European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

FINANCIAL PRIVACY

Study: Hackers Outpacing Bank Security (June 30, 2011)

Evidence in a recent study suggests that large credit card-issuing banks are not keeping up with the technological sophistication of hackers, TIME reports. One research firm analyzed and graded the online security practices of the financial sector's 23 largest card-issuing institutions. Based on a 100-point scale, the average score was a 59. "The good news is issuers are doing a better job overall of resolution, but that's the easiest thing to do," says the study's lead author. "Prevention is the hardest to do, but it's got the biggest payback." The study also noted that banks have a strong record of eliminating fraudulent charges from individuals' bank accounts.
Full Story

DATA RETENTION—EU

Opinion: Directive Should Be Repealed (June 30, 2011)

The European directive on data retention remains as contentious today as it was when it passed parliament five years ago, writes German MEP Alexander Alvaro in EurActiv. Privacy concerns and "flawed and inconsistent data retention practices" demonstrate the law's ineffectiveness, Alvaro says, adding that eight of the 19 member states that have implemented the directive have imposed stricter laws than the directive intended, retaining data for all criminal offenses and not just for the prevention of serious crimes. "The commission should listen to its own data and repeal the directive," Alvaro writes.
Full Story

ICDP Opposes Capture of Smart Meter Data (June 30, 2011)

In connection with the decision on phasing out nuclear energy that is to be taken tomorrow, the Lower House of the German Parliament also plans to approve data protection provisions that would permit extensive collection, via so-called “smart meters”, of information on consumers' energy use and feed-in. During the initial consultations, the Independent Center for Data Protection in Schleswig-Holstein (ULD), together with the other German data protection authorities, criticised these planned provisions.

The Upper House of the German Parliament took up this criticism and asked that the data protection provisions be examined during the ongoing legislative process to determine whether they are sufficient to protect the privacy of the persons concerned against analysis of their usage patterns. As additional measures, the Upper House recommended statutory requirements that “the use of remote measuring services must be known to customers” and “a review of the ban against linking cheaper rates with the disclosure of energy usage patterns.” (BT-Drs. 17/6248, Statement of the Bundesrat No. 10) The counter-statement issued by the German government ignored these recommendations. (BT-Drs. 17/6248, Counter-Statement of the German government)

Thilo Weichert, the director of the Independent Center for Data Protection in Schleswig Holstein comments that “those who seek to regulate energy saving and energy feed-in measures in an unprofessional manner should not be surprised that the goals aimed for and the acceptance of affected parties cannot be achieved. However appropriate the rapidity of decision-making to phase out nuclear energy, it is counterproductive to not pay attention to legitimate criticism. In the event that the Upper House does not change course tomorrow, there is no escaping amendment. The planned standards create the basis for a see-through consumer. Energy savings and decentralized energy production can proceed without developing detailed consumer profiles. The current dangerous, and in part senseless regulations must be modified.” 

Independent Center for Data Protection statement (in German)

ONLINE PRIVACY—EU & U.S.

Analysis: Balancing Innovation with Privacy (June 29, 2011)

The Wall Street Journal reports on the increasing challenges businesses face balancing technological innovation with individuals' right to privacy. European Commissioner Neelie Kroes says, "Updating and improving our legal and administrative tools for privacy protection to make them more effective in a globalized world empowered by new information and communication technologies is one of the key challenges addressed as part of the current review of the EU's data protection rules." According to the article, potential U.S.-EU cooperation could generate a global privacy agreement, but as more services move to the cloud, such an agreement could become complex. One expert says, "Cloud computing and increased use of the Internet will increase the focus on privacy and data protection." (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Privacy Emphasized in New Google Network (June 29, 2011)

Google has introduced a new social networking service that will allow users to communicate status updates, photos and links, The New York Times reports. The Google+ project will initially be available to a "select group" of Google users, according to the article, who will then be able to extend the network by inviting friends and groups into the network. Though many of the features will be similar to Facebook, Google's site is engineered to allow small groups to share information without sharing updates with all of an individual's friends. "In real life, we have walls and windows, and I can speak to you knowing who's in the room," says a Google representative, "but in the online world, you get to a 'Share' box and you share with the whole world...We have a different model." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—THE NETHERLANDS

Law Requires Unambiguous Cookie Consent (June 28, 2011)

A new Internet privacy law adopted by the Dutch Parliament requires prior consent from Internet users before website operators may store cookies on users' computers. In this Daily Dashboard exclusive, Nicole Wolters Ruckert and David Korteweg of Kennedy Van Der Laan explore the implications of the new "cookie law" incorporated in the Dutch Telecommunications Act. Under the new law, Web browsers' acceptance of all cookies under standard settings is not considered a form of consent, they note. The new law "goes further than what the ePrivacy Directive required member states to do," the authors write, adding that the law is already stirring up "quite a lot of controversy in the Netherlands and abroad."
Full Story

