WorldLII Home | Databases | WorldLII | Search | Feedback

Privacy Laws and Business International Report

You are here:  WorldLII >> Databases >> Privacy Laws and Business International Report >> 1999 >> [1999] PLBIRp 2

Database Search | Name Search | Recent Articles | Noteup | LawCite | Download | Help

Privacy news worldwide Australia, Latin America, New Zealand, Quebec, UK, US, (also on pages 21, 22, 23) [1999] PLBIRp 2; (1999) 47 Privacy Laws and Business International Report 2

Privacy News

Data protection rules for distance selling

The European Commission's Distance Contracts Directive (97/7) prohibits the use of automated calling systems or fax for distance selling without consumers' prior consent. The approach is the same as that of the Telecommunications Data Protection Directive (97/66). The Distance Contracts Directive, however, also gives consumers the right to object to communications sent by other means, including email. This is an important aspect, because the Telecommunications Data Protection Directive does not explicitly apply to e-mail.

It is up to the Member States to decide whether they implement the privacy provisions of the Distance Contracts Directive by an opt-in or opt-out system. It is likely that email preference services will be set up to offer consumers the opportunity to register their objections. In the UK, for example, the Direct Marketing Association intends to do so.

The Distance Contracts Directive affects everyone involved in direct marketing. It applies to selling goods or services to consumers by distance communications, such as e-mail, fax, telephone and post. As general rules for processing personal data are laid down in the Data Protection Directive (95/46), and the sectoral Telecommunications Directive, the privacy provisions in the Distance Contracts Directive ought to be implemented consistently.

The Distance Contracts Directive, adopted on 20th May 1997, needs to be implemented in EU Member States by 4th June 2000. The directive does not apply to "contracts within financial services," which will be regulated by a separate directive.

The EU Directive on the Protection of Consumers in Respect of Distance Contracts is available on the Internet at http://www.europa.eu.int/eurlex/ en/lif/dat/en_397L0007.html, or in the Official Journal No. L144 of 4th June 1997, pp.19-27. In the UK, the Department of Trade and Industry held a consultation, which finished in September, on the implementation of the directive. For further information, contact John Thorpe, Tel: + 44 (0) 171 215 0348.

US Internet privacy law threatens privacy

The Electronic Privacy Information Center's (EPIC) lawsuit against the newly adopted federal law on Child Online Protection resulted in a temporary restraining order in November. The new Act would apply to commercial websites, and aims to protect Internet users who are under 17 years of age. The lawsuit, which EPIC filed together with other online civil liberties groups, pointed out that to comply with the Act, companies are encouraged to take action that would, in effect, be counteractive to privacy protection. According to the Act, companies need parental consent for collecting personal information from children via their websites. To determine consent, companies are advised to require a credit card or adult personal identification number to allow access. Another demonstration of compliance would be to accept digital certificates proving the user's age. The privacy organisations stressed that these features threaten online privacy and anonymity.

The court's decision stopped the Act from entering into force in November. More information about the lawsuit, including daily updates from the court, is available at http://www.epic.org/free_speech/copa/

United States adopts law to prevent identity theft

The use of someone else's personal information has become a big problem in the United States. The U.S. credit reporting organisations estimate that there are at least 500,000 victims of identity theft a year. The Identity Theft and Assumption Deterrence Act (H.R. 4151) aims to change the situation.

The law makes it illegal to knowingly purchase, steal, possess or use personal information or data in order to take the identity of another person. The law covers a variety of different data: name, social security number, date of birth, driver's license or identification number, passport number, employer or taxpayer identification number, address and any unique biometric data. The problem of data being easily available, however, still remains.

The identity theft law was signed on 30th October by President Clinton. It introduces heavy penalties, up to $250,000, and appoints the Federal Trade Commission to receive complaints and help the victims.

