European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Officials Push for Right To Be Forgotten (November 30, 2010)

Senior European Union officials have begun campaigning publicly for an online "right to be forgotten," The Wall Street Journal reports. EU Commissioner Viviane Reding, who introduced the idea earlier this month, said such change is needed in a world where the Web never forgets. Meanwhile, EU Commissioner Neelie Kroes called for "cloud-friendly" rules to improve data privacy. Proposed changes to EU privacy rules will face 12 to 18 months of debate before becoming law, the report states. "We still need to work out the details, but I support the right to be forgotten," said Jacob Kohnstamm of the Article 29 Working Party. (Registration may be required to access this story.) Read more about proposed changes to the EU Data Protection Directive in the December edition of the IAPP Privacy Advisor newsletter. (Member login required.)

PRIVACY LAW—UK

Expert: ICO Fines an Educational Opportunity (November 29, 2010)

There are lessons to be learned from the first fines handed out by the Information Commissioner's Office (ICO) for data breaches, ComputerWeekly reports, highlighting the ICO's recent fines of £100,000 for the Hertfordshire County Council and £60,000 for employment services firm A4e. A primary lesson here is that the ICO will punish "business-as-usual" failures, such as misdirected faxes and unencrypted devices, explains Stewart Room of Field Fisher Waterhouse. "This tells us the ICO considers encryption as a mandatory privacy-enhancing technology," he said, adding, "Punishment despite good behavior also demonstrates the ICO's policy of zero-tolerance for such low-level failings."

HEALTHCARE PRIVACY—UK

NHS Site Questioned (November 29, 2010)

The Information Commissioner's Office (ICO) has asked the Department of Health for information about its NHS Choices Web site, V3.co.uk reports. According to privacy experts, the site is sharing visitor information with third parties through social network features. The department has stated the information is collected to "see what is most effective about our site, to help us identify ways to improve it and to make it more effective." However, as one privacy expert cautions, while the need for such statistics is valid, "users' privacy should be of utmost importance (and) there is open source analytics software which the NHS should run themselves."

PRIVACY LAW—EU

Security Plan Calls for EU Data Access (November 25, 2010)

EUobserver reports on the European Commission's Internal Security Strategy, with proposals including EU data systems to track potential terrorists taking a flight or wiring money to suspicious organisations. The plan, which includes 41 actions, "responds to requests from the European Parliament to have EU-based data extraction and analysis on bank transactions to terrorist organisations, instead of sending all the banking data to the U.S.," the report states. The report also suggests that air passenger data collected by European airlines and turned over to U.S. authorities when carriers fly to that country may be shared with EU countries as well. "We don't propose many new organisations, but we want to equip existing ones with better tools," said EU Commissioner Cecilia Malmström.

PRIVACY LAW—UK

RIPA Modifications Could Mean ISP Exec Jail Time (November 25, 2010)

As part of modifications to the Regulation of Investigatory Powers Act, the government is advocating prison sentences for executives of Internet service providers that are caught snooping on sensitive customer information, Computerworld reports. The proposed changes, which follow claims that providers sometimes track users online and sell the information to marketers, would impose a two-year jail sentence for ISP executives found guilty and a £10,000 fine for those who unintentionally access user data illegally, the report states. A home office spokesperson said the changes "would provide additional protection for users by making it clear when users have explicitly given their consent to their information being used."

PRIVACY LAW—EU

EFF to Commission: Clarify ISP Safe Harbor Provision (November 25, 2010)

The Electronic Frontier Foundation has recommended that the European Commission clarify that intermediaries not be considered to have "actual knowledge" requiring them to take down content unless a court order or notification requires them to do so, according to an Electronic Frontier Foundation press release. The recommendation is part of the commission's public consultation on the workability of the 2000 EU eCommerce Directive, the report states, which regulates Internet activity in the EU. Clarifying the directive's safe harbor provision limiting intermediaries' liability for content is essential to protecting privacy and preventing monitoring of user communication on platforms, according to the EFF, which also seeks clarification on when court orders requiring communication monitoring can be used. 

PRIVACY LAW—DENMARK

Denmark Withdraws Data Bill (November 25, 2010)

After mounting objections by businesses and Denmark's data protection authority, the Danish government on 15 November withdrew a legislative proposal that sought to allow tax authorities full access to all company data stored by electronic media, Danish Tax Minister Troels Lund Poulsen announced in a statement. The draft bill would have amended the Danish Tax Control Act (869/04) to remove the requirement that tax authorities obtain a court order to view business files upon a demonstration of justifiable suspicion that the company in question has committed an offense (211 PRA, 11/3/10).

PRIVACY—FRANCE

CNIL Launches Complaint Service (November 25, 2010)

The CNIL has launched a new complaint service on its Web site where users can report the inability to delete or modify personal data on third-party sites, search engines or social networks, epractice.eu reports. Users can lodge a complaint, the report states, and receive the CNIL's support to enforce their right to update or to delete information from files containing their personal data. Digitised attachments in various formats may be included with the online complaint and, upon completion, the form is submitted securely to the CNIL and conveyed to the complaints department, the report states.

