QuickLinks - Data Protection (privacy)
QuickLinks - Data Protection (privacy)
Issue no. 364 - 7 July 2006
Issue no. 363 - 25 June 2006
- EU - Follow-up to ECJ ruling on passenger name records
The European Commission has adopted two initiatives to put a legally sound framework in place for the transfer of PNR data to the United States. These initiatives are the first European answers to correct the legal basis for the Agreement with the US that was struck down by the European Court of Justice on 30 May 2006. The Court ruled that the Article 95 EC-Treaty was not an appropriate legal basis for the transfer of PNR data which are essentially aiming to ensure public security and activities by public authorities in areas of criminal law. As the Agreement with the United-States remains in force under international law for a period of 90 days after it is denounced by either Party, the Commission recommends to the Council to terminate the Agreement with the US before the end of this month. At the same time the Commission asks the Council for an authorisation to open negotiations for an Agreement with the United States of America on the use of PNR data to prevent and combat terrorism and transnational crime, including organised crime.
- US - Pentagon sets its sights on social networking websites
Pentagon's National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology - specifically the forthcoming "semantic web" championed by the web standards organisation W3C - to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.
Issue no. 362 - 11 June 2006
- EU - PNR: EDPS first reaction to the Court of Justice judgment
The European Data Protection Supervisor (EDPS) gives his initial reactions to the judgment of the Court of Justice in the two PNR-cases concerning the transfer of flight passenger's personal data to the US. The EDPS has used, for the first time in these cases, his powers to intervene before the Court in support of the Parliament. Peter Hustinx, EDPS, says: "The judgment seems to have created a loophole in the protection of European citizens whereby their data are used for law enforcement purposes. This makes it all the more important that a comprehensive and consistent legal instrument ensuring the protection of personal data outside of the first pillar is adopted without delay".
- EU court blocks data deal with US
The European Court of Justice has blocked an EU-US agreement that requires airlines to transfer passenger data to the US authorities. The court said the decision to hand over the data was not founded on an 'appropriate legal basis'. But the court gave EU member states until 30 September 2006 to find a new legal solution "for reasons of legal certainty".
Issue no. 361 - 23 May 2006
- EU - RFID tags provoke privacy concerns
(International Herald Tribune)
Radio frequency identification tags are postage-stamp-size chips that are revolutionizing the marketing and inventory businesses. But the revolution is also igniting debate in Europe over what some fear could be a new threat to personal privacy. Reflecting concern among consumer groups, the European Commission, led by Viviane Reding, the commissioner for information society and media, is holding a series of hearings and public forums on RFID tags.
Issue no. 360 - 14 May 2006
- US - Data on Phone Calls Monitored
The Bush administration has secretly been collecting the domestic telephone records of millions of U.S. households and businesses, assembling gargantuan databases and attempting to sift through them for clues about terrorist threats.
Issue no. 359 - 9 May 2006
- UK - ID Card database to be used as population register
The Government announced that data from the National Identity Register (NIR) will also be used as an adult population register for a range of novel data sharing functions. The Office of National Statistics had promoted a separate adult population register as part of the Citizen Information Project (CIP) for these functions, but the announcement states that the CIP project has been wound up and its functions incorporated into the wider use of NIR data. The announcement also changes many undertakings given to Parliament when it considered the ID Card legislation.
Issue no. 358 - 21 April 2006
- EU - Article 29 asks for safeguards on data retention
The Article 29 Data Protection Working Party has adopted its opinion on data retention directive. The privacy experts consider it to be of the utmost importance that the Directive is implemented and accompanied in each Member State by measures protecting privacy. The Directive leaves room for interpretation and therefore adequate and specific safeguards are necessary to protect the vital interests of the individual, mainly the right to confidentiality when using publicly available electronic communications services. Opinion 3/2006 on the Directive 2006/XX/EC on the retention of data processed in connection with the provision of public electronic communication services (25.03.2006)
- FR - Télécoms, internet : la loi antiterroriste est parue
Conformément à la loi antiterroriste du 23 janvier dernier, opérateurs télécoms, fournisseurs d'accès internet et propriétaires de cybercafés devront désormais conserver toutes les données pendant un an, selon le décret paru dimanche 26 mars au Journal officiel. Les opérateurs conserveront pendant cette durée les informations permettant notamment d'identifier l'utilisateur, les données relatives aux équipements terminaux de communication utilisés, les caractéristiques techniques ainsi que la date, l'horaire et la durée de chaque communication et les données permettant d'identifier le ou les destinataires de la communication.
