European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

EMPLOYEE PRIVACY—GERMANY

Commission Finds Employee Blood Tests Illegal (March 30, 2010)

Stuttgart's state privacy office has warned automotive company Daimler that it is breaking the law by testing the blood and urine of all job applicants, Deutsche Presse-Agentur reports. The privacy commission said that taking the blood of applicants broke the law because it could reveal private matters of no relevance to a future employer and would only be legal if used to avoid potential health dangers in the workplace. The commission has not imposed a fine on the company for the practice. Daimler, which had already agreed to restrict the tests to applicants for jobs where there is a health risk, has said it may challenge portions of the ruling.
Full Story

HEALTHCARE PRIVACY—UK

Scottish Gov’t Launches Paperless Records (March 30, 2010)

In spite of privacy concerns and delays with a similar project in England, The Times reports that a £44 million electronic data system intended to make the NHS paper-free has been launched by the Scottish government. The British Medical Association in Scotland has said that while there are advantages to the electronic system, there is serious concern across the UK about confidentiality and access to online records, the report states. According to the privacy advocate group Big Brother Watch, as many as 140,000 non-medical staff can access patient files in England, and those files will become even easier to access through the new NHS database.
Full Story

ONLINE PRIVACY

Browser Fingerprinting Gains Attention (March 29, 2010)

A tracking technique that creates sophisticated digital fingerprints of Web users has emerged from the banking sector and seems poised to enter the wider Web. PCWorld reports on the browser fingerprinting method, which was developed originally to help banks detect online fraud but is now being sold as a Web service. The method involves the collection of identifying data on one's browser in addition to biometric identifiers such as typing speed and patterns, the report states. It has the attention of the Electronic Frontier Foundation, which describes the legality of the method as fuzzy.
Full Story

SOCIAL NETWORKING

Facebook Privacy Changes, “Places” Feature Raise Concerns (March 29, 2010)

Facebook's announcement of changes to its privacy policy--including amendments permitting the site to share data with "pre-approved" third-party Web sites--and plans to add a new "places" feature to allow users to add their locations to their pages are raising privacy concerns. The Financial Times reports that the privacy policy changes would allow sites to receive Facebook user information, including "names, profile pictures, gender, user IDs, connections and any content shared using the Everyone privacy setting," and potentially retain that information "to the extent permitted" under the third-party sites' policies. Marc Rotenberg of the Electronic Privacy Information Center (EPIC) said Facebook is "pushing the envelope," and EPIC is considering bringing a new complaint before the Federal Trade Commission. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—BRAZIL

Phorm Launches Commercial Operations (March 29, 2010)

Behavioral advertising company Phorm has partnered with five Internet service providers (ISPs) in Brazil and has secured millions in pre-booked ad revenue, reports ClickZ. Phorm's technology harvests ISP data, allowing advertisers to tailor promotions based on Web users' browsing activities. The company announced the deals in a notice to investors on Friday. The launch follows less successful attempts in other markets such as the U.S. and UK, where authorities have scrutinized the legality of the technology. The company has also partnered with a major Korean ISP, and CEO Kent Ertugrul said Phorm is "active in almost every other major Internet market worldwide."  
Full Story

DATA THEFT—UK

Survey: 100 Percent of Respondents Targets of Data Theft (March 26, 2010)

In a recent survey of 115 UK executives, all reported attacks targeting corporate data within the past year, and 77 percent reported their organizations have experienced a data breach in the past. InformationWeek reports that the study, which was conducted by the Ponemon Institute and sponsored by IBM, reveals growing concern about data protection. The survey indicates that more than 27 percent of the respondents doubt their organizations could avoid a data breach in the next 12 months. According to the survey, data protection initiatives result in an average cost savings or revenue improvement of £11 million ($16 million), the report states.
Full Story

TRAVELERS’ PRIVACY—UK

Committee: Body Scanner Privacy Fears Overblown (March 26, 2010)

The House of Commons' Home Affairs Committee has stated that privacy concerns raised in response to the deployment of body scanners at airports are overblown, the Associated Press reports. "Air passengers already tolerate a large invasion of their privacy," the committee noted in a report on counterterrorism measures at the nation's airports. "We do not feel that full-body scanners add greatly to this situation." Meanwhile, Reuters reports that a security worker at London's Heathrow Airport has received a police warning and faces disciplinary action after allegedly making lewd comments to a female colleague who had mistakenly walked through the scanner.
Full Story

PRIVACY LAW—UK

Companies Face Enforcement after Breaching Rules (March 26, 2010)

The Information Commissioner's Office (ICO) has served two UK security companies enforcement notices for violating Privacy and Electronic Communications Regulations (PECR). Direct Response Security Systems and SAS Fire and Security Systems both received notices for making unsolicited marketing calls to customers even after some complained, according to an ICO press release. The complaints alleged that the individuals had received promotional calls despite having registered with the Telephone Preference Service. "Companies who flout the law and continue to target individuals...will face action from the ICO," said the ICO's Sally-Anne Poole. Direct Response has appealed the notice.
Full Story

DATA LOSS—UK

Insurance Company Signs Undertaking After Data Breach (March 26, 2010)

