European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY

Headlines Inspire Opt-Out Technologies (February 28, 2011)

Concerns about privacy have prompted the creation of two start-ups that aim to provide online users with more choice. Following the news of a privacy breach at Facebook, a former Google engineer created a piece of software that disabled features that track browsing history, The Wall Street Journal reports. Within two weeks, 50,000 users downloaded the free application. Engineer Brian Kennish said he's since left Google so that he could create "Disconnect"--software to work with a wider array of sites' tracking devices or "widgets." The software also disables search engines from tracking users' Web movements. Meanwhile, a 19-year-old college student has started a company that allows users to opt out of tracking by 100 companies. (Registration may be required to access this story.)

ONLINE PRIVACY

Companies Take Steps To Protect Privacy (February 28, 2011)

Internet companies are taking steps to address calls for stronger online protection for Internet users, The Wall Street Journal reports. Most recently, both Microsoft and Facebook have "moved to beef up and clarify their efforts around the thorny issue of online privacy," the report states, describing Microsoft's move to add a do-not-track tool to its services and Facebook's new draft of its privacy policy with more user-friendly information headings. "The new policy is much more of a user guide to how to manage your data," said Jules Polonetsky, CIPP, of the Future of Privacy Forum, which was consulted by Facebook. "You might actually want to read this thing." (Registration may be required to access this story.)

ONLINE PRIVACY

Start-Ups Capitalize on Data as Currency (February 28, 2011)

Entrepreneur Shane Green's company allows people to personally profit from providing companies with their personal data, which he says has become "a new form of currency." His company is one of about a dozen start-ups aiming to capitalize on privacy as marketers increasingly rely on personal data for targeted ads, The Wall Street Journal reports. One London real estate developer now offers to sell people's personal information on their behalf and give them 70 percent of the sale, the report states, while others offer products to help block online tracking or charge to remove users from marketing databases. One entrepreneur said while "privacy" was a hard sell as of two years ago, investors are now quick to jump at opportunities. (Registration may be required to access this story.)

ONLINE PRIVACY

Governing Body Accepts Microsoft Tracking Proposal (February 25, 2011)

The World Wide Web Consortium (W3C), the governing body for HTML5, has accepted Microsoft's tracking opt-out proposal to protect consumer privacy, PCWorld reports. Microsoft's Tracking Protection allows users to choose not to be tracked on the Web by blocking the content that does the tracking, the report states. Internet Explorer's corporate vice president, Dean Hachamovitch, said online privacy is a high priority for consumers and governments around the world. Ashkan Soltani, a privacy and security researcher, called Microsoft's release of the program "a great move" that demonstrates the company's recognition "that for this to work, you want both technology and policy to work in tandem."

DATA PROTECTION—EU

Hustinx Discusses Sanctions, Incentives (February 25, 2011)

At an event in Frankfurt this week, European Data Protection Supervisor Peter Hustinx said that stricter sanctions for violations and a collective redress mechanism could improve compliance with data protection regulations, reports mlex.com. He pointed to the types of fines levied in antitrust cases as an example of what could work for data protection, saying, "anticompetitive fines can range in the millions, and if it is a big wrongdoing, that is probably what it takes to make (enforcement) more effective." When it comes to incenting firms to comply, Hustinx suggested, "if accountability for data protection was linked to being registered on a stock exchange, and the board needs to be sure that it has to be correct, there is a stronger incentive to seek compliance." (Registration may be required to access this story.)

PRIVACY LAW—UK & EU

Details on EC’s Issues with Data Protection Act Revealed (February 25, 2011)

Details about the European Commission's objections to the UK Data Protection Act have been revealed in a document published recently, The Register reports. The EC has taken infringement proceedings against the UK for what it says is the government's failure to appropriately implement several articles of the EU Data Protection Directive. The document indicates the EC believes that the UK DPA flies in the face of Article 12, for example. "The Data Protection Act...appears to confer upon the courts a discretion to grant or refuse applications made by data subjects" who want to check the accuracy of their data, the document states. It also indicates that the EC questions whether the UK Information Commissioner's Office has enough power.

