European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

Former Employee Pleads Guilty (July 30, 2010)

A former T-Mobile employee pleaded guilty last week in a Chester Crown Court to 18 charges of violating the Data Protection Act, reports The Register. The case stems from the illegal sale of millions of T-Mobile customer records that were used by marketers to poach subscribers nearing the end of their contracts, says the report. The staffer has yet to be sentenced, and another employee will enter a plea on November 23 in relation to his role in the theft. The Information Commissioner's Office responded to the plea, saying, "We are pleased with this outcome."
Full Story

DATA PROTECTION—EU

EDPS Calls for IMI Data Protection Framework (July 30, 2010)

The European Data Protection Supervisor (EDPS) has written to the Internal Market and Services Directorate General of the Commission commenting on the progress made to date and encouraging the implementation of further safeguards for data protection in the Internal Market Information System (IMI). Recommendations include using the principles of privacy by design, continuing cooperation with EU Member States' data protection authorities and establishing a more comprehensive data protection framework. "The adoption of a legal instrument, such as a Council and Parliament Regulation, is necessary to set a more comprehensive framework for the operation of IMI and provide for legal certainty and a higher level of data protection," noted Peter Hustinx, EDPS.
Full Story

DATA LOSS—UK

Nearly 600 Storage Devices Missing from MoD (July 30, 2010)

The Ministry of Defense (MoD) released a report stating nearly 600 data storage devices were either lost or stolen over the past two years, reports Dark Reading--and only one in five of those devices was encrypted. In all, 340 laptops, 593 CDs, DVDs and floppy disks, 215 USB memory sticks, 96 removable hard disk drives and 13 mobile phones have gone missing, states the report. Eleven government departments were studied, racking up over 1,000 devices lost, with the MoD topping the list. In July of 2008, the MoD reported 658 stolen laptops.
Full Story

ONLINE PRIVACY

Tech Firms Lobby EU on Privacy Rules (July 29, 2010)

As tech firms ready to sell remote computing services in the European marketplace, they are pushing for streamlined privacy standards in order to make cloud computing more viable in the 27-nation bloc. The Wall Street Journal reports on the efforts of U.S. tech giants, which say that Europe's patchwork and sometimes contradictory regulations on cloud computing represent "real hurdles or speed bumps to sales." But with Europe's Digital Agenda still months away from being finalized, some believe "It's way too early to say whether the EU directive will create a pan-European authority" to oversee cloud computing and privacy issues, according to an EU spokesperson. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Virtual Insecurity (July 29, 2010)

Companies are now able to create detailed "digital dossiers" from the Web browsing, networking and searching many of us engage in each day, raising questions about personal privacy, Financial Times reports. Self-regulation has been the norm in the U.S., but as Jessica Rich of the FTC points out, "If the goal is providing consumers with information about how their information is being used and giving them some control, that is not being achieved." U.S. legislators are discussing new laws to address online privacy issues. European regulators, meanwhile, are focused on such provisions as user consent and the "right to be forgotten," the report states. "Internet users must have effective control of what they put online and be able to correct, withdraw or delete it at will," said EU Justice Commissioner Viviane Reding.
Full Story

ONLINE PRIVACY

100M Social Network Users’ Details Published (July 29, 2010)

Personal information from 100 million Facebook users has been published online by a security consultant who was able to collect data through the site's public directory, BBC News reports. Ron Bowes said he published the list, which contains the URL of every searchable Facebook user profile along with such information as names and unique IDs, to highlight privacy issues, the report states. On the same day that reports of the list surfaced in the international media, Facebook CEO Mark Zuckerberg was meeting privately with U.S. legislators to discuss issues including online privacy. In response to the incident, Facebook has noted that data included in the creation of the list was already public. Simon Davies of Privacy International, however, contends it illustrates confusion over the site's privacy settings.
Full Story

ONLINE PRIVACY—UK

ICO Checked WiFi Data (July 28, 2010)

