European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY—IRELAND

Breaches, CCTV Use Examined in Annual Report (May 31, 2011)

Data Protection Commissioner Billy Hawkes released his annual report this week, and among the findings was a "dramatic increase in the number and significance of organizations that have lost personal data," he said, up from 119 reports in 2009 to 410 in 2010. The report points to increased demands in a new code of practice as the reason, "rather than an increase in the absolute number of data breaches." The report also looks at specific issues related to the use of biometrics and closed-circuit television (CCTV), highlighting one case where a school was required to remove CCTV cameras from its restrooms. The annual report also includes details on recent investigations.

ONLINE PRIVACY

Opinion: Big Data Needs Ethics (May 27, 2011)

In an article for the MIT Technology Review, Jeffrey F. Rayport delves into "Big Data" and the myriad companies emerging that mine and aggregate "massive amounts of unstructured data"--800 billion gigabytes of which is currently available, estimates market intelligence firm IDC--for financial gain. "As the store of data grows, the analytics available to draw inferences from it will only become more sophisticated," Rayport opines, adding, "The potential dark side of Big Data suggests the need for a code of ethical principles." Rayport proposes a structure of ethics, including his own digital "Golden Rule: Do unto the data of others as you would have them do unto yours."

TRAVELLERS’ PRIVACY—EU & U.S.

Leaked Agreement Reveals 15-Year Storage Plans (May 27, 2011)

The Guardian reports that a deal between the U.S. and EU will see the personal data of air passengers retained by the U.S. government for a period of 15 years. According to a "restricted" draft of the agreement obtained by The Guardian, passengers' names, addresses and credit card details--among other data--will be stored in an active U.S. Department of Homeland Security (DHS) database for five years; then it will be transferred to a dormant DHS database to be stored for another 10 years. The agreement proposes to "mask" or "depersonalise" individuals' identities after six months in the active database, the report states.

PRIVACY LAW—UK & EU

Ministers Raise Concerns About Data Protection (May 27, 2011)

UK Justice Secretary Ken Clarke and former Culture Secretary Lord Smith are raising separate concerns about privacy laws. The Independent reports Clarke fears that the EU could "sacrifice individual freedoms in the battle to boost security" when it comes to plans for a new EU-U.S. deal on passenger name record information and protecting data in such information repositories as DNA databases. "The challenge," he says, is having a system of rules "subtle and grounded enough to protect those three crucial rights: privacy, safety and freedom." Smith, meanwhile, is quoted as saying privacy law has gone "seriously wrong" in terms of freedom of expression.

PRIVACY LAW—HUNGARY

Ombudsman Probes Voter Questionnaires (May 27, 2011)

Hungary's data protection ombudsman is investigating bar codes on questionnaires sent to voters, which the Hungarian Socialist Party says could be used to expose subjects' identities and answers to questions, The Budapest Times reports. The government has sent the questionnaires to some eight million citizens as part of a national consultation. Politician Tibor Szanyi said those who do not return the completed form to the government could be assumed to be opting out of the system of national cooperation, the report states, recommending that respondents instead should check "I cannot answer this question" boxes to complete the form.

PRIVACY LAW—SWEDEN

DPA Turns Down Exemption Request (May 27, 2011)

Sweden's data protection authority has turned down a company's request for an exemption from certain prohibitions in the Personal Data Act. The company, technical security provider Niscayah, filed a joint application with petroleum industry representatives to be able to process certain data related to fuel-station customers in an effort to cut down on the numbers of nonpaying customers. But in a decision published 11 May, Director General Göran Gräslund refused to grant the exemption. (Article in Swedish.)

DATA LOSS—UK

Group Says Bank Data Breaches On the Rise (May 27, 2011)

Bloomberg reports that eight banking lenders are suspected of breaking rules on protecting customer data for a total of more than 500 times in one year, according to UK consumer rights group Which?. The Information Commissioner's Office (ICO) has received complaints that banks failed to give customers copies of data held on them, the report states, and gave data to third parties. Complaints against financial institutions have risen 10 percent from 2009, the group says. It claims the problem could be much more widespread, but few consumers know how to report breaches. A spokesman for the ICO told the IAPP Europe Data Protection Digest that it has identified financial services as one of its priority areas and that it is working closely with that sector to help it make improvements, adding, "Where we encounter systemic problems, we are committed to taking appropriate regulatory action, including imposing financial penalties in the most serious cases."

