The ICO has agreed not to issue the Health Board with an enforcement notice, as the Health Board has instead agreed to written undertakings to ensure that all staff including clinical staff are made aware of their data protection policies and receive sufficient training. The Board agreed to take other steps, including processes to confirm patient identity before sending out correspondence.

The Information Commissioner’s Office had agreed with the FSA’s decision, but now the Information Rights Tribunal has ruled that the names should not have been withheld as they did not amount to “personal data”. To be “personal data” under the Data Protection Act, the data needed to be biographical to affect the people’s privacy. Just providing the name was not something so as to affect their privacy. That might have been different, however, if the nature of the people’s involvement gave away other information about them and their views, such as if they worked for an organisation that conducted experiments on animals. That was not the case here, though.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “In my view, these are breaches of the Act, but not really serious breaches. Considering the flagrant breaches of data protection laws carried out by some, it would be unfortunate if an organisation’s mistake that did not reveal very private categories of data went punished when it does so much good. However, it should still be a salutary lesson to always have regard to data protection laws.”

It will no longer be enough to obtain consent automatically on a general basis through a user’s browser; other steps will be needed. This has led to concerns as to how it will affect the user-friendliness of sites. But the law is clear – consent is needed. How to show consent is not clearly set out in the new law. The Information Commissioner’s Office has provided some guidance with suggestions. The type of consent the user must give will vary according to what the cookie contains, at what point in the process it is placed and also according to what the user may already have agreed to. See the guidance here. However, despite the guidance being updated in late 2011, it does not give totally definitive answers.

We have already been advising clients on how to comply with this new law and have come up with some practical suggestions of our own. If you would like to obtain our advice, please contact us on mark.weston@mablaw.com or paul.gershlick@mablaw.com.

Another survey by the UK’s data protection regulator showed that 1 in 10 people had admitted to not deleting data from mobile phones, computers or laptops. In addition, 65% hand on their old phones, computers and laptops to another user, with 44% giving it away to somebody else for free and around one in five (21%) selling it to somebody else.

The Information Commissioner, Christopher Graham, said: “We live in a world where personal and company information is a highly valuable commodity. It is important that people do everything they can to stop their details from falling into the wrong hands.”

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “The results of the survey are surprising only in the sense that they are not worse. Many individuals and businesses either do not wipe data properly before dumping or selling them or fail to do so or use appropriate service providers who carry out this function properly. Businesses which fail to properly erase their data to a high enough standard could find that they are not only in breach of the Data Protection Act, but their valuable trade secrets are then used by competitors, possibly without their knowledge. For more information on what to do to comply with the law and protect your valuable assets, please contact me.”

For more on the ICO surveys, click here: http://www.ico.gov.uk/news/latest_news/2012/ico-report-finds-people-becoming-a-soft-touch-for-online-fraudsters-25042012.aspx.

Social networking sites can process the photos without breaching data protection law if that processing is being done to check whether consent has been obtained, but, once that check has been finalised, the site must delete that information.

Facebook currently uses facial recognition technology to suggest the names of people featured in photographs to the uploaders. The name tags used by the uploaders can be viewed by other Facebook users.

Aside from consent, the Article 29 Working Party said that the social networking sites would need to take adequate technical measures such as encryption while the images are being uploaded. They should also use technical controls to try to safeguard against the images being used by third parties for purposes for which the user had not consented. To add to the regulatory burden, the body added that compliance with EU data protection law also meant giving the data subjects sufficient access rights to their images and not storing more data than was necessary for the tagging purpose.

The Working Party’s opinion also included some comments on the use of facial recognition technology by search engine providers and gaming services.

The Opinion is not legally binding, but it is best practice to comply with it, particularly as it gives an indication as to the action that the regulators would take to enforce the law.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “The Working Party has once again taken a strict pro-privacy stance in providing an opinion. This is similar to the tough line it took against social networking sites and others in its opinion last year on geo-location services. For more on that geo-location opinion, click here: http://www.mablaw.com/2011/06/article-29-working-party-geo-location-data/.”

Paul Staines, who runs the “Guido Fawkes” political blog, published the “Blue Book” section of the files from Operation Motorman, which included a list of journalists who had instructed private investigators on blagging assignments and the instructions those journalists allegedly gave.

