European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—SPAIN

DPA Case Asks Search Engine To Forget (March 30, 2011)

The Spanish Data Protection Agency's (DPA) call for Google to remove links to individuals' personal information from its search results is currently before the Spanish High Court but could be referred to the European Court of Justice, Deutsche Welle reports, in what some suggest may be "a landmark case within Europe." Privacy expert Viktor Mayer-Schönberger suggests the case pits "two fundamental rights against each other: The right to remember in a society versus the right to personal privacy and the right to be forgotten." The DPA is representing about 80 plaintiffs calling for records from their past to be removed. Spain's privacy laws include fines of up to €600,000 for such infringements as inappropriate publishing of personal information, the report states.

ONLINE PRIVACY

Expert: The Re-identification Devil Is in the Details (March 30, 2011)

When it comes to protecting privacy online, the biggest threat lies in the everyday details Internet users share without realizing that even anonymous postings can be correlated to expose their identities. That's according to University of Colorado Law School Prof. Paul Ohm, who spoke recently on the process of "re-identification." Deleting information is not enough, Thinq.co.uk reports, as companies can identify users by drawing inferences from the bits of data left behind. "We have to get used to talking about the price of privacy," Ohm notes, adding, "Maybe we should give up some of the efficiency and convenience of the Internet if we can protect privacy."

PRIVACY LAW—U.S. & EU

U.S. and EU Negotiating Data Exchanges (March 29, 2011)

The U.S. and EU have begun formal negotiations toward a pact to protect the personal information they exchange while fighting crime and terrorism, The Wall Street Journal reports. The negotiations come amid ongoing conflict between law enforcement's need for access to personal information in order to fight crime and the need to protect individuals' privacy. The U.S. and EU are "committed to ensuring a high level of protection of personal information while fighting crime and terrorism," a U.S. Justice Department statement said. The negotiations follow the U.S. decision last month to extend provisions of the Patriot Act, prompting advocates to call for safeguards. (Registration may be required to access this story.)

PERSONAL PRIVACY—UK

Census Concerns Persist (March 29, 2011)

While the Office of National Statistics has requested all UK households to file their 2011 census forms under threat of possible fines, questions about the security of census data persist. Infosecurity reports on concerns that the company that will be processing the census data has "a patchy record for data-handling." The report quotes one security expert who cautions that "it's not just the Office of National Statistics staff we have to be concerned about, with the fact that this data will be shared out with the police, MI5 and other security bodies--all of which will be able to see the information."

PRIVACY LAW—NEW ZEALAND & EU

Companies Awaiting Adequacy Notice (March 29, 2011)

Six months after the New Zealand Parliament passed legislation to comply with European privacy laws, companies are still waiting for the okay to do business in Europe, Computerworld reports. At least one New Zealand business says it has lost clients due to not being branded "adequate" under European privacy law, says Privacy Commissioner Marie Shroff. Further meetings and analyses are in process, and a formal recommendation for acceptance may come next month, the report states, noting the approval process has been underway for more than 10 years.

DATA LOSS

Study: Many Companies Don’t Report, Don’t Fix (March 29, 2011)

The results of a recent study by cybersecurity vendor McAfee indicate that six in 10 companies pick and choose which data breaches to report and half of those that have experienced a breach make changes to fix and protect their systems from future breaches, reports The Huffington Post. The study surveyed over 1,000 senior IT professionals from Brazil, China, India, Japan, the Middle East, the UK and the U.S. about the challenges of protecting corporate data. According to the report, outsourcing and mobile devices are expected to pose even greater challenges to data security as they become more prevalent.

PRIVACY LAW—EU

Industry to Commission: Forget “Right To Be Forgotten” (March 25, 2011)

Reactions to calls for a "right to be forgotten" have varied, with some online industry leaders arguing that is not what Internet users want, The Register reports. That was the message from Facebook officials in light of a European Commission endorsement of such a right in its efforts to update privacy legislation. Speaking at an event in the UK, Facebook's Richard Allan spoke of a "shoot the messenger" mentality where people who are uncomfortable with certain online content do not address the source, instead "going to those places where the content is shared or indexed and asking them to resolve the problem. I think that's extremely worrying for a whole range of reasons." At the same event, one legal expert added, "Right to be forgotten will not work. Simple as that."

