The flaws in data protection law
OUT-LAW Radio, 26/07/2007
We look at how data protection laws from Europe are implemented
poorly.
A text transcription follows.
This transcript is for anyone with a hearing impairment or who
for any other reason cannot listen to the MP3 audio file.
The following is the text spoken by OUT-LAW journalist Matthew
Magee.
Hello and welcome to OUT-LAW Radio, the weekly podcast that
keeps you up to date on all the twists and turns in the world of
technology law. Every week we bring you the latest news and in
depth features that help you to make sense of the ever-changing
laws that govern technology today.
My name is Matthew Magee, and this week we look for problems in
the way European privacy laws have been put into practice.
But first the news:
- Facebook founder accused of idea theft; and
- firms can change contracts via websites
The founder of Facebook stands accused of stealing the ideas and
business plan of three men behind a rival social networking
site. But a Boston Judge this week told Connect Use founders that
they must produce more evidence to support its claims.
Before starting Facebook Mark Zuckerberg worked with Divya
Narendra and Cameron and Tyler Winklevoss on Harvard Connection a
website which later became ConnectU. All four were Harvard students
and the three ConnectU founders hired Zuckerberg after hearing that
he was a talented web programmer.
The three men behind the suit say that 23-year-old Zuckerberg
was hired in November 2003 to write computer code for the site for
delivery by June 2004.
Facebook was launched in February 2004 but Massachusetts
District Court Judge Douglas Woodlock told ConnectU’s founders that
they need to produce more evidence to back their claims. Describing
their case as gossamer thin on equation of contract they have been
given until the 8th August to file a revised complaint. A company
cannot change its contract with consumers simply by posting revised
conditions on its website the US Appeals Court has ruled. The
position is similar in the UK according to an e-commerce legal
expert.
A customer of Talk America has won a court ruling over a
consumer contract which was amended online without his knowledge.
The ruling clears the way for the customer to take a class action
suit against Talk America.
Joe Douglas signed up for long distance telephone service with
America Online, Talk America acquired the service from AOL and
tried to change the terms of the contract by positing a message on
its website.
The US Court has said that the contact is an agreement between
two parties and that one party could not change it without further
acceptance by the other.
Jon Fell is a partner with Pinsent Masons, the law firm behind
OUT-LAW, and he said that the UK Court would likely come to the
same conclusion when faced with these facts “I am not at all
surprised by the ruling,” he said, “unilateral changes to a
contract, particularly a consumer contract will always struggle to
stand up in court.”
That was this weeks OUT-LAW News.
Data protection laws have fundamentally changed the way that
people, companies and government interact. Increased privacy rights
bring heavy, technical administrative and even legal burdens and
privacy activists argue that those are more crucial than ever in
these surveillance heavy times.
The picture seems bright all EU countries now have official
privacy watchdogs, they all have laws based on the Data Protection
Directive and companies and governments must take greater care of
privacy than ever before.
But there are problems emerging with the Directive. The European
Commission has published a report claiming that it has been poorly
implemented by member states. Now EU watchdog the European Data
Protection Supervisor says that not only has a directive not been
properly implemented but the counter-terrorism powers threaten its
aims. Joaquin Bayo Delgrado is the Assistant European Data
Protection Supervisor he outlined for us some of his office’s
concerns about how countries have implemented the Directive.
Bayo Delgrado: There are areas in which
the concepts we use in the Directive disturb some specific
analysis. I could mention in this respect the definition of
personal data which is crucial for the application of the Directive
but there are other issues like, for example, the roles of
processors and controllers of data, the rules on the applicable law
etc. There are many aspects to which deserve some attention in the
implementation of the Directive.
The European Commission was more specific. It said that a number
of EU counties have failed in their data protection laws. It is
concerned that data protection supervisors in some countries are
not powerful or independent enough of government.
“These authorities are key building blocks in the system of
protection conceived by the Directive, and any failure to insure
their independence and powers has a wide ranging negative impact on
the enforcement of the data protection legislation” it said.
Even in those countries which have fully implemented the
Directive it is under threat according to the Data Protection
Supervisor. Bayo Delgrado says that the growing scope of
anti-terrorism laws and practices is a threat to the fundamental
privacy principles protected by the Directive.
Bayo Delgrado: The fundamental right of
privacy and data protection as recognised in international
instruments develops these fundamental rights, so regardless of the
need to take care of specific problems, specific limitations,
specific safeguards etc. in the different areas and the area of
justice might be a good example. The fundamental right, as the word
says fundamental, has to be kept as such so we cannot desegregate
from the essentials of these fundamental right. I would say that in
some cases we are worried because we think that the level of
protection is not the one that we think we would be the proper one.
In some cases we are worried because the exceptions, let’s say, go
too far and we do not see the need for such broad exceptions.
I asked Bayo Delgrado whether the trend toward sharing
information between security services runs counter to data
protection principles at a fundamental level.
Bayo Delgrado: Perhaps the expression goes
counter is too much an assessment of the situation, but in many
cases they introduce some exceptions which are somehow
worrying.
One such programme of information exchange is a passenger named
records transfer scheme, whereby airlines pass European passengers’
details onto US authorities before landing. A new deal has just
been agreed, but as OUT-LAW reveals this week, EU statements around
it misleadingly suggest that far less information than before is
transferred in the new deal.
A joint EU/US statement said that the number of data fields
passed to the US was reduced from 34 to 19. OUT-LAW has revealed
that only two actual pieces of information fewer are now passed to
authorities, though the remaining 32 pieces of information are
squeezed into 19 categories not 32. Bayo Delgrado said that the PNR
Deal was just the sort of behaviour that it is concerned about.
Bayo Delgrado: We are really worried about
the terms in which this agreement has been reached. We are not
pleased, that is clear, we are not pleased by the results and our
wishes would have been to have a different outcome of the
negotiations.
Bayo Delgrado says that his office wants to try further
harmonise the data protection laws between the EU member states and
to try to make privacy an integral part of all their laws.
That's all we have time for this week, thanks for listening.
Why not get in touch with OUT-LAW Radio? Do you know of a
technology law story? We'd love to hear from you on radio@out-law.com.
Make sure you tune in next week; for now, goodbye.
OUT-LAW Radio was produced and presented by Matthew
Magee for international law firm Pinsent Masons.
