User:Ryan/Data Protection

To do

  1. Finish literature review (reading list).
  2. Read MoJ call for feedback on DPA (2010?)
  3. Read Post-Implementation Review of DPA (meant to have been published at the end of January)
  4. Read ORG / EDRi submissions, see if Commission proposals take on board all points
  5. Read government's "Data Sharing Review"
  • Consider how data retention ties in to data protection issues?[1]
  • Read UK (MoJ) responses to consultation exercises, extract key issues / objections
  • Read speeches & press releases of EU Justice Commissioner Viviane Reding since 10/2010 to see how Commission thinking on DPD reform has developed since their Communication came out (about 4 speeches, 4 other docs).
  • Contact Justice Directorate-General at the EU Commission, ask how the new legislation's going

Main themes of the review of the Data Protection Directive[2]

Police and security services

Direct regulation enabled since Lisbon Treaty (Communication[3], p.4).

Notification of data breach victims

  • Expanding requirement[4][5]. Currently for telecoms, considering imposing for all data controllers.


  • Revision and simplification of the current notification system[6].
  • Getting rid altogether of the requirement for data controllers to notify / register with national data authority?[7][8]

New technological developments

  • Biological data[9]
  • Location data
  • Data-mining / combinatorial effect[10]

Definition of personal data

  • Tightened and modernised taking into account possibilities of combining datasets.
  • Munir & Teh, 2008: Google at loggerheads with Art29 WP on whether IP addresses are or are not personal data


  • Greater clarity on its definition of and level of requirement[11]
  • UK's Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 could fall foul of this, allowing as it does that
“consent may be signified by a subscriber who amends or sets controls on the internet browser which the subscriber uses or by using another application or programme to signify consent.” (now s.3A of the Privacy and Electronic Communications (EC Directive) Regulations 2003)

One obvious problem with this wording is its ambiguity: it suggests that changing any browser setting, even one unrelated to cookie control, could count as consent. The argument for this would supposedly be that a user who changes one setting is assumed to know enough to have checked and approved all their other settings. This doesn't seem fair, considering the limited understanding of most users and the complexity of modern browsers.

  • Burgstaller 2009: No justification in search engines collecting data on unregistered users, as they cannot have given any meaningful consent.
  • Article 29 Working Party have sought to clarify the definition of "consent", generally raising the standard on UK practice[12]

Binding Corporate Rules

  • A greater role for BCRs[13][14]. These are significant in allowing data transfers to particular companies in unapproved countries. Must include "an element proving that BCR are binding" (*not sure what form this takes).
  • On the contractual model, Kong 2010 points out that there are currently 3 separate directives dictating how they should work and the parties' liabilities.
  • Also problem of non-recognition of third party contract rights in some countries.

Right to be forgotten[15][16]

Reinforcing existing rules

  • Principle of minimalism: gather least possible data for given use
  • Principle of "privacy by design"[17]: not sure what this means in practice yet...
  • Increased consistency across EU, resulting in lower administrative overheads, better protection[18]. Current inconsistencies:
    • Who pays for data retention burden[19].
    • Ability or requirement to disclose personal information for the purposes of civil actions[20].

Problematic areas for UK government

Law enforcement

  • Need to share data to combat terrorism[21][22]
  • "we need to be nimble"
"It was the use of Passenger Name Record data that enabled the identification of the terrorist facilitator at the heart of the Mumbai attacks.

"The retention of communications data has also helped to identify individuals who orchestrated the influx of high grade heroin from Afghanistan to the UK.

"Recently, in Britain the call data of a mobile phone helped to locate the whereabouts of a missing 14 year old girl who had a history of self-harm.

"So, we must ensure that any revision to the data protection regime bears these cases in mind."[23]
  • Ministry of Justice, 'UK response to the European Commission consultation on the legal framework for the fundamental right to protection of personal data'[24], 2010-01-05.
    • Intra-European sharing in security context is ok, but
    • Concern that the past ad hoc approach to agreements in this area has led to a lack of coherence
    • Also concern about barriers to sharing with third countries (US, Canada, Australia mentioned)

Data breach notification

The government takes a 'risks, benefits and costs' approach to evaluating proposed reforms[22]. They ask for evidence about the costs and benefits of a required notification of breach, and of a requirement of data protection impact assessments. On one level a rational approach is to be welcomed. However, it is problematic for several reasons.

