Domain: dataprotection.gov.uk
Stories and comments across the archive that link to dataprotection.gov.uk.
Comments · 42
-
What about AT&T?
I see lots of discussion about whether HP and/or their security subcontractors acted illegally in obtaining personal phone records, but what about AT&T? It would appear that they handed over personal information to a third party posing as a customer without conducting any sort of rigorous check to ensure that they really were talking to the right person. For example, they could have:
(i) Offered to call the "customer" back on the number in question.
(ii) Offered to post the information to the customer's home address.
I am reasonably sure that their actions would be illegal under UK data protection laws, although there is of course the usual question of whether anyone could afford to sue them. We do have a commissioner who is in principle responsible for enforcing data protection laws, but they are a toothless tiger who seem primarily interested in educating organisations in the hope that they won't do it again!
-
BA could be liable for damages...
..under the UK's Data Protection Act. See http://www.dataprotection.gov.uk/ for details...
-
Re:Monitoring
Britain doesn't have the best record on privacy
except the Data Protection Act 1988 which does protect private computer data, if you want it you had better get a warrant, which needs a lot more proof than the current USA regime requires
so when it comes to data privacy Britain has a good record (or it would have a lot of bankrupt organisations) -
UK spam laws
Never went far enough for a good reason (they basically outlawed electronic spam to private addresses but not to businesses). The reason for this is that the UK government makes money from the electoral register information by selling it to direct marketing companies for postal spam (e.g. MBNA credit card offers - yay!). It would be more than a little hypocritical to criminalize a practice the government regularly makes money from
.... aneeway ...
It also sells the information to amongst others Equifax. According to recent studies over those opposed to the way information is collected, over 1/3 of all Equifax records are inaccurate enough to adversely influence a credit decision.
I recently found out that for the past six years, even though I pay over $200 per month in local tax, Equifax didn't have that information on file. This meant that I was listed as having effectively avoided paying council tax for that period. I started to examine who was to take responsibility for this "oversight".
Well, the Data Protection Act is very clear on this - no-one takes responsibility for the accuracy of the data. Not Equifax, not the local council, not even the people providing the information (or failing to provide the information). No-one. It is a veritable black hole of responsibility. A key point of the "Data Protection Act 1998" is that it is not there to protect the data subject, but to protect the data controller (yep, Equifax) from recourse by the data subject.
Who is the "data subject"? Well, that's YOU of course.
Agencies like Equifax are answerable to no-one and they have a lot of not quite so accurate information on you which they use to make influential decisions on how you live. They are the single best candidate (and best latter-day substitute) for the incompetent and overpaid bureaucrat. -
Re:In Europe this would be clearly illegal
In the UK it already is as it breaches Data Protection legislation going back to the 80s. Even before considering the sale of the data, simply collecting the data without consent is an offence in its own right.
To stay the right side of the law, data users have to follow the Data Protection Principles which are a high-level summary of the law.
As well as the basic penalties of fines and jail for directors, the Information Commissioner can walk into any company and turn off their databases on simple suspicion of data misuse pending an investigation, as happened to a major utilities company who were thought to be wrongly passing data between two separate arms of the company (energy supply and domestic appliances).
-
Re:They track more than that: official
Thanks for the link. There's also a related web site for the U.K. Information Commissioner, http://www.dataprotection.gov.uk/.
-
Re:Deterrence is Ineffective & Farcical
If port scanning et al is illegal, then why isn't what the RIAA is doing? It makes no logical sense, and I agree completely with your point.
In the UK and EU there is the Data Protection Act, so why isn't this understood anywhere else?
Should a company be able to break a physical law just because it is being carried out digitally. They can't trace packages you send, so why can they trace the files you send?
Look at this site and you might see what I mean.
Surely that makes more sense?
-
It's not *such* a big problem here in the .uk
I get about 1 SMS spam per month. I never give my mobile number out, so they are all just being dialled randomly. We have several avenues of complaint:
ICSTIS, who regulate the premium rate telephone market - most of my SMS spams are shilling premium rate numbers, claiming that "I have won a prize" or that "someone likes me". ICSTIS have fined many spammers thousands of pounds.
There is also the Advertising Standards Authority who are now accepting complaints.
It is also illegal to use an automated dialler, but the bunch of lazy jobsworths at the Data Protection Agency can't be bothered to prosecute.
