<strong>DP thinker</strong> by <a href="http://www.blogger.com/profile/10663628557007598205">DP Blog</a><br /><br /><strong>Recommend blog posts</strong> (posted 2010-03-23)<br /><br />For researchers working on privacy developments, here are a few suggested links to keep abreast of the latest:<br /><br />1) <a href="http://www.huntonprivacyblog.com/">Hunton and Williams Privacy Law Blog</a><br />2) <a href="http://datonomy.blogspot.com/">Datonomy, the data protection weblog</a><br />3) <a href="http://www.edri.org/">European Digital Rights in Europe (EDRI)</a><br />4) <a href="http://www.pogowasright.org/">Pogowasright</a> - US focussed<br />5) <a href="http://www.privacyexchange.org/">Privacy Exchange</a> - slightly outdated, but still relevant<br />6) <a href="http://ec.europa.eu/justice_home/fsj/privacy/nationalcomm/index_en.htm">European Commission: Data Protection Commissioners</a><br />7) <a href="https://www.privacyos.eu/">PrivacyOS - European Privacy Open Space</a><br /><br /><strong>ICO Consultation</strong> (posted 2009-08-12)<br /><br /><div style="text-align: justify;">Having been overwhelmed with plenty of books to read on my to-do list, here is just the latest on data protection developments. The ICO is currently conducting a public consultation (view on this later) into an online code of practice. If you have not yet aired your views, it is still not too late. 
By way of recap:<br /></div><br /><span style="font-style: italic;">The code will provide comprehensive, accessible guidance on the following broad areas: </span> <ul style="font-style: italic;" type="disc"><li> <span>Operating a privacy-friendly website </span> </li><li> <span>Rights and protections for individuals </span> </li><li> <span>Privacy choices and default settings </span> </li><li> <span>Cyberspace and territoriality </span> </li></ul> <p style="font-style: italic;"> <span>We intend to publish the code in May 2010, following a public consultation exercise.</span></p>Further details can be found <a href="http://www.ico.gov.uk/about_us/consultations/our_consultations.aspx">here.</a><br /><br /><div style="text-align: justify;">On a different note, Oxford Brookes University and BILETA are hosting a one-day event for doctoral researchers engaged in the field of IT, IP and Cyberspace law on September 11, 2009. Please mark this in your diaries. Further details about registration can be found <a href="http://www.bileta.ac.uk/responses/1/PhD%20Event.pdf">here</a>.<br /></div><br /><br /><strong>How well do you know your privacy policies?</strong> (posted 2009-07-02)<br /><br /><div align="justify"><a href="http://4.bp.blogspot.com/_zDxQHr1GRNM/Sk0qKX8nDaI/AAAAAAAAAVI/Uitfu3XSci0/s1600-h/logo.png"><img id="BLOGGER_PHOTO_ID_5353981889728679330" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 180px; CURSOR: hand; HEIGHT: 53px" alt="" src="http://4.bp.blogspot.com/_zDxQHr1GRNM/Sk0qKX8nDaI/AAAAAAAAAVI/Uitfu3XSci0/s200/logo.png" border="0" /></a>Whilst updating my reading, I came across this recent update: the EFF has introduced the ToS Tracker, which keeps an eye on 58 website privacy policies. 
Courtesy of <a href="http://www.darkreading.com/securityservices/security/privacy/showArticle.jhtml?articleID=217702061">Dark Reading</a>:<br /><em></div><div align="justify"><blockquote><p><em>The EFF on Thursday launched </em><a href="http://www.tosback.org/" target="new"><em>TOSBack.org</em></a><em>, a "terms of service" tracker for Facebook, Google, eBay, and other major Websites. The idea is to give users an easy way of finding the privacy policies used by their favorite sites, and to be alerted when those policies change. TOSBack.org offers a real-time feed of changes and updates to more than three dozen policies from the Internet's most popular online services. Clicking on an update brings users a side-by-side, before-and-after comparison, highlighting what has been removed from the policy and what has been added, the EFF says. The issue of terms-of-service changes -- and how and why they are made -- was highlighted earlier this year when Facebook modified its terms of use. Facebook users worried that the change gave the company the right to use their content indefinitely. After a user revolt, Facebook announced it would restore the former terms while it worked through the concerns users had raised. "Some changes to terms of service are good for consumers, and some are bad," says EFF senior staff attorney Fred von Lohmann. "But Internet users are increasingly trusting Websites with everything from their photos to their 'friends lists' to their calendar -- and sometimes even their medical information. TOSBack will help consumers flag changes in the Websites they use every day and trust with their personal information." 
</em></p><ul><li><a href="http://www.tosback.org/policy.php?pid=8">ToS Tracker</a></li><li><a href="http://www.eff.org/press/archives/2009/06/03-0">EFF launches TOSBack</a></em></li></ul></blockquote></div><br /><br /><strong>Art. 29 Working Party Opinion on SNS</strong> (posted 2009-06-21)<br /><br /><div align="justify">According to the latest press release, the Art. 29 Working Party has issued an <a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf">opinion</a> (pdf) on social networking sites ("SNS"). In particular, it addresses how the SNS can meet its data protection obligations by considering who is the data controller (SNS providers; application providers; users are exempt under Art. 3.2 Data Protection Directive, but the opinion leaves open the possibility that they could have data controller responsibilities); information to be provided by SNS; third party access and whether retention of data under a SNS. In sum, the Art. 29 Working Party provides:</div><br /><em><strong>Applicability of EC Directives</strong></em><br /><div align="justify"><br /><em>1. The Data Protection Directive generally applies to the processing of personal data by SNS, even when their headquarters are outside of the EEA.<br />2. SNS providers are considered data controllers under the Data Protection Directive.<br />3. Application providers might be considered data controllers under the Data Protection Directive.<br />4. Users are considered data subjects vis-à-vis the processing of their data by SNS.<br />5. Processing of personal data by users in most cases falls within the household exemption. There are instances where the activities of a user are not covered by this exemption.<br />6. 