The law is available at http://thomas.loc.gov/bss/d105/ d105laws.html. For more information about identity theft and data protection, look at http://www.pimall.com/nais/n.idt.html and the Ontario Privacy Commissioner's site at http://ipc.on.ca/web_site.eng/ matters/sum_pap/papers/ident-e.htm

BSI guidance on the UK 1998 Data Protection Act

The British Standards Institution (BSI) advises businesses to start preparing for the 1998 Data Protection Act immediately even if the Act in not in force yet. Changes may be required not only to IT systems but also to business processes. Businesses can now develop:

• Privacy enhancing technologies (PETS), such as encrypted biometric identification systems

• New standards for manual filing systems

• Model contracts for exporting data to third countries

• Insurance against risk of legal action by data subjects.

The BSI, in association with the Office of the Data Protection Registrar (ODPR), is currently planning a guide which would provide practical advice on transitional requirements. The guide is expected to be published in early 1999, and would build on the advice issued by the ODPR.

For further information about the forthcoming guide, contact Bernadette Shine at BSI/DISC, Tel: + (44) 181 996 7440, Fax: + (44) 181 996 7448, e-mail: disc_data_ protection@bsi.org.uk

New UK regulations on marketing calls and faxes

The new telecommunications regulations, which implement Article 12 of the Data Protection Telecommunications Directive (97/66), will come into force in the United Kingdom on 1st May. The regulations deal only with unsolicited marketing calls and faxes. The other articles of this directive (apart from Article 5) will be implemented when the new Data Protection Act comes into force later this year.

The current regulations aim to stop organisations from sending direct marketing faxes, unless they have the individuals' consent. Both corporate subscribers and individuals can avoid receiving direct marketing calls by opting-out. In practice, this will mean registering with a centralised list of subscribers who do not wish to receive these calls. In this context, "individuals" include sole traders and partnerships in England and Wales.

An additional requirement for companies involved in direct marketing by fax and phone is to provide their names and addresses so that individuals can contact them. The regulations will be enforced by the Data Protection Registrar. However, opt-out schemes will be administered by the Director General of Telecommunications, who will contract out these services.

The Telecommunications Regulations, published on 18th January, are available on the Internet at http://www.dti.gov.uk/cii/tdpd/regs, or from the DTI, Tel: +(44) 171 215 1808.

Latin American countries to legislate on privacy

Latin American countries have made progress in their efforts to adopt privacy and data protection laws. There are two privacy bills in the Brazilian Congress: one of them addresses specifically Internet issues. It is proposed that international data transfers are the responsibility of the data controller, as the Government does not want to interfere.

In Argentina a new bill is under discussion. Apparently, the bill copies 95% of the one vetoed in 1997. Mexico has issued a norm defining minimum standards for data protection. However, there is no bill yet. Chile has introduced a bill which follows the EU directive quite closely. Peru and Colombia have not taken any measures yet.

In addition, the Justice Ministers of Latin American countries, Portugal and Spain agreed a declaration at their conference, held in Lisbon last July, to draw up an international data protection convention. Dr Seabra Lopes, Director General of the the Justice Ministry, Portugal, explained to PL&B at the Data Protection Commissioners' International Conference last year that the countries plan to have the text ready for discussion at their conference in Havana, Cuba, in 2000.

For further information about the draft laws, contact Pedro John Meinrath, e-mail: telemaker@ originet.com.br, who spoke at the Privacy & American Business 5th Annual Conference last December.

UK Registrar initiates project on public registers

The UK Data Protection Registrar, Elizabeth France, has launched a project on the use of personal information in public registers. The Registrar is concerned about the use of public registers for direct marketing purposes and for tracing individuals. The project, which will be completed by the end of May, will look at different types of public registers, such as shareholders' registers and the electoral register.

As a good source of names and addresses for direct marketers, the electoral register is vital for commercial users. The Direct Marketing Association argued, in a Home Office consultation on the commercial use of the register last year, that the main use is the validation and correction of names and addresses. This, they said, is a way of ensuring that organisations fulfil the requirements of the Data Protection Act to keep records accurate and up-to-date.

