrates’ sense and at a more pragmatic level, we need to be able to examine our lives and make reasoned choices about how we spend our time. Others within the academy who observe the inhabitants of law schools may consider that a plea to live a fully examined life in the Socratian sense may be a bit of a challenge for the academic lawyer, since doctrinal legal training, at least, provides a poor background for the consideration of values. As a result of the pervasive influence of legal positivism, generations of law students have been taught to see the law in purely technical terms, while its moral content is regarded as irrelevant (Nicolson & Webb, 1999, p. 67). Thornton has referred to the ‘technocentrism’ of the doctrinal tradition, in which law is seen as autonomous, with discernible boundaries between law and morality, as well as between law and other academic disciplines. The pedagogical practice which is found in law schools, she notes “...focuses primarily on legal rules [and] creates a law school environment in which the technocratic is normalized, ...” (Thornton, 1998, p. 372).

"This intellectual background does not necessarily equip lawyers to engage in sophisticated philosophical reasoning about work-life balance (or any other forms of sophisticated moral reasoning, for that matter). Granted, there are exceptions within doctrinal law; the study of jurisprudence may involve consideration of moral issues, for instance, but overall, legal positivism is not interested in the analysis of values. Socio-legal and critical legal scholars have, of course, been quick to point this out, and consideration of the values and attitudes subsumed within the law are a main feature of their work. Nevertheless, familiarity with philosophy is not generally a mainstream feature of the legal syllabus, and it is understandable that, in intellectual terms, legal academics have long been regarded with suspicion by other members of the academy Sugarman notes that a need to gain credibility and acceptance from a sceptical academy was one of the top priorities for early legal academics (Sugarman, 1986). Becher’s work suggests that this is still the case; legal academics are regarded by their peers in other disciplines as not really academic, but engaged in unexciting and uncreative activities; typically, they are thought to be ‘...arcane, distant and alien; an appendage to the academic world’ (Becher, 1989, p. 30). Such opinions may bring forth howls of protest from the inhabitants of law schools, but setting them to rest is not the focus of the current argument. The question is, when faced with the problem of work-life balance, can legal academics, despite their somewhat unpromising intellectual background, engage successfully in the critical self-examination which is one of the crucial elements of a cultivated human being? If we, like Charles in Four Weddings and a Funeral continue to prevaricate, we may as Martha Nussbaum suggests, be cultivating humanity in our students – but only at the expense of failing to cultivate our own."

Gems for the Day

2008-09-29T10:10:00.003+01:00

Whilst listening to Lanz's new album, Painting the Sun, the reading on my list for today will include Lord Denning's judgments. By way of introduction:

"Alfred Thompson 'Tom' Denning, Baron Denning, OM, PC (23 January 1899 – 5 March 1999) was an English veteran of the First World War, a mathematics graduate, jurist, barrister and judge. A native of Hampshire, he became a Law Lord and Master of the Rolls (the senior civil judge in the Court of Appeal of England and Wales).

Lord Denning was a judge for 38 years before retiring at the age of 83 in 1982. Lord Denning instigated many important concepts that would become pillars of the common law and many more which would ultimately be rejected in the House of Lords (such as the doctrine of fundamental breach)."

Some of the books, Lord Denning wrote have included: Freedom under the Law (1949), The Changing Law (1953), The Road to Justice (1955), The Discipline of Law (1979), The Due Process of Law (1980), What Next in the Law (1982) and Landmarks in the Law (1984).

Some of the cases, that law students have had to grapple with (including myself) is the famous High Trees case and the "red-hand rule" in Spurling v Bradshaw.

Best quotes that Lord Denning gave:

On legislation

"Parliament does it too late".

Modern society

Some persons, who would otherwise be good and worthy citizens, are deliberately breaking the law."

Religion

"Without religion, no morality; without morality, no law."

Retirement

"I have all the Christian virtues - except resignation".

Smartening up!

2008-09-27T17:02:00.012+01:00

Whilst details are still emerging over the recent loss of yet more data, the question then hinges not so much on how individuals ought to protect their personal information, but how organisations secure this data and more precisely, how individuals will now have to "smarten up" in the non-disclosure of their personal information, unless this is absolutely necessary (do you really need to give your identity to organisations in exchange for this freebie? What if you don't?). Frequent incidents of data loss have "de-sensitised" us into the usual moans/groans (constant whining) and a great deal of apathy, responses from"not again" to "how can we give over our information" to such incompetent bodies but with no adequate solutions (other than resort to the usual route of compensation)? Whilst the Data Protection Act 1998 is being strengthened with more remedies (ie. heavier penalties), it is now up to individuals to exercise their rights if they have been affected by data losses. The law is there. Even if this is a long, laborious process, ultimately, it will be worth it. In the long-term, it is not simply being alerted to the recent breaches of data losses, but rather a complete change in the "privacy landscape/culture". In other words, accountability of organisations to account for the loss of their data - this is already happening at a European level, with data security breach notices being considered in the forthcoming EU legislation, but this is just the beginning. The questions: at a national/local level, the way organisations handle databases of personal information will need to be questioned - is it centralised/decentralised? What security measures are in place? Who is responsible for the security of personal information? Security questions asked of individuals needs to be changed (forget about mother's maiden name; pet name etc.)? Do they have a privacy policy? We do not want the policy in "small writing" but in "large writing" and be simple (sometimes, the policies can be verbose where only a few people can understand). How about awarding organisations for the best privacy practices they have and highlighting the bad organisations that have lax procedures (no, one is not referring to the work of Privacy International), but have in place simple procedures to ascertain what privacy audits/practices are in place (just simple common sense).

A useful start would be to start questionnaire studies amongst the general public (not so much about the handling of personal information), but rather what they do in protecting their own privacy (or do they care)? Secondly, there has been the frequent discussion to educate others about the protection of their privacy, yet, often, this assumes no knowledge, when there is. Quite clearly, we know something about the Data Protection Act 1998 (for others quite enough), but not enough to make data subject access requests, to consider whether the information is accurate or not etc. There is still a long way to go in utilising other means and methods to protect the privacy of personal information.

In the previous post, the discussion centered on how secure the public databases are and the relative ease in which social networking websites have now made it easier for anyone to obtain information about others, this discussion is now how departments can effectively secure the "trust" of the public to ensure that their personal information is handled properly (even if there is a healthy scepticism).

If you trust your local Tescos and Sainsbury to handle your personal data through the use of reward cards, then what are they doing right that others are not? Another dimension to look at is that if organisations are not handling your personal data correctly, you can theoretically walk away from them (other than resorting to your usual remedies), but not so when we are dealing with those where it is compulsory to give over our data (if this were a business, it would have long lost its custom).

The time for complacency is over. The time for more pro-active dialogue is just the beginning!

Update: The ICO website also includes a Personal Information Health Check - see how well you do!

Radio Interview

2008-09-26T15:13:00.004+01:00

The following interview from Out-Law Radio, is worth listening to:

Title: Piracy: not the enemy, but the competition,

We talk to an anti-piracy pro who says that content producers should stop trying to stifle piracy and concentrate on competing with it better

To ensure that this interview is given its proper context and is not misunderstood, here is a short extract from Out-Law:

"TV companies, film studios and record labels should spend less time fighting those engaged in piracy and more time competing with them, a leading anti-piracy expert has said.

Dr David Price told technology law podcast OUT-LAW Radio that many people turn to piracy because officially-sanctioned songs or TV programmes are of poor quality, arrive late or come with restrictions that make them hard to access.

Price is the head of piracy intelligence at Envisional, a company which monitors piracy for content producers.

"There have to be legitimate alternatives, and not just that but they have to be really good legitimate alternatives," he said. "You've got to offer as good a user experience legitimately as people can get through piracy. We can't just offer something that is so restricted that people aren't going to bother."

Price said that many users of piracy services would happily switch to legitimate ones but are attracted by the more usable, more readily-available pirated services.

"Once you get involved in downloading things illegitimately the user experience is so good it's compelling," he said. "You really get high quality content, there are so many advantages to doing it over what you can get legitimately in a wide range of countries."

Companies should learn from pirates, said Price, and embrace some of the methods of distribution they use. He said that Norwegian broadcaster NRK achieved impressive results when it seeded peer-to-peer networks with legitimate copies of one of its hit programmes."
Radio Interview

MyHeritage.com

2008-09-25T21:30:00.004+01:00

Quite an unusual website - MyHeritage, Facial Recognition site: who do you resemble? Question for the day - who owns MyHeritage?

Another discussion point

2008-09-24T19:12:00.005+01:00

Discussion Point: This is something that still needs to be refined (but would be a good essay /discussion point). Thinking about the recent SNS developments, one has to admit that Facebook, MySpace, Bebo etc. (other than the search engines such as PIPL, Zoom Info) is probably the "best" freely available public databases (searchable on PIPL , Wink etc) and accessible to anybody including marketers (irrespective of technological controls). Consider this as your "Yellow pages"/"White pages" or BT/192 directory search. Free public sector information for employers, education establishments, marketers, law enforcement agencies etc. One may "sugarcoat" it (or to stretch this further "put the icing on the cake") and call it as another means of communicating/networking, but ultimately, when stripped down to its bare minimum, it is nothing more than another public database which is operated by various companies. The question is who owns this information? You or MySpace, Bebo etc. What if this information is later extracted and added onto another database to form a personal profile (or as one author wrote "online profiling"....?)? One need only have a couple of info specialists to do this and we have another database. We are certainly not far from online profiling and it is becoming far easier to use/reuse this information. This raises another question from the context of the European Commission current consultation into the Review of the PSI Re-Use Directive. Consultation is now closed, but probably worth revisiting some of the issues (re-use). Public databases and making information available (let alone "personal information") for free.

On a different note, there will be a social networking symposium which touches on privacy issues for those interested in developing this further.

Essay question for the week: Social networking is just another freely available public database accessible to anybody. Discuss.

See:

Public Sector Information

Telemedia Act

2008-09-24T16:04:00.003+01:00

More reading to do on my list: The German Telemedia Act replaces the Teleservices Data Protection Act and the Teleservices Act, but there is currently no English translation of this Act. However, the available text (pdf) can be found here.

Courtesy of IRIS:

After the Bundestag (lower house of the German Parliament) had adopted the Gesetz zur Vereinheitlichung von Vorschriften über bestimmte elektronische Informations- und Kommunikationsdienste (Act on the standardisation of provisions on certain electronic information and communication services - ElGVG), the cornerstone of which is the Telemediengesetz (Telemedia Act - TMG), on 18 January 2007, it was passed by the Bundesrat (upper house of the German Parliament) on 16 February 2007.

The Telemedia Act no longer distinguishes between tele-services, which were previously covered by the Teledienstegesetz (Teleservices Act - TDG) within the framework of the Informations- und Kommunikationsdienste-Gesetz (Information and Communication Services Act - IuKDG), and media services, which were previously the subject of the Mediendienstestaatsvertrag (Inter-State Agreement on Media Services - MDStV). Instead, similar to the Neunte Rundfunkänderungsstaatsvertrag (9th amendment to the Inter-State Broadcasting Agreement - RÄStV), it combines the two concepts (see IRIS 2005-2:9 and IRIS 2006-7:9). Commercial rules for telemedia will, in future, be found in the TMG, while content-related aspects will be regulated in a specific section of the Inter-State Broadcasting Agreement and the existing Jugendmedienschutz-Staatsvertrag (Inter-State Agreement on Protection of Youth in the Media). Telecommunications services and broadcasting are distinguished from telemedia and thus excluded from the scope of the new Act.

One new rule, which has attracted particular criticism, is the obligation to make user data available to investigating authorities for crime prevention purposes. This provision, which also applies in connection with the protection of intellectual property rights, has raised serious concerns from the perspective of data protection.

Protection from unsolicited e-mails ("spam") has also been extended insofar as it is now an offence for senders to breach information obligations, such as the failure to identify their communications as advertising or the withholding of their identity.

For those reading up on data protection developments in Germany, best starting guide (again, in German) would be Simitis's Commentary on Data Protection.

See also:

German Telemedia Act
German Law Archive -nb: only contains the German Teleservices and German Teleservices Data Protection Act
Privacy International (PHR 2006)

Blogging and defamation

2008-09-17T10:24:00.004+01:00

I came across this recent case on blogging and defamation in the UK, its implications still to be explored, but here is the latest press release (authored by S. Tuxford):

"The case of NIGEL SMITH and ADVFN Plc and others[1] concerns the application of the law of defamation to internet blogging. Mr Smith considered a number of statements published about him on a series of internet bulletin boards operated by ADVFN plc to be defamatory. He obtained so-called "Norwich Pharmacal" orders compelling ADVFN plc to release details of the bloggers responsible before bringing defamation proceedings against the persons identified (and ADVFN plc).

Faced with a large number of similar (and in some circumstances related) claims, the Court upheld an earlier order for a stay of all the claims to give each defendant an opportunity of being heard either in an oral hearing or by making written submissions. Of particular interest, and perhaps concern to claimants in defamation actions however, was the Court's characterisation of the alleged defamatory blogs.
A defamatory statement is one which tends to lower the claimant in the estimation of right-thinking members of society. Defamation is either libel or slander; libellous statements are made in permanent form and slander is defamation made in a transitory form. For slander the claimant will often have to prove that he has suffered some actual financial loss. This is not generally necessary in the case of libel, making it a more attractive action for claimants.
As blogs remain displayed online, they may quite reasonably be considered to give rise to libel actions only. The Court (Mr Justice Eady) questioned this analysis, opining that blogs may amount to slander:

"[Blogs] are read by relatively few people, most of whom will share an interest in the subject-matter; they are rather like contributions to a casual conversation (the analogy sometimes being drawn with people chatting in a bar) which people simply note before moving on; they are often uninhibited, casual and ill thought out; those who participate know this and expect a certain amount of repartee or "give and take"...their identities will often not be known to others. This is no doubt a disinhibiting factor affecting what people are prepared to say in this special environment...People do not often take a "thread" and go through it as a whole like a newspaper article. They tend to read the remarks, make their own contributions if they feel inclined, and think no more about it."

