European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY—SWITZERLAND

Thür Outlines Privacy Needs (June 30, 2010)

At his yearly news conference, Hanspeter Thür, the Swiss data protection commissioner, warned that people need to be aware that their data is a currency traded for online services. "The business system is always the same. Companies provide clients with a new and interesting online service. And clients pay by giving their personal data," said Thür. Swissinfo.ch reports the commissioner's office is backing legal amendments to require that service providers offer better privacy protection as the default. "Opt in rather than opt out should apply," said Thür. He also pointed out the need to increase privacy awareness in teens given the risks involved with social networking and the need to increase international cooperation.

SOCIAL NETWORKING

Getting Divorced? Watch What You Post Online (June 29, 2010)

All those details social network users share online can add up to an abundance of evidence in divorce cases, the Associated Press reports. According to the American Academy of Matrimonial Lawyers, 81 percent of its members have used or faced evidence found on Facebook, MySpace, Twitter and other social networking sites in the past five years alone. "You're finding information that you just never get in the normal discovery process--ever," said one divorce attorney. "People are just blabbing things all over Facebook. People don't yet quite connect what they're saying in their divorce cases is completely different from what they're saying on Facebook. It doesn't even occur to them that they'd be found out."

ONLINE PRIVACY—EU

Regulators Push Google To Deliver WiFi Data (June 29, 2010)

After preliminary inspections of information gathered through unsecured wireless networks, privacy regulators in France, Germany and Spain are reiterating their requests that Google give them the original data collected in their countries, The New York Times reports. Google is keeping the data on hard drives at its U.S. headquarters and has offered the regulators remote access to review the information by computer, the report states, but regulators are saying that is not enough. As Agencia Española de Protección de Datos Director Artemi Rallo put it, "for a matter this important, we really need to see all of the data, including the original hard drive." The data protection agencies have said their investigations remain open with civil and criminal penalties possible. (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU & U.S.

MEPs To Vote on SWIFT Agreement Next Week (June 29, 2010)

The five-year agreement signed by the European Council to allow the EU to share banking data with the U.S. could be approved by the European Parliament as early as next week, The Washington Post reports. The agreement was signed following the addition of stronger privacy guarantees requested by MEPs. "Currently, U.S. authorities submit a request for a needle, and we send them the whole haystack," said Sophie in 't Veld. "In the future...we will find the needle and send it to the U.S. authorities." The European Parliament is expected to approve the plan when it votes next week, the report states, with the data-sharing deal to go into effect on August 1. (Registration may be required to access this story.)

PRIVACY LAW—GERMANY

Regulators Propose Extending Law To Online Images (June 29, 2010)

German privacy regulators met Friday to discuss extending privacy laws to give citizens control over the use of their images and those of their homes in online street-mapping services, IT World reports. The proposal demonstrates "the urgent need for a comprehensive modernization of data protection," said Hamburg Data Protection Commissioner Johannes Caspar. The draft law, which was submitted to parliament in April, would amend the Data Protection Act to make it illegal to publish databases of street images linked to their geographic coordinates without blurring faces and license plates. If adopted, the law would include other provisions as well, including making it illegal to store raw data for more than one month after initial publication.

BEHAVIORAL TARGETING—EU

Browser Settings Don’t Imply “Cookie Consent” (June 28, 2010)

Web sites cannot comply with the new EU law governing Internet cookies by relying on users' browser settings, according to the Article 29 Working Party's interpretation of the revised Privacy and Electronic Communications Directive. OUT-LAW.COM reports that while online companies have claimed that advertising behavior will not need to change, experts believe Web sites will have to receive visitors' permission before using cookies. According to the Working Party's interpretation, "Informed consent can only be obtained if prior information about the sending and purposes of the cookie has been given to the user." Prior consent can, however, be given to advertising networks covering thousands of Web sites and need not be given to every individual site, the report states.

PRIVACY LAW—EU & UK

Commission Gives UK Two Months To Ramp Up ICO Powers (June 28, 2010)

The European Commission has notified the UK government that it has two months to increase the powers of the Information Commissioner's Office (ICO) before the commission will pursue legal action through the European Court of Justice, reports OUT-LAW.com. To comply with the Data Protection Directive, the commission says the ICO must have the power to conduct random checks on organizations and, where appropriate, take action. The commission has also stated the UK must change its law on people's rights to have their information deleted by organizations, the report states, and the ICO must be given the ability to assess the data protection laws of other countries before transferring information.

