Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide [1998] PLBIRp 2; (1998) 44 Privacy Laws and Business International Report 2

Privacy News

British Gas to change policy due to tribunal decision

The UK Data Protection Tribunal has issued a notice to British Gas Trading Limited (BGTL) preventing the company using customers’ personal data for the marketing of non-gas related services without the data subjects’ consent. The Tribunal notice, issued on 7th May, resulted from the Data Protection Registrar’s enforcement notice in July 1997.

The Registrar accused BGTL of unfairly processing personal data for direct mailing campaigns promoting services completely unrelated to gas supply. It was unlawful to use personal data of customer relationships which began when British Gas was a monopoly. The customers had had no choice but to provide personal data if they needed the gas supply.

The company had sent a leaflet to its customers prior to mailing the advertising materials on non-gas related products and services. In the leaflet, the company requested that those who did not wish to receive any advertisements should respond. The Registrar’s response was that the leaflet was insufficient to establish whether customers consented to direct marketing. The leaflet produced 100 complaints, the highest number of complaints received on any one issue.

The Tribunal concluded that BGTL has processed data unfairly. Individuals’ consent will now be required for the marketing of non- gas products except when offering electricity supply. Consent may not be inferred from the failure to respond to a leaflet or other document offering the opportunity to opt out. No distinction will be drawn between new customers and those whose customer relationship was started with the monopoly. The Tribunal also considered that BGTL had contravened data protection principles 2 and 3 by holding personal data for the purpose of debt collection. This had involved unlawful disclosure of data, and use of data for a non-registered purpose.

The Registrar is now considering the implications of the decision for other utility companies. Later this summer she intends to revise the guidance given to utility companies on the use of customer data.

The tribunal decision is available on the Registrar’s web-site www.open.gov.uk/dpr/dprhome.htm. The final form of the enforcement notice, as approved by the Tribunal on 5th May, is available at the

same address.

Finland to legislate on workers’ data

Finland is preparing a specific law on the protection of employees’ personal data. The proposals are

expected to become a law at the same time, 24th October, as the new data protection law implementing the EU Data Protection Directive. A separate law was proposed as it was thought that the new general data law will not provide for strong enough protection for individuals in the workplace.

The law would impose a ban on genetic testing. The tests are sometimes used by companies to find out whether potential employees run a risk of having certain diseases because of their genetic inheritance. If the ban

becomes a reality, such tests could be authorised by the Data Protection Authority to be carried out only in exceptional circumstances.

New threats to privacy

A recent paper by Professor Peter Blume of Copenhagen University concentrates on new threats to privacy. The paper gives an overview of the challenges that new technologies pose to privacy protection, and suggests some solutions.

The paper proposes that E-mail should be treated as ordinary mail, and that programmes enabling searches on individuals on the Internet should be banned.

Professor Blume also draws attention to the privacy threats of the Schengen and Europol conventions, and the implementation of the EU Data Protection Directive. He thinks that implementation may not guarantee the same level of data protection across the Member States.

Professor Peter Blume’s paper is available from the Institute of Legal Science, Copenhagen University, Studiegå rden 6, Studiestraede,

DK-1455, Copenhagen K, Denmark, Fax: +45 35 32 32 01. Price £2..00.

US consults on

Internet privacy

The US National Telecommun- ications and Information Administration (NTIA), Department of Commerce, is currently carrying out a public consultation on Internet privacy. Comments were sought by

5th July on various aspects, including the effectiveness of self-regulation. The consultation is helping the Commerce Department in its obligation to report to the President on the functioning of self-regulation. The Clinton administration supports private sector efforts to develop a privacy-friendly, self-regulatory Internet environment, but seeks comments on when government

action may be necessary.

Responses to the consultation will be posted on the NTIA website at www.ntia.doc.gov.