DATA LOSS—IRELAND

62,000 Records Lost on Unencrypted Tape (May 27, 2011)

Life insurance and pension company Phoenix Ireland has announced that it lost an unencrypted data tape holding personal information on 62,000 people in July of last year, reports RTÉ News. The company reported the loss to the Data Protection Commission and the Central Bank, but at the time, the bank thought the data was unable to be accessed by a third party. Upon investigation, a forensics expert revealed that--with the right equipment and knowledge--the data could be accessed. The company has sent letters to those affected and has had no reports of fraudulent activity. 

DATA THEFT—UK

CPL Signs Undertaking (May 27, 2011)

A funeral financier has signed an undertaking with the Information Commissioner's Office, pledging to introduce data loss prevention software across its servers, Information Age reports. The ICO investigated the loss of details on 83,000 customers of Co-operative Life Planning (CPL), finding that a third-party service provider for the company improperly handled CPL data, making it vulnerable to theft. "The ICO's investigation found that the software support services provider had no authorisation to copy the data from the organisation's servers and failed to delete the information once the file had been repaired," said an ICO statement.

DATA LOSS—UK

Airport Leaves Sensitive Employee Data Exposed (May 27, 2011)

The management company running Dundee Airport says it's close to completing its investigation of how documents containing names, addresses and national insurance numbers of security staff were left in an unsecured area of the airport. While exposing this data presents the risk of identity theft for the employees, the information is that which is used to earn security clearance for staff to work airside at any British airport, reports The Courier. Staff members notified the airport management company of the breach, and three employees have since been suspended as a precaution. Airport staff has contacted the Department of Transport over concerns that the company's internal investigation is unsatisfactory.

ONLINE PRIVACY

Researcher “Scrapes” Online Profiles of 35M (May 27, 2011)

A University of Amsterdam student has compiled names, addresses and biographical information from 35 million online profiles into a database in one month's time using one IP connection, reports The Register. Matthijs R. Koot collected the information as part of an online privacy research project to see "how easy it would be for private detectives, spear phishers and others" to mine the data stored in Google Profiles. Not hard, Koot said. A Google spokesman said he's looking into whether this "scraping" is a violation of the company's terms of service, adding, "The sitemap does not reveal any information that is not already designated to be public." The spokesman also noted that users can choose to make certain pieces of information private.

PRIVACY LAW—EU

Cookie Directive In Effect, EC Threatens Action (May 26, 2011)

The European Commission (EC) is threatening action against member states that have failed to implement the EU's new cookie law, The Register reports. The deadline to comply with the amended EU Privacy and Communications Directive passed at midnight. Though UK Information Commissioner Christopher Graham said he will not take action against noncompliant companies for one year, European Digital Agenda Commissioner Neelie Kroes has warned that she will take "measures necessary" against noncompliant states. A spokesman for the EC said it "may open infringement proceedings against the member states in question as a matter of urgency."

CONSUMER PRIVACY—UK

Innovative Data Uses for TV Content (May 26, 2011)

A television executive has asked Ofcom to review airtime trading and "investigate the control of audience data," reports The Guardian. In a Royal Television Society speech, David Abraham said that by 2020 about two-thirds of "TV audiovisual content" will be tracked, including TV, PC and mobile platforms. "I don't think the penny has dropped about who is controlling the data," Abraham said, adding, "Future ad sales models are unclear, but two things are certain--change is likely and data is becoming more important." Abraham also said if viewers allow Channel 4 to access and share "some of their anonymized data...we can invest the proceeds in original, risk-taking and imaginative content."

