Slashdot Mirror

Seeing as a shockingly large amount of tabloid citation/"content" is from twitter, I presume this will apply to microblogging too?...

Just another largely unenforcable rule which will have little effect on anyone apart from the consumer... I can't imagine the EU cookie law has had much effect other than to annoy us... http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

No, it's not the maximum fine under UK law - that's £500K. See http://www.theregister.co.uk/2010/04/05/ico_power_analysis/

The summary isn't even about it being the highest fine imposed so far by the ICO for a breach of the Data Protection Act. There was a £325K fine imposed on an NHS trust. See http://www.ico.gov.uk/news/latest_news/2012/nhs-trust-fined-325000-following-data-breach-affecting-thousands-of-patients-and-staff-01062012.aspx

Depends on the jurisdiction.

Under the terms of the Data Protection Act 1998 (which itself aligns the UK with EU legislation), the individual has rights with respect to data held about them.

This includes the right to access a copy of the information comprised in their personal data, so you are effectively a joint owner of all data concerning you, except where it runs into one of the exceptions like purposes of national security, crime, taxation, and data held merely domestically.

The data holder is permitted to charge you a "reasonable fee" to process the data if you request a copy.

In the US, the PATRIOT act can compel someone to hand over the information without any real judicial oversight and a requirement they don't tell anybody. I assume the UK is about the same.

As far as I know, you still need a court order in the UK. http://www.ico.gov.uk/for_organisations/data_protection/the_guide/~/media/documents/library/Data_Protection/Detailed_specialist_guides/SECTION_29_GPN_V1.ashx

A large UK based multi-national org that I've worked for has the exact problem of hosting all its data centres in the USA. The big problem is that there are USA laws that apply that there is no equivalent in the UK/EU and there are contradictory laws where a lawyer would just choose the best jurisdiction. With-holding keys would be an offence under UK law (RIPA) but not under USA law.

e.g. in the UK, Freedom of Information only applies to government entities.

So, If a UK consumer (who knew the data was hosted in the USA) wished to find out information that extends further than a DSIR they could get a US Attorney to do a FOI request at the US host and get information that normally they could not get at an EU host.

...that any company which holds personally identifiable information (so that's all of them - it goes from CRM databases to employee records and payroll) has a Statutory obligation to register Company details with the Information Commissioner's Office and to report any breaches to the Information Commissioner.

For the definition of "breach", read: lost or stolen mobile phone, laptop, notepad, application or registration document, tablet, audio recording, video capture, or any other method, known or unknown, of recording personally identifiable information.

The problem is that state officials fail to see that cyber-security is a fundamental component of doing business over the internet, on a level with paying for the electricity. Our duties as techies is to point this out as frequently as possible in verifiable documents so that when the breaches occur there can be no doubt about who failed to make sure the budget was enough. The story of the UK police force that was fined for a data breach http://www.ico.gov.uk/news/latest_news/2012/police-force-pays-120000-penalty-for-data-breach-16102012.aspx has probably frightened a lot of local government people here. OTOH the observation that this was a 'Deloitte' funded report does remind us that there's money to be made here.

It really doesn't matter what I think. This is how the standard was designed and implemented, and IE using it in its current form is clearly abuse.

When you start Win8 or run IE10 for the first time, it'll ask you to configure some settings. One of them is DNT. You can choose "express", which will set it to on, among other things - but it will also tell you that it'll do so before you choose. Kinda like this.

So, yes, this is user choice. Ad companies may not like the fact that it's easier to enable DNT than it is to disable it, but that's another story.

If DNT ever does get worked into law such that ignoring it carries fines and/or legal penalties

It's already here.

You can always pursue it yourself ...

How to claim compensation

I hate to burst everyone's babble with facts, but here you are:

http://www.ico.gov.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies.aspx

important key points:

• Implicit consent is valid in many cases
• some cookie uses are exempt, especially session ids, shopping carts, etc.

Sorry for brutally slaughtering half the comments posted so far.

