European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—ITALY

DPA Issues New Rules for Mapping Service (October 29, 2010)

On Thursday, Italian prosecutors announced they have opened an investigation to determine whether Google's Street View WiFi data collection violated the country's privacy laws, CIO reports. This follows the passage of two resolutions on Google's Street View, by the Garante, Italy's DPA, most recently requiring notice about the itinerary of Street View vehicles, Reuters reports. With action pending or taken in other EU member states, IAPP European Advisory Board member Rocco Panetti told the Data Protection Digest, "Different legislations based on different jurisdictions could produce a set of prescriptions hard to be followed by Google or any other data controller...A sort of coordination procedure amongst DPAs to ascertain the breach of data protection rules in order to adopt at least similar measures in similar cases within EU members, to fulfill relevant obligations, should be considered a priority for the GPEN agenda and for the next revision of the EU directive 95/46/CE." 

PRIVACY LAW—UK

MP Proposes Internet Bill of Rights (October 29, 2010)

On the heels of the Information Commissioner's Office (ICO) decision to reopen its investigation into Google's Street View service, British Parliamentarian Robert Halfon is proposing an Internet bill of rights to give citizens an easy and affordable means of protecting their privacy. PC Magazine reports on Halfon's suggestion Thursday that it could pave the way to privacy oversight similar to what the British Medical Association and British Law Society provide in their fields. The ICO launched its new investigation into Street View's data collection following reports of personal data being collected, stating the office will determine whether such data was inadvertently captured in the UK "before deciding on the necessary course of action, including a consideration of the need to use our enforcement powers."

PRIVACY LAW—EU

EFF Calls for Repeal of Data Retention Laws (October 29, 2010)

The Electronic Frontier Foundation has called on European privacy authorities to scrap legislation that requires ISPs to retain data, ComputerWeekly reports. The Internet traffic data must be stored for at least two months and for up to two years for possible use by law enforcement authorities. European privacy authorities have found such practices to be unlawful, according to the EFF, and several countries have resisted implementation. The EFF has suggested the need for a "more targeted data preservation regime." Meanwhile, at the 32nd Annual Conference of Data Protection and Privacy Commissioners, the EFF urged privacy authorities to call for the legislation's repeal.

ONLINE PRIVACY—GERMANY

Commissioner: “Right To Object” Needed (October 29, 2010)

Discussing figures on the number of objections filed against Google Street View, Commissioner for Data Protection and Freedom of Information Peter Schaar said he knows of no comparable effort in which so many people have objected in such a short time to use of their data. He considers the figures a clear indication that individuals want control over what data appears about them on the Internet. He said a general right to object is, therefore, urgently needed. He is calling for a central registry to process objections and distribute them to the various Internet services without passing on identifying information about the individual. (Article in German.)

PRIVACY LAW—GERMANY

DPA Calls for Internet Legislation (October 29, 2010)

Thilo Weichert, director of the Independent Center for Data Protection of Schleswig Holstein, presented a proposal before the German Lawyers Association on Wednesday for legislation that would regulate data protection on the Internet. Central to the proposal is a provision that requires the question of digital publication of personal data to be dependent upon a balancing between freedom of expression and data protection laws. In describing the proposal, Weichert stated in part, "Our draft should free the current discussion from a fixation on geo data and direct attention to significant and mutual problems of data protection." (Article in German.)

PRIVACY LAW—EU & AUSTRIA

EU To Take Austria to Court (October 29, 2010)

PC World reports on the European Commission's announcement this week that it will refer Austria to the Court of Justice due to its lack of an independent data protection authority. The commission has been reviewing the EU's 1995 Data Protection Directive and has thus far taken Luxembourg and Germany to court for noncompliance. The result of Germany's case noted that those bodies responsible for supervising personal data processing must remain free from any external influence, the report states. However, the commission believes this is not the case in Austria due to the Federal Chancellery's supervision of the data protection authority and the fact that the authority does not have its own staff or budget.

PRIVACY LAW—EU & ISRAEL

Israel To Have Laws Deemed Adequate (October 29, 2010)

Companies will now be able to legally transfer personal data to Israel, as it has been approved to have its data protection laws deemed adequate, OUT-LAW.com reports. Israel will join the approved list in one month and is the seventh country outside of the European Economic Area to have its data protection laws deemed adequate by the EU. Ireland had previously expressed resistance to deeming Israel adequate, delaying the decision last month. A European Commission spokeswoman said the adequacy should be formally approved by the end of the year.

SURVEILLANCE—UK

Cameras “Must Come Down” (October 29, 2010)

West Midlands Police Authority is reconsidering the future of surveillance cameras installed in parts of Birmingham, BBC News reports. The cameras were put up earlier this year but prompted complaints amongst the community. In response, the authority apologized and instigated an independent review by another police force, which found a lack of "scrutiny and oversight" on the project. The cameras run on a CCTV network and are equipped with a license plate recognition system. One legal officer said the police did not comply with the Data Protection Act and, therefore, breached the right to privacy under the Human Rights Act. "The cameras must come down," she said, an option now being explored.