Representatives from the Information Commissioner's Office (ICO) visited Google's offices earlier this month to view samples of the WiFi data the company collected via its Street View cars, V3.co.uk reports. "While Google considered it unlikely it had collected anything other than fragments of content, we wanted to make our own judgment," an ICO spokesperson said, adding that the samples viewed offered "no evidence" that the data captured has caused or could cause harm. "Nevertheless, it was wrong to collect the information," the spokesperson said. The ICO will forward its findings to those who have filed complaints about the information collection.
Full Story

DATA PROTECTION

Report: Cyber Attacks Cost up to $53 Million Per Year (July 27, 2010)

A Ponemon Institute report has found that organizations are the victims of cyber attacks at least once per week, costing from $1 million to $53 million per year. "The First Annual Cost of Cyber Crime Study" found that Web-borne attacks, malicious code and malicious insiders are the most costly cyber attacks and that information theft remains the highest consequence, Dark Reading reports. Of the 45 U.S. organizations surveyed, the majority were "random and haphazard in their approach" to the problem, said Ponemon Institute CEO Larry Ponemon, CIPP. Meanwhile, a Digital Forensics Association report found that nearly half of all reported breaches in the last five years were due mainly to laptop thefts and that Social Security numbers are the most commonly compromised form of data.
Full Story

PRIVACY LAW

German Regulator: Terminate U.S. Safe Harbor (July 26, 2010)

On the 10th anniversary of the European Commission's agreement to recognize the U.S. Department of Commerce (DOC) "safe harbor" principles, Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert is calling for an end to the agreement. According to a release issued by Germany's Independent Centre for Privacy Protection (ULD), an Australian study due to be released next month has revealed widespread compliance issues among the 2,170 U.S. companies that "claim to be safe harbor privileged," including lack of information on how to enforce individual rights, high-priced dispute resolution options and a minimal number of U.S. Federal Trade Commission prosecutions for false claims of certification. "From a privacy perspective, there is only one conclusion to be drawn from the lessons learned--to terminate safe harbor immediately," Weichert said.
Full Story

CONSUMER PRIVACY—UK

New Industry Code Requires Parental Consent (July 26, 2010)

Companies directly marketing to customers must not use the Internet to gather data about children. That's according to a new code of practice published by the Direct Marketing Association (DMA), which says companies must seek parental consent for children under 12 years old, The Register reports. The code must be adhered to by members of the DMA. "Even if your site is not primarily aimed at young people, if there is a possibility that it would be attractive to them...you have a responsibility," a DMA spokeswoman said. The revision brings the code into compliance with the Committee of Advertising Practice, which sets the rules governing advertising in the UK, the report states.
Full Story

PRIVACY—EUROPE

EC Releases Report on PETs (July 23, 2010)

The European Commission this week received the final report on a London Economics study that looks at the costs and benefits of Privacy Enhancing Technologies (PETs) and lays out a framework for how to understand and deploy them, reports egovmonitor.com. Based on a survey of businesses from 12 EU member states, the economic benefits are shown to be technology and application specific and should be determined on a case-by-case basis. The report states, "There is little evidence that the demand by individuals for greater privacy is driving PETs deployment...Data controllers, on the other hand, can derive a variety of benefits from holding and using personal data, including the personalisation of goods and services, data mining, etc."
Full Story

DATA RETENTION—SWEDEN

Swedish ISP Won’t Retain IP Addresses (July 23, 2010)

Sweden's Pirate Party plans to launch a new Internet service that will not retain logs of users' IP addresses, Deutsche Welle reports. The party hopes to compete on anonymity. "We want to make more of a political statement about which Internet service provider you use," said Pirate ISP's CEO, Gustav Nipe. He said that by not keeping such user data, there would be nothing to provide to law enforcement if requested. But a lawyer with the Swedish Anti-Piracy Bureau predicts the Pirate ISP will be found illegal, the report states, because all ISPs are required to turn over IP addresses when asked. Nipe said the company is being "proactive against the Data Retention Directive," which will be voted on in Swedish Parliament later this year.
Full Story

PRIVACY LAW—UK

Organisations Support Mandatory Breach Notification (July 23, 2010)

