European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

GENETIC PRIVACY

What To Ask Before You Give Away Your DNA (August 31, 2010)

When it comes to giving samples of your DNA, there are things you need to know. That's according to Marcy Darnovsky, head of the U.S.-based Center for Genetics and Society, who told The Wall Street Journal that while individuals may want to share their DNA to help scientific studies move forward, it must be done in a "responsible way" that does not put privacy at risk. Darnovsky recommends asking who will have access to the data, whether and how it will be anonymized, where it will be stored and how it will be analyzed, the report states. As Darnovsky put it, "once you give someone your genetic information, it doesn't matter if you destroy the sample" since the data will live on. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Opinion: Ten Fallacies About Web Privacy (August 30, 2010)

In a column for The Wall Street Journal, Emory University economics Prof. Paul Rubin discusses 10 fallacies about Web privacy. Rubin asserts that despite privacy advocates' arguments otherwise, increased privacy online comes at a cost to the consumer. Information helps the economy to function, Rubin says, and less of it will result in less efficient markets. More information also means firms are able to better market to specific customers, meaning they receive information useful to them more quickly. Additionally, Rubin says, it's untrue that more privacy means more safety and less risk. For example, the more information available to firms for identity verification, the less risk of identity theft, he writes. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Ads That Follow You on the Web (August 30, 2010)

The New York Times reports on an ad industry practice known as personalized retargeting or remarketing, where Internet users are followed from site to site by ads for items they've viewed online. With more retailers and Internet companies using it, the report states, retargeting, which relies on placing cookies on users' browsers, has reached a level of precision that is leaving consumers with the palpable feeling that they are being watched as they roam the virtual aisles of online stores." While the practice is raising privacy advocates' concerns, even some advertising and media experts suggest the practice is "bold," the report states, and many users may not like it. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—GERMANY

Postal Company Acquires Online Ad Platform (August 30, 2010)

As the behavioral targeting market continues to gain momentum in Germany, mail services provider Deutsche Post has acquired Europe's largest targeted online ad platform, Media Post reports. Nugg.ad, which provides "predictive behavioral targeting" for an array of companies, integrates surveys with "machine learning, predictive analytics and targeting." Deutsche Post and its DHL Express division are not strangers to new technology, the report states, pointing out the early use of RFID by the company to track packages. Deutsche Post stated in a press release that the investment in targeting technology will consolidate new areas of growth in online marketing. Nugg.ad displays the European Privacy Seal of approval, the report states.
Full Story

HEALTHCARE PRIVACY—FINLAND

Ombudsman: Clinics Fail to Protect Data (August 27, 2010)

A study conducted by Finland's data protection ombudsman in June has found that private health clinics often fail to protect patients' data, yle.fi reports. According to the survey results, many private clinics do not monitor how patient information could be misused, the report states. Furthermore, one-third of private sector clinics have not appointed an information security contact person as required by law. The study also found that most pharmacies and clinics do not inform patients upon discovering that their information has been misused.
Full Story

ONLINE PRIVACY—FRANCE

CNIL Displeased with Street View Resumption (August 27, 2010)

French police stopped a car used to collect images for Google's Street View service Wednesday to verify it was not also collecting WiFi data, Bloomberg reports. Earlier this week, France's data protection authority expressed annoyance that Google resumed collecting images before a full investigation had been completed. The National Commission on Computing and Liberty (CNIL) said it was "premature" for the company to resume. CNIL ordered Google to stop collecting WiFi data following the company's 14 May admission it had done so via its street cars. Google has said it has removed WiFi equipment from its vehicles and is only collecting images.
Full Story

DATA LOSS—UK

ICO Finds Three Organizations in Breach (August 27, 2010)

The Information Commissioner's Office has found three organizations in breach of the Data Protection Act (DPA). DSG International failed to properly dispose of customer records, CRN reports, after eight customer credit agreements containing financial information were found in a dumpster near one of the company's outlet stores. The company has signed a formal undertaking to prevent future breaches, the report states. Yorkshire Building Society has also signed a formal undertaking after an unencrypted laptop was stolen from an employee's home. Meanwhile, the ICO has also found Royal Wolverhampton Hospitals NHS Trust in breach of the DPA after it lost 100 patient records.
Full Story