PRIVACY—GERMANY

Insophia Honored (October 29, 2010)

The Independent Center for Data Protection in Schleswig Holstein has announced that the Uruguayan technology company Insophia has been awarded the European Privacy Seal for its Web-based service Certified Privnote. Thilo Weichert, center director, said Privnote guarantees the fundamental protection of confidentiality in communications through the use of the SSL Cryptography Protocol to encrypt the content of messages and secure the message exchange. The European seal, an initiative of the center, verifies compliance with the high standards of European data protection regulations and provides consumers and organizations with a transparent guide for choosing and evaluating IT products and services. (Article in German.)

TRAVELERS’ PRIVACY—EU & U.S.

EU, U.S. Tussle Over Passenger Data Sharing (October 28, 2010)

The U.S. is facing resistance to its requests for broad sharing of European airline passenger data from the EU and European airline officials alike. The EU executive has demanded a renegotiation of the Lisbon Treaty, which lays out the conditions under which European airlines can supply passenger data. According to The Washington Post report, this move serves as recognition that the European Parliament would not approve the treaty as is. Meanwhile, officials from British Airways and Virgin Atlantic and others are accusing the U.S. of imposing overly intrusive and redundant security measures. These objections worry U.S. counterterrorism officials because computer scrutiny of passenger lists has become an important anti-terrorism tool, the report states. (Registration may be required to access this story.)

PRIVACY—UK

ICO To Recruit Tech Advisor (October 28, 2010)

The Information Commissioner's Office (ICO) plans to recruit a technology advisor to improve its knowledge of the industry, V3.co.uk reports. The advisor, who will focus on policy development, investigations and complaints, will help ensure the ICO "stays one step ahead of the game," said Deputy Commissioner David Smith. Private-sector and advocate reactions to the plan are positive. "UK privacy legislation dates from the mid to late 1990s, and technology has moved on an enormous amount since then," said Alex Brown of Simmons & Simmons. "It's difficult for companies that want to use cutting edge technologies to know how to comply with the legislation." Florian Mueller of the Open Rights Group said, "This step has been overdue." Editor's Note: The 2010 IAPP Data Protection Authorities Global Benchmarking Survey, which examines federal-level privacy offices and data protection authorities (DPAs) in 38 countries and territories, is now available in the IAPP Knowledge Center.

SOCIAL NETWORKING

Study Shows Most Proactive Countries for Privacy Settings (October 28, 2010)

The Unisys Security Index surveyed 10,575 consumers in 11 countries and found that 80 percent of social networking users in the U.S.--more than in any other country studied--said they regularly limit the personal information they post and restrict others' access to it, reports InformationWeek. Brazil and Germany were the next in line, with Brazil the most concerned with overall security, the report states. Patricia Titus, global chief information security officer at Unisys, says that the U.S. may be more proactive because it has "better reporting on social media issues here because Facebook is a U.S.-based company."

PRIVACY LAW—EU & U.S.

Personal Data Transfer Negotiations To Begin (October 27, 2010)

The EU and U.S. are set to renegotiate rules governing the privacy of personal data when it is transferred between the two, computing.co.uk reports. The European Commission is recommending citizens on both sides of the Atlantic be able to take legal action against abuses in Europe or the U.S., the report states. Speaking before the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on Tuesday, Françoise Le Bail, the commission's director-general for justice, said with the current "patchwork" of data transfer regulations, "the overall result is not very satisfactory," and the commission's proposal would "guarantee a certain number of basic rights for those whose data is gathered."

ONLINE PRIVACY

Google’s Fleischer Discusses Privacy Perspectives (October 27, 2010)

Only a small fraction of users of the world's largest search engine are taking advantage of privacy controls that allow them to choose which ads are steered their way, the Associated Press reports. Peter Fleischer, Google's global privacy counsel, said he is "puzzled about why more people don't use more of the privacy controls." Google targets ads based on cookies left behind on users' Web browsers, but with its "ads preference manager," a user can wipe out cookies or alter the subject areas identified, the report states. Fleischer also spoke of the challenges of global Internet products with different nations having different privacy views, noting he expects more efforts to reach agreement on common privacy policies around the world.

ONLINE PRIVACY

How Safe Is Your Login? (October 26, 2010)

Social networks are becoming the focus of new privacy questions about how their logins can be accessed through WiFi networks. The Wall Street Journal reports that Firesheep, a new add-on for the Web browser Firefox, "is designed to make it easy to intercept browser 'cookies' used by popular Web sites like Facebook, Twitter and others to identify their users, thereby allowing Firesheep users to log in to those Web sites posing as others." Eric Butler, a U.S. programmer who developed Firesheep, said he introduced the program as a way of bringing attention to a common weakness in Web site security. "On an open wireless network," he said, "cookies are basically shouted through the air, making these attacks extremely easy." (Registration may be required to access this story.)