A UK insurance company has signed an undertaking to improve data security after losing a tape containing the personal details of 46,000 customers and 1,800 third parties. The Information Commissioner's Office (ICO) said Zurich Insurance breached the Data Protection Act when its sister company in South Africa lost the tape nearly two years ago. Though Zurich said there is no evidence the data has been misused, it has written to customers whose details were on the tape advising them to take precautions, The Independent reports. The ICO's Sally-Anne Poole said she is pleased that Zurich has taken "remedial steps to ensure individuals' personal details are protected in the future."
Full Story

FINANCIAL PRIVACY—U.S. & EU

EU to Revive SWIFT Talks, Set up Tracking Program (March 25, 2010)

The European Commission (EC) has revived negotiations on sharing banking data with the U.S., reports the New York Times. Citing data privacy concerns, the EU Parliament last month rejected the so-called SWIFT deal, which would have enabled the continued transfer of transaction data from the Belgium-based Society for Worldwide Interbank Financial Transactions (SWIFT) to the U.S. for use in counter-terrorism efforts. The EC adopted a mandate yesterday to begin new negotiations with the U.S. EU justice commissioner Viviane Reding said the new deal would address parliamentarians' data privacy concerns and would require reciprocity in the sharing of data. "We would like to set up our own [terrorist financing tracking program,]" Reding said.  (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO Announces Plan to Boost IT Expertise (March 25, 2010)

The Information Commissioner's Office (ICO) will be staffing its policy and strategy division with more technical experts as part of its reorganisation process, Kable reports. Speaking before the Home Affairs Select Committee, Information Commissioner Christopher Graham said this technical expertise will help the ICO be more forward-looking and "spot the next big thing before it becomes a huge problem." Graham noted that while government entities have improved data protection processes, he does not expect issues around data-sharing to go away, the report states. The challenge, he said, is for the ICO to ensure "that what is proposed is proportionate, privacy friendly and thought through and complies with the Data Protection Act."
Full Story

SOCIAL NETWORKING—EU

Regulators Probe “Tagging,” Consent (March 24, 2010)

European regulators are looking into whether the practice of posting photos and other information online without the consent of those featured is a breach of privacy laws, reports the Associated Press. Swiss Data Protection Commissioner Hanspeter Thuer has launched a preliminary probe, and Thilo Weichert of the data protection commission in the German state of Schleswig-Holstein said that his office has "written to Facebook and told them they're not abiding by the law in Europe." A Columbia University law professor says, "If the European regulators get serious, it will create a significant conflict." Facebook's European policy director said the company has added a tool to facilitate nonuser data removal.
Full Story

ONLINE PRIVACY—UK

Gov’t Considers Moving Public Services to the Web (March 24, 2010)

Prime Minister Gordon Brown's move toward a paperless society calls for the creation of personalised Web sites and unique identifiers that would allow citizens to do everything from booking doctors' appointments to paying taxes to registering their cars from their home computers, The Times reports. However, data and identity protection are among the concerns being raised about the plan. Privacy experts and union leaders, including Jonathan Baume of the FDA, caution not to "underestimate a whole range of risk factors including upfront costs, data protection, identity theft...Roughly £12 billion of taxpayers' money has also just been wasted on the NHS IT project and there has been a long history of government computer problems."
Full Story

PRIVACY LAW—EU

Hustinx: EU Laws Should Push ‘Privacy by Design’ (March 24, 2010)

EU data protection laws should change to force companies developing new information and communication technologies (ICTs) to design privacy features into them, says European Data Protection Supervisor (EDPS) Peter Hustinx. In a statement, the EDPS said that ICTs raise new concerns that are not accounted for in EU regulations thus far, making further action necessary, OUT-LAW.COM reports. In an opinion submitted to the European Commission recently, Hustinx said it's crucial to consumer trust in emerging ICTs that laws change to address social media, radio frequency identification and targeted advertising. "This need for a 'privacy by design' approach should be reflected in the EU data protection legal framework at different levels..." Hustinx said.
Full Story

DATA PROTECTION—FRANCE

CNIL Unveils 2010 Inspections Report (March 23, 2010)

The French Data Protection Authority (CNIL) plans to conduct at least 300 on-site inspections in 2010, with a special focus on compliance issues, the Hunton and Williams Privacy and Information Security Law Blog reports. In 2009, the CNIL conducted 270 on-site inspections, with 22 percent leading to warnings or sanctions. In its recently adopted 2010 inspections report, the CNIL lists its areas of focus as including ensuring data controller compliance and assessing the effectiveness of data protection officers within organizations. The CNIL also intends to focus on certain business sectors and concerns, the report states, including the airline and real estate industries, the protection of minors and the use of closed-circuit television (CCTV) for video surveillance.
Full Story

DATA LOSS—UK

Report Recommends Personal Compensation for Data Breaches (March 23, 2010)

A study commissioned by the Information Commissioner's Office (ICO) and Consumer Focus recommends putting a price on privacy breaches to deter organisations from losing or misusing personal information, The Telegraph reports. The study also recommends giving consumers more control over how their data is used, requiring regulators to name organisations that mishandle data and providing the ICO with new powers to administer fines when information is misused. "The study points the way for the ICO to meet its commitment to respond to the real concerns of real people," said Information Commissioner Christopher Graham. "Consumers want to be in effective control of their personal information and privacy and there is support for tougher penalties for misuse of information by rogue individuals within organisations."
Full Story

