The EDPS has been at it again. Only a couple of days ago, the online Official Journal of the European Union was resonating to the exciting buzz of the Opinion of the European Data Protection Supervisor on the proposal for a Regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, and on the proposal for a Council Decision conferring upon the Agency established by Regulation XX tasks regarding the operational management of SIS II and VIS in application of Title VI of the EU Treaty. Apart from having some specific and highly constructive comments regarding the content of the proposals, and suggesting that the two be merged into a single legislative implement, the EDPS also doubts the purported legal basis upon which they are made under Europe's new … Continue Reading ››
The purpose specification or limitation principle is often thought to offer significant (or some) protection to data subjects; and the provision of consent is, among other things, to specified processing. But what does it all amount to, on examination?

In the most general terms, meaningful human action must take place in a reason bound or purposive framework. It isn’t possible to act without a reason, purpose or intention. So the data protection requirement cannot be saying that organisations (to put it a bit crudely) must always act with a purpose or intention and avoid doing otherwise. But it seems to me that the principle as currently formulated derives its sense from the possibility of excluding a non-purpose.

It follows then, that one purpose is just as good as another, when it comes to specifying a purpose, and no purpose, narrow or wide, is excluded. Any purpose will do, … Continue Reading ››
It's not often that Datonomy has much to report from Ghana, but the splendidly-named My Joy Online reports that the country's Communications Minister Haruna Iddrisu has announced that his government has decided to enact the Data Protection Bill by the end of this year. This, he said, would give security to all personal data, including those related to mobile telephony. The Minister also discussed prospects for enhancing the security of electronic money transfer services and the portability of mobile phone numbers.
A recast version of the Opinion of the European Data Protection Supervisor on the proposal for a Council Regulation on administrative cooperation and combating fraud in the field of value added tax appears on today's online version of the European Union's Official Journal. So what does the EDPS say about the proposal? While, like all good citizens, he and his office are opposed to VAT fraud, is the proposal acceptable in data protection terms?

Broadly speaking, the proposal is not quite as DP-friendly as it might be. Concludes the EDPS's report:

"60. The EDPS is aware of the importance of enhancing the effectiveness of measures against cross-border fraud and of achieving better collection of VAT in cross-border
situations. The EDPS furthermore acknowledges that in order to achieve these purposes it is inevitable that personal data are processed. The EDPS underlines
however that the … Continue Reading ››

One of the most tricky questions for data protection practitioners advising clients in commercial deals which involve the transfer of personal data can be identifying whether the receiving entity is a joint "data controller" or a mere "data processor" in a given scenario.

In complex 21st century transactions, involving technology platforms not envisaged by the late 20th century legislators, the line between a controller and processor may not be as clear cut as it was when the legislation was conceived.



However, as Datonomy readers will know, the distinction is of critical practical importance; it will determine what contractual obligations the transferring entity needs to impose on the recipient, in the case of transfers outside the EEA it will determine which set of model contracts should be used, and in liability terms, the buck will always stop with the data controller, … Continue Reading ››
As previously posted, the power to serve assessment notices and audit will come into force in April. Initially the powers will only apply to public sector bodies, but the new legislation provides for the powers to extend to private sector data controllers. The new code of practice will be published on 6 April 2010 at the same time as the ICO's extended audit powers in relation to data protection enter into force. The draft code sets out the audit process from start to finish and clarifies when and how assessment notices will be used.
The draft code provides for two forms of audit, a voluntary or consensual audit and a compulsory audit. Assessment notices only apply in relation to the compulsory audit and will be issued when a data controller declines an audit. The ICO's decision as to whether or not an organisation needs an audit will be based on … Continue Reading ››
Yesterday's International Law Office carries an article, "Data Protection Board issues new tax data processing decision" by Sakari Aalto (Roschier Attorneys Ltd, Helsinki). This discusses the Board's ruling in a matter involving a publication, Veropörssi ('Tax Exchange'), which was remitted to it by the Supreme Administrative Court. The happy ending, if you are a tax payer, is that the Board has now complied with the demands of the data protection ombudsman, ordering Veropörssi's publishers Satakunnan Markkinapörssi Oy and Satamedia Oy to stop processing and publishing tax data from relating to individuals and which had been collected from the tax authorities.

Together with Satamedia (a related company), Markkinapörssi had signed an agreement with a telephone operator to put in place a pay-for text message service which would enable mobile telephone users to receive information published in Veropörssi. According to the Board, only tax … Continue Reading ››