ECJ's Judgment

Having had a short break from blogging (with teaching and marking to do), this ECJ's judgment in Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy (C-73/07) on the interpretation of Art. 9 of the Data Protection Directive 95/46/EC is worth noting, though it does not resolve the difficulty of the continuing interface between data protection and the journalistic, literary and artistic exemption (as provided under Art. 9) in the context of Data Protection Directive 95/46/EC. Out-Law provides a brief summary:

A company that sends text messages revealing the income of Finland's wealthiest citizens is subject to European data protection laws but could be protected by an exemption for journalism, according to a ruling by the European Court of Justice (ECJ). The processing of personal data made available by Finnish tax authorities may be the subject of a derogation from the EU's data protection regime if it is carried out solely for journalistic purposes, the ECJ ruled. Unlike in the UK, details of taxes paid by individuals in Finland are made publicly available. For several years, a company called Markkinapörssi has collected public data from the Finnish tax authorities for the purposes of publishing extracts from those data in the regional editions of the newspaper Veropörrsi each year...In its judgment ..., the ECJ ruled that the activities of Markkinapörssi and Satamedia "must be considered as the 'processing of personal data' within the meaning of [the Data Protection Directive]" – even though the files of the public authorities that are used comprise only information that has already been published in the media.

On the issue of Art. 9, the ECJ provides that:

54 Article 9 of the directive refers to such a reconciliation. As is apparent, in particular, from recital 37 in the preamble to the directive, the object of Article 9 is to reconcile two fundamental rights: the protection of privacy and freedom of expression. The obligation to do so lies on the Member States.

55 In order to reconcile those two ‘fundamental rights’ for the purposes of the directive, the Member States are required to provide for a number of derogations or limitations in relation to the protection of data and, therefore, in relation to the fundamental right to privacy, specified in Chapters II, IV and VI of the directive. Those derogations must be made solely for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression, in so far as it is apparent that they are necessary in order to reconcile the right to privacy with the rules governing freedom of expression.

56 In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary.

EU law blog, Lex Ferenda also gives their analysis on this case.

• ECJ's Judgment

Events

Just a reminder re: forthcoming data protection events taking place over the course of this month:

1) Computers, Privacy and Data Protection Conference: Data Protection in a Profiled world, 16-17 January 2009, Brussels.

2) E-Discovery Webinar: Data Protection, corporate investigations and e-discovery: insurmountable conflicts?, 15th January 2009, more details available at http://www.e-comlaw.com/dataguidancewebinars.

ECtHR ruling in Marper

Whilst busying away with marking, this recent judgment from the ECtHR (via International Herald Tribune) on the retention of DNA:

BRUSSELS, Belgium: Europe's top human rights court says British police should not be allowed to retain DNA profiles and fingerprints of people suspected but not convicted of crimes. The European Court of Human Rights says in a ruling Thursday that Britain was violating the suspects' right to a private life by retaining information on their DNA and fingerprints. The court based in Strasbourg, France, has ordered British authorities to pay €42,000 US$53,000) to two people who brought the complaint.

Source: International Herald Tribune, 4 December 2008

Update: ECtHR Judgement is available here.

CFP on Privacy Symposium

(via Surveillance network)

RESEARCH SYMPOSIUM - THE TRANSFORMATIONS OF PRIVACY POLICY 2-4 July 2009

Institutions, Markets Technology Institute for Advanced Studies (IMT), Lucca (Italy), in collaboration with International Comparative Policy Analysis-Forum & Journal of Comparative Policy Analysis

CALL FOR PAPERS

Abstract deadline (500 words): January 18, 2009 Submission of Abstract to Workshop Convenor and Guest Special Issue Editor: Professor Bruno Dente, Professor of Public Policy Analysis, Politecnico di Milano and IMT bruno.dente@polimi.it & paola.coletti@polimi.it

Notification of accepted proposals: February 8, 2009 Draft paper deadline: June 15, 2009

Workshop Date and Accepted Paper Presentation: July 2-4,2009

Invitation:This EU based Comparative Research Symposium will be the first among a series of international Research Symposia enhancing a comparative exchange on policy research. It will focus on data protection (privacy policy) that has garnered growing attention in many countries in recent years. The evolution of public policy around this issue has been affected in unpredictable ways by the latitude of the issue, as well as by the changes in the social and technological environment. For instance, despite the fact that in the EU privacy regulation stems from official legislation, the member states have implemented different approaches, developing peculiar instruments and building very different institutions.The basic aim of the workshop is to understand the evolution of the policy in different countries, and if these transformations stem from exogenous factors (e.g., technological advances, the war on terrorism, and others) or endogenous factors (e.g., processes of institutionalization or bureaucratization, heterogenesis of ends, policy failures, and others).Our definition of privacy policy is rather broad and includes the content of the protected goods, the policy instruments employed, the organizational dimension of the authorities in charge, and so on.

Submission of Papers: Proposed papers should (a) relate to research on any one of the aspects above, or propose additional research angles,(b) focus on the incremental or radical changes that the policy has undergone, (c) shed light on policy problems and policy related dynamics and interventions, (d) present research on aspects of the different national approaches or cases from which comparative lessons can be drawn.The workshop is interdisciplinary in nature, and therefore perspectives related to all fields of social science (including political science, economics, law, policy analysis, sociology, etc.) will be accepted.The criteria for selection are quality and fit to the subject matter. The articles submitted must be in line with the mission statement of the JCPA and ICPA-Forum of fostering the theory, empirical research and methods of cross-national comparative policy analysis. Please note the Aims and Scope of the JCPA and explicit comparative criteria at www.jcpa.ca. While papers need not necessarily present comparisons among countries, they must explicitly lend themselves to lesson drawing.Papers accepted and presented at the workshop may be published in a Special Issue of the JCPA edited by Professor Bruno Dente, subject to fit in the Special Issue and the blind-fold referee procedures of the JCPA.Location and Organization: The convenors of the workshop will cover the travel and accommodation costs of the selected participants. Lucca is a beautiful historical city located 25 km from Pisa international airport. IMT is a post-graduate University offering PhD Programs in the fiend of Political Systems and Institutional Change, Bio-robotics, Science & Engineering, Computer Science & Engineering, Economics, Markets, Institutions & Technology, and Management of Cultural Heritage. The Workshop will be co-sponsored by IMT, Politecnico di Milano, ICPA-Forum and Routledge.

