European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY—GERMANY

Justice Minister Focuses on Privacy Leadership (January 31, 2011)

The Associated Press reports on Justice Minister Sabine Leutheusser-Schnarrenberger's comments that Germany should become a leader in international data protection standards. Urging the EU to include agreements on data protection standards with the U.S. in its revision of existing data protection laws, she spoke of the "different legal cultures" of data protection on both sides of the Atlantic, noting, "For this reason, I believe it is important that we strive to achieve basic ground rules of what constitutes data security." Leutheusser-Schnarrenberger has announced the creation of a German foundation to explore such data security issues as developing technology to protect users' privacy.

PRIVACY LAW—UK

Companies Await Changes to BT Rules (January 31, 2011)

UK businesses are preparing for changes to current law that will bar them from collecting personal information about Internet users without their knowledge, the Daily Mail reports. As the European Commission reviews the data protection act, changes are expected to include a strengthening of people's rights to opt out of having their personal data used for targeted ads and could include the right to have their data permanently deleted. Justice Minister Lord McNally said technology has come a long way, which is why "the government is working with businesses, charities, consumer groups and the public sector to look at the law and ensure it continues to protect our personal information well into the 21st century."
Full Story

DATA LOSS—IRELAND

Credit Card Scam Still Active (January 31, 2011)

Data Protection Commissioner Billy Hawkes and Microsoft Ireland are warning the public about a cold-calling scam from people claiming to be representing Microsoft, Silicon Republic reports. Scammers posing as Microsoft employees have been calling individuals claiming there was a problem with their computers and that they could fix it by downloading a file that would be available once a credit card was provided. The file contained a virus, allowing the hackers access to the individuals' personal information. The still-active scam is under investigation by the Gardaí, ComReg and the National Consumer Agency. Individuals are warned to hang up if they receive such a call and to call their credit card provider if any account details were provided.
Full Story

SOCIAL NETWORKING

Advocates Not “Liking” Ad Plan (January 31, 2011)

While a new feature on the world's largest social network is being seen as potential gold for advertising, privacy advocates and some users are raising concerns, USA TODAY reports. The new advertising format uses Facebook members' "likes" and other online actions to create promotional content in the form of "Sponsored Stories," which "became available for large brands to buy last week and is being rolled out over the next few weeks to Facebook's more than 500 million members." The Electronic Frontier Foundation is calling for an opt-out option for users. "Any time they make a change, people react, especially if there is a commercial element," says Future of Privacy Forum Director Jules Polonetsky, CIPP.
Full Story

PRIVACY LAW—EU

Reding: Rules Must Reflect Modern Times (January 28, 2011)

European Commission Vice President Viviane Reding was scheduled to speak in Davos today in honor of Data Protection Day, discussing 2011 data protection reform. According to a European Commission media release, Reding was attending a session on cloud computing and was to meet with leading European and U.S. technology companies. Reding said the commission's review of the 1995 Data Protection Directive "will have a profound impact on the ICT industry. My goal is to ensure that the modernized rules reflect changes in technology, especially the emergence of cloud computing, social network sites and behavioral advertising." Clarifying the legal position of cross-border services will affect the ICT industry and strengthen users' data protection rights, the release states.
Full Story

ONLINE PRIVACY—EU

Commissioner: EU Should Guide Cloud Deployment (January 28, 2011)

The European Union is set to introduce a set of cloud computing guidelines that will address data protection, privacy regulations and common approaches to cloud deployment, Computerworld reports. At the World Economic Forum in Davos yesterday, European Digital Agenda Commissioner Neelie Kroes said the EU can help the transition to the cloud run "smoother and faster," and should take care that data protection achievements do not clash with the cloud. The three areas the EU should get involved in are the cloud's legal framework around data protection and privacy, technical and commercial fundamentals and supporting pilot projects towards cloud deployment, the report states. A document containing plans for such action should be released by 2012, Kroes said.
Full Story

DATA PROTECTION—UK

ICO Releases Guidelines for Online Safety (January 28, 2011)

Information Commissioner Christopher Graham has released guidelines to help consumers protect their personal information on social networking sites and understand what steps to take if a data breach occurs, The Telegraph reports. The "Personal Information Toolkit" also aims to alert consumers about their right to access and correct information held about them, the report states. Graham said, "It's never been more important to protect your personal information." A recent Information Commissioner's Office survey found that 92 percent of people believe that organizations are failing to keep customers' personal details safe online and that three out of five people think they have lost control of the way their personal information is collected and processed.
Full Story

PRIVACY LAW—LATVIA

New Data Protection Law Takes Effect Next Week (January 28, 2011)

Latvia's new data protection law will take effect on February 1, Deutsche Welle reports. The law requires the appointment of a new IT security official to oversee all state institutions. It also establishes the nation's new Cyber-Security Response Agency, which will be comprised of eight IT experts who will oversee IT security and promote data protection awareness among public-sector employees. The Latvian Parliament passed the law last October following a February 2010 data breach at the State Revenue Service. One of the drafters of the legislation said, "We will establish the minimal standards for every state and every local government institution in IT security."
Full Story

ONLINE PRIVACY—KOSOVO

SIM Registration Deadline Nears, But Still No Privacy Regulator (January 28, 2011)

Per a new directive from Kosovo's telecom regulator, mobile phone owners must register their SIM cards by February 28 or face disconnection, Deutsche Welle reports. And this could lead to trouble, according to some who say the country's data protection regulator should be put into place before such data collection and potential sharing occurs. Kosovo's data protection law was adopted in 2010, but political opposition has prevented the establishment of the agency that will enforce it. Although the Kosovo Police Service has asserted that officers will need a warrant in order to obtain registered SIM data, a European Commission official says that Kosovars should be wary.
Full Story

DATA PROTECTION—EU

EDPS Outlines Priorities in Data Protection Day Video (January 28, 2011)

In a video address in recognition of Data Protection Day 2011, European Data Protection Supervisor Peter Hustinx and Assistant Supervisor Giovanni Buttarelli outline the main priorities and challenges for data protection in the coming year. With regards to the European Commission's review of the EU data protection framework, Hustinx emphasized that "there is no room for mistakes here. The challenges are huge." He added that his office expects the European Commission to "seize the opportunity to come up with ambitious proposals for parliament and the council." The two also discussed compliance monitoring, the Stockholm Programme and the need for privacy by design.
Full Story

SOCIAL NETWORKING—GERMANY

Facebook, DPA Reach Privacy Deal (January 28, 2011)

Following concerns from German data protection officials, the world's largest social network has agreed to make changes to its feature that allows the company to send e-mail invitations to potential users through current members' address books, Deutsche Welle reports. The Hamburg Data Protection Authority announced Monday that it had reached an agreement with Facebook to give its members more control over their e-mail address books, including allowing Facebook users to choose who should receive an invitation to join the site and adding an additional warning message before it can be sent. Facebook issued a statement that it looks forward to continuing "our constructive discussions and dialogue in the future."
Full Story

HEALTHCARE PRIVACY—EU

Report: Privacy Protection Needed for eHealth (January 28, 2011)

EurActiv reports on the implications of technologies being developed to allow medical checkups via telephone as one of the latest moves toward eHealth. The eHealth industry "has the potential to become the third largest industry in the health sector," the report states, but one of the key issues that must be addressed is data protection. Guaranteed protection of patient data is required for eHealth to move forward, since "Winning public acceptance of new health technologies will require consumer confidence."
Full Story

ONLINE PRIVACY

GSMA Publishes Mobile Privacy Principles (January 28, 2011)

The GSMA has published Mobile Privacy Principles to help address concerns associated with the use of mobile technologies, Telecompaper reports. "Online privacy is an important and high-profile issue across the globe," said GSMA Chief Regulatory Officer Tom Phillips. The principles cover transparency, notice and data minimization, among other topics, and are expected to aid the creation of "more detailed guidelines and codes of conduct to address specific consumer concerns," according to a GSMA press release. Phillips described the principles as "a significant first step," but said addressing mobile privacy is an ongoing challenge that requires the support and collaboration of many. "This is a call to action to the broader industry," he said. (Registration may be required to access this article.)
Full Story

PRIVACY—FRANCE

A History of Data Protection (January 28, 2011)

Taking the signing of the "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data" 30 years ago as its starting point, Deutsche Welle examines France's long tradition of privacy and data protection. Describing France as one of the first EU countries to enact privacy law, the report highlights the Data Protection and Liberties Act, which prohibits the processing of sensitive data such as race, ethnicity, politics or religious affiliation. The report also reflects on the nineteenth-century origins of the right to a private life in France. Paris II University Prof. Emmanuel Derieux suggests this commitment may stem from "a sensitivity or sensibility. French people worried about the protection of their private life and their independence."
Full Story

PRIVACY LAW—UK

ICO Reminds Councillors To Register (January 28, 2011)

The UK Information Commissioner's Office (ICO) is sending letters to councillors urging them to make sure they are fulfilling their legal requirements under the Data Protection Act. An ICO press release says councillors need to consider their role in processing personal information and, if required, register with the ICO or risk fines of up to €5,000. "Most councillors have regular access to the personal information of the residents they represent," said Simon Entwisle, ICO director of operations. "Like all organisations who handle people's information, it is of paramount importance that they take their responsibilities under the Data Protection Act seriously."
Full Story

DATA RETENTION

Report Questions Effectiveness of Data Retention (January 27, 2011)

U.S. law enforcement officials this week called for mandatory data retention periods for Internet service providers in order to better fight online crime, just as a European NGO released a report critical of data retention as a crime-fighting method. The report, published by the German NGO AK Vorrat, states that data retention is ineffective because criminals switch to "Internet cafes, wireless Internet access points, anonymization services, public telephones, unregistered mobile telephone cards" and other means to get around scrutiny, The Wall Street Journal reports. The European Commission continues its review of the controversial data retention directive. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Privacy as Competitive Edge (January 27, 2011)

The Wall Street Journal examines whether startup search engine DuckDuckGo's pledge to honor user privacy by not storing personal data or sending search information to other sites will provide a competitive edge against online search giants. The report poses the question, "Would you switch search engines for privacy reasons, or are other aspects of search more important to you?" DuckDuckGo's founder has said the company's goal is to appeal "to a non-negligible part of the population," adding he expects the site to see about 4 million searches this month, up from a typical 2.5 million per month before he publicized its privacy features. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Search Engines Offer Opt-Out Plans (January 25, 2011)

Major media outlets are reporting on plans by Google and Mozilla to offer do-not-track options for their users. Google has announced its new "Keep My Opt-Outs" tool, which enables users of its Chrome Web browser to permanently opt out of online tracking, while Mozilla's new opt-out tool for its Firefox browser provides users with more understanding and control of how their personal information is being used by advertisers. A Federal Trade Commission spokeswoman discussed efforts by Mozilla, Microsoft and Google to provide do-not-track options. Meanwhile, MediaPost News reports that while the FTC is cheering such plans, "whether ad networks and online marketers will follow those preferences is far from clear."
Full Story

ONLINE PRIVACY

Opinion: Is There a Dark Lining in the Cloud? (January 25, 2011)

There are many benefits to cloud computing, but European Commissioner Viviane Reding questions, "is there a dark lining to the cloud?" In an opinion piece for The Wall Street Journal, Reding cautions, "Consumers who store data in the cloud risk losing control over their photos, contacts and e-mails. Data is whirling around the world: A UK resident who creates an online personal agenda could use software hosted in Germany that is then processed in India, stored in Poland and accessed in Spain." Describing the European Commission's commitment to privacy, she writes that the EU's data protection rules "have stood the test of time, but now they need to be modernized to reflect the new technological landscape." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—GERMANY

Rhineland-Palatinate DPA Finds Legal Infractions (January 25, 2011)

The data protection authority (DPA) of Rhineland-Palatinate has concluded its investigation into the legality of Web site analysis tools, finding that many companies are breaching data protection law in using them. The DPA found that the companies are failing to notify individuals about the use of analytics and are failing to obtain the required consent to transfer personal data to the United States, reports the Hunton & Williams Privacy and Information Security Law Blog. The DPA also found that companies' data processor agreements "do not meet the statutory requirements for such agreements pursuant to the Federal Data Protection Act."
Full Story

PRIVACY LAW—EU

Hustinx: Directive Changes Should Be Stronger (January 25, 2011)

European Data Protection Supervisor (EDPS) Peter Hustinx has published an opinion urging the European Commission (EC) to extend mandatory data breach notifications beyond current limits, OUT-LAW.COM reports. Hustinx says planned changes to EU privacy law do not go far enough and supports the extension of notification obligations to "fully apply to data controllers other than providers of electronic communication services." In his analysis of the EC's plans to amend data protection law, Hustinx says his office supports more ambitious solutions and calls for a strengthening of EDPS powers, a user's right to be forgotten and greater consistency in the way the directive is implemented amongst EU member states.
Full Story

PRIVACY LAW—IRELAND

Hawkes Warns Candidates: Consent Before Contact (January 25, 2011)

As the general election approaches, Data Protection Commissioner Billy Hawkes has warned political parties to only communicate with individuals over text, e-mail or phone if they have consented to share contact information, Silicon Republic reports. Though candidates may send letters to anyone on the Register of Electors per the Data Protection Act, they may not obtain contact information through third parties, Hawkes warns. In the past, Hawkes has received complaints from people who received unsolicited calls, texts and e-mails, which investigations revealed were possible due to third-party information sharing without consent.
Full Story

DATA LOSS

Smartphone User Data Potentially Exposed (January 24, 2011)

A mobile application developer has warned of a data breach that could affect up to 10 million users, SC Magazine reports. Trapster.com says a hacker may have accessed user e-mail addresses and passwords and advises that users change their passwords. The company believes this was a single event and has rewritten the software code to prevent future attacks, it says. It is now notifying those potentially affected, though there is no evidence that the data has been used.
Full Story

DATA LOSS—UK

Lush Confirms Breach (January 21, 2011)

ZDNet reports that Lush Cosmetics has suffered a data breach. The company issued a statement yesterday advising customers that credit card information was compromised when hackers entered the UK version of its Web site. ZDNet reports that Lush customers are reporting fraudulent transactions in their bank accounts. The company has shuttered the compromised site due in part to re-entry attempts by the perpetrators. In its statement, Lush said, "For complete ease of mind, we would like all customers that placed ONLINE orders with us between 4th Oct 2010 and today, 20th Jan 2011, to contact their banks for advice as their card details may have been compromised."
Full Story

PRIVACY LAW—EU

ENISA Raises Data Protection Concerns (January 21, 2011)

Computing.co.uk reports on the European Network and Information Security Agency (ENISA) release of its report on data breach notifications as required for the electronic communications sector in the ePrivacy Directive. The requirement, according to an ENISA release, is vital to increase long-term data security in Europe. The report highlights key concerns for both telecom operators and DPAs, including the use of cloud computing, and notes that recent high-profile incidents have prompted discussion about the security of personal information shared, processed, stored and transmitted electronically. "Gaining and maintaining the trust of citizens that their data is secure and protected is an important factor in the future development and take-up of innovative technologies and online services across Europe," said ENISA Executive Director Udo Helmbrecht.
Full Story

PRIVACY LAW—SPAIN

In Madrid Court, Google Challenges AEPD (January 21, 2011)

In a Madrid court on Wednesday, Google challenged five rulings by Spain's data protection authority, Bloomberg reports. The Agencia Española de Protección de Datos (AEPD) had ordered the company to remove certain articles from its search listing due to the privacy concerns of those featured in search results. But in an e-mailed statement read in court, Google spokesman Peter Barron said, "We are disappointed by the actions of the Spanish privacy regulator. Requiring intermediaries...to censor material published by others would have a profound chilling effect on free expression..." The government, however, contends that Google has "never addressed the underlying question, the right of citizens to protect their information."
Full Story

EMPLOYEE PRIVACY—ITALY

IDPA: Company Must Stop Locating Its Employees (January 21, 2011)

The Italian Data Protection Agency (IDPA or Garante) has ordered an Italian company to stop processing the personal data of its employees collected by means of GPS systems on company vehicles. The company is forbidden from using employees' geolocation systems without union agreements or the permission of the local Labor Office per the Workers Statute (Law No. 300/70). The order was adopted after some workers complained about being controlled while going about their work. The employees claimed that the geolocation systems could reveal information about their travels, such as the stops they make and their travelling speed. An IDPA investigation revealed that neither an ad hoc union agreement nor permission of the local Labor Office had been granted. Per the IDPA order, if the company gains union or labor office permission in the future, it must inform the Garante about the data processing and divulge who may access the information gleaned. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & UK

Former Commissioner: Modernise Data Protection Laws (January 21, 2011)

Former UK Information Commissioner Richard Thomas is calling for a modernised European framework for data protection, ComputerWeekly reports. Thomas, now of Hunton & Williams, responded to a European Commission consultation on a comprehensive approach to personal data protection by stating he is pleased a review is underway, "But there is still a long way to go to draft balanced laws that will work in practice when so much personal information can flow so easily around cyberspace with no regard to national boundaries." Hunton & Williams' Centre for Information Policy Leadership has also made other recommendations, including that "EU standard-form privacy information notices must not be so comprehensive or so simple as to be meaningless," the report states.
Full Story

PRIVACY LAW—UK

Experts Disagree on ICO Fining Powers (January 21, 2011)

V3.co.uk reports that Phil Jones, a former assistant information commissioner who headed up the ICO's data protection practice, has defended the £500,000 limit of the ICO's fining powers as enough to warn organisations on data security. "People have complained that the fine only goes to £500,000, but it's not the money that's the issue," he said. "It's about the reputational damage that is caused through being made an example of if the ICO issues a financial penalty." Stewart Room of Field Fisher Waterhouse disagreed, saying, "Perceptions are very important, and some people consider that the cap speaks very negatively about the value that parliament attaches to privacy and data protection."
Full Story

DATA LOSS—UK

Football Fans Safe After Breach Scare (January 21, 2011)

The Information Commissioner's Office (ICO) has investigated reports that the UK could have been a source of a leaked database containing personal information on 250,000 international fans who purchased tickets for the 2006 FIFA World Cup in Germany, CIO reports. A Norwegian newspaper had alleged that information such as passport details of 35,689 ticket purchasers from the UK was included in the database. The ICO investigation found that no ticket purchasers in the UK were affected by the breach and that "there is no evidence to suggest that any person has unlawfully obtained personal information within the UK or that any person or organisation has breached UK data protection laws."
Full Story

PRIVACY—FRANCE

Reflections on 2010, Looking Ahead to 2011 (January 21, 2011)

The Hogan Lovells Chronicle of Data Protection takes a look back at the evolution of privacy in France over the past year while contemplating the "new challenges and opportunities that will develop in 2011." The report looks at changes at the Commission Nationale de l'Informatique et des Libertés (CNIL), including new guidance to data controllers. "2010 also saw privacy invite itself in the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high-profile cases," the report notes. Looking forward, the report spotlights certification labels as a top priority for CNIL in 2011.
Full Story

DATA THEFT—UK

Medical Director Apologises for Breach (January 21, 2011)

Health officials are apologising to patients whose records were on a laptop computer that was stolen from the home of a junior doctor, reports the Yorkshire Post. More than 1,100 patients were affected. The doctor is being disciplined, according to Dr. David Hepburn, the medical director of the Hull and East Yorkshire Hospitals NHS Trust. "We have written to anyone affected by this to inform them of these incidents," Hepburn said. He added that officials do not believe the exposed information could be used for identity fraud.
Full Story

PRIVACY LAW—EU

Hustinx Calls for Incentives, Stronger Regulatory Powers (January 20, 2011)

V3.co.uk reports that European Data Protection Supervisor Peter Hustinx has backed the European Commission's (EC) plans to reform EU data protection laws but wants stronger accountability for public and private companies controlling data. As the EC reviews data protection laws, Hustinx says mandatory data breach notification laws are necessary in all relevant industries and has called for data controller incentives that would encourage controllers to revise their business processes in the name of compliance. Data protection authorities also need stronger powers, he says, adding, "If we want to strengthen citizens' rights over their personal data, we need to ensure that individuals remain in control..."
Full Story

ONLINE PRIVACY—EU

Report: No Bite in Cookie Directive (January 18, 2011)

The Wall Street Journal reports that Internet companies' concerns about a European Union directive to require them to obtain permission before placing cookies on users' computers are unnecessary. John W. Miller writes that a European Commission document written to offer formal guidance to member states implementing the directive sheds light on "how EU regulators see the directive, and that's firmly on the side of business." The document does not endorse an opt-in clause, and instead states, "It is not necessary to obtain consent for each individual operation of gaining access to or storing of information on a user's terminal if the initial information and consent covered such further use." (Registration may be required to access this story.)

PRIVACY LAW—FRANCE

DPA Amendments Move Forward (January 18, 2011)

A bill containing several key amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly last week, reports the Hunton & Williams Privacy and Information Security Law Blog. The bill would amend the powers of the French data protection authority (CNIL) by requiring it to obtain a judge's approval before conducting an onsite inspection without proper warning and would authorize CNIL to publish its sanctions against violators of the Data Protection Act. It would also amend the role of CNIL's chairman, who would no longer belong to the decision-making committee on sanctions but would be required to notify parties ahead of an imposed penalty.
Full Story

SOCIAL NETWORKING

Facebook Suspends Third-Party Plans (January 18, 2011)

Facebook has decided to suspend its latest privacy policy modification, which would have enabled third-party applications to access users' addresses and cell phone numbers, reports the Inquirer. The company said it would protect users' personal information by only sharing it with third parties if the user explicitly granted permission to do so, but a Facebook spokesman this week said the company would "temporarily disable the feature" in response to feedback that it should make people more clearly aware of the changes. Some have questioned how the third parties would use the additional data.
Full Story

HEALTHCARE PRIVACY—FRANCE

CNIL Approves Hosting for Electronic Records (January 14, 2011)

The Commission Nationale Informatique et Libertés (CNIL) last month authorized the computer applications necessary to implement the first phase of a national and voluntary online personal health file system, reports eGov Monitor. Dossier Médical Personnels (DMPs) are patient-controlled online health records that stay with a person throughout their life; the patient first gives consent to create the profile, then controls the content of and access to their records from their computer and can close the account at any time. The first phase is expected to last three years, and CNIL says it will use feedback and lessons learned to develop the legal framework and content and access conditions for the DMP system.
Full Story

ONLINE PRIVACY

Flash Fix Is Important First Step (January 14, 2011)

The Wall Street Journal reports on efforts to improve privacy controls in Adobe's Flash video player after privacy advocates and regulators raised concerns that companies could use such technology to track Internet users. "So-called 'Flash cookies,' which are small files stored on a user's computer through the Flash program, have raised privacy questions because they are more difficult for users to detect and delete than regular cookies associated with Web browsers," the report states, noting that although Adobe's effort to simplify the program's settings is an important step, it "doesn't solve all the issues associated with this type of tracking," and other video programs can also track users. (Registration may be required to access this story.)
Full Story

DATA PROTECTION

Survey: PCI DSS Standards Necessary (January 14, 2011)

A new survey has found that the majority of IT security practitioners believe that the Payment Card Industry Data Security Standard (PCI DSS) is necessary for protecting cardholder information, SC Magazine reports. The Cisco survey polled 500 IT security decision makers in healthcare, finance, retail and education, a majority of whom said they were "very confident" they could pass an assessment today. The greatest challenge for PCI DSS compliance is educating employees about the proper handling of cardholder data, the report states. Respondents also indicated they expect "significantly increased spending" on PCI compliance this year. Meanwhile, a recent Verizon survey found that organizations that had suffered data breaches performed "dismally" with PCI requirements.
Full Story

PRIVACY LAW—EU

Commissioner: Directive Update To Shorten Retention Periods (January 14, 2011)

ComputerWeekly reports that the updated version of the EU Data Retention Directive will reduce data retention periods, according to the EU Home Affairs Commissioner. The European Commission's evaluation of the directive is expected early this year and will likely include proposed amendments, including one that addresses data retention lengths, which are currently at a minimum of six months and maximum of 24 months. Commissioner Cecilia Malmström has said she wants the directive to be more harmonised across the region.
Full Story

PRIVACY LAW—ITALY

Garante Authorizes Researchers’ Access to Data (January 14, 2011)

The Italian Data Protection Authority has authorized a pharmaceutical company to gain access to personal medical files in order to conduct a study on breast cancer. The company will be allowed access to the files of 1,000 patients; however, access will be restricted to essential information only, and that information will be encrypted. Upon completion of the study, the patients' information will be made unavailable. The Garante deemed that, given the importance of the research and the difficulties involved in gathering the information in advance, the company and health centers should have access to the data. (Article in Italian.)
Full Story

HEALTHCARE PRIVACY—IRELAND

Health Authority Discusses Importance of PIAs (January 14, 2011)

Irish Medical Times reports on the Health Information and Quality Authority (HIQA) guidance around privacy impact assessments (PIAs). Prof. Jane Grimson, director of health information at HIQA, explained that the authority has developed and published new guidelines on how to protect people's privacy within healthcare services, creating a step-by-step guide on how to undertake PIAs. "It has been estimated internationally that up to 30 percent of a country's total health budget is spent on health information," Grimson said, noting it is essential to manage such data "as efficiently and effectively as possible... PIAs make an important contribution to this."
Full Story

DATA PROTECTION

New Committee To Advise IT on Privacy Specs (January 14, 2011)

An open standards organisation has announced a new committee tasked with integrating privacy and security policies into systems and processes, v3.co.uk reports. OASIS has established a Privacy Management Reference Model (PMRM) Technical Committee to promote an open standards framework that defines how privacy by design can be applied to applications, the report states. A co-chairman of the committee said its work may help companies prevent privacy breaches, especially as cloud computing spreads, because policies describe fair practice principles but rarely tell IT specialists how to build a system with privacy in mind, the report states. "PMRM will provide a template for developing operational solutions to privacy issues," John Sabo said.
Full Story

PRIVACY LAW—IRELAND

Political Party’s Web Site Hacked (January 14, 2011)

The details of 2,000 people were compromised when a political party's Web site was attacked, reports Inside Ireland.ie. The site was launched by Fine Gael to invite the public to share their views on policy and the future of Ireland. The hack compromised such personal information as names, IP and e-mail addresses and phone numbers, as well as comments made on the page. The data protection commissioner's office is now investigating the Sunday night attack, as are police. The U.S. Federal Bureau of Investigation is also involved because the site is hosted by a U.S. company. Fine Gael has said it is cooperating with authorities.
Full Story

PRIVACY—FRANCE

Reflections on 2010, Looking Ahead to 2011 (January 14, 2011)

The Hogan Lovells Chronicle of Data Protection takes a look back at the evolution of privacy in France over the past year while contemplating the "new challenges and opportunities that will develop in 2011." The report looks at changes at the Commission Nationale de l'Informatique et des Libertés (CNIL), including new guidance to data controllers. "2010 also saw privacy invite itself in the public debate, whether as a result of controls and sanctions conducted and imposed by the CNIL or as a result of high profile cases," the report notes. Looking forward, the report spotlights certification labels as a top priority for CNIL in 2011.
Full Story

ONLINE PRIVACY—GERMANY

Regulators: Using Analytics May Mean Legal Action (January 12, 2011)

German data protection authorities have ended talks with Google over its free metrics tool, warning that German companies using Google Analytics could face fines and legal action, The Wall Street Journal reports. The tool gathers data about how visitors use Web sites by tracking IP addresses, which regulators have argued could violate individuals' privacy. Google has said its service "complies with European data protection laws and is used by other European data protection authorities on their own Web sites." Meanwhile, IAB Europe Vice President Kimon Zorbas told the Daily Dashboard, "Web analytics tools were indispensable for the transformation of Web 1.0 to Web 2.0. If you restrict a Web site's capacity to analyze which parts are successful and which are not, you risk catapulting the Internet back to the 'Digital Stone Age.' Companies would have to guess what's going on on their properties instead of focusing on how to improve any shortcomings. Cookie-based Web analytics like Google and many other companies offer are neither intrusive nor do they process personal data."
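The regulators' objection is to the full IP address reaching the analytics store. As an added example (not Google's code and not anything the DPAs published), the script below applies the mitigation analytics vendors adopted for this objection, and which Google's own script exposes as the opt-in `_anonymizeIp` setting: keep the network part of the client address (IPv4 /24, IPv6 /48) and zero the host bits before the line is stored, so the retained value no longer points at one subscriber. The access-log lines it processes are constructed for the demonstration; the prefix lengths are the conventional ones and are an assumption, not a legal threshold.

```python
"""Truncate client IP addresses in web access logs before storage or analytics.

Added example; the log lines are constructed and the prefix lengths are
assumptions (the conventional IPv4 /24, IPv6 /48 choice).
"""
import ipaddress
import re
from typing import List

# Apache/nginx "combined" format: the client address is the first token.
_LOG_RE = re.compile(r"^(?P<ip>\S+)(?P<rest>.*)$")

IPV4_KEEP_BITS = 24   # drop the last octet
IPV6_KEEP_BITS = 48   # drop the last 80 bits


def truncate_ip(value: str) -> str:
    """Return the address with its host bits zeroed.

    Values that are not IP literals (hostnames, '-', garbage) are returned
    unchanged so a malformed line cannot stop the pipeline.
    """
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return value
    keep = IPV4_KEEP_BITS if addr.version == 4 else IPV6_KEEP_BITS
    net = ipaddress.ip_network(f"{addr}/{keep}", strict=False)
    return str(net.network_address)


def anonymise_log_line(line: str) -> str:
    """Rewrite the leading client address of one combined-format log line."""
    body = line.rstrip("\r\n")
    newline = line[len(body):]
    m = _LOG_RE.match(body)
    if not m:
        return line
    return truncate_ip(m.group("ip")) + m.group("rest") + newline


def anonymise_log(lines: List[str]) -> List[str]:
    return [anonymise_log_line(line) for line in lines]


def distinct_clients(lines: List[str]) -> int:
    """Number of distinct client addresses, the crude 'unique visitors' count."""
    seen = set()
    for line in lines:
        m = _LOG_RE.match(line.rstrip("\r\n"))
        if m:
            seen.add(m.group("ip"))
    return len(seen)


# Constructed sample access log (documentation-range addresses only).
SAMPLE_LOG = [
    '203.0.113.77 - - [12/Jan/2011:10:02:14 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.78 - - [12/Jan/2011:10:02:15 +0100] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234:5678:9abc:def0:1 - - [12/Jan/2011:10:03:01 +0100] "GET /contact HTTP/1.1" 404 512 "-" "curl/7.21"',
    '198.51.100.9 - - [12/Jan/2011:10:03:40 +0100] "POST /form HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for line in anonymise_log(SAMPLE_LOG):
        print(line)
    print("distinct clients before:", distinct_clients(SAMPLE_LOG))
    print("distinct clients after: ", distinct_clients(anonymise_log(SAMPLE_LOG)))
```

The two `distinct_clients` figures show the trade-off the IAB quote is arguing about: page-level popularity is preserved, while the two neighbouring /24 visitors collapse into one and can no longer be singled out. Truncation must happen before the address is written anywhere persistent; a pipeline that stores the raw log and anonymises a copy has not addressed the regulators' point.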

PRIVACY LAW—EU & U.S.

U.S. Commerce Official Discusses EU Data Protection (January 12, 2011)

U.S. Department of Commerce Deputy Under Secretary for International Trade Michelle O'Neill held a briefing on her recent meetings in Brussels with European DPAs, discussing "the right to be forgotten" as a current key topic in Europe, the Hunton & Williams Privacy and Information Security Law Blog reports. O'Neill has said that European Data Protection Supervisor Peter Hustinx has been encouraged by such ongoing U.S. efforts as the Commerce Department's recent green paper on data protection, the report states. O'Neill also met with Françoise Le Bail of the European Commission's Directorate-General for Enterprise and Industry to discuss the Safe Harbor framework, noting the commission and Commerce Department will take part in a Safe Harbor conference in November.
Full Story

PRIVACY LAW—U.S. & EU

Social Network Subpoena Fuels Debate (January 11, 2011)

EUobserver reports on the implications of a U.S. court order that may give law enforcement officials access to all 637,000 followers of the WikiLeaks account on Twitter. The move, the report states, "has added fuel to the fire of an EU debate on data retention." Members of the European Parliament said on Monday that this move illustrates the need for governments to have checks and balances on access to private data, the report states. "We need to show the U.S. that they can't impose their rules on the whole world and that there is a real possibility for redress and appeal when such orders are issued," said German MEP Jan Philipp Albrecht.
Full Story

CHILDREN’S PRIVACY—FRANCE

CNIL Launches Youth Awareness Effort (January 7, 2011)

The French data protection authority has embarked on a campaign to improve data protection awareness among young people, ZDNet France reports. "The goal is to remind young people that vigilance is needed today, especially when it comes to disseminating information about political, sexual, religious or medical matters," the Commission nationale de l'informatique et des libertés (CNIL) said in a statement. Youth must think before publishing as "it is difficult to remove information that can follow you your whole life," the statement said. The CNIL has dedicated €500,000 to the effort, which will disseminate guidance and best-practice tips to students and educators. (Article in French.)
Full Story

PRIVACY LAW—UKRAINE

Media Watchdog Says Data Protection Law Needs Revision (January 7, 2011)

Ukraine's personal data protection law went into effect on 1 January, but some say it needs revision, ZIK reports. Natalia Ligachova, the editor of Telekrytyka, says the law restricts freedom of expression due to the fact that public persons can ban the publication of personal information they find offensive. She says a law is needed to define the term "public person" and adds, "If the present regime really cared for democratic principles and values, the president would return the personal data protection law to Verkhovna Rada for revisions, something a lot of NGOs had asked him to do."
Full Story

DATA LOSS—UK

ICO: Courts, Banks Need To Keep Records Secure (January 7, 2011)

The Information Commissioner's Office announced that the Scottish Court Service breached the Data Protection Act when a law report editor lost court documents which were subsequently found at a local recycling bank. Assistant Commissioner Jen MacDonald said, "People involved in court cases should be able to feel confident that their personal and sensitive information is going to be kept secure and not taken outside the court room." The court service's chief executive has signed a formal undertaking to ensure all staff are aware of storage, use and disclosure policies and are properly trained. Meanwhile, the ICO is also investigating a reported breach involving the bank Santander.
Full Story

TRAVELLERS’ PRIVACY—GERMANY

DPC Calls Passenger Profiling Unreasonable (January 7, 2011)

Data Protection Commissioner Peter Schaar has rejected a proposal to implement passenger profiling in German airports, calling the idea unreasonable and unsupportable in any legal sense, reports Deutsche Welle. The CEO of Düsseldorf Airport and new president of the German Airport Association, Christoph Blume, is recommending passenger profiling based on age, gender and ethnic background, among other criteria, to combat terrorism. According to the report, he has supporters. But critics say the dangers outweigh the possible benefits, and one critic believes the plan would be unconstitutional. Blume's proposal was also rejected by German Justice Minister Sabine Leutheusser-Schnarrenberger, who said it would contravene German and European anti-discrimination legislation.
Full Story

PERSONAL PRIVACY—UK

Police Database Under Fire (January 7, 2011)

Police forces in England and Wales are being called out on their databases of information on innocent people who have called non-emergency numbers to report crimes or pass on information, reports The Telegraph. Police officials say that collecting the information is necessary for preventing crime, protecting the vulnerable and ensuring concerns are dealt with properly. But according to the report, civil liberties groups say the databases cross the line. Shami Chakrabarti, director of Liberty, said, "Of course crime reports should be recorded to pursue investigations, but holding millions of records of innocents for decades on end is disproportionate to any legitimate policing goal."
Full Story

PRIVACY LAW—UK

ICO: Scottish Guidelines May Guide All of UK (January 7, 2011)

Information Commissioner Christopher Graham says privacy protection guidelines recently drawn up by the Scottish government could serve as a guideline for the rest of the UK. Drafted by a group of lawyers, activists and academics, the guidelines recommend data collection only for specific purposes and for it not to be stored in large, centralized databases, UKauthorITy.com reports. The guidelines also call for individuals' access to data collected on them. Graham has urged "all Scottish public authorities...to adopt the principles as a minimum standard," and said that when considering issuing fines, he takes into consideration "the level of compliance with best-practice guidelines issued both by my office and other relevant parties."
Full Story

PRIVACY LAW—EU

Working Party Suggests Directive Improvements (January 6, 2011)

The Hunton & Williams Privacy and Information Security Law Blog reports on the Article 29 Working Party's opinion on practical implications of the EU Data Protection Directive. The opinion "intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area," the report states. The Working Party's goals include providing a clearer framework and avoiding legal loopholes and potential conflicts between overlapping national data protection laws. "Furthermore, in light of the general revision of the EU data protection framework," the report states, the opinion includes "suggestions to improve the existing applicable law provisions in the EU Data Protection Directive."

DATA PROTECTION

Most Info Sec Budgets Unchanged for 2011 (January 4, 2011)

The Great Recession may have lingering effects on information security plans in 2011, SC Magazine reports. That's according to a recent survey that found 36 percent of respondents expect their budgets for IT security projects and data leakage prevention efforts to increase in 2011, compared with 41 percent in 2010. The Guarding Against a Data Breach survey, conducted by SC Magazine, ArcSight and research firm CA Walker, polled 468 information security leaders. Sixty percent expect their budgets to remain the same. Concerns about damage to the brand and compliance demands are top drivers for security planning, the report states.
Full Story

PRIVACY LAW—RUSSIA

Russia Extends Deadline for Database Operators (January 3, 2011)

President Dmitry Medvedev signed into law a bill to amend the country's framework personal data protection law to, for a second time, postpone the implementation of certain data protection requirements, according to a December 27 presidential press-service statement. Medvedev signed Federal Law No. 359-FZ, which amends Article 25 of the 2006 framework "On Personal Data" law (Federal Law No. 152-FZ), garant.ru reports. The amendment moves the required compliance date for database operators from January 1, 2011, to July 1, 2011. Originally, the database requirement was set to take effect January 1, 2010. (Article in Russian.)
Full Story

ONLINE PRIVACY

The Privacy Year In Review (January 3, 2011)

The BBC looks at the year that was 2010 from a privacy perspective. Exploring high-profile breaches of the past year, the report considers the implications of government and private-sector privacy decisions for the future. It suggests that "an interesting twist in 2010's privacy story" is that while private-sector organizations have been taken to task on privacy issues, "governments seem intent on increasing their snooping powers." When it comes to social networking, Ian Brown of the Oxford Internet Institute says the environment "is designed to encourage people to share. Often the default setting is privacy-unfriendly." The report also suggests that personal information "is fast becoming the most important commodity online."
Full Story