EDPS opinion

The EDPS has issued its opinion (pdf) on the European Commission communication regarding improved implementation of the Data Protection Directive 95/46/EC. Some of the key points (from the opinion):

"In his assessment of the communication, the EDPS will address in particular the following perspectives that are relevant in respect of these changes:

•Improvement of the implementation of the Directive itself: how to make data protection more effective? A mix of policy instruments is needed for such an improvement varying from a better communication with society to a stricter enforcement of data protection law.

•The interaction with technology: new technological developments such as developments in data sharing, RFID systems, biometrics and identity managements systems have a clear impact on the requirements for an effective legal framework for data protection. Also, the need for effective protection of the personal data of an individual can impose limitations on the use of these new technologies. Interaction is thus two-sided: the technology influences the legislation and the legislation influences the technology.

•Global privacy and jurisdiction issues, dealing with the external borders of the European Union.

Whereas the jurisdiction of the Community legislator is limited to the territory of the European Union, the external borders become less relevant for data flows. The economy depends more and more on global networks. Companies based in the European Union increasingly outsource activities, including the processing of personal data to third countries. Moreover, recent cases like SWIFT and PNR confirm that other jurisdictions show interest in 'EU-3 See point 37 of this opinion.3originating data'. In general, the physical place of a processing operation is less relevant.

•Data protection and law enforcement: recent threats to society, whether or not related to terrorism, have led to (demands for) more possibilities for law enforcement authorities to collect, store and exchange personal data. In some cases, private parties are actively involved, as recent cases show. The dividing line with the third pillar of the EU-Treaty (in which area the Directive does not apply) becomes on the one hand more important and on the other hand more fluid. There is even a risk that in certain cases, personal data will not be protected either by first pillar or by third pillar instruments (the 'legal loophole').

•The consequences, in any event for data protection and law enforcement, of the entry into force of the Reform Treaty, now foreseen for 2009."

Although the Data Protection Directive is unlikely to be altered in the short-term, the subject of effective national data protection laws and the topic on global privacy and jurisdiction issues will continue to relevant for sometime to come. I see another article at some point!

Search engines and privacy

I've been busy with trying to get a few articles written (hence the lack of blog posts lately) - however, the latest saga on search engines and privacy continues:

"Other search engines follow Google's disputed privacy lead. The internet's major search engines are following Google's lead in limiting their collection of information about web users and their searches. Microsoft, Yahoo! and Ask.com are taking action after controversial policy changes by Google. Google announced earlier this year that it would anonymise search engine logs after between 18 and 24 months, later reducing that period to 18 months. It had previously kept the link between searches and the IP address of a user indefinitely. Though it was increasing the privacy protections afforded to users, Google was criticised by data protection officials for keeping the link between searches and a user's identity for as long as 18 months. Google's competitors have now said that they will change their retention policies as well, and have called for industry consensus on the issue. Microsoft and Ask.com have together called on the search industry to create communal safeguards for user data. Microsoft and Ask.com want academics, companies and activists to jointly create guidelines on the duration for which user behaviour can be saved. They want a single, standardised approach to replace individual privacy policies. "This is all about trust," said Peter Cullen, a chief privacy strategist for Microsoft. "It's in the interest of the companies, it's in the interest of consumers."

OUT-LAW News, 25/07/2007

Search engines are unlikely to be construed as "data controllers", but it is the companies that operate these search engines. Art. 2 (d) of the Data Protection Directive 95/46/EC defines 'controller' as the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.

What will be of interest is the extent to which a user's online profile is collected from various sources (aside from the data protection requirements). There has been some criticism over privacy policies of some social networking websites, and the degree to which individuals can control their personal information. For further reading, visit EPIC and "Privacy Paradox: social networking in the US".

See also:

• FT: Web search groups to yield on privacy

Also worth reading:

• Digital anonymity and the law : tensions and dimensions / edited by C. Nicoll, J.E.J. Prins, M.J.M. van Dellen.

File-sharing and IP addresses

IPkat has posted a press release of a case, C-257/06 , Productores de Música de España v Telefónica de España SAU, whereby Advocate-General Juliane Kokott, has held that it is 'compatible with EU law for European countries to exclude communication of personal data in the context of a civil, as distinct from criminal, action.' We have yet to await the ECJ's ruling on this. In brief:

The case was brought by a Spanish music and audiovisual association after telecoms provider Telefonica refused to hand over the names and addresses of its Internet clients suspected of running illegal file sharing sites. The association, Promusicae, wanted to identify the clients, who used the file-sharing program KaZaA, so it could start taking action against them.

