European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Article 29 WP on Safe Harbor, Anonymisation, Data Controllers

April 18, 2014

“If the revision process currently undertaken by the European Commission does not lead to a positive outcome, then the Safe Harbor agreement should be suspended.” That was the message in a letter to Vice President and Commissioner for Justice Viviane Reding from Article 29 Working Party (WP) Chair Isabelle Falque-Pierrotin. The improvements made to modify Safe Harbor must be “valuable to the European Commission,” the letter states. Meanwhile, the WP has also issued an opinion on “making data processing legitimate.” The opinion states, “Beyond guidance on the practical interpretation and application of Article 7(f) under the current legal framework, it aims at formulating policy recommendations to assist policy makers as they consider changes to the current data protection legal framework.” A second WP opinion “analyses the effectiveness and limits of existing anonymisation techniques against the EU legal background of data protection and provides recommendations to handle these techniques by taking account of the residual risk of identification inherent in each of them.”

DATA RETENTION—EU

Member States React to CJEU Ruling

April 17, 2014

Since the Court of Justice of the EU (CJEU) rejection of the Data Retention Directive, several member states have taken action. Norway has changed plans to incorporate the directive into law, with officials confirming the government “will prepare a new proposal for data storage.” Swedish authorities, meanwhile, “won’t take action against an ISP that erased all retained communications metadata, even though there is still a law in place compelling providers to retain such data,” PC World reports. And in The Netherlands, the GroenLinks Party “plans to introduce legislation within two weeks ending the requirement for telecom and Internet companies to store data on customer communications.” This week, the IAPP’s Privacy Tracker legislative roundup includes, with other news from round the globe, the CJEU’s recent decision invalidating the directive. (IAPP member login required.)

HEALTHCARE PRIVACY—EU

Commission Launches mHealth Consultation

April 17, 2014

The European Commission has launched a consultation on mobile health (mHealth) and patient care, European Voice reports, in an effort “to improve the use of mobile devices such as smartphones and tablets.” European Commissioner Neelie Kroes noted, “mHealth will reduce costly visits to hospitals, help citizens take charge of their own health and wellbeing and move toward prevention rather than cure.” However, the report states, “there are rising concerns among patients about data protection and safety issues. The European Commission is now requesting information on how to deal with these issues and on what level—European or national.” The mHealth consultation will continue until 2 July.

PRIVACY LAW—SPAIN

AEPD Publishes Draft PIA Guide

April 17, 2014

Spain’s Data Protection Agency (AEPD) has published a draft privacy impact assessment (PIA) guide and “initiated a public consultation, open until 25 April, to garner opinion and comments on the guide,” Mondaq reports. The PIA guide provides “a framework to improve privacy and data protection in relation to an organisation's technological developments, with the aim of helping them identify, address and minimise data protection risks prior to the implementation of a new product or service,” the report states. In the guide, the AEPD discusses the importance of developing PIAs to show organisations are performing due diligence and developing “appropriate methods and procedures for addressing privacy risks,” the report states.

DATA LOSS—EUROPE

Hackers Infiltrate Computer Hardware Co., French Medical Group; Breaches Investigated in Ireland, UK

April 17, 2014

Hackers recently accessed the details of 500,000 individuals considering cosmetic surgery, The Guardian reports. The UK’s Harley Medical Group said it believes the hack was an attempt to extort money from the company, and the information includes potential clients’ names, addresses and telephone numbers. Also in the UK, the Information Commissioner's Office has said a "series of errors" by Wokingham Borough Council led to the delivery of a record "with no consideration given to its content." Meanwhile, French computer hardware manufacturer LaCie is notifying customers their personal information may have been compromised after hackers used malware to infiltrate transaction data from its website. Customers who bought products between March 2013 and March 2014 may have been affected. Meanwhile, in Ireland, the Data Protection Commission is investigating a breach at Cork Institute of Technology where applicants were “given portfolio assessment marks of other applicants instead of receiving just their own result.”

PRIVACY COMMUNITY—MALTA

Cachia Appointed Data Protection Commissioner

April 17, 2014

Malta has a new commissioner for information and data protection with the appointment of Saviour Cachia, who took the oath of office on Wednesday, Malta Independent reports. Education Minister Evarist Bartolo has asked Cachia “to review the legal notice which empowers him to collect data on students, from ability reports to their identification card number,” the report states, noting Bartolo has said he is seeking to “work hand in hand” with Cachia “in order to be guided to ensure protection of the data subjects.” The report states the Partit Nazzjonalista has written to Cachia contending Legal Notice 76 “is a threat to the dignity and privacy of students and their families.”