However, Mr Justice Eady did note "I would not suggest for a moment that blogging cannot ever form the basis of a legitimate libel claim." so the position is far from certain; whether a defamatory blog amounts to libel or slander will depend on all the circumstances."

Source: Bristows, Sept. 2008

There have been relatively few cases on this, so this strikes me as one worth reading up on.

Browsers and privacy, part 2

2008-09-12T14:28:00.006+01:00

As an update on web browsers and privacy, Mozilla Firefox is also working towards a privacy mode:

"Privacy seems to be the magic word in the browsers world these days. Surfing without leaving any trace seems to be the ultimate offer for any browser out there. Internet Explorer has it, Google Chrome offers it and now it seems like the next version of Firefox, Firefox 3.1, will add it as well.
Since the release of Google Chrome, every browser maker has entered in an emergency mode and it seems like Mozilla is paying attention to what is happening with the competition.

According to note from Mozilla Wiki, the next version of Firefox will offer a Private Mode. In fact, the feature was intended to be released in the version 3.0, but it was dropped to keep the browser on schedule.

Mike Connor, Firefox lead develop, has a pretty good description on how the Private feature will look like.

“Ensure that users can't be tracked when doing "private" things. There should be a clear line drawn between your "public" and "private" browsing sessions. It is acceptable to let things touch magnetic storage, as long as the cleanup mechanism is robust enough to clean up,” he wrote in a note.
”Non-goal for 3.1: Separate process sharing (some) data. When we get process-per-tab we can make it more IE-like, but doing this also means that we have to have something like their "hey, you're in private browsing mode" banner on the URL bar for all the world to see. Which, to me, is fail” Connor also wrote."

Google Chrome

2008-09-09T15:32:00.003+01:00

This is an interesting press release regarding web browsers and privacy:

Germany's Federal Office for Information Security says that Google's new browser Chrome "should not be used for surfing the Internet." The problem, according to a translation from Blogoscoped, is that joined with email and search, Chrome gives Google too much data about its users. The government also said Chrome should be avoided because its still in beta. Here's the real deal, though: Germans hate Google because like Microsoft with Windows and Apple with iTunes, its a big American company that's so popular it seems like a monopoly. For those keeping score at home — or trying to use the Web in Germany — that rules out Chrome, Apple's Safari, Internet Explorer and Mozilla's Firefox because it runs on Google money. What's left? The Opera browser, conveniently built in Europe.

See also:

GoogleChrome receives heavy criticism in Germany

Advocate-General's Opinion

2008-09-08T14:00:00.005+01:00

The Advocate General's Opinion has been published on the recent case involving data protection issues: Satakunnan Markkinapörssi and Satamedia (C-73/07). The main questions referred to the ECJ are as follows:

Is an operation in which data on the earned income, income from capital and the wealth of natural persons arecollected from documents in the public domain held by the tax authorities and processed for publication,published alphabetically in a printed publication by income bracket and municipality in the form of extensive lists,disclosed onward on CD-ROM to be used for commercial purposes, andprocessed for the purposes of a text messaging service whereby mobile phone users can, by indicating an individual's name and home municipality and texting to a given number, receive in reply data on the earned income, income from capital and wealth of the individual indicated,to be regarded as the processing of personal data within the meaning of Article 3(1) of Directive 95/46/EC? ¹

Is Directive 95/46/EC to be interpreted as meaning that the various operations listed in question 1(a) to (d) can be regarded as the processing of personal data carried out solely for journalistic purposes within the meaning of Article 9 of the Directive, having regard to the fact that data on over one million taxpayers has been collected from data which are in the public domain under national legislation on the right of public access? Does the fact that publication of those data is the principal aim of the operation have any bearing on the assessment in this case? Is Article 17 of Directive 95/46/EC to be interpreted in conjunction with the principles and purpose of the Directive as precluding the publication of data collected for journalistic purposes and its onward disclosure for commercial purposes?

Can Directive 95/46/EC be interpreted as meaning that personal data files containing, solely and in unaltered form, material that has been published in the media fall altogether outside its scope?

Unfortunately, the opinion is available in French, Spanish, German etc. not English, so here is the French decision. As one awaits the ECJ's judgment on this, it is likely to be of interest when considering the scope of Art. 9 of the Data Protection Directive.

Using Knol

2008-09-08T13:20:00.004+01:00

Having had a look at Google's Knol, (this post, as you may gather has nothing to do with data protection developments), I have started to experiment with this and have recently posted an article up on Google Kno l to make it more accessible. It is quite easy to use and also gives the option of asking for other authors to collaborate. The only main criticism is that the search index is not as good or thorough when finding articles etc. on a given specific topic.

Bluespam

2008-09-05T14:19:00.003+01:00

Just came across this interesting paper written in the latest BNA World Data Protection Report on the legal status of "bluespam":

"Bluespam: Is it legal?" examines whether so called bluespam falls within the restrictions imposed by the Privacy and Electronic Communications Directive [2002/58/EC] and whether organisations can therefore be prevented from marketing via bluetooth without first obtaining consent. It also considers the practicality of obtaining consent from bluetooth users and discusses the options for Bluetooth users who do not wish to receive bluespam.

Increasingly, we are seeing Bluetooth technology being used for the purposes of direct marketing to mobile phones.

"There are options for those that do not wish to receive direct marketing via Bluetooth – you can turn the Bluetooth on your mobile phone or other device off or “hide” your phone. However, many will take the view that they should not have to take such steps to avoid receiving what is termed as “Bluespam”.
Whilst at first glance Bluespam appears to fall into the same category as unsolicited direct marketing via email, telephone and SMS spam (all of which are caught by the terms of the Privacy and Electronic Communications Directive (Directive 2002/58/EC), there is legal uncertainty as to whether the Directive does catch it. In short, the Directive captures communications over “public” networks, but at least arguably, the only network used in Bluespam is that created on an ad hoc basis between the transmitting device and the handset in the hands of the recipient."

A copy of the full text paper can be found here (pdf).

Direct marketing

2008-09-04T19:45:00.011+01:00

Courtesy of H&W, this decision was recently made by the German Federal Court of Justice on the use of consent for marketing purposes.

German Federal Court of Justice issues important Decision on the Use of Consent for Marketing purposes.

"In a decision of July 16, 2008, concerning the lawfulness of certain clauses in the application form for a loyalty card, the German Federal Court of Justice (Bundesgerichtshof) issued important guidance to companies that carry out direct marketing in Germany (Urteil vom 16. Juli 2008 – VIII ZR 348/06). In the case, the Court found the following clause to be partially invalid The decision has significant consequences for conducting advertising inGermany. Most importantly, it makes clear that opt-in rather than opt-out consent is necessary to send electronic marketing, and that the German courtswill not hesitate to invalidate clauses that do not meet this requirement. Moreover, it indicates that any consent to the sending of electronic marketing must be specific, rather than be mixed together with consent for other matters (such as receiving other types of marketing).This means that companies may have to consider redesigning their onlineprivacy policies and consent forms to conform to German legal requirements. (translation of the clause from the original German):

With my signature I agree that the data which I have provided above as well as the discount data (products/services, price, amount of discount, place and date of transaction) will be exclusively stored and used by L. Partner Limited and the partner companies according to number 2 of the attached data protection notice for the purposes of advertisements directed at me (e.g., information on special offers, promotional discounts) via post and, if applicable, by requested services (SMS or email newsletter), as well as for market research purposes.

[ ] Please tick this box if you wish to opt out. ...

The Court held that the wording of this clause may fulfil legal requirements for postal marketing, but that it violates unfair competition law for email and SMS marketing. The Court’s decision was based on the clause in essence allowing electronic marketing under an “opt-out”standard, rather than an “opt-in” standard as required by the relevant section of the German Unfair Competition Act that implements EU E-Privacy Directive 2002/58. Moreover, the Court stated that a specific declaration that the user opts in to receive electronic marketing is necessary. Advertising by post According to the Court, sending advisements by post does not require opt-in consent, and is permitted as long as the customer does not object to the advertisement (though the customer must be properly informed about his right to opt out). Advertising by email and SMS. The Court stated that advertising by means of email or SMS is governed not by the Federal Data Protection Act, but by section 7 para. 2 no. 3 of the Unfair Competition Act, and that this requires a separated declaration indicating opt-in consent.

[According to H&W], the decision has significant consequences for conducting advertising in Germany. Most importantly, it makes clear that opt-in rather than opt-out consent is necessary to send electronic marketing, and that the German courts will not hesitate to invalidate clauses that do not meet this requirement. Moreover, it indicates that any consent to the sending of electronic marketing must be specific, rather than be mixed together with consent for other matters (such as receiving other types of marketing). This means that companies may have to consider redesigning their online privacy policies and consent forms to conform to German legal requirements."

For further reading:

See: Federal Court of Justice Decision (German)

ECHR case: I v Finland

2008-09-01T14:46:00.003+01:00

The European Court of Human Rights (I v Finland, 20511/03) has recently ruled on this recent case surrounding the privacy protection of medical data. I have still yet to read through this judgment, but have a look at a short summary (via blogger Where is my Data):

On 17^th July 2008, at the ECHR (Strasbourg), in the case “I” v Finland the court found against Finland, and awarded “I” €13,771 in damages and €20,000 in costs.

Outline of the Case:

The applicant “I”, now 48, stated that her private medical records were accessed by the other people (as a result of which she possibly lost her job as a nurse).

The access was not recorded, as there was no records of this at the time (around 1992)

The Court decided that as the hospital was controlled by the State, and as such Finland was responsible for the actions there. The court also stated that personal information relating to a patient undoubtedly belongs to his or her private life. Therefore Article 8, freedom to a private life, is applicable in this case.
The European Court of Human Rights found that a person’s right to respect for their private life (under the ECHR,) may be breached where the State fails to take appropriate steps to secure data, so that it cannot be accessed improperly.

While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.
While Article 8 not means the government must not interfere, but may also have to undertake positive actions to prevent such interference, e.g the adaption of systems/controls to protect data.

In this case there is no statement that there was deliberate and unauthorized access of data, only that there was failure to secure the data appropriately. i.e a breach of Finland’s positive obligations under Article 8. The court found in favour of the Applicant.

Summary: The ECHR found that if personal data is not secured adequately, and the State does not take positive steps to do so (and not just legislation but technical and procedural steps as well), then the state is in breach of Article 8.

Nice tip!

2008-09-01T11:24:00.005+01:00

Will get back to data protection developments at some point. Continuing the theme on time management, this nifty little tip on inbox zero from the Times:

There are two things you can do about your e-mail inbox: you can let it rule you, or you can take control yourself. Merlin Mann is a San Francisco blogger (he gets called a “productivity guru”) who has been spreading the Inbox Zero gospel since 2006, prescribing a ruthless programme of culling your inbox into one of five categories:
Delete, Delegate, Respond, Defer, Do. At the end of the process, you have Inbox Zero.

– At this point, many people feel the urge to celebrate. They take a picture of their e-mail inbox and post it to the Inbox Victory page.

– But getting to Inbox Zero is like losing a few pounds in January. The trick is keeping it empty. Fortunately, Merlin is there to help, with numerous blog posts and videos of his lectures on the subject to be found on Google.

Update: Clip on this

Where has the time gone?

2008-08-28T09:31:00.006+01:00

A frequent query that I get is where has the time gone? Often difficult to prioritise, but have just been going through this book Shopping for time: how to do it all and not be overwhelmed by Mahaney, Whitacre, and Bradshaw. This is quite useful, and will need to start cutting down on a few activities and learning to say "no" to things. In the meantime, I enjoyed listening to this lecture on "Time Management" by Professor Randy Pausch:

Privacy by Design Principle

2008-08-27T14:55:00.007+01:00

More research reading: Just been reading this latest (courtesy of H&W) on "privacy by design" principle:

On April 28, 2008, the European Data Protection Supervisor Peter Hustinx released a policy paper entitled “The EDPS and EU Research and Technological Development”, according to which privacy and data protection requirements should be introduced as soon as possible in the life cycle of new technological developments. Hustinx stated that the principle of “privacy by design” should represent an inherent part of the European Commission’s 7th Framework Program. The EDPS plans to assist the Commission in the evaluation of data protection issues of project proposals, promote the education of managers and designers, contribute to research advisory boards, and advise companies in order to ensure that privacy and data protection issues are included at an early stage in technology research and development projects.

More details can be found here (pdf). On this note, not to forget, the EU PRIME Project on identity management systems, which is worth reading. More at a later stage.

See also:

EDRI press release

Privacy Audits

2008-08-26T09:54:00.002+01:00

OPINION: With the recent incident surrounding the loss of data on a USB memory stick, one of the discussions that have been absent from the debate is privacy audits of government departments. What do I mean by privacy audits? This is often referred to as "Privacy Impact Assessments" :

"PIAs are a process of ensuring that privacy concerns are identified at the early stage of an initiative so that these can be addressed and safeguards built in rather than bolted on as an expensive afterthought. We have called for the use of these in the past with major public policy developments like ID cards and reinforced the need for these impact assessments in evidence to parliamentary enquiries and in our other publications such as the Information Sharing Framework Code of Practice.

PIAs go wider than simply a data protection compliance check and are aimed at looking at all aspects affecting privacy. The approach we are recommending involves a number of elements including an initial screening process and, depending upon the results, two possible levels of assessment (small scale and full scale) together with a data protection law checklist. The important thing about PIAs is the process of undertaking the assessment where the organisation considers the impact on privacy and whether there are more privacy friendly alternatives. Although a report is produced at the end and is usually published this is will not be subject to an approval process by the ICO."

Other than the handbook, some of the basic procedures still need to be addressed:

1) WHO are your data protection officers? HOW regular is the training about data protection laws?

2) What are the security procedures? Do we understand the data protection principles laid down under the Data Protection Act 1998? In particular, the 7th Data Protection principle that provides that "appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

3) What are the complaints procedures? How many data subject access requests do we have? Do we keep a regular record? Is personal information accessible on the internet?

Privacy compliance check is available here, but certainly more needs to be done not simply at an organisational level, but also a recognition that privacy (storage of personal information) should be kept securely.