ONLINE PRIVACY—GERMANY

Justice Minister Questions Data Collection Practices (June 28, 2010)

German Justice Minister Sabine Leutheusser-Schnarrenberger has told Apple that it must immediately release information on what personal data it's collecting through GPS-enabled iPads and iPhones, how long the data is stored and how it's being used, reports Der Spiegel (article in German). Germany's personal data laws are very specific on collection, retention and consumer notification, reports PadGadget. Users must be aware of the company's practices, Leutheusser-Schnarrenberger said, adding that it would be "unthinkable" if Apple was tracking identifiable profile and location data. Meanwhile, Apple CEO Steve Jobs outlined the company's position on privacy at a recent conference, saying, "Ask them. Ask them every time. Make them tell you to stop asking if they get tired of your asking them. Let them know precisely what you're going to do with their data."

PRIVACY LAW—EU

Reding To Launch Consultation on Data Laws (June 25, 2010)

European Commissioner for Justice and Fundamental Rights Viviane Reding plans to launch a public consultation on whether to introduce a European contract law on the use of personal data, Research Magazine reports. In a speech at the American Chamber of Commerce, Reding outlined a three-point plan to ensure the safety of data protection and privacy among all EU countries, though she noted industry self-regulation should remain at the core of any new legislation. "I am very much aware that this sector needs clarity, not red tape," Reding said. "I am considering this approach as a way to have codes of conduct" and "the incorporation of 'privacy by design' principles."

PRIVACY LAW—EU & UK

Commission Wants UK ICO Powers In Line with Directive (June 25, 2010)

The European Commission has released its reasoned opinion in its request that the UK strengthen the power of the data protection authority in order to comply with the Data Protection Directive, according to a press release. The UK Information Commissioner's Office currently cannot monitor the adequacy of third countries' data protection, perform random checks on data processors or impose penalties, among other restrictions the commission wants changed. "Data protection authorities have the crucial and delicate task of protecting the fundamental right to privacy," said Viviane Reding, commissioner for justice, fundamental rights and citizenship. "Having a watchdog with insufficient powers is like keeping your guard dog tied up in the basement."

DATA PROTECTION—CZECH REPUBLIC

Nemec Re-elected to Data Protection Office (June 25, 2010)

In a secret ballot Wednesday, the Czech Senate re-elected Igor Nemec head of the Personal Data Protection Office, Prague Daily Monitor reports. Nemec, whose five-year term will begin September 1, said the number of complaints increases by one-third each year. He said a change is required in the way complaints are processed, which would subsequently mean a change in data protection law. The personal data protection office was established 10 years ago and has the authority to check public offices and private firms and can impose fines for violations as well as order the deletion of data.

DATA PROTECTION—FRANCE

French Data Protection Authority Releases Annual Report (June 25, 2010)

Last year, the French data protection authority received more than 4,265 complaints and nearly 70,000 data processing registrations. That's according to the CNIL's annual report 2010, published last week. The Annual Activity Report outlines some of the authority's priorities for the upcoming year and covers topics such as the effectiveness of Binding Corporate Rules, international and intercontinental data transfers and outsourcing data to the cloud. The CNIL plans to conduct hearings in 2010 to consider modifying its 2005 authorization process for whistleblowing procedures and plans to conduct at least 300 inspections over the course of 2010, reports the Hunton & Williams Privacy and Information Security Law Blog.

SOCIAL NETWORKING

Facebook Creating Location-Based Service (June 24, 2010)

The world's largest social networking site is "pretty close" to providing location-based services, CEO Mark Zuckerberg said Wednesday at an event in Cannes, France. The service would allow marketers to deliver personalized ads to Facebook users based on their locations, Bloomberg reports. Attendees at last week's Computers, Freedom and Privacy conference, meanwhile, have released a 14-point Social Networking Users' Bill of Rights focused on privacy enhancements and user control. For his part, Zuckerberg spoke of recent privacy complaints against the site at the Cannes event, noting, "With almost a half-billion users, we're making a transition. Our challenge is to make a safe, secure environment for users to share."