The ICO said that Staines’ actions were “irresponsible” and potentially themselves also a breach of data protection laws. It has also said that those concerned that they were victims of blagging in relation to Operation Motorman could contact the ICO for a fast-tracked data subject access request. In addition, the on-going Leveson inquiry into press standards was considering the issue of publication.

Staines has defended his actions by claiming that the publication will help victims of blagging to take action against offenders and that it was in the public interest, a potential defence under the Act to the unlawful obtaining, disclosing or procuring of personal data. However, not all of the journalists on the list may have necessarily committed an offence.

1)    Guidance on identifying data controllers and data processors

The guidance focuses on the key issues to consider when determining who is a data controller or a data processor. The guidance makes it clear that it will not always be clear-cut and that there will be some instances where the line between data controller and data processor will be blurred.

For example, a data controller may be made up of two bodies acting jointly, usually a client and a service provider where the service provided is the processing of personal data. The client will usually be the data controller and the service provider the data processor, but the distinction is not as clear-cut where the service provider is given flexibility in carrying out the client’s instructions or where the service provider provides the service in accordance with externally imposed professional standards.

The guidance recognises that, where there is a joint data controller, there needs to be flexibility to allow for practical arrangements to be made to fulfil the data protection obligations of both; for example, one obligation can be taken on by only one of them provided that it reflects the reality of the relationship between the parties.

2)    Guidance on the use of the section 31 exemption

Section 31 of the DPA can be used by regulatory bodies to withhold information requested or to be provided under the subject information provisions defined in section 27 of the DPA. The exemption applies where the application of the subject information provisions might prejudice the regulator’s discharge of its functions. The guidance makes clear that this test for this prejudice of its functions is a strict one.

The guidance adds that:

a)    the section 31 exemption cannot be used in relation to internal investigations or complaints handling functions; and

b)    where a business (such as a bank) supplies data to an ombudsman in relation to a customer complaint, as the ombudsman can rely on section 31 to resist a subject access request, the business can withhold data as if covered by section 31 even though it would not normally be covered.

The Guidance can be found here: www.ico.gov.uk/~/…/Data_Protection/…/disproportionate_effort.pdf.

The app had been downloaded from iTunes 70,000 times before its withdrawal. It allowed users to access the location data of nearby users and also to access profiles of nearby users in a map format.

The consultation relates to draft guidance published by the ICO on the conduct of security audits. The consultation focuses on the form of the guidance rather than its content.

The opinion also outlined other concerns that the Article 29 Working Party has about the proposed Regulation, such as the obligation on regulators to impose fines in the event of a breach (rather than a discretion to impose a fine) and the way that regulatory responsibility had been drafted in the proposed Regulation.

Its attacks included calling the requirement for all organisations with more than 250 employees to have a dedicated data protection officer disproportionate. It also criticised the data breach notification requirements as leading to unhelpful notification that may negatively impact on the quality of analysis that data controllers carry out before notifying; the CBI advocate a more risk-based approach, with notifications when there was an identified threat of material harm. In addition, it said the “right to be forgotten” was misleading as some organisations such as financial services and employers had to retain data and other organisations would be unable to guarantee whether third parties had reproduced the data anyway.

The CBI’s report follows a recent appraisal by the Information Commissioner’s Office in which the UK’s data protection regulator had not been totally behind the new rules. For more on the ICO’s reaction, see here: http://www.mablaw.com/2012/03/information-commissioner%e2%80%99s-office-eu-data-protection-laws/. The CBI’s report can be found here: http://www.cbi.org.uk/media-centre/press-releases/2012/03/eu-data-protection-reforms-risk-strangling-innovation-cbi/.

Google had consolidated all of its privacy policies into one so that personal data collected through one Google service could be shared with other Google services such as YouTube, Gmail and Blogger. Google’s aim behind having one privacy policy across its services is to make its position on privacy easier to understand and to improve the experience of its users – Google hopes to be able to use data between its services to offer a more personalised experience to users when they login to their user accounts. Critics have expressed concern that the new privacy policy gives citizens less control over the use of their data as it is freely transferable across services.

The report can be found here: https://www.trustwave.com/global-security-report.

Lancashire Constabulary has admitted breaching the Act, and has signed an undertaking with the ICO, promising to take better care of personal data, particularly if it involves sensitive personal data such as ethnicity and sexuality. Amongst the undertakings are promises to keep data to a minimum when taken outside of police stations and only take hard copy documents incorporating the personal data when absolutely necessary. The undertakings can be found here: http://www.ico.gov.uk/news/latest_news/2012/lancashire-constabulary-receives-penalty-after-loss-of-missing-person-report-14032012.aspx.  

