Tuesday, 27 July 2010

Entertaining US court judgments

Google Scholar (via GoogleBlog) has extracts from some entertaining US legal opinions (judgements) - including one written entirely as song lyrics, well except for the footnotes (hats off to the judge there, Chief Judge Buchmeyer!), several in verse, even one in hard boiled detective style. I'm surprised they didn't highlight the one where the judge didn't seem to understand how mobile phones / networks work, though I can't find it on a quick look. 

Anyway, it's clever way of reminding us that Google have had US judgments (federal and state district, appellate and supreme court) on Google Scholar, freely available and searchable in full text, since last November.

I'm having trouble thinking of similarly entertaining UK judgments off the top of my head.

Of course we have Lord Denning's famous paean to cricket -

"In summertime village cricket is the delight of everyone…"

And there's Kitchin J's straight faced recitation and analysis of rap lyrics.

But it seems the Beatles having to be explained to a judge as "a popular beat combo band, m'lud" is in fact sadly just an urban legend. According to Wikipedia.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 22 July 2010

Email disclaimers bye bye? Litig counsel's opinion

Hate long disclaimers at the end of emails, texts, IM chats etc from lawyers, or indeed anyone else? (See from as long ago as 2001 the Email Disclaimer Dafta Awards with links to the texts of the winners! None of which were law firms, perhaps surprisingly. I love this spoof. This is good too although, with my securities lawyer hat on, I sympathise.)

Aiming to eliminate or at least reduce the environmental and storage costs of long disclaimers (as well as presumably the blood pressure of recipients), the Legal IT Innovators Group Litig obtained opinions from leading counsel Martin Howe QC.

He concluded that sadly disclaimers at the end of law firm communications can't be killed off in the UK, for regulatory and other legal reasons - but they can be considerably shortened. From the Litig press release -

For a solicitors’ firm which is an LLP, I consider that the minimum information for general use on all emails is as follows:
“John Smith & Co LLP is a limited liability partnership registered under No. OC********** in England and Wales, and is regulated by the Solicitors Regulation Authority. Registered office: [postal address of reg office]””

Some Litig members are looking into putting the wording into effect. If firms want to rely on these opinions, they need to make their own individual specific arrangements with Leading Counsel - without which obviously he assumes no liability.

Of course the opinions focus on the position of law firms in the UK, but they do contain some points of more general interest.

The first opinion is mainly about whether a link in law firm emails to disclaimer wording etc would be good enough (no, he doesn't think so).

The further opinion also cover issues like -

  • confidentiality notice - with suggested short wording
  • limitations of liability for virus transmission ("pretty useless"), imitation on the ability of the sender to form a contract by email, statement that service by email will not be accepted
  • disclaimers in SMS text and IMs.

The press release says Litig plans to send copies of the opinions to relevant environmental and e-commerce associations "to establish whether they have an appetite to help drive ahead these changes further."

See -

Via SCL.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 21 July 2010

Privacy / data protection - Reding interview - UK behavioural advertising breach?

Interesting interview "The Facebook Age" with Commissioner Reding on social networking, "online privacy, teens doling out too much information and just what the Commission thinks of limiting such action. Is privacy over?"

She was quoted as saying in the interview (emphasis added) -

Well there was a case last summer in August [2009] involving a company in the UK, and what they were doing was they were getting information from websites without the consent of the user, and they were using this information for behavioral advertising.  The Commission started an infringement case, which means that they told the UK that the way they implemented their law in the data protection authority was not positioned to allow for the prior informed consent of the users.

I must have missed hearing about the case she mentioned. What case? Is that really what triggered the June 2010 Commission action against the UK in relation to the Data Protection Directive?

The October 2009 Commission action against the UK on the Data Protection Directive and ePrivacy Directive was because of Phorm, not this, surely. The Phorm events pre-dated August 2009 and the case she mentioned sounds like a website operator rather than someone working with an ISP.

Does anyone know anything about the case she cited? Or that she did in fact for some reason actually mean to refer to Phorm?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Summer 2010 typos

As people start heading off for their holiday breaks, I hope you all enjoy this small selection of typos encountered by yours truly. Some are even privacy related! Just about.  