Even though the preliminary reference does not touch on the subject of the Data Protective 95/46/EC, there is an interesting dimension when exploring data protection online. Static IP addresses are considered by the Art. 29 Working Party (pdf) and some Data Protection Authorities as personal data.

Example No. 15: dynamic IP addresses The Working Party has considered IP addresses as data relating to an identifiable person. It has stated that "Internet access providers and managers of local area networks can, using reasonable means, identify Internet users to whom they have attributed IP addresses as they normally systematically “log” in a file the date, time, duration and dynamic IP address given to the Internet user. The same can be said about Internet Service Providers that keep a logbook on the HTTP server. In these cases there is no doubt about the fact that one can talk about personal data in the sense of Article 2 a) of the [Data Protection] Directive. Especially in those cases where the processing of IP addresses is carried out with the purpose of identifying the users of the computer (for instance, by Copyright holders in order to prosecute computer users for violation of intellectual property rights), the controller anticipates that the "means likely reasonably to be used" to identify the persons will be available e.g. through the courts appealed to (otherwise the collection of the information makes no sense), and therefore the information should be considered as personal data. A particular case would be that of some sorts of IP addresses which under certain circumstances indeed do not allow identification of the user, for various technical and organizational reasons. One example could be the IP addresses attributed to a computer in an internet café, where no identification of the customers is requested. It could be argued that the data collected on the use of computer X during a certain timeframe does not allow identification of the user with reasonable means, and therefore it is not personal data. However, it should be noted that the Internet Service Providers will most probably not know either whether the IP address in question is one allowing identification or not, and that they will process the data associated with that IP in the same way as they treat information associated with IP addresses of users that are duly registered and are identifiable. So, unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.

Source: Art. 29 Working Party 4/2007 on the Concept of Personal Data

There have been relatively few cases in the UK that touches on IP addresses and filesharing, but one interesting case study to consider the is APB's case, whereby the APB collected IP addresses to ascertain the identity of filesharers, details which I won't go into, but have read through at http://www.slyck.com/story823.html and here.

PNR Agreement

Some will be aware of the recent PNR agreement between the EU and the US. However, there is still some disquiet over by MEPs of the substance of this agreement.

The European Parliament looked into the recent agreement signed by the EU-US dministration for the transfer of air passengers' data and concluded in its resolution that the new deal still fails to offer an adequate level of data protection and it has been concluded without any involvement of parliaments from both sides, lacking democratic oversight. While recognising the difficult conditions under which the negotiations took place, MEPs regret that the EU-US agreement for the transfer of Passenger Name Records (PNR) is "substantively flawed", in particular by "open and vague definitions and multiple possibilities for exception". Even though Parliament welcomed the provision that existing data protection law for US citizens (US Privacy Act) will be extended administratively to EU citizens' data processed in America, MEPs felt there is still much more to be improved. Some of their main concerns regarding the new agreement re: USE: The handling, collection, use and storage of personal data from air passengers by US Department of Homeland Security is not founded on a legal agreement but on non-binding assurances remitted in a letter, which can be unilaterally changed.

PURPOSE: PNR transfer is not limited to fighting terrorism, it can also be used for other "unspecified additional purposes" by the US government.

SENSITIVE DATA: Information regarding ethnic origin, political opinions, sex life of the individual, etc. will be also made available and can be used by the US Homeland Security Department in exceptional cases.

ACCESS: The fields of data which can be accessed from each PNR file have been reduced from 34 to 19, but "the reduction is largely cosmetic due to the merging of data fields instead of actual deletion."

RETENTION PERIOD: Data can be retained for longer periods with the new agreement: from 3.5 years to 15. Besides that, PNR data will be kept for seven years in "active analytical databases", leading to a big risk of massive profiling, contrary to EU principles.

THIRD COUNTRIES: Parliament strongly opposes to the fact that third countries in general may be given access to PNR data if adhering to specified conditions by the US government. The EU has accepted "not to interfere" concerning the protection of EU citizens' PNR data shared by the US with third countries. Finally, MEPs demand the Commission to clarify Commissioner Frattini's statements regarding the possible creation of an EU PNR system to be used in Europe and called national parliaments of Member States to examine the present draft agreement carefully.

