Helen is the managing director of a small company advertising lesser-known musical artists on the Internet though a (fictional) website called www.lesserknownartist.com. The business model is simple. Her company obtains income from each musician listed on her website that is visited by a person through a hyperlink on www.lesserknownartist.com. The company also obtain a small percentage of any merchandise that is sold during these visits. By ensuring that her website features prominently on search engine results pages, she can increase her company’s income through ‘hits’ on to the advertised websites.
Helen has built the company up to be very successful and each month it makes a very healthy financial profit. She has a very strong work-ethic, which was drummed into her from her youth and Helen believes that all of her staff should have the same approach to work. To this end, Helen believes that the office computers, which are all connected to the Internet, should only be used for work purposes and that her three employees should not use the work computers for personal use. Indeed, there is a policy that makes it abundantly clear that employees may not use the work computers for personal use (including emails, online shopping and social networking). However, Helen is concerned that her employees are using the computers for personal use and therefore decides to monitor the usage of the work computers. Helen introduces a system that monitors websites that are visited by her employees during working hours. Helen reads the monitoring reports and places them in her employee folders, which contain personal information and bank details. She regularly leaves these folders on her desk, where anyone could access them.
Although her employees only work traditional office hours, Helen’s work ethic often means that she remains in the office until late at night trying to devise methods to move her website from simply having a national profile to an international profile. One method Helen uses is that she writes a number of blogs for people who are interested in fringe musical artists. She comments on new groups and occasionally advertises her website if her readers want additional information. All the blogs are freely available online. On one blog (operated by ‘thoughtsonline’ – a nationally recognised blog facilitator) Helen uses a pseudonym ‘musicchick1967’ when posting comments; one such comment that she wrote says that the members of a band called ‘TClub8’ (a band targeted at children and young people) are regular drug-users and are major figures in the underworld sex industry. Helen is not aware if these allegations are true, but she is annoyed that the band has not paid an invoice, which has been owed for some time. ‘TClub8’ are very angry about these allegations as the allegations have reached the national press. They consider the comments to be defamatory. Helen understands that a national music magazine has come into the possession of her identity. Helen wants her identity to remain secret and has told the national magazine this.
Helen is also aware of the power of internet advertising and regularly sends out emails to visitors to her site, who have signed up for the email alerts. Helen wants to reach more people with these emails as it is a very cheap and effective way of advertising. Therefore she purchases a piece of software that can manufacture hundreds of emails a minute to enable her to reach a wider audience. Helen begins to send these emails out.
Helen’s employees have discovered about her monitoring their activities and are very distressed. She is also very concerned about the possibility of her identity being revealed as both ‘thoughtsonline’ and the national magazine have ascertained her identity. Her concern about her identity being revealed is also due to her concern that ‘TClub8’ may commence a defamation action against her. Aware of this, Helen subsequently removed the posting. It had been online for twelve weeks and 56 people (all based in the United Kingdom) had viewed it. Helen has also received
correspondence from the Information Commissioner about the emails that she has been sending out advertising her website.
Advise Helen on the legality of her actions and the likelihood of legal action being taken against her.