First, the benefits of preventing a negative outcome, in this case breaches of data integrity and personal privacy, are difficult, if not impossible, to realistically measure, in the same way that one cannot measure numbers of "crimes not being committed" or "people not dying of lifestyle-related diseases". Increased arrests or heart-bypasses performed are poor proxy measures which end up skewing resource allocation.

Furthermore, the goal in question here is the protection of a set of fundamental rights of European citizens. An immediate recourse to economic arguments in such a debate may not be appropriate at all; it may indeed result in obscuring the underlying nature of that legal right, diminishing its importance in relation to competing political and economic goals.

Exploitation of new technology

Right to be forgotten

  • Real problems
    • conflict with free speech
    • possibly unattainable standard in digital world, eroding legitimacy of any law
  • Spurious problems
    • Businesses rely on data (eg medical records, credit histories). I don't believe anyone's suggested the right to erase either of those!

"Extra-territoriality" / International data transfers

The existing arrangements for the transfer of personal data outside of the EU are no longer suitable[22].
  • Assessment based not on third country's standards, but on standards of company in question[25][22]?
    • How could this work?
      • Development of standardised set of check-box criteria for companies to meet.
      • Actions for breach brought against data exporting company in the UK (but how would claimant collect information about the nature of the breach?)
    • Problems:
      • This would massively increase administrative burden on companies
      • Likewise could paralyse ICO with burden of approving countless companies, instead of simply approving a country's standards and letting them enforce them.
      • It does not deal with the critical issue of enforcement. Even if jurisdictional issues were overcome, UK authorities and claimants would be very poorly placed to prosecute a data protection breach in a far-flung third country. The costs involved would be prohibitive for many claimants and a waste of public money on the part of public authorities.
      • Even if standard criteria were developed, oversight would need to be ongoing. In the alternative, where a country's laws are approved, a victim would at least be assured of being able to pursue a claim where the breach happened.
  • Enforceability?
    • (see above)
    • Any caselaw on extra-territorial enforcement of data protection breaches?
  • Reciprocity? (will we have to import data protection regulations from outside the EU)
    • Would this be a real problem? Are there regimes with higher standards? (see literature review)

Regulation of data controllers?



Viviane Reding, European Commission VP for Justice, Rights and Citizenship (media site).

Peter Hustinx, European Data Protection Supervisor.

Christopher Graham, UK Information Commissioner.

Ken Clarke, UK Lord Chancellor & Justice Secretary. Opposed to EU centralisation of DP regulations[26].


European Data Protection Supervisor (EDPS): "The general mission of the EDPS is to ensure that the fundamental rights and freedoms of individuals - in particular their privacy - are respected when the European institutions and bodies process personal data or develop new policies."

Article 29 Working Party: Group established by Art.29 of the DPD 1995, composed of the data commissioners of all EU states. Generally "pro-citizen" pronouncements on Commission proposals / ECJ rulings / member state shenanigans.


1984-07-12: UK institutes its first Data Protection Act. Principles for handling data set out in Schedule 1.

1995-10-24: European Council adopts 'Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data'[27].

1998-07-16: Parliament passes the Data Protection Act[28], writing EU Directive 95/46/EC[27] into British law.

2000-07-28: Parliament passes the Regulation of Investigatory Powers Act[29][30].

2008-07-11: Data sharing review published[31]. Ministry of Justice commissioned Information Commissioner Richard Thomas and Wellcome Trust Director Mark Walport to review the Data Protection Act 1998. Focus on relationship between government and society, whereas our audit will encompass consumer-commercial relationships and the international dimension.

2008-11-27: European Council adopts "Framework Decision on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (2008/977/JHA)"[32][33][34]. First time EU regulates data protection in law enforcement field.

2009-04-06: UK's Data Retention Regulations[35][36] come into force.