ONLINE PRIVACY—EU

ENISA Warns Users About Supercookies (February 25, 2011)

The European Network and Information Security Agency (ENISA) has published a report outlining concerns about users' ability to control the information collected about them online, OUT-LAW News reports. The report discusses a new form of cookies--supercookies--that are capable of continuing to track users even after they've deleted their browsers' flash cookies and could breach EU privacy law. "In most cases, users cannot easily manage cookies. This is particularly true for a new type of cookies that are not controlled by browsers and require additional management tools," the report states, adding that national laws should be reviewed.

DATA LOSS—UK

Scientist's Experiment Finds Smartphone Data Risks (February 25, 2011)

A computer scientist says that "cell phones running the Android operating system fail to encrypt data sent to and from certain Web sites," The Register reports, creating privacy implications for millions. Prof. Dan Wallach made the discovery during an experiment with his undergraduate security class. Connecting a packet sniffer to his network, Wallach observed the traffic from various apps including Facebook and Google Calendar to his phone. Unencrypted private messages, photo uploads and other transactions were all visible, the report states. Facebook said it is still testing its Secure Sockets Layer (SSL) and advises users to practice caution on unsecured networks. Google said it plans to begin encrypting calendar traffic on Android soon.

DATA PROTECTION—IRELAND

Study: Companies Lack Knowledge, Training (February 25, 2011)

A study conducted by the Irish Computer Society shows that Irish businesses have a "severe lack of knowledge of data protection requirements," reports Business & Leadership. The "Data Protection and Practices Survey 2011" polled 286 IT personnel, more than half of whom said they don't feel they have received sufficient data protection training, and one in five don't feel they know their legal data protection responsibilities. Other findings indicate that companies' senior management don't give data protection "due consideration" and that companies are hesitant to report data breaches. According to the report, several respondents noted that "those who come out and report get in trouble, so there's no motivation to report."

PRIVACY LAW—EU

Opinion: Workable Data Protection Framework Needed (February 25, 2011)

In an opinion piece for European Voice responding to a recent report on plans to update the EU's 26-year-old data protection directive, Antoine Larpin writes, "We need a workable framework for data to be protected and to flow freely between member states." In what he describes as the "global digital environment," he suggests that "it is critical to have a workable framework for personal data to be protected and to flow freely from one member state to another," noting that businesses ranging from social networks to online "are already conscious of the competitive advantage they can gain" when providing data privacy options to consumers.

DATA LOSS—UK

Passport Data Lost, ICO Says IPS Broke Laws (February 25, 2011)

The Information Commissioner's Office (ICO) has announced that the Identity and Passport Service (IPS) broke data protection laws when it lost 21 passport renewal applications last May. The applications contained the personal information of both the applicants and the applicants' cosigners. The IPS's chief executive signed formal undertakings stating that the department will put in place data security measures and train staff on how to follow them. Mick Gorrill of the ICO said that while the office has concerns about lost data relating to identification documents, there is "no evidence to suggest that the applications have fallen into the wrong hands, and we are pleased that the Identity and Passport Service is taking steps to stop this happening again."

DATA LOSS—UK

County Council Sends Data to Wrong Recipients (February 25, 2011)

The Isle of Anglesey County Council reported to the Information Commissioner's Office (ICO) last November that a contractor sent benefit, income and savings data to the wrong recipients. V3.co.uk reports that, upon investigation, the ICO discovered that the council had no contract in place for how the contractor was to process protected information. While the council escaped an ICO-imposed fine, it has signed a formal undertaking ensuring "the processing of personal data carried out on behalf of the council is performed under a written contract and that any contractor will act only on instruction from the council," the report states.