CYBER LAW – ADVISING HELEN
With a view to advising Helen regarding the legality of her actions and the potential for legal action being taken against her, there is a need to evaluate Helen's concerns in relation to her employees using office computers for personal use that led to the introduction of a system that monitors websites visited during working hours. This is because Helen not only reads the monitoring reports but also places them in her employee folders which includes their personal information and regularly leaves them on her desk. Helen's actions illustrate the fact privacy has become something of an afterthen the reality is no modern technology is more threatening to individual privacy rights than the Internet. Such a view is founded on the fact that computer technology's ongoing development has served to permit researchers and those who would illicitly use such information to collect data cheaply via the Interneince even the most technically inept layperson can store, use, and misuse personal data in powerful new ways
Individuals should be able to control the use of their own personal informatihilst also focussing on externalities regarding private data's uncompensated usnd still more have considered property-related policy approaches to privacy to reflect the fact expectations shiftuch a view is based on the fact that where companies increasingly pay or otherwise compensate consumers for the use of their personal information, expectations in this area shiftddition, one person’s ‘enhanced information’ can invade another’s privaccause respect for individual's privacy is becoming increasingly susceptible to the Internet with systems like that which Helen has implemented to monitor her employees activitiesviduals rights to privacy are recognised under Article 8 of the European Convention on Human Rights (ECHR) 1950 (enacted domestically via the Human Rights Act (HRA) 1998) and interference with this right is illegitimate unless it falls under Article 8(2) since it needs to - (i) have a legal basis; (ii) with a need for the measure in a democratic society; and (c) conform to one of the ECHR 1950's aims Helen is unlikely to be
8 E. de Grazia Blumenfeld ‘Survey, Privacy Please: Will the Internet Industry Act to Protect Consumer Privacy Before the Government Steps In?’ (1998) 54 Bus. Law. 349 at pp.351-352. 9 D. R Tan ‘Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States & the European Union’ (1999) 21 Loy. L.A. Int'l & Comp. L. Rev. 661 at pp.662-63. 10 B. Zammit ‘Traffic data retention under EC law - implications for the industry’ (2005) 11(1) C.T.L.R. 17-22.
able to fulfil these exceptions so, as opposed to monitoring employee data, to limit the impact of legal action being taken against she should look to limit access to specific websites and/or inform her employees that she is monitoring their activity during work hours and that action will be taken against them if they do not adhere to her policy
However, whilst the law in this area is founded upon the Regulation of Investigatory Powers Act
2000 and the Data Protection Act 1998, employers should actually look to the Employment
Practices Data Protection Code (specifically Part 3 regarding monitoring at work) that was issued
by the Information Commissioner as a statement of good practice that aims to balance workers
rights against employers needs through the consideration of human rights under the ECHR
Fundamentally, there is a need for an employer to establish a policy and communicate it to their
employees. But, whilst an employer could ban all personal email and internet use, since this solves
the problem of having to distinguish between personal and business communications because
intercepting personal communications are not authorised under the Telecommunications (Lawful
Business Practice) (Interception of Communications) Regulations 2000, this may prove very
unpopular with employeesTherefore, there is a need for employers to consider what is
proportionate in the circumstances because the Employment Practices Data Protection Code also
recognised the need for an impact assessment where employers decide if and how to monitor by
considering whether any adverse impact is justifie
An impact assessment involves recognising why a policy such as that put forward by Helen
identifying the purposes for the monitoring, the benefits it should deliver, any adverse impact,
alternatives to monitoring, the legal obligations involved and whether this is justified.But a
minimalist approach to monitoring is favoured whilst still complying with the terms of the RIPA
2000 and the DPA 1998. At the same time, however, the Telecommunications (Lawful Business
11 D. I. Bainbridge 'Introduction to Information Technology Law' 6th Edition, Pearson Longman (2007) at pp.121-134.
12 Out-Law.Com 'Monitoring Your Employees' E-mails Legally' Out-Law.com (September 2008). 13 Ibid. 14 Out-Law.com 'The Laws Relating to Monitoring your Employees' Out-Law.com (September 2008). 15 Out-Law.Com 'Monitoring Your Employees' E-mails Legally' Out-Law.com (September 2008).
Practice) (Interception of Communications) Regulations 2000 served to provide another means of
lawful authority since the monitoring is for one or more of the purposes specified in the Regulations
including ascertaining compliance with regulatory or self-regulatory practices or procedures,
detecting unauthorised use and preventing or detecting crimeIt is then for the system controller
to show they have taken reasonable steps to inform everyone of the remit of the system.