DATA PROTECTION—SWITZERLAND

Commissioner Calls for Privacy by Default (June 28, 2011)

There is a need for greater transparency in the processing of personal data, according to Swiss Data Protection Commissioner Hanspeter Thür. In his annual report, released yesterday, Thür said changes are needed due to the "rapid pace of development in the area of communication technologies," and that "data protection principles must be included in all projects and taken into account from the very outset." The report notes that Thür handled many cases related to new technologies in the last year. An issue of particular concern is "evercookies," Swissinfo.ch reports.
Full Story

PRIVACY

Expert: Need for Privacy Trumps Cultural Differences (June 28, 2011)

In a blog post for the Center for Democracy & Technology's "CDT Fellows Focus" series, Omer Tene, associate professor at the College of Management School of Law, analyzes the cultural perceptions of privacy in the U.S. and Europe. "While the psychological need for and social value of privacy are universal," Tene says, "legal and societal privacy norms diverge to the extent that we must ask whether we are speaking about the same thing." In highlighting "the varying cultural perceptions of privacy," Tene asserts that "it is not simple, then, to determine whether there is 'more' privacy east or west of the Atlantic."
Full Story

PRIVACY LAW—EU

Kroes: One Year To Agree to Online Privacy Standards (June 27, 2011)

European Union member states should agree to online privacy standards by June 2012, says European Commission Vice President Neelie Kroes. In a Brussels speech to the Online Tracking Protection & Browsers Workshop last week, Kroes advocated for icons allowing users to opt out of cookies but added that more was needed, computing.co.uk reports. "The standard must be rich enough for users to know exactly what compliant companies do with their information and for me to be able to say to the industry, if you implement this, then I can assume you comply with your legal obligations under the ePrivacy Directive."

DATA LOSS

More Companies Train and Prepare for Breaches (June 27, 2011)

Business Insurance reports on the growing concern businesses have in the face of increased hacker attacks and cybersecurity risks. The report notes that breach preparation will place a business in a better position to appropriately respond to an event and, subsequently, improve its ability to receive cyber risk coverage from insurers. Vinny Sakore, CIPP/IT, of Immersion Ltd. says, "With data breaches, experience is critical," adding that it's important for consultants to improve client awareness of data breach issues. Rick Prendergast at Kroll Fraud Solutions says that breach costs have risen 22 percent since 2009, prompting more companies to take breaches more seriously and "to certify that breach training has taken place across the enterprise."
Full Story

PERSONAL PRIVACY

Companies Help Individuals Control Personal Data (June 27, 2011)

In light of the vast amount of information that is collected online, companies are emerging with an alternative business model that allows consumers to control their personal data, The Mercury News reports. Instead of cookies that track consumers online, some companies are attempting to create a new model where individuals could access and track their personal information and refute false personal information that might exist on the Web. Additionally, Google has launched "Me on the Web" to help individuals monitor their personal data. One startup's CEO says, "We felt like there was a huge opportunity to turn the consumer model upside-down--to help people manage, create and grant access to the best data about themselves."
Full Story

DATA LOSS

External NATO Website Breached (June 24, 2011)

The North Atlantic Treaty Organization (NATO) has released a statement announcing that a NATO-related website, operated by a third party, has been compromised, TIME reports. In addition to blocking access to the site and notifying affected customers, the statement noted that "NATO's e-Bookshop is a separate service for the public for the release of NATO information and does not contain any classified data." NATO also announced, according to the report, that it has created a "cyber defense action plan" to deal with growing cybersecurity threats.
Full Story

ONLINE PRIVACY

Opinion: Biggest Problem is Policies (June 24, 2011)

In an op-ed for ITWorld, Dan Tynan writes that while online privacy is based on a clear concept--people should have control over their personal information--the average privacy policy is not. "If you want people to understand privacy--and maybe not be either so blasé or so paranoid about how their data is being used--we need privacy policies that human beings can understand," he writes. Using real-life examples of how confusing policies can be, Tynan outlines his suggestion for a pop-up box with four bullet points outlining simple facts about websites' collection and use practices and ways to opt out.
Full Story

FINANCIAL PRIVACY—EU & UK

EU Commissioner, ICO Call for Bank Disclosures (June 24, 2011)

EU Justice Commissioner Viviane Reding says that banks will be among the companies required to disclose serious breaches of customer data, Bloomberg reports. "I understand that some in the banking sector are concerned that a mandatory notification requirement would be an additional administrative burden," Reding said during a speech in London, adding that such a requirement "is entirely proportionate and would enhance consumers' confidence in data security and oversight." Meanwhile, the UK Information Commissioner's Office (ICO) has issued a release stating that financial service providers must "do more to fulfill their legal obligations to give customers access to the information they hold about them." The ICO has also named the financial sector as a "priority area" in its Information Rights Strategy.
Full Story