PRIVACY LAW—GERMANY

Law Would Forbid Social Networking Research (August 26, 2010)

The New York Times reports German Chancellor Angela Merkel's cabinet yesterday backed a proposed law that would prevent employers from looking at job applicants' social networking activities during the hiring process. Under the law, which now moves to the parliament, employers would still be permitted to conduct general Internet searches regarding potential employees. In addition to forbidding social networking inquiries, the law would also forbid certain employee surveillance in the workplace. German Commissioner for Data Protection and Freedom of Information Peter Schaar called the proposal "a substantial improvement on the status quo in dealing with employees' data." (Registration may be required to access this story.)
Full Story

SOCIAL MEDIA

Boyd: Privacy Is Not Dead (August 26, 2010)

In the MIT Technology Review, researcher Danah Boyd says that the way privacy is encoded into software doesn't match the way we handle it in real life and that, as social media mature, "we must rethink how we encode privacy into our systems." As social media become more embedded in everyday society, Boyd says, "the mismatch between the rule-based privacy that software offers and the subtler, intuitive ways that humans understand the concept will increasingly cause cultural collisions" and users will have to work harder to gain privacy. "Instead of forcing users to do that," Boyd asks, "why not make our social software support the way we naturally handle privacy?"
Full Story

ONLINE PRIVACY

What Is Personal Information? Debate Continues (August 25, 2010)

The debate over what is and is not personal information continues to play out, as witnessed at an event last week in Seattle, WA, where one identity expert asserted that, "The notion that location information tied to random identifiers is not personally identifiable information is total hogwash." The statement led to an exchange about transparency and duplicity in privacy policies, The Register reports.
Full Story

ONLINE PRIVACY—GERMANY

Defining and Defending Privacy (August 23, 2010)

The legacy of the Nazi era and the Cold War has many Germans focused on protecting privacy, the Canadian Press reports, most recently prompting the government to take a stand against Google's plans to unveil its Street View in that country in the months ahead. "We respect people's privacy," said Philipp Schindler of Google, noting, "In Germany, we offer rules for 'Street View' that do not exist in any other countries. Only in Germany can you request your house be omitted before the start." The issues rekindle debate over how to define and defend privacy in the digital age, the report states. According to Berlin's Freie University Prof. Jesko Kaltenbaek, "There is a fear of becoming a 'See-through Citizen' in a totalitarian surveillance state."
Full Story

GEO PRIVACY

Mixed Reactions to Social Network’s Location Feature (August 23, 2010)

The Wall Street Journal reports on reactions to Facebook's new location feature, "Places," which range from concerns about privacy to nods to the company for improvement over past privacy-related issues. Among those who are still concerned about the feature, which allows users to share their physical location and that of friends who have not opted out of Places, is Ireland's Data Protection Commissioner, which has announced it will be monitoring its privacy implications. Facebook has defended the new feature, stating it consulted numerous privacy and safety groups before it went live, the report states. However, advocacy groups including the Electronic Privacy Information Center have said the company has not given users adequate controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

The Failure of Anonymity (August 23, 2010)

In the August issue of the UCLA Law Review, Paul Ohm writes about the ways that advancing computer science has "undermined our faith in the privacy-protecting power of anonymization" in his article entitled, "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization." The article discusses how scientists have learned to "reidentify" or "deanonymize" data, revealing the individuals behind the "anonymous" information. "By understanding this research, we realize we have made a mistake, labored beneath a fundamental misunderstanding, which has assured us much less privacy than we have assumed," the paper's abstract notes, suggesting this error "pervades nearly every information privacy law, regulation and debate, yet regulators and legal scholars have paid it scant attention."
Full Story

DATA THEFT—UK

Customer Data A Hot Commodity (August 20, 2010)