Since 2010, the ICO has been entitled to fine organisations up to £500,000 for serious breaches of the Act.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “After many years of problems for EU organisations of doing business with people in the US because of the US’s lack of data protection laws, this looks to be a major step forward in international trade. We need to await what the new law will look like. But this is promising.”

The High Court refused to continue the injunction. The High Court ruled that whether (i) JS had a reasonable expectation of privacy and (ii) public interest should allow disclosure, were issues on which both parties had a reasonable prospect of success; as a result, the High Court considered whether, and accepted that, damages could be an adequate remedy for JS if disclosure was permitted. As such, the High Court refused to continue the interim injunction.

This ruling is interesting in that, although refusing to extend the interim injunction, the High Court made clear that the lack of an injunction did not give the media complete freedom to publish anything – rather, if the media did publish private information about JS, it might be subject to a claim for damages in relation to infringing JS’s privacy, which the court would consider on a case by case basis.

The guidelines follow a period in which there has been increasing concern about how apps use personal data after the operators of the Path and Hipster apps admitted data breaches. The guidelines state that users must be given certain information about how the app uses their data before it is activated on their mobile device, and also that users of social networking apps must be given the option to delete their account and have all personal information about them removed.

However, the move has come in for serious criticism. Before the plan was implemented, the Article 29 Working Party urged Google to postpone any action to allow an investigation to take place to ascertain whether the plan was lawful, and the French data protection regulator, the CNIL, appointed by the European Union to perform that investigation, expressed concern that there were “strong doubts” as to whether it was compliant with European Union data protection laws.

Now that Google has put the plan in action, the European Union’s justice commissioner has also come out and said that the changes are in breach of European Union law. The CNIL is to send Google a list of questions about the move in the next few weeks to further its investigation.

• It welcomes the continued exemption for domestic processing, although it says that it would be helpful to clarify that personal commercial activity such as selling something for oneself on an online auction site – is within the exemption.
• The ICO is pleased to see non-EU data controllers fall within the law, but it questions how it can be enforced, and also who would be caught – for example, would a US site merely offering goods that happen to be seen by someone in the EU have to comply with the EU laws?
• It wishes to see clarity over whether online identifiers such as Internet Protocol addresses and cookie identifiers count as personal data. The ICO believes it should depend on the context, so that where the details are used to target a particular individual, that would be personal data. 
• Clarity that, for consent to apply, this would need a clear affirmative action such as clicking a tick-box or taking some other positive step.
• The ICO wishes to see a default position of processing being able to take place except where it overrides the data subject’s fundamental rights and freedoms.
• The ICO wonders why some categories of data such as trade union membership are given heightened status of “sensitive personal data”, whereas others that data subjects would think of as being more sensitive (such as financial data) are not considered as such.
• It welcomes the new “right to be forgotten”, being the right of individuals to have their data (such as at online social networking sites) removed. However, this could be misleading to data subjects as in many cases their data cannot be totally “forgotten” and will still appear on the Internet.
• Perhaps the strongest criticism comes in relation to notification of data breaches. Whilst the ICO is strongly in favour of such a duty, it should be proportionate with only the serious breaches (such as financial loss occurring) being notified to avoid the danger that regulators will receive more notifications than it can cope with. In addition, the proposed timing should be changed so that the requirement should be without undue delay rather than within 24 hours, as too early a notification could lead to meaningless information and a distraction from dealing with the breach.

Mr Graham blasted the “chicken feed fines” of £200 that had to be handed out to someone guilty of an offence of data blagging under the Data Protection Act, on the same day as other people were jailed under the Fraud Act for the same activity. Under the Criminal Justice and Immigration Act, the Justice Secretary has the power to introduce new regulations that would provide for jail as an option, but this has not yet been done.

For more on the cases and the ICO’s views, click here: http://www.ico.gov.uk/news/latest_news/2012/letting-agent-unlawfully-accessed-tenants-benefit-details-27022012.aspx.

Google’s aim behind having one privacy policy across its services is to make its position on privacy easier to understand and to improve the experience of its users – Google hopes to be able to use data between its services to offer a more personalised experience to users when they login to their user account.

