We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.
At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.
But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.
In the meantime, though, Happy Easter!
Rita Di Antonio
Top European Privacy and Data Protection News
EU Commissioner: Privacy Will Be Big Challenge for Next Decade (January 29, 2010)
On Data Protection and Privacy Day yesterday, EU Information Society and Media Commissioner Viviane Reding announced that the decade ahead promises many challenges, and the commission's goal is to reform the 1995 EU Data Protection Directive and create new rules for personal data protection and privacy. "Innovation is important in today's society but should not go at the expense of people's fundamental right to privacy," Reding said, explaining the focus is on ensuring that data protection rules are current with technology and as comprehensive as required by the Lisbon Treaty. "EU rules should allow everyone to realise their right to know when their personal data can be lawfully processed," she said. Reding is the incoming EU justice commissioner.
Hospital May Destroy Blood Samples to Comply with Law (January 29, 2010)
Following a review by the Data Protection Commissioner (DPC), a Dublin hospital is proposing to destroy records more than 10 years old from the more than 1.5 million blood samples it has collected as part of the national newborn screening program since 1984, the Times Online reports. The hospital kept the samples, which include such details as names, addresses, dates of birth and test results, without informing the DPC or seeking parental permission, as required by law. A Health Service Executive spokesperson is quoted as saying the HSE is determined "to do whatever it takes" to bring the database into compliance, including determining whether parents can retroactively opt out if they do not want their children's samples stored.
Tax Program Changes Data Requirement (January 29, 2010)
Following a complaint from Hungarian data protection Ombudsman Andras Jori, the country's tax authority will no longer require those who use its online property tax calculator to enter personal data in order to gain access to it, reports realdeal.hu. Instead, users can submit such information on a voluntary basis.
Keitch: Marketing Industry Must Self-Regulate (January 29, 2010)
Robert Keitch of the Direct Marketing Association (DMA) UK says it's imperative that British direct marketers self-regulate in the area of data protection. In a MarketingWeek article, Keitch writes of a "growing political appetite" to reform data protection laws and says that, should a Tory administration come to power, data protection policies could become "weighted heavily in favour of protecting individuals' rights." "It is imperative that the UK direct marketing industry proves it is capable of managing its data security obligations and does not require excessive state intervention," Keitch writes. The DMA has launched an information security standard--DataSeal--aimed at helping companies demonstrate the adequacy of their data safeguards.
Researchers: E-Passports Vulnerable to Tracking (January 29, 2010)
Researchers in the UK claim to have identified a flaw in electronic passports being issued by the UK, U.S. and as many as 50 other countries that allow electronic eavesdroppers to track document holders as they enter and exit buildings, according to the Register. Using the newly discovered technique, researchers from the University of Birmingham say they do not need to know the cryptographic key embedded in the document's radio frequency identification (RFID) chip to track the holder, and that the only way to prevent someone from executing a traceability attack is by shielding the passport in a special pouch.
ID Card Plans Concern Data Protection Commissioner (January 29, 2010)
Ireland's Data Protection Commissioner is concerned about plans to create a national public services identity card, the Irish Times reports. A spokesman for the DPC says the commissioner is engaged in "extensive consultations" with the Department of Social and Family Affairs about its plans to create the card. The spokesman said the DPC's primary concerns would be related to the inclusion of PPS numbers on the cards, which, combined with other personal information could make it a "de facto national ID card." But, the spokesman said, "it is clear from our discussions that the department does not intend this." Still, the commissioner feels that "any move towards what might be viewed as a national ID card should only take place following an appropriate public debate."
AFCDP Releases Right-of-Access Index (January 29, 2010)
Following passage of the French "Informatique et Libertes" law, an individual may request that an entity holding personal data about him share that personal data with him. The entity has two months from the time of the request to provide full information to the requestor, free of charge. In certain circumstances, the individual may then request that the personal information be deleted or brought up to date. The Association Francaise des Correspondants a la Protection des Donnees a Caractere Personnel, also known as the French Association of Data Protection Officers (AFCDP), on the occasion of Data Privacy Day yesterday, published its first "Access Right Index." Intended to help French entities--both private and governmental--prepare themselves for responding to information requests and to help educate individuals about their rights, the index provides insight into the manner in which entities are currently complying with the law. The index indicates which sectors are the best and worst in terms of compliance and provides anonymous, real-world examples of wrongdoing, as well as best-practice guidance.
