Welcome

  • Naked Law is written by technology lawyers from Mills & Reeve. Our team is (mostly) based in Cambridge, England. We write about the latest legal and regulatory developments relating to information and communication technology, e-commerce, and privacy.

    Please send us an email or post a comment if you want to join in the discussions on Naked Law.

Disclaimer

  • The information on this blog is not legal advice. You should not rely on it and we don't accept liability in connection with it. Please read our full disclaimer and let us know if you would like us to advise on any legal issue.

Have you 'Googled' the privacy policy?

Privacy and data protection appear to be the topics of the moment, with many new cases being reported and publicity surrounding data protection breaches. We have mentioned a number of these cases on our blog over the past few weeks.

The BBC reported last week on complaints about the positioning of Google's privacy policy. Prompted by this, I wanted to see just how accessible Google have made their policy. I discovered that at the bottom of the iGoogle home page there is a link to the policy; however, the page reached by clicking that link is not actually the policy but a 'privacy notice', which then links to the 'privacy policy' with a further one or two clicks depending on the link selected.

The complaints about Google's site have been made in the US, in the context of compliance with the California Online Privacy Protection Act of 2003. Not being a US lawyer, I am not going to comment on whether Google comply in this case. But I thought a brief mention of privacy policies, and why they are so important to include on websites, might be useful to readers.

Anyone who runs a website needs to be aware of the legal requirements surrounding the use of personal data, as these come into play not only where the site actually asks users to enter personal information about themselves. Even the use of cookies to track the online movements of users, and other data obtained about traffic on the site, including location data and browsing activity, could amount to what is known as 'processing of personal data'. Under UK law, users of any website should be informed if their personal data is going to be 'processed', and how the information obtained about them will be used and stored. The best way of notifying users is to include an easily accessible privacy policy on your site, with clear and obvious links to it from your home page. The privacy groups in the US were complaining that Google had not got this right under US law.

Under UK law, website owners must also be careful that what they do with the data is data protection compliant, and consent must be obtained from individuals before certain types of processing of personal data can be undertaken (for example, use for direct marketing by email, or disclosure to third parties). It is important to note that including a privacy policy is not of itself sufficient to ensure compliance with the Data Protection Act 1998.

Expelliamus!

JK Rowling has recently won a privacy ruling on behalf of her son.

David Murray, now 5, was the subject of covertly taken photographs when aged 19 months, while out with his mother on a public street. Joanne Murray and her husband objected to this on the basis that it was an intrusion into David’s right to privacy. Summarising the reasons for endorsing their case, the Master of the Rolls, Sir Anthony Clarke, stated: “if a child of parents who are not in the public eye could reasonably expect not to have photographs of him published in the media, so too should the child of a famous parent”.

This effectively overturns an earlier judgment that David had no arguable case that he had a right to privacy in a public place. It opens the door to further legal action rather than being a conclusive result.

This case is also interesting in that it further bolsters the view that a breach of the right to privacy could automatically lead to a breach of the Data Protection Act. If the right to privacy is breached, then use of that personal data may also constitute ‘unlawful and unfair’ processing of a person’s personal data.

My opinion is that, at a simple level, this judgment is potentially a helpful clarification of the existing law of privacy in a specific context. The judgment does not extend the existing right to privacy. Rather it looks at the right to privacy afforded to the children of celebrities. J K Rowling was not trying to secure a ruling that she should be afforded a right to privacy in a public place, rather she was trying to secure a ruling that her child should not be subject to any more intrusion than any other child, notwithstanding her celebrity status.

The case will now proceed to full trial (assuming the parties do not settle) in due course.

Larry's still not happy

Mark and I went along to the SCL's annual lecture last night to see Prof Larry Lessig talk about "corruption 2.0".  I'd not seen him speak before (though I've followed the output from his blog for some time).  Once I'd got used to his staccato PowerPoint style (does every word really need a separate slide for emphasis?), I was (predictably) wowed and convinced by many of his arguments.

I particularly liked his (more familiar) arguments about the scope and effect of copyright insidiously expanding to make contemporary "read write" culture illegal - though his point that legislators do just get things wrong (climate change, copyright extension, recommended diets) - and the lack of US privacy legislation - made me feel suitably indignant.  As I was supposed to feel.

And the "remix" section was great too.  It's never a bad thing to be reminded about some of those classic YouTube moments, such as Blair and Bush duetting to Lionel Richie's "Endless Love".  I've always been a big fan of some of the "mashups" my pal William puts on his Christmas compilation CDs, notably including the Beatles' "Christmas Time Is Here Again" with Boston's "More Than a Feeling".