As I read it, what this basically asks me to do is put an information that my site uses cookies somewhere with a link to a page that explains what I use the cookies for. If you're doing the usual stuff (session ids), you're probably done with two sentences.

This law is actually very sensible. There are exemptions for non-tracking cookies, stuff like session tokens used by online shops or banks, misc preferences and so forth.

That is the whole point: there is not an exemption for session cookies -- only an exemption where they are strictly necessary -- which is a very high standard, also the legislation does not distinguish between a site specific session cookie and a 3rd party cross site cookie. This is what is stupid about it.

See: cookies_guidance_v3 page 12:

Where the setting of a cookie is deemed 'important' rather than 'strictly necessary', those collecting the information are still obliged to provide information about the device to the potential service recipient and obtain consent.

Note the v3, they keep on tweaking what they expect people to do.

Exactly. Few sites are going to want to do that. They might try what the UK government does on the ICO site (check the bar at the top): http://ico.gov.uk/. However few users is going to click yes in that bar.

People need to actively accept that you are tracking them.

Nope. They've muddied it with "implied consent". Also, you can require it as parts of terms and conditions when signing up (doesn't work for already registered). Couldn't find much on specific details of opting out, except for "must inform about loss in functionality", but my guess is "Well, we're disabling your account, then" might be acceptable. In other words, my central point still stands - users will just say "Get out of my way and let me post on my wall!" and click Accept, just like they do with EULA's and ToS's now. .

If you are using a third party tool like Google Analytics, you need to specify everything Google is going to use the data for. Since Google wont say at this point, you simply can not in any legal way use Google Analytics at this point.

Not really, ICO themselves use GA. The notification also doesn't have to be very detailed, but have a link to policy. Combined with implied consent bullshit it gives a lot of wiggle space for site owners.

People need to actively accept that you are tracking them. Just showing such text somewhere is not enough.

Actually, the ICO seems to have pulled a complete U-turn with 48 hours to go, and now says that implied consent can be enough.

Whether that will stand up to the seemingly inevitable legal challenge in the European courts remains to be seen, but I suspect even the ICO think this is a dumb law behind the scenes, and their language has been softening substantially in recent weeks relative to their early advice.

On page 3 of http://www.ico.gov.uk/news/blog/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx it states that 37% of users don't know how to manage cookies. So, we've got implied consent where 37% of users don't know how to give consent.

48 hours before the law came into force, the ICO issued new guidelines at http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx which basically reads as "If the user's browser accepts cookies, then they agree to the cookies being stored". Making the whole things pretty moot. Why they waited until the "11th hour" to state the obvious is annoying...

I can't find that in there. The nearest I can find seems to be "If the user's browser accepts cookies, and the user has a good understanding of what cookies are and how they are used then they agree to the cookies being stored", with the onus being on the site owner to prove that the users have that level of technical knowledge before setting cookies. That would probably be ok for a tech site, but not for a site aimed at the general public. The one site I manage doesn't use cookies, but if I wanted to implement analytics for example then I reckon I'll still need to implement a landing page.

The regulations are not actually as crazy as this story makes them out to be. Here are the latest guidance notes from ICO:

http://www.ico.gov.uk/news/blog/2011/~/media/documents/library/Privacy_and_electronic/Practical_application/guidance_on_the_new_cookies_regulations.ashx (PDF)

Page 10 has a summary table with some examples of banned (ie. explicit permission required) and OK cookies:

ALLOWED

shopping basket cookies
security cookies (banking, session id, etc.)
load balancing track things

BANNED

analytical cookies (eg. count unique users)
advertising, both first and third party
remembering users between sessions for trivial purposes, eg. display a "welcome back" banner

48 hours before the law came into force, the ICO issued new guidelines at http://www.ico.gov.uk/news/blog/2012/updated-ico-advice-guidance-e-privacy-directive-eu-cookie-law.aspx which basically reads as "If the user's browser accepts cookies, then they agree to the cookies being stored". Making the whole things pretty moot. Why they waited until the "11th hour" to state the obvious is annoying...