NHS Trust Commits to Better Data Protection (January 29, 2010)
The chief executive of Southampton University Hospitals NHS Trust has made a formal commitment to improve data security following the Information Commissioner's Office (ICO) ruling that its October data breach violated the Data Protection Act. The breach occurred when a laptop containing 33,000 password-protected patient records was stolen from an unlocked and unattended retinal screening van. The commitment requires the trust to improve data encryption, physical security measures and staff training, among other areas. Sally-Anne Poole, head of investigations at the ICO, says "It is vital that NHS organizations ensure their staff handles personal information securely, especially where so much sensitive personal information is concerned."
City Council to Remove CCTVs (January 29, 2010)
Birmingham's City Council plans to remove intercom security cameras in five residential tower blocks, the Yorkshire Post reports. The council says it has been advised that the cameras--which allow tenants to see callers on CCTV before letting them in--breach the Data Protection Act. Councillor Mike Leddy says removing the system would be detrimental to tenants. "It puts at risk the 'feel-safe' factor for a number of older residents in my ward," he said. However, the city council, including the head of the housing department, believes that removing the cameras protects them from potential prosecution.
EU Takes Legal Action Against Italy (January 29, 2010)
The European Commission (EC) on Thursday took legal action against Italy for non-compliance with EU ePrivacy rules, according to a commission press release. The EC sent Italian authorities a formal notice for failing to notify individuals about the transfer of their personal information from phone directories to a marketing telecommunications database, the release states. "Not only is it worrying to see that Italian legislation does not comply with the privacy requirements set out in the [EU ePrivacy] Directive," said EU Telecoms Commissioner Viviane Reding. The commission is also concerned that Italian authorities failed to gain the consent of those whose personal data was affected. Italy has two months to reply.
FINANCIAL PRIVACY—EU & U.S.
Bank Data Deal to Take Effect Next Week (January 29, 2010)
A financial data-sharing agreement between the U.S. and EU will go into effect next week despite the European Parliament's request for a delay. European Voice reports that the so-called SWIFT agreement, which gives American officials access to the banking transaction data of European citizens to aid counter-terrorism efforts, will take effect on February 1. Members of Parliament (MEPs) and European Data Protection Supervisor Peter Hustinx have expressed concerns about the deal's privacy consequences, calling it a "privacy-intrusive" agreement that is insufficiently justified. MEPs will vote on the agreement the week of February 8.
New EU Laws Will Focus on Privacy and Social Networking (January 29, 2010)
The European Commission is planning comprehensive new laws to protect Internet users' privacy, euobserver.com reports. Incoming EU Justice Commissioner Viviane Reding said yesterday, "Whether we want it or not, almost every day we share personal data about ourselves." Reding named social media, specifically, in outlining her goals for privacy protection. "Data are being collected without our consent and often without our knowledge. This is where European law comes in." She is calling for "a change of approach" that focuses on protecting data and personal privacy right from the start rather than responding only after a new product or service is developed.
Company Plans Release of Anonymous Browsing Tool (January 28, 2010)
Ixquick, the company that earned the respect of privacy advocates when it decided in 2006 to stop collecting IP data from users of its search tool, is again drawing praise for its planned release of a new proxy browsing service that the company says will allow users to visit Web pages without the site owner's knowledge, OUT-LAW.COM reports. The company said it decided to offer the service because of what it saw as an opportunity to respond to increased consumer concern over their privacy while surfing the Web. "People are more concerned about online data retention policies than ever before," said CEO Robert Beens. "We wanted to offer them a useful tool and this proxy is a logical extension of our services."
Anti-Piracy Software Examined (January 28, 2010)
Privacy International has asked the European Commission to look into the legality of anti-piracy software used by some ISPs to monitor for illegal file sharing, the BBC reports. Specifically, Privacy International is concerned about software developed by Detica, in use by Virgin Media, that employs deep packet inspection techniques to identify offending files transmitted over Virgin's network. Privacy International believes deep packet inspection poses a threat to privacy because of its ability to identify actual file names. Industry observers say as many as 40 percent of Virgin's customers may be subject to monitoring with the software, but Virgin said that subscriber privacy is not at risk.
ICO Warns UK Companies: Report Breaches or Else (January 28, 2010)
The Information Commissioner's Office (ICO) has issued a warning to UK businesses: report your breaches or face stiff sanctions, eGov Monitor reports. The ICO said that only 800 data breaches have been reported to its offices in the last two years, but that it is eager to work with companies that suffer a data breach to help address the situation. Deputy Commissioner David Smith said, "Talking to us may of course result in regulatory action. However, organizations must act responsibly; those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions."