Nearly half of UK organisations surveyed believe data protection laws are too relaxed, with 87 percent favoring mandatory disclosure, ComputerWeekly reports. From May 2011, ISPs and telecom companies will be required to disclose data breaches under the current EU data protection directive, the report states, with a revised directive currently under consideration expected to extend the requirement to all organizations. When the UK and other EU member states draft legislation to reflect those changes, data privacy experts are recommending they focus on encouraging organisations to find and correct the causes of data breaches. As one expert put it, "The point of data breach disclosure should be about understanding the problem, not about punishment."
Full Story

DATA PROTECTION—UK

DLP On the Rise Due to Increased Enforcement (July 23, 2010)

New levying powers for the Information Commissioner's Office and increased enforcement seem to be causing companies to rethink their data loss prevention (DLP) strategies. For an SC Magazine article, Dan Raywood spoke with vendors in the DLP arena about the changes they see and found that companies seem to be taking data security more seriously due to the new powers. Neil Stephenson, CEO of the Onyx Group, outlines suggestions for keeping data secure, including educating staff on the importance of reliable management processes, protecting data and deleting unnecessary data, as well as investing in encryption software.
Full Story

PRIVACY LAW—EU & ISRAEL

Ireland Seeks EU Support in Blocking Adequacy Status (July 23, 2010)

Ireland's Minister for Justice (MoJ) Dermot Ahern will ask the EU to back Ireland in its attempt to prevent data transfers to Israel, reports The Irish Times. Though the European Commission plans to grant Israel adequacy status under its data protection directive, allowing for the transfer and storage of European citizens' data in Israel, the MoJ has expressed "profound concerns." The EU declaration allowing for the data transfer was set to happen two weeks ago, but the Irish government objected, citing recent events involving fake Irish passports and alleged Israeli assassins. "I think it's important that we put down a marker, which we have, that given the history, we in Ireland are worried," said Ahern.
Full Story

DATA PROTECTION—IRELAND

Commissioner Investigates Insurance Industry Database (July 22, 2010)

The Office of the Data Protection Commissioner is investigating insurance companies' use of an industry-wide database, which may breach data protection laws, The Irish Times reports. The database, which companies lawfully use to post the personal details of people who make an official insurance claim, includes data on customers who have consulted an insurer but never made an official claim, which is not permitted under the law. The commissioner's office is also concerned about unregulated access to the database, the report states. Deputy Data Commissioner Gary Davis said the investigation, the office's largest undertaking yet, was initiated following a large number of audits that gave the office "cause for concern."  
Full Story

ONLINE PRIVACY

Tips for Managing Your Online Information (July 22, 2010)

This week's New York Times Magazine features a report by Jeffrey Rosen on the challenges of living life in this age when the Internet has records of almost everything we do and forgets none of it. Rosen is now inviting readers to submit their questions to two of the experts he interviewed for his article, Michael Fertik of ReputationDefender, a company that offers its clients options for managing their online reputations, and Prof. Paul Ohm of the University of Colorado, who has suggested ways new laws could be drafted to limit how companies use online information to influence employment decisions. Questions on managing online information will be accepted until July 25, the report notes, with answers to be posted July 26 and 27.
Full Story

RFID

The Benefits of Information vs. Loss of Privacy (July 21, 2010)

From using RFID devices in student identification cards to track attendance at university classes to card-based customer loyalty programs, controversies around the use of RFID center on the balance between privacy and information. "RFID, and electronic storage and transmission of information more broadly, often evokes concerns about breaches of privacy. In practice, the technology often replaces tracking methods prone to security lapses," Rebecca Walberg writes in a report published in The Vancouver Sun. While some experts suggest RFID is not a threat to privacy, given that programs such as customer rewards require user consent, others, like Prof. Yeona Jang of McGill University, caution, "there are privacy issues that need to be addressed accordingly, as technology advances."
Full Story

ONLINE PRIVACY

The Economic Value of Privacy (July 20, 2010)

