European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Hustinx Calls for Ambitious Approach to Framework (April 30, 2010)

Speaking at the European Privacy and Data Protection Commissioners' Conference in Prague yesterday, European Data Protection Supervisor Peter Hustinx called on the European Commission to be proactive on the legal framework for data protection. He said key elements of an effective framework would include integration of privacy by design into communications technologies, increased accountability for data controllers and stronger enforcement powers for data protection authorities. "It is essential that the commission comes up with proposals that take into account what is really needed and does not settle for less ambitious results," Hustinx said.

ONLINE PRIVACY—GERMANY

Caspar to Meet with Google, Steffen to Introduce Bill Next Week (April 30, 2010)

Google has confirmed that its Street View cars collect Wi-Fi data, but a company spokesperson said that the practice is "totally legal" and that the company has no plans to publish the data, The New York Times reports. But, "The question is what will Google do with this information?" asked Johannes Caspar, the head of data protection in Hamburg, who will meet with company representatives next week. Meanwhile, German Consumer Protection Minister Ilse Aigner is calling on Germans to opt out of Street View, and a Hamburg senator for justice plans to introduce a bill in the Bundesrat next week that would impose €50,000-60,000 fines for every instance where the company failed to eliminate the data of citizens who had opted out, the report states. (Registration may be required to access this story.)

SURVEILLANCE—ITALY

New Rules On Video Surveillance (April 30, 2010)

The Italian Data Protection Authority (the Garante) approved a general decision on closed circuit television (CCTV) systems that results in the repeal of the rules that have been in force since 2004. The new rules allow recorded data to be retained for 24 hours and leave open the possibility for that period to be extended up to seven days. In different cases, an ad hoc authorisation must be obtained from the Garante. The decision raises most of the issues traditionally associated with video surveillance in various contexts, from work places to public areas, and for various purposes, including crime prevention, property protection and social networking. (Decision in Italian.)

PRIVACY—GERMANY

Privacy To Be Required Course (April 30, 2010)

Students enrolled in Christian-Albrechts-University's information management program will now be required to take a course on data privacy. The university has signed an agreement to cooperate with Schleswig-Holstein's Independent Center for Privacy Protection (ULD), whose employees will teach the course. "The aim of the cooperation is to improve, in an increasingly connected world, data protection and security," the university's chancellor said. Thilo Weichert, head of the ULD, said, "Schleswig-Holstein can maintain its leading position in data protection only if the issue is an integral part of computer science education."

PRIVACY LAW—IRELAND

Commission Calls for Timely Destruction of DNA Profiles (April 30, 2010)

The Irish Human Rights Commission says DNA profiles should be destroyed as soon as reasonably possible in cases where a person is not being charged with a crime or is acquitted, The Irish Times reports. The commission yesterday made a presentation to the Oireachtas Committee on Justice, Equality, Defence and Women's Rights. The proposed DNA database bill would allow for the collection of volunteer samples in criminal investigations, with a default destruction period of 10 years for adults and five years for children and "protected persons" deemed vulnerable. But the commission has concerns that a volunteer could be asked to allow the sample to be retained even without suspicion or conviction of a criminal offence, among others.

SOCIAL NETWORKING

Site Changes Concern Canadian Commissioner (April 30, 2010)

Canada's federal privacy commissioner has expressed concern about changes Facebook made last week that will allow third-party developers to retain users' data indefinitely, The Globe and Mail reports. "I'm very concerned about these changes," said Commissioner Jennifer Stoddart. "More than half a million developers will have access to this data." Stoddart indicated that the company seems to "be moving in the opposite direction" from that which it committed to move toward last summer when the company agreed to certain privacy reforms following an OPC investigation. Stoddart also reiterated concerns she and her global counterparts set forth last week in relation to online companies' actions impacting user privacy.

TRAVELERS’ PRIVACY—EU & U.S.

EU Air Travel Privacy and Other Concerns Persist (April 29, 2010)

The New York Times reports that while airline passenger records may be the most prominent, other privacy issues--ranging from Internet mapping services to U.S. access to banking records to data breaches--have also "accentuated concerns among Europeans that governments and companies cannot be trusted to keep potentially sensitive information under lock and key." Meanwhile, some Americans want the U.S. to follow the EU's lead on privacy. "In many respects today, the United States has fallen behind Europe in its ability to develop appropriate safeguards for the use of technology," said Marc Rotenberg of the Electronic Privacy Information Center. "If the Europeans are successful in establishing a standard, there will be benefits to American citizens as well." (Registration may be required to access this story.)

DATA LOSS—UK

Health Plan at Top of Data Breach List (April 29, 2010)

The UK's national health plan has reported 287 data breaches since the end of 2007, 113 of which were due to data theft, BBC News reports. That's the greatest number of serious data breaches reported by UK organizations, said Deputy Information Commissioner David Smith at an event this week. He noted that the public sector's tendency to report breaches may have skewed the numbers. A spokesman for the British Medical Association thinks the number of breaches reflects in part the size and complexity of the NHS, the report states. "So many people have access to data and often human error is to blame," he said.