Privacy Commissioner Launches New Facebook Probe (January 28, 2010)
The Office of the Privacy Commissioner (OPC) has announced it is once again launching an investigation into Facebook. The probe comes on the heels of the OPC's extensive investigation last summer that resulted in Privacy Commissioner Jennifer Stoddart ordering Facebook to change its policies and practices to comply with Canada's privacy law, the National Post reports. The new investigation is focused on a complaint alleging a tool introduced last month requiring users to review their privacy settings--a change Facebook made in response to the commissioner's first investigation--actually exposes more personal information. The new complaint "mirrors some of the concerns that our office has heard and expressed to Facebook in recent months," says Assistant Privacy Commissioner Elizabeth Denham.
The Power of “i” TBD (January 27, 2010)
The Future of Privacy Forum will today introduce an icon designed to help advertisers better inform consumers about the methods behind their online ads, the New York Times reports. It is expected that major companies will begin using the icon, a blue circle with a white "i", by midsummer, the report states. The "Power I" is one outcome of calls for more effective self-regulation among advertisers who use behavioral targeting methods. Congress and the Federal Trade Commission (FTC) have been examining advertisers' practices in this area, and FTC officials will continue their exploration of behavioral targeting during a roundtable event tomorrow in Berkeley, California. (Registration may be required to access this story.)
Sharing “TMI” on Social Media Sites Helps ID Thieves (January 26, 2010)
A recent study indicates that more than half of those ages 45 and older who use popular social networking sites could fall prey to identity thieves because they share too much information, the San Francisco Chronicle reports. The study, which polled more than 1,000 adults, found that 14 percent of respondents--and 20 percent of those over the age of 60--posted their full home addresses in their profiles, and about 50 percent revealed information that could tip thieves off to their bank account passwords. Experian, which commissioned the study, recommended avoiding posting specific personal details and being sure that online quizzes or games come from a reputable source.
Behavioral Targeting Faces Paradox (January 25, 2010)
Marketing Week reports that, according to a new poll, 95 percent of the UK's Internet users say they are interested in receiving online marketing tailored to their interests. That's good news for the interactive marketing industry. However, 77 percent of those same people say they always opt out of Internet marketing campaigns. The study also reveals that a quarter of consumers are rebuffing communication from brands they know and trust, up from 18 percent a year ago. "Through well-publicized instances of data breaches and the mishandling of personal information by large organizations, consumers are sensibly becoming more selective about who they share their personal details with," said the Direct Marketing Association's Robert Keitch.
FINANCIAL PRIVACY—SWITZERLAND & U.S.
Swiss Court Prohibits Release of UBS Client Data (January 25, 2010)
A client of Swiss bank UBS won her appeal to prevent the bank from turning over data to the United States when a Swiss administrative court ruled that a disclosure agreement between the two countries only applied to cases of "fraud or the like," the New York Times reports. The lawsuit was prompted by the Swiss government's decision to hand over information for 4,450 customers with Swiss bank accounts to U.S. authorities. Twenty-five similar lawsuits remain pending and there is a possibility of appeal, but the ruling held that the language in the agreement did not apply to individuals accused of simple tax evasion. (Registration may be required to access this story.)
For Sale: Private Information on UK Gamblers (January 25, 2010)
A data theft has hit British bookmaker Ladbrokes, compromising the confidential data of 4.5 million of the gambling house's customers, reports the Daily Mail. The Mail became aware of the theft when an individual identifying himself as "Daniel" contacted the paper and offered to sell information on 10,000 Ladbrokes' customers. The paper said it immediately contacted Ladbrokes and the Information Commissioner's Office, which has launched an investigation. "Daniel" claimed to be a former Ladbrokes computer security expert now working for DSS Enterprises in Melbourne, Australia. DSS founder Dinitha Subasinghe denied any involvement in the case.
Art. 29 Working Party Highlights BCRs, Search Engines in 2008 Annual Report (January 22, 2010)
The Article 29 Working Party released its annual report for 2008, which details data protection progress in the European Union for that year. The report--adopted in June 2009 but not released until EU Member State translations were complete--summarizes important legislative developments in individual EU Member States as well as initiatives from the Art. 29 Party, the European Commission, the European Court of Justice and the European Data Protection Supervisor in 2008. In the report's introduction, Art. 29 Party Chairman Alex Turk identified four main data protection issues for 2008: the protection of children's personal data, search engines, international data transfers--particularly the use of binding corporate rules (BCRs)--and the transfer of airline passenger name records to U.S. authorities.
CNIL Awards 7,000 Euro Prize (January 22, 2010)
The CNIL held its first awards ceremony last week. Ms. Roques-Bonnet received a prize of €7,000 for her thesis entitled "The Constitution and the Internet," which was recognized among eight theses. (Article in French.)