Ixquick Search Engine

2008-08-23T15:07:00.007+01:00

Ixquick search engine was awarded the first European privacy seal on July 14th:

Ixquick is a meta-search engine (www.ixquick.com) which
forwards search requests of its users to several search engines, gathers and
combines their results and presents the results to the requesting users. Privacy
is ensured by using several data-minimization techniques: personal data like IP addresses are deleted within 48 hours, after which they are no longer needed to
prevent possible abuse of the servers. The remaining (non-personal) data are
deleted within 14 days. Ixquick serves as a proxy, i.e. IP addresses of users
are not disclosed to other search engines.

This is quite a good search engine and shows all the relevant searches. Not sure why other search engines including Google have not cottoned on to this. Might as well start using this from now on!

More data loss!

2008-08-22T11:29:00.003+01:00

More sensitive data loss (this time, on a unencrypted memory stick!) - Beeb has reported:

"Details of 84,000 prisoners in England and Wales were lost by private firm PA Consulting. The Home Office said a full investigation was being conducted.
The information commissioner's office described it as "deeply worrying".
PA Consulting has searched its premises and looked at CCTV recordings in an attempt to recover the missing memory stick - a commonly used portable storage device for computer files. It is not clear how it came to be lost."

Probably worth reading Ubisurv's comments on this.

Stricter privacy laws - Germany

2008-08-22T11:02:00.004+01:00

This is the latest press release (courtesy of DataGuidance News) regarding recent developments about privacy laws in Germany:

Minister of Justice calls for stricter privacy laws after data trade scandal

The German Minister of Justice, Birgitte Zypries, has called for stricter privacy laws following the recent data trade scandal, which unveiled that German citizens’ personal data are easy to find for sale on the internet.

The Ministry of Justice, who has responsibility in Germany for most consumer issues, proposed that companies should only be able to transfer consumer’s data to other companies with the prior consent of the data subjects involved. “At the moment, it is legal for companies to transfer certainkinds of data, such as names, age and addresses of customers, to other companies for marketing analysis purposes”, a Ministry of Justice spokesperson said to DataGuidance on 20 August 2008. “This provision does not apply to bank account information, and customers have the possibility to opt-out from their data being shared at any time”.

The Ministry of Justice also suggested that controllers should have an obligation to notify a data breach to the subjects involved and that companies should be forced to return any profits made with the illegal collection and processing of data.

The Ministry of Justice spokesperson clarified that Mrs Zypries made the recommendations “as a politician and as a member of the Social Democratic Party, and not in her formal position as the Minister of Justice”.

“Having responsibility for consumers’ rights, the Minister of Justice felt that German consumers expected her to express an opinion on the data trade scandal”, the spokesman explained to DataGuidance. “It is then up to the Ministry of Interior to take the recommendations on board and take any steps necessary to amend the law”.

In August 2008, an employee of a call centre engaged in fraudulent activities delivered a disc containing the names, contact information and bank account details of 17,000 German citizens to the Schleswig-Holstein consumer agency. The call centre would have used the information on the disc to contact the subjects involved and ask them to confirm their banking details in order to withdraw money from their accounts.

After the incident, the Federation of German Consumer Organisations (VZBV) appointed a journalist to conduct an undercover research on the trade of personal data. “We instructed a journalist to find out how easy it would be to buy German citizens’ personal data on the internet”, a VZBV spokesperson explained to DataGuidance on 20 August 2008. “Within hours, our investigator was offered a database containing the personal data of 6 million people and the bank details of 4 million people for EU 850”.

VZBV are still investigating the sources of the illegally sold data. “We have no confirmation yet as to who made the data available for sale on the internet”, said the VZBZ spokesperson, “however we are aware of the involvement of lottery companies that unlawfully collect personal data”.

Dr. Jochen Lehmann, Partner at German law firm Görg, said: ”While data protection has only been the subject of discussions among experts in Germany, it is now all over the headlines. This suggests that the debate over the unlawful collection and use of data will not simply fade away this time, and the involvement of the Minister of Justice is certainly a strong sign. Should the Minister’s recommendations be put into practice even partially, the data protection landscape in Germany will be considerably affected.”

Amendments to the Data Protection Act 1998

2008-08-21T21:55:00.002+01:00

The Criminal Justice and Immigration Act 2008 received the Royal Assent on 8th May 2008, which amends the UK Data Protection Act 1998 and gives the ICO the power to impose substantial fines on organisations that deliberately or recklessly commit serious breaches of the Data Protection Act 1998. The main provisions to consider is s 77 Criminal Justice and Immigration Act 2008. The other main change is s 78 on new defences for the purposes of journalism and other special purpose when processing personal data. Explanatory note provides that:

"Section 78 inserts a new defence into section 55 of the Data Protection Act 1998. The defence applies when a person acts for journalistic, literary or artistic purposes with a view to the publication of journalistic, literary or artistic material and in the reasonable belief that their actions were justified as being in the public interest." (notwithstanding Pepper v Hart , will need to read through Hansard to look into the background of this as to why this amendment is necessary)

See also:

Forthcoming Privacy Conferences

2008-08-07T20:03:00.004+01:00

Forthcoming privacy conferences to note in your diary:

1) Third International Legal, Security, Privacy and Issues 2008, Czech Republic

2) 7th Annual Data Protection Compliance Conference, London, 2-3rd October 2008

CoE DP Treaty

2008-08-04T12:00:00.004+01:00

Privacy, Laws and Business reports the following:

"The Council of Europe Convention on Data Protection, for the first time since it was opened for signature in 1981, is inviting non-European countries with data protection laws to sign and ratify it. The Convention’s Consultative Committee recommended “that non-member states, with data protection legislation in accordance with Convention 108, should be allowed to accede to the Convention”, and it “invited the Committee of Ministers to take note of this recommendation and to consider any subsequent accession request accordingly”. The Committee of Ministers, on 2 July 2008, “agreed to examine any accession request in the light of this recommendation” and “instructed the Secretariat to disseminate information about the Convention”.

See:

Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data 1981

Google Maps and privacy

2008-08-04T12:00:00.003+01:00

According to Out-Law News:

"Google's Street View service has received the blessing of UK privacy watchdog the Information Commissioner, who has said that the safeguards Google has put in place for people's privacy are 'adequate'.

The Street View service works by taking photographs of a city's streets and publishing them together so that they form a kind of photo-map of a city. It has raised privacy concerns because people are identifiable in the photos.

Google, though, has always said that it will change the service according to the privacy laws of the countries in which it operates. Cameras gathering data for the service have been spotted for the first time on UK streets in recent weeks.

We are satisfied that Google is putting in place adequate safeguards to avoid any risk to the privacy or safety of individuals, including the blurring ofvehicle registration marks and the faces of anyone included in Streetview images," said a statement from the Information Commissioner's Office (ICO)."

The Data Protection Act 1998 clearly gives rights to individuals (as data subjects) to request for information held about them and Google would be no exception. The Art 29 Working Party's opinion goes into greater detail over the broad notion of personal data, which one will not elaborate.

Revisiting the DPA 1998

2008-07-08T21:18:00.005+01:00

This has been widely reported:

Addressing the annual conference on Privacy Laws and Business in Cambridge, UK's Information Commissioner, Richard Thomas, has emphasised the need to bringing out necessary changes in European Data Protection Laws.

The Information Commissioner has stated that the existing laws are outdated and excessively bureaucratic, and these laws aren't in line with the modern internet age.

The Information Commissioner's Office (ICO) has commissioned RAND Europe, a research group, to assessing the current laws, and to come up with the key areas of improvement in existing structure.

Thomas also added that the research will help in designing more straightforward and effective laws, without putting extra burden on enterprises.

A representative from RAND has mentioned that the assessment process will involve small interviews and workshops, with a significant participation of small organizations. The group is expected to publish its report in April 2009.

However, Thomas admitted that the reform process would be slow, and the proposed changes may not be applicable till five years down the line, but the start can't be delayed any further.

Whilst these developments are being considered, there are several issues that will need to be revisited not least:

1) Scope of "Personal data" as laid down under the European Data Protection Directive 95/46/EC

2) Distinction drawn between sensitive and non-sensitive data as applied online under Art. 8.1 of the Directive.

3) Onset of social networking (user-generated content)

4) The ease with which information can be easily transferred (Art. 25 of the Data Protection Directive 95/46/EC) will need to be revisited.

5) Scope of the exemptions laid down under Art. 9 of the Data Protection Directive 95/46/EC - processing of personal data for the purposes of artistic, literary and journalistic purposes.

On a separate note, however, identity principles ("identity commons") has been discussed to a greater extent:

"Id Commons is defined in Wiki-Commons as:

The following Purpose and Principles are the "core DNA" of Identity Commons as an organization. We use this term since all Identity Commons working groups agree to inherit these, i.e., each one is accomplishing a specialization of this Purpose, and each one is operating in accordance with a specialization of these Principles. See Background and see our old Wiki for more about how we got here. Feel free to leave comments or make suggestions as to how this statement of Purpose and these Principles can be further improved.

The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet, one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities."

This could work alongside the current EU legal framework, but remains to be seen how effective this would be.

Google Street View

2008-07-07T18:16:00.003+01:00

Having had to take a break from blogging, Google Street - views raises more unusual privacy issues (not least data protection). Out-Law has the latest press release:

A privacy pressure group has told Google that its Street View photography service will break the law. But the company says that its technical measures will safeguard people's privacy.

Street View allows users of Google's maps to view 360 degree photographs of streetscapes in towns and cities that have been catalogued by Google cameras. The company's distinctive cars with cameras attached were spotted on the streets of London for the first time last week.

Pressure group Privacy International wrote to Google's senior privacy counsel Jane Horvath last week to explain its reservations. "You may be aware that Privacy International has stated, both privately to Google legal staff and to the media, that we are concerned about a number of potential violations of national law that this technology may create," wrote Simon Davies of Privacy International.

Davies said that if Google did not satisfy him that it had taken great enough account of users' privacy he would complain about the service to the Information Commissioner's Office (ICO).

Google, though, has implemented blurring technology in order to protect the identities of people and vehicles pictured. The technology blurs faces and vehicle number plates allowing high quality images to contain indistinct people and number plates.

Horvath has written back to Davies explaining that the face and number plate blurring technology has been in place since May. Though she conceded that it is not perfect, she said that it does protect privacy.

Source: Out-Law news

Surveillance case

2008-07-02T20:25:00.004+01:00

The ECtHR has recently ruled on an important case (58243/00) concerning surveillance laws and privacy. According to Liberty:

"In a significant judgement today, the European Court of Human Rights found that UK surveillance laws had lacked the necessary clarity and accountability to prevent abuses of power when used to intercept cross-border communications.The ECHR agreed with human rights group Liberty that surveillance law and practice must be tighter to protect individual privacy rights.

Alex Gask, Liberty’s Legal Officer who brought the case, said:

“The Court of Human Rights has rightly found that greater accessibility and accountability is required to ensure respect for the privacy of thousands of innocent people. While secret surveillance is a valuable tool, the mechanisms for intercepting our telephone calls and e-mails should be as open and accountable as possible, and should ensure proportionate use of very wide powers.”

The ECHR referred to German authorities as an example of best practice in surveillance techniques, in part, because they ensured that monitoring of communications is suited to each investigation and required bi-annual reviews of the need to store the materials.

Gareth Crossman, Liberty’s Policy Director and leading expert on privacy rights, said:

“This judgement highlights the wider problem of excessive surveillance undermining public trust. Whether it’s fishing expeditions of our overseas phone calls or local councils using targeted surveillance to check on school catchment areas, we need a prompt review of the broad powers in RIPA.”

In the judgement, the ECHR states that it, “does not consider that the domestic law at the relevant time indicated with sufficient clarity, so as to provide adequate protection against abuse of power, the scope or manner of exercise of the very wide discretion conferred on the State to intercept and examine external communications. In particular, it did not, as required by the Court’s case-law, set out in a form accessible to the public any indication of the procedure to be followed for selecting for examination, sharing, storing and destroying intercepted material. The interference with the applicants’ rights under Article 8 (the right to privacy) was not, therefore, “in accordance with the law.”

Mark Kelly, Director of the Irish Council for Civil Liberties, added that:

“The Court has found that the United Kingdom’s relatively sophisticated rules on data interception have failed to prevent unlawful interference with privacy rights. This has clear implications for many other Council of Europe member states, including Ireland. Our lax data interception regime will require a thorough overhaul in order to ensure that it meets the standards required by the European Court of Human Rights under Article 8.”

Data Protection Developments

2008-06-26T14:54:00.003+01:00

Having been bogged down with marking, finally had some time to catch-up with the latest data protection developments:

Profiling on the internet is back on the agenda: Out-Law has recently posted this press release on Electronic Commerce:

A new set of consumer contract laws to harmonise the rules that govern online selling across the EU will be proposed this autumn by the European Commission. The EU's consumer chief also promised fresh guidance on viral adverts and profiling technology.

Addressing a roundtable on digital issues in London on Friday, European Consumer Commissioner Meglena Kuneva said that while e-commerce is succeeding at national level, cross-border e-commerce is failing to keep pace. The European Commission believes that simpler and better-harmonised consumer laws will boost the sector.

The results of EU surveys among 26,000 consumers and 7,200 businesses were announced by Kuneva on Friday. They show that while a third of the EU's 490 million consumers have bought something online, only seven percent have bought from foreign suppliers. Of those with web access at home, 56% have bought online; but only 13% have made a cross-border purchase.

These figures underline how much work we still have to do to boost confidence in the online internal market," said Kuneva.

Probably more of interest is the discussion on privacy and in particular that of "targeted advertising.

Kuneva expressed concern about the targeting of adverts in what might be interpreted as a reference to recent controversy over Phorm, an advertising technology firm.

"If you watch tennis over the internet, you will be targeted with ads for tennis items. If you read about home improvement, chances are that you will receive ads for repair services and new furniture," she said. "But there are some concerns that the amounts of personal data collected over the internet without the awareness of users, let alone their consent, is getting too large and a bit out of control." [on this point, the UK ICO has published its opinion on Phorm technology - consent of users will be required under Regulation 7 of the PECR)

"Currently many websites offer to click for 'enhanced services'. Is this an informed consent? How many people actually know that this amounts to consent to having their behaviour tracked, to have that data stored and then used commercially? What would be fair terms in an agreement to allow tracking? Publishers currently have privacy policies that allow the installation of tracking devices that are not themselves covered by their privacy policy. Is this a fair term? I believe that informed consent is the central issue that consumer policy must next address."