SOCIAL NETWORKING

More Sites Tagged With Info-Sharing Concerns (October 26, 2010)

Following an investigation into a privacy breach involving popular applications on Facebook, social network MySpace and some of its apps have been found to be transmitting user information to outside advertising companies, The Wall Street Journal reports. Rapleaf, a company which compiles profiles of Internet users and was cited in the investigation as providing such information to advertisers, has stated it no longer passes such user information on to advertising networks due to privacy concerns. "The MySpace leaks appear to be more limited than those at Facebook, which has far more users and requires them to make public their name, gender and country," the report states. (Registration may be required to access this story.)

BEHAVIORAL TARGETING

Researchers: Ads Can Expose Personal Info (October 26, 2010)

Two recent academic papers focusing on targeted advertising found that ads can expose "sensitive profile information, like a person's sexual orientation or religion, even if the person is sharing that information only with a small circle of friends," The New York Times reports. Researchers in India and Germany, who focused on ads targeted to Facebook users, noted that by clicking on ads, users could reveal such personal information along with a unique identifier. In a separate study, a U.S. researcher said she was able to determine Facebook users' ages and sexual orientation by tailoring ads to their profiles. (Registration may be required to access this story.)

ONLINE PRIVACY

Tools Enable Online Browsing Privacy (October 25, 2010)

Mercury News reports on various ways to maintain privacy on the Internet despite the pervasive tools used by search engines and marketing companies to track your movements online. Peter Eckersley of the Electronic Frontier Foundation says such ubiquitous online surveillance violates our right to "read in private," adding that "You might be reading the magazine, but it's reading you back." The report highlights a suite of tools available to increase online privacy, downloadable software to encrypt users' online searches and privacy modes within various Web browsers that allow for "private browsing," preventing the permanent storage of tracking technologies such as cookies.

ONLINE PRIVACY—SPAIN

Criminal Sanctions, Fine Sought for Web Giant (October 22, 2010)

DLA Piper's E-Commerce and Privacy Alert reports on the announcement by Spain's Agencia Española de Protección de Datos (AEPD) that it has initiated a criminal sanction procedure and plans to impose a fine of over €2.4 million against Google, based on the outcome of its investigation into the collection of WiFi data by Google's Street View service that included user surnames, usernames and passwords. The AEPD alleges the company has committed five infringements of the Spanish Data Protection Act, the report states, and will send a special report of its conclusions to a criminal court in Madrid. The company is also facing questions in Canada. Google, which has discontinued the WiFi data collection process, has stated that the personal information was collected unintentionally.

PRIVACY LAW—FRANCE

Gov’t Secures “Right To Be Forgotten” (October 22, 2010)

The Hunton & Williams Privacy & Information Security Law Blog reports on the efforts of Nathalie Kosciusko-Morizet, the secretary of state in charge of the digital economy, to secure the "right to be forgotten" on the Internet. The project focused on such goals as educating Internet users about their exposure to privacy risks, encouraging the development of privacy-enhancing tools and fostering data protection rights at the national and EU level. The results, the report states, are the new "Code of Good Practice on Targeted Advertising and the Protection of Internet Users" and "Code of Good Practice on the Right to Be Forgotten on Social Networks and Search Engines," which Kosciusko-Morizet has said "could be the starting point for a future international agreement." Editor's note: For more on this topic, read "Understanding the 'right to be forgotten' in a digital world" from this month's issue of Inside 1to1: Privacy.

ONLINE PRIVACY—UK

ICO Investigates Possible Data Breach (October 22, 2010)

The Information Commissioner's Office (ICO) is investigating a possible data breach involving a Crown Paint Web site, The Register reports. The company's customer database was published in full online, the report states, displaying messages, names, e-mail addresses, telephone numbers and home addresses of customers who had filled in an enquiry form. The company has said it is investigating how the site became visible and has blocked further access to it. In a prepared statement, the ICO said it is aware of the possible breach and "will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken."

DATA LOSS—UK

Undertaking Signed After Loss of Patient Records (October 22, 2010)

A doctor's mistake in leaving diagnostic information about 56 patients on a train on his way home from work has resulted in changes at North West London Hospitals NHS Trust, ComputerWeekly reports. The documents were recovered by London Transport when the doctor realised he had lost them, the report states, and the trust reported the breach to the Information Commissioner's Office (ICO). NHS Trust CEO Fiona Wise has signed a formal undertaking to ensure that personal data is processed in accordance with the Data Protection Act, agreeing to use pseudonyms to prevent patient names from being revealed on printouts.

DATA LOSS—UK

Nuclear Company Launches Investigation Into Lost USB (October 22, 2010)

A nuclear processing company has begun an investigation after one of its USB devices was found in a hotel room, eWeek Europe reports. The USB device was reportedly unencrypted and included details of a proposed workforce transfer and information related to a visit by the International Atomic Energy Agency. Experts have praised the company for launching an investigation but caution about the implications for such a breach, the report states. The breach falls under the jurisdiction of the Information Commissioner's Office, which has warned organisations that they could face sanctions if they do not notify the office of such incidents.