Company Loses Tape Containing Billing Data (January 22, 2010)
Bill processing contractors have reported the loss of a data tape containing information from 12,799 NIE Energy bills, ITN reports. The Information Commissioner's Office was alerted to the loss of the billing information, which includes such details as names and addresses, but not banking information. "We fully appreciate that our customers will be concerned that any personal information regarding them is missing," says NIE Energy Managing Director Stephen McCully. "However, while we have not been able to locate this tape, there is absolutely no evidence to suggest that it has fallen into the wrong hands."
Online Information Security Initiative Raises Awareness (January 22, 2010)
An online information security training program is helping more than 250,000 public sector personnel reduce data loss incidents and handle personal data appropriately. The Cabinet Office and National School of Government created the program in response to multiple high-profile cases of data loss by government departments, according to a Guardian report. Sharon Wiltshire, head of information assurance professionalism at the Cabinet Office, says the new initiative has made an "invaluable contribution" to improved data security. A spokesperson for the Information Commissioner's Office told the Daily Dashboard the office has produced a guide to data protection to provide organisations with practical advice about the Data Protection Act and dispel myths.
DVLA Sales Practices Come into Question (January 22, 2010)
A government agency in the UK has released for a fee the names and addresses of several million motorists over the last five years, reports the Daily Mail. The Driver and Vehicle Licensing Agency (DVLA) has come under scrutiny, once again, for selling more than 18 million names and addresses to various businesses in the private sector for commercial use. Bob Russell, a Liberal Democrat, said, "This shows there is a huge Big Brother system run by the state..." The DVLA was criticized last fall for selling motorists' information to the oil firm Castrol, which used the information for billboard advertising purposes.
Recruitment Scam Targets Jobseekers (January 22, 2010)
Bogus recruitment firms are using online scams and follow-up calls to target the unemployed, according to a report in the Irish Examiner. Fergal Brosnan, director of Berkley Recruitment, points out that it is illegal for recruitment firms to charge jobseekers a fee to register their details online. However, recent research indicates the number of false employment advertisements has risen nearly 350 percent. A spokesman for the Office of the Data Protection Commissioner has stated that a lack of specific complaints in recent months does not mean the scams are not ongoing. Data Protection Commissioner Billy Hawkes has warned jobseekers to be cautious, especially when it comes to supplying personal information online.
ISP Stands up for Torrent Site Owner’s Privacy (January 22, 2010)
The Swedish ISP TeliaSonera is refusing to comply with a court ruling ordering the company to hand over information identifying the owner of SweTorrents, according to the TorrentFreak blog. The company has appealed the decision, arguing that the verdict is in violation of the European data retention directive and claiming that SweTorrents doesn't host any copyrighted files.
Groups Partner on Social Networking in Workplace (January 22, 2010)
Several organizations, including the union representing employers, recruiting organizations and the French employment agency, concluded a partnership agreement in order to promote a code of conduct about the use of social networks in employment practices (Charte réseaux sociaux, Internet, Vie privée et Recrutement). (Site in French. Registration may be required to access site.)
ICO Finds Council Breached Data Protection Act (January 22, 2010)
The Information Commissioner's Office (ICO) has found the Lancashire County Council in breach of the Data Protection Act following an incident involving the disposal of a filing cabinet containing confidential documents, the Lancashire Telegraph reports. The documents, which were found in a cabinet purchased from a second-hand shop, included information on residents' ethnicity, religious beliefs and health conditions. The council has pledged to implement a formal procedure to avoid such incidents in the future while providing staff training on the proper storage, use and disposal of personal information. "This incident highlights the importance of having the necessary safeguards in place to ensure personal information is disposed of securely," says Sally-Anne Poole, head of enforcement at the ICO.
Database Hacked, Passwords Accessed (January 22, 2010)
An Irish Internet forum reports its user database was hacked by an unauthorised source outside Ireland and thousands of usernames, passwords and e-mails were accessed, reports BBC News. Tom Murphy, co-founder of Boards.ie, which receives more than 1.1 million page views per day, said the site is "regularly the target for disruption and takes continual actions to proactively protect data." Ireland's data protection commissioner, Billy Hawkes, said the attack should serve as a warning to Internet users to create different passwords for different Web sites.
Ministers Meet on Body Scanners (January 22, 2010)
While interior and justice ministers are proposing heightened airport security measures aimed at thwarting terrorist attacks, members of the European Parliament are speaking out against the plan, Deutsche Welle reports. The ministers met in Spain with Janet Napolitano, head of U.S. Homeland Security, to discuss improved screening at airports, and the European Voice reports that the European Commission is preparing a report on the health and privacy implications of using full-body airport scanners. The ministers stopped short of approving the use of such scanners, but the data-sharing plans under consideration are raising concerns. Manfred Weber of the European Parliament says getting the majority of the members to approve the plan "will be very difficult."
