
Privacy Laws and Business International Report



Privacy news worldwide Germany, EU, Netherlands, UK, OECD, Switzerland, Isle of Man, Hungary [2000] PLBIRp 33; (2000) 55 Privacy Laws and Business International Report 2

Privacy News

Germany adopts a draft Bill

The German Government adopted a draft Bill on 14th June 2000. It is hoped that the Bill will be finally adopted in spring 2001. The new Act is not expected to enter into force until January 2003.

At the state level, there are State Data Protection Acts. By July, five of the sixteen states had adopted a new law implementing the directive's requirements. These states are Brandenburg, Hesse, Schleswig-Holstein, Nordrhein-Westfalen and Baden-Württemberg. The European Commission's view is that the directive is not fully implemented until all the states have adopted new laws. Some of the most important fields with data protection implications are within the jurisdiction of state legislation in Germany, for example police, health, education etc.

The Bill (in German) is available at http://www.datenschutz-berlin.de/ueber/aktuell.htm#topofnews (see news item of 19th June).

EU e-commerce Directive adopted

The Electronic Commerce Directive, 2000/31/EC (PL&B April 2000 p.2) was adopted on 8th June and published in the Official Journal on 17th July. The directive seeks to lay down a general framework for electronic commerce and ensure consumer protection.

The protection of personal data is not regulated by this directive, but it refers to the EU Data Protection Directive and the Telecommunications Data Protection Directive, both of which are fully applicable to information society services. Furthermore, the implementation of this directive should be made in full compliance with the data protection principles already established.

The directive covers all information society services, for example on-line databases, online financial services and online marketing. The directive applies only to service providers established within the EU and not those established outside. It also defines the place of establishment as the place where an operator actually pursues an economic activity through a fixed establishment, irrespective of where websites or servers are situated, or where the operator has a mail box.

The sending of commercial communications by e-mail is not addressed by this directive, as far as consent is concerned. However, Member States that allow the sending of unsolicited e-mail without prior consent have to ensure that the service providers consult and respect the opt-out registers.

To see the full text, visit http://www.europa.eu.int/comm/internal_market/en/media.

Netherlands adopts a new data protection law

The Netherlands adopted a new Data Protection Act on 6th July which implements the EU Data Protection Directive. It is not yet known when the law will enter into force. The December issue of the Privacy Laws & Business newsletter will include a full report on the law.

An unofficial English translation of the new law can be found at the website of the Netherlands' Data Protection Authority at http://www.registratiekamer.nl (see under texts in English).

UK adopts an e-mail snooping Act

The House of Commons adopted, on 26th July, the House of Lords' amendments to the Regulation of Investigatory Powers (RIP) Bill thereby passing the bill. The RIP Bill received Royal Assent on 28th July.

The Act, which allows the police and security services to spy on private encrypted e-mails, has been much debated. While the bill aims at catching criminal activity on the Internet, at the same time, it infringes personal privacy.

The Act grants police the power to demand encryption keys to decode messages. The Government thinks that, in most cases, companies will be able to hand over the text in print rather than have to disclose their encryption keys.

Security experts have already said that the Act is technically inept, and will not stop criminals committing or planning criminal activity on the net. It is feared that allowing the police to snoop on e-mail messages will have a damaging effect on the UK's e-commerce activity, and stop foreign companies starting operations in the UK.

The monitoring scheme will allow the police to install black boxes to work Internet Service Providers' computers. The Home Secretary will have to authorise any interception warrants, and companies may be asked to install monitoring equipment. The cost of such equipment will be met by the Government.

The Government is adamant that the RIP Act will not conflict with the UK Human Rights Act 1998, which explicitly guarantees the right to privacy. The Human Rights Act will enter into force in October this year. The RIP Act is expected to enter into force in the autumn.

The text of the Act is available at http://www.homeoffice.gov.uk/ripa/ripact.htm

Use of UK electoral roll to be restricted

The UK Government aims to stop use of the electoral register for some commercial purposes. The register, which is the largest database of names and addresses in the UK, is commonly used for purposes of proving residence, as well as a source for mass mailings. The Government is committed to providing individuals with an opt-out from commercial uses. It is being suggested that there will be two registers, a full one, which will be mainly used for electoral purposes, and an edited register. It is assumed that 64% of people will opt out.

Draft regulations are expected in the autumn. After a period of consultation, the Government hopes to finalise the regulations by the end of the year. The right to opt-out would become effective from September 2001. It is still to be decided whether the full register could be used to make identity checks for e-commerce. Noncompliance with the regulations will be a criminal offence.

For further information, please contact the Department of Trade and Industry, Tel: +44 (0)20 7215 5000.

Review of the new UK Act

The Home Office is making an early appraisal of the UK's Data Protection Act 1998 now that it has been in force for six months. The purpose of the review is to assess the new regime's immediate effect, in particular those elements that are new to UK law or substantially different from the 1984 Data Protection Act.