ONLINE PRIVACY

G-8 Leaders Talk Privacy, Internet Regulation (May 25, 2011)

In a communiqué to be issued later this week, G-8 leaders are expected to call for stronger regulation of the Internet, including strengthened privacy protections, The New York Times reports. The document is expected to call for "an international approach to protecting users' personal data," and to "encourage the development of common approaches...based on fundamental rights that protect personal data, whilst allowing the legitimate transfer of data," according to a Daily Mail report. At yesterday's opening of the e-G8 Forum in Paris--a prelude event to the Group of Eight meeting taking place later this week in Deauville, France--global Internet leaders and heads of state discussed and debated some of the issues that have provoked the attention of the G-8. (Registration may be required to access this story.)

DATA LOSS

Data Breaches Continue (May 24, 2011)

Sony has announced that it has found a data breach in one of its Sony Music Entertainment Greece units. Usernames, passwords, e-mails and phone numbers for approximately 8,500 customers were compromised, but credit card information was not, The Wall Street Journal reports. Sony has also detected unauthorized user access to two additional websites in Thailand and Indonesia. The company immediately shut down the websites upon learning of the breaches. A spokesman for Sony said the company is not sure if these incidents were related to the PlayStation Network breaches last month, but added, "For now, we are still investigating each incident." (Registration may be required to access this story.)

ONLINE PRIVACY

Schmidt: No Facial Recognition for Google (May 20, 2011)

Google CEO Eric Schmidt, talking this week at the company's "Big Tent" conference in the UK, said that Google is "unlikely" to create a facial recognition database, saying the accuracy of the technology is "very concerning" and that popularizing the technology may cause governments to pass broad-reaching laws with unintended consequences, reports PC Advisor. Schmidt also announced Google's new Dashboard, a service that allows users to see the information Google has collected about them and opt to delete certain data. "It is worth stressing that we can only do this with data you have shared with Google. We can't be a vacuum cleaner for the whole Internet," said Schmidt.

ONLINE PRIVACY

Expert Explores Internet Data Dilemma (May 20, 2011)

When it comes to controlling personal information online, the best option Internet users have lies in that old adage, "if you can't beat them, join them." That's according to MIT Prof. Sandy Pentland, whose work has focused on finding a data collection approach that works for organizations, advocates and regulators, The Wall Street Journal reports. Pentland suggests an approach where consumers manage their data and receive compensation for making it available. "Your data becomes a new asset class," he said, adding, "you have more control over the information, and it becomes your most lucrative asset." (Registration may be required to access this story.)

PRIVACY LAW—EU

Working Party, EDPS: Location Data Is Personal Data (May 20, 2011)

The European Data Protection Supervisor (EDPS) has said that geolocation constitutes personal data, PC World reports. "Location data is certainly, in many instances, private data, and there then follows the obligations to inform users, and the opportunity to opt in or opt out," said EDPS Peter Hustinx. The opinion, as approved by the Article 29 Working Party, would also require employers to make a case that it's "demonstrably necessary" to track employees. The European Commission is currently reviewing the European Data Protection Directive and could include geolocation in the law's revision if the working group's recommendations are accepted, the report states.

PRIVACY LAW—GERMANY

Final Framework for Cloud Privacy Released (May 20, 2011)

The German Federal Office for Information Security has released its final framework paper on data security in cloud computing, which outlines industry best practices and "serves as a basis for the discussion between cloud computing service providers and cloud users," reports the Hunton & Williams Privacy and Information Security Law Blog. The paper incorporates comments and suggestions from stakeholders offered in response to the draft proposal released in September of last year. "Based on the paper, concrete recommendations for companies or public authorities may be developed, including at the international level," the report states.

GENETIC PRIVACY—UK

Supreme Court Declares DNA Policies Unconstitutional (May 20, 2011)

The UK's Supreme Court has ruled that indefinite retention of an individual's DNA violates a person's right to privacy, OUT-LAW News reports. The Association of Chief Police Officers (ACPO) maintain guidelines asserting that a suspect's DNA should only be discarded "in exceptional cases." The court ruling said, "The majority grant a declaration that the present ACPO guidelines are unlawful because they are incompatible with... the European Convention on Human Rights." The ruling notes that it will not force a change in UK law because of upcoming legislation covering biometric data retention, but adds, "It is...open to ACPO to reconsider and amend the guidelines in the interim."

