European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—AUSTRIA

Lower House Passes Data Retention Bill (April 29, 2011)

The lower house of the Austrian parliament has passed a measure endorsing the storage of private phone call and e-mail data, Deutsche Welle reports, and the upper house is expected to soon pass it into law. Data will be stored for six months under the measure, which the European Commission adopted in 2006. The information will be available to investigators and public prosecutors in criminal procedures. A spokesman for an Austrian organization that opposes data retention said he's "very concerned" and that the "risk is that the data retained will not only be used for finding terrorists...but will be used against normal people."

DATA LOSS

European Regulators Investigate Breach (April 29, 2011)

Regulators in the UK and Ireland plan to investigate the data breach sustained by Sony's PlayStation Network, according to Forbes. The Irish data protection commissioner has contacted Sony Ireland but said it is "extremely unlikely" that the agency will fine the company. UK Information Commissioner Christopher Graham "will be making further inquiries to establish the precise nature of the incident before deciding what action...needs to be taken." And, Germany's federal data protection commissioner claims that Sony breached a legal duty by taking too long to notify its customers. The article suggests that the breach could have implications for the European Commission's proposal to extend current data protection laws beyond the telecommunications industry.

GEO PRIVACY—EU & U.S.

Apple Facing Investigations (April 29, 2011)

As regulators investigate the collection of location data by Apple's iPhone and iPad devices, Bloomberg reports that greater scrutiny is expected in the EU than the U.S. Drawing a parallel to inquiries that followed the collection of WiFi data by Google's Street View vehicles, the report notes that regulators in Germany, France and Italy are among those examining whether the storage and sharing of location data violated privacy rules. While U.S. lawmakers are also calling for investigations, one privacy expert notes, "Issues that may not look terribly serious in the U.S. can have much greater significance and seriousness here in Europe...There is this tension between the U.S. rules, which are much narrower, and the EU rules, which are much broader."

DATA LOSS—GERMANY

Hackers Breach Software Company (April 29, 2011)

The German software company Ashampoo announced that an attack on one of its servers has exposed names and e-mail addresses of its customers--approximately 14 million people. InfoSecurity reports that the hackers have already used the information to attempt to scam people through targeted phishing e-mails with attached documents containing malicious software. One security analyst noted the similarity to the recent Epsilon breach, saying that with Ashampoo's customer data, "hackers can tailor specific malware or phishing campaigns to target this group specifically." Ashampoo has apologised for the breach, notified German authorities and is warning customers of fake e-mails that appear to come from the company.

PRIVACY LAW—UK

ICO Wants Stiff Penalties for Data Traffickers (April 29, 2011)

Information Commissioner Christopher Graham has told the Commons Home Affairs Committee that jail time, not just fines, is needed for serious breaches of the Data Protection Act such as data trafficking, reports computing.co.uk. The commissioner gave evidence on the profitability of the illegal trade of personal data, which he confirmed tallied into the millions of pounds. Graham recommended a two-year prison term for serious breaches of the Data Protection Act, warning that the law has become obsolete with advancements in technology. He lamented that the status quo amounts to a few commissioners enforcing "a patchwork regime for hacking and blagging and interception."

DATA LOSS—UK

ICO Defends Data Breach Figures (April 29, 2011)

CRN reports that the Information Commissioner's Office (ICO) disputes encryption vendor ViaSat's analysis of data it acquired through the Freedom of Information Act. Last week, ViaSat asserted that the ICO did not penalise organisations enough, suggesting the ICO's "inaction was harming the deterrent value of the fines" it could impose. In response, the ICO has released a statement claiming the vendor misinterpreted one of the statistics relating to the number of reported data breaches. ViaSat's chief executive defends his firm's use of the figures, saying, "Our request was clear in that we wanted information on the number of data breaches."

SOCIAL NETWORKING—UK

Teachers Warned of Negative Repercussions (April 29, 2011)

At the National Union of Teachers' (NUT) annual conference, Karl Hopwood, an Internet safety consultant and former head teacher, warned attendees of the dangers of connecting with students and sharing information on social networking sites, reports The Guardian. While the sites can be a space for sharing positive information, he urged teachers not to "friend pupils on social networking sites. Set up a group to link up with the orchestra or the rugby team." Hopwood also implored teachers to be "sophisticated" in their use of social networking, noting that many employers are now using online search engines and social networking sites to glean information on job candidates.

ONLINE PRIVACY—EU & U.S.

Opinion: USA PATRIOT Act Affects European Privacy (April 29, 2011)

In a post for ZDNet, journalist Zack Whittaker discusses the effect the USA PATRIOT Act has on Europeans who work in or use the cloud. "There is no privacy in the European cloud," Whittaker states, "or any public cloud outside of the United States where a U.S.-based or wholly owned subsidiary company is involved." He notes that many EU universities use cloud-based e-mail or storage, adding, "I could not find a single official or representative (in the UK) who can guarantee that student data will not leave the EEA under any circumstances." As prevention, he recommends that Europeans look for cloud service providers wholly owned by EU-based companies. 

ONLINE PRIVACY

Web Standards Group Discusses Do Not Track (April 29, 2011)

The Web standards organization, World Wide Web Consortium (W3C), met this week to examine online privacy and the main issues surrounding a universal do-not-track mechanism, reports MediaPost. Discussion topics included definitions for do not track and the mechanism's operational feasibility. Nearly 60 position papers were submitted by Web companies, academics and others prior to the conference. W3C Co-Chair Lorrie Cranor said the group "has not yet formally taken on the task of formalising do not track or any of the other consumer protection technologies in the tracking space but are looking at it and trying to determine if there's a role for them and, if so, what direction to go in."

PRIVACY LAW—EU

German Lawmakers Say Directive May Be Illegal (April 28, 2011)

The European Commission's Data Retention Directive may be illegal, the German Parliament has said. A report from the Bundestag's Working Group on data retention says the directive is incompatible with the EU Charter of Fundamental Rights; the directive's requirement that service providers retain data for two years is disproportionate with crime-fighting measures, "as data retention increases the crime clearance rate only slightly," CIO reports. A spokesperson for Bundestag's Working Group said that the EU "must abort this experiment immediately and replace the completely disproportionate blanket collection of the entire population's communications records" with one that only collects data on suspects.

