1. United Kingdom

1.1 Government Initiatives / Consultations / Legislation

House of Lords Technology Select Committee's report on Personal Internet Security

On 10 August 2007, the House of Lords Technology Select Committee published a report on internet security. The driving force behind the report is that internet security breaches should be addressed by means of a flexible mix of incentives, regulation and direct investment. The changing nature of technology means that end-user responsibility for anything that goes wrong is becoming increasingly unrealistic, and ISPs and network operators should be held responsible.

The report states that efforts to promote best practice within the industry are hampered by the lack of commercial incentives offered to the industry to make internet products secure. Companies are ready to offload the commercial risks on consumers via licensing agreements and therefore avoid paying for the costs of lack of security.

The report makes the following recommendations:

  • legislation should be introduced to make banks responsible for losses incurred as a result of electronic fraud;
  • the "mere conduit" immunity should be removed once ISPs have detected or been notified of the fact that there is a machine sending out spam or viruses on their network. This would give third parties the opportunity to recover damages from ISPs if they suffer loss because their computer has been infected;
  • data security breach notification legislation should be introduced (as it has been in the US), incorporating a clear and workable definition of a data security breach, a mandatory and uniform central reporting system and clear rules on the form and content of notification letters to recipients (i.e. they should set out the steps that individuals should take to deal with the breach); and
  • better enforcement powers for the Information Commissioner's Office ("ICO") to make it more effective at policing security breaches and enforcing good standards of data protection across the industry.

New Criminal Justice & Immigration Bill to include custodial sentences for certain data offences laid before Parliament

The Criminal Justice and Immigration Bill, which provides for a custodial sentence of up to 12 months on summary conviction and up to two years' imprisonment on conviction on indictment for the misuse of personal data contrary to section 55 of the Data Protection Act 1998 (DPA), had its first reading in the House of Commons on 26 June 2007. As detailed in our Spring Update, these penalties are additional to the fines which are currently set out in the DPA.

Exemption granted to Police to use Transport for London data for national security purposes

The Home Office has granted the Metropolitan Police real-time access to surveillance footage from Congestion Charge cameras in central London for limited purposes. Previously the Police were only able to request specific footage from the cameras, but the Home Office has now signed a certificate of exemption from the DPA for national security purposes granting them the right to be able to monitor them in real-time.

The Congestion Charge cameras in the city centre are fitted with automatic number plate recognition (ANPR) technology. It will now be possible for there to be a real-time flow of data between Transport for London and the Police. Tony McNulty, Home Office minister responsible for police and security, said "The Commissioner of the Metropolitan Police believes that it is necessary due to the enduring, vehicle-borne terrorist threat to London."

Fears as government proposes new register of all children

Government plans to create a database system, known as ContactPoint, to store the personal details of 11 million children in England as of next year have been the subject of great concern amongst social workers. The Association of Directors of Children's Services fear that the register, which will contain the name, address, medical and school and childcare details of every child under 18, has the potential to be abused by some to target the children that it is intended to protect. Concerns are further fuelled by the government's admission that the children of celebrities and politicians are not likely to be included in the system; this is seen as tantamount to an admission that the system is not secure. The ContactPoint system is reported to cost £224 million to build and another £41 million per year in running costs.

1.2 News from the ICO

ICO takes action against unsolicited faxes

The ICO has brought an action under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (E-Privacy Regs) against two debt recovery organisations. Clear Debt Solutions and ADC Organisation Limited were both issued with enforcement notices ordering them to stop sending unsolicited faxes to businesses and individuals. This action follows hundreds of complaints that were received by the ICO and the Fax Preference Service (FPS).

ICO and Ofcom agree "Letter of Understanding"

The ICO and Ofcom agreed a Letter of Understanding which sets out a basis for collaboration in the future regarding areas where they share enforcement responsibilities (such as electronic communications areas that are covered by the E-Privacy Regs). Both organisations hope that the Letter of Understanding will enable them both to use their resources most effectively, strengthen mutual cooperation and adopt recognised good regulatory practice. The organisations will decide between themselves which organisation is more suitable for investigating suspected non-compliance and will consult each other when making any public statements.

ICO issues guidance on the meaning of "personal data"

On 29 August the ICO issued guidance entitled "Determining what is personal data". Since it is often unclear whether data fall within the definition of "personal data" under the DPA, the guidance is designed to help data protection practitioners determine this issue. It provides plenty of examples which serve to illustrate circumstances where data relate to an identifiable, living individual. There is also a flowchart comprising eight questions which address issues such as whether the data are "obviously about" or whether they are "linked to" a particular individual. Only data that fall within the definition of "personal data" are subject to the DPA. It should be noted that in any court proceedings the ruling of the Court of Appeal on the meaning of "personal data" in Durant v FSA will take precedence over this ICO guidance.