DATA PROTECTION—EU

Hustinx Advises on Balancing Privacy, Transparency (March 25, 2011)

European Data Protection Supervisor Peter Hustinx has issued advice to European Union institutions on how to protect privacy while providing access to information, V3.co.uk reports. The advice comes after a ruling by the European Court of Justice that the European Commission "was right to refuse the release of information on the attendees of a meeting requested by the Bavarian Lager Company," the report states. Hustinx said EU institutions should develop clear policies that state what kind of data can be released and clarified that data protection does not mean withholding information. While data protection must be respected, that shouldn't be "used as a pretext for not being transparent," he said.

DATA LOSS—UK

Council Loses Data on 4,000 (March 25, 2011)

Pending an ongoing investigation, Leicester City Council could be fined up to £500,000 for a data breach that occurred when the council lost a memory stick containing files on about 4,000 people, this is Leicestershire reports. The council reported the breach to the police and the Information Commissioner's Office (ICO). The missing files include medical records as well as keysafe codes used to gain access to home keys. The council is now in the process of changing all of those codes. The information contained on the memory stick was encrypted, the council says. A spokesman for the ICO wouldn't comment on the investigation but said, "Our highest enforcement power is a penalty of up to £500,000 for a breach of the Data Protection Act."

PRIVACY LAW—IRELAND

Companies Fined €15,000 Collectively for Breaching Act (March 25, 2011)

Four companies have been found guilty of breaching data protection laws, RTE News reports. Between them, the companies were ordered to pay almost €15,000 in fines for charges related to unsolicited marketing, the report states. UPC pleaded guilty to 18 counts of breaching the Data Protection Act in relation to four separate complaints and was fined €7,100; Vodafone was convicted on five counts and fined €3,850; Eircom pleaded guilty to one count and was ordered to donate €2,000 to charity, and O2 pleaded guilty to one count and was fined €2,000 also. The Office for the Data Protection Commissioner said it is pleased with the outcome.

PRIVACY—UK

Concerns Raised Over DPA (March 25, 2011)

The UK's Data Protection Act (DPA) contains a loophole related to data anonymity that could cause "sensitive data to be compromised on a massive scale," silicon.com reports. The issue was raised by Caspar Bowden, a chief privacy advisor at Microsoft, who said "it is really relatively easy to reidentify" such information. Information Commissioner Christopher Graham explained that his office is bound by the limits of the current DPA, which dates back to 1998, but noted the ICO will be hosting a seminar on the subject on March 30 aimed at creating updates that address "the real issues about the way that data is handled."

DATA LOSS—UK

Online Retailer Breached Via Third Party (March 25, 2011)

An online retailer has alerted its customers of a data breach that exposed names and e-mail addresses, ZDNet reports. The breach occurred after a third-party marketing company affiliated with Jersey-based Play.com experienced a breach. The Jersey Office of the Data Protection Commissioner (ODPC) is now investigating the breach. "It seems there is cause for concern," said Paul Vane of the ODPC earlier this week. "We will be establishing from Play.com what has happened and how we can deal with it." Vane added that despite the fact that the breach occurred at a third party, Play.com is ultimately responsible for customer data, and enforcement action is possible. Play.com CEO John Perkins has said the compromised information includes only customer names and e-mail addresses.

PRIVACY LAW—EU

Series Examines Data Protection Rules (March 25, 2011)

In a series on data protection, The Lawyer features industry experts' insights on legislative requirements. With EU regulations governing the use of cookies for online tracking changing, Melanie Hatton of Latitude Digital Marketing notes, "As ever, the devil is in the detail, or in this case the lack of it," stressing that the "directive is open to interpretation" in terms of using cookies to track Web users' online behavior. Janice More of Heinz European, meanwhile, speaks to the company's efforts to address cross-border data transfer regulations. "The primary objective of the Heinz data compliance project was to ensure compliance with data privacy where Heinz employee data might be exported across our international network of offices and businesses."


PRIVACY

Scientist: “Surveillance Society Inevitable, Irresistible” (March 24, 2011)

There's enough data floating around about any given person to predict where they'll be next Thursday around 5:53 p.m., says Jeff Jonas, chief scientist of IBM's Entity Analytics group. The question is how privacy models will change as a result of the amount of data collected via cell phones, transactions and social media sites, among others, ZDNet reports. "The surveillance society is inevitable and irresistible," Jonas said at a recent conference in New York, adding that he's working on an "analytic sensemaking" machine that will incorporate privacy features into it from its construction that cannot be turned off. The system, called G2, aims to "explore new physics of big data," the report states.

