The 32nd International Conference of Data Protection and Privacy Commissioners met in Jerusalem in October, where the working theme was Privacy: Generations – the New Generations of Technologies, Users and Governance. It’s a nice idea, Generations, if question-begging, because after all the problem is the nature and degree of the changes and the transitions we are currently facing. Another difficulty with the Generational approach is that the Directive has a rather different model of the relationship between users and technology – which it conceives of as master and servant. As Recital 2 puts it “Whereas data-processing systems are designed to serve man..”. The idea of the technology as a servant is more or less compatible with the idea of it being neutral, because the servant follows commands and doesn’t think. The Directive pictures the technology as an obedient neutral clerk, as pure means. This leaves the data controller and data subject …
Although the UK's Information Commissioner handed out monetary penalties for serious breaches of the Data Protection Act for the first time this week, a new survey has suggested that UK consumers support even tougher sanctions for organisations that are guilty of losing personal data. In a poll of 5000 consumers, conducted for LogRhythm by OnePoll, 62 percent of consumers felt that organisations should receive large fines for data loss with 31 percent going as far as to suggest company directors should be subject to criminal proceedings. Further information about the survey and its findings can be found at the following URL: http://www.logrhythm.com/Company/PressReleases/UKsupportscompulsorydatalossdisclosure.aspx
The UK's Information Commissioner has today announced that it has imposed the first monetary penalties for serious breaches of the Data Protection Act. The Commissioner's powers to impose fines of up to £500,000 went live on 6 April 2010, as reported in our previous post here. The circumstances in which fines may be issued and the factors which will influence the ICO's exercise of its powers are set out here. Since then, privacy pundits and data controllers alike have been waiting with bated breath to see who would be the first to incur the new fines. On this occasion, the ICO has chosen to make an example of organisations in both the public and private sector. In the public sector "category", a fine of £100,000 goes to Hertfordshire County Council for two incidents involving the faxing of highly sensitive details of child abuse matters and care …
On 3 June 2010, the European Commission warned Finland that the Finnish Data Protection Law may infringe the Data Protection Directive (Directive 95/46/EC) because it does not protect personal tax information published in the media. This will lead to an amendment of the Finnish Personal Data Act in the near future. The Commission referred to the case considered by the European Court of Justice (ECJ) and the Supreme Administrative Court of Finland, where a company had annually published the tax data of 1.2 million persons in a local newspaper and transferred such data to another company on a CD to be processed in connection with a chargeable SMS service. Section 2.4 of the Finnish Personal Data Act states that the Act does not apply to personal data files containing, solely and in unaltered form, data that has been published by the media. Additionally, according to Section 2.5 of the Personal Data Act, …
Austria is not the only EU Member State in trouble with the European Commission. Following last week's post by Datonomy's Austrian correspondent, the UK Government has responded to the Commission's recent censure by publishing proposals to tighten up rules on the interception of Internet and email communications. At the end of September, the European Commission referred the UK to the ECJ over failure to fully implement EU rules on the confidentiality of Internet and email communications (see the 7 October post by Gemma) and this week the Home Office published its proposals for closing the relevant loopholes in the UK statute book. Regular readers of Datonomy will recall that this debacle dates back to early 2009 and was triggered by concerns about the privacy issues raised by the online behavioural advertising service Phorm. To recap, the Commission identified a mismatch between certain requirements of the ePrivacy Directive and the UK's …
On 28 October 2010, the European Commission decided to refer Austria to the Court of Justice for its lack of an independent data protection authority (see press release IP/10/1430). The Commission deemed that provisions setting up the so-called Data Protection Commission (Datenschutzkommission) do not conform to EU rules, which require Member States to establish a completely independent supervisory body to monitor the application of Directive 95/46/EC ("Data Protection Directive"). Even though the Austrian Data Protection Act 2000 (Datenschutzgesetz 2000) sets forth that the members of the Data Protection Commission shall be "independent and not bound by instructions in the exercise of their duties", the Commission considers that “complete independence,” as required under Article 28 para 1 of the Data Protection Directive, is not guaranteed. The Commission alleges that the Data Protection Commission remains under the supervision of the Federal Chancellor because it is integrated into the Chancellery in terms of its organisation and staff …
Article 2(b) of Directive 95/46/EC determines that “processing of personal data (processing) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means...” The definition of processing is neutral as to the technology, because it is so basic – it is meant to define the scope of the Directive, rather than identify the specifics of the technology. Once the processing is in the framework, because it is “automatic”, the technology issue falls away. The UK DPA specifies equipment operating automatically in response to instructions for that purpose, envisaging a person issuing instructions to the equipment, while at the same time pursuing the purposes listed elsewhere in the Act. This is an MS-DOS picture of interacting with a computer, if you can remember that. In which case, how, within the data protection framework, do you deal with problems arising from the new technologies? One answer …