Revisiting data security breaches

Opinion: In a recent press statement on whether there ought to be data security breach notifications, it is slightly unusual for the Government to reject calls for a law that would require significant data security breaches to be notified to a country's privacy regulator.

The Government has rejected calls for a law that would require significant data security reaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law. The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security". However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees. "As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report.

Source: Out-law news

Yet, given the lapses in recent losses of personal information, it is odd that this view is taken. Proposals are already in place at a European level to amend the Directive on Privacy and Electronic Communications (hereinafter "DPEC") which will include data security breach notifications by electronic communications providers. Whether this will be extended beyond electronic communications providers is not yet clear, but there appears to be a level of support for this. The rationale is not simply good data management practice but that users/consumers are fully aware of the privacy policies within an organisation and whether the data protection standards are fully in place.

HL refuses appeal

Courtesy of 5RB, the House of Lords has refused leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son.

The House of Lords today refused Big Picture (UK) Ltd's petition for leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. In March this year the Court of Appeal held that the claimant had an arguable case on both the misuse of private information and the Data Protection Act points, overturning the August 2007 decision to strike the claim out. The effect of the House of Lords' ruling is that the claim should now proceed to trial, as the Court of Appeal envisaged. The claim, which alleges misuse of private information and breach of the DPA 1998, centres on a series of photographs of David Murray, which were taken when he was a 1 year-old, being pushed down a street in Edinburgh by his parents in his pushchair at a time when his mother was pregnant with David's younger sister. In August 2007 Mr Justice Patten acceded to an application by the remaining Defendant - Big Pictures (UK) Ltd, a photographic agency - to strike the claim out. However, in March 2008 the Court of Appeal decided that the Judge had been wrong to conclude that the claim was unarguable and reinstated the claim, directing that the issues between the parties be tried. An application by Big Pictures for permission to appeal against this decision was refused by the Court of Appeal. In June, Big Pictures petitioned the House of Lords for leave to appeal. It is this petition that the House of Lords has refused today.

Updated BCR Guidelines

Updated guidelines on BCR (courtesy of Out-Law news) have been published the Art. 29 Working Party.

The European Union's data protection authorities have published amended guidance on how companies can legally share customer and staff personal data with parts of the firm located outside the European Union. The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations but to countries to which it would usually be illegal to send personal information. U data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short. The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.

Data Security Breach notifications in sight

Courtesy of Pogo and Vnunet, comes this recent news on European data breach notification laws (part of the amendments to the Telecommunications framework at a European level:

European data breach notification laws applying to all online information service providers could be in force by 2011, according to the European data protection supervisor Peter Hustinx. The current data breach notification proposals apply to just ISPs and telcos, but Hustinx backed calls for the law to apply to all “information service providers, including banks and medical sites”. He added, “I would welcome this as fair and in line with reality.”

Speaking to vnunet.com at the RSA Conference Europe show in London, which kicked off today, Hustinx explained that the proposals are still open to change as the Council of Ministers and parliament are working on slightly different texts. “We will probably have some threshold [for disclosure] but a very low one, and notification will be to users and authorities,” he said. “There is also likely to be some variation on the basis of individual member states, which will be a challenge.”

Hustinx added that if the current proposals are adopted in spring 2009, they could become law two years after that. Hustinx also argued that the UK government should consider giving its data protection watchdog, the Information Commissioner, greater powers in order to “restore confidence” to public sector handling of data [the Criminal Justice and Immigration Act 2008, s 77 and s 144 already strengthens remedies for ICO].

More from:

• Vnunet.com European data breach laws could land in 2011
• Identity and Privacy Blog
• Managing data security breaches
• ICO Guidance on Data Security Breach Management

Consultation on proposed database

There is likely to be a public consultation over the proposed database over the controversial Communications Data Bill (which is intended to implement the Data Retentions Directive 2006/24/EC). The Art. 29 Working Party (3/2006) has already issued its opinion on the implementation of Directive 2006/24/EC. However, according to Computer Weekly:

The government has scrapped plans to push through the controversial Communications Data Bill this parliamentary session and will hold a second public consultation in the new year.

What is unclear at this stage is whether Liberty would mount a legal challenge over the proposed Communications Data Bill. One awaits to see developments on this front. The ICO has already expressed the view 'that a single database of phone and internet usage records would undermine the "British way of life". The privacy watchdog has said that it will scrutinise Government plans for storing that information.' More from Out-Law.

SNS revisited (not) again!

Social networking websites (SNS) have been the subject of much discussion, and given the numerous views about the benefits and negativities of this, the recent debates, however, is of interest. Given the high level of engagement, one is certainly drawn to the view that there is enough literature, and warnings about the potential negativities of SNS, such that it is fair to argue that users enter SNS at their own risk. Discussion about the current legal framework particularly with the recent case of Firsht v. Raphael [2008] EWHC 1781 (brief commentary here) have already shown repercussions. The law has not been slow to respond and provides an element of certainty on this. According to Facebook, reactions to the case:

Facebook was reported to have stated in a statement following the reporting of the court’s decision, “Facebook does not permit fake profiles on its site. Fake profiles are an abuse of our terms of use and they will be removed… When fake profiles are reported we thoroughly investigate and remove profiles found to be in violation of our terms of use – just as we did in the case of Mathew Fircsht [sic].

Actual case details can be found here. In the meantime, for those who wish to follow up on the recent debates on social networking, worth visiting here for a starting point.