PERSONAL PRIVACY

I Always Feel Like Somebody’s Watching Me (March 23, 2010)

The use of video surveillance in retail stores is growing and so is concern about loss of privacy, reports the New York Times. Stores are tracking customers' browsing habits and then studying them to identify potential changes that might improve the shopping experience and increase sales. But some question the ethics of these methods, especially as facial recognition software is added to the mix. "I think it is absolutely inevitable that this stuff is going to be linked to individuals," says Katherine Albrecht, founder of Consumers Against Supermarket Privacy Invasion and Numbering. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy in the Video Everywhere World (March 22, 2010)

The emerging online video revolution begs a new definition of the word privacy, The Guardian reports. New sites are making online video more immediate and communal, says author Victor Keegan, giving us a "taste of the future when everyone will have instantaneous access to almost anyone else." Archiving video in the cloud would be an "amazing tool...if anyone ever has the time to go through it," but could also come at the expense of our privacy. "Indeed..." writes Keegan, "Whatever our fears about governments collecting data about ourselves, we seem to be two steps ahead of them in revealing it all ourselves voluntarily."
Full Story

ONLINE PRIVACY

Privacy Eroding? Look Within. (March 22, 2010)

The Atlantic responds to recent articles about the loss of privacy in the online environment, saying "Don't blame Facebook" for its erosion. Derek Thompson writes that our privacy is vanishing online because we want it to. "Occasionally Facebook screws up," he writes. "But mostly, we sacrifice our privacy online for the human instinct to share and feel connected. If you want somebody to blame, look in the mirror." Thompson says Cornell University Professor Jon Kleinberg offers words to live by in saying, "When you're doing stuff online, you should behave as if you're doing it in public--because increasingly it is."  
Full Story

DATA PROTECTION

Copy Machines a ‘Gold Mine’ for Data Thieves (March 22, 2010)

The Toronto Star reports on the potential privacy implications of photocopiers in the workplace. Multi-purpose copy machines store a wealth of information on their hard drives, and it can be easily hacked, the report states. One security expert who reconfigures used copy machines says businesses are unaware of the privacy breach risks when a copier is replaced. "In almost all the machines I have seen, the files, phone numbers, fax numbers and e-mail addresses are left there as if it was still in the office," he says, adding that he often comes across files from insurance companies and medical facilities. Another expert says if linked to an unsecured network, copier data can be found and tracked online.
Full Story

PRIVACY LAW—EU

Justice Commissioner Outlines Goals (March 19, 2010)

Justice Commissioner Viviane Reding outlined her priorities for the term ahead at the European Policy Centre in Brussels on Thursday, stating, "we need to protect the privacy of our citizens in the context of all EU policies..." Reding has initiated the process to reform the 1995 European Data Protection Directive, she said, in order to "address new challenges of the Information Age, such as globalisation, development of information technologies, the Internet, online social networking, e-commerce, cloud computing, video surveillance, behavioural advertising, data security breaches, etc."
Full Story

CHILDREN’S PRIVACY—GERMANY

Nutrition Game Asks Kids for Data (March 19, 2010)

The German educational foundation Stiftung Lesen is facing criticism for its collaboration with food company Nestlé on a Web-based nutrition game that is being distributed to schools across the nation, The Local reports.  Opponents say although the game does not collect data from children when they play during school hours, when they play at home the program asks for their names, e-mail addresses and birth dates, among other data. The head of Berlin's state parents' committee said, "this data does not belong on the Internet." A Nestlé spokesperson said the company has since changed the game's registration requirements. Data protection officials in Darmstadt are looking into the matter.
Full Story

PERSONAL PRIVACY—CZECH REPUBLIC

MPs: Police Access to 140,000 Calls and Texts Violated Privacy Rights (March 19, 2010)

While police have defended the interception or retrieval of information from more than 140,000 calls and text messages last year, privacy advocates and MPs are asking the Constitutional Court to deny such access in the future, the Prague Post reports. Police and security services are allowed access to phone messages and text messages in the Czech Republic and can keep the information for up to six months, the report states, but some fear this could lead to an abuse of power. "The scope of interference in the right to privacy is greater than the use of the data to achieve the purpose of combating crime," said Jan Voboril of Iuridicum Remedium, which has asked the Czech Constitutional Court to review the EU Data Retention Directive.
Full Story

SURVEILLANCE—EU

EDPS Issues Guidelines on Video Surveillance (March 19, 2010)

The European Data Protection Supervisor (EDPS) has issued guidelines for European institutions and bodies on how to use video surveillance responsibly and with effective safeguards in place to minimize the impact on privacy and other fundamental rights. According to an EDPS press release, the guidelines apply to existing as well as future systems. Institutions have until 1 January 2011 to come into compliance. "There are fundamental rights at stake," said Assistant EDPS Giovanni Buttarelli, "such as the right to privacy in the workplace." He said security needs must be balanced against the fundamental rights of individuals. "Using a pragmatic approach, video surveillance systems can meet security needs whilst also respecting our privacy," he said.
Full Story

FINANCIAL PRIVACY—UK, FRANCE & SWITZERLAND

UK to Acquire Stolen Bank Data (March 19, 2010)