When employees and contractors leave a company, the item they're most likely to steal is customer data, according to a recent survey by IT security company SailPoint. OUT-LAW.COM reports that 52 percent of the 1,065 UK workers surveyed said they would take a former employee's property, with 23 percent of them saying they would take customer data and contact details. A SailPoint executive said the survey shows that employees and companies do not yet treat information as a valuable enough asset. The survey, which asked 1,000 UK employees what they would do if they were given access to a confidential file by mistake found that 57 percent would look at the file.
Full Story

SOCIAL NETWORKING—GERMANY

Generational Divide Defines Sharing or Not (August 20, 2010)

Deutsche Welle reports on generational differences in concerns about privacy. Those under 30 years old, so-called "digital natives," are less concerned about privacy than those over 30, called "digital immigrants," as digital natives have grown up using the technology. "They have grown up watching talk shows and reality TV programs like 'Big Brother,' where nothing is private anymore," said an expert from the German Institute for Internet Communication and Law. The older the user, the less likely he or she is to share information, the report states, adding that digital immigrants more often use social networking sites to check up on children and grandchildren than to share personal information about themselves.
Full Story

HEALTHCARE PRIVACY—UK

Medical Records Found in Car Park (August 20, 2010)

Patient medical records and a blank prescription pad were found in a clinic's car park, the Dudley News reports, and the  breach breaks several data protection laws and regulations. A patient found the papers and turned them over to the newspaper, the report states. Doctors at the practice have apologised for the breach, stating they "will now be looking hard at our processes to ensure this can never happen again." The clinic could face actions by the Information Commissioner's Office (ICO), the report states.
Full Story

GEO PRIVACY

Facebook Launches Places (August 19, 2010)

Facebook yesterday introduced a new geolocation feature that lets users share their locations, The New York Times reports. Called Places, the service allows users to "check in" to a place, allowing friends to see where they are and letting them find nearby friends. Users can also tag friends as being at the place. "This is not a service to broadcast your location at all times," said Places product manager Michael Sharon, "but rather one to share where you are, who you are with, when you want to." Sharon said that users will be able to control who sees their check-ins and remove themselves after being tagged. According to analysts, the company must tread carefully. "Location-aware services, if misused, could...result in catastrophic events." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—GERMANY

Leaders To Convene Summit (August 19, 2010)

Germany is now planning a summit on geographically based Internet services in response to concerns about Google's introduction of Street View in that country, Spiegel reports. Interior Minister Thomas de Maizière said government ministers as well as consumer, data and privacy protection officials and "the companies in question--including, above all, Google" will be invited to the summit, the report states. Meanwhile, Data Protection Commissioner Peter Schaar is calling for greater protection of private data on the Internet, including a federal register to assist those who want to keep their personal information off the Web. According to Justice Minister Sabine Leutheusser-Schnarrenberger, "The current right to data protection needs to finally be adapted for the digital world."  
Full Story

ONLINE PRIVACY

Google CEO Discusses Privacy Trends (August 19, 2010)

In an interview with The Wall Street Journal, Google CEO Eric Schmidt describes a future where the transition from childhood to adulthood could include an option where adults can change their names to protect their privacy later in life. CRN reports on his point of view that "as our private information becomes ubiquitous on the Internet due to postings on social media sites such as Facebook, young people should be entitled to automatically change their name on reaching adulthood." Schmidt also discussed Google's ongoing privacy-related issues across the globe, stating it will do what is "good for consumers" and "fair" to competitors.
Full Story

SURVEILLANCE

With the Sky Watching, What Is and Is Not Private? (August 17, 2010)

A report published in the San Francisco Chronicle describes how "High-tech eyes in the sky--from satellite imagery to sophisticated aerial photography that maps entire communities--are being employed in creative new ways by government officials," which is raising concerns about the loss of privacy rights. From online services providing detailed views of locations across the planet to the use of such technology to monitor compliance with local, state and federal laws, Gregory Nojeim of the Washington, DC-based Center for Democracy and Technology, points out, "As technology advances, we have to revisit questions about what is and what is not private information."
Full Story

ONLINE PRIVACY—EUROPE

Mapping Service Debate Continues (August 17, 2010)

