
INTERNATIONAL NEWSLETTER

EU-wide police access to telecoms data means higher costs and less privacy, say business and DPAs

On December 14, the European Parliament approved a compromise on mandatory retention of communications data. Legal challenges are likely to follow. Dugie Standeford reports.

A key plank in the EU's anti-terrorism platform is its proposal to require telephone and Internet companies to store - and to make available to law enforcement authorities - extensive information about the transmission of phone calls, emails and other communications.

The push for EU-wide legislation mandating retention of communications traffic data, begun in April 2004 at the request of the UK, France, Ireland and Sweden, has been mired in controversy. The question is whether the EU can introduce these new measures with as little intrusion into privacy as possible.

Making it easier for police to co-operate in fighting organized crime and in terrorism investigations has been high on the EU's agenda since the Madrid bombings. Telecom companies and ISPs have traditionally, and lawfully, stored some traffic data for limited periods of time for billing and commercial purposes. But Internet phone-calls, pre-paid mobile cards and other new technologies and services have changed the nature of the data which communications operators need to store. Faced with a patchwork of national laws and business practices, the EU is seeking to expand and harmonize retention requirements to ensure that the data are available, if needed.

The four countries' vision of mandatory retention was encapsulated in a draft framework decision by the Justice and Home Affairs Council. In September, the European Commission, dissatisfied with aspects of the Council plan, unveiled a draft directive, and the two proposals travelled the legislative track in parallel. However, strong opposition to data retention from the European Parliament, civil liberties groups and Communications Services Providers (CSPs) stalled progress on the measures.

In an effort to enact mandatory data retention into law before it hands the Presidency to Austria in January 2006, the UK government brokered several compromise packages, the latest of which won agreement from the European Commission, leaders of the European Parliament's two largest political parties, and, on December 15, from the Parliament itself, by 387-197 votes.

Recently added to the mix - on October 12 - is another proposed Commission measure aimed at facilitating law enforcement exchanges of existing personal information, including telephone numbers and other communications data, fingerprints, and DNA profiles.

Continued on p.3

NEWS & ANALYSIS
2 - Comment: European DPAs say US Privacy Act ignores privacy rights of Europeans
5 - News: ECJ's Advocate General calls for annulment of European Council and Commission decisions • Private investigator abuses T-Mobile Austria's network data • Canadian Bank cleared
7 - News analysis: South Africa launches consultation on Protection of Personal Information Bill. The Law Reform Commission seeks feedback

MANAGEMENT & STRATEGY
8 - UK DPA approves GE's BCRs: We focus on the drafting process

LEGISLATION & REGULATION
10 - 10th anniversary of the Directive: A look at the challenges facing the European Commission in its 2006 review
12 - CNIL: whistle-blowing guidelines: The French Data Protection Authority publishes guidelines for companies wishing to implement whistle-blowing hotlines; Court orders BSN to pay compensation
14 - Data protection in Austria: An analysis of the difficulties facing companies with the Data Protection Commission and the courts
17 - Hong Kong: Interception of Communications: Why the Hong Kong government's law enforcement bodies are facing an unexpected challenge

CONSULTATION & INITIATIVES
18 - The risks of using commercial data: A public workshop in Washington, organised by the US Department of Homeland Security, tackles competing privacy and security interests

TECHNOLOGY
21 - Domain name databases dilemma: Efforts to balance privacy and access
23 - Anti-piracy v pro-privacy: The Netherlands witnesses an ongoing battle


EDITORIAL

INTERNATIONAL, DECEMBER 2005

EDITORIAL DIRECTOR & PUBLISHER: Stewart H Dresner, stewart@privacylaws.com
EDITOR: Lucy Fisher, Lucy.fisher@privacylaws.com
ASSOCIATE EDITOR: Laura Linkomies, Laura@privacylaws.com
NEWSLETTER SUBSCRIPTIONS: Glenn Daif-Burns, Glenn@privacylaws.com

ISSUE 80 CONTRIBUTORS
Joe Figuieredo, FIT services
Professor Graham Greenleaf, University of New South Wales, and Asia-Pacific Editor, Privacy Laws & Business
Jane Horvath, Privacy Laws & Business
Suzanne Innes-Stubb, White & Case LLP (Brussels)
Dr Rainer Knyrim, Attorney-at-law, Preslmayr, Austria
Robin McLeish, Barrister, and former Deputy Privacy Commissioner, Hong Kong
Dugie Standeford, Freelance journalist

