Tuesday, February 28, 2006

ID Card & Data Retention in Kuwait

ID Cards and Data retention in KUWAIT:
According to the Civil Information Act (32/1982) the Public Authority for Civil Information has been established in order to be a unified public data bank for civil information. Since then, all individuals, who live permanently in Kuwait, are obliged to register with the Authority. A civil ID Card is issued by the Authority for registered individuals, including their identity information, in particular the Civil ID Number.
In my country the Civil ID Card is the main reliable document in almost all formal dealings, and it is compulsorily required when dealing with public firms.
However, what seems special in the Kuwaiti System is that the individual’s data can be provided by the Authority for any other public firm whenever it is asked.
Also, data can be provided for individuals and private sector firms. However, this should be done under specific and justified circumstances.


(http://www.paci.gov.kw/paci.asp)

Spam

The origin of the word spam.

Monday, February 27, 2006

UK data retention

The UK has just been awarded the ISPA Internet Villain Award for attempting to push through its "tough" data retention laws. BT had a short-lived SMS service with no respect for their users' privacy. Here are the privacy policies for BT, for Vodafone, for Bulldog and for MSN Messenger.

US privacy activists call for updated digital privacy regulation

Centre for Democracy and Technology report just released.

ID Cards and Data Retention in Mexico

Under Mexican legislation, the scope of the use of identity cards is currently limited to electoral purposes. Article 144 of the Federal Electoral Code (Codigo Federal de Instituciones y Procedimientos Electorales) provides the obligation of each and every Mexican citizen to register before the Electoral Authorities in order to receive the so-called "Voting Card", which contains, among other information, a colour picture, fingerprint, address and an individual identification number. In theory this ID serves only electoral purposes; however, in practice it is the only valid ID card accepted in Mexico.

On the other hand, data retention regulation in Mexico is still being discussed in the congress along with the other data protection legislation.

Additional question requested

Here's a fifth topic:
Under what circumstances can direct commercial electronic marketing be conducted legally in Europe? Illustrate your argument with reference to the 2002/58 Directive and case law, showing which legal issues have arisen from [1] cookies; [2] spyware; [3] email 'spam'.

Friday, February 24, 2006

ID card and data retention in Thailand

It surprised me so much when I found this article about the introduction of a new ID card in my country. I never thought that my country would come this far with ID cards. I knew that we used smart cards before (partly, mostly in big cities). And it's only about 2-3 years to become biometric. In Thailand, individuals have to apply for ID cards when we turn 15 and renew every 6 years (same as passport). The old ID card which I carry now contains ID number, address, DOB, blood type, religion, photo, and signature. We use the ID card to identify ourselves, for example, before voting, when opening a bank account, as the fundamental document when signing any contracts, when applying for a job, etc.
About data retention, I cannot find the legislation (at least on-line), so I've tried to e-mail some mobile companies and am waiting for them to reply. For other data, for example, health data, this is handwritten and the hospital or clinic will store it for as long as we live and/or it may be transferred to family members as a reference for health investigation. But we don't have a system that can merge all the information together. I mean each hospital and each clinic works independently.
I will post again as soon as I receive the information from the companies.

Proposed essay titles

1. Is data retention a proportionate response to the terrorist threat? Explain with regard to three bodies of evidence; [1] case law; [2] the Article 29 Working Party's opinions; [3] the legislative debate in the UK and one other EU country.
2. Is the Safe Harbour provision in Directive EC/46/95 contrary to free trade rules? Has its implementation demonstrated any real potential adverse consequences for companies operating in third countries?
3. Do you consider Information Commissions effective in upholding individual rights to personal data? Explain using evidence from at least two jurisdictions in the EU.
4. Do identity cards protect individual rights? Illustrate your argument with reference to the proposed UK Identity Cards Bill 2006 and one other jurisdiction.