While at least one startup is banking on consumers wanting to use their personal information as "virtual currency that can be traded," making personal information a commodity poses challenges, Steve Lohr writes in The New York Times. According to M. Ryan Calo of Stanford Law School, "There is no way to know in advance what the value of this information is." Citing last year's "What Is Privacy Worth?" study by three Carnegie Mellon researchers, Lohr points out that the value of privacy is shaped by people's expectations, as summed up by Alessandro Acquisti, one of the study's authors, who notes, "When you have privacy, you value it more, but when the starting point is that we feel we don't have privacy, we value privacy far less." (Registration may be required to access this story.)
Full Story

DATA RETENTION—EU

Working Party Finds Problems with Data Retention Directive (July 16, 2010)

The Article 29 Working Party says the European data retention directive is not being applied correctly by member states and that some service providers are retaining inappropriate data. The Working Party this week published a report on the findings of a joint inquiry into the directive. The group of European data protection authorities found discrepancies among member states' implementation of the law. It also concluded that "more data are being retained than is allowed." The report includes several recommendations for amending the directive and calls on the European Commission to take into account its findings as it considers potential changes to the directive.
Full Story

PRIVACY LAW—IRELAND

First Conviction for Unsolicited Marketing (July 16, 2010)

Dublin District Court on Monday convicted supermarket giant Tesco of breaching the European Communities (Electronic Communications Networks and Services Data Protection and Privacy) Regulations, reports Herald.ie. Tesco pleaded guilty and admitted to sending e-mails to customers who had previously indicated they did not want them. The company received a €2,000 fine, and Tesco Ireland has suspended all marketing e-mails until it can resolve the situation to the satisfaction of the Office of the Data Protection Commissioner, the report states. Deputy Data Protection Commissioner Gary Davis said his office had warned the company about its actions in the past and hopes that this conviction sends a message to others about this kind of marketing.
Full Story

DATA LOSS—UK

Calls for Mandatory Breach Notification (July 16, 2010)

Starting next May, telecoms and Internet service providers will be required to report data breaches, but some legal experts at a roundtable event this week said they would like to see mandatory breach reporting requirements for all, reports V3.co.uk. Field Fisher Waterhouse partner Stewart Room said that mandating breach notification would stop companies from burying the bad news. He said many firms "often decide not to report data breaches to the (Information Commissioner's Office) as they are not obliged to report it under law, yet could suffer retrospective punishment despite admitting the loss."
Full Story

DATA LOSS—UK

Medical and Financial Breaches (July 16, 2010)

The Information Commissioner's Office has found Brigham Children's Hospital NHS Trust in breach of the Data Protection Act after two laptops containing patients' personal information were stolen. The trust will sign a formal undertaking stating that it will begin processing personal information in accordance with the Data Protection Act and will implement security measures such as software encryption. Meanwhile, the Barking and Dagenham Post reports that the Barking and Dagenham Council's financial system was hacked, possibly exposing employees' bank details. Though investigators deemed personal data loss unlikely, they could not rule it out.
Full Story

DATA PROTECTION—UK

ICO Reiterates Call for Jail Sentences (July 15, 2010)

British Information Commissioner Christopher Graham released his Annual Report for 2009/10 yesterday, reiterating his call for jail sentences for those convicted of illegal data trading, OUT-LAW.COM reports. "I shall continue to press for a more effective deterrent to criminal behavior by 'rogue' individuals," Graham said. "I continue to believe that the courts should be able to impose a custodial sentence, where appropriate, to tackle the unlawful trade in personal data that is the scourge of the digital world." The ICO saw a 30 percent increase in the number of data protection enquiries during the 2009/10 year.
Full Story

PRIVACY LAW—UKRAINE

Ukraine Passes Data Protection Law (July 15, 2010)

The Ukrainian Parliament has adopted a data protection law that will become effective January 1, 2011. The law states that personal data may not be processed without the consent of the individual concerned, except in cases provided for by law or where the data is necessary for maintaining national security, economic welfare or the protection of human rights, according to Olexander Martinenko and Olga Belyakova of the law firm CMS Cameron McKenna. The law also requires that personal data not be used in ways other than its intended purpose at the time of collection. Any database must be registered with a state entity yet to be created by the government. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & U.S.

