Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide European Union, Germany, Japan, Sweden, United Kingdom, United States [1999] PLBIRp 24; (1999) 49 Privacy Laws and Business International Report 2

Privacy News

UK draft telecoms regulations ready

The UK Department of Trade and Industry (DTI) published, on 11th June, the draft Telecommunications Regulations implementing the Telecoms Data Protection Directive 97/66/EC. The draft Regulations deal with data protection and privacy in the telecommunications sector. They will be laid before Parliament so that the coming into force date coincides with the coming into force of the Data Protection Act 1998.

The part of the directive which has already been implemented on 1st May, namely the provisions relating to unsolicited marketing calls and faxes (PL&B Feb' 99, p. 21), will be revoked by the new Regulations. However, the substance will not change. Organisations must receive individuals' consent before sending unsolicited direct marketing faxes. Individuals can also opt-out from receiving direct marketing calls.

The rest of the draft Regulations, which have been amended in light of the consultation responses, deal with traffic and billing data, calling line identification and public directories of subscribers. Organisations need to be aware that once the regulations have been implemented, the processing of traffic and billing data is limited to what is necessary for efficient management of the telecoms system, customer enquiries, billing and the detection of fraud. However, the most important part of the regulation from the data protection point of view is that on direct marketing, as it affects most organisations.

The draft Regulations are available on the Internet at http://www.dti.gov.uk/cii/tdpd/regs2/si.html, or from the Department of Trade and Industry, tel: + 44 (0)171 215 1806, fax: + 44 (0)171 215 1800, e-mail: tdpd@ciid.dti.gov.uk.

Agreement on electronic signatures directive

The European Council accepted, on 22nd April, a proposal for a directive on a common framework for electronic signatures.

The directive will facilitate the use and recognition of electronic signatures across the European Union (PL&B July '98, p. 14).

Electronic signatures are needed for verification and authentication in online transactions and communications. The proposed directive will also regulate the use of trusted third parties. The proposal will be submitted to the European Parliament in the summer for the second reading before official adoption.

Once adopted, the text of the directive will be available on the Internet at http://europa.eu.int/comm/dg15/en/media/sign/index.htm

Cookie files have to be disclosed in Sweden

A Swedish Court has decided, on 14th May, that files of cookies are official documents. The information that cookies collect from Internet users, for example the sites visited, can provide detailed profiles of visitors for companies' and organisations' use.

This type of information has been requested in the past from government agencies by Swedish journalists, who are normally entitled to access to public documents due to strong Freedom of Information legislation. Now these agencies will have to release their cookies files.

President Clinton announces new privacy initiative

President Bill Clinton announced, on 4th May, a Financial Privacy and Consumer Protection Initiative aimed at protecting consumers' financial information against data mining and fraud.

While the United States adopted, in October 1998, a law to combat identity theft and consumer fraud (PL&B Feb '99, p.21), the law is now being backed up by the Treasury and Justice Departments, which will give higher priority to investigating these cases. Fighting Internet fraud will also receive more attention; the Justice Department will set up a national tracking centre.

Importantly, the President regards that, in order to enhance financial privacy, medical records also need to be protected. "With the growing number of mergers between insurance companies and banks, lenders potentially can gain access to the private medical information contained in insurance forms. So we propose to severely restrict the sharing of medical information within financial services conglomerates," he said.

New survey on US companies' privacy practices

A web sweep, undertaken by Georgetown University, shows that nearly 66% of US companies now display some kind of privacy statement on their websites. The industry-funded survey, which was released in May, is based on visiting 364 commercial US-based websites.

The results are promising considering that a survey, conducted in 1998, showed that only 14% of the sites had a privacy policy statement. However, the results of these two surveys are not directly comparable due to different sampling techniques.

The current survey serves as a progress report to the Federal Trade Commission, which has been encouraging companies to adopt privacy statements. The underlying reason for many companies in the US to improve online privacy is to avoid the introduction of privacy legislation.

The text of the current survey is available on the Internet at http://www.msb.edu/faculty/culnanm/gippshome.html. More information is available from Professor Mary J. Culnan, Project Director, The McDonough School of Business, e-mail: culnanm@msb.edu

Emerging Software Agents threaten privacy

The Privacy Commissioners of Ontario and the Netherlands demand that privacy considerations are taken into account when designing the technologies for Intelligent Software Agents. These agents are software programmes which are designed to complete tasks on websites on behalf of their user, but without any direct input or supervision.

The agents that are currently in use include, for example, smart Internet search engines and World Wide Web cookies. It is predicted that these kind of agents will be part of our every-day life in the future, as agents can be used to facilitate the delivery of Internet services to consumers, such as ordering goods online.