Some breaches of the UK's Data Protection Act, for example, are criminal. And the police aren't the only organ of the state to initiate criminal proceedings.

It seems that this is where distribution of child pornography (without permission of a subject who has since reached some age of consent) belongs.

If the tracking data does not allow for identification of the individual then it is not personal data and the Directive does not apply.

(a) 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

The UK Information Commissioner provides a step-by-step quick reference [PDF] appears to confirm anonymous phone signals are not "personal data".

Although the United States of America (US) is not included in the European Commission list, the Commission considers that personal data sent to the US under the “Safe Harbor” scheme is adequately protected. When a US company signs up to the Safe Harbor arrangement, they agree to: follow seven principles of information handling; and be held responsible for keeping to those principles by the Federal Trade Commission or other oversight schemes. Certain types of companies cannot sign up to Safe Harbor. View a list of the companies signed up to the Safe Harbor arrangement on the US Department of Commerce website. In July 2007, the EU and the US signed an agreement to legitimise and regulate the transfer of passenger name record information (PNR) from EU airlines to the US Department of Homeland Security (DHS). This agreement is regarded as providing adequate protection for the personal data in question.

But those rights are limited: you can basically only prevent processing that is actively harmful to you. Which is why I phrased my question as I did. European law *does not* prevent Facebook storing information about you if they want to, as long as they do not use that information in a way that prejudices your legitimate interests.

I don't think that's true in general. For example, you would be on shaky ground if you were storing and processing personal data without the subject's knowledge and consent, such as if data about one subject was provided to you by someone else without the subject's knowledge, which was the example scenario that Kenja described. There are various other conditions under which processing is also allowed, but it's hard to see how Facebook could appeal to any of them in such a case.

Although there are certain EU-wide minimum standards, it's also worth keeping in mind that some nations implement stricter privacy and data protection controls than others. For example, while the UK is relatively easy-going (perhaps too much so IMHO), Germany tends to be very protective of individual rights in such matters (understandably, given their history). Presumably the most relevant jurisdiction in this case is Ireland, but I don't know off the top of my head where on the spectrum they fall.

That is true for companies with which you have a contract that involves sending them personal information.

No, it's true for all companies that hold personal information. See the ICO for more details (for the UK).

They are not from a EU country

http://www.facebook.com/terms.php

The website under www.facebook.com and the services on these pages are being offered to you by:

  Facebook Ireland Limited
  Hanover Reach, 5-7 Hanover Quay, Dublin 2 Ireland

You are correct, in the UK the fee is "up to £10". See here.

Because the University had to be ordered to release the information, are you implying that the University was paid off by the oil and coal lobby to not release the information?

I don't think Murdoch's company was the only one to use phone hacking.

Many papers did, through arms-length dealing with private detectives.

The UK government caught some detectives stealing private information, and published which newspapers were buying it Read page 11 of this report.

The top three newspaper companies buying illegal information were Trinity Mirror (1679 times), Daily Mail and General Trust (1387 times), then News International (only 256 times).

It's not the quantity of hacking, but who got hacked. The public didn't really care about celebrities being hacked, but went apeshit when they heard a little girl got hacked.

The above supports my refutation of your original point that communications were to be disclosed.

I asserted that "any individual has the right to make a subject access request to any firm for all communications concerning him personally". Perhaps you read that as "right to make a request for all communications". What I actually said was the right to make an SAR. Now:

1. A subject access request can, if you wish, apply to all communications concerning you;
2. The SAR entitles you to a copy of all personal data within those communications;
3. As the above link demonstrates, the definition of "personal data" is fairly broad, including, "any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual."

So, while you don't have the right to the full and exact wording of a whole document containing personal data, you have the right to the substance of all personal data within the document. This is obviously open to abuse in practice, but the principle is clear.

This supports my original point about being interested not being reason enough for a valid SAR.

Erm, of course you can't ask for arbitrary information stored by some firm just because they're interested - but you can ask for all personal information (in the sense covered by the DPA) just because you're interested.

