Global Privacy Dispatches
By Barbora Lezatková
Czech Data Protection Office Against Excessive Use of Cameras
The Czech Data Protection Office recently warned against the excessive use of cameras. The operation of cameras falls within the scope of the Czech data protection law if images and/or sounds are recorded, and if such recordings are used for identifying individuals. Video recording systems may be used only if it is not possible to achieve the objective of monitoring by other means that do not interfere with the privacy of individuals. When carrying out checks in the past year, the Czech Data Protection Office has discovered that video recording systems often are operated only as a precautionary measure without any attempts to employ other means to protect the property.
By Pascale Gelly
CNIL Issues Its Annual Report
The Commission nationale de l'informatique et des libertés (CNIL) activities have increased dramatically in the last three years by an estimated 570 percent. These activities also have changed in nature and philosophy. Important efforts were made toward simplification, including the issuance of four standards for simplified notifications; five exemptions from notifications; and eight unique authorizations.
The CNIL also has made use of its new powers granted by the 2004 Law by issuing 132 authorizations and 19 refusals of authorizations (use of SSN, use of digital prints). It also used its enforcement powers by sanctioning 18 data controllers and issuing four warnings.
In 2006, the CNIL received some 73,800 notifications and 3,572 complaints. The report demonstrates how understaffed the authority is (95 agents) in comparison with its European counterparts. "Among the 27 members of the European Union, France is one of the last 3 countries in terms of number of allocated agents," according to the report. The UK and Germany have respectively 270 and 400 agents, and the Czech Republic has 113 agents for only 10 million inhabitants (vs. 64 million in France). The report describes the topics addressed last year by the CNIL: concern about a surveillance society, Passenger Name Records, political solicitation, the measurement of diversity and RFID, among others.
CNIL Sanctions in 2006
In 2006, the CNIL initiated about 100 procedures because of complaints or as a result of an on-site investigation. In most cases, no sanctions were issued as infringers complied with the CNIL's injunction within the given time frame (10 days to 3 months). Still, 11 companies were ordered to pay fines ranging from $420 to $63,000; seven controllers received a formal injunction to stop or modify the data processing concerned; and four received a mere warning. Most of the cases involved banks, telecom operators, companies running direct marketing campaigns, and firms that failed to cooperate with the CNIL. A certain number of decisions were published. The total amount of fines was about $235,000.
Delocalization of Call Centres and IT Outsourcing
The CNIL has formed a working group to address the implications of delocalizations of call centres and IT outsourcing. The working group is expected to issue proposals by the end of 2007.
Is an IP Address Personal Data? Paris Court of Appeal: No. CNIL and the Article 29 Working Party: Yes
Last May, in two cases, the Paris Court of Appeal ruled that IP addresses are not personal data. As a result, the collection of IP addresses of computers on which MP3 files were downloaded illegally has been considered outside of the scope of the Data Protection Law of 1978.
The court considered that individuals could not be identified even indirectly. The CNIL, expressing great concern about this decision, brought it to the attention of the Ministry of Justice in the hope that the ministry files a request before the Supreme Court. Ironically, one month after the court's rulings, the Article 29 Working Party adopted an opinion on the concept of personal data confirming the CNIL's approach.
The Controversy on Diversity Continues
A legal amendment to the draft bill on immigration and integration, adopted by a Commission of the National Assembly at the end of September, has reignited the controversy around the need to measure diversity, which is criticized by part of French society as a denial of the right to equality.
The text intends to authorize the conduct of research on diversity of origins in order to permit better integration. The CNIL considers that this text implements its recommendation since, if finally approved, it would modify the Data Protection Act to subject such research to prior CNIL authorization. In May 2007, the CNIL issued a list of 10 recommendations on the measurement of diversity and the protection of personal data.