-
Re:Liability
Here in the UK it would be a breach of the Data Protection Act 1998 and possibly the Computer Misuse Act 1990. Oh and the psychological evaluation would fall under the Access to Health Records Act. These carry serious fines (but not jail sentences) if organisations disobey them. The DPA '98 is based on an EC directive and came into effect a few years ago. It's run by the Information Commissioner. Of course - here you might run up against Crown immunity - which simply put means that the government can't be held liable for breaking one of its own laws. The problems of insecure wi-fi networks have been well highlighted here - especially in London - there've been many cases of drive by hacking via laptops.
-
Re:EU Software patents.
Maybe send all those junk-mailers invoices for royalties?
Alternatively if you're in the UK, you can register with the Mail [Fax|Phone] Preference Services, I have and it works.
Mail Preference Service
Phone Preference Service
Fax Preference Service
Whilst these are private sector they are subject to oversight by the UK Data Protection Commissioner. -
Obligatory Data Protection link
Europe has data protection law to control who gets your personal information (click here for info about the UK's implementation). Shouldn't you have the same?
-
The UK Data Protection Act
In the UK we have the Data Protection Act 1998. Basically it stipulates that if you want to hold personal data on someone you must by law be on the register of data controllers, see here. It also stipulates you can only hold someone's personal information so long as you have a bona fide reason for having that information (e.g. business relationship etc). If you are holding or using personal data without authority you are committing a criminal act and the company's data controller can be held personally liable to criminal action. It is also required that the data controllers tell the registrar what they do with personal data and they are then restricted to doing only what they said they would do. Failure to comply can lead to big fines and payment of compensation to the victim.
I personally have used the act many times to look at my data, all I do is pay £10 for costs and the company/organisation has to give me everything they have on me, including CCTV footage they may have of me (suitably modified so as to obscure the identifying features of other people). If I find something amiss I can complain to the Information Commissioner who has the legal powers to put it right and award me compensation. It would seem this sort of act would prevent a case like this, by effectively shutting down information brokers. Does no such similar act exist in New Hampshire or other states? -
The British one (in English, not legalese)
This is Britain's implementation of (probably) the previous reply, but the .gov.uk website for it seems to have more English and less legalese, so I'll post it anyway:
dataprotection.gov.uk
I had to do a bit of stuff on this during A-Level Computing (A-Level = the academic qualification most British 16-to-19-year-olds are studying for) and it seems very sane and well thought out. America could probably benefit from something like this.
</karma-whore> -
How about something easier to outlaw...
You don't see a whole lot of European spam, do you? This sort of thing could be why:
http://www.dataprotection.gov.uk/principl.htm
Note the .gov.uk domain; that page is a quick summary of British data protection law. This is Britain's implementation of a European Union law (I posted the British one because it's in English :-)
Theft of something as insubstantial as bandwidth and CPU time is difficult to build a case around, but what would happen to spammers if the USA had this sort of law? Never mind the spam, they obviously have a large pile of personally identifiable information - if selling your CDs of e-mail addresses is illegal (because they're being used for purposes other than the one they were collected for), there goes the address sharing for a start. -
Re:Its got nothing to do wi sep11
Logs in hand of govt means logs in hands of big corporations.
That may or may not happen in the land where the incoming president appoints all his oil business buddies to top government positions, but it sure as hell doesn't happen in the UK. We have a little matter of a Data Protection regime. This may be avoidable by the government when they pass primary legislation such as RIPA, but corporations can't just opt out of it.
If the data protection registrar discovered that corporations were receiving identifying personal information from non-legitimate sources, their databases would be closed down the same day.
Really, this is a paranoid red herring.
-
It's the Information Commissioner you want
The Information Commissioner is the person to raise this with first, rather than your MP, even if she is a minister (or the cynical would say, especially if she is a minister...)
-
Trolling, ignorance and xenophobia - three strikes
Unless the agreement I assume UK Tivo owners have to agree to for service covers this, isn't this some form of invasion of privacy?
Oh wait. I forgot, that's all gone in the UK.
Yeah, troll away. Be an ignorant fool all your life. Take the easy option.
For your information, the British do have some legally enshrined rights to privacy, some granted by British law, others granted by European Union law.
