Privacy Online

The weekly podcast from the technology section of the Guardian recently did an item on online privacy. Although it was as informative and interesting as ever I was surprised that there was no mention of the data protection laws in place that, in theory at least, protect against many of the fears raised in the discussion.

Most European Nation data protection laws resemble, or should resemble, the European Data Protection Directive, EU 95/56/EC which is often summarized as follows:

Notice—data subjects should be given notice when their data is being collected;

Purpose—data should only be used for the purpose stated and not for any other purposes;

Consent—data should not be disclosed without the data subject’s consent;

Security—collected data should be kept secure from any potential abuses;

Disclosure—data subjects should be informed as to who is collecting their data;

Access—data subjects should be allowed to access their data and make corrections to any inaccurate data;

Accountability—data subjects should have a method available to them to hold data collectors accountable for following the above principles

From http://en.wikipedia.org/wiki/Data_Protection_Directive

At first glance, the directive appears to be fairly comprehensive and favourable to the privacy of the end user. Read deeper into the document and you find that the rules can be breached in cases of national security or public interest but otherwise is still sound.

My own experience of the directive in action came from a client in Germany for whom I was hosting a web application. They requested that I did not record the IP address of users who browsed the site as it breached the directive and they even came up with a court ruling to back up their argument. Like many web site administrators, I was recording source IP addresses for troubleshooting and security purposes but also to be able to produce statistics on the usage of the web site, particularly with regards to geographical location. Although browsing of the site was supposed to be anonymous, the IP addresses could ultimately be used to trace the individual user, which is what caused the problem with the data protection directive.

Although many of the abuses of data raised in the Guardian podcast probably occur on a regular basis, in my opinion it is not necessarily due to lack of legislation but more because of inefficient enforcement of existing rules. The directive does allow for compensation to be paid in the event of damage caused by misuse of data so I guess a few high profile cases with large payouts would help tighten up data protection law compliance.