PRIVACY LAW—GERMANY

DPA Issues Open Letter (November 25, 2010)

In an open letter issued 23 November, Thilo Weichert of the Schleswig-Holstein Independent Center for Data Privacy invites German law enforcement authorities to cease demands for immediate reenactment of a six-month data retention law and instead contribute to discussions on aiming for a data retention policy that balances fundamental rights of the individual with the need to prevent and fight crime via the Internet. Arguing that the German six-month telecommunications data retention law was declared unconstitutional earlier this year, Weichert outlines issues he considers important to creating legislation that is as limited as possible but still proportional. (Text in German.)

PRIVACY LAW—UK

Spammer to Spend 18 Months in Jail (November 25, 2010)

A 33-year-old Scotland man will spend 18 months in jail after admitting he orchestrated a major e-mail scam, BBC News reports. The case involved the man sending millions of e-mails worldwide that released a virus when opened, the report states, allowing him access to private images, wills and confidential medical reports. He also targeted major international organisations. The prosecutor described the man as being "part of the top-end international hacking community." The detective in the case said the conviction shows that "criminals can't hide online and are being held accountable for their actions."

PRIVACY LAW—UK

Council Signs Undertaking After Children’s Data Breach (November 25, 2010)

Stoke on Trent Council has signed an undertaking after the Information Commissioner's Office was informed that the local authority had lost personal data on 40 children, v3.co.uk reports. An unencrypted memory stick that was not password protected was recovered by a citizen and returned to the council, which says it will now improve staff training and be sure portable devices are encrypted. The council will not be fined, however, as the incident occurred 6 April, before the ICO was granted fining powers. 

DATA THEFT—UK

Police Officer Convicted of Illegally Accessing Files (November 25, 2010)

Glasgow Sheriff Court this week convicted Strathclyde police officer Steven Smith of illegally accessing police systems for information on his boyfriend, reports BBC News. The department found out that Smith had looked at the file when it conducted an audit after being tipped off that he was associating with a known criminal. The sheriff told Smith, "You accessed information on two occasions without consent and without a known policing purpose. It is an abuse of trust and you did it for selfish personal reasons." Smith's lawyer said the relationship impaired the officer's judgment, and he regrets his actions.

PRIVACY LAW—UK

ICO Issues First Data Breach Fines (November 24, 2010)

The Information Commissioner's Office (ICO) has levied its first monetary penalty for a data breach, fining the Hertfordshire County Council £100,000 for accidentally faxing highly sensitive information about child abuse cases to the wrong recipients. The Independent reports that the ICO determined the incidents were serious breaches of the Data Protection Act. "It is difficult to imagine information more sensitive than that," said Information Commissioner Christopher Graham, adding, "I am concerned at this breach--not least because the local authority allowed it to happen twice within two weeks." In a separate case, a £60,000 fine was imposed on A4e, an employment services company, over the theft of a laptop containing personal information on about 24,000 people. 

ONLINE PRIVACY

Profiling Technology Making a Comeback (November 24, 2010)

Two years after an outcry by privacy advocates in the U.S. and UK appeared to squelch its use, deep packet inspection is on the verge of a comeback, The Wall Street Journal reports. Deep packet inspection is more powerful than other tracking techniques "because it can be used to monitor all online activity, not just Web browsing," the report states. Two U.S.-based companies now pitching use of such services have said they protect user privacy with such steps as user consent. The FTC has stated providers "should, at a minimum, notify consumers that the ISP was mining the information and obtain clear consumer consent." (Registration may be required to access this story.)

FINANCIAL PRIVACY—GERMANY

DPA Issues €200K Fine for Access, Profiling (November 24, 2010)

The German Data Protection Authority (DPA) has issued a €200,000 fine to the financial institution Hamburger Sparkasse AG for allowing customer representatives access to customers' bank data and for profiling its customers, reports the Hunton & Williams Privacy and Information Security Law Blog. The bank reportedly allowed self-employed, mobile customer service representatives to access customer data, often without consent, and created character profiles on customers based on neurological research and customer data such as socio-demographic data and product usage, including direct deposit accounts and the number of transactions. The DPA said that the bank quickly amended its procedures and cooperated with its investigation.

DATA PROTECTION—UK

Researchers: Study Your Cloud Computing Contracts (November 24, 2010)

Computerworld reports on a recent study by UK academics which found that cloud computing contracts may contain clauses posing risks to users. The Cloud Legal Project at Queen Mary University of London studied 31 cloud computing contracts from 27 providers and found that the contracts sometimes can be terminated for lack of use or sometimes for no reason, contain disclaimers denying responsibility for keeping user data secure and can be revoked for violations of the provider's "acceptable use" policy. Claims against a provider for data loss or a privacy breach may be difficult in cases where the provider seems local but, in fact, is hosted on another continent, the report warns.

PRIVACY LAW—EU

Cookies and Consent (November 24, 2010)

ComputerWeekly reports on the European Commission Citizens Rights Directive's rules for data security and breach disclosure. "These new rules focus in particular on the dropping of cookies onto our equipment," the report states. "This will only be lawful if the service provider has the subscriber or user's consent." The report points out that the benchmark for consent to be considered valid is that it "must be freely given, specific and informed." The EU's Article 29 Working Party issued an opinion earlier this year on the issue of cookies and consent, noting that default browser settings, bulk consents, Web user inactivity or the use of opt-outs will not meet the consent requirement.