While debate continues in Germany over Google's plan to launch its Street View services in 20 cities there, Spain has become the most recent country to launch an investigation into concerns that Street View data collection violated people's privacy, a Google spokeswoman confirmed. Meanwhile, Google has announced it is seeking a UK Privacy Counsel. The Wall Street Journal reports that polls show a majority of Germans oppose having images of their homes included in Street View. While Google has given residents several weeks to opt out of the service before it goes live, concerns persist that Street View data could eventually be used by some sites in conjunction with other personal information about residents. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Advocates: Net Neutrality Is Necessary (August 16, 2010)

Privacy experts are questioning the impact that moving away from net neutrality, where ISPs are prohibited "from exploiting their role in delivering information to favor their own content or the content of the highest bidders," will have on online privacy. The New York Times reports on privacy advocates' concerns that in a non-neutral Web environment, "the Internet becomes more like a mall--where users are from the start viewed as consumers--and less like a public square." Cindy Cohn of the Electronic Frontier Foundation contends, "The people who are pushing for a non-neutral world are pushing it for monetary purposes," while Columbia Law School Prof. Eben Moglen believes such moves emphasize the business of the Internet at the expense of privacy. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Street View Concerns Persist, Could Pixels Replace People? (August 13, 2010)

Privacy concerns over Google's Street View service prompted South Korean police to raid the company's offices while, a continent away, the UK's Information Commissioner's Office has issued a statement on Street View. In Germany, privacy concerns persist despite the company's offer to give property owners four weeks to opt out of the service before its launch. Officials there are now considering legislation to put more stringent controls on the service. Meanwhile, two U.S. researchers have discovered a way to ghost-out the images of pedestrians captured in street-level photography, InformationWeek reports. Speaking at the recent IEEE International Workshop on Mobile Vision, they suggested it could be a way for Google to address the privacy issues associated with its Street View mapping application.
Full Story

PERSONAL PRIVACY—UK

ICO Concerned About Benefit Fraud Plan (August 13, 2010)

Citing concerns about privacy, Information Commissioner Christopher Graham has requested a meeting with coalition ministers to explain their plans to use credit reference agencies to gather evidence of benefit fraud, The Register reports. In a statement issued Wednesday, Graham said he hopes the government will "hold to the good practice of considering the data protection implications of policies at the earliest stage." Graham indicated it is appropriate to share credit reference data where fraud is suspected, the report states, but stressed, "A common sense approach should be applied to information sharing. This includes letting people know how their information will be processed." Civil liberties groups, meanwhile, are raising concerns that the government's plan will result in a "disproportionate invasion of privacy."
Full Story

GEO PRIVACY

There’s More to That Photo Than Meets the Eye (August 12, 2010)

Geotags embedded in photos and videos taken with GPS-equipped devices are invisible to the casual viewer, The New York Times reports, and that has experts concerned that many people are putting their privacy and security at risk. By looking at geotags and the text of posts, "you can easily find out where people live, what kind of things they have in their house and also when they are going to be away," said Robin Sommer, who authored the recent paper "Cybercasing the Joint: On the Privacy Implications of Geotagging" with Gerald Friedland. Peter Eckersley of the Electronic Frontier Foundation said he believes few people are aware of geotagging capabilities, "and consent is sort of a slippery slope" due to the complexities of disabling such functions. (Registration may be required to access this story.) Editor's Note: See our related story in this month's edition of Inside 1to1: Privacy.
Full Story

SOCIAL NETWORKING

Facebook Working To Fix Privacy Flaw (August 12, 2010)

Following a security researcher's announcement that entering an e-mail address into Facebook's login page with an incorrect password could result in access to the user's name and profile photo, the company has acknowledged it is working on fixing a bug that it says "temporarily prevented" its systems from working correctly. InformationWeek reports on Secfence Technologies CEO Atul Agarwal's discovery that such details could be exposed regardless of user privacy settings. Another researcher found that the site suggested valid user names, profile pictures and e-mail addresses when supplied with an incorrect e-mail address that was similar to a valid one, the report states. A Facebook spokesperson noted, "We are already working on a fix and expect to remedy the situation shortly."
Full Story

DATA PROTECTION

PCI DSS 2.0 Summary Unveiled (August 12, 2010)