Update: Out-Law Press release on SNS ground rules

Updates

Courtesy of Pogo, this recent Adv. General ruling on the Data Retentions Directive 2006/24/EC is worth reading up, whilst awaiting the ECJ's judgment. According to the EU observer,

The European Court of Justice Advocate General on Tuesday (14 October) delivered a blow to member states hoping to overturn an EU law on harmonising telephone and internet data retention rules, saying the case is an internal market matter, not a justice and home affairs issue.

The directive - which was approved by a qualified majority of EU states in February 2006 - sets a time period of six months to two years during which telecom operators are to keep phone and internet data, in the name of fighting terrorism and crime and increasing security.

Irish telecoms operators and internet service providers currently face tougher rules and must keep the data for up to three years, according to the Irish Times.

More from:

• C-301/06 Ireland v Parliament and Council (pdf) and online version
  
• Digital Rights Ireland

SNS Programme

Beeb has recently put this programme on social networking titled Are networking sites a good or bad thing: Here is a snapshot:

Websites such as Facebook, Myspace and Bebo have become immensely popular over the past few years, promoting the sharing of personal information and photographs among friends.

But is social networking just a bit of fun or is splashing our private lives all over the internet potentially harmful? We hear conflicting personal stories of success and disaster.

The link can be found here.

A recent press release has also indicated that SNS should indicate the low level of protection here.

Proposed Database

This latest development should be no surprise to any academic researcher working in the field of data protection and privacy in the UK (as here). Particularly, when surveillance is becoming "normalised" with countless CCTVs etc. Out goes "privacy" and in comes "surveillance". Amidst the latest data security breaches, according to The Independent, details are emerging over the current plans for a database:

Early plans to create a giant "Big Brother" database holding information about every phone call, email and internet visit made in the UK were last night condemned by the Government's own terrorism watchdog...

Under the proposal, internet service providers and telecoms companies would hand over millions of phone and internet records to the Home Office, which would store them for at least 12 months so that the police and security services could access them. It is understood that more than £1bn has been earmarked for the database.

Some reactions over this proposed database:

Richard Thomas, the Information Commissioner, has described the plans as "a step too far for the British way of life". Yesterday his office added: "It is clear that more needs to be done to protect people's personal information, but creating big databases... means you can never eliminate the risk that the data will fall into the wrong hands."

Shami Chakrabarti, director of the human rights group Liberty, said: "This is another example of the Government's obsession with gathering as much information on each of us as possible in case it might prove useful in the future. Like the discredited ID card scheme this will have a massive impact on our privacy but will do nothing to make us safer.

See:

• The Independent: Storm over Big Brother Database

UPDATE: By way of update (courtesy of Out-law) there is likely to be consultation on the proposed new law. However, it is still unclear as there seems to be mixed messages over recent news that everyone who has a mobile phone will be compelled to register their identity on a national database (compulsory mobile phone register). More details can be found here. Q. How have other countries implemented the Data Retentions Directive 2006/24/EC? Probably this book and here will enlighten us a little bit more.

Another case: this time on IP addresses

Whilst there have been plenty of views re: the status of IP addresses, particularly from the Art. 29 Working Party and the Data Protection Authorities, in an unusual case from the District Court of Munich (file no. 133 C 5677/08; September 30, 2008), the court held that IP addresses (contrary to other German courts), of a user of a website was not personal data, because the user concerned could only be identified if the user's access provider (illegally) identified the user and (illegally) forwarded the name of the user to the operator of the website. Therefore, the storage of the IP address of a user by a website operator in a server logfiles was permitted. Whilst this decision is unlikely to have any effect upon recent opinions made by the Art. 29 Working Party, one is not convinced that IP addresses are not personal data as evidenced by recent incidents exemplified here , here and here. However, if the recent press report is to be believed, then according to one view, "Businesses have a responsibility to protect sensitive data. The public should not expect the government to protect them."

Update: Decision is available in German and can be accessed here and here.

Additions to the Casebook!

Some latest cases and updates that will need to be included in my casebook on data protection:

1) The Criminal Justice and Immigration Act 2008 received the RA on 8 May 2008. Some of the main provisions worth noting and commenting is ss 77-78 CJIA and s 144 which amends the UK DPA 1998 by adding s 55 A to increase the ICO's powers to impose monetary penalties (ie. the ICO has the power to serve monetary penalty notices to organisations for breach of the UK DPA 1998).

2) Roberts v Nottinghamshire Healthcare NHS Trust [2008] EWHC 1934

In brief, this case hinged on whether the Trust was in breach of its obligations under the DPA 1998 by refusing R access to a report prepared on him by the Trust employer on the grounds that this was exempt from disclosure. Art. 13 of the Data Protection Directive 95/46/EC on exemptions and Recitals 42 and 43 of the Directive were considered in the judgment. Reference was made to the case of Durant and Auld LJ's judgment:

A number of general points can be made about the court's role under section 7(9). First, its role is to review the decision of the data controller rather than to act as primary decision maker. In Durant v Financial Services Authority [2003] EWCA Civ. 1746; [2004] IP & T 814 Auld LJ said at [60]:

"Parliament cannot have intended that courts in applications under section 7(9) should be able routinely to "second guess" decisions of data controllers, who may be employees of bodies large or small, public or private or be self-employed. To so interpret the legislation would encourage litigation and appellate challenge by way of full rehearing on the merits and, in that manner, impose disproportionate burdens on them and their employers in their discharge of their many responsibilities under the Act."

And then, after referring to the Data Protection Directive and to Article 8 of the European Convention on Human Rights, Auld LJ continued at [60]:

"Under both international legal codes, it is for the Member State to justify, subject to a margin of national discretion, any provisions enabling refusal of disclosure in terms of necessity and proportionality, and similarly, data controllers should have those notions in mind when considering under section 7(4)-(6) whether to refuse access on that account. So also should courts on application by way review of any such decision under section 7(9). But it does not follow that the courts should assume, if and when such a question reaches them, the role of primary decision-maker on the merits."