DATA PROTECTION—UK

Survey: 70 Percent of Employees Would Take Data (November 23, 2010)

When leaving a job, 70 percent of employees indicated they would take corporate data with them. That's according to a report in OUT-LAW News on a recent survey of 1,000 London employees by data security company Imperva. "The increasingly common use of personal devices such as phones for business purposes and the ease with which digital data can be copied have led to growing concern among businesses that employees will take information belonging to a company when they leave it," the report states. The fears may be well founded, as the survey indicated 72 percent of respondents admitted to taking corporate data out of a company in the past.

DATA PROTECTION

Smartphones in the Workplace: A Problem? (November 23, 2010)

A recent survey found that eight out of 10 CIOs rank data breaches as their top security concern and think that using smartphones in the workplace increases their vulnerability to attack, InformationWeek reports. Market researcher Ovum and the European Association for e-identity and Security released the survey's report this week, which also found that half of organizations fail to authenticate employees' mobile devices but that 48 percent of employees are allowed to use personal mobile devices to connect to corporate systems. "Employees will want to use their devices, no matter who owns them, for both their work and personal lives," said an Ovum spokesman, adding that it's unrealistic to delineate between those uses.

DATA PROTECTION—EU

Working Party Calls for “Strict” General Agreement (November 22, 2010)

European data protection authorities have called for a "strict and far-reaching" general privacy agreement with the United States. In a letter addressed to European Commission Vice President Viviane Reding, the Article 29 Working Party "welcomes the initiative for a general agreement with the United States, since this could ensure a high level of protection for all individuals' personal data." The authorities would like this to be an "umbrella agreement" that could cover existing and future agreements between the EU and U.S., and the party stresses "the need for the future agreement to comply with the European Union's data protection framework, including the EU Charter of Fundamental Rights."

ONLINE PRIVACY—EU

Curbing Tracking Poses Challenges (November 22, 2010)

An EU effort to regulate the use of cookies for Internet tracking "is crumbling," The Wall Street Journal reports. The EU's law requiring companies to obtain consent from Web users when tracking files are placed on their computers awaits enactment by member countries, but "Internet companies, advertisers, lawmakers, privacy advocates and EU member nations can't agree on the law's meaning," the report states. And just how to move forward is a source of contention, with regulators, officials, privacy advocates and individual nations interpreting the law in different ways. EU Commissioner Neelie Kroes, who is in charge of overseeing the law's implementation, suggests, "We need a user-friendly solution." (Registration may be required to access this story.)

PRIVACY LAW—UK

ICO, Google Sign Data Handling Commitment (November 22, 2010)

The Information Commissioner's Office (ICO) has announced that Google has signed a commitment with the office, agreeing to improve data handling practices globally and not just in the UK, Computerworld reports. The commitment, which stems from the collection of personal information over unsecured wireless networks, does not include a fine, but had Google not agreed to sign it, an enforcement notice could have been issued, the report states. The agreement requires the company to enact improved data protection training measures for all employees, and the company has said each new project it launches will include a privacy design document. The company will also delete all data collected in the UK.

DATA RETENTION—GERMANY

Personal Data Plan Debate Flares (November 19, 2010)

A number of federal and state officials believe it is essential to restore Germany's 2007 data retention law, given new threats and a raised terror alert, Deutsche Welle reports. Interior Minister Thomas de Maizière, who has raised the terror alert level, has announced that there are concrete indications of a possible terrorist attack occurring soon in Germany. Justice Minister Sabine Leutheusser-Schnarrenberger, however, has said her office is against resuming data retention and instead favors "event-related use of any data," the report states, which would allow data to be temporarily captured and handed over to authorities, as is the case in the U.S.

TRAVELLERS’ PRIVACY—EU

Working Party Issues Opinion on PNR (November 19, 2010)

The Article 29 Working Party has issued an opinion on European Commission (EC) plans to exchange passengers' personal data with countries outside the European Union, according to a press release. The working party "questions the necessity of large-scale profiling for law enforcement purposes" and says that the EC has not presented objective proof or statistics that passenger name record data are valuable in combating terrorism. The opinion reacts to the EC's September communication on the matter. Article 29 Working Party Chairman Jacob Kohnstamm raised the concerns last week during a meeting with EU Commissioner for Home Affairs Cecilia Malmström.

Working Party To Eye New Zealand Adequacy, Proposed Directive Changes (November 19, 2010)

At its 7-8 December meetings in Brussels, the European Union's Article 29 Working Party will consider whether New Zealand's data protection regime provides adequate privacy protection for EU citizens' personal data, according to a draft agenda released this week by the working party, which is composed of data protection officials from the 27 EU member states. The commissioners will also discuss the European Commission's recently released outline of proposals for amending the EU Data Protection Directive (95/46/EC). Meanwhile, Ireland has secured concessions related to its concerns about the EU's recent decision to declare Israel adequate to store Europeans' personal information, including additional monitoring of Israel's manual processing of such data.