A questionnaire can be found at http://www.homeoffice.gov.uk/ccpd/dpaquest.htm. Please send comments by 27th October to Paul Henery, LGDP Unit, Room 1173, Home Office, 50 Queen Anne's Gate, London SW1H 9AT, Fax: +44 (0)20 7273 3205, e-mail: Paul.Henery@homeoffice.gsi.gov.uk.

Final version of the OECD privacy policy generator

The OECD has issued the final version of its privacy policy generator. The tool helps organisations to adopt privacy policy statements. The privacy policy generator works as an educational tool providing guidance on how to review organisations' privacy practices. Based on the answers to a questionnaire, the generator then produces a privacy statement that the organisation can post on its website.

Adopting a statement developed with the help of the generator does not, however, indicate that the organisation would automatically comply with the OECD's Privacy Guidelines. The generator is available in English. Other language versions are being developed.

The privacy policy generator can be accessed at http://www.oecd.org/dsti/sti/it/secur/index.htm.

Powergen security breach: customer data disclosed

A UK electricity and gas provider, Powergen, accidentally disclosed personal details of 7,000 customers on its website. The details included names, addresses and credit card information. Powergen has put the blame on a technical error which occurred when transferring customer data from one server to another. The company closed down the website immediately after having been informed of the security breach by a customer. However, it took them several days to inform customers and ask them to change their credit card numbers.

Powergen's Retail Managing Director, Mike Wagner, said: "Initial investigations showed that the information which had been accessed was in a file which, due to a technical error, was temporarily outside the security gate of the system."

Powergen has commissioned external experts to audit the security systems. The audit will be posted on Powergen's website at http://www.powergenplc.com.

Barclays' online security failed

Barclays, a major UK-based bank, experienced a security breach at the end of July, which enabled some customers to view other people's account details online. The bank was forced to shut down its online banking service. Barclays claims that the breach was due to a technical error, which occurred when introducing a new system.

The bank is currently reviewing the system, and promises not to reintroduce it until it is confident that it will work.

Barclays Bank has issued a press release on security; see http://www.newsroom.barclays.co.uk.

Switzerland publishes its annual report

Switzerland's Data Protection Authority released its seventh annual report on 3rd July. The report discusses surveillance at the workplace, data protection in direct marketing and telecommunications, data mining and privacy concerns over the use of e-commerce.

The Data Protection Commission makes several recommendations on how to build consumer trust in e-commerce. Most Swiss companies' privacy statements are inadequate or missing, and the Commission gives advice on how to formulate one. The Commission also recommends regulations for this field.

The annual report is available in French and German on the Privacy Commissioner's website at http://www.edsb.ch, or can be ordered by fax: +41 31 325 50 58.

Isle of Man in process of amending its data law

The Isle of Man plans to amend its existing legislation in order to demonstrate adequate protection as defined by the EU Data Protection Directive. The European Commission is assessing the adequacy of the existing legislation. The Registrar, Lynn Keig, writes in her 1999-2000 Annual Report that she believes the law to be adequate. "If this is the case, any amendments to the existing legislation will be directed towards assisting the growth of e-commerce in the island," she states.

The Annual Report is available from the Isle of Man Data Protection Registrar, PO Box 69, Douglas, Isle of Man, IM99 1EQ, Tel: +44 (0)1624 661030, e-mail: odpr@odpr.gov.im. Price: £7.50.

UK consumers suspect lack of security in e-commerce

UK consumers are not willing to disclose personal data, including credit card details, online.

According to research commissioned and published on 2nd August by the National Consumer Council, only 3% of British adults shop online, although a quarter of the population has access to the Internet. Among Internet users, half of them think online shopping is risky and do not want to disclose their credit card details.

The research was conducted by MORI between March and May 2000, and it was based on 2,000 face-to-face interviews. More information can be found at http://www.ncc.org.uk.

The Netherlands publishes an annual report

The Netherlands' Data Protection Authority has published an annual report for 1999. It discusses, for example, privacy on the Internet, the revision of the data protection law, screening of people and companies, and new technological developments that affect privacy.

An English summary of the annual report is available at http://www.registratiekamer.nl.

Hungary's eventful year

Hungary's Data Protection Commission has published its annual report for 1999. The year marked the beginning of a period of change as the country's law was recommended as ensuring adequate protection by the EU Data Protection Working Party. The EU Commission has since taken a positive decision on the law's adequacy (July 2000).

The report also includes selected cases of particular interest, and statistics about complaints.

An English version of the report is available from the Office of the Parliamentary Commissioner for Data Protection and Freedom of Information, Tel: +36 1 269 3500, e-mail: adatved@obh.hu.

New contact details

Poland's Data Protection Authority has informed PL&B of changes to their contact details. The correct telephone number is +48 22 827 8810, and fax: +48 22 827 8811.

In the Czech Republic, a Data Protection Authority was appointed at the time of the new law entering into force, 1st June 2000. The Office for Personal Data Protection can be contacted at a new e-mail address: neuwirtk@uoou.cz, website: www.uoou.cz.

Other contact details are as published in the directory of Data Protection Authorities (see issue 54).


URL: http://www.worldlii.org/int/journals/PLBIRp/2000/33.html