28 August 2001

Elizabeth Brownsden

1. Introduction

The rapid growth of the Internet and e-commerce has greatly enhanced the capacity of e-businesses to collect, store, transfer and analyse vast amounts of data from and about customers who visit their websites. This has given rise to particular concerns regarding the privacy of on-line customers and has been a contributing factor to the implementation of data protection and privacy legislation on a world-wide basis. This article aims to give an insight from a UK perspective, on the impact of European/UK data protection legislation on e-businesses located in the UK and elsewhere.

2. The Applicable Legislation

The European Data Protection Directive (95/46 EC) was introduced to harmonise data protection laws across the European Economic Area ("EEA")1 and to ensure that individuals across Europe would be entitled to similar minimum privacy rights. In the UK, the Directive has been implemented by the Data Protection Act 1998 ("DPA").

Both the Directive and the DPA apply to personal data which are processed by a data controller and understanding such concepts is key to understanding the impact of the DPA on e-businesses.

"Personal data" are defined by the DPA as data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession or likely to come into the possession of a data controller. Most commercial websites will collect personal data from their users, often to enable them to register or to order goods and services. Such information will normally include name, postal address, e-mail address and/or telephone number. In some cases, websites will request additional information such as gender, health or occupation and as such may find themselves unintentionally collecting "sensitive personal data" 2 which are treated more strictly by the DPA. Furthermore, the DPA will apply to personal data only if they are held on computers (as will be the case with most e-businesses) or if they are ordinary paper records which are within the definition under the DPA of a "relevant filing system."

"Processing" is defined very broadly, so that almost any use of personal data will be covered, including collecting, storing, analysing and deleting or destroying the data.

However, despite coming into force on 1 March 2000, the impact of the DPA has not yet been fully felt as the DPA contained substantial transitional provisions which broadly continued to apply earlier legislation, the Data Protection Act 1984, to eligible processing. This earlier Act had limited obligations on businesses processing personal data. However, many of these transitional provisions are due to end on 23 October 2001, after which most businesses (either dot coms or otherwise) which are processing personal data in the UK will need to comply fully with the DPA.

3. Who will the DPA Apply to?

The DPA will apply to a data controller who is either:

(a) established in the UK and the data are processed in the context of that establishment; or

(b) not established in the UK (or any other EEA state) but uses equipment in the UK for the processing the data other than for the mere transit of data through the UK.

A data controller is someone who determines the "purposes and manner" in which personal data are processed. The Information Commissioner takes the view that it is the determination of the purposes which is of most importance to the definition and a business can make this determination jointly or in common with other businesses. If a business falls within this definition of a data controller, then the DPA will apply to it regardless of whether it exists solely as a dot com with no physical presence in any country or as a small high street company with no internet presence.

A company who operates a website is likely to be a data controller even where it uses another company to host the website and as such will potentially be subject to the DPA.

The DPA distinguishes between a "data controller" and a "data processor", who merely processes data on behalf of someone else. A data processor itself does not have to comply with any obligations under the DPA but the data controller must ensure that there is a written contract between the parties which must require the data processor to act only on the controller's instructions and to comply with the security obligations which the DPA imposes on the controller. The controller must also select a processor which can provide suitable guarantees as regards the technical and organisational measures which will govern the security of the processing to be carried out and must take reasonable steps to ensure compliance with these measures.

As mentioned above, if the website operator is established in the UK, the DPA will apply. The Directive gives us some guidance on the meaning of establishment (Recital 19) and explains that it implies the effective and real exercise of activity through stable arrangements. This is likely to include limited companies, branches or subsidiaries.

Website operators not established in the UK but elsewhere in the EEA will be subject to the data protection laws of the countries where they are established. Most of these countries (with the exception of Germany, France, Ireland and Luxembourg) have already implemented the Directive. A website operator may be established in more than one EEA country.