ONLINE PRIVACY

Social Network Plans Internet Erasure (April 28, 2011)

In the midst of ongoing calls for a "right to be forgotten" on the Internet, an early social network has announced it will erase old posts and photos from its site. In a column for Technology Review, David Zax explores the push for an Internet "written in pencil," where users may remove information. The owners of Friendster, which predated such social networks as MySpace and Facebook, appear to be doing just that, having notified users that they plan to "wipe out the site's trove of digital memories, including ancient dorm-room photos, late-night blog entries and heartfelt friend endorsements," The New York Times reports. (Registration may be required to access this story.)

DATA PROTECTION

Opinion: PR Damage Not Enough to Incite Action? (April 28, 2011)

There seem to be few repercussions for companies that lose customers' sensitive data, opines Nick Bilton in The New York Times. Breach reports are on the rise, and customers continue to hand over their information for access to online services. And yet, "the only real hit a company takes when these data breaches happen is to the company's image," Bilton writes. "It seems that with the frequency these events happen, a simple PR hit is not working to force these companies to protect people's privacy." Bilton says the problem will only get worse with the advent of the cloud. (Registration may be required to access this story.)

PRIVACY LAW—IRELAND

DPC: Insurers Committed “Unprecedented” Number of Breaches (April 27, 2011)

An Office of the Data Protection Commissioner (ODPC) investigation has found that staff at insurance companies inappropriately accessed data to examine claims histories, The Irish Times reports, including accessing an industry-wide database prior to making quotes. The commissioner has ordered insurers to remove data from Insurance Link, which stores and shares details on 2.4 million cases, breaching the Data Protection Act. It's illegal to store such data without a valid basis, the commissioner's office said, adding most of the public is unaware of the database, and there is no evidence data-subject consent was acquired. The ODPC will publish the investigation's findings in a report later this year.

DATA RETENTION—EU

Hustinx: Directive Is “Intrusive Measure” (April 26, 2011)

In an interview with Euractiv, European Data Protection Supervisor Peter Hustinx discusses the European Commission's recent evaluation report on the Data Retention Directive, saying that he still believes it's the "most privacy-invasive instrument ever." Hustinx admits he is grateful the report is "on the table so we can take a careful look," but adds, "I am not going to speak in favor of the directive as it was adopted in the past." Looking ahead, Hustinx plans "to make sure that the directive is revised in ways so that it can be applied in a more appropriate way" and intends to "react within a few weeks (to) help the commission stay on track."

GEO PRIVACY

Hidden Mobile Device Tracking Raises Concerns (April 22, 2011)

Researchers have found that Apple's iPhone and 3G-enabled iPad record their locations in hidden files and have been doing so since Apple updated its mobile operating system last June, reports Deutsche Welle. On Wednesday, two computer programmers presented these findings at a technology conference and wrote in their blog that the files are unencrypted and are on "any machine you've synched with your iOS device." EU authorities are assessing the potential impact, and two U.S. legislators have written to Apple seeking answers. Peter Schaar, Germany's commissioner for data protection, is calling for action to create a law forbidding secret tracking, and Privacy International's deputy director says his organisation is drafting complaints to be submitted to EU regulators.

DATA RETENTION—EU

Member States React to Commission Ruling (April 22, 2011)

MEPs are opposing the European Commission on its recent ruling against five member states who have not adequately adopted the Data Retention Directive of 2006, reports Euractiv. Under the current legislation, countries can retain "swathes" of telecommunications data for a period of six months to two years. MEPs from Germany, Austria and Sweden--all of which face fines--are pushing for shortened data retention periods, or "quick freezes," and more targeted searches. Constitutional courts in the Czech Republic and Romania declared the directive violates Article 8 of the European Convention of Human Rights. One MEP from Germany explained, "There is no evidence that the far-reaching retention of data has led to any concrete results beyond compromising civil liberties."

PRIVACY LAW—EU

EDPS Says Proposal Defies Data Protection Law (April 22, 2011)

The European Data Protection Supervisor (EDPS) last Friday adopted an opinion that the European Commission's proposal to revise the EU's financial regulations does not comply with data protection law. The proposal includes provisions about processing personal data by EU institutions and member states, such as publishing decisions about administrative and financial penalties in a way that would identify the individual penalised, among others, reports IEWY. "The role of privacy and data protection is not to prevent public access to information whenever personal data are involved," said Assistant Supervisor Giovanni Buttarelli. However, he said, synergy between transparency and data protection "in the new regulation can only be ensured if the rules on transparency and processing of personal information are sufficiently clear and precise."

PRIVACY LAW—UK

ICO Granted New Powers for Unwanted Marketing (April 22, 2011)

Third Sector reports the Information Commissioner's Office (ICO) has been given new powers to fine organisations--including charities--for making unwanted contact via e-mail, texts and live or automated phone calls. As part of an amendment to the UK's Privacy and Electronic Communications Regulations, the ICO will also have increased investigatory and auditing powers as well as the responsibility to regulate new rules for Web sites using cookies. Under the new amendment, ISPs and telecommunications firms must inform the ICO if they suffer a breach. Information Commissioner Christopher Graham welcomed the new powers, saying, "the changes...will grant us the right to impose significant monetary penalties" and "improved powers to investigate companies that make nuisance marketing calls."

PRIVACY LAW—FRANCE

Amended Data Protection Act Now in Effect (April 22, 2011)

Amendments to the French Data Protection Act went into effect on 31 March. The amendments bring the law into compliance with the European Convention for the Protection of Human Rights. They include provisions to bring a greater separation of powers within the French data protection authority (CNIL) and specify certain terms the CNIL must follow when conducting onsite inspections. Bird & Bird partner Ariane Mole outlines the changes in this IAPP Europe Data Protection Digest special.

PRIVACY LAW—SWEDEN

Data Inspection Board Allows Database (April 22, 2011)

The Swedish Data Inspection Board has granted the rail operator SJ special permission to implement a "graffiti database," The Local reports. SJ had applied to be exempt from a portion of the Data Protection Act that prohibits certain personal data management activities. The Datainspektionen approved the exception, allowing SJ to track acts of vandalism and graffiti, but "personal details of suspects will not, however, be permitted to be included in the database," the report states. Instead, graffiti artists will be identified in the database via the "'tag' included in their handiwork."