DATA LOSS—UK

Despite Policy, Council Loses Unencrypted Memory Stick (February 25, 2011)

Cambridgeshire County Council has signed a formal undertaking after an unencrypted memory stick containing personal information went missing, The Guardian reports. Though the council took steps to inform staff of its internal encryption policy and asked that unencrypted sticks be turned in, a staffer used an unencrypted stick to store personal details of at least six at-risk individuals after having trouble getting an encrypted stick to function properly. The stick was lost in November, prompting the council to inform the Information Commissioner's Office (ICO). ICO Enforcement Group Manager Sally Anne-Poole said the case "shows that organisations need to check that their data protection policies are continually followed and fully understood by staff."

FINANCIAL PRIVACY—EU & U.S.

Bank Data Transfer Details Withheld (February 24, 2011)

Six months after the Terrorist Finance Tracking Agreement between the EU and the U.S. came into effect, PCWorld reports that both the European Commission and Europol are not releasing details on the number of U.S. requests for data that have been received and approved. When the agreement came into place, EU Commissioner Cecilia Malmström was quoted as pledging "complete transparency as far as access and use of data are concerned" as well as "access to appropriate tools and redress procedures to ensure that privacy is protected." While Europol has said such questions must be answered by the commission, the commission's response has been that neither it, nor Europol nor EU Member States "have the power to bindingly interpret the agreement."

PRIVACY—EU

Report Explores Privacy Pros’ Public Roles (February 24, 2011)

A Financial Times article looking at the importance of privacy officers features the work of Accenture Data Privacy Director and IAPP Board Chairman Bojana Bellamy. With new data protection legislation in the works, the report details a push by some in the EU to make the role of chief privacy officer mandatory in all large organizations. Privacy, Bellamy said, "has become unavoidable for business...Strategically, you need to be seen to care about it." Christopher Kuner of Hunton and Williams agreed, noting, "Data is the raw material for many companies...You have to have procedures when handling private information like you need to have procedures when handling chemicals." (Registration may be required to access this story.)

PRIVACY LAW—SWITZERLAND

Commissioner Wants Safeguards Ahead of Street View (February 24, 2011)

Switzerland's data protection commissioner wants Google to manually blur sensitive images stored on its Street View mapping feature, The Wall Street Journal reports. The Swiss Court heard arguments on the yearlong ban of the service today and will make a decision on whether to lift the moratorium in coming weeks. Commissioner Hanspeter Thür has asked that license plate numbers, faces, hospitals and women's shelters be blurred. "I don't want a ban of Google Street View," Thür told the Swiss Court. "But in the present form, Google Street View breaches basic principles of privacy." Google lawyers have asked that the ban be lifted. Manually blurring images is too costly, and the feature does so automatically, they said. (Registration may be required to access this story.)

PRIVACY LAW—UK

BMA Calls for Redrafting Healthcare Legislation (February 24, 2011)

The British Medical Association (BMA) is appealing to Health Minister Simon Burns to redraft legislation that it believes undermines a patient's right to confidentiality. The Telegraph reports that the legislation allows certain government bodies and local authorities to access sensitive medical data without patient consent. Vivienne Nathanson, head of science and ethics at the BMA, said, "The government has decided to place its desire for access to information over the need to respect patient confidentiality," adding that the legislation would "undermine the bond of trust between doctors and their patients and could have appalling consequences." A Department of Health spokesman said, "The bill does not change any of the existing legal safeguards, which are set out in the Data Protection Act and the common law of confidence.''

RFID—EU

Working Party Approves Self-Regulatory Proposal (February 22, 2011)

The Article 29 Working Party has approved an industry proposal for a privacy and data protection impact assessment framework for RFID self-regulation. Although it rejected a series of drafts, including a March 31, 2010, proposal that contained only "scattered references" to risk assessment, industry reworked its proposal and submitted its latest version, the Revised Framework, on January 12. The industry proposal was developed at the request of the European Commission, which issued a recommendation in 2009 on the implementation of privacy and data protection principles in applications supported by RFID. In its February 11 opinion, the Article 29 Working Party endorsed the revised framework.