2009-05-19,20: EC hold conference "Personal data - more use, more protection?" on reform of Data Protection Directive[37], and launch public consultation period[38].

2009-12-31: End of Public consultation, 168 responses[38].

2010-06-25: EU moves to second stage of procedure against UK over DPD non-compliance[39].

2010-07-01: EC hold further "targeted stakeholder consultation"[40].

2010-09-30: EU refers UK to ECJ for non-compliance with Data Protection Directive over Phorm[41][42].

2010-11-04: EC publish a Communication[3] detailing intentions for reform legislation in 2011[43], and start subsidiary consultation on their conclusions[44].

2010-11-30: Speech[16] by European Commission VP for Justice Viviane Reding at the European Data Protection and Privacy Conference on the Commission's direction with DPD reform.

2011-01-15: Subsidiary consultation closes, 288 responses[44].

2011-01-28: "Data Protection Day"[45], marking 30th anniversary of the Council of Europe's Convention 108[46] ("Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data"). Council of Europe launches consultation on updating the Convention. This could have binding effect on signatories alongside any EU directive, although in practice it's unlikely to go further?

2011-03-16: Speech[47] by Viviane Reding to the Privacy Platform in Brussels on "The Review of the EU Data Protection Framework". Sets out four main "pillars":

  • Right to be forgotten
  • Transparency - providing the knowledge to allow people to exercise their rights
  • Privacy by default - cf Facebook!
  • Protection regardless of location - extra-territoriality, ability of national privacy watchdogs to investigate and bring proceedings abroad when EU citizens' rights are in question.

Also mentioned:

  • Data protection applies to data retention
  • Law enforcement not exempt from principles
  • National data protection authorities: stronger and more collaboration
  • Legislative proposal due November (originally due Summer) - see email from Commission 2011-06-24.

2011-03-31: Speech[48] by Viviane Reding at EPP Group Public Hearing on "Who pays for data protection?"

"Costs are carried by businesses, administrations and citizens – actually by society as a whole. But I believe that companies have specific responsibility because data is often their main economic asset."

Five points to make life easier for businesses:

  1. More internal regulatory consistency
  2. Increase "trust" in online services to support innovation: "Citizens are limited in their use of new technologies because of a lack of trust in the digital environment and fears about possible misuse of their data."
  3. (same as 1?)
  4. Recognition of BCRs, and "mutual recognition" within Europe (only need approval in one member state). After new legislation voluntary schemes for "groups of companies" will be considered.
  5. Reduced obligations to notify DPAs of all data processing activity (but obligation will remain for "more delicate personal data").

2011-05-18: Speech[5] by Viviane Reding to the European Business Summit in Brussels on "The reform of the EU Data Protection Directive: the impact on businesses". Focus on reducing business burden by reducing requirements to notify / register with national data authorities, and by greater harmonisation. On cloud computing / extra-territorial issues:

  • We need more EU-based clouds
  • EU rules will apply to non-EU providers
  • protection by design
  • rules for evaluating adequacy of third countries to be simplified
  • possible voluntary mechanism for third-country companies to adhere to EU standards: "EU Safe Harbour system".
"I will introduce a mandatory data breach notification requirement – the same as I did for telecoms and Internet access when I was Telecoms Commissioner, but this time for all sectors: banking data, data collected by social networks or by providers of online video games."

2011-05-26: UK Justice Secretary Ken Clarke gives speech on data protection to British Chamber of Commerce in Belgium. Accepts aspects of DP law need updating and advocates an approach based on shared principles. Argues against a prescriptive, detailed approach from Europe[26].

2011-06-20: Speech[49] by Viviane Reding to the British Bankers' Association on 'Assuring Data Protection in the Age of the Internet'.

  • More talk of consistency and streamlining of requirements. What was notification meant to achieve, and why is it now considered "unnecessary and ineffective"? What consequences will this have for the UK ICO?
  • Why only notify for serious breaches? Isn't this the least data subjects can expect? I'd change this language to non-trivial.
  • Notes coalition commitments to end fingerprinting in school and "ending of storage of internet and email records without good reason".
  • Refusal to compromise on extra-territoriality.

