Upholding its reputation as one of the most flexible EU data protection authorities (DPAs), the Office of the UK Information Commissioner recently released Good Practice Note taking a surprisingly flexible approach to sale of databases containing consumers' personal data. To the initial question "Can databases be sold?," the Information Commissioner gave a qualified "Yes." The first circumstance in which the Information Commissioner notes that consumer databases may be sold is where the consumers included in the database have given their consent. The second, and more controversial, circumstance is the Information Commissioner's statement that if a business is insolvent, bankrupt, going out of business, or being sold, the "[UK Data Protection] Act will not prevent the sale of a database containing the details of individual customers, providing certain requirements are met." The "requirements" relate mainly to using the information for the "same or similar" purposes to those for which the information was gathered, and providing notice to consumers in the database of the sale. But nowhere does the Information Commissioner say that consumers must be given the chance to object to further use of their information upon a sale, and the authorization of "similar" use is quite flexible. Such guidance will certainly raise a few eyebrows at other EU DPAs.
© Copyright 2006 Steptoe & Johnson LLP
No comments:
Post a Comment