Secondly, the court must determine, with the benefit of sight of the data, whether the data controller has appropriately concluded that one of the exemptions provided for under the Act or an Order applies. The burden of proof is on the data controller, to the civil standard. Given the right involved, however, the court will approach the matter with a heightened sense of what is at stake, what has been described in other contexts as "anxious scrutiny". Auld LJ's judgment is helpful in indicating how that issue is to be approached, "in terms of necessity and proportionality". Necessity as a test originates in the directive, as can be seen from recital 43. Proportionality as an approach no doubt derives from the relevance of the European Convention on Human Rights to the issue. The twin requirements of necessity and proportionality constrain the data controller in any decision to refuse release of the data. In the light of all of this the court then reviews the decision of the data controller. It is not a decision on the merits but a consideration of whether the data controller's decision is flawed on public law grounds whether, for example, irrelevant matters have been taken into account or the decision not to release is such that no reasonable data controller would have arrived at that conclusion.

The court denied the application to disclose the report on the following grounds:

In light of the very serious concerns and unusual circumstances in this case I have exercised my duty of "anxious scrutiny" to determine whether the defendant has complied with its obligations under the Data Protection Act 1998. In my judgment the defendant has clear and compelling reasons based on cogent evidence to support its decision not to release the report. Moreover, I have been persuaded that disclosure of the reasons for this conclusion are not appropriate in this case. As to what I have described as the half-way house, disclosure to the claimant's legal representatives but not the claimant, in my judgment the court has no power to order it. There is no such power in the Data Protection Act 1998. The other grounds which were advanced as a basis for that power are besides the point once it is recognised that, absent specific authorisation, legal representatives cannot keep relevant information or knowledge from a client. In this case the claimant has agreed to abide by the half-way house but that is no ground for the exercise of any discretion on my part to order disclosure of the report, given the statutory position and my conclusion that no injustice is caused to the claimant by not doing so.

Surveillance Demonstration

According to this recent press release, there was a privacy rally organised against surveillance:

Source: Earth Times

Berlin - Some 15,000 demonstrators marched in Berlin on Saturday to demand greater privacy, accusing the German government of creating a "surveillance state."The Stop This Surveillance Madness rally ended at the Brandenburg Gate. Organizers said 100,000 people took part, but police on crowd duty said they had not seen more than about 15,000 present at any one time.

The German privacy movement is upset at European Union data- retention laws that require phone companies to keep for six months computerized lists of the numbers that their customers call.

See:

• EDRI

Consultation Paper

One will give blogging a rest, but just a reminder that there is a consultation paper issued by the European Commission titled Radio Frequency Identification (RFID) in Europe: steps towards a policy framework. Some details of this consultation are included below:

The Communication on the Internet of Things will propose a policy approach addressing the whole range of political and technological issues related to the move from RFID and sensing technologies to the Internet of Things. It will focus especially on architectures, control of critical infrastructures, emerging applications, security, privacy and data protection, spectrum management, regulations and standards, broader socio-economic aspects.

The Commission's Staff Working Paper: As a first contribution to the debate, the Commission has released a Staff Working Paper that can be found here. Stakeholders are invited to send comments on the issues addressed in this paper. Concrete suggestions of possible actions or initiatives that should be taken are particularly welcome. Target group: Universities and research centres, public authorities, private organisations addressing horizontal issues (e.g. infrastructure, security) and/or vertical components in major application areas (e.g. retail, logistics, manufacturing, e-energy, finance, public sector), European and international standards organisations, consumers' organisations, trade-unions, civil society groups. Answering Process: Respondents are invited to provide their feedback on a stand-alone document which can be found here. Unless otherwise indicated by the respondent, the answers received to this consultation will be published. There are no-predefined questions but respondents are invited to respect the following format: • Use the first page to identify themselves • Limit themselves to a maximum of 10 pages (regular fonts and spacing) • File should be in '.pdf' format Respondents are invited to send their response by email at infso-iot-europe@ec.europa.eu by 28th November 2008 at the latest. Answers received after this deadline will not be taken into account. Results of the consultation:

The contributions received in the public consultation will serve for elaborating a Commission Communication on the Internet of Things addressed to the Council and the European Parliament during the second quarter of 2009. The Communication on the Internet of Things will be made public through the usual communication channels of the European Commission.

On the subject of RFIDs, there has been a lot of discussion on this issue including the Art. 29 Working Party's opinion. However, perhaps, the most interesting aspect of RFIDs was given in a talk that I attended last year, where RFIDs had become everyday life from RFID library cards to RFID passports. Indeed, the talk went so far not so much about regulation but how to circumvent RFID tags through the use of skimming. However, my understanding is that this practice is likely to be outlawed. For researchers working on RFIDs, a good starting point is here and here.

Phorm Storm

Slightly delayed post on this issue. The title of this post is "Phorm Storm" primarily because there has been a lot written on the latest saga of Phorm, which is likely to deliver targeted advertising based on user browsing habits by using deep packet inspection. For those who want to read up further, Wikipedia provides a detailed account. Whilst BT has already started trials of Phorm, the ICO has already indicated that Phorm would only be legal, if users OPT-IN (based on Privacy and Electronic Communications Regulations).

The service, which will be marketed to end-users as "Webwise", would work by categorising user interests and matching them with advertisers who wish to target that type of user. "As you browse we're able to categorise all of your Internet actions", said Phorm COO Virasb Vahidi. "We actually can see the entire Internet."

It is claimed that data collected would be completely anonymous, and that Phorm will never be aware of the identity of the user or what they have browsed.