Issue no. 357 - 26 March 2006
- EU - Data Protection Supervisor on exchange of police information Rapid - Press Releases
The European Data Protection Supervisor (EDPS) has issued an Opinion on the proposal for a framework decision on the exchange of information under the principle of availability. Introduced by the Hague program, the principle of availability means that information that is available to law enforcement authorities in one Member State should also be made accessible for equivalent authorities in other Member States. The principle raises a number of data protection issues, notably because of the sensitivity of the data and the reduced control of the use of the information.
- EU - The RFID Revolution: challenges and options for action
Viviane Reding, Member of the European Commission responsible for Information Society and Media, International CeBIT Summit, Hannover, 9 March 2006.
- European Commission consults on RFID
The European Commission has launched a debate on RFID (Radio Frequency Identification). It is seeking views on the opportunities, interoperability and compatibility issues as well as the privacy and security concerns raised by the new technology.
- FR - Une start-up française relance la géolocalisation des enfants
Les clients de l'opérateur Orange peuvent désormais localiser le mobile de leur enfant via un service proposé par Illico.net, une start-up parisienne. Un service de «géocontrôle parental» agrémenté par la Cnil. La société française Ilico.net lance, sur le réseau d'Orange, un service de géolocalisation des enfants via leur téléphone mobile. Ce système de «géocontrôle parental» repose sur un principe simple: l'adulte s'inscrit à un service en ligne, baptisé «ootay», et y enregistre les nom et coordonnées téléphoniques de son enfant.
- UK parents to get online check of 8m child workers records
The UK Government announces plans for a massive data, security and privacy own goal, in the shape of the Safeguarding Vulnerable Groups Bill. The Bill, which is intended to widen and centralise the vetting of people working with children (approximately 8 million individuals), will allow employers, including parents hiring nannies and childminders, to check the records of potential employees online.
Issue no. 356 - 27 February 2006
- Big Risks Come in Small Packages
by Bruce Schneier. Our digital devices have all gotten smaller, while at the same time they're carrying more and more sensitive information.
- EU - Data Retention Directive endorsed by Ministers
Ministers at the Justice and Home Affairs Council adopted the controversial Data Retention Directive with a qualified majority. Irish and Slovak Ministers voted against the measure. The Directive aims to harmonise Member States' provisions relating to the retention of communications data, in order to ensure that the data, which can identify the caller, the time and the means of communication, is available for the purpose of the investigation, detection and prosecution of serious crime. The Directive is not concerned with the content of the communications.
- US - Changing Technology Makes Government Surveillance More Intrusive
CDT has released a report about how privacy law has failed to keep pace with technology. The report, Digital Search & Seizure: Updating Privacy Protections to Keep Pace with Technology, calls for an in-depth Congressional review of the ways digital technology makes government surveillance easier and more intrusive. CDT's report focuses on three developments: Online storage, location technologies and keystroke loggers.
Issue no. 355 - 5 February 2006
- FAQ: When Google is not your friend
by Declan McCullagh. Google's recent legal spat with the U.S. Department of Justice highlights not only what information search engines record about us but also the shortcomings in a federal law that's supposed to protect online privacy. CNET News.com has surveyed Google, Microsoft, Yahoo and AOL to find out their privacy practices, and assembled these answers to frequently asked questions.
- UK - Mobile phone tracking, girlfriend stalking and the law
A service has launched in the UK which allows you to track any mobile phone around the globe and follow its movements from your own computer. The Guardian ran a feature on it yesterday called 'How I stalked my girlfriend'. It painted a scary picture.
Issue no. 354 - 31 January 2006
- EU privacy chief wants tweaks to anti-terror database plan
The European Data Protection Supervisor (EDPS) has welcomed the inclusion of data protection requirements in EU proposals to improve access to a forthcoming EU-wide database known as VIS. He also suggested possible improvements. The VIS, also known as the Visa Information System, is intended to be a system for the exchange of visa data between Member States and is primarily an instrument to support the common visa policy. It will also facilitate checks at the external borders and within the Member States, assisting the exchange of data between Member States on applications and on the decisions in respect of those applications.
- UK - Lords defeat for ID cards scheme
The government has been defeated in the Lords as peers said its controversial ID cards scheme could not go ahead until its full costs were revealed. Ministers say it will cost £584m a year to issue cards but say revealing costings for the full scheme could make it harder to get a good value deal. Peers voted by 237 votes to 156 to block the scheme until the National Audit Office and MPs vet the figures. The government is likely to try to overturn the defeat in the Commons.