Consultation / draft Code of Practice on sharing personal data

On 13 August 2007 the ICO launched a consultation on its new code of practice for sharing personal data. The ICO's aim is that organisations will formulate their own codes of practice based on this one, picking and choosing from aspects of the code but making sure that it covers issues such as information security, accuracy of information and retention periods.

ICO issues updated CCTV Code of Practice

On 2 August the ICO launched a consultation on its updated code of practice concerning the use of CCTV by organisations. The revised code is aimed at helping businesses that routinely capture footage of their employees on their CCTV systems to comply with the DPA. It updates the previous code of practice to reflect technological advances and changes to the way that CCTV is used to monitor individuals. The updated code states that CCTV should not be used to record conversations between members of the public and it provides advice on the period for which video footage should be retained. In deciding whether or not to use CCTV surveillance, it suggests that businesses carry out an impact assessment to see if its use is justified. The consultation will close on 31 October 2007.

Data Protection Strategy Consultation

The ICO is conducting a consultation on its new data protection strategy, which runs until 28 September 2007. The strategy sets out how it plans to minimise its data protection risk and sets out its enforcement strategy.

Littlewoods and Orange provide undertakings to the ICO

Following an investigation into the way in which they process personal data, the ICO found Orange Personal Communications Services Limited and Littlewoods Home Shopping in breach of the DPA. The ICO previously received complaints regarding the fact that Orange allowed members of its staff to share passwords for accessing the company IT systems. It, therefore, found that Orange was in breach of the DPA for not keeping its customers' personal information sufficiently secure. The ICO also found Littlewoods in breach of the DPA for failing to stop sending marketing material to one of its customers following complaints from that customer. Copies of the signed undertakings are available on the ICO website.

Satcover Limited and Satellite Direct UK Limited provide undertakings

Satellite Direct UK Limited and Satcover Limited, both based in Hove, East Sussex, have been required to sign formal undertakings by the ICO for failing to cease making unsolicited marketing telephone calls to individuals after they had been expressly requested not to by the individuals or the individuals had signed up with the Telephone Preference Service. If the organisations breach the undertakings, the ICO has the power to take them to court immediately to obtain a court order.

Annual Report 2006/2007

The ICO has released its annual report for the period 2006-2007. The report reveals that the ICO received almost 24,000 complaints and enquiries concerning personal data during this period. The Commissioner's call for a debate on the UK's "surveillance society" sparked two Parliamentary inquiries. The ICO has also prosecuted 16 individuals and organisations within this period.

The ICO has also dealt with 75% of the 6,000 complaints that it has received under the Freedom of Information Act 2000. 82% more decision notices were issued during this financial year than during the previous financial year.

1.3 News from the Courts

BBC loses privacy case regarding rights of documentary participants (T v BBC [2007] EWHC 1683 (QB))

The BBC has been ordered by the High Court to obscure the identity of a woman who consented to participate in a documentary about adoption, in order to protect her privacy. The woman, who suffers from a mental disorder, was held to be a vulnerable adult and therefore not capable of giving informed consent to participate in the programme, which depicts her last meeting with her two-year-old daughter before she was given to her adoptive parents. Mr Justice Eady said that the balance of issues weighed heavily in favour of the woman's right to privacy (under Article 8 of the European Convention on Human Rights) as opposed to the BBC's right to free speech.

Chester fraudster sentenced to 20 months in prison for bogus notification requests

A 37-year-old man from Chester was sentenced to 20 months in prison by Liverpool Crown Court for fraudulently obtaining over £400,000 from businesses in the region by pretending to be an agent of the ICO and requesting between £95 and £135 as a notification fee. He is also subject to further investigation and financial confiscation under the Proceeds of Crime Act.

JK Rowling loses privacy battle

JK Rowling and her husband (on behalf of their son David) lost a court battle over the publication of a photograph of their son which appeared in the Sunday Express magazine. They brought proceedings against the photographic agency Big Pictures (UK) and Express Newspapers for damages/an account of profits and sought an injunction to ban further publication of the photograph. They alleged breach of confidence, a violation of David's basic human right to privacy and the misuse of private information under the Data Protection Act 1998.

