Monday, February 26, 2007

Spam reading and SIS2

Next week, we'll look at the Schengen Information System 2 - read the article that will be provided by Hayley.

On spam, see OECD presentation at the ASEMEC workshop, the ITU workshop, and resources page, and Richard Clayton's website.

Also the spam conviction site at The Register.

Korea has a new anti-spam law: amended Information Network and Privacy Protection Act (“INPPA”) of Korea. INPPA sets out the minimum procedural requirements for lawful online transmissions in Korea whereby transmissions of advertised materials against recipients’ refusal to accept are strictly prohibited. Although these rules are applicable to unsolicited commercial e-mails via the internet, they were intended to apply to all modes of telecommunication such as cellular phones, facsimiles, etc.

Official: Questions for 4000 word dissertation

1. 'Privacy is not a right in itself. Attempts by the European Court of Human Rights to apply it to data protection cases risk undermining the economic lifeblood of the Internet: marketing.' Discuss with respect to ECHR case law and economic analysis.
2. Under what circumstances can direct commercial electronic marketing be conducted legally in Europe? Illustrate your argument with reference to the 2002/58 Directive, academic articles and case law (including US cases), showing which legal issues have arisen from [1] cookies; [2] spyware; [3] email 'spam'.
3. Does the Data Retention Directive demonstrate a proportionate response to terrorism? Illustrate your answer with respect to ECHR caselaw, academic arguments and the evidence presented in the course of the passage of the Directive.
4. 'Europe is the de facto global lawmaker for data protection only where American companies overstep the mark egregiously.' Discuss with reference to the Microsoft .Net Passport service and the airline passenger data sharing agreement.
5. Is the work of Information Commissions more important in advising governments about new law, advising companies about compliance or enforcing individual complaints? Illustrate your answer with examples from current practice including the Schengen Information System.

Data Protection in Turkey

1. LEGAL FRAMEWORK: Although there is no special act regulating data protection in Turkey, there are specific provisions concerning data protection in several acts and pieces of secondary legislation, some of which are mentioned below:

TAX PROCEDURE LAW (Law No 213): Article 5 of the Tax Procedure Law contains a special provision preventing access to data and documents covered by tax confidentiality, except by authorities expressly entitled by law.

TURKISH PENAL CODE (Law No 5237): Unlawful recording, dissemination and sharing with third parties of personal data are penalized by Articles 135-140 of the Turkish Penal Code No 5237.

SOCIAL SECURITIES AND GENERAL HEALTH INSURANCE LAW (Law No 5510): Article 78 of the Social Securities and General Health Insurance Law No 5510 states that data regarding the health of an insured person and his or her dependants are confidential and that the protection of these data is to be regulated by the Ministry of Labour and Social Security.

GUIDELINE FOR CONFIDENTIALITY OF CANCER RECORD UNITS: This Guideline of the Ministry of Health lays down rules for the protection of data arising from the activities of Cancer Record Units.

2. DRAFT LAW ON DATA PROTECTION: Preparations for the draft law for harmonisation are at the final stage. The Draft Law on Data Protection was drafted by the Ministry of Justice and sent to the Office of the Prime Minister on 9/11/2005. Under the Draft Law, where personal data on an identified or identifiable individual is undergoing automatic processing, the following issues will be regulated: respect for and protection of rights and fundamental freedoms, in particular the right to privacy; ensuring that the data stored is obtained and processed fairly and lawfully, for specified and legitimate purposes and not used in a way incompatible with those purposes, is adequate, relevant and not excessive in relation to the purposes for which it is stored, is accurate and up-to-date, and where necessary corrected or erased; safeguarding personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life; recognition of the right to be informed of and have access to one’s own personal data. The Draft Law foresees the establishment of a Supervisory Authority (Personal Data Protection Institution), the Higher Board on Personal Data Protection and its administrative units.