PRIVACY LAW—EU

EU Document Hints at Legislative Changes in Directive Review (October 20, 2010)

A European Commission (EC) document obtained by Bloomberg hints at what regulators may propose in the upcoming review of the EU Data Protection Directive. "It appears that the commission intends to propose changes in the law and non-legislative steps to bring about the changes that are being discussed," writes Hogan Lovells partner Christopher Wolf in a blog post. The EC document suggests that expanded criminal penalties for data protection violations may be on the way, stating that it is "essential to have effective provisions on remedies and sanctions," including "criminal sanctions in case of serious data protection violations." The document also suggests that citizens gain the right to have certain details deleted from the Web, the Bloomberg report states. Regulators are set to discuss the document in early December and a draft of the amended legislation is expected in mid-2011.

PRIVACY

Looking to the Future: Essential Skills for CPOs (October 20, 2010)

In a feature for GovInfoSecurity, Upasana Gupta quotes a scenario written by IAPP Board Chairman Nuala O'Connor Kelly, CIPP, CIPP/G, of GE and Michelle Dennedy of Oracle on the future of privacy in a fully networked world where between waking and 9 a.m. each morning, "you've already generated a terabyte of data in your personal account in the cloud." With ever-changing technology, Gupta writes, the top four skills privacy leaders will need in the decade ahead are the understanding of IT security and risk, encryption technologies, international privacy laws and the implications of cloud computing. The privacy profession, she writes, "is moving from regulatory compliance and breach notifications to being identified by development in various applications."

TRAVELERS’ PRIVACY—EU & U.S.

EDPS: Justification, Safeguards Needed for PNR Use (October 20, 2010)

European Data Protection Supervisor Peter Hustinx is speaking out against the use of passenger name records (PNR) to profile the potential risk of international travelers to their destination country, ComputerWeekly reports. In an opinion issued Tuesday, Hustinx said, "The proactive use of PNR data of all passengers for risk assessment purposes requires more explicit justification and safeguards," calling for strict conditions on the processing, transfer and retention of sensitive data. He is also recommending that conditions for collection and use of PNR data "be considerably restricted" and EU-U.S. talks focus on "a consistent and harmonized approach on data protection."

SOCIAL NETWORKING—FRANCE

CNIL Voices Concerns Over “Places” Feature (October 20, 2010)

French data protection agency CNIL wants Facebook and consumers to carefully consider the privacy implications of the "Places" location feature. Telecompaper reports that CNIL has asked Facebook to improve the confidentiality and personal data settings of the service, which uses GPS on smartphones to allow users to place themselves at a certain location and allows them to tag others as being at a location. CNIL also voiced concerns about the use of data collected and the notice given to users who have been tagged through Places. CNIL said users need to be mindful of their settings and how they use it. (Registration may be required to access this story.)

SOCIAL NETWORKING

As Officials Raise Concerns, Facebook Promises To Fix Glitch (October 19, 2010)

A report that some of Facebook's most popular applications have been transmitting user information to Web tracking companies has privacy advocates and legislators sounding an alarm. While Facebook issued a statement that there is "no evidence that any personal information was misused or even collected," The New York Times reports that the company plans to introduce "new technical systems that will dramatically limit the sharing of user IDs." Meanwhile, Canadian Privacy Commissioner Jennifer Stoddart is considering launching a new investigation into Facebook's privacy policies, and U.S. House Bipartisan Privacy Caucus Chairmen Edward Markey and Joe Barton have sent a letter to the company seeking more information on the way "third-party applications gathered and transmitted personally identifiable information about Facebook users and those users' friends." (Registration may be required to access this story.)

ONLINE PRIVACY

CEA: Personal Data Should Be Paid For (October 19, 2010)

BBC News reports on the U.S. Consumer Electronics Association (CEA) statement that companies seeking to make use of the personal information people share online should pay for it. "The mining of personal data is here to stay," said Sean Murphy of the CEA, noting, "Privacy is only going to continue to get increased attention in the years and months to come." With privacy topping the CEA's list of technology trends to watch for in the year ahead, advocates suggest the key is for consumers to be "fully informed, have control of their data and choose to opt in to some sort of scheme that offers payments" for sharing their personal information. Editor's note: For more on the view of personal data as a commodity, read "Valuing, protecting and commoditizing your personal information: Is 'data banking' the answer?" from the June issue of Inside 1to1: Privacy.

PRIVACY LAW—URUGUAY & EU

Working Party Deems Uruguay “Adequate” (October 18, 2010)

After a two-year review process, Europe's Article 29 Working Party has deemed Uruguay's data protection regime to be "adequate" by the standards of the European Data Protection Directive. In an opinion published last week, the group of European data protection authorities said that "Uruguay provides an adequate level of protection with regard to transfers of personal data from the EU/EEA, pursuant to Article 25(6) of Directive 95/46/EC on the protection of personal data." In making the determination, the group compared Uruguay's Law No. 18,331 on the Protection of Personal Data and "Habeas Data" to the main provisions of the directive. The Article 31 committee and the European Commission will consider the opinion before issuing a final decision on Uruguay's adequacy status.