Directory of privacy professionals

Privacy Journal has published an updated version of the Directory for Privacy Professionals (PL&B Dec

’97 p18). It includes contact details of privacy organisations and individuals in the privacy field in the USA.

The 65-page directory, published in April, costs $16.50. It can be ordered from Privacy Journal, PO Box 28577, Providence RI 02908, USA,

e-mail: 5101719@mcimail.com.

American Express denies accusations of selling personal data

American Express claims that the news stories about its consumer privacy practices published in the USA at the beginning of May are incorrect. For example, USA Today allegedly reported that American Express was planning to sell detailed information about its customers to KnowledgeBase Marketing. American Express has issued a statement saying that the company does not sell or provide information on transactions to any third party. For the purpose of its own direct marketing campaigns, the company notifies card holders annually, offer- ing them the possibility of an opt- out.

UK government explains transitional provisions The UK Data Protection Bill’s transitional provisions include special arrangements for “processing already under way” immediately before 24th October. Basically, virtually all automated data currently processed would be exempt from most new provisions until

23/10/2001. Manual data falling into this category would be exempt until 23/10/2007.

There has been a great deal of confusion about what kind of processing is meant by "processing already under way.” The Government provided the House of Lords with a written answer on the

14th May, which clarified that the expression includes, among other things, amendments to existing personal data, the addition of personal data on existing data subjects, the addition of personal data on new data subjects, and essential programme and software changes to enable such processing to continue.

Council of Europe drafts guidelines for Internet use The Council of Europe has published draft guidelines which it would like to see included in codes of conduct for users and Internet Service Providers. The draft guidelines, prepared by the Project Group on Data Protection and made public on 12th May, explain in simple language how to apply common data protection principles to the Internet environment, and how users can themselves protect their privacy.

It is proposed that service providers should inform users of privacy risks related to the use of the Internet before they start using services. Providers should also provide information on the privacy enhancing technologies available, and design their systems to be privacy friendly. Some of the recommendations reflect the

forthcoming implementation of the EU’s General and Telecommun- ications Data Protection Directives. For example, direct marketing should be stopped if consumers, after having been consulted, object to receiving such communications. When sensitive data is processed, explicit consent is required.

The text was prepared in co- operation with the European Commission. Following the current public consultation, the text will be submitted to the Project Group on Data Protection in October, and after- wards to the Committee of Ministers for adoption. It is expected that the guidelines will be the first step towards an international agreement on privacy protection on the Internet.

The draft guidelines for Protecting Privacy on the Internet are available at www.coe.fr/dataprotection.

UK Registrar publishes guidance for the finance sector

The Office of the UK Data

Protection Registrar has issued a series of guidance notes on data protection related to the marketing and selling of financial products through intermediaries. Advice is provided specifically for insurance brokers, independent financial advisers, credit brokers, appointed representatives and tied agents of insurance companies. These guidance notes, published in March, will be followed by a paper on the collection and use of personal data obtained from confidential client questionnaires.

The guidance notes are available free of charge by sending a fax to

+44 (0)1625 524510. The documents are also available on the Registrar’s web-site at www.open.gov.uk/dpr/ dprhome.htm.

UK consultation on privacy protection in telecommunications

The Department of Trade and Industry plans to issue draft regulations on the implementation of the Telecommunications Data Protection Directive (97/66/EC) in July. The first part of the public

consultation was carried out by 1st of June. The second part will provide an opportunity to comment on the draft regulations.

The text should be available

in July and can be obtained by faxing a request to the DTI

on Tel: +44 (0)171 215 4161.

Ontario appoints Cavoukian as Commissioner

Dr Ann Cavoukian has been appointed as the Ontario Information and Privacy Commissioner. The appointment was expected as Dr Cavoukian has just completed two six-month terms as interim Commissioner. She has served the Commission since 1987, first as Director of Compliance and then as Assistant Commissioner from 1990 onwards. Dr Cavoukian’s five-year term as Commissioner starts on 1st July.