However, in some circumstances, website operators established outside the EEA might also be subject to the DPA. As set out above, if a website operator is established outside the EEA but uses equipment in the UK to process personal data, the processing will be subject to the DPA even though the operator is not established in this country. The data controller does not have to own the equipment on which the processing takes place. This might be the case where the operator's site is hosted in the UK or where the operator places a "cookie" on the computer of a UK internet user in order to create a profile of that individual's on-line behaviour (see Section 6 below). If the website operator is using equipment in the UK for the processing of personal data then it must appoint a representative established in the UK.

Under the DPA, a data controller is required to notify its processing to the Office of the Information Commissioner on an annual basis. Organisations who fail to do so or who maintain an inaccurate notification will have committed a criminal offence.

4. Fair and Lawful Processing

The DPA imposes eight obligations of good personal data-handling practice upon data controllers. The most important of these requires that personal data shall be processed "fairly and lawfully". This principle is expanded on in Schedule 1, Part II and Schedules 2 and 3 to the DPA. These introduce:

  • information obligations, as part of the "fair processing code"; and
  • preconditions to processing, which may require individuals to give consent.

As part of the fair processing code, businesses are obliged to make the following information 'readily' available to data subjects:

  • the identity of the person or organisation responsible for operating the website and anyone else who collects personal data through the site;
  • details of any UK representative if the business is established outside the UK;
  • the purposes for which it is intending to process the data e.g. providing goods or services, marketing; and
  • any other information which, in the circumstances is necessary for the processing to be fair. This may include advising individuals if their data is being disclosed to third parties or if their data is being transferred overseas.

Many on-line businesses will choose to incorporate the above information into a privacy statement which appears on the website. However, such statements should clearly be brought to the attention of users and basic messages and choices should be prominently displayed wherever personal data are collected. Simply stating "Click here to view our privacy statement" is not sufficient.

In addition to complying with the fair processing code, personal data may only be processed where certain statutory preconditions are satisfied. A business must be able to satisfy at least one of the conditions set out in Schedule 2 to the Act for all personal data which it processes. Further where a business processes sensitive personal data, then an additional condition in Schedule 3 must be satisfied.

The most relevant conditions to an e-business in Schedule 2 are that (i) the customer has given consent (ii) the processing is necessary for the performance of a contract to which the data subject is a party or (iii) the processing is necessary for compliance with any legal obligation other than an obligation imposed by contract or (iv) the processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party to whom the data are disclosed.

Where sensitive personal data are being processed, one possible condition that can be satisfied is that the customer has given 'explicit consent' to the processing.

If the conditions relating to consent are to be relied upon, then the Directive requires this to be a "freely given specific and informed indication of...wishes by which the data subject signifies his agreement." The Directive requires the data subject to "signify" his agreement i.e for there to be an actual communication from the data subject. It is generally considered that for most personal data, giving the user the option of opting out of the processing is sufficient. However, the Information Commissioner has suggested that where sensitive personal data are involved, then the consent must be absolutely clear (i.e the user must actively "opt-in" to the processing). Furthermore, this may mean notifying the data subject of the precise data involved, the type of processing and to whom the data will be disclosed.

5. Restrictions on Transfers of Data

Another key obligation on data controllers under the Act is the Eighth Principle of Data Protection which prohibits the transfer of personal data to a non-EEA country unless there is adequate protection. This could apply to a UK company which transfers personal data obtained from its website to its US parent. If a data controller breaches this principle then it could be the subject of an enforcement notice by the Commissioner and in theory could be liable to compensate data subjects.

The DPA does not define "transfer" but it is not the same as the mere transit of data from country to country which is allowed under the DPA.

It is the data controller's responsibility to assess the "adequacy" and this is determined by a number of factors, the most important of which are: the nature of the data, the country of origin, the country of final destination, the purposes of the processing; the laws and codes of conduct in force; and the security measures in place. The European Commission has formally decided that Switzerland and Hungary provide an adequate level of protection as well as recently deciding that the Safe Harbor Principles which have been negotiated in the US also offer an adequate level of protection. The Safe Harbor is a scheme for self-certified privacy protection which most US organisations receiving sources of personal data from within the EU may adopt and so qualify as providing adequate protection3. To date, not many organisations have subscribed to these Principles.

