European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

ICO To Fine Companies in Breach of DPA (September 30, 2010)

The Information Commissioner's Office says it is in the process of imposing fines against two organizations found to be in breach of the Data Protection Act, reports V3.co.uk. "This will be a landmark moment in ensuring that firms take data protection seriously," said Deputy Information Commissioner David Smith, adding that his office will now actively use its fining powers. The office has been criticized in the past for not using such powers, the report states. Smith added that businesses should provide users with transparent privacy settings that at least provide a minimal layer of protection.

ONLINE PRIVACY

Apps That Overshare (September 30, 2010)

According to a study conducted by Duke University, Penn State and Intel Labs, of 30 applications for the Android smartphone studied, two-thirds exhibited "suspicious handling of sensitive data." InfoWorld reports that 15 of the applications sent users' geographic location to remote advertisement servers, even if users had specified that the app only access that data to unlock location-based features. According to the study, the loophole exists because apps have only "coarse-grain controls" for accessing personal information, but few regulations over how the data can be used.

BEHAVIORAL TARGETING

Web Analytics Code of Ethics (September 30, 2010)

The Wall Street Journal interviewed Eric Peterson and John Lovett of consulting firm Web Analytics Demystified about their efforts to create a code of ethics for Web analysts to clarify "what this stuff can be used for, and more importantly, can't be used for." The consultants credit a recent WSJ series, "What They Know," for opening their eyes to the fact that there was no "consistent platform" for the field. The pair has proposed the creation of a certification program which could grow to become a trustmark. (Registration may be required to access this story.)

IDENTITY THEFT

Study: Fewer Headlines Means Fewer Fears (September 30, 2010)

Forbes reports on a study released this week showing that about 25 percent of consumers now subscribe to identity theft protection services, down 42 percent since 2008. The reasons for the drop are tight budgets and a lack of major data breach headlines over the past year, according to analyst Robert Vamosi. Though the number of breaches this year is still expected to rise, the number of individual records breached has fallen more than 90 percent compared with last year due to the lack of a major breach exposing thousands or millions of records at one time. "Without those massive attacks and the headlines that follow, concerns about identity fraud are lessened," Vamosi said.

DATA LOSS—UK

Law Firm Alleged To Have Exposed Data (September 29, 2010)

The Information Commissioner's Office (ICO) is investigating a breach involving the personal data of 10,000 people, reports eWeek. The firm ACS:Law is at the center of the investigation due to allegations that the firm exposed the data on its Web site. ACS:Law has been tracking Internet users suspected of illegal file sharing, according to the report. On Monday, Privacy International announced that it is planning legal action against the firm for the breach. The ICO said it will be contacting the firm "to establish further facts of the case and to identify what action, if any, needs to be taken."

ONLINE PRIVACY

Rosen Discusses Challenges, Solutions (September 29, 2010)

In an interview with Bank Info Security, Jeffrey Rosen, author of The Naked Crowd and past IAPP keynote speaker, outlines privacy challenges for individuals and corporations, the evolution of privacy as a worldwide concern and what the future may hold. According to Rosen, the biggest threat to privacy is "the fact that the Internet never forgets." What people want, he says, "is the ability to control their entire reputation, which in the end is an unrealistic hope but an understandable one." Rosen says expiration dates for online information are the best approach. "Inevitably we are going to make mistakes and say things we shouldn't and reveal things we shouldn't. The question is, how do we escape from these errors?"

SOCIAL NETWORKING

Patient Data Sharing Spurs Concerns (September 29, 2010)

Even as medical identity theft becomes more prevalent, some patients are voluntarily posting their personal medical details on healthcare-related social networks, DarkReading reports. And while some divulge the information (diagnoses, medications, locations) readily, some experts worry that other patients are participating under the mistaken assumption that their posts are anonymous, thereby making themselves vulnerable to social engineering and other attacks. Nitesh Dhanjani of Ernst & Young says a patient's identity could be ascertained by linking it to data posted on other social networks. "We know...that with one handle and any one piece of data you have in Facebook, you can easily connect the dots and link everything up," Dhanjani said. (For more on patient data sharing, see the article "Health Information-Sharing Environment" from the September 2009 issue of Inside 1to1: Privacy.)

IAB Publishes New Code of Conduct (September 24, 2010)

OUT-LAW.COM reports that the Interactive Advertising Bureau (IAB) has launched a new code of conduct to govern behavioural retargeting, where companies advertise to users who have recently viewed their Web sites but not made a purchase. The code, which members of the IAB must follow, suggests a 48-hour limit on technologies that track users after they've left a Web site and that sites should disclose the fact that they use the technologies. Privacy advocates have raised concerns about tracking technologies because of their ability to retain user data. The ICO said such technologies are not illegal or unfair, but that it's good practice to allow for their disabling.