A "Daft" Model Publication Scheme, from the Scottish Information Commissioner's website -

The perennial "Pubic", a slip of the finger in an Article 29 Working Party email -

(In which connection, the title "Director - Horizontal Affairs" (and that's no typo but a European Commission position - err, post) may trigger a giggle if your sense of humour is as wicked as mine…)

And finally, my favourite - "clod computing", from the NetImperative site. "Yes, that's the kind of computing I do", a friend said.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Tuesday, 20 July 2010

ACTA and privacy - EU privacy regulators' views

The negotiations on the proposed Anti-Counterfeiting Trade Agreement have triggered criticisms from more than one quarter.

Now, the Article 29 Working Party, comprising EU data protection regulators, has joined the fray with a letter of 15 July 2010 to EU Commissioner Karel de Gucht expressing their concerns, from a privacy and data protection viewpoint, regarding the provisions of the draft agreement targeting copyright infringement, notably -

  • three strikes out
  • notice and take down procedures, and
  • searches by customs authorities and criminalisation.

The Working Party seem to have published quite a few documents related to topics which like ACTA were on the agenda for their recent 12-13 July meeting e.g. on data retention and accountability.

At this rate we may well see more from them before the summer is out, probably in relation to the EU review of the Data Protection Directive and the draft RFID Framework Privacy Impact Assessment (which ENISA commented on recently).

(Lest anyone wonder - I'm not stalking the Working Party though I do love 'em, I do, I do. It's just that their output's been off the charts lately. Quite a job to keep up.)

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Monday, 19 July 2010

EU controller processor model clauses - FAQs from Article 29 Working Party

I previously briefly mentioned the February 2010 version of the European Commission's Model standard contractual clauses for transfer of personal data to processors outside the EU (controller to processor).

EU privacy regulators the Article 29 Working Party have now produced FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, WP 176 of 12 July 2010, with some helpful guidance.

And no, the model clauses still don't apply when personal data is transferred from an EEA-based controller to an EEA-based processor and then to a non-EEA-based subprocessor. Though they suggest some workarounds.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Privacy, data protection & accountability - EU regulators' views

Thought I'd blogged this a few days ago but I guess I forgot to hit Publish - Opinion 3/2010 on the principle of accountability, July 2010, from the Article 29 Working Party.

And the accompanying press release 16 July 2010 (p. 2 is on the accountability opinion) -

A statutory accountability principle would explicitly require data controllers to implement appropriate and effective measures to put into effect the principles and obligations of the Directive and demonstrate this on request. In practice this should translate into effective scalable compliance programs aiming at implementing the existing data protection principles, and controllers should be able to demonstrate to data protection authorities, upon their request, that their program fulfils the requirement of accountability. The type of procedures and mechanisms would vary according to the risks represented by the processing and the nature of the data.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Privacy enhancing technologies (PETs) - final study on economic benefits for Commission

Just out, Study on the economic benefits of privacy-enhancing technologies (PETs) - Final Report to The European Commission DG Justice, Freedom and Security by London Economics, July 2010. I previously mentioned their interim report.

The final report weighs in at 259 pgs. I'm still working my way through it, but from the executive summary:

  • It looks at the benefits of PETs (or privacy by design) for data controllers, not surprisingly - but particularly SMEs, and specific issues such as whether/ how the impact of PETs can be measured and whether cooperation/joint action such as Public Private Partnerships of data controllers with national authorities or international organisations would enhance economic benefits.
  • Covers 12 EU Member States selected after consultation with DG Justice, Freedom and Security - the Czech Republic; Denmark; Germany; Estonia; Spain; Ireland; Italy; Hungary; Malta; the Netherlands; Austria; and the United Kingdom.
  • Theoretical part - provides a framework for understanding PETs and the deployment decision faced by data controllers - overview of technologies that together form the ‘PETs universe’ and different classifications for PETs proposed in the literature, then determinants of PETs deployment from an economic perspective.
  • Empirical part - based on stakeholder consultations, surveys of businesses in the 12 states chosen, and detailed case studies including in more detail 6 specific services such as GENOMatch ("a complex PET designed to be used with highly sensitive personal data (genetic information) in a strictly regulated pharmaceuticals development environment),  pseudonymisation services to ensure data protection compliance on the part of public sector healthcare controllers, location based mobile services, and nightclub fingerprint identification.