Mr Justice Nicholas Patten, in the High Court, dismissed the suit before it reached trial, saying that the legal action had no reasonable or realistic chance of success. He described the case as "unusual", and added that David was not alleged to have "suffered any personal distress" as a result of the picture being taken. Rowling and her husband were ordered to pay £40,000 interim costs to Big Pictures, pending the outcome of an appeal. A temporary ban has been placed on publication of the photograph until the appeal has taken place.

1.4 Miscellaneous

YouTube implicated in DPA breach

A pregnant woman published a video on YouTube showing a meeting that she had with social services personnel in which she and her husband were told that, although they posed "no immediate threat" to their child, the council would seek a court order once it was born that it go into foster care. Calderdale council accused the woman of breaching the DPA by recording the social workers "without their knowledge or consent" and publishing the video on YouTube. The council has also taken legal action against YouTube to have the video removed from the website. It has concerns that "because the case involves court proceedings, it could prejudice child protection and safeguarding outcomes".

The exemption in section 36 of the DPA (use for domestic purposes) is unlikely to apply because the video was published on the internet and made freely available.

Chinese Privacy Law will be introduced next year

In order to combat the recent rapid increase in the misuse of personal data, China is expected to introduce a national data protection law next year. The draft law, which is about to be submitted to the State Council Legal Affairs Office, sets out basic principles that organisations should follow when they are handling the personal information of individuals and contains penalties such as fines and/or imprisonment for anyone who breaches the law.

Privacy breach causes loss of personal data from Monster.com

US job-seeking website Monster.com suffered a theft of personal data when attackers broke into its website and stole the personal data of 1.3 million users. The attackers, pretending to be potential employers, then sent emails to job seekers requesting their bank account details. The emails also contained links leading to downloads of malicious software. This has reignited the debate over whether companies that are subject to data security breaches such as this should notify the relevant authorities.

2. European Community

Copland v United Kingdom

In the recent case of Copland v UK (62617/00 [2007] ECHR 253), the European Court of Human Rights in Strasbourg confirmed that employees' use of telephone, internet and email at work for personal purposes is included within the definition of "private life" and "correspondence" for the purposes of Article 8 of the European Convention on Human Rights.

The applicant in this case, Lynette Copland (a UK national), was employed in 1991 by Carmarthenshire College, a statutory body administered by the state. Ms Copland's telephone, email and internet usage at work was monitored for several months in order to ascertain whether she was making excessive use of the College facilities for personal purposes.

As Ms Copland had not been given any warning that she may be subject to monitoring, the Court held that she had a reasonable expectation as to the privacy of the telephone calls that she made, the internet sites that she visited and the emails that she sent at work. Accordingly, the College's actions amounted to an infringement of Ms Copland's Article 8 rights.

At the time of the monitoring in the late 1990s, there were no provisions, either in the College rules and policies or in domestic law, regulating the circumstances in which employers could monitor employees' telephone, email and internet usage. On that basis, the Court held that the College's interference with Ms Copland's Article 8 rights was not "in accordance with the law".

It is likely that the decision in this case would have been different if Ms Copland had been made aware of a lawful policy of monitoring telephone, email and internet usage at the College. Also, the Lawful Business Practice Regulations 2000 (made under the Regulation of Investigatory Powers Act 2000), which allow employers to monitor employees' communications subject to certain conditions, were not in force at the time of the acts complained of.

Article 29 Working Party Opinion re: SWIFT

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) is a Belgian-based cooperative owned by roughly 7,800 financial institutions in more than 200 countries. SWIFT facilitates the international transfer of funds between institutions and processes an average of 12 million messages daily relating to the financial transactions of EU and US citizens.

In June 2006, it was revealed that SWIFT had provided personal data relating to international banking transactions to the US Department of the Treasury (UST) since the end of 2001. Information was provided on the basis of subpoenas for terrorism investigation purposes but without prior notice to the customers involved. UST said the access was essential for its global drive to deprive suspected terrorists of funding sources.

On 27 September 2006 the Belgian data protection authority decided that the transfer by SWIFT of personal data to SWIFT's US operation centre was in breach of Belgian data protection laws. On 22 November 2006 the Article 29 Working Party adopted an Opinion on the processing of personal data by SWIFT, concluding that SWIFT and the financial institutions were jointly liable for the violation of the Data Protection Directive (95/46/EC) by transferring personal data "in a confidential, non-transparent and systematic manner for years." The Opinion concluded that SWIFT had violated EC data protection rules in two ways: (i) by transferring messages containing personal data about EU citizens to its US operation centre; and (ii) by disclosing the data to the UST in response to subpoenas.