DATA THEFT—EU

Space Agency Breached (April 22, 2011)

A hacker recently entered the European Space Agency's (ESA) FTP servers and took sensitive data, including hundreds of passwords, usernames, e-mail addresses and server logs, according to ZDNet. The agency conceded there were some risks but noted the internal network and main site were not at risk because the networks were partitioned. An ESA spokesman did not give specifics on how the assailant breached the network but added, "it could have been achieved by an attacker sniffing usernames and passwords stored in plaintext and captured while in transit."

DATA LOSS—UK

Numbers Show Many Data Breaches, Few Fines (April 22, 2011)

Of the 2,565 data breaches identified by the Information Commissioner's Office (ICO) since April 2010, "only 36 have resulted in a punishment--and only four have resulted in financial penalties," The Guardian reports. An ICO spokesman said getting organisations to comply with the Data Protection Act "isn't always best achieved by issuing organisations or businesses with monetary penalties." Just this week, the ICO announced breaches at Norwich City College, Freehold Community School and NHS Birmingham East and North. A Christchurch nurse was also found guilty of misconduct for inappropriate access of medical records. The ICO defends its actions, and the acting head of enforcement said, "organisations have a legal responsibility to abide by the principles of the DPA."

PRIVACY LAW—IRELAND

Opinion: Data Retention Law Hurts Businesses (April 22, 2011)

An Irish Times editorial asserts that the Communications (Retention of Data) Act 2011, signed into law in January, will mean higher costs for Internet-centric Irish businesses and puts Ireland at a "competitive disadvantage" in attracting such businesses. The author says the act, which she describes as a "transposition of an EU directive," was not put in an "Irish-appropriate context," noting that businesses such as cyber cafes and hotels and hostels that provide Internet access may fall within its scope. Under the act, Internet service providers would be required to store--and make accessible to police and the revenue service--two years' worth of online communications data.

ONLINE PRIVACY—UK

Study Shows Posters’ Remorse (April 22, 2011)

A recent study by security firm Norton found that more than half of respondents would delete all of the personal information they've posted online. The study asked 1,004 adults about the amount of personal information they have shared online and how it could affect them. The Daily Mail reports that many believe there is information available that could potentially be damaging to them, yet 40 percent admit they don't actively protect their online reputation. Sherly Seitz of Norton warns that when embracing new technologies, "consumers should stay mindful of the dangers, both personal and professional, of sharing too much and too openly online." The article features tips on how to protect online personal data.

Amended French Data Protection Act now in force (April 21, 2011)

The French Data Protection Act (Loi Informatique, fichiers et libertés) was recently amended and went into force on March 31.

ONLINE PRIVACY—BELGIUM

Authorities Probe Mapping Service’s Data Collection (April 21, 2011)

Bloomberg reports that Google is working with Belgian authorities over its online mapping service. The company never inspected or used the information it inadvertently collected via its Street View cars, said company spokeswoman Anoek Eckhardt in an e-mail. A spokesman for Belgium's Privacy Commission said the authority concluded earlier this year that "Google committed 'flagrant violations of privacy law' by collecting and storing wireless Internet addresses and traffic between computers and WiFi hotspots."

PRIVACY LAW—UK & EU

ICO Says Revised Law Still Years Away (April 21, 2011)

New EU data protection laws will likely mandate data breach notifications for all organizations, said UK Deputy Information Commissioner David Smith. However, Smith said at a London event this week, the new laws are likely still years away. The Data Protection Directive is currently under review by the European Commission, V3.co.uk reports. An initial set of proposals is expected this summer. Service providers will be required to report breaches in May, but that will likely extend to all organizations eventually. Other changes may include the "right to be forgotten," built-in privacy protections and requirements for minimal data collection, Smith said.

DATA PROTECTION

IT Study Reveals Same Challenges, Accelerated Pace (April 21, 2011)

A survey of 2,400 IT security specialists from around the world shows compliance, governance and information security management at the top of their priorities for the remainder of 2011, reports InfoSecurity. The study, conducted by not-for-profit IT security association ISACA, found that the complexities of the IT landscape are accelerating due to new technologies and regulations as well as an increase in data breaches. Tony Noble, a member of ISACA's guidance and practice committee, notes that this year's survey shows a need to better align "business with IT to unlock greater value," adding that there's a perception on the business side of organizations that "IT is managed in a silo."

ONLINE PRIVACY—NETHERLANDS

DPA: Comply with Demands or Face Fines (April 20, 2011)

The Dutch Data Protection Authority said Google collected the Media Access Control (MAC) addresses of more than 3.6 million WiFi routers while its Street View cars photographed Dutch streets, The Wall Street Journal reports. The MAC addresses are unique identifiers attached to each computer's wireless hardware. Combined with the ability to locate the hardware, the MAC addresses qualify as personal data "that could provide information about the routers' owners and requires Google to offer an online opt out," the authority said Tuesday. The company could face fines of up to €1 million if it fails to comply within three months.

PRIVACY LAW—EU & U.S.

EU and U.S. Differ on Passenger Data Sharing (April 20, 2011)

Bloomberg reports on the differing views between the EU and U.S. on the collection of air passenger data. "The U.S. wants to collect data on anyone suspected of crimes carrying sentences of more than a year," while the "EU wants data to be handed over only in individual cases related to fighting terrorism and organized crime," the report states. The amount of time data can be stored should be restricted, the EU says, as should third-party access. However, the U.S. wants the data stored for 15 to 20 years. The U.S. will have to enter agreements with individual member states if an agreement with the EU cannot be reached.

DATA LOSS

Study: Small Targets Are a Big Hit with Hackers (April 20, 2011)

Secure Computing reports on Verizon Business's recently released 2011 Data Breach Investigations report that shows data thieves are targeting "smaller, softer and less reactive" businesses, such as retail and hospitality companies. The study also found that many breaches were "basic hacks" due to "ineffective or weak" credentials. Mark Goudie of Verizon encouraged companies to upgrade security procedures and software, warning, "If there are six people being chased by a bear, it's best not to be the slowest runner." The findings of two other data protection studies--Imperva and the Ponemon Institute's 2011 PCI DSS Compliance Trends Study, and Veracode's State of Software Security Report: The Intractable Problem of Insecure Software--have also been announced.