HEALTHCARE PRIVACY—UK

BMA Wants Tighter Standards (September 24, 2010)

The British Medical Association in Scotland on Wednesday called for better safeguards for patient data, Computerworld reports. "The ease with which patient information can now be shared challenges us to come up with new ways of protecting information they have shared with us," said Dr Alan McDevitt, deputy chairman of the BMA's Scottish General Practitioners Committee. McDevitt said the BMA supports the Clinical Portal Technology project, but the group is concerned about access and verification controls. "With the growing use of electronic patient records, it is essential that we know who has looked at which records and when, so we can ensure only appropriate access."

ONLINE PRIVACY—GERMANY

Citizens Say No to Mapping Service (September 24, 2010)

Several hundred thousand people have asked Google to remove their home from its Street View mapping service, The New York Times reports. The deadline for opting out of the service in Germany is 15 October. Germany has expressed more resistance than any of the other 20 countries where Street View is offered, which Reuters' Brian Rohan says is due to "the memories of the role played by the Nazis' Gestapo and the East German Stasi secret police." Meanwhile, Germany's government has told the companies behind online mapping services to come up with guidelines on data protection by December or face regulations. (Registration may be required to access this story.)

DATA LOSS—UK

Trust Loses USB stick (September 24, 2010)

The Information Commissioner's Office (ICO) has found East & North Hertfordshire NHS Trust to be in breach of the Data Protection Act after an unencrypted USB stick containing sensitive personal data was lost on a train. The USB stick contained details on patients' conditions and medications and has not yet been recovered. An ICO investigation revealed that the trust's policies on the use of personal USB sticks were not clear and that no technical measures were in place to prevent misuse of portable devices. The trust has signed an undertaking to improve security measures. ICO Head of Enforcement Mick Gorrill said, "Storing sensitive personal data on unencrypted data sticks is a risk trusts should not be willing to take."

ONLINE PRIVACY—ITALY

Garante Blocks Payload Data Processing (September 24, 2010)

The Italian Data Protection Authority (IDPA, or Garante) has ordered Google to block any processing dealing with the so-called payload data collected during Street View recording. In the same resolution, published on the IDPA's official Web site on Tuesday, the Garante asked the public prosecutor's office to assess possible criminal aspects connected to this kind of data processing. In Italy, data protection legislation (i.e., Legislative Decree no. 196/2003), based on EU Directive 95/46/EC, is backed by administrative, civil and criminal sanctions. (News in Italian.)

French DPA Updates Anti-Spam System (September 24, 2010)

The Commission Nationale de L'informatique et Des Libertés (CNIL) has launched a new version of its Signal Spam system, Telecompaper reports. CNIL describes the system as unique because it unites all of the actors of the e-mail ecosystem, business and operators, professional associations and public authorities, the report states. The CNIL system is free to users and aims to stop spam at the source by finding those who send it and reporting it to the Internet user community for action. CNIL President Alex Türk encouraged consumers to use the system and said that the authority keeps a list of the most active spam drives every month.

ONLINE PRIVACY—GERMANY

Correcting Data Privacy Problems in Online Games (September 24, 2010)

On 14 September, the Independent Center for Privacy Protection in Schleswig-Holstein released a study about data privacy in online games. Commissioned by the German Ministry for Education and Research, the study examines the extensive practice of collecting personal data from users of online games. On the basis of findings that data is being collected without notice and without legal basis, the study sets forth practical guidelines and instructions for creating, publishing and operating games in accordance with data privacy protections found in German law. Additionally the study informs online game users about their data privacy rights. (Article in German.)

PRIVACY LAW—EUROPE

Commissioner: Self-Regulate or Face Intervention (September 23, 2010)

Online advertisers and technology companies must act quickly if they want to avoid regulation, European Digital Commissioner Neelie Kroes said recently. At the European Roundtable on the Benefits of Online Advertising for Consumers in Brussels last week, Kroes said the industry should adopt four key principles of self regulation to enhance users' trust in the online economy, The Financial Times reports, including notice of personalized ads and opt-in affirmation for cookies. "The alternative is a more interventionist approach. If you don't want to see that, then you need to act quickly and responsibly," Kroes said, adding that "What is helpful to one citizen is an invasion of privacy to another." (Registration may be required to access this story.)

ONLINE PRIVACY—CZECH REPUBLIC

Gov’t: No Street View, Cites Privacy Concerns (September 23, 2010)

Igor Nemec, head of the Czech Office for Personal Data Protection, said Wednesday that privacy concerns led to the decision to reject Google's request to expand its Street View online mapping service. Nemec said the Street View cameras were positioned too high and could see over fences and into people's homes and that, while gathering the data, Google uses technology that "disproportionately invades citizens' privacy," reports the Associated Press. Google said it takes people's privacy into consideration when positioning cameras and that it will remove any disputed images. The company will not collect more data in the region until the problem is resolved.

PERSONAL PRIVACY

Contributing to the Digital Universe (September 23, 2010)

"In your daily life, there are dozens of ways you transmit personal information--without ever logging on to a computer," writes Jason Magder for The Montreal Gazette. Magder notes that the information acquired daily by digital television boxes, RFID chips, vehicle GPS systems, loyalty cards, credit card companies and others amasses "digital shadows." These digital shadows make up about 70 percent of the "digital universe," according to technology consulting firm IDC's annual study measuring the size of that universe. "It's startling now how much information people can collect about you if they know how to use the right online databases and search engines," said Colin McKay of the Office of the Privacy Commissioner of Canada.