"I want to step up our work to develop core consumer principles that feed into policy across sectors and technologies delivering a more consistent approach the conditions surrounding tracking and profiling," she said."

Leaving aside whether individuals consent to targetted advertising or not, as discussed before, profiling takes place when individuals visit any websites (not least their clickstream data is captured by search engines; websites etc.). For those interested in researching profiling and data protection issues, recommended reading at this stage is Bygrave's Data Protection Law: approaching its law, rationale and limits.

See also:

Annual P&LB Conference on Data Protection

2008-05-26T19:14:00.003+01:00

The Annual P&LB 21st Conference will be held in Cambridge 2008. The theme will be "Value Privacy, secure your reputation, reduce risk", 7-9th July 2008, St John's College, Cambridge, UK.

For further details, see

http://www.privacylaws.com/templates/Page.aspx?id=835.

Spam, spam, spam

2008-05-26T18:41:00.004+01:00

Courtesy of DataGuidance, this recent development was drawn to my attention:

Spam will become a criminal offence on the 26 May 2008, when the Consumer Protection from Unfair Trading Regulations 2008 will come into force. According to Schedule 1 of the new Regulations, Œmaking persistent and unwanted solicitations by telephone, fax, email and other remote media, except in circumstances and to the extent justified to enforce a contractual obligation, will be deemed unfair commercial practice in all circumstances. The maximum penalty for spamming is a two years imprisonment.

The regulations also cover Œdisplaying a trust mark, quality mark or equivalent without having obtained the necessary authorisation¹, and Œconducting personal visits to the consumer¹s home ignoring the consumer¹s request to leave¹.

The Consumer Protection from Unfair Trading Regulations 2008 implements the Unfair Commercial Practices Directive (UCPD) into UK Law.

The unusual thing is that we already have the Directive on Privacy and Electronic Communications 2002/58/EC (Art. 13) which deals with spam and is implemented in the UK Privacy and Electronic Communications Regulations, but this takes it one step further and makes it a criminal offence. Note, there are technological measures to deal with spam (not least e-mail filters) or as some prefer to use, Mailinator and SpamGourmet.

See:

Data Portability

2008-05-20T14:04:00.002+01:00

Tech Crunch has recently posted this development in the social networking sphere, which raises some questions about the ease with which personal information can be transferred from one social networking website to another.

"How much are your friends worth? That is the question behind the big debate going on around social networks and data portability. In the last ten days, Facebook, Google, and MySpace have all announced ways to let people access their data (including friends lists) from other sites, except that what they are really trying to do is erect new walled gardens by positioning themselves as the primary repository of that personal and social data. This is valuable data and none of the big players want to cede any more of it than is necessary, which is why Facebook banned Google from tapping into its members’ social data. But here’s a little secret. All of this data is already leaking out in ways that Facebook and other social networks can hardly control. Startups are finding ways around their official APIs to get the data consumers want into their own systems. For instance, Zude, a personalized Webpage service, recently launched a feature called SocialMix that lets people import friends lists, photos, profile information, status updates, comments, and other data from Facebook, MySpace, Bebo, Orkut, and hi5. (See the screen shot below, which shows my Facebook friends on Zude). “What we are doing is taking the information and normalizing it and making it available in any manner you want,” claims Zude CTO Steve Repetti. He was tired of waiting around for true data portability to arrive, so he figured out a hack to offer it on his own (and it doesn’t involve screen scraping). Taking a different approach, Minggl has found a way to access your social data through a browser plug-in. And Media6° is placing cookies through the ads themselves on Facebook to collect social data for advertisers. If you click on an ad with one of its cookies, then the same ad will be shown to all of your friends, who supposedly are two to ten times more likely to click on the ad than other people. Media6° also should be able to target Facebook members as they wander across the Web (as long as a cookie has been placed in their browsers and they come across an ad with the Media6° Javascript code embedded in it). I’ve come across other startups who claim to be able to pull profile and friend data from Facebook. Facebook can go after them and shut them down, but it is rightly more concerned about Google gaining free and unfettered access to that data. Google is the bigger competitor and the bigger threat. But in the meantime, all of these little startups are finding ways to get at the same social data being so ferociously guarded by Facebook. In fact, they already have it, and Facebook is going to have a hell of a time trying to put it back in the barn."

Whilst users may want to control their "data" (by this, their personal information) and be able to transfer this from one network to another, what is unclear is the extent to which this is happening on a large scale? Secondly, a further complicated dimension to this is that the "profile" is not necessarily about an individual, but rather friends' data being held in another social networking environment, which leads to the question of the applicability of the Data Protection Directive 95/46/EC. There is no question that the processing of data other than yourself constitutes the processing of personal data under the Data Protection Directive (or corresponding national data protection laws), but some theoretical analysis: would Art. 3.2 of the Data Protection Directive 95/46/EC (processing personal information even of friends for private purposes) (and corresponding national data protection laws) be applicable? This would depend on whether the data is easily accessible on the internet. The ECJ's decision has been fairly clear in Lindqvist that Art. 3.2 is not applicable given that the the internet is likely to be accessible to anyone. However, whilst the Data Protection Directive 95/46/EC (and the corresponding national data protection laws) are relevant, the question will now hinge on the applicability of the the exemptions as covered under Art. 9 (artistic, literary and journalistic purposes) and Art. 13 of the Data Protection Directive 95/46/EC (and corresponding national data protection laws), which will need to be considered in more scope.

See:

Data Retentions Directive and ISPs

2008-05-15T20:19:00.006+01:00

Out-law has recently posted this press release concerning the Communications Data Bill which will implement the Data Retentions Directive 2006/24/EC ("DRD"):

"Phone and internet companies will soon be forced to keep logs of internet usage to be made available to the police under a new law announced by Prime Minister Gordon Brown this week.

The law, the Communications Data Bill, will implement the remainder of the European Union's Data Retention Directive.

Last October the Government enacted regulations which said that telcos must keep records of phone calls to and from land lines and mobile telephones. That requirement will be extended to records of customers' internet usage, email usage and voice over internet protocol (VoIP) records.

“The aim of the [Directive] is to ensure that certain data is retained to enable public authorities to undertake their lawful activities to investigate, detect and prosecute crime and to protect the public," said a Home Office spokeswoman.

“The first part of the [Directive] was transposed into UK law in October 2007 but the Government made a declaration … to postpone its application to the retention of communications data relating to internet access, internet telephony and internet email until 2009. So the measures referred to in the Communications Data Bill will complete the transposition of the Directive for IP [internet protocol] communications data," said the Home Office spokeswoman."

See also:

ICO Powers

2008-05-12T20:34:00.003+01:00

According to the latest post from PL&B, the Criminal Justice and Immigration Act has received the Royal Assent, which would include strengthening the powers of the ICO to impose fines for serious breaches of the DPA 1998 -

Organisations now face substantial fines for deliberately or recklessly committing serious breaches of the Data Protection Act. The Criminal Justice and Immigration Act, which received Royal Assent (the final legislative stage) on 8 May, introduces a civil penalty rather than a criminal penalty, the result of an amendment adopted by the House of Lords last month.

The Information Commissioner can impose fines when organisations ‘knew or ought to have known that there was a risk that the contravention would occur, and that such a contravention would be of a kind likely to cause substantial distress or damage, but failed to take reasonable steps to prevent the contravention..’

Although not what it asked for, ICO welcomes the new penalty.

David Smith, Deputy Information Commissioner said: “This change in the law sends a very clear signal that data protection must be a priority and that it is completely unacceptable to be cavalier with people’s personal information. The prospect of substantial fines for deliberate or reckless breaches of the Data Protection Principles will act as a strong deterrent and help ensure that organisations take their data protection obligations more seriously.

“This new power will enable some of the worst breaches of the Data Protection Act to be punished. By demonstrating that the law is being taken seriously tougher sanctions will help to reassure individuals that data protection matters and give them confidence that organisations have no choice but to handle personal information properly.

See also:

Criminal Justice and Immigration Act

ICO gets powers to fine for privacy breaches

Facebook Trust

2008-05-05T14:52:00.002+01:00

Aside from the privacy issues, there is a discussion forum taking place with Stanford students on the psychology of facebook looking at "high-trust contexts" in Facebook. Beeb has recently written an article on this project:

"A group of students at Stanford University in the heart of Silicon Valley have turned their attention towards a unique course that blends popular culture with the more time-worn principles of psychology. The Psychology of Facebook is the brainchild of Professor B J Fogg, a pioneering persuasion psychologist who founded the Persuasive Technology Lab at Stanford.

He says: "When Facebook came along I was one of the developers at the launch and what struck me was how there was this new form of persuasion. This mass interpersonal persuasion."

The latest discussion focuses on high-contextualised trust:

"These are the high-level questions we should strive to answer to understand how trust works. The materials address one or more of these questions:

What Defines and Affects Trust?
How Do We Act in a Trusted vs. Untrusted Environment?
How Does Trust Level Compare on Facebook vs. Internet vs. "Real World"
Trust Creation: Slow, Gradual, Painstaking
Trust Destruction: Instant, Deadly, Spectacular

Trust as a Function of "Perception of Risk

One way to think about trust is by examining the flipside - potential downside of opening up and sharing. Trusted environment is one where our perception of risk (something bad happening) is low. Untrusted environment is one we perceive as dangerous in some way. What could affect the perception of risk:

Anonymity vs. accountability for your actions

Your demographics / psychographic profile (compare Gen Y vs. Boomers)
Comfort with the environment (sense of control)
Strength & number of connections (social proof is critical to trust creation)
Social pressure to participate (downside of being excluded)
Understanding the potential abuse and how to prevent it
Predictability of the environment"

See:

BBC: Learning what makes Facebook ticks

Social networking

2008-04-26T19:49:00.004+01:00

Having returned from a roundtable discussion on social networking and identity and privacy at Leuven, ICRI, a few things to draw attention:

1) The International Working Group on Data Protection (pdf) has issued a report on social networking with the following:

"With respect to privacy, one of the most fundamental challenges may be seen in the fact that most of the personal information published in social network services is being published at the initiative of the users and based on their consent. While ”traditional” privacy regulation is concerned with defining rules to protect citizens against unfair or unproportional processing of personal data by the public administration (including law enforcement and secret services), and businesses, there are only very few rules governing the publication of personal data at the initiative of private individuals, partly because this had not been a major issue in the “offline world”, and neither on the Internet before social network services came into being. Furthermore, the processing of personal data from public sources has traditionally been privileged in data protection and privacy legislation."

Some points from the same report:

"Regulators

1. Introduce the option of a right to pseudonymous use – i.e. to act in a social network service

under a pseudonym –, where not already part of the regulatory framework.

2. Ensure that service providers are honest and clear about what information is required for the
basic service so that users can make an informed choice whether to take up the service, and that users can refuse any secondary uses (at least through opt-out), specifically for (targeted) marketing. Note that specific problems exist with consent of minors (note the work of the data protection commissioners)

3. Introduction of an obligation to data breach notification for social network services. Users will only be able to deal especially with the growing risks of identity theft if they are notified of any data breach. At the same time, such a measure would help to get a better picture of how well companies secure user data, and provide a further incentive to further optimise their security measures.

4. Re-thinking the current regulatory framework with respect to controllership of (specifically third party-) personal data published on social networking sites, with a view to possibly attributing more responsibility for personal data content on social networking sites to social network service providers (on this point, the Data Protection Directive is fairly clear about the obligations of data controllers)

5. Improve integration of privacy issues into the educational system. As giving away personal data online becomes part of the daily life especially of young people, privacy and tools for informational self-protection must become part of school curricula." (note the work of the data protection commissioners)"

2) Discussion on the changes made to the existing Electronic Communications Framework: has focussed more on:

– breach notification provisions - not merely the remit of ISPs, and network operators, but extended to
– better protection against spam and malware, particularly on strengthening the powers of ISPs against spammers
– better enforcement

3) Phorm was discussed briefly - the UK ICO has already indicated that opt-in consent of users will be required before the ISPs could use this:

"Phorm and the ISP will also have to comply with the Privacy and Electronic Communications Regulations 2003 (PECR) even where they do not process personal data. Under Regulation 6 of PECR a user must be informed when a cookie is placed on their computer, given clear and comprehensive information about the purpose of the storage and given the ability to refuse it being placed on the system. The information we have seen so far indicates that users will be informed by the ISP about the use of cookies as part of the process of being told about the service and given a choice about whether or not to participate. Users will also be able to configure their internet browser to block all cookies from Phorm and therefore prevent any profiling without a cookie being loaded. How this operates in practice will not be apparent until the trials by the ISP get underway or the product is rolled out but it should be possible for the ISPs and Phorm to achieve compliance with Regulation 6.

Regulation 7 of PECR will require the ISP to get the consent of users to the use of their traffic data for any value added services. This strongly supports the view that Phorm products will have to operate on an opt in basis to use traffic data as part of the process of returning relevant targeted marketing to internet users.

Whether or not the deployment of the Phorm products raise matters of concern to the Commissioner will depend on the extent to which the assurances Phorm has provided so far are true. The Commissioner has no reason to doubt the information provided by Phorm but some technical experts have publicly expressed concerns. The Commissioner welcomes the efforts Phorm is making to engage with concerned technical experts and believes that it is only by allowing its technology to be subject to detailed scrutiny by independent technical experts that it will be able to prove their assertions regarding privacy which will be important for the commercial success of the product."

See also:

Data notification breaches

2008-04-18T20:04:00.004+01:00

The European Data Protection Supervisor has called for a data breach notification law (via Out-law) -

"The privacy watchdog for EU institutions has called for a planned requirement for telecoms companies to publish details of information security breaches to be extended to banks, businesses and medical bodies.

The European Commission has proposed a data breach notification law which would force telecoms companies to tell customers when personal information had been lost. The requirement was among other proposed changes to the Privacy and Electronic Communications Directive published last autumn.

The European Data Protection Supervisor (EDPS) has said that if the proposal is designed to help prevent identity theft it must be extended to include banks, businesses and others.

