(This article was originally published in the iTech Supplement of the Times of Malta in April 2002)
The new Maltese Data Protection Act will create a new privacy landscape for Internet users.
Millions of Internet users around the world often surf the Web or search for information which is available on-line. These activities are, however, not risk-free from a privacy point of view.
The new data protection regime, with the Maltese Data Protection Act coming into force shortly, will create new rights for Internet users as well as new obligations for controllers of data collected on persons connecting to the Internet, such as Internet Service Providers (ISP).
Perhaps the most common activity carried out by Internet users is visiting websites for the purpose of gathering information. This involves passively viewing the content of a web page. Often, the user has to click through the web pages via a hyperlink, or click on an advertisement banner, or fill in further information in a form. All of these activities are collectively referred to as 'web surfing'. This is done by means of a web browser that connects the Internet user to a web server somewhere on the Internet. It is also possible to interact with websites in a more active way.
In the context of the Internet, a lot of information is collected and processed in a manner that is invisible to users, known in Data Protection (DP) jargon as 'data subjects'. The Internet user is sometimes not aware of the fact that his/her personal data has been collected and further processed and is consequently, available for use for any number of undisclosed purposes. This process creates a situation where the data subject does not know about the processing and therefore has no say on the processes that will take place.
On the Internet, personal data flows across oceans and countries in a split second. In this global and ultra fast environment the traditional principles of data protection, namely those concerning the rights of a data subject over the data held, as well as the specific purposes of the processing are often ignored. In many cases, users are not fully aware of the existence or capabilities of the hardware and software used for the processing of their personal data and how these technologies can slowly erode their privacy. Cookies, E.T. applications and sniffers (tools used to gather information and monitor your movements on the Internet) are only a few of the methods used to abuse away the rights of privacy of an Internet surfer.
The data subjects right to know
In Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet performed by Software and Hardware, the European Union underlined clearly the importance of legitimate processing of personal data and the requirement that the data subject be informed of the processing that is taking place.
Internet software (e.g. web site) and hardware products (e.g. routers) should inform Internet users about the data they intend to collect, store or transmit, and the purpose for which these are required. Furthermore, these software and hardware products should also enable the data user to easily access any data collected about him/her at any stage.
The speed of data flows on the Internet cannot be used as an excuse for not fulfilling the obligations found under the new Data Protection Act, which is heavily based on the EU Data Protection Directive 95/46/EC.
The Internet is a medium that makes it possible to provide quick and simple information to the data subject. Whenever personal data is going to be collected, essential information should be given to the individual in a way that should ensure fair collection. The individual should be given the possibility to click somewhere on the website if he/she does not agree to the processing concerned or to have additional information about the processing that will take place.
Privacy Policies
Some websites post a privacy policy in which information is given as to the data the site owners are going to collect and process. These policies also specify the finalities of the processing, and the way in which a data subject can exercise his or her rights to access the data, as well as to rectify the data in case of mistakes. This is, however, not always the case and, even when privacy policies are posted, they do not always contain all the necessary information.
Privacy Policies are rarely read. One solution to this problem would be that the information is provided to the data subject directly on the screen. Another solution would be through the use of pop-up boxes at the point when and where data is collected, without requiring the user to take any action to access this information. Privacy and Data policies should be concise but informative, clear and well structured for them to be effective.
Unfortunately, the case today tends to be the opposite.
Finality Principle
The information that is provided to the data subject should, in all cases, contain ample and clear facts as to the finality or purpose of the processing. This 'finality' principle is clearly reflected in the local Data Protection Act as well as in the EU Directive.
This principle is especially important for websites collecting information from Internet users about their surfing behaviour, where software programs authorised by the user monitor their Internet behaviour for a specific purpose as well as for Internet Service Providers.
Internet Service Providers should in principle only collect navigation data on Internet users insofar as they need to provide a service to the user. ISPs sometimes cite the need to keep these data in order to be able to monitor the performance of their systems. It is, however, not necessary to keep identifiable data for that purpose, since it is possible to measure and monitor the performance of a system on the basis of aggregated data.
Fair Processing
Both the EU Directive and the new Maltese Data Protection Act contain a number of principles aimed at guaranteeing the fair processing of personal data. One such principle is that personal data should be kept in a formthat permits identification of data subjects for no longer than is necessary. This means that once the data is anonymised, so that it is no longer possible to link the data to the data subject, such data can then be used for other processing. For example, it can be used in the measuring of the performance of the service offered by an ISP or in the compilation of a survey of the number of visitors to a website.
If data on searching and surfing on the Internet is not anonymised, it should not be kept once the Internet session has finished.
When considering the fairness of the purpose of data processing, the DPA should be taken into consideration as it sets out several conditions for fair processing, including the consent of the individual and the balance between the legitimate interest of the data controller and the fundamental rights of the individual.
Data Security
The DPA also sets out the 'data security' principle, according to which data controllers should make sure that the processing of personal data is secure. In this aspect, providers of telecommunication services should offer adequate security measures that take into account the current technologies. These security measures should be proportional to the risks involved in the specific situation and in consideration of the type of personal data that is being processed. This provision is especially relevant to providers of routers and connecting lines as these facilities carry massive amounts of information.
No comments:
Post a Comment