DATA PROTECTION

Mexico To Lead Data Protection Consortium (October 18, 2010)

The Ibero-American Data Protection Network unanimously chose Mexico to lead the consortium, which includes the governments of Spain, Portugal, Andorra and 19 Latin American countries and focuses on exchanging knowledge of data protection issues through dialogue and collaboration, reports the Hunton & Williams Privacy & Information Security Law Blog. The election comes on the heels of Mexico's recent enactment of its Federal Data Protection Law. According to the report, Jacqueline Peschard, head of Mexico's Federal Institute for Access to Information and Data Protection, will represent Mexico during its two-year term.

ONLINE PRIVACY—GERMANY

Thousands Opt Out of Street View (October 18, 2010)

The New York Times reports on Google's announcement on its plans for Street View in Germany despite the fact that thousands of residents have asked the company to delete their properties from the service. "The number of requests will not have an effect on our plans to launch Street View this year," said Kay Oberbeck, a Google spokesman in Hamburg. The option to request properties to be removed from Street View was offered to address privacy concerns, the report states. "We realize that privacy is a very sensitive issue in Germany and are doing what needs to be done to address everyone's concerns," Oberbeck said. (Registration may be required to access this story.)

DATA RETENTION—EU

Hotels May Face EU ISP Rules (October 15, 2010)

New rules in the Netherlands could force hotels to register as ISPs and make them subject to EU data retention laws, PCWorld reports. Dutch telecommunications authority OPTA has said that some hotels offering free WiFi to their guests must register under the Dutch Telecommunications Act. MEP Alexander Alvaro has said he will send a written question to the European Commission in order to verify whether the EU's Data Retention Directive, which requires member states to ensure that communications providers retain enough data to trace and identify the source, destination, date, time and duration of a communication for up to two years, would now apply to hotels.

DATA LOSS—UK

ICO: Healthcare Recruiter Breached DPA (October 15, 2010)

Another healthcare-related entity has been found in breach of the Data Protection Act. According to an Information Commissioner's Office press release, the healthcare recruiting firm Healthcare Locums Plc (HCL) breached the act in losing the personal data of doctors it employed. A hard drive containing doctors' visa information and security clearance data was lost and sold on a Web auction site. It has since been returned to the agency. HCL's chief operating officer has signed a formal Undertaking promising to put in place certain data protection protocols. The ICO's enforcement group manager said, "I am pleased that Healthcare Locums is taking remedial steps to make sure incidents like this one do not happen again."

EMPLOYEE PRIVACY—GERMANY

Center for Data Privacy Issues Opinion on Draft Law (October 15, 2010)

On 12 October, the Schleswig-Holstein Center for Data Privacy submitted an advisory opinion on draft legislation addressing employee data privacy that is soon to be considered by the German Federal Assembly. In its opinion, the center sets forth both criticisms and recommendations on issues including poor drafting, allowance for excessive monitoring of employees and the constitutionality of various provisions. Center Director Thilo Weichert states that the law should serve employee job satisfaction and workforce productivity but not mete out punishment to affected parties. Employee data privacy legislation has been promised by successive German administrations for more than 20 years. (Report in German.)

HEALTHCARE PRIVACY—UK

Scotland’s NHS Hopes To Strengthen Privacy (October 15, 2010)

NHS health boards in Scotland are looking to a four-year agreement for privacy breach protection software to help the organisations "strengthen their existing privacy surveillance and privacy breach detection capabilities," SmartHealthcare reports. "The system should be Web-based and accessible from desktop and mobile devices," and is expected to allow automatic downloading from a variety of hospital and pharmacy systems, according to an NHS statement. The goal of the boards' framework is to find a system that will have extensive reporting capabilities and include information based on access date, demographic data and system user ID, the report states.

DATA LOSS—UK

Third-Party Software Responsible (October 15, 2010)

Managed security services provider Omniquad is blaming a glitch in third-party software used by the company for its recent data breach, reports channelweb.co.uk. The company's customer log-in details were exposed online by a vulnerability in its helpdesk software, according to the report. Daniel Sobstel, managing director of Omniquad, said that only a handful of customers would have been affected, and the system was taken offline within minutes of finding out about the breach. A Privacy International spokesman is criticising the company for not protecting customers' data, saying that it should have more carefully audited its third-party software and services. Omniquad has notified affected customers.