PUBLISHED BY
Privacy Laws & Business, 5th Floor, Raebarn House, 100 Northolt Road, Harrow, Middlesex, HA2 0BX, United Kingdom
Tel: +44 (0)20 8423 1300, Fax: +44 (0)20 8423 4536
Website: www.privacylaws.com

The Privacy Laws & Business International Newsletter is produced five times a year and is available on an annual subscription basis only. Subscription details are at the back of the newsletter. Whilst every care is taken to provide accurate information, the publishers cannot accept liability for errors or omissions or for any advice given. No part of this publication in whole or in part may be reproduced or transmitted in any form without the prior permission of the publishers.

Design by ProCreative +44 (0)20 8429 2400
Printed by Direct Image +44 (0)20 7336 7300
ISSN 0953-6795
©2005 Privacy Laws & Business

Room for better understanding

To mark the 10th anniversary of the EU Data Protection Directive, this month's issue includes a focus on what has already been achieved (p.10). The European Commission carried out two independent studies in 2001 and 2003 on the practical functioning of the directive. The conclusion was that there was much scope for improving the way in which it is implemented (PL&B International May/June 2003 pp. 22-23). The European Commission will conduct a further review in 2006.

The fight against terrorism remains a vast privacy challenge. We take a look at the careful balancing act that Europe (p.1), the USA (pp.18-20), Hong Kong (p.17), and, by extension, the People's Republic of China, need to carry out in order to seek to protect their societies from terror, whilst protecting privacy rights. The battlefield extends to the Internet in terms of law enforcement agencies' access to the people and organisations behind domain names (p.21-22). The European Data Protection Supervisor, Peter Hustinx, explains (p.11) that when controversial proposals for new legislation are evaluated, both the DPAs and European national governments must take into account Art. 8 of the European Convention on Human Rights, which provides for a right to respect for private life.

Peter Schaar, German Federal DP Commissioner, representing the EU DP Commissioners as chair of the Art. 29 DP Working Party, commented on the US Privacy Act 1974 at a Department for Homeland Security Data Privacy and Integrity Advisory Committee Meeting in Washington DC on December 6. He said that he was dissatisfied with the scope of the US Privacy Act because it is restricted to US citizens and legal permanent residents. Therefore, the European Data Protection Authorities could not rely on the US Privacy Act to protect the privacy of Europeans travelling to the US. In Europe, the data protection laws cover everyone's personal data, not merely that of citizens. These differences, together with those that have arisen over the conflict between the US Sarbanes-Oxley Act and France's data protection law (p.12), suggest that more effort by the US Administration to understand the framework of privacy law in other jurisdictions may help to minimise such tensions in the future.

In addition to all of this, we offer the latest data protection news and analysis from countries as diverse and far-afield as Austria, Germany, South Africa, Canada, New Zealand, and Malaysia.

Lucy Fisher, Editor

PRIVACY LAWS & BUSINESS
Contribute to PL&B publications
Do you have a case study or opinion you wish us to publish? Contributions to this publication and books for review are always welcome. If you wish to offer reports or news items, please contact Lucy Fisher on Tel: +44 208 4231300, or e-mail: lucy.fisher@privacylaws.com.

2 DECEMBER 2005, ISSUE 80 PRIVACY LAWS & BUSINESS INTERNATIONAL NEWSLETTER


NEWS

Continued from p.1

Privacy concerns

Data retention and exchange pose significant privacy threats to industry and private citizens. Although the content of phone and Internet communications will not be captured, the transmission and location data to be retained provide an enormous amount of information - who is calling or e-mailing whom; when and where; how often; and so forth. Mobile phone records helped police investigate the Madrid and London attacks, a fact frequently cited by EU officials and UK Home Secretary Charles Clarke to support the need for data retention.

