Data Protection Update

November 1, 2000

Safe Harbors


On 27 July the EU accepted, by a Commission decision, that organisations in the US which adopt arrangements for the protection of personal data which conform to a set of agreed standards will be accepted as providing adequate protection for the purposes of personal data transfer from the EU. The concept (and spelling) of safe harbors has thus been formally ratified. The full papers can be found at www.europa.eu.int/comm/internal-market/en/media/dataprot – in brief the main features of the scheme are as follows.



  1. It applies to transfers of personal data from one data controller to another (thus excluding the direct obtaining of data from individuals via an Internet site by a US operator).
  2. It can be adopted only where the Directive is not applicable (thus it cannot be used where a US operator carries out processing in the EU without having an establishment here).
  3. The US entity must be subject to a statutory body which has jurisdiction to hear relevant claims against the organisation, for example the Federal Trade Commission.
  4. The US entity must ‘sign up’ to standards of data protection/privacy protection which fulfil the minimum standards set out in the safe harbor papers. This can be done in several ways – by developing its own policy that meets the standards; by participating in an industry programme (such as TRUSTe); or by relying on existing US sector regulation which achieves the equivalent standard.
  5. Once the entity has implemented those standards it has to self-certify its compliance to the US Department of Commerce. It must provide a list of specified information in the certificate. One of the requirements is that its privacy policy must be published and available for viewing by the public.
  6. Those entities which self-certify successfully will be listed by the Department (the list will be opened by November). The list will be available on the Department of Commerce web site at www.ita.doc.gov/ecom for interested parties to check.
  7. The entity must carry out an annual review of its data protection/privacy compliance and the certification process has to be repeated annually following that review.
  8. The entity must accept the application of an independent recourse mechanism to deal with complaints by individuals.
  9. The statutory overseer, which in most cases will be the Federal Trade Commission, will be able to take action against the entity for unfair trade practices if its behaviour does not accord with its published privacy statement.

Commission Decisions on Adequacy


There have been Commission decisions that the generally applicable data protection laws in Switzerland and Hungary afford adequate protection and discussions are now underway with Australia, Canada and Japan in relation to decisions on adequacy.


Proposed Amendment to Directive 97/66


The Commission has published a proposal for a revised telecoms directive. This would deal with some of the anomalies which have arisen in the implementation of Directive 97/66 in different Member States, give more freedom for the development of value added services in the mobile digital networks, cover location data derived from mobile networks, and relax the rules about directories. In particular, it would make clear that all electronic communication services are covered and that e-mail marketing to individuals should be carried out only with prior consent.


Guidance/Commissioner’s Publications


The Data Protection Commissioner’s First Report (June 2000) has been published since the last regular update column. It has obviously been a busy year for the Commissioner’s office. A number of the new initiatives from the DPCO described in the Report have already been covered in previous updates. In addition, the Report covers the preparations undertaken for the implementation of the new Act as well as the annual statistics on prosecutions conducted, enforcement actions taken, publications issued and policy matters considered during the previous year, and a report on the annual public awareness survey. At first sight it appeared that the number of prosecutions had risen dramatically, which would be surprising given the change in the law; however, closer examination shows that 81 of the offences counted were offences ‘taken into consideration’ in relation to one defendant, and the underlying numbers remain fairly stable. The enforcement actions taken against the utility companies have largely been concluded. The Commissioner continues to voice concerns about some processing, for example data matching by the Audit Commission, but also (possibly with an eye to her Office’s future potential role in handling freedom of information) airs her concerns at the use of the Data Protection Act to block the uses and disclosures of information unnecessarily.


Legal guidance which has been issued from the Commissioner’s office since the last column covers the Telecommunications (Data Protection and Privacy) Regulations, subject access and third-party data and subject access to health data.


The draft Code of Practice on Data Protection and Employment Practices is still awaited and is now anticipated in early October. The DPCO is also apparently planning to issue guidance on electronic data collection methods, for example the use of cookies, where the personal details of the individual are not known. This is an interesting area. There are a growing number of data collection technologies where the collector amasses data about the user or users of a device without necessarily knowing their terrestrial identity. A Working Party of Commissioners issued draft guidelines earlier in the year (in May) on what it considered should apply in these circumstances, advising that, even though the identity of the individual user is not known (and thus no personal data is involved), there should still be notice to users of the data collection and the processing involved. Apparently the Commissioner’s Office has drafted some guidance for the UK on this issue. However, although there is a draft of this guidance in the Commissioner’s Office, my request for a copy of it, made under the Open Government Code on Access to Information, was refused on the grounds that its disclosure would harm the frankness and candour of internal discussion and that it would be premature in relation to a planned announcement. It is apparently being re-drafted in a question and answer format, although it is not clear that the substantive content is changing. No draft has been issued for consultation and it appears that it will simply emerge in its final form.