HEALTHCARE PRIVACY—SPAIN

Hospitals Lack Data Breach Protection (October 14, 2010)

The Reader reports that one in three Spanish hospitals are in breach of data protection requirements, with no measures in place to prevent data loss or unauthorized access. The report also states that another 40 percent of state hospitals and 15 percent of private ones do not record access to clinical files, and 45 percent do not include legal explanations on their forms explaining how and why patient data is stored. "Only a third of state hospitals carry out any kind of security audit on their files," the report states. Those found in breach have been issued warnings and could face substantial fines.
Full Story

PRIVACY LAW

Data Protection Laws Expanding Worldwide (October 14, 2010)

Dark Reading reports on the expansion of data protection laws across the globe as detailed in the report "A New Era of Compliance: Raising the Bar for Organizations Worldwide" from the RSA and the Security for Business Innovation Council (SBIC). The report analyzes how new legislation and strengthened regulations are forcing businesses to change their approaches to compliance. In the report, which includes recommendations from SBIC for enterprise security teams, Art Coviello of the RSA notes, "Regulators are making it clear that you're on the hook for ensuring the protection of your data at all times, even when it's being processed by a service provider."
Full Story

DATA PROTECTION—FRANCE

CNIL Issues Data Security Guidance (October 14, 2010)

The French Data Protection Authority (CNIL) has released a comprehensive handbook on securing personal data, reports the Hunton & Williams Privacy and Information Security Law Blog. The guidance follows the CNIL's "10 tips for the security of your information system," the report states. It reminds data controllers of their legal obligation to secure data and the penalties for failing to do so. The 17-chapter document addresses such topics as authentication, education, privacy by design and anonymization.
Full Story

ONLINE PRIVACY

HTML 5 Concerns Persist (October 14, 2010)

HTML 5 is already being used to create new ways of experiencing online content and is raising privacy concerns as it is expected to provide improved opportunities for tracking consumers' online activities. The New York Times "Tech Talk" podcast features a discussion of the implications of the new technology, including the ability to collect personal data. The report notes that such information as browsing histories, blog text, photos and messages can be collected and stored, and deleting HTML 5 storage "can be tricky." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—GERMANY

Controversial Service Opened Dialogue about Privacy (October 13, 2010)

In a Deutsche Welle Q&A, the editor of the blog Netzpolitik, Markus Beckedahl, discusses the recent hype about Google Street View's launch in Germany. Beckedahl says that while the debate over the controversial service brought the concept of privacy to the forefront, fears about the service itself were somewhat unfounded. But the controversy, which had some politicians claiming they'd put an end to it while others supported it, allowed for privacy to become more tangible a concept to generations young and old. "It's something where my parents have an opinion about it, and maybe your parents do too," Beckedahl said. "This is a new level in that debate."
Full Story

PRIVACY LAW—UK

ICO Yet To Fine for a Data Breach (October 12, 2010)

It's been six months since the Information Commissioner's Office (ICO) has had the power to issue fines of up to £500,000, but it has yet to collect such a fine, SC Magazine reports. One company's CEO said he believes that the ICO raised awareness about data losses by introducing the new fine but that people are starting to wonder if they'll ever make use of it and, as a result, aren't taking data loss as a serious threat. "Personal customer data should be of utmost importance to any company, so if it's not the fear of losing their reputation that makes them invest in encryption, it has to be the threat of a significant fine."
Full Story

SOCIAL NETWORKING

Advocates Pleased with Facebook Changes (October 12, 2010)

Privacy advocates are voicing approval of Facebook's new privacy features, which will allow users greater control over their personal data, OUT-LAW.com reports. The changes include a "dashboard," which will display to users which applications are active and the data they collect. The Electronic Frontier Foundation welcomed the change, the report states. "We think that this is an important step forward in terms of providing more transparency to users about where their Facebook data is going and who is using it." Additional features will allow users to export all of their uploaded data from the site and create private groups for communications.
Full Story

PRIVACY LAW—UK & EU

ICO Responds to MoJ, Calls for Custodial Sentences (October 8, 2010)

Document Management News reports on the information commissioner's response to the Ministry of Justice's (MoJ) call for evidence on the current data protection legislative framework. The response highlights key features the Information Commissioner's Office (ICO) would expect to see in any revised framework and, the report states, points out that although the current data protection principles are sound, the law needs to provide more clarity for individuals and for businesses. The ICO also reiterated calls for increased powers of enforcement and the ability to impose jail sentences for severe offences.
Full Story

PRIVACY LAW—FRANCE

Court Rejects GeoLocation Evidence (October 8, 2010)

Hunton & Williams reports on a French Appeals Court decision related to employee privacy. Last month, an appeals court in Dijon upheld that an employer could not use global positioning system device data from a company vehicle as evidence in the termination of an employee because the employer had failed to register that type of data processing with the French data protection authority (CNIL), the Privacy & Information Security Law Blog reports. The court also found that the employer had not properly notified the employee about its use of GPS. The French Labor Code states that "no device may be used to collect personal information about an employee without giving him prior notice."
Full Story

PRIVACY LAW—SWEDEN

Gov’t Will Move To Delay Retention Mandate (October 8, 2010)

Among dozens of motions the Swedish government will present this autumn will be one to delay implementation of the EU Data Retention Directive, The Local reports. The directive sets retention terms for telecommunications data and is to be implemented in Sweden in November. Already, the nation has been reprimanded by the EU for having failed to implement the directive on time. The government will move to delay the implementation further in order to give the justice department more time on an inquiry into which groups may access the stored data.
Full Story

DATA LOSS—UK

Patient, Staff Records Missing (October 8, 2010)