As using these services often requires releasing personal data, for example, address details for the delivery of goods, companies can easily build consumer profiles of all the information they can find online about an individual.

The Privacy Commissioners say that these agents could present a significant threat to privacy, as they will possess a wealth of personal data. The lack of direct supervision by the user may cause the user to lose control over the use of his personal data.

In order to use intelligent software agents in a secure and privacy-friendly way, the Commissioners recommend the use of privacy enhancing technologies such as an identity protector. An identity protector can be placed between the user and the agent, preventing the agent from collecting any personal data without prior consent from the user.

Also, a special privacy software agent could be developed to enable individuals to protect themselves against privacy intrusions.

The Privacy Commissioners of Canada and the Netherlands present these views in a study entitled Intelligent Software Agents - "Turning a Privacy Threat into a Privacy Protector." The main authors of the study are: J.J. Borking, B.M.A van Eck and P. Siepel. The study was published in April by the Information and Privacy Commissioner of Ontario, Canada, and the Netherlands' Data Protection Authority. The full text of the report is available on the Internet at: http://www.ipc.on.ca/WEB_SITE.ENG/MATTERS/SUM_PAP/PAPERS/isat.htm

Japan adopts Freedom of Information Act

Japan will soon grant access to documents prepared by Government agencies, reports the Japan Times. The Freedom of Information Act, adopted on 7th May, will come into force in April 2001. According to Japan Times, "the law allows individuals, Japanese or foreign, to examine administrative information upon request, including data that has been recorded on magnetic tape, floppy disk or any other electronic medium." Many local governments in Japan already allow access to their documents.

For more information on the Japanese FOI Act, see the website of Japan Times at http://www. japantimes.co.jp/news/news5-99/news5-7.html

Freedom of Information bibliography now available

The United Kingdom's Advisory Group on Openness in the Public Sector has produced a comprehensive list of literature and other texts on freedom of information issues. The bibliography is divided into five parts under the following headings: UK, European experience, Freedom of Information in other similar jurisdictions (New Zealand, USA, Canada, Australia, Ireland), cultural change and large organisations and Internet sites. Each section gives details of both official publications and other works. The Advisory Group, which was established in March to facilitate the introduction of freedom of information legislation in the UK, is chaired by the Home Office Minister, Lord Williams.

The group welcomes suggestions for amendments to the list; contact Cliff Johnrose, Advisory Group Secretariat, Freedom of Information Unit, Home Office, 50 Queen Anne's Gate, London SW1H 9AT Tel: + 44 (0)171 273 3602, e-mail advisory_group.ho@gtnet.gov.uk The bibliography, dated 19th May, is available at http://www.homeoffice.gov.uk/foi/survey.htm

DGXV upgrades its website

The Directorate which is responsible for data protection in the European Commission, DGXV, has updated its website at http://europa. eu.int/comm/dg15. New features include Single Market News (a newsletter of DGXV), an alphabetical index of the site's contents and more language options. Most importantly, the site includes links to all recommendations and opinions by the EU Data Protection Working Party (p. 16), which advises the Commission on implementation issues surrounding the EU Data Protection Directive.

Germany's Annual Report asks for consumer awareness

The German Federal Data Protection Authority has published its Annual Report for 1997-98. The report, which was presented to the Parliament on 4th May, calls for improvements to data protection in the private sector, and consumer awareness - individuals are encouraged to take responsibility for their personal data by considering carefully before releasing any data. This applies particularly on the Internet. The Commission hopes that an internationally binding agreement will be made soon. The OECD's privacy conference in Ottawa in October 1998 is seen as the first step in this direction. The Commissioner also stresses the need to adopt regulations on video surveillance (PL&B Dec '98, p.23). Although Germany has regulated police video surveillance, it is not clear in which circumstances surveillance is legal in private properties.

A press release, which summarises the report (in German), is available on the Internet at http://www.bfd.bund.de/aktuelles. The whole document is available from the Data Protection Commissioner's office (contact details on page 23).

UK publishes draft secondary legislation

Some of the secondary legislation (p. 14) for the UK Data Protection Act 1998 has been published in draft form (on 11th May and 13th July). The first nine of the 19 instruments needed are now awaiting to be laid before Parliament.

The Subject Access Modification (Education) Order applies to education records, and provides a partial exemption from the subject access provisions.

The Subject Access Modification (Social Work) Order principally applies to (1) data processed by local authorities in relation to their social services and education welfare functions, (2) health authorities to whom such data are passed, (3) probation committees and (4) the National Society for the Prevention of Cruelty to Children. The Order provides a partial exemption from the subject access provisions for certain data.

