Is DRM beat?

You might have thought news that music tracks with no digital rights management (DRM) technology are now available from iTunes would be a good thing. But the cloud attached to this silver lining is that the DRM-free tracks are reported to contain personal data of those buying them.

Data protection lawyers are watching with interest for Apple's comment on this story, and whether it will result in a change to Apple's privacy policy. Are those purchasing tracks aware that their personal data is used in this way?

Philips' Rules OK

The Information Commissioner decided last week that Philips' binding corporate rules (BCR) were sufficiently robust to justify an authorisation for Philips to share the personal data of employees and clients within the Philips group internationally.  The Data Protection Act 1998 restricts the transfer of personal data outside the EEA unless certain minimum requirements are met (eg using authorised BCR, using standard model contracts, obtaining the consent of data subjects, or otherwise ensuring "adequate" protection for the rights of the data subjects - see here for further information).

We previously reported on the decision to authorise GE to share data.  Given the publicity BCR have received, it is perhaps surprising that there remain only two BCR authorisations from the Information Commissioner to date.  Note also that the authorisation only applies to the extent that Philips' international data transfers are within the jurisdiction of the Information Commissioner - Philips will now have to use the UK authorisation to apply for approval from the other relevant EU jurisdictions from which it transfers data internationally, using the so-called "co-operation procedure".

It's a fair e-cop?

The EC Data Protection Directive (95/46/EC) provides for each Member State to implement its own national legislation, ensuring a minimum standard for data protection across the EU. The European Council is trying to agree an extension to the existing directive to facilitate personal data sharing between police organisations. This would create a de facto minimum standard in relation to police authority personal data sharing across the EU.

This proposal has concerned several Member States, most notably the UK. One worry is that the proposed provisions will facilitate too liberal a sharing of personal data between law enforcement agencies. This in part arises from the fact that the European Council Policing Committee appears to be leading the discussions. Their principal concern is likely to be the improvement of policing, rather than the protection of privacy. This is probably one reason why the European Data Protection Supervisor (the individual responsible for data protection law across the EU) is expressing concern.

Varying standards between states in this area are likely to cause problems, both in relation to the extent and quality of information obtained and the potential for abuse of this data. This is similar to problems which have recently been encountered in relation to SWIFT and PNR airline passenger data sharing.

The Council is due to report back this month, so watch this space.

Compromise reached over Airline Passenger Data Sharing

The US and the EU have concluded an interim agreement under which they will continue to share airline passenger data. Following the terrorist attacks of 9/11, US authorities requested that all airlines flying passengers from Europe provide 34 pieces of data per passenger, including credit card details, to help spot potential terrorists. Airlines which failed to provide such information faced fines of up to $6,000 per passenger or the withdrawal of landing rights.

The European Commission had originally agreed the handover of passenger data; however, the European Parliament opposed it on the grounds that it breached data protection principles and the privacy rights of travellers.  The ECJ ruled that the agreement was technically flawed and that a new one should be made, but did not rule on the substance of the agreement.

Under the new agreement US authorities will not have automatic and direct access to all data from airline computer systems but will have to make an official request for passengers’ information. However, it appears that this is just a temporary fix as the agreement will only apply until the end of July 2007, whereupon a new deal will have to be agreed.

Government Departments Don't Share

Data, that is, according to the Department for Constitutional Affairs.

In their recent 'Information Sharing Vision Statement', the Department for Constitutional Affairs pointed out that, within the current legal framework, more information can be shared than is being at present. Government departments appear to be unaware of the actual provisions of the law, and are therefore reluctant to share information. The vision statement is the first step to changing attitudes in this area.

The vision statement's aim is to help produce more 'joined up government' and to develop 'customer focused public services'. However, the proposed increased sharing of data will not infringe the individual's right to privacy; the existing law protects this to a sufficient degree, according to the Department for Constitutional Affairs. Apparently, this new approach to data sharing will provide better public services, aid the disadvantaged and, perhaps most encouragingly, 'fight crime'.