SNS fall outside of the scope of the definition of electronic communication service and therefore the Data Retention Directive does not apply to SNS.</em></div><div align="justify"><br /><em><strong>Obligations of SNS</strong></em></div><div align="justify"><br /><em>7. SNS should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data.<br />8. SNS should offer privacy-friendly default settings.<br />9. SNS should provide information and adequate warning to users about privacy risks when they upload data onto the SNS.<br />11. Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.<br />12. At a minimum, the homepage of SNS should contain a link to a complaint facility, covering data protection issues, for both members and non-members.<br />13. Marketing activity must comply with the rules laid down in the Data Protection and ePrivacy Directives.</em></div><div align="justify"><em></em> </div><ul><li><div align="justify"><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf">Art. 
29 Working Party</a> <a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf">Opinion</a> (pdf)</div></li></ul><br /><br /><strong>Rand Report</strong> (posted 2009-05-21)<br /><br /><a href="http://2.bp.blogspot.com/_zDxQHr1GRNM/ShUeO4MbFYI/AAAAAAAAAUo/wB3GFlepLiM/s1600-h/rand_flex.jpg"><img id="BLOGGER_PHOTO_ID_5338206174269085058" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 176px; CURSOR: hand; HEIGHT: 156px" alt="" src="http://2.bp.blogspot.com/_zDxQHr1GRNM/ShUeO4MbFYI/AAAAAAAAAUo/wB3GFlepLiM/s200/rand_flex.jpg" border="0" /></a>With the <a href="http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.pdf">Rand Report </a>finally published, some observations on a few points:<br /><br /><br /><div><div align="justify">1) Common interpretations of certain provisions of the [Data Protection] Directive (<em>charter for effective interpretation</em>) were needed to ensure that it functions optimally in the future. In particular, reference was also made to the Swedish model, which established a set of regulations using a risk-based approach (misuse-orientated approach) without undermining the Directive. According to the report, the “Swedish regulator was convinced that such a route remains legally acceptable without violating the current provisions of the Directive”. 
The report further commends the Swedish model, by recommending that the Charter should encourage the use of a risk-based approach to the application of the rules focusing on acts of data processing where harm can reasonably be expected <span style="color:#000099;">[read Seipel's commentary on Swedish developments in <a href="http://www.amazon.com/Nordic-Data-Protection-Peter-Blume/dp/9176784665/ref=sr_1_1?ie=UTF8&s=books&qid=1242897135&sr=8-1">Nordic Data Protection Law</a> and short commentary <a href="http://www.law.ed.ac.uk/ahrc/script-ed/vol2-1/wong.asp">here</a>]</span></div><br /><br /><div align="justify">2) Recommendation 2: improving the effectiveness of the Adequacy rule and facilitating the use of alternatives to the adequacy rule (it is all about “contracts” to enable the transfer of personal information from one organisation to another in a non-EEA country) <span style="color:#000099;">[Only criticism is that this should not impact on everyday processing such as the internet (uploading of files containing peripheral personal information, such as a news report, book or article, should not be brought within <a href="http://www.cdt.org/privacy/eudirective/EU_Directive_.html#HD_NM_45">Art. 25</a>; even if the interpretation should be stretched, then the exemptions under <a href="http://www.cdt.org/privacy/eudirective/EU_Directive_.html#HD_NM_23">Art. 26 </a>ought to be embraced)]</span></div><br /><br /><div align="justify">3) Develop more suitable privacy policies – in particular, reference is made to encouraging clearer guidelines for data controllers on communicating their policies to data subjects with reference to the Creative Commons model of intellectual property right licences. In a Creative Commons model, certain standard types of licences are developed which can be communicated to end users through short, easy to understand descriptions (e.g. “attribution”, “non-commercial”, “no derivative works”,...). 
A comparable approach could be adopted with regard to privacy policies, by providing summary notices based on such standardised descriptions. These should be relatively easy for interested consumers to understand <span style="color:#000099;">[on this note, any privacy policies ought to complement the existing Data Protection Directive and national Data Protection Acts 1998 - for those unfamiliar with a Privacy Commons model, see this </span><a href="http://arstechnica.com/tech-policy/news/2009/02/a-creative-commons-for-privacy.ars"><span style="color:#000099;">short commentary</span></a><span style="color:#000099;">]</span></div><br /><div align="justify"></div><br /><div align="justify">4) The Chief Privacy Officer role may be identified as an alternative to a privacy policy, there mainly to provide for accountability within an organisation. Regulations should be designed that would make Chief Privacy Officers personally responsible and/or criminally liable for willingly engaging in risky, unscrupulous or irresponsible behaviour by their organisations regarding the use of personal data. This would be comparable to the <span style="color:#000000;">model</span> of the Chief Privacy Officer in certain organisations in the US, which hold real decision making and enforcing power and are highly respected both within their organisations and by regulators and DPAs <span style="color:#000099;">[on this recommendation, making CPOs accountable to the point of being “criminally liable” would be considered too onerous a measure and would likely inhibit “would be” Privacy Officers (data protection officers in the UK). Furthermore, the level of responsibilities held by Privacy Officers in an organisation may vary and it is unclear whether they would be considered to be solely responsible for the oversight of privacy rules. 
In other words, CEOs and Directors may also play a role].</span></div><div align="justify"><span style="color:#000099;"></span></div><br /><div align="justify"><span style="color:#000000;">See also Commentary from:</span></div><br /><div align="justify"></div><ul><li><div align="justify"><a href="http://www.out-law.com/page-10005">Out-law</a></div></li><li><div align="justify"><a href="http://www.huntonprivacyblog.com/2009/05/articles/european-union-1/rand-report-commissioned-by-the-uk-information-commissioners-office/">H&W</a></div></li></ul></div><br /><br /><strong>Book Review</strong> (posted 2009-05-17)<br /><br /><div align="justify">Whilst ploughing through <em><a href="http://www.amazon.com/Privacy-Advocates-Resisting-Spread-Surveillance/dp/0262026384/ref=sr_1_1?ie=UTF8&s=books&qid=1242565044&sr=8-1">Privacy Advocates</a> </em>(and marking to complete), particularly on the role of the Privacy Consultant (in the UK, data protection/privacy officers), I came across this sage advice:</div><div align="justify"></div><div align="justify"><em><blockquote>"The role of academics within the privacy advocacy community raises larger questions about the responsibility of intellectuals within the society. Should academic work be driven by the pressing social problems of the day?... Here is Stanley Fish's advice..."Do your job; don't try to do someone else's job, as you are unlikely to be qualified...don't confuse your academic obligations with the obligation to save the world; and don't surrender your academic obligations to the agenda of a non-academic constituency... 