TRAVELLERS’ PRIVACY—EU & U.S.

U.S. Senate Criticises EU Over PNR Data (May 20, 2011)

AFP reports on the U.S. Senate's passage of a symbolic resolution alleging the EU has shown "a reluctance to exchange airline passenger data to deter extremist attacks." The nonbinding resolution, which received unanimous approval on Wednesday, recommends that the U.S. Department of Homeland Security "reject any efforts by the European Union to modify existing PNR data sharing mechanisms" in the wake of calls last year by the European Parliament for "less intrusive alternatives" to the use of PNR data and provisions that such information "in no circumstances be used for data mining or profiling," the report states.

DATA LOSS—UK

Councils Leak Personal Information (May 20, 2011)

The Information Commissioner's Office (ICO) has reprimanded a local council for a data breach, V3.co.uk reports. The Somerset County Council sent personal details about a local teenager via a social services assessment to the wrong family. Additionally, after realizing the mistake, the council told the unintended recipients to throw away the information. Sally-Anne Poole of the ICO said that "even though the information was returned to the council, the damage had already been done and will have caused considerable embarrassment to those affected." Meanwhile, Wychavon District Council may have breached data protection law for posting personal details on its website, and Milton Keynes Council has reported a similar breach.

PRIVACY LAW—EU & U.S.

Groups Concerned About Data Sharing (May 19, 2011)

Privacy groups are concerned about data sharing talks between the U.S. Department of Homeland Security (DHS) and the European Commission, The Hill reports. In a letter to President Barack Obama and the Senate Foreign Relations Committee, the 11 groups said, "We fear that the United States may be pushing the Europeans to weaken their comparatively strong protections of privacy and other fundamental rights, rather than agreeing to strengthen U.S. protections and respect such principles." The groups, which are also calling for a hearing on the topic, include the American Civil Liberties Union and the Consumer Federation of America. This week, a DHS spokesman said the belief that the "U.S. doesn't care about privacy" is a misconception.

ONLINE PRIVACY—EU

Search Engine Pledging To Change Its Ways (May 19, 2011)

Google Chairman Eric Schmidt is leading a new initiative to change the company's image in Europe. With 88 percent of the market share, Google has loyal customers in Europe, reports Bloomberg, but government agencies continue to challenge the company's advertising practices and online mapping service, Street View. The company says it will improve privacy practices and consult public policy specialists and advocacy groups prior to launching new products, among other efforts. "You should be able to delete information about you that we can control. You should own your data, and we should be transparent," Schmidt said. Alice Enders, a London economist, says Google is trying to "avoid a situation where...governments fill the hole with new laws to respond. It's no longer sufficient to view the world from the West Coast of the U.S."

DATA LOSS

Security Flaw Forces Site Shutdown (May 19, 2011)

Sony has shut down a website that was designed to help those affected by last month's data breaches, Reuters reports. The announcement came after Sony found a "security hole"--potentially allowing hackers to access users' accounts by using personal information stolen during the original breaches. The news comes after U.S. lawmakers wrote a letter to the company questioning the breach incidents and response. One expert said, "The Sony network in general still isn't secure and still has security issues that could be exploited by hackers." A Sony spokesman said the issue has been fixed, and the site will be back up soon.

PRIVACY LAW—FRANCE

CNIL To Increase Compliance Checks (May 18, 2011)

The French data protection authority (CNIL) is warning companies and individuals that they should "exercise caution" when transferring data in and out of European countries as it plans to increase its compliance inspections, COMPLIANCE WEEK reports. The CNIL said in an April statement that it plans to increase inspections by one third compared to last year, aiming to complete at least 400 this year. The checks, which will especially look at companies enrolled in the U.S.-EU Safe Harbor Program, will focus on telemedicine, storage of health data and consulting firms' use of data from the Program of Medicalization of Information Systems, the report states. The CNIL has the ability to impose sanctions for violations of French data privacy law.