"While the EDPS is pleased with the security breach notification system … he would have favoured their application at a wider scale to include providers of information society services," said the EDPS's response. "This would mean that online banks, online businesses, online providers of health services etc would also be covered by the law."

Proposals to reform the European Electronic Communications Framework is likely to take place in Autumn this year. The main proposals to amend the Directive on Privacy and Electronic Communications 2002/58/EC include the following:

- introducing mandatory notification of security breaches resulting in users’ personal data being lost or compromised;

- strengthening implementation provisions related to network and information security to be adopted in consultation with the Authority;

- strengthening implementation and enforcement provisions to ensure that sufficient measures are available at Member State level to combat spam;

- clarifying that the Directive also applies to public communications networks supporting data collection and identification devices (including contactless devices such as Radio Frequency Identification Devices);

- modernising certain provisions that have become outdated, including the deletion of some obsolete or redundant provisions.

Some clarity is further given under the proposals over the use of spyware:

"In Article 5(3): this ensures that use of “spyware” and other malicious software remains prohibited under EC law, regardless of the method used for its delivery and installation on a user’s equipment (distribution through downloads from the Internet or via external data storage media, such as CD-ROMs, USB sticks, flash drives etc.)."

However, other than this, it should be noted that this can easily be removed by anti-spyware software (see this article) and stopbadware project.

See also:

Data Protection Developments

2008-04-15T20:28:00.004+01:00

The latest issue of E-Commerce Law Report s (Vol. 7 Iss. 5 April 2008) is now available, which includes:

PRIVACY

In 'Promusicae v Telefónica', the European Court of Justice rules on the obligation of member states to order the disclosure of personal data on copyright infringers in civil actions (on the case of Promusicae v Telefónica, this has been discussed in a recent SCL article)

BROADCAST RIGHTS

In 'Karen Murphy v Media Protection Services', a pub landlord loses her appeal over the broadcast of live FA Premier League football matches using a foreign satellite system which is capable of decoding and broadcasting foreign satellite signals.

SUBJECT ACCESS RIGHTS

In Ezsias v Welsh Ministers, the High Court sets out the obligations placed on data controllers when faced with subject access requests under the Data Protection Act.

PUBLIC ACCESS

In an application to the Administrative Court by The Times, The Guardian and Financial Times, the Court applies a purposive construction to the CPR in facilitating public access to court documents.

BROADCAST RIGHTS

In 'The FA Football Association Premier League Limited v QC Leisure', the High Court considers the use of Article 81 of the EC Treaty as a defence to allegations of circumventing the cost of broadcasting FA Premier League matches using foreign satellite systems

DOMAIN NAMES

In MySpace, Inc v Total Web Solutions Ltd, MySpace wins the right to the 'myspace.co.uk' domain name, despite the respondent registering it approximately six years before MySpace was founded.

PATENTS

In 'Ingenico v Pendawell', the UK Intellectual Property Office revokes the patentability of an electronic payment system using assessment criteria which is at odds with European Patent Office caselaw.

IMAGE RIGHTS

In Grütter v Lombard, the South African Supreme Court of Appeal delivers a judgment paving the way for recognition and protection of image rights under South African common law.

PATENTS

In 'Astron Clinica Limited', the UK Patents Court considers whether patent claims could ever be granted for computer programs.

Ofcom's Study into Social networking

2008-04-04T10:28:00.002+01:00

Having returned from a 2-day conference, Surveillance and Society, held at University of Sheffield (more to follow at a later stage), there has been a recent study published by Ofcom on Social networking. Some of the results stems from attitudes to social networking websites (no surprises about the likely usergroups):

Social networkers differ in their attitudes to social networking sites and in their behaviour while using them. Ofcom’s qualitative research indicates that site users tend to fall into five distinct groups based on their behaviours and attitudes. These are as follows:

Alpha Socialisers (a minority) – people who used sites in intense short bursts to flirt, meet new people, and be entertained.
Attention Seekers – (some) people who craved attention and comments from others, often by posting photos and customising their profiles.
Followers – (many) people who joined sites to keep up with what their peers were doing.
Faithfuls – (many) people who typically used social networking sites to rekindle old friendships, often from school or university.
Functionals – (a minority) people who tended to be single-minded in using sites for a particular purpose.

Non-users of social networking sites also fall into distinct groups

Non-users also appear to fall into distinct groups; these groups are based on their reasons for not using social networking sites:

Concerned about safety – people concerned about safety online, in particular making personal details available online.
Technically inexperienced – people who lack confidence in using the internet and computers.
Intellectual rejecters – people who have no interest in social networking sites and see them as a waste of time.

Although privacy was not given a high priority, some of the reasons that Ofcom has identified:

a lack of awareness of the issues;
an assumption that privacy and safety issues have been taken care of by the sites themselves;
low levels of confidence among users in their ability to manipulate privacy settings;
information on privacy and safety being hard to find on sites;
a feeling among younger users that they are invincible;
a perception that social networking sites are less dangerous than other online activities, such as internet banking; and, for some,
having consciously evaluated the risks, making the decision that they could be managed.

Whilst one is not wholly convinced about the lack of awareness, given that the ICO has published guidelines on the use of social networking, the use certainly has become more mainstream.

See:

Ofcom: Engaging with social networking sites

CFP on Consumer Privacy

2008-03-25T11:21:00.003Z

CFP for this special issue, Journal of Consumer Affairs:

"Journal of Consumer Affairs Call for Papers on Privacy

The Journal of Consumer Affairs plans a special issue on Privacy Literacy -- How Consumers Understand and Protect Their Privacy. Here is the Call for Papers:

Special Issue Guest Editors

Jeff Langenderfer Anthony Miyazaki
Meredith College Florida International University

Consumers increasingly confront a wide array of privacy-related information and are called upon to make decisions impacting their privacy in a growing number of arenas and contexts. Existing research suggests that many consumers do not understand the decisions they are forced to make nor the impact of those decisions. For this special issue of the Journal of Consumer Affairs, manuscripts are being solicited devoted to the effects of privacy literacy on consumer welfare. The goal of this special issue is to extend our theoretical and practical knowledge of how consumers obtain, process, and use information and mechanisms that relate to their privacy. We seek contributions from multiple disciplines including communications, consumer education, economics, finance, law, public policy, psychology and marketing. Authors may submit empirical studies or conceptual work. Papers that are theoretically grounded and also contain significant implications for consumer welfare are especially appropriate.

Topics that would be appropriate for this special issue include, but are not limited to:

Consumer understanding of privacy and privacy-related information
The interplay between privacy knowledge and consumer behavior
Cost assessments for the surrender of personal information
Tradeoffs between the surrender of private information and online access
Deceptive or covert practices in information exchange
Measurement and assessment of privacy literacy
Legal and regulatory issues in privacy
How consumers respond to solicitations for private information
Consumer understanding of privacy certifications, trustmarks, and seals of approval
Methods to improve privacy literacy
The privacy literacy of vulnerable consumers (e.g., children, low-income, etc.)
Relationships between desire-for-privacy, privacy concern, trust, and privacy knowledge
Disclosure versus practice regarding privacy-related behaviors
Consumer awareness regarding seller use of private information
Consumer understanding of medical and financial privacy practices and disclosures

Submission Information

Manuscripts are due by June 1, 2008. Please follow the submission guidelines for The Journal of Consumer Affairs as detailed under "JCA Author Guidelines" on the Blackwell Publishing web site (http://www.blackwellpublishing.com/submit.asp?ref=0022-0078&site=1). Authors wishing to submit a manuscript should send two (2) electronic copies of their manuscript (one with the full title page and one copy cleaned of all information that identifies the authors) to the special issue co-editor."

RFIDs

2008-03-21T18:15:00.001Z

Excerpt (courtesy of surveillance mailing list):

"http://www.rfidjournal.com/article/articleview/3981/1/1/

RFID JOURNAL : THE WORLD'S RFID AUTHORITY

THE WORLD'S RFID AUTHORITY

Companies, Agencies Use Clandestine RFID Systems to Catch Thieves

The NOX system includes RFID readers embedded in walls, surveillance cameras and—in some cases—luminescent dust to track the movement of personnel and assets.

By Claire Swedberg

March 20, 2008—A handful of government agencies and private companies such as electronics suppliers are employing a clandestine RFID system known as NOX that allows them to use RFID interrogators hidden in walls, in conjunction with video surveillance and, in some cases, luminescent dust, to thwart theft or other unauthorized activities within their facilities.

The NOX system is the creation of SimplyRFID, a company based in Warrenton, Va. Founded in 2002 by its president, Carl Brown, SimplyRFID has developed RFID solutions for a number of clients, including Stamps.com, UPS, FedEx, the U.S. Postal Service and Target, and its Pro-Tags product line is aimed at suppliers to the U.S. Department of Defense (DOD). During the past few years, Brown says, the company has moved into the clandestine market, following government interest in the use of RFID to prevent theft, or to monitor the movements of personnel wearing RFID-tagged badges.

Because of its location near Washington, D.C., SimplyRFID attracted the attention of several government agencies, including the FBI, which visited the company's office to purchase RFID readers and tags, but brought the hardware back to their location and installed the equipment themselves. "What we found was that they were happy to have any technology that would help them [with security]," Brown says. So the company began developing a more comprehensive security solution that included RFID with video surveillance and, in some cases, "optically charged" dust that could be tracked with cameras.

The NOX system uses RFID readers that can be embedded in walls, as well as surveillance cameras that can be hidden if so desired by a user. The system integrates the two functions to enable users to track theft or other undesirable behavior on their property. By linking RFID tracking with video footage, Brown says, users can not only know which items might be missing by tracking the locations of their assets, they can also link to video footage to determine what has occurred.

"The big problem in selling RFID is that it is not always a solution by itself," Brown states. Instead, he adds, RFID offers part of a security solution by helping users track activity without requiring them to watch it around the clock. But in conjunction with video surveillance, he says, users have information about activities that have occurred—such as which items were moved, as well as where and at what time—reinforced by a visual image of what transpired.

Brown likens RFID technology to a fence, which still has vulnerabilities. People can find ways around that fence, he explains, by not wearing their badge, by wearing someone else's badge or by tampering with an RFID sticker. Such vulnerabilities make video surveillance and optical dust a strong addition to RFID. The optically charged dust consists of microporous fibers that glow when exposed to low-power laser light. This luminescence is not visible to the human eye but can be detected by a video camera. The dust is scattered in areas where there is a risk of unauthorized activity, or where entry is generally forbidden.

A camera can be programmed to watch for any dust that a person might inadvertently pick by walking through an unauthorized area. When that individual passes in front of the camera, it detects the glow as the dust is illuminated by a laser and triggers an alarm. According to Brown, this system provides perimeter security from trespassers or wild animals that might enter a secured property.

Following interest from government agencies, SimplyRFID began providing its solution to the private sector, with clients (all of which wished to be unnamed for this article) located in such states as California, Texas and Florida. The systems allow them to track their employees, as well as high-value assets that, in many cases, pass through their facilities in large quantities and can end up missing.

One common practice for thieves, Brown says, is to load extra items—such as TVs or computers—onto a shipment, or to take assets to the recycling or trash area, where they can then be removed by another party. In some instances, these thefts can occur in extremely high volume, Brown says, adding that companies have had entire trailers loaded with assets disappear. Most firms, he notes, aren't interested in prosecuting, as much as in putting an end to the thievery. "The just want to find out who's doing it and stop it," he says

By placing tags on assets, as well as on personnel badges and such items as garbage cans, companies can track what is moving, and where. The cameras, Brown says, record all activity in their area and are generally used for forensic purposes. If items are determined to have been shipped when they were not ordered, and if that occurred repeatedly with one specific employee, a company can view video footage at the time of the occurrences to see what happened.

Brown says SimplyRFID uses RFID interrogators from Thing Magic and Motorola, among other vendors. A reader is typically installed in a wall at night, or during off-hours, and is connected via an Ethernet cable to a Dell computer server so the data can be reviewed by the company's security personnel.

Companies often install four or five clandestine readers, and about the same number of cameras, at sites where items have disappeared. In other cases, companies arm every doorway and dock door with an RFID interrogator and tag every item inside. Of the private customers for which NOX has been available since 2007, Brown says, "We have three in full deployment and nine others in pilot phases. We are adding about one new install per month."

The companies use the RFID readers to capture ID numbers and send that data to a Dell computer server capable of managing up to 100 interrogators. NOX software allows integration of RFID tag data and video imagery—also stored on the server—so that an image from the time and place of a specific RFID tag read can be automatically displayed on a computer screen, along with the name and ID numbers of the tagged assets and employees wearing RFID-enabled badges.

Most cameras are supplied by Axis Communications, Brown says. The NOX system uses Avery Dennison EPC Gen 2 UHF tags.

The cost for a NOX deployment can be around $40,000 for four or five readers, cameras and software. For larger deployments with more than 30 antennas and 15 cameras, Brown says, the cost averages $100,000 to $150,000. SimplyRFID also offers installation services, he adds, though users often do some of the work themselves, such as installing the cables connecting the interrogators, cameras and server. Other end users, including government agencies, prefer to handle installation entirely on their own."

ICO's Survey

2008-03-20T12:20:00.003Z

According to the ICO's latest commissioned survey, eight out of ten now take greater care in the way they look after their personal information. The survey shows that eighty eight per cent have started to check their regular bank statements and 85% now refuse to give their personal details. However, it also identified that:

"Fifty three per cent say we no longer have confidence in the way organisations such as banks, local authorities and government departments handle our personal information."

The ICO has produced a short checklist on data protection rights: Here it is:

• An organisation should tell you what it is going to do with your information before you provide any details unless this is obvious.

• Your information should only be used for the reason it was collected in the first place (unless you give your consent to your information being used in other ways).

• An organisation should not collect any information which is unnecessary. You only need to provide the basic information which is required to deliver the service required.

• Your information should be kept accurate and up to date – if you ask any organisation to make changes to your details, it should do this.

• An organisation should not keep your details if they are no longer needed.

• An organisation must provide you with copies of all information held on you - if you ask. You can also ask an organisation to stop using your personal information if it is causing you damage or distress or if you wish to stop it being used for marketing purposes.