The problem with such a policy, however, is that the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 only apply to business and not personal communicationsddition, the Employment Practices Data Protection Code reinforces the point if monitoring involves interceptions of the content of non-business related communications then this is unlawful so employers need to consider how they will complyThen, where it is shown that Helen has lawful authority, she must try to inform people about the interceptions being undertaken and, as a checklist, employers should develop a clear policy, communicate it to employees, create audit trails, enforce the policy and consider alternatives
With regards to Helen's blog writing on ‘thoughtsonline’ using a pseudonym ‘musicchick1967’, one
comment she wrote said a band called ‘TClub8’ (targeted at young people) are regular drug-users
and significant figures in the sex industry even though Helen is not aware if these allegations are
true (she is annoyed the band did not pay an invoice). On this basis, although Helen subsequently
removed the posting after twelve weeks, this still could be considered defamation since a
defamatory statement is one that would serve to lower 'Tclub8's' standing “in the estimation of right-thinking members of society” Then, subject to the recognised differences between libel
(i.e. statement made in permanent and slander (i.e. spoken), 'TClub8' must show what was
written – (i) was defamatory;(ii) referred to themand (iii) was published to a third partyIt
is then for Helen to prove it was - (i) the trut(ii) fair as a matter of public interestor (iii)
16 Ibid. 17 Out-Law.com 'The Laws Relating to Monitoring your Employees' Out-Law.com (September 2008). 18 Ibid. 19 Out-Law.Com 'Monitoring Your Employees' E-mails Legally' Out-Law.com (September 2008). 20 Sim v. Stretch  2 All ER 1237 at p.1240, per Lord Atkin. 21 See, for example, Youssoupoff v. MGM Pictures Ltd (1934) 50 TLR 581. 22 See, for example, Sim v. Stretch  2 All ER 1237. 23 Eastwood v. Holmes (1858) 1 F&F 347 at p.349, per Justice Willis. 24 See, for example, Bryanston Finance v. De Vries  QB 703. 25 See, for example, section 5 of the Defamation Act 1952. 26 See, for example, Reynolds v. Times Newspapers  4 All ER 609.
was made on a privileged occasiThen, if the judge rules in a given case that no reasonable
person would conclude a statement was defamatory, the case will fail otherwise the words will be
put to the jury and the judge will ask them to decide
As well as the standard libel defences, however, there are also special defences including section 1(1) of the Defamation Act 1996 that provides “In defamation proceedings a person has a defence if he shows that (a) he was not the author, editor or publisher of the statement complained of, (b) he took reasonable care in relation to its publication, and (c) he did not know, and had no reason to believe, that what he did caused or contributed to the publication of a defamatory statement”. Therefore, such a defence should protect a web publisher from the problems that can arise with regards to the use of defamatory user comments so long as the publisher has taken ‘reasonable care’ and has no involvement with or knowledge of the statement and they should have been removed when they became aware that they may be defamatory. In addition, it is also to be appreciated that it was recognised in the case of Milne v. Express Newspaperhat honest mistakes need not give rise to protracted legal proceedings. This is because it was recognised that an unqualified offer of amends under section 2 of the Defamation Act 1996 could be appropriate in the circumstances because Express Newspapers were allowing the amount of damages and the form of any apology to be settled by the court if they could not be agreed with Milne section 4 provides that someone like Helen who makes an offer of amends will not be able to rely on that if they “knew or had reason to believe” that the statement complained was false and defamatory. However, what someone knows or has reason to believe at any given time depends on the facts available
Regarding the protection of Helen's identity, an individual's right to privacy has proved somewhat
difficult to define since it is a bundle of rights with a variety of justificationsincluding the right
to limit access to personal informatiSpecifically, Lord Chief Justice Woolf recognised in A v.
a duty of confidence would arise whenever a media outlet knows or ought to know someone
like Helen can reasonably expect their privacy to be protected under the ECHR 1950.This is
because, unlike someone like the model and 'Dancing on Ice' contestant Heather Mills who failed in
her action against the press when seeking an injunction preventing the disclosure of her new
27 See, for example, Chatterton v. Secretary of State for India  2 QB 189. 28 See, for example, Lewis v. Daily Telegraph  AC 234. 29 Milne v. Express Newspapers  EWHC 2564. 30 E. Alanko ' Offer of Amends' Defence under the 1996 Defamation Act' Press Gazette (13th December 2002). 31 Ibid. 32 See, for example, the decisions in A-G v. Guardian Newspapers Ltd (No 2)  3 All ER 545 & R v. Khan  3 All ER 289. 33 See, for example, Gaskin v. United Kingdom A 160 (1989) 12 EHRR 36 & R v Secretary of State for the Home Department, ex p Doody  1 AC 531. 34 A v. B  QB 195. 35 Campbell v. MGN  2 WLR 1232.