The government is set to acquire the Swiss bank account details of up to 6,600 British citizens suspected of tax evasion, reports The Sunday Times. HM Revenue & Customs says it will purchase the data, which was stolen from Swiss bank HSBC, within a month. "It's fair to say that the prospect of getting hold of this information has generated some excitement here," an HMRC official said. It will get the information from the French government, which kept copies of the files it retrieved from the thief--a French citizen--at the request of the Swiss government.
Full Story

DATA PROTECTION—NORWAY

Encryption Required for Paycheck Stubs (March 19, 2010)

Norway's Data Inspectorate (Datatilsynet) has released new data security guidelines that require encryption of paycheck stubs. The guidelines apply to all employers that are covered by Norwegian tax regulations, and require the encryption of all pay stubs issued to employees' personal e-mail addresses, whether issued by the company or by external accounting firms. Electronic pay stubs sent to employees' company e-mail addresses need not be encrypted but must satisfy a number of new requirements regarding storage, copying, and forwarding. (Article in Norwegian.)
Full Story

CHILDREN’S PRIVACY—UK

New Code of Practice Restricts Data Collection (March 19, 2010)

Advertising industry groups have released a new code of practice that outlaws the collection of personal data from children under the age of 12 without parental consent, reports OUT-LAW.COM. The rules, which will be enforced by the Advertising Standards Authority, will take effect on September 1. The rule also prohibits marketers from collecting personal information about other people from children under the age of 16, the report states. The Direct Marketing Code of Practice requires parental consent before the online collection of data from children under the age of 16.
Full Story

DATA LOSS—UK

Intelligence Agency Loses Laptops (March 19, 2010)

A British intelligence agency's loss of 35 laptop computers showed a "cavalier" attitude to tracking equipment, according to a parliamentary committee report. A 2008 audit of the Government Communications Headquarters revealed the lapse. Three of the laptops were certified to hold top secret information, the Irish Times reports. "The committee considers that this...attitude towards valuable and sensitive assets was unacceptable. GCHQ must ensure that it controls, tracks and monitors its equipment effectively." In a statement, the government said, "The most likely explanation in most cases is that the laptops were destroyed but without the destruction being fully recorded. GCHQ has now tightened up its controls."
Full Story

DATA LOSS—UK

Insurer Breaches DPA, Signs Undertaking (March 19, 2010)

The group chief executive officer of Royal London Mutual Insurance Society has signed a formal undertaking with the Information Commissioner's Office, promising to improve data protection efforts. According to an ICO press release, the company breached the Data Protection Act by not properly securing eight laptops, which were stolen from the company's Edinburgh offices. The computers were password protected, but not encrypted. In the undertaking, the company promises to encrypt portable and mobile devices and to implement appropriate physical security measures. "I am pleased the Royal London Mutual Insurance Society Ltd has agreed to take further remedial steps to prevent a similar incident happening again," said ICO Head of Enforcement Mick Gorrill.
Full Story

SURVEILLANCE—UK

Report: School CCTV Surveillance Violates Law (March 19, 2010)

A recent study on the use of closed circuit television (CCTV) in British schools found that most fail to alert students to the practice. The report also found that pupils in schools are as frequently monitored by CCTV cameras as inmates in prisons, The Guardian reports. The Data Protection Act requires that schools tell pupils where cameras have been installed and for what purpose, though the study found most schools were unaware of this requirement. "We need specific guidance for pupils on how far schools can monitor them," the report's author says. "The dearth of concrete legislation permits ever more invasive surveillance practices to be introduced in schools. Pupils are definitely the most surveilled non-criminal population."
Full Story

DATA LOSS—UK

Experts: New ICO Powers Will Mean Hefty Fines for Data Breaches (March 19, 2010)

When its fining powers come into effect on April 6, the Information Commissioner's Office (ICO) is likely to use the full force of its new powers to penalise organisations for data loss and send a message to others, Computing reports. Alan Calder of ITgovernance expects the ICO will pursue a small number of high-profile Data Protection Act breaches and issue fines of up to £500,000 to make it clear that those who violate the law "will be penalised for losing laptops or USB sticks or having their networks hacked." However, an ICO spokesman said the office "would not make an example of an organisation for the sake of making an example. It would be done on a case-by-case basis."
Full Story

ONLINE PRIVACY—UK

Complaints Follow Street View Expansion (March 19, 2010)

A recent UK survey found that 34 percent of respondents consider Google's Street View mapping feature to be a "positive" move, but the remainder say it's an intrusion, eWeek Europe reports. Google expanded the feature last week to cover 96 percent of the UK's public roads. The feature offers 360-degree views of cities and towns. Of those who said it was an intrusion, 74 percent said they were most angered that they had not given permission that the images be taken. Though they were removed within one hour of going live, images of a naked child being dressed at a public park appeared on the site last week, prompting complaints and concerns about pedophilia. Google has since apologized and removed those images, but a spokesman for Big Brother Watch says, "Where there's one example like this, there will be many others."
Full Story

GEO PRIVACY

Location-Based Services Have Privacy Implications for Businesses and Individuals (March 18, 2010)