In June 2007 the European Council received a letter from the US Secretary for the Treasury giving unilateral representations relating to the processing and protection of personal data subpoenaed by UST from SWIFT under the Terrorist Finance Tracking Programme (TFTP). The representations detail the controls and safeguards governing and handling the use and dissemination of data by the US authorities and take account of EU data protection concerns.

The representations comprise one of the three main components which will address SWIFT's infringement of European data protection legislation. As a second step SWIFT is in the final stages of discussion with US authorities regarding entry to the Safe Harbor scheme. This scheme provides for an adequate level of protection for data transfers from the EU to US organisations which have joined the scheme. As a third step SWIFT and the financial institutions which use its services are working to ensure that customers are properly informed that their data will be transferred to the US for commercial purposes and could be accessed by the UST under the TFTP.

Google amends privacy policy following Article 29 Working Party opinion

Google's ability to collect and join up data on its users has attracted attention from privacy activists this year. Concern has centred around Google's market dominance, the vast amount of data that it collects and its ability to share extracted data.

In response to pressure from the Article 29 Working Party, Google has changed its privacy policy twice in four months already this year. In June, Google announced that it would anonymise search data after 18 months so that data cannot be connected to users. The earlier concession to anonymise search data after an 18-24 month period did not "meet the requirements of the European data protection framework" according to the Working Party.

Google has also announced that it will shorten the life of cookies from 30 years to 2 years. Cookies will auto-delete after 2 years unless the user returns to a Google site within the 2-year period, prompting a reset of the time period. Internet users are free to delete cookies from their web browser manually at any time and can control which cookies from which websites are stored on their computers. However, Google's changes may not have assuaged the Working Party's concerns.

Other major search engines are reported to be following Google's lead in limiting the collection of information about web users and their searches. The Article 29 Working Party, while analysing Google's response to its criticism, has announced that it will review the privacy policies of other internet search engines and consider the data protection issues raised by search engines in general.

New Agreement on Airline Passenger Data Transfers to US

In May 2006 the European Court of Justice (ECJ) annulled the Decisions of the European Commission (on adequacy findings) and the European Council (on conclusion of agreement on PNR). The ECJ made its rulings on the basis that the legal grounds for both of the Decisions were incorrect. An interim agreement between EU and US then took effect with a deadline of 31 July 2007 for a comprehensive deal to be concluded.

The new agreement (the Agreement), which was formally endorsed by the Council of Ministers on 23 July 2007, came into force on 1 August 2007 and will be valid for 7 years. The Agreement is accompanied by an Exchange of Letters in which the US provides a set of assurances to the EU regarding the way in which PNR data will be handled and the EU confirms that on that basis the level of protection of PNR data is adequate.

As from 1 January 2008, EU airlines that have a system compatible with US technical requirements will be required to "push" relevant PNR data to the US. This replaces the previous "pull" system which allowed the US to access reservations systems to seek out the data it was looking for. However, the transition to a push system does not confer on the airlines the right to decide when, how or what data to push.

The key elements of the Agreement are set out below:

  • The number of data elements collected will be 19 instead of 34. However this reduction has been described as a largely cosmetic operation, resulting from merging and renaming data fields rather than actual deletions.
  • The data will only be used for the purpose of preventing and combating terrorism and related offences that are transnational in nature and it will only be shared with other US government agencies engaged in combating terrorism and related offences.
  • Sensitive personal data must be filtered and deleted unless accessed for an exceptional case. If so, the Commission will be informed that the data has been accessed.
  • Data will be retained in an active database for up to seven years, after which time the data will be moved to dormant, non-operational status for up to eight years.
  • The implementation of the Agreement and the Letter will be periodically reviewed.
  • The US has made a policy decision to extend the access and redress mechanisms to all people irrespective of citizenship and country of residence.

Article 29 Working Party Opinion on "personal data"

The Article 29 Data Protection Working Party issued a non-binding opinion on the concept of "personal data" on 20 June 2007. Its objective is to set out common ground amongst Member States regarding the concept of "personal data". It also makes suggestions on how the Data Protection Directive 95/46/EC can be applied at a national level throughout the EU.

The Working Party interprets "information" widely in contrast to the approach adopted in the Durant case and, in particular, states that information may relate to an individual even if the individual is not the focus. The Working Party adopts a three-pronged approach to deciding whether information relates to an individual or not. The information must be looked at from the point of view of "content", "purpose" and "result". Only one of these three elements must be present when deciding whether or not data relates to an individual.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.