Some commentators, however, seem more sceptical as to the rationale behind this proposal. Fuller guidance should be published in April 2007.

Fingerprinting children without parental consent

Primary and secondary schools are collecting biometric details from pupils, often without the consent of their parents.  The Department for Education and Skills and the Information Commissioner have confirmed that parents cannot necessarily prevent schools from taking their children's fingerprints.  Under the Data Protection Act 1998 a child, if of sufficient maturity, can give the necessary consent for processing of their personal data, and it is up to the school to determine whether a child is capable of fully understanding the proposed use of their data and is therefore of a sufficient age to consent to their biometrics being taken.

Schools are using their pupils' fingerprints for registration purposes and for library management systems.  It is argued that such systems are a means of effective administration.  Staff are no longer needed to take registers as the children scan their fingers before entering a class.  Librarians are no longer needed in schools where libraries are designed to be self-service - children simply give their fingerprint each time they take out a book.

Parents are now campaigning to have the use of biometrics in schools strictly regulated and closely monitored, with a statutory requirement for parental consent.  An EU committee is currently considering the issue of fingerprinting children; however, no decision has yet been announced.

B4U appeal

A website which uses electoral roll information and has prompted some 1600 complaints to the Information Commissioner (the body responsible for ensuring compliance with data protection legislation) will be able to continue using the data after its operators filed an appeal.

Naked Law understands from the Information Commissioner's Office that B4U Business Media Ltd filed an appeal at the Information Tribunal on 28 July 2006 against the ICO's enforcement notice dated 4 July 2006 (see also earlier article).  The Information Tribunal is waiting for the Commissioner's reply to the appeal, but pending a decision, B4U can continue to use pre-2002 electoral roll information on their website.

If the appeal fails and B4U continue to use the electoral roll information, the ICO said they would consider taking further action.

Has SWIFT been too quick to release data?

The Guardian reports today that the Information Commissioner is investigating a possible breach of the data protection directive relating to transfers of personal data by the Society for Worldwide Interbank Financial Telecommunication (or SWIFT) to the CIA, including information relating to millions of British bank transactions.  The Guardian quotes a spokesman for the Information Commissioner's office as saying that any disclosures to the CIA were "likely to be a breach of EU data protection legislation".

This story follows parliamentary questions about the compliance of any such disclosures with the Human Rights Act.  SWIFT has stated that:

"In the aftermath of the September 11 attacks, SWIFT responded to compulsory subpoenas for limited sets of data from the Office of Foreign Assets Control of the United States Department of the Treasury"

Edward Balls, Economic Secretary to the Treasury, stated in a written response to the question brought by an MP that: "The UK Government are aware of the arrangement between the US Government and SWIFT."

SWIFT's statements on compliance do not throw much light on the justification under the data protection legislation for these transfers.  This latest story follows the ECJ judgment earlier this year that annulled an agreement between the European Commission and the US Government on transfers of airline data to the US, and reflects the difficulty of balancing privacy obligations with law enforcement and national security concerns.

b4uvote

The Information Commissioner's Office has served an enforcement notice on b4usearch.com ordering it to stop using pre-2002 electoral roll information, in breach of the Data Protection Act 1998 (see story on Kablenet).

Anyone eligible to vote in the UK is required to provide their name and address to their local council.  Prior to 2002, local councils were able to sell all of this data.  However, electoral roll data has been treated differently following a complaint by retired accountant Brian Robertson against his local council, the City of Wakefield Metropolitan District Council (see the resultant legislation here).

UK readers with an eye for small print may have noticed that you can now object to electoral roll data being used for marketing purposes and an edited register is produced including only those folk who are happy for their data to be used for marketing purposes - surprisingly many people still wish to be on the marketing list.

The ICO has received some 1600 complaints from people unhappy about the use of their personal electoral roll data by b4usearch.com.  The ICO has found that "damage or distress to individuals is likely to have been caused by information being processed in this way".  Damages can be awarded under the Data Protection Act and the Human Rights Act for privacy breaches.