The conclusions - economic benefits of PETs are technology-specific and application-specific, and can vary with the application and the business, so the net economic benefit of PETs deployment needs to be assessed on a case-by-case basis -

"There is little evidence that the demand by individuals for greater privacy is driving PETs deployment. The reasons for this include the uncertainties surrounding the risk of disclosure of personal data, a lack of knowledge about PETs, and behavioural biases that prevent individuals from acting in accordance with their stated preference for greater privacy. Data controllers, on the other hand, can derive a variety of benefits from holding and using personal data, including the personalisation of goods and services, data mining, etc. To the extent that PETs limit the ability of data controllers to use personal data, this acts as a disincentive for deployment. In particular, data controllers often favour mere data protection to protect themselves against the adverse consequences of data loss over data minimisation or consent mechanisms which can impede the use of personal data. However, the demand for PETs deployment is much more an important driver in the business-to-business market as well as in settings where individuals are represented by intermediaries that articulate privacy concerns towards data controllers. Even in cases where PETs deployment is potentially beneficial for data controllers, deployment rate may still be low. The uncertainty of some of the costs and benefits of PETs also explains why firms might rationally postpone the deployment of PETs while waiting for more information, in order not to limit their future choices. In addition, there are certain market failures, such as the existence of externalities in PETs deployment, which lead to sub‐optimal deployment rates. Finally, as already noted theories of technology adoption suggest that the adoption rates of PETs may follow an S‐shaped pattern, which means that current, low deployment rates could pick up quickly in the future as the technologies mature and become better known. The evidence considered in this study suggests that there is a role for the public sector in helping data controller realise the benefits of PETs. This can take various forms. The most effective appear to be official endorsements of PETs, including through pioneering deployment and official certification schemes, and direct support for the development of PETs, through subsidies to researchers (e.g. the European Framework Programmes).

SMEs are using fewer PETs, and are less convinced of the benefits of PETs, than larger businesses. At the same time, SMEs often store personal data from which they derive no economic benefit. However, SMEs also use less personal data, which suggests that a proportional response to promoting the use of PETs by SMEs will be required."

The point about controllers being disincentivised to use PETs because of the benefits to them of being able to use personal data fully backs up what I've said before on why businesses don't deploy privacy enhancing technologies. Although they didn't mention the stick as well as carrot. (See also thoughts on privacy-preserving identity management systems.)

This study will obviously help inform the Commission as they work on formulating their proposals, due to be published by the end of this year, for updating the EU Data Protection Directive. The EU privacy regulators the Article 29 Working Party support PETs / PbD and Commissioner Reding, in a recent speech of 14 July 2010 (text also here) at a meeting of the Working Party, emphasised the need for public authorities and businesses to apply a "privacy by design" approach (as well as conduct privacy impact assessments). So we don't need a crystal ball to predict some legally binding requirements for PETs on the horizon.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 18 July 2010

Webcam privacy & trojans - man suspected of peeking at schoolgirls

Previously a US school was caught spying on students via webcams on school-supplied laptops, but now a German man is being questioned on suspicion of planting a Trojan to switch on webcams on the computers of over 150 schoolgirls.

The Deutsche Weller news article says "It is now believed the hacker broke into one of the girl's accounts on the ICQ chat application and sent the virus to new targets he found on the girl's contact list."

The situation was discovered by data protection advocate Thomas Floss, who helps raise awareness of safer internet practices in schools, when some girls went to him after a presentation to tell him their webcams lit up of their own accord.

Police used the man's IP address to track him to his home - so an IP address was certainly very much "personal data" on this occasion!

While all this has, rightly, further raised awareness of the risks of webcams and other electronic devices being taken over remotely, and the importance of educating users, especially children, about internet security, it has also, rather less rightly, prompted a call by a Association of German Detectives spokesman for the mandatory identification of all web surfers and "the introduction of a 'reset button for the Internet' that would allow the German chancellor to remove Germany from the Internet in the case of an emergency." Shades of proposed legislation in the USA claimed to give the President a kill switch for the internet (or, as I'd like to call it, a "Kill Bill", with apologies to movie fans…) - on which see the further analyses in Wired and (quite detailed) in TPM.