don't cross the boundary between academic work and partisan advocacy, whether the advocacy is yours or someone else's...The job of the academic is not to change the world, as Karl Marx said, but to interpret it"</blockquote></em></div>Thought-provoking analysis for privacy researchers!<br /><br /><strong>Data Protection Developments</strong> (posted 2009-04-29, updated 2009-05-13)<br /><br />The <a href="http://www.blogger.com/www.ico.gov.uk">ICO</a> has recently published its press release entitled: <em>Data Protection in the EU: promising themes for reform</em>:<em><br /><br /></em><em><div align="justify"><blockquote><p><em>The Review of the EU Directive prepared for my Office by RAND Europe has been presented to participants at this conference as a draft. The presentation by Neil Robinson and Hans Graux has highlighted their main findings and short and long-term recommendations. Peter Hustinx has added some very perceptive and important observations. We plan to publish the final version of the RAND Report in May – shortly before the conference which has been convened by Commissioner Jacques Barrot. We have always been clear that the RAND study is intended to provide food for thought and to stimulate debate. It is not a blueprint for reform, still less does it contain the draft of a new Directive. We are equally clear that any reform will take many years, but the debate must start somewhere. That debate has started here in Edinburgh today. 
As the draft Edinburgh Declaration which will be discussed tomorrow makes clear, the fundamental role for Commissioners in this debate is that of Leadership</em></em></p></blockquote></div><p>The press release goes into detail over the strengths of the DPD including:</p><em><blockquote><em></em></blockquote><blockquote>The Directive is comprehensive, broadly-drafted and sets out a basic framework of protection, drawing on OECD and Council of Europe approaches. </blockquote><blockquote>• It sets standards which are widely seen as “High” and has a strong Human Rights resonance, with sharp focus on fundamental rights and freedoms.<br /><br />• It has given people important and usable access and other rights.<br /><br />• The basic Data Protection Principles have stood the test of time well and are flexible in their drafting and application.<br /><br />• The Directive seeks to be largely neutral in terms of technology.<br /><br />• The Directive can claim significant success in harmonising DP rules and promoting an internal market across the European Union. 
</em></blockquote><p>The press release also identifies the following:</p><em></em><em><blockquote><p align="justify"><em>There must be more emphasis on the benefits of maximum and genuine transparency, for example:<br /><br />• Privacy by Design and the use of published Privacy Impact Assessments.<br /><br />• There is much more scope to encourage and require organisations to adopt Privacy Policies, make them easily available and – of course - hold them to account for fulfilment.<br /><br />• There is more scope for trust marks, accountability agents and 3rd party certification.<br /><br />• More controversially, perhaps, we can envisage greater use of self-certification.<br /><br />• And we must improve the use and content of Privacy Notices, getting the right information to the right people in the right language at the right time.</em></em></p></blockquote><blockquote><p>More details can be found in their <a href="http://www.ico.gov.uk/upload/documents/library/corporate/notices/data_protection_in_the_eu.pdf">press release</a> (pdf). 
</p><p align="justify"><strong>Update: </strong>The <a href="http://www.ico.gov.uk/upload/documents/library/data_protection/detailed_specialist_guides/review_of_eu_dp_directive.pdf">full report </a>is now available including its recommendations with commentaries from <a href="http://www.out-law.com/page-10005">Out-law</a> and <a href="http://www.huntonprivacyblog.com/2009/05/articles/european-union-1/rand-report-commissioned-by-the-uk-information-commissioners-office/">H&W</a>.<br /></p><em></em><br /><p></p></blockquote><br /><br /><strong>Phorm saga</strong> (posted 2009-04-14)<br /><br /><div align="justify">According to a press release from <a href="http://www.out-law.com//default.aspx?page=9945">Out-Law News</a>, in the latest on the Phorm saga, the European Commission has issued proceedings against the UK over its implementation of the European Union Directives:</div><div align="justify"><br /><em><blockquote><div align="justify"><em>UK laws protecting the privacy of people's communications are inadequate, the European Commission has said. The Commission has launched a legal case against the UK over its implementation of European Union Directives.<br /></em><a href="http://www.out-law.com//page-6024"></a><br /><em>The Commission's investigation was sparked by outrage over trials by BT of a system which monitors web use and tries to match advertising to people's perceived interests. The trials were done without BT customers' knowledge or permission. The Commission has investigated complaints made to it and to police and has found the UK's laws inadequate in protecting the privacy of communications. "The Commission has concerns that there are structural problems in the way the UK has implemented EU rules ensuring the confidentiality of communications," said a Commission statement. 
BT used technology made and promoted by Phorm to track users' online activity. It has since run trials in which it did ask users' permission. The Commission said that BT's trials have been the subject of complaints to privacy regulator the Information Commissioner's Office (ICO) and to police. The Commission believes that UK laws do not properly implement two Directives aimed at protecting privacy, the Privacy and Electronic Communications Directive and the Data Protection Directive.</em></div><div align="justify"></div><div align="justify"> </div><div align="justify">Update: </div><div align="justify"></div><div align="justify"> </div><div align="justify">Commentary from:</div><ul><li><div align="justify"><a href="http://www.openrightsgroup.org/2009/04/14/eu-commission-moves-against-uk-government-and-phorm/">Open Rights.org</a></div></li></ul><div align="justify"><em></em></div></blockquote></em></div><br /><br /><strong>Reading list</strong> (posted 2009-04-02)<br /><br /><div align="justify">Having been slightly disorganised over the last week, and with plenty of reading to do over Easter, including a recommended book by Clay Shirky titled "Here comes everybody", this post will diverge from discussion over data protection developments. </div><br />Short excerpt of the book:<br /><br /><div align="justify"><em>Welcome to the new future of involvement. Forming groups is easier than it’s ever been: unpaid volunteers can build an encyclopaedia together in their spare time, mistreated customers can join forces to get their revenge on airlines and high street banks, and one man with a laptop can raise an army to help recover a stolen phone. 