SURVEILLANCE—UK

Advocacy Group Concerned About CCTV Use

April 17, 2014

The Guardian reports on how communities used “fixed and mobile CCTV cameras to impose parking and traffic fines” totaling GBP 300 million in the past five years and raising concerns from privacy advocates. “Big Brother Watch said figures obtained under the Freedom of Information Act showed that the number of CCTV cars in operation had soared by 87 percent since 2009, despite a new code of practice saying CCTV should be used only sparingly for traffic offences,” the report states, noting 90 percent of the revenue raised came from boroughs of London.

PRIVACY LAW—BULGARIA

DPC, Electoral Commission To Meet on Complaints

April 17, 2014

Bulgaria’s Commission for Personal Data Protection will meet with the Central Electoral Commission (CEC), Focus Information Agency reports. “The Commission for Personal Data Protection is to launch a probe into the filed complaints and the work done at the CEC,” said Commission for Personal Data Protection Chair Ventsislav Karadzhov, adding, “We will provide instructions of technical nature to the CEC and consider the respective complaints.” The commission will also “impose the respective punitive measures if violations of laws are ascertained,” Karadzhov said.

CLOUD COMPUTING

Why Attempts To Physically Control Data Make No Sense

April 17, 2014

“With cloud computing, many fear losing control. True, supply chains may be complex … However, users can retain control in cloud computing—depending,” writes cloud computing expert Kuan Hon in this Privacy Tracker post. Using examples of the evolution of the EU Data Protection Directive and cases from the EU Court of Justice and the Danish Data Protection Agency, Hon outlines reasons the data export restriction and the “transfer to a third country” provisions are antiquated in today’s technological environment. “Nowadays, physically confining data to the EEA does not equate to or guarantee data protection. Yet vast amounts of time and resources are poured into compliance with the restriction, which could be better spent on improving information security,” Hon writes. (IAPP member login required.) Editor's Note: The IAPP and TRUSTe will present a free web conference, The Role of Privacy Seals and Certifications in Building Trust and Global Interoperability, on May 8.

INTERNET OF THINGS

Seeing Is Believing with Google’s New Smart Contact Lens

April 17, 2014

Wired reports on one of the latest projects from Google X lab, a smart contact lens with a built-in camera. An earlier iteration of the lens could be used to monitor blood glucose levels via tear fluid. This latest project would include a sensor, circuit and camera. The sensor could be used to detect light, pressure and temperature to give people a sort of “sixth sense.” According to the report, the technology “isn’t all that far off,” as clunkier versions have been tested, adding, “If these contact lenses ever do come to market, it means you can leapfrog the Glasshole stage and go straight to Lenshole.”

PRIVACY COMMUNITY

IAPP Announces Two Newest Westin Fellows

April 16, 2014

As the inaugural IAPP Westin Research Fellows Kelsey Finch and Dennis Holmes prepare for life after Portsmouth, NH, the IAPP is proud to announce our second batch of newly graduated students looking to continue their studies in privacy. Patricia Bailin, coming from Tufts’ Fletcher School of Law & Diplomacy, and Arielle Brown of the University of Colorado School of Law will join the IAPP Westin Research Center this fall after wrapping up their current studies. IAPP Publications Director Sam Pfeifle makes introductions.

BIOMETRICS—FRANCE & U.S.

French DNA Sweep Exposes Differing Cultural Norms

April 16, 2014

The Christian Science Monitor reports on the differing privacy norms in France and the U.S. through the prism of a case where a high school student was raped and more than 500 male students and staff willingly submitted to DNA testing to help find the rapist. One expert said that although the French value their privacy, the case has not sparked a mass outcry because of its criminal context. In the U.S., the case likely would have raised civil rights and Fourth Amendment violation concerns, the report states. Pascale Gelly, CIPP/E, said, “France takes data privacy very seriously,” adding, “Massive testing will always raise privacy issues, and that’s good because it’s always important to (ask) the question, ‘Is it proportionate or not?’”

DATA LOSS—CANADA & UK

Two Sites Concede Heartbleed Data Losses

April 15, 2014

Two websites, Canada’s tax authority and a British parenting website, have said some of their users’ data has been compromised as a result of the Heartbleed bug, and, according to PC World, these are the first two admissions stemming from the now infamous OpenSSL security vulnerability that was exposed last week. The Canada Revenue Agency (CRA) blocked online public access to its site last week. “Regrettably, the CRA has been notified … of a malicious breach of taxpayer data that occurred over a six-hour period,” the CRA said. British parenting site Mumsnet assured its more than one million users it “followed all the published steps to protect members’ security … but it seems that the breach occurred prior to that risk becoming known.”