DATA PROTECTION—EU

Reding: Data Laws Should Put Individuals First (June 23, 2010)

Europe needs to put individuals at the heart of its data protection laws to ensure the safety of personal data, according to Viviane Reding, European Commissioner for Justice and Fundamental Rights. In a speech at an American Chamber of Commerce to the European Union event Tuesday, Reding said, "We need to find new ways to empower Web surfers. Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will." Reding added the EU needs to have unified consumer rights, despite the interference of national contract laws. She plans to launch a public consultation on various long-term possibilities this summer, The Wall Street Journal reports. (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

EDPS Lists Concerns about New SWIFT Draft (June 23, 2010)

European Data Protection Supervisor Peter Hustinx has issued his opinion on the European Commission's draft agreement to allow U.S. authorities access to European financial data for anti-terrorism investigations, and while he cites improvements over an interim agreement rejected by the European Parliament, Hustinx is raising concerns. Eurasia Review reports on Hustinx's announcement Tuesday that while the fight against terrorism "may require restrictions to the right to the protection of personal data," such provisions as the transfer of banking data in bulk to the U.S., data retention periods, enforceability of data protection rights and independent supervision need improvement "in order to meet the conditions of the EU legal framework for data protection."

GEO PRIVACY

Apple Updates Location-Based Services Policy (June 22, 2010)

Apple has updated its privacy policy to make sure users know that when they use location-based services, they will be sharing their location information with that service provider. CNET News reports that the update, which was released on Monday, specifies that in order to provide location-based services, "Apple and our partners and licensees may collect, use and share precise location data, including the real-time geographic location of your Apple computer or device." The policy points out that the information is collected anonymously "to provide and improve location-based products and services." The announcement comes on the heels of comments by Apple CEO Steve Jobs at this month's All Things Digital conference, where he said customers should always be asked whether they want to share their information.

DATA LOSS—UK

Police Breached Data Protection Act (June 21, 2010)

The Information Commissioner's Office has found Kent Police in breach of the Data Protection Act after personal data was stolen from the back of an officer's car, The Register reports. The data was stored in an unsecure briefcase in transit to the officer's home. Adrian Leppard, temporary chief constable of Kent Police, has signed an undertaking to improve policies, the report states. Kent Police staff transporting confidential data outside of the station will now use secure briefcases and storage facilities at home. Staff will also be trained in new procedures.

ONLINE PRIVACY

WiFi Data Fallout Continues (June 21, 2010)

French data protection agency CNIL is deciding whether to prosecute Google after finding e-mail passwords and other sensitive data among the information collected from unsecured wireless networks. CNIL Chairman Alex Turk has said an early review of information collected in France showed the presence of "data that are normally covered by...banking and medical privacy rules," BBC News reports, and Turk hopes to decide by September what further action to take as CNIL has the power to issue warnings, levy fines or forward the case to prosecutors. Australia's privacy commissioner is also continuing to hold discussions with prosecutors and police and, in the U.S., Congress is being urged to consider basic principles to meet privacy expectations. Google has said it is continuing to work with authorities across the globe.

PRIVACY LAW—EU & U.S.

European Parliament May Reject New Banking Data Deal (June 18, 2010)

MEPs who rejected the SWIFT deal back in February are voicing resistance to the new EU-U.S. bank data transfer agreement negotiated by the European Commission, EUobserver reports. "We regret that the European Commission seems to have already closed the negotiations on a draft agreement that is far from being approvable," said MEP Martin Schulz. The primary focus of concern is with the transfer of bulk data, the report states, as MEPs want information filtered in the EU before it is sent to the U.S. for processing. MEP Jan Philipp Albrecht said the plan would allow "bulk data about completely unsuspicious persons" to be sent to the U.S., violating the EU Charter of Fundamental Rights.

DATA PROTECTION—EU & U.S.

MEPs Want Passenger Data Protected (June 18, 2010)

In a resolution passed Thursday, members of parliament called for better protection of air passengers' personal data, according to a European Parliament press release. Parliament "emphasizes that the privacy of European and U.S. citizens should be respected when personal passenger data are exchanged," MEPs said, adding they "believe that all transfers of personal data from the EU and its Member States for security purposes should be based on international agreements, with the necessary safeguards, and comply with data protection legislation at national and EU levels." MEPs also noted an urgency to arrive "at worldwide standards on data protection and privacy."