DNA Database Legislation Raises Concerns (January 22, 2010)
Data Protection Commissioner Billy Hawkes is concerned that a bill allowing gardaí to take DNA samples from suspects could result in the retention of the DNA of innocent people for up to 10 years, the Irish Examiner reports. The legislation, which calls for a national database of genetic samples from individuals arrested in connection with serious crimes as well as convicted criminals and former offenders, indicates that DNA profiles collected from those cleared of criminal activity could be held for up to a decade unless they apply to have the data removed. Hawkes says samples gathered from people acquitted or not subsequently charged with a crime should be "immediately" destroyed.
IAPP Announces New Board Members (January 22, 2010)
The International Association of Privacy Professionals has announced new appointments to its 2010 Board of Directors. Five new members have joined the board and three existing members have moved into leadership roles. Incoming board members hail from Microsoft, Hewlett-Packard, Siemens, Hunton & Williams LLP and the Graduate Management Admissions Council. New board president Nuala O'Connor Kelly, CIPP, CIPP/G, said, "I'm extremely pleased to welcome these distinguished privacy professionals to our board. Their vision and experience will be invaluable in leading the IAPP and the privacy profession into the next decade."
UN Official Calls for Int’l Declaration on Data Protection (January 22, 2010)
A UN official has called for a new international agreement on privacy, reports The Register. In a report to the UN Human Rights Council, special rapporteur Martin Scheinin said "a global declaration on data protection and data privacy" is necessary to stopgap what he describes as the loss of basic privacy protections in the wake of expanded counter-terrorism efforts. European Data Protection Supervisor Peter Hustinx told the IAPP Daily Dashboard newsletter that he considers this "a very welcome call for action that should be considered very carefully." Hustinx said that global standards and global safeguards are required to limit increasing surveillance activities and to ensure a legitimate global use of new technologies. However, Martin Abrams, executive director of the Hunton & Williams Centre for Information Policy Leadership, said that until UN member states can find the balance between physical security and data protection within their own borders, it is unlikely they will be able to move forward with an international agreement.
Germany Fines Drug Chain for Data Retention (January 22, 2010)
Germany's Data Protection Authority (DPA) has fined pharmaceutical chain Müller Group €137,500 for retaining illegally collected healthcare data, and for failing to hire a data protection officer, according to the Hunton & Williams Privacy and Information Security Law blog. The chain, which employs 20,000, had required employees returning from sick leave to inform the company of the reason for their absence by filling out a form that was collected and stored in a central HR database. In all, Müller had collected more than 24,000 such forms in a practice that the DPA said was not justified in the vast majority of cases.
FINANCIAL PRIVACY—U.S. & EU
EU Threatens Block of U.S. Bank Data Transfer (January 22, 2010)
The European Parliament has threatened to block financial data transfers between EU member nations and the U.S. under the SWIFT agreement unless it gets answers to questions it has asked of Spain and Switzerland, the EUObserver reports. The financial data transfers are part of a U.S.-European anti-terror program which some EU officials have protested as a threat to privacy and have threatened to scrap altogether if Spain does not provide the requested information. In a statement, the coalition opposed to the SWIFT agreement said two clear conditions must be satisfied before a longer term agreement can be considered.
Greek Government to Allow Street Images (January 20, 2010)
In a decision seen as opening the door for Google Street View, the Greek Data Protection Authority (DPA) has given the okay for kapou.gr to provide its panoramic street-level image service, according to an Associated Press report in the Atlanta Journal Constitution. The DPA's approval was granted following kapou.gr assurances related to face-blurring technology and limits on the storage of images. Talks between the DPA and Google related to the launch of Street View in Greek cities are ongoing, and while the kapou.gr decision makes it likely that Google will be granted similar approval, no timeline has been given by the DPA.
Microsoft Reduces Search Data Storage Limit (January 20, 2010)
Microsoft has announced that it will further reduce the length of time it holds data entered into its Bing search engine, the New York Times reports. The decision comes in response to criticism related to search data management from within the European Union and will be implemented over the next 18 months for users everywhere, not just in the EU. Professor Hendrik Speck of the University of Applied Sciences in Kaiserslautern, Germany predicts that the move will prompt Bing competitors to follow suit, saying, "Google and other engines are starting to realize that consumers around the world are placing an increasing value on privacy and that can have business consequences." (Registration may be required to view story.)