The sheer magnitude of the scheme is startling. The list of data in the various retention proposals includes transmission information on fixed-network and mobile telephony; Internet access; phone calls and e-mail; and records of unsuccessful call attempts. More draconian retention periods are now reduced to six to 24 months for Internet and telephony traffic, at member states' discretion, though countries are able to derogate from those terms under certain conditions. MEPs were successful in amending the latest compromise text to require "effective, proportionate and dissuasive" penalties for companies failing to store the data or misusing the retained information. Other amendments passed require member states to establish independent authorities to monitor use of the information and to ensure use of the data is restricted to specific purposes related to specific forms of serious criminal activities such as terrorism and organized crime.

So unpopular is data storage with civil libertarians that European Digital Rights (EDRI) and Dutch Internet service provider (ISP) XS4All launched an online campaign earlier this year urging the European Parliament and Commission to "examine the proposal for data retention very critically and uphold the protection of human rights, including privacy, in these difficult times." Data retention is an "invasive tool" that interferes with people's private lives and violates the European Convention on Human Rights, the petition at dataretentionisnosolution.com proclaims. Over 58,000 people signed the petition.

Business and DPAs agree on risks

"The worrying thing for businesses that aren't CSPs is that service providers will potentially have to keep very sensitive data about their customers or clients," says Richard Nash, European Internet Service Providers Association (EuroISPA) regulatory affairs manager. "Once you start putting a large amount of data in one place, on this occasion for law enforcement, there are obviously going to be threats to the security of those data, no matter how they are stored."

European Data Protection Supervisor (EDPS) Peter Hustinx agrees. Citizens and businesses alike "will be exposed to more risks, ranging from unlawful access - including hacking and other breaches of security - to finding themselves involved in serious crime investigations without good reason," Hustinx says. "As experience in totalitarian societies shows, large scale surveillance of this kind is bound to have an inhibiting effect on civil liberties, freedom of business, and so forth."

"Companies might not like business intelligence on their communications and website visits potentially to be available to their competitors" via hackers or corrupt insiders at communications firms, says EDRI board member Ian Brown.

Data retention could pose problems for organisations that process sensitive information, said Joe McNamee, EU policy director of Brussels consulting group Political Intelligence. "If you've got a sexually transmitted disease clinic, I guess you're less happy about details of your correspondence being stored by your ISP, the customers' ISP, all intermediary Internet Protocol transport services, your e-mail filtering provider and their e-mail filtering provider - it might just be easier and safer to use the fax."

Weak data protection?

The Council and Commission schemes acknowledged that data retention measures must be balanced by privacy protections. Both proposals made applicable the provisions of the 1998 EU Data Protection Directive and the Directive on Privacy and Electronic Communications to protect personal information from misuse. In addition, in a recent technical briefing for MEPs, Commission representatives made clear that once data have been obtained from CSPs and processed by the competent law enforcement authorities, they will be covered by applicable national legislation. The final document was not available at deadline, but the compromise on which it is based is also subject to the two data protection directives.

This is where the Commission's proposal to facilitate exchange by law enforcement agencies of existing personal data comes in. It is part of a legislative package whose second piece is a plan to harmonize national data protection laws. The latter measure is necessary, the Commission says, because the Data Protection Directive does not apply to the processing of personal information in the context of police and judicial co-operation in criminal matters. The measure will not only ensure that privacy rights are respected but also that law enforcement attempts to exchange personal data are not thwarted by different levels of data protection in the 25 EU member states.

Among other things, the draft framework decision addresses general and specific rules on the lawfulness of processing personal information; rights of data subjects; and the confidentiality and security of processing. It sets judicial remedies and sanctions for misuse of data. It calls for the establishment of supervisory authorities and a working party to oversee the processing of personal data in criminal matters. It also contemplates an EU-level mechanism for ensuring that personal information is exchanged only with those countries outside the EU that have adequate data protection schemes.

But data protection authorities fear privacy rights will not be adequately safeguarded either under the various data retention proposals or under the data protection document in their current form. In September, the EDPS issued an opinion on the then Commission data retention draft. (He was not asked to comment on the Council framework decision.) Hustinx questioned the need for storage of communications traffic data for anti-terrorism and criminal investigations, but stressed that if such a measure is adopted, retention can be justified only if it is proportionate to the objectives it seeks to achieve and if adequate safeguards are in place. He believes no data retention scheme can rely simply on existing data protection laws because they are too general.

