Examination of Witnesses (Questions 480 - 494)
TUESDAY 9 MARCH 1999
MRS ELIZABETH FRANCE AND MR DAVID SMITH
Mr Cunningham
480 On the question of law enforcement, are you
unhappy with the current interceptions in terms of communications?
What sort of problems do you have with that?
(Mrs France) It does not currently impinge
on my responsibilities to the extent that it will in the future.
We talk a lot at the moment about convergence; clearly convergence
of technologies is going to mean that those areas are going, by
necessity, to come more closely within my remit than they have
done previously. We have expressed concerns about IOCA; we welcome
the fact that the DTI and Home Office papers says the time is
right to review it, though our reasons for reviewing it might
be slightly different from theirs, and we would want to look at
the fact that it relies on a Secretary of State warrant as opposed
to a judicial warrant for interception. As far as we have been
concerned, under the 1984 Act exemptions from the law are only
on a case-by-case basis, although the exemptions for national
security are broader. I have had some concerns about the definition
of national security for data protection purposes and whether
perhaps too broad an exemption has been claimed. It is something
I wrote to the Secretary of State about, both under the previous
Government and under the present Government. Indeed, we are hoping
that some review of that boundary will be undertaken before the
1998 Act comes into force.
481 You say you are "hoping", but are
you confident that the review will improve the situation?
(Mrs France) All I can say is that under
the 1998 Act there are greater powers to question that than there
were under the 1984 Act. Under the 1984 Act if the Secretary of
State for the Home Department issued a certificate saying the
national security exemption applied there was nothing we could
do to challenge that. Under the 1998 Act there is the possibility
of appeal to the Data Protection Tribunal if an individual feels
that the exemption has been too widely claimed.
482 What controls do you think should apply to
law enforcement agencies wanting to decrypt encryptable material?
(Mrs France) I use the same principles
that I apply in other law enforcement areas: you start on the
assumption we have a fundamental right to privacy and you only
start to erode or invade that in limited circumstances on a case-by-case
basis. My concern in relation to encrypted material also goes
beyond that and relates to whether you should actually compromise
a key in any circumstances. There are two issues: should there
be any circumstances in which it is open to law enforcement agencies
to look at encrypted messages? I have to draw the conclusion that,
yes, there will be such circumstances. However I would like those
to be closely controlled and I would like us to be looking to
judicial warrant or the sorts of tests you would expect to find
if somebody were coming into my house to search for materials
in the more traditional way, that I might choose to cooperate
or you might have to go and get a warrant. The additional issue
when talking about encryption is that there are circumstances
in which, as with tapping of telephones, it may be they would
have justification for intercepting without the knowledge of the
person sending the message; and in those cases I would be very
concerned about the possible compromising of the key; and I would
like us to consider whether in fact that is ever necessary, or
whether the warrant could be applied where appropriate to the
trusted third party and the information provided to the law enforcement
agencies in plain text.
483 Let us pursue the point of third parties
and the keys. Is there a role for you in ensuring standards or
laying down standards or even monitoring that situation?
(Mrs France) I think there will be a
role. I see that the DTI consultation paper, which came out last
Friday, says they intend to give OFTEL the primary role. I think
OFTEL would have the technical expertise in this area to undertake
that role, and that is what we had expected to be said. It also
expands on the earlier question you asked me about technical expertise.
We are working very closely now with OFTEL on the enforcement
of the telecommunications regulation under the EU Telecommunications
Directive, some parts of which come into force on 1 May. I would
have expected the dual approach to be a sensible way of working,
with OFTEL taking primary responsibility for technical standards
but involving us where issues relating to the potential abuse
of personal data arise.
484 Who is involved in debating these issues:
is it yourself or the DTI?
(Mrs France) We have not been directly
involved in discussions leading to the production of the most
recent consultation document, for example. I am not a civil servant,
I am independent of government; and, therefore, when things are
being discussed, to give advice to ministers, sometimes we are
involved and sometimes we are not. Having said that, we have been
involved in wider discussions about these issues over a long period
of time; we have submitted evidence to the earlier DTI paper;
we are in constant touch with officials in the DTI and the Home
Office on these issues, but not specifically on the proposals
being put together.
485 Could you say a little more about ensuring
standards, because you took me back to something earlier in reply
to my question. Exactly how are you going to tackle the question
of standards along with OFTEL?
(Mrs France) Are we talking about standards
purely in relation to encrypted messaging or generally in relation
to data protection?
486 It is both in actual fact.
(Mrs France) In terms of data protection
law generally, we have within the law eight high level principles (a
different eight in the 1998 Act than the 1984 Act) which
set out the high level standards that anybody processing personal
data must comply with. I have power to enforce those by administrative
enforcement action. What we normally do is try to work pro-actively
to avoid the need for enforcement action by working, for example,
on codes of practice to establish standards. We are very keen
in the web context on working at privacy statements and encouraging
audit of web sites. There are a range of ways in which we can
try and look at standards. Under the new Act we have increased
powers in relation to codes of practice. Under the 1984 Act I
can encourage codes of practice, and some have been encouraged.
Under the 1998 Act not only can I continue to do that but I can
issue codes of practice myself, and those codes of practice can
then be prayed in aid in any enforcement action. There are two
areas where I have promised early codes of practice, and they
are the use of CCTV and data matching. There is no reason why
we should not go on to look at generic codes of practice in other
areas; or indeed why we should not go to groups, such as internet
service providers, and suggest to them they should come forward
to us and work with us to produce codes of practice which could
then be considered as codes of practice laid under the 1998 Data
Protection Act.
487 Going back to a question I asked you earlier
in relation to where the debate was taking place, you indicated
you advised ministers and you were some distance away when it
came to debate with government agencies and that sort of thing.