Back to the webcam situation, the Deutsche Weller article quotes a riposte to the "reset button" suggestion, made by Constanze Kurz of German hacker association Chaos Computer Club who stressed the importance of internet anonymity: "Put a sticker over the lens".

Of course, everyone should always use a firewall, keep regularly updating malware and virus checkers, and regularly scan their computers for malware. But as anti-malware makers are usually playing catchup with the bad guys, physically covering the lens of web-enabled cameras when not in use really isn't such a bad idea.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

MPs' expenses - ICO response to Independent Parliamentary Standards Authority (IPSA)

The UK privacy regulator, the ICO, have published The Information Commissioner’s response to the Independent Parliamentary Standards Authority (IPSA) consultation paper on their publication proposals, responding to IPSA's June 2010 Consultation on IPSA’s Publication Proposals which consulted on their proposed publication scheme under the Freedom of Information Act, including proposals as to what info will be published on MPs' expenses etc as well as procedural matters, trying to strike a balance between privacy / data protection and openness.

The Independent Parliamentary Standards Authority (IPSA) is a new independent statutory body established by the Parliamentary Standards Act 2009 to devise and administer an expenses regime for MPs and to administer MPs’ salaries and pension contributions. IPSA produced new rules on expenses, removing allowances and establishing clear, transparent guidelines on what MPs can and cannot claim for. "Following the 2010 general election, IPSA has sole responsibility for processing, validating and paying or rejecting MPs’ claims for expenses. In the interests of transparency, IPSA will publish on its website every claim made by every MP."

The ICO broadly agrees with the proposed scheme (they had input into it) but stressed the need for guidance to be produced to assist MPs in ensuring that their staff and third parties who might be affected are adequately informed about how they may be affected by the publication of expense details.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Saturday, 17 July 2010

EU - RFID privacy & data protection impact assessment framework- ENISA opinion

EU cybersecurity agency ENISA have issued ENISA Opinion on the Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications [of March 31, 2010], July 2010.

They strongly support the integration of privacy by design and have made some recommendations for substantially improving the draft Privacy and Data Protection Impact Assessment (PIA) framework for RFID applications of March 2010. Their suggestions on the procedural and technical rather than legal front.

The draft framework was also sent to the EU privacy regulators the Article 29 Working Party, and they considered it at their recent meeting, but haven't published their views yet.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 15 July 2010

Data retention illegally implemented, EU privacy regulators say

The EU Data Retention Directive 2006/24/EC, which enables governments to force ISPs, mobile network operators and telephone companies to keep certain data about citizens' phone calls and emails etc for later government inspection, has been implemented unlawfully.

So says a report adopted on 13 July 2010 by EU privacy regulators the Article 29 Working Party, with the long name of "Report 01/2010 on the second joint enforcement action: Compliance at national level of Telecom Providers and ISPs with the obligations required from national traffic data retention legislation on the legal basis of articles 6 and 9 of the e-Privacy Directive 2002/58/EC and the Data Retention Directive 2006/24/EC amending the e-Privacy Directive", WP 172.

The report followed an inquiry by the Working Party mainly on security measures and preventing abuse, compliance with storage limit obligations, and types of retained information.

Their investigations showed that the Directive hasn't been implemented in a harmonised way, with significant discrepancies between the member states especially on retention periods - which vary from 6 months to up to 10 years (well beyond the supposed permitted maximum period of 24 months).

Equally important and perhaps more worrying, they found that more data are being retained than the law allows.

The Directive specified a limited list of the data to be kept, all to do with traffic data (not the content of communications but metadata - e.g. who communicated with who when, but not what they said). Further, it explicitly banned retention of data relating to the content of communications.

Yet the inquiry found that some content data was still being retained (and handed over to government authorities):

  • Internet traffic data - several service providers kept URLs of
    websites visited
    , destination IP addresses, full headers of e-mail messages, as well as all recipients of e-mail messages in “CC”-mode at the destination mail server, and even the port number allocated to users by ISPs.
  • Phone traffic data - not just the location of the telephone caller was retained at the start of the call, but also their location was being monitored continuously!