PRIVACY LAW—EU

UK ICO Says Breach Notification Law Coming (April 28, 2010)

The requirement for companies to notify national regulators about serious data breaches will expand beyond the telecommunications sector, according to UK Deputy Information Commissioner David Smith. At an event on Tuesday, Smith said that the European Commission has breach notification "on its agenda" and that its current review of data laws will likely require notifications from a wider range of businesses, ZDNet reports. There is "no logical reason" to confine the requirement to telcos, Smith said. Responding to his comments, one analyst said, "Notification promotes efficient publication of breaches, which encourages data protection." Smith, himself, described breach notification as a "double-edged sword" for regulators.

PRIVACY LAW—ITALY

Legal Expert Says Google Conviction Based on Misinterpretation (April 28, 2010)

An Italian legal expert says that a legal error formed the basis of the conviction of three Google executives earlier this year, and the company would likely win an appeal to the conviction, OUT-LAW.COM reports. A Court of Milan judge sentenced the executives to a suspended jail term in February after finding them guilty of violating the nation's privacy laws. But Elvira Berlingieri, a legal consultant and academic who has studied the reasoning behind the verdict, says a judicial error in interpreting Italy's laws prompted the conviction. Berlingieri says the error involves confusion over Sections 13 and 167 of the Privacy Code.

ONLINE PRIVACY

Company Apologizes for Glitch that Exposed Customers’ Credit Cards Online (April 28, 2010)

Social networking site Blippy has apologized for its recent privacy glitch that accidentally exposed members' credit card information and is promising to hire a chief security officer and invest in more security, PC Magazine reports. The company will also have regular third-party audits, invest in its systems to filter out sensitive information, control caching of information in search engines and create a security and privacy center that includes information about how Blippy is protecting its customers, the report states. Blippy has reached out to eight customers whose information might have been compromised, the report states, and will assist in resolving any issues prompted by the data breach.

SOCIAL NETWORKING—EU

EC Says Buzz in Line with Data Laws (April 27, 2010)

While members of the U.S. Congress call for an investigation into Google's Buzz social networking platform and privacy regulators from 10 nations criticize the company's methods in rolling out the product, the European Commission (EC) has deemed it to be in line with the bloc's data protection guidelines as long as users' data was not used without prior and tacit consent, Euractiv reports. An EC spokesperson said it "is up to the member states to verify whether the amended privacy settings by Google...regarding their Buzz service comply with this prior informed consent principle." The spokesperson said the EC will cooperate with national data protection authorities to ensure the rules are respected.

BEHAVIORAL TARGETING

Marketers Navigating Trust and Privacy Issues (April 27, 2010)

"Trust is the currency of effective advertising, and yet it's so curiously evasive and increasingly murky," Pete Blackshaw writes in an Advertising Age feature that suggests addressing privacy is among the key components to establishing and maintaining credibility. "At the heart of the privacy debate is apprehension that marketers will abuse personally identifiable data or the targeting opportunities of behavioral advertising," he writes. However, Blackshaw points out that many consumers volunteer personal information via social networks that would not have been shared publicly in the past, suggesting such changes require "a new dialogue and a new wave of thinking about how we nurture trust and the credibility of our conversations, platforms and models."

DATA LOSS—UK

NHS Computers Hit with Malware Infection (April 26, 2010)

A number of National Health Service (NHS) computers have been hit with data-stealing malware, NetworkWorld reports. The computers were infected by Qakbot, malicious software capable of stealing credit card information, passwords, Internet search histories and other data, the report states. However, according to the security company that discovered the breach, it does not appear patient information has been stolen. In an e-mailed statement, an NHS spokesman said, "This hasn't been raised with us as an issue within the NHS. The NHS requires its organizations to reach high standards of virus protection. We will investigate any incidents brought to our attention."

PRIVACY LAW—EU

EC to Review Data Laws (April 23, 2010)

The European Commission will undertake a series of data law reviews, officials announced this week. ZDNet reports the Data Retention Directive, Data Protection Directive, the Passenger Name Record package and SWIFT accord will be examined. The Data Retention Directive, which has caused consternation in Member States, will be scrutinized to determine whether the six-month minimum retention period "is proportionate or whether the length of time the data is held is too long," said Justice, Fundamental Rights and Citizenship spokesperson Matthew Newman. The 1995 Data Protection Directive "needs to be looked at" to determine whether it protects data adequately, Newman said.

FINANCIAL PRIVACY—U.S. & EU

MEPs Still Struggling with SWIFT (April 23, 2010)

Members of Parliament continue to be concerned about proposals that would allow U.S. authorities to view European citizens' bank transfer data for counterterrorism purposes, reports V3.co.uk. The European Commission has revived negotiations on the so-called SWIFT deal, which was rejected by Parliament in February due in part to MEPs' data privacy concerns. This week negotiator Jonathan Faull said, "We go into this determined to negotiate an agreement which provides greater protection for the personal data of Europeans." MEPs have called for clearer language about citizens' rights over their data and have questioned why the data needs to be sent "in bulk."

