Memorandum submitted by the Data Protection Registrar
1. The Registrar welcomes the opportunity
to provide written evidence to the Committee which she understands
is considering all aspects of electronic commerce. The Registrar
has a statutory duty to promote respect for the private lives
of individuals and in particular the privacy of their information
by implementing the Data Protection Act 1984[1].
The Act gives rights to individuals about whom information is recorded
in an automatically processable form. Individuals may use their
rights under the Act to find out information about themselves,
challenge it if appropriate and claim compensation in certain
circumstances. The Act places obligations on those who record
and use personal data (data users). They must be open about that
use (through the data protection register) and follow sound and
proper information handling practices (the Data Protection Principles)[2].
2. The Data Protection Act 1984 has its
origins in the Council of Europe Convention on Data Protection
(Treaty 108)[3]
and through this in the Council of Europe Convention on Human
Rights[4].
Article 1 of Treaty 108 sets out the objective that the convention
should "secure . . . for every individual . . . respect for
his rights and fundamental freedoms, and in particular his right
to privacy, with regard to automatic processing of personal data
relating to him . . . ." The EU Data Protection Directive
(95/46/EC)[5]
which is shortly to be implemented in the UK in the form of the
Data Protection Act 1998 also states as its primary objective
that, "Member States shall protect the fundamental rights
and freedoms of natural persons, and in particular the right to
privacy with respect to the processing of personal data".
Data Protection must therefore be viewed within a human rights
context as a mechanism for preserving the privacy of the individual
through protection of his or her personal information.
3. In the late Nineties advances in information
technology and the convergence of communication and information
technologies in global networks have posed new problems in the
field of privacy protection. This new technology which has enabled
the development of e-commerce and electronic government has made
it easier to exchange large amounts of information including personal
information, both between organisations based in the same jurisdiction
and in some cases globally across international networks. The most
obvious example of this is where information is exchanged over
the Internet but new developments in interactive television also
raise the same sorts of problems. Traditional approaches no longer
provide entirely adequate solutions to the privacy problems presented
by the global nature of the media involved. Different cultural
approaches to privacy problems and the jurisdictional difficulties
involved in attempting to impose one set of rules to websites
which can be based anywhere in the world mean that any potential
solution will need to bridge the gap between the different approaches,
a problem which the OECD is currently trying to address[6]
and which is discussed in more detail below.
4. The scope of the Committee's enquiry
is very broad but the Registrar would like to limit her evidence
to the consideration of two issues: the need to protect the fundamental
rights of the individual in the electronic networked environment
and the need to generate consumer confidence in the new medium.
5. These issues are related as without the
protection of individual rights there can be no development of
trust in the new media and wherever the future of electronic commerce
is considered then data protection issues and the individual's
right to have his or her privacy respected must also be taken
into account. The importance of making it possible for consumers
to trust new technologies and the organisations involved in e-commerce
with their personal information has been recognised by both the
Organisation for Economic Co-operation and Development[7]
and the Department of Trade and Industry[8].
This is supported by research from a range of surveys, most carried
out in the USA, which indicate that fears about privacy are restricting
the development of e-commerce[9]
and it is also reflected in the fact that electronic commerce
is currently more successful in the business to business market
than in the consumer market.
TRANSPARENCY
6. Although the application of the technologies
involved in e-commerce are new the data protection issues which
arise are not. The provisions of the Data Protection Act 1984
already apply to the obtaining and processing of personal data
over the Internet.
7. Principle 1 of the Data Protection Act
1984 provides that those persons holding information about living
individuals in an automatically processable form ("personal
data") should obtain and process that information fairly
and lawfully. In essence this means that individuals should know
who is obtaining their data and the purposes for which that person
intends to use the individual's information. Some uses of an individual's
information may be obvious, for example the collection of a name
and address to despatch goods, but other uses are not and should
be explained.
8. Where information is collected by traditional
means this would usually mean that a clear notification should
be provided to the customer either on an application form, or
orally, identifying the data user and explaining the uses that
the data user intends to make of the individual's data. The first
step in providing privacy and data protection for the individual
is the provision of proper information, for example via website
privacy statements, which should explain the site's privacy policy,
preferably based on the relevant domestic law or the OECD Privacy
Guidelines[10].
This should indicate what data will be collected from visitors
to the site and the uses that will be made of it. Clear notifications
of the uses that will be made of any personal data should also
be provided where that data is collected via on-line application
forms.