A total of 387 confidential patient and staff records have been reported lost or stolen from NHS West Midlands between April and June of this year, the Express & Star reports. Two other incidents also took place, the report states, but the number of records missing as a result of those cases is unknown. Since January of 2009, there have been more than 20,000 breaches, including a spreadsheet of patient details that was e-mailed to the wrong address, several stolen laptops and a CD containing 300 records that was found unencrypted and without password protection at an area bus stop, the report states.
Full Story

PRIVACY LAW—GERMANY

Court Rejects Motion To Suspend Order (October 8, 2010)

The Schleswig-Holstein Administrative Court rejected a motion by the regional Association of Family Practitioners to temporarily suspend a July 2010 order issued by the Schleswig-Holstein Independent Center for Data Protection enjoining the transfer or use of patient data acquired from member physicians under a contract entered into between the association and a health insurer. In its 1 October decision, the court cites apparent risks to privacy arising out of the contract and the mandated billing software. The center considers the interim decision a judicial acknowledgment of privacy problems found in current service contracts for family practitioner care. (Article in German.)
Full Story

CHILDREN’S PRIVACY—UK

Site Offers Children’s Ethical Communications Kit (October 8, 2010)

OUT-LAW.COM reports on the Advertising Association's launch of the Children's Ethical Communications Kit (CHECK), a site aimed at bringing together all UK laws and regulations on advertising to children. The Committee of Advertising Practice has revised its guidance on the collection of data on children this year, the report states, with the rules strengthened in recent months. "Nobody gains from irresponsible marketing where children are concerned," said Advertising Association Director of Communications Ian Barber, noting, "It's damaging for client relationships, for brands, for the industry's reputation and for the person that gets it wrong."
Full Story

CHILDREN’S PRIVACY

Study: Lots of Little Ones Have Online Presence (October 8, 2010)

The security firm AVG has released study results that show 82 percent of kids under the age of two in 10 Western nations have an online presence, CNN reports. Newborns and toddlers in the U.S., New Zealand, Canada and Australia are the most likely to appear online in photographs, the report states. The study found that often it is friends or other family members--not the child's parents--who post the photos. "Obviously there's a privacy issue," said an AVG spokeswoman. "If they're applying for credit (later on) and having that information readily available for people who want to compromise their identities."
Full Story

SOCIAL NETWORKING

Facebook Unveils Privacy Changes (October 7, 2010)

Facebook has released new privacy options, it announced at a press conference yesterday, allowing users more control over their data and communications, NPR reports. Users will now be able to create "closed" groups in order to communicate with Facebook friends privately and can also use a "dashboard," allowing them to view what personal information has been collected by games and third-party applications on the site and letting them disable some of those features. An analyst at Forrester Research called the changes a smart move for Facebook, adding the announcement "helps move the ball forward in terms of greater control and greater transparency."
Full Story

BEHAVIORAL TARGETING—EU

IAB Europe: Re-Spawning is Illegal (October 7, 2010)

The Interactive Advertising Bureau (IAB) Europe has condemned the practice of re-spawning because it circumvents a user's choice to allow cookies and erodes consumer trust, Silicon Republic reports. The practice involves the automatic reestablishment of a previously deleted cookie from a backup copy despite the user's preference to not accept cookies. IAB Europe considers the practice illegal under European data protection rules and has called on all businesses not to engage in such practices. "We work hard to protect lawful business practices across Europe and will not allow individual companies to jeopardize the trust and confidence that our membership has built with their European users," said a spokesman from IAB Europe.
Full Story

ONLINE PRIVACY

Self-Regulatory Program Overview Released (October 7, 2010)

Morrison & Foerster has released an overview of the self-regulatory program for online behavioral advertising announced earlier this week. The program features an "Advertising Option Icon" to alert users when data is collected for behavioral targeting. The Morrison & Foerster report, which is now available in the IAPP Knowledge Center, looks at the efforts by several leading media and marketing associations to address issues of consumer control. The report includes background on the origin of the program, its goals and frequently asked questions.
Full Story

PRIVACY LAW—GERMANY

DPAs: Google Analytics Illegal (October 6, 2010)

The Düsseldorfer Kreis, which is comprised of Germany's state data protection authorities (DPAs) responsible for the private sector, continues to consider the use of Google Analytics on company Web sites to be illegal, but it hopes to continue negotiations with the company, the Hunton & Williams Privacy and Information Security Law Blog reports. Berlin Commissioner for Data Protection and Freedom of Information Alexander Dix has said that although the company has undertaken efforts to improve Google Analytics, the DPAs do not consider the improvements to be sufficient. The DPAs have given Google eight weeks to improve the service, the report states.
Full Story

PRIVACY LAW—GERMANY

Employee Data Protection Law Moves Forward (October 5, 2010)