- US - Google refuses White House search request
Google is resisting a White House subpoena to hand over the records of the searches internet users are asking it to perform, it has emerged. The White House argues that a list of all requests entered into its search engine over a single week - which could span tens of millions of queries - will help it build up a profile of internet use it needs to defend an online pornography law. It also wants a million randomly selected addresses from the index of websites that Google searches. The papers said Google's search record 'would assist the government in its efforts to understand the behavior of current web users [and] to estimate how often web users encounter harmful-to-minors material in the course of their searches'.
Issue no. 352 - 18 December 2005
- EU - MEPs approve Data Retention Directive
The European Parliament approved a draft Directive on data retention that will see ISPs and telcos retain phone and internet records for up to two years for use in investigation of criminal and terrorist offences. Backroom talks ensued and MEPs voted to adopt the Directive with 378 votes in favour, 197 against and 30 abstentions. The Directive sets out an EU-wide system of retaining communications data - data that identifies the caller, the time and the means of communication (e.g. subscriber details, billing data, e-mail logs, personal details of customers and records showing the location where mobile phone calls were made). It does not allow for the retention of the content of the communications, but will retain details of connected, but unanswered calls. The inclusion of these so-called "los" calls is controversial, and had been one of the sticking points between MEPs and Ministers. MEPs were concerned that telcos do not currently register such calls, because no bills are issued in respect of them, and it would be expensive for these firms to adapt their systems. The data will be retained for a minimum of six months and a maximum of 24, and will be made available to the police and judiciary in order to investigate terrorism and serious crime. The data retained will only be disclosed in specific cases and will be subject to strict data protection rules. Any abuse of the data will be subject to sanctions. see also Ireland to contest data retention law at EU Court (EUobserver.com).
Issue no. 351 - 11 December 2005
Issue no. 350 - 4 December 2005
- EU - Commission proposes changes to JLS databases
With a view to achieving a higher level of EU internal security the European Commission today adopted a package of measures consisting of: (a) a proposal for a Council Decision concerning the access for consultation to the Visa Information System (VIS) to authorities of Member States responsible for internal security and to Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences, and (b) a communication on the medium- and long-term development of the three common European databases in the field of justice and home affairs: the Schengen Information System (SIS), the Visa Information System (VIS) and EURODAC, the database containing fingerprints of asylum seekers and illegal immigrants.
- EU - The clock is ticking for EU administration's compliance with data protection
The European Data Protection Supervisor (EDPS) sends a paper to the heads of the EU administration, in which he addresses the Data Protection Officer's (DPOs) role as a strategic partner in ensuring compliance with the data protection regulation (45/2001) without delay. One of the key messages is that also all EU bodies need to appoint a DPO, although the appointment in itself does not automatically mean full compliance with the regulation. A second key message is that the DPOs must be notified more adequately of personal data processing within their entity and that they must notify the EDPS of any processing which entails specific risks for the people concerned and therefore need a prior check.
- UK - ID Card Bill powers need more scrutiny, says Select Committee
The Select Committee on Delegated Powers and Regulatory Reform has concluded that Parliamentary scrutiny of the ID Card Bill needs to be enhanced. It described powers being sought in the Bill by the Home Secretary as 'inappropriate.' Unlike three other Parliamentary Committees which have criticised the substance of the Government's ID Card proposals, this Committee was established in the 1990s to counter 'the considerable disquiet over the problem of wide and sometimes ill-defined order-making powers which give Ministers unlimited discretion'. In other words, the Committee looks at whether the executive arm of Government is seeking excessive powers or whether the powers being sought are subject to sufficient scrutiny by Parliament.
- US - FTC approval of application for revised safe harbor program
The Commission has approved an application submitted by the Entertainment Software Rating Board (ESRB) asking that it be allowed to revise its safe harbor program in accordance with the Children?s Online Privacy Protection Act (COPPA). Under COPPA and the FTC?s COPPA Rule, the Commission may approve self-regulatory guidelines that are substantially similar to those in the Rule and that ensure adequate monitoring and enforcement. An organization that is in compliance with such an FTC-approved "safe harbor" program is considered to be in compliance with the Rule.
Issue no. 349 - 27 November 2005
- EU - Annul passenger data decisions, says Advocate General
European Commission and Council decisions that led to a controversial agreement permitting the transfer of air passenger data to the US should be annulled because they do not have an adequate legal basis, according to Advocate General Phillipe Léger.
