WRITTEN ON June 20th, 2009 BY William Heath AND STORED IN Foundation of Trust, Political engagement, We told you so..., What do we want?

My FIPR colleague Douwe Korff points out the opinion of the Article 29 Working Party on the proposed amendments to the e-Privacy Directive (Opinion 1/2009 of 10 February 2009, WP159)…

It covers important issues, such as:

* security breach notification:

– the WP strongly argues for “an extension of personal data breach notifications to Information Society Services” (the Council wants to limit it to publicly available electronic communications services, which the WP finds unacceptable as it would leave out, e.g., medical records);
– the WP wants both notification to the DPAs and to individuals, with separate criteria and very limited exceptions, and serious penalties for failure to notify;
– the WP “recommends that security breaches should be notified to data subjects when they may lead to adverse effects to individuals’ privacy and data protection.” (note: no need to show financial damage or even specific – let alone “substantial” – distress);
– the WP “objects to the creation of notification exemptions when service providers have implemented ‘appropriate technological protection measures, and those measures were applied to the data concerned by the security breach’. This provision would significantly reduce the quality and usefulness of the information delivered to affected persons.”

* traffic data:

– “The Working Party takes note that the wording proposed by the Commission establishes beyond all doubt that the processing of traffic data falls within the scope of the Data Protection Directive.”;
– “The Working Party is aware that ‘providers of security services’ deploy security solutions (such as anti-virus and anti-spam software, firewalls, or intrusion detection systems) that may require the processing of traffic data for the purpose of securing personal data of the users and protecting the service itself. Nevertheless, it is concerned that the current wording might lend legitimacy to large scale deployment of deep packet inspection, both in the network and in user equipment such as ADSL boxes, while the current legal framework already details the cases in which traffic data may be processed for security purposes.”

* IP addresses:

– “In this respect, [the WP] re-emphasises its earlier Opinion [WP136, with ref to WP148] that unless the service provider ‘is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side’.”

* communications data retention monitoring:

– there was a proposal that the DPAs should be informed of all orders to service providers to retain communications data, and check whether these were needed, but the WP is somewhat hesitant about that, in view of the added administrative burden; instead it proposes an annual report by such providers to the DPAs. (note: this would also cross into the territory of other regulators/supervisors, as in the UK, but that is not discussed)

* unsolicited (marketing) communications:

– SMS messages are treated as emails, and thus come under the rules requiring prior consent;
– bluetooth marketing messages should also be treated in this way.

* default settings:

– “The Working Party strongly objects to the amendment 128 adopted by the Parliament, stating that default browser settings would be a means to provide prior consent. … default browser settings should be “privacy friendly” but cannot be a means to collect free, specific and informed consent of the users, as required in Article 2 (h) of the Data Protection Directive.”
– “With regard to cookies, the Working Party is of the opinion that the controller of the cookies should inform its users in its privacy statement and may not rely on (default) browser settings. Also, the chosen wording is not limited to the current issue of cookies, but implies any other new technology that could be used to track the users’ behaviour using their browser.”

* individual legal action:

– “The Working Party supports the Parliament’s proposal to introduce in Article 13 (6) the possibility for ‘any individual or legal person to take legal action in case he was affected by infringements of national provisions adopted pursuant to the ePrivacy Directive’.” (note again that this would not require actual damage or substantial distress)

* other issues:

the Working Party takes note with satisfaction:
– that the legislator intends to punish phishing practices;
– that the Commission, the Council and the Parliament wish to clarify that the ePrivacy Directive applies to emerging technologies, such as RFID or NFC, which rely on contactless identification devices using radio frequencies.

The full document (WP159) can be downloaded here.

Prof Korff is in my experience sometimes a lone voice in pointing out the true implications of the EU privacy laws to which we are all, including HM Government, subject. It’s bizarre and perverse (far from Ideal, in fact) to ignore this stuff when its implications are so far-reaching for policies such as Transformational Government.

Wibbi the UK not only paid attention to such stuff, but took a leading role in protecting the privacy and dignity of individuals in our information society?