The Registrar has awarded the project to Professor C.Oppenheim and Dr. J.E. Davies at Loughborough University. She intends to publish the findings in a report, and if needed, propose new measures to protect individual rights.

For further information, contact Assistant Registrar, David Smith, Tel: +44 (0)1625 545 700

Quebec reviews public bodies' security systems

The Commission d'accès à l'information urges Quebec's public bodies to raise awareness of data protection in the civil service. Nearly ninety organisations, acting at the Commission's initiative, carried out a self-assessment of security measures between February and August last year.

The assessment revealed that Government employees feel helpless about some of the issues raised by the new information and communication technologies. They are not well-informed about the laws governing data protection, and need more training.

The Commission recommended in its report, released 6th October 1998, that the Government should bring together the various organisations involved with security of information. Public organisations could set up security committees reporting to top management, and implement the security plans established during self-assessment.

The process was based on the MARION method, which analyses information system risks.

EU legislation now available on-line

The texts of European Union legislation are now available centrally on the EUR-Lex website. Apart from legislation that has come into force, the site also includes other material from the Official Journal such as treaties and Court of Justice decisions. The texts are available in the eleven official EU languages, and can be found using a search function. The EUR-Lex website is at http:// europa.eu.int/eurlex/en/index.html

New Zealand reviews its Privacy Act

The New Zealand Privacy Commissioner, Bruce Slane and his Assistant Commissioner, Blair Stewart have finished the review of the 1993 Privacy Act. The report, which was tabled in Parliament on 15th December 1998, is the first review of the Act since it came into force. Although Bruce Slane considers the Act to be working well in practice, he has made more than 150 recommendations on how to improve its effectiveness and reduce compliance costs. Some recommendations simply aim to make the Act more understandable, while others address the concerns raised by the EU Data Protection Directive.

"I consider the Act is firmly on the right track. The recommendations I make do not imply any major change in direction," said Bruce Slane.

The suggestions include a new right for individuals to have their details deleted from marketing lists, and limitations on large-scale use of public registers, such as the electoral roll, for direct marketing purposes. The Commissioner also recommends that it should be illegal for prospective employers to ask applicants to provide records of convictions before obtaining jobs (enforced subject access).

The recommendations also take into account the developments of new technology, such as computer browsing, which may be brought within the information privacy principles. With regard to transborder data flows, the Commissioner suggests that the Act be amended to include an express provision on international data transfers. A mechanism should be developed to enable mutual assistance in situations where countries may try to use New Zealand as a conduit for transfers in order to avoid EU or other privacy laws. Also, special restrictions are needed for sensitive data.

The 437-page report is now being considered by the Minister of Justice. It is public and can be obtained from the Office of the Privacy Commissioner, Fax: + 64 9302 2305, e-mail: privacy@iprolink.co.nz, at a cost of $152.25 including delivery. A shorter document highlighting the most important themes is available on the Internet at http://privacy.org.nz/news4.html.

Article 29 Group publishes annual report

The EU Data Protection Working Party, also known as "the Article 29 group," published its second annual report on 30th November last year. The report includes short country reports on data protection developments in EU member states during 1997, as well as an account of developments at the community level. Some attention is also given to developments within the Council of Europe, and some non-EU countries, including Norway, and Eastern and Central European countries. Reports from other non- EU countries cover the United States, Australia and Japan.

The report is available on European Commission / DGXV website at http://www.europa.eu.int/comm/dg15/en/index.htm (look under "Documents adopted by the Data Protection Working Party").

Australian Privacy Commissioner leaves

Following Moira Scollay's resignation, her position has been temporarily filled by the Deputy Privacy Commissioner, Timothy Pilgrim. Ms Scollay took up a position as Chief Executive Officer of the Australian National Training Authority in mid-January.


WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback
URL: http://www.worldlii.org/int/journals/PLBIRp/1999/2.html