BEHAVIORAL TARGETING

Social Network Turns User “Likes” Into Ads (March 24, 2011)

PCWorld reports that Facebook's "sponsored stories" ad plan, which has raised concerns among privacy advocates, is now being rolled out across the social network. For those who don't like the plan, Dan Tynan suggests in his report, "don't 'Like' it--or anything else. Because once you do...There is no opting out. Facebook can use your name and profile image alongside any product you endorse, per its privacy policy." A forthcoming plan to allow third-party advertisers to put users' images and names in a similar way will have an opt-out, the report states.

PERSONAL PRIVACY—UK

Questions Raised About Census Data Use (March 24, 2011)

Concerns are being raised about the potential for access to personal information gathered by the Office of National Statistics (ONS) for the upcoming UK census, InformationAge reports. Data collected in the census "will remain confidential for 100 years," according to information on the ONS Web site, but experts note that census data falls under the Statistics and Registration Service Act 2007, which stipulates conditions under which the ONS may disclose data, including for criminal investigations, court orders or "to an approved researcher," the report states. "I'd like to see confidentiality guaranteed in black and white," one expert said.

PRIVACY LAW—UK

ICO Prepares To “Use Teeth,” Issue Fifth Fine (March 23, 2011)

Information Commissioner Christopher Graham says his office is preparing a fine against an organization--the fifth issued by the ICO since it gained the powers to do so in January 2010. It is not yet known which organization will be punished, but Wolverhampton City Council, Leicester City Council and the University of York have all been flagged for breaches in recent weeks, eWeek reports. "This fifth fine coming down the track shows that the ICO is not an organization with small fangs, but that data controllers should realize that, if they let consumers down, a fine from the ICO will be the Mark of Cain," Graham said.

PRIVACY LAW—GERMANY

Woman Loses Suit Against Mapping Feature (March 23, 2011)

Court documents recently published on the city of Berlin's Web site show that a German woman has lost a case against Google that claimed the company's camera cars invaded her privacy. The woman, who did not seek compensation but wanted the photography to cease, said that Google's Street View cars could peer into her home and backyard, PC World reports. The woman originally lost the case in a regional court in September 2010. A three-judge court of appeal panel upheld the court's decision, stating that Street View photography isn't illegal and that citizens can request to have pictures taken down.

BEHAVIORAL TARGETING

Advocates: Device Fingerprinting Easier To Track Than Cookies (March 22, 2011)

Device fingerprinting technology now allows advertisers to specifically identify connected devices such as computers and smart phones. When devices send or receive data, they transmit pieces of information about their properties and settings that can be pieced together to form a unique "fingerprint" for that device, ClickZ reports. This concerns privacy advocates, as a device's fingerprint is more persistent than a Web-tracking tool such as a cookie. "You don't have any control over them, or at least not the same kind of control you do over cookies...That makes fingerprinting a serious privacy threat," said Peter Eckersley of the Electronic Frontier Foundation.

PRIVACY LAW—EU & U.S.

Will Regulation Tame the “Wild West” of the Web? (March 22, 2011)

Reuters reports on efforts by regulators on both sides of the Atlantic to tighten the reins on the "Wild Wild West" of the Internet. The EU has announced that Web businesses may be subject to legal action if they fail to obey forthcoming EU data privacy rules--one of which may require what the European Commission calls a "right to be forgotten" for Internet users. A spokesman for one social network said there are industry concerns about "an over-prescriptive interpretation of what these rights mean in practice." Meanwhile, the report points out that although the EU and U.S. have traditionally differed on privacy issues, "they are working together to come up with a common set of standards."

BEHAVIORAL TARGETING—EU

Cookies Icon Aims To Inform Users (March 22, 2011)

PCWorld reports on Yahoo's introduction of a feature that allows users to opt out of cookies. The icon was unveiled last Friday ahead of a new law that will come into force in the EU on May 25 known as the "Cookie Directive," which will require online companies to obtain explicit consent to track users' Web movements via cookies. Yahoo's mechanism involves an "Ad Choices" icon that users can click to find out what information has been collected about them and modify their preferences on targeted ads. "Businesses like ours depend on the trust of our users," said Justin Weiss, CIPP, Yahoo's director of international privacy and policy.

PRIVACY LAW—FRANCE

CNIL Issues Record Fine Over WiFi Collection (March 21, 2011)

The CNIL, France's data privacy regulator, has issued a €100,000 fine against Google for the collection of personal information over unencrypted wireless networks by its Street View vehicles and has asked the company to delete all data collected. The Guardian reports that the fine represents the highest penalty levied by the CNIL since it obtained fining powers back in 2004. Google has repeatedly apologized for collecting the data. "As we have said before, we are profoundly sorry for having mistakenly collected payload data from unencrypted WiFi networks," said Google Privacy Counsel Peter Fleischer, adding, "Deleting the data has always been our priority, and we're happy the CNIL has given permission for us to do so."