DATA RETENTION—GERMANY

Organisations Call for End to Telecom Data Retention (April 23, 2010)

More than 40 organisations have sent a letter asking the German Federal Minister of Justice to push for the "abolition of EU telecommunications data retention requirements," EDRI-gram reports. Current regulations require phone and Internet companies to collect data about their customers' communications, creating risks for data leaks and abuses, the letter says. "The EU-wide requirement to retain the entire population's communications data...is outdated," says a spokesman for the German Working Group on Data Retention. "The EU regulations must now be made more flexible to allow for alternative procedures that work more intelligently than an untargeted stockpiling of data."

PRIVACY LAW—ITALY

Judge Rejects Demands for ISP Customer IDs (April 23, 2010)

In a decision that has "important implications for the policing of the Internet in Italy," an Italian judge has rejected a major anti-piracy organization's suit against Telecom Italia, NetworkWorld reports. The Audiovisual Antipiracy Federation sued Telecom Italia, alleging that it failed to prevent customers from illegally downloading copyright material. The suit called on the company to identify those who have downloaded copyright material and report them to authorities. Telecom Italia refused to release customers' information, citing privacy concerns. Italy's national privacy authority backed the company in the case.

PRIVACY LAW—UK

Labour MSPs Want to Extend DNA Retention Term (April 23, 2010)

The Scottish National Party (SNP) is expected to oppose an attempt by Labour MSPs to change Scotland's DNA retention model, PublicService.co.uk reports. Labour wants to amend the Criminal Justice and Licensing (Scotland) Bill so that it mirrors regulations in England and Wales, which allow police to keep DNA data from those suspected of violent or sexual crimes for up to six years before it must be deleted. Currently, Scottish police may keep the data for three years. The Scottish Justice Committee is expected to consider the amendment this month, the report states.

ONLINE PRIVACY—GERMANY

Schaar “Appalled” that Cars Have Logged MAC Addresses (April 23, 2010)

German Data Protection Commissioner Peter Schaar is calling on Google to delete unlawfully collected personal data and to "stop the rides for Street View." Schaar made the demands after learning that Google's camera-equipped cars, which have been cruising the country in search of photographs for its Street View feature, have been scanning private WLAN networks and recording users' unique Media Access Control addresses, The Register reports. Schaar says he is "horrified" by the discovery. Google's potential ability to cross-reference the WLAN information with other data it has collected "raises additional concerns," according to the report. (Related article in German.)

RFID

Technology Will Provide RFID Privacy (April 23, 2010)

A Canadian researcher is working on technology that could help protect private information included in RFID tags, PCWorld reports. With the "always-on" RFID technology being embedded into everything from passports to credit cards, security becomes a concern, the report states. "We are building our own RFID cards and adding features to them to make it visible and noticeable when someone is accessing the information," Nicolai Marquardt, a PhD student at the University of Calgary, explained at a conference last week. Marquardt is working with Microsoft Research in the UK on the project, which he says could also make it possible for users to control when the information on the card is being accessed.

ONLINE PRIVACY

10 Nations’ Privacy Officials Issue Stern Warning (April 22, 2010)

Privacy officials from 10 nations this week issued a stern warning to Google Inc. and other Internet companies about their privacy practices, reports TVNZ. New Zealand Privacy Commissioner Marie Shroff was one of the signatories of a letter sent to Google CEO Eric Schmidt, urging him to better protect users' data and set an example "as a leader in the online world." The data protection commissioners of Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, Spain and the United Kingdom also signed the letter, which asserted that Google's rollout of its Buzz social networking service "violated the fundamental principle that individuals should be able to control the use of their personal information."

ONLINE PRIVACY

Site Shows Governments’ Requests for User Data (April 22, 2010)

Google released a tool this week that reveals the number of data requests it receives from governments, the Sydney Morning Herald reports. During the six-month period ending December 31, 2009, the Australian government requested user data from Google on 155 occasions. According to the company, the tool is part of an overall effort toward increased transparency. The governments that made the most requests for user information during the six-month period were Brazil, the United States and Great Britain, respectively. Australian Privacy Commissioner Karen Curtis told ABC News that she welcomes the list, noting that it "adds transparency of how and when people's personal information may be disclosed."

SOCIAL NETWORKING

Zuckerberg: Building a Web Where the Default is Social (April 22, 2010)

Facebook CEO Mark Zuckerberg this week offered insight into his company's plans to make the Web more social by letting users share personal preferences on external sites across the Internet, TIME reports. The company's new Open Graph suite of products, unveiled this week at its annual developers' conference, includes a "Like" button that Facebook wants every page on the Web to have. "We are building a Web where the default is social," Zuckerberg said. The chairman of Electronic Frontiers Australia told the Sydney Morning Herald that expanding the offering to so many third-party sites will clearly bring privacy concerns.

PERSONAL PRIVACY

Forget Big Brother: We’re Recording Ourselves (April 22, 2010)

Is it possible to overexamine your life? That's one of the questions Jonathan Liu asks in his Wired report on the phenomenon of recording our online--and offline--lives. From social networking entries to blogs to data applications, "there's a lot of data that's constantly being collected and recorded automatically," Liu writes, adding it is getting "progressively easier and cheaper to do." Currently, he notes, there are ways to record your daily life through video glasses or miniature camcorders small enough to be worn everywhere you go. "Who needs Big Brother when we do all the surveillance ourselves?" he asks.