The potential for location-based services to cause embarrassment goes beyond revealing secret affairs and exposing children to parental scrutiny, BBC News reports. Citing the decision by some users to post their locations in their social networking profiles as well as services that "exploit geolocation of IP addresses and the GPS built into our smartphones," the report warns of potential negative implications for individuals and businesses alike. "Perhaps once companies start losing work because their employees are leaking all sorts of potentially embarrassing information about their movements, meetings and opinions on clients," the report states, "we will see some serious pressure on the service providers to offer more nuanced and effective privacy controls."
Full Story

PRIVACY

The Future of the Privacy Profession (March 17, 2010)

At the IAPP's tenth anniversary celebration yesterday, experts offered insight on the future of the data protection field and those who work in it. The privacy professional of the future must be agile, multicultural and engaged in the technologies that are stirring privacy debates, said a panel of seasoned privacy pros. In a moderated forum at the National Press Club in Washington, DC, panelists discussed the growth and evolution of the privacy field over the past decade and offered a sneak peek at what it will look like in the year 2020. Picture this: acrobatic regulators, data protection in the mainstream and, potentially, an ethical code for privacy professionals.
Watch online

PRIVACY LAW—IRELAND

High Court to Rule on Privacy Rights (March 17, 2010)

A number of major record companies have asked the High Court to rule on data protection issues based on agreements to disclose the Internet protocol (IP) addresses of people involved in music piracy, the Irish Times reports. In a settlement last year, broadband provider Eircom agreed to implement several measures aimed at stopping illegal downloading, including disclosing the implicated IP addresses. But the issue has come before the High Court again after the data protection commissioner said that disclosing the IP addresses violates the Data Protection Act. The record companies claim, however, that privacy rights are overruled when a person commits copyright infringement. A judge is expected to rule on the issue next week.
Full Story

ONLINE PRIVACY—SWEDEN

New Company Manages Your Online Life After Death (March 16, 2010)

For those who have ever wondered what will become of their social networking pages and photos or their online games, posts and blogs after they pass away, a Swedish online company may have the answer. Lisa Granberg and Elin Tybring's new company, Webwill, solves the problem of what happens to that content when family or friends are unable to access or delete social networking profiles after the loss of a loved one, Deutsche Welle reports. "You create an account and tell us which online services you use, and what changes we should make after your death," Granberg says. "...Once we're informed of your death, we execute your digital will, so to speak."
Full Story

PRIVACY LAW—UK

ICO Pushes for Jail Terms (March 15, 2010)

The information commissioner wants dormant legislation brought to life and is urging Tories to act, reports The Register. The legislation imposes jail sentences of up to two years on data thieves. Speaking at a conference in London last week, Christopher Graham urged Conservatives to activate the sentences if they win the May 7 election, saying that the failure to impose custodial sentences is stopping him from doing his job. "It's there to be taken off the shelf," Graham said. "But there has been remarkable reluctance by ministers to take it."
Full Story

FINANCIAL PRIVACY—SWITZERLAND

Swiss People Want Secrecy Laws Upheld (March 15, 2010)

A Swiss Bankers Association survey of more than 1,000 Swiss citizens has found that the majority oppose ending banking secrecy laws in the state. Seventy-three percent of respondents want the laws maintained, down five percent from last year's poll. In addition to wanting confidentiality laws upheld, 40 percent of respondents indicate that their government should do more to protect the tradition and 70 percent say they object to the automatic exchange of banking information with other governments. The Swiss government has been facing international pressure to relax the rules in order to assist international tax evasion investigations.
Full Story

DATA THEFT—SWITZERLAND

Data Theft Involves 24,000 Swiss Bank Clients (March 12, 2010)

A security breach at a private bank in Switzerland is much more serious than was first believed, with personal information on about 24,000 clients compromised during the theft in 2006, the Financial Times reports. HSBC has confirmed that the theft, which was uncovered last year, affects 15 percent of the bank's total private client base, the report states. The data was stolen by a former IT specialist who then provided it to French tax officials. Although the authorities had used the stolen data to launch a crackdown on tax evaders, the report states that they have since returned those files to the Swiss federal prosecutor, which is leading a criminal investigation.
Full Story

PRIVACY LAW—EU

Court of Justice Rules on DPAs’ Independence (March 12, 2010)

The Court of Justice has decided that data protection authorities in the German Länder are not acting with "complete independence" as required by the Data Protection Directive. The court ruled on Tuesday that the authorities, which supervise the processing of personal data in the private sector, are not acting independently as they are part of the regional administration and therefore subject to state scrutiny. European Data Protection Supervisor Peter Hustinx lauded the court's decision, saying, "It strengthens and clarifies the position of data protection authorities as part of the fundamental right to data protection."
Full Story

DATA RETENTION—CZECH REPUBLIC

Watchdog Wants Court Review of EU Directive (March 12, 2010)

The watchdog group Iuridicum Remedium wants the Czech Constitutional Court to review the EU Data Retention Directive, Radio Prague reports. The group wants the court to assess whether the directive is in line with the Czech constitution. Iuridicum's Filip Pospisil says the group was inspired by the recent decision of Germany's Federal Constitutional Court. Last week that court overturned the law requiring the retention of communications data. Pospisil says he hopes for the same outcome in the Czech court. "We would like to push the ministries in charge to prepare new legislation that would protect personal data and limit access to the data, and also the amount of it being stored."
Full Story