DATA LOSS—UK

Data Breach? That’ll be £1.9M, Please (March 21, 2011)

The cost of an average data breach in the UK is now up to £1.9 million, BBC reports. The 2010 Annual Study: U.K. Cost of a Data Breach, from the Ponemon Institute and Symantec, indicates those costs come from such factors as "clearing up after breaches, loss of clients and rebuilding trust with customers." The study also shows that the cost of data breaches has risen every year for the past three years. "The biggest incident logged in the report cost the firm involved about £6.2m, a leap of £2.3m from the biggest incident in 2009," the report states. The study also found that system failure was the top reason for breaches.

PRIVACY LAW—SWEDEN & AUSTRIA

Austria OKs, Riksdag Delays (March 18, 2011)

Sweden's Riksdag on Wednesday postponed its vote on whether to implement the EU Data Protection Directive, The Local reports. "The Swedish government needs to act towards a renegotiation of the data retention directive in the EU while this case is postponed in Sweden," said Green Party member Marie Ferm. The decision to delay the vote could result in a several million kronor fine for the Swedish government. Meanwhile, the Austrian government has decided to implement the directive, according to Christian Schmelz and Günther Leissler of Schönherr Rechtsanwälte GmbH. The Austrian parliament will take up the topic in May.

PRIVACY LAW—ITALY

Telecommunication Companies Must Inform Subscribers (March 18, 2011)

The Italian Data Protection Authority (Garante) has mandated that telecommunication companies must inform old and new subscribers about how they can stop receiving advertising phone calls. New telemarketing regulations provide subscribers with the right to register their line in the "Registro delle Opposizioni"--a sort of Robinson's List--which became operative on 1 February. The Garante has provided telecommunications companies with information on how they must communicate this to customers. Companies that fail to comply with the Data Protection Authority's regulation will be subject to sanctions, including a minimum 30,000 euro fine and up to a maximum fine of 180,000 euro, which could increase, in the most serious cases, to 300,000 euros. (Article in Italian.)

PRIVACY LAW—UK

Gov’t Approach to EU Cookie Rule (March 18, 2011)

UK Information Commissioner Christopher Graham shared details of the government's proposed implementation of the EU ePrivacy Directive, highlighting the cookie provision. The Hunton & Williams Privacy and Information Security Law Blog reports that a letter from Minister for Culture, Communications and Creative Industries Ed Vaizey outlines a phased approach to implementation and states that the government "does not see a one-size-fits-all solution to this article but rather will look to the development of a UK ecology of solutions." The letter also says that in the government's yet-to-be published response to its consultation, it will lay out expectations for what cookie-using corporations should do while solutions are developed. Commissioner Graham, while promising guidance from his office, warned organisations that the law is changing, and "the time for compliance is now."

DATA PROTECTION—UK

Home Users Unsure of WiFi Security (March 18, 2011)

Two out of five people who own a home wireless network don't know how to change its security settings, The Register reports. That's according to an Information Commissioner's Office (ICO) survey conducted by YouGov this month. The survey also found that 16 percent of users were unable to say if they were "running security on their home WiFi network." The ICO has issued guidance on home WiFi security and is calling on Internet Service Providers and equipment manufacturers to provide clearer instructions on how to make home wireless systems more secure and on the privacy implications that unsecure networks create.

TRAVELLERS’ PRIVACY—UK

Lords: Opt In to Passenger Data System (March 18, 2011)

The Lords European Union Committee has issued a report urging the UK to opt in to a pan-European passenger information data system and seek changes down the road, reports computing.co.uk. The system has been criticized by the European data protection supervisor and the EU Parliament for allegedly invading the privacy of innocent travellers and for concerns about data protection and collection. Regardless, the Lords believe the benefits of collecting data from other member states warrant joining the system. According to the report, the committee also recommends the government push for extending the directive "to cover intra-community travel as well as flights into and out of the EU."

DATA LOSS—UK

Data Breaches Bring Investigations, Undertaking (March 18, 2011)

A city council has breached the Data Protection Act and a university may face a similar determination. The University of York is investigating a breach involving the personal data of students--including phone numbers and addresses--after the information was accessible on the university's Web site. The university said in a statement it has notified the Information Commissioner, is now reviewing its security systems and has "taken immediate action to rectify this problem." Meanwhile, the commissioner has found that Wolverhampton City Council breached the Data Protection Act by allowing personal information to be disposed of in a skip. The council has signed an undertaking.