PRIVACY

Peter Hustinx Receives 2010 Privacy Leadership Award (April 21, 2010)

European Data Protection Supervisor Peter J. Hustinx has received the International Association of Privacy Professionals' 2010 Privacy Leadership Award for his commitment to ensuring individual privacy rights are respected. In a video acceptance speech Hustinx said, "I feel very honored and proud to have received this prestigious award from the International Association of Privacy Professionals." The award recognizes ongoing commitment to furthering privacy policy, promoting recognition of privacy issues and advancing the growth and visibility of the privacy profession. Hustinx has been involved in shaping national and international privacy law for nearly 40 years. He has served as European Data Protection Supervisor since January 2004.


ONLINE PRIVACY

Generational Differences Rooted in Awareness Levels (April 21, 2010)

The Wall Street Journal reports on research findings that suggest young people care about privacy to about the same degree as older adults but are less informed about the rules of the road. "In most cases young people think very much the same as older people when it comes to online privacy," said the co-author of one of the studies, Harvard Law School Professor John Palfrey. But University of California Berkeley and University of Pennsylvania researchers found that while the desire for privacy is similar, kids and teens believe that rules surrounding the privacy of their data are more stringent than they actually are, the report states.


PRIVACY LAW—IRELAND

High Court Says “Three Strikes” Doesn’t Violate Law (April 20, 2010)

Ireland's High Court has ruled that a settlement reached between the Internet service provider Eircom and four major record labels does not breach data protection laws, reports OUT-LAW.COM. Under the settlement, Eircom agreed to disconnect Internet users suspected of copyright infringement if, after two written warnings, the suspected infringements endured. Data Protection Commissioner Billy Hawkes had raised questions about whether the monitoring of users' activities and use of users' Internet protocol (IP) addresses broke privacy laws. The High Court determined the deal does not violate data protection laws because the information processed in such instances does not count as "personal data."


ONLINE PRIVACY

Site Grades Privacy of Internet Apps (April 20, 2010)

A Stanford University project has ushered in a Web forum where Internet users can review and compare the privacy and security of Internet and mobile applications, the San Francisco Chronicle reports. The WhatApp.org site, released in beta last month, grades applications based on reviewers' answers to questions about data collection and openness, for example. One news outlet described it as a mix of Consumer Reports, Yelp and Wikipedia, but with a privacy and security focus. Its creators hope the site will bring more attention to the issues. "We've been saying this for a while," said McAfee Labs director David Marcus. "If developers use security and privacy correctly, they can be used as a competitive advantage."


PRIVACY LAW—EU

Hustinx: Waste Directive Needs Data Protection Provisions (April 19, 2010)

European Data Protection Supervisor Peter Hustinx says European Union law should force digital equipment makers to include free and easy data-wiping capabilities within their products, reports OUT-LAW.COM. In an opinion published last week on planned changes to the Waste Electrical and Electronic Equipment (WEEE) Directive, Hustinx said there should also be a ban on the sale of used devices that have not been wiped of their data. Hustinx also recommended that makers of digital equipment build privacy and data protection into their products. "Respect for security measures and a 'privacy by design' approach should be seen as essential pre-conditions in order to effectively guarantee the right to the protection of personal data," he said.


DATA LOSS—UK

Police Security Breach Prompts Investigation (April 19, 2010)

A Gwent Police data management employee is facing a gross misconduct investigation and possible dismissal after accidentally sending the results of more than 10,000 Criminal Records Bureau checks to a newspaper. The Register reports it received a file containing the full names and dates of birth of 10,006 people with the results of background checks dating back as far as 2001. The newspaper has deleted the file, which was not encrypted or password protected, and is assuring those affected that it will not publish their personal information. Investigators have indicated human error was to blame as the e-mail's author used the "auto complete" function for addresses and accidentally included the journalist's contact information with that of police officials, the report states.


PRIVACY LAW—IRELAND

Call for Data Breach Notification Law (April 16, 2010)

On the heels of the Data Protection Commissioner's annual report, which revealed a 50 percent increase in the number of data breaches, an Irish Times article says it is time for Ireland to legislate mandatory data breach disclosure. Without a notification law, "citizens cannot even take the most basic steps to protect themselves from becoming a victim of identity theft," writes Karlin Lillington. "We cannot sit about and wait for years for the subject to come back onto Europe's agenda." Lillington notes that although the government is working on legislation to allow for the retention of "huge amounts of sensitive data...little has been done to protect such data--as the Data Protection Commissioner's report makes all too clear."

PRIVACY LAW—GERMANY

German Ministry Clarifying Employee Data Protection (April 16, 2010)

The German Federal Ministry of the Interior is nearing completion of a draft law providing clarification for employee data protection, the Hunton & Williams Privacy & Information Security Law Blog reports. The law "aims to ensure legal certainty and to close existing gaps in the current law," the report states, and addresses key issues such as data collection in the recruitment process, health checks, video surveillance, use of telecommunications and biometrics, to name a few. The draft for a new chapter on employee data is now in its final phases, the report states, and will be submitted to the German Parliament before its summer break.