PRIVACY LAW—POLAND

Polish DPA Exploring Legality of Street View (November 19, 2010)

Warsaw Business Journal reports that Google may not be able to introduce its Street View feature in Poland because authorities feel it is illegal. The Inspector General for Personal Data Protection (GIODO) is checking the legality of the service, the report states, but has already indicated that his office does not support the company's storage of images of Polish streets on its server for 12 months. A GIODO spokesperson said the office previously released a decision demanding that source photos used for Street View be deleted immediately after posting. Meanwhile, Google placed 3-D images of 20 German cities online yesterday, though some buildings were pixelated; 245,000 Germans had asked that pictures of their homes be blurred for privacy.

PRIVACY LAW—GERMANY

Opinion: Retaining Telecoms Data Is Questionable (November 19, 2010)

According to an op-ed written for the online version of Die Zeit about retention of telecommunications data, reasons stated by Federal Data Protection Commissioner Peter Schaar for his support of some form of retention are strange. Noting that the Federal Constitutional Court declared a previous law on retention of telecommunications data without cause unconstitutional, the op-ed author questions in part statements Schaar makes in his blog regarding the need to consider a less intrusive alternative to the earlier law so as to better enable prosecution of Internet crime. The author also questions Thilo Weichert's views on this topic. (Article in German.)

DATA PROTECTION—UK

Database Plan Raises Concerns (November 19, 2010)

Deputy Prime Minister Nick Clegg has announced that councils will have the power to cross-match their databases beginning next year, ComputerworldUK reports, and that has privacy advocates concerned. NO2ID, an advocacy group that successfully campaigned against the introduction of national ID cards, is among those warning against the plan. "It breaks the first principle of data protection, which is that you don't use data gathered for one purpose for another purpose," said Phil Booth, NO2ID's national coordinator. The minister's announcement comes on the heels of recent criticism by the Information Commissioner's Office regarding councils' use of CCTV to track citizens for alleged minor misdemeanors.

DATA THEFT—EUROPE

EAST: Criminals Working Around Banks’ Protections (November 19, 2010)

Fraudsters are working around steps European banks have taken to prevent the skimming of ATM users' personal information, CIO reports. The European ATM Security Team (EAST) has issued a report that identifies new methods criminals are using to record payment card details. According to the report, banks in five countries have reported the existence of a new type of skimming device that records card details using a modified MP3 player.

TRAVELLERS’ PRIVACY

Airport Scanner Controversy Continues (November 19, 2010)

While a U.S. transportation official defended his agency's use of full body airport security scanners before a senate committee meeting this week, a German radio report claimed that the scanners being tested on a voluntary basis at the Hamburg Airport do not function correctly. North German Radio Channel 90.3 reported that the scanners apparently flag too many items as suspicious, and software written to resolve problems has not yet been installed. For example, the scanners are not reliable when penetrating multiple layers of clothing or with folds and wrinkles in individual clothing items, the report states. Consequently, manual passenger rechecks are frequent and long delays common. (Article in German.) Editor's note: A robust conversation about the privacy concerns associated with full body scanners is taking place on the IAPP Privacy List. Members can sign up or view the archives here.

PRIVACY LAW—THE NETHERLANDS

Bill Addresses Data Breaches, Cookies (November 17, 2010)

The minister of economic affairs has submitted a bill to the Dutch Parliament in a move toward implementation of the EU's e-Privacy Directive, the Hunton and Williams Privacy and Information Security Law Blog reports. The proposed legislation would amend the Dutch Telecommunications Act to require telecoms and ISPs to provide notification of data security breaches and would require consent for the use of cookies, the report states. The bill would require notification of both the Dutch Telecom Authority and affected individuals "without delay" of breaches that could affect personal data. It would also require data subjects' prior consent to place cookies on their computers.

ONLINE PRIVACY

Analysts, Others React to New Messaging System (November 17, 2010)

Analysts and others are reacting to news that Facebook has launched a messaging system, Computerworld reports. Company founder Mark Zuckerberg introduced Facebook Messages at a press conference earlier this week. The system will enable e-mail, instant messaging, SMS and Facebook messages, and the company will archive conversation histories, according to a Deutsche Welle report. "The more Facebook puts itself in a position to receive, store and safeguard the most private communications we have, the more Facebook will need to be vigilant to protect privacy and guard against hacking and theft," said Forrester Research analyst Augie Ray. 

ONLINE PRIVACY

Studies Point to Benefits of Privacy Icons (November 16, 2010)

Two recent studies indicate that privacy icons are effective, The New York Times reports. The first study, conducted by TRUSTe and Publishers Clearing House over six months, allowed users to click on an icon to learn about interest-based ads, provide feedback and opt out. Only 1.1 percent chose to opt out of all advertising networks. A study by Better Advertising and Dynamic Logic analyzed reactions to the Digital Advertising Alliance's icon, finding that 67 percent preferred brands that gave them more control, including opt-out provisions. "The level of transparency and control accrues really positive benefits to the brands that take this extra step," said Scott Meyer of Better Advertising. (Registration may be required to access this story.)

