Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Privacy news worldwide UK, EU, Sweden, South Africa, Hong Kong, USA, Iceland [2000] PLBIRp 12; (2000) 53 Privacy Laws and Business International Report 2

Privacy News

New UK Act now in force

The Data Protection Act 1998, together with the supporting secondary legislation, entered into force on 1st March (see p. 12-13). The secondary legislation includes the detail of the new notification scheme, processing of sensitive data and provides exemptions from providing subject access to health, education and social work records.

Although it was expected that the Government would define the categories of "assessable processing" in the secondary legislation, an order dealing with prior checking has not yet been adopted. The Home Office may return to this question later.

The secondary legislation is discussed in the Privacy Laws & Business Compliance Guide 4, which was published on 6th March. In addition, the Office of the Data Protection Commissioner has published guidance on the new notification system. The guidance can be found at http://www.dpr.gov.uk.

The new statutory instruments are available from the Stationery Office, Tel: 0870 600 5522, or from the Home Office website: http://www. homeoffice.gov.uk (look under "What's new 1st March").

Proposal for an e-commerce directive

The European Union is considering a proposal for a directive that would regulate certain aspects of electronic commerce within the European Union, COM (1999) 427. A political agreement on the text was reached on 7th December 1999. The proposal is now awaiting a formal common position and the second reading in the European Parliament. The proposal deals with, among other things, the right to refuse unsolicited e-mail. The EU Commission proposes opt-out registers.

Following the proposal, the EU Data Protection Working Party consisting of Data Protection Commissioners adopted an opinion on data protection aspects with regard to electronic commerce. The opinion states that European data protection laws apply to electronic commerce. All data protection principles must be complied with, and the implementation of the ecommerce directive will have to be in line with the existing national laws.

In the view of the Working Party, if a company intends to mail someone whose e-mail address has been received directly from that person, the company must inform the individual of the possible use of his e-mail address by that company or third party at the time of collecting the data. If an e-mail address is acquired in a public space on the Internet, such as newsgroups or directories, its use for an electronic mailing is unfair processing of data.

The proposal for a Directive on Certain Legal Aspects of Electronic Commerce was published in the Official Journal C 30/4. The Working Party's opinion 1/2000, adopted on 3rd February, is available on http://www.europa.eu.int/comm/ dg15/en/media/dataprot/index/htm

Sweden planning an e-mail preference service

Sweden is proposing a national register of e-mail opt-outs, against which direct marketers could purge their mailing lists. The Government plans that such a register would be run and financed by industry. In the future, the preference service could be operated in connection with other countries' preference services.

The proposal of the Swedish Government is available, in Swedish, on the website of the Swedish Data Protection Authority, http://www. datainspektionen.se, e-mail: datainspektionen@datainspektionen.se

TrustUK accreditation now in operation

A UK-based accreditation body for e-commerce codes was launched on 17th February. The body, TrustUK, will accredit e-commerce codes that contain the minimum standards of consumer protection, such as the protection of privacy. E-traders that have been accredited are entitled to post the TrustUK hallmark on their websites to inform consumers of good practice.

Consumers will have the opportunity to address their possible complaints first to the organisations or bodies behind the e-commerce codes, and eventually to TrustUK, which has an independent appeal mechanism.

TrustUK is a not for profit organisation run by industry, but with the support of the UK Government. For more information, visit their website at http://www.trustuk.org.uk

New study on legal persons

The Internal Market Directorate of the European Commission published, at the beginning of February, a study on the protection of personal data of legal persons. Currently, only four EU Member States have data protection legislation that applies to legal persons: Italy, Austria, Denmark and Luxembourg. The study discusses the situation in these countries, and compares it with other Member States. The differences in national laws may create obstacles to intra- Community transfers of personal data on legal persons.

The author of the report, Douwe Korff, a UK-based privacy consultant, suggests that harmonisation of data protection rules relating to legal persons needs to be achieved in certain key areas, such as direct marketing and credit reference agencies. Some data protection rules already apply to legal persons due to the Telecommunications Data Protection Directive 97/66/EC.

The study is available on the Internet at http://www.europa.eu. int/comm/dg15

South Africa grants access rights to data subjects

South Africa adopted, on 4th February, a law which gives consumers the right to access their personal data held by public or private sector organisations. The Promotion of Access to Information Act 2000 applies to all records regardless of when they were created. Organisations are entitled to charge a fee, and the requested information needs to be provided within 30 days.

The country's constitution was amended in 1996 to include the right of access to personal information. The Promotion of Access to Information Act is a result of lengthy discussions, and has its origins in the Open Democracy Bill of 1998.

The text of the law is available on the Internet at http://www.pmg. org.za/odb/odb.htm

Hong Kong publishes Antispam draft Code of Practice

The Hong Kong Internet Service Providers Association (HKISPA) published, in February, draft recommendations on sending unsolicited e-mail (spam). The code is primarily directed to HKISPA members, but other organisations providing Internet access to the general public may also adopt the code.