The Article 29 Working Party, which is made up of representatives from the data protection regulators of each European Union (EU) member state, has now asked Google not to introduce the changes until the French data protection regulator, the CNIL, has assessed what impact the single policy might have on EU citizens, with many critics expressing concern that the new policy will mean citizens will have less control over the use of their data as it will be freely transferable across services.

Google has responded to criticism by arguing that users will still be able to use many of its services without having a user account and disclosing personal data to Google, and those that do sign up to an account will be able to review the privacy policy and use various privacy tools to dictate how Google can actually use their information. Google has also indicated that it may not be willing to postpone the launch of the new policy, citing the fact that the European Commission and various data protection regulators have already been consulted when the single privacy policy was being put together.

The call for evidence is open until 6 March, and the responses will be summarised in a report that will be published in June.

In Croydon’s case, papers relating to a child sex abuse court case were stolen from a social worker in a pub and the Information Commissioner’s Office was unhappy that the Council had failed to communicate its data protection guidance to staff and carry out adequate checks to make sure people understood it. Norfolk’s case involved a hand-delivered report about a child’s emotional well-being being delivered to the next-door-neighbour with the Council having failed to have appropriate data protection training or have a system of double-checking colleagues’ work on sensitive personal data.

These punishments demonstrate the ICO’s willingness to hand out substantial fines for just single errors. Once again, the cases have involved the public sector.

The apps have now been updated to remove the problem by specifically asking for consent. Path has since stated that the data was sent to its servers in an encrypted format, and all the data had been deleted from its servers.

The issue has caused some to express concern as to whether Apple, in reviewing and approving apps for active use, is doing enough to protect iPhone users if these aspects of the apps were not picked up before approval.

When Mr Patel complained to Unite about the postings, Unite took the forum offline and released a statement that the allegations against Mr Patel were unfounded; but Unite failed to respond to Mr Patel’s request for the identification of those responsible.

The BASSA website was subject to terms of use, which warned users that their personal data might be disclosed subject to data protection and privacy law.

Mr Patel successfully applied to the High Court for a “Norwich Pharmacal” order, which required Unite to provide the identities, addresses and Internet Protocol addresses of the users responsible. Instead, Unite maintained that the information requested had in fact been deleted. Mr Patel and his solicitors pushed Unite to make further efforts to recover the information, without success. Mr Patel therefore sought a further Norwich Pharmacal order for an independent expert to be given access to Unite’s database on the grounds that the continued failure to provide the information must be, at best, as a result of incompetence or technical ignorance. Unite objected to a further order on data protection grounds.

The High Court ruled that Unite had not provided sufficient evidence that it had carried out the reasonable search required by the first Norwich Pharmacal order, and Unite had not shown that it had actually followed up the information provided by Mr Patel in order to carry out that search. The High Court noted that the additional order that Mr Patel was asking for was intrusive, but that it was proportionate and necessary to give the order so that Unite would comply with Mr Patel’s information request. The High Court considered the fact that the website terms of use warned users that Unite might disclose a user’s identity, subject to data protection and privacy law, and that, without the order, those responsible would not be identified. Whilst the order was given by the High Court, it was strictly limited to an expert appointed jointly by both parties and only to the disclosure of the information which would identify those responsible, or which explained why identification was not possible.

In a press release, the EC outlined the main changes that will be made to the data protection regime in the EU::

-          There will be one set of rules across the EU, rather than each EU Member State having its own rules.

-          The scope of the people caught by the data protection law will be increased. The rules will apply to data controllers who are not established within the EU if the data processing relates to offers of goods or services to data subjects within the EU or a monitoring of EU data subjects’ behaviour. Clearly, this is intended to cover large online players from the US such as Google.

-          In addition, what counts as personal data is being widened. Data will be personal data if it is not just data held by the data controller that can identify the individual but also data held by a third party which, in combination with the data held by the data controller, could identify. This could catch rights holders that hand over Internet Protocol addresses to Internet service providers for enforcement of copyright infringement under the Digital Economy Act 2010.

-          There will no longer be an obligation for organisations to notify (or register) all data protection activities to data protection regulators (such as the Information Commissioner’s Office (ICO) in the UK), but only data breaches will need to be notified; however, that will need to take place within 24 hours of becoming aware of the breach. Organisations will need to have continuous monitoring and reporting systems in place at all times. Security breaches must also be notified to data subjects “without undue delay”.