Some queries at this stage, what is there to guarantee the anonymity of data collected? Take a different approach or query: why would you want to anonymise the data, when this could be valuable "commodity" for any other company for marketing purposes? After all, we are dealing with user's surfing habits. It is also working towards the build-up of online profiling of individuals (apologies for the scepticism). Online profiling discussion will have to be another topic in its own right. Imagine the following hypothetical scenario:

Fred Blogs, a regular shopper decides to use his laptop to go online and visits Widgets Bookshop and checks his gmail account before switching over to read his regular dose of The Times . He also decides to pay a few bills online. His son, Joe Blogs, 12 years of age, asks his father whether he can use his laptop. Happily, Fred Blogs allows his son to do so. Joe Blogs logs onto his MySpace account then decides to go onto another website, let's say, KaZAA filesharing website and downloads his favourite music. Joe Blogs then emails his friends on his MySpace account to arrange a party do. Probably a good case discussion.

Whilst this is a hypothetical scenario, assuming that Fred Blogs naively subscribes to this Phorm program, so that it can deliver targetted ads. What is there to guarantee that it will be completely anonymous? If Joe Blogs logged onto a filesharing website on his father's user account, then questions may arise as to his surfing habits and whether it would land him into trouble with the law? It should be remembered that the General Data Protection Directive 95/46/EC is applicable (including Member States that implement this: ie. UK's Data Protection Act 1998). Given that Phorm is providing the software to the ISPs, it appears that the ISPs would be regarded as a "data controller" and thus, be required to comply with the UK's Data Protection Act 1998. Questions have arisen about whether Phorm could be the "data controller". There has been some discussion from the Art. 29 Working Party, which has indicated in its recent opinion, that the notion of personal data is defined broadly, and would include IP addresses (as held by several Data Protection Authorities including Germany and Sweden) that identify individuals. There is a strong argument that if there is any possibility of identifying individual's through their surfing habits, then the Data Protection Directive or the EU Member States that have implemented the Data Protection Directive 95/46/EC would take the view clearly that we are dealing with personal information. For an indepth analysis on the EU Member State's implementation of the Data Protection, visit here for more information.

If one were to subscribe to the Phorm program, it would simply be to test how robust the system and identify fundamental flaws in this technical system that claims to anonymise surfer habits. However, a report has already been written on this.

Putting on a sceptical hat, given that the arguments in favour of stronger rights for the privacy of personal information (in particular, the DPA 1998) is relatively weak in the UK (other than recent changes to strengthen the UK Data Protection Act 1998), this is a further step towards a gradual erosion towards privacy in the UK.

Final point: Warren and Brandeis seminal article on the right to privacy was written out of concerns of press intrusion, however, the privacy discussion here is not so much about the protection of privacy as the willing acceptance or acknowledgment by individuals that there is simply nothing that can be done to protect privacy. Switching ISPs is only one solution. Opting out of the system is another way. Targetting advertising is certainly unwelcome for the privacy conscious. Yet, one can foresee that the only route may have to be litigation! Discuss...

FOI Survey

The UCL Constitution Unit is to evaluate the impact of Freedom of Information (FOI) in the UK. FOI is intended to make government transparent, participatory, effective and responsive to its constituents. First, some brief information about the Project:

The primary aims of this project are:

• to clarify the theoretical reasoning behind the introduction of FOI
• to evaluate the performance of FOI against its policy objectives
• to assess the impact of FOI on the working of the Whitehall model.

Preliminary research has identified six policy objectives which will be tested in the course of the research. We will investigate to what extent the following objectives of the UK FOI Act are being achieved:

• Greater transparency
• Increased accountability
• Better public understanding of government decision making
• More effective public participation in the political process
• Increased public trust and confidence in government
• Better quality of government decision making

At the same time, we will examine how the introduction of FOI has affected the Whitehall model, in particular five key characteristics of the model:

• Civil service neutrality
• Cabinet system
• Ministerial accountability to Parliament
• The culture of secrecy
• Effective government.

More details of the survey can be found here.

Biographies to read

One of the books that one will have to start reading is the story of the relationship between JR Tolkien and CS Lewis (leave discussion of data protection for another day). Here is a short synopsis, why the authors, known for their works, were also very different in their ways of work and thinking:

The friendship between J.R.R. Tolkien and C.S. Lewis lasted over forty years and was for each the most important creative collaboration in their lives. The two met at Oxford in 1926. They were both survivors of the First World War, both academics and, as children, their lives were both dominated by imagination. However, they had very different religious upbringings. Tolkien was a Roman Catholic while Lewis, initially Protestant, later advocated what he called 'mere Christianity' - a faith in the supernatural, the historical Jesus and the reality of sin and judgement. Thus by different routes both Lewis and Tolkien found a way to express truths that lie deeper than surface appearance. Colin Duriez's book is the first to focus primarily on this remarkable literary association, exploring the origins of the mythological worlds which both writers placed at the centre of their fiction. He does not flinch from exploring their differences - Tolkien did not have a high opinion of some of Lewis's Christian writings and Lewis famously found Tolkien's elves too much of a good thing....

Best known works of CS Lewis include Mere Christianity. Orwellian works (such as Animal Farm) including his diaries will have to be left for another day.

Phorm developments

Last post of the day, some developments are emerging from the controversial Phorm project (courtesy of PC Pro), which has been the subject of much discussion:

BT's third Webwise trial will begin tomorrow, with 10,000 random customers asked to participate.

"BT customers are being invited to take part in the trial, which will take place over a number of weeks. Following successful completion of this trial and an appropriate period of analysis and planning, it is currently expected that Phorm's platform will be rolled out across BT's network," says an announcement released by Phorm today.

Two previous trials have been conducted in secret by the companies, causing controversy among customers and privacy advocates.

Pressure groups such as Bad Phorm have sprung up to counter the scheme, and the City of London Police questioned BT over the legality of the experiments.

The third test was expected to start in June this year, when it was announced that the trial was to begin imminently. However, the launch was delayed by the surrounding controversy.