The results of this new world of easy collaboration can be both good (young people defying an oppressive government with a guerrilla ice-cream eating protest) and bad (girls sharing advice for staying dangerously skinny) but it’s here and, as Clay Shirky shows, it’s affecting … well, everybody. For the first time, we have the tools to make group action truly a reality. And they’re going to change our whole world</em>. </div><br />Forthcoming conferences that researchers ought to attend include (not exhaustive):<br /><br /><ul><li><a href="http://www.winchester.ac.uk/?page=9871">BILETA</a> </li><li><a href="http://www.privacylaws.com/templates/AnnualConferences.aspx?id=641">Privacy, Laws and Business, 22nd Annual International Conference 6-8 July 2009</a></li><li><a href="http://www.foiconference.co.uk/">5th Annual Freedom of Information Conference, 12-13th May 2009</a></li></ul><br /><br /><strong>Google Streetview</strong> (posted 2009-03-26)<br /><br /><a href="http://4.bp.blogspot.com/_zDxQHr1GRNM/ScvwRiX8vAI/AAAAAAAAAUg/FMmkRVoBs80/s1600-h/street_view.jpg"><img id="BLOGGER_PHOTO_ID_5317607969116699650" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 175px; CURSOR: hand; HEIGHT: 130px" alt="" src="http://4.bp.blogspot.com/_zDxQHr1GRNM/ScvwRiX8vAI/AAAAAAAAAUg/FMmkRVoBs80/s200/street_view.jpg" border="0" /></a>According to the latest UK <a href="http://www.telegraph.co.uk/scienceandtechnology/technology/google/5041999/Google-Street-View-formal-privacy-complaint.html">ICO press release </a>on Google Streetview:<br /><br /><div align="justify"><br /><em>Google's Street View includes a facility which allows vehicle registration marks and faces to be blurred. Individuals who feel that an image does identify them (and are unhappy with this) should contact Google direct to get the image removed. 
Individuals who have raised concerns with Google about their image being included - and who do not think they have received a satisfactory response - can complain to the </em>[UK]<em> </em><a href="http://www.ico.gov.uk/"><em>ICO.</em></a></div><div align="justify"></div><div align="justify"></div><div align="justify"> </div><div align="justify">See also: </div><div align="justify"></div><div align="justify"></div><ul><li><div align="justify">BBC Press clip: Call to "shut down" Street View, 24 March 2009 </div></li></ul><div align="justify"></div><div align="justify"></div><div align="justify"></div><div align="justify"></div><ul><li><div align="justify"><a href="http://dataprotectionthinker.blogspot.com/2007/07/art-29-working-party-opinion-on.html">Art. 
29 Working Party's Opinion on Personal Data </a></div></li></ul><br /><br /><strong>2nd Privacy OS Conference</strong> (posted 2009-03-26)<br /><br /><a href="http://3.bp.blogspot.com/_zDxQHr1GRNM/ScvplEMNe0I/AAAAAAAAAUY/kRDLRoMGutw/s1600-h/invitation_berlin.jpg"><img id="BLOGGER_PHOTO_ID_5317600608030391106" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 180px; CURSOR: hand; HEIGHT: 200px" alt="" src="http://3.bp.blogspot.com/_zDxQHr1GRNM/ScvplEMNe0I/AAAAAAAAAUY/kRDLRoMGutw/s200/invitation_berlin.jpg" border="0" /></a> <div>The 2nd Privacy OS Conference will be held in Berlin, 1-3 April 2009. More details of the Conference can be found <a href="https://www.privacyos.eu/index.php?option=com_content&view=frontpage&Itemid=1">here</a>. A brief background of PrivacyOS:</div><br /><div></div><br /><div align="justify"><em><strong>About PrivacyOS</strong><br /><br />PrivacyOS is a European project aimed at bringing together industry, SMEs, government, academia and civil society to foster development of privacy infrastructures for Europe and is coordinated by the Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD), which is also the office of the Privacy Commissioner of the German State of Schleswig Holstein. The general objectives of PrivacyOS are to create a long-term collaboration in the thematic network and establish collective interfaces with other EU projects. 
Participants exchange research and best practices, as well as develop strategies and joint projects following four core policy goals: Awareness-raising, enabling privacy on the Web, fostering privacy-friendly Identity Management, and stipulating research.<br /><br />Further information can be found at </em><a href="http://www.privacyos.eu/"><em>http://www.privacyos.eu/</em></a><em> .</em></div><br /><br /><strong>Phorm and Websites</strong> (posted 2009-03-23)<br /><br />In the latest saga on Phorm and websites, according to the <a href="http://newsvote.bbc.co.uk/1/hi/technology/7959099.stm">Beeb</a>:<br /><em><em></em></em><br /><div align="justify"><em><em>"Seven of the UK's biggest web firms have been urged to opt out of a controversial ad-serving system. Phorm - aka Webwise - profiles users' browsing habits and serves up adverts based on which sites they visit. In an open letter, the Open Rights Group (ORG) has asked the firms to block Phorm's attempts to profile their sites, to thwart the profiling system. Before now, Phorm has defended its technology saying that it does not break data interception laws.<br /><br />Legal view<br /><br />Chief privacy officers at Microsoft, Google/Youtube, Facebook, AOL/Bebo, Yahoo, Amazon and Ebay have been sent copies of the letter signed by the digital rights campaign group and anti-phorm campaigners</em>." </em></div><em></em><br /><a href="http://www.openrightsgroup.org/">Open Rights Group</a> has more on this.<br /><ul><li><a href="http://newsvote.bbc.co.uk/1/hi/technology/7959099.stm">BBC: Big websites urged to avoid Phorm</a></li></ul>
<br /><br /><strong>Art. 29 Working Party Opinion on E-Privacy Directive</strong> (posted 2009-03-02, updated 2009-03-03)<br /><br /><div align="justify">According to SCL, the Art. 29 Working Party has issued its third opinion on proposals amending the Directive on Privacy and Electronic Communications 2002/58/EC. More from SCL:</div><div align="justify"></div><div align="justify"><em><blockquote><div align="justify"><em>In a further official Opinion on the e-Privacy Directive, dated 10 February and now available online, the Article 29 Working Party has emphasised some of its concerns about the impending e-Privacy Directive. While much of the Opinion retreads old ground, the tone of the comments on the data breach notification aspects of the Directive is arresting.</em></div><div align="justify"><em></em></div><div align="justify"><em><p>The Working Party believes that: ‘an extension of personal data breach notifications to Information Society Services is necessary given the ever increasing role these services play in the daily lives of European citizens, and the increasing amounts of personal data processed by these services. Online transactions including access to e-banking services, private sector medical records and online shopping are few examples of services that may be subject to personal data breaches causing significant risks to a large number of European citizens. Limiting the scope of these obligations to publicly available electronic communications services would only affect a very limited number of stakeholders and thus would significantly reduce the impact of personal data breach notifications as a means to protect individuals against risks such as identity theft, financial loss, loss of business or employment opportunities and physical harm.’</em></p></div></blockquote></em><em></em></div><ul><li><div align="justify"><a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp159_en.pdf">Art. 