I was only sad that there weren't more people there to see the performance.  In a theatre holding up to 460, I reckon there were no more than 100 people present.  Was this because the SCL had been over-ambitious in its choice of venue?  Or the conflict with the Chelsea v Liverpool match?  Or the fact it was a Wednesday night?  Or is Prof Lessig too radical for the taste of most tech lawyers?

IC focus on public sector Data Protection breaches

The Information Commissioner has recently confirmed the extent of his role in a newly published strategy paper. The thrust of the message is that the IC will not focus on enforcement, but on reducing the risk to UK residents of misuse of personal information about them.

At first sight one might question this message, given that it is the Information Commissioner who is specifically charged with enforcement of Data Protection law, and who has specific legal powers to ensure compliance. However, the paper makes clear that the aim is to reduce the instances of non-compliance, minimise data protection risk for individuals and society, and make sure that resources are aimed at the key areas of risk. Furthermore, enforcement of Data Protection law is only one aspect of the IC's role, which also includes education about data protection, influencing new legislation and dealing with complaints.

According to the strategy document, the ICO intends to focus on reducing the unlawful trade in personal information, monitoring the increasing sharing of information between organisations, and undertaking data protection supervision. Of particular note, the IC also intends to target the increasing surveillance of UK citizens. The ICO has also acknowledged that the focus must be on public sector rather than private sector developments, as this is where the most serious DPA breaches could arise (see, for example, last year's lapse by HMRC).

Help, my brain is exploding...

In 2000 the Stewart Report, investigating the risks of mobile phone usage, was published. Whilst it did not come to any firm conclusions, it did suggest that the levels of radio frequency radiation emitted by mobile phones and masts had the potential to have an adverse effect on human health.

OFCOM, the industry regulator for telecommunications, took this report fairly seriously. In particular, it took account of one of the key recommendations of the Stewart Report: that the government set up a database of all mobile phone base stations and masts. This resulted in a voluntary scheme under which mobile phone operators provided information to OFCOM, which was compiled into a search interface called Sitefinder. Go on, click on it, it's really user friendly, and you can check if a mast is near you right now. OFCOM manages this service, but does not provide the underlying data to users.

On 11 January 2005, a request under the Freedom of Information Act 2000 was made to OFCOM for the underlying data in the Sitefinder database in specified file formats. OFCOM replied on 27 January 2005, declining the request and citing regulation 6(1)(b) of the Environmental Information Regulations 2004 (which govern requests for environmental information in place of the Freedom of Information Act), since the information was 'already publicly available and easily accessible in another form or format'. Following some further wrangling, OFCOM also refused to disclose the information under regulations 12(5)(a) and (c), which allow disclosure to be refused to the extent that it would adversely affect 'international relations, defence, national security or public safety' (on the basis that it would reveal the locations of police and emergency services communications equipment) or 'intellectual property rights' (because the data belongs to the mobile phone operators).

The applicant did not accept this and asked the Information Commissioner to review OFCOM's decision. In a detailed decision, the Information Commissioner upheld the applicant's complaint, dismissed OFCOM's arguments and ordered the data to be disclosed. This decision was subsequently endorsed by the Information Tribunal, which upheld the Information Commissioner's decision (albeit with some differences in reasoning).

OFCOM has reportedly decided to appeal this decision to the High Court.

I must confess I'm with OFCOM on this one, despite being very much in favour of the transparency and availability of information. Some of their arguments seem relatively tenuous (prevention of terrorism being the most interesting) but their position is fairly strong overall.

As things currently stand, the public have a user friendly means to access information which belongs to the mobile phone operators. They can check if a mobile phone mast is near them, and act accordingly. The only reason I can think of why anyone would want a complete dataset would be either to make some commercial gain (e.g. spotting gaps in the mobile phone network) or to use against mobile phone companies. Without parliamentary intervention, mobile phone companies shouldn't be required to provide information which can only harm their interests. Like or loathe your mobile phone company, that's just not fair.

A cautionary DPA tale...

The Data Protection Act 1998 contains a lot of obligations, some requiring substantive thought and effort to ensure compliance.

On the other hand, some of the obligations are more straightforward, such as the obligation to register with the Information Commissioner if you are a data controller. It costs £35 per year and, once you've worked out what activities you need to declare, probably takes about ten minutes to fill in the form. If you are a data controller, failure to register is a criminal offence.

Two London-based solicitors, however, have failed to comply with this most basic of requirements, despite repeated warnings from the Information Commissioner. As a result they have been named, shamed and fined £815 each.

This little episode shows three things to the world at large: if you process personal data you need to think about data protection; the Information Commissioner is not completely toothless; and solicitors are not above the law. Whilst the fines are not exactly gargantuan in scale, the potential loss of reputation for individuals who are trusted with personal data could be significant.

IP = ID?

