Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Ireland sets restrictions on Internet telephone directories Art 29 Group's opinion on electronic directory reverse searches [2000] PLBIRp 52; (2000) 56 Privacy Laws and Business International Report 14

Ireland sets restrictions on Internet telephone directories

A CASE ON ELECTRONIC PUBLISHING of telephone directories in Ireland illustrates an issue relevant to all EU countries. Consumer consent is required before personal details can be published in a searchable electronic directory.

Ireland's Data Protection Commissioner investigated last year the case of a telecommunications company which, in addition to publishing subscribers' personal details in a paper-based directory, later put the information on a CD-ROM and on the Internet. The task was performed by a subsidiary.

The Data Protection Authority received several complaints from individuals who were unhappy to have their information published in an electronic format. The individuals considered that electronic publishing allowed new search methods that were not possible with a manual directory, and this might jeopardise their privacy. For example, it was possible to conduct searches based on an address rather than the individual's name. This caused concern as it was thought that burglars could identify empty houses by obtaining telephone numbers for particular addresses.

REVERSE SEARCHES BANNED

The case is one of those included in the Data Protection Authority's Annual Report for 1999. The then Data Protection Commissioner, Fergus Glavey, first thought that if individuals had released their details, it could be reasonably assumed that these individuals would not object to having their information published in another form, unless they had chosen to be ex-directory. Electronic publishing as such does not pose any additional privacy risks provided that sufficient security procedures are in place.

The Commissioner, however, later considered that the search capabilities added another dimension to this case, and decided that the telecommunications company could not assume that the individuals had consented to this further use of their data. He requested the company to stop making the directory available on the Internet, and not to publish, for the time being, the CD-ROM version of the directory. The company agreed to modify the electronic version of the directory so that it would not be possible to make reverse searches based on address details. The new version of the electronic directory is now more or less similar to the paper version.

EUROPEAN RESPONSE

Since the Irish case was resolved, the EU Data Protection Commissioners' Working Party (the so-called Article 29 Group), has been considering the issue of reverse telephone directories. On 2nd November the group issued a statement (below), based on Ireland's experience, that individuals' consent is required before a telecoms company publishes its customer database in a searchable electronic format.

OTHER CASE STUDIES

Other case studies discussed in Ireland's Annual Report deal with data collection by a UK-based marketing company with the help of lifestyle questionnaires; access to customer data of a life insurance company by an ex-employee; disclosure of names and addresses to a motor distributor by the Vehicle Registration Unit; a subject access request concerning word-processed documents (the question was whether they constitute "data" or not); an inaccurate credit rating given by a financial institution; creating a database of debtors by a debt-collecting agency; and identification of the data controller where control of a database was disputed.

EMPLOYMENT NEWS

The report also discusses data protection in the workplace. The Commissioner has received many enquiries which deal with either questions relating to the collection of data from employees, or employee monitoring.

One of the key issues here is that the data must be fairly obtained and necessary. Employers should not collect data that is not relevant in the employment context, such as details about political or religious beliefs. While this part of the equation is fairly straightforward, the monitoring of employee e-mails and web browsing is much more complex.

The Commissioner writes that "Much will depend on the culture of the particular employment in question... If a culture has been developed within an organisation that is consistent with the use by employees of e-mail as a personal resource, then this consideration, in my view, may well circumscribe the freedom of action available to an employer who wishes to monitor employee e-mails. If employees have been using the company e-mail system for personal correspondence, with the tacit agreement of the employer, then I think it most unlikely that an employer may access those personal items of correspondence without contravening the Data Protection Act."

The Commissioner's office recommends that organisations draft e-mail statements which state clearly what the company policy is on e-mails. He also welcomes any comments on these matters, and envisages that, in the future, a specific code of practice may be needed.

The Annual Report 1999, published in September, is available from the Office of the Data Protection Commissioner, Block 4, Irish Life Centre, Talbot Street, Dublin 1 Ireland. Tel: + 353 1 874 8544 Fax: + 353 1 874 5405 e-mail: info@dataprivacy.ie Fergus Glavey has now completed his term as Data Protection Commissioner, and a new Commissioner has been appointed (see p. 19).

Art 29 Group's Opinion on Electronic Directory Reverse Searches

The new liberalised telecommunications market offers low cost extended capabilities for the processing of all information contained in telephone directories. It is now possible to gather much more data than individuals would have imagined when agreeing to have their telephone numbers in a directory. For example, the telephone number could now reveal the person's name, address and the names and numbers of everyone living in the same street. Searches can reveal profession, and also location data, such as city maps with photographs of each house. Itemised billing can reveal names and addresses of all recipients of calls during a specific period of time.

This multi-critera searching represents a new purpose for directories which is not compatible with their original purpose. The issue of reverse searches has been brought into prominence because several Data Protection Authorities are currently handling cases. Since the issue is not yet addressed in the draft EU Directive on the Protection of Privacy in the Electronic Communications Sector, the Article 29 Group has decided to support informing subscribers about all the possible uses of electronic directories. They propose that individuals should be offered a choice of subscription format, and also of including only limited data revealing no private information.

The Working Party's common position underlines the importance of informed and prior consent of data subjects to this new use of their personal data. Furthermore, since directories can be edited by everybody, transmissions of data from a telecommunications operator/provider to a directory are illegal without respect for the choices expressed free of charge by subjects to the initial provider. The issue of determining the duration of a license to keep the data on CD Roms raises additional problems.