Internet: EU plans overhaul of data protection law

The European Union is planning an overhaul of its data protection law, which applies in all EU countries. High on its list of priorities is an intention to give users of websites more control over their personal information, how it is used and how long it is retained.




The EU says that its existing law has a number of restrictions and omissions which should be remedied.

In particular, the existing law has not kept pace with the wide sharing of information by law enforcement divisions of government or by the courts and wider criminal justice systems. The EU, in its initial information about the proposed changes, has not made any explicit reference to government "agencies" and quasi-independent bodies such as financial sector regulators but it is clear that they are included: "In principle, the same data protection rules apply to both the public and private sectors. This means that national authorities have to comply with the obligations in relation to transparency and controllers' responsibility, taking into account the specificities of the various sectors, such as the area of police and criminal justice."

Also: "High-speed internet, web-connected mobile devices, and user-generated content have made the exchange of information easier, faster and global. These changes have pushed individuals to the forefront when it comes to the “management” of their personal data, requiring policy makers to shift their focus." In what may become known as "The Facebook Clause," the EU plans to enable users to take greater control over the use and retention of their data by social networking sites. "Social networking sites – based on personal data processing – have become extremely popular on a global scale, particularly among young people. A single social network service now counts 500 million users globally – as many as the entire EU population. The benefits of this technology to individuals, businesses and public authorities must go hand in hand with the necessary respect for personal data. Individuals' personal data must be effectively protected, whatever the technology used."

The EU says that it must take action because "data does not stop at national borders." It proposes a single, unified structure across the EU: "a unified approach at EU level will make Europe stronger in promoting high data protection standards globally."

That's a clear tilt at the USA where data protection is notoriously weak. But of equal concern are countries to which data processing (and therefore data) is outsourced. Protection in India, for example, is less than rudimentary despite a 2008 law. Some countries, for example Hong Kong, already have strong data protection laws based on the EU model. Singapore has been in the process of drafting a data protection law for some four years and so far no draft has been made public. And yet, Singapore is a primary hub for private banking. There are, however, specific laws relating to privacy of data in the financial sector, as there are in neighbouring Malaysia.

The EU plans to sell its concept on the basis that it will reduce costs for businesses operating in multiple EU states: "The current divergent implementation of data protection rules across the EU raises costs and administrative burdens for data processing companies...a multinational company operating in several countries can be subject to different requirements in several Member States which leads to legal uncertainty. Further harmonisation of data protection rules is needed at EU level to ensure a true level playing field for all data controllers. To lessen the administrative burden, notifications to Data Protection Authorities could be reduced, simplified and harmonised."

The Commission is reviewing two Directives: The Data Protection Directive 1995 and The Data Retention Directive 2006.

And it's the data collected over the WWW that is most exercising the European Commission's collective minds:

"The new approach will strengthen individuals' rights by giving them a high level of protection and control over their own data.

"This is particularly important in the online environment, where data protection policies are often unclear, non-transparent and not always fully compliant with existing rules. Individuals need to be informed in a clear and transparent way by data controllers – either internet services providers, search engines or others – about how and by whom their data is collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. People should be able to exercise these rights for free and without constraints."

There is an obvious issue here relating to Google Streetview and, even, Google Earth.

Google's Street View is marketed as a social information tool. Google says that it has technology to "blur" faces so as to make individuals unrecognisable. But a satellite industry has grown up with websites, mainly based in the USA, using Google's data on their own websites. An example is "streetviewfun.com." Some, with suggestive titles, get hundreds of thousands of "votes." The site promotes itself on twitter.com and facebook.com.

"For example, there should be a "right to be forgotten," which means that individuals should have the right to have their data fully removed when it is no longer needed for the purposes for which it was collected. People who want to delete profiles on social networking sites should be able to rely on the service provider to remove personal data, such as photos, completely."