ONLINE PRIVACY—EU

Reding Outlines Four Pillars of New Rules (March 17, 2011)

Forthcoming amendments to the EU Data Protection Directive are needed to respond to new technologies allowing for automatic data collection "used by companies to better target individuals," Justice Commissioner Viviane Reding said during a speech in Brussels on Wednesday. The rules, to be finalized this summer and put in front of parliament, are to be based on four pillars: the right to be forgotten, transparency, privacy by default and data protection regardless of data location. Reding said third parties processing EU citizens' data outside of the EU should be held accountable to the same laws, v3.co.uk reports.

PRIVACY LAW—EU

MEPs: SWIFT Transfers Have Been “Rubber Stamped” (March 17, 2011)

The European Commission is due to publish its six-month review of the SWIFT agreement today. Members of the European Parliament have criticized the bank transfer data sharing deal between the European Union and the U.S., Sofia Echo reports. The SWIFT agreement allows the U.S. to access details of European bank transactions to be used in the effort to fight terrorism. Since the agreement took effect six months ago, the U.S. has made four data transfer requests to oversight body Europol that Civil Liberties Committee MEPs say have been "rubber stamped," citing that the requests were too general and abstract "to allow Europol to check whether they meet EU data protection standards."

ONLINE PRIVACY

E-Commerce Site Makes Changes After Users Complain (March 16, 2011)

As a result of privacy concerns voiced by a number of users, an e-commerce Web site has decided to stop publishing customers' purchase histories within user feedback posts. Etsy recently activated a "people search" tool allowing users to search for other users' names as a way to view purchases and recommendations. However, some users claimed they were not notified that their information would become public when they initially entered their full names on the Web site. Etsy has now disabled the feature and says it is considering further changes to protect buyer privacy, Ars Technica reports. In the future, the site may allow users to post purchases, but it would be "completely opt-in," executives said.

PERSONAL PRIVACY

The Changing Meaning of “Personal Data” (March 16, 2011)

William Baker and Anthony Matyjaszewski explore the changing meaning of "personal data" in this preview article for the upcoming April edition of the IAPP member newsletter, the Privacy Advisor. The article includes a compendium of definitions outlining how the term is defined within data protection laws worldwide.

ONLINE PRIVACY

Microsoft Do-Not-Track Tool To Debut Tuesday (March 15, 2011)

Microsoft's newest version of Internet Explorer is set to release on Tuesday with a do-not-track tool to help Internet users "keep their online habits from being monitored." However, concerns persist as to whether self-regulatory approaches will work. The Wall Street Journal reports that Microsoft and Mozilla have adopted do not track in the wake of the Federal Trade Commission's recommendation for such tools, highlighting "the pressure the industry faces to provide people with a way to control how they are tracked and targeted online" with legislation being contemplated at the federal level. However, the report goes on to state, industry-based systems "will only work if tracking companies agree to respect visitors' requests," and to date, none have publicly agreed. (Registration may be required to access this story.)

BEHAVIORAL TARGETING—EU

Future of Online Display Hangs in the Balance (March 15, 2011)

Wired reports on the ePrivacy Directive amendment that requires Web publishers to obtain consent from users before placing cookies on their browsers and its impact on the future of display advertising. "The implications could be unpleasant for publishers," the report states. UK Information Commissioner Christopher Graham recently warned that "Industry needs to wake up and realize this isn't some kind of Brussels nightmare." While a recent Department of Culture, Media and Sport announcement and anticipated government support of pan-European self-regulatory efforts give some in the ad industry reason for calm, "the conflict between publishers and privacy advocates can only intensify," the report states. "In the balance hangs the future of online display."

PRIVACY LAW—EU & U.S.

Hustinx, Leibowitz Discuss Approaches to Consumer Privacy (March 11, 2011)

The National Journal reports on comments by EU Data Protection Supervisor Peter Hustinx and Federal Trade Commission (FTC) Chairman Jon Leibowitz at this week's IAPP Global Privacy Summit and whether common ground on privacy protection exists on both sides of the Atlantic. In light of the European Commission's work on revising its Data Protection Directive and the FTC's December report on protecting consumer privacy online, Leibowitz said, "I see more convergence than divergence." Hustinx, who said he was pleased to see the FTC's recognition that "status quo in the U.S. is not satisfactory," responded to a question about whether a federal privacy law could help the U.S. meet the EU's adequacy standard, stating, the "trend is moving in the right direction" but "whether this is adequate in a technical sense may not be so decisive."