Source: European Parliament: Justice and Home Affairs Press release 12/7/07

See also:

• EPIC: EU-US Airline Passenger Data Disclosure
• Art. 29 Working Party 2/2007 on information to passengers about transfer of PNR data to US Authorities (pdf)

Additional powers for the ICO

Following the Radio 4 interview this morning with the UK ICO on the number of organisations breaching data protection rules (and no doubt, there will be a lot more press on this, one of the issues arising out of this is whether ICO's powers should be increased to protect that of the consumer). Here is a short extract:

A "horrifying" number of companies, government departments and other public bodies have breached data protection rules in the past year, a report says. The UK's Information Commissioner Richard Thomas said bosses must take the personal data of both customers and staff seriously. Orange, Barclays and NatWest are three of the firms he has rapped this year. The Ministry of Justice said prison sentences could be given to those who deliberately misuse personal data. Mr Thomas received nearly 24,000 enquiries and complaints about personal information issues in 2006-07. His report said 56.5% of these required only advice and guidance, while a breach was likely to have happened in 35% of cases, of which a further 77% resulted in remedial action. "Frankly these are inexcusable. None of this is really rocket science - security is fundamental," he told BBC Radio 4's Today programme.

Just a reminder of the data protection principles under the Data Protection Act 1998 and in particular, the 7th data protection principle:

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-

(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

For any organisations that handle personal information, a few questions (not exhaustive, but let me know if there are any more) that will need to asked:

• Who is your data protection officer?
• Are there training sessions to raise awareness of the importance of data protection?
• Who do I complain to where there is a security breach?
• What are my rights? (On this, visit the UK ICO website)

Forthcoming Privacy Conferences

Pipeda blog has compiled a list of privacy conferences to go to (with an rss feed) - great idea for privacy practitioners etc) to keep themselves abreast with the latest developments.

Summer time reading

With the summer break almost approaching (I certainly need a break), and a busy teaching schedule in the next term, here are a few books that are worth having on your bookshelf (I have still yet to update my reading list):

• Kuner, Christopher. European Data Protection Law, 2nd ed, 2007
  
• Bainbridge, David. Data Protection Law, 2005

Art. 29 Working Party Opinion on "Personal Data"

The Art. 29 Working Party has now published its working opinion (4/2007) (pdf) on the concept of personal data. Not only does it maintain its position that "personal data" is a broad definition, but it also gives a detailed analysis of the definition - ie. "any information relating to an identified or identifiable natural person."

"As a general consideration it has been noted that the European lawmaker intended to adopt a broad notion of personal data, but this notion is not unlimited. It should always be kept in mind that the objective of the rules contained in the Directive is to protect the fundamental rights and freedoms of individuals, in particular their right to privacy, with regard to the processing of personal data. These rules were therefore designed to apply to situations where the rights of individuals could be at risk and hence in need of protection. The scope of the data protection rules should not be overstretched, but unduly restricting the concept of personal data should also be avoided. The Directive has defined its scope, excluding a number of activities, and allows flexibility in the application of rules to activities that are within its scope. Data protection authorities play an essential role infinding an appropriate balance in this application (see paragraph II).

The Working Party’s analysis has been based on the four main “building blocks” that can be distinguished in the definition of “personal data”: i.e. “any information”, “relating to”, “an identified or identifiable”, “natural person”. These elements are closely intertwined and feed on each other, but together determine whether a piece of information should be considered as “personal data”. The analysis is supported by examples from the national practice of European DPAs.

• The first element – “any information” – calls for a wide interpretation of the concept, regardless of the nature or content of the information, and the technical format in which it is presented. This means that both objective and subjective information about a person in whatever capacity may be considered as “personal data”, and irrespective of the technical medium on which it is contained. The opinion also discusses biometric data and the legal distinctions with human samples from which they may be extracted (see paragraph III.1).

• The second element – “relating to” – has so far been often overlooked, but plays a crucial role in determining the substantive scope of the concept, especially in relation to objects and new technologies. The opinion provides three alternative elements – i.e. content, purpose or result – to determine whether information “relates to” an individual. This also covers information that may have a clear impact on the way in which an individual is treated or evaluated (see paragraph III.2).

• The third element – “identified or identifiable” – focuses on the conditions under which an individual should be considered as “identifiable”, and especially on “the means likely reasonably to be used” by the controller or by any other person to identify that person. The particular context and circumstances of a specific case play an important role in this analysis. The opinion also deals with “pseudonymised data” and the use of “key-coded data” in statistical or pharmaceutical research (see paragraph III.3).

• The fourth element – “natural person” – deals with the requirement that “personal data” are about “living individuals”. The opinion also discusses the interfaces with data on deceased persons, unborn children and legal persons (see paragraph III.4).