The implementation guide attached to the code defines spam as sending unsolicited e-mail to more than 25 e-mail users. Subscribers must not send spam messages. If they do so, the service provider is entitled to close the subscriber's e-mail account.

The draft code is available on http://www.hkispa.org.hk/ antispam/cop.html

American Privacy Officer Programme

Privacy Laws & American Business (P&AB) launched, at the end of February, a year long training programme for data protection managers within organisations. The programme will train Chief Privacy Officers on how to best protect privacy both off and online. The programme consists of training days, access to White Papers on developing trends written by P&AB staff, a news service, and two places at this year's P&AB Annual Conference in Washington in November.

For more information, e-mail P&AB at ctrslr@aol.com.

Majority of US citizens in favour of privacy laws

New research carried out by Business Week reveals that 57% of US citizens favour some sort of privacy laws regulating the collection and use of personal data. Of those who shop online, 41% are very concerned about their privacy. Also 63% of people who surf the web, but do not make purchases, are very concerned about privacy. The majority of computer users were not familiar with the concept of "cookies," files downloaded onto the user's computer to track his online behaviour. Privacy policies were marginally better known - 55% of respondents had seen privacy notices on websites.

The opinion poll, published in Business Week on 20th March, was based on telephone interviews with 1,014 adults between 2nd and 6th of March. The poll was conducted by Harris Interactive.

An online version of the opinion poll can be found at http://www. businessweek.com/2000

Updated directory of privacy contacts

The recently updated Directory of Privacy Professionals, published by a US-based publication Privacy Journal, lists more than 500 individuals and organisations who deal with privacy issues.

The 26-page directory lists details of public-interest groups, experts, lawyers, corporate and government privacy officers, journalists, academics, and authors worldwide.

The directory can be ordered from Privacy Journal, PO Box 28577, Providence RI 02908, USA, e-mail: privacyjournal@prodigy.net, Internet: www.privacyjournal.net. Price: $12.50 plus $4 handling fee.

Iceland sells its medical records

Icelanders' privacy is at stake as the Government has sold the medical records of nearly all of its 275,000 citizens to a private medical research company. The US-funded company, DeCode, intends to conduct genetic research. It is easy to isolate genes in a homogenous population such as the Icelanders, and the company hopes to find cures to genetic diseases.

The Government has allowed citizens to opt-out from having their genetic records stored in this database. So far, only 5% of Icelanders have decided not to release their data.

The nation's genetic information will be stored on a centralised data bank. The genealogy information will be encrypted by Iceland's Data Protection Commission in order to keep the individuals' identities secret. However, the Commission had previously warned about privacy risks involved with the project (PL&B Dec '98 p.22-23).

For more information, see http://www. cnn.com/2000/WORLD/europe/ 03/03/iceland.genes/index.html

US medical privacy regulations face criticism

The proposed US rules for medical privacy have been criticised by the American Civil Liberties Union (ACLU). The organisation claims that the proposed regulations include several loopholes, such as allowing enforcement agencies virtually unlimited access to medical records.

"The administration's proposed regulations are an important first step toward comprehensive federal privacy protections," said Ronald Weich, an ACLU Legislative Consultant. "But there are so many loopholes to the administration's overall rule that medical records are private, that the exceptions threaten to become the rule."

ACLU released its comments on 17th February. They can be seen at http://www.aclu.org. ACLU has also launched a special webcampaign to focus public attention on new threats to individual freedom and liberty. Information about the campaign can be found on their website until the end of May.

EPIC releases a report on cryptography

The Electronic Privacy Information Centre (EPIC) released, on 3rd April, a survey "Cryptography and Liberty 2000: An International Survey of Encryption Policies." The survey confirms that the majority of countries now allow free use, manufacture and selling of cryptography products.

The expansion of electronic commerce and the need for privacy online have resulted in policies that support strong cryptography. However, in some countries, governments propose that users could be forced to disclose keys or decrypted files to government agencies.

EPIC Executive Director, Marc Rotenberg, said that the report will contribute significantly to the ongoing discussion about the right to communicate freely and in private in the digital age.

"Strong encryption is critical for the development of networks that will safeguard personal communications," he said.

An online version of the report is available at: http://www2.epic.org/ reports/crypto2000. The printed, book version of "Cryptography and Liberty 2000: An International Survey of Encryption Policy" (154 pages, softcover, ISBN: 1893044076, $20) is available to order at: http://www.epic.org/crypto&/

Compliance advice on UK law for e-businesses

Paisner & Co, a London-based law firm launched, at the beginning of March, an online compliance programme to help businesses involved with e-commerce to comply with the new UK Data Protection Act. The programme consists of five separate modules, which deal with the main aspects of the Act, notification rules, privacy policies, subject access requests and international transfers.

The programme includes interactive elements. For example, when a company fills in a form about their data processing and sends it online to Paisner, the law firm prepares and sends by e-mail a draft privacy policy.

For more information, contact Eduardo Ustaran, Paisner & Co, Tel + 44 (0)20 7427 1237, or see http://www.complytoday.com.