DATA PROTECTION

As Apps Multiply, How Will Privacy Apply? (September 23, 2010)

End-user software for mobile phones, or "apps," are on their way to becoming more popular than the Internet itself, some predict. Developed by teenage amateurs and billion-dollar companies alike, apps are capable of performing limitless tasks, from computing billing services to monitoring health information to forecasting the weather. But privacy advocates say apps come with risks to consumer privacy, as the data they solicit for use is managed by those who may or may not have experience in data protection or knowledge of privacy law. Some are calling for industry to get ahead of those risks, while others say the app developers themselves must take responsibility.

TRAVELERS’ PRIVACY

EU: Limit Passenger Data Shared With Other Countries (September 22, 2010)

The European Commission is focused on strengthening privacy rules for the sharing of air travelers' personal information with the U.S., Australia and Canada, EUobserver reports, and on limiting the use of such data "exclusively to fight terrorism and serious transnational crime." New agreements are set to be negotiated with the three countries to replace those that have been deemed to lack appropriate privacy safeguards by the European Parliament. "PNR transfers have been going on for 60 years," said European Commissioner Cecilia Malmström, noting, "carriers are obliged to do it, otherwise they can't land. But we want legal clarity for passengers and to embed it with as many data protection provisions as possible."

ONLINE PRIVACY—GERMANY

New Privacy Rules To Be Introduced (September 22, 2010)

Germany plans to introduce a new privacy code this December to balance privacy concerns with online services, The Wall Street Journal reports, and has asked Internet firms to submit suggestions for self-regulation. "I expect the services to commit to strong privacy rules," said Interior Minister Thomas de Maizière. The announcement follows recent controversy around the introduction of street-level mapping applications such as Google's Street View, the report states. A Google spokeswoman has said the company is looking forward to taking part in "constructive conversations" about the issues, and that, "Any future legislation must make sure that in addition to the requirements of data protection, the development of innovative business opportunities and modern technology are allowed to flourish." (Registration may be required to access this story.)

ONLINE PRIVACY

Cookies Slip Through Loophole (September 20, 2010)

The New York Times reports on the results of a Carnegie Mellon University (CMU) study that reveal that "large numbers of Web sites...appear to be using a loophole that circumvents Internet Explorer's ability to block cookies."

PRIVACY

Wolf Examines the Politics of Privacy (September 20, 2010)

Christopher Wolf of the Future of Privacy Forum begins his feature for Israel's Haaretz Newspaper discussing the past harms that have come from personal information landing in the wrong hands, writing of the tragedy of the Holocaust and its influence on EU data protection and the EU's view that the U.S., despite laws and regulations intended to protect privacy, still lacks "adequate protection" for personal data. By contrast, he writes, Israel has earned the recognition of the EU's Article 29 Working Party, continuing on to question the recent block of EU data transfers to Israel by Ireland. "International cooperation to promote privacy, which is essential in our information society, used to be fairly immune to politics," he writes, suggesting, "In the end, privacy is too important to be politicized."

ONLINE PRIVACY—EUROPE

Businesses Attempt To Address EU Cloud Concerns (September 20, 2010)

The move to cloud computing is facing obstacles in Europe, where the definition of personal data is much broader than in other parts of the world, The New York Times reports. "European governments fear that personal information could fall prey to aggressive marketers and cybercriminals once it leaves the jurisdictions of individual members," the report states, noting that the EU's strict privacy laws place "rigid limits on the movement of information" outside of its 27 member countries. Some U.S. businesses, however, are developing new methods to make cloud computing work within Europe's complicated legal landscape, including new forms of encryption and ways to let individuals choose the degree of privacy on each part of their personal information in the cloud. (Registration may be required to access this story.)

PRIVACY

TPP Seeking Research Grant Proposals (September 20, 2010)

The Privacy Projects (TPP) has announced that its Winter 2010 Research Grants competition proposals are due October 29, with awards ranging from $25,000 to $100,000 per project. According to TPP, the goal of the grant program is to "advance practical and effective research relating to information and privacy governance to inform the transition we believe is underway from traditional regulatory models to emerging frameworks of demonstrated accountability and responsibility." The TPP Board of Directors is encouraging grant applicants to submit proposals addressing such areas of emphasis as legislative reforms, organizational data governance programs and consumer privacy compliance. Questions on the program may be e-mailed to TPP.

CHILDREN’S PRIVACY—ITALY

Privacy Authority OK with Child Abuse Database (September 17, 2010)

Italy's privacy authority says a national database designed to tackle paedophilia and child pornography is legal under data protection laws, Life In Italy reports. Privacy Authority chief Mauro Paissan said last week that proposals drawn up by the Equal Opportunities Ministry comply with the law, but he stressed that the database should be sure to protect victims' identities. The project awaits a feasibility report to be conducted by the ministry. It has been in the works since the establishment of the Paedophilia and Child Pornography Observatory in 2006. The privacy authority has called for data transfers to be encrypted and for information, including victims' names, to be stored using codes to prevent identification.