PRIVACY LAW—EU

Commission Addresses Cloud Computing (May 18, 2011)

The European Commission (EC) has released a proposal that considers standardizing terms and conditions for using cloud computing services, how to address cloud security and who is responsible for data protection in the cloud. OUT-LAW News reports that the commission is looking to businesses and public organizations for feedback on its consultation on "data protection and liability questions, in particular in cross-border situations." The consultation looks at the existing legal framework for data protection in the cloud and asks respondents for specific updates that could be applied to the EU Data Protection Directive. Neelie Kroes, EC vice president for the digital agenda, said businesses can benefit from lower costs, improved services and new opportunities that come with cloud computing, adding, "We need a well-defined cloud computing strategy to ensure that we make the best use of this potential."

TRAVELLERS’ PRIVACY—UK & EU

UK Supports EU PNR Collection Plan (May 13, 2011)

OUT-LAW.COM reports on the UK's decision to opt in to the EU's draft proposal for collecting passenger name record (PNR) data on EU flights. The original plans only applied to PNR data from flights between EU countries and destinations outside the EU, the report states, but the proposed directive would extend the collection of PNR across Europe itself. UK Minister for Immigration Damian Green noted that 15 EU member states support the plan for "intra-EU data collection." However, the Article 29 Working Party has criticised the plan, and privacy groups have raised concerns that the proposed measures "are unnecessary and disproportionate to the threat of serious crime," the report states.

PERSONAL PRIVACY—GERMANY & UK

Census Incites Privacy Complaints (May 13, 2011)

Germany has begun its first national census in 25 years, which will tally about a third of the country's population. But critics say the information the government will collect about the estimated 26 million individuals exceeds the amount necessary, Spiegel reports. The survey will bring Germany in line with EU census regulations, but some are concerned, also, that the information collected will not remain anonymous. Meanwhile, in the UK, Deutsche Post reports that few complaints have been lodged regarding the UK census, though some dissenters have boycotted based on privacy concerns.

SURVEILLANCE—U.K.

Police Force To Use Digital Mapping Software (May 13, 2011)

The Guardian reports that the Metropolitan Police have purchased software that can map "nearly every move suspects and their associates make in the digital world." Geotime software can collect and collate information gleaned from social networking sites, GPS equipment, mobile phones, financial transactions and IP network logs. A spokesman from the police said, "We are in the process of evaluating the Geotime software...a decision has yet to be made as to whether we will adopt the technology." Some individuals are concerned the software could be a violation of data protection legislation. One attorney said, "This latest tool could also be used in a wholly invasive way."

DATA PROTECTION—IRELAND

Survey: Many Companies Have Unreliable Data Protection (May 13, 2011)

Results from an IT Force and Irish Computer Society poll show that a "high number" of companies use unreliable or outdated methods to back up sensitive data, reports the Irish Times. Querying 500 organisations, the poll notes that "despite the continued reliance on traditional methods...38 percent admitted to a significant data loss incident," and a "staggering" 27 percent of respondents did not know if their data was encrypted. The article adds that, earlier this year, Data Protection Commissioner Billy Hawkes said there has been a "very significant" increase in reported data breach incidents.

ONLINE PRIVACY—EU & U.S.

Opinion: Divergent Views on PI Protection (May 13, 2011)

In response to a report in The New York Times, privacy experts have shared their opinions on the protection of personal information on both sides of the Atlantic. Marc Rotenberg of the Electronic Privacy Information Center suggests, "It is hardly surprising that Europe is taking the lead; the United States has been slow to update its privacy laws," recommending that U.S. policymakers endeavor "to understand the problems and begin to develop solutions." Meanwhile, Christopher Wolf of Hogan Lovells says of the U.S., "Our approach to how best to achieve privacy for personal data may differ from that of our European colleagues, but our commitment is equal." (Registration may be required to access this story.)

ONLINE PRIVACY

Research Raises New Smartphone Concerns (May 12, 2011)

The Wall Street Journal reports on research suggesting that unique smartphone identifiers can be linked with other information to allow third parties access to personal information without users' consent. "The identifiers--long strings of numbers and letters associated with the phone--don't themselves hold any information about users," the report states, but New Zealand-based researcher Aldo Cortesi has found that U.S. gaming company OpenFeint "connected the IDs to users' locations and Facebook profiles and then made the combined data available to outsiders." Although the company has since fixed those issues, Cortesi has noted it is likely that other databases also link the unique IDs with other user information. (Registration may be required to access this story.)