PRIVACY LAW—EU

Hustinx Supports Proposed Data Protection Reforms (November 16, 2010)

European Data Protection Supervisor Peter Hustinx says he welcomes the proposed changes to Europe's Data Protection Directive, The Register reports. The proposed changes, which Hustinx says are needed to keep pace with advances in technology and increased data collection, include revision of the rules in the areas of law enforcement, cross-border data protection, mandatory breach notifications and more effective enforcement of the rules. "Data protection is not an abstract thing. It relates to everybody's life," Hustinx said. "There is no room for mistakes here. The challenges are enormous."

DATA LOSS—UK

ICO Addresses Two Breach Cases (November 16, 2010)

The Independent Parliamentary Standards Authority has signed a formal undertaking with the Information Commissioner's Office (ICO) following an incident where MPs' personal details were exposed for 21 hours on a parliamentary expense database. "This case highlights how any work carried out on a database must be subject to rigorous security testing before being re-launched," ICO Head of Enforcement Mike Gorrill noted in a press release. In a second incident, the ICO has determined the New Forest District Council breached the Data Protection Act by publishing planning applicants' personal information online. "We will be monitoring other local authorities to scope compliance in this area on a national level," said ICO Enforcement Group Manager Sally-Anne Poole. 

ONLINE PRIVACY

Opinion: Forget Being Forgotten (November 15, 2010)

On both sides of the Atlantic, privacy is front and center on the regulatory stage. The Wall Street Journal reports on discussions in the U.S. on new laws and an EU proposal that, "People should have the 'right to be forgotten' when their data is no longer needed or they want their data to be deleted." However, Adam Thierer, president of the Progress and Freedom Foundation, contends, "A privacy right should only concern information that is actually private. What a 'right to be forgotten' does is try to take information that is, by default, public information, and pretend that it's private." (Registration may be required to access this story.)

TRAVELLERS’ PRIVACY—EU & U.S.

Passenger Data Debate Persists (November 12, 2010)

Members of the European Parliament (MEP) continue to express concerns about the collection and use of air passengers' data, as talks on sharing it between the European Union and U.S. are set to continue, PCWorld reports. At a 20 November EU-U.S. summit, parliamentarians will debate the issues associated with sharing such data as names, phone numbers, e-mail addresses, travel itineraries and billing information of passengers entering and leaving the EU. While the European Commission says the information would be used for counter-terrorism purposes only, MEPs have called for "factual evidence that the collection, storage and processing of PNR data is necessary."

HEALTHCARE PRIVACY—UK

ICO Investigating NHS Birmingham Breach (November 12, 2010)

The UK Information Commissioner's Office (ICO) is investigating the Birmingham Primary Care Shared Services Agency after learning that patient and staff data were exposed, reports the Birmingham Post. Jonathan Tringham, director of resources at NHS Birmingham East and North, said, "Documents with patient identifiable data were potentially available to staff across the three trusts. At no point were patient records accessed inappropriately." The agency is working through plans and assessing the cost of rectifying the situation, Tringham said. If the commissioner finds the agency in breach of the Data Protection Act, it could face fines of up to £500,000.

PERSONAL PRIVACY—EU

Farmers Win Privacy v. Transparency Suit (November 12, 2010)

The European Court of Justice (ECJ) ruled this week that the EU must stop publishing data about individual farmers who receive subsidies under the Common Agricultural Policy (CAP), reports BBC News. In an effort to show taxpayers where and how CAP subsidies--which make up about half the EU's budget--were being used, the EU published the names of farmers and amounts of subsidies. But the ECJ found that the practice did not strike the proper balance between privacy and transparency where individual farmers were concerned. The practice continues for agricultural firms and farmers registered as companies. The European Commission will now look at whether new regulation is needed.

PRIVACY LAW—UK

RIPA Revision Open for Consult (November 12, 2010)

The UK Home Office has released its proposed revision of the Regulation of Investigatory Powers Act (RIPA) after the European Commission said the UK's implementation of its data protection and online privacy laws was flawed, reports ITPro. In October, the EC threatened legal action and gave the UK two months to respond. The Home Office will close the response period on 7 December. The proposed changes have been posted to the Internet and include increased powers for the Interception of Communications Commissioner to act against ISPs and telecom carriers.
Full Story

SURVEILLANCE—UK

ICO Report: Legislation Needs Privacy Review (November 12, 2010)

In an update submitted to parliament Thursday on the state of surveillance, Information Commissioner Christopher Graham recommends post-legislative reviews of laws affecting privacy concerns to ensure they are being used as intended. In a press release, the commissioner said this would give the government "a key way of ensuring the successful delivery of the new transparency and privacy agenda." The report also recommends widespread adoption of privacy enhancing technologies for the private sector and says organizations should consider the privacy implications of new technologies prior to launching them. The Home Affairs Committee requested the report as part of its inquiry into the surveillance society.
Full Story

DATA PROTECTION—UK

ICO Responds to Critics of WiFi Investigation (November 11, 2010)