DATA PROTECTION

PCI Council Launches Training Program (February 18, 2011)

The PCI Council today begins its series of training programs intended to educate practitioners on Payment Card Industry Data Security Standards (PCI DSS). Council General Manager Bob Russo told Info Security that the courses "cover all PCI basics, including how the payment system operates straight through to how PCI works and why it is important to be compliant." Offerings include in-person sessions as well as online training, and according to Russo, there will likely be supplemental guidance throughout the year. Version 2.0 of the PCI DSS went into effect last month, and merchants have one year to comply with the new standard. "We can say confidently that (PCI compliance) is the best defense you will have against a breach, but by no means is this the ceiling," said Russo.

DATA PROTECTION—GERMANY

Government Plans To Create New Foundation (February 18, 2011)

The Office of the German Federal Commissioner for Data Protection and Freedom of Information is calling for the creation of a national Data Protection Foundation, the Hunton & Williams Privacy and Information Security Law Blog reports. The foundation's tasks will include testing products to ensure data protection compliance, providing education, conducting research and creating a data protection seal. The German government has set aside €10 million in funding, the report states, and plans to establish the new foundation--which has been described as being similar to Germany's consumer protection organization--this year.

ONLINE PRIVACY—EU & U.S.

Mobile Ads Spark Privacy Concerns (February 18, 2011)

Privacy concerns abound over increased targeted advertising to users of smartphones and other mobile devices, The Economic Times reports. Sharing input from various industry leaders, the report also explores assessments from research firm Berg Insight, of how the devices are used "to deliver messages which are highly relevant for the recipient, taking into consideration demographics, interests, habits and other preferences." With so much personal information accessible, authorities on both sides of the Atlantic are considering new regulations, and some business leaders are also weighing in. As one executive put it, "we need to do a better job...If you don't offer the options to protect the consumer through self regulation, you will have imposed regulation."

PRIVACY LAW—CYPRUS

Supreme Court: Data Retention Law Breaches Constitution (February 18, 2011)

The Cyprus Supreme Court has decided that some provisions of the country's law on data disclosures violate the Cyprus Constitution. The 1 February ruling specifically responded to complaints about a provision in the law granting police access to retained telecommunications data. The court ruled that such a provision goes beyond the parameters of the EU Data Retention Directive, which does not address access to retained data, EDRI-gram reports. The decision responded to four complaints following the issuance of court orders for police confiscation of telephone numbers and call records. Three of the four court orders have been annulled.

HEALTHCARE PRIVACY—UK

Critics: Database Too Accessible (February 18, 2011)

The NHS's new summary care records database is drawing fire from privacy advocates, reports yourashford.co.uk. The system aims to streamline patient care with a centralised database, but critics say the NHS isn't informing the public of the wide range of people who will have access to patient data. Ian Taylor of the No2ID organisation says government, police and researchers will be able to access the data and NHS informational letters are misleading. "Contrary to the enclosed information, people not directly involved in your care will be able to access your record," he said. Mark Gray of Eastern and Coastal Kent says access controls--such as chipped smartcards, individual passcodes and patient consent requirements--are built into the system.

PRIVACY LAW—UK

ICO: Gwent Police Violated Data Protection Act (February 18, 2011)

The Information Commissioner's Office (ICO) has announced that the Gwent Police violated the Data Protection Act when a staff member accidentally sent an e-mail to a Web journalist including the results of about 10,000 Criminal Records Bureau inquiries. Wales Assistant Commissioner Ann Jones said, "It is essential that staff are aware of and follow their organisation's security policies. Such a huge amount of sensitive personal information should never have been circulated via e-mail..." No identifiable information or details of convictions were included in the e-mail, the report states. The Gwent police chief has signed a formal undertaking to implement new security measures. The ICO says it is pleased with the steps the department is taking.