ONLINE PRIVACY

Google Updates Terms To Reflect Content Analysis

April 15, 2014

Amidst controversies with privacy groups over its scanning of user e-mail, PC World reports, “Google has updated its terms of service to reflect that it analyzes user content including e-mails to provide users tailored advertising, customized search results and other features.” The report highlights actions around Google’s practices and quotes the new terms of service, which went into effect Monday, as stating, “Our automated systems analyze your content (including e-mails) to provide you personally relevant product features, such as customized search results, tailored advertising and spam and malware detection. This analysis occurs as the content is sent, received and when it is stored.”

BIG DATA

Scientists Using Tweets To Determine Flu Outbreaks

April 15, 2014

Scientists from Pennsylvania State University say they’ve developed a way to find Twitter posts that identify viral illnesses, InformationWeek reports. In a recently published paper, “On the Ground Validation of Online Diagnosis with Twitter and Medical Records,” researchers say they’ve created “a system for making an accurate influenza diagnosis based on an individual’s publicly available Twitter data.” The researchers say they were able to determine, with 99-percent accuracy, whether an influenza outbreak was occurring by combining text analysis, anomaly detection and social network analysis. In 2008, similarly, Google began estimating flu infections by tracking flu-related search terms.

DATA PROTECTION

10 Steps To a Quality Privacy Program (Part 8): Learn From Others’ Mistakes

April 14, 2014

In the latest installment of her 10-part series on creating a quality privacy program, Deidre Rodriguez, CIPP/US, discusses the importance of learning from others’ mistakes in order to keep your brand out of trouble. “The least painful and easiest lessons are the ones that we can learn from others’ mistakes,” Rodriguez writes in this exclusive for The Privacy Advisor. “As privacy professionals, it’s important that we take time to peruse the headlines and read articles that talk about others’ mistakes.” She outlines four action items privacy pros should take while scanning headlines. Editor’s Note: Did you miss the first seven installments of this series? See them here.

PRIVACY

Making the Case for Surprise Minimization

April 14, 2014

Last week, Facebook announced it was unveiling a new set of user privacy controls. The move comes a month after the IAPP Global Privacy Summit, where Facebook CPO Erin Egan said, “If people are surprised, that’s not good for me.” What did she mean, exactly? This post for Privacy Perspectives looks at the promise of surprise minimization and how, “in a Big Data and Internet of Things world where providing users with notice and choice can prove difficult,” it “is becoming a powerful tool businesses can use to help engender trust with consumers while avoiding the ire of regulators.”

CLOUD COMPUTING—EU & U.S.

Does Privacy Make North America Easy Pickings for EU Firms?

April 14, 2014

With big-name providers reducing prices to beat the competition for cloud services, ZD Net reports on Finland-based UpCloud, which believes customers’ desire for privacy means the “opportunity to break into the sector has never been greater.” Some customers, UpCloud’s Antti Vilpponen says, “want to stay away from U.S. companies,” increasing the demand for non-U.S. providers. “Naturally we comply with the laws of the countries where we operate, but as customers' personal information is always stored in Finland, that stays under Finnish law," Vilpponen said. Other European companies are also looking to “tackle the U.S. privacy issue,” the report states, suggesting “North America … is seen as potentially easy pickings for European startups that focus on privacy.”

DATA LOSS

New Tool Will Identify Breached Companies

April 11, 2014

A new online tool has been launched to help users identify large merchants and hotels that have exposed credit card data and other personal information to hackers, Inside Counsel reports. PrivacyAtlas.com allows users to search through 39,000 hotel and motel locations as well as 28,000 chain stores. Security Validation President and CEO David Durko said, “Consumers want to know how safe their credit card data is when it’s shared with hotels, retail stores or online.” The tool assesses whether a given retailer is PCI-DSS compliant. For businesses, participation with PrivacyAtlas is voluntary, but those that choose not to disclose their compliance status with the site receive a “black mark.”

PRIVACY LAW—EU & HUNGARY

CJEU: DPA Firing Violated EU Law

April 10, 2014

The Court of Justice of the European Union (CJEU) has determined “Hungary violated European Union law by firing the head of its data protection agency (DPA) in 2012,” The Wall Street Journal reports. In its judgment Tuesday, the CJEU found national DPAs “must not be bound by instructions of any kind” and their decision-making processes “must be free from political influence,” noting if a government can fire staff before their terms’ end, “that authority might be prompted to enter into a form of prior compliance with political powers.” The CJEU has ordered Hungary to comply “without delay” but has not specified “what form compliance should take,” the report states. (Registration may be required to access this story.)