Firstly, clicking in the comment box NINE FUCKING TIMES to add text, because each click causes another comment to load further up in the page, does not a good interface make - but is anyone at Slashdot going to sort their shit out? They haven't in the months since this issue was first noted...

Ok, on to the reply.

I'm afraid that the Governments guidance to businesses contradicts your interpretation:

Subject access provides a right to see the information contained in personal data, rather than a right to see the documents that include that information.

The above supports my refutation of your original point that communications were to be disclosed. I was not making any comment about other things required to be disclosed under the act - just that you do not get the email, you get the personal information within the email.

In your last example, the personal data would be part of the disclosure, but not the communications themselves - if there was a decision making process that needed to be explained, then that explanation would include the personal details, the decision and the reason for the decision, but again not the communications themselves.

Under the right of subject access, an individual is entitled only to their own personal data, and not to information relating to other people (unless they are acting on behalf of that person). Neither are they entitled to information simply because they may be interested in it.

This supports my original point about being interested not being reason enough for a valid SAR.

http://www.ico.gov.uk/for_organisations/data_protection/the_guide/principle_6/access_to_personal_data.aspx

I think you underestimate the power of the law.

In particular, you don't have to provide a good reason beyond "the law says I can have this information". (You may need to provide a good reason to ask them to destroy certain types of data held about you, e.g. to declare that the processing is causing you distress.) Nor do you get "only the data itself": the logic of any automated decision-making must be explained if requested and, per the link, "the purposes for processing the information and who the organisation is sharing the information with" must also be provided.

There are, of course, examples of data processing where the law must be interpreted to decide whether records must be released. For example, if two employees were to pass e-mail between each other about you in which they discussed your eligibility for something, would a SAR require you to disclose archives of those e-mails?

This isn't true. Session cookies *are* included. All cookies are. The law actually covers all technologies for storing information on a user's device, including flash cookies, and does not state anywhere that I have been able to find that it only applies to tracking.

As far as exempting cookies "necessary for the functioning of the website" is concerned what the latest advice (PDF) from the ICO says is "The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user" (emphasis mine). The example it gives is a shopping cart. I doubt a breadcrumb trail, for example, will count.

Read the full advice - it's going to be a tricky bastard to implement.

The UK's Information Commissioner issued some advice which isn't really finished but provides a good starting point. The big problem is that we don't have a good enough definition of what "strictly necessary" for the function of the site means. I've seen it interpreted (I think it was by a spokesman for the European Commission, but I didn't make a note at the time) as meaning cookies needed to perform a function requested by the user. The example given was a shopping cart - the user requests you to put an item in the cart, so you don't need to ask permission to use a cookie to associate that cart with the user.

Third party analytics software seems to be the target they're really shooting for, so I think we're going to have to move towards asking permission for those.

Have you actually read the update to the law? I'm betting no.

6 (1) Subject to paragraph (4), a person shall not store or gain
access to information stored, in the terminal equipment of a subscriber
or user unless the requirements of paragraph (2) are met.
(2) The requirements are that the subscriber or user of that terminal
equipment--
(a) is provided with clear and comprehensive information about the
purposes of the storage of, or access to, that information; and
(b) has given his or her consent.

Source

The bit not in bold is the law before 26th May - the bit in Bold is now in effect. It doesn't differentiate between different types of cookie, their functionality or anything else. Consent must be gained for any use.

It leaves open hundreds of questions, but under no interpretation can you say "it only applies to tracking cookies".

From the guidelines (pdf):

The only exception to this rule is if what you are doing is ‘strictly necessary’ for a service requested by the user. This exception is a narrow one but might apply, for example, to a cookie you use to ensure that when a user of your site has chosen the goods they wish to buy and clicks the ‘add to basket’ or ‘proceed to checkout’ button, your site ‘remembers’ what they chose on a previous page. You would not need to get consent for this type of activity.