ONLINE PRIVACY—EU

Opinion: CEO Praises Call for Cloud Privacy (February 18, 2011)

Per Werngren, chief executive officer for Sweden's IDE, reacts to an op-ed by European Justice Commissioner Viviane Reding on cloud computing in The Wall Street Journal. "The commissioner's idea about 'privacy by design'--building privacy-enhancing technologies into products and services--is particularly encouraging," he writes. If responsible companies work together, he suggests, "we can safeguard consumers so that their data is well-protected, so that they have the right to be forgotten..." With such provisions in place, he writes, the cloud might prove to be one of the "great technological and business shifts of our time." (Registration may be required to access this story.)

ONLINE PRIVACY—EU & U.S.

Consumer, Industry Needs Create Balancing Act (February 17, 2011)

European Voice explores the balance between online advertisers' ability to track consumers and Internet users' privacy concerns with regard to personal data, which one European commissioner has described as the "currency of the digital world." The European Commission has suggested that building consumer confidence about data use will only help the online industry. The report examines the potential for new laws and recent efforts by Internet companies to prove that self-regulation can work. As the U.S. considers new regulations--and the EU plans to update its 26-year-old data protection directive--one consumer advocate notes, "Legislation needs to be kept flexible and general because we don't know where we will be, even in six months' time."

PRIVACY LAW—FRANCE

CNIL Announces Data Processing Exemption (February 17, 2011)

The French Data Protection Authority (CNIL) has published its Deliberation No. 2011-023, which IT Law Group reports should make reporting requirements less odious for companies that have no operations in France but use subcontractors or cloud providers there to process data. The French Data Protection Law requires companies to file with CNIL and, in some cases, obtain authorization in advance. Under the new declaration, payroll processing, workforce management and the management of databases of clients and prospects for personal data collected outside of France will be exempt from the requirement for data that is returned to the data controller, or other specified recipient, "for the benefit of the data subject," the report states.

HEALTHCARE PRIVACY—UK

Researcher: Anonymization Not Enough (February 17, 2011)

The use of medical records for research is a polarizing topic, with some believing current patient consent requirements hamper life-saving discoveries. But research associate Dr. Lindsey Brown opines in The Guardian that patient privacy is crucial within the National Health Service (NHS) and consent the only solution. Legally, patient records may only be accessed by special government permission, if the data has been "pseudonymized" or with explicit patient consent. However, "pseudonymized" data can still be identified, Brown writes, rendering it "personal data" and therefore subject to EU and UK consent requirements. "There are serious public concerns over the use of patient records without individual consent. Public trust in the NHS could be threatened unless there's a response to calls for transparency and accountability," Brown writes.

PRIVACY LAW

G8 May Have Privacy Focus (February 16, 2011)

Following up on its efforts in October to move toward the goal of adopting "an international binding legal instrument harmonizing the protection of privacy," France has announced its intent to bring the world's Internet leaders to the G8 Summit in May. An announcement from France's Commission nationale de l'informatique et des libertés (CNIL) suggests that including privacy on the agenda for the G8 "would mark a critical milestone in the protection of privacy against the development of digital technologies." Despite the continual exchange of data across borders and the prevalence of biometrics, geolocation and surveillance, the CNIL points out that "there is no globalized legal answer, and the levels of privacy protection are disparate."

PRIVACY LAW—UK

DNA Records To Be Deleted (February 14, 2011)

OUT-LAW.COM reports on the Protection of Freedoms Bill, which includes such provisions as requiring the deletion of DNA profiles on individuals questioned by police but not charged with crimes. Information Commissioner Christopher Graham spoke in favor of the bill's role in addressing "issues that have been longstanding concerns for us...increased privacy safeguards on biometric information such as DNA profiles and ensuring effective regulation of camera surveillance, including the increasing use of automatic number plate recognition." The bill, which comes two years after the European Court of Human Rights called for such a change, is expected to "result in a massive reduction in the number of innocent people whose DNA is held by police," the report states.

PRIVACY LAW—SWEDEN

Data Retention Implementation Faces More Delays (February 14, 2011)

As Sweden prepares to implement the European Data Retention Directive, a parliamentary committee's request for consultation may further delay such action. Sweden was to have implemented the directive in September 2007. The European Commission sued the country in 2010 for failing to do so. Now, the Parliamentary Constitutional Committee wants the government to consult parliament on details within the directive and "has sent its opinion to the Committee on Justice, which is currently hearing a report on how the directive is to be introduced in Sweden," Stockholm News reports.

