Article 2(b) of Directive 95/46/EC determines that “processing of personal data (processing) shall mean any operation or set of operations which is performed upon personal data, whether or not by automatic means...”  The definition of processing is neutral as to the technology, because it is so basic – it is meant to define the scope of the Directive, rather than identify the specifics of the technology. Once the processing is in the framework, because it is “automatic”, the technology issue falls away. The UK DPA specifies equipment operating automatically in response to instructions for that purpose, envisaging a person issuing instructions to the equipment, while at the same time pursuing the purposes listed elsewhere in the Act. This is a MS-DOS picture of interacting with a computer, if you can remember that.  In which case, how, within the data protection framework, do you deal with problems arising from the new technologies?  One answer … Continue Reading ››
The Romanian government is preparing to implement the national health insurance electronic cards. Although the details in respect to such system are not yet available at least on a public level, it has been promised by government officials that the first electronic cards will be provided to individuals in January 2011.  To this end, the Romanian Government issued in September 2010 a decision by which the state owned National Printing Company is designated as the entity which will produce the national cards. The electronic cards shall contain at least the following personal data: identification data, personal numerical code, the number of requested medical services, medical diagnostics presenting vital risks, RH and blood type.  Despite the above mentioned public announcements, the national data privacy authority has not been yet requested to issue its opinion in respect to the system implied by the above mentioned project. The opinion of the national data privacy authority … Continue Reading ››
Can an individual withdraw its consent for processing personal data? If yes, how it can be done? Are data controllers ready for such option? All these questions became very topical upon adoption of amendment to the Polish data protection regulations. The main Polish regulations regarding processing of personal data are contained in the Personal Data Protection Act of 1997 (hereinafter: PDPA) that implements Directive 95/46 into Polish law. Generally, personal data is processed on the basis of consent given to data controllers by the person whose data are processed. Hence, rules regarding consent are crucial for all those who are involved in data processing. The latest amendment to the PDPA provides a small but significant change to the existing regulations. As such it is certainly worthy of blog subscribers’ attention. Until now, one of the main controversies related to the issue of consent under PDPA was connected with the possibility of withdrawing … Continue Reading ››
Last month Datonomy reported that objections by the Republic of Ireland had delayed completion of a data adequacy agreement between Israel and the EU (see Datonomy post "Irish politicking delays Israeli EU Data Protection Deal"). However, reports in the press this week (see the article in Israel's Jerusalem Post newspaper at http://www.jpost.com/International/Article.aspx?id=192913) seem to suggest that on 25 October 2010 the EU formally approved the adequacy of Israel's "Privacy Act" despite Irish reservations. Datonomy has been unable to locate any official EU source confirming this development. [Ed - are any of our readers able to point to an official EU statement?] EU approval elevates Israel to an elite group of countries whom the EU deems have sufficiently adequate data protection laws, until this announcement that group included only Argentina, Canada, Guernsey, the Isle of Man, Jersey, Switzerland and the Faroe Islands. If confirmed, Israel's data adequacy agreement with the EU is … Continue Reading ››
The Information Commissioner's Office is considering flexing its enforcement powers in relation to Google's inadvertent collection of "pay-load" data from WiFi networks.  Datonomy was surprised that the ICO's initial report in July took a very lenient view of the issue.  The ICO described its approach at the time as "responsible and proportionate"; others described it as "farcical".  Possibly egged on by its counterparts in Germany, Spain and the Czech Republic to name but a few, the ICO yesterday released this statement: "Earlier this year the ICO visited Google's premises to make a preliminary assessment of the "pay-load" data it advertently collected whilst developing Google Street View. Whilst the information we saw at the time did not include meaningful personal details that could be linked to an identifiable person, we have continued to liaise with, and await findings of, the investigations carried out by our international counterparts. "Now that … Continue Reading ››
Bad privacy press has been plaguing Facebook for some time. The bad news for Mark Zuckerberg this week was delivered in the form of a Wall Street Journal reportwhich claimed that some of the most popular third party apps on Facebook have been transmitting users' personal data to advertising companies and data brokers in breach of Facebook's developer policy.  The WSJ reported some of the most popular applications, including Farmville (which has a whopping 59 million users), Frontierville and Texas HoldEm Poker were making available the unique Facebook user identifications (UIDs) to 25 advertising and data companies, and some transferred information relating to users' friends.  This was even possible where the user had made the information in their profile private.  The Facebook UIDs can be used to retrieve a Facebook user's real name and any information on their profile to which access was not restricted by that user's privacy … Continue Reading ››
The guardian newspaper's technology blog today reported the rather shocking statistic, (obtained from research conducted by mobile and forensics experts Disklabs) that 50% of second hand mobile phones offered for sale still contain personal data from their previous owner (see link to the article below). http://www.guardian.co.uk/technology/2010/oct/12/mobile-phones-personal-data Of the 50 handsets bought from resellers on eBay researchers found porn on nine of the devices, while video and calendar information were also still on nine handsets. Personal security information, including home address, credit card numbers and pin numbers were on 26 of the handsets. Simon Steggles, director of Disklabs labelled consumers naive in their approach to personal data - "The worst thing a consumer can do is hope or assume that the person buying the phone will remove the data," said Steggles, "Any data left on the phone is effectively open to the public domain. That could be as varied as intimate photos, videos and text messages … … Continue Reading ››