PRIVACY LAW—UK

UK Focused on EU Directive Compliance (March 11, 2011)

The UK government is working with Web browsers in an effort to help businesses comply with a new EU directive related to online privacy that comes into force this May. The government "also insisted that the EU Directive will become UK law by the May deadline," reports OUT-LAW.COM, in spite of comments by Information Commissioner Christopher Graham that the new law, which requires online companies to obtain "explicit consent" from users before using Web cookies, will not go into effect until autumn. "We are working with browser manufacturers to find a way to enhance browser settings so that they can obtain the necessary consent to meet the directive's standards," a Department of Culture, Media and Sport spokesman said.

EMPLOYEE PRIVACY—ITALY

Garante Rules on Ex-Employee’s Claim (March 11, 2011)

Italy's data protection authority has made a decision in a claim brought by a man who sought the destruction of personal data from his work computer after he was dismissed from his job. The man asked that the employer destroy his personal data and files. The DPA determined that the employer does not have to delete the data, but the DPA forbade the company from accessing the former employee's personal files as that would violate "the pertinence and proportionality principle provided by the Italian Data Protection Code," writes attorney Rocco Panetta for the European Data Protection Digest. (Article in Italian.)

ONLINE PRIVACY

DPAs, Others Weigh “Right To Be Forgotten” (March 11, 2011)

Across borders, discussions are in full swing over the dichotomy between the Internet's inability to forget and the call for a "right to be forgotten." In a Forbes report, Kashmir Hill notes, for example, that just such a right "has been affirmed by the Spanish DPA," which recently called for Web sites to delete "inaccurate or out-of-date links" from searches. Meanwhile, Google Global Privacy Counsel Peter Fleischer writes, "More and more, privacy is being used to justify censorship. In a sense, privacy depends on keeping some things private, in other words, hidden, restricted or deleted. And in a world where ever more content is coming online, and where ever more content is findable and shareable, it's also natural that the privacy countermovement is gathering strength."

PRIVACY

CDT Receives 2011 IAPP Privacy Leadership Award (March 10, 2011)

The Center for Democracy and Technology has received the 2011 IAPP Privacy Leadership Award. The annual award recognizes a global leader in the field of privacy and data protection. Presenting the honor this morning at the IAPP Global Privacy Summit in Washington, DC, IAPP Board of Directors Treasurer Brendon Lynch, CIPP, said the CDT "is at the forefront of efforts to keep the Internet open, innovative and free. They have consistently been a leading voice for free expression and privacy in communications and have fostered practical and innovative solutions to public policy and civil liberties." CDT President Leslie Harris accepted the award on stage with CDT staff members Justin Brookman, Jim Dempsey and Erica Newland and CDT Board Chairman Deirdre Mulligan.

FINANCIAL PRIVACY—EU & U.S.

SWIFT Transfers in Spotlight (March 10, 2011)

Europol has approved requests to send citizens' banking data to the U.S. Department of Treasury "without sufficient consideration for data protection laws," PCWorld reports. That is according to the findings of an investigation by Europol's Joint Supervisory Body (JSB), which were made public yesterday by Germany's data protection authority. A JSB team of seven data protection experts conducted the investigation into transfers under the so-called SWIFT pact. It found that some of the transfers approved by Europol failed to meet a provision that the U.S. "clearly substantiate the necessity of the data" in combating terrorism.

DATA PROTECTION—EU & U.S.

Data Sharing Talks To Begin Soon (March 10, 2011)

The United States government and European Union are expected to begin negotiating a justice- and security-related data-sharing agreement soon, the European Voice reports. The European Parliament will have to approve whatever agreement may be reached. A working group composed of officials from both governments has already been working towards certain resolutions in this area, but a U.S. official said, "We have a long way to go." The European Commission's director-general of justice, Françoise Le Bail, will serve as chief negotiator of the talks, which will begin in April. (Registration may be required to access this story.)

DATA THEFT—FRANCE

French Ministry Documents Stolen (March 9, 2011)

The French Finance Ministry has confirmed that hackers infiltrated 170,000 of the agency's computers in December and stole data related to the G20, All Headline News reports. The attack involved Trojan horses and was discovered in January, according to French Budget Minister François Baroin. Officials are investigating.