In The Telegraph, Information Commissioner Christopher Graham responds to criticism about his agency's investigation into Google's collection of personal details through unencrypted WiFi networks. Privacy advocates and members of parliament have condemned Graham for initially sending non-technical staff to investigate the matter and for failing to levy a harsher punishment on the company for contravening the UK Data Protection Act. But Graham points out that the amends--deletion of the data and a future audit--fit the offense, saying that what Google collected "certainly didn't amount to a significant cache of personally identifiable information."
Full Story

PRIVACY LAW—SWEDEN

Sweden Proposes Six-Month Data Retention (November 11, 2010)

The Local reports on a bill presented by the Swedish government Thursday that aims to bring Sweden in line with the EU Data Retention Directive. Telephone and broadband providers would be required to retain electronic data for six months under the bill--the shortest period allowed under the directive--which would come into force in July 2011. In presenting the bill, Justice Minister Beatrice Ask said it considers privacy in that "the information can only be disclosed for crime-fighting purposes." Sweden was reprimanded in February by the EU Court of Justice for not having implemented the directive on time.
Full Story

BEHAVIORAL TARGETING—EU

Parliament Looks at Warning Labels for OBA (November 10, 2010)

The EU Parliament has demonstrated concerns that behavioral advertising may breach consumer privacy rights, PCWorld reports. Parliament's Internal Market Committee approved a report calling for warning labels to accompany targeted advertisements. The report, by French member Philippe Juvin, highlights behavioral targeting techniques and calls for online forum moderators who are savvy about these methods. Members noted that the Unfair Commercial Practices Directive of 2005 is not equipped to cover these new technologies, the report states. The report is scheduled for a plenary vote in December.
Full Story

RFID—FRANCE

Is Tagging a Solution or a Problem? (November 10, 2010)

Though a French company with plans to electronically tag nursery-aged children in Paris has halted implementation due to privacy concerns, the international trend is different, The Guardian reports. Worldwide, 150 maternity wards in 17 countries already use RFID tags that are capable of remotely tracking a subject's location, with some countries creating laws to mandate such devices. Alex Türk, the head of France's Commission for Information Technology and Freedom (CNIL), says the tags will become smaller and more difficult to legislate. "Sometimes we need to say 'no' to the temptations of technology," Türk said, calling for the French Parliament to address the issue and for debates on the topic to begin around the globe.
Full Story

DATA PROTECTION—UK

ICO Releases Study Findings (November 9, 2010)

A survey commissioned by the UK Information Commissioner's Office (ICO) has revealed that private sector organizations lag behind public sector bodies in their knowledge of data protection principles, eWeek reports. While 60 percent of public sector organizations surveyed indicated awareness about securely storing personal information, 48 percent of private sector entities indicated the same. Only 14 percent of all organizations polled for the study could identify all eight data protection principles, the report states. On releasing the findings, Information Commissioner Christopher Graham said, "A strong awareness of data protection obligations is of fundamental importance to any organization. Businesses need to show they are taking data protection seriously."
Full Story

SOCIAL NETWORKING

Web Company: Put Privacy Before Ads (November 9, 2010)

Founders of a new browser aimed at social network users are not planning on selling ads, The Wall Street Journal reports, because they believe it will be a conflict of interest with user privacy. RockMelt made its public debut in a test version Monday, the report states, and while it has some big-name investors, the company has said that when it comes to making money, an ad network is not part of the plan. The focus, said co-founder Tim Howes, is on improved Web browsing, and "you can't have a good user experience if somebody is (taking) your data and using it to sell ads." (Registration may be required to access this story.)
Full Story

GEO PRIVACY

Location-Based Services See Success Ahead (November 8, 2010)

The location-based services industry has had no problem finding investors. That's because personal data is such a valuable currency for marketing, The New York Times reports. Advertisers plan to spend $1.8 billion on location-based marketing in 2015, according to ABI Research. And users are happy to give up their personal data for a service they find useful, the report states, despite concerns about their privacy. "Many people are in a more 'transactional' frame of mind" when it comes to their personal information, said the director of the Internet and American Life Project. "They will share information if they think they can get something of value for it." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Somebody’s Camera Is Watching You (November 8, 2010)

They are tiny, lightweight and can even be worn tucked into your hair accessory or just above your ear as they record everything that's going on around you. The New York Times reports on these "wearable" cameras that have the ability to "record life's memorable moments as they unfold" and the privacy questions they raise. Harvard Prof. Jonathan Zittrain suggests that with proper procedures in place, the cameras could help future historians, noting, "We have painstakingly reconstructed ancient civilizations based on pottery and a few tablets... I would love to leave this legacy instead." However, he also acknowledges that as photos and video of unsuspecting individuals show up on the Internet, the devices are likely to raise privacy concerns. (Registration may be required to access this story.) Editor's note: Read more about the practice of recording every moment in the feature, "Valuing, protecting and commoditizing your personal information: Is 'data banking' the answer?" from the June edition of Inside 1to1: Privacy.
Full Story

ONLINE PRIVACY—UK

Graham: Anti-Terrorist Database Plans Flawed (November 8, 2010)