Reorganization at the CNIL
The CNIL services have been reorganized recently in order to ensure cross-departmental cooperation among services to better serve the CNIL's strategy: education/enforcement. Several promotions have followed. A department of experts, the Department of Legal and International Affairs and of Expertise, is now led by Sophie Vuillet-Tavernier, seconded by Sophie Nerbonne. Clarisse Girot and Guillaume Desgens are appointed head of European and International Affairs and head of Legal Affairs, respectively. Another important department is the Department of Relationship with Users and of Controls, whose Director is Jeanne Bossi. Thomas Deautieu is now leading the investigation department.
By Shannon Ballard, CIPP/G, and Lauren Saadat, CIPP/G
ISO Developing Privacy Framework
The International Standards Organization (ISO), an international standard-setting body based in Geneva, is developing a Privacy Framework standard.
According to a statement from the ISO to the International Conference of Data Protection and Privacy Commissioners (ICDPPC), "the standard will provide a framework for defining privacy safeguarding requirements as they relate to personally identifiable (PI) information processed by any information and communication system in any jurisdiction. The framework will be applicable on an international scale and will set a common privacy terminology; define privacy principles when processing PI information; categorize privacy features; and relate all described privacy aspects to existing security guidelines. The privacy framework will serve as a basis for desirable additional privacy standardization initiatives, for example, a technical reference architecture; the use of specific privacy technologies; an overall privacy management; privacy impact assessments; and engineering specifications."
According to working documents, the standard, based on the EU Directive 95/46/EC on the Protection of Personal Data, applies to government and the private sector, and therefore has the potential to impact U.S. government systems.
Canada, this year's host of ICDPPC, has drafted a resolution for presentation at the September meeting calling for support of the ISO standards and active involvement of members in the standards development process. The U.S. Department of Homeland Security has representation on the U.S. team to the ISO.
By Eduardo Ustaran
House of Lords Supports Data Breach Notification Law
A wide-ranging inquiry into personal Internet security conducted by the House of Lords' Science and Technology Committee has concluded that the government should pass a law requiring organisations to notify all affected parties in the event of a loss of confidential data.
According to Lord Harris of Haringey, a data breach notification law would "concentrate the minds" of companies holding data, because loss of data would have an impact on that organisation's reputation. The Information Commissioner's Office (ICO) is, however, more cautious about the merits of compulsory breach notification measures. In particular, the ICO wishes to avoid situations where people are unnecessarily notified of a privacy breach.
Ministry in Breach of Subject Access Right
The ICO has found the Northern Ireland Office (NIO), the UK Government department responsible for Northern Ireland affairs, in breach of the Data Protection Act after it failed to supply an individual with information it held on him.
The ICO investigated the NIO following a complaint from an individual that the authority had not responded to a subject access request. Under the Data Protection Act, individuals have the right to find out what information an organisation holds on them. The ICO has now required the NIO to sign a formal undertaking to ensure that all personal information is processed in accordance with the Data Protection Act. The NIO also must provide training to all employees who deal with subject access requests under
By Michael T. Spadea
Loan Applicants' Personal Information Stolen
Loans.co.uk, a wholly owned subsidiary of MBNA Europe, which in turn is owned by Bank of America, had the names, addresses, phone numbers and financial details of loan applicants stolen and subsequently provided to rival loan companies.
The company states that the stolen information appears to have been used only for marketing purposes. Victims report receiving aggressive marketing calls and increased mail regarding financial products. Loans.co.uk is offering victims one year's free subscription to a credit monitoring service. Potential victims, the ICO and the police have been notified.
EU Claims UK Data Protection Act Inadequate
The European Commission states that the UK Data Protection Act does not adequately implement articles 2, 3, 8, 10, 11, 12, 13, 22, 23, 25 and 28 of the EU Data Protection Directive.
These articles refer to manual files, sensitive personal data processing, fair processing notices, rights of data subjects and exemptions from these rights, data subject's remedies when a breach occurs, organizational liability for breaches, transfer of personal data outside the EU, and the powers of the Information Commissioner. The EU and UK are currently in discussions, but the EU has reportedly threatened legal proceedings if negotiations are not fruitful.