So, by my reading of that, you do not need further consent merely for logins/session cookies:

This exception needs to be interpreted quite narrowly because the use of the phrase “strictly necessary” means its application has to be limited to a small range of activities and because your use of the cookie must be related to the service requested by the user. Indeed, the relevant recital in the Directive on which these Regulations are based refers to services “explicitly requested” by the user. As a result our interpretation of this exception therefore has to bear in mind the narrowing effect of the word “explicitly”. The exception would not apply, for example, just because you have decided that your website is more attractive if you remember users’ preferences or if you decide to use a cookie to collect statistical information about the use of your website.

Apple users in the UK can make a Subject Access Request. Apple must provide this within 40 days and may not charge more than £10 (about $16).

I suspect that it could cost them more than £10 to provide the information. It would piss Jobs off considerably - but it is UK law - it would be interesting to see what Apple would do, especially if enough people do this. I don't own an iPad/iPhone otherwise I would.

It'd be illegal in the UK at least; there's a law against keeping databases of personally identifiable information without fulfilling several requirements (one of which is that it cannot be disclosed to third parties without the permission of the individual involved), and it's hard to see how a dating profile could be at all useful without personally identifying information. Although the existence of such a law isn't all that surprising, what perhaps is surprising is that the law in question is actually taught in schools, as a mandatory part of the curriculum. (It has a few other interesting features too, such as saying that only an explicit opt-in counts as sufficient consent, opt-out is not enough.)

Another interesting implication of the law is that it requires people holding such information to disclose the entire relevant part of their databases to the person it's about, although they're allowed to charge a reasonable fee for the service (currently capped at £10; I suspect in practice, most companies would demand the entire thing). If you live in the UK and don't mind paying a bit of money for the privilege, it might be interesting to contact a major company like Facebook or Google and ask for a copy of all the data they hold about you (where "you" is directed at Slashdotters in general here, not the parent in particular).

A more sensible and legal approach to costing a large company like amazon money (at least in the UK) would be for people who want to protest to make a request for all personal details that amazon hold on them under the terms of the data protection act.
Information about the process is available from the information commissioner's office at http://www.ico.gov.uk/for_the_public/personal_information/how_manage/access_info.aspx

"we are primarily concerned with regulating the processing of personal data by the state, by businesses and by other organisations."

I could be wrong, but I get the impression that the ICO deals with issues of personal data abuse by organizations that personally gathered it - like the government and tax info, or survey takers and demographics. The idea that was being discussed seems broader than that - permitting people to challenge the spread of personal info' in a wide range of areas. For instance TFA mentioned a Women's Shelter asking a website to deslist their address which had somehow been added to a database.

I get the impression it was supposed to be a step below those options, a cheaper alternative

So, something like a complaint to the Information Commissioner's Office, then?

Viewing of live images on monitors should usually be restricted to the operator unless the monitor displays a scene which is also in plain sight from the monitor location.

and as an example:

Example: Monitors in a hotel reception area show guests in the corridors and lifts, i.e. out of sight of the reception area. They should be turned so that they are only visible to staff, and members of the public should not be allowed access to the area where staff can view them.

and also the following on the release of footage:

Any other requests for images should be approached with care, as a wide disclosure of these may be unfair to the individuals concerned. In some limited circumstances it may be appropriate to release images to a third party, where their needs outweigh those of the individuals whose images are recorded. Example: A member of the public requests CCTV footage of a car park, which shows their car being damaged. They say they need it so that they or their insurance company can take legal action. You should consider whether their request is genuine and whether there is any risk to the safety of other people involved.

and even better on the next page concerning responsibilities and the display of signs:

Signs should: be clearly visible and readable; contain details of the organisation operating the system, the purpose for using CCTV and who to contact about the scheme (where these things are not obvious to those being monitored); and be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers.

Typically the one thing you do see in any public area in the UK with CCTV, is an indication that CCTV is in operation, hopefully if the guidelines are followed and the signs go up in shops and they will see some drop in customer numbers because people are not willing to accept that level of invasion of privacy.