-          In place of general notification obligations, organisations will have to maintain documentation and records showing their processing activities, and be subject to strict audit requirements and produce that to the authorities on demand.

-          Data controllers will also have to comply with training requirements.

-          People will be able to access and transfer their own data more easily. They will have a right to be given their data in a convenient portable format such as a disk or MP3 file. They will also have a right to be told how long their data will be kept for.

-          Data subjects will have a right to be told where the data controller got their data from.

-          There will be a “right to be forgotten” where people will be able to delete their data if there are no grounds for it being retained. This will put a huge burden on Internet businesses in particular, which will have to do what they can to ensure links to the data is deleted by others even after they have deleted it.

-          Member State regulators, such as the ICO, will be strengthened to allow them to better enforce the rules, with possible fines of up to 2% of a company’s global turnover or €1m for other bodies. The amount of the fine will depend on the nature, gravity and duration of the breach; whether the breach was deliberate or negligent; previous history of breaches; what security measures had been put in place; and the level of co-operation with the authorities.

-          All organisations will have to appoint data protection officers unless they have fewer than 250 employees, in which case they will be exempt from this requirement.

-          Clearer rules for the transfer of data across borders within multi-national organisations will be introduced. In addition, national data protection authorities will need to approve bespoke agreed clauses as an alternative to the standard contractual clauses for transfers between an organisation in one EU country and another organisation outside of the EU.

-          Any consent from a data subject will have to be explicit rather than implied. Any written consent such as a tick-box will need to be distinguishable from other consents. This would mark a change from current online acceptance practice.

-          Data access policies will have to be not only fair but also transparent.

-          The law will move from data being permitted if “not excessive” to effectively minimising the data as it will only be legitimate if the purpose cannot be fulfilled by processing non-personal data.

-          Data processors (people who process data on behalf of data controllers and do not take any decisions in respect of the data) are currently not subject to the data protection requirements. They are only caught under contract law when data controllers (as they are required to do) enter into a written agreement with the data processor to contain certain safeguards. That will change. Under the new regime, data processors will have specific direct obligations to maintain security of data under the law.

-          Data controllers will generally not be able to charge data subjects for data subject access requests.

The proposals will be sent to the European Parliament and the Council of Ministers for discussion, and will take effect two years after they have eventually been adopted.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP, comments: “This proposed law makes depressing reading. The Commission has trumpeted the ease of cost to business, but such a statement totally ignores all the other increases in regulation that this law would introduce. On balance, this will involve much more red tape for business to have to comply with. At a time when SMEs need a helping hand to grow and help to rescue the EU’s economy, this development is not going to be welcomed. Instead of considering SMEs’s legitimate interests, the Commission seems to have been too focused on protecting EU citizens against big US Internet businesses.

“The one plus side is that the new data protection law will be implemented in one consistent way across the whole EU; the major downside, though, is that it will involve much stricter obligations than businesses currently face, including tougher internal programmes and records and quick reports to the regulators and data subjects of data breaches. And there will now be much bigger fines for breaches. Let’s hope some of the provisions are softened before the law is passed.”

The Information Tribunal has disagreed with the Information Commissioner’s ruling, and ruled that, if the email still existed, it was still “held” and therefore the University should disclose the email or issue a valid refusal notice.

Whilst this ruling relates to the Environmental Information Regulations, it is based on the same principles as disclosures under the Freedom of Information Act 2000 and is an interesting precedent.

Whilst this ruling relates to the Environmental Information Regulations, it is based on the same principles as disclosures under the Freedom of Information Act 2000 and is an interesting precedent.

Paul Gershlick, Head of Pharmaceuticals and Life Sciences at Partner at Matthew Arnold & Baldwin LLP and a data protection law specialist, comments: “We need to understand the facts as the ICO sees them and then make a judgement, but such a large fine seems harsh given that the hospital appear to have been the victim and no data actually got into the public domain through the hospital’s action with the police when the items appeared on eBay. This action signals the tough intentions of the UK’s data protection regulator in dealing with data security breaches involving people’s health data.”