Reding: Umbrella Data Transfer Agreement Needed (July 14, 2010)

European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding is keen to hammer out a data protection agreement that would govern all transfers of data between the EU and U.S., OUT-LAW.COM reports. "It is my determination to end this piecemeal approach," she said, referring to the recent negotiations of separate deals on financial and travelers' data sharing during a meeting at The Atlantic Council in Washington, DC this week. Reding said that EU Member States are "discussing the fine print" of the European Commission's proposal. The aim, Reding said, is "to provide legal certainty to data transfers by ensuring that all these transfers are subject to high standards of data protection on both sides of the Atlantic."
Full Story

STUDENT PRIVACY—IRELAND

Department of Education to Revise Data Collection Practices (July 14, 2010)

Following warnings from the data protection commissioner that they may breach privacy laws, the Department of Education says it will revise its data collection practices. The department has confirmed it will seek parental consent in the collection of sensitive personal data. Deputy Data Commissioner Gary Davis said this week that parents were often unaware that information given to the schools, which sometimes includes Personal Public Service numbers and medical card status, was forwarded to the department, reports the Irish Times. The department said it has taken the data protection commissioner's concerns seriously and continues to work with the office to meet requirements.
Full Story

SOCIAL NETWORKING

Int’l Companies Must Navigate Patchwork Laws (July 14, 2010)

CNET News reports on the complications companies face in complying with data protection and privacy laws across national borders. The operational reality of platforms such as Facebook, for example, "is challenged to the breaking point by the patchwork of privacy laws in different countries," said Paul Bond, a data protection attorney with Reed Smith. However, changing privacy policies to comply with various jurisdictional laws can create more problems than solutions for users, according to attorney Francoise Gilbert of IT Law Group. "What all of these people are asking is that it be more simple, more understandable, so it should not be more complex. If it's more complex, then everybody has lost."
Full Story

DATA PROTECTION—GERMANY

German Minister Calls for Internet Code of Honor (July 13, 2010)

Germany's consumer minister has called for an Internet "honor code," reports The Sydney Morning Herald. Ilse Aigner says she's worried about the trends she sees on the Internet and that the Internet community should develop a code with "10 golden rules--short, sharp and clear," using suggestions from Internet users. Aigner, who wrote a letter to Facebook earlier this year urging that it revise its privacy policy "without delay," says users must be made aware that social networking services are not free. "We users pay for it with our private data."  
Full Story

ONLINE PRIVACY

Study: Consumer v. Marketer Expectations (July 13, 2010)

A recently released study shows that when it comes to new technology, consumers have higher privacy expectations than marketers and most often prefer an opt-in method for collecting personal information. The University of Massachusetts Amherst study looked at cookies, RFID, text messaging, pop-up ads, telemarketing, SPAM, biometrics and loyalty cards. This is the first study to directly compare the privacy expectations of consumers and marketers. The researchers also discovered that many consumers don't understand the tools used by online companies and marketers and don't know how much, or how often, detailed information is gathered about them.
Full Story

ONLINE PRIVACY—GERMANY

While Regulators Bear Down, Consumers Sign Up (July 12, 2010)

On the surface, the actions of German data protection regulators don't seem to reflect the sentiment of consumers in that country, where Facebook and Google--two companies under investigation by data protection regulators there--are popular, The New York Times reports. "I think many people in Germany...do not have as many problems with data protection as the regulators are making out," said a 21-year-old college student. But experts say that while the dichotomy is unlikely to lead to a loosening of the country's strict privacy rules, lowering barriers for online marketing could help encourage economic growth. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Study: Online Habits of the Young Will Live On (July 12, 2010)

A study fielded by the Pew Research Center's Internet & American Life Project and Elon University's Imagining the Internet Center found that most technology experts and stakeholders believe the online sharing habits of the millennial generation will stay with them throughout their lives. Sixty-seven percent of respondents agreed with a statement that Millennials "will continue to be ambient broadcasters who disclose a great deal of personal information in order to stay connected and take advantage of social, economic and political opportunities." Respondents also acknowledged that new social norms and new definitions of public and private information are already taking shape.
Full Story

FINANCIAL PRIVACY—EU & U.S.