addressHelen did not actively court publicity with her use of a pseudonym (‘musicchick1967’)
as opposed to her own nameBut the freedom of expression under Article 10 of the ECHR 1950
does not always sit well with the right to privacy since there is usually a need to favour the
recognition of one right or another in practice on the facts of a given case in the cirucmstances as
and where it arisesInterference with Helen's right to a private life that is recognised under
Article 8(1) of the ECHR 1950 is, however, legitimate if it falls under Article 8(2) where there is (i)
a legal basis; (ii) a need in the democratic society; and (iii) it conforms to one of the ECHR 1950's
However, in the case of Author of a Blog v. Times Newspaperhe facts the applicant blogger applied for an interim injunction to stop the newspaper from publishing regarding his identity being publicly revealed. The applicant was a detective constable who wrote in his blog about his police work and what he thought about related social and political issues and he was worried about a significant risk of disciplinary action as a result. But, whilst the respondents managed to discover the identity of the blogger through a process of deduction and investigation, the applicant argued his anonymity should be maintained, since he had a reasonable expectation of privacy as the author and because there was no countervailing public interest. However, the court refused the application under Article 8 of the ECHR 1950 because the applicant had been unable to demonstrate sufficiently he had a legally enforceable right to stay anonymous. The court considered previous cases where the claimant had been successful and found the information was usually of a strictly personal nature in such cases. Therefore, the court held the applicant did not have a reasonable expectation of privacy over the information being published in his blog since it is a public activity and the court also felt there was significant public interest in their identity being revealed.
Finally, regarding Helen's use of software to manufacture hundreds of emails a minute, Helen needs
to be advised that 'spam' has been described as unsolicited advertisements sent in bulk to numerous
e-mail inboxes and is often pornographic, sexual or financial.With this in mind, the Data
Protection Directive was passed at the European Union (EU) level through which Member
36 Mills v. News Group Ltd (2001) EMLR 957. 37 Woodward v. Huchins  1 WLR 760. 38 Kaye v. Robertson  FSR 62. 39 B. Zammit ‘Traffic data retention under EC law - implications for the industry’ (2005) 11(1) C.T.L.R. 17-22. 40 Author of a Blog v. Times Newspapers  EWHC 1358. 41 K. M. Rogers 'Viagra, viruses & virgins: a pan-Atlantic comparative analysis on the vanquishing of spam' (2006)
22(3) Computer Law & Security Report 228-240.
Statesmust enact legislatias part of the world’s most ambitious data privacy initiativeEU
policy makers recognised early on those serious about protecting individuals data privacy rights
would fail without controlling data use beyond the EU because of the Internet's wholly global
natureBut, although the Data Protection Directiwas limited because it only protected
‘personal data someone notified of personal data collection is protected through ‘opt-iand
‘objection rights– although such protections were also somewhat restrictive.Therefore,
questions remain regarding whether Member States should not allow data subjects to object when
data is being processed because it is required “for the performance of a contract to which the data subject is partyso this may exemplify a class of cases defined by the data processor employing
discretion through which a data subject may well disagree is justified “for compliance with a legal obligation to which the controller is subject“to protect (their) vital interests”
Legislation domestically implementing the Privacy Directihrough the Privacy & Electronic Communications (EC Directive) Regulations 2003 was meant to combat ‘spam’ because Article 1 of the Directive served to harmonise “the provisions . . . required to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the electronic communication sector”. Moreover, Article 13(4) provided no one should “transmit, nor instigate the transmission of, a communication for the purposes of direct marketing by means of electronic mail – (a) where the identity of the person on whose behalf the communication has been sent has been disguised or concealed; (b) where a valid address to which the recipient of the communication may send a request that such communication cease has not been provided”. Therefore, Helen's activities would not be said to violate this regulation if she used a valid subject line, her real name and a valid return address because Regulation 8 of the Electronic Commerce (EC Directive) Regulations 2002 provided where an unsolicited commercial communication is sent it must be “clearly and unambiguously identifiable” - although Regulation 22(3) provided methods through which someone may give consent to allow
