Data protection, privacy, and the law

Are there any examples of privacy issues blowing up in the open and resulting in severe damage, whether financial and/or reputational? Should we really be worried?

The biggest fines and most publicised scandals have arisen in the financial services or public sector. For example, the investigations into banks found to have dumped customer details in bins, or government departments that have lost laptops or files containing data. The highest fines in the UK have in fact been imposed not by data protection regulators but by their financial services counterparts. In the UK there have not been any fines for misuse of location data to date.

This is not to say that there are no risks for those in other sectors. Member States have been left to determine their own sanctions for failing to comply with the rules on use of location data (explained in more detail below). This means that the approach to enforcement does vary throughout Europe. Most States provide for the application of fines, publicising enforcement action and providing the ability for individuals to bring an action for damages. Failure to comply with certain requirements (such as having a data protection notification) or with an enforcement notice is generally a criminal offence.

The media and public are increasingly interested in stories about 'spying' and 'big brother' tactics, however, so damage to reputation is often a more immediate risk. Users of such data should also be alert to the fact that failures may result in a breach of contract with other suppliers (for example a mobile operator), which can certainly have an important knock-on impact on business.

What restrictions apply to anonymous geo-data?

Data protection laws are intended to protect information that relates to a living individual, so one would think that would mean you can do anything with anonymous data. This isn't the case.

Firstly, although data may be anonymous in and of itself, if it can be related back to an individual with other information, even if not immediately, then it can still constitute personal data. A classic analogy often used here is that of a postcode. A postcode is, at first sight, just a bunch of letters and numbers. However, if you know my name and my postcode in East London, it potentially reveals something about me as a person, my tastes and background. If you only know a postcode but not a name, it could still be personal data, for example if you can ascertain that it corresponds with a house at which only one person lives.

It is this potential to make links back to an identifiable individual that makes this area so complex. It raises questions such as who has access to the information that forms this link, and, even if a service provider does not itself have this linked information, does the fact that the service inevitably allows other users to make such a link mean that the provider is still responsible or does it shift to the user?
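The postcode analogy above can be made concrete with a small linkage check. The following is an added example, not code from the original article or from Olswang: it takes a constructed set of "anonymised" records (names stripped, full postcode kept), counts how many records share each combination of quasi-identifying fields, and flags the combinations that single out exactly one person. It also shows the usual mitigation of coarsening the postcode to its outward code, and that adding a further attribute can recreate the problem. The postcodes and age bands are invented.

```python
"""
Added example (not from the original article): a re-identification check
for "anonymous" location records.  A full postcode that maps to a single
record singles out one individual and so, as the article explains, can
still be personal data.  All records below are constructed.
"""
from collections import Counter

# Constructed sample: names removed, full UK-style postcode retained.
# The postcodes are invented for illustration.
RECORDS = [
    {"postcode": "E1 6AN", "age_band": "30-39"},
    {"postcode": "E1 6AN", "age_band": "30-39"},
    {"postcode": "E1 6AN", "age_band": "40-49"},
    {"postcode": "E2 7AB", "age_band": "20-29"},
    {"postcode": "E2 7AB", "age_band": "20-29"},
    {"postcode": "E3 4CD", "age_band": "50-59"},  # sole occupant of this postcode
    {"postcode": "E3 4CE", "age_band": "50-59"},  # sole occupant of this postcode
]


def quasi_identifier(record, fields):
    """The tuple of field values an outsider could use to link a record to a person."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields):
    """Count how many records share each combination of the given fields."""
    return Counter(quasi_identifier(r, fields) for r in records)


def min_k(records, fields):
    """Smallest group size, i.e. the k-anonymity level of the data for these fields."""
    sizes = group_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def singled_out(records, fields):
    """Field combinations that correspond to exactly one record (k = 1)."""
    return sorted(key for key, n in group_sizes(records, fields).items() if n == 1)


def generalise_postcode(record):
    """Replace the full postcode with its outward code (district), e.g. 'E1 6AN' -> 'E1'."""
    out = dict(record)
    out["postcode"] = record["postcode"].split()[0]
    return out


if __name__ == "__main__":
    # Full postcode alone already singles out two people.
    print("k (full postcode):", min_k(RECORDS, ("postcode",)))
    print("singled out:", singled_out(RECORDS, ("postcode",)))

    # Coarsening to the outward code removes the singletons for this sample...
    coarse = [generalise_postcode(r) for r in RECORDS]
    print("k (outward code):", min_k(coarse, ("postcode",)))

    # ...but combining it with another attribute brings a singleton back.
    print("k (outward code + age band):", min_k(coarse, ("postcode", "age_band")))
```

The point for a service provider is that whether a field is "anonymous" is a property of the whole dataset and of what else can be joined to it, not of the field in isolation; a check like this belongs wherever location data is released or shared down the supply chain.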

It is simple to see that location data will often be personal data in the hands of a mobile phone operator since, unless privacy enhancing technologies are used, they can link it to the identity of the individual subscriber whose handset is located there (even if they do not do so). In practice, however, the nature of the services and their deployment is far more complex than the legislation truly anticipated.

Second, even if an individual cannot be identified from location data, there are obligations on a provider to ensure that it has taken 'appropriate technological and organisational measures to safeguard the security' of its electronic communications service. Further, there are prohibitions on the use of covert devices that store or gain access to information on the terminal equipment of a user. These rules are aimed at cookies and spyware, but it is often forgotten that they can have wider application.

Third, some providers need to be aware of rules on data retention, which have recently gone through further change in Europe.

Who is responsible for complying with location and personal data rules? How is the responsibility shared/divided along the supply chain? What are the obligations?

Under data protection laws, it is the person who is the "controller" of personal data who is legally responsible (although culpability can attach to anyone for acquiring data unlawfully). To work out who the controller is, it is necessary to determine who the person or entity is who decides the purposes and manner in which the personal data will be processed. This need not be a company; it can be an individual.

A controller will have to comply with general data protection laws. In addition, a subsequent European Directive (adopted in 2002) specifically places further obligations on the use of location data since it is seen as a potentially sensitive category of data. This law requires that, if an individual can be identified from the data, then a service provider will have to give certain information, obtain consent to the use of location data (burying this in terms and conditions is not enough!) and allow users to withdraw consent at any time. A user must also be able to temporarily disable the function for any particular call using simple means and free of charge.

In terms of the supply chain, a mobile operator will nearly always be a controller since they hold subscriber data. In addition, if they also have access to the location data, they would be the party responsible for the additional consent requirements.

Frequently location-based services are not provided through the operator, however. In this respect, a provider of location-based services further down the chain may be responsible, but this will be dependent, as discussed above, on whether they can link back the location data to an identifiable individual. If they cannot, arguably the data protection and consent requirements will not impact them.

However, as I have highlighted above, in practice, determining what they can identify, or what and whom they allow others to identify, is rarely straightforward. The question as to whether a service provider can simply turn a blind eye to how others use its services, putting the onus on them to comply with relevant laws or take care of their own privacy, is an important one and has yet to be properly looked at by the regulators.

What is the responsibility of end-users towards their own privacy?

There is no legal responsibility on an individual for failing to protect his own privacy; but perhaps there should be a duty of common sense!

Individuals should be able to inform themselves about who is processing their data and for what purposes, since laws have been specifically developed to make sure this information is made available as discussed above.

However, evidence shows that few people take the time to actually read such information. In a research report from late-2007 prepared by Dubit Research (and published on the UK data protection regulator's site), only 14% of young respondents said they 'always read and understand privacy policies' and 32% said that they never do. Figures for checking a company's data protection notification would inevitably be minimal.

One touted explanation is that a new generation is emerging – individuals that simply have fewer concerns about privacy and knowingly disclose information on social networking sites or are happy for location data to be collected about them. They recognise they have a choice, and their choice is to be relaxed about the issue.

Others argue that education is needed to ensure that individuals fully understand the implications of giving consent to data capture and disclosing potentially personal details. This argument states that the right type of information – in a more reader-friendly and simple form that individuals can fully understand – should be given in order to provide the basis for anyone to make an informed decision and to enable them to act responsibly.

In this respect, data protection regulators have, in the last few years, published guidance notes for children and parents with tips on exercising caution when revealing personal details. Some educational establishments have also incorporated such guidance into their curriculum. There has also been a sensible push recently to require that privacy policies and other data notices be written in a simpler, easier to read and understandable form.

How can consent be obtained from under-16s?

Some would argue you just can't capture a consent until a person is 18 (so you would have to get it from the parent or guardian). Others argue that, at 16, you are fully able to make up your own mind.

The problem for industry is that there is no consensus at law either, and European guidance simply points to the need to adhere to 'national laws' that are themselves usually opaque.

For instance, in the UK there are differing opinions put forward by the data protection regulator, industry bodies and the Office of Fair Trading. There is not even a consensus as to the age at which someone ceases to be a "child".

The European independent advisory body, Article 29 Working Party, considered the difficulties in November 2005, recognising that service providers have a difficult balancing act to contend with. On one hand, if parents want to monitor children, this may be seen as a social/family contract issue, but on the other hand, we still need to be mindful of the principles of the International Convention on the Rights of the Child (no child shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence), national laws and consent of the user.

In short, therefore, there is – frustratingly – no simple answer, and providers will have to take expert advice based on national laws and the specific characteristics of the service in question.

For more information on data protection, see Olswang's datonomy blog.