The opinion finally discusses what happens if data fall outside the scope of the definition of “personal data”. Different solutions may be available to deal with issues in these cases, including national legislation outside the scope of the Directive, provided that other community law is respected (see paragraph IV). "

Full text: Opinion 4/2007 on the concept of Personal Data (pdf)

PETS- protecting personal data

Another press release about privacy enhancing technologies (PETs):

MPs have joined the European Commission in backing the use of privacy enhancing technologies (PETs) to protect personal data, despite UK government fears it could limit the activities of security and law-enforcement agencies. The European Union (EU) wants to encourage the development of standards for the processing of personal data using Pets. Such a move could lead to international standardisation of technical rules on security measures for data protection, according to a report from the Commons European Scrutiny Committee.

Source: http://www.vnunet.com/computing/news/2193412/mps-back-plans-personal-privacy

For more on PETS, see:

• CDT: Privacy enhancing technologies
• European Information: PETs

C-73/07 Reference for a Preliminary Ruling

This is a reference to the ECJ under Art. 234 for a preliminary ruling lodged in Finland on 12 February 2007.

Case C-73/07: Reference for a preliminary ruling from the Korkein hallinto-oikeus (Finland) lodged on 12 February 2007 - Tietosuojavaltuutettu Official Journal C 95, 28/04/2007 p. 19

The main questions to the ECJ are:

1. Is an operation in which data on the earned income, income from capital and the wealth of natural persons area

(a) collected from documents in the public domain held by the tax authorities and processed for publication

(b) published alphabetically in a printed publication by income bracket and municipality in the form of extensive lists,

c) disclosed onward on CD-ROM to be used for commercial purposes, and

d) processed for the purposes of a text messaging service whereby mobile phone users can, by indicating an individual's name and home municipality and texting to a given number, receive in reply data on the earned income, income from capital and wealth of the individual indicated, to be regarded as the processing of personal data within the meaning of Article 3(1) of Directive 95/46/EC (1)

2. Is Directive 95/46/EC to be interpreted as meaning that the various operations listed in Question 1(a) to (d) can be regarded as the processing of personal data carried out solely for journalistic purposes within the meaning of Article 9 of the Directive, having regard to the fact that data on over one million taxpayers has been collected from data which are in the public domain under national legislation on the right of public access? Does the fact that publication of those data is the principal aim of the operation have any bearing on the assessment in this case?

3. Is Article 17 of Directive 95/46/EC to be interpreted in conjunction with the principles and purpose of the Directive as precluding the publication of data collected for journalistic purposes and its onward disclosure for commercial purposes?

4. Can Directive 95/46/EC be interpreted as meaning that personal data files containing, solely and in unaltered form, material that has been published in the media fall altogether outside its scope?


The judgment is likely to take some time (as in the case of Lindqvist), but points worth noting is:

a) Extensive interpretation of what constitutes "processing" under Art. 3(1), definition under the Data Protection Directive is fairly wide.

b) Interpretation of Art. 17 of the Data Protection Directive - odd to have the discussion on the security of processing to be included in the question.

c) Journalistic purposes are covered under Art. 9 of the Data Protection Directive. Art. 9 also covers the processing of personal data for literary and artistic purposes. The Art. 29 Working Party has published guidelines (pdf) on Art. 9 quite a while ago in 1997.

Some new developments

Just a few things I came across, whilst updating myself on data protection. The Art. 29 Working Party has adopted a new document interpreting the notion of "personal data". The aim is to introduce a uniform interpretation of the Data Protection Directive. The document has not yet been published, so one awaits. This is certainly useful, as we now have the ECJ's decision on Lindqvist interpreting what sensitive personal data is and also the UK's position (Durant vFSA) on what constitutes personal data.

See:

• Art. 29 Working Party Press Release 21 June 2007 (pdf)

Passenger Data Sharing - EU and US

Here is the latest that has been in the press on the provisional agreement (subject to approval by the 27 Member States) between the EU and the US on passenger data sharing

European negotiators reached a provisional deal with the United States on Wednesday, ending a year of wrangling over how to share information about trans-Atlantic air passengers that Washington says is needed to fight terrorism. The tentative agreement will be put to envoys from all 27 European Union nations Friday for approval, said the diplomats, who spoke on condition of anonymity because the deal has not been finalized. Differences over how to balance security needs with concerns over passengers' privacy had deadlocked negotiations since a 2004 deal on data sharing was voided by an EU court last year for technical reasons.

Source: http://www.cbsnews.com/stories/2007/06/28/world/main2991408.shtml

However, see also Statewatch, which has also published the minutes dated 19 June 2007 at http://www.statewatch.org/news/2007/jun/eu-usa-pnr.pdf which provides some details on the provisional deal.