DATA PROTECTION—EU

MEPs Call for Smart Grid Progress and Safety (June 18, 2010)

In a resolution at a recent plenary session, the European Parliament gave its backing to the development of the "Internet of things." Drafted by Maria Badia I Cutchet, the resolution was adopted by a majority. However, MEPs are calling for a proper assessment of any consequences for health, privacy and personal data protection, reports Euroalert.net. Given the real-time information made available by the Internet of things on multiple applications including tyre pressure, public transport and waste collection, MEPs said they would like to see principles and rules on Internet governance. Additionally, parliament believes that the European consumer should have the right to choose a product that is not connected to the Internet of things, the report states.

DATA PROTECTION—UK

Investigations Reveal Call Centre Dangers (June 18, 2010)

Corporate investigators are hard at work detecting the data loss dangers companies face when outsourcing portions of their operations offshore, The Times reports. Members of the forensic services division of PricewaterhouseCoopers share examples of recent cases that illustrate how a "lax approach to data protection" at call centres located around the world can translate into data loss risks for companies. In addition to loss of reputation as a motivator for sealing data leaks, the report points out that the UK's Financial Services Authority "has the power to fine them for the loss or theft of data in their outsourced operations abroad." (Registration may be required to access this story.)

ONLINE PRIVACY—EUROPE

CNIL Examines WiFi Data, Germany Plans Meeting (June 18, 2010)

CNIL has announced that Google has handed over copies of e-mails, browsing history, banking details and other fragments of data collected from unsecured wireless networks by its Street View vehicles. The Associated Press reports that CNIL is examining the data it received from Google on June 4 and may seek financial or criminal penalties over the privacy breach. German authorities, meanwhile, have not received all the data they requested, the report states. German Consumer Protection Minister Ilse Aigner is planning a meeting with Google management, stating, "We have a lot of questions and we are expecting answers." Investigations are continuing across the globe into the WiFi data collection, which Google has said was a mistake but not illegal.

PRIVACY LAW—GERMANY

Prosecutors Close Deutsche Telekom Investigation (June 18, 2010)

Prosecutors in Bonn said Monday that there was insufficient evidence of any wrongdoing as they closed cases against two former Deutsche Telekom executives, Deutsche Welle reports. However, the prosecutors said they will be bringing charges against three other employees, including one security official. According to the report, the investigation determined that Deutsche Telekom monitored telephone records of senior executives and journalists in an effort to track possible information leaks to media organizations. Deutsche Telekom, meanwhile, has said that while there is no indication that actual calls were monitored, such information as call times and participants was improperly reviewed, the report states.

DATA RETENTION—EU

Parliament Proposals Send Mixed Messages (June 17, 2010)

A new push by the European Parliament contradicts the Article 29 Working Party's requirement that search engines reduce the time they store data to six months, Search Engine Land reports. The proposed European Data Retention Directive seeks to have search engines retain "all communications traffic data...for possible use by law enforcement" for two years, the report states. While pointing out that it is not guaranteed that the European Parliament will support the directive becoming law, the report suggests that "for the time being at least, it would seem to paralyze the EU's ability to make data retention demands on search engines of any sort."

EMPLOYEE PRIVACY

Staff Surveillance: Part of the IT Job (June 17, 2010)

As more corporate infractions such as leaking intellectual property, sharing trade secrets and violating regulatory requirements are occurring via the Internet, Computerworld reports that organizations are increasingly monitoring what their employees are doing online--at home as well as during work hours. Often, the report states, it is the IT department that is tasked with filtering Web sites, scanning e-mails, watching what employees post on social networks, collecting mobile phone calls and messages and, in some cases, even tracking employees' physical locations using GPS features on smartphones. Some estimates indicate such monitoring uses up more than 20 percent of an average IT manager's workday.

SOCIAL NETWORKING

Advocates: Facebook Needs More Privacy Changes (June 17, 2010)

In an open letter to Facebook CEO Mark Zuckerberg, a group of privacy advocates acknowledges the social network has made some positive changes but calls on the company to do more to address "outstanding privacy problems." V3.co.uk reports that the group, which includes the American Civil Liberties Union, Electronic Frontier Foundation, Electronic Privacy Information Center, PrivacyActivism, Privacy Lives and the Privacy Rights Clearinghouse, has made six recommendations to Facebook, including giving users the choice of opting in to the site's "instant personalization" feature rather than opting out. The letter urges Facebook to give users "control over how and with whom they share" their information--including their names, gender, profile pictures and networks.