PRIVACY—GERMANY & U.S.

A Private-Public Balancing Act (September 17, 2010)

Jeff Jarvis writes in The Faster Times on comments at a recent event in Berlin, Germany, where Schleswig-Holstein Data Protection and Privacy Commissioner Thilo Weichert continued a trend that began earlier this summer of calling out nations and industry on privacy concerns. Weichert, who previously called for the European Commission to walk away from the U.S. safe harbor principles, is quoted as saying that those who are "stupid enough" to use Google "don't deserve any better." Jarvis writes that while Weichert suggests privacy should be the default, there is merit to "publicness" and a "balancing discussion" is what is needed "so people know they have a choice and protect that choice."

DATA PROTECTION—UK

Data Loss Insurance Policies on the Rise (September 16, 2010)

Organizations are increasingly looking at insurance to augment their data security systems, according to a new survey, though UK companies do not plan to increase spending on such systems as quickly as other countries.

ONLINE PRIVACY

Web’s Creator: Mobile Devices Require Privacy Rethink (September 16, 2010)

The Internet's creator believes that mobile devices will continue to evolve and pose new privacy challenges, Sarah Perez notes in a report for ReadWriteWeb. Speaking at a conference on Wednesday, Sir Tim Berners-Lee shared concerns around the development of mobile technologies, noting that geolocation features are the "tip of the iceberg," and such devices may eventually be able to monitor everything from where users are to how they feel. "The problem that has not been worked out yet is how to allow a user to share their location while still making it easy for them to understand when they're sharing critical information, how much control they have over that information and who can access that data," Perez writes.

HEALTHCARE PRIVACY—UK

NHS Employee Pleads Guilty to Viewing Files (September 16, 2010)

An NHS IT manager has admitted to illegally accessing the medical records of patients, including his friends and family, This is Hull and East Riding reports. The 22-year-old male pleaded guilty to seven counts of breaching the Computer Misuse Act 1990 for accessing the files 431 times without authority, the report states. He will be sentenced next month. A spokesman for NHS Hull called the defendant's actions a serious breach of trust. "We welcome the fact a successful criminal prosecution has been brought and that a custodial sentence is being considered. It sends out a powerful message to NHS staff and the healthcare community about the importance of data protection."

ONLINE PRIVACY

Site Engineer Fired for Accessing Accounts (September 15, 2010)

A Google site reliability engineer has been fired for violating the company's privacy rules for allegedly improperly accessing accounts belonging to several teenagers, PCWorld reports. Site reliability engineers have access to databases that contain e-mails, chat logs and other files that belong to Google users, the report states. "We dismissed David Barksdale for breaking Google's strict internal privacy policies," Google Senior Vice President Bill Coughran said in a statement, noting, "We carefully control the number of employees who have access to our systems, and we regularly upgrade our security controls...That said, a limited number of people will always need to access these systems if we are to operate them properly--which is why we take any breach so seriously."

ONLINE PRIVACY

What Should Be Forgotten, Protected? (September 15, 2010)

Privacy was one of the key policy issues discussed at the UN-sponsored Internet Governance Forum held in Lithuania this week. Larry Magid writes in The Mercury News on the event's panel on the future of privacy, the "right to be forgotten" and the discussion of whether personal information should have an expiration date. The report also looks at what Magid describes as the dichotomy in U.S. law that assigns a higher level of privacy protection to data stored on a home or office computer than to data stored on any type of Internet-based system such as Web mail. "The 'cloud' is, for all practical purposes, an extension of your desktop computer," he writes, "so providing the government with easier access to cloud data than data stored on personal hard drives makes no sense."

ONLINE PRIVACY—CZECH REPUBLIC

Authorities Reject Street View Request (September 15, 2010)

For a second time, the Czech Office for Personal Data Protection (UOOU) has rejected Google's request to collect information necessary to complete the photo imaging for its Street View mapping service. Reuters reports that UOOU spokeswoman Hana Stepankova said the ruling doesn't ban Google from using photos it has already taken, and that if the company can ensure that the process can be done legally, the office may consider reversing its decision. While Google can publish only blurred images of individuals in the Czech Republic, the parties have not resolved whether it can include non-blurred images of car license tags and building facades, reports The Wall Street Journal. According to the report, Czech authorities are scheduled to release more information at a press conference on September 22.

PRIVACY

Protecting Customer, Employer and Supplier Privacy (September 15, 2010)

Speaking before the CSO Security Standard, GE Chief Privacy Leader and Senior Counsel Nuala O'Connor Kelly, CIPP, began with the question of what privacy is. The answer, NetworkWorld reports, is the right and ability to control how your personal information is used. With issues ranging from the privacy implications of social networking posts by employees to the use of mobile devices for both work and personal activities, companies face significant privacy challenges. "The trick for GE is the same as it is for most organizations--how to achieve security without setting off animosity someone might feel about being violated," the report states, noting O'Connor Kelly believes GE's move to create a partnership between its legal and IT security divisions has made a significant difference.