• An organisation must keep your personal information secure at all times.

• An organisation should not transfer your personal details to another country unless adequate data protection arrangements are in place.

Report by Parliamentary Committee

2008-03-18T14:06:00.002Z

The Joint Committee on Human Rights has published its recent report on data protection and human rights (also mentioned in Out-Law news). Main conclusions to be drawn from the report:

"Conclusions and recommendations

1. We agree that data sharing is not, in human rights terms, objectionable in itself. Indeed, the sharing of personal data may sometimes be positively required in order to discharge the State's duty to take steps to protect certain human rights, such as the right to life, and it is also in principle capable of being justified by sufficiently weighty public interest considerations. However, the sharing of personal data will inevitably raise human rights concerns, and the more sensitive the information the stronger those concerns will be. Government must show that any proposal for data sharing is both justifiable and proportionate, and that appropriate safeguards are in place to ensure that personal data is not disclosed arbitrarily but only in circumstances where it is proportionate to do so. (Paragraph 14)

2. We fundamentally disagree with the Government's approach to data sharing legislation, which is to include very broad enabling provisions in primary legislation and to leave the data protection safeguards to be set out later in secondary legislation. Where there is a demonstrable need to legislate to permit data sharing between public sector bodies, or between public and private sector bodies, the Government's intentions should be set out clearly in primary legislation. This would enable Parliament to scrutinise the Government's proposals more effectively and, bearing in mind that secondary legislation cannot usually be amended, would increase the opportunity for Parliament to hold the executive to account. (Paragraph 20)

3. The attention paid to human rights, outside of the legal department, is likely to be very scant if the concept is regarded solely in terms of compliance with the Human Rights Act. In our view, the same is true of data protection and the Data Protection Act. Setting out the purposes of data sharing and the limitations on data sharing powers in primary legislation would give a clear indication to the staff utilising such powers of the significance of data protection. (Paragraph 21)

4. Having heard the Minister's comments, we are concerned that the role of data protection minister is far too limited, being related exclusively to the maintenance of the legislative framework for data protection. It is clearly sensible to require Government departments to take responsibility themselves for abiding by the Data Protection Act, but we would expect there to be a degree of inter-departmental co-ordination to share best practice and help deal with the fall-out from significant breaches of data protection by departments. We heard no evidence that any co-ordinating activity of this sort is currently carried out: if it is, then the data protection minister is not involved. (Paragraph 25)

5. We recommend that the role of data protection minister should be enhanced. In addition to overseeing the data protection legislation, the data protection minister should have a high-profile role within Government, championing best practice in data protection and ensuring that lessons are learnt from breaches of data protection. (Paragraph 26)

6. Recent breaches in data protection appear mostly to have resulted from human error and procedural lapses rather than technological problems. However, it would be wrong to see these errors and lapses as unfortunate "one-off" events. In our view they are symptomatic of the Government's persistent failure to take data protection safeguards sufficiently seriously by defining data sharing powers more tightly in primary legislation and including detailed safeguards against arbitrary or unjustified disclosure. The rapid increase in the amount of data sharing has not been accompanied by a sufficiently strong commitment to the need for safeguards. The fundamental problem is a cultural one: there is insufficient respect for the right to respect for personal data in the public sector. (Paragraph 27)

7. We are surprised, and disappointed, to find that senior public officials need to be reminded of the main principles of the Data Protection Act. (Paragraph 28)

8. It is clear to us from a great deal of our work, and in particular recently our inquiries into human rights of older people in healthcare and adults with learning disabilities, as well as from this inquiry, that human rights are far from being a mainstream consideration in Government departments. The Minister has identified the cultural barrier to ensuring that personal data is adequately protected by the staff who handle it, but much more needs to be done to tackle this problem successfully. We have so far seen no evidence that the human rights champions in departments have made any impact, particularly in relation to front line staff. We will continue to scrutinise their work carefully. (Paragraph 34)

9. We await the outcomes of the various reviews of data protection with interest. We expect the Government to keep us informed about its proposals for reform in this area. We recommend that, in its responses to the reviews, the Government should acknowledge the close connection between data protection and human rights; and explain how it proposes to ensure that a culture of respect for personal data is fostered throughout Government. (Paragraph 35)

10. We see the Information Commissioner as an important defender of human rights in relation to data protection and freedom of information. His office should be regarded as an important part of the national human rights machinery. We support proposals to enhance the Commissioner's powers and the resources at his disposal to ensure that he can discharge his responsibilities more effectively.(Paragraph 39)

11. We support initiatives to ensure that data protection issues are dealt with at an early stage in the planning of Government projects, including legislative proposals. We intend to scrutinise how privacy impact assessments are used in practice. (Paragraph 40)

12. Recent breaches in data protection by Government departments do not encourage us to feel confident about the security of data collected as part of the National Identity Register project. We intend to take a close interest in the Government's detailed proposals for the National Identity Register as and when they emerge. (Paragraph 47)

13. We regret that it has taken the loss of personal data affecting 25 million people - a "train crash", in the words of the Information Commissioner - for the Government to take data protection seriously. Data protection is a human rights issue and should not be treated as a fringe concern, a matter for rarely-consulted policy documents and procedures which are all too easily ignored. The recent data protection breaches have revealed the complacency of the Government's repeated refusal to accept our recommendations that more detailed limits and safeguards be included in Government bills which authorise the sharing of personal data. The problem is symptomatic of a deeper problem to which we have drawn attention in recent reports and on which we recently commented in our annual Report on our work for 2007: the failure to root human rights in the mainstream of departmental decision-making. (Paragraph 49)

14. We note that the Government has launched a number of reviews of data protection legislation and practice. Once those reviews have been completed, we expect the Government to take action to foster a positive culture for the protection of personal data by public sector bodies. This will enable the Government to reap the benefits of data sharing, where it is considered desirable, without calling into question the right of ordinary people for respect for their personal lives. (Paragraph 50)"

Another petition - this time on Phorm and ISPs

2008-03-17T13:08:00.002Z

On the same theme about petitions, here is another one which has over 5,000 signatures:

"We petition the Prime Minister to investigate the Phorm technology and if found to breach UK or European privacy laws then ban all ISP's from adopting it's use. Additionally the privacy laws should be reviewed to cover any future technologies such as Phorm. The UK's three largest ISP's, Virgin Media, BT and TalkTalk are all in talks with a view to introducing the Phorm technology. This would result in the browsing habits of the majority of the UK population being sold to a third party for advertising purposes. The opt out system for this technology is vague and unproven, even when opting out your every move on the Internet might be recorded. Surely this must be a breach of privacy laws, if not then the privacy laws need to be changed to cover such invasive technology."

This sounds more like clickstream data under the breadth of the definition of "personal data" under the Data Protection Directive 95/46/EC and the recent opinion by the Art. 29 Working Party seems to cover this.

Further details can be found here.

See also:

Web Creator rejects net tracking

Response from the petition on data security breaches

2008-03-17T13:05:00.003Z

Here is the response from the petition on notification about data security breaches:

"The Government acknowledges public concerns over recent losses of personal data in both the public and private sectors. Although the Data Protection Act 1998 (DPA 1998) does not currently require data controllers to report breaches of security which result in the loss, release or corruption of personal data, data controllers have a statutory responsibility to ensure appropriate and proportionate security of the personal data they hold. This is reflected in the 7th Principle of the DPA 1998. In October 2007, the Prime Minister asked Richard Thomas, the Information Commissioner and Dr Mark Walport, Director of the Wellcome Trust, to undertake an independent review into the way personal information is shared and protected in the public and private sectors. The review is going to consider whether there should be any changes to the way the DPA operates in the UK and the options for implementing any such changes. The review will include recommendations on the powers and sanctions available to the regulator and courts in the legislation governing data sharing and data protection. It will also make recommendations about how data sharing policy should be developed in a way that ensures proper transparency, scrutiny and accountability. The Government awaits the outcome of the review with interest and will consider any recommendation that calls for legislative changes relating to breach notifications. In the meantime, we understand that the Office of the Information Commissioner plans to publish helpful guidance to all data controllers on breach management and notification. The Prime Minister has also asked Sir Gus O'Donnell, the Cabinet Secretary, with advice from the Government's security experts, to work with Departments to ensure that all Departments and agencies check their procedures for the storage and use of data. A full report will be published in Spring 2008."

Some more cases

2008-03-10T21:34:00.004Z

Some cases which is likely to take some time before we hear the ECJ's ruling:

1) C-553/07 Reference for a preliminary ruling - Raad van State (Netherlands) lodged on 12 December 2007 - College van burgemeester en wethouders van Rotterdam v M.E.E. Rijkeboer: The question that has been referred to the ECJ under Art. 234 is as follows:

"Is the restriction, provided for in the Netherlands Law on local-authority personal records, on the communication of data to one year prior to the relevant request compatible with Article 12(a) of Directive 95/46/EC ¹ of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, whether or not read in conjunction with Article 6(1)(e) of that directive and the principle of proportionality?"

2) C-518/07 Commission of the European Communities v Federal Republic of Germany:

This is more to do with the independence of the supervisory authorities (Data Protection Authorities) and whether Art. 28.1 of the Data Protection Directive has been incorrectly transposed re: the complete independence of the supervisory authorities.

"Forms of order sought: Declare that the Federal Republic of Germany has failed to fulfil its obligations under the second sentence of Article 28(1) of Directive 95/46/EC¹, by making the supervisory authorities responsible for the monitoring of data processing within the private sector in the Länder Baden-Württemberg, Bayern, Berlin, Brandenburg, Bremen, Hamburg, Hessen, Mecklenburg-Vorpommern, Niedersachsen, Nordrhein-Westfalen, Rheinland-Pfalz, Saarland, Sachsen, Sachsen-Anhalt, Schleswig-Holstein and Thüringen subject to State supervision and thereby incorrectly transposing the requirement of 'complete independence' of the data protection supervisory authorities;

Pleas in law and argument:

The second sentence of Article 28(1) of Directive 95/46/EC of the European Parliament and of the Council puts Member States under an obligation to make 'one or more public authorities' responsible for monitoring 'the application ... of the provisions adopted by the Member States pursuant to this Directive', that is to say, of provisions on data protection. The second sentence of Article 28(1) of the directive requires the 'complete independence' of the supervisory authorities responsible. By virtue of its wording, the provision provides that the supervisory authorities are not to be subject to influence from other authorities or from outside of the State administration; the rules of the Member States must therefore preclude external influence from being exercised on the decisions of the supervisory authorities and on the implementation thereof. The wording 'complete' independence implies not only that there should be no dependence on any party, but also that there should be no dependence in any respect whatsoever.

It is thus incompatible with the second sentence of Article 28(1) of the directive to make the supervisory authorities which are responsible for the monitoring of data processing in the private sector subject to technical, legal or administrative supervision by the State, as has occurred in all 16 Länder of the Federal Republic of Germany. As the legislation of every Land makes the supervisory authority subject to those three types of supervision in varying combinations, the legislation of every Land constitutes a failure by the Federal Republic of Germany to fulfil the obligation in the second sentence of Article 28(1) of the directive to ensure the 'complete independence' of the supervisory authorities. Irrespective of the differences between legal, technical and administrative supervision, all these types of supervision constitute an infringement of the independence required by the directive.

From a teleological point of view, the Community legislature regarded complete independence as necessary so that the functions which the supervisory authority was intended to have under Article 28 of the Directive could be carried out effectively. Furthermore, light is also shed on the concept of 'complete independence' by the legislative background to the provision. The requirement of 'complete independence' of the supervisory authorities of the Member States also fits in systematically with the Community acquis existing in the area of data protection law. In addition, Article 8 of the Charter of Fundamental Rights of the European Union requires that compliance with the rules on the protection of personal data must be 'subject to control by an independent authority'.

The concept of relative independence advocated by the Federal Republic of Germany, that is to say, the independence of the supervisory authority only from that which is being supervised, cannot in any event be brought into conformity with the unambiguous, comprehensive wording of the directive, which requires 'complete' independence. In addition, on that interpretation, the second sentence of Article 28(1) would be completely meaningless. Furthermore, the argument that Article 95 EC, as the relevant legal basis for the directive, and the principles of subsidiarity and proportionality suggest a restrictive interpretation of the requirement of 'complete independence' must be rejected. The Court has already held that the directive was adopted in accordance with the areas of competence of the European Parliament and of the Council and that a restrictive interpretation of its provisions in non-economic situations is out of the question. Furthermore, the provision which is at issue does not exceed the limits of that which is necessary to achieve the objectives which the directive, in accordance with Article 95 EC and the principle of subsidiarity, pursues."

3) Case C-557/07 - LSG-Gesellschaft zur Wahrnehmung von Leistungsschutzrechten GmbH v Tele2 Telecommunication GmbH - Art. 234 preliminary ruling on the following questions:

- Is the term 'intermediary' in Article 5(1)(a) and Article 8(3) of Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society ¹ to be interpreted as including an access provider who merely provides a user with access to the network by allocating him a dynamic IP address but does not himself provide him with any services such as e-mail, FTP or file-sharing services and does not exercise any control, either in law or in fact, over the services which the user makes use of?

If the first question is answered in the affirmative:

-Is Article 8(3) of Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights, ² having regard to Article 6 and Article 15 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector, to be interpreted (restrictively) as not permitting the disclosure of personal traffic data to private third parties for the purpose of civil proceedings for alleged infringements of exclusive rights protected by copyright (rights of exploitation and use)?" (NB. the recent ECJ's decision in C-275/06 Productores de Música de España (Promusicae) v Telefónica de España SAU).

Social Networks and Newspapers: drawing the boundaries?

2008-03-01T11:56:00.008Z

Came across this recent Beeb press release concerning the use of information obtained from social network websites by newspapers including images and texts from Bebo, MySpace and Facebook:

P rivate data, public interest? (29th February 2008):

The use of material taken from personal profiles on social networks by newspapers is to be the subject of a major consultation undertaken by industry watchdog the Press Complaints Commission (PCC).

This comes in the wake of increasingly numbers of newspaper stories that include images and text taken from sites like Bebo, MySpace and Facebook.

