Categories
Articles

US Consumer Privacy Bill of Rights

Having been studying Europe’s proposed Data Protection revision for several weeks, it’s interesting to compare it with the proposed Consumer Privacy Bill of Rights recently published by the White House. This, too, recognises that the Internet is different to the paper-based world, but it seems to me to put this in a more positive way […]

Categories
Closed Consultations

MoJ Evidence on EC Data Protection proposal

I’ve just sent in a Janet Submission to the Ministry of Justice’s Call for Evidence on the EU Data Protection proposals. Our response mentions the good and bad things about the proposal, as discussed here previously, for Internet Identifiers: still no clarity on when IP addresses etc. are personal data, but at least more realistic […]

Categories
Articles

Data Protection Proposal: Federated Access Management

The European Commission’s proposed Data Protection Regulation supports recent thinking in moving away from using consent as a basis for federated access management systems. The consent of the data subject is still one of the legitimate grounds for processing personal data but it cannot be used “where there is a significant imbalance” between the organisation […]

Categories
Articles

Data Protection Proposal: Privacy Breaches

In dealing with breaches of privacy the Commission’s enthusiasm to protect and reassure Internet users seems to run the risk of having the opposite effect. Article 4(9) of the proposed Regulation defines: ‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, […]

Categories
Articles

Data Protection Proposal: Cloud Computing

Cloud computing, whose whole point is to be independent of geography, does not fit comfortably into current data protection law. The Commission’s new proposal at least shows signs that clouds were a use case that was considered during drafting, so it is more obvious which provisions apply to them. These seem to offer a mixture […]

Categories
Articles

Data Protection Proposal: Incident Response

The Commission’s proposed Data Protection Regulation seems very positive for Incident Response. Indeed Recital 39 explicitly supports the work of Incident Response Teams: The processing of data to the extent strictly necessary for the purposes of ensuring network and information security … by public authorities, Computer Emergency Response Teams … providers of electronic communications networks […]

Categories
Articles

Europe’s Data Protection Proposal

Last week the European Commission published their proposed new Data Protection legislation. This will now be discussed and probably amended by the European Parliament and Council of Ministers before it becomes law, a process that most commentators expect to take at least two years. There’s a lot in the proposal so this post will just […]

Categories
Articles

Processing personal data for third party interests

An interesting reminder from the European Court of Justice (ECJ) that the Data Protection Directive (95/46/EC) is supposed to make processing and exchanging personal data easier as well as safer. The Directive contains a number of different reasons justifying processing of personal data (gathered together as Schedule 2 of the UK Data Protection Act 1998), […]

Categories
Articles

The Definition of Consent

Although consent is a key concept in Data Protection, discussions of it often seem confused and legal interpretations inconsistent. For example the European Commission has in the past called both for a crackdown on the over-use of consent and for all processing of personal data to be based on consent! A new Opinion on the […]

Categories
Articles

Privacy Riskiness for Access Management

On a privacy course I teach for system and network managers I suggest a scale of “privacy riskiness”, the idea there being that if you can achieve an objective using information from lower down the scale then you run less risk of upsetting your users and/or being challenged under privacy law. That scale is very […]