PRIVACY

Researchers to Create a Privacy Dictionary (September 15, 2010)

Researchers at four universities in the UK are working to create an automated privacy dictionary to assist researchers studying privacy. Disputes on what criteria belong to the concept of "privacy" have hampered research thus far, according to the paper's abstract. "The lack of a clear definition or consensus on privacy, along with the need to avoid priming questions, suggests that without methodological tools that help capture a nuanced and broad perspective on privacy, privacy-related content may end up being ignored in favor of more easily coded themes," the report states.

ONLINE PRIVACY

Researchers: Promises Fall Short in Compact Policies (September 14, 2010)

The longtime tenets of know-say-do have been incorporated into the development of many privacy policies. According to the findings of a recent Carnegie Mellon University study, when it comes to the compact policies (CPs) created for the Platform for Privacy Preferences (P3P) protocol, industry may be falling short of doing what it says it is doing.

PERSONAL PRIVACY

Do Egyptian Mummies Have Privacy Rights? (September 14, 2010)

The assumption that ancient corpses are fair game for science is beginning to be challenged, NewScientist reports. The strict ethical guidelines that apply to human research don't extend to Egyptian mummies, which disturbs anatomist Frank Rühli and ethicist Ina Kaufmann of the University of Zurich, who say such research produces personal information including family history and medical conditions and doesn't allow for patient consent, the report states. The rights of the deceased individual must be considered and weighed against the knowledge attained by the research, Rühli says. Some regions classify such information as personal. In New Zealand, information about how someone died is considered personal data, and in the European Union, information about the deceased is considered personal if it can reveal something about living descendants.

PRIVACY LAW—SWITZERLAND

Court: Illegal File Sharers’ IP Addresses Private (September 13, 2010)

The Register reports on a Swiss Federal Court ruling that the collection of illegal file sharers' IP addresses is a violation of the law. The ruling backs Switzerland's data protection commissioner's assertion that Logistep's collection of sharers' IP addresses violates the country's data protection act.

ONLINE PRIVACY

Cookie Questions Persist (September 13, 2010)

The Wall Street Journal recently asked for questions from readers on technology and privacy, and a key question on many readers' minds, the report states, is, "Does deleting cookies force trackers to start over, or do they just pick up where they left off, combining the new with the old?" Jules Polonetsky, CIPP, of the Future of Privacy Forum explained that when consumers delete all cookies and later enable them, tracking companies generally can't associate the data from the newly enabled ones with the old ones. "You deleted that number that the advertising company or Web site recognizes you by," he said, explaining that when users return, "they will assign you a new number and generally are not going to have a link between the new and the old." (Registration may be required to access this story.)

PRIVACY—GERMANY

Germans Gather to Protest Government Database (September 13, 2010)

Some 7,500 Germans gathered in Berlin this weekend to express concerns about personal data privacy, AFP reports. The protestors, comprised of civic organizations and political parties gathered under the name "Liberty Instead of Fear," denounced a government database that will collect information on wages, taxes and social payments, the report states, as the government and companies increasingly accumulate personal information in large databases. The protest follows strong opposition to Google's Street View mapping service. The company has since given German citizens the opportunity to have images of their homes and businesses pixelated prior to the service's launch online.

SOCIAL NETWORKING

Facebook Founder Talks Privacy (September 13, 2010)

In a feature published in The New Yorker, Jose Antonio Vargas shares a conversation with Facebook founder Mark Zuckerberg that touched on issues related to privacy. Referencing recent privacy controversies involving the company and its privacy settings, Vargas writes that Zuckerberg told him privacy is the "third-rail issue" online. "A lot of people who are worried about privacy and those kinds of issues will take any minor misstep that we make and turn it into as big a deal as possible," Zuckerberg reportedly said, adding, "We realize that people will probably criticize us for this for a long time, but we just believe that this is the right thing to do."

PRIVACY LAW—TURKEY

Privacy Rights Voted In (September 13, 2010)

Turkish voters on Sunday approved 26 amended articles to their constitution, including one that expands privacy rights, Reuters reports. According to the report, 58 percent voted to approve the amendments. Article 20 of the referendum makes individuals' personal information accessible only with the individual's permission or in certain legal circumstances. The changes are being called a step towards full democracy by the government, while the opposition has concerns that the changes take power away from the courts.
Full Story

PRIVACY LAW—UK

ICO Warns Estate Agents To Notify (September 10, 2010)

The UK Information Commissioner's Office (ICO) is warning lettings and estate agents of their legal obligation to notify the ICO that they are handling people's personal information. According to an ICO press release, only a small percentage of industry members are registered, despite the Data Protection Act requirement for all organizations handling personal information to register with the watchdog. The ICO has written to professional bodies, urging them to encourage their members to notify. ICO Head of Enforcement Mick Gorrill said, "We want to work with the industry to ensure all property agents meet the legal requirement to notify us." If the encouragement is ignored, said Gorrill, "we will take action against those who flout the law."
Full Story

ONLINE PRIVACY—UK

ICO Rebukes TalkTalk, Company Responds (September 10, 2010)

