Unwieldy data

'Cooking up a recipe for data protection' (see [2001] Gazette, 28 June, 20) highlighted the issues arising when personal data is gathered on-line.The writers hit the nail on the head in stating that failing to obtain individuals' consent and, instead, implying such consent is likely to infringe the legislation.

The problem is that no one knows how consent should be given.

Certainly for sensitive personal data 'explicit consent' must be given, but for other personal data the Data Protection Act 1998 schedule 2(1) says the individual must have 'given his consent'.The newly named information commissioner appears to believe that a consent cannot be given by default (that is to say, by failing to 'opt out' when the opportunity is presented), but not all those involved in the direct mail industry agree, though it must be said that 'to give' is an active, not passive, verb.

It is a shame that rules of English grammar might decide the one issue on which clients expect the legislation to be clear.

My advice to the more robust clients, for whom huge sums of money will be lost if they move to opting in, rather than opting out, is wait until case law forces a move to opting in.

For those, including law firms, who export personal data from the European Union the voluntary standard clauses for data export adopted by the commission on 18 June can now be used to ensure lawful export in accordance with the eighth data protection principle, yet another legislative requirement.

However, be warned.

The clauses are long, legalistic, and hugely off-putting.

Perhaps they appropriately symbolise the impractical and non-commercial approach of the legislature in the data protection arena, legislation which is often in practice more honoured in the breach.Susan Singleton, Singletons, Pinner, Middlesex