Tuesday, July 08, 2008

Revisiting the DPA 1998

This has been widely reported:

Addressing the annual conference on Privacy Laws and Business in Cambridge, UK's Information Commissioner, Richard Thomas, has emphasised the need to bringing out necessary changes in European Data Protection Laws.

The Information Commissioner has stated that the existing laws are outdated and excessively bureaucratic, and these laws aren't in line with the modern internet age.

The Information Commissioner's Office (ICO) has commissioned RAND Europe, a research group, to assessing the current laws, and to come up with the key areas of improvement in existing structure.

Thomas also added that the research will help in designing more straightforward and effective laws, without putting extra burden on enterprises.

A representative from RAND has mentioned that the assessment process will involve small interviews and workshops, with a significant participation of small organizations. The group is expected to publish its report in April 2009.

However, Thomas admitted that the reform process would be slow, and the proposed changes may not be applicable till five years down the line, but the start can't be delayed any further.

Whilst these developments are being considered, there are several issues that will need to be revisited not least:

1) Scope of "Personal data" as laid down under the European Data Protection Directive 95/46/EC

2) Distinction drawn between sensitive and non-sensitive data as applied online under Art. 8.1 of the Directive.

3) Onset of social networking (user-generated content)

4) The ease with which information can be easily transferred (Art. 25 of the Data Protection Directive 95/46/EC) will need to be revisited.

5) Scope of the exemptions laid down under Art. 9 of the Data Protection Directive 95/46/EC - processing of personal data for the purposes of artistic, literary and journalistic purposes.

On a separate note, however, identity principles ("identity commons") has been discussed to a greater extent:

"Id Commons is defined in Wiki-Commons as:

The following Purpose and Principles are the "core DNA" of Identity Commons as an organization. We use this term since all Identity Commons working groups agree to inherit these, i.e., each one is accomplishing a specialization of this Purpose, and each one is operating in accordance with a specialization of these Principles. See Background and see our old Wiki for more about how we got here. Feel free to leave comments or make suggestions as to how this statement of Purpose and these Principles can be further improved.

The purpose of Identity Commons is to support, facilitate, and promote the creation of an open identity layer for the Internet, one that maximizes control, convenience, and privacy for the individual while encouraging the development of healthy, interoperable communities."

This could work alongside the current EU legal framework, but remains to be seen how effective this would be.


Monday, July 07, 2008

Google Street View

Having had to take a break from blogging, Google Street - views raises more unusual privacy issues (not least data protection). Out-Law has the latest press release:

A privacy pressure group has told Google that its Street View photography service will break the law. But the company says that its technical measures will safeguard people's privacy.

Street View allows users of Google's maps to view 360 degree photographs of streetscapes in towns and cities that have been catalogued by Google cameras. The company's distinctive cars with cameras attached were spotted on the streets of London for the first time last week.

Pressure group Privacy International wrote to Google's senior privacy counsel Jane Horvath last week to explain its reservations. "You may be aware that Privacy International has stated, both privately to Google legal staff and to the media, that we are concerned about a number of potential violations of national law that this technology may create," wrote Simon Davies of Privacy International.

Davies said that if Google did not satisfy him that it had taken great enough account of users' privacy he would complain about the service to the Information Commissioner's Office (ICO).

Google, though, has implemented blurring technology in order to protect the identities of people and vehicles pictured. The technology blurs faces and vehicle number plates allowing high quality images to contain indistinct people and number plates.

Horvath has written back to Davies explaining that the face and number plate blurring technology has been in place since May. Though she conceded that it is not perfect, she said that it does protect privacy.

Source: Out-Law news

Wednesday, July 02, 2008

Surveillance case

The ECtHR has recently ruled on an important case (58243/00) concerning surveillance laws and privacy. According to Liberty:

"In a significant judgement today, the European Court of Human Rights found that UK surveillance laws had lacked the necessary clarity and accountability to prevent abuses of power when used to intercept cross-border communications.The ECHR agreed with human rights group Liberty that surveillance law and practice must be tighter to protect individual privacy rights.

Alex Gask, Liberty’s Legal Officer who brought the case, said:

“The Court of Human Rights has rightly found that greater accessibility and accountability is required to ensure respect for the privacy of thousands of innocent people. While secret surveillance is a valuable tool, the mechanisms for intercepting our telephone calls and e-mails should be as open and accountable as possible, and should ensure proportionate use of very wide powers.”

The ECHR referred to German authorities as an example of best practice in surveillance techniques, in part, because they ensured that monitoring of communications is suited to each investigation and required bi-annual reviews of the need to store the materials.

Gareth Crossman, Liberty’s Policy Director and leading expert on privacy rights, said:

“This judgement highlights the wider problem of excessive surveillance undermining public trust. Whether it’s fishing expeditions of our overseas phone calls or local councils using targeted surveillance to check on school catchment areas, we need a prompt review of the broad powers in RIPA.”

In the judgement, the ECHR states that it, “does not consider that the domestic law at the relevant time indicated with sufficient clarity, so as to provide adequate protection against abuse of power, the scope or manner of exercise of the very wide discretion conferred on the State to intercept and examine external communications. In particular, it did not, as required by the Court’s case-law, set out in a form accessible to the public any indication of the procedure to be followed for selecting for examination, sharing, storing and destroying intercepted material. The interference with the applicants’ rights under Article 8 (the right to privacy) was not, therefore, “in accordance with the law.”

Mark Kelly, Director of the Irish Council for Civil Liberties, added that:

“The Court has found that the United Kingdom’s relatively sophisticated rules on data interception have failed to prevent unlawful interference with privacy rights. This has clear implications for many other Council of Europe member states, including Ireland. Our lax data interception regime will require a thorough overhaul in order to ensure that it meets the standards required by the European Court of Human Rights under Article 8.”