Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide Australia, Council of Europe, European Union, France, Germany, Isle Of Man, Israel, Japan, Sweden, United Kingdom, United States [1999] PLBIRp 13; (1999) 48 Privacy Laws and Business International Report 2

Privacy News

US appoints a privacy counsellor

President Bill Clinton appointed, at the beginning of March, Professor Peter Swire as First Chief Counsellor for Privacy. Professor Swire will review US federal and private sector privacy issues created by new technologies, as well as international issues. He takes the view that some government regulation may be necessary, as the industry's selfregulatory efforts seem to be insufficient. The new post is based at the White House's Office of Management and Budget.

UK to legislate on e-commerce

The United Kingdom Government is committed to introduce legislation on electronic commerce in the current Parliamentary session. A consultation paper, published on 5th March, includes proposals on digital signatures, encryption, trusted third parties (holders of encryption keys) and spamming (sending of unsolicited e-mail). The Government suggests that digital signatures would become legally binding in order to facilitate e-commerce. Some European countries, such as Italy and Germany, already have laws on electronic signatures.

With regard to cryptography services, the Government is proposing a voluntary licensing scheme. It is likely that the Government will designate OFTEL (UK's telecom watchdog) as the initial licensing authority. Organisations wanting to apply for a license would then have to satisfy the technical and security requirements set out in the proposal.

A controversial aspect of the proposal is that it seeks to grant police the authority to require disclosure of the encryption keys.

The Government is also seeking views on whether more than the current initiatives are needed to tackle spamming. The Distance Selling Directive, which needs to be implemented by 4th June 2000, will enable UK citizens to object to receiving unsolicited e-mails. Also, the Direct Marketing Associations in the UK and the USA are considering the development of an international e-mail preference service.

A further suggestion from the UK Government is to prevent Internet service providers from sending unsolicited bulk e-mail.

The consultation paper was prepared jointly by the DTI and the Home Office. Responses were sought by 1st April 1999. The paper is available at http://www.dti.gov.uk/CII/elec/elec_com.html

Privacy Laws & Business developing audit manual

Privacy Laws & Business has won the contract for developing an audit methodology for the Office of the UK Data Protection Registrar. The audit manual will be used by the Registrar to carry out her audit function required by the 1998 Data Protection Act. Once the manual is published, organisations can use it to audit their compliance with the Act.

Privacy Laws & Business is currently working on developing the manual, and is inviting five organisations to participate in pilot audits, which are designed to test the audit methodology. Your organisation will retain the results of the audits whilst Privacy Laws & Business would use them to assess the adequacy of the manual. The audits, which will take one day each, will take place towards the end of May. If your organisation would like to be audited, please contact Shelley Malhotra as soon as possible at Privacy Laws & Business , Tel: 0181 423 1300, fax: 0181 423 4536, e-mail: shelley@privacylaws.co.uk

New guidance for UK utilities

The UK Data Protection Registrar has issued a guidance note on the uses and disclosures of customer information by utility companies. The guidance, published in November last year, applies the decision of the Data Protection Tribunal in the case of British Gas Ltd v The Data Protection Registrar, in order to offer guidance to other utility companies.

The Registrar advises utility companies to inform the customers of any wider uses or disclosures of their personal data. This normally applies when offering a range services or goods that are not related to the core product supplied. New customers should be given the opportunity to either consent or object to the use of their data for additional purposes. Utility companies may not assume that the customers consent to receiving information about additional services if they do not respond to mailings. However, there are some marketing opportunities that do not contravene the principle of fair processing even if individuals' consent has not been specifically sought. For example, utility companies may advertise servicing and repair of appliances to purchasers of the core service.

The guidance note, Uses and Disclosures of Customer Information by Utility Companies, is available at the Registrar's website: http://www.open.gov.uk/dpr/utility.htm

New Israeli privacy authority appointed

Following Sarah Barsela's retirement, Ms Yosefa Tapiyero was appointed as Israel's Registrar of Databases in October last year. Ms Tapiyero was formerly Legal Adviser of the Municipality of Holon.