But the subjects of press reports are not always happy with the use of content they have uploaded.

Tim Toulmin, director of the PCC, in an interview with BBC Radio 4 says the organisation was getting complaints from people about material, "that is being republished when they themselves are the subject of news stories".

Mr Toulmin says it would be useful to establish principles to guide the press in their use of social network content.

"It's down to the PCC to set the boundaries in a common sense way about what sort of information it is acceptable to re-publish," he says.

To that end the PCC has commissioned research by Ipsos MORI into public attitudes.

The newspaper watchdog wants to discover if people are aware that material they upload could be used in newspaper reports.

It also wants to discover if people would change their behaviour if they knew that information about them could be published in the media.

No doubt, this would need to be assessed in the light of the UK Data Protection Act 1998 and whether the data protection principles is adhered to (just to recap):

"Data Protection Principles

1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4 Personal data shall be accurate and, where necessary, kept up to date.

5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6 Personal data shall be processed in accordance with the rights of data subjects under this Act.

7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data."

The first data protection principle, whether processing by newspapers constitutes "fair" and "lawful" processing before users' profiles are obtained. What procedures are in place to ensure that personal profiles obtained by newspapers will not be used for any other purpose?"

A second point to consider is whether the processing would be exempt under s 32 of the Data Protection Act 1998, which provides that:

"(1) Personal data which are processed only for the special purposes are exempt from any provision to which this subsection relates if—

(a) the processing is undertaken with a view to the publication by any person of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision is incompatible with the special purposes."

Special purposes is defined under s 3 of the UK Data Protection Act 1998 as the "processing for the purposes of:

(a) the purposes of journalism,

(b) artistic purposes, and

Whilst users on websites such as Facebook, MySpace and Bebo should not expect that information they post, is necessarily private, the ICO's guidelines does warn about the types of personal information given on such social networking websites. A general question that is often asked is how do you guarantee that information of users are not obtained out of context? Views welcome.

Another landmark case on privacy!

2008-02-29T16:30:00.005Z

An important case (via Bendrath): implications still yet to be explored:

"The Court published on 27 February 2008 a landmark ruling about the constitutionality of secret online searches of computers by government agencies. The decision constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as derived from the German Constitution.

The journalist and privacy activist Bettina Winsemann, the politician Fabian Brettel (Left Party), the lawyer and former federal minister for the interior Gerhart Baum (Liberal Party), and the lawyers Julius Reiter and Peter Schantz had challenged the constitutionality of a December 2006 amendmend to the law about the domestic intelligence service of the federal state of North-Rhine Westphalia. The amendmend had introduced a right for the intelligence service to "covertly observe and otherwise reconnoitre the Internet, especially the covert participation in its communication devices and the search for these, as well as the clandestine access to information-technological systems among others by technical means" (paragraph 5, number 11). Parts of the challenges also addressed other amendmends which are not covered here.

The decision of today is widely considered a landmark ruling, because it constitutes a new "basic right to the confidentiality and integrity of information-technological systems" as part of the general personality rights in the German constitution. The reasoning goes: "From the relevance of the use of information-technological systems for the expression of personality (Persönlichkeitsentfaltung) and from the dangers for personality that are connected to this use follows a need for protection that is significant for basic rights. The individual is depending upon the state respecting the justifiable expectations for the integrity and confidentiality of such systems with a view to the unrestricted expression of personality." (margin number 181). The decision complements earlier landmark privacy rulings by the Constitutional Court that had introduced the "right to informational self-determination" (1983) and the right to the "absolute protection of the core area of the private conduct of life" (2004)."

Petition on Data Security Breaches

2007-12-18T20:41:00.000Z

Came across this petition:

"We the undersigned petition the Prime Minister to require all organisations notify customers immediately of any personal data security breaches. "

"The UK Government waited more than 10 days before telling Parliament and the Public it has accidentally lost sensitive personal details of 25 million individuals.

Under current US laws, the Government would have had to notify immediately.

The petition calls on the Prime Minister to place a legal duty on public and private sector organisations, so that affected customers are informed immediately if the security of their personal data has been compromised.

Individuals have a right to know straight away when this has occurred to protect against identify theft.

Mandatory notification would make organisations more careful and more accountable for the use of personal information."

See:

Data Security Lapse

2007-12-17T19:01:00.000Z

According to the latest press releases, it appears that 3 million L-driver details for the driving theory test have gone missing:

"The details of three million candidates for the driving theory test have gone missing, Ruth Kelly has told MPs.

Names, addresses and phone numbers - but not financial data - were among details on a computer hard drive which went missing in the US in May.
It belonged to a contractor working for the Driving Standards Agency, the transport secretary told MPs.
It is the latest in a series of data losses since discs with 25m people's details on were lost by HM Revenue.
Ms Kelly said the details of learner drivers had been formatted specifically for the contractor, Pearson Driving Assessments Ltd, and was not readily accessible or usable by third parties.
Risks 'not substantial'
She said the details were not sent in the post - but the hard drive had not been found where it had been expected to be, in the "security facility" in Iowa.
She said the Information Commissioner had judged the risks presented by the loss were not "substantial" as the details did not include bank account details, National Insurance numbers, driving licence numbers or dates of birth.
But she apologised for anyone for any "uncertainty or concern" caused to anyone whose details might have been included - who took a driving theory test between September 2004 and April 2007...
However her Tory shadow Theresa Villiers said the government was failing in its duty to obey its own laws on data security and said it was further evidence of a "systemic failure" by the government in handling people's private data."

Source: BBC Millions of L-Driver Details Lost

The scale of the data lost is unfathomable - again, the Data Protection Act 1998 is clear, under the 7th data protection principle that:

"Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data."

This is further elaborated under Part 2 of Sch. 1 of the Data Protection Act 1998:

Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and

(b) the nature of the data to be protected.

10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.

11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—

(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and

(b) take reasonable steps to ensure compliance with those measures.

12 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller is not to be regarded as complying with the seventh principle unless—

(a) the processing is carried out under a contract—

(i) which is made or evidenced in writing, and

(ii) under which the data processor is to act only on instructions from the data controller, and

(b) the contract requires the data processor to comply with obligations equivalent to those imposed on a data controller by the seventh principle.

Rights of those affected - The Data Protection Act 1998 (DPA) is clear to provide rights to data subjects affected by breaches under the DPA 1998.

s 10 of the DPA 1998 Right to prevent processing likely to cause damage or distress AND

s 13 of the DPA 1998 Compensation for failure to comply with certain requirements

For more information on this, visit the UK ICO's website. More powers for the ICO including a new criminal offence for knowingly or recklessly flouting data protection principles has been called for, so one awaits to see whether we will see a strengthening of the Data Protection Act 1998!

See also:

Data Protection Developments Updates

2007-12-13T15:02:00.001Z

Some latest developments on data protection:

The ICO called for a review of the data protection laws including a need for a data security breach notification, criminal sanctions and audit power. The transcript (uncorrected at present) is available here.

According to the latest press release, the ICO is currently investigating Facebook, following a complaint that one user could not delete his account. "Facebook does allow people to 'deactivate' their accounts. This means that most of their information becomes invisible to other viewers, but it remains on Facebook's servers - indefinitely." The data protection principles under the UK Data Protection Act 1998 is fairly clear that "personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes" (5th data protection principle). It seems slightly odd that a user on FB account, who wishes to remove their profile from FB could not have their personal data deleted. One awaits to see what developments arise on this front. See also an interesting article on the social implications arising from the use of FB here.

UK ICO calls for Privacy Impact Assessments (pdf)- see their press release here.

Adequate level of data protection in Jersey and the Faroe Islands: "The Working Party adopted two Opinions, on the adequate level of data protection in both Jersey and the Faroe Islands, which will enable the Commission to take further steps towards a Commission decision on adequacy. In the past the Commission has adopted adequacy decisions on such countries as Switzerland and Argentina after receiving the advice of the Art. 29 Working Party. The Commission decision makes the transfer of personal data to such countries much easier than to third countries in relation to which such a decision has not been adopted." (Art. 29 Working Party Press Release, October 2007).

Update: Headed by Richard Thomas and Dr Mark Walport, there is consultation on the use and sharing of personal information in the public and private sectors as part of their independent Data Sharing Review. The closing date is 15 February 2008. Further details of the consultation can be found here.

Highlights of the LSPI Conference 2007

2007-12-10T14:46:00.000Z

Having been absent for a week in Beijing to attend the LSPI Conference, there was the opportunity to visit the various "touristy" places including the Forbidden City and the Summer Palace.

As for the conference, this was held at the Communications University, Beijing. The theme centred on "Cyberlaw, Security and Privacy". There were some very interesting papers given including (not exhaustive):

Aristocracy and Internet Governance by Dr. Konstantinos Komaitis

The European proposal concerning the structure of the Internet has offered a more international and rounded approach to the debate surrounding Internet Governance. Encouraging the formation of ‘alliances’ by a certain number of governments, who wish to proceed to specific policy decisions, ‘enhanced cooperation’ is viewed as the viable solution that would potentially remove the control of the Internet outside the United States Government. However, can ‘enhanced cooperation’ meet the democratic mandate of how the Internet should be governed?

With its future still undetermined, even within the confines of the European Union, ‘enhanced cooperation’ could work as the catalyst for either the unification or the segregation of the medium. The current structure of the Internet does not encourage the creation of a ‘Constitution’, due to its domination by a specific segment of governments and private entities. Due to this state of affairs, the setting of basic principles and policies with the active participation of all interested parties – Governments, the Private Sector, Civil Society and the International Corporation for Assigned and Numbers (ICANN,) is vital. Otherwise, if not used appropriately, ‘enhanced cooperation’ can “support” coalitions of specific groups, leaving outside actors, whose role is significant.

This proposal’s starting point is the notion that, before we proceed in any governance of the Internet, first we need to identify the principles that we need to secure and, based on that premise, shape the boundaries and effects of the European proposal. Otherwise ‘enhanced coopeartion’ or any other proposal for that matter will have a detrimental effect and might even cause more problems than solutions.

Legal and Ethical Implications of GPS vulnerabilities by Muhammad Usman Iqbal and Samsung Lim, University of New South Wales (UNSW), Australia.

"The Global Positioning System (GPS) has slowly permeated into the civilian community and has become an essential accessory for the modern individual. Various commercial applications heavily rely on GPS technology. GPS has also started receiving attention in court cases, where it has been admissible as evidence leading to convictions or proving innocence. However, GPS is a radio-navigation system and is prone to vulnerabilities that may be introduced intentionally or unintentionally. The legal literature has not debated the possibility of human alteration of GPS data in judicial reasoning which raises the prospect of forged GPS data being presented to courts by individuals who have the motive and the technical knowledge to do so. By exposing the weaknesses present, this paper aims to draw the attention of the legal fraternity to these issues which may put the legal system in a dilemma as over-reliance on GPS technology may produce disastrous results, especially when innocence or guilt largely depends on GPS evidence."

An overview of information society law in the European Union by Paul Przemyslaw Polanski, University of Warsaw.

"The EU has developed a comprehensive framework for Information Society law that spans various areas ranging from a liberal regulation of e-commerce to a stringent legislation in the area of copyrights in the Information Society. This article discusses the evolution of the EU approach to the regulation of e-commerce in the Single Market and demonstrates the most important aspects of the current regulations relevant to this area."

The Enhancement of Transparency in Internet Governance by Dr. Rolf Weber

In Internet governance transparency issues merit more extensive consideration: The Internet offers valuable opportunities for transparent communication and for the achievement of open access to discussion topics, thereby enhancing communication and dialogue between the governance-related institutions and the interested parties concerned. Transparency could also promote the mobilisation of new actors and the participation of the civil society; such development would increase the level of democratic legitimization through active involvement. ICANN has recognized the need to improve the transparency framework with its structures; the ongoing attempts should be strengthened by scholar research supporting the effort of the ICANN bodies in the present consultation phase. Since a transparent methodology for rule-making processes based on revisable procedures reduces mistrust, transparency should become a persistent objective of governance mechanisms.

Privacy protection and the right to information: in search of a new symbiosis in the information age by Pieter Kleve and (Richard) V. De Mulder. Erasmus University of law.

The dichotomy between personal privacy and free access to information, which has come increasingly to the fore with the advance of information technology, justifies a reconsideration of these traditional values and interests. In this article, it is contended that privacy, as a constitutional right, is subject to changing norms as a result of the advent of the information society. In today’s information society, citizens weigh the importance of protecting privacy against the advantages of free access to information. The criterion they use is a rational one: an evaluation of which option provides the individual with the most benefit. The protection of privacy is no longer an unconditional good. For state organisations to champion privacy at any cost is, therefore, out of step with this development. A new balance has to be established between the citizen’s right to privacy and their right to know, taking into account this shift in values. In order to prevent on the one hand overzealous protection and, on the other, the abuse of information, it is necessary to set up the monitoring function in a new way.

Although one's paper concentrated on the subject of network neutrality, a topic which has received less attention in the UK and Europe, the feedback was very useful.

I hope to follow up on the feedback received from the two panel discussions convened on social networking (with diverse opinions/perspectives given). Again, the feedback has been extremely useful - my thanks to the delegates for making this topic a lively discussion even if some of us did not manage to agree! - a topic which has been covered to a greater extent! For those interested in the privacy implications and social networking, see the Clip below as an example:

Lecture online

2007-12-09T00:21:00.000Z

Further to my previous pos t on Sir Alec Jeffrey's lecture on Genetic fingerprinting and beyond, this is now available online.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of Biology, most notably in forensic and legal medicine. This lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime."

Online advertising

2007-11-26T13:51:00.000Z

According to this latest press release, the Art. 29 Working Party is investigating behaviour targetting and ads sent to people based on their web surfing. Although it does not touch upon this directly, one has explored the extent to which clickstream data can be protected under the current Data Protection Framework, particularly in the light of the Data Protection Directive 95/46/EC - a topic worthy of some academic discussion at some point. In the meantime, the following report:

"As online advertising comes under greater scrutiny in the United States, European authorities reportedly are also preparing to take a closer look at whether some marketing techniques violate privacy.