The PCI Security Standards Council has released a summary of anticipated changes to the Payment Card Industry Data Security Standard (PCI DSS) and Payment Application Data Security Standard (PA DSS), Bank Info Security reports. The 12 proposed changes are designed to clarify certain aspects of the standards and provide additional guidance, among other aims. There are no new requirements in version 2.0. "The relatively minor revisions are a testament to the maturity of the standards and their ability to protect sensitive data," said council General Manager Bob Russo. A more detailed summary of both will be released in September.
Full Story

PERSONAL PRIVACY—UK

Police Collect PII on Innocents (August 12, 2010)

The Daily Mail reports that police in the United Kingdom are amassing personal details on citizens who call them to report incidents. One police force has compiled data on hundreds of thousands of innocent individuals. The North Yorkshire Police confirmed that the information is retained for a minimum of 15 years and up to 100 years and can be shared with other forces. A spokesperson said, "Data is an essential factor in being effective, which is why we request that individuals who come into contact with [us] provide additional information regarding their date of birth and ethnicity."
Full Story

ONLINE PRIVACY—GERMANY

State Wants to Boost Students’ Internet Savvy (August 10, 2010)

The government of one German state is embarking on an initiative to educate young people about Internet privacy, Spiegel reports. "Many young people are unaware of how many details they reveal about themselves online," said North Rhine-Westphalia media minister Angelica Schwall-Düren. The initiative will bring privacy education into the state's schools. "Our goal is to convey that the Internet...has risks that students should understand in order to exercise autonomy with regards to digital media," Schwall-Düren said. A similar initiative is underway in Bavaria, where elementary school children are learning about the various forms of digital media.
Full Story

PRIVACY LAW—EU

Commission Confirms Directive’s Timetable (August 10, 2010)

The European Commission has confirmed that while it will release plans for a review of the Data Protection Directive this year, the proposed new law itself will not be published until next year. OUT-LAW.COM reports that a spokeswoman has said the commission is taking time to consider 160 responses from public consultations, noting the process could not be a short one because the changes EU Commissioner Viviane Reding is seeking are significant. "Commissioner Reding envisages it as a bit more than simply 'an amendment'... It is rather an overhaul because the idea is to integrate data protection for law enforcement purposes into the new framework," the spokeswoman said.
Full Story

RFID—U.S. & EU

Researchers: Your Tires Can Be Used To Track You (August 10, 2010)

Researchers from Rutgers University and the University of South Carolina have found that the RFID tags used to measure tire pressure on new cars and provide information wirelessly to the car's electronic control unit can be intercepted or even forged, Computerworld reports. Such monitors are currently required in the U.S. and will be required in the EU by 2012. The vulnerability points to what one researcher described as a troubling lack of concern about privacy and security with new software development. With such systems, "people just try to make things work first, and they don't care about the security or privacy during the first run of design," said Wenyuan Xu, adding, however, that consumers "may be willing to pay a few dollars to make their autos secure."
Full Story

ONLINE PRIVACY

Opinion: The Internet Tracking Debate (August 9, 2010)

Following up on last week's investigative report, The Wall Street Journal is exploring "The Great Privacy Debate" around consumer tracking on the Internet. Some advocates are calling for more control of users' online information while others are supporting less intervention on the Web. Jim Harper writes that when it comes to the Internet, "If Web users supply less information to the Web, the Web will supply less information to them." He discounts assertions about "surreptitious" cookies and writes, "people should get smart and learn how to control personal information." Nicholas Carr, however, suggests that the tradeoff between personalization and privacy on the Web poses real dangers--ranging from the potential for criminals to access personal information to a society-wide erosion of privacy. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy Modes Aren’t Always Private (August 9, 2010)

"Don't do anything in privacy mode that you wouldn't do with the boss looking over your shoulder," PCWorld warns in an article examining the potential to discover users' online activities through Web browsers' privacy modes. According to the findings of a trio of researchers from Stanford and Carnegie Mellon, privacy modes used by major Web browsers to "cover a user's tracks" after an online browsing session fail to purge all traces of user activities. Browser add-ons and even secure certificates can undermine user privacy, the report states, "So anyone who knows where to look for it can find it and glimpse into a user's Internet travels."
Full Story