9. In many ways the nature of electronic
commerce makes it easier for organisations collecting information
via websites to provide effective notifications to the individual.
It is not difficult for a site owner to build in screens explaining
to consumers what is happening to their information and to provide
icons they can click on to exercise choices. Many companies already
display privacy statements or codes of practice on their websites
and a few organisations have also developed guides to help produce
these statements.
10. A significant development in this area
is the project undertaken by OECD who have developed a 'wizard'
to help organisations design privacy policies and statements based
on the OECD Privacy Guidelines. This is currently being piloted
on the OECD website, (although access is currently restricted
to a number of private and public sector organisations) and the
Registrar has supported the OECD in this work which she believes
can provide an approach acceptable to both EU and US based organisations
despite their different cultural approaches to regulation, which
are discussed in more detail later.
11. Even more stringent provisions relating
to the transparency of processing are imposed by the Data Protection
Act 1998 which we expect will come into force this year and which
implements the EU Directive on Data Protection. Those processing
personal data when the new Act comes into force will have to show
that they have legitimate grounds for the processing of personal
data. This should cause few problems but where sensitive data
is concerned the clear consent of the data subject will be needed
to authorise the processing. This level of consent will be difficult
to achieve if no clear notifications are provided to individuals.
SURREPTITIOUS COLLECTION OF PERSONAL INFORMATION
12. The collection of information as a result
of electronic transactions is subject to the same rules as the
collection of information by traditional methods but at present
individuals are often unaware that they may leave electronic footprints
when visiting websites and using on-line services. Current Internet
software is capable of processing personal data in an invisible
and unfair way and marketing companies operating on the Internet
use this software to collect information such as click stream
data, which provides a trace on the websites visited by the surfer
and the dates of any visits, as well as information about the
type of computer and software used by the surfer and keywords
typed into Internet search engines. In addition to this e-mail
addresses are often captured surreptitiously from visitors to
websites or collected from chat rooms and used for marketing.
13. Consumers should be in control of the
access to their data and how they are used. It cannot be assumed
that consumers understand what is happening, particularly if those
less at home on the Internet are to be attracted to electronic
commerce. Without knowing whether or not his or her information
is being collected, an individual cannot assess the costs and
benefits of participating in an electronic transaction.
14. The verification of customer and trader
identity, which is commonly seen as essential for the development
and growth of e-commerce, may also present problems in this area.
Clear identification of individuals can facilitate more extensive
tracking and profiling of customer activity. This has already
been developed in the conventional retail environment in which
loyalty cards and other tracking systems are being deployed. In
the on-line world the potential for surveillance is increased
even further as it becomes possible not only to record transaction
information but even to track the customer's progress down the
virtual high street recording information about the shop windows
he or she stops to look at. Surreptitious tracking of an individual's
activity is always likely to involve the unfair obtaining and
processing of consumer data.
SECURITY
15. The security of information collected
electronically is also an issue and Principle 8 of the 1984 Act
and Principle 7 of the Data Protection Act 1998 require that those
processing personal data take adequate security measures to protect
it. This has implications for those collecting personal data over
the Internet, especially where that data is of a sensitive or
financial nature. The Registrar expects to see organisations collecting
information over the Internet putting appropriate technical safeguards
in place to prevent unauthorised access to the information they
hold. Techniques such as encryption should also be used as part
of that process where appropriate.
16. The Registrar developed an approach
to the use of commercial cryptography in connection with the DTI
Consultation on Trusted Third Parties (TTPs)[11].
It is her view that the use of encryption techniques should
not be constrained but that anyone should be free to use whatever
technique they wish to protect information content, and for authentication
and for validation purposes. The third of the OECD Guidelines
for Cryptography Policy[12],
"Market driven development of cryptographic methods",
supports this approach, stating that "Cryptographic methods
should be developed in response to the needs, demands and responsibilities
of individuals, businesses and governments".
17. However the Registrar also recognises
that regulation offers consumer protection and data protection
legislation seeks to protect the individual's privacy by protecting
his personal data. There are connections between data protection
and consumer protection. In the case of the TTP user the protection
of the individual's privacy and the protection of the consumer
may come together. In our view, seeking to protect the interests
of those using TTP services by regulation parallels seeking to
protect the interests of users of other services (for example,
banking services) by regulation. Indeed in the absence of any
regulation it is difficult to see how users of TTP services, particularly
those without technical expertise, can assess the quality of those
services. There is therefore merit in establishing a regulatory
regime for those who are providing encryption services to others
in order to set and assure the standard of those services.