- EU - Ausschuss segnet Kompromiss zur TK-Vorratsdatenspeicherung ab
Der federführende Ausschuss für Bürgerrechte, Justiz und Inneres des EU-Parlaments hat sich für zahlreiche Änderungen an der heftig umstrittenen EU-Richtlinie zur Vorratsspeicherung von Telekommunikationsdaten stark gemacht. Laut dem mit großer Mehrheit verabschiedeten Votum der Fachpolitiker, das als Empfehlung für eine voraussichtlich schon im Dezember stattfindende 1. Lesung des Gesetzesvorschlags im Plenum gilt, sollen die Standort- und Telefonverbindungsdaten sowie die IP-Adressen beim Internet-Zugang künftig zwischen sechs und zwölf Monate lang archiviert werden. Angaben zum E-Mail-Verkehr oder zu MAC-Adressen von PC-Netzwerkkarten müssten nicht gespeichert werden, wenn die vom Ausschuss beschlossenen Korrekturen angenommen werden.
Issue no. 348 - 13 November 2005
- EU - Article 29 WP rejects data retention once more
EU privacy commissioners (the Article 29 Working Party) have criticised both the Council and the Commission policies on data retention. The Article 29 Working Party calls for restraint and safeguards that have to date not appeared in any national or EU policy. 'The Working Party questions whether the justification for an obligatory and general data retention coming from the competent authorities in Member States is grounded on crystal-clear evidence. The Working Party also doubts whether the proposed data retention periods in the draft Directive are convincing.' And when it comes to safeguards, the Working Party states: 'imposing the said data retention obligations on communication service providers without having first realised adequate, specific safeguards is not to be accepted within the existing European legal framework.'
- EU - Datenschützer: Tiefer Eingriff in Privatsphäre durch Vorratspeicherung von TK-Daten
Die Datenschutzbeauftragten der EU-Mitgliedsstaaten haben sich auf einer Sondersitzung in Brüssel entschieden gegen das Vorhaben der EU-Kommission und des EU-Rates gestellt, über eine Richtlinie die elektronischen Spuren der 450 Millionen EU-Bürger pauschal aufzuzeichnen und auf Vorrat zu speichern. Die Hüter der Privatsphäre, die in der EU in der so genannten Artikel-29-Gruppe organisiert sind, weisen in ihrer Stellungnahme zu dem Gesetzesentwurf der Kommission auf die "historischen Dimension" der Einführung der heftig umstrittenen pauschalen Überwachungsmaßnahme. "Die Anbieter von Telekommunikations- und Internetdiensten würden zum ersten Mal gezwungen, Milliarden von Telefon- und Internetdaten aller Bürger für Ermittlungszwecke zu speichern", gab der Bundesdatenschutzbeauftragte Peter Schaar als Vorsitzender der Datenschützergruppe zu bedenken.
- EU - European Data Protection Supervisor newsletter
The European Data Protection Supervisor has started an e-mail newsletter to inform a general public about his activities such as opinions, policy papers and publications. The October newsletter contains brief information and links to the EDPS's involvement in PNR and the Visa Information System. The newsletter also mentions a policy paper on the conflict between two fundamental rights: access to information and data protection.
- EU - European Parliament: no retention of internet data
Behind closed doors, the European Parliament is engaged in a monumentous battle with the Council of ministers of Justice over the plans for mandatory data retention. After a first meeting of the leading parliamentary committee on Civil Liberties, Justice and Home Affairs (LIBE) on Monday 24 October, it looks like a majority of social-democrats, greens and some liberals is ready to delete internet data from the proposal all together, focus on a very limited set of telephony data and store them for only 3 months, while deleting the abhorred 'comitology procedure'.
- EU - Privacy watchdog warns of 'fuzzy' data sharing plans
The European Data Protection Supervisor (EDPS) has called for better privacy protection in the European Commission's plans for revising a system that enables authorities to share information about the movement of people across the EU. The EDPS is Peter Hustinx, the person responsible for monitoring the processing of personal data by the Community institutions and bodies. His opinion on three proposals related to the Second Generation Schengen Information System, known as SIS II.
- Experts call for global biometrics agency
Biometrics experts have called for an international standards agency to monitor usage of the technology to ensure that it is deployed as efficiently as possible across multiple countries.
- FR - La Cnil dit non à la police automatique de la musique
Non au repérage automatique des «pirates» sur les réseaux. La Commission nationale de l'Informatique et des Libertés (CNIL) a rejeté la demande de quatre sociétés d'auteurs et de producteurs qui voulaient repérer automatiquement, par des dispositifs informatiques, les internautes qui mettent de la musique à disposition sur les sites de «peer to peer» (P2P). La Cnil leur a également refusé le droit d'envoyer à ces internautes, après détection, des messages de prévention par le biais de leurs fournisseurs d'accès à internet (FAI). Voir Echos des séances (CNIL).