Included in these is Britain's Data Protection Act. Basically, the DPA governs every detail of how companies treat all the computer-held data that they have on their customers, employees, etc.
One nice benefit of the DPA is that I can demand a company disclose all the information that they have on me. They can charge a nominal fee for this (£10 ~ US$15) but they must comply within a set time limit. And, obviously, if their information is incorrect or harmful in any way they can be made to correct it (and I have the right to take appropriate legal action if I want to).
Now, I can demand that of my credit card provider, my bank, my doctor, my employer, my accountant, my gym, my golf club or anyone else who holds information about me. Try asking that of similar institutions in the US and elsewhere and see how far you get.
Yes, our laws are different. Yes, you have some rights that you'd cut off your right arm than give up (gun ownership anyone?) but, remember, we have some that you'd cut off the other one too to have. -
Real Privacy Legislation
Compare and contrast that travesty with UK Data Protection Act 1998. To summarise
Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- secure;
- not transferred to countries without adequate protection.
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.
The full explanation of the principles can be found here
(source: http://www.dataprotection.gov.uk/principl.htm)
Note that last point - the US at present does not have 'adequate protection' (ie protection to an equivalent level). This proposed bill takes it further away.
Something else to note - the enforcement of this will only get stricter when the new Data Protection Commissioner takes office.
-
Safe Harbour
Deal with companies in England only. The Data Protection Act of 1998 which is law here makes it illegal for companies to hold/sell customers' private data unless you explicitly waive the right. The law is so strict that bosses MUST ask every employee's permission if they want to calculate sick pay (because they have to access the sick records - sensitive data). This law is a step in the right direction, and I'm sorta proud of it. You Yanks are so weak on privacy, that US businesses are forbidden from dealing with the whole of Europe, unless the business signs up to Safe Harbour.
At a time when trade barriers are (generally) being lowered between the EU and US, the fact that this directive is required is a sad reflection on privacy in the United States.
Of course, even here enforceability is an issue - some small LLC can always pop up, harvest data, and then go bankrupt a couple of months later.
-
Re:You wish you were British????
What's worse than that is the fact British data protection laws covering the treatment of personal data make the US laws (or lack thereof) look like a fucking shambles, any company can drive a lorry through that gap.
Don't confuse some CCTV camera on a public street with personal privacy laws, if you issue a data protection request to the CCTV operator they're bound by law to give you CCTV footage, if they deny the request then you can sue them. -
Data Protection Act in the UK
" I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already. "
As you are from the UK, you might be interested in the things covered by the Data Protection Act (DPA). The DPA can be used in the UK to protect yourself from people misusing your personal information. A quick guide can be found here. Companies can be quizzed as to how they use the information and what information they hold on you. For as little as £10
In addition you have the right to sue the company for any loss resulting from faulty information they use, and you can have data removed / corrected as appropriate (see here for details)
As Passport is based in the US I doubt you have any rights covered by this act (although you might as they are providing the service in this country). However I think this is a step in the right direction, in the UK this covers most companies and data including credit ratings. This is a brilliant step forward and offers hope to all those people who are screwed because of faulty information, or just pissed off with companies sending them letters ;)
For certain "sensitive" types of information a company will have to get your explicit permission before using your information eg. race, religion etc.
I am intending to write to the Information Commissioner to ask about Microsoft's information gathering activities in this country and if they can be stopped / modified to ensure that they conform to the DPA. Maybe if enough people do this we can get a result for the UK.
-
Re:Answers
I took your criticism (hey, it's a flaw :) ) to heart, and took it upon myself to clear my name. The Data Protection Act is one of the few good government websites we have (information? I can get to easily? Goodness!) and for all those who don't know about it, the rules are outlined concisely here. H'anyway, it says that the information must be kept secure (that's what I meant ;) ) and confirms your point on transferal to countries that don't have adequate protection. This must be possibly the only law we have in the UK that actually protects the rights of technology users, rather than hinders it. Hooray! -
Frank doesn't get it....
If the U.S. domestic response to terrorism starts to resemble Zimbabwe's, which passed a law in November making it compulsory to carry ID on pain of fine or imprisonment, well, that's something to worry about.
But until Congress passes a law like that -- and until you can't enter a movie theater without the usher checking you for priors -- there isn't all that much to get exercised about.
