CASE STUDY 8/99
Telecommunications company - electronic publication of telephone directory on the Internet and CD-ROM - advanced and novel search capabilities - whether compatible with purpose for which data were obtained
A telecommunications company transferred the database of its telephone subscribers to a subsidiary company, which was tasked with arranging for publication of a telephone directory. The subsidiary published the directory in paper format and also in electronic format as a CD-ROM and, later, published the electronic directory on the Internet as well. Several individuals complained about the data protection implications of the electronic publication of the telephone directory. The complaints fell into the following two categories:
· Some people were unhappy that the telephone directory, which traditionally was published in paper format, should be made available in electronic format. These complainants had no objection to their details being available for manual searching, but considered that electronic publication was qualitatively different and was not something to which they had consented.
· Other people had no objection in principle to their data being available in electronic format, provided that the search capabilities of the electronic version were restricted to what was available in the manual directory. Their complaint was that the Internet directory was capable of being searched in completely new ways, which could undermine their privacy.
In data protection terms, the issue to be considered was whether the publication of the electronic directory, and the novel uses of personal data involved in such publication, were compatible with the purposes for which the personal data had been obtained and were kept by the data controller, as required by section 2(1)(c)(ii) of the Data Protection Act.
In considering whether a particular use of personal data is compatible with the purpose for which the data were obtained and kept, a useful question to ask is: what would a data subject have reasonably expected to happen to his or her data at the time the data were obtained? In the case of telephone directory information, the answer to this question is, in my view, that individuals would normally have expected their data to be made publicly available in the manual telephone book (unless, of course, they had expressed a preference for their telephone number to be ex-directory or unlisted). Many telephone subscribers, in my view, would not have been aware that an electronic version of the manual telephone directory existed, or would exist in the future. Does this imply that subscribers should have been asked for their consent before their details were included in the electronic directory? Having considered the matter in detail, I came to the view that if an individual was content to have his or her details included in a manual telephone directory (where the option not to do so was readily available), a telecommunications company was reasonably entitled to assume that the individual would not object to the same details being made available in electronic format. The electronic medium is simply one of a number of ways in which details can be made available publicly. Where appropriate safeguards are in place, electronic publication of itself need pose no additional risks to the privacy of the persons concerned.
However, to the extent that electronic publication is coupled with novel capabilities for the processing of personal data, then additional data protection issues arise for consideration. In the case in question, two distinct forms of processing could be identified for both the CD-ROM and Internet versions of the directory. First, the looking-up of a particular telephone directory entry based on the subscriber's name could be accomplished in a rapid fashion, by virtue of the computerised nature of the directory. I did not view this processing function as being novel, since this function simply replicated, in an efficient and convenient way, the traditional manner of looking up entries in a paper telephone directory. Second, the directory also facilitated the looking-up of subscriber details based on address. In other words, a particular address could be typed into the directory, without entering a subscriber name, and the directory would then show the name and telephone number of the subscriber at that address. Indeed, if a street name was entered, the directory would return a list of all the subscribers in that street, showing house numbers and telephone numbers.
In my view, this second processing capability was novel, since a traditional manual telephone directory could not be searched in this way. Some complainants made the point that this new search capability could have material consequences - for example, a burglar might use the reverse listings to obtain the telephone numbers for particular houses, and could call the telephone number for that address to confirm that no-one was home. In the light of such considerations, I concluded that subscribers could not reasonably be assumed to have consented to this new use of their personal data. Accordingly, I requested the telecommunications company to stop making the telephone directory available on the Internet, and to stop publishing the CD-ROM version pending discussions on the matter.
My Office had a productive dialogue with the telecommunications company, and the company agreed to modify significantly the electronic version of its directory. The modified electronic directory is now subject to the same search principles as the traditional manual directory, with some minor additions (such as the capability of searching names phonetically). Novel forms of searching, such as searching backwards from the address, are no longer possible.
Since this case was concluded, the Article 29 Group of EU Data Protection Commissioners has formalised its views on the general question of reverse telephone directories, reflecting significant input from my Office based on the Irish experience. The Article 29 Group's statement, due to be published shortly, affirms the principle that consent is required before a telecommunications company can subject its subscriber directory database to new search capabilities. The Group's statement also illustrates that lessons learned in the Irish context can positively influence the overall European environment for the protection of consumer privacy.