PRIVACY LAW—DENMARK

Think Tank Urges Danish Data Retention Law Repeal (August 6, 2010)

Influential Danish think tank CEPOS issued a policy paper 20 July calling for the repeal of the nation's Administrative Order on Data Retention, which transposed the EU's Data Retention Directive. The law, which took effect in 2007, requires telecoms and ISPs to retain customer communications data for 12 months for the purposes of fighting serious crime and terrorism. According to CEPOS, the law is a "fiasco" which has had a "very limited impact" in its primary aim but has resulted in a "massive registration" of personal data that potentially breaches EU privacy legislation. CEPOS estimated that the law has cost the Danish telecommunications industry around DKK 300 million ($52 million) to implement. (Report in Danish)
Full Story

ONLINE PRIVACY—SWITZERLAND

Street View on the Road Again (August 6, 2010)

An interim agreement between Swiss Data Protection Commissioner Hanspeter Thür and Google is allowing Street View vehicles to be back on the roads, filming in Swiss cities, Swissinfo.ch reports. However, the new photos will not be uploaded until the Federal Administrative Court enters its decision on the lawsuit Thür has filed against Google over privacy concerns. The company is facing a total of 28 legal actions worldwide related to its mapping service. Thür's concerns include inadequate blurring of faces and vehicle registration plates and photos that "did not respect people's private sphere," the report states.
Full Story

PERSONAL PRIVACY—UK

ICO Reminds PIs To Notify (August 6, 2010)

The Information Commissioner's Office (ICO) has issued a release reminding private investigators to notify the office when
they are handling personal information. All organisations that handle personal data are required to notify the ICO under the
Data Protection Act; however, only 1,626 private investigators appear on the public register, the release states. "We want to
work with the industry to ensure all private investigators meet the legal requirement to notify us that they are processing
personal information," said Deputy Commissioner David Smith, stressing that while the ICO is encouraging voluntary compliance,
"we will take action against those who flout the law. The message is very clear--notify the ICO or face regulatory action."
Full Story

ONLINE PRIVACY

Company: No Special Access to Blackberry User Data (August 6, 2010)

Research in Motion (RIM), the company behind BlackBerry smartphones, is rejecting reports that it would allow the Indian government access to user data shared via email and instant messaging. The Guardian reports that India, following bans by the United Arab Emirates and Saudi Arabia, had warned it could block some BlackBerry services based on concerns about encrypted e-mail. RIM has since issued a statement that suggestions it would allow governments to have special access to customers' data were "unfounded." The company has said that its services have been designed "to preclude RIM, or any third party, from reading encrypted information under any circumstances since RIM does not store or have access to the encrypted data."
Full Story

ONLINE PRIVACY

Google CEO Discusses Technology and Privacy (August 5, 2010)

Speaking at this week's Techonomy conference in the U.S., Google CEO Eric Schmidt discussed some of the privacy-related issues spurred by the advent of new and evolving technology. Schmidt's examples included the use of computers and artificial intelligence to identify people from their online photos, CNET News reports, as well as using data collected by location-based services not only to show where people are but to predict where they are going. Schmidt said that technology is good, but the only way to manage the challenges is "much greater transparency and no anonymity" as "true anonymity is too dangerous."
Full Story

ONLINE PRIVACY

Privacy Breaches in the Clouds? Blame the Customer (August 5, 2010)

When it comes to computing in the cloud, the default contract from many major cloud providers puts the onus for any privacy problems on the customer--even if the provider is at fault for the breach, Steven J. Vaughan-Nichols writes in a report published in the San Francisco Chronicle. "You should ask questions about data security and privacy during the preliminary stages, even before you get to the contract," warns Tanya Forsheit, CIPP, of Info Law Group. "You should ask them what kind of privacy and security controls they have, whether they'll let you audit their security and what they will agree to in regards to liability." Vaughan-Nichols notes that "when it comes to cloud computing, it's better to be safe than sorry regarding both the legal and technical issues." Editor's Note: This year's Privacy Academy will feature multiple breakout sessions related to cloud computing.
Full Story

