October 4^th 2010 by James Goudie QC

The European Commission has decided (IP/10/1215) to refer the United Kingdom to the ECJ for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or internet browsing. Specifically, the Commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities. The EU rules in question are laid down in the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC. The infringement procedure was opened in April 2009 (IP/09/570), following complaints from UK internet users notably with regard to targeted advertising based on analysis of users’ internet traffic. These complaints were handled by the Information Commissioner’s Office, the UK personal data protection authority, and the police forces responsible for investigating cases of unlawful interception of communications. The Commission previously requested the UK authorities in October 2009 (IP/09/1626) to amend their rules to comply with EU law.

The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK’s obligations both under the ePrivacy Directive and under the Data Protection Directive in three specific areas:

•  there is no independent national authority to supervise the interception of some communications, although the establishment of such authority is required under the ePrivacy and Data Protection Directives, in particular to hear complaints regarding interception of communications
• current UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has ‘reasonable grounds for believing’ that consent to do so has been given. These UK provisions do not comply with EU rules defining consent as “freely given, specific and informed indication of a person’s wishes”
• current UK law prohibiting and providing sanctions in case of unlawful interception are limited to ‘intentional’ interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.

Viviane Reding Vice-President of the European Commission responsible for Justice, Fundamental Rights and Citizenship, made a speech entitled “Towards a true Single Market of data protection” at a Meeting in Brussels, on July 14, 2010.  In her speech she said that we need a comprehensive and coherent approach so that the fundamental right to data protection is fully respected within the EU and beyond. She put forward five proposals.

 First, individuals’ rights should be strengthened by ensuring that they enjoy a high level of protection and maintain control over their data. Individuals need to be well and clearly informed, in a transparent way, by data controllers – be it services providers, search engines or others – about how and by whom their data are collected and processed. They need to know what their rights are if they want to access, rectify or delete their data. And they should be able to actually exercise these rights without excessive constraints.

Secondly, the internal market requires not only that personal data can flow freely from one Member State to another, but also that the fundamental rights of individuals are safeguarded. Provided that all data protection guarantees are in place and properly applied, personal data should freely circulate within the EU and, where necessary and appropriate, be transferred to third countries. This requires a level playing field for all economic operators in different Member States. This is currently not the case: indeed, one of the main concerns expressed by businesses in recent consultations is the lack of harmonisation and the divergences of national measures and practices implementing the 1995 Directive.  Further harmonisation and approximation of data protection rules at EU level is needed.

Thirdly, the current rules on data protection in the area of police cooperation and judicial cooperation in criminal matters should be revised.  Derogations to general data protection principles should be limited. They should not go beyond what is necessary and proportionate in order to pursue objectives of general interest, such as the fight against terrorism and organised crime, or the need to protect the rights and freedoms of others.

Fourthly, personal data must be adequately protected when transferred and processed outside the EU. To that end, the current procedures for international data transfers, including in the areas of police cooperation and judicial cooperation in criminal matters, will be improved, strengthened and streamlined.

Fifthly, EU monitoring of the implementation and enforcement by Member States of the existing rules to guarantee that individuals’ rights are actually respected will be a priority; the role of data protection authorities should be strengthened; and data protection authorities should be provided with the necessary powers and resources to be able to properly exercise their tasks both at national level and when cooperating with each other.

James Goudie QC

 

The European Commission has requested the UK to strengthen the powers of its data protection authority so that it complies with the EU’s Data Protection Directive. The Commission request takes the form of a reasoned opinion – the second stage under EU infringement procedures. The UK has two months to inform the Commission of measures taken to ensure full compliance with the Directive.

 

In the Commission’s view data rules in the UK are curtailed in several ways that leave the standard of protection lower than required.  The Commission is concerned about limitations upon the Information Commissioner’s powers, in particular that he cannot monitor whether third countries’ data protection is adequate, assessments which should come before international transfers of personal information, and he can neither perform random checks on people using or processing personal data, nor enforce penalties following the checks. Also the Commission is concerned that Courts in the UK can refuse the right to have personal data rectified or erased, and that the right to compensation for moral damage when personal information is used inappropriately is also restricted.

James Goudie QC

The Scotsman reports that Moray Council has become the first in Scotland to put every FoI request it receives, and the responses, on its website. Private details of the requester are witheld. The requests are placed into groups, such as individuals, media, government researchers, etc. This will enable the public to see where requests are coming from, what sort of information is being asked for, what level of detail can be provided, and the level of investigation required by council staff to produce the information.” Headline perhaps : ” Tartan Transparency