Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide: European Union, Hungary, United Kingdom, Portugal, Canada, United States, Finland, Netherlands [1999] PLBIRp 37; (1999) 50 Privacy Laws and Business International Report 2

Privacy News

EU Commission tired of waiting for Directive's implementation

The European Commission decided, at the end of July, to send reasoned opinions to France, Luxembourg, the Netherlands, Germany, the United Kingdom, Ireland, Denmark, Spain and Austria for failing to implement the EU Data Protection Directive in time. The reasoned opinions are part of formal infringement proceedings. Unless the Member States provide a satisfactory response within two months, the Commission may resort to referring the cases to the European Court of Justice.

The deadline for implementing the Data Protection Directive was 24th October 1998. Only Greece, Portugal, Sweden, Italy, Belgium and Finland have so far implemented the Directive in full. Denmark has partially implemented the Directive. The United Kingdom has adopted a new Act to implement the Directive, but still needs to adopt secondary legislation before the new law is in force. The UK has announced that the commencement date for the new law will be 1st March 2000.

Organisations need to remember that, as a result of the direct effect of the Directive, individuals in any EU Member State are entitled to new rights under the Directive, and can in some cases seek compensation, even if the national legislation is not yet in place.

Recommendation on Hungary's adequacy

The EU Data Protection Working Party recommends that Hungary should be included in those countries offering an adequate level of data protection. The need for adequacy stems from a prohibition in the EU Data Protection Directive of the transfer of personal data to countries outside the European Economic Area (see pp. 3-4).

The recommendation, published on 7th September, has been submitted to the European Commission, which will make the final decision regarding the matter.

The text can be found on the Internet at http://europa.eu.int/comm/dg15.

Elizabeth France reappointed as Registrar

The UK Data Protection Registrar, Elizabeth France, was appointed for a second term at the end of August. The Home Secretary, Jack Straw commented on her reappointment: "I am confident that she is the best person to take this work forward and oversee the transition to the Data Protection Act 1998 when it comes into force on 1st March 2000."

UK Registrar's new website address

The Office of the UK Data Protection Registrar has a new address for its website: http://www.dataprotection.gov.uk. The site includes the latest guidance on the 1998 Data Protection Act.

New Portuguese Commission

Mr. João Labescat has been appointed as the new President of the Portuguese Data Protection Commission. The Commission is an independent body, which consists of seven members. The other commissioners are Mr. Amadeu Guerra, Mr. Varges Gomes, Mr. Luís Barroso, Mr. Simões de Almeida, Ms. Catarina Castro and Ms. Paula Veiga. The new commission started its mandate in July.

EU to protect its own personal data

The European Commission is proposing a Regulation to protect personal data within the European Union's institutions. The data protection rules in the proposed Regulation, published on 15th July, are based on the EU Data Protection Directive. As the Directive binds only the Member States, personal data within EU institutions and bodies is not protected under it. However, the Amsterdam Treaty amending the EU Treaty now obliges the EU to take these measures. The EU handles personal data for example in connection with its customs and police co-operation.

The current proposal would establish a European Data Protection Authority to deal with complaints from EU citizens whose data protection rights have not been respected by the EU bodies. The Data Protection Authorities of EU countries were a driving force behind getting the issue on the EU agenda. The proposed Regulation now has to be adopted by the Council of Ministers and the European Parliament.

UK Telecommunications Regulations soon in force

The new UK regulations on unsolicited marketing calls and faxes, which come into force simultaneously with the Data Protection Act on 1st March 2000 have now been published. The Regulations will make it illegal to send unsolicited marketing faxes unless the individual has given prior consent. Cold calling is also banned to individuals who have previously notified that they do not wish to receive any calls, or if the individual is registered with the Telephone Preference Service. Individuals can also register with the Fax Preference Service.

The Regulations are available from the Stationery Office, Tel: + 44 (0) 171 873 9090 and on the Internet at http://www.hmso.gov.uk.

Canadian privacy bill faces strong opposition

The Canadian Bill C-54, which would extend privacy protection to the federally regulated private sector (PL&B Dec '98 p.22), is facing strong opposition by the Canadian provinces. The provinces would have to follow suit and pass harmonising legislation within three years of the federal law coming into force.

Privacy Files (Nos 5&6), a Canadian privacy newsletter, reports that some business sectors as well as the provinces oppose the new Bill. Credit report agencies and life and health insurance companies are particularly sceptical about the Bill. There is also pressure from the neighbouring United States, which would like Canada to follow its selfregulatory approach. Parliamentary debate on the Bill continues after 20th September, and the Bill could become law by the end of the year.

US businesses lobby for selfregulation in e-commerce

A group of the world's largest computing firms, including IBM, Apple, Dell, Hewlett-Packard and Intel, have submitted an open letter to US business leaders and policymakers to avoid regulation in electronic commerce. The group believes that it is possible to protect privacy and create consumer trust in electronic commerce by technological means. The report discusses existing privacy-enhancing technologies, such as anonymous payment mechanisms and pseudonyms, and sheds light on new technologies that are being developed.