2.2 NATIONAL PROGRAMME (for the Adoption of the Acquis)
1- Being a signatory to the “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” (Strasbourg, 28 January 1981), and,
2- Alignment with the EU Acquis on Personal Data Protection by adopting the principles (“Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” and “Commission Decision No 95/46/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC”) into national law by the “Law on Personal Data Protection”, are declared “Priority 24.9 Alignment with the EU Acquis on Personal Data Protection” in the National Programme.

Also see: Ordinance on Personal Information Processing and Protection of Privacy in The Telecommunications Sector

DATA PROTECTION IN BULGARIA

Article 32 of the Constitution stresses that “The privacy of citizens shall be inviolable. Everyone shall be entitled to protection against any illegal interference in his private or family affairs and against encroachments on his honour, dignity and reputation. No one shall be followed, photographed, filmed, recorded or subjected to any other similar activity without his knowledge or despite his express disapproval, except when such actions are permitted by law”. In the light of that provision and in conformity with Directive 95/46/EC, given Bulgaria's aim of becoming an EU member state[1], the Personal Data Protection Act was adopted on 21 December 2001 and came into force on 1 January 2002. The Act applies to the processing of personal data and aims to “guarantee the inviolability of individuals and their privacy through protecting natural persons against illegitimate processing of personal data related to them and through providing right to access such data, which has been collected or processed.”[2]

The Act established the Commission for Personal Data Protection, an independent supervisory authority, consisting of a Chairman and four members, elected by the Parliament for a period of five years, in order to ensure “the protection of individuals in the processing of their personal data and in the access thereof, as well as the monitoring of the observance of this Act”[3]. In addition, the Act involves provisions regarding obligations of personal data administrators, personal data protection, rights of individuals, provision of personal data to third parties, appeal against actions of personal data administrators and administrative penal provisions.

Nevertheless, the Commission still criticizes Bulgaria, because of the inconsistency of the legislation with the acquis communautaire and institutional and financial incompetence of the Commission for Personal Data Protection[4].

Snejana Georgieva - Are we ready?
http://xdata.gateway.bg/images/downloads/Are%20we%20ready_eng.pps
Polina Roussinova - Private or public information?
http://xdata.gateway.bg/images/downloads/Poli_eng.pps
Mina Shoylekova - Personal data protection in Bulgaria – Frequently asked questions
http://xdata.gateway.bg/images/downloads/Centre_eng.pps

[1] Bulgaria has been a member state of the EU since 1 January 2007.
[2] Personal Data Protection Act, Article 1.
[3] Ibid, Article 6.
[4] Communication From The Commission, Monitoring report on the state of preparedness for EU membership of Bulgaria and Romania, COM(2006) 549 final, Brussels, 26.9.2006.

PRIVACY AND DATA PROTECTION LAW IN SOUTH AFRICA

Currently, the South African Law Reform Commission is conducting an investigation entitled “Privacy and Data Protection” in an attempt to enact legislation which would safeguard people’s rights to privacy. Concern about information protection has increased worldwide as a result of the expansion in the use of computer and telecommunications technologies. The recognition of the right to privacy as a fundamental human right in the Constitution (South African) provides an indication of its importance. It is, however, not an absolute right and in protecting a person’s personal information, consideration should also be given to competing interests such as the administering of national social programmes, maintaining law and order, and protecting the rights, freedoms and interests of others, including the commercial interests of industry sectors such as banking, insurance, direct marketing, health care, pharmaceuticals and travel services.