HEALTHCARE PRIVACY

Drug Manufacturer Alerts Consumers of Breaches (April 19, 2011)

The Wall Street Journal reports that, as a result of the recent Epsilon data breach, GlaxoSmithKline has warned consumers in a letter that their e-mail addresses and names "were accessed by an unauthorized third party." The company makes drugs for asthma, HIV, depression and smoking cessation, among others. The breach may have exposed which product sites consumers are registered for, according to the company, which could help fraudsters discern what prescription drugs they take, warns CAUCE, a spam coalition. (Registration may be required to access this story.)

DATA RETENTION

Company Extends Retention Term (April 19, 2011)

Yahoo disclosed on Friday that it will extend the length of the term it retains user data to 18 months, The New York Times reports. In a company blog post, Yahoo Chief Trust Officer Anne Toth said, "we will keep our log file data longer than we have been--offering consumers a more robust individualized experience--while we continue our innovation in the areas of transparency and choice to protect privacy." The company's current retention term is 90 days. Privacy advocates expressed disappointment about the change, and, the report states, "Yahoo's new policy may be in conflict with European Union data protection rules." (Registration may be required to access this story.)

PRIVACY LAW—U.K. & EU

UK Law Will Require Consent (April 18, 2011)

The United Kingdom's final plan to implement the amended EU e-Privacy Directive (2009/136/EC) does not deviate from the directive's requirement that effective consent be obtained from online users in order to place most cookies on their computers, according to the Department for Culture, Media and Sport report released on Friday. The plan does not use the phrase "opt-in consent," but it is clear from the rules that it would amend the country's Privacy in Electronic Communications Regulations to require that such consent be obtained from users. "Organizations running Web sites will need the user's permission before a cookie can be used," said Culture Minister Ed Vaizey.

CHILDREN’S PRIVACY—EU

Kids Not Using Privacy Settings (April 18, 2011)

Many children using social networking sites don't employ privacy settings, making them vulnerable to stalkers and other risks, according to EU Commissioner for the Digital Agenda Neelie Kroes. The Associated Press reports that EU data show 77 percent of 13 to 16 year olds and 38 percent of nine to 12 year olds are on social networks, but 25 percent don't use privacy settings, and many display phone numbers and addresses. "These children are placing themselves in harm's way, vulnerable to stalkers and groomers," Kroes said. She is urging social networking sites to make minors' profiles accessible only to designated "friends" by default.

PRIVACY—EU & U.S.

EU, U.S. Officials Moving Toward “Umbrella Agreement” (April 15, 2011)

Formal negotiations between EU and U.S. officials began Thursday for the creation of a data protection framework that would protect European citizens' data for future anti-terror operations, the AFP reports. EU Justice Commissioner Viviane Reding says it is "important to have...an umbrella agreement" making it "much easier to have specific agreements" on areas with privacy concerns. Anticipating difficulties in future data sharing agreements, including a crucial deal on passenger data for European airlines, "the EU wants to establish a data protection framework that would cover all future arrangements," the article states. U.S. Homeland Security Secretary Janet Napolitano believes "the sharing of passenger data can be very consistent with the protection of privacy."

PRIVACY LAW—EU

Court Official: Monitoring ISPs Violates Privacy (April 15, 2011)

ISP monitoring for copyright infringement has serious privacy implications. That's according to European Court of Justice Advocate-General Pedro Cruz Villalón, who said courts of individual member nations cannot order ISPs to filter copyrighted material. The comments came in opposition to the verdict in a Belgian case that dates back to 2007, paidContent reports, and could have implications for the UK as well. Villalón said the "installation of that filtering and blocking system is a restriction on the right to respect for the privacy of communications and the right to protection of personal data, both of which are rights protected under the Charter of Fundamental Rights."

DATA PRIVACY—UK

Government Will Not Prosecute BT and Phorm (April 15, 2011)

Privacy advocates are expressing frustration after the Crown Prosecution Service (CPS) announcement that it will not prosecute BT and Phorm for tracking consumers online, The Guardian reports. The CPS launched an investigation after allegations that BT partnered with Phorm to place cookies on BT users' browsers without consent and used data on Web activity for behavioral targeting purposes. CPS has concluded that there is not sufficient evidence to prosecute under the Regulation of Investigatory Powers Act (RIPA). The Home Office has published changes to RIPA that it says will close loopholes in UK privacy law and prevent similar incidents in the future.

DATA PROTECTION—FRANCE

Juriste Delves into Data Protection (April 15, 2011)

The April edition of Juriste d'Entreprise Magazine delves into data protection with features including an interview with CNIL President Alex Türk, articles on international exchanges of personal data and binding corporate rules and a call from French Enterprise Lawyers Association (AFJE) President Jean-Charles Savoure for members to focus on data privacy compliance and consider becoming data protection officers--correspondants informatique et libertés (CIL). In her article, Areva CIL Hélène Legras discusses the benefits of having a CIL in the enterprise. The magazine also features interviews with several members of the AFCDP (French Association of Data Protection Correspondents) and an article from AFCDP President Paul-Olivier Gibert about CIL-legal compliance cooperation within enterprises. (Articles in French.)

PERSONAL PRIVACY—EU

European Commission Outlines Smart Grid Plans (April 15, 2011)

The European Commission has presented its ideas on how to push smart grids forward, Europolitics reports. Among plans to develop common technical standards across the EU to allow for system interoperability, the commission asks that member states produce action plans for smart grid implementation. The smart grid will digitize electricity use via smart meters, which communicate consumer energy use back to the utility. Energy Efficiency News reports that Energy Commissioner Gunther Oettinger has "unveiled a report calling for all European nations to set smart meter targets by 2012." A spokeswoman from consumer organization BEUC noted that smart meters will supply utilities with a "truckload of personal data" and called for safeguards.

ONLINE PRIVACY—EUROPE

Street View Opts Out of Germany; “Streetside” Launched (April 15, 2011)

Amidst an announcement that Google will not push forward with its Street View cars in Germany, Microsoft has launched its own version of a mapping service in Europe. Microsoft says "Streetside" will collect the "bare minimum" of data. The UK Information Commissioner's Office has said it will be keeping a close eye on the service. German data privacy officials raised concerns after Street View launched there last year, and one woman filed a lawsuit. Google won that case but now says it has "no plans to launch new imagery on Street View in Germany," CNET reports.