Thursday, February 23, 2006

ID cards in Greece and Data Retention in Telecommunications

According to Law 1599/1986, the Greek identity cards are issued by the Police Authorities after the interested party has submitted an application along with a series of supporting documents and four photos. The applicant's data on the application are verified by a witness.
The Directive concerning the retention of data drawn from telephone conversations and the use of internet, aiming to eliminate terrorism, reached a majority from the European Parliament. However, some countries raised objections that there could be an abusive use of the data retention system by national authorities.
As soon as the Directive is adopted, all the telecommunications companies will have the obligation to save data concerning the activities of their clients. In particular, the source and the recipient of every phone call, sms and e-mail, along with their precise time, but not their contents.
According to the Greek Minister of Justice, the details concerning the type of crimes and the exact time of data retention will be regulated nationally.

With the contribution of Maroula.

22 February: EU passes controversial data retention law

From EU Observer
EU justice and interior ministers have sealed a landmark data-retention law, forcing telephone operators and internet service providers to store data in the fight against terrorism and organised crime. The data retention directive was approved by ministers in Brussels on Tuesday (21 February), putting an end to a heated debate in and outside EU institutions for over a year and a half. The directive aims at tracking down terrorists, paedophiles and criminal gangs, but civil liberties campaigners have argued it damages basic privacy rights and breaches the European Convention on Human Rights. According to the directive, member states will have to store citizens' phone call data for six to 24 months, but the deal does not stipulate a maximum time period, cooling anger among member states who want longer storage periods. The data would only detail the caller and receiver's numbers, not the actual conversations themselves, while so-called failed calls - calls that do not get through - will not be covered.

EU countries have 18 months to implement the rules, which already have the backing of the European Parliament. "This is a wonderful example of how co-operation between the council [member states], the commission and the parliament can work," Austrian justice minister Karin Gastinger, hosting the ministers' meeting, said.

Terror attacks triggered action
The data retention directive was tabled after the Madrid bombings in March 2004 and then fast-tracked under the British EU presidency after the London underground attacks last July. Britain, France and Sweden have stressed the need to retain data in order to trace terrorists using modern technology. Swedish justice minister Thomas Bodstrom said on Tuesday he was satisfied with the deal, arguing that fast-moving changes in the telecom market made it important to force phone companies to comply.
Telephone call records are usually saved for a month for billing purposes, but ever more popular pre-paid subscription contracts have led some companies to ditch paperwork. "In five years, the police would have been faced with a catastrophe, if this deal had not been clinched today," Mr Bodstrom said.
EU oversteps mark?
Ireland and Slovakia voted against the law, saying they regard national security as a matter for member states not the EU. "This remains our position and we believe that provision for data retention should be made by way of a framework decision under the third pillar," an Irish official indicated. The third pillar is a technical term relating to intergovernmental decisions made by unanimity, while so-called first pillar decisions are typically made in conjunction with the European Parliament by qualified majority. "In the circumstances, and for the legal reason I have indicated, we would merely wish to formally record…the fact that Ireland cannot support the adoption of the proposed directive," he added. Dublin insisted that Ireland retains its veto in justice matters, and is currently consulting the Irish attorney general about how to proceed with an appeal to the European Court of Justice (ECJ). The ministry of justice in Slovakia said Bratislava agreed with the content of the directive but also objected to placing it under the first pillar.

Wednesday, February 22, 2006

Reading and research for 28 February

1. Read Lloyd Chapter 8 - you might want to read ahead on telecoms data protection.
Also read the short report by the European Data Protection Commissioners which is available from Hayley.
2. Spend no more than 30 minutes searching on Google and posting to the blog:
[a] your country's law on ID cards - please provide a 3 sentence summary;
[b] your country's law or voluntary agreement by telecoms companies on data retention - i.e. keeping telephone/mobile/ISP/Instant Messenger records of previous days/weeks/months. How long do they keep records?
3. Read the Explanatory Notes to the ID Cards Bill here:
http://www.publications.parliament.uk/pa/ld200506/ldbills/028/en/06028x--.htm

Data protection and information security

An interesting discussion in the Register about the loss of a laptop containing 550,000 full credit histories in the US - do you think the individual who lost the data or his company should be liable?

Friday, February 17, 2006

Article 29 WP issues guidance for companies on 'whistle-blowers'

The idea is to advise companies on how to encourage reports from employees about criminal or unethical behaviour - a key concern of the Sarbanes-Oxley Act in the US. Here's an article explaining in simple terms what the report contains.