The Register reports that Information Commissioner Christopher Graham has rebuked TalkTalk for tracking customers' movements across the Web without notifying them. The ICO sent a letter to the company in July, expressing dismay that during a trial of its anti-malware system, it not only tracked customers' movements but also failed to mention the activity to ICO officials during meetings with them. "I am concerned that the trial was undertaken without first informing those affected that it was taking place," Graham wrote. A TalkTalk spokesperson told OUT-LAW.COM that the company is confident it did not breach privacy laws.
Full Story

PRIVACY LAW—SWITZERLAND

Court: File Sharers’ Privacy Infringed Upon (September 10, 2010)

The Swiss supreme court has ordered a company to stop collecting information on suspected illegal file sharers, saying the practice breaches sharers' privacy rights, The Associated Press reports. Logistep AG's distribution of file-sharers' information to film and music companies seeking to protect their copyrights is a significant infringement of privacy rights, a Lausanne-based Federal Tribunal said in a Wednesday ruling. The information distributed included IP addresses, which the court said are protected by Switzerland's strict data protection laws.
Full Story

ONLINE PRIVACY—GERMANY

Schmidt Addresses Street View Concerns (September 10, 2010)

Google CEO Eric Schmidt spoke to the German publication Bild on Thursday, inviting Germans to use Google's street-level mapping service, Street View. "I can understand the worries very well," said Schmidt. "But we firmly believe that Germans will love Street View and will be convinced after they have used it." The Local reports that Google plans to add Germany's 20 largest cities to Street View, which currently includes cities in 23 countries. In answer to regulators' pressure, the company now offers German citizens the opportunity to have images of their homes and businesses pixelated prior to the launch. "I visited East and West Berlin before the Wall fell," said Schmidt. "I know what many Germans had to go through, and I have the greatest respect for the fact that your privacy is so important because of your historical experiences."
Full Story

RFID—GERMANY

Report: Government ID Cards Not Secure (September 10, 2010)

The public broadcasting show "Plusminus" will on Tuesday air an episode reporting that new government ID cards are susceptible to hacking, reports The Local. Teaming up with a hacker organization, the show tested the home scanners that will accompany the cards and are necessary for processing personal data for official business on home computers. The report states that the tests found that scammers would be able to extract personal information from the machines. The interior minister, during an interview with the show, said he sees no reason to act on the matter, while the Federal Office for Information Security rejected the claim, saying the card is secure, and the new security measures are a "significant security improvement compared to today's standard process of user name and password."
Full Story

ONLINE PRIVACY

Expert: Privacy is Worth Paying For (September 9, 2010)

Following up its report on startup companies focused on privacy protection, The Wall Street Journal has published a Q&A with Eugene Kuznetsov, a former IBM executive and cofounder of the online privacy company Abine. Kuznetsov notes that one of the key opportunities for privacy protection companies is to "alleviate some of the confusion around privacy." A key component of getting people to use such services is trust, he said, which is built in businesses where the consumer is the paying customer. Looking to future issues in privacy protection, Kuznetsov points to the use of e-mail addresses to log into Web sites, noting, "if every one of the hundred sites online that you log into has your one unique e-mail address as the login, they can track you now across sites. They don't need a cookie." (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING—UK

Ad Regulator Latest To Monitor Online Marketing (September 8, 2010)

The Advertising Standards Authority of Britain, an industry-financed body that operates independently of the government to monitor advertising in the UK, has announced it is extending its oversight to social networks, company sites and other nontraditional digital marketing activities, The New York Times reports. The announcement follows similar moves in more than a dozen European countries, the report states, as well as the release of guidelines by the U.S. Federal Trade Commission for marketing via social media and blogs in that country. The Advertising Standards Authority will include particularly tough sanctions, the report states, as "marketers, ad agencies and Internet companies are eager to demonstrate that 'self-regulation' can protect consumers at a time when the future of marketing is under scrutiny." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Q&A with Microsoft’s CPO (September 8, 2010)

The Inquirer discusses online trust with Microsoft Chief Privacy Officer Brendon Lynch, CIPP. Lynch has been part of Microsoft's privacy team since 2004. In the interview, he discusses the company's move to offer tokenized authentication. He hopes the company's U-Prove technology, which he says brought to life the bridging of offline and online identities, will be built widely into identity technologies. "There's a need for rethinking and thinking deeply about how identity is dealt with online," Lynch said. "In certain situations, you want high assurance and strong authentication--for example, healthcare, when it moves online." Lynch is on the IAPP board of directors.
Full Story

ONLINE PRIVACY

Google Updates Privacy Policy, Settles Buzz Suit (September 7, 2010)

Google has reached an $8.5 million settlement in a class-action suit regarding its Buzz social-networking feature, PC Magazine reports. The agreement includes an acknowledgment that the company has addressed the privacy issues and the creation of a fund for "existing organizations focused on Internet privacy policy or privacy education," the report states. The settlement was released on the same day that the company announced it will simplify its privacy policies--cutting the length of the policies by 22 percent. "To be clear, we aren't changing any of our privacy practices," Google officials wrote in the company's official blog, noting "we want to make our policies more transparent and understandable." However, Marc Rotenberg of the Electronic Privacy Information Center is questioning whether the changes will be good for Google users. The revisions go into effect October 3.
Full Story