2011-07-15: Article 29 Working Party publish opinion on the definition of "informed consent", which if it feeds into the currently gestating new Directive would raise the bar on the lax / fuzzy definitions taken on by the English courts / ICO[12].

2011-11-xx: "The proposal for a new comprehensive legal framework for the protection of personal data in the EU is foreseen for November 2011."


  • The government demands an evidence-based approach to revising data protection rules[22]; on the other hand, the Commission too demands evidence against expansion[50][51]. The question is the burden of proof: is the case to be made in the first instance that of the benefits of increased data protection, or conversely, should those opposed to strengthening of protections have to make the case that the price is too high?
    • For reasons pointed out above, I think the answer must be the latter. See thinking of Aharon Barak on the process of balancing rights against costs to individuals and society[52].
  • "No-one ever thinks it'll happen to them" - The PSN hack highlighted that even mature companies cut corners regarding digital security. This is probably a combination of ignorance, laziness, and business pressures (ie don't spend money you don't have to). How can the cost-benefit equation be changed or even just re-spun so that data controllers take the necessary precautions?
  • What are the arguments against automatic notification requirement to victims of data breaches, aside from cost?
  • Does the non-requirement of recording content accessed under Directive 2006/24 actually mean anything in the case of web access? Might not the content be recoverable in many situations where the access time and destination is known?
    • OTOH, this slight separation of information does help protect the privacy of individuals who are not under particular investigation.
  • What are the moral boundaries of 'value-added' services from search engines, and how do these affect their legal responsibilities?

"in their role as providers of value-added operations, search engines help to make publications on the internet easily accessible to a worldwide audience. By retrieving and grouping widespread information of various types about a single person, search engines can create a new picture, with a much higher risk to the data subject than if each item of data posted on the internet remained separate. The representation and aggregation capabilities of search engines can significantly affect individuals, both in their personal lives and within society, especially if the personal data in the search results are incorrect, incomplete or excessive"[53].

    • Does 'retrieving and grouping' mean using some intelligence / semantics like DDG?
    • Or is it part of the normal function of search engines, simply making much more information easily searchable and accessible than would otherwise be the case?
  • What does the Article 7(f) of Directive 95/46 basis for lawful processing of information ("necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1)") actually mean?
    • Article 1(1) is the general right to privacy with respect to the processing of personal data.
    • In what situations may personal data be processed in the legitimate interests of the controller in a way which is not overridden by the interests of privacy?
    • Compliance with requests from rightsholders to avoid civil liability?

Themes for academic research

  • The cost-benefit analysis of data protection or similar responsibilities for companies and public bodies.
  • The changing nature of what constitutes Personally Identifiable Information as volume of data increases along with the ability to cross-reference it easily.
  • How has privacy been redefined by the internet's potential for instant, global publication and searchability?
    • Eg: traditionally one is not entitled to expect 'privacy' in a public place since one necessarily can be observed by other people there.
    • However, one would not necessarily expect to be observed by millions of people while at the supermarket or a restaurant, as may be the effect of publishing pictures or video of one online.
    • Not only scale, but searchability: once media are online they have high permanence and are supremely accessible, presenting opportunities for observation to people separated by both space and time, which would not otherwise be available.
  • What writing / investigation has been done on the practical exercise of anonymising data?
    • Just removing obvious PII like name / addr / tel / email[10]?
    • Purposeful obfuscation?
    • How do the requirements change with the addition of different data sources?


Data Retention Directive 2006[54]: Self explanatory, but this page has some good references.

Framework Decision: No longer used since 2009. These were meant to coordinate the harmonisation of members' laws.

Data controller: "a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed", including where required to do so by law (s.1(4)).

Data processor: "any person (other than an employee of the data controller) who processes [personal] data on behalf of the data controller".