The government's draft law providing special rules for employee data protection now goes before the German Parliament for a first reading in November 2010, the Hunton & Williams Privacy and Information Security Law Blog reports, which means the law could be passed this year. The draft law would amend the German Federal Data Protection Act (BDSG) by adding provisions in nine key subject areas, including medical exams, CCTV use, employee tracking, biometrics and monitoring employees' Internet, e-mail and telephone use. In several cases, such actions are prohibited or require employee knowledge and consent, according to the draft law's provisions.
Full Story

ONLINE PRIVACY

Paper Raises Concerns About Smartphone Security (October 4, 2010)

The user data collected by some smartphone applications can be correlated to real-world identities, Ars Technica reports, posing privacy risks to users of such popular devices as the iPhone, iPod and iPad. According to a paper by Bucknell University Assistant Director of Information Security and Networking Eric Smith entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)," many applications request personally identifiable information affiliated with users' accounts. Smith noted that such data, combined with "extremely long-lived" tracking cookies, could result in companies tracking users' online activities for extended periods of time and across multiple devices, the report states.
Full Story

PRIVACY LAW—EU & UK

Commission Taking UK to Court (October 1, 2010)

The European Commission is taking the UK to court for failing to protect citizens' privacy to the degree demanded by EU Internet privacy laws, OUT-LAW.COM reports. The action follows calls by the EU for the UK government to bring its data protection standards into accordance with EU directives. "The commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities," said a commission statement. "The commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK's obligations under the ePrivacy Directive and the Data Protection Directive."
Full Story

PRIVACY

Jennifer Stoddart Receives Vanguard Award (October 1, 2010)

At a reception in Baltimore, Maryland last night, Canadian Privacy Commissioner Jennifer Stoddart received the 2010 IAPP Privacy Vanguard Award. The annual award recognizes the privacy professional who has best demonstrated outstanding leadership, knowledge and creativity in privacy and data protection. Stoddart was selected for her role in establishing Canada as a leading regulator on privacy issues. "Commissioner Stoddart has been instrumental in forging coordinated approaches to global data protection challenges," said IAPP President Nuala O'Connor Kelly, CIPP, CIPP/G, General Electric Company's chief privacy leader. "Her strong leadership has elevated the privacy profession, not just in Canada, but globally; this award is richly deserved." Stoddart has served as Canada's federal privacy commissioner since 2003.
Full Story

TRAVELLERS’ PRIVACY—GERMANY

Body Scanners Tested at German Airport (October 1, 2010)

The six-month test run of a controversial body scanner began Monday at Hamburg Airport, The Local reports. Interior Minister Thomas de Maiziere calls the trial a step towards improved air security at German airports and a victory for safety in civilian air travel. The trial period aims to establish that the machines pose no health risks, that individual rights are protected and that aviation security is improved, the report states. Due to opposition to the scanners, Germany has been slow to deploy them.
Full Story

DATA PROTECTION—UK

Group Calls for Investigation into Blacklist Database (October 1, 2010)

Click Liverpool reports on advocacy group Privacy International's call for a government investigation into a Bristol-based company's national blacklist of "nightmare" hotel guests. GuestScan.com allows hotel owners to share information about "known or potential troublemakers" in an online database describing the guests' behaviors and personal details, including racial or ethnic origin and sexual orientation or offences. Privacy International's Alex Hanff called the site "despicable" and said the group will call upon the Information Commissioner's Office to look into the site's business practices. "Data can only be used for the purpose which it is collected," Hanff said.
Full Story

DATA PROTECTION—GERMANY

Data Protection Wiki Announced (October 1, 2010)

Germany has a new Wiki on data protection. Designed to be a resource for professionals and private persons, it will offer practical work aids like checklists and model contracts, easy-to-understand explanations of the terms and principles of data protection law and information about legal sources. The idea for creating a comprehensive and up-to-date resource originated last year among participants in the Data Protection Forum run by the office of Peter Schaar, federal commissioner for data protection and freedom of information. Commissioner Schaar invites all interested persons to participate in the Wiki. (Story in German.)
Full Story

CHILDREN’S PRIVACY—UK

Advocacy Group Warns YOTs (October 1, 2010)

The Information Commissioner's Office (ICO) is in discussions with the Youth Justice Board (YJB) over how to handle concerns that Youth Offending Teams (YOTs) are collecting too much personal data on youth offenders, which could possibly lead to the identification of children, reports CYP Now. Children's rights group Action on Rights for Children (ARCH) first brought concerns about the database to the ICO last year after the YJB introduced a new system that collects more personal data than the one previously used. ARCH recently sent letters to all YOTs, calling on them to remove personal data from future uploads and asking the YJB to remove the personal information from the system. The group is threatening legal action if YOTs don't comply.
Full Story

DATA LOSS—UK

ICO: Trust Breached Data Protection Rules (October 1, 2010)

The NHS Forth Valley has signed a formal undertaking after it breached data protection rules when a personal memory stick containing patient records went missing. A 12-year-old boy found the stick in a supermarket parking lot in May, BBC News reports. It contained such details as the criminal histories of some patients who were treated at the center for severe mental health problems. It also included details on certain staff. A staff member was suspended for losing the memory stick.
Full Story