PRIVACY LAW—EU

Commissioners: Rules Needed for Data Access (April 15, 2011)

European data protection commissioners have called for reforms to provide "an effective and consistent implementation of fundamental rights in a global environment," OUT-LAW.COM reports. At an event last week, the commissioners also called for data protection laws to apply to law enforcement agencies in the same way they do for companies and governments. The commissioners expressed concern that data intended for private-sector use is increasingly being repurposed for law enforcement needs. Data protection laws currently under revision should include clauses that allow for such use while balancing individuals' personal privacy rights, the commissioners said.

DATA LOSS—UK

Paper Records Breaches Alarm ICO (April 15, 2011)

The Devon County Council has removed from the Internet documents containing names and financial information of children who were excluded from county schools and those with special needs, reports Express & Echo. The council has informed the Information Commissioner's Office (ICO) and says it will conduct a review of its data protection strategy. Meanwhile, the ICO is voicing concern over the security of paper records after breaches at NHS Liverpool Community Health and the Council for Healthcare Regulatory Excellence. Both institutions were found to have inadequate data protection processes. "These incidents should act as a warning to other organisations...to make sure their paper records management processes are as robust as their electronic data systems," said Sally-Anne Poole of the ICO.

PRIVACY LAW—EU & U.S.

Concerns Persist Over PNR Retention, Cloud Computing (April 15, 2011)

"The European Commission has still to prove why passengers' personal details should be recorded on all flights to and from Europe," OUT-LAW.COM reports in a piece on the Article 29 Working Party's opinion on the collection of passenger name record (PNR) data. The commission has not provided "proper evaluation of the use of PNR," the Working Party writes, suggesting that collecting PNR data to fight crime "should not enable mass tracking and surveillance of all travelers." Other opinions on PNR plans are divided, the report states. Amidst such questions about PNR retention and cross-border access to data stored by U.S. cloud providers, U.S. Attorney General Eric Holder and Homeland Security Secretary Janet Napolitano have been attending a meeting of EU-U.S. justice officials.

FINANCIAL PRIVACY—SWITZERLAND & GERMANY

Swiss Bank Pays To Protect Clients’ Identities (April 15, 2011)

The Swiss bank Julius Baer will pay the German government 50 million euros to protect its German clients' data and stave off future investigations, Deutsche Welle reports. German tax authorities have been looking into tax evasion after acquiring an electronic file containing data on citizens who hold Swiss bank accounts last year, the report states. "This will end investigations against Julius Baer," the Zurich bank said in a statement this week. Credit Suisse has also been a target of the investigations.

PRIVACY LAW—UK

Experts Say NHS Not Prepared for Law Overhaul (April 15, 2011)

The National Health Service is not prepared for the upcoming overhaul of European data protection laws, some experts say. ZDNet reports that, at an event this week, the chief information officer for health detailed plans allowing for electronic medical records' implementation and said that government plans "rely on a free flow of data." But, the culture and systems are not in place to handle such implementation, says a spokesman for the British Medical Association. "The general level of information assurance is poor," he said. Legal expert Stuart Knowles said NHS systems have not been built with information security in mind, and now data security is being "bolted on."

DATA PROTECTION—EU & MALTA

During Visit, MEP and DPC Exchange Views (April 15, 2011)

Member of the European Parliament Simon Busuttil recently travelled to Malta to discuss data protection rights in the country with Data Protection Commissioner Joseph Ebejer. "People in Malta are becoming increasingly aware that their personal data is theirs and should not be misused or abused," said Busuttil. An announcement on Busuttil's Web site says that the leaders discussed "individual complaints on data protection brought to the attention of the MEP, ongoing developments at EU level on data protection and the upcoming review of the EU data protection legislation."

PRIVACY LAW—CZECH REPUBLIC

Opinion: Aftermath of the Data Retention Decision (April 15, 2011)

The Czech Republic's Constitutional Court (ÚS) last month overturned parts of an antiterrorism law requiring telephone operators to retain data on all calls, faxes, text messages and e-mail exchanges. The change has brought on "surrealistic reports in the media that have underlined the difference between myth and reality," writes Miroslav Uřičař for Czech Position. According to Uřičař, the ÚS ruling makes it clear that the major sticking point for the court was the breadth of institutions that had access to the data. And, while police are lamenting the loss of easy access to the information, they are not, Uřičař says, breaking out numbers on how many crimes were uncovered and criminals punished because of the law.

BEHAVIORAL TARGETING—EU

Firms Sign On to Self-Regulate (April 14, 2011)

The Interactive Advertising Bureau (IAB) Europe today launched a pan-European self-regulatory program aimed at thwarting regulation around the practice of online behavioral advertising, Business and Leadership reports. Major media groups and technology firms have signed onto the agreement, which includes good practice guidelines and an icon that companies can use to help inform Internet users about how behavioral targeting works. According to an MLex article, creators of the agreement "assert that all consumer and privacy concerns have been addressed" and are "confident" that European regulators will be satisfied with the program.

DATA PROTECTION—UK

Government Unveils Consumer Data Plan (April 14, 2011)

The government has unveiled a plan to give consumers better access to data companies hold on them, This Is Money reports. "Mydata" will grant the public access to any marketing data businesses hold, the report states, with the aim of standardizing the information across industries. Data protection laws allow individuals the right to access the personal data businesses store, but accessing the information can be "complex and confusing." More than 20 firms will work together to share information with consumers under the plan. Consumer Minister Edward Davey said the plan will "radically change how consumers relate to business."

PRIVACY LAW—NEW ZEALAND & EU

Working Party Recommends “Adequacy” for NZ (April 12, 2011)

The Article 29 Working Party has issued its opinion on New Zealand's data protection and privacy law, writing that "although some concerns still exist," New Zealand ensures "an adequate level of protection within the meaning of Article 25(6) of Directive 95/46/E...with regard to the processing of personal data and the free movement of such data." In the opinion, the Working Party notes that it is also encouraging authorities there "to take the necessary steps to address weaknesses in the current legal framework," including strengthening the law governing direct marketing. The opinion also calls for maintaining oversight of data transfers to countries that "are not themselves subject to an adequacy finding."

ONLINE PRIVACY

What Happens to Your Digital Life After Death? (April 11, 2011)

All Things Digital explores the question "Who will be reading your e-mail after you die?" in a feature on a new startup aimed at letting users decide. Michael Aiello, founder of LifeEnsured, explains, "We want people to think about what their virtual life is and what it means to them and their families and how they want to be perceived after they pass away." Besides deleting social network accounts or entries on online dating sites, options include moving photos stored in online servers into the public domain and sending final e-mails. And whatever end-of-life options LifeEnsured users may choose, Aiello says, "We put all the requests for our paying members in irrevocable trust."