42 Data Protection Directive, Council Directive 95/46/EC, 1995 O.J. (L281) – see also D. Rowland & E. Macdonald 'Information Technology Law' 2nd Edition, Cavendish Publishing (2005) at pp.322-346. 43 S. R. Salbu ‘The European Union Data Privacy Directive & International Relations’ (2002) 35(2) Vanderbilt Journal of Transnational Law 655. 44 Data Protection Directive, Council Directive 95/46/EC, 1995 O.J. (L 281) at Preamble (paragraph 56) – see also D. Rowland & E. Macdonald 'Information Technology Law' 2nd Edition, Cavendish Publishing (2005) at pp.322-346. 45 Ibid. 46 Ibid at Article 2(a). 47 Ibid at Article 7. 48 Ibid at Articles 14-15. 49 Ibid at Article 7(a). 50 Data Protection Directive, Council Directive 95/46/EC, 1995 O.J. (L 281) at Article 7(b). 51 Ibid at Article 7(c). 52 Ibid at Article 7(d). 53 Privacy Directive, Council Directive 2002/58/EC,  O.J. (L201).
'spam' to be sent to a passive recipient if they contact Helen's business by way of a ‘soft opt-i
There is, however, a problem with the understanding of the level of consent needed here because the recipient needs to consent to being sent commercial e-mail where - (a) it is “in the course of the sale or negotiations for . . . a product or service”; (b) it is for “similar products or services only”; and (c) “there is a simple method of refusing the use of . contact details for the purposes of such direct marketing”. On this basis, Regulation 30 of the Privacy & Electronic Communications (EC Directive) Regulations 2003 provides anyone suffering 'damage' due to a contravention of the regulations “shall be entitled to bring proceedings for compensatixcept where they “had taken such care as . . . was reasonably required”fusal to comply with the Regulations is a criminal offence with a ￡5,000 fine in a Magistrate’s Court that is unlimited in a higher court. But the Information Commissioner has not succeeded in any prosecutions, since private prosecutions have proved more successful with limited awards in damages plus costs in Scottish cases
On this basis, to conclude Helen has breached her employees rights to privacy by monitoring their use of the Internet during office hours without their knowledge or consent under Article 8 of the ECHR 1950 so there is the possibility of legal action being taken against her. Therefore, Helen should have informed her employees of what she was doing and/or looked to implement a policy whereby internet access was restricted during office hours for her employees to complete their work. Helen also needs to be advised there is a strong likelihood the band 'TClub8' would be able to successfully take action for defamation against her for her actions since her right to privacy may not be upheld where Article 8(2) of the ECHR 1950 is found to apply because it is in the interests of justice. Moreover, on the basis of the decision in Author of a Blog v. Times Newspapert has been recognised that Helen's identity may be publicly revealed by a publication like a newspaper because of the fact that blogging is a public activity and it may be considered to be in the public interest to reveal her identity in view of the actions that she had previously taken. Then, regarding Helen's use of 'spam', this could also be subject to significant action since 'spam' is not permitted under the EU law identified as part of this discussion so, whilst the Information Commissioner has not yet been successful in any of its attempted public prosecutions, Helen could still be subject to successful a private prosecution. Bibliography Text Books
D. I. Bainbridge 'Introduction to Information Technology Law' 6th Edition, Pearson Longman
54 Ibid. 55 Privacy & Electronic Communications (EC Directive) Regulations 2003 at Regulation 30(1). 56 Ibid at Regulation 30(2). 57 See Out-Law.com 'How to sue a British Spammer' Out-Law.com (5th January 2006) & Out-Law.com 'Sheriff awards damages of £750 for single spam e-mail' Out-Law.com (January 2006).