The Article 29 Working Party, an arm of the European Union that regulates protection of consumer data, is about to embark on an investigation of behavioral targeting--or sending ads to people based on their Web-surfing history--according to Reuters.

While any rules the EU issues won't directly affect companies in the United States, some companies as a practical matter will implement changes across the board. For example, in response to separate concerns of the EU Working Party, Google recently said it would "anonymize" search logs after 18 months, making it harder to connect specific IP addresses to search queries. That change is taking effect in the United States as well as Europe, although Google didn't face similar regulatory pressure here.

The Article 29 group's move to investigate behavioral targeting comes as privacy groups and consumer advocates in the United States are urging the Federal Trade Commission and other authorities to more closely regulate such techniques. Last month, a coalition of groups proposed that the FTC create a do-not-track list for consumers who don't wish online advertising companies to monitor the Web sites they visit and then send them ads based on their presumed interests.

Earlier this month, the FTC held a two-day town hall meeting about some of the privacy issues raised by behavioral targeting. Ad industry groups like the Interactive Advertising Bureau and Online Publishers Association weighed in against a do-not-track list, arguing that many companies allow consumers to opt out of behavioral targeting. Currently, many big U.S. ad networks participate in the Network Advertising Initiative--a group that formed in 2000 in response to privacy concerns, and that requires member companies to allow consumers to opt out of behavioral targeting programs.

Online ad industry executives also argued to the FTC that behavioral targeting doesn't compromise privacy because the ad companies don't collect so-called personally identifiable information, like names or addresses.

In the last few weeks, however, new variations of online advertising that arguably affect privacy have emerged. Most famously, Facebook earlier this month launched its Beacon program, which informs users' friends about purchases made at other sites. While users can opt out of sharing that data, some people say that Facebook shouldn't publicize information about purchases unless users have affirmatively consented to the program.

Last Tuesday, advocacy group MoveOn.org started a group on Facebook to protest the Beacon program. MoveOn is calling for Facebook to make the program opt-in rather than opt-out. By Sunday evening, around 20,000 Facebook members had joined the group, "Petition: Facebook, stop invading my privacy!"

Some privacy advocates say that any new regulation of online ad techniques abroad will inevitably lead to new policies in the United States as well. "It's a global business," says Jeff Chester, executive director of the Center for Digital Democracy, adding that behavioral targeting companies aren't likely to give consumers more privacy protections in Europe than the U.S. The Center for Digital Democracy argues that companies shouldn't use behavioral targeting techniques unless consumers explicitly consent.

Not all online ad industry executives think the EU investigation will necessarily lead to new regulation. Tacoda founder Dave Morgan, now executive vice president, global advertising strategy at AOL, says he's hopeful that reviews such as the EU's "will spur the online ad industry to adopt more and stronger consumer notice regimes and will drive greater participation in self-regulatory programs like the Network Advertising Initiative."

Source: Online Media Daily

Data Protection Developments

2007-11-26T13:24:00.000Z

Given the latest press coverage over the benefits data fiasco, powers of the ICO have been increased to include spot checks. However, in a separate development, Privacy International is likely to take legal action on behalf of individuals affected by this against the government.

"More than 300 members of the public have contacted Privacy International since the revelation this week that Her Majesty’s Revenue & Customs unlawfully processed, and subsequently lost, personal details relating to around 25 million individuals. Most of these complainants have requested that PI undertakes, on their behalf, legal action against the government.

Accordingly, this organisation has over the past four days consulted a range of legal experts. The overall conclusion is that there is most likely a case that can be asserted. However, we must concede that not all lawyers are presently optimistic about a positive outcome. Nevertheless, given the unprecedented severity of this case we feel it is important to take some form of action on behalf of the many distressed and vulnerable families that have contacted us. It is even more important to assert the rights of the individual in the face of such circumstances.

We have therefore decided to pursue legal action against the government directly on behalf of the complainants and of course indirectly on behalf of all those people affected by the unlawful disclosure from HMRC. Our current intention is to pursue a claim for a general (not statute-based) breach of a duty of care on the basis of negligence.

We have been made aware that there are cases in which public authorities have been found to be very seriously at fault and where the courts seemed concerned not to impose liability where the claimant was one of a large and indeterminate class of people who might be affected by the careless conduct. The position would be different if the public authority actually created the danger itself or knew or ought to have known about the risk of harm resulting. It appears that courts are more willing to find “proximity” if a smaller group of persons is at risk than the public in general.

Three key issues remain to be resolved in the next few days.

1) We need to decide whether a specific "class" of individuals should be selected from amongst the complainants (for example, those who are in a particularly vulnerable situation). This will possibly help the issue of “proximity”.

2) We need to determine which individual or what department will be the target of the action (a named individual within the government or a section of HMRC), and,

3) We need to agree which law firm will handle the case. We are currently in discussions with potential companies.

Simon Davies, Privacy International’s Director, said:

"In seventeen years as a watchdog we have never received so many complaints over a single privacy issue. People are angry and distressed. They are deeply anxious over the potential threat to their children."

"Governments have hidden behind legal protection over negligence claims for many years. Now it is time to finally resolve the question of liability and duty of care so the citizen can enjoy a remedy against such blatant disregard for personal security."

"We believe there is a case to be heard and it is a case that can be won. However we realise we're going to face an uphill struggle winning that case, but we would be abandoning our responsibilities if we failed to take action."

For further information please contact Simon Davies on simon@privacy.org"

Source: Privacy International to pursue data breach legal action against UK Government

E-Comm Data Protection Law and Policy

2007-11-19T18:01:00.000Z

Latest issue of E-Comm Data Protection Law and Policy, November 2007 is now available (requires subscription), but see the latest table of contents:

Contents:

# DHS defends PNR programme against 'misplaced' EU criticisms

The US Department of Homeland Security (DHS) has described EU criticisms of the recent controversial 'PNR' agreement, as 'misplaced', rejecting claims of discrimination against EU citizens.

# ICO to review DPA as part of UK's Freedom of Information expansion

The Information Commissioner's Office (ICO) is to lead a review of how personal information is shared in the public and private sector, as part of UK Government plans to expand freedom of information. The review, to be published in 2008, will examine if the Data Protection Act 1998 is adequate to protect shared personal details in the information age and will be led by Information Commissioner, Richard Thomas and Professor Mark Walport, Director of medical research charity, the Wellcome Trust.

# Businesses fined $7.7m for six DNC violations

Businesses have been fined almost $7.7 million for violations of the Do Not Call (DNC) Registry in the United States, in six settlements reached by the Federal Trade Commission (FTC).

Features:

# Editorial: The security debate

The security v privacy debate is heating up. Since 9/11, this has become one of the main challenges for privacy regulators worldwide. Clearly, the need for intelligence is more fundamental than ever in crime prevention terms and legislative measures like the data retention directive are a sign of the things to come. Recent calls for US-style passenger collection and storage obligations in privacy-conscious Europe are another step in that direction and the list of similar measures is bound to grow.

# United States: Department of Homeland Security addresses critics

US privacy policies, such as the recent Passenger Name Record (PNR) agreement, have attracted fierce criticism from European privacy experts. In this article, Lauren Saadat and Shannon Ballard, Associate Directors for International Privacy Policy at the US Department of Homeland Security (DHS), argue why such criticisms are misplaced stating that DHS policies - through recognition of the fundamental principles of transparency, an individual's right to know, individual redress and effective data security - arguably provide greater privacy protections than those offered by equivalent European agencies.

# Opinion: The Future of Privacy: part 1 - 'Privacy 1.0': the need for change

As information technology continues to evolve, regulators, privacy practitioners and citizens are increasingly questioning the suitability of current privacy frameworks to allow the effective processing of personal data whilst safeguarding individual privacy. In the first part of a two-part article, Christopher Millard, Partner at Linklaters LLP, suggests that current approaches to privacy regulation are fundamentally flawed. In particular, Millard argues that most privacy legislation is incompatible with the architecture of the internet and that the imposition by EU member states of bureaucratic obstacles destroys the usability of pre-approved rules which are supposed to facilitate simplified compliance procedures1.

# Personal Data: ICO Guidance: interpretation and consistency with 'Durant'

The recent ICO guidance on the concept of 'personal data' sets out eight questions to help organisations determine if they are processing such data. Some of the questions are designed to assist organisations in determining if information 'relates' to an individual, a key issue which was considered in the recent Durant judgment, which the ICO were bound by in drafting this guidance. Renzo Marchini, Counsel at Dechert LLP's London office, assesses this part of the guidance and its consistency with the Durant judgment.

# New Zealand: Privacy Risk Register: a practical perspective

A service enabling a person's identity to be verified quickly and easily is being built for use by government services in New Zealand. Developing this service while respecting an individual's right to privacy required the continued use of a Privacy Risk Register. Carolyn Adams, project advisor for the Department of Internal Affairs Te Tari Taiwhenua, provides a practical guide explaining how this was achieved.

# United States: Federal Court: ban on NSL notification is unconstitutional

National Security Letters work as administrative subpoenas that allow the FBI to obtain customer records without obtaining a court order. Michael Vatis, a partner in the New York office of Steptoe & Johnson LLP, explains the Federal Court's decision that 'gag' orders, which prohibit electronic communications providers from telling customers that they have received an NSL, violate the First Amendment.

DNA Lecture

2007-11-19T17:21:00.000Z

There was a lecture held at NTU with Professor Sir Alec Jeffreys discussing the groundbreaking technique of DNA fingerprinting and beyond.

"DNA fingerprinting, accidentally invented in 1984, has revolutionised many areas of biology, most notably in forensic and legal medicine. Professor Jeffrey’s lecture will describe how DNA typing can be used to solve casework and will review the latest developments, including the creation of major national DNA databases that are already proving extraordinarily effective in the fight against crime. It will also discuss how this work has led to the discovery of some of the most unstable regions of human DNA, and how these can be used to study human evolution in real time and to explore the effects of environmental exposure to agents such as radiation on heritable mutations in human DNA."

We expect the a video version to be available at some point. What was interesting, when listening to his lecture was the moral and ethical dilemmas about genetic information, not simply what the DNA can reveal about individuals, but also the genetic profiles of their relatives. The subject of genetic information and privacy implications is well documented here and here. Jeffreys also touched on the subject of DNA databases. What was disconcerting was that even a minor parking offence would mean that your DNA would be taken - sounds like huge implications for privacy here.

Revisiting the Art. 29 Working Party's guidelines on genetic data, it is vitally important that the privacy of individual's DNA and what he/she is genetically pre-disposed to (whether he/she is party to the information is another matter) is preserved. Here is short extract from their concluding remarks:

"Any use of genetic data for purposes other than directly safeguarding the data subject's health and pursuing scientific research should require national rules to be implemented, in accordance with the data protection principles provided for in the Directive, and in particular the finality and proportionality principles. The application of these principles render the blanket implementation of mass genetic screening unlawful.

Furthermore, in accordance with these principles, the processing of genetic data should be authorised in the employment and insurance fields only in very exceptional cases provided for by law, so as to protect individuals from being discriminated against on the basis of their genetic profile.

In addition, the ease with which genetic material can be obtained unbeknownst to the data subject and the relevant information can be susbsequently extracted from such material, requires strict regulations in order to prevent the dangers related to new forms of "identity theft" – which would be especially dangerous in this sector and might affect fatherhood and motherhood, or even the possibility of using the material for cloning puposes. This is why, in regulating genetic data, one should not fail to consider the legal status of the DNA samples used for obtaining the information at stake. Among the issues addressed, special importance should be attached to the application of a wide range of data subjects' rights to the management of such samples, as well as to destruction and/or anonymisation of the samples after obtaining the required information.

Finally, procedures should be put in place in order to ensure that genetic data are only processed under the supervision of qualified professionals who are entitled to such processing on the basis of specific authorisations and rules.

• In Member States where the purposes and the appropriate safeguards for the processing of genetic data are not established by law, the DPAs are encouraged to play an even more active role in ensuring that the finality and proportionality principles of the Directive are fully respected.

In this respect, the Working Party recommends that Member States should consider submitting the processing of genetic data to prior checking by DPAs, in accordance with Article 20 of the Directive. This should in particular be the case with regard to the setting up and use of bio banks."

See also (not exhaustive):

Facebook, Social ads and the Data Protection Act 1998

2007-11-12T12:22:00.001Z

There has been a lot of discussion centred on the facebook social ads and the likely privacy implications arising from this:

FACEBOOK wants to put your face on advertisements for products that you like.

Mark Zuckerberg, Facebook’s founder, discussed his company’s social advertising plan with marketers in New York.

Marko Georgiev for The New York Times

Facebook.com is a social networking site that lets people accumulate “friends” and share preferences and play games with them. Each member creates a home page where he or she can post photographs, likes and dislikes and updates about their activities.

Yesterday, in a twist on word-of-mouth marketing, Facebook began selling ads that display people’s profile photos next to commercial messages that are shown to their friends about items they purchased or registered an opinion about.

Source: Story, L. Facebook is marketing your brand preferences

Question: What about the Data Protection Act 1998?

What is absent from the debate is the extent to which individuals in the UK can use the Data Protection Act 1998 to request that Facebook do not use such information without their consent:

s 11 of the Data Protection Act 1998 (on the Right to Prevent Processing for Purposes of Direct Marketing) provides that:

(1) An individual is entitled at any time by notice in writing to a data controller to require the data controller at the end of such period as is reasonable in the circumstances to cease, or not to begin, processing for the purposes of direct marketing personal data in respect of which he/she is the data subject.

(2) If the Court is satisfied, on the application of any person who has given a notice under subsection (1), that the data controller has failed to comply with the notice, the court may order him to take such steps for complying with the notice as the court thinks fit.

In other words, you are entitled to request from Facebook that your profile is not used for the purposes of the Social Ads.

What about the Data Protection Principles?

There is the question whether facebook is adhering to the second data protection principle under the UK Data Protection Act 1998 that 'personal data shall be obtained only if one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.' In other words, the user's name or image for marketing is beyond the purpose for which social networking was intended to be used. Further information can also be found on the UK ICO website.

More can be written on the application of the Data Protection Act to social networking websites, but this will have to be another article at some point. So, why wait, start complaining and exercise your data protection rights!

For more on the privacy implications arising from social networking, see also: