User:Ryan/Articles to read


Tier 1

2000_Bargate_TheE.U.-U.S.SafeHarbourDataProtectionAgreement-AShotgunMarriage.odt

  • There should possibly be better vetting before allowing US companies into the scheme
  • Remedies for consumers unclear; may be unable to pursue in home courts
  • Companies can only be reported to FTC by their industry group, not individuals
  • Financial institutions excluded; this is bad for EU banks as well as consumers, since they need to go to extra effort to secure consent of individuals

2000_Harrington_DataProtectionAndEmailAddressesRevisited_IsTheDpaWorkable.odt

  • The directive's wide wording, specifically "all the means likely reasonably to be used" to identify and identification "directly or indirectly" means that email addresses can very easily constitute personal information.
  • Conclusion
    • "Attempting to enforce data protection legislation in respect of the internet is inherently difficult if not impossible"!
    • "German law recognises an email address as constituting personal data, but German law requires service providers “to offer the user anonymous use and payment of teleservices … to the extent technically feasible and reasonable”. Deutsche Telecom accordingly generally assigns email addresses that consist only of numbers, though members may change this to an “alias” if they so wish."
      • Technical measures make a difference - see work on Privacy Enhancing Technologies.

2003_EUFocus_EULawAchievingMainAims.odt

  • Commission report says full economic benefit from Directive not forthcoming due to differences in implementation.
  • Some differences are mistaken implementations, but some are due to the margin of appreciation.
  • Will next iteration of Directive therefore be very prescriptive, drastically limiting margin of manoeuvre?

2004_Lorber_DataProtectionAndSubjectAccessRequests.odt

  • Important restrictions of rights under DPA by Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746.
  • Subject access rights "to enable an individual to check whether a data controller's processing of personal data infringed his privacy, rather than an automatic key to information in which the individual is named or a surrogate for the litigation disclosure process".
    • But in complex cases administrative officers may lack the contextual knowledge to make a judgment as to whether or not data is 'personal'.
    • Also, the test is what the data may be used for. In order to provide real protection, it is important that the test be made in consideration of the recipient of data in breach being a fairly resourceful and creative person with an intention to find out more information about the data subject.
  • Significant narrowing of definition of personal data!
  • "At a legal level, the Court's approach strains the statutory framework because the DPA does not contemplate that what is and what is not personal data depends on the use to which information happens to be put and the context in which it is used" - cf Ken Clarke's speech to British Chambers of Commerce 2011-05-26[1].
  • Excellent eg of card swipe data and point about 'fair processing' being dependent on data's 'personal' status.
  • Example of relational db data
  • Author holds that Auld LJ's assertion that computerised and manual files are broadly equivalent is unrealistic and unsupported in the legislation.
  • Creates new 'defences' for data controllers: can refuse access requests where request is onerous or oppressive. Not supported by statute.

2007_Hijmans_DataProtectionDropsThroughEuLegalLoopholes.odt (Euro. Law. 2007, 71, 9-10)

  • Beyond the fact that the 1995 DPR don't apply to law enforcement since they're under the first pillar, it is possible that no instrument drafted under the third pillar could cover the law enforcement-related activities of private companies (eg PNR given to border authorities).
  • Has UK exercised some kind of 'opt-out' of law enforcement regulation under Lisbon?

2007_Ramage_DataProtectionAndCriminalJustice_SomeRecentDevelopmentsInEuAndDomesticLaw.odt

  • Description of proposed framework for transferring data between law enforcement institutions in different Member States.
  • Good list of different types of data subject in relation to law enforcement (suspects, convicts, victims, informants, etc).
  • Transfers must be provided for by law; be necessary for specific purposes; have transferor's consent to pass on to third parties, who must be kept track of in a registry.

2007_Vilasau_TrafficDataRetentionVDataProtection_TheNewEuropeanFramework.odt (C.T.L.R. 2007, 13(2), 52-59)

  • Implementation of Directive 2006/24 ignored many of the objections which the Article 29 Working Party and the EDPS had with the Proposal.
  • Costs of compliance will likely be passed on to end-users

2008_Kuner_DataProtectionAndRightsProtectionOnTheInternet_ThePromusicaeJudgmentOfTheEuropeanCourtOfJustice.odt (E.I.P.R. 2008, 30(5), 199-202)

  • Member states neither required to allow disclosure of personal data for civil proceedings nor prevented from so allowing.
  • Threatens consistency

Tier 2

1999_Chissick_DataProtectionInTheElectronicCommerceEra.odt

2005_Zinser_TheUnitedKingdomDataProtectionAct1998_InternationalDataTransferAndItsLegalImplications.odt

  • The EU Commissioner assumes that transfers outside the EU have adequate protection, since the transferors remain responsible to data subjects. However, this does not actually in itself ensure protection for data subjects, only that there will be legal recourse in the case of breach.

2007_Wright_PromotingDataProtectionByPrivacyEnhancingTechnologies.odt

2008_MunirTeh_GooglingDataProtection_DontBeEvil.odt

  • In general, search engine's liability limited to the area of tracking and aggregating information on individuals.
  • Art29 WP's vs Google's take on whether IP addresses are personal data (p.185-186) (see WP 136).