DATA PROTECTION—NETHERLANDS

Authority Calls for “Sharper Teeth” (May 12, 2011)

The Dutch data protection authority (CBP) has said that the Netherlands "needs a privacy watchdog with sharper teeth," Dutch News.nl reports. The authority must be able to ensure that government, companies and individuals take appropriate care of people's personal data, said Jacob Kohnstamm, head of the CBP, noting that technological advances have made it possible to track individuals' behavioral patterns. In his annual report, Kohnstamm noted the almost limitless options to store and process information, making it increasingly difficult to keep watch over such processes and to be sure data is appropriately handled and protected.

PRIVACY LAW—UK

ICO Launches Code for Sharing Personal Data (May 12, 2011)

The Information Commissioner's Office has launched a code of practice aimed at guiding private- and public-sector companies on data protection when it comes to legally sharing personal information, reports V3.co.uk. The code of practice, which incorporates input solicited during the consultation period, can be applied in all sectors, said Information Commissioner Christopher Graham. "...We can be confident that it not only makes sense on paper but will work in the real world," he said. "I would encourage all businesses and public bodies that share personal data to get to grips with the code without delay so they can be sure they are getting it right."

DATA LOSS—UK

ICO Issues Fine for Breach (May 11, 2011)

The Information Commissioner's Office (ICO) has fined ACS:Law £1,000 in the wake of a breach that resulted in the loss of personal information belonging to at least 6,000 individuals, ZDNet UK reports. "The security measures ACS:Law had in place were barely fit for purpose in a person's home environment, let alone a business handling such sensitive details," Information Commissioner Christopher Graham said when the fine was announced, noting it lacked such provisions as firewalls and access control. One privacy advocate has called the level of the fine "ridiculous" given the sensitivity of the information involved. "The ICO would have fined ACS:Law £200,000 had the company still been trading," the report states.

PRIVACY LAW—SWITZERLAND & U.S.

Swiss Court Decision To Be Appealed (May 11, 2011)

Google will appeal a Swiss court's ruling that the company must blur faces and license plates on its Street View mapping feature, The Wall Street Journal reports. Peter Fleischer, Google's global privacy counsel, said that 99 percent of people are not identifiable on the feature but that the "decision of the Federal Administrative Tribunal requires us to guarantee that 100 percent of faces and license plates are not identifiable. We simply cannot comply with that." Meanwhile, at a hearing before the U.S. Senate Judiciary Committee's privacy subcommittee, Sen. Richard Blumenthal (D-CT) questioned Google about a patent application related to determining a user's location based on nearby Wi-Fi signals. (Registration may be required to access this story.)

PRIVACY LAW—EU & UK

ICO: Informed Cookie Consent Needed To Comply with New EU Law (May 9, 2011)

The UK Information Commissioner's Office (ICO) has published advice on how organizations can comply with a new EU law on the use of cookies, which goes into effect on May 26. "Not surprisingly, the ICO has adopted a pragmatic approach to the controversial cookie consent requirement. However, it is also clear that inaction is not an option," Eduardo Ustaran of Field Fisher Waterhouse LLP told the Daily Dashboard following the release of the ICO's advice on Monday. The changes will require UK websites "to get informed consent from visitors...to store and retrieve information on users' computers." The advice suggests that "most browser settings are not sophisticated enough" to imply consent, so organizations should obtain consent in other ways.

DATA LOSS

Regulators, Lawmakers Take Action Following Breach (May 6, 2011)

Reaction to last month's data breaches involving Sony's PlayStation Network and its Online Entertainment service continues. In the UK, the Information Commissioner's Office has announced it will conduct a formal investigation, and German privacy officials will also question the company, eWeek reports. Lawmakers in the U.S. are planning to push for national data breach legislation. Australian Privacy Commissioner Timothy Pilgrim will question whether Sony's Australian outfit was in violation of the country's Privacy Act, and a Canadian law firm has filed a $1 billion class-action lawsuit against Sony. The company said it has hired outside investigators and cybersecurity detectives "to help with the clean-up." Larry Ponemon, CIPP, chairman of the Ponemon Institute, said, "This may be the mother of all data breaches at this point." (Registration may be required to access this story.)