Er, no Frank, that's when it's too damn late to start doing anything about it.
Once you get to that stage people start becoming afraid of resisting government's attempts to be Big Brother in all aspects of life, as it becomes a lot easier for the government to make otherwise innocent people's lives difficult by 'accidentally' putting false information on the cards.
Oops. We accidentally put that you've got a criminal history on your card...oh well better luck at the next job interview.
Most of the privacy rights -- if there really are such things...
Yes, Frank such a thing does exist in the rest of the world. Here's the government body that protects my privacy and data.
For some, the real problem with smarter, more centralized ID cards is that they give bureaucrats a better chance to screw up more of your life
No there are lots of people who don't like the idea of either government or companies being able to see anymore information about them, than is absolutely necessary.
With the growth of the Internet it is getting far too easy for companies and governments to trade information about their citizens. -
A better way to hurt CCTV operators (UK only)
This is a good idea, but there's another way to hurt CCTV operators in the UK which doesn't require a camcorder.
It may well, however, require a small fee. This is defined in the DPA as a maximum of £10.
Go to a shop (only do this in big chains, no-one wants to hurt independents). Go when it's busy. Very busy. Make sure they have plenty of CCTV cameras. Make sure you get in as many of them as possible. This increases your impact.
Then, go to an employee. Under the DPR's `Code of Practice,' `All staff should be aware of individuals' rights.' If not, ask to see the `Data Protection Controller' or, the Manager.
You may well need to fill out a Data Protection Subject Access form, or write a letter with proof of identity to the Shop's Data Controller.
You are entitled:
to be told if any personal data are held about you AND, if so:
to be given a description of the data;
to be told for what purposes the data are processed and
to be told the recipients or the classes of recipients to whom the data may have been disclosed.
Also:
to be given a copy of the information with any unintelligible terms explained;
to be given any information available to the controller about the source of the data;
So, they'll be required to give you copies of information they hold about you. You probably don't want this, but the administrative burden is the aim here.
If they don't provide the said details within 40 days, complain to the DPR and they will be likely to be fined.
-
Re:How about junk snail mail?
...Not every ad mailing will be enjoyed by every recipient...
I didn't ask for it so they shouldn't send it.
...all you do is hurt the industry's profit margin...
An industry that survives on sending me things I didn't ask for seems very unfriendly to me and deserves to lose out.
...it will mean less prepaid envelopes...
Not a bad thing, if you ask me :-)
...And then you won't have prepaid envelopes for the stuff you actually want to send for.
If it's something I need then I'm happy to pay for it.
...or write to that giant clearinghouse to be taken off the main list.
With the majority of spam I receive, I didn't ask to be on the list in the first place, so the company doesn't deserve to receive any decency from me. Neither does the company who gave them my details. Instead of asking to be taken off the list, would it not make better sense to threaten whoever gave them your personal details with the Data Protection Act? (or your country's equivalent)
If you didn't specifically ask to receive correspondence then the company is not allowed to spam you. Simply having a box on forms that says "tick here if you don't want us to send you stuff" is now illegal in the UK - it must say "tick here if you do want to receive stuff from us."
if you are registered with the DMA (Direct Marketing Association), or equivalent service.
I also find that the majority of spam e-mail senders I've seen can be prosecuted under an Advertising standards law (in the UK the ASA / Advertising Standards Authority will deal with anyone using false statements to advertise their product or service).
-
Re:Speaking of contradictions & hypocrisy...
No common law countries have ID cards, they may have the most cameras but they also have the strongest Data Protection laws.
-
Re:Yeah, you may have gotten the bank's secret dat
First of all, British Citizens have never been 'subjects', that was reserved for people in the colonies.
If you think Britain is bad then you may want to watch developments in the USA post Sept 11th, I'm sure new cameras will be instituted, and it may well end up 'worse' than the UK since the USA has very weak data protection laws due to corporate interests.
Schadenfreude has a nasty habit of coming back and biting you in the arse. -
Illegal
I think this would be illegal in the UK but I can't connect to the Data Protection web site to check.
IIRC you must supply an easy way to remove someone from a mailing list. -
Re:What do they do with the contestants names?
Oh the irony here is quite appalling, the UK adopts very strict EU data protection laws, remember all those articles about the EU objecting to the lack of control or any safeguards when it comes to information being passed to US companies?