GENETIC PRIVACY—UK

Committee: Six Years is Too Long (March 12, 2010)

The Commons home affairs select committee this week rejected government proposals to keep the DNA profiles of innocent people for up to six years, reports The Guardian. After a short inquiry into the matter, MPs said they were unconvinced that retaining genetic information for that period of time would lead to more crimes being detected, the report states. The committee would support a three-year retention period. "We do not think we should go back to the situation where DNA is only taken on charge, not arrest," said committee chairman Keith Vaz, "but it is vital that it is made easier for those wrongly arrested...to get their records removed from the database."
Full Story

PRIVACY LAW—EUROPE

Parliament Resolves to Open ACTA Talks (March 12, 2010)

In a near unanimous vote, the EU Parliament yesterday approved a common resolution that calls for openness in negotiations related to the Anti-Counterfeiting Trade Agreement (ACTA), reports NetworkWorld. Although the resolution is not formally binding, MEPs say they will "fight on" to the Court of Justice if denied access to the legislation. The ACTA negotiations came under scrutiny when a draft was leaked online last month. European officials expressed concern that civil liberties could be breached by the agreement, which aims to enforce international standards for intellectual property rights. European Data Protection Supervisor Peter Hustinx said that ACTA could result in "large-scale monitoring of Internet users."
Full Story

HEALTHCARE PRIVACY—UK

NHS Scotland Improves Patient Data Protection Policies (March 12, 2010)

Following an internal review of its handling of patient health records, Scotland's National Health Service has developed recommendations on how to improve data protection policies. The December 2009 review came after a patient's records were sent to the wrong doctor without her knowledge, removing her from a list of candidates for cervical cancer screening tests. The review found that NHS Scotland's rules regarding medical record transfers may not meet data protection laws. The recommendations call for the creation of a formal agreement on data protection responsibilities for general practitioners and a public awareness campaign, BBC News reports.  
Full Story

ONLINE PRIVACY—GERMANY

The Politicization of Data Privacy (March 12, 2010)

Spiegel reports on the politicization of data privacy, saying that while until recently only "backbenchers" paid attention to it, today "no politician wants to be left out." The report delves into issues associated with online mapping programs such as Google's StreetView, a matter in which Germany's minister of consumer protection has taken a keen interest, and discusses the creation of the Internet and Digital Society commission, which was launched last week to examine the interaction between people and digital media. "The long overdue discussion of data privacy is now finally getting underway," says former German Interior Minister Gerhart Baum.
Full Story

PERSONAL PRIVACY

Mobile Phone Capable of Tracking Users’ Movements (March 12, 2010)

A Japanese company has created a mobile phone capable of tracking users' physical movements, BBC News reports. KDDI Corporation has developed phone technology capable of deciphering precise movements such as scrubbing, sweeping and walking. KDDI plans to sell the phone to managers, foremen and employment agencies, the report states. Some say it introduces an increased opportunity for abuse. "...There will surely be negative consequences when applied to employee tracking or salesforce optimization," said the director of the International University of Japan's mobile consumer lab.
Full Story

GEO PRIVACY

Location-Based Services Raise Privacy Concerns (March 11, 2010)

A proliferation of services that let social networkers share their locations has some concerned about the privacy ramifications. Facebook and Twitter will soon offer location-based features, and dozens of similar services already exist, the Wall Street Journal reports. "There are a lot of concerns about the government being able to subpoena this information," says Carnegie Mellon University researcher Lorrie Cranor, citing other potential and possibly unwelcome uses of such information. Cranor was involved in a recent Carnegie Mellon study of 80 location services that found the majority either don't have a privacy policy or collect and save all data for an indefinite amount of time, according to the WSJ report. (Registration may be required to access story.)
Full Story

PRIVACY LAW—EU

MEPs Want More Time on Passenger Data Vote (March 10, 2010)

The European Parliament Civil Liberties Committee has asked that a vote on the sharing of passenger name records with the U.S. be postponed, reports ZDNet. The committee says that a "no" vote would hamper carriers, which are required to provide passenger name records (PNRs) under U.S. law. The European Court of Justice ruled in 2004 that a temporary agreement to share air passengers' names, itineraries, payment details and other information was illegal. Committee rapporteur Sophie In 't Veld said the EU needs "to systematically harmonise the set of principles [around PNR]," and that she would push for the PNR data provision to comply with EU data protection law, the report states.
Full Story

TRAVELERS’ PRIVACY

UN Expert Says Airport Scanners Violate Human Rights (March 10, 2010)

Is the use of full-body scanners in airport security a breach of individual rights? Yes, according to Martin Scheinin, the UN special rapporteur on the protection of human rights. The Montreal Gazette reports that Scheinin believes the scanners are not only an excessive intrusion into individual privacy but also ineffective in preventing terrorist attacks. "The use of a full-body scanner which reveals graphic details of the human body, including the most private parts of it, very easily is a violation of human rights," Scheinin says. He has told the UN Human Rights Council that different technology would better protect personal privacy, the report states.
Full Story

HEALTHCARE PRIVACY—U.S. & EU

Proposed Info Sharing Agreement in Focus (March 9, 2010)