France appoints new Privacy Commissioner

On February 3rd, the French Data Protection Commission (CNIL) appointed Michel Gentot as President of the Commission, and Hubert Bouchet and Raymond Forni as Vice-Presidents. The previous President, Jacques Fauvet, served the Commission for fourteen years.

New Australian Privacy Commissioner

The Australian Human Rights Commission has appointed Mr Malcolm Crompton as the new Federal Privacy Commissioner. Mr Crompton, who took up the position on 20th April, has extensive private and public sector management experience.

Ulf Widebäck Sweden's new Commissioner

Ulf Widebäck, who was appointed temporarily last November, has now been appointed Sweden's Privacy Commissioner. Mr Widebäck has worked in the Privacy Commission (Datainspektionen) since 1994.

EU data directives apply to the Internet

The EU Data Protection Working Party has clarified that the Data Protection Directive 95/46/EC, and the Telecommunications Data Protection Directive 97/66/EC apply in the Internet environment. A working document, issued on 23rd February, states that the processing of personal data on the Internet has to follow the same data protection principles as those complied with off-line.

The Working Party has set up a specific Task Force to tackle the complex issue of privacy protection on the Internet. The Task Force has already issued its first recommendation (1/99, adopted on 23rd February). The Recommendation, Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware, addresses the use of cookies and browsers to collect information. The Task Force recommends that users should always be given the option to accept or reject the sending and storage of cookies. The configuration of browser software should, by default, process only the minimum amount of information necessary for establishing an Internet connection.

The documents are available on the European Commission/DGXV website at http://www.europa.eu.int/ comm/dg15/en/index.htm

EU to streamline access to public sector information

The European Commission published, in January, a Green Paper on Public Sector Information in the Information Society. The Commission aims to co-ordinate the various different strategies of the member states with regard to access to public sector information. Most importantly, the Commission would like to ensure more transparency so that non-confidential public sector information will be available.

The Green Paper introduces several questions for consideration, including copyright and data protection. Privacy considerations arise because some of the commercially interesting information held by public bodies, for example vehicle registers, include personal data. Personal data within the public sector is, however, covered by the EU Data Protection Directive. At the same time, there will be pressures for releasing the information. It is up to public sector organisations to decide for themselves the cases in which the data protection considerations override the need for that information. Under which circumstances could commercial interests justify access to publicly held personal data? This is just one of the questions raised in the Green Paper.

In the meantime, the European Ombudsman has urged the Commission to publish a register of incoming and outgoing documents. In his view, the right of access is meaningless without a register of documents, which would help individuals to exercise this right.

The Green Paper is available on the Internet at http://www.echo.lu/legal/en/access.html. All interested parties are encouraged to submit their views on the proposal by 1st June 1999 to the following address: European Commission, Mr Huber, Head of Unit, DG XIII/E-1, Bâtiment EUROFORUM, Office 1174, Rue Alcide de Gasperi, L-2920 Luxembourg. E-mail: pubinfo@cec.be

Standard opt-out proposed for UK

The UK National Consumer Council is developing a standard wording for opt-out boxes with the aim of improving consumer protection by making the boxes easily recognisable. The standard form of opt-out would mean that all companies would use the same wording. The idea is being tested by focus group research. The Council has also consulted the Direct Marketing Association and the Office of the Data Protection Registrar. More information will be available in late summer.

Japan developing a privacy mark

Japan is taking additional data protection measures to ensure privacy in electronic commerce. The Ministry of International Trade and Industry (MITI) has established a system of privacy protection marks which was planned to be implemented by April.

Companies which have adopted sufficient data protection measures, may be granted a privacy mark on application. The marks may then be displayed on websites and in general advertising in order to increase consumers' confidence in privacy protection with regard to e-commerce.

There are several requirements for acceptance. For example, companies need to appoint a data protection manager, and agree to undertake annual audits. Once the companies gain certification to the system, it is valid for two years.

The privacy mark system supplements the Japanese 1997 Guidelines Concerning the Protection of Computer Processed Personal Data in the Private Sector, and the 1988 law which applies to government agencies only. The privacy mark system will be administered by the Japan Information Processing Development Center (JIPDEC), and monitored by MITI, which established a Supervisory Authority for the Protection of Personal Data for this purpose in February 1998.