29 Working Party on Proposals amending the Directive on Privacy and Electronic Communications 2002/58/EC</a> (pdf)</div><p></p></li><li><div align="justify"><a href="http://www.out-law.com/page-9800">Bruce Schneier's view on personal data breach notification laws</a></div></li></ul><p align="justify">UPDATE: In a further development of proposed data breach notification laws, according to <a href="http://www.out-law.com//default.aspx?page=9841">Out-law</a>, the Council of Ministers have rejected plans to expand the scope of the European Union security breach law beyond telecoms companies. More from <a href="http://www.out-law.com//default.aspx?page=9841">Out-Law</a>.</p><br /><br /><strong>Surveillance Report</strong> (posted 2009-02-08, updated 2009-02-09)<br /><br /><div align="justify">The House of Lords Constitution Committee has recently published a report discussing the expansion of 'surveillance society', reiterating the warning that the right to privacy is being undermined by pervasive and routine electronic surveillance and collection of personal data:</div><div align="justify"></div><div align="justify"></div><blockquote><br /><p align="justify"><em>The report makes over forty recommendations, including statutory regulation of the use of CCTV cameras, a clear legislative framework for the DNA database, a review of the provisions of the Regulation of Investigatory Powers Act, and amendments to the Data Protection Act to provide for 'privacy impact assessments' before any new surveillance regime is introduced. A complaints procedure for breaches of Article 8 should be established, and "where appropriate", legal aid should be made available for Article 8 claims. Compensation should be paid to the victims of "unlawful surveillance" by public authorities. 
The report also endorses tighter controls within government and a new joint parliamentary committee on surveillance and data powers, to which the Information Commission, whose powers should be strengthened, could report.</em></p><p align="left">Source: 5RB</p><p align="left"><a href="http://www.openrightsgroup.org/2009/02/06/lords-constitution-committee-report-on-surveillance-and-privacy/">Open Rights Group </a>considers this in more detail.<br /></p><p align="justify">See:<br /></p></blockquote><ul><li><div align="justify"><a href="http://www.publications.parliament.uk/pa/ld200809/ldselect/ldconst/18/1802.htm">House of Lords Constitution Committee Report</a></div></li></ul>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com1tag:blogger.com,1999:blog-19805211.post-52357080607835177972009-02-08T22:28:00.010+00:002009-02-09T13:03:14.226+00:00DS BreachesAccording to the latest findings, data breaches appear to have become a common occurrence:<br /><br /><div align="justify"><em>The personal information of UK citizens is being lost and stolen at an unprecedented rate, the UK’s privacy watchdog said today. Nearly 100 data breaches were reported to the Information Commissioner’s Office (ICO) in the last three months alone, with millions of bank details, addresses, emails, private health information and employee salary statements lost or stolen in 2008. Data breaches jumped by 36 per cent last year, the ICO said. Personal information is now lost - on average - more than once a day.</em><br /><br /><p><em>In June, Virgin Media lost a CD containing private information on more than 3,000 customers while a hospital in Wembley recently had two computers stolen which contained the unencrypted details on 400 patients. 
Richard Thomas, the Information Commissioner, said it was “unacceptable” that private companies - responsible for 112 of the 376 data breaches last year - could not be investigated by the ICO without their permission.</em> </p></div><div align="justify"></div><div align="justify">Source: The Times, 8 Feb. 2009</div><br /><div align="justify"></div><div align="justify">The technical security standards that organisations must maintain are covered by the 7th data protection principle of the UK Data Protection Act 1998. Getting a privacy audit (or a <a href="http://www.ico.gov.uk/upload/documents/pia_handbook_html/html/10-fullbackground.html">privacy impact assessment test</a>) of the organisation's technical security procedures would be a starting point. More details can be found on the ICO website.</div>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-50305890060444371552009-01-29T18:50:00.003+00:002009-01-29T19:13:04.327+00:00Search engines - IP addresses<div align="justify">The retention of search log data has been the subject of much discussion. Notwithstanding the <a href="http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp148_en.pdf">Art. 29 Working Party's opinion</a> that the Data Retention Directive 2006/24/EC does not apply to search engines, the retention policies of search engines continue to be a discussion point: </div><div align="justify"><br />Google - 9 months retention policy<br /><br />Yahoo - 3 months<br /><br />Ixquick - 48 hours (as of 28/1/09 - no IP addresses are stored)</div><div align="justify"></div><p align="justify">Ixquick appears to be the preferred search engine for its retention policy, having been awarded the European Privacy Seal - whether other search engines will reduce their retention policy remains to be seen. 
</p><p align="justify">See also:</p><div align="justify"><ul><li><a href="http://eulaw.typepad.com/eulawblog/2008/04/privacy-and-sea.html">EU Law Blog</a></li></ul></div>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-16337768656625075752009-01-29T18:39:00.002+00:002009-01-29T18:49:03.227+00:00Data Protection Day<div align="justify">Marking aside, the Data Protection Day took place yesterday, 28th January: the ICO launched the Personal Information Promise:</div><br /><div align="justify"><em>On 28 January 2009 the Information Commissioner’s Office celebrated European Data Protection Day by launching the Personal Information Promise, which was signed by major stakeholders at One Great George Street, Westminster, London.</em><br /></div><div align="justify">See also: </div><div align="justify"> </div><ul><li><div align="justify"><a href="http://www.intel.com/policy/dataprivacy.htm">Intel Data Privacy Day 2009</a></div></li><li><div align="justify"><a href="http://www.privacylawyer.ca/blog/2009/01/happy-data-privacy-day.html">PIPEDA Blog</a></div></li></ul>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com1tag:blogger.com,1999:blog-19805211.post-14270245743341085422008-12-29T11:25:00.021+00:002008-12-29T15:56:10.923+00:00ECJ's Judgment<div align="justify">Having had a short break from blogging (with teaching and marking to do), this ECJ's judgment in <em>Tietosuojavaltuutettu v Satakunnan Markkinapörssi Oy</em> (C-73/07) on the interpretation of Art. 9 of the Data Protection Directive 95/46/EC is worth noting, though it does not resolve the difficulty of the continuing interface between data protection and the journalistic, literary and artistic exemption (as provided under Art. 9) in the context of Data Protection Directive 95/46/EC. 