Wednesday, February 15, 2006

Data Protection in Greece

In Article 9A of the Greek Constitution the right of protection against the processing of data is secured. This article also provides the legal framework for the establishment of the Hellenic Data Protection Authority, which has been operating since November 1997. Its actual operation scheme is based on law 2472/97 that transfers the 95/46 European Directive into national law.

Post drafted with the contribution of Maroula and Dimosthenis.

Essential reading for 21st February

You should have read Chapters 3-7 of Lloyd by now - that's 5 chapters in 5 weeks.
You also need:
[1] to complete your entry in the blog - 6 of you have blogged by now (assuming 2 to each blog);
[2] to have read the Directive and Recitals to EC/46/1995;
[3] to read the entry on exemptions from last year's students - see how they blog the exact provisions of the exemptions to the Directive. This is the key to the implementation of the Directive.
[4] Also read the article which will be printed for you - it will be very useful for the 28 February guest lecture by Dr Ian Brown.
I do expect everyone to arrive at 2pm - unless you are ill. It's essential for the class.

Tuesday, February 14, 2006

Data Protection Regulation in Mexico

A Data Protection federal statute is currently in full force and effect in Mexico (together with several regulations deriving therefrom); however, such legal instruments are exclusively directed to the public sector. The referred statute is called Federal Law for Transparency and Access to Public Government Information ("Ley Federal de Acceso a la Informacion") and a synthesis (in English) can be found at www.ifai.gob.mx.

IFAI has recognized the urgent need to create a new law capable of regulating the private sector activity with respect to data processing (in fact some references to international laws can be found in their webpage at http://www.ifai.org.mx/datos_personales/internacionales.htm).

As a result of the above, several efforts have been made by certain Mexican MPs, who have presented a federal law initiative on data protection that was approved by the Camara de Senadores ("House of Lords") in 2003 and is currently pending the approval of the Camara de Diputados ("House of Commons") (the Spanish version of such initiative can be found at http://www.cddhcu.gob.mx/servicios/datorele/cmprtvs/1po2/set/2.htm).

In my opinion, this initiative follows a hybrid method (as most Mexican statutes do) because on one hand it tries to follow the American approach (as it is stated in some of its Recitals), but on the other hand there are some provisions that are apparently based on the 1995 EC Directive (e.g. the language contained in Article 6 is apparently based on Recital (30) of the EC Directive 1995 when stating that the processing of personal data must be carried out with the consent of the data subject).

However, a deeper analysis of this initiative has to be made in order to be able to establish an accurate opinion.

Finally, only two Mexican States (i.e. Colima and Coahuila) have approved a Regional Data Protection Law aimed at the Private Sector.

Bainbridge on the 1998 Data Protection Act

Critical article written in 2000 before the Human Rights Act came into force.

South American data protection law

Article by Edinburgh professor Andres Guadamuz.

History of privacy and the law

Mr Justice Douglas's dissent in Warden v. Hayden is an excellent primary source.

Blog your research on national data protection laws!

Before class.

Monday, February 13, 2006

UK National ID Cards

There have been criticisms targeted at different elements of the national ID card scheme, including:

• RFID
• You need two if you're a transvestite
• A big database creates a so-called honeypot effect - with more people granted access, the database becomes more vulnerable; a greater target.
• They are of little value in fighting terrorism, an initial justification for their introduction.
• Will not carry address or phone number on the card, so will not be usable as a proof of address - identification of this variety is essential for many businesses eg banks.
• Cost for banks etc of investing in equipment may be more than simply absorbing the costs of unscrupulous use.
• Two fingers not enough to provide sufficient accuracy in the biometric element of the card
• There was an interesting passage here on the different types of cards that have been anticipated

Data protection in Thailand

Here are the relevant web sites that I've found
ecommerce organization
guideline for data protection in thailand

Saturday, February 11, 2006

Information Commissioner can't stop spam

Story from weekly journal Computing

Tuesday, February 07, 2006

Week 3 reading

Lloyd Chapters 3, 4, 5, 10 - collect the second part of Directive 1995/46/EC.
Implementation: look at EC website.