GEO PRIVACY

Make Maximum Privacy Default (June 16, 2010)

The International Business Times reports that as location-based services become more common, so do privacy and security concerns. Stored locational data could be misused or used in civil lawsuits such as divorce cases, said Peter Eckersley of the Electronic Frontier Foundation. He added that unless the company providing the service specifically states how long the data is kept, chances are it is forever. "Privacy is hard to figure out. It's hard to anticipate in advance the kind of privacy you're going to need," he said, adding that the solution is to design applications to provide maximum privacy as the default. (Registration may be required to access this story.)

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Swiss Bank Data Deal Moves Forward (June 15, 2010)

Switzerland's parliament has approved a deal with the U.S. that would require UBS to provide data on as many as 4,450 suspected U.S. tax evaders holding accounts with the bank, Deutsche Welle reports. The specific details of the agreement are still being reviewed, including whether a public referendum will be required before it becomes law. Final approval is expected to put an end to legal action by U.S. authorities, the report states. A transfer agreement between the U.S. and Swiss governments had first been reached in 2009, but parliamentary approval was required after the Swiss Supreme Court questioned whether it was legal.

HEALTHCARE PRIVACY—UK

ICO: Too Many NHS Breaches (June 15, 2010)

The Information Commissioner's Office has expressed concern about the prevalence of data breaches involving NHS organizations. A quarter of all data breaches reported to the ICO involve the NHS, according to an ICO press release, and two more NHS bodies have promised to increase data security after recent losses of patient data. "Everyone makes mistakes," said ICO Head of Enforcement Mick Gorrill, "but regrettably there are far too many within the NHS." Gorrill added that "Health bodies must implement the appropriate procedures when storing and transferring patients' sensitive personal information." The chief executives of NHS Stoke-on-Trent and Basingstoke and North Hampshire NHS Trust have signed formal undertakings with the ICO for recent losses.

SOCIAL NETWORKING

Whitepaper: Five Risks CIOs Must Consider (June 15, 2010)

Companies should embrace social media while encouraging employees to make themselves aware of the risks involved. That's according to the Information Systems Audit and Control Association (ISACA), which this week released a whitepaper on social networking risks CIOs should be aware of, CIO reports. "Companies should embrace it, not block it," said ISACA Vice President Robert Stroud. "But they also need to empower their employees with knowledge to implement sound social media governance." The whitepaper cites viruses and malware, brand hijacking, lack of control over content, unrealistic consumer expectations of "Internet-speed" service and noncompliance with records management regulations as the top five risks.

ONLINE PRIVACY

Cloud Computing Study Portends Ubiquity, Big Breaches (June 14, 2010)

A Pew Internet survey has revealed most experts agree that cloud computing will be ubiquitous by the year 2020, Ars Technica reports. But some also caution that a massive data breach will cause a rethink on that move. "Expect a major news event involving a cloud catastrophe (security breach or lost data) to drive a reversion of these critical resources back to dedicated computing," said the Mozilla Foundation's Nathaniel James in the Pew report, which reflects widespread unease about the cloud. "Trust not the cloud for reliability, security, privacy," said University of Toronto Professor Barry Wellman.

FINANCIAL PRIVACY—EU & U.S.

Commissioner: SWIFT Negotiations Near Completion (June 11, 2010)

Negotiations between the EU and U.S. on the sharing of bank transfer data are close to being finalised, European Commissioner Cecilia Malmström told MEPs on Thursday. The talks have yielded "considerable improvements" over the interim deal rejected by MEPs in February, Malmström said in a European Voice report, with "significantly stronger" data protection guarantees. Malmström will ask her fellow commissioners to approve the agreement at their June meeting, the report states, at which point it would be forwarded to the European Parliament and the Council of Ministers for adoption. MEP Alexander Alvaro, however, said questions remain about issues including data retention and sharing, suggesting, "The draft as it is now still has room for improvement." MEP Jan Philipp Albrecht went a step further, stating it has "serious flaws" and should be renegotiated. (Registration may be required to access this story.)

PRIVACY LAW—EU

More WiFi Investigations Announced (June 11, 2010)

Privacy International is planning to file a criminal complaint with UK police over Google's interception of private data over unsecured wireless networks, Financial Times reports, while data protection authorities in Germany are also considering whether there are grounds for criminal prosecution. Similar investigations have been announced in Hong Kong, Australia, New Zealand and the U.S., while Denmark's Data Protection Agency has asked Google to destroy all sensitive WiFi data collected by its Street View vehicles. Privacy International is pointing to a third-party audit of the data collection as indicating the interception was deliberate. Google, however, has stated that the collection of personal information was accidental. (Registration may be required to access this story.)