18. Effective and efficient TTPs that fulfil
their functions in a recognisable and trustworthy way should promote
justifiable confidence in their services and also in those systems
and services dependent upon their encryption services. Electronic
Commerce can only benefit from this increased confidence. The
use of trusted methods of cryptography will make it easier to
authenticate transactions without necessarily identifying the
particular individuals involved in those transactions. Cryptography
can therefore serve a dual purpose by increasing the security surrounding
transactions involving personal data and working as a privacy
enhancing technology safeguarding the privacy of the individual.
The European Commission have also recognised the importance of
developing a uniform approach towards the regulation of TTPs and
use of electronic signatures and cryptographic methods and have
proposed an Electronic Signatures Directive which seeks to create
a consistency of approach within the Member States in this area.[13]
LAWFUL ACCESS
19. The Registrar accepts that law enforcement
agencies should have reasonable access to encrypted and unencrypted
information provided or created as a result of e-commerce transactions;
however, such access should only be exercised where it is in accordance
with the public policy objectives set out in Article 8(2) of the
European Human Rights Convention[14]
which recognises the legitimacy of interference by a public authority
in the exercise of an individual's rights to respect for his private
and family life, his home and correspondence where it is necessary
"in the interests of national security, public safety or
the economic well-being of the country, for the prevention of
disorder or crime, for the protection of health or morals or for
the protection of the rights and freedoms of others". In
order to ensure that access is not abused the Registrar believes
that it should be necessary to obtain this type of information
via a warrant. Access to information in transit such as information
contained in an e-mail or transaction information is currently
achieved via warrant under the Interception of Communications
Act 1985. However the Registrar is unhappy with the current situation
because IoCA warrants are not subject to judicial scrutiny either
at the point of issue or, because the information obtained is
not admissible as evidence, by a court at a later date, and she
believes that it is now time to amend IoCA so that an application
for a warrant to obtain this type of information is subject to
judicial consideration.
20. Where information is encrypted the position
is even more complicated as allowing law enforcement agencies
access to decryption keys could permanently prejudice the integrity
of that key. Where an individual is informed that the law enforcement
agency has been given access to the key then the problem is avoided
but in cases where it is not possible to inform the individual
that the integrity of the key has been compromised the Registrar
would prefer to see a TTP decrypt the information for the law
enforcement agencies allowing them access to plain text only.
In this way the integrity of the key could be preserved and many
of the concerns which have recently been expressed about lawful
access to encrypted information could be circumvented.
TRANSBORDER DATA FLOW
21. The Data Protection Act 1998 also includes
a new Principle 8 which restricts the transfer of personal data
to countries and territories outside the EEA unless that third
country can provide adequate safeguards for the data and these
provisions will have implications for those making personal data
available on the Internet as such action would make the information
globally accessible and would be considered to be a transfer of
the information world wide. However the provisions need not be
a barrier to e-commerce as transfers will still be able to take
place where the transfer is with the consent of the consumer or
is necessary for performance of a contract, and what is an adequate
safeguard will depend on the circumstances in a particular case,
such as the final destination of the data or whether or not the
data is sensitive. Nevertheless this provision should mean that
consumers are able to maintain some control over the final destination
of their data and have some reassurance that their details will
not be passed to countries where there is inadequate protection
of their privacy.
JURISDICTIONAL PROBLEMS AND NON-LEGISLATIVE SOLUTIONS
22. The Working Party set up under Article
29 of the EU Directive on Data Protection (95/46/EC) has already
established that the provisions of the EU Data Protection Directive
apply to the Internet and there is no argument that the provisions
of the Directive should apply to the processing of data in relation
to on-line services and the application of existing UK data protection
law to the Internet has also been acknowledged by the Department
of Trade and Industry[15].
The Registrar also believes that the Telecoms Directive[16],
(to be implemented in the UK by the Telecommunications (Data Protection
and Privacy) Regulations) and the Distance Selling Directive[17]
will increase the regulation on those wishing to make unsolicited
marketing approaches using electronic communications. However,
the application of the law to this new technology may not always
be consistent even throughout the Member States and the global
nature of the medium means that there are jurisdictional problems
protecting personal data originating from EU citizens when it
is collected on a website based outside the EU.