PRIVACY LAW—EU & GERMANY

Commission Asks Court to Nudge Germany (April 8, 2011)

The European Commission has formally requested that Germany comply with a March ruling by the EU Court of Justice for the complete independence of data protection supervisory authorities, according to a commission press release. The ruling held that Germany had failed to correctly implement the requirement that authorities monitoring compliance with data protection law operate with complete independence. Now, German data protection supervisors are "expressly subject to state scrutiny," the report states. The commission may ask that the court impose monetary penalties against Germany if it does not come into compliance within two months.

RFID—EU

EU, Companies, Advocates Sign PIA Agreement (April 8, 2011)

The European Commission has signed a voluntary privacy impact assessment with industry, civil society groups and privacy advocates to establish guidelines for radio frequency identification (RFID) tags, a technology gaining in use and popularity. The Privacy and Data Protection Impact Assessment Framework for RFID Applications aims to ensure consumers' privacy ahead of widespread use of the tags; about one billion are expected to be used in Europe in 2011 for applications such as bus and metro passes and highway tolls, Dow Jones Newswires reports. Privacy and security concerns include that third parties will use the location-based data without permission and that such data as biometric, health and other identity information will also be stored on the tags.

PRIVACY LAW—EU & SWEDEN

Commission Sends Sweden Back to Court (April 8, 2011)

The European Commission has referred Sweden back to the European Court of Justice for a second time for failing to implement the Data Retention Directive into national law, Reuters reports. In February 2010, the court condemned Sweden for failing to implement the directive, which requires telecommunications companies and Internet service providers to retain online traffic and location data for law enforcement purposes. The implementation deadline for all member states was more than three years ago. The commission asks that the court impose monetary penalties for each day Sweden is not in compliance. Though draft legislation was submitted to Sweden's parliament in December, the vote was deferred for another 12 months in March.

PRIVACY LAW—FRANCE

Internet Companies Fighting Data Retention Decree (April 8, 2011)

More than 20 Internet companies--including Google and Facebook--are filing a complaint with France's highest judicial body to fight a decree that requires them to keep users' personal data for one year, AFP reports. The decree requires the retention of such information as users' full names, addresses, pseudonyms, e-mail addresses and telephone numbers that "can be demanded in the context of an enquiry by police, the fraud office, customs, tax or social security authorities," the report states. The French Association of Internet Community Services (ASIC) "is appealing at the State Council against the decree to keep connection data," Benoit Tabaka of ASIC announced.

PRIVACY LAW—NORWAY

Parliament Passes Data Retention Directive (April 8, 2011)

The Norwegian Parliament on Tuesday adopted the Data Retention Directive, which will see Internet and telecommunication traffic "stored for six months, regardless of the access platform, after which it will be deleted with no copies being made," according to theForeigner. The 89-80 vote is drawing fire from the Liberal Party leader, who said, "I do not think those who voted for the directive understand the consequences of the decision." The Norwegian Data Inspectorate also opposes the directive, saying, "crime fighting is not a privacy measure, rather an interest that must be weighed against the consequences of privacy."

HEALTHCARE PRIVACY—THE NETHERLANDS

Senate Rejects Electronic Records Plan (April 8, 2011)

The Dutch Senate cited data security concerns as the reason for rejecting Health Minister Edith Schippers' plan to make citizens' medical records available to health professionals across the country, reports Radio Netherlands Worldwide. The Electronic Patient Dossier (EPD) was unanimously voted down because the system's security did not adequately protect patients' privacy. Almost 60 percent of the country's healthcare professionals have chosen to join the EPD, which holds records on about 8.5 million residents.

DATA LOSS—UK

Two Councils and a Trust Cleaning Up After Breaches (April 8, 2011)

A health trust and two city councils are working to improve policies after recent data breaches. Royal Cornwall Hospitals NHS Trust breached the Data Protection Act by accidentally disclosing personal data to unauthorized people on two occasions, said the Information Commissioner's Office (ICO). The City of York Council has signed an undertaking after a similar incident occurred. Meanwhile, Leicester City Council has found the memory stick it lost last month containing personal data on 4,000, BBC News reports. It appears that the data was not accessed during the time the stick was missing. The council is awaiting a possible ICO fine of up to £500,000.

BEHAVIOURAL TARGETING—UK

Questions Linger Ahead of Online Privacy Directive (April 8, 2011)

MarketingWeek reports on questions that remain about how the EU will implement its directive on cookies. The online privacy directive, requiring Web users to give consent for cookies to be placed on their browsers, comes into force 25 May. But, it is not yet known whether explicit permission will be needed for every new cookie or can be obtained in a way that extends more broadly. For now, companies are taking varied approaches. Yahoo recently introduced its AdChoices scheme, which allows users to control targeted ads served to them. Other Web sites have turned to TRUSTe to certify they meet privacy protocols.

PRIVACY LAW—EU

Opinion: Wisdom of Retention Laws Remains To Be Seen (April 8, 2011)

Following the announcement that approximately 20 Internet companies, including Google and Facebook, are filing a complaint with the State Council of France contesting a decree that requires them to keep user data for a full year, Silicon Republic examines issues around data retention in the EU. Ireland, the report points out, requires Internet service providers (ISPs) and telcos to retain user data for two years. "The wisdom of the passing of such laws--whether enlightened or draconian--will be telling in the months and years ahead," John Kennedy writes, adding, "Let's hope the system is not open to abuse or invasion of privacy."

BEHAVIOURAL TARGETING—EU

Icon Coming to a Web Page Near You (April 8, 2011)

Later this month, a coalition will unveil a behavioural advertising privacy icon aimed at letting Internet users know they're being tracked and allowing them to opt out of the practice. The initiative was spearheaded by IAB Europe and its network of partners alongside industry groups in order to fulfill a 2009 amendment to the European Privacy Directive requiring consent before placing cookies on users' machines, reports ClickZ. Colin O'Malley of Evidon says the EU icon will use the same platform as the U.S. icon, but the implementation may differ. The article also notes that the opt-out will only work on Web pages of those companies that support the initiative, causing the coalition to highlight the need for "effective enforcement" of the program.