Information Commissioner Christopher Graham said that after finding Google responsible for a "significant breach" of data protection rules, the company cannot be trusted to store data in accordance with the new anti-terrorism plan proposed by the UK government, reports The Australian. The plan requires companies and Internet service providers to store details of customers' Internet and telephone communications, states the report. Earlier, the government dismissed proposals for a central government database, but Graham still has concerns. "Anyone who thinks that storing the information with the communication service providers, rather than in a big database, solves the problem hasn't been paying attention with what's been going on with Google," he said.
Full Story

PRIVACY LAW—EU

EU Commission Proposes Revisions to Data Protection Directive (November 5, 2010)

On 4 November, the European Commission announced a set of proposals for revision of the EU 1995 Data Protection Directive. Arising out of a policy review that began in 2009, the proposals include the key goals of strengthening individual rights, enhancing the single market dimension in the implementation of EU data protection rules, revision of the rules in the areas of police and criminal justice, ensuring high levels of protection for data transferred outside the EU, and more effective enforcement of the rules. The commission has called for comments from the public and all stakeholders on these proposals, to be submitted by 15 January, 2011.
Full Story

DATA LOSS

OECD Network Hacked (November 5, 2010)

The Organisation for Economic Cooperation and Development (OECD) confirmed on Thursday that its network had been hacked, reports euobserver.com. An OECD spokesman described the event as a sophisticated attack. "We've got quite high levels of security protocols at the OECD, and this has been able to bypass those security measures," said Stephen Di Biasio, adding that the agency is trying to clear malware out of its system. "It's not a destructive attack," Di Biasio said, "It's obviously fishing for information." Di Biasio believes the malware came from a USB memory stick. "Our agents travel around the world," he said. "There are exchanges of information, exchanges of USB keys."
Full Story

ICO: WiFi Collection Breached DPA (November 5, 2010)

UK Information Commissioner Christopher Graham has determined Google's inadvertent collection of personal data through its Street View vehicles was a "significant breach" of the Data Protection Act, BBC reports. Google must now sign an undertaking to ensure data protection breaches do not happen again and delete the data it collected. "We are profoundly sorry for mistakenly collecting payload data in the UK from unencrypted wireless networks," said Peter Fleischer, Google's global privacy counsel, noting, "We are in the process of confirming that there are no outstanding legal obligations upon us to retain the data and will then ensure that it is quickly and safely deleted." Meanwhile, the Australian Privacy Foundation is criticizing Australia's former privacy commissioner for her handling of the Street View incident.
Full Story

PRIVACY LAW—GERMANY

German Commissioner Supports EU Directive Review (November 5, 2010)

German Commissioner for Data Privacy and Freedom of Information Peter Schaar welcomes the newly announced European Commission initiative to revise the EU Data Protection Directive, saying it is a solid foundation for modernizing data privacy law. Schaar said he agrees with the commission that EU citizens have a guaranteed right to the protection of their personal data, which must be applied in relations with non-EU countries. This right should then apply to the processing of personal data by international Internet companies. Schaar also agrees that the right to protection of data should be strengthened in relation to government authorities. (Article in German)
Full Story

PRIVACY LAW—UK

ICO: First Fines To Be Imposed Later This Month (November 5, 2010)

Information Commissioner Christopher Graham says his office will announce the first organizations to be fined later this month, Kable reports. The office's ability to impose fines has given it the teeth it has lacked, said Graham at an event in London Wednesday. He also provided data on organizations leading in data breaches, which included the NHS with 377 breaches--30 percent of all 1,254 breaches reported to date--followed by the private sector (360), local government (184), central government (97) and other public sector bodies (149). Graham said decisions on how steep a fine will be imposed will depend on the size of the offending organization.
Full Story

PRIVACY LAW—GERMANY

Bundesrat Calls for Substantial Improvements in Legislation (November 5, 2010)

On 2 November, Bundesrat committees submitted 46 pages of recommendations for changes to the legislation drafted by the administration of Chancellor Merkel on employee data protection. The committees have expressed concern that the administration has not presented a draft for an independent piece of legislation but rather for an amendment to be included as a subsection to the federal data privacy law. Among other points, committee policy specialists insist on more restrictions against video surveillance in the workplace and unwarranted data matching. Overall, the recommendations agree with the demands for substantial improvements previously made by German data protection officials. (Article in German)
Full Story

DATA LOSS—UK

Council Signs Undertaking (November 5, 2010)

Portsmouth City Council has signed an undertaking after the Information Commissioner's Office (ICO) found it had inappropriately disclosed personal information. The disclosure occurred after an individual requested to see the information the council held about her through a subject access request, which was granted by an individual who was neither employed by the council nor acting on its behalf. The council informed the ICO of the breach, and the ICO found the supervision and training provided to staff involved in the subject access request process to be inadequate. The undertaking states that the council will improve its training on such requests.
Full Story

DATA PROTECTION—UK

Minister Proposes New Code of Conduct (November 4, 2010)

Culture Minister Ed Vaizey has proposed a refreshed code of Internet conduct that "more well-known and legitimate Web sites" should be made to sign, The Guardian reports. He proposes an updated version of the code the Information Commissioner's Office (ICO) currently uses. Vaizey was set to meet with the ICO yesterday to discuss the proposition and plans to write to Internet service providers about the idea. The code would allow for citizen redress in the event of privacy breaches, Vaizey said during a parliamentary debate last week. He also proposed the creation of a mediation service that citizens could use to seek data dispute resolution.
Full Story