"Data protection rules in the context of data retention should provide for limited storage; targeted access; no fishing expeditions; high security; audit trails on access; and so forth," Hustinx says. "This might keep or restore public confidence, at least to some extent." The Commission's data protection proposal is "important and welcome in itself, but does not contain any specific safeguards as required in the context of the proposed data retention directive." Hustinx will analyse the data protection measure more fully in an opinion due out shortly.

European Data Protection Commissioners (DPCs) have also slammed the idea of mandatory traffic data retention. In an October 21 opinion, the Article 29 Working Party said retention "interferes with the inviolable, fundamental right to confidential communications." Any restriction of that right must be "based on a pressing need, should only be allowed in exceptional cases and be the subject of adequate safeguards." Like Hustinx, DPCs questioned the need for data storage, and stressed that any such general scheme must be justified, narrowly targeted, and regularly evaluated.

Business impact

CSPs, who say they will bear the brunt of data retention, have been among its most vociferous critics. A major sticking point in all the proposals has been who will compensate phone companies and ISPs for what they say will be the massive additional costs of retaining the data and converting them into a form useful to the police. Operators claim existing technology does not permit retention of some types of data sought, and say they will have to revamp their infrastructure and systems to capture the information required - all of which requires money that, CSPs insist, governments must pay. The final text leaves it to national governments to decide whether or not to compensate CSPs.

Under the Council framework decision, the decision as to whether or not to compensate CSPs is left up to national governments. The Commission version, however, foresees a provision requiring member states to reimburse any additional costs accrued.

Over the summer, five key European industry groups branded both proposals "an active choice to move away from a proven and constructive approach where industry's expertise and good-will are used to maximum effect to fight crime, towards an untargeted, expensive and all-pervasive approach."

In their statement to justice ministers, the European Competitive Telecommunications Association, the European Telecommunications Network Operators' Association, EuroISPA, GSM Europe (which represents the wireless communications industry), and the European Cable Communications Association warned that data retention would undermine Europe's competitiveness by hiking costs for both CSPs and consumers. If governments persist in enacting data retention, they said, "industry expects a clear commitment from policy makers to ensure that all industry's costs are covered." Following the December 15 parliamentary vote, the groups said the absence of a provision requiring cost reimbursement means that governments "may not even be required to consider the proportionality" of their data retention laws.

All CSPs who retain data must keep it secure from hacking and other attacks, so "increased data retention increases the burden of ensuring the data are safe," McNamee says. Ironically, he adds, "data retention creates a security risk that did not previously exist."

Outsourcing risks

Data retention will affect other industry sectors as well. Companies that outsource part of their communications to a CSP will find information having to be stored by that provider that they themselves would not have to retain, according to McNamee. Take MessageLabs, which filters spam and viruses from corporate e-mail systems before they arrive in a company's network. "As they provide a communications service, I'm not sure how MessageLabs could not be covered," he says, but "what on earth would be the point? And what's the point of storing logs of spam/viruses for a whole year?"

Next steps

The data retention directive will be challenged at the EU and, most likely, national level. The Irish government has reportedly announced it will file suit in the European Court of Justice on the grounds that the legal basis for the legislation is incorrect. Several countries believe the issue belongs in the "third pillar," where justice and security-related decisions are handled via unanimous consent of national governments, rather than in the "first pillar," where decisions are made by majority voting among governments with consent from the European Parliament.

Data retention raises troublesome issues with respect to the rule of law, values, the need for better regulation, procedure, technical complexities, consumer rights, and risk and security, says MEP Charlotte Cederschiold of the Christian Democrats. "These matters are too far-reaching to be handled on the EU level with its weak democratic system."

CSPs will likely now monitor national legislators to ensure they do not impose even tougher data retention provisions, and lawsuits over national implementation schemes may follow.

How will those who process personal information negotiate the maze of existing and new data protection rules? CSPs will continue to be subject to national measures under the two EU directives as well as those measures implementing a possible data retention law, Hustinx says. The new framework decision on data protection will "hopefully be compatible" with the current scheme. The distinction between data protection in general and data protection in the context of law enforcement information-sharing activities "exists mainly on the EU level" and is much less relevant nationally. Quite a few member states have data protection laws that don't distinguish between the two, Hustinx says: "The need for consistency is clear to everyone."

AUTHOR: Dugie Standeford is a freelance journalist. dstandeford@warren-news.com