The preliminary recommendations of the Commission, as set out in the Bill accompanying the Discussion Paper, can be summarised as follows:
(1) The protection of personal information in the public and the private sector should be regulated in an act of general application, called the Protection of Personal Information Act, supplemented by codes of conduct for specific sectors. Both automatic and manual processing of information will be covered and identifiable natural and juristic persons will be protected.
(2) The proposed Bill gives effect to eight core information protection principles which, inter alia, prescribe the following duties and obligations for responsible parties and provide for the following rights for data subjects (i.e. persons whose information is being collected):
(i) information can only be collected or stored if it is necessary for or directly related to a lawful, explicitly defined purpose and does not intrude upon the privacy of the data subject to an unreasonable extent;
(ii) information must be collected directly from and with the consent of the data subject;
(iii) data subjects must be informed of the purpose of any such collection and of the intended recipients of the information, at the time of collection;
(iv) information must not be kept for any longer than is necessary for achieving the purpose for which it was collected;
(v) information must not be distributed in a way incompatible with the purpose for which it was collected;
(vi) reasonable steps must be taken to ensure that the information processed is accurate, up to date and complete;
(vii) appropriate technical and organizational measures have to be taken to safeguard the data subject against the risk of loss, damage, destruction of or unauthorized access to personal information;
(viii) data subjects are allowed a right of access to their personal information and a right to demand correction if such information should turn out to be inaccurate.
(3) Exceptions to the information protection principles are provided for and exemptions are furthermore possible for specific sectors in applicable circumstances. Special provision has furthermore been made for the protection of special (sensitive) personal information such as those revealing racial or ethnic origin, political opinions, religious beliefs, philosophical or ethical persuasions, trade union membership, health and sexual life.
(4) Provision has been made for an independent Information Protection Commission with a full-time Information Commissioner to direct the work of the Commission. The Commission will be responsible for the implementation of both the new, envisaged Protection of Personal Information Act and the current Promotion of Access to Information Act 2 of 2000. Data subjects will be under an obligation to notify the Commission of any processing of personal information before they undertake such processing. Provision has also been made for investigations to be conducted by the Commission prior to commencement of the processing to establish whether it complies with the law in instances where the nature of the information being collected warrants a stricter regime.
(5) Enforcement of the Bill will be through the Commission using as a first step a system of notices where conciliation or mediation has not been successful. Failure to comply with the notices will be a criminal offence. The Commission may furthermore assist a data subject in claiming compensation from a responsible party for any damage suffered. Obstruction of the Commission’s work is regarded in a very serious light and constitutes a criminal offence.
(6) A flexible approach will be followed in which industries will develop their own codes of conduct (in accordance with the principles set out in the legislation) which will be overseen by the regulatory agency. Codes of conduct for individual sectors may be drawn up for specific sectors on the initiative of the specific sector or of the Commission itself. This will include the possibility of making provision for an adjudicator to be responsible for the supervision of information protection activities in the sector. The Commission will, however, retain oversight authority. Although the codes will accurately reflect the information principles as set out in the Act, they should furthermore assist in the practical application of the rules in a specific sector.
(7) It is the Law Commission’s objective to ensure that the legislation provides an adequate level of information protection in terms of the EU Directive. In this regard a provision has been included that prohibits the transfer of personal information, except under special circumstances, to countries that do not, themselves, ensure an adequate level of information protection.

It should be noted that the promulgation of information protection legislation in South Africa will necessarily result in amendments to other South African legislation, most notably the Promotion of Access to Information Act (No. 2) of 2000, the Electronic Communications and Transactions Act (No. 25) of 2002 and the, still to be enacted, National Credit Bill [B18-2005]. All these Acts contain interim provisions regarding information protection in South Africa.

CCTV Regulation Eyed for Privacy

Extracted from the Korea Times (Feb. 21, 2007):
The government plans to employ tighter restrictions on the use of closed-circuit television (CCTV) cameras in public spaces over privacy concerns.

According to plans announced by the Ministry of Government Administration and Home Affairs Wednesday, policymakers are also considering lowering the voting age to 19 for local elections as they prepare to introduce recall elections in July that allow voters to remove an elected official from office.

“We expect to produce legal guidelines by the end of the year that will regulate the installment and use of CCTV cameras to protect the privacy of individuals and reduce infringements,” said Home Affairs Minister Park Myung-jae in a news conference at the central government complex in Seoul.