Parliament Approves SWIFT (July 9, 2010)

By a vote of 484 to 109, with 12 abstentions, the European Parliament voted yesterday to approve a revised bank transfer data sharing agreement between the EU and U.S., V3.co.uk reports. Several of those opposing the plan have suggested it is "a clear violation of EU legislation on data protection." European Commissioner Cecilia Malmström, however, described the new agreement as "proof that we can find appropriate safeguards to accommodate legitimate concerns about both security and privacy," while U.S. President Barack Obama thanked the EU, stating the plan "reflects significant additional data privacy safeguards but still retains the effectiveness and integrity of this indispensable counterterrorism program." The agreement will go into effect 1 August.
Full Story

PRIVACY LAW—EU & ISRAEL

Irish Gov’t Moves to Block Adequacy Status for Israel (July 9, 2010)

The Irish government has expressed "profound concern" about European Commission plans to grant Israel adequacy status under its data protection directive, The Irish Times reports. Adequacy status would allow for the transfer and storage of European citizens' sensitive personal data in Israel. Earlier this year, Europe's Article 29 Working Party released an opinion that Israel "guarantees an adequate level of protection" and an EC committee sought to confirm the status in the coming days. However, Irish Minister for Justice Dermot Ahern moved to block approval, saying that recent events involving fake Irish passports should be considered. "It may well be the case that Israel provides data protections which meet EU standards," a spokesman for the MoJ said. "But the minister believes the EU committee has to take very serious account of forgery of EU passports...by Israel in recent months."
Full Story

SURVEILLANCE—UK

Stricter Regulations for Car-Tracking Cameras (July 9, 2010)

Home Secretary Theresa May has ordered tighter regulations placed on the automatic number plate recognition (ANPR) system, which captures images of the front of cars--including details of number plates--and records the date, time and place of capture. BBC News reports the government will look into limiting access to the database and length of data retention as well as requiring greater transparency over where the cameras are, among others. The review comes after a decision was made to remove 72 ANPR cameras once it was discovered they were funded through a Home Office counterterrorism fund, the report states. Home Office Minister James Brokenshire said the growing use of ANPR "has been outside of a suitable governance regime" and that to ensure ANPR is used effectively, "further regulation is required." One privacy group is calling the review "long overdue."
Full Story

PRIVACY LAW—EU

Dutch MEP: Passenger Data Deal Needs Improvements (July 9, 2010)

The European Commission has until autumn to propose mandates to the agreement allowing the U.S. access to EU passenger data on flights into or over the U.S., reports EU Observer. Though the Passenger Name Record (PNR) agreement has been in place since 2007, it must be renewed under the Lisbon Treaty. Dutch Liberal MEP Sophie in't Veld said improvements are needed to the deal, which provides U.S. authorities access to data on passengers in both "terrorism" and "serious crime" cases. She predicts that the PNR vote will be more difficult than the SWIFT deal, passed yesterday, "because our objections are stronger."
Full Story

PRIVACY LAW—UK

Ministry Calls for Input on Data Protection Law (July 9, 2010)

In its effort to determine whether the powers of the Information Commissioner's Office (ICO) should be expanded, the Ministry of Justice has asked for evidence on how current data protection laws are working. The request will allow individuals, private organisations, charities and public authorities to voice their views on the current data protection law ahead of negotiations on a new EU data protection instrument, expected to begin in early 2011, Kable reports. EU Justice Commissioner Viviane Reding has called on the UK to change its rules and give the ICO more power or face action from the European Commission.
Full Story

DATA PROTECTION—UK

ICO Releases Guidelines on Personal Data Collection (July 8, 2010)

The information commissioner has issued guidelines on how organisations can protect consumers' personal information online, ComputerWeekly reports. Releasing the "Personal Information Online Code of Practice," Information Commissioner Christopher Graham has called on organisations to be transparent in collecting data from customers by informing them why the data is being collected and allowing them choice over data use. Companies that improperly collect or retain personal data risk enforcement by the ICO, Graham said, adding that customers may distrust companies that mislead them about collection and use. "Get privacy right and you will retain the trust and confidence of your customers and users," Graham said this week.
Full Story