PRIVACY LAW—UK

Attorney: UK DPA Out of Sync with EU Law (June 11, 2010)

The most important change for the UK Data Protection Act (DPA) is to amend Section 13, which allows only data breach victims who have suffered financial losses to be eligible for compensation, according to Field Fisher Waterhouse partner Stewart Room. Room believes the section contradicts Article 23 of the EU directive, which calls for compensation for any form of damage suffered as the result of a data breach, ComputerWeekly reports. Section 13 also contradicts provisions in the DPA that give the Information Commissioner's Office (ICO) the power to impose fines of up to £500,000 where breaches cause "distress or damage," Room noted at a recent conference. The second most important change, he said, will be to require private organisations to disclose data breaches.

PRIVACY LAW—EU & U.S.

EU Washington Administrator Discusses Privacy (June 11, 2010)

Piotr Nowina-Konopka of the European Parliament's new Washington, DC, liaison office suggests the catalyst for changes in the U.S. government's mindset when it comes to the EU was parliament's decision to reject a deal allowing U.S. access to Europeans' banking data on data privacy grounds, EUobserver reports. "Few people really paid attention until SWIFT exploded," he said, adding, "this wake call seems to be very healthy. I no longer have to explain from scratch how important the European Parliament is." Nowina-Konopka's goal is to keep EU and U.S. legislatures informed about what the other is doing, the report states, with possible future flashpoints including "U.S. demands for extensive air passenger data while both sides are carefully watching how the other seeks to regulate the financial sector."

DATA PROTECTION—UK

Survey: ICO Needs More Power to Fine for Breaches (June 11, 2010)

Nearly 70 percent of those polled by the Information Commissioner's Office (ICO) at a privacy event on Tuesday think the ICO's new £500,000 fines for serious data breaches are not high enough, reports V3.co.uk. Jonathan Bamford, head of strategic liaisons at the ICO, acknowledged that for some larger corporations this amount may be too small. Bamford said in his keynote speech, "I do not want a situation where we have to use bigger sticks, but by God am I prepared to use them." The ICO received powers to levy the £500,000 fines in April.

PRIVACY LAW—IRELAND

Draft Code To Require Breach Reports (June 10, 2010)

OUT-LAW.COM reports on Ireland's draft code of practice published recently by Data Protection Commissioner Billy Hawkes. The code would require Irish organizations to report data breaches involving the personal information of more than 100 people. Organizations can avoid reporting an incident, however, if the data is encrypted and password protected. In cases involving fewer than 100 people, breaches still must be reported if the information involves sensitive personal data or financial information. The code follows a government-appointed review group's recommendation that guidelines be established regarding when organizations must report data breach incidents.

ONLINE PRIVACY

Cyber Safety vs. Internet Freedom (June 10, 2010)

Concerns about the potential for nations to use the Internet to secretly declare "cyberwar" on each other are bringing to light the challenge of balancing online privacy with public safety. NPR reports that while security experts focus on the "attribution problem" of identifying and tracking down the source of cyberattacks, privacy advocates fear the loss of anonymity for Internet users. Security experts suggest that deterrence in the form of knowing where an attack comes from is needed to prevent countries from secretly using the Internet to disable their rivals' power grids, telecommunications, transportation and banking systems. Privacy advocates, meanwhile, question whether the security benefits will justify the cost to privacy, especially in countries where dissidents depend on anonymity to raise awareness of human rights issues.

FINANCIAL PRIVACY—U.S. & SWITZERLAND

Bank Data Deal Coming Undone (June 9, 2010)

A deal negotiated by the U.S. with Switzerland to gather information on Americans with holdings in Swiss bank UBS is on the verge of collapsing, The Washington Post reports. The lower house of Switzerland's parliament voted to prevent the country from turning over the names and financial information of as many as 4,450 Americans with undeclared accounts at UBS, following a ruling by a Swiss court that the deal was illegal. Lawmakers have voted to hold a public referendum on the question. In the U.S., Sen. Carl M. Levin (D-MI), who led a senate probe of UBS, said the U.S. should move forward with legal action and "force UBS to provide the names and account information..." (Registration may be required to access this story.)