There's a very useful and impressive Annex to the report, with tables showing for each of the EU member states:

  • the implementation status and implementing legislation,
  • exactly what kind of traffic data is retained for fixed phones, mobile phones and internet use (the UK entry is so long it goes beyond the bottom of the cell!)
  • retention period and communication channel towards LEAs i.e. how law enforcement authorities then get their mitts on the retained data (in Bulgaria, but it seems only Bulgaria, a court order is needed first; UK authorities prefer to just login via SSL)
  • security measures taken in respect of the retained data, both logical and physical (in the UK data at rest is not encrypted but hey, access to it is strictly restricted by requiring id/password, so that's all right then)
  • any specific personnel training for traffic data, backup and disaster recovery, data separation and retention abroad.

The EU data protection authorities have urged the European Commission to take account of their findings when deciding whether to repeal or amend the Directive. (The Commission's evaluation of the Directive is expected to be published quite soon, in September 2010. Ian Brown linked to the leaked draft of their review and produced a chart of EU government requests for user data in 2008 based on the draft.)

The Working Party say their report has made clear that the need for the Data Retention Directive still hasn't been shown. (It was rushed through as a claimed essential anti-terrorism measure after the 2004 Madrid bombings and the 2005 London 7/7 bombings.) States don't provide enough or indeed any statistics on how they've used the retained data, making it impossible for data protection authorities to evaluate independently the necessity or even usefulness of data retention, which has cost service providers (and ultimately citizen taxpayers) a fair few bob to implement.

Statistics are vital for the accountability of government authorities, of course, in order to check abuses of state power. For instance, the European Court of Human Rights just a few months ago in the Gillan & Quinton case found the United Kingdom (again) in violation of human rights, in relation to excessively wide stop and search powers under section 44 of the Terrorism Act 2000. They noted that:

…In his Report into the operation of the Act in 2007, Lord Carlile noted that while arrests for other crimes had followed searches under section 44, none of the many thousands of searches had ever related to a terrorism offence; in his 2008 Report Lord Carlile noted that examples of poor and unnecessary use of section 44 abounded, there being evidence of cases where the person stopped was so obviously far from any known terrorism profile that, realistically, there was not the slightest possibility of him/her being a terrorist, and no other feature to justify the stop…

…While the present cases do not concern black applicants or those of Asian origin, the risks of the discriminatory use of the powers against such persons is a very real consideration, as the judgments of Lord Hope, Lord Scott and Lord Brown recognised. The available statistics show that black and Asian persons are disproportionately affected by the powers, although the Independent Reviewer has also noted, in his most recent report, that there has also been a practice of stopping and searching white people purely to produce greater racial balance in the statistics (see paragraphs 43-44 above). There is, furthermore, a risk that such a widely framed power could be misused against demonstrators and protestors in breach of Article 10 and/or 11 of the Convention.

The use of physical stop and search powers may be a different situation from data retention, but that example illustrates very well that if you give authorities (or indeed any human being) excessive powers, they will use them, and probably misuse them for the wrong purposes and the wrong reasons. It's only human nature. The best solution to that problem is, don't give authorities too-wide powers in the first place and cut down broad powers to what's really necessary and proportionate. I'm with those who feel that increasing state surveillance and intrusion into the everyday lives of citizens, the vast majority of whom are law-abiding, is not the right way to fight terrorism or crime, and in some cases may be counter-productive, triggering resentment and anger that may positively tip some people over the edge into crime or terrorrism. The best anti-terrorism measure is fostering a fair, just, free and happy society.

Back to data retention, the Working Party report recommends increased harmonization, more secure data transmission and standardized data handover procedures - and also not allowing states to impose additional data retention obligations on providers, reducing the maximum retention period to a single, shorter term, reconsideration by the Commission of the overall security of traffic data, clarification at member state level of the concept of “serious crime”, and disclosure to all relevant stakeholders of the list of the entities authorised to access retained data.

The new UK government coincidentally recently announced an urgent review of security and counter-terrorism, which will look at things like the very stop and search powers that have been so criticised, and also the use of the Regulation of Investigatory Powers Act 2000 by local authorities and "access to communications data in general". We'll see the full report in autumn 2010; let's hope they cut down the types of data retained and improve security of retained data as well as severely narrow down exactly which authorities are allowed to have access to our communications data. A court order before they're allowed to peek at retained data would be good, but I'm not holding my breath.