Self Regulation
23. At the recent ministerial conference
in Ottawa[18]
the OECD addressed the problem of the divergent approaches to
regulation currently adopted by the USA and the European Union,
the EU favouring a legislative approach while the USA supports
self regulation and committed the OECD countries to reaching a
compromise which would "build bridges" between the different
approaches. The Registrar is supportive of this goal as she does
not see legislation and self regulation as mutually exclusive.
24. Whilst the Registrar believes that a
primarily legislative approach to regulation of e-commerce provides
the greatest safeguards for the individual she recognises that
the global nature of electronic commerce presents jurisdictional
problems which cannot easily be overcome. Self-regulation and
other non-legislative approaches to these problems have an important
part to play in regulating the media and the development of common
standards for data protection is to be encouraged. However such
standards must provide an adequate level of protection and should
be based at the very least on the OECD privacy guidelines which
it has now been recognised can apply to the Internet. At present
standards are being developed independently of recognised privacy
criteria and there is a danger that consumers will be confused
by too many privacy seals of approval all of which might be based
on different and in some cases inadequate criteria. Governments
need to address the question of how best to encourage consistent
and effective industry standards.
Technological Solutions
25. In their recent proposal for an electronic
agenda for the UK[19]
the DTI recognises that a key factor in the success of e-commerce
is the level of trust which consumers place in the technological
infrastructure. The Registrar considers it important that those
developing hardware and software are aware of the privacy implications
of their designs. The recent controversy surrounding the introduction
of INTEL's Pentium III chip which allocates each chip a unique
processor serial number (PSN)[20]
making it difficult for individuals to remain anonymous on the
Internet, illustrates the problem of ensuring that those developing
the technology take privacy issues into account. However the Registrar
believes that technology can also provide one of the most
effective mechanisms for improving privacy protection and has
been monitoring and encouraging the development of these privacy
enhancing technologies (PETs) as part of her work with the Article
29 Committee and the OECD[21].
26. Rating systems are being developed to
indicate the ways in which commercial web sites will use personal
data and to allow for negotiation and choice. The Open Profiling
Standard has been proposed by Microsoft and Netscape and the P3P
project, a privacy preference system which can be built in to
browsers and which allows the individual to decide how much information
he or she provides to a site, is being developed by W3C (The World
Wide Web Consortium). The development of this type of privacy
enhancing software is welcome; however the Article 29 Committee
have recently expressed reservations that P3P[22]
appears to be based on the lowest common standards of data protection
rather than the higher standards set by the OECD Privacy Guidelines.
The controversy over the effectiveness of P3P illustrates the
problems which can arise when PETs are developed without reference
to existing standards and safeguards which must be addressed if
technology is to play an effective part in providing a solution
to the privacy problems related to e-commerce.
27. The success of privacy enhancing technologies
will also ultimately depend on whether or not the average Internet
user is sophisticated enough to employ the technology in order
to protect his or her information. Software providers must ensure
that privacy enhancing technologies are as easy to use as possible
to ensure that unsophisticated users are not put at a disadvantage
and can play an important part in advancing the education of the
average Internet user.
Education
28. Education can also play an important
role in alerting data subjects to the threats to their privacy
that arise on line and can help them understand how to avoid divulging
more information than necessary. The Council of Europe has recently
produced guidance for both data subjects and data controllers
which the Registrar welcomes but there is also a need for those
organisations involved in offering services on the Internet to
provide clear advice and information to data subjects on line,
for example through privacy statements. The Registrar also believes
that data protection authorities can play a role in educating
data subjects and is currently developing her own guidance.
ELECTRONIC GOVERNMENT
29. The topics which we have considered
so far have been related to e-commerce but there are similar considerations
which must be taken into account where moves are made to develop
electronic government. One of the themes running through the government.direct
green paper is the fact that the public sector can learn from
the experiences of the private sector (particularly banking and
financial services) and it is possible to draw some parallels
between the e-commerce experience of privacy issues and the problems
which will be faced by the public sector. In fact if further integration
of public sector and private sector services occurs the private
sector may be contracted to deliver services on behalf of the
government using the same technologies that have proved successful
in the e-commerce environment. However it must be remembered that
the state has a more complex relationship with the citizen than
the average business has with the potential consumer.