The Miscellaneous Subject Access Exemptions Order provides certain exemptions from data subjects' access rights. The data which are exempt include: human fertilisation and embryology information in the UK, information contained in adoption and parental order records, and reports and statements of the special educational needs of children.

The Crown Appointments Order exempts certain processing from the subject access provisions, i.e. processing for the purposes of assessing any person's suitability for certain offices to which appointments are made by the Queen (such as Archbishops in the Church of England).

The Functions of Designated Authority Order defines the Data Protection Commissioner's functions with regard to foreign data protection authorities. The Commissioner must provide information on request, and also assist persons resident outside the UK in exercising their rights. There is also another order on international co-operation.

The Fees under section 19(7) Order proposes that the fee to the public for the supply of a duly certified copy of a register entry is £2.

The Subject Access Fees Order provides that the maximum fee which a data controller may charge is £10, apart from requests for credit reference information, where the maximum fee is £2. The maximum fee for subject access requests relating to health records is £50.

The Designated Codes of Practice Order provides that compliance with certain media codes may be taken into account when determining whether the publication is in the public interest, as described in the Data Protection Act 1998.

The draft instruments are available on the Home Office website at http://www.homeoffice.gov.uk.

Most Europeans will disclose personal data for benefits

More than half of the European consumers surveyed are happy for companies to use their personal data if they receive more personal service in return. The results of a survey, commissioned by NCR Corporation suggest that consumers in the UK, France, Germany, Italy, the Netherlands and Spain are willing to disclose personal data if they receive discounts and loyalty points. This seems to be the case especially with the under 25-year olds. However, the Dutch are more concerned about the use of personal data: only one in four consumers want their personal data to be used to offer them more personal service.

On the other hand, the survey reveals that a quarter of European consumers interviewed believe that companies do not respect their privacy, or give a fair opportunity to opt-out from direct marketing. Mark Hurd, Senior Vice President of NCR's National Accounts Solutions Group, said that the message from consumers is clear. "Consumers are telling us that the privacy issue is a serious one."

The survey is based on interviews conducted in the above mentioned countries in April. NCR's interest in consumer attitudes stems from its core business: providing data warehousing solutions for marketers.

The survey, published on 26th April, is available on the Internet at http://www3.ncr.com/press_release/pr042699e.html

Transatlantic business group supports Safe Harbour

A group of European and American businesses, the Transatlantic Business Dialogue (TABD) has indicated its support for the proposed Safe Harbour Principles which seek to ensure an adequate level of data protection in the United States (PL&B May '99, p.13, Feb' 99, p.15).

The group, formed in 1995 to facilitate trade between Europe and the US, released its Mid- Year Report on 10th May. With regard to data protection, the report recommends avoiding over-regulation, implementing the EU Directive in a flexible way, promoting third party audits and codes of conduct.

The report states that the US industry favours the OECD 1980 Guidelines as the benchmark for the EU-US Safe Harbour discussions. The US industry will further promote contractual solutions on the question of transborder data flows. In addition, industry will oppose any attempt to codify the EU Data Protection Directive into ISSS/CEN technical standards.

An executive summary of the report is available at http://www.tabd.com. Contact TABD EU office at 115 Rue Froissard, 1040 Brussels, Belgium, Tel: + 32 2 231 1728, Fax: + 32 2 231 0254, or the US office at 1401 H Street, NW, Washington D.C 20006, United States, Tel: + 1 202 414 1298, Fax: + 1 202 414 1217.

Privacy and interception of telecommunications

The EU Data Protection Working Party (p. 16) adopted, on 3rd May, a Recommendation on respecting privacy in the context of interception of telecommunications including telephone calls, e-mail, faxes and the Internet.

The Working Party expresses its concern about the European Council Resolution of 17th January 1995, which is currently being revised. The Council hopes to develop technical measures for intercepting telecommunications jointly with states which are not subject to the European Convention of Human Rights and the EU Data Protection Directive.

The Working Party stresses that using the most advanced techniques of interception must not lead to lowering the level of confidentiality of communication and the protection of privacy of individuals.

The Recommendation 2/99 is available on DGXV's website at http://www.europa.eu.int/comm/ dg15/en/index.htm (look under "Documents adopted by the Data Protection Working Party").

New Commissioner for British Columbia, Canada

From August 1st, David Loukidelis succeeds Dr David Flaherty as BC's Information & Privacy Commissioner for a six year non-renewable term. He is a lawyer in private practice and an open government advocate.