58 Author of a Blog v. Times Newspapers  EWHC 1358. 'Halsbury's Laws of England' Lexis Nexis, Butterworths (2009)
K. Basho ‘Comment, The Licensing of Our Personal Information: Is it a Solution to Internet Privacy?’ (2000) 88 Cal. L. Rev. 1507
M. Chetwin & B. Clarke 'The relative effectiveness of technology v legislation in curtailing spam'
E. de Grazia Blumenfeld ‘Survey, Privacy Please: Will the Internet Industry Act to Protect Consumer Privacy Before the Government Steps In?’ (1998) 54 Bus. Law. 349
S. A. Hetcher ‘The Emergence of Website Privacy Norms’ (2001) 7 Mich. Telecomm. & Tech. L. Rev. 97
M. W. Heydrich ‘Note, A Brave New World: Complying with the European Union Directive on Personal Privacy Through the Power of Contract’ (1999) 25 Brook. J. Int’l L. 407
J. Kang ‘Information Privacy in Cyberspace Transactions’ (1998) 50 Stan. L. Rev. 1193
K. M. Rogers 'Viagra, viruses & virgins: a pan-Atlantic comparative analysis on the vanquishing of spam' (2006) 22(3) Computer Law & Security Report 228-240
S. R Salbu ‘The European Union Data Privacy Directive & International Relations’ (2002) 35(2) Vanderbilt Journal of Transnational Law 655
D. R Tan ‘Comment, Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States & the European Union’ (1999) 21 Loy. L.A. Int'l & Comp. L. Rev. 661
E. Alanko ' Offer of Amends' Defence under the 1996 Defamation Act' Press Gazette (13th
Out-Law.com 'How to sue a British Spammer' Out-Law.com (5th January 2006)
Out-Law.com 'Monitoring Your Employees' E-mails Legally' Out-Law.com (September 2008)
Out-Law.com 'Sheriff awards damages of ￡ 750 for single spam e-mail' Out-Law.com (January
Out-Law.com 'The Laws Relating to Monitoring your Employees' Out-Law.com (September 2008)
Table of Cases A-G v. Guardian Newspapers Ltd (No 2)  3 All ER 545
Author of a Blog v. Times Newspapers  EWHC 1358
Bryanston Finance v. De Vries  QB 703
Chatterton v. Secretary of State for India  2 QB 189
Gaskin v. United Kingdom A 160 (1989) 12 EHRR 36
Lewis v. Daily Telegraph  AC 234
Mills v. News Group Ltd (2001) EMLR 957
Milne v. Express Newspapers  EWHC 2564
R v. Secretary of State for the Home Department, ex p Doody  1 AC 531
Reynolds v. Times Newspapers  4 All ER 609
Sim v. Stretch  2 All ER 1237
Woodward v. Huchins  1 WLR 760
Youssoupoff v. MGM Pictures Ltd (1934) 50 TLR 581
Table of Statutes
Data Protection Directive, Council Directive 95/46/EC, 1995 O.J. (L 281)
Electronic Commerce (EC Directive) Regulations 2002
Privacy Directive, Council Directive 2002/58/EC,  O.J. (L201)
Privacy & Electronic Communications (EC Directive) Regulations 2003
Regulation of Investigatory Powers Act 2000
Dr. Daniel R. Jones 4201 South Washington Street Marion, IN 46953 Telephone: 765-677-2296 Fax: 765-677-2455 E-mail: [email protected] 9389 Rockwood Court, Noblesville, IN 46060 PERSONAL: CAREER SUMMARY: I have been blessed with opportunities to learn and serve in the dental, biomedical research, and teaching fields. I am most grateful for the opportunity to serve Christ at Ind
Advance Access publication 24 December 2008Analgesic effects of treatments for non-specific low back pain:a meta-analysis of placebo-controlled randomized trialsL. A. C. Machado1, S. J. Kamper1, R. D. Herbert1, C. G. Maher1 and J. H. McAuley2Objective. Estimates of treatment effects reported in placebo-controlled randomized trials are less subject to bias than those estimatesprovided by other s