Do you think you should be more involved in the study? Is that
what you were suggesting? Do you feel you have been left out of
the debate?
(Mrs France) No, I do not think we feel
we are being left out of the debate. We have every opportunity
to speak publicly. There are pros and cons in being involved on
the inside in these discussions. We are free to express independent
views and we do that. Our views on the DTI paper that was issued
last autumn were published. We have opportunities to ask to see
ministers on any issues which arise. I have a useful power, one
I have not used but perhaps you are encouraging me that I should
use it more often, which is the right to make reports to Parliament
at any time. The opportunity to speak before a committee of this
kind perhaps gives me a similar opportunity.
488 You do not have any problems, if you hear
about something, in pursuing that with the government or any other
agency?
(Mrs France) No.
Chairman
489 The National Consumer Council, when they
came to us, suggested that data protection regulation "has
always gone the way of business" and that consumers should
be asked to opt in to having their personal data used by firms
for marketing. How do you respond to that?
(Mr Smith) The general standard at the
moment is that individuals will opt out of the use of their information
for marketing; but when you come to electronic commerce, and that
marketing is by e-mail, our view certainly of the law as it is
developing with implementation of the Distance Selling Directive,
and even the recently introduced telecoms regulations, is that
prior consent will be needed where you are talking about what
is essentially spamming or bulk e-mailing. This is because that
is an automated process more akin to use of fax which in future
will be outlawed without prior consent. Our view of the law as
it is developing is that we are moving towards that standard anyway,
certainly in relation to electronic commerce; it is a slightly
different question in relation to the more traditional forms of
marketing.
Mr Butterfill
490 The OECD are putting forward a proposal that
credit card companies should collect information which might then
be used for the collection of VAT from distance selling. Is this
something you have had an input into; do you have a view on it?
(Mrs France) I did not know it was an
OECD proposal, but we have made some enquiries about it.
(Mr Smith) The position, as we understand it, is that
for it to work credit card companies have to collect more information
than they currently collect from individuals. At the moment if
I purchased books on the internet from Amazon in the States all
the credit card company would know was that it was from Amazon,
the amount and their location, but they would not know what I
had purchased. I do not know the United States tax regime, but
in the United Kingdom the tax rate is different on books than
if I had purchased a CD. This would suggest that credit card companies
at the very least would need to start collecting information on
what had been purchased, not just the value of purchases; and
that raises a great deal of privacy concerns if credit card companies
are going to be able to track not just where I spend the money
but what I have actually bought with it as well.
491 They would not necessarily have to do that;
they would just need to report to Customs and Excise that a transaction
had taken place, and Customs and Excise could get on to the customer
and say, "What did you buy, and have you paid VAT?"
(Mrs France) If that was the approach
it would be more privacy-friendly, but I do not think it would
be very attractive to Customs and Excise. We would be very worried
about such a proposal, because there is already sufficient potential
for profiling a customer's behaviour, and we have to watch that
closely as it is. This would be going further and collecting more
information. I do not know that credit card companies would find
it an attractive proposal, and certainly we would want to scrutinise
it very carefully if it were something that were to get further
consideration.
Mr Morgan
492 How do you think the Government should tax
these on-line transactions?
(Mrs France) We have to have a totally
different approach once we are talking about the global marketplace,
and I am no expert on taxation. You only have to look at the debates
going on, on intellectual property rights and copyright, to see
we do have to take a new approach to some of these issues. I would
not pretend to know what the solution should be, but I think to
look at traditional ways might not be, in the long-term, the way
forward.
Mr Butterfill
493 Have you been asked to give a view on this?
(Mrs France) No, we have not.
Chairman
494 Before we finish could I just return to this
jurisdictional question. Within the European Union there is going
to be established a regime and it may have difficulties but, by
and large, folk will know the rules. What is going to happen outside
of Europe with countries like Russia and China with whom we
are meant to be doing increasing amounts of trade but whose legal
structures, whose concepts of the law of contract, are perhaps
not as well developed as our own?
(Mrs France) I think we are going to
have to rely on the approach we take within the European Union
jurisdictions. If it is a business-to-business transfer we are
going to have to (and indeed the law does) put the onus on the
European-based controller to make sure that proper safeguards
are in place if he exports. There is a problem for us in the United
Kingdom if we rely on contracts for redress at the moment; because
at the moment there is the concept of privity of contract, which
means if a United Kingdom company contracts with a company somewhere
outside Europe in order to put safeguards in place by virtue of
contract, there is no way in which a third party can ally themselves
to that contract and get redress. However, that matter is now
being addressed and there is legislation proposed to amend that
law, so that contract might be one way forward. The other way
forward is education. Where we are talking about individuals getting
involved themselves on-line with business opportunities or being
encouraged to pass their data to countries outside Europe, then
we would be trying to educate them on the sorts of symbols they
should look for; and I have already mentioned the OECD are working
on what they call a "wizard", which is a way of generating
a privacy statement which will say what that site will do with
your personal information; we have tried it out ourselves to see
what sort of statement it produces for my office, and it is being
worked on as a pilot at the moment. We are very keen to see developed
the self-regulation that organisations like TRUST-E and BBB On-line
are providing. If we can educate consumers (and we shall never
be 100 per cent. successful in that) and if we can encourage consumers
only to part with their personal data in circumstances where they
see a symbol they can rely on, or where they are given an assurance
their data is not going outside a jurisdiction which gives them
rights, then that is another approach to the problem. I am not
suggesting for one moment it will be watertight.
Chairman: Thank you very much, Mrs France and
Mr Smith. There may be one or two other points we would like to
pick up with you in writing. It has been very helpful this morning,
thank you very much.