ONLINE PRIVACY—UK

Advocates: Businesses “Spying” for Online Complaints (June 8, 2010)

Privacy advocates are concerned about UK companies tracking conversations on social networking sites to monitor customer comments and then contact complainants with solutions, the Daily Mail reports. Critics are saying those unsolicited calls could breach data protection laws, while business executives maintain that the information being gathered is not private. "These are all discussions that can be seen by anyone on the Web," said Warren Buckley of BT. "I would liken it to someone having a conversation in a pub--it's just a very big pub." Simon Davies of Privacy International offered a different perspective, calling the practice "nothing short of outright spying...It may not be illegal but it is morally wrong. And it is unlikely to stop there."

PRIVACY LAW—EU

Declaration Would Store Web Inquiries for Two Years (June 8, 2010)

Civil liberty groups and some MEPs are calling an EU plan to store Web search inquiries for up to two years an intrusion into citizens' privacy, the Daily Mail reports. Written Declaration 29 aims to serve as an early warning system to stop paedophiles. It would extend the Data Retention Directive--which allows EU member states to monitor and store personal e-mails and other Web activity for up to two years--to all Web search engines. "MEPs should have a serious re-think before supporting this declaration which would open up even more of citizens' personal data to monitoring and abuse," Open Europe spokeswoman Sarah Gaskell said.

BIOMETRICS—UK

Expert: Brain Scanning Could Invade Privacy (June 8, 2010)

Experts and researchers from around the world will gather in Glasgow today to discuss the use of brain imaging and its potential for exploitation, reports The Telegraph. At the Institute for Advanced Studies event, researcher Burkhard Schafer of the University of Edinburgh will say that, if unregulated, scanners could threaten people's privacy. Scanning could be used to test the validity of candidates' résumés or to analyze the subconscious preferences of consumers, the report states. "After data mining and online profiling, brain imaging could well become the next frontier in the privacy wars," Schafer said.

DATA PROTECTION

Hengesbaugh Discusses Challenges, Solutions (June 7, 2010)

BankInfoSecurity spoke with attorney Brian Hengesbaugh, CIPP, about the top privacy and security issues for organizations today. Hengesbaugh is a partner in the Chicago offices of the global law firm Baker & McKenzie, where he sits on the firm's global privacy steering committee. He says U.S. breach notification rules and a proliferation of new privacy laws worldwide are posing some of the day's top challenges. Hengesbaugh says that "A lot of U.S. companies haven't yet realized how strict these privacy laws are," and discusses what businesses should do to comply.

Editor's note: Read Brian Hengesbaugh's Privacy Advisor article about the U.S.-EU Safe Harbor privacy framework here

ONLINE PRIVACY

Google “Close” to Handing Over Data (June 4, 2010)

Google says it is close to resolving legal issues that have prevented it from supplying German data protection officials with data it inadvertently collected from unsecured WiFi networks, BBC News reports. "We are working hard to get the Hamburg DPA access to the...information he needs," the company said in a statement. Hamburg data commissioner Johannes Caspar said his office has completed tests on a Google vehicle that collected the data but added that "a full investigation is essential" and "I expect Google to continue on the path of cooperation and transparency." German consumer minister Ilse Aigner estimates that the number of legal actions related to the data collection could reach 50,000 by year's end, The Local reports.

PRIVACY LAW—EU

MEPs: Declaration 29 Extends Directive to Search Engines (June 4, 2010)

The European Parliament is urging members to sign Declaration 29 in order to combat pedophilia and child pornography, Ars Technica reports. But some say the EU is misleading members into signing the declaration, which would ultimately extend the Data Retention Directive to cover search engines. In a letter to fellow MEPs, Cecilia Wikström wrote, "The Written Declaration is supposed to be about an early-warning system for the protection of children. Long-term storage of citizens' data has clearly nothing to do with 'early warning' for any purpose." Wikström urged those MEPs who may have signed the declaration mistakenly to withdraw their support.

SOCIAL NETWORKING

Aigner Will Change Status, Council Files Complaint (June 4, 2010)

Consumer protection officials in Europe are expressing frustration with the world's largest social networking site. A meeting with company executives on Thursday failed to convince Germany's consumer minister that Facebook is doing enough to comply with that nation's laws, AFP reports. Ilse Aigner said that despite the fact many data privacy settings "really have been improved," they are "no way near sufficient to protect the users' privacy or to comply with German law." The Consumer Council of Norway, meanwhile, has filed a complaint with the Norwegian Data Inspectorate about Facebook and game provider Zynga, OUT-LAW.COM reports. The council's deputy director said, "We believe that much of the collection and use of personal information is in breach of the Data Protection Act."