Although the ministry did not reveal details of the regulations, there are a number of related bills being discussed in the National Assembly.

The suggestions include limiting the buildings and public spaces where the surveillance cameras can be used and employing stricter guidelines on the storage of images and their availability.

CCTV cameras have been increasingly used by administrators and law enforcement officials in recent years, especially in high-income neighborhoods or business districts, to eliminate the fears of crime among residents. However, critics have been urging authorities to take a harder look at the concerns over privacy infringement.

Currently, there are about 7,500 CCTV cameras installed by the municipal government or police in Seoul, which means one camera for every 1,300 of the city’s residents.

Under the representative recall system that will be enacted in July, voters of a municipal district can sign a petition to have an incumbent official removed from office.

To enable a recall election, at least 10 percent of registered voters must sign the petition.

At least one-third of the electorate must participate in the recall election and the representative needs a majority of 50 percent plus one vote to stay in office.

The ministry also said it plans to interview leaders at 104 organizations (including civil servants unions, civic groups, and media outlets) through the end of next month before finalizing a framework on a new pension system for public workers. The government has been planning to cut retirement payments and raise contribution rates because of increasing concerns about shrinking pension fund assets.

Monday, February 19, 2007

Draft questions - suggestions?

1. 'Privacy is not a right in itself. Attempts by the European Court of Human Rights to apply it to data protection cases risk undermining the economic lifeblood of the Internet: marketing.' Discuss with respect to ECHR case law and economic analysis.
2. Under what circumstances can direct commercial electronic marketing be conducted legally in Europe? Illustrate your argument with reference to the 2002/58 Directive and case law, showing which legal issues have arisen from [1] cookies; [2] spyware; [3] email 'spam'.
3. Does the Data Protection Directive demonstrate a proportionate response to terrorism? Illustrate your answer with respect to ECHR caselaw, academic arguments and the evidence presented in the course of the passage of the Directive.
4. 'Europe is the de facto global lawmaker for data protection only where American companies overstep the mark egregiously.' Discuss with reference to the Microsoft .Net Passport service and the airline passenger data sharing agreement.
5. Is the work of Information Commissions more important in advising governments about new law, advising companies about compliance or enforcing individual complaints? Illustrate your answer with examples from current practice including the Schengen Information System.

Tuesday, February 13, 2007

Reading for 19 February

We are studying the effect of the Directive on Privacy in Electronic Communications this week - in particular the problem of spam.

Read Lloyd - especially his sections on the cases of Durant (Chapter 5.8 and 5.43 and 8.17), Blomquist and Norman Baker/Hitchens (Chapter 8.30-38).

On spam, read Chapter 9.30 until the end of the chapter.

Also, look at the Durant briefing note on www.ico.org.uk

THE IMPLEMENTATION OF DIRECTIVE 95/46/EC IN ITALY

Directive 95/46/EC was initially transposed into Italian law by Act no. 675 of 31 December 1996 on the protection of individuals and other subjects with regard to the processing of personal data. This law was enacted to fully implement the Directive. However, once the law was applied, especially in relation to the rules of the Directive, it was described as unsatisfactory and more cumbersome than any other national law transposing the Directive. The 1996 Act contained elements which were either inconsistent with or contradictory to the Directive. Of particular interest are the requirements for consent and the adoption of security measures. While unambiguous consent is all that is required by the Directive, in the 1996 law effective consent could only be freely given, in a specific fashion, and documented in writing. Moreover, the rules on notification set in the Act ignored the Directive’s rules on the simplification or exemption of the notification process. The Act created more security requirements than provided for in the Directive, rendering its application complex and difficult. Nonetheless the 1996 law adopted most of the Directive’s rules and ensured a considerable level of protection for Italian citizens.