Viewing of live images on monitors should usually be restricted to the operator unless the monitor displays a scene which is also in plain sight from the monitor location.

and as an example:

Example: Monitors in a hotel reception area show guests in the corridors and lifts, i.e. out of sight of the reception area. They should be turned so that they are only visible to staff, and members of the public should not be allowed access to the area where staff can view them.

and also the following on the release of footage:

Any other requests for images should be approached with care, as a wide disclosure of these may be unfair to the individuals concerned. In some limited circumstances it may be appropriate to release images to a third party, where their needs outweigh those of the individuals whose images are recorded. Example: A member of the public requests CCTV footage of a car park, which shows their car being damaged. They say they need it so that they or their insurance company can take legal action. You should consider whether their request is genuine and whether there is any risk to the safety of other people involved.

and even better on the next page concerning responsibilities and the display of signs:

Signs should: be clearly visible and readable; contain details of the organisation operating the system, the purpose for using CCTV and who to contact about the scheme (where these things are not obvious to those being monitored); and be an appropriate size depending on context, for example, whether they are viewed by pedestrians or car drivers.

Typically the one thing you do see in any public area in the UK with CCTV, is an indication that CCTV is in operation, hopefully if the guidelines are followed and the signs go up in shops and they will see some drop in customer numbers because people are not willing to accept that level of invasion of privacy.

Specifically, BT are being investigated by the ICO after it turned out that they sent PlusNet subscriber data to ACS:Law in an unencrypted format; they're also technically in contempt of court as the court order requiring them to hand over said data explicitly required it to be encrypted.

This has interesting implications for UK businesses which outsource functions to India. The Data Protection Act requires that where processing of personal data is done in other countries, the same protections are applied to the data as if it were being processed in the UK.

One of the requirements is knowing who has access to the data and what they will use it for. I would have thought that allowing $Unnamed_Govt_Official access to the data for $Unspecified_Offical_Purpose would be a clear violation of this requirement

Unfortunately as consumers, we have few options for making much of a difference to a company's behaviour by moving to a competitor as they're all at it! However, a flood of complaints to the Information Commissioner's Office may provoke some kind of response....perhaps a few companies might start rethinking the false economy of outsourcing...

Firstly, in the UK, the data protection act comes into play, especially considering the level of insight that browsing info can give about many of the items listed on the "Sensitive personal data" list.

Secondly, wiretapping legislation specifically forbids monitoring of telephone communications except in specific circumstances, whether they are encrypted or not. It's hardly a stretch to apply the same logic to internet communication.

Quick question: is it worth getting the statutory £2 report from all of the companies (incidentally, the ICO only lists three) or will it be sufficient to go with one?

Not that it particularly matters at £2 per go, I suppose, but it'd still save some time if it turns out they're all working from shared info.

That's fairly crazy to me. If it's legal to keep and store data in paper records without a license

It isn't in the UK -- the laws apply equally to both paper and electronic records. "Data" as covered by the Data Protection Act includes "information which is being processed by means of equipment operating automatically in response to instructions given for that purpose," (i.e. a computer), and "any set of information relating to individuals to the extent that, although the information is not processed by means of equipment operating automatically in response to instructions given for that purpose, the set is structured, either by reference to individuals or by reference to criteria relating to individuals, in such a way that specific information relating to a particular individual is readily accessible". See here

I don't know about Sweden, but in the UK there are specific exemptions for individuals holding personal data like an address book.
"The most comprehensive exemption applies when personal data is processed by a data controller who is an individual (not an organisation) only for the purposes of their personal, family or household affairs.

Example
An individual keeps a database of their friends’ and relatives’ names, addresses and dates of birth on their PC. They use the database for keeping track of birthdays and to produce address labels for Christmas cards. The domestic purposes exemption applies to this type of processing.

Example
An individual records the highlights of their summer holiday on a digital camcorder. The recording includes images of people they meet on holiday. Although those digital images are personal data, the domestic purposes exemption applies.

None of the data protection principles apply in these circumstances, nor do any of the rights which the Act gives to data subjects. There is also no need to notify the ICO about processing for these purposes.