This negative attention has now subsided somewhat after the police announced last week that it would not be conducting a formal investigation. The trial also got the go-ahead from the Information Commissioner's Office earlier this year - as long as it was conducted on an opt-in basis. The company is still under the watchful eye of the EU, though.

See also:

• BT rolls out phorm tracking, The Times
• FIPR: Phorm project

Getting to grips!

This article is worth reading and stems from a previous post sometime back on Professor Pausch's lecture on "Time management". In her abstract, the author discusses some of the issues raised on higher education. The title of the article is Two jobs, two lives and a funeral: legal academics and work-life balance (2004):

"Changes in higher education over the last twenty years have led to a huge increase in the workload of legal academics. At the same time, there are many more choices as to how to spend time outside the workplace. Research shows that academics around the world are finding the maintenance of work-life balance an increasingly difficult issue. This article uses data from a qualitative study of legal academics in the U.K. to illustrate the particular effects of changes in higher education policy on the workload of those working in law schools. While no easy solutions are offered, it is suggested that it is time for legal academics to engage in some Socratian self-examination."

"The latter interpretation of Four Weddings and a Funeral has many resonances for contemporary legal academics, particularly in relation to the problem of work-life balance. Just as for Charles, the problems are immediate, pressing and difficult. They cannot be shelved for later consideration, because life moves on – in the same way as the threat of Carrie’s imminent marriage puts pressure on Charles, legal academics are faced with the immediate prospect of children growing up, partners getting older, ties with friends becoming weaker and opportunities for personal growth being lost. At the same time law schools are making ever-increasing demands upon the time and energy of their staff. It is almost inevitable that when faced with choices about the balance between different strands of their lives individual legal academics will sometimes behave like Charles; they will prevaricate, procrastinate and make mistakes (the latter in itself a potentially humiliating experience for those whose professional life is so intimately bound up with making rational judgements). "

The article is useful and highlights some issues for scholars contemplating of entering into legal academia in the UK. What would be useful is how this compares with other professions such as journalism etc. Some final thoughts from the same author:

"Perhaps the obvious answer is that we need to engage in some serious philosophical analysis. The unexamined life, said Socrates, is not worth living. If our lives are to be worth living, both in Socrates’ sense and at a more pragmatic level, we need to be able to examine our lives and make reasoned choices about how we spend our time. Others within the academy who observe the inhabitants of law schools may consider that a plea to live a fully examined life in the Socratian sense may be a bit of a challenge for the academic lawyer, since doctrinal legal training, at least, provides a poor background for the consideration of values. As a result of the pervasive influence of legal positivism, generations of law students have been taught to see the law in purely technical terms, while its moral content is regarded as irrelevant (Nicolson & Webb, 1999, p. 67). Thornton has referred to the ‘technocentrism’ of the doctrinal tradition, in which law is seen as autonomous, with discernible boundaries between law and morality, as well as between law and other academic disciplines. The pedagogical practice which is found in law schools, she notes “...focuses primarily on legal rules [and] creates a law school environment in which the technocratic is normalized, ...” (Thornton, 1998, p. 372).

"This intellectual background does not necessarily equip lawyers to engage in sophisticated philosophical reasoning about work-life balance (or any other forms of sophisticated moral reasoning, for that matter). Granted, there are exceptions within doctrinal law; the study of jurisprudence may involve consideration of moral issues, for instance, but overall, legal positivism is not interested in the analysis of values. Socio-legal and critical legal scholars have, of course, been quick to point this out, and consideration of the values and attitudes subsumed within the law are a main feature of their work. Nevertheless, familiarity with philosophy is not generally a mainstream feature of the legal syllabus, and it is understandable that, in intellectual terms, legal academics have long been regarded with suspicion by other members of the academy Sugarman notes that a need to gain credibility and acceptance from a sceptical academy was one of the top priorities for early legal academics (Sugarman, 1986). Becher’s work suggests that this is still the case; legal academics are regarded by their peers in other disciplines as not really academic, but engaged in unexciting and uncreative activities; typically, they are thought to be ‘...arcane, distant and alien; an appendage to the academic world’ (Becher, 1989, p. 30). Such opinions may bring forth howls of protest from the inhabitants of law schools, but setting them to rest is not the focus of the current argument. The question is, when faced with the problem of work-life balance, can legal academics, despite their somewhat unpromising intellectual background, engage successfully in the critical self-examination which is one of the crucial elements of a cultivated human being? If we, like Charles in Four Weddings and a Funeral continue to prevaricate, we may as Martha Nussbaum suggests, be cultivating humanity in our students – but only at the expense of failing to cultivate our own."

Gems for the Day

Whilst listening to Lanz's new album, Painting the Sun, the reading on my list for today will include Lord Denning's judgments. By way of introduction:

"Alfred Thompson 'Tom' Denning, Baron Denning, OM, PC (23 January 1899 – 5 March 1999) was an English veteran of the First World War, a mathematics graduate, jurist, barrister and judge. A native of Hampshire, he became a Law Lord and Master of the Rolls (the senior civil judge in the Court of Appeal of England and Wales).

Lord Denning was a judge for 38 years before retiring at the age of 83 in 1982. Lord Denning instigated many important concepts that would become pillars of the common law and many more which would ultimately be rejected in the House of Lords (such as the doctrine of fundamental breach)."

Some of the books, Lord Denning wrote have included: Freedom under the Law (1949), The Changing Law (1953), The Road to Justice (1955), The Discipline of Law (1979), The Due Process of Law (1980), What Next in the Law (1982) and Landmarks in the Law (1984).

Some of the cases, that law students have had to grapple with (including myself) is the famous High Trees case and the "red-hand rule" in Spurling v Bradshaw.

Best quotes that Lord Denning gave:

On legislation

"Parliament does it too late".

Modern society

Some persons, who would otherwise be good and worthy citizens, are deliberately breaking the law."

Religion

"Without religion, no morality; without morality, no law."

Retirement

"I have all the Christian virtues - except resignation".

Smartening up!

