(no subject)

Terje Norderhaug (Norderhaug.CHI@xerox.com)
Thu, 27 Jul 1995 02:28:32 -0800

At 12:48 AM 7/27/95, James Pitkow wrote:
>rst@ai.mit.edu (Robert S. Thau) wrote:
>[example of a site with hacked session ids and its disadvantages]
>>
>> To put it another way, the ostrich approach to, say, the privacy
>> issues with session-id won't work at all. If you're concerned, try
>> something else.
>
>No sale. I remain firm in my position that privacy on the Web can be
>maintained by
>policies like those in Europe and now by MSN that do not allow data fusion
>with out
>consent. These policies forgo a lot of the technical issues.

Jim has a valid position, although I believe technology should come before
legislation in privacy protection (this is not implying that I think Jim
disagree with me on that issue, though). By creating technology that
decentralizes the storage of sensitive data as much as possible
(potentially to each user!) it become possible to create legislation that
restricts the central storage of such information, giving individuals the
ultimate power without loosing the ability to make interesting
applications. Technologists should be on the side of people as individuals
and not on the side of those that view people as a mass of consumers [Yes,
that is a political statement].

Enclosed is a relevant recent press release for those interested in keeping
updated about what happens in Europe.

-- Terje <Norderhaug.CHI@Xerox.com>
http://www.ifi.uio.no/~terjen/

----------------------------------------------------------

EUROPEAN COMMISSION PRESS RELEASE: IP/95/822

DOCUMENT DATE: JULY 25, 1995

+

COUNCIL DEFINITIVELY ADOPTS DIRECTIVE ON PROTECTION OF

PERSONAL DATA

+

The Directive on the protection of personal data has been formally adopted
by the Council of Ministers. ``I am pleased that this important measure,
which will ensure a high level of protection for the privacy of individuals
in all Member States, has been adopted with a very wide measure of agreement
within the Council and European Parliament'' commented Single Market
Commissioner Mario Monti. ``The Directive will also help to ensure the free
flow of Information Society services in the Single Market by fostering
consumer confidence and minimising differences between Member States' rules.
Moreover, the text agreed includes special provisions for journalists, which
reconcile the right to privacy with freedom of expression,'' he added. ``The
Member States must transpose the Directive within three years, but I
sincerely hope that they will take the necessary measures without waiting for
the deadline to expire so as to encourage the investment required for the
Information Society to become a reality.''

The Directive will establish a clear and stable regulatory framework
necessary to guarantee free movement of personal data, while leaving
individual EU countries room for manoeuvre in the way the Directive is
implemented. Free movement of data is particularly important for all services
with a large customer base and depending on processing personal data, such as
distance selling and financial services. In practice, banks and insurance
companies process large quantities of personal data inter alia on such highly
sensitive issues as credit ratings and credit-worthiness. If each Member
State had its own set of rules on data protection, for example on how data
subjects could verify the information held on them, cross-border provision of
services, notably over the information superhighways, would be virtually
impossible and this extremely valuable new market opportunity would be lost.

The Directive aims to narrow divergences between national data protection
laws to the extent necessary to remove obstacles to the free movement of
personal data within the EU. As a result, any person whose data are processed
in the Community will be afforded an equivalent level of protection of his
rights, in particular his right to privacy, irrespective of the Member State
where the processing is carried out.

Until now, differences between national data protection laws have resulted
in obstacles to transfers of personal data between Member States, even when
these States have ratified the 1981 Council of Europe Convention on personal
data protection. This has been a particular problem, for example, for
multinational companies wishing to transfer data concerning their employees
between their operations in different Member States.

Such obstacles to data transfers could seriously impede the future growth
of Information Society services. As the Bangemann Group report to the Corfu
European Council remarked: ``Without the legal security of a Union-wide
approach, lack of consumer confidence will certainly undermine the rapid
development of the information society.'' As a result, the Corfu European
Council called for the rapid adoption of the data protection Directive.

To prevent abuses of personal data and ensure that data subjects are
informed of the existence of processing operations, the Directive lays down
common rules, to be observed by those who collect, hold or transmit personal
data as part of their economic or administrative activities or in the course
of the activities of their association. In particular, there is an obligation
to collect data only for specified, explicit and legitimate purposes, and to
be held only if it is relevant, accurate and up-to-date.

The Directive also establishes the principle of fairness, so that
collection of data should be as transparent as possible, giving individuals
the option of whether they provide the information or not. Moreover,
individuals will be entitled to be informed at least about the identity of
the organisation intending to process data about them and the main purposes
of such processing. That said, the Directive applies different rules
according to whether information can be easily provided in the normal course
of business activities or whether the data has been collected by third
parties. In the latter case, there is an exemption where the obligation to
provide information is impossible or involves disproportionate effort.

The Directive requires all data processing to have a proper legal basis.
The six legal grounds defined in the Directive are consent, contract, legal
obligation, vital interest of the data subject or the balance between the
legitimate interests of the people controlling the data and the people on
whom data is held (i.e. data subjects). This balance gives Member States room
for manoeuvre in their implementation and application of the Directive.

Under the Directive, data subjects are granted a number of important
rights including the right of access to that data, the right to know where
the data originated (if such information is available), the right to have
inaccurate data rectified, a right of recourse in the event of unlawful
processing and the right to withhold permission to use their data in certain
circumstances (for example, individuals will have the right to opt-out free
of charge from being sent direct marketing material, without providing any
specific reason).

In the case of sensitive data, such as an individual's ethnic or racial
origin, political or religious beliefs, trade union membership or data
concerning health or sexual life, the Directive establishes that it can only
be processed with the explicit consent of the individual, except in specific
cases such as where there is an important public interest (e.g. for medical
or scientific research), where alternative safeguards have to be established.

As the flexibility of the Directive means that some differences between
national data protection regimes may persist, the Directive lays down the
principle that the law of the Member State where a data processor is
established applies in cases where data is transferred between Member States.

The Directive also establishes arrangements for monitoring by independent
data supervisory authorities, where necessary acting in tandem with each
other.

In the specific case of personal data used exclusively for journalistic,
artistic or literary purposes, the Directive requires Member States to ensure
appropriate exemptions and derogations exist which strike a balance between
guaranteeing freedom of expression while protecting the individual's right to
privacy.

For cases where data is transferred to non-EU countries, the Directive
includes provisions to prevent the EU rules from being circumvented. The
basic rule is that the non-EU country receiving the data should ensure an
adequate level of protection, although a practical system of exemptions and
special conditions also applies. The advantage for non-EU countries who can
provide adequate protection is that the free flow of data from all 15 EU
states will henceforth be assured, whereas up to now each state has decided
on such questions separately.

For their part, the Council and the Commission have made it clear that
they consider that the European Union institutions and bodies should be
subject to the same protection principles as those laid down in the
Directive.

END OF DOCUMENT