Google Calls for EU Privacy Panel (January 20, 2010)
Google says that the recent hack of its Chinese operation shows why it needs to retain user search data and will this week call on the Article 29 Working Party to establish a privacy and security panel to encourage productive dialogue on the proper use and protection of such data, PCWorld reports. "You can't discuss privacy in a vacuum," said Google global privacy counsel Peter Fleischer. Google retains search users' full IP addresses for nine months. "We find it incomprehensible that a company would throw away useful data when holding it poses no privacy threat," Fleischer said.
Most Employers Screening Candidates Online (January 19, 2010)
According to a new report, 53 percent of all UK employers review the public profiles of job candidates before making a hire, and 20 percent say they have rejected candidates based on what they have found, PC Advisor reports. The study, conducted by CareerBuilder, found that both social networking sites and popular search engines are commonly used to evaluate a job candidate; and of the organizations not using them, 12 percent said they plan to in the future. The study also found that 28 percent of companies surveyed said that they had fired an employee because of negative information about the company or a coworker posted to a social networking site.
Art. 29 Party Urges Updates as EC Data Directive Comment Period Closes (January 15, 2010)
The privacy principles in the European Union Data Protection Directive (95/46/EC) "are still valid," but harmonization of data protection law, data-transfer mechanisms, notification requirements and other areas could be improved, the Article 29 Working Party said in a paper released on 5 January. The group, in tandem with the Commission's Working Party on Police and Justice, submitted the paper in response to a European Commission request for comments on how to improve the EU's privacy legal framework.
EDPS Issues Critical Report (January 15, 2010)
The European Data Protection Supervisor (EDPS) issued a critical report on a draft council directive on administrative cooperation in the field of taxation. The EDPS indicated that the measures that are envisaged violate European data protection rules.
Art. 29 Working Party Examines Passenger Data (January 15, 2010)
At the request of the European Commission, the Article 29 Working Party looked into the matter of the protection of passenger data collected and processed by duty-free shops at airports and ports in the European Union. The Working Party reviewed the current practices within EU Member States and issued recommendations for a uniform application of the general data protection principles to be respected in duty-free shops.
Europol Confidentiality Rules Now Adopted (January 15, 2010)
The Official Journal of the European Union has now published rules on the confidentiality of Europol information, as were adopted 30 Nov 2009 (Council Decision 2009/968/JHA). The rules include basic protections for non-public information processed by or through Europol, such as data protection requirements for personal data, and make clear that member states are responsible for making sure Europol information is protected at the required level.
HADOPI Members Appointed (January 15, 2010)
The members of the High Authority for the diffusion of works and the protection of rights on the Internet--HADOPI--have been appointed. A judge will preside over the authority. One of its eight members is former Minister of Culture, Jacques Toubon. HADOPI will tackle unlawful peer-to-peer downloads. It is expected to send the first warning e-mails in April, at the earliest, but no later than next July. (Story in French.)
Garante Issues Resolution on Photos (January 15, 2010)
By means of an ad hoc resolution, the Italian Data Protection Authority (IDPA, or Garante) has prohibited the publishing of certain pictures taken at actor George Clooney's home. While in general the privacy of public and notorious people receives a lower level of protection, the publishing of photos taken in a private place without the proper consent is illegal. (Resolution in Italian.)
Garante Reapproves General Authorisations (January 15, 2010)
The Italian Data Protection Authority (IDPA), known as the Garante, again approved seven general authorisations dealing with the processing of personal, sensitive and judiciary data in various fields and for different purposes. The authorisations, which were first approved last year, concern data with regards to employment, sexuality, genetics and healthcare, in addition to data processed by professional, financial and insurance institutions and that used by private investigators. The authorisations will be in force until June 2011, except that concerning genetic data, which will elapse on April 30, 2010. The aim is to ensure that the processing of sensitive and judiciary data in such fields will be possible based on the interested person's consent only (or in presence of any alternative tool to the consent), with no need for an ad hoc green light from the IDPA. (Story in Italian.)
ONLINE PRIVACY—UK & EU
Deadline Passes with No Response from UK (January 15, 2010)
The December 2009 deadline for UK officials to respond to the European Commission (EC) about Internet privacy concerns passed with no response, The Register reports. In October, the EC opened a second phase infringement proceeding against the UK for potentially allowing the misuse of deep packet inspection technology, the report states. "People's privacy and the integrity of their personal data in the digital world is not only an important matter, it is a fundamental right, protected by European law," EU telecommunications commissioner Viviane Reding said at that time. The Home Office told The Register that it continues "to engage with the Commission on the issue."
Transport Designee Wants Common Rules (January 15, 2010)
At his confirmation hearing this week, the EU's transport chief-designate said that European states should not use full-body scanners at airports until the bloc can agree on rules to protect the privacy and health of passengers, Reuters reports. "It's very bad that some countries already use them without common agreed standards," said Siim Kallas of Estonia on Thursday. Interest in the devices has increased since the failed Christmas Day bombing attempt on a Detroit-bound plane. The European Commission is preparing a report on the scanners' privacy impacts.