The ICO sets out a plan of 5 Es: eduate, empower, engage, enable and enforce. It is not purely about enforcement as it wants to educate and help too, but that is clearly the end result if there are problems. It wants to target its limited resources to the areas in which it perceives are the greatest need to act to protect individuals. It will consider the volume, nature and sensitivity of the data and the number of people affected. Ultimately, it will consider what is in the public interest.

The ICO wants to ensure that its activities are conducted transparently, proportionately, consistently, targeted and in an accountable way. It also wants to see a high proportion of the public aware of their privacy rights and how to enforce them.

The Information Rights Strategy can be found here: http://www.ico.gov.uk/about_us/plans_and_priorities/information_rights_strategy.aspx.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, says, “It is absolutely crucial to protect patient data. However, privacy groups again appear to be pursuing a single concern agenda – ie privacy. What about improving patient care and improving or saving lives? Instead of criticising the Government’s healthcare data strategy for being pursued too fast, people worried about privacy should instead be working with the Government to make sure the privacy safeguards are in place so that the health benefits can be achieved as soon as possible. The longer any delays take, the fewer number of people who will benefit from any reforms. When people’s lives are at stake, there should be no time to lose.”

The fine follows a similar incident last year where public parts of a document about another child were sent to the same member of the public by the council. The ICO admonished the council, with the council promising to improve its processes.

In addition to the fine, the council has been ordered to retrain all staff in relation to data protection before the end of March 2012, with refresher training to follow every three years.

The “Article 29 Working Party”, which is a committee of national regulators from each EU State (including the UK’s Information Commissioner’s Office), will provide the basis for the new board. The board will offer support to each country’s regulator and, it is hoped, will bring about more harmonisation between the data protection laws in each Member State.

Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, comments: “This case shows that any organisations involved with people’s health data must be careful to ensure that their employees do not misuse the data and that they take adequate safeguards to protect it. Health data about individuals falls within the category of sensitive personal data and is a higher class of data that is protected under data protection laws. That said, this outcome would probably have been the same regardless of the fact that the data misused was within the category of sensitive personal data.”

Some have raised privacy concerns over the proposals.  Big Brother Watch has said it should be for patients to decide what happens with their medical information rather than governments.  Meanwhile, Patient Concern warns that the plans would be the death of patient confidentiality.

However, Paul Gershlick, a Partner and Head of the Pharmaceutical and Life Sciences sector at Matthew Arnold & Baldwin LLP, disagrees with those concerns and welcomes the Government’s initiative.  He says: ”It is clear from the Government plans that patient data will be anonymous so that any one individual will not be identified during the data sharing.  If that is the case, why should there be any fuss from privacy campaigners? Under UK data protection law, people lose rights over “their” data if that data is anonymised. 

“Surely, as long as patient data is protected through anonymity, the main objective must be to improve patient care and make people’s lives better.  As a society, we must do all we can to improve the quality of care through helping to achieve faster drug development and introduction. If the NHS works together with the private sector to help to develop or bring out new drugs quicker, that has got to be a good thing if it saves anyone’s lives or makes them more comfortable.  And if this has the added bonus of generating more business in the UK by making it a more attractive place to do business in the pharmaceutical and life sciences sector particularly in these economic uncertain times, so much the better.”

The EU has proposed several changes to the current data protection regime, including granting individuals a “right to be forgotten” by allowing them to force organisations to delete personal data they hold and making non-EU based organisations subject to EU data protection law if they store personal data of EU citizens in the “cloud” (i.e. storing the data on an Internet-based network rather than on local servers).

The Culture Minister responded that:

-          A “right to be forgotten” would give the public false expectations. His argument was based on the ease and speed with which data can be copied and circulated on the Internet, to the extent that the Government would be unlikely to pass a law into force that it was impossible to enforce.  After all, how could one organisation promise that someone’s photos had been permanently deleted when someone else may have copied them from that original site?

-          It was questionable how feasible it would be to enforce EU law against non-EU organisations and there was the possibility that the law would stifle innovation and economic growth in the sector.

The full text of the speech can be found here.

ENISA also expressed concern in relation to security and privacy risks from such practices. The report suggests that users are becoming increasingly dependent on websites storing their personal information to make their future visits quicker and easier; whilst this is a benefit to a user, it makes fraud and unauthorised access easier, with the potential for not only financial loss but also possible reputational harm, discrimination and even exclusion from websites altogether.

The report suggests that the other effect of the practice is that website operators are being put under increasing pressure to store and protect personal information in a legally compliant way, which they may not have the knowledge or financial means to undertake.