PRIVACY LAW—SPAIN

Parliament Reduces DPA’s Penalties (March 8, 2011)

The Spanish Data Protection Agency (DPA) is described as "one of the more enforcement-oriented DPAs in the EU," but parliament has modified its penalty structure to lower many fines, the Hogan Lovells Chronicle of Data Protection reports. The main modifications include warning businesses and giving them a set amount of time to resolve breaches before fines would be levied and changes in the level of infringement for certain transfers of personal data, the report states. The modifications were announced in the wake of Europe's highest court's review of the DPA's order that Google remove links to Web content due to privacy concerns.

ONLINE PRIVACY—EU & UK

Report Forecasts Pros and Cons of the Cloud (March 8, 2011)

Experts have suggested that 75 percent of senior business leaders believe that privacy and security concerns are the key impediments to the adoption of cloud computing, the Financial Times reports in an analysis piece on the benefits and risks of cloud computing for entities in the UK and EU. With the European Commission anticipating introducing data protection reforms later this year, the report stresses that "to comply with EU personal data requirements, the data controller needs to ensure that the security standards are appropriate, having regard to the nature of the personal data, the state of technological development and the cost of implementing particular measures." (Registration may be required to access this story.)

DATA PROTECTION—LATVIA

DPA Suspends Electronic Tax Service (March 7, 2011)

Latvia's data protection inspectorate has suspended the State Revenue Service's tax return service due to privacy concerns, Baltic Business News reports. The inspectorate ordered a halt to the Electronic Declaration System due to the fact that "users who happen to know another person's identity number can find out that person's name, surname, address and other personal data," the report states. The system will remain suspended until the revenue authority finds a way to control access.

PRIVACY LAW—SPAIN

Medical Malpractice Case at Heart of Legal Debate (March 7, 2011)

A plastic surgeon who was cleared of wrongdoing in a criminal medical malpractice case 20 years ago is at the heart of a legal debate in a Spanish court, The Wall Street Journal reports. The case involves the Spanish data protection authority's request for Google to remove from its search results links that go to a 1991 newspaper article about the surgeon's troubles. Google is contesting the request, saying that to do so would be censorship. But "Spain has always taken an extremely strong line over privacy," says a Barcelona lawyer, and now the European Court of Justice may become involved. (Registration may be required to access this story.)

Tracking Users’ Web Footprints (March 7, 2011)

A feature in The New York Times explores Web sites that track users' browser history for public viewing, questioning whether individuals will choose to share such information, which can range from visits to online dating and banking sites to exploring medical conditions, and pointing to the assurances site developers are making about privacy. "At all of these tracking sites, developers say they take privacy very seriously," Austin Considine writes in the report, adding, "their success will ultimately be predicated on trust." The developers point to such safeguards as not sharing secure links and providing options for disabling tracking. The founder of one such site suggests they make users more aware of online privacy, noting, "If we're not following you, no matter what, somebody else is." (Registration may be required to access this story.)

PRIVACY LAW—GERMANY

Germany Adopts Telecom Breach Notification Requirements (March 4, 2011)

The German government has adopted a draft law that revises the German Telecommunications Act to include breach notification requirements for telecommunications companies, reports the Hunton & Williams Privacy and Information Security Law Blog. The law brings Germany into line with the European e-Privacy Directive. Under the draft law, telecommunications companies are required to notify the federal data protection commissioner and the federal network agency about data breaches. The law also includes provisions requiring "providers of location-based telecommunications services to send text messages informing users whenever their mobile devices are being tracked on location," according to the report.

BEHAVIORAL TARGETING

Fingerprinting To Supplant Cookies? (March 4, 2011)

Several startups are experimenting with tracking technologies that could supplant cookies as behavioral targeting mechanisms, ClickZ reports. Device fingerprinting operates by tracking mobile phones, PCs, TVs and cars using unique identifiers. Based on the device's properties and settings, fingerprinting allows advertisers to link to and track the device and transmit messages based on activity. It's easier to opt out of fingerprint tracking than cookies, developers say; because the device's fingerprint lasts as long as the device itself, opting out need only happen once. In addition, the developers say, the new technology already complies with do-not-track principles because users can "opt out of both tracking and targeting independently."

DATA PROTECTION—EU & U.S.

Callahan Discusses Privacy Oversight (March 4, 2011)

Speaking at an event in Washington this week, the chief privacy officer of the U.S. Department of Homeland Security said that the members of a group formed to create standards for data sharing between the U.S. and EU governments disagree on privacy oversight, Fierce Government IT reports. Mary Ellen Callahan, CIPP, said the "issue of independence" has come up within the so-called high-level contact group. European group members have expressed concern that the U.S. lacks an agency dedicated to data privacy. Callahan told those in attendance at an American Bar Association gathering that the U.S. Congress could alleviate these concerns by fully staffing the Privacy and Civil Liberties Oversight Board and granting it more independence.