On this area a handbook on online privacy published by the U.S. Senate Judiciary Committee called Know the Rules – Use the Tools: Privacy in the Digital Age: A Resource for Internet Users is available on www.judiciary.senate.gov/privacy and gives a good overview of the issues, technologies and players in this area.


Current Enforcement


The Commissioner has taken enforcement action against two linked companies under the provisions of the Telecoms Regulations. The companies are Second Telecom Ltd and Top 20 Ltd. It is alleged that they have persisted in sending unsolicited marketing faxes to individuals. Both companies have appealed to the Data Protection Tribunal. The proceedings have been consolidated. A provisional hearing date has been set for mid-November but it is not yet clear whether the hearing will go ahead at that time.


Freedom of Information


At the time of writing it is still not clear whether the Freedom of Information Bill will have its Committee stage in the Lords before the end of the Parliamentary session. If it does not do so then the Bill will fall and is unlikely to be re-introduced by this Government.


Cases


I have only noted one case specifically on privacy related issues recently. On 28 July the High Court delivered judgment in the case of R v Worcester County Council ex parte SW which explored further the issues around the Consultancy index already canvassed by the Court of Appeal in R v Secretary of State for Health ex parte C [2000] 1 FLR 627. It is not an easy judgment to follow but of particular interest to privacy lawyers will be the final part in which the judge expresses views on the impact and application of Article 8 of the ECHR.


To put the facts into context in brief, the Consultancy Index is a referral index kept by the Department of Health. It shows the names and identifying details of individuals who have worked with children and whose previous employers have considered, on grounds that fit into the Index categories, that they are likely to be unsuitable to do so in the future. There is no other information in the Index. The Index can be searched by potential employers who are appointing people to work with children. If an individual is included, the potential employer can contact the earlier employer to ascertain the reasons for the inclusion. Not unexpectedly, inclusion on the Index is fatal to any chance of working with children again.


Clearly it serves an important purpose. There are safeguards around its use, covering the grounds for inclusion and allowing for notice to the individual of inclusion. However, it has been set up by the Department of Health under its general remit rather than under a specific statutory requirement, so it has not been subject to democratic and public scrutiny during the Parliamentary process, and there is no prior independent scrutiny of inclusion. R v Worcester County Council ex parte SW provides a textbook question on Article 8:


  • Does inclusion in the Index amount to an interference with the individual’s private and family life?
  • If it does so, then does it have a basis in law?
  • Is the inclusion in pursuit of one of the specified interests?
  • Is it proportionate to the protection of that interest?

In answer the judge concluded that it did not affect the individual’s private life, as the conduct which led to inclusion on the Index related to or occurred in the course of his employment, which is part of his public life. In any event, it was in accordance with law, as it was carried out on the basis of the capacity of the Crown (exercising its right to do that which is not forbidden by law), and the law was expressed in guidance which was sufficiently certain, clear, foreseeable and accessible to the persons affected.


It fell within the test of necessity in a democratic society.


It was proportionate, and no right of appeal was required in order to achieve proportionality.


Implementation of the Directive


The DTI carried out a public consultation on the draft regulations on lawful business practice regarding the interception of communications which closed in September. The proposed regulations will provide that interception will be authorised if it is carried out for the purpose of monitoring or keeping a record of a business communication:



  • in the interests of national security
  • for the purpose of preventing or detecting crime
  • for the purpose of investigating or detecting the unauthorised use of that or any other telecommunications system
  • in order to provide evidence of communications for the purpose of either establishing the existence of facts or ascertaining compliance with practices or procedures relevant to the business carried on by the person by or at whose request the interception is effected
  • monitoring communications made to a charitable helpline.

However, this will only apply if the interception is carried out in connection with the business of the person who has requested the interception, on a telecommunications system provided wholly or partly in connection with that business, and the interceptor has made all reasonable efforts to inform every person to whom or by whom the communication in question is made that it will or may be intercepted, or otherwise has reasonable grounds to believe that every such person is aware of the potential interception.


This will provide for a tough regime which employers may have difficulty meeting.


Rosemary Jay is a Senior Consultant at Masons: rosemary.joy@masons.com