CHILDREN’S PRIVACY—EU

Surveys: Kids At Risk Online (February 11, 2011)

While the UK Information Commissioner's Office has announced ongoing efforts as part of the international initiative "The i in online" to teach children about the importance of protecting their personal information on the Internet, recent EU surveys indicate children are still at risk. EurActiv reports on survey findings, including statistics that show 80 percent of 15- and 16-year-olds go online every day, and 59 percent of all European children have a profile on a social networking site. However, the report notes, almost half "admitted that they have no idea how to change the privacy settings of their profiles." EU legislative initiatives aimed at Internet safety for children are expected in the months ahead.

PRIVACY LAW—ITALY

Garante Examining Investigators, Banks and the Cloud (February 11, 2011)

The Garante's inspection plan for the first half of 2011 has been enacted, and is expected to focus on private investigators, cloud computing, banks, credit cards, marketing and welfare institutes. The plan provides for verifications of the use of personal data, adoption of safety measures, the length of time data can be stored and the need for consent. More than 250 checks have been scheduled to be carried out with the cooperation of the Italian Guardia di Finanza's privacy unit. In 2010, 474 inspections were carried out and 424 disciplinary actions were taken, with the Garante imposing sanctions amounting to almost €3.8 million. (Report in Italian.)

ONLINE PRIVACY—UK

PCC: Social Network Posts Were Not Private (February 11, 2011)

The Telegraph explores the issue of just how private those online posts are in examining the case of a Department for Transport employee whose "series of embarrassing tweets" have been found to be public and thus fair game for newspaper reports. The comments, which were republished by two newspapers, prompted her to contact the Press Complaints Commission (PCC), stating she had a "reasonable expectation of privacy" when she made the comments on social networking site Twitter. The PCC, however, disagreed. "As more and more people make use of such social media to publish material related to their lives, the commission is increasingly being asked to make judgments about what can legitimately be described as private information," said PCC Director Stephen Abell.

PRIVACY LAW—EU & IRELAND

Examining the Communications Act 2011 (February 11, 2011)

Matheson Ormsby Prentice examines the Communications Act 2011, which came into effect late last month to implement "Directive 2006/24/EC on the retention of data generated or processed by or in connection with the provision of publicly available electronic communications services or of public communications networks" and repeals Ireland's prior data retention law. The new act requires service providers to retain data and make it available to Irish authorities in specific instances and includes provisions addressing those obligations as well as security measures for the data. The act now brings Ireland's law into compliance with EU directives, the report states. (Registration may be required to access this story.)

PERSONAL PRIVACY—UK

Advocates Raise Concerns with Survey (February 11, 2011)

The advocacy group Privacy International (PI) is urging residents not to complete a survey circulated by Wiltshire Council that asks for such personal details as income level and sexual orientation, reports BBC News. A council spokesman said the survey aims to help the county understand future housing needs and that the responses would be anonymous. "I would say that, whereas there may not be any legal issue here, it certainly goes against a number of principles of the Data Protection Act, such as only collecting as much data as you need for a specific purpose," said PI's Alexander Hanff. According to the report, the group has asked the council to "rethink" its plan.

DATA LOSS—EUROPE

Paper: Data Breach Notifications Essential (February 11, 2011)

A recent whitepaper drafted by two privacy risk experts and released by insurance and risk analysis firm Lockton suggests "Europe is at a tipping point in its legal and regulatory environment surrounding data breaches," Infosecurity reports. The paper, entitled "Exposed in Europe: Data Breaches and Their Impact in a Changing Legal and Regulatory Environment," recommends that organisations consider the potential implications of the European Commission's E-Privacy Directive, which will introduce requirements for ISPs and telecom providers to notify both potential data breach victims and the authorities when an incident occurs.