PRIVACY LAW—UK

Gov’t To Publish CCTV, Plate Recognition Code (March 4, 2011)

The government will publish a code of conduct on the use of CCTV and automated plate recognition technology, The Register reports. It will also remove CCTV regulation from the Information Commissioner's Office (ICO) powers and establish a new surveillance camera commissioner. A public consultation on the code was published Tuesday, stating that the government will require anyone wanting to use CCTV to conduct a checklist demonstrating a need, a cost/benefit analysis and consultation with the appropriate authorities. The code will need to comply with the Data Protection Act and cannot conflict with the ICO, the report states. The crime prevention minister said the two technologies help crime fighting, but can't "invade law-abiding people's privacy."

DATA PROTECTION—UK

Minister Calls for Protections on E-mail (March 4, 2011)

Officials must do more to stop Internet service providers (ISPs) from accessing individuals' e-mails without consent, says an ex-cybersecurity minister. Lord West says further action is needed to prevent abuses as ISPs increasingly trial deep packet inspection, which scans e-mails for keywords and tracks Web users' browsing habits, BBC News reports. The Home Office is expected to soon make an announcement regarding its review of the Regulation of Investigatory Powers Act. Privacy International says the planned changes won't improve consumer protection because they only apply to "unintentional" e-mail interceptions. West said allowing private companies "the right to go and look into people's e-mails is something I find unhealthy."

DATA LOSS—UK

Data Taken in Youth Club Break-In (March 4, 2011)

Robbers broke into a north Hull youth center and stole items including a computer that held five years' worth of data on attendees of the program. Thisishullandeastriding.co.uk reports that names, addresses and medical conditions of up to 700 current and former attendees of the program were stored on the computer, which, according to the program's founder, Tony Fee, was password-protected. A Humberside police spokesman said some of the stolen property has been recovered but not the computer. Fee said most residents know about the robbery, but staff are considering writing to parents about the loss of records.

DATA PROTECTION—UK

Patient Data To Be Encrypted After Theft (March 4, 2011)

The theft of a hospital laptop containing 1,500 patients' data may have been an inside job, The Huddersfield Daily Examiner reports. In the November theft, a computer was taken from a locked office at Calderdale Royal Hospital. The computer contained such information as names and dates of birth. Medical director Yvette Oade says the theft probably occurred during working hours by someone with an access code to the building, as there was no evidence of an external break-in. The hospital informed police following the breach and has now installed software to encrypt patient data, Oade said.

DATA LOSS—UK

Survey: 17,000 USB Sticks Left at Dry Cleaners (March 4, 2011)

More than 17,000 USB sticks were left in clothes to be dry cleaned, a survey has found. The 2010 Credant Technologies survey indicates an increase of 400 percent from 2009, USP reports. A company spokeswoman said the increase indicates a "growth in 'IT consumerisation,' as consumers today carry more and more mobile devices than ever before, such as smart phones, laptops, iPads, USB sticks and other portable devices. Inevitably, unsuspecting consumers leave the USB sticks behind, creating a potential risk for their employers if these devices have proprietary information on them and end up in the hands of criminals."

ONLINE PRIVACY—EU & UK

Consumer Group: Cookie Concerns Continue (March 3, 2011)

An investigation by consumer group Which? that points to the difficulty Internet users have managing local shared objects, more commonly known as Flash cookies, is sparking a push for stricter online legislation. The Guardian reports on the difficulties of removing local shared objects from hard drives and features comments by Sarah Kidner of Which?, who suggests, "If such practices are happening without the user's knowledge, it is pretty serious and could be in contravention of data protection law." A member of the group's legal counsel says that "as the online behavioral advertising industry innovates to collect ever more data," both the UK Information Commissioner's Office and the EU need to address such technologies.

DATA PROTECTION—UK

Cloud Provider: Legislation Required for Cloud Success (March 3, 2011)

"Legislation is an impediment" to the UK government's G-Cloud initiative, say officials from Lockheed Martin, the largest provider of cloud services to the U.S. government. In the UK and Europe, data privacy laws prevent the movement of data outside the jurisdiction, Computing reports, which is "the antithesis of cloud computing's concept." For the cloud to succeed, privacy and confidentiality legislation will need to change, the report states. "Governments should all be updating their laws if they aren't already," said Melvin Greer, chief strategist for Lockheed Martin, adding that the UK government and the G-Cloud initiative "will have to deal with the concept of having a secure infrastructure..."