SOCIAL NETWORKING—GERMANY

Legal Proceedings Launched Against Facebook (July 8, 2010)

A German data protection official has filed legal action against Facebook, alleging the social networking service illegally accessed personal information about people who do not use the site, the Associated Press reports. Johannes Caspar of the Hamburg office of data protection said his office has received complaints from many people who were allegedly contacted by Facebook because users had listed their names and e-mail addresses among their personal contacts. "We consider the saving of data from third parties, in this context, to be against data privacy laws," he said. Facebook has until August 11 to formally respond to the complaint. The company has confirmed it is reviewing the notice and will respond within that timeframe, the report states.

BEHAVIORAL TARGETING—UK

ICO: Advertisers Should Offer Opt-Out Provisions (July 8, 2010)

There is nothing "intrinsically unfair" about behavioral advertising when users have the opportunity to opt out, the Information Commissioner's Office (ICO) suggests in its code of practice for gathering and processing personal data. "Organizations must be transparent so that consumers can make online privacy choices and see how their information will be used," said Information Commissioner Christopher Graham. OUT-LAW.COM reports on the ICO's position that the Data Protection Act provides options for processing information. The code of practice recommends Web sites include "a simple means of disabling the targeting of advertising using behavioral data," noting that Web companies also have the right to refuse to provide services to those who opt out.

DATA LOSS

Study Shows Hotels Hacked at “Disturbing Rate” (July 8, 2010)

A recent study by SpiderLabs found that the hotel industry was involved in 38 percent of all credit card hacking cases last year, reports The New York Times. Anthony Roman, a private security investigator, told the Times that hotels are attractive targets because "the greatest amount of credit card information can be obtained using the most simplified methods." Roman added that most hotel breaches are due to "a failure to equip, or to properly store or transmit, this kind of data, and that starts with the point-of-sale credit card swiping systems." According to the report, tough economic times have forced hotel owners to cut spending, leading to lagging security upgrades and a worsening of the problem. Credit card companies, meanwhile, are pushing for uniform security measures for all retailers. (Registration may be required to access this story.)

DATA PROTECTION—FRANCE

CNIL: Cease Illegal Data Processing (July 7, 2010)

The French data protection authority (CNIL) has issued orders in several recent cases that illegal data processing cease immediately, according to Matthias Rubner of Latham & Watkins LLP. CNIL investigators can audit a company's data protection controls without warning to review its data collection methods as well as the data it collects. Companies fined for breaches by CNIL are named on the authority's Web site and appear in French newspapers regularly, the report states, causing reputational damage to the brand. Recent cases included fines of €10,000 to a retail store and €40,000 to a marketing company. (Registration may be required to access this story.)

PRIVACY LAW—UK

Data Protection Costs £53 Million Per Year (July 7, 2010)

A government report released yesterday revealed that data protection law costs in the UK total £53 million every year. The Independent reports that a review of the Data Protection Act revealed that companies bear the brunt of costs, with officials saying they spend around £50 million a year responding to subject access requests for information. The review comes as the UK considers granting more punitive powers to the Information Commissioner's Office, at the urging of the EU. Justice Minister Lord McNally said that, in reviewing the law, the government aims to protect personal privacy "without placing undue burdens on businesses and other organisations that collect personal data."

DATA LOSS—IRELAND

Gov’t Departments Have Lost More Than 50 Laptops (July 6, 2010)

An Irish Independent investigation has found that, since 2008, 51 laptops, 21 BlackBerrys, one desktop computer and two memory sticks have been lost by 19 government departments. One stolen laptop contained unencrypted personal data on 163 students, prompting the Department of Education to notify those affected, states the report. One data protection expert worries that if government-held private information gets into the public domain, the government may face lawsuits. Another expert says the Data Protection Act, revised in 2003, has not kept pace with technology such as mobile devices.