DATA PROTECTION—FRANCE

CNIL to Launch Online Claim Form (April 16, 2010)

The Commission Nationale de l'Informatique et des Libertés (CNIL) is working on a virtual platform for accepting complaints, reports 01net. Beginning next month, the public will be able to lodge certain claims on the site, such as those concerning direct marketing. After an initial pilot phase, CNIL is expected to expand the online complaint form to allow for the filing of other common grievances. (Story in French)

DATA PROTECTION—EU

E-Waste Can Be Treasure Trove for Criminals (April 16, 2010)

The wealth of sensitive personal data that often remains on old computers and mobile phones has prompted European Data Protection Supervisor Peter Hustinx to raise concerns about the European Commission's proposal to recast its old directive for waste electrical and electronic equipment, the EUobserver reports. With the focus "solely on the environmental risks related to the disposal of e-waste," Hustinx said, the proposal "does not take into account other additional risks to individuals or organisations that may arise from the operations of disposal, reuse or recycling of e-waste, in particular those related to the likelihood of improper acquisition, disclosure or dissemination of personal data." Hustinx said appropriate security measures must be adopted at every stage of the processing of personal data.

DATA LOSS—FRANCE

Average Cost of Managing Data Loss: Almost €2 Million (April 16, 2010)

A study of 17 French companies and organisations shows that the costs incurred after experiencing a data breach can range from €400,000 to €6.4 million, with the average price tag coming in around €1.9 million. The "2009 Annual Study: French Cost of a Data Breach," conducted by the Ponemon Institute and PGP Corporation and released Thursday, found that each lost customer record cost an average of €89. "Should the new data breach notification bill that has just been passed by the French Senate be adopted by the National Assembly, the costs associated with handling incidents will surely increase," noted Larry Ponemon of the Ponemon Institute.

FINANCIAL PRIVACY—EU & U.S.

EU-U.S. to Resume Bank Data-Sharing Talks (April 15, 2010)

European Union interior ministers are expected to meet on April 22 to discuss and endorse the start of new negotiations between the European Commission and the U.S. on sharing bank transfer data that the U.S. contends is essential to the fight against terrorism. The European Voice reports the EU is considering new arrangements to replace those thrown out by the European Parliament in February due to data privacy concerns. According to the draft mandate, transfer requests from the U.S. will have to be approved by a designated judicial authority in the EU to ensure that EU citizens have the same administrative and judicial redress as U.S. citizens against any misuse of their data, the report states.

TRAVELERS’ PRIVACY—EU

Report: Assess Privacy Risks before Deploying Passenger RFID Tags (April 15, 2010)

An EU cybersecurity agency has developed recommendations ahead of the implementation of RFID technology in air travel, The Register reports. The European Network and Information Security Agency (ENISA) report focuses on RFID luggage tags and biometric chips in electronic passports. The technologies are expected to streamline the air travel experience for both passengers and airport staff. But the report recommends further research in the areas of data protection and privacy, citing possible privacy and security risks, among others. ENISA also advises European Commission policymakers to mandate security and privacy impact assessments before the new technologies are deployed, the report states.

ONLINE PRIVACY

Privacy Changes Will Keep Flash Cookies Off Computers (April 14, 2010)

Adobe Flash Player 10.1 will honor each user's browser privacy setting, which means Flash cookies will no longer be "dropped on computers to track Web activity," NetworkWorld reports. Adobe officials noted in a statement that the enhancements will help users better control their personal information "so that when someone activates private browsing in their browser, it is also activated in Flash Player--meaning there is no local storage of information from that Flash Player session." The changes, which are intended to improve user privacy, could mean difficulties for online merchants and banks that use Flash cookies to identify returning customers, the report states.

SOCIAL NETWORKING—GERMANY

Aigner Writes, Facebook Writes Back (April 14, 2010)

TIME reports on the open letter Germany's consumer protection minister sent to Facebook CEO Mark Zuckerberg last week in which she expressed dismay over the company's plans to begin sharing users' personal details with certain third-party Web sites. "Private information must remain private," wrote Ilse Aigner. The letter added to concerns already voiced by German data protection officials. In response to Aigner's letter, the company stated that the proposed changes do "not relate to the wholesale sharing of user data for commercial purposes as the minister fears." Aigner also established a Facebook group for discussing data protection.

PRIVACY LAW—IRELAND

Doctor: Data Protection Legislation Needs Review (April 14, 2010)

The Irish Medical Office (IMO) is calling for a review of current data protection legislation and its impact on effective patient care, Irish Medical News reports. At the IMO's Annual General Meeting last week, Dr. Matt Sadlier proposed there be standard guidelines--renewed periodically to keep pace with technology--and encryption requirements for laptops storing healthcare data. "If you are traveling with medical notes in your car, 'here is how you hold them safely i.e., do you have them in a locked briefcase in a locked car' like you would with a drug," he said. Sadlier also proposed amending legislation to ensure doctors' home addresses are no longer published on the Medical Council Web site.