PRIVACY LAW—EU

Reding: Tracking Technologies Highly Intrusive (February 10, 2011)

European Union regulators are concerned that mobile phone and computer technologies that monitor online activities threaten individual privacy rights, Bloomberg reports. "I am concerned about the use of highly privacy-intrusive tracking technologies," EU Justice Commissioner Viviane Reding said in a speech in Brussels yesterday. "Mobile phones and computers have become tracking devices." She added that tracking technologies can have serious consequences for people and can lead to criminal penalties. Reding's concerns come as the European Commission reviews the EU's data protection law with plans to update it to reflect new technologies that have emerged since the law passed nearly 16 years ago.

DATA LOSS—IRELAND

Job Recruiting Site Breached (February 9, 2011)

Ireland's Gardaí are investigating a data breach on the job recruitment Web site recruitireland.com, reports Silicon Republic. The data protection commissioner has also been informed of the breach, which the company says exposed the names and e-mail addresses of its users. According to a message posted to the site's homepage, no other data has been compromised, but the company is recommending that once the site is back online, users change their usernames and passwords. "We have a process in place for eventualities such as this; when we were notified, we shut down the server and the database to prevent any access," the message says.

ONLINE PRIVACY

Schwartz Discusses the Impact of Choice on Privacy (February 8, 2011)

Barry Schwartz, author of The Paradox of Choice: Why More is Less and professor of social therapy and social action at Swarthmore College, shared his insights on the intersection of choices and privacy with the Privacy Advisor. "I think the main task facing organizations that worry about Internet privacy is to figure out a 'default' level of privacy that enables people to benefit from what the Web makes available and not be tortured by it," he explained. Schwartz, who will be a keynote speaker at the IAPP Global Privacy Summit in March, said he will be discussing "how too much choice produces paralysis rather than liberation, leads to bad decisions and reduces satisfaction with even good decisions."

PRIVACY LAW—UK

Councils Fined £150,000 After Laptop Theft (February 8, 2011)

The Information Commissioner's Office (ICO) has fined two councils a combined total of £150,000 after two laptops were stolen, ComputerWeekly reports. Ealing Council used the laptops to provide a service for itself and Hounslow Council. The laptops contained data on more than 1,700 individuals and were not encrypted. Ealing Council has been fined £80,000 for the breach, and Hounslow Council has been fined £70,000 for failing to have a written contract in place with Ealing and not monitoring its operational procedures. Deputy Commissioner David Smith said the Hounslow Council fine makes clear that organizations can't outsource services "unless they ensure that the information is properly protected."

CHILDREN’S PRIVACY—SWITZERLAND

Thür Launches Web Safety Campaign for Kids (February 4, 2011)

Swiss Data Protection Commissioner Hanspeter Thür announced last week the launch of a campaign to teach children and teens about protecting their personal information online, reports swissinfo.ch. Thür said kids need to be aware that posting a picture online could have consequences when looking for a job later on. The Netla campaign uses a comic book and a Web site that includes two games to make kids think about how they use the Internet and how they share information on it. There are also teaching materials and advice for parents.

HEALTHCARE PRIVACY—UK

Oxford Researchers: Patients Misled About Privacy (February 4, 2011)

Oxford University researchers say patients are not being adequately informed about possible secondary uses of their medical data for research, Computerworld reports. In a paper published yesterday in the British Medical Journal, the researchers also assert that patients are "misled about the level of anonymisation of their data and the likelihood of re-identification." Their paper, "The limits of anonymisation in NHS data systems," questions whether health data can be kept confidential in an age of data collection and sharing, the report states, and discusses what the researchers describe as the "increasing commercialization of patient data."