2009_Burgstaller_SearchEnginesAndTheExtra-territorialDimensionOfTheEcDataProtectionLaw.odt

  • Search engine's index as 'content' - "with regard to the removal of personal data from their index and search results, search engines have sufficient control to consider them as controllers (either alone or jointly with others) in those cases"
  • Also serving pages from cache considered content
    • This all seems to fly in the face of the role of the intermediary having any principled basis and reduce it to a matter of technical fact.
    • No consideration of how these propositions would relate to eg liability for copyright infringement or illegal content
  • Search engines not subject to Data Retention Directive (as the Directive covers only traffic metadata, not content)
  • No justification for using unregistered users' data as they cannot have consented
  • Don't need personal information for oft-quoted legitimate interest of improving services
  • Requirement of SEs to clear / update certain cache contents on request?

2010_Kong_DataProtectionAndTransborderDataFlowInTheEuropeanAndGlobalContext.odt

  • Extra-territorial aspect of EU DP law impossible to enforce without falling back on 'contractual' model
  • Some countries too strict and some too lax on extra-territorial transfers
  • "The European Commission is very likely to adopt another decision to unify" their standard contracts (p.448).
  • 2001/497/EC implements joint and several liability between data exporters and third-country importers. 2002/16/EC says that data subjects should be able to take action against and receive compensation from data exporters. But 2004/915/EC institutes a standard of "due diligence" and reasonable steps. Confused?
  • Some countries don't recognise third party contractual rights!

2011_Sithigh_IdTellYouEverything_PoliticalExpressionAndDataProtection.odt

  • Data protection law (requirement to opt-in to phone contact) is detrimental to legitimate political outreach

Tier 3

1995_RoweJabbour_TheProposedDataProtectionDirectiveAndTheDataProtectionAct1984.odt
1996_Taebi_ApprovalByTheEuropeanUnionOfTheDirectiveOnDataProtection.odt
1997_Hogg_DataProtection_GovernmentsProposals.odt
2001_LegalInfoManagement_TheDataProtectionAct1998_ABriefSummary.odt
2001_SzafranOverstraeten_DataProtectionAndPrivacyOnTheInternet_TechnicalConsiderationsAndEuropeanLegalFramework.odt

  • Doesn't reach same conclusion as Bargate (2000) on the US Safe Harbour system
    • Notes, "Ultimately, individuals will be entitled to go to court and invoke misrepresentation" - unclear how useful that will be though, without having gone through industry led process.
    • Member states' DP authorities can suspend data flow to a US organisation where "there is a substantial likelihood of violation leading to a risk of serious harm to individuals, which cannot be settled timely by means of the enforcement mechanism" - ball still very much in US court.
    • "If the Commission shows evidence that a body responsible for compliance with the Principles does not fulfil its role, it must notify the U.S. Department of Commerce and may propose measures with a view to reversing or suspending the Decision or limiting its scope. In other words, the Commission can exclude an ineffective U.S. enforcement body or even reverse its Decision to grant the safe harbour arrangement adequate protection status."
      • But the second statement there is much stronger than, and probably not an accurate reflection of, the first.

2002_Wadham_DataProtectionDetentionHumanRightsImmigrationPolicePowersAndDutiesTerrorism.odt

  • Implications of Anti-Terrorism Act 2001 for various human rights / civil liberties, incl. data protection
  • Part 3: Disclosure of Information
    • Lower standard of suspicion, police no longer need warrant.
  • Part 12: Retention of Communication Data
    • How do these requirements differ from RIPA?

2011_Dubois_Article29WorkingPartysOpinion8-2010.odt

  • Clarification of Article 4(1)(a) and (c) of Directive 95/46.
  • Use of cookies does invoke the Directive
  • Can't hide behind lack of knowledge about physical workings of cloud services; if cookies or scripts are sent and executed within the EEA the Directive applies.
  • Proposal for "Service-oriented approach" - this would offer wider and greatly simplified protection.

2011_Taylor_HealthResearchDataProtectionAndThePublicInterestInNotification.odt

  • Interesting proposition about how competing public interest arguments should be resolved.
  • Asserts that notification is currently not necessary where Patient Care Records are used without patients' consent, and that even where the patient's consent is not sought or needed they should at least be told that their records have been used, in order for the system to have any legitimacy.
  • Patients must absolutely be told if there is an intention that their data will be used for research purposes, due to DPA98's Schedule I Part II.
  • UK's implementation in terms of 'so far as is practicable', "appears to leave English Law out of step with the Directive that it is supposed to implement"
  • And the continued distinction between direct collection and collection via a third party is incomprehensible: "it is not clear how what is ‘practicable’ is to be distinguished from that which involves a ‘disproportionate effort’"
  • [Notification]: No clarity as to whether there is a requirement to inform data subjects of subsequently conceived research uses; ie, whether the duty to inform is at the time of collection or is ongoing.
  • [Identifiable]: UK Act misapplied Directive with regard to when data is "anonymised"? pp.294-296 (should consider info available to anyone, not only the data controller; see Lord Hope in Common Services Agency v Scottish Information Commissioner, [2008] UKHL 47 [26]).
  • There are several reasons why requiring notification even for use of anonymised data would be good, for both subjects and researchers.

References

  1. Ken Clarke, 2011. 'Data Protection' (Speech to British Chamber of Commerce in Brussels). 2011-05-26. Available at <http://www.justice.gov.uk/news/features/feature260511b.htm>, accessed on 2011-06-15.
  2. Promoting data protection by Privacy Enhancing Technologies (EU Commission site)
  3. Promoting data protection by Privacy Enhancing Technologies (Eur-Lex site)