In the UK personal information is the property of the individual, not the company that owns the database, you simply licence the company to use your information, it can be revoked at anytime and cannot be passed on without your explicit consent.
You have the right to view all your data, you put a request into the company with £10 and they have 40 days to reply, if they fail you can then lodge a complaint with the DPA and pursue a legal route.
The CCTV cameras are quite different from implying there are lax data protection laws, in fact the reason people are unconcerned about the camera is probably due to the DPA. The £10 procedure described above applies to CCTV footage of your person, some comedians have had some fun with this (i.e. Mark Thomas).
The Data Protection Act is enforced by government through the Information Commissioner (formerly the Data Protection Agency).
Now if we look at the situation in the US it doesn't take much to work out that corporate interests have killed any bill that relates to data protection, given the advocacy given to privacy in the US it's surprising that privacy bills are continually shot down, it's one of those contradictions where the evil land of Big Brother has better protections than the US itself, this is why prevalent CCTV in the US could be quite ugly.
What is left in the US is a self-interested self governing system where companies voluntarily sign up to a lax agreement, there is no come back if the company then goes and breaks the agreement, there is no legal path or any enforcement to check if the policies are even being enforced. You do not have any explicit right to see information gathered about yourself, even to check if it's correct, and the company is free to sell the demographics to the highest bidder since it's their property, some companies may allow you to opt-out of this default procedure, it's not easy though.
Also, your presumptions about the BBC are quite misleading, remember they're not a commercial entity, they don't have to worry about advertisers, shareholders or profits. -
Factual Errors and Data Protection
It's an interesting piece, however it seems the opinionated view of the author has introduced a number of misleading themes and factual inaccuracies into the article. This guy has an axe to grind?
"There were cameras on the backs of buses to record people who crossed into the wrong traffic lane."
Erm... no, he probably confused the British meaning 'on the backs of buses' to mean physically located on the back of the bus on the outside, then extrapolated his view on from there. Some double-decker buses do have cameras on them *inside* the bus so they can identify vandals post event. They don't put cameras on the outside of buses.
"We had a match! But no, it was a false alarm. The license plate that set off the system was 8620bmc, but the stolen car recorded in the database was 8670amc"
That is clearly made up... no British numberplate is that format, even private ones. Until last month they were like so: Y123 ABC with the Y denoting the year of registration (Feb 01), they used to be ABC 123Y until the late 70's (reversed). The new ones introduced last month are as the following: BY51 ABC, the BY denotes the registration area (Birmingham in this case), 51 means the car was registered in the second half of 2001, and the ABC is random (excluding rude words). Even going back pre-war they used to be like the following "POP 303".
8670amc or 8620bmc is simply not possible, you never find the letter '8' on any British numberplate and the format is all wrong.
ANPR (numberplate recognition) was implemented in The City to make companies feel more comfortable after the Docklands bombing.
Facial recognition (the Mandrake system) is only currently used in Newham and is not commonly found anywhere in the country, so some of the exaggerations in the article are a little unfounded, however his concerns are quite just. The Mandrake system is utterly fallible though, up until a point that it's laughable, there's been quite a few programmes (e.g. Mark Thomas Product) that have clearly ripped the system apart. And since the premise of CCTV lies solely upon perception, Mandrake isn't taken seriously. So I'm not really very concerned at this at all at the moment, the problems they face implementing a reliable system are insurmountable, give it 20 years then I may take these concerns seriously.
Society itself is still very anonymous, if you hang round cities that have cameras then it's pretty easy to see that the cameras have a very limited field of view, if I wanted to get away from them it would be extremely easy. I believe when criminals finally realise how fallible the cameras are they will take no notice of them and since CCTV is purely about perception and nothing else, they will become useless. You are starting to see some very overt criminals that do the crime right in front of the camera without a care, they know very well the vast majority of cameras are not actively monitored, and if they are, the operator has at least two-dozen cameras to monitor. When they show the footage of these criminals the quality is that poor it's impossible to even see who the person is, let alone whether they're male or female.
I'd be more worried about my personal privacy and data being looked into, ironically, the data protection laws in the US are very weak, YOUR details can be owned by a company and therefore be sold to the highest bidder and used in various ways. In Europe, data about the person is the property of that person, you simply 'licence' a company to use it when you give up personal details, which can be revoked at any time.