The 1996 Italian data protection Act was replaced in 2004 by the Italian personal data protection code. This code is a combination of all regulations and laws on data protection existing since 1996, including EC Directive 2002/58. The new code offers more protection for data subjects while simplifying most of the existing complex procedures and rules. It is moreover a better adaptation of Directive 95/46/EC. The new rules on notification laid out in the code are in line with the Directive’s requirement for the simplification or exemption of the notification process unless the data subject’s rights could be adversely affected. Furthermore, according to the new code, written consent would only be necessary for the processing of sensitive data and not for all forms of personal data as previously required, and the Directive’s rules on the processing of sensitive data have been fully adopted. The 2003 code also introduces a new principle of data minimisation, which requires less and, when possible, no use of personal data at all, especially if anonymous data could be just as effective, except in cases of necessity.

SOURCES
Act no. 675 of 31 December 1996 on the protection of individuals and other subjects with regard to the processing of personal data
http://www.privacy.it/legge675encoord.html
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
http://www.cdt.org/privacy/eurdirective/EU_Directive_.html#HD_NM_22
Italian personal data protection code: legislative decree no.196 of 30 June 2003
http://www.privacy.it/privacycode-en-html
http:www.garanteprivacy.it/garante/document?ID=31106
CONFINDUSTRIA: Implementation of Directive 95/46/EC in Italy I http://ec.europa.eu/justice_home/fsj/privacy/docs/lawreport/paper/confindustria_en.pdf
Garante per la protezione dei dati personali: An overview of Italy’s new data protection code
http://www.garanteprivacy.it/garante/doc.jsp?ID=311113
http://www.garanteprivacy.it/garante/doc-jsp?ID=1030925

DATA PROTECTION IN INDIA

Info: The Constitution of 1950 does not expressly recognize the right to privacy. However, the Supreme Court first recognized in 1964 that there is a right of privacy implicit in the Constitution under Article 21 of the Constitution, which states, "No person shall be deprived of his life or personal liberty except according to procedure established by law." There is no general data protection law in India. In June 2000 the National Association of Software and Service Companies (NASSCOM) urged the government to pass a data protection law to ensure the privacy of information supplied over computer networks and to meet European data protection standards. The National Task Force on IT and Software Development had submitted an "IT Action Plan" to Prime Minister Vajpayee in July 1998 calling for the creation of a "National Policy on Information Security, Privacy and Data Protection Act for handling of computerized data." It examined the United Kingdom Data Protection Act as a model and recommended several cyber laws including ones on privacy and encryption. No legislative measures, however, have been considered to date.

Data protection and offshoring to India
India getting data protection laws 30/07/2004
India to tighten data protection laws
Data protection regulations in India
How does European legislation impact on India’s BPO industry?
A: The EU directive 95/46/EC is specific on the requirements for the transfer of data. It states that personal data of EU nationals cannot be sent to countries that do not meet the EU "adequacy" standards with respect to privacy. The directive also sets down the principles regarding the transfer of data to third countries. Under this directive the third country should provide an adequate level of protection to personal data of the citizens of EU member states. It states: "The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country."

Article on bringing data protection law in India
The compelling and much needed mandate for providing protection to the information provided by various interested parties has again set in motion the thought process and the legislative wing of the Constitution of India is facing a situation where it has to decide whether it should bring new amendments to the already existing Information Technology Act, 2000 or to enact a separate law for the same. The choice between these options is not the real issue to be addressed presently but is ancillary to a more important and overlooked perspective relating to data protection. A law on data protection must address the following Constitutional issues on a "priority basis" before any statutory enactment procedure is set into motion: (1) Privacy rights of interested persons in real space and cyber space. (2) Mandates of freedom of information U/A 19 (1) (a). (3) Mandates of right to know of people at large U/A 21.
If these issues are sidelined in the zeal of providing data protection then it may have catastrophic results because the law(s) providing for data protection will be vulnerable to the attack of unconstitutionality on the ground of violation of Articles 19(1) (a) and 21 of the Constitution. Thus, the pre requisite for the enactment of any law dealing with data protection is to keep in mind the mandates of these rights.