ONLINE PRIVACY—FINLAND

Police Drop Street View Probe (June 4, 2010)

Finnish police have dropped their investigation into whether Google's Street View mapping service violated the nation's privacy legislation, AFP reports. The investigation began in February at the request of a Raahe resident who was captured in one of the photographs taken for the feature while seated in the garden of a private residence last summer. This week, the resident told police "he no longer had any demands in the case."

DATA LOSS—UK

ICO: Loss of Unencrypted Memory Sticks Breach DPA (June 4, 2010)

The Information Commissioner's Office says two entities have breached the Data Protection Act following the loss of unencrypted memory sticks. The West Berkshire Council has signed a formal undertaking pledging to encrypt all mobile and portable devices and provide staff training, OUT-LAW.COM reports. Meanwhile, Lampeter Medical Practice says it will take action to tighten security after a memory stick containing details on 8,000 patients went missing. "A lack of awareness and training in data protection requirements can lead to personal information falling into the wrong hands," said Sally-anne Poole of the ICO.

DATA PROTECTION—EU

Hustinx: Privacy Should Be Default in “Smart” Environment (June 3, 2010)

Clear rules are needed to mitigate risks posed by a world of ubiquitous smart tags, according to European Data Protection Supervisor Peter Hustinx. At the annual Internet of Things conference yesterday, Hustinx said that smart objects such as appliances equipped with metering technology and geo-enabled devices must have data protection built in. Hustinx also stressed that privacy should be the default in the "smart" environment, and he called for more accountability on the part of manufacturers and vendors. "Controllers should be more in control," Hustinx said. "This is happening in the financial sector, on environmental issues and it should also be the case in the context of data protection."

SOCIAL NETWORKING

Yahoo Urges Users to Review Privacy Settings (June 3, 2010)

In preparation for unveiling its new social networking option to its users, Yahoo is advising its 280 million e-mail accountholders to review their privacy settings, the Associated Press reports. Yahoo has posted a privacy reminder in connection with its plans for a new service that will share e-mail users' online activities and interests with their saved contacts unless they disable the feature. Yahoo is trying to avoid a privacy backlash by providing a one-click option for opting out of its new social features.

PRIVACY LAW—IRELAND

Draft Code of Practice Calls for Breach Notification (June 2, 2010)

Data Protection Commissioner Billy Hawkes yesterday published a draft code of practice, The Irish Times reports. The code would require data breaches affecting more than 100 individuals and any loss of sensitive personal or financial data be reported to the Data Protection Commissioner's Office. It would provide an exception where the data can be considered inaccessible due to proper security, the report states. The code comes on the heels of recommendations last week by a government-appointed Data Protection Review Group calling for the code of practice as well as for prosecution in cases where organizations or individuals fail to report breaches.

DATA PROTECTION—UK

ICO Sends Warning as Data Breach List Nears 1,000 (June 1, 2010)

As its list of reported data breaches nears 1,000, the Information Commissioner's Office (ICO) is urging organizations to minimize risks, Insurance Age reports. The ICO's Security Breaches Report, which lists reported data loss incidents since 1998, shows NHS at the top with 305 reported breaches, followed by a private organization with 288. Deputy Information Commissioner David Smith is urging companies to have security and disclosure procedures that staff can understand and that are properly implemented. "We all know that mistakes can happen, but the fact is that human error is behind a high proportion of security breaches that have been reported to us," Smith said.

ONLINE PRIVACY

New Companies Bank on Privacy (June 1, 2010)

In the wake of recent backlash against Facebook and Google over their handling of user information, The San Francisco Chronicle reports that "a slate of ambitious online startups are aiming to squeeze into the fields of social networking and search by touting a stronger focus on privacy." In such privacy-focused social networking projects as Diaspora, Appleseed and OneSocialWeb as well as search engines like Yauba, Ixquick and Duck Duck, a strong focus on privacy is included as part of the package, the report states. And while market analysts do not see privacy as the sole factor to draw users from one service to another, Ryan Calo, whose company reviews Web applications based on privacy, security and openness, believes companies have begun to use privacy as a business differentiator.