Welcome

  • Naked Law is written by technology lawyers from Mills & Reeve. Our team is (mostly) based in Cambridge, England. We write about the latest legal and regulatory developments relating to information and communication technology, e-commerce, and privacy.

    Please send us an email or post a comment if you want to join in the discussions on Naked Law.


Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.


India inks first data protection bill

The Lawyer reports today that India is finally likely to get around to introducing its own data protection laws, with a prediction that this will make outsourcing to India a more attractive prospect.

There has been talk of whether India needs its own data protection laws for years (see Chris Pounder's comments at Out-Law from 2004, for instance).  In truth, the lack of legislation to date does not appear to have overly discouraged businesses from outsourcing to India (and sending personal data there), despite occasional scare stories.  There are ways of managing the data protection obligations of a business even where no local laws apply (e.g. by using appropriate contracts, or putting in place binding corporate rules for intra-group transfers).

It will be interesting to see how far the new bill mirrors the EU's existing data protection directive, widely seen as the benchmark for privacy legislation - and whether it will be sufficient for India to achieve "adequacy" status in the EU, which would certainly simplify the business of data transfer to India for European businesses.  Currently only a handful of countries' data protection laws have been deemed sufficient to provide "adequate" protection for the rights of data subjects (Argentina, Guernsey, Canada, Switzerland and the Isle of Man).

Facebook: the small print

I have a confession to make: I am not on Facebook.

This comes as a great surprise to many people, who think that not being on Facebook must mean that either: (i) I have no friends and am worried that joining Facebook would make this all too apparent; or (ii) I am so technologically illiterate that I haven't come across Facebook yet.

However, I have also spoken to a few people who refuse to join Facebook, citing privacy concerns as the main issue. When I try to explore this in more detail, it seems there is a worry that people might get your name, address or even credit card details from your Facebook page. When I express some surprise that anyone would put their credit card number onto a Facebook page, the response I get is that they feel it isn't sufficiently clear what data is and is not needed to join Facebook, and what is made available to the public.

So what has caused this confusion? The original Facebook concept was that information on members was available only to members, and even then only limited information would be disclosed. Only specified friends were able to get full access. There are some wrinkles around "networks" where joining potentially (depending on settings) allows the network members access to all information uploaded by each member. This does need some care, as a few of the networks are very large (e.g. the 'London' network, which has over 1 million members), meaning that joining could result in lots of people getting access to a member's information.

However, Facebook has now proposed releasing member names and photos to Google, so that web searchers can find Facebook members.

How does this all match up with Facebook's privacy policy? Facebook take privacy seriously and are one of only a relatively small number of US based organisations to have signed up to the EU safe harbor provisions, intended to improve protection of personal data of EU residents when it is exported to the US (e.g. to US-hosted databases). This is set out in the privacy policy, which also has the following to say on providing information to search engines: "Your name, network names, and profile picture thumbnail will be available in search results across the Facebook network and those limited pieces of information may be made available to third party search engines."

It therefore appears as though Facebook users do give permission (by agreeing to the privacy policy) to Facebook to distribute some of their content through Google. However, there is a question of how many people actually read the detail of the privacy policy, and are aware of the implications of joining Facebook. Facebook are reported to be addressing this in relation to Google by notifying users in advance.

Processing personal data in the UK is only lawful if it is in accordance with the Data Protection Act, and that Act requires that if the consent of the individual is the justification for processing, that consent must be informed consent - i.e. the user must know what they are signing up to. As Facebook expands its global audience it will want to ensure that small print in the privacy policy is given sufficient prominence so that users are fully aware of how their data will be used, and more importantly, who will be able to access it.

So, what is my excuse for not joining Facebook?  Actually, I really don't have any friends...

Nominet consultation until 3 October 2007

Nominet today launched a consultation on the proposed introduction of a default transfer system under its Dispute Resolution Service.  The proposal resulted from a larger consultation earlier this year on the DRS in general.  In brief, the idea is that where a registrant does not respond to a DRS complaint, the complainant can pay £200 plus VAT for the transfer of the domain name (somewhat less than the £750 plus VAT currently payable for an expert's decision).  The rationale is that experts apparently order the transfer of the domain in 95% of undefended complaints.

Were the default transfer system to be adopted, it would no doubt assist in recovering .co.uk domain names from cybersquatters.  Many of our clients find that registrants frequently offer to sell the domain name to them in return for a payment covering their "administrative" costs - the requested sums vary widely but are nearly always less than £750, so that in principle it is cheaper for the registrant to pay than to seek an expert's decision under the DRS.  The lower fees for a default transfer may help to stop abusive registrants from holding genuine complainants to ransom in this way.

Obviously some safeguards will be needed to ensure that genuine registrants do not lose their domain names by mistakenly failing to respond to complaints, and there will be some mechanisms for reversing transfers.  The introduction of a new £10 plus VAT charge for commencing DRS actions (which is currently free) is also proposed to help prevent purely vexatious complaints.

Anyone with a view on the proposed default transfer system can submit their feedback here or by email to: drsconsultation@nominet.org.uk