Companies wanting to apply for a mark, which may be purchased, should contact JIPDEC Headquarters at Kikai Shinko Kaikon Building, 3-5-8 Chibakouen, Manato-ku, Tokyo 105-0011 Japan, Tel: + 81(0)3 3432 9371, Fax: +81 (0)3 3432 9379, E-mail: webmaster@jidpec.or.jp

Most Americans concerned about privacy

A recent survey, published in December 1998, reveals that 88% of American consumers are concerned about their privacy, of which 55% are very concerned. These figures, and other findings of the 1998 Privacy Concerns & Consumer Choice Survey, confirm the assumption that US citizens are becoming increasingly aware of privacy matters. Three out of four of 1800 people interviewed said that they have refused to give personal information to a company. When the same question was asked nine years ago, only four in ten said that they had refused. Alarmingly, the 1998 survey reveals that 41% of consumers thought they had been victims of improper invasion of privacy by a business.

The survey, conducted by Robert Leitman, President of Louis Harris & Associates, and Dr. Alan Westin, Editor of Privacy and American Business, also asked about direct marketing calls. Nearly all consumers would opt out from receiving such calls if given the opportunity.

An Executive Summary of the survey is available on the Internet at http://www.privacyexchange.org. The 140-page study can be purchased from Privacy & American Business, e-mail: pab@mail.idt.net, Tel: + 1 201 9961154. Price $25 + shipping fee. The survey is available free of charge for government agencies, non-profit organisations and libraries. Dr Alan Westin will conduct a similar study in the UK during 1999, and will give a presentation of the comparative results at the Privacy Laws & Business Annual International Conference at Cambridge, 28-30th June.

EU planning an Internet Charter

The European Commission newsletter Cordis (8th Feb '99) reports that the Commission and the Parliament are proposing an Internet Charter which would set out internationally agreed objectives and principles in areas such as taxation, liability and data protection.

The idea of this legally nonbinding document was introduced by the Commission, and supported in a Parliamentary session on 13th January by an Italian MEP Franco Malerba who represents the Economic Committee.

Commissioner Martin Bangemann, who is responsible for information technology, was pleased that the Commission and the Parliament agreed on the need for a Charter, but reminded readers that the proposal is just a part of the Information Society initiatives. Discussions on the matter will continue.

Council of Europe adopts recommendation on privacy

The Council of Europe adopted, on 23rd February 1999, a Recommendation on the Protection of Privacy on the Internet. The Recommendation is in the form of guidelines that can be incorporated or annexed to codes of conduct. Mainly aimed at users of the Internet and Internet service providers, the guidelines set out principles of fair processing in an on-line environment, and apply to all types of information highways.

The guidelines give practical information on what to be aware of when using the Internet. They also encourage users to take action in order to ensure that their Internet Service Provider complies with privacy principles.

Internet Service Providers (ISPs) are advised to inform users of the privacy risks presented by the use of the Internet before they subscribe to the service. The ISPs are also encouraged to tell users about possibilities of accessing the Internet anonymously. Also, ISPs should post privacy policies on their websites. The statement should be clearly visible on the introductory page, and be hyper-linked to a page where a detailed policy can be found. With regard to transferring personal data to third countries, the guidelines suggest that ISPs seek advice, for example from the data protection authorities, as to whether such transmission is permissible.

The guidelines (recommendation No R (99)5), are available at http://www.coe.fr.

Isle of Man simplifies registration

The Isle of Man's (United Kingdom) new Data Protection Order (Registration Particulars) entered into force on 1st February. In order to simplify registration and subject access requests, new registration forms have been designed, and the register has been made easier to use. Business names as well as trade names need to be registered now to help data subjects when applying for subject access. The current fee of £35 has increased to £40 per enquiry per year. Registered charities continue to receive a 50% discount.

For more information, contact the Isle of Man Office of the Data Protection Registrar, PO Box 69, Douglas, IM99 1EQ, Tel + (44) 1624 661030, Fax + (44) 1624 661088.

New German privacy website

The German Federal Data Protection Commission has launched a new website at http://www.bfd.bund.de. The website informs organisations and individuals about their rights and duties under the German data protection law.