PRIVACY LAW—ITALY

Milan Court Files Reasoning behind Google Convictions (April 13, 2010)

Yesterday, the Milan Court filed the judicial reasoning behind the February conviction of three Google executives for violating the Italian privacy code, the New York Times reports. In the 111-page document, Judge Oscar Magi said the employees were convicted and sentenced based on Italian law that prohibits the use of someone's personal information with the intent of making a profit. "In simple terms," Magi wrote, "it is not the writing on the wall that constitutes a crime for the owner of the wall, but its commercial exploitation can." Italian lawyer Rocco Panetta told the Daily Dashboard the reasoning confirms "Google had no obligation to filter and/or prior remove the eventual illegal content," nor was this "a case around freedom of speech." Rather, "it was a matter of compliance with laws and regulations dealing with personal data processing currently in force," Panetta said. (Registration may be required to access this story.)

GEO PRIVACY

Apple “Taking Privacy Further” (April 12, 2010)

Apple introduced its iAd mobile advertising platform last week and previewed the next version of the iPhone operating system, which will include features to help users control their geo privacy, reports the New York Times. "We're taking privacy several steps further," with iPhone OS 4, Apple's senior vice president of iPhone software said at a preview event on Thursday. Among them, OS 4 will include a status bar arrow that indicates when a user's location is being tracked as well as other "fine-grained settings" to improve users' awareness and control. Jules Polonetsky, CIPP, of the Future of Privacy Forum, said the move shows "how treating data use as a feature is a better way to communicate to users than legal policies" about privacy. (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU & U.S.

Holder Says “Extensive Privacy Safeguards” in Place (April 9, 2010)

Speaking at a news conference in Madrid yesterday, U.S. Attorney General Eric Holder acknowledged European concerns about an accord that would enable the sharing of EU citizens' bank transaction data with U.S. officials for counterterrorism efforts, the New York Times reports. "We recognize that there have been questions raised in Europe, and one of our goals is to highlight the extensive privacy safeguards that have been put in place," Mr. Holder said. American and European justice and interior ministers are meeting today to discuss financial data sharing and other matters. The European Commission recently announced intentions to create its own terror financing tracking system. A senior U.S. Treasury official said yesterday that Washington is committed to working with it "under the basis of reciprocity," but stopped short of saying whether the U.S. would grant the EC access to American citizens' banking data, an arrangement EC officials will push for in today's meeting.

PERSONAL PRIVACY—UK

Report: British Public Cares About Privacy (April 9, 2010)

A new report shows that when it comes to the protection, use and management of information, transparency is a critical requirement for enhancing the public's trust in how businesses and organisations use personal data. The Hunton & Williams Privacy & Information Security Law Blog reports that the study, published by UK-based think tank Demos, asked 40 members of the British public from a range of socioeconomic backgrounds to discuss their views on how their personal information is used. UK Information Commissioner Christopher Graham notes that the study paints "a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy."

SOCIAL NETWORKING—FRANCE

Rumours About Leaders’ Private Lives Spark Judicial Inquiry (April 9, 2010)

Social networking site postings and online blogs focused on the personal lives of President Nicolas Sarkozy and his wife, Carla Bruni, are testing the limits of privacy, The Economist reports. Denouncing the stories as "totally unfounded," Sarkozy's attorney has said a judicial inquiry is looking into the origins of the rumours, the report states. Noting that France's strict privacy laws allow public figures to sue even when stories are true, the report points out that many media organisations have adopted the practice of "publish first and pay the penalty later." Social networking users, meanwhile, who are not required to provide proof or check for accuracy, "make enforcement of the privacy laws harder."

PRIVACY LAW—UK

New £500,000 Breach Fines Effective (April 9, 2010)

The Information Commissioner's new fining powers--up to £500,000 for serious breaches--became effective this week, but a survey shows that many are unaware of the change, reports The Register. Parliament approved the new powers three months ago in order to deter negligent breaches, but a Cyber-Ark study has found that 65 percent of workers are in the dark on the new fines. According to a Computing report, the Information Commissioner's Office will reserve the higher penalties for serious breaches, such as those on the scale of last year's T-Mobile incident.

GEO PRIVACY—UK

Is Privacy the Loser in Location Games? (April 9, 2010)

While fans of location-based social networking games and geotagging might enjoy the activities, others are raising concerns about what such technologies mean for the future of privacy. While people "check in" through their social networking sites to broadcast their locations, visit geotagged sites and play location-based games like Foursquare and Gowalla, some social media experts are suggesting there might be something Orwellian in all this. The Guardian reports that "as these tools become more mainstream, users must be aware, for example, of the risks of burglary, when they broadcast their location away from home." Once it is clear how to address privacy concerns with such games and services, the report states, "then the fun can begin."  

PERSONAL PRIVACY—HUNGARY

Political Party Accused of Compiling “Secret Database” (April 9, 2010)

Data privacy ombudsman András Jóri will launch an inquiry into alleged illegal data gathering techniques employed by political parties in the run-up to a mayoral by-election last year, reports Politics.hu. Fidesz Director Gábor Kubatov admitted that his party collected personal information on more than 50,000 voters. Socialist Party officials are urging Fidesz officials to turn over the "secret database" to the investigating authorities, including the police and National Election Commission.