Gov’t Approves £500,000 Fines for Data Breaches (January 15, 2010)
The UK government has approved larger fines for serious breaches of the Data Protection Act, reports OUT-LAW.COM. Pending Parliamentary approval, the Information Commissioner's Office will be able to impose monetary penalties up to £500,000, the report states. The new powers are expected to take effect beginning on April 6. Speaking in support of the request, Information Commissioner Christopher Graham said: "These penalties are designed to act as a deterrent and to promote compliance with the Data Protection Act. I will not hesitate to use these tough new sanctions for the most serious cases where organisations disregard the law."
Reding: Privacy High on My Agenda (January 13, 2010)
Speaking to members of the European Parliament (MEPs) in Brussels yesterday, commissioner-designate Viviane Reding outlined her top priority areas should she be confirmed to the post of Commissioner of Justice, Fundamental Rights and Citizenship, Europolitics reports. Data protection, she said, "will be high on my agenda." Reding said that privacy protections need to be strengthened in the areas of law enforcement, crime prevention and international relations. "The fight against terrorism is important, there can be no doubt," she said. "But I am not convinced that we really need so many new laws and new restrictions on our citizens' privacy to achieve this purpose." Reding also cautioned MEPs on the hasty introduction of airport security scanners. (Registration may be required to access this story.)
Advocates Rally Against Scanners (January 12, 2010)
In the United States and around the world, political figures, privacy advocates and civil libertarians are speaking out against the use of whole body scanners, reports the Chicago Tribune. "We don't need to look at naked eight-year-olds and grandmothers to secure airplanes," said Congressman Jason Chaffetz (R-Utah) in a statement that reflects the popular view of those opposed to the devices, which generate a revealing image of the human body. Chaffetz, who introduced a legislative amendment against the scanners last year, is joined by the ACLU. Meanwhile in Germany, members of the Pirate Party protested the scanners by demonstrating in a number of German airports.
Privacy Group Refutes TSA Claims on Scanners (January 12, 2010)
The Electronic Privacy Information Center (EPIC) has taken issue with the Transportation Safety Administration's (TSA) claims that the controversial whole body scanners being deployed to airports around the world cannot be used to store and transmit near-naked images of the human body, Computerworld reports. Using information gained following a Freedom of Information Act lawsuit, Mark Rotenberg, EPIC's executive director, asserts that the scanners include hard disk storage, USB interfaces, and Ethernet connectivity and are fully capable of storing and transmitting images.
Zuckerberg: Privacy No Longer the ‘Social Norm’ (January 12, 2010)
Facebook founder Mark Zuckerberg recently told TechCrunch that a desire for privacy is no longer the "social norm," PCWorld reports. Despite protests from Facebook's critics, the success of that social networking platform may be all the evidence needed to support his assertion. "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people," Zuckerberg said. "That social norm is just something that's evolved over time." The challenge today, says the report, is in striking a balance between allowing people to share information about themselves online and in providing tools to help them make better decisions about how to share.
Online DNA Matchmaking (January 11, 2010)
Today's progressive dating services may seek to go beyond a picture and a paragraph, but tomorrow's online matchmakers may ask for a DNA sample to find your soulmate. In fact, more and more people are eschewing personal chemistry in favor of genetic science in their search for a mate, reports the Daily Mail. Services such as ScientificMatch and GenePartner.com are gaining in popularity, but Eric Holzel of ScientificMatch says he sees a difference in the age groups signing onto his service. "Generally we find that those under 45 love the idea because they realize that it's going to make things a lot easier for them," Holzel said. "Those over 45 are less keen and generally far more likely to have privacy concerns."
SOCIAL NETWORKING—UK & U.S.
CIOs Wary of Social Network Use (January 11, 2010)
With an increasing number of employees and companies engaging professionally on social networking utilities such as Facebook and Twitter, CIOs remain wary of the potential impact on information security, reports NetworkWorld. Two recent polls show that more than half of U.S. CIOs have restricted access to social nets, and more than three quarters of UK companies do not use Twitter. But the reluctance of CIOs to embrace social nets does not reflect a changing business reality, according to IDC analyst Caroline Dangson. "This concept of trying to control or block [social media usage], it is not going to work," Dangson told NetworkWorld. "There's going to be a divide, with some companies that shun public social networks and are fearful of using them, and some who embrace it and take the risk."