Whilst details are still emerging over the recent loss of yet more data, the question then hinges not so much on how individuals ought to protect their personal information, but how organisations secure this data and more precisely, how individuals will now have to "smarten up" in the non-disclosure of their personal information, unless this is absolutely necessary (do you really need to give your identity to organisations in exchange for this freebie? What if you don't?). Frequent incidents of data loss have "de-sensitised" us into the usual moans/groans (constant whining) and a great deal of apathy, responses from"not again" to "how can we give over our information" to such incompetent bodies but with no adequate solutions (other than resort to the usual route of compensation)? Whilst the Data Protection Act 1998 is being strengthened with more remedies (ie. heavier penalties), it is now up to individuals to exercise their rights if they have been affected by data losses. The law is there. Even if this is a long, laborious process, ultimately, it will be worth it. In the long-term, it is not simply being alerted to the recent breaches of data losses, but rather a complete change in the "privacy landscape/culture". In other words, accountability of organisations to account for the loss of their data - this is already happening at a European level, with data security breach notices being considered in the forthcoming EU legislation, but this is just the beginning. The questions: at a national/local level, the way organisations handle databases of personal information will need to be questioned - is it centralised/decentralised? What security measures are in place? Who is responsible for the security of personal information? Security questions asked of individuals needs to be changed (forget about mother's maiden name; pet name etc.)? Do they have a privacy policy? We do not want the policy in "small writing" but in "large writing" and be simple (sometimes, the policies can be verbose where only a few people can understand). How about awarding organisations for the best privacy practices they have and highlighting the bad organisations that have lax procedures (no, one is not referring to the work of Privacy International), but have in place simple procedures to ascertain what privacy audits/practices are in place (just simple common sense).

A useful start would be to start questionnaire studies amongst the general public (not so much about the handling of personal information), but rather what they do in protecting their own privacy (or do they care)? Secondly, there has been the frequent discussion to educate others about the protection of their privacy, yet, often, this assumes no knowledge, when there is. Quite clearly, we know something about the Data Protection Act 1998 (for others quite enough), but not enough to make data subject access requests, to consider whether the information is accurate or not etc. There is still a long way to go in utilising other means and methods to protect the privacy of personal information.

In the previous post, the discussion centered on how secure the public databases are and the relative ease in which social networking websites have now made it easier for anyone to obtain information about others, this discussion is now how departments can effectively secure the "trust" of the public to ensure that their personal information is handled properly (even if there is a healthy scepticism).

If you trust your local Tescos and Sainsbury to handle your personal data through the use of reward cards, then what are they doing right that others are not? Another dimension to look at is that if organisations are not handling your personal data correctly, you can theoretically walk away from them (other than resorting to your usual remedies), but not so when we are dealing with those where it is compulsory to give over our data (if this were a business, it would have long lost its custom).

The time for complacency is over. The time for more pro-active dialogue is just the beginning!

Update: The ICO website also includes a Personal Information Health Check - see how well you do!

Radio Interview

The following interview from Out-Law Radio, is worth listening to:

Title: Piracy: not the enemy, but the competition,

We talk to an anti-piracy pro who says that content producers should stop trying to stifle piracy and concentrate on competing with it better

To ensure that this interview is given its proper context and is not misunderstood, here is a short extract from Out-Law:

"TV companies, film studios and record labels should spend less time fighting those engaged in piracy and more time competing with them, a leading anti-piracy expert has said.

Dr David Price told technology law podcast OUT-LAW Radio that many people turn to piracy because officially-sanctioned songs or TV programmes are of poor quality, arrive late or come with restrictions that make them hard to access.

Price is the head of piracy intelligence at Envisional, a company which monitors piracy for content producers.

"There have to be legitimate alternatives, and not just that but they have to be really good legitimate alternatives," he said. "You've got to offer as good a user experience legitimately as people can get through piracy. We can't just offer something that is so restricted that people aren't going to bother."

Price said that many users of piracy services would happily switch to legitimate ones but are attracted by the more usable, more readily-available pirated services.

"Once you get involved in downloading things illegitimately the user experience is so good it's compelling," he said. "You really get high quality content, there are so many advantages to doing it over what you can get legitimately in a wide range of countries."

Companies should learn from pirates, said Price, and embrace some of the methods of distribution they use. He said that Norwegian broadcaster NRK achieved impressive results when it seeded peer-to-peer networks with legitimate copies of one of its hit programmes."

Radio Interview

MyHeritage.com

Quite an unusual website - MyHeritage, Facial Recognition site: who do you resemble? Question for the day - who owns MyHeritage?

Another discussion point

Discussion Point: This is something that still needs to be refined (but would be a good essay /discussion point). Thinking about the recent SNS developments, one has to admit that Facebook, MySpace, Bebo etc. (other than the search engines such as PIPL, Zoom Info) is probably the "best" freely available public databases (searchable on PIPL , Wink etc) and accessible to anybody including marketers (irrespective of technological controls). Consider this as your "Yellow pages"/"White pages" or BT/192 directory search. Free public sector information for employers, education establishments, marketers, law enforcement agencies etc. One may "sugarcoat" it (or to stretch this further "put the icing on the cake") and call it as another means of communicating/networking, but ultimately, when stripped down to its bare minimum, it is nothing more than another public database which is operated by various companies. The question is who owns this information? You or MySpace, Bebo etc. What if this information is later extracted and added onto another database to form a personal profile (or as one author wrote "online profiling"....?)? One need only have a couple of info specialists to do this and we have another database. We are certainly not far from online profiling and it is becoming far easier to use/reuse this information. This raises another question from the context of the European Commission current consultation into the Review of the PSI Re-Use Directive. Consultation is now closed, but probably worth revisiting some of the issues (re-use). Public databases and making information available (let alone "personal information") for free.

On a different note, there will be a social networking symposium which touches on privacy issues for those interested in developing this further.

Essay question for the week: Social networking is just another freely available public database accessible to anybody. Discuss.