DATA RETENTION—SWEDEN

ISP To Reroute Customer Traffic (February 4, 2011)

Sweden is about to implement the European Data Retention Directive, meaning that soon ISPs and telecom operators will be required to retain certain activity data for six months. But a Swedish Internet service provider says it will reroute its customers' traffic using an ISP-level virtual private network (VPN) in order to skirt the requirements, Softpedia reports. Bahnhof CEO Jon Karlung explained that customer data will be logged in Bahnhof's first server, but after that it will be routed outside of Sweden through the VPN. "Technically, this is a stealth section," Karlung said, "we will store all data up to this point of invisibility."

DATA LOSS—IRELAND

Laptops Stolen, Commissioner Investigates (February 4, 2011)

Data Protection Commissioner Billy Hawkes has launched an investigation into the theft of 10 laptops from the Revenue Commissioner's office, reports Business & Leadership. Commissioner Hawkes will look into whether the stolen laptops contained any sensitive data and, while they were encrypted, determine if the security measures were sufficient to protect the data. The report states that three men are understood to have been part of the theft, which occurred last week.

TRAVELERS’ PRIVACY—EU

PNR Data Could Be Required for EU Travel (February 2, 2011)

EUobserver reports on proposals set to come before the European Commission to require air travelers to have their passenger name record (PNR) data--such as home addresses, mobile phone numbers, credit card information and e-mail addresses--checked by authorities and shared with other member states if links to terrorism or serious crime are suspected. Negotiations between member states and the European Parliament on the plan are expected to last two years. "So far, the U.S. and other countries using the PNR system have failed to convince us about its necessity," said German MEP Manfred Weber, adding, "There are deficits in the usage of current data. So why should we collect even more mass data?"

PERSONAL PRIVACY

Cavoukian Releases Smart Grid Study (February 2, 2011)

Ontario Privacy Commissioner Ann Cavoukian today released a study on an Ontario utility's approach to smart meter deployment, which she says should serve as the model for all future smart grid investment, The Globe and Mail reports. Released at a California event, Operationalizing Privacy by Design: The Ontario Smart Grid Case Study is the third in a suite of papers on smart grid deployment. It describes the utility's policy to only include customer identification information in the company's own billing records and not share it with third parties unless consent is acquired for service offers. "Smart grid technologies have the potential to collect extremely detailed information about energy consumption in the home, which can lead to the unwelcome profiling of individuals," Cavoukian said.

PRIVACY LAW—NETHERLANDS

Reding Investigating Passport Laws (February 2, 2011)

The Dutch government is treating innocent citizens as potential criminals by storing their fingerprints for passports, according to MEP Sophie in't Veld, who has prompted a European Commission investigation into whether Dutch passport legislation breaches EU data protection rules, Radio Netherlands Worldwide reports. The government stores four fingerprints in a central database kept by local councils. European Justice Commissioner Viviane Reding is leading the commission's investigation. In't Veld says the Dutch practice is much more privacy-intrusive than other EU member states' practices and that the United Nations Human Rights Council is critical of the practice.

ONLINE PRIVACY

Mozilla Offers Do-Not-Track Feature (February 1, 2011)
Mozilla has confirmed that its Firefox 4 Web browser will include a do-not-track system allowing users to opt out of targeted advertising, V3.co.uk reports. "This is just our first step," said Mozilla developer Sid Stamm. "We are exploring ways to empower users to have more robust and precise control over their data, and will share our progress on this as it is made." Google has added a similar feature to its Chrome browser, while Microsoft is exploring tracking protection to work consistently across browsers. The announcements come in the midst of questions about what "do not track" actually means, prompting the Center for Democracy & Technology to release a draft definition.

ONLINE PRIVACY—UK

Advocates Angered Over End of BT Investigation (February 1, 2011)

Privacy groups are criticizing the Information Commissioner's Office (ICO) for closing its investigation of a BT data breach, the Guardian reports. The ICO said BT cannot be held responsible for the incident in which a spreadsheet with such confidential information as customer names, addresses and telephone numbers was sent to a law firm by a BT employee, the report states. While the ICO closed its investigation after determining the company was not liable for a mistake committed by one of its employees, advocates contend such a move "appears to give the green light to companies like BT claiming to have a data protection policy but failing to adequately enforce it."