DATA PROTECTION—EU

EU Plans for Cloud Computing Transformation (April 8, 2011)

Digital Agenda Commissioner Neelie Kroes will hold a consultation next month with stakeholders on development of a strategy for cloud computing. The technology, allowing data to be both stored and accessed from any location, will become as transformative to this decade as PCs were to the 1970s, EUObserver reports. But cloud computing's success will depend on a secure framework for data protection internationally, experts say. "It's reasonable to expect that consumers and businesses will require a high level of confidence before they place sensitive financial or medical information in the cloud," said the chairman of the U.S. Federal Communications Commission.

PRIVACY LAW—EU

Officials Support “Right To Be Forgotten” (April 8, 2011)

A feature in The Christian Science Monitor explores EU Justice Commissioner Viviane Reding's call for a right to be forgotten. While this push has been met with mixed responses from industry and officials, a spokesman for the commissioner says such a right "already exists in the sense that if you live in the EU, you have control over your data. But what's missing is that it hasn't taken account of how we use the Internet now." More stringent rules would not only provide a right for users to remove their data but would also require companies to prove the need to collect data in the first place, the report states.

PRIVACY LAW—SWITZERLAND

Court: Street View Must Blur Images (April 8, 2011)

Privacy advocates say they are pleased with a Swiss court's ruling that Google must ensure anonymity before it publishes faces and license plates captured in that country on its Street View mapping feature, swissinfo.ch reports. "I'm relieved that the question of whether a citizen walking the streets is fair game for online services has been resolved," said Swiss Data Protection Commissioner Hanspeter Thür. The ruling, which Thür said "confirms our right to our own image," comes after Thür argued in 2009 that the feature's privacy safeguards were insufficient. Peter Fleischer, Google's global privacy counsel, said the company will "take some time to consider what this means for Street View in Switzerland."

PRIVACY LAW—EU & U.S.

Reding: U.S. Moving Toward EU Regulatory Model (April 8, 2011)

The call for a do-not-track mechanism and a privacy bill of rights by U.S. officials "means very clearly that the U.S. is approaching the EU regulatory model." That was one of the messages shared by EU Commissioner Viviane Reding during a speech this week. V3.co.uk reports on Reding's comments that changes to the EU data protection rules, which are expected this summer, may come with additional costs for organizations, but those costs would be offset by less "red tape within the EU" and opportunities for more innovation. Reding said her goals include harmonizing data protection rules within the EU, simplifying the rules of applicable law, facilitating international data transfers and eliminating "those administrative obligations and requirements imposed on businesses that are unnecessary and ineffective." Meanwhile, European Commission Vice President for the Digital Agenda Neelie Kroes has also been clarifying data protection efforts in Europe, stating, "Europe has become more united, the internal market more coherent and data flows more global. Now, we need to catch up and make the rules future-proof for the decades to come."

ONLINE PRIVACY

OECD Analyses Trusted Online Digital ID System Progress (April 8, 2011)

All 18 of the Organisation for Economic Cooperation and Development member countries that responded to the group's survey on their efforts to create a digital identity management (IdM) structure intend to include their current privacy protection framework in the design, according to a 31 March OECD Working Party on Information Security and Privacy report. The 18 countries responding to the 2010 OECD survey include Australia, Austria, Canada, Chile, Denmark, Germany, Italy, Japan, South Korea, Luxembourg, the Netherlands, New Zealand, Portugal, Slovenia, Spain, Sweden, Turkey and the United States. IdM is concerned with establishing an online identity verification for individuals so that they will be recognised as trusted users, the report explained.

DATA LOSS

Breach Effects Grow, Officials Want Answers (April 8, 2011)

As Alliance Data Systems apologizes and works to rebuild its clients' trust, the fallout from last week's Epsilon data breach continues. U.S. legislators are requesting details about the breach and its subsequent risks to consumers, and Sen. Richard Blumenthal (D-CT) is calling for the U.S. attorney general to investigate. Meanwhile the list of affected companies continues to grow. Forrester Research Analyst Dave Frankland told eWEEK that the effects of this breach reach farther than the company's client base, saying the breach calls into question the security of data in a cloud-computing environment. Cloud computing has been "hampered somewhat with concerns about data security in a multi-tenant deployment, and the Epsilon breach brought those concerns back to the forefront," states the report.

ONLINE PRIVACY

“G-8 du Web” Planned (April 8, 2011)

Data privacy concerns continue to demand the attention of world leaders. More details have emerged about plans to include Internet privacy on the agenda of the Group of 8 summit in France this year. The New York Times reports that French President Nicolas Sarkozy has enlisted a longtime advertising industry executive to help "organize a gathering of policy makers and Internet company executives" for a "first-of-its-kind meeting, dubbed 'G-8 du Web,'" to coincide with the G-8 summit, which takes place in Deauville, France, in May. (Registration may be required to access this story.)

PRIVACY LAW

Condé Nast Targeted in Phishing Scam (April 8, 2011)

The ABA Journal reports that magazine publisher Condé Nast was recently duped in a spear-phishing scheme and is suing to recover the funds that the scammers attempted to steal. The publisher received a fraudulent e-mail that appeared to come from its regular printing house asking for payment to be sent to a new address. Relying on this e-mail, the company sent its $8 million payment to the new address. The publisher was alerted to the scam by its printing house and froze the funds, which were still in the recipients' account. This news comes amid high-level concerns that customers affected by the recent data breach at e-mail marketer Epsilon will fall victim to similar spear-phishing campaigns.

PERSONAL PRIVACY

Samsung: Keylogging Accusations False (April 8, 2011)

Samsung has refuted claims that some of its laptops came loaded with a keylogger. The statement follows an internal investigation launched by Samsung after a report claiming that the spyware was installed on two of its models. The report was based on a security consultant's findings after he had performed a series of virus scans, Digital Trends reports. The keylogging software is publicly available. It records computer users' keystrokes and can send information to a third party without the users' knowledge, the report states. An additional, independent investigation confirmed that the keylogging finding was false.

ONLINE PRIVACY

Reputation Managers Striving for Internet Amnesia (April 8, 2011)

A report in The New York Times on efforts to make the Internet forget likens the proliferation of personal information online to "a metastasized cancer" that has "embedded itself into the nether reaches of cyberspace, etched into archives, algorithms and a web of hyperlinks." More often, people from all walks of life are turning to online reputation managers that focus on improving their clients' Internet images through such techniques as removing negative posts and burying unfavorable search results. "The Internet has become the go-to resource to destroy someone's life online," the head of one reputation management company put it, adding the result is that life offline is turned upside-down as well. (Registration may be required to access this story.)