BPO: In India data security cost skyrockets
India – The Emerging IT super power..need data protection laws.

Data protection in Greece

The rapid growth of new forms of information leads to the constitutional consolidation of the ‘right to information’. The revised Constitution of Greece (2001) has implemented Ar.5(a), which specifies that ‘anyone’ has the right to ‘information’ as the ‘law defines’. The same article sets out the limitations of that right. Moreover, Ar.9(a) of the Constitution reads:
‘Everyone has the right of protection from the collection, processing and use, mostly by electronic means, of his personal data, as the law defines. The protection of personal data is secured from an independent public authority, which functions as the law defines’.
For the harmonisation of the European Directive 95/46 with the Greek law the Statute of 2472/97 came into force. Hence, when the constitution reads ‘as law defines’, it refers to the abovementioned Statute. Moreover, with the scope of the protection of this constitutional right an independent authority was born, which is called ‘HELLENIC DATA PROTECTION AUTHORITY’. By enclosing everything into one concept, one could point out that the existing Greek legislation follows the path of the European one.

Monday, February 05, 2007

Reading for 12 February

First, thanks for sticking with us during the technical difficulties with the presentation for Ian Brown - I'm glad you enjoyed the talk and the slides should be available by the end of the week.

Second, I'm looking forward to receiving your emails with details of the implementation of the Directive EC/95/46 in your chosen countries: remember, it's a summary of information in the hyperlinks you provide to [1] the law itself; [2] an academic article on its implementation; [3] the comparison of that with what you've discovered through for instance Google Scholar or a recent news article. I only want 1 or at most 2 paragraphs.

Third, reading for next week. Information Commissions and their work is our focus. Read Lloyd, IT Law, Chapters 5-6. Pay particular attention to his summaries of the cases of Durant and Blomqist.

Thursday, February 01, 2007

French Big Brother Awards 2006

The French Big Brother Awards event that took place on 20 January 2007 has brought the exclusion from this competition of Mr. Sarkozy, for having already won three of the Orwell prizes during the last three years and thus by far outclassing his competitors. This year, the jury decided to eliminate Minister Sarkozy, the only personality having been nominated 6 times in 7 editions of the event, for multiple attacks to private life and for having actively promoted surveillance in general.
The organizers of the event, in creating the diplomas for the awards, were inspired by a real picture of a fossil found in Niger in 2000, of the biggest crocodile that lived 110 million years ago, called by US palaeontologists "Sarcosuchus imperator". The specialists considered that the reptile disappeared completely for not having intelligently foreseen the future and adapted. The organizers of the French Big Brother Awards considered that the resemblance with a present character was not fortuitous.
The winner of the State award was Jacques Lebrot, "security" sub-prefect of Seine-St-Denis, for having deprived several thousand people of jobs with police records created just on the basis of suspicion and discrimination, violating their right to the presumption of innocence.
Sony-BMG company took the enterprise award for its "rootkit", a spy software installed in the sold CDs in order to control the usage of the CD, ironically, by those who had become the rightful owners by buying the respective CD.
The Locality Orwell prize was given to Paul Anselin, Mayor of Ploërmel in Morbihan, for having installed more than 50 video-surveillance cameras in a locality with 9000 inhabitants and zero degree of delinquency and for the creation of a free number encouraging denunciations.
Orwell Novlang prize was awarded to Frédéric Péchenard, director of the Judiciary Police who supports the genetic filing of the entire population arguing that innocent persons could thus be rid of any suspicion.
The Voltaire prize for vigilance was taken, ex-aequo, by the school directors who have refused to fill in the children database (Base-eleves) and by Pierre Muller, the webmaster of Ordinateurs-de-vote.org (ex recul democratique.org), for his work in showing why the electronic vote is a false good idea and a threat to democracy.
Big Brother Awards France (only in French, 20.01.2007) http://bigbrotherawards.eu.org/Palmares-2006-des-Big-Brother-Awards-France.html