I've been mulling over the news Lilian broke on Pangloss about the Article 29 Working Party's view that IP addresses amount to personal data - the point being that if an IP address is personal data, then anyone collecting or otherwise using IP addresses will be subject to the Data Protection Act (or equivalent legislation in other European jurisdictions).

Now this is a question that I've always thought has a typically lawyery sort of answer: an IP address can amount to personal data, but whether it does will depend on the facts.  The Act says (essentially) that personal data means data by which a living individual can be identified (either from those data or with other available information).  So if I live alone and have a PC, there's a pretty good chance that I can be identified from my IP address.  But if I use a PC in an internet cafe, there's a pretty good chance that I can't be identified from that PC's IP address.  In fact, I think that this is rather close to what the Working Party has said (ie an IP address will be personal data if it can be used to identify someone).

Website operators have tended to address the issue by sticking some standard wording about the collection of IP addresses in their privacy policies (see references in the Beeb's here or Mills & Reeve's here, for instance).  As long as the use of IP address data doesn't go beyond the obvious, it's unlikely that collecting the information will require consent; the website operators will argue that they have complied with their "fair processing" obligation by notifying users about website logging.

As Pangloss points out, though, this could have interesting implications for the likes of Google.  The Working Party's report is due out later this year.

Bowled over by data protection reform?

In the aftermath of the catalogue of high-profile data protection breaches that have hit the headlines recently, we saw a number of new initiatives announced by the Government (including the review now being conducted by Richard Thomas, with a consultation period ending next month).

I must admit that my initial reaction was a mixture of enthusiasm (at last people are taking data protection seriously!) and cynicism.  It's very easy to announce a review; implementing substantive change is more challenging.  After the England cricket team's dismal performances in Australia and at the World Cup, the "Schofield Review" was announced, which made a number of recommendations ... but appears to have resulted in very little happening: a few administrative tweaks and David Graveney losing his job.  Will the same be true for data protection, particularly when the public's attention has shifted elsewhere?

The situation is complicated for data protection in that the law derives from a European directive ... so any changes are likely to consist mostly of tinkering around the edges.  In the light of this, I thought Rosemary Jay's opinion piece on Out-law was persuasive:

"No doubt [the measures being taken] ... will result in recommendations on practice or interpretation, but no major change seems likely .... their effect is likely to be muted, and few changes in the law can be expected any time soon."

Still, the Information Commissioner's powers to investigate and take action for breach remain in the spotlight, and he has capitalised on this by setting out his proposals for change in a new document here.

You can check out but you'll never leave...

Facebook has drawn the attention of the UK Information Commissioner over its policy around deletion of user accounts.

If you change your mind about joining Facebook and try and delete your account, the account is "deactivated", but the content is retained by Facebook - in case you change your mind again and want to reinstate the account.

If you really want to permanently delete your account, you would need to delete each individual piece of information, which, for regular Facebook users, would take some time (to put it mildly).

The Information Commissioner is also planning a wider review of Facebook's privacy policy, and this will include looking at the issue of embedded applications. At present, when certain third party applications available through Facebook are accessed, the user must first agree to the authors of the application having access to their personal data, and the reason for this is not always clear.

ENISA faces up to social networking risks

The European Network and Information Security Agency (ENISA) have this October published a report, compiled by a range of experts on data protection and internet security, on the risks, present and future, of social networking sites.

The report makes a number of recommendations, including the review and revision of current data protection laws in Europe. One of the most interesting future risks identified is that of ‘face recognition technology’, which could enable the possessor of the software to search the internet for all uploaded photos of a person if they have a reference picture to start with. This is because a digital photo is data from which a face can be measured and compared, and as face recognition algorithms become more accurate and efficient, comparison against large numbers of images becomes increasingly practical.

The idea that someone could access, let’s say, a person’s photo on a corporate profile, and then use this technology to search for other images of that person (or at least people with similar facial characteristics) that may exist on other sites should be regarded as troubling, considering the laissez-faire approach many people take to their profiles and images on social networking sites and the increase in images available. This may pose a serious risk to a person's control of their personal data. Many sites that allow people to post photos with the promise of anonymity to the general public (such as dating sites, which have grown enormously in popularity) could find their users exposed by this new technology.

This is further exacerbated by the problems which arise from people being identified by others on social networking sites, for example by tagging on Facebook, which doesn’t require consent (there is a right to remove a ‘tag’, although it is very easy to simply ‘retag’ the unflattering photo of a friend, partner or colleague).

A photo may be personal data in the UK where it can be used to identify a living individual, in which case existing data protection laws would apply. However, reviews of the law in this field will need to be ongoing to keep pace with innovation. The report is particularly worth reading for those of us who are unphotogenic, in trepidation of future technology, or wanting to know more about the risks of adding that friend on Facebook with the armoury of photos from headier days.