The deadline for compliance with the enforcement notice has not been published by the ICO, but b4usearch.com may of course decide to appeal against the ruling.

The UK Data Protection legislation implements EU legislation that itself articulates broader international Human Rights law - essentially article 8 of the European Convention on Human Rights protecting privacy.  EU member states are given some degree of freedom to decide how the law is enforced and what the penalties will be for non-compliance.  The EU has already expressed concerns at lenient enforcement of the legislation in the UK compared to other member states.  It would be interesting to see how the b4usearch.com issue would have been dealt with in other countries where fines are apparently more common for invasion of privacy.

Alarms but no surprises over live data testing

Another story of the ignorance among businesses about their obligations under the Data Protection Act hit the headlines recently: firms are "falling into data protection pitfalls" (ZDNet), playing "data protection roulette" (Techworld) and "gambling with [the] Data Protection Act" (PC Advisor).  This follows research conducted for Compuware indicating that 44% of senior IT managers use "live" customer data to test applications and that 48% of them are only "vaguely" aware of their obligations under the Act.

In short, businesses using the personal data of their customers risk breaching the Act in a number of ways: they may fall short of their obligation to use appropriate technical and organisational measures to protect the data (seventh principle); and the use may be outside the scope of the original purposes for which the data were collected (first and second principles).  Data protection practitioners will not be surprised to hear that companies are sailing close to the wind with the uses to which they put customer data.

This story follows news of the recent security breaches in India and the Information Commissioner's decision to issue his first enforcement notice against the owners of a website for using electoral roll data from before 2002, following 1,600 complaints received by the ICO.

Sun heats up New Delhi data security fears

Financial services organisations who send their customers' data to India will not have welcomed the recent story in The Sun about Karan Bahree, who apparently offered to sell to a journalist the personal data of thousands of UK residents.  The precise details are disputed (and Bahree has now been sacked by his employers), but apparently he was able to obtain personal details from call centre operators who were willing to sell the data.  The Sun reported that high street banks including Barclays, the Woolwich, HSBC and Lloyds TSB were affected.

UK businesses holding personal data are subject to the Data Protection Act; often, when a UK business uses a call centre in India, the call centre acts as a subcontractor and a "data processor", subject to the terms of its contract with the UK business; the UK business is still the "data controller" and as such remains liable for any breaches of the Act.  I suspect that in many instances, the financial services organisations who were implicated in The Sun's sting will be checking the agreements with their Indian sub-contractors for the terms dealing with data security ...

OECD Anti-Spam Toolkit Launched

The OECD has published an anti-spam toolkit to help governments coordinate their response to the global scourge of spam.  There is an international patchwork of laws of varying effectiveness across the globe dealing with spam, but the global nature of cyberspace requires a global approach to enforcement.  The OECD has provided its “Recommendation on Cross-Border Co-operation in the Enforcement of Laws against Spam”, which prompts governments to "ensure that their laws enable enforcement authorities to share information with other countries and do so more quickly and effectively".  There are also recommendations that enforcement is beefed up and that people are better educated on the risks associated with spam and how to deal with them.

The OECD's aims are admirable, but it is not looking to eradicate spam altogether, merely to deal with it.  As technology develops over time there will be more and more ways to produce spam. Over recent years, peer-to-peer and VOIP "spam" and the phenomenon of "splogging" have demonstrated this.  It is unfortunate that some form of self-regulation has not been sufficient to deal with the problem, and increasing government intervention is inevitable in order to ensure that the Internet is preserved as "a global facility available to the public" (as defined at the World Summit on the Information Society - WSIS Declaration of Principles).

General Electric first to be switched on to Binding Corporate Rules

On 15 December 2005 the UK Information Commissioner authorised the transfer of employee information within a multinational company for the first time, using a procedure known as binding corporate rules (“BCRs”).  General Electric has been commended by the Information Commissioner’s Office for its commitment to the concept of BCRs and its responsible approach to data protection.  The BCRs of General Electric are in the public domain on the company’s website.