PRIVACY LAW—ITALY

Regulator: Privacy Bill Goes Too Far (July 2, 2010)

Francesco Pizzetti, Italy's privacy regulator, is raising concerns that draft legislation passed by the senate earlier this month does too much to limit media coverage of criminal cases, Bloomberg reports. The bill "objectively shifts the balance between press freedom and privacy completely in favor of privacy," Pizzetti said in his annual speech to parliament. "In doing this, a danger to press freedom is created." Meanwhile, Italian Prime Minister Silvio Berlusconi, who supports the bill, has cautioned that pervasive wiretap leaks have led to "people being tried in the press," the report states. Debate on the bill is set to begin in the Chamber of Deputies on 29 July.

PRIVACY LAW—EU

Opinion: Making the Best of Cookie Compliance (July 2, 2010)

The EU's Privacy and Electronic Communications Directive "is a shambles," Struan Robertson writes in an opinion piece for OUT-LAW.COM. While he describes the law itself as "ambiguous and potentially contradictory," Robertson offers positive feedback for the Article 29 Working Party's recent interpretation on complying with the law, stating regulators have "done a decent job of making a fundamentally anti-business law more palatable." When it comes to the Working Party's call for greater privacy control in Web browsers, Robertson writes that "real change will take years." And while noting that "publishers and advertisers are never going to be happy with the new law," he suggests that with the new guidance from EU regulators, "the situation is not as bad as they might have feared."  

DATA PROTECTION—EU & U.S.

Differing Rules Pose Challenges to International Data Protection (July 2, 2010)

EUobserver reports on the differing philosophies and laws governing the U.S. and EU when it comes to data protection. The differences pose challenges to U.S. companies doing business in the EU, the report states. Whereas in Europe data protection is viewed as a fundamental human right, in the U.S. "it's a consumer protection interest," said Lisa Sotto, a privacy lawyer at U.S.-based Hunton & Williams. Sotto discusses Safe Harbour agreements, which aim to bridge the gap between EU and U.S. philosophies and have helped some 2,200 U.S. companies to comply with EU laws.

GENETIC PRIVACY—UK

Senior Officers Say Delete Innocents’ DNA (July 2, 2010)

Senior officers will launch an effort to remove innocents' data from the DNA database by writing letters to police chiefs to highlight current DNA retention legislation. The Telegraph reports that though the law states chief constables have discretion to remove innocent people from the database, some police forces are refusing to delete the information. In May, the coalition government announced its commitment to remove such information from the DNA database, and recently the European Court of Human Rights said the practice of storing such data violates human rights. At a conference in Manchester this week, West Midlands Chief Constable Chris Sims said he will persuade senior officials to remove the data. "It is not a radical change of policy," he said, "it is making sure it is being implemented in a reasonable consistent way."

GEO PRIVACY

Privacy Breach Reveals Network Users’ Locations (July 1, 2010)

Internet site Foursquare published a notice Wednesday about a privacy breach that shared all users' location information across the Web, regardless of whether they had chosen to opt out of such broadcasts through their privacy settings, Wired reports. The location-based social network was made aware of the data breach on June 20 by "white-hat hacker" Jesper Andersen, the report states, and asked Andersen to give it nine days to address the issue. According to the report, Foursquare sent Andersen an e-mail Tuesday morning saying that it had fixed that "privacy leak" but had not yet solved two other issues Andersen raised and "was trying to figure out how to balance usability with privacy."

PRIVACY—BERMUDA

Opinion: Let Us Be Forgotten (July 1, 2010)

In a piece for The Royal Gazette calling for Bermuda to enact data protection legislation, Ahmed ElAmin writes of European Commissioner Viviane Reding's comments on data protection and the desire by some for "a right to be forgotten." When it comes to companies using personal data, he says, this is exactly what individuals should have. Unlike the EU, ElAmin notes, "Bermuda has not implemented any specific data protection legislation under its Electronic Transactions Act 1999 or through a separate piece of legislation." Bermuda's situation is different from the EU's effort to weave laws from 27 countries, ElAmin asserts, asking lawmakers to "get with it" and provide Bermuda's residents with the "right to be forgotten."