The Handling of Legal Issues (Summary)
SCOPE
Issues dealt with in this guideline include:
- EC policy
- Data protection and privacy
- Encryption and authentication
- Filtering software
- IPR in metadata
POLICY ISSUES
Readers should note that there are virtually no examples of best practice or policies published in these areas, despite the fact that they are issues of great concern. This is commented upon further at the end of the report.
The EU has adopted a large number of Directives that are designed to encourage the development of an information society. In addition, the EU has published discussion documents and has organised a number of conferences and hearings of relevance.
The importance of EU initiatives cannot be under-estimated. In many regards, the EU leads the world in developing a regulatory framework for the information society, and many of these initiatives have significance for public libraries.
E-Commerce Directive
The E-commerce Directive 00/31/EC states that member states shall ensure that their legal systems allow contracts to be concluded by electronic means. The Directive also limits the liability of Internet Service Providers (ISP) under certain circumstances where the ISP acts as a mere carrier and has no control over the contents of messages sent.
This Directive is applicable to all kinds of e-commerce, and is therefore relevant wherever public libraries undertake commercial activities with third parties electronically. This would include, for example, the provision of electronic document delivery services, and the receipt of, or order for, documents or other materials by e-mail. The ISP rules will be of significance to those public libraries that host their own Web pages. The Directive will affect many public libraries, but knowledge of the Directive is not widespread. The Directive should have been implemented in member states by January 2002. Many member states have already adopted the Directive.
Key political issue – Governments are determined to push through further legislation and initiatives to encourage e-commerce.
Electronic Signatures Directive
The Directive for E-signatures (Directive 1999/93/EC) came into force in January 2000. All Member States should have implemented the Directive by 19 July 2001. The purpose of this Directive is to facilitate the use of e-signatures and to contribute to their legal recognition. The Directive sets certain minimum authentication standards before e-signatures have to be accepted in law. These are that the signature is:
- uniquely linked to the signatory;
- capable of identifying the signatory;
- created by means that the signatory can maintain under his sole control; and
- linked to the data to which it relates in such a way that any subsequent change of that data is detectable.
In practice, this can only be achieved using Public Key Cryptography. Few public libraries currently use such methods. It is therefore unlikely that the electronic signature Directive will have a high impact on public libraries immediately.
Under the Directive, electronic signatures have the same legal validity as traditional hand-written signatures across the Member States. Security remains one of the biggest fears for all kinds of businesses, but experts have claimed that it is much more difficult to forge an electronic signature than a hand-written one.
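The four properties listed above map directly onto what a public-key signature scheme provides. The following program is an added illustration, not part of the guideline, written with the Go standard library's Ed25519 implementation: a signature verifies only under the signer's own public key (uniquely linked to the signatory), a directory of registered public keys lets a verifier name the signer (capable of identifying the signatory), the private key never leaves the signatory (under his sole control), and changing even one byte of the signed document makes verification fail (subsequent change is detectable). The `Directory` type is a hypothetical stand-in for the certificate infrastructure a real deployment would use, and the order text is constructed sample input.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signatory pairs a name with an Ed25519 key pair. The private key is the
// "means under the signatory's sole control"; only the public key is shared.
type Signatory struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSignatory generates a fresh key pair for the named person.
func NewSignatory(name string) (*Signatory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{Name: name, pub: pub, priv: priv}, nil
}

// PublicKey returns the verification key that others may hold.
func (s *Signatory) PublicKey() ed25519.PublicKey { return s.pub }

// Sign produces a signature over the exact bytes of doc.
func (s *Signatory) Sign(doc []byte) []byte { return ed25519.Sign(s.priv, doc) }

// Verify reports whether sig is a valid signature on doc under pub.
// Any change to doc after signing makes this return false.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// Directory is a hypothetical stand-in for the certificate infrastructure that
// binds public keys to identified people; a real system would use certificates.
type Directory map[string]ed25519.PublicKey

// Identify reports which registered signatory, if any, produced sig over doc.
func (d Directory) Identify(doc, sig []byte) (string, bool) {
	for name, pub := range d {
		if Verify(pub, doc, sig) {
			return name, true
		}
	}
	return "", false
}

func main() {
	alice, err := NewSignatory("alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewSignatory("bob")
	if err != nil {
		panic(err)
	}
	dir := Directory{alice.Name: alice.PublicKey(), bob.Name: bob.PublicKey()}

	// Constructed sample document: an electronic document delivery order.
	doc := []byte("Document delivery order no. 17: 2 items")
	sig := alice.Sign(doc)

	who, ok := dir.Identify(doc, sig)
	fmt.Printf("signatory identified: %q (%v)\n", who, ok)

	// Alter one byte of the order after signing: the change is detectable.
	tampered := append([]byte(nil), doc...)
	tampered[len(tampered)-1] = '3'
	fmt.Println("verifies after tampering:", Verify(alice.PublicKey(), tampered, sig))

	// The signature is uniquely linked to alice; it does not verify under bob's key.
	fmt.Println("verifies under bob's key:", Verify(bob.PublicKey(), doc, sig))
}
```

The program prints that alice is identified, and `false` for both the tampered document and the wrong key. Note what the Directive's fourth property does not give: a signature proves the document was unchanged since signing, not that its content was true or that the signer had authority to place the order; those remain matters for the library's own procedures.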
(See also personalisation)
Key political point – Governments are determined that electronic signatures should have the same status as handwritten ones.
Data Protection
It is believed, whether justifiably or not, that governments and many private sector organisations are routinely collecting information about individuals for purposes that range from the bona fide to those which are sinister. Much of this information is easily and conveniently collected by electronic means. Data protection legislation is concerned with the handling of any information about individuals. That information handling can be in computerised form or in other forms, such as manual filing systems, tape recordings, CCTV footage, and the like.
Data protection law applies to information about individuals, whether it is totally innocuous, such as author entries in library catalogues, moderately sensitive information such as home addresses and phone numbers, or highly sensitive information, such as people’s criminal, medical or sexual histories. The EU Data Protection Directive makes sensitive personal information the subject of particularly stringent rules.
Data Protection legislation requires organisations that control records containing personal information about living identifiable individuals to register with an appropriate authority. The legislation also typically gives individuals who are the subject of such databases the right to know what records there are about them and the content of those records. There will be exceptions to permit the processing of data by government and related bodies for the purposes of crime prevention, national security, tax collecting etc. without having to inform the data subject.
In contrast to the EU, which has passed a Directive (EU Directive 95/46/EC) enforcing data protection, the USA is notable in having only limited protection at a federal level. The EU Directive requires that:
- Data users must register if they use personal data.
- Data subjects have the right to know that data are held about them, and to inspect what information is held about them.
- Data subjects can sue for damage caused by inaccurate data.
- Data users must abide by certain general principles and codes of practice.
- There are exemptions for matters of national security, crime prevention, etc.
- There must be systems in place to prevent unauthorised access, deletion or amendment of records.
- Data users must request permission of data subjects before handling personal data.
- Data subjects can in some circumstances insist that data about them are wiped.
- Manual systems as well as computerised systems are covered.
- Data subjects shall be entitled to know to whom data about them have been passed.
- No decisions about the data subject may be made purely relying on information obtained from personal data files.
The European Union Directive should have been implemented in all Member States by October 24 1998, although in fact some member states failed to do so.
The Directive prohibits the transfer of personal data to countries outside the EEA (European Economic Area) that do not have “an adequate level of protection”. As a result, the EU Directive has placed pressure on non-EEA countries to adopt privacy standards similar to the European standard. This particularly applies to the USA, which has virtually no data protection legislation in place. Two questions therefore arise: what is “transfer”, and what constitutes “an adequate level of protection”?
“Transfer” means either exporting data, or permitting people overseas to access the data. Placing personal data on the Internet permits people outside the EEA to access that data. Executives travelling from the UK to outside the EEA, or company Intranets that permit access to users outside the EEA, are just as problematic as more immediately obvious forms of transfer.
Three key features can be identified that are likely to indicate that an adequate level of protection exists. These are as follows:
- The presence of a data protection law.
- Rights for data subjects to inspect records about themselves, to demand rectification, and to sue for damage caused by inaccurate data.
- The presence of a supervisory body.
It is still unclear how broadly or narrowly adequacy will be defined beyond these basic principles. It is likely that evaluation will depend upon the particular circumstances of the data being transferred.
The USA at present has no federal data protection law. To get round this problem, the idea of “safe harbours” in non-EEA countries (and in particular the USA) has been developed. These are companies that commit to a set of privacy principles. Any data transferred is stored by the safe harbour and may not be transferred anywhere else in that country. Safe harbours voluntarily adhere to a binding set of data protection principles approved by the EU, and then enter into contracts with data controllers within the EU. The personal data could not be passed out of these safe harbours without special safeguards being implemented and approved.
Because of these issues, public libraries should be extremely careful about material they post on the Internet.
Key political point – the dispute between the USA and the EU means that those libraries that have a Web presence must be very careful about personal information they put on it.