30. Many electronic government initiatives
are still on the drawing board, and at the moment it is not possible
to predict what some of the data protection issues will be and
therefore what concerns will need to be addressed. Many of the
proposals coming from government departments involve the sharing
of data or the creation of common databases. There is often a
tension between, on the one hand, fraud prevention and detection,
collection of taxes, collection of debt and, on the other, facilitating
the interaction of the citizen and the state. For instance, many
local authorities would like to create systems allowing the citizen
a single point of contact for all local government services, whether
these be benefit claims or applications for leisure passes. On-line
services would provide the mechanism for facilitating this and
such services would have benefits for the individual. However,
where local authorities are also under pressure from central government
and district auditors to data match for the purposes of the detection
of benefit fraud and the maximisation of income there is a temptation
to use data collected for one purpose for something completely
different and it is not difficult to see that the citizen may
be reluctant to make use of the one stop shop if he mistrusts
the way in which any information which he provides may be used.
31. Thus the success of electronic government
rests with the level of trust which the individual is willing
to invest in the new medium and as with electronic commerce data
protection is central to developing that trust. The Registrar
would like to see the development of codes of practice regulating
the use of personal data in electronic government initiatives
and is anxious to stress that data protection should be seen as
a facilitator not a barrier to such initiatives.
CONCLUSIONS
32. The Registrar welcomes the development
of electronic systems for delivering trade and government services
and recognises that such developments can bring considerable benefits
to the customer and the citizen but she would stress that these
benefits need not be realised at the expense of the individual's
privacy. She would therefore like to urge Government and Industry
to keep individual rights in mind when developing these initiatives
and to adopt a privacy enhancing approach rather than an approach
which compromises the privacy of the individual.
3 March 1999
[1] Mission Statement of the Data Protection Registrar, see The Fourteenth Annual Report, June 1998, ISBN 0105519367.
[2] Broadly the Principles under the Data Protection Act 1984 state that personal data shall: be processed fairly and lawfully; be held only for lawful purposes which are described in the register entry; be used and disclosed only for those or compatible purposes; be adequate, relevant and not excessive in relation to the purpose for which they are held; be accurate and, where necessary, kept up to date; be held no longer than necessary for the purpose for which they are held; be surrounded by proper security.
[3] Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, European Treaty Series 108, Strasbourg 1981.
[4] Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, European Treaty Series No 5.
[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Official Journal of the European Communities L281, Vol. 38, 23 November 1995, ISSN 0378-6978.
[6] OECD Ministerial Conference on Electronic Commerce "A Borderless World: Realising the Potential of Global Electronic Commerce", Ottawa, October 7-9 1998, Ministerial Declaration DSTI/ICCP/REG(98)10, www.oecd.org/.
[7] OECD Committee for Information, Computer and Communications Policy: Privacy Protection in a Global Networked Society, 1998, DSTI/ICCP/REG(98)5/FINAL, www.oecd.org/dsti/sti/it/secur/act/privnote.htm.
[8] Net Benefit: The Electronic Commerce Agenda for the UK, October 1998, www.open.gov.uk/dti.
[9] See for example the Harris/Westin Survey conducted in 1998, which revealed that 90% of consumers were either concerned or very concerned about privacy on the Net. Privacy and American Business, Vol 5, Number 1, March/April 1998, http://shell.idt.net-pab, ISSN 1070-0536.
[10] Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, www.oecd.org/dsti/sti/it/eecur/prod/priv-en.html.
[11] For a further discussion on the implications of the regulation of TTPs see the Response of the Data Protection Registrar to the Licensing of Trusted Third Parties for the provision of Encryption Services, June 1997.
[12] Cryptography policy: the guidelines and the issues, ISBN 92-64-16023-X, www.oecd.org/dsti/iccp/cryptoe.html.
[13] Proposal for a European Directive on a Common Framework for Electronic Signatures, COM(1998)297/2.
[14] Council of Europe, Convention for the Protection of Human Rights and Fundamental Freedoms, European Treaty Series No 5.
[15] Net Benefit: The Electronic Commerce Agenda for the UK, October 1998, www.open.gov.uk/dti.
[16] Directive 97/66/EC on the processing of personal data and the protection of privacy in the telecommunications sector, 15 December 1997.
[17] Directive 97/7/EC of the European Parliament and the Council on the Protection of Consumers in respect of Distance Contracts.
[18] Details on website http://www.oecd.org/.
[19] Net Benefit: The Electronic Commerce Agenda for the UK, October 1998.
[20] http://.www.w3.org/P3P.
[21] See for example Report of the OECD Workshop on Privacy Protection in a Global Networked Society, Paris 16-17 February 1998, OECD DST/ICCP/REG(98)5/Final.
[22] Platform for Privacy Preferences (P3P) and the Open Profiling Standard, 16 June 1998, WP11 5032/98.