The UK has intensive surveillance in the cities but very strong data protection laws, the US has the opposite, which means if the US does get cameras it could be a lot more nasty than the UK. I'm amazed how the US seems to value its privacy but does not enshrine laws that reflect those sentiments, corporate interests I guess. -
Re:We need some international treaties
I can't see how it over-reaches territory, if you deal with a foreign country then you must abide by their domestic laws, this has always been the case. As a US company, if you try and sell a product into the UK and it doesn't meet their safety requirements or whatever, it will be deemed illegal, despite the fact it may be legal under US law. This isn't imposing law on another country since you can still sell the (potentially) unsafe product to your US citizens legally.
Remember this only affects data concerning EU citizens, if you're an EU company then you cannot sell data on EU citizens to countries that have questionable data practices, if you're a US company dealing with EU people then you must do the same, obviously a US company can do whatever it likes with data on US citizens.
This does in fact make some sense, if they didn't put restrictions on foreign countries then EU companies would just move their customer databases abroad and then do whatever they like with it, and because the country is outside EU law, citizens would have no legal control of their data, this would just undermine the whole purpose of the law.
If you've ever seen the "UK-Info" CD, which lets you find out in-depth data about households by aggregating data from the British Land Registry, Ordnance Survey, electoral roll, Companies House records, ACORN demographics, phone listings etc, they move this data to the Cayman Isles then process and cross-reference it and sell it on a CD to the UK. If the CD was cross-referenced in the UK it would break a number of data protection laws. Because the information can flow abroad then be sold back to the UK in an aggregated form, it's not illegal, which makes a mockery of the law, so they're trying to ensure citizens have rights on their data if it's passed abroad (and choose if it even goes abroad).
The requirements are for companies dealing with EU citizens not just companies within the EU.
I can't see any law solving this issue easily, there are too many loopholes to deal with. As with the UK Info disc, lots of disparate forms of innocuous information are obtained which in themselves aren't a problem, it's when they're cross-referenced and interlinked it becomes an issue, I can't see how the EU can stop foreign countries processing this information.
Enshrining privacy in the law is an honourable pursuit, but ultimately frivolous, if they don't get industry backing it will never work since companies will just hire lawyers to exploit any tiny loophole in the law. Therefore how do we get companies to respect our data? What is the commercial incentive for a company to do so? -
Take the US spin off...
Again, a US-centric /. article - if Katz would take his USian specs off and do some digging, it would have been nice to see where the rest of the world is on this. And Katz neatly ignores the issue if a company has incorrect data on you.
Here in the UK we _do_ have rights of data access. For once our Government has done something quite well. The Data Protection Act was originally drafted in 1984 (the irony!) and has been amended a few times since. In action, it works - I have requested credit profiles for myself for the nominal charge of UK £1, and received the information quickly and without quibble.
Pity about the mess that is RIP, though... Stand has a good writeup about it...
Strong data typing is for those with weak minds.
-
UK Data Protection Model
A pretty good model is the UK Data Protection one:
Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:
- fairly and lawfully processed;
- processed for limited purposes;
- adequate, relevant and not excessive;
- accurate;
- not kept longer than necessary;
- processed in accordance with the data subject's rights;
- secure;
- not transferred to countries without adequate protection.
Personal data covers both facts and opinions about the individual. It also includes information regarding the intentions of the data controller towards the individual, although in some limited circumstances exemptions will apply. With processing, the definition is far wider than before. For example, it incorporates the concepts of 'obtaining', 'holding' and 'disclosing'.
This is so much more stringent than US models that until the recent 'Safe Harbour' agreement, it was not possible to transfer personal data from the UK to the US. Obeying this will enable you to gain 'Safe Harbour' status, yet it's not hard.
-
Tell your users:
- Who you are
- What data you're collecting
- Why you're collecting it (for each data type)
- How you're collecting it (for each data type)
- Who you're intending to share that data with and why
- Take more care with sensitive data (anything to do with health, money, beliefs or sexual orientation)
And you must, must, must give people an opportunity to opt out of any data uses which are not absolutely central to the operation of your service. Actually, an opt-in is better - Seth Godin explains why (fair warning - Amazon Associates apply; circumvent if you feel the need).