On the privacy scene, privacy labels (for example TRUSTe and BBBOnLine) are mentioned as technology that is still in the development stage (see p.21). The Group recommends industry to support ongoing technology developments by participating in their adoption process. Companies are also encouraged to publish privacy policies on their websites, and to encourage product and service suppliers to do the same.

The paper, published in July, is available on the Internet at http://www.cspp.org/projects/july99_cto_report.pdf.

Hotmail in breach of customers' privacy

Hotmail, an Internet e-mail service owned by Microsoft has endangered its customers' privacy. CNN reports that, for several months, users were able to log-in without a password, and therefore access other users' e-mail. The security fault was noticed at the end of August. A group called Hackers Unite has claimed responsibility for the breach of privacy, but it is thought that the bug was caused by a normal user by accident when writing a log-in program for his own use. Microsoft itself blames the hackers, denying that there is any problem with the security of their software.

For the full story, see http://www.cnn.com/TECH/computing/9908/ 31/hotmail.folo.02/index.html

Finland bans exam results on the Internet

Some Finnish Universities which published the results of entrance examinations on the Internet have been told by the Data Protection Ombudsman not to do so.

According to law and traditional practice, those seeking a place at a university will be informed of their results by letter and on the university's notice board. As students are the most active Internet users, the universities regarded the new practice to be good customer service.

According to the Ombudsman, the publishing of such lists endangers the applicants' privacy, as the information can be used for other purposes. The Ombudsman has instructed the universities to seek consent for publishing the results. Two of the universities also use the Internet to publish ordinary exam results, but these are linked to the student registration number, not the individual's name.

UK publishes electronic commerce bill

The UK Government published, in July, its e-commerce bill. The bill deals with the question of using electronic signatures (all types will be legally admissable in court) and cryptography services.

The bill is intended to be technology-neutral. Although many Trust Service Providers (TSPs - trusted third parties to enhance confidence in the provision of cryptography services) may base their services on public key cryptography, there is no reason why other technologies (e.g. biometrics) could not be used by approved TSPs.

One of the most interesting aspects, from the point of view of data protection, is unsolicited e-mail (spamming). An earlier consultation paper sought views on spamming, and the Government has now decided that it is not necessary to take action in the context of this bill. Instead, the Government will work with industry on voluntary mechanisms and rely on existing measures.

The question of spamming will, however, be dealt with in more detail in legislation implementing the EU Distance Selling Directive (97/7/EC), which will enable individuals to object to unsolicited e-mail. This Directive has to be implemented by 4 June 2000.

The e-commerce bill is available on the Internet at http://www.dti.gov.uk/cii/elec/ecbill.html. Comments are sought by 8th October.

Prepare now for the UK Human Rights Act

The UK Human Rights Act 1998 comes into force on 2nd October 2000. The Home Office is telling organisations to start preparing now, as the Act makes it a legal obligation to comply with the European Human Rights Convention. The Act applies to public authorities, including all government agencies, central and local government, police and the courts, and also private bodies whose work includes a government-type function.

The Home Office has published a guide for organisations preparing for the new law. The introductory guide, "Putting Rights into Public Service: The Human Rights Act 1998 - An introduction for Public Authorities," and a newsletter, are available on the Home Office website at www.homeoffice.gov.uk. Further enquiries can be addressed to the Help Desk, Tel: + 44 (0) 171 2732166.

The Netherlands publishes Annual Report

The Netherlands' Data Protection Authority, Registratiekamer, has published its Annual Report for 1998. The report deals briefly with the general activities of the office, and presents, in the form of three essays, the most relevant issues that have been dealt with. The three themes are privacy and service provision in the financial sector, market forces and social security, and confidential communication (in particular in the context of e-mails and mobile phone conversations).

The report, which is in Dutch, is available from Registratiekamer, Prins Clauslaan 20, 2509 AJ, the Netherlands, Tel: + 31 70 381 1300, Fax: + 31 70 381 1301. More information about the office's work is also available on a new website at http://www.registratiekamer.nl

Hungary's Annual Report

Hungary's Commissioner for Data Protection and Freedom of Information has published his Annual Report for 1998. The report consists mainly of summaries of the cases handled last year.

Recommendations were made, for example, on publishing Internet address lists, ex-directory telephone numbers and direct marketing, and collecting personal data for issuing debit cards. The report also includes examples of cases involving the disclosure of data of public interest.

An abbreviated, English version of the report is available from the Office of the Data Protection Commissioner, H-1054 Budapest, Tüköry u.3, Hungary. Tel + 36 1 269 3500, Fax: + 36 1 269 3541, e-mail: adatved@obh.hu.