FR - Cinéma: l'industrie et les FAI s'accordent enfin sur la riposte graduée
- Swedish DPA: music industry may collect IP addresses
According to the Swedish e-zine The Local, the Swedish Data Inspection Board now allows the Swedish anti-piracy group Antipiratbyrån and the record industry group IFPI to collect the IP addresses of file-sharers.
- UK - Identity Cards Bill has inadequate safeguards, says Parliamentary Committee
The all-party House of Lords Constitution Committee has published a critical report which reiterates concerns about insufficient safeguards in the Identity Cards Bill. see also Further official criticism about ID Card database and the lack of privacy. The Information Commissioner, the Joint Committee on Human Rights (JCHR) and Law Society have added to the criticism of the ID Card Bill prior to its second reading in the House of Lords.
- Warcraft game maker in spying row
Game maker Blizzard has been accused of spying on the four million players of World of Warcraft. Net activists branded software used to spot cheats 'spyware' because it gathers information about the other programs running on players' PCs.
Issue no. 347 - 19 October 2005
- EU - Commission steps up personal data safeguards to strengthen police and judicial co-operation
Faced with organised crime and terrorism which are increasingly operating across borders, the European Commission has today presented new proposals to reinforce the protection of personal data and allow for a more effective exchange of information between national law enforcement agencies. The proposal for a framework decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters - together with a recent proposal on the retention of data by communication providers - reflect the Commission's overall approach of strengthening international co-operation to ensure security and protection for citizens while at the same time safeguarding fundamental freedoms, particularly the right to privacy and data protection.
- EU - Justice ministers agree compromise on data retention
EU justice ministers have backed down on a council proposal on data retention and instead decided to seek the help of the commission and parliament to reach a decision. nable to reach an agreement on a data retention proposal of their own, the justice ministers decided at a council meeting in Luxembourg to move ahead with a 'compromise proposal' from the commission. Data shall be stored for between 6 months and 2 years, according to the new proposal. The council proposal implied a minimum of 1 year and as long as up to 4 years of storage.
- FR - Nouvelle censure judiciaire d´un système d´alerte éthique
Dans la même logique que la délibération « McDonald´s » de la Cnil sur les systèmes d´alerte éthique, le tribunal de Libourne (Gironde) a demandé à BSN-Glasspack, filiale française d´une société américaine, de retirer son dispositif d´alerte éthique. Dans son ordonnance de référé, il prononce ces mesures conservatoires en raison de « la seule existence d´un dommage potentiel imminent pour les libertés individuelles de salariés victimes de dénonciations anonymes recueillies par le biais d´un dispositif privé échappant à tout contrôle, sans que l´intérêt de l´entreprise ne permette sérieusement de le justifier ».
- UK - Clarke pledges ID card data will be limited to information on passports
The home secretary, Charles Clarke, will guarantee that the personal details contained on the national identity card will not go beyond those currently held on passports. He is to announce that he will write the guarantee into the legislation which passes through its final stages in the Commons.
Issue no. 346 - 2 October 2005
Issue no. 345 - 25 September 2005
- Data Protection Commissioners Conference in Montreux
The 27th international conference of data protection commissioners took place in Montreux/Switzerland from 13 to 15 September 2005. The commissioners in their closed session on 16 September adopted the Montreux Declaration. It calls for the spread of universal privacy principles around the world, including through the U.N.; cooperation with NGOs around the world; and for intergovernmental organisations (like ICAO, creator of the biometric/RFID passport standard) to comply with such principles and to appoint privacy officers. The conference also passed resolutions on biometric identity documents and on the use of personal data for political communications.
- EU - Commission proposes rules on communication data retention
The European Commission has adopted a proposal for a Directive on the retention of communications traffic data. The proposal provides for an EU-wide harmonisation of the obligations on providers of publicly available electronic communications, or a public telecommunications network, to retain data related to mobile and fixed telephony for a period of one year, and internet communication data for six months. The proposed Directive would not be applicable to the actual content of the communications. It also includes a provision ensuring that the service or network providers will be reimbursed for the demonstrated additional costs they will have. see also Memo on Data Retention Directive and EDRI reaction.
Index page see also Security and encryption
Links to news items about legal and regulatory aspects of Internet and the information society, particularly those relating to information content, and market and technology.
QuickLinks consists of
QuickLinks is edited by Richard Swetenham email@example.com
- a free newsletter appearing approximately once a week. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
- a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.
This work is licensed under a Creative Commons Licence.