That is a forlorn hope: there is a mushrooming business of reposting Google's images under the heading "bloopers" or similar. For example, streetviewfun.com has a screen-grab of a Google Street View image headed "what is the girl doing?" The answer is that she is squatting behind a car peeing in the gutter. The number plates on cars in the photo are blurred out. Google has removed the image from its website but it remains public, having been reposted. This is a particular problem in relation to republishing in the USA, where copyright laws are weak and barely enforced except for software and entertainment media infringements. Worse, the provisions of the USA's Digital Millennium Copyright Act are often interpreted as authorising the re-use of libellous or other detrimental material with impunity so long as it was found on the 'web. That, in the eyes of the wider internet "blogging" community, has been incorrectly interpreted as giving an unrestricted right to republish anything found on the 'web.

"Similarly, users should know and understand about how their internet use is being monitored for the purposes of behavioural advertising. For example, people should be aware when online retailers use previously viewed web sites as a basis to make product suggestions."

This provision takes aim not just at Google where advertisements are clearly displayed and are an obvious commercial message but also at Facebook's recent development of tracking data to which advertisers have access. Earlier this month, Facebook admitted that some of its independent contractors working on the advertising programming had accessed and sold user data: it said "we discovered some instances where a data broker was paying developers for Unique IDentifiers." (http://developers.facebook.com/blog/post/422) The company went on to say "we determined that no private user data was sold and confirmed that transfer of these UIDs did not give access to any private data." That clearly depends on how the term "private data" is interpreted. Facebook appears to take a narrow view - that a tracking cookie is not "private data." Others may say that anything that allows the collection of information relating to a person's activities is "private." Again, the EU is going to have to find that individuals have "a right to privacy" before it can decide what data is private and how it should be collected, managed and used.

Amazon.Com uses previously viewed webpages within its own site to make recommendations: to do so it analyses what pages the customer has visited, what purchases he has made - and what others visiting the same page and making similar purchases viewed. This "intra-site" analysis appears to be outside the scope of the EC's current review.

"It is also important that individuals are informed when their data has been unlawfully accessed, altered or destroyed by unauthorised persons. The Commission is therefore considering extending the obligation to notify personal data breaches beyond the currently covered telecommunications sector to other areas, such as the financial industry."

This is similar to a law that has been in force in California for several years. There is, currently, a skirmish in the UK where it has been found that unscrupulous journalists and others have unlawfully accessed the voicemail boxes of mobile phone users. The coverage incorrectly uses the term "hacked." In fact, by guesswork or bribery of a member of staff at a mobile phone operator, the voicemail box password was used to access the system. Pop star Robbie Williams said last week that he has not had a mobile phone for two and a half years "for exactly that reason." However, what the EC is not putting front and centre is where data is lost, e.g. where unencrypted data is sent by post and goes missing.

The fact that passwords could be bought proves that data protection laws are of limited use if individuals are willing to gain access to data for the purposes of redistribution whether for sale or otherwise.

That, surely, is a huge mistake. In the UK alone state secrets, security documents, information on members of the armed forces and millions of taxpayer records have been lost by government staff. No action has been taken by the UK Data Commissioner against any government department. However, he has fined banks for similar failings.

Special mention is made of transfer of data abroad: "To ensure that personal data is adequately protected when transferred and processed outside the EU, the Commission intends to improve, strengthen and streamline the current procedures for international data transfers, including the so-called "adequacy procedure." Under this procedure, the Commission verifies that a third country ensures an "adequate" level of protection of personal data and allows personal data to be transferred from the EU to that third country. When data is exported outside the EU, the Commission will ensure that EU citizens enjoy the same rights – including judicial redress – as third country nationals have in the EU."

That will create special problems for foreign businesses operating in the EU. It will impose on all businesses a regulatory regime similar to that which applies, for other purposes, to the financial sector where companies must abide by the stronger "home or host" law.

The EC says "The public can respond to the Communication until 15 January. The Commission will then translate the objectives and issues raised in the Communication into legislative proposals in 2011. In particular, it will propose legislation to revise and strengthen data protection rules regarding all EU policies, including law enforcement and crime prevention. At the same time, the Commission will pursue non-legislative measures, such as encouraging self-regulation and exploring the feasibility of privacy seals."