SURVEILLANCE—UK

Group Considers Bringing ANPR Before High Court (April 9, 2010)

A civil rights group may be bringing the police to court on allegations that taking photographs of motorists and linking them through automatic numberplate recognition (ANPR) technology violates privacy rights. The Times reports that Liberty is considering asking the High Court to review the use of the nationwide network of cameras to take up to 14 million photographs of motorists each day. Stored data include car registrations as well as photographs of drivers and passengers, the report states. "It's bad enough that images and movements of millions of innocent motorists are being stored for years on end," said Liberty Director Shami Chakrabarti. "That the police are doing this with no legislative basis shows a contempt for parliament, personal privacy and the law."

DATA PROTECTION—IRELAND

Report: Tighter Control of Data Needed (April 8, 2010)

Data Protection Commissioner Billy Hawkes released his annual report for 2009 today. The commission investigated 914 complaints last year, slightly fewer than in the two previous years, the Belfast Telegraph reports. The commission issued several calls for increased data protection in 2009. Among them, it ordered the Health Service Executive (HSE) to increase controls around patient data. "The HSE holds the most sensitive detail about people--patient data," Hawkes said. "It's very important that is minded carefully so that we can all trust the health service when we use it."

SURVEILLANCE—UK

Film Explores Escaping the “Surveillance State” (April 8, 2010)

The advocacy group Privacy International has ranked the UK just behind such nations as Russia and China in terms of its use of surveillance, TIME reports. In an interview with filmmaker David Bond, the magazine explores Bond's experiment spending a month escaping detection, which was prompted by the government's loss of his newborn daughter's personal information in 2007. Bond's experiences resulted in the creation of a documentary entitled "Erasing David." Going "off the grid," Bond says he learned that, "We're normalized to living an utterly exposed life. But there's value in privacy--it's a tremendously uplifting and strengthening feeling, to feel like you can withdraw. Not because you've got anything to hide, just because you want to."

GENETIC PRIVACY—UK

DNA Bill Moving Forward (April 8, 2010)

The government's crime and security bill, which includes provisions allowing police to retain DNA profiles of anyone charged with a crime for up to six years, is moving forward, The Guardian reports. However, opponents have pledged to bring in early legislation to ensure the DNA profiles of innocent people arrested for minor offences would not be retained on the national database, the report states. The DNA register has been criticized on the basis of privacy concerns, and the government is now required to limit the time that DNA samples are stored following a European Court of Human Rights ruling that indefinite retention was illegal.

BEHAVIORAL TARGETING

Criteo Says Privacy Advantage Coming to U.S. Market (April 8, 2010)

The CEO of a Paris-based retargeting company says its experience in Europe has given it a privacy advantage that it will now introduce to the U.S. market. Criteo has moved its headquarters to Palo Alto, California, according to a MediaPost News report. JB Rudelle, chief executive of Criteo, says, "We have been working in countries like Germany, which is probably the most demanding country in the world when it comes to privacy. We put a direct opt-out link on all retargeting display banners in Europe and hope to bring this feature into the U.S. market."

ONLINE PRIVACY

Companies Leverage Privacy as Competitive Advantage (April 8, 2010)

The Register explores how companies are using privacy practices as a competitive advantage. Namely, the report outlines how recent Microsoft communications seem to be leveraging privacy to differentiate the company from its competitors. The Register cites a recent company pledge to refrain from indexing Hotmail users' information for the purpose of serving targeted advertisements.

ONLINE PRIVACY

Professional Reference Hub in Beta (April 6, 2010)

A new Web site designed to help employers find out more about job candidates has some concerned about its potential for damaging professional reputations, reports San Diego Entertainer. Currently in beta and only accessible through Facebook, the Unvarnished site lets individuals create profiles of themselves or someone else. Other users can then build upon the profiles anonymously, adding feedback on professional performance. Once created, the profiles cannot be removed, the report states. Critics say the site could damage the professional patinas of "unsuspecting individuals."  

DATA PROTECTION

UN Privacy Treaty Possible (April 5, 2010)

New Zealand Privacy Commissioner Marie Shroff says that huge increases in international data flows necessitate global privacy standards and enforcement, reports Stuff.co.nz. "We have to look at whether and how we can regulate to provide certainty for businesses and protections for individual citizens," Shroff says. A United Nations treaty might be a way to get there, according to the report. Such a treaty could address issues including search engine data collection, call centre outsourcing and payment card privacy. Shroff says she hopes it would apply to government uses of information as well, since "One of the drivers of international data flows is counterterrorism."

SOCIAL NETWORKING—GERMANY

German Minister Pens Open Letter to Facebook (April 5, 2010)

In an open letter, German Consumer Protection Minister Ilse Aigner has urged Facebook CEO Mark Zuckerberg to revise the company's privacy policy "without delay," reports the Washington Post. Referring to more planned changes to the site's privacy settings, Aigner wrote, "I was astonished to discover that, despite the concerns of users and severe criticism from consumer activists, Facebook would like to relax data protection regulations on the network even further." According to the report, Aigner stressed that the company should not allow users' personal data to be shared with third parties for commercial purposes without users' consent. "Private information must remain private," Aigner wrote. (Registration may be required to access this story.)