So there is an almost total exemption from the Data Protection Act for individuals who just use personal data for their own domestic and recreational purposes. However, the Act still applies to the extent that the ICO may investigate if someone seems to have gone beyond the scope of the exemption, and we may take enforcement action where necessary."

If you have no expectation of privacy, why should it matter whether Google uploaded the data to a public site or merely collected and catalogued it?

But if there is an expectation of privacy, the point is that they processed the data rather than discarding it. US privacy law is practically non-existent but the EU has a substantial framework which is reflected in the laws of member states.

FWIW, it may even be illegal in the UK to listen in without permission to signals not from the Broadcast Service (i.e. commercial licensed radio), the Amateur Service and utility stations (e.g. navigation/weather). From the Wireless Telegraphy Act (1949), Section 5:

Any person who: [...]
(b) otherwise than under the authority of the Postmaster General or in the course of his duty as a servant of the Crown, either--
(i) uses any wireless telegraphy apparatus with intent to obtain information as to the contents, sender or addressee of any message (whether sent by means of wireless telegraphy or not) which neither the person using the apparatus nor any person on whose behalf he is acting is authorised by the Postmaster General to receive; or
(ii) except in the course of legal proceedings or for the purpose of any report thereof, discloses any information as to the contents, sender or addressee of any such message, being information which would not have come to his knowledge but for the use of wireless telegraphy apparatus by him or by another person, shall be guilty of an offence under this Act.

I'm not sure anyone's ever been prosecuted for (i), probably because it's difficult to define/discern what someone's "intent" is unless they also do (ii). Note this is an entirely separate and much older law than data protection laws, and it is necessary to discern when blanket permission is already given by the "Postmaster General" - e.g. there is explicitly no expectation of privacy on the Amateur Service and every amateur licensee should have learnt this.

I am the story's submitter. My original submission included a link to the mathematician's web page about this; the page has many more details. There have also been other news stories, e.g. at the BBC.

The UK Freedom of Information Act has exemptions for data that has not yet been used in publications, vexatious requests, etc.

It seems evident that most who deal with them just hand this stuff over, and then wonder why they end up being owned.

In the end it turned out good for me since I looked elsewhere and got a much better service on phone numbers - but at the time it looked to me as if I was paying a cost (today) for trying to keep secure (future). They do not need my credit limit for their purposes, I am concerned about what is happening with such information that others have given them; I will report them to the UK ICO.

We French have a law (roughly called "IT and privacy) that guarantees us the right to see and amend any data about us retained in computer form. I'm of half a mind to request my file from Google, for curiosity's sake.

Section 7 of the UK's Data Protection Act covers something similar but for any data - not just that held in digital form:

(1)....an individual is entitled—

1. (a) to be informed by any data controller whether personal data of which that individual is the data subject are being processed by or on behalf of that data controller,
2. (b) if that is the case, to be given by the data controller a description of—
   1. (i) the personal data of which that individual is the data subject....
3. (c) to have communicated to him in an intelligible form—
   1. (i) the information constituting any personal data of which that individual is the data subject, and
   2. (ii) any information available to the data controller as to the source of those data,

Effectively this means that any individual is able to have any data on them disclosed to them and there are further provisions for having the data corrected if it is inaccurate. However, the data controller responsible is entitled to charge for providing the data, (possibly planning to prevent mass-spamming of requests). All data controllers are required to be registered with the Information Commissioner's Office which has a database of all the data controllers (that is publicly searchable). That's also the reason why, at least in the UK, if somewhere as CCTV cameras they are legally obliged to have a large sign saying so and making it clear who has all the recordings etc.. The Data Protection Act is an impressively complicated piece of legislation, though, so there are lots of other requirements and get-outs (it consists of 8 pages of raw law and 12 pages of schedules).

The Freedom of Information Act only applies to public authorities as defined in the Act and includes companies that are wholly owned by public authorities. Oh, and even then, if it'll take more than 10 hours to prepare, they don't have to. That's NuLabor(TM) for you.