Your Posts Diminish Everyone’s Privacy (January 8, 2010)
The Intimacy 2.0 era has dawned and it's not just those who post intimate details about their lives online whose privacy is diminished. A university fellow says that such sharing undermines everyone else's right to privacy, reports BBC News. "As more private lives are exported online, reasonable expectations are diminishing," says Kieron O'Hara of the University of Southampton. "When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes."
DPC Investigates Blood Sample Bank (January 8, 2010)
The Data Protection Commissioner has expressed shock about a Dublin hospital's database of infants' DNA, reports the Times Online. Commissioner Billy Hawkes is investigating the database, which contains the blood samples of almost every person born in Ireland since 1984, according to the report. The Children's University hospital stores the samples indefinitely, and has the genetic information of a million and a half in the database so far. The samples come from infant 'heel prick tests.' Parental consent is not sought before the tests are conducted. The hospital has, on four occasions, shared anonymized DNA data with university and hospital researchers.
USB Sticks Recalled (January 8, 2010)
At least three vendors have recalled hardware-encrypted USB memory sticks after penetration testers discovered a vulnerability that could allow hackers access to the data contained on the devices, reports CSO. According to one of the USB vendors affected by the flaw, "a skilled person with the proper tools and physical access to the drives may be able to gain unauthorized access to data..." The flaw pertains to the drives' access-control mechanisms.
20-Somethings and Privacy (January 8, 2010)
A Curtin University of Technology researcher has published a paper on how certain Facebook users understand and navigate privacy concerns. The paper, which appears on the peer-reviewed journal site First Monday, builds upon a Canadian ethnographic study about the privacy concerns of younger users. Specifically, the research explores how a 20-something community of Facebook users perceives privacy and how the users' privacy concerns differ from those of others. The paper also explores ways that users attempt to enhance their social privacy and why users remain active on the site despite their privacy concerns.
Government Assures Motorists of RFID Safety in Philippines (January 7, 2010)
In response to privacy concerns voiced by the Commission on Human Rights (CHR), the Philippines Land Transportation Office (LTO) has moved to assure motorists in that country that a new RFID motor vehicle tagging technology does not have the capability to allow tracking of vehicles, and that its staff will be properly trained in using the new system, reports the Manila Bulletin. LTO Chief Arturo Lomibao told the CHR that the tags do not function as a global positioning system and cannot be tracked, nor will the tags contain a driver's personally identifiable information. Further, Lomibao said the tags can only be read from a distance of 10 - 12 meters.
Privacy Agency Holds Up “Three Strikes” Copyright Law (January 7, 2010)
France's Commission nationale de l'informatique et des libertés (CNIL), established in the 1970s to review national legislation for potential privacy impacts, is holding up enactment of a pending "three strikes" law for online copyright infringers, Ars Technica reports. The delay, says the report, is due to privacy concerns with the new authority, HADOPI, created to compile and manage the database used to track offenders. Before CNIL will provide the necessary endorsement, the agency wants to know more about how the information will be collected and archived.
Marianas Call For Alien Registry (January 6, 2010)
The Fitial Administration of the Commonwealth of the Northern Mariana Islands (CNMI) has called for a mandatory national registry for any aliens who remain in the islands for more than 90 days, reports the Saipan Tribune. The registry has been proposed in response to a change in U.S. law that places CNMI immigration under the direct control of the U.S. federal government and was drafted in cooperation with the U.S. Department of Homeland Security. Registration would likely include biometric data, such as fingerprints, photographs and other personal information. The public comment period for the policy ends on January 8.
Massive Employee Database Begins Operation (January 6, 2010)
In what has been described as Germany's "largest ever data acquisition program," ELENA--a new employment database--began operation on January 1. Employers are required to submit employee income data monthly to the country's ELENA system to track eligibility for social payment programs. Deutsche-Welle reports income data will be aggregated beginning in 2012 whether or not individuals qualify for social welfare benefits. Peter Schaar of Germany's Data Protection and Freedom of Information Commission has sharply criticized the project, saying "I've got a big problem with this. Until now, such information on salary declarations has not appeared, and their general storage in a central file is not legally nor constitutionally allowed."
Profile Purgers Come Under Fire (January 5, 2010)
Services that help social networkers expunge their accounts have come under the scrutiny of Facebook, reports MediaPost. According to the report, last month the company sent a cease-and-desist letter to Les Liens Invisibles, the company behind the Seppukoo.com platform that assists users in committing "Facebook suicide." A Facebook spokesperson said the service causes users to violate Facebook terms of service and breaks anti-hacking and spam laws, among others. The Los Angeles Times reports that Facebook is also blocking the IP address of Web 2.0 Suicide Machine, another deactivation platform, and has filed a lawsuit against social networking data aggregator, Power.com.