See:

• Public Sector Information

Telemedia Act

More reading to do on my list: The German Telemedia Act replaces the Teleservices Data Protection Act and the Teleservices Act, but there is currently no English translation of this Act. However, the available text (pdf) can be found here.

Courtesy of IRIS:

After the Bundestag (lower house of the German Parliament) had adopted the Gesetz zur Vereinheitlichung von Vorschriften über bestimmte elektronische Informations- und Kommunikationsdienste (Act on the standardisation of provisions on certain electronic information and communication services - ElGVG), the cornerstone of which is the Telemediengesetz (Telemedia Act - TMG), on 18 January 2007, it was passed by the Bundesrat (upper house of the German Parliament) on 16 February 2007.

The Telemedia Act no longer distinguishes between tele-services, which were previously covered by the Teledienstegesetz (Teleservices Act - TDG) within the framework of the Informations- und Kommunikationsdienste-Gesetz (Information and Communication Services Act - IuKDG), and media services, which were previously the subject of the Mediendienstestaatsvertrag (Inter-State Agreement on Media Services - MDStV). Instead, similar to the Neunte Rundfunkänderungsstaatsvertrag (9th amendment to the Inter-State Broadcasting Agreement - RÄStV), it combines the two concepts (see IRIS 2005-2:9 and IRIS 2006-7:9). Commercial rules for telemedia will, in future, be found in the TMG, while content-related aspects will be regulated in a specific section of the Inter-State Broadcasting Agreement and the existing Jugendmedienschutz-Staatsvertrag (Inter-State Agreement on Protection of Youth in the Media). Telecommunications services and broadcasting are distinguished from telemedia and thus excluded from the scope of the new Act.

One new rule, which has attracted particular criticism, is the obligation to make user data available to investigating authorities for crime prevention purposes. This provision, which also applies in connection with the protection of intellectual property rights, has raised serious concerns from the perspective of data protection.

Protection from unsolicited e-mails ("spam") has also been extended insofar as it is now an offence for senders to breach information obligations, such as the failure to identify their communications as advertising or the withholding of their identity.

For those reading up on data protection developments in Germany, best starting guide (again, in German) would be Simitis's Commentary on Data Protection.

See also:

• German Telemedia Act
• German Law Archive -nb: only contains the German Teleservices and German Teleservices Data Protection Act
• Privacy International (PHR 2006)
  

Blogging and defamation

I came across this recent case on blogging and defamation in the UK, its implications still to be explored, but here is the latest press release (authored by S. Tuxford):

"The case of NIGEL SMITH and ADVFN Plc and others[1] concerns the application of the law of defamation to internet blogging. Mr Smith considered a number of statements published about him on a series of internet bulletin boards operated by ADVFN plc to be defamatory. He obtained so-called "Norwich Pharmacal" orders compelling ADVFN plc to release details of the bloggers responsible before bringing defamation proceedings against the persons identified (and ADVFN plc).

Faced with a large number of similar (and in some circumstances related) claims, the Court upheld an earlier order for a stay of all the claims to give each defendant an opportunity of being heard either in an oral hearing or by making written submissions. Of particular interest, and perhaps concern to claimants in defamation actions however, was the Court's characterisation of the alleged defamatory blogs.

A defamatory statement is one which tends to lower the claimant in the estimation of right-thinking members of society. Defamation is either libel or slander; libellous statements are made in permanent form and slander is defamation made in a transitory form. For slander the claimant will often have to prove that he has suffered some actual financial loss. This is not generally necessary in the case of libel, making it a more attractive action for claimants.

As blogs remain displayed online, they may quite reasonably be considered to give rise to libel actions only. The Court (Mr Justice Eady) questioned this analysis, opining that blogs may amount to slander:

"[Blogs] are read by relatively few people, most of whom will share an interest in the subject-matter; they are rather like contributions to a casual conversation (the analogy sometimes being drawn with people chatting in a bar) which people simply note before moving on; they are often uninhibited, casual and ill thought out; those who participate know this and expect a certain amount of repartee or "give and take"...their identities will often not be known to others. This is no doubt a disinhibiting factor affecting what people are prepared to say in this special environment...People do not often take a "thread" and go through it as a whole like a newspaper article. They tend to read the remarks, make their own contributions if they feel inclined, and think no more about it."

However, Mr Justice Eady did note "I would not suggest for a moment that blogging cannot ever form the basis of a legitimate libel claim." so the position is far from certain; whether a defamatory blog amounts to libel or slander will depend on all the circumstances."

Source: Bristows, Sept. 2008

There have been relatively few cases on this, so this strikes me as one worth reading up on.

Browsers and privacy, part 2

As an update on web browsers and privacy, Mozilla Firefox is also working towards a privacy mode:

"Privacy seems to be the magic word in the browsers world these days. Surfing without leaving any trace seems to be the ultimate offer for any browser out there. Internet Explorer has it, Google Chrome offers it and now it seems like the next version of Firefox, Firefox 3.1, will add it as well.

Since the release of Google Chrome, every browser maker has entered in an emergency mode and it seems like Mozilla is paying attention to what is happening with the competition.

According to note from Mozilla Wiki, the next version of Firefox will offer a Private Mode. In fact, the feature was intended to be released in the version 3.0, but it was dropped to keep the browser on schedule.

Mike Connor, Firefox lead develop, has a pretty good description on how the Private feature will look like.

“Ensure that users can't be tracked when doing "private" things. There should be a clear line drawn between your "public" and "private" browsing sessions. It is acceptable to let things touch magnetic storage, as long as the cleanup mechanism is robust enough to clean up,” he wrote in a note.

”Non-goal for 3.1: Separate process sharing (some) data. When we get process-per-tab we can make it more IE-like, but doing this also means that we have to have something like their "hey, you're in private browsing mode" banner on the URL bar for all the world to see. Which, to me, is fail” Connor also wrote."