Out-Law provides a brief summary:</div><br /><div align="justify"><em><blockquote><em>A company that sends text messages revealing the income of Finland's wealthiest citizens is subject to European data protection laws but could be protected by an exemption for journalism, according to a ruling by the European Court of Justice (ECJ). The processing of personal data made available by Finnish tax authorities may be the subject of a derogation from the EU's data protection regime if it is carried out solely for journalistic purposes, the ECJ ruled. Unlike in the UK, details of taxes paid by individuals in Finland are made publicly available. For several years, a company called Markkinapörssi has collected public data from the Finnish tax authorities for the purposes of publishing extracts from those data in the regional editions of the newspaper Veropörrsi each year...In its judgment ..., the ECJ ruled that the activities of Markkinapörssi and Satamedia "must be considered as the 'processing of personal data' within the meaning of [the Data Protection Directive]" – even though the files of the public authorities that are used comprise only information that has already been published in the media. </em></blockquote></em><em></em></div><div align="justify">On the issue of Art. 9, the ECJ provides that:</div><br /><div align="justify"></div><div align="justify"><blockquote><div align="justify"><em>54 Article 9 of the directive refers to such a reconciliation. As is apparent, in particular, from recital 37 in the preamble to the directive, the object of Article 9 is to reconcile two fundamental rights: the protection of privacy and freedom of expression. 
The obligation to do so lies on the Member States.</em></div><div align="justify"><br /><a name="point55"><em>55</em></a><em> In order to reconcile those two ‘fundamental rights’ for the purposes of the directive, the Member States are required to provide for a number of derogations or limitations in relation to the protection of data and, therefore, in relation to the fundamental right to privacy, specified in Chapters II, IV and VI of the directive. Those derogations <strong>must be made solely</strong> for journalistic purposes or the purpose of artistic or literary expression, which fall within the scope of the fundamental right to freedom of expression, in so far as it is apparent that they are necessary in order to reconcile the right to privacy with the rules governing freedom of expression. </em></div><br /><div align="justify"><a name="point56"><em>56</em></a><em> In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary, first, to interpret notions relating to that freedom, such as journalism, broadly. Secondly, and in order to achieve a balance between the two fundamental rights, the protection of the fundamental right to privacy requires that the derogations and limitations in relation to the protection of data provided for in the chapters of the directive referred to above must apply only in so far as is strictly necessary. </em></div><div align="justify"></div></blockquote></div><div align="justify"><a href="http://eulaw.typepad.com/eulawblog/2008/12/privacy-and-freedom-of-the-press-case-c-7307.html">EU law blog</a> and <a href="http://www.lexferenda.com/17122008/a-taxing-case-on-data-protection-and-journalism/">Lex Ferenda</a> also give their analysis of this case. 
</div><br /><div align="justify"></div><ul><li><a href="http://curia.europa.eu/jurisp/cgi-bin/form.pl?lang=en&newform=newform&alljur=alljur&jurcdj=jurcdj&jurtpi=jurtpi&jurtfp=jurtfp&alldocrec=alldocrec&docj=docj&docor=docor&docop=docop&docav=docav&docsom=docsom&docinf=docinf&alldocnorec=alldocnorec&docnoj=docnoj&docnoor=docnoor&typeord=ALL&docnodecision=docnodecision&allcommjo=allcommjo&affint=affint&affclose=affclose&numaff=&ddatefs=16&mdatefs=12&ydatefs=2008&ddatefe=16&mdatefe=12&ydatefe=2008&nomusuel=&domaine=&mots=&resmax=100&Submit=Submit">ECJ's Judgment</a></li></ul>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-75585546148498921952008-12-29T11:25:00.016+00:002008-12-29T15:53:20.240+00:00Events<a href="http://3.bp.blogspot.com/_zDxQHr1GRNM/SVjyHM8Aj-I/AAAAAAAAAUE/usIdmzG0ak4/s1600-h/Diary-719430.jpg"><img id="BLOGGER_PHOTO_ID_5285240368265203682" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 114px; CURSOR: hand; HEIGHT: 153px" alt="" src="http://3.bp.blogspot.com/_zDxQHr1GRNM/SVjyHM8Aj-I/AAAAAAAAAUE/usIdmzG0ak4/s200/Diary-719430.jpg" border="0" /></a> <div align="justify">Just a reminder re: forthcoming data protection events taking place over the course of this month: </div><br /><br /><div align="justify">1) Computers, Privacy and Data Protection Conference: <a href="http://www.cpdpconferences.org/">Data Protection in a Profiled world,</a> 16-17 January 2009, Brussels.<br /></div><br /><p align="justify">2) E-Discovery Webinar: Data Protection, corporate investigations and e-discovery: insurmountable conflicts?, 15th January 2009, more details available at <a href="http://www.e-comlaw.com/dataguidancewebinars" target="_blank">http://www.e-comlaw.com/dataguidancewebinars</a>. 
</p>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-29472194797766949412008-12-04T11:34:00.004+00:002008-12-04T15:01:02.257+00:00ECtHR ruling in Marper<div align="justify">Whilst busying away with marking, this recent judgment from the ECtHR (via International Herald Tribune) on the retention of DNA:</div><br /><div align="justify"><a id="articleLocation" title="Click to view map" href="http://www.iht.com/articles/ap/2008/12/04/europe/EU-European-Court-Britain-DNA.php#"><em>BRUSSELS, Belgium</em></a><em>: Europe's top human rights court says British police should not be allowed to retain DNA profiles and fingerprints of people suspected but not convicted of crimes. The European Court of Human Rights says in a ruling Thursday that Britain was violating the suspects' right to a private life by retaining information on their DNA and fingerprints. The court based in Strasbourg, France, has ordered British authorities to pay €42,000 (US$53,000) to two people who brought the complaint.</em></div><div align="justify"><em></em></div><div align="justify">Source: <a href="http://www.iht.com/articles/ap/2008/12/04/europe/EU-European-Court-Britain-DNA.php">International Herald Tribune</a>, 4 December 2008</div><div align="justify"></div><div align="justify"> </div><div align="justify">Update: ECtHR Judgement is available <a href="http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=html&highlight=marper&sessionid=16786288&skin=hudoc-en">here</a>. 