However, there are a number of exceptions to the Eight Data Protection Principle. In particular, data may be transferred where the data subject has given consent (see section 4 above) or where such transfer is necessary either to perform a contract with the data subject, or to take steps, at the data subject's request, with a view to entering into a contract with him. Where a data subject wishes to purchase goods or services from an overseas supplier, then this latter derogation may apply.

In addition, the European Commission has recently approved Standard Contractual Clauses for the Transfer of Personal Data to Third Countries (the "Model Clauses"). Data exporters and data importers who contract on the basis of the Model Clauses and comply with their terms will have provided "adequate" protection for personal data. The Model Clauses are effective as from 3 September 2001 and are available at www.europa.eu.int/comm/internal_market.

6. The Doubleclick Decision

It is worth noting the recent US decision made in relation to Doubleclick Inc4 which may have implications for European data controllers and for those who wish to transfer personal data to the US, as well as for recipients in the US of personal data sourced from within the EEA.

In this case, the US District Court held that Doubleclick, a substantial Internet market profiler, was not in violation of US Federal electronic privacy and computer abuse laws by using "cookies"5 to collect information from visitors to Doubleclick's clients' websites.

However, the decision was based on detailed provisions in the US Federal Statutes and in fact is unlikely to be followed by EU privacy regulators (including the Information Commissioner in the UK). It has been suggested earlier in this Article that the implantation of a cookie by a non-EEA organisation on the hard drive of a user located in the UK will be sufficient for the DPA to apply to that organisation as it will be "using equipment" in the UK. As such, the organisation will be bound to process any personal data fairly and lawfully. The Information Commissioner has taken the view that profiles based on cookies that are used to deliver targeted marketing messages to particular individuals are personal data and therefore in order to ensure their processing is fair, a user must be informed wherever a cookie or similar tracking system (including the collection of IP addresses or use of web bugs) enables the collection of personal data. This could be done either via the website's privacy statement or via an on-line notification that appears before the data collection begins. The user should also be given the opportunity to refuse or disable the tracking system before any data is collected.

Doubleclick's practices are also likely to contravene the Safe Harbor Principles which also require an organisation to notify individuals about the purposes for which it collects and uses the information about them.

7. Conclusion

Data protection, or privacy as it may more appropriately be termed in a global context, is of growing international concern. Many non-EEA countries have either developed, or are developing, their own national laws in this area and e-traders who hope to attract business from outside the UK need to be aware of the risk of contravening the national laws of their potential non-UK customers.

There is as yet no accepted international standard of informational privacy protection which conveniently matches all national laws but the 1981 OECD Guidelines are the model from which many national laws have derived their respective principles. It is also true that the EU's Data Protection Directive, to which the DPA conforms or is believed to conform, has set a standard which is widely regarded as providing adequate protection for the informational privacy rights of individuals: from this it follows that e-traders who conform to the DPA's standards of protection will stand a good chance of conforming to the privacy requirements of other national laws, both within and beyond the EEA. Nevertheless, conformity with the DPA is not conclusive of conformity with the laws of all other countries which may, for example, have regulatory and other concerns going beyond privacy.

UK e-traders who hope to attract business from outside the UK need to keep a look out for emerging trends in consumer protection, product liability, intellectual property and privacy protection in other countries in which they are likely to trade if they want to stay clear of trouble.

1 The Member States of the EU together with Norway, Iceland and Liechtenstein.
2 Sensitive personal data are information as to a person's racial or ethnic origin; political opinions; religious or similar beliefs; trade union membership; physical or mental health; sexual life commission of criminal offences; or involvement in criminal proceedings.
3 More information on Safe Harbor can be found at www.ita.doc.gov/td/ecom/tfn2.htm
4 US District Court of New York (Southern District) 28 March 2001.
5 In simple terms, "cookies" are small pieces of computer code used by a website or a server which are sent to a user's computer and are used as a means of building up a profile of a particular user (often without the user knowing that it is happening.)

Elizabeth Brownsdon was assisted in this article by Simon Charlton, a consultant with Bird & Bird.