U.S. Department of Health and Human Services Secretary Kathleen Sebelius and her Spanish counterpart, Minister of Health and Social Policy Trinidad Jimenez, met to discuss a proposed digital healthcare data sharing program last week, reports ZDNet. "The aim is to create a scenario for clinical information exchange and technical interoperability..." said the EU presidency in a statement. The European Data Protection Supervisor's office (EDPS) has "taken note of the initiative," the report states. "This legal framework [for information exchange] will require special safeguards for the protection of sensitive personal data and...under the Lisbon Treaty, be subject to approval by the European Parliament," the EDPS said.
Full Story

HEALTHCARE PRIVACY—UK

Privacy in Question with Health Database (March 8, 2010)

Privacy advocates, human rights activists and doctors are voicing concerns about patients' privacy rights in the creation of individual summary care records (SCR), reports The Guardian. The NHS has created 1.24 million SCRs so far and plans to create SCRs for more than 50 million people overall; the records are intended to ease information sharing among healthcare providers and potentially improve patient care. Concerns abound regarding the security of the records and NHS's "implied consent" method for gaining patient permission to create the SCRs, a method one advocate describes as "inaccessible and virtually meaningless." A Cambridge University security expert worries about accessibility. "You just can't keep a secret if 300,000 people have access to it."
Full Story

BEHAVIORAL TARGETING

Self-Service Ads: Serving Some Better than Others? (March 5, 2010)

The New York Times reports on reactions to Facebook's self-service ad system, which lets advertisers target promotions to users based on information they post to their profiles. Major advertisers have begun using the program, which was previously the domain of small businesses. "When it works, it's amazingly impactful," says Chicago consultant Tim Hanlon. When it doesn't work, "it's not only creepy but off-putting," Hanlon adds. Facebook members report that some targeted ads seem presumptuous and nonsensical. "What a marketer might think is endearing, by knowing a little bit about you, actually crosses the line pretty easily," Hanlon says. A Facebook spokesperson says the platform has come a long way in the past year and will continue to improve. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

Making the Business Case for Data Protection (March 5, 2010)

The Information Commissioner's Office (ICO) wants businesses to put a value on personal information and invest in systems to protect it, reports eWeek. The ICO released a report this week to help organizations make a business case for data protection. The Privacy Dividend report includes tools and calculation sheets to help companies assess the value of the information they hold. "No organisation can neglect to protect people's privacy," said Information Commissioner Christopher Graham. "This report provides organisations with the tools to produce a financial business case for data protection, ensuring privacy protection is hardwired into organisational culture and governance."
Full Story

PRIVACY LAW—IRELAND

Opinion: All’s Not Well with Data Protection Plan (March 5, 2010)

Data retention proposals similar to those expected to become law in Ireland have been declared an invasion of privacy in a German court decision that Karlin Lillington calls "a timely warning shot" in an op-ed for the Irish Times. The Retention of Data Bill 2009 would implement an EU directive, but Lillington warns that the same issues cited in the German case--including ensuring data safety and legal remedies when personal data is misused--have been raised as concerns in Ireland. "If the government fails to reconsider the terms of its Data Retention Bill," Lillington writes, "...it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead."
Full Story

DATA THEFT—CYPRUS

Police Investigating Illegal Disclosure of Telecommunications Data (March 5, 2010)

Police investigating the illegal disclosure of telecommunications data are hoping to determine why a company employee gathered information on 22 individuals and provided it to a private investigator, the Cyprus Mail reports. According to police, the data--which included phone numbers of callers and those receiving the calls as well as the dates, times and durations of each call--was illegally passed on to a private detective by a former CyTA employee. CyTA Chairman Stathis Kittis has said that, due to the investigation, those affected by the breach will first be contacted by police, but in the future, CyTA will be apologising to them directly "for failing to completely protect their privacy."
Full Story

PERSONAL PRIVACY—UK

Information Commissioner to Political Parties: Oh, Behave (March 5, 2010)

Noting violations in previous years, the UK's information commissioner has warned political parties to adhere to privacy laws during the upcoming elections. At a recent conference on data protection, Commissioner Christopher Graham advised the parties on proper communication techniques and pointed them to newly created guidance on the ICO Web site, Public Service.co.uk reports. He also reminded them of the Privacy and Electronic Communications Regulations and the Data Protection Act. Graham strongly urged the parties to adhere to the rules, adding, "We have taken enforcement action to uphold the law in the past and, with stronger powers available to me in just a matter of weeks, I intend to make sure that everybody stays in line."
Full Story

PERSONAL PRIVACY—UK

Commission Investigating Bullying Helpline Complaints (March 5, 2010)

The Charity Commission has announced it is opening an inquiry into the National Bullying Helpline after the charity's founder reportedly disclosed mistreatment complaints from Downing Street employees, The Guardian reports. "Concerns have been raised about the protection of confidential information held by the charity," a commission spokeswoman explained. The inquiry, which will look into the charity's data protection procedures, will also examine how people were referred from the helpline to a business run by one of its trustees, the report states. The inquiry comes on the heels of allegations that the charity's founder, Christine Pratt, used the helpline to solicit business for a human resources consulting firm she runs with her husband.
Full Story

ONLINE PRIVACY

Opinion: Is Truth More Valuable than Privacy? (March 5, 2010)