PS. Bruce Schneier pointed to an excellent article "Does Surveillance Make Us Morally Better?". And see also a recent academic article Trusting Children: How do surveillance technologies alter a child's experience of trust, risk and responsibility?

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 14 July 2010

UK Information Commissioner's annual report out

A press release earlier today from the UK's privacy / data protection and freedom of information regulator announced the issue of the Information Commissioner’s Annual Report for 2009/10. (There's a summary too.)

They're busier than ever, but on top of things. Information Commissioner Christopher Graham says: “Technology, concerns about data security and the welcome focus on transparency of official information mean information rights are centre stage."

With a new ICO mission statement and increased regulatory powers, Mr Graham uses his annual report to call for the Information Commissioner to report directly to Parliament, as in the case of the Parliamentary and Health Service Ombudsman, to increase transparency around the reporting and financing arrangements of the ICO.

Christopher Graham, Information Commissioner, says:

“I believe that the ICO has not just to be independent of government, but be seen to be independent. To carry out my duties effectively and with the full confidence of all parties, now is the time to formalise the governance arrangements for the Information Commissioner, suitable for an independent public official whose accountability is fully to Parliament, rather than primarily via Departments of State.”

Hear hear. I may query their site's electronic accessibility and usability, but the people from the Information Commissioner's Office generally do an excellent job. Full independence - and, as important, more powers with real teeth plus resources for the ICO (even though they seem to be coping rather well) - would be even better.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Wednesday, 7 July 2010

Personal data online - UK guidance issued

UK data protection regulator the Information Commissioner today issued his office's official Personal Information Online Code of Practice on privacy and data protection on the internet, following a consultation and summary of responses.

Personal information online guides - direct links

Here are direct links to the info you'll need, in a usable format - in this instance PDF -

  1. Personal information online code of practice, Information Commissioner's Office, July 2010
  2. Personal information online - small business checklist, Information Commissioner's Office, July 2010
  3. Protecting your personal information online, Information Commissioner's Office, July 2010 - short guide for individual consumers.

Feel free to skip this usability rant

I listed the links above to make life easier for readers because unfortunately the IC press release links to an (accessibility- and user- unfriendly) ebook, which you can only print out page by laborious page - all 40-odd of them. Furthermore it's stored using a folder structure or redirect which seems to assume they'll only ever have one ebook, which means any saved or bookmarked links to that document would break in future when they publish more papers in ebook format, if they want to give the files names which help indicate the content.

My own "Providing public information online code of practice" would require online press releases of all government departments and regulators (and indeed anyone else who publishes information on the web or by email) to link to a single webpage per publication, which in turn lists links to the different versions of the document - webpage HTML as well as PDF  - clearly indicating which link opens which file format. And, if they must, by all means do also include links to Flash-y things or ebooks which are DRM'd to the hilt so that users can't easily print or copy and paste extracts from them. But even then, HTML and PDF versions ought still to be made readily available in addition. (How many people in the UK have ebook readers anyway? Maybe in 5 years press releases linking by default to ebooks might make some sense.)

Press releases should always be published as simple web pages i.e. in HTML format as well as PDF too. Here endeth (nearly) the usability rant.

I am reminded of the recent news that UK government departments spent thousands of pounds of taxpayers' money on developing iPhone apps even though (just by the number of handset sales in the first quarter of 2010, according to Gartner) Nokia has a 35% market share and Apple just 2.7%.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Tuesday, 6 July 2010

UK - data protection - MoJ seeks views on how laws are working

The UK Ministry of Justice has issued a call for evidence on current data protection laws, seeking views on:

  • how the European Data Protection Directive and the UK Data Protection Act are working
  • the impact of data protection on individuals and business, and
  • whether the Information Commissioner's powers and penalties could be strengthened.

Direct link - Call for Evidence on the Current Data Protection Legislative Framework, 6 July 2010.

The responses will be assessed and used to inform the UK’s position in negotiations on a new EU instrument for data protection, "which are expected to begin in early 2011". This fits in with the expected publication by end 2010 of the Commission's draft of the new EU data protection legislation.

The compliance (or not) of UK legislation with EU data protection requirements and the beefing up of privacy protection and remedies for individuals are no doubt going to be raised.