The 8th principle of the Data Protection Act 1998 prohibits the transfer of personal information outside the EEA (being the EU Member States plus Norway, Liechtenstein and Iceland) unless the data subjects have given consent or certain requirements are met.  The transfer of personal information to a company’s non-EEA branches can only be made where there is adequate protection for that information, i.e. to a country or territory that has been deemed by the European Commission to have adequate rules.  Alternatively transfers of information can be made to the USA where the company is a signatory to a ‘Safe Harbor’ agreement.

Also, when a multinational organisation adopts approved codes of corporate conduct (BCRs) then adequate procedures can be in place even where employee data is transferred to a part of a multinational company which is outside of the EEA or the Safe Harbor.

The Article 29 Working Party has adopted a model checklist (WP108) which describes the information required to make an application to a data protection authority for approval of potential BCRs.

It remains to be seen how many other multinationals will follow GE’s lead and undertake the BCRs approval process.  GE can be said to be at the forefront of global data protection law, being the first company to have a BCRs scheme approved by the Information Commissioner and to have gone through this process to completion.

A number of corporates have shown interest in BCRs, such as Accenture, Philips, Citigroup, KPMG and Daimler Chrysler, though it is interesting that no companies have yet followed GE and obtained approval from the UK Information Commissioner.

When does a DPA breach get an IC stare?

The Information Commissioner has announced an increased focus on serious data protection offenders in its latest strategy document, reflecting its policy of taking a "targeted, risk-driven approach".  Instead of routine enforcement, the IC's office will concentrate on areas of deliberate and persistent flouting of data protection laws and where individuals are seriously prejudiced by the breaches.  Launching the new strategy, Deputy Information Commissioner David Smith stated:

"Regulatory action will focus on those whose failure to comply with data protection results in serious consequences, either serious (perhaps career-threatening) harm to one individual, or less serious harm to many people. Other criteria for taking action include deliberate, willful or cavalier conduct, or the need to set an example or clarify the law. We will be devoting less attention to minor or technical breaches where the consequence is less serious, because this will enable us to concentrate on abuses of significant public concern, especially where those responsible have been warned, or must know, that they are breaking the law."

This announcement comes as no surprise and reflects the IC's existing approach to enforcement.  Though he has a number of powers (ranging from investigations and cautions to enforcement notices, injunctions and criminal prosecutions), the majority of tribunal decisions have involved large-scale breaches of the Data Protection Act (often involving direct marketing).  When HFC Bank inadvertently disclosed the email addresses of 2,600 customers last year, the IC decided not to act, presumably on the basis that HFC had apologised, given £50 to each customer, and contacted the IC immediately to admit the breach and try to rectify the situation.  This reflects the IC's policy of intervening only where necessary.

The IC's announcement should not encourage small-scale offenders to ignore their obligations, however; there remains the risk of civil action from individuals for losses caused by breaches of the Act and the possibility of bad publicity for bad data handling practices. In addition, the IC will continue to act against those deliberately flouting their obligations or where it wants to make an example of someone.

Information Commissioner targets law firms

The Information Commissioner - who oversees compliance with data protection legislation in the UK - has launched a "crackdown" on solicitors that fail to register as data controllers.  A statement from the Information Commissioner's Office claims that a third of solicitors are "likely to be in breach".

The Data Protection Act 1998 applies to anyone processing personal data on computers and certain manual filing systems.  These "data controllers" are required to notify the Information Commissioner of their processing unless they are exempt, but the exemptions are unlikely to apply to many law firms.

Spam prosecution in Oz

The Australian Communications Authority is bringing its first prosecution under Australia's Spam Act against an alleged global spammer based in Perth.  This action follows the successful prosecution in the US of Jeremy Jaynes (apparently the world's 8th most prolific spammer), who in April was sentenced to 9 years in jail under the federal CAN-SPAM Act.  No such luck over here in the UK - not a single prosecution has been brought against spammers under the Privacy and Electronic Communications Regulations since they came into force in 2003.