-
Data Protection Act
As a Company trading in the UK, Tesco is subject to the Data Protection Act. This means that they have certain obligations wrt any personal data they might collect from you.
As for the particular issue of collecting information about your browser, the DPA says they must discard data as soon as they have finished using it for its legitimate purpose i.e. once the page has been constructed.
As for the fact that the web page only works for two browsers - well that is just bad programming. If I find a page that doesn't work, I always submit a bug report. In software terms, web sites are often very poorly engineered (IMHO) and a little constructive criticism may just possibly improve things a bit.
-
UK Data Protection
Y'see, *this* is why the EU has been unhappy about data transfers to the US - we have stringent data protection legislation.
In the UK (whose implementation I know best), data holders *must*
- Be registered to hold and process identifying data and only do so for a proper length of time
- Obtain data fairly (ie from you with your permission or from a reputable (ie registered) source)
- Ensure that that data is up to date
- Ensure that the data is only disclosed to proper persons or bodies
- Give you the right to view your own data
- Only use it for proper purposes
Therefore, you can view your credit history as disclosed to financial companies by writing to Equifax or Experian (the 2 big credit reference agencies) with a £2 cheque, and challenge any erroneous info they hold about you.
-
Re:Fighting fire with fire
He also owns, or at least registered, the www.befound.com site (the one hosting the old Y2K software page). Also if you write to them you can ask that they remove any data they have regarding you under the terms of the Data Protection Act (see my previous post).
Offtopic but interesting: The Data Protection Registrar's response to the RIP bill (Word Doc)
-
NetPD
Anybody know their real name? If they are in the UK then what they have done is WAY illegal under the Data Protection Act, assuming that the information they have collected could be considered personal data (not entirely sure about that, but it would seem to be).
Can't find Netpd/mp3police or Bruce Ward registered as data collectors on the Data Protection website either.
Section 8 is interesting, you are not allowed to transmit data outside of the European area unless you can prove that there is sufficient protection for it....
And hey if you think you are on their list you can send a couple of quid to their registered address and they have to send you a copy of all the info they have on you.
-
Re:An Obvious Solution...
Is there any way that we can use the Data Protection Act (think that's the right one) and demand a copy of all the information they have on us. If enough of us do this, it's going to be rather time consuming for them
...Yes. I think you can at the moment, but you definitely can when the EU directive becomes law. The changes to European Union law will be propagated into UK law effective on 1st March, according to the Data Protection Registrar's website.
The subject access rights have been extended:
Whereas under the 1984 Act the data subject was only entitled to have a copy of any data processed by reference to him, the new Act states that he is also entitled to a description of the data being processed, a description of the purposes for which it is being processed; a description of any potential recipients of his data and except in limited circumstances, any information as to the source of his data (where available).
The website also says: In addition, Schedule 2 provides that processing may only be carried out where one of the following conditions has been satisfied i.e., where;
- the individual has given his consent to the processing
- the processing is necessary for the performance of a contract with the individual
- the processing is required under a legal obligation
- the processing is necessary to protect the vital interests of the individual
- or to carry out public functions
- the processing is necessary in order to pursue the legitimate interests of the data controller or certain third parties (unless prejudicial to the interests of the individual).
Depends on whether Doubleclick's address tracking is "legitimate" I suppose... AFAIK, the DPA is criminal law: you don't have to sue them yourself.
-
Re:This is already in use in London, UK
I forgot to mention for the benefit of non-UK readers that the Data Protection Registrar mentioned in the Computer Weekly story referenced above is a publicly funded organisation charged with protecting people's privacy w./ regard to databases. Any organisation or company which holds personal information about you on computer has to register with the Registrar, make the information available to you on request, and amend it if it turns out to be inaccurate. You can also ask to be removed from junk mail lists, etc. This is clearly a Good Thing; IIRC it came in during the early 1980s, 1984 I think. It's interesting to contrast this with the current US practice of mandating 'privacy statements' on commercial websites -- but AFAIK this is totally voluntary, unenforced by any government agency and presumably widely flouted.
Of course any technology can be used for good or bad. An important factor seems to be the amount of government regulation; personally I'm all in favour of this as the lesser of two evils. Large corporate concerns are always going to try to get away with as much as possible and need to be held firmly in check by society.
OK where are my asbestos pants
...;)