</div>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-65898617917660340942008-12-04T11:03:00.002+00:002008-12-04T11:10:28.220+00:00CFP on Privacy Symposium(via Surveillance network)<br /><br />RESEARCH SYMPOSIUM - THE TRANSFORMATIONS OF PRIVACY POLICY 2-4 July 2009<br /><br /><div align="justify">Institutions, Markets Technology Institute for Advanced Studies (IMT), Lucca (Italy), in collaboration with International Comparative Policy Analysis-Forum & Journal of Comparative Policy Analysis</div><div align="justify"></div><div align="justify"><p>CALL FOR PAPERS</p></div><div align="justify"></div><div align="justify">Abstract deadline (500 words): January 18, 2009 Submission of Abstract to Workshop Convenor and Guest Special Issue Editor: Professor Bruno Dente, Professor of Public Policy Analysis, Politecnico di Milano and IMT bruno.dente@polimi.it & <a href="mailto:paola.coletti@polimi.it">paola.coletti@polimi.it</a> </div><div align="justify"></div><div align="justify"></div><div align="justify"></div><div align="justify"><p>Notification of accepted proposals: February 8, 2009 Draft paper deadline: June 15, 2009 </p></div><div align="justify"></div><div align="justify"></div><div align="justify"></div><div align="justify"><p>Workshop Date and Accepted Paper Presentation: July 2-4,2009</p></div><div align="justify"></div><div align="justify"></div><div align="justify"></div><div align="justify">Invitation:This EU based Comparative Research Symposium will be the first among a series of international Research Symposia enhancing a comparative exchange on policy research. It will focus on data protection (privacy policy) that has garnered growing attention in many countries in recent years. The evolution of public policy around this issue has been affected in unpredictable ways by the latitude of the issue, as well as by the changes in the social and technological environment. 
For instance, despite the fact that in the EU privacy regulation stems from official legislation, the member states have implemented different approaches, developing peculiar instruments and building very different institutions. The basic aim of the workshop is to understand the evolution of the policy in different countries, and if these transformations stem from exogenous factors (e.g., technological advances, the war on terrorism, and others) or endogenous factors (e.g., processes of institutionalization or bureaucratization, heterogenesis of ends, policy failures, and others). Our definition of privacy policy is rather broad and includes the content of the protected goods, the policy instruments employed, the organizational dimension of the authorities in charge, and so on.</div><div align="justify"></div><div align="justify"><p>Submission of Papers: Proposed papers should (a) relate to research on any one of the aspects above, or propose additional research angles, (b) focus on the incremental or radical changes that the policy has undergone, (c) shed light on policy problems and policy related dynamics and interventions, (d) present research on aspects of the different national approaches or cases from which comparative lessons can be drawn. The workshop is interdisciplinary in nature, and therefore perspectives related to all fields of social science (including political science, economics, law, policy analysis, sociology, etc.) will be accepted. The criteria for selection are quality and fit to the subject matter. The articles submitted must be in line with the mission statement of the JCPA and ICPA-Forum of fostering the theory, empirical research and methods of cross-national comparative policy analysis. Please note the Aims and Scope of the JCPA and explicit comparative criteria at www.jcpa.ca. 
While papers need not necessarily present comparisons among countries, they must explicitly lend themselves to lesson drawing. Papers accepted and presented at the workshop may be published in a Special Issue of the JCPA edited by Professor Bruno Dente, subject to fit in the Special Issue and the blind-fold referee procedures of the JCPA. Location and Organization: The convenors of the workshop will cover the travel and accommodation costs of the selected participants. Lucca is a beautiful historical city located 25 km from Pisa international airport. IMT is a post-graduate University offering PhD Programs in the field of Political Systems and Institutional Change, Bio-robotics, Science & Engineering, Computer Science & Engineering, Economics, Markets, Institutions & Technology, and Management of Cultural Heritage. The Workshop will be co-sponsored by IMT, Politecnico di Milano, ICPA-Forum and Routledge.</p></div>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-53717772176752513502008-11-25T19:24:00.002+00:002008-11-25T19:45:54.015+00:00Revisiting data security breaches<div align="justify">Opinion: In a recent press statement on whether there ought to be data security breach notifications, it is slightly unusual for the Government to reject calls for a law that would require significant data security breaches to be notified to a country's privacy regulator. </div><div align="justify"></div><div align="justify"><em><p>The Government has rejected calls for a law that would require significant data security breaches to be notified to the country's privacy regulator. It said that notification to the Information Commissioner should be a matter of good practice, not law. The announcement came in a Ministry of Justice report on the Information Commissioner's inspection powers and funding arrangements, one of two reports published by the Ministry yesterday. 
Most states in the US have passed laws that already require organisations to notify significant data breaches. Europe is introducing a law that will apply such a requirement to telecommunications firms; and Peter Hustinx, the European Data Protection Supervisor, said in April that that law should be extended to banks, businesses and medical bodies. A House of Lords committee said in 2007 that "a data security breach notification law would be among the most important advances that the United Kingdom could make in promoting personal internet security". However, the Information Commissioner's Office (ICO) has said that it does not want such a law in the UK. The Ministry of Justice said yesterday that it agrees. "As a matter of good practice any significant data breach should be brought to the attention of the ICO and that organisation should work with the ICO to ensure that remedial action is taken," said the Ministry's report. </p><p>Source: <a href="http://www.out-law.com/page-9619">Out-law news</a></em></p></div><div align="justify"></div><div align="justify">Yet, given the lapses in recent losses of personal information, it is odd that this view is taken. Proposals are already in place at a European level to amend the Directive on Privacy and Electronic Communications (hereinafter "DPEC") which will include <a href="http://www.edri.org/edri-gram/number6.22/data-breach-ec">data security breach </a>notifications by electronic communications providers. Whether this will be extended beyond electronic communications providers is not yet clear, but there appears to be a level of support for this. 