ENISA suggested that privacy-friendly mechanisms should be incorporated into new websites and software, with clear instructions for users explaining the risks involved in a personalised service.

The World Wide Web Consortium (W3C) has published two draft standards to allow users to express privacy preferences in relation to cookies.  W3C released details of:

1. the “Tracking Preference Expression”, which defines mechanisms for users to express cross-site tracking preferences, and for websites to indicate whether these preferences are complied with; and
2. the “Tracking Compliance and Scope Specification”, which defines the meaning of a “Do Not Track” mechanism for notifying websites of a preference and set out best practice for website compliance.

It is hoped that the documents will culminate in the development of software that can be used and developed further by browser operators to protect users from cookies and tracking mechanisms. It is intended that the new standards will allow a user to express a preference for how their data is collected for tracking purposes and alert users as to whether a website honours their preferences or not.

The documents have been developed by a working group within W3C which includes representatives of Apple, Facebook, Google, IBM, Microsoft and Yahoo.

W3C is hopeful that the standards will be in operation in 2012.

In her statement, Reding said consumers should be more “empowered”. She also issued a warning that cloud computing service providers would face stricter provisions. Cloud computing refers to the making available of software and data on a network such as the Internet rather than on the user’s own servers.

Paul Gershlick, a Partner at Matthew Arnold & Baldwin LLP and editor of Upload-IT, comments: “This statement will send shockwaves through businesses. Currently, there are a number of grounds on which organisations can process data. They include if it is for their legitimate interests and it does not cause the data subject unwarranted harm. The statement is short so something may be lost in the translation, but at face value it suggests that the only grounds for processing data will be with explicit consent and that consent must be given in advance. That could prevent many businesses from functioning efficiently if they need to obtain explicit consent first every time.

“The new laws will also look to address the problem of social media site users saying something embarrassing and then never being able to remove it later, leaving them in an awkward position when a prospective interviewer checks them out on the web before a job interview. There has not yet been any clarity over users’ position when someone else posts a comment, photo or video clip about them on the web without their consent – if someone is featured in someone else’s posted content, will the subject be able to pull it?

“Further, the statement issues a warning for cloud computing service providers, but does not give any indication about how exactly their businesses may be affected.

“Overall, the statement leaves more questions than answers and is not particularly helpful for businesses looking to plan ahead to the new regime. They will have to watch this space over the next few weeks to see what the impact will be.”

The statement can be found here: http://europa.eu/rapid/pressReleasesAction.do?reference=MEMO/11/762&type=HTML.

The Information Commissioner’s Office (ICO) have been informed of the breach and the business secretary, or his office, could be liable for a fine of up to £500,000 if the ICO finds that data protection law has been seriously breached.

The report can be found here: http://www.publications.parliament.uk/pa/cm201012/cmselect/cmjust/1473/147302.htm.

The ECJ ruled that those individuals that were the subject of stories published online not only had the choice of suing the publisher either in the country where the publisher is based or in the country where the individual had their “centre of interests”, but they also had the choice of bringing the claim in a country where the story or content was accessible (although only for the damage suffered in that country). In such an instance, the ECJ ruled that the relevant national courts could not apply a stricter law to the case than that applied by the courts in the country where the publisher was actually based.

In an age where content spreads so easily on the Internet, the waters have suddenly become more muddied for a publisher – it is now much easier than previously thought for a person who is the subject of a story to take action.

The 65 requests received in that period covered more than 300 individual items, and came from the UK government and courts. Six of the requests related to videos that raised national security concerns on YouTube, and several other were court orders relating to defamation and privacy.

Details of the requests can be found here.

Of particular concern in the pharmaceutical sector is that out of 47 undertakings that the ICO has agreed with organisations that have breached the Data Protection Act since April, 40% of those have been in the healthcare sector.

The ICO’s press release can be found here.

The first report considered how 14 social networking websites had implemented the 2009 agreement. This second report considered nine social networking websites, which included a range of blogging, gaming, file-sharing and personal social-networking functionality, and found that only two of the websites had default settings which made a child’s information visible only to approved contacts; the other websites shared a large amount of that information beyond a child’s approved contacts.

The EC has said that it will take into account the two reports when it undertakes a comprehensive initiative to empower and protect children when using new technologies, which is set to take place later this year.