DATA LOSS—IRELAND

College Files “Inadvertently” Made Available (May 6, 2011)

Trinity College Dublin (TCD) officials said a file containing the names, addresses, ID numbers and e-mail addresses of students and staff was "inadvertently" made accessible on a local library network. On 30 March, TCD found out the file existed but said the personal information--which they did not believe was breached--could not be accessed through the Internet, according to the Irish Times. The college reported the incident to the data protection commissioner on 29 April and noted that it takes data protection "very seriously, and we will continue to work diligently to protect...personal information."

DATA LOSS—UK

Health Trust Study Shows Staff Is Biggest Threat (May 6, 2011)

The Guardian reports that, according to a Guardian Healthcare study, the greatest risk to patient confidentiality lies with the employees of healthcare providers. Guardian Healthcare asked all 71 health service trusts for a list of data breaches experienced in the past three years, to which 30 responded with varying levels of detail. The results suggest "a large number could have been prevented if better data security awareness was in place at these organisations," the report states. The study also showed that, of the respondents, NHS Barnet has experienced the most data breaches, claiming a fifth--187--of the 909 NHS breaches.

PRIVACY LAW—INDIA

New Privacy Regulations Stricter Than EU, U.S. Provisions (May 5, 2011)
In a client alert released Wednesday, Morrison & Foerster reports on a "dramatic transformation" in the privacy landscape for India with the issuing of final regulations for the protection of personal information. The Information Technology Rules 2011 "apply to all organizations that collect and use personal data and information in India," the report notes, and represent the implementation of parts of the Information Technology Act. The rules include a provision for prior written consent for the collection and use of sensitive personal information in what the report's authors, Miriam Wugmeister and Cynthia Rich, describe as much stricter provisions than current laws in the EU and U.S. As a result, "U.S. and European multinational businesses...may have to adjust their personal data collection practices to conform to Indian data protection rules," the report states.

DATA PROTECTION—EU

Reding Speaks Out on Recent Incidents (May 4, 2011)
The New York Times reports that recent worldwide data privacy incidents have spurred increased interest in data protection regulation. In a speech on Tuesday, EU Justice Commissioner Viviane Reding said she will propose expanding breach notification requirements to businesses outside the telecommunications sector. Citing recent breach events, Reding said in a statement that "European citizens care deeply about protecting their privacy and data protection rights...Any company operating in the EU market or any online product that is targeted at EU consumers should comply with EU rules." A Georgetown University professor said, "Authorities in Europe have decided that consumers better not be duped." (Registration may be required to access this story.)

ONLINE PRIVACY

Study: Define “Do Not Track” (May 4, 2011)

Initial results of a study of 200 Web users reveal that consumers might define the term "do not track" differently than Web companies, MediaPost reports. Preceding last week's World Wide Web Consortium workshop, researcher Aleecia McDonald asked Internet users what kind of data would be collected after activating a do-not-track option. Nearly 40 percent of respondents felt that "nothing at all" would be collected. Fifty-one percent of those polled indicated that they would not be surprised if nothing changed after they activated a do-not-track option. Eighty-one percent said it was the first time they had heard the phrase do not track.

GEO PRIVACY—THE NETHERLANDS

TomTom Data Used by Police for Speed Traps (May 3, 2011)

Personal navigation device and service provider TomTom is amending its contracts to ban police from using its data after finding out that Dutch police were using it to place speed traps, reports The Wall Street Journal. TomTom collects anonymous data from owners of its devices to provide real-time data to subscribers and also sells the data to governments throughout Europe, Canada and the U.S. Chief Executive Harold Goddijn says that while the company adheres to "strict privacy laws," the realization that the police were using the data in this way was "a sobering experience." While there is no indication that this has occurred anywhere other than the Netherlands, Goddijn said the company can't rule it out. (Registration may be required to access this story.)