The rationale is not simply good data management practice but that users/consumers are fully aware of the privacy policies within an organisation and whether the data protection standards are fully in place.</div>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-18933636072538138552008-10-30T20:12:00.006+00:002008-10-30T20:31:20.901+00:00HL refuses appeal<div align="justify"><a href="http://4.bp.blogspot.com/_zDxQHr1GRNM/SQoYT12I_3I/AAAAAAAAATc/mAV3I6zPWIw/s1600-h/gavel.jpg"><img id="BLOGGER_PHOTO_ID_5263045843686588274" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 172px; CURSOR: hand; HEIGHT: 110px" alt="" src="http://4.bp.blogspot.com/_zDxQHr1GRNM/SQoYT12I_3I/AAAAAAAAATc/mAV3I6zPWIw/s200/gavel.jpg" border="0" /></a> Courtesy of <a href="http://www.5rb.co.uk/news/details.asp?newsid=441">5RB</a>, the House of Lords has refused leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. </div><p></p><div align="justify"></div><div align="justify"><em><em><em><em><em><em><blockquote><div align="justify"><em><em><em><em><em><em>The House of Lords today refused Big Picture (UK) Ltd's petition for leave to appeal against the Court of Appeal's interim ruling in the privacy claim involving photographs of J. K. Rowling's son. In March this year the Court of Appeal held that the claimant had an arguable case on both the misuse of private information and the Data Protection Act points, overturning the August 2007 decision to strike the claim out. The effect of the House of Lords' ruling is that the claim should now proceed to trial, as the Court of Appeal envisaged. 
The claim, which alleges misuse of private information and breach of the DPA 1998, centres on a series of photographs of David Murray, which were taken when he was a 1 year-old, being pushed down a street in Edinburgh by his parents in his pushchair at a time when his mother was pregnant with David's younger sister. In August 2007 Mr Justice Patten acceded to an application by the remaining Defendant - Big Pictures (UK) Ltd, a photographic agency - to strike the claim out. However, in March 2008 the Court of Appeal decided that the Judge had been wrong to conclude that the claim was unarguable and reinstated the claim, directing that the issues between the parties be tried. An application by Big Pictures for permission to appeal against this decision was refused by the Court of Appeal. In June, Big Pictures petitioned the House of Lords for leave to appeal. It is this petition that the House of Lords has refused today. </em></em></em></em></em></em></div></blockquote></em></em></div></em></em></em></em>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-48408519211433164052008-10-30T20:10:00.004+00:002008-10-30T20:30:40.391+00:00Updated BCR Guidelines<div align="justify"><a href="http://2.bp.blogspot.com/_zDxQHr1GRNM/SQoZSV_ch2I/AAAAAAAAATk/5EcyaRYaShs/s1600-h/ground_rules_large.jpg"><img id="BLOGGER_PHOTO_ID_5263046917467440994" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 177px; CURSOR: hand; HEIGHT: 209px" alt="" src="http://2.bp.blogspot.com/_zDxQHr1GRNM/SQoZSV_ch2I/AAAAAAAAATk/5EcyaRYaShs/s200/ground_rules_large.jpg" border="0" /></a>Updated guidelines on BCR (courtesy of <a href="http://www.out-law.com/page-9546">Out-Law news</a>) have been published by the Art. 
29 Working Party.<em><br /></div><blockquote><p align="justify"><em>The European Union's data protection authorities have published amended guidance on how companies can legally share customer and staff personal data with parts of the firm located outside the European Union. The Article 29 Working Party, which consists of the data protection watchdogs of the EU member countries, has created a mechanism for transferring data within organisations but to countries to which it would usually be illegal to send personal information. EU data protection laws restrict transfers of personal data to countries whose data protection regimes have not been judged by the European Commission to be adequate. The list of those countries deemed to offer adequate protection is very short. The Working Party created Binding Corporate Rules to allow companies to send data to other parts of the organisation in countries whose data protection regime has not been designated as adequate.</em></p></blockquote></em>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0tag:blogger.com,1999:blog-19805211.post-31128302101631582962008-10-27T17:52:00.009+00:002008-10-27T18:16:43.994+00:00Data Security Breach notifications in sight<div align="justify">Courtesy of Pogo and Vnunet, comes this <a href="http://www.vnunet.com/vnunet/news/2229131/breach-notification-laws-land">recent news </a>on European data breach notification laws (part of the amendments to the <a href="http://ec.europa.eu/information_society/policy/ecomm/index_en.htm">Telecommunications framework</a> at a European level):<br /></div><div align="justify"><br /></div><blockquote><p align="justify"><em>European data breach notification laws applying to all online information service providers could be in force by 2011, according to the European data protection supervisor Peter Hustinx. The current data breach notification proposals apply to just ISPs and telcos, but Hustinx backed calls for the law to apply to all “information service providers, including banks and medical sites”. He added, “I would welcome this as fair and in line with reality.”<br /><br />Speaking to vnunet.com at the RSA Conference Europe show in London, which kicked off today, Hustinx explained that the proposals are still open to change as the Council of Ministers and parliament are working on slightly different texts. “We will probably have some threshold [for disclosure] but a very low one, and notification will be to users and authorities,” he said. “There is also likely to be some variation on the basis of individual member states, which will be a challenge.”</em></p></blockquote><blockquote><p align="justify"><em>Hustinx added that if the current proposals are adopted in spring 2009, they could become law two years after that. 
Hustinx also argued that the UK government should consider giving its data protection watchdog, the Information Commissioner, greater powers in order to “restore confidence” to public sector handling of data [<span style="color:#000099;"><a href="http://www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_9#pt5-pb6-l1g77">the Criminal Justice and Immigration Act 2008, s 77</a> and <a href="http://www.opsi.gov.uk/acts/acts2008/ukpga_20080004_en_16#pt11-pb4-l1g144">s 144 </a>already strengthens remedies for <a href="http://www.ico.gov.uk/">ICO</a></span>].</em></p></blockquote><div align="justify">More from:</div><ul><li><div align="justify"><a href="http://www.vnunet.com/vnunet/news/2229131/breach-notification-laws-land">Vnunet.com European data breach laws could land in 2011</a></div></li><li><div align="justify"><a href="http://yes2privacy.wordpress.com/2007/08/17/data-security-breach-notification-laws-coming/">Identity and Privacy Blog</a></div></li><li><div align="justify"><a href="http://www.itwales.com/997395.htm">Managing data security breaches</a></div></li><li><div align="justify"><a href="http://www.itwales.com/997395.htm">ICO Guidance on Data Security Breach Management</a></div></li></ul>DP Bloghttp://www.blogger.com/profile/10663628557007598205noreply@blogger.com0