DATA THEFT

FIFA Fans’ Personal Information Stolen, Sold (September 7, 2010)

A criminal investigation has been launched into the theft and sale of personal details of as many as 250,000 individuals from the U.S., UK, Switzerland, Portugal, the Netherlands, Poland, Italy, Germany, France, Spain and Croatia who purchased tickets to the 2006 World Cup from official FIFA outlets, the Daily Mail reports. The information, which includes passport details and dates of birth, was sold for as much as £500,000 (USD$765,132). "The unlawful trade in people's personal information is a criminal offense under the Data Protection Act," Mick Gorrill of the UK's Information Commissioner's Office said over the weekend, noting the office will be working with FIFA and international data protection authorities in the investigation.
Full Story

ONLINE PRIVACY—EU & U.S.

Regulators Raise Cloud Concerns (September 7, 2010)

Concerns about the Safe Harbor Framework voiced recently by Schleswig-Holstein Data Protection Commissioner Thilo Weichert illustrate the importance of developing transparency and standardized policies in the cloud computing market, ReadWriteWeb reports. Referencing a report from the Information Law Group that, despite the German regulator's concerns, there is no "imminent danger of a European crackdown," the report points to questions that still remain about protecting personal information in the cloud. "European authorities have a reputation for strict data protection requirements. That's not going to change," the report states. "It's just a question what effect the law will have on the technology itself as privacy takes center stage."
Full Story

PRIVACY LAW—EU

Commission Wants New PNR Data-Sharing Mandates (September 3, 2010)

The European Commission is planning to seek new mandates to negotiate the conditions for the transfer of information about airline passengers to countries outside the EU, the European Voice reports. The commission is expected to seek the European Parliament's approval and that of the Council of Ministers this month to avoid "previous battles with MEPs over international data-sharing," the report states. The agreement would address how the European Commission and EU member states would react when individual passenger data stored in airline reservation systems is requested by countries for security purposes. There are concerns that without an agreement in place, individual deals with foreign governments that would not meet the EU's privacy standards could come into play. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Tech Companies Lobby for Single Data Retention Standard (September 3, 2010)

Some of the world's largest technology companies are urging the EU to create a single standard for data retention, Deutsche-Welle reports. The European Commission's tasks this fall include preparing a draft of its new "Digital Agenda," which includes the goal of establishing a digital equivalent of the "single market" that already exists for goods and services, a goal that would specifically affect "cloud computing" applications that store data on the Internet, the report states. Technology leaders are calling for a unified policy. Some experts point out that for individual countries, "There's a psychological perspective that having it in house is much more secure," but cloud providers may actually be able to deliver improved security.
Full Story

PRIVACY LAW—EU

In Spite of Ireland’s Fears, Data May Be Stored in Israel (September 3, 2010)

The EU is expected to allow the storage of sensitive personal data on European citizens in Israel. That move is expected to come in spite of concerns raised by Irish Minister for Justice Dermot Ahern about the use of eight fake Irish passports by alleged Israeli assassins, the Irish Times reports. The Irish government suspects that the data used in the forged documents was gleaned from official passport inspections in Israel. The issue was expected to be raised at a meeting of an EU committee on the protection of personal data on Thursday, but government sources have indicated there is expected to be little support for Ireland's request to scrap the data transfer pact with Israel, the report states.
Full Story

PRIVACY—GERMANY

Fundamental Human Rights at Risk (September 3, 2010)

On August 30, the Schleswig-Holstein Independent Center for Privacy Protection hosted its annual summer academy. Entitled "Codex Digitalis," the academy examined the inadequate protection of fundamental rights in the digital world. The broad range of perspectives presented included a challenge to amend the Universal Declaration of Human Rights by adding universal fundamental rights for the digital world; reference to indications that the German Foreign Ministry may potentially support developing international data protection regulations with France and Spain; and advocacy for the use of privacy by design as a means to lessen the loss of control over data caused by information technology. (Article in German.)
Full Story

PRIVACY LAW—UK

Wales Detective Fined for Disclosing Data (September 3, 2010)

BBC News reports on a North Wales police detective who has been fined £4,000 and ordered to pay £1,000 costs after disclosing police information. Vaughan Roberts accessed information about a friend on the police computer, according to the report, and North Wales Police have suspended him from duty. Roberts has been given six months to pay the fine and costs, with three months' imprisonment if he defaults. Data protection offences carry only a financial penalty, the report states.
Full Story

DATA LOSS—UK

Officials in Scotland Concerned Over Info Losses, Theft (September 3, 2010)