PRIVACY LAW—EUROPE

EU Data Protection Directive Revision Postponed (August 4, 2010)

The French Data Protection Authority (CNIL) announced that the European Commission has decided to postpone proposed revisions to the EU Data Protection Directive until next year. The Hunton & Williams Privacy and Information Security Law Blog reports that although EU Commissioner Viviane Reding had previously announced that a proposal for the revisions would be presented this November, several data protection authorities have requested additional time to address such issues as challenges to personal data protection. The European Commission will outline its plans this year for action later, The Register reports, quoting a commission spokeswoman who said, "This will be the first step for a legislative proposal that will then follow in the course of the next 10 months."
Full Story

ONLINE PRIVACY

Citizens, Activists Denounce Nations’ Internet Monitoring (August 4, 2010)

Across the globe, critics believe governments have been engaged in a "surveillance land-grab" when it comes to online information, The Christian Science Monitor reports. The article examines such recent developments as a lawsuit in Ireland challenging the EU's efforts to collect and store personal data, the UAE's plan to ban BlackBerry use unless it can monitor user information and a push in the U.S. to allow the government access to browser histories and e-mail addresses without judicial oversight. "Online privacy has become a key civil liberty battleground," the report states, noting that across Europe, for example, "a backlash against the storage of private data is growing."
Full Story

ONLINE PRIVACY

Researchers Propose “PseudoID” for Web Logins (August 4, 2010)

Google researchers are proposing using a system called "PseudoID" to protect the privacy of Internet users, InformationWeek reports. A paper presented at a conference in July describes how the system would use blind cryptographic signatures to generate pseudonyms that would allow the users to be authenticated to log into Web sites without being identified. Under current sign-on systems, the researchers note, user login information is passed through an identity provider, presenting privacy risks. Should PseudoID be adopted, the report notes, online identity providers would be prevented "from amassing information about Internet users that could harm user privacy if exposed."
Full Story

FINANCIAL PRIVACY—EU & U.S.

SWIFT Agreement Takes Effect (August 3, 2010)

The U.S. can now access the details of European bank transactions to be used in the effort to fight terrorism as the SWIFT agreement went into effect August 1. Deutsche Welle reports that the U.S. will be able to demand information about transfers that take place between the EU and the rest of the world with requested data to be sent in bulk packages to the U.S. Some members of the European Parliament remain concerned that the revised agreement poses a risk to the privacy of innocent individuals. MEP Jan Philipp Albrecht, for example, believes the agreement represents "a step backwards for negotiations for comprehensive privacy rights in international security operations."
Full Story

PRIVACY LAW—SPAIN

Spain Asks EU To Review Data Protection Law (August 2, 2010)

The Spanish Supreme Court is asking the European Court of Justice to review the country's Data Protection Regulations to determine whether they are compatible with the EU's Data Protection Directive, Expansión reports. The Spanish Supreme Court agreed to submit a preliminary question to the European Court of Justice in a case brought on behalf of the Spanish Digital Economy Federation (FECEMD), according to a release from the Madrid office of Bird & Bird LLP. "In the last years, we have witnessed a number of companies deciding to stop operations in Spain due to the strict regulations and strict approaches of the Spanish Data Protection," said Javier Fernandez-Samaniego of Bird & Bird, noting the goal is "harmonization of data regulations in Europe." (Article in Spanish.)
Full Story

ONLINE PRIVACY

Did Last Week Mark the End of Privacy? (August 2, 2010)

CNET News reports on a conversation between media industry pundit Jeff Jarvis and Danah Boyd of Microsoft that took place at the Supernova conference in Philadelphia, PA, last week. Both speakers weighed in on privacy in the framework of social networking, the government and the media. Boyd noted security, protection of PII and avoiding embarrassment as reasons people tend to uphold privacy, while Jarvis warned that alarmism over privacy may cause people to miss "getting to the benefits of publicness that the Internet makes possible." Meanwhile, a Telegraph blogger writes about online data sharing, questioning whether the "end of privacy" has come.
Full Story