DATA PROTECTION—EU

Who Pays for Data Protection? (April 1, 2011)

In an address before European parliamentarians in Brussels yesterday, EU Justice Commissioner Viviane Reding addressed the topic of who pays for data protection. Reding said the costs "are carried by businesses, administrations and citizens--actually by society as a whole." She added that "companies have specific responsibility because data is often their main economic asset" but said that new data protection law "should not unduly punish the industry." Reding outlined five priorities aimed at helping businesses cope with the costs of new data protection standards. "Data protection is both a fundamental right and a guarantee for a well-functioning internal market," Reding said.

ONLINE PRIVACY—EU

Kroes: Regulations for the Cloud Would Benefit All (April 1, 2011)

European Commission (EC) Vice President for the Digital Agenda Neelie Kroes is calling for the EC and governments to work together to create laws for cloud computing, reports v3.co.uk. In a blog post, Kroes said the key principles guiding Europe's thinking on cloud computing are establishing a legal framework, standardising data and interface formats for cloud-based services and pushing the use of the cloud by business. "Getting the cloud right will mean the Internet can continue to be a generator of innovation, growth and freedom," said Kroes, adding, "We can't simply assume that voluntary approaches like codes of conduct will do the job. Sometimes you need the sort of real teeth only public authorities have."

TRAVELLERS’ PRIVACY—EU

EDPS: PNR Proposal Does Not Meet Necessity Principle (April 1, 2011)

Last Friday, the European Data Protection Supervisor (EDPS) adopted the opinion that the proposed Passenger Name Record (PNR) system does not "demonstrate the necessity and the proportionality of a system involving a large-scale collection of PNR data for the purpose of a systematic assessment of all passengers." IEWY News reports that while acknowledging the measures the new commission took to protect the collected data, as well as the data's value in targeted cases, EDPS Peter Hustinx said, "It is their use in a systematic and indiscriminate way, with regard to all passengers, which raises specific concerns." Hustinx also offered suggestions to improve on the proposal.

PRIVACY LAW—EU & U.S.

An Ocean Apart, Regulators Find Common Ground (April 1, 2011)

Reuters reports that when it comes to Internet privacy, regulators in Europe and the U.S. appear to be moving closer together in their views. Referencing recent meetings between officials in both Washington, DC, and Brussels, the report notes, "There are still many specifics to be worked out--final legislative proposals are not expected from the European Union until later this year and the United States in June or July--but officials are confident about steadily narrowing the gap." As EU Justice Commissioner Viviane Reding put it, "Until recently, there was a common belief that our approaches on privacy differed so much that it would be difficult to work together. This can no longer be argued."

PRIVACY LAW—EU & UK

Vaizey Questions “Right To Be Forgotten” Feasibility (April 1, 2011)

Though EU officials have indicated strong support for a "right to be forgotten" principle as data protection laws are reviewed, UK Communications Minister Ed Vaizey has questioned the practicality of such a provision, Financial Times reports. During a recent speech, Justice Commissioner Viviane Reding said that citizens should have the right--and not only the possibility--to be forgotten online, calling for changes to EU law requiring Web site owners to delete information about a person upon their request. But Vaizey said at a London event, "How do we force a Web site hosted in Calcutta to take down an image uploaded in Croydon? We should not give people false expectations." (Registration may be required to access this story.) 

DATA PROTECTION—UK

Graham: Gov’t Data Sharing Threatens Personal Privacy (April 1, 2011)

In the midst of concerns over census data--how it will be used and who will have access to it, among others--Information Commissioner Christopher Graham has said that the volume of personal information held and shared by public bodies is putting individual privacy at risk, reports computing.co.uk. At a seminar recently, Graham said, "The government's transparency agenda is driving the publication of large volumes of data. What is up for debate is how best we can assess the privacy risks. When can a statistic lead to someone being identified? And should we withhold publishing data where there is a small risk that privacy could be threatened?"

PRIVACY LAW—CZECH REPUBLIC & THE NETHERLANDS

Courts Review Data Retention Laws (April 1, 2011)

The Czech Republic's constitutional court has overturned parts of an antiterrorism law that require telephone operators to retain data on all calls, faxes, text messages and e-mail exchanges, reports Seattlepi. The court ruled that the practice is unconstitutional, calling it a "massive" intrusion into citizens' privacy and not in keeping with the law. Fifty-one members of parliament appealed to the court to overturn the law. Meanwhile, the Dutch Lower House of Parliament plans this month to revisit a corrective law that would lower data retention requirements in that country from 12 to six months, reports Telecompaper.

PRIVACY LAW—HUNGARY

Ombudsman Concerned Over Constitutional Plan (April 1, 2011)

POLITICS.HU reports on concerns by Hungary Data Protection Ombudsman Andras Jori over a constitutional draft that would remove the current data protection post and replace it with a new authority overseeing data and information protection. Jori wrote a letter to the drafting committee expressing fears that the new office would not fulfill such key roles as independent monitoring of classified data. If the draft is adopted, he noted, citizens would also not be able to turn to the Constitutional Court with individual appeals, the report states.

DATA PROTECTION—IRELAND

Opinion: Tough Laws Needed To Take Matters Seriously (April 1, 2011)

The data protection landscape is changing, and with those changes has come a greater responsibility for organisations to protect their data. John Ryan writes for Silicon Republic that perhaps what Ireland needs is an "overcorrection" in the form of tougher regulations so organisations will begin to take these responsibilities seriously. Most breaches are due to error, not malice, and this, he writes, "is often because the organisation has not implemented secure methods for the way they need to work." Organisations need to begin to look at data security as an "enabler for more effective ways of doing business and not as the roadblock for business technology changes," Ryan writes.

DATA LOSS—UK

Third-Party Provider Exposes Consumer Records Online (April 1, 2011)

The Co-operative Group, a retail, banking and services group, says that a third-party service provider is responsible for making 83,000 of its customers' records available online, reports Information Age. The exposed data included "non-sensitive" information on customers of its Life Planning and Will & Funeral Planning divisions. The Information Commissioner's Office was notified and has acknowledged that it will investigate. The company has apologised for the breach, saying, "We take our responsibilities to our customers extremely seriously and we have written to all the approximately 83,000 customers affected."