The loss of computers and other electronic devices from councils, police forces and health boards in Scotland is raising concerns about data privacy, The Press and Journal reports. Losses or thefts have been reported by the Aberdeen City Council, Aberdeenshire Council, Highland Council and Shetland Council. In addition, the report states, the Shetland and Tayside health boards, Greater Glasgow and Clyde NHS Board and the Lothian and Borders Police have also been involved in data breach incidents. Liberal Democrats Chief Whip Mike Rumbles suggested that given the number of breaches, "The government is not in control of the situation. They need to get a grip on this right now."
Full Story

PRIVACY LAW—EU

Commission Suspends Data Transfers to Israel (September 3, 2010)

The European Commission has suspended its plans to allow the storage of personal data on European citizens in Israel. Justice Commissioner Viviane Reding yesterday moved to halt the immediate adoption of an EU declaration that Israeli data protection systems are in line with European standards, The Irish Times reports. The plan had elicited criticism from Irish Minister for Justice Dermot Ahern, who expressed concern about the nation's data protection standards. The move to allow such transfers was expected to pass, as Ireland has been the only EU state to express resistance. A spokesman for Reding indicated the proposal would see more discussion, stating, "A decision has been delayed."
Full Story

ONLINE PRIVACY

Personal Data Has a Price (September 2, 2010)

NetworkWorld reports on the view of digital personal data as bankable currency. Marc Davis of Microsoft, who is a backer of rights-based privacy, suggests that "every piece of data on the Internet maps back to who created it and who they know. Where they were when they did it, where they've been and where they plan to go. What they are interested in, attend to and interact with, and is around them and when they do these things." All this has vast implications for privacy and the economy, he writes, noting that personal data "could be bankable and tradable from your Personal Data Bank," which would be "tied to clear, immediate and concrete benefits to choices about your personal data." Editor's Note: Read more about the concept of data banking and exchange.
Full Story

SOCIAL NETWORKING

The Privacy of Ping (September 2, 2010)

Apple's Ping, a music-focused social-networking service for iTunes users, was introduced this week, and the company is promising simple and straightforward privacy controls, indicating companies are now seeing the potential for privacy as grounds on which to compete, The New York Times reports. "You can get as private or as public as you want," Apple CEO Steve Jobs said of Ping, noting the device's privacy settings are "super simple." Citing recent privacy issues for large Web and social networking companies, Marc Rotenberg of the Electronic Privacy Information Center said Jobs' remarks show "privacy is very much on the minds of companies offering social-network services," and Ryan Calo of Stanford Law School's Center for Internet and Society suggested the comments show that companies are responding to public demands for simple privacy controls. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—INDIA

Government: Security More Important than Privacy (September 2, 2010)

Following its demand for access to encrypted BlackBerry data in the country, India has said security is more important than privacy, reports News.com.ag. Research In Motion (RIM), which manufactures BlackBerrys, has conceded to India's demand for lawful access to its private data to avoid a ban on the product in the country, says the report. "The government feels that security is more important than privacy," said India's home minister, adding the country will watch the progress made over the next two months. The UN said yesterday that RIM should provide India, Indonesia, Lebanon, Saudi Arabia and the United Arab Emirates access to BlackBerry data due to legitimate security concerns.
Full Story

ONLINE PRIVACY

Tech Suppliers Urged To Embrace Privacy Principles (September 2, 2010)

In a feature for The Last Watchdog, Fran Maier of TRUSTe shares her personal experience underscoring the privacy risks that come with the "Internet of Things." Maier writes how her missing camera began wirelessly uploading photos to her Eye-Fi account from an unsuspecting family in Germany that did not know that the account--complete with geo-tags--was enabled. "In this new world of the Internet of Things, a family photo can be much more than that," Maier writes, noting, "It may be a sensitive piece of personal data inadvertently shared with a stranger because of insufficient privacy safeguards." As the Internet of Things grows, Maier said it will be essential for technology designers and suppliers to "incorporate transparency, accountability and choice" to protect privacy. Editor's Note: Read more about Maier's story and the unforeseen consequences of such technology.
Full Story

DATA LOSS—UK

Company Fined £2.27 Million for Data Breach (September 1, 2010)

The Financial Services Authority (FSA) has fined an insurance company £2.27 million, a record amount, for its loss of computer backup tapes containing the personal information of 46,000 policy holders, Citywire reports. The FSA says Zurich Insurance failed to have systems in place to prevent the loss, which occurred during the outsourcing of unencrypted information, including credit card and bank details, to the company's South African branch. "This incident was unacceptable," said Zurich's chief executive, adding that the company is doing all it can to protect customer data.
Full Story

PRIVACY LAW—UK

Does ICO Need More Power To Stop Breaches? (September 1, 2010)

In the wake of recent Data Protection Act breaches, ITPRO reports on expert opinions as to whether the Information Commissioner's Office (ICO) has enough power to prevent such incidents. Although the ICO can levy £500,000 fines for serious data breaches, no fines were issued in the most recent cases, the report states, prompting some experts to suggest the issue isn't with the ICO's powers but with "lack of enforcement ability, just in terms of actual manpower." Several said the ICO should issue fines more often. As Edy Almer of Safend put it, "If Europe and the UK do not start acting fast, there will be more instances of this kind and once it's out, the genie cannot be put back in the bottle."
Full Story