  1. Feiler, Lukas (2010). "The Legality of the Data Retention Directive in Light of the Fundamental Rights to Privacy and Data Protection". European Journal of Law and Technology 1 (3).
  2. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011
  3. 'A comprehensive approach on personal data protection in the European Union'. COM(2010) 609, Brussels, 2010-11-04. Available at <>, accessed 2011-07-25.
  4. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011. pp.6-7
  5. Viviane Reding, 'The reform of the EU Data Protection Directive: the impact on business'. Speech at European Business Summit, Brussels, 2011-05-18. Available at <>, accessed 2011-06-16
  6. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011. p.10
  9. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011. p.9
  10. Justin Harrington, 2000. Data protection and email addresses revisited; is the DPA workable? Entertainment Law Review 11(7) 141-143; Simple example of email addresses
  11. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011, pp.8-9
  12. Article 29 Working Party, 2011. Opinion 15/2011 on the definition of consent. Published 2011-07-11, Available at: <>, accessed 2011-07-11.
  15. European Commission, 2010. 'A comprehensive approach on personal data protection in the European Union'. 4th November 2010, Brussels. Available at <>, accessed 14/06/2011. pp.7-8
  16. Viviane Reding, 'Privacy matters – Why the EU needs new personal data protection rules'. Speech at The European Data Protection and Privacy Conference, Brussels. Available at <>, accessed 2011-07-29
  18. Data protection: report shows EU law achieving main aims. EU Focus 2003, 123, 26-27.
  19. Monica Vilasau, 2007. Traffic data retention v data protection: the new European framework. Computer and Telecommunications Law Review, 13(2), 52-59.
  20. Christopher Kuner, 2008. Data protection and rights protection on the Internet: the Promusicae judgment of the European Court of Justice. European Intellectual Property Law Review, 2008, 30(5), 199-202.
  21. Speech by Ken Clarke, 26th May 2011, p.3
  22. Ministry of Justice, 'UK response to the Commission’s consultation on ‘a comprehensive approach on personal data protection in the European Union’', 2011-01-14
  23. Speech by Ken Clarke, 26th May 2011, pp.7-8
  24. 24.0 24.1
  25. Speech by Ken Clarke, 26th May 2011, p.4
  26. Ken Clarke, 2011. 'Data Protection' (Speech to British Chamber of Commerce in Brussels). 2011-05-26. Available at <>, accessed on 2011-06-15.
  27. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Available at: <>, accessed 2011-07-05.
  28. Data Protection Act 1998. Available at <>, accessed 2011-07-05.
  29. Regulation of Investigatory Powers Act 2000. Available at: <>, accessed 2011-07-05.
  30. Patrick Barkham, Julian Glover, 2000. The RIP Act., Tuesday 24th October 2000. Available at: <>, accessed 2011-07-05.
  31. R Thomas and M Walport, 2008. Data Sharing Review Report. Available at <>, accessed 15/06/2011
  34. EDRi: Data protection framework decision adopted
  35. Data Retention (EC Directive) Regulations 2009. Available at: <>, accessed 2011-07-06.
  36. Richard Taylor. Information technology: Data Retention Regulations., Thursday 18th June 2009. Available at: <>, accessed 2011-07-06.
  38. 38.0 38.1
  39. 'UK told to strengthen data protection, again', The Register, 25th June 2010. Available at <>, accessed 2011-06-14.
  41. 'EU takes Britain to court over e-mail privacy breach', Available at <>, accessed 14/06/2011.
  42. 'Phorm case sends the UK to the European Court of Justice', <>, accessed 14/06/2011
  44. 44.0 44.1
  48. Viviane Reding, 'Who Pays for Data Protection?' Speech at EPP Group Public Hearing. Available at <>, accessed 2011-06-27.
  49. Viviane Reding, 'Assuring Data Protection in the Age of the Internet'. Speech at British Bankers' Association Data Protection and Privacy Conference. Available at <>, accessed 2011-06-27.
  50. Steven Lorber, 2004. Data protection and subject access requests. Industrial Law Journal 33(2) 179-190
  51. European Commission, 2003. First report on the implementation of the Data Protection Directive (95/46/EC). Brussels, 2003-05-15. Available at <>, accessed 2011-06-17
  53. Peter Burgstaller, 2009. Search engines and the extra-territorial dimension of the EC data protection law. Computer and Telecommunications Law Review, 15(5) 104-113