CHILDREN’S PRIVACY

Eye-Spy Barbie? (November 4, 2010)

The Sydney Morning Herald reports that Barbie may be getting older, but she is certainly keeping up with new technology--with her most recent iteration, complete with a built-in camera, raising privacy concerns. The Barbie Video Girl doll comes equipped with the ability to record up to 30 minutes of video and a color LCD screen in her back. The doll is being criticized for enabling children to film themselves and others using the hidden camera in the doll's necklace, creating videos that can then be transferred to a computer. Some experts suggest better privacy laws are needed to protect children against the potential inappropriate use of technology.
Full Story

PERSONAL PRIVACY—GERMANY

Electronic ID Cards Incite Concerns (November 3, 2010)

Fears about privacy and identity theft are accompanying the government's rollout of electronic identity cards, Reuters reports. The cards store personal data--including the owner's date and place of birth, address, biometric photo and voluntary fingerprints--and aim to facilitate e-commerce by allowing users to sign documents electronically. But around 44 percent of Germans are skeptical about the cards, according to an industry body's survey. Johannes Caspar, head of Hamburg's data protection agency, said some of the fears are based on a "Big Brother" scenario about the state's collection and storage of personal information.
Full Story

SOCIAL NETWORKING

New Feature Raises Concerns (November 2, 2010)

"Friendship Pages," a new Facebook feature that shows the relationship between friends, is raising privacy concerns, InformationWeek reports. The new feature uses public information shared between friends that would be linked under relevant wall posts, stories and profile photos and would be accessible to those who are Facebook friends with at least one of the two users, the report states. Some users, however, are voicing privacy concerns. As one user put it, "While I'm all for innovation, privacy should come first...If you introduce a new feature, notify the community when it arrives." Users are also calling for clear opt-in or opt-out choices for such features.
Full Story

ONLINE PRIVACY

Rethinking Privacy in the Cloud (November 2, 2010)

With privacy concerns abounding when it comes to Internet use and cloud computing, eSecurityPlanet explores the idea of rethinking privacy in the cloud. "To gain some clarity on the cloud privacy issue, it is helpful to break down the exposure use cases into three categories," the report states, focusing on the issues of unintentional user-driven data leaks, lack of provider protections and intentional breaches perpetrated for monetary gain. When it comes to cloud computing, the report suggests, "providers have a responsibility to let users and enterprises know when they're using our information to hop on the marketing gravy train and selling sensitive information to other vendors and advertisers." Editor's Note: The upcoming IAPP Practical Privacy Series will feature a session on cloud computing issues entitled "Cutting Through the Cloud Computing Fog: Evaluation, Adoption, Privacy and Security."
Full Story

ONLINE PRIVACY—GERMANY

Street View Launched (November 2, 2010)

Google's first Street View images of Germany are now online, AFP reports. Following opposition to the mapping service over privacy concerns, Google allowed people to opt out by having their properties pixelated, and about 250,000 Germans chose the option, the report states. The first images now online show the town of Oberstaufen in Bavaria, and some of the houses are blurred. Street View will be rolled out in the country's 20 largest cities later this year, the report states.
Full Story

SOCIAL NETWORKING

Facebook Suspends Apps for Sharing User Data (November 1, 2010)

The Wall Street Journal reports that Facebook has announced that a data broker paid application developers for users' information, prompting the world's largest social networking site to place some of its app developers on a six-month suspension. In its announcement, Facebook wrote that it has a "zero tolerance" policy for data brokers "because they undermine the value that users have come to expect from Facebook," the report states. The company has said the apps in question were not providing data that users had set as private, but wrote that "this violation of our policy is something we take seriously." Facebook has not named the app developers or data broker involved, the report states. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY

PCI DSS Changes Welcomed (November 1, 2010)

Although the PCI Security Standards Council (PCI SSC) revisions to the PCI data security standard (PCI DSS) and payment application data security standard (PA DSS) have been described as minor, the response so far has been positive, SC Magazine reports. The new version, which will go into effect on Jan. 1, "does not introduce any new major requirements, and the majority of changes are modifications to the language, which clarify the meaning of the requirements and make understanding and adoption easier for merchants," the report states. The report highlights the positive responses by several organizations and data protection professionals to the changes announced last week.
Full Story

SOCIAL NETWORKING

Filling Privacy’s Generation Gap (November 1, 2010)

Michael Geist writes of this past week's 32nd Annual Data Protection and Privacy Commissioner Conference and the focus on the perception of "a growing privacy divide between generations, with older and younger demographics seemingly adopting sharply different views on the importance of privacy." In this Toronto Star report, he writes that "longstanding privacy norms are being increasingly challenged by the massive popularity of social networks that encourage users to share information," citing strategies to balance openness and personal privacy while ensuring companies "understand the legal limits on collecting, using and disclosing personal information and for users to know that the law stands ready to assist them if those rules are violated."
Full Story