In an op-ed for The Times, David Aaronovitch describes personal privacy protection as the Web's "latest ethical battleground" but questions, "is it the most important?" Aaronovitch looks at the way personal information is used online in posing the question "how much control or ownership can one have over one's own image and reputation?" He goes on to write that options allowing users to permanently delete their online lives at the click of a mouse have posed "a threat much worse than that to privacy" in the form of "privacy-induced attempts to bend or erase the truth that is essential to the value of the Internet. Lack of privacy may be uncomfortable. Lack of truth is fatal."
Full Story

PRIVACY LAW—GERMANY

Court Decision Pleases Some, Rattles Others (March 4, 2010)

Germany's Federal Constitutional Court this week overturned a law requiring the retention of certain communications data and ordered the immediate destruction of stored e-mail, telephone and text message data. Police and security experts are reacting with "shock and alarm," while civil libertarians are celebrating, reports the Financial Times. Other EU states are reacting to the decision as well. The law required six-month retention of phone and e-mail data for use in counterterrorism efforts. It was unpopular with Germans; 35,000 had appealed for it to be overturned and Data Protection Commissioner Peter Schaar had also spoken out against it. The court said that such retention violated Germans' constitutional rights and failed to balance privacy rights against the need to provide security.
Full Story

PRIVACY LAW—EU

Google May Not Renew Street View in Europe (March 3, 2010)

Google may not map the continent again if European Union data-protection regulators decide to cut the image storage time for the company's Street View service from one year to six months, BusinessWeek reports. "I think we would consider whether we want to drive through Europe again, because it would make the expense so draining," said Michael Jones, founder of Google Earth, noting the need for longer storage time due to software constraints. "I think that privacy is more important than technology but for privacy people it is only about privacy," Jones said, while, "for us it is also about technology. We have to be actually able to do what they want us to do. What we want is to have enough time."
Full Story

ONLINE PRIVACY

Internet of Things More Reality than Fiction (March 2, 2010)

A new McKinsey consultancy report suggests that the "Internet of things" is closer than ever to becoming a reality, The Guardian reports. The system would see everyday objects like shoes and food become capable of communicating data about their position, status and location through GPS and RFID systems, the report states. "Pill-shaped micro-cameras already traverse the human digestive tract and send back thousands of images to pinpoint sources of illness," the authors write, describing the potential benefits of the Internet of things. But they acknowledge the downsides, as well, saying that companies working on such technological advances must consider privacy, security and data protection concerns.
Full Story

BEHAVIOURAL TARGETING—UK

BT Facing Criminal Probe (March 1, 2010)

British Internet service provider BT is facing a criminal investigation for allegedly selling consumer data to a behavioural targeting company, MediaPost News reports. Britain's Crown Prosecution Service is said to be probing allegations that BT sold consumers' Web activity data to Phorm, which uses such data to serve relevant ads to users. "The Crown Prosecution Service is working hard to review the evidence in this legally and factually complex matter," a spokeswoman said. "We have requested and received technical and expert evidence...which is being very carefully considered." BT has taken heat from the European Commission for its secret trials of Phorm's platform in 2006.
Full Story

BEHAVIORAL TARGETING

Company to Target Ads Based on IP Addresses (March 1, 2010)

In a move that promises to push the debate on whether IP addresses should be considered personally identifiable information, a behavioral targeting company says it will soon launch an ad platform that is based on users' IP addresses. MediaPost reports that ClearSight Interactive has acquired 100 million IP addresses--along with postal and e-mail addresses--from publishers. The company says it has enough data to reliably link 65 million IP addresses to specific individuals, and it intends to begin serving ads to visitors based on their neighborhoods within four to six weeks, according to the report.
Full Story

PRIVACY LAW—FRANCE

Court: IP Address Not Enough to ID User (March 1, 2010)

EDRI-gram reports on the Paris Appeal Court's recent ruling that an IP address does not allow the identification of an Internet user and, therefore, can be collected without the prior authorization of the French data protection authority, the CNIL. The decision backs the Cassation Court's decision of January 13, 2009, which classified the IP address as "nominal data." The Appeal Court said the IP address "cannot be considered personal data because it does not identify the user," the report states. A techdirt commentary on the ruling says that while some will not like it, it's good that "courts recognize that an IP address does not identify a user, even if it means that IP addresses aren't considered private info."
Full Story

ONLINE PRIVACY—EU & U.S.

Cultures Collide on Privacy (March 1, 2010)

The New York Times explores the fundamental differences between American and European attitudes toward privacy--a topic that has become front of mind for many in the days following last week's conviction of three Google executives in an Italian court. "Americans to this day don't fully appreciate how Europeans regard privacy," says Jane Kirtley of the University of Minnesota. The European framework, says Google lawyer Nicole Wong, sees privacy as a human-dignity right. "As enforced in the U.S., it's a consumer-protection right," Wong adds. Indiana University Professor Fred Cate explains how the origins of Europe's privacy protectiveness--the response to totalitarian regimes' myriad privacy-intrusive methods for maintaining power--differentiate it from America's, where free speech often trumps privacy. Meanwhile, a University of Michigan professor offers an alternate, less privacy-centric theory on why the Italian court was keen to convict the Google executives. (Registration may be required to access this story.)
Full Story