Anyone who wants to comment should respond (Word questionnaire) by 6 October 2010. That's not very much time, in the scale of things.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Privacy - technology & other challenges - comparative study of EU, US etc for Commission

Just seen on the European Commission website, some useful papers from a study conducted for the Commission and concluded in January 2010 (dated 20 Jan 2010, in "final final" versions no less).


Comparative study on different approaches to new privacy challenges, in particular in the light of technological developments - final report, LDRP Kantor Ltd with Centre for Public Reform (Executive Summary) and attachments -

  1. Working Paper 1 - The challenges to European data protection laws and principles, Ian Brown, Oxford Internet Institute, University of Oxford, and
  2. Working Paper 2 - Data protection laws in the EU, Douwe Korff, London Metropolitan University


Comparative chart and country reports

The study included various reports on countries across the world, not just the EU (including the UK, Germany, USA, Australia) and a comparative chart of national laws -

Comparative chart - Divergencies between data protection laws in the EU, Douwe Korff

See the EU webpage for links to the country reports on -

European countries:

Czech Republic
United Kingdom

Non-European countries and jurisdictions:

USA (Federal level, California, New Jersey)
Hong Kong

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Sunday, 4 July 2010

EU - data protection / privacy & copyright - UK, Netherlands, Poland

Study on Online Copyright Enforcement and Data Protection in Selected Member States - Netherlands, Poland and United Kingdom, April 2010 is a paper prepared by Hunton & Williams, Brussels (Christopher Kuner, Cedric Burton) for the European Commission with the assistance of lawyers in the relevant countries. It was placed online on the Commission website in June 2010.

Like the similar paper previously prepared by them for the Commission on online copyright enforcement and data protection in Austria, Belgium, France, Germany, Spain and Sweden, this paper looks at 4 key issues under the laws of the individual state concerned as at 1 April 2010, namely:

  1. Nature of an IP address - is an IP address personal data in that state?
  2. Processing and retention of IP addresses by ISPs
  3. Monitoring of the Internet (in particular of P2P networks) - including in the UK, on interception or surveillance of internet traffic, the Regulation of Investigatory Powers Act 2000, and
  4. Disclosure of the identity of Internet users (in particular of P2P users) - aka, ISPs giving up the identities of alleged fileshares or other copyright infringers to copyright owners or their agents e.g. collecting societies.

In relation to the UK, the paper touches on the Digital Economy Act 2010 with its initial regime - not yet in force - of "copyright infringement reports" by copyright holders to ISPs, and ISP being required to give notifications of certain reports to their subscribers and to place subscribers who (effectively) receive 3 notifications within 12 months onto a "copyright infringement list" available on request to relevant rights holders (who may take legal action for the disclosure of ISP subscribers' identities).

These papers are useful for a relatively concise overview of the interaction between the legal regimes on copyright and data protection / privacy in the countries covered.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.

Thursday, 1 July 2010

EU Data Protection Directive reform - Commission paper, meeting

As part of its review of the Data Protection Directive, the European Commission held a meeting ("targeted consultation") today with key non-public sector stakeholders.

The Commission's Stakeholders' Consultations “Future of data protection” Background paper, prepared for the meeting, outlines the Commission's current thinking and questions for discussion  (e.g. should data minimisation be explicitly required in the legal framework?). A useful paper, particularly as draft proposals are due out from the Commission by the end of this year, which is only a few months away.

The meeting was streamed live publicly - I tweeted that link this morning - but was going on all day, so I didn't listen to the whole thing.

I'm not sure if any recording is going to be available after the event.

Admittedly it's not the Article 29 Working Party holding meetings or workshops in public (Google's Global Privacy Counsel Peter Fleischer has taken issue with the "closed" nature of the Working Party's meetings, in the past), but still, this live streaming has to be good from a transparency and openness viewpoint generally.

See also the Article 29 Working Party's "Future of Privacy" paper and the European Data Protection Supervisor's views, on modernising and updating data protection law.

©WH. This work is licensed under a Creative Commons Attribution Non-Commercial Share-Alike England 2.0 Licence. Please attribute to WH, Tech and Law, and link to the original blog post page. Moral rights asserted.