SOCIAL NETWORKING

Digital Suicide: Saying Goodbye to Online Life (April 5, 2010)

There's a new movement afoot among some social networking users to take back privacy by ending their online lives. The Globe and Mail reports on recent instances where users have decided to become "digital dropouts." Reasons behind the decision to say goodbye have ranged from concerns about online friends tracking users into their offline lives to social networking interactions becoming "someone else's entertainment." While two of the most recent online suicide sites, Web 2.0 Suicide Machine and Seppukoo, are now defunct, experts agree many issues come into play when making the decision of whether to delete or not to delete online information.

PRIVACY—EU

PRESCIENT Project Will Examine Emerging Technologies (April 2, 2010)

A three-year project funded by the European Commission will explore the privacy implications of emerging technologies ranging from identification and surveillance to biometrics and on-the-spot DNA sequencing, Security Management Today reports. PRESCIENT, which stands for Privacy and Emerging Sciences and Technologies, aims to establish a new framework for privacy and ethical considerations arising from emerging technologies. According to PRESCIENT's Web site, the project "will identify and analyse ethical issues posed by new technologies and discuss them with interested stakeholders and, in due course, provide scientifically based recommendations to policymakers on how to address privacy issues..." Michael Friedewald, the project's coordinator, says it is essential "to reconceptualise privacy in ethical, social, cultural and other dimensions, and to examine both how these different conceptualisations impact upon each other and how they can be bridged."

TRAVELERS’ PRIVACY—EU & U.S.

MEP: Air Passenger Data Must Be Protected (April 2, 2010)

Irish MEP Gay Mitchell is urging EU justice commissioner Viviane Reding to balance anti-terrorism security measures with the need to protect personal freedom, The Post reports. Under a 2007 deal, passenger name records (PNRs) are provided to U.S. authorities for every air traveler entering the country. The European Parliament must now ratify the deal, the report states, based on provisions of the Lisbon Treaty. "There has to be cooperation between the EU and the U.S. in combating terrorism and organised crime, and I have no difficulty with providing air passenger details in principle," Mitchell said. "However, I have concerns about the protection of privacy and the rights of law-abiding people."

DATA THEFT—UK

Two Thefts Expose Data of 9,000-Plus Students (April 2, 2010)

London's Barnet Council has apologised to the parents of 9,000 schoolchildren after a laptop, CD, and USB sticks containing the students' personal information were stolen. The devices, which stored student names, post codes and phone numbers, among other data, were stolen during a burglary at a staff member's home. The employee has since been suspended for breaking council rules by saving the data onto memory sticks, and the council says it has disabled external storage devices to prevent unauthorised copies of data, The Register reports. In a separate incident, the Information Commissioner's Office (ICO) has found the Warwickshire County Council in violation of the Data Protection Act following the theft of two laptops and a data stick that contained student and staff information.

DATA THEFT—UK

ICO Finds Councils in Breach of Data Protection Act (April 2, 2010)

The Information Commissioner's Office (ICO) has found the St. Albans City and District Council in breach of the Data Protection Act following the theft of a laptop that contained unencrypted personal information in the form of voters' records. "When organisations store large volumes of personal details on portable computers, encryption is essential," said Sally-anne Poole of the ICO, adding that employees and contractors must be "trained to handle personal information securely to avoid the risk of information falling into the wrong hands." In a case involving the Highland Council, the ICO determined the council violated the DPA after personal data relating to several members of one family was accidentally disclosed to an unrelated individual.

PERSONAL PRIVACY—UK

Telecoms Fines Jump from £50,000 to £2 Million (April 2, 2010)

The government has increased the upper limit of fines to £2 million in a bid to deter companies from the misuse of phone networks, OUT-LAW.com reports. Telecoms regulator Ofcom will now have the power to issue fines of £2 million, up from the current level of £50,000, in an effort to provide "greater ability to deter and punish companies that ignore the guidelines in this area," a government statement explains. "Companies who make nuisance calls by abusing automated equipment should face the consequences, which is why those who break the rules will be fined with a hefty penalty of up to £2m," said Kevin Brennan, consumer affairs minister.

EMPLOYEE PRIVACY—GERMANY

Court Receives Wage Verification System Complaint (April 1, 2010)

Lawyers for the civil rights group FoeBud have filed a formal complaint with Germany's Constitutional Court to stop the storage of employment data, contending the Electronic Wage Verification System (ELENA) violates privacy laws. Deutsche-Welle reports that more than 22,000 Germans have joined the legal initiative to stop the use of ELENA to store employee data including wages, absenteeism and reasons for dismissals and disciplinary action. Privacy advocates believe the ELENA system could allow for the manipulation of personal data. "The system could become the target of computer hackers," said Rena Tangens of FoeBud, adding that the government could amend "the ELENA law, allowing intelligence services access to the system."

ONLINE PRIVACY—GERMANY

Street View Foes Vandalize Vehicle (April 1, 2010)

Foes of a Google mapping feature vandalized a car used to photograph German cities and towns this week, The Local reports. On Tuesday, the camera-clad vehicle of a Street View photographer was found with deflated tires and slashed camera cables, the report states. Street View offers Internet users panoramic views of cities and towns in a growing list of nations across the world. The feature has come under scrutiny in Germany, where data protection authorities have expressed privacy concerns.