DATA PROTECTION—HUNGARY

Leaders Discuss Accountability, Harmonisation (June 24, 2011)

European leaders, lawmakers and groups convened in Budapest for a two-day International Data Protection Conference hosted by the Hungarian Presidency of the Council of the European Union. Day one featured discussions on the directive review, cloud computing and harmonisation of laws, among other topics. During day two of the conference, experts discussed globally compatible data protection standards and accountability. The Hunton & Williams Privacy and Information Security Law Blog reports that Professor Paul De Hert of the Vrije Universiteit Brussel reviewed the case I v. Finland, which is considered a "key document for the concept of accountability in European data protection law," the report states. Former Hungarian Data Protection Commissioner Attila Péterfalvi delivered the event's closing speech, during which he detailed legislation to amend the nation's data protection law to bring it into full compliance with the European Data Protection Directive.
Full Story

PRIVACY LAW—THE NETHERLANDS & UK

Officials Address New Cookie Regulation (June 24, 2011)

The Lower House of the Dutch Parliament has passed an amended version of the Telecommunications Act, Telecompaper reports. The new legislation implements the revised EU telecoms framework and includes new cookies regulations that require websites to get user permission prior to using cookies that collect consumer data. The bill will need approval from the upper house, which will reconvene after the summer holidays. Meanwhile, UK Information Commissioner Christopher Graham has announced that his office will allow a one-year grace period for businesses to comply with the new EU cookie regulation that went into effect 26 May. "This does not let everyone off the hook," says Graham. "Those that choose to do nothing will have their lack of action taken into account when we begin formal enforcement of the rules." 
Full Story

DATA PROTECTION—ITALY

DPA Issues Annual Report (June 24, 2011)

The Garante issued its Activity Report 2010 on Thursday, focusing on the authority's 14th year of operation and on the implementation of privacy legislation. AGI reports on the document's release, noting that the Garante "has issued fines of over €4 million in 2010 and the first six months of 2011." In its announcement of the report, the Garante notes that it includes action taken and efforts toward effective data protection in light of new forms of technology and means of communication. The document also includes information on the approximately 600 provisions the Garante has adopted as well as information on questions, complaints, reports and appeals that have been addressed in the past year.
Full Story

PRIVACY LAW—UK

ICO Ruling Sides With Government Transparency (June 24, 2011)

The Information Commissioner's Office (ICO) has ruled that the name of every civil servant earning a salary greater than £150,000 must be disclosed to the public, The Guardian reports. This is the first time, according to the report, that the ICO has chosen to back government transparency over privacy safeguards. Information Commissioner Christopher Graham said, "Being open and transparent is an integral part of being accountable to the taxpayer and, like it or not, this level of disclosure goes with the territory." The Cabinet Office added, "Today's ruling by the ICO has given an important and much-needed clarification on the balance between transparency and the protection of personal data."
Full Story

DATA PROTECTION—UK

Expert: Risk Assessments Help Stave Off ICO Penalties (June 24, 2011)

ComputerWeekly reports on one expert's views on how to avoid Civil Monetary Penalties imposed by the Information Commissioner's Office (ICO). Mick Gorrill, a former ICO enforcement officer, says that risk assessments are key to demonstrating that a company has put at least some data protection policies and procedures in place. Gorrill says that failure to implement a risk assessment or to follow through with self-imposed policies for data protection are the "top reasons" the ICO imposes a monetary penalty. In the report, Gorrill discusses what an organisation should do after a breach, whether an organisation should notify the ICO and if so, how long it should wait to notify the regulatory authority.
Full Story

DATA PROTECTION—UK

Departments Conducting Security Training (June 24, 2011)

The Guardian reports that government departments are conducting visual data security training, including the use of e-learning, intranets, staff inductions, security briefings and campaigns. Labour MP Andrew Miller wrote to secretaries of state querying what methods were being used to provide visual data security training. According to the report, most departments said all staff receive annual training, and the health department includes data protection training that covers working away from the office.
Full Story

ONLINE PRIVACY

Reputation Monitoring Tool Unveiled (June 24, 2011)

Social Barrel reports that Google has unveiled a new privacy tool aimed at helping users manage their identities online. "Me on the Web" is available on the Google Dashboard and alerts users if their name or e-mail address is mentioned anywhere on the Internet, suggests search terms that users may want to monitor and offers tips on how to remove unwanted content about themselves, the report states.
Full Story

ONLINE PRIVACY—EU

Commissioner: Industry Must Implement Do Not Track (June 23, 2011)

European Commissioner Neelie Kroes has challenged the advertising industry to agree to a do-not-track standard by June 2012, ZDNet reports. Speaking at a workshop in Brussels, Kroes said some Web browsers currently run do-not-track mechanisms, and some businesses say they honor them. "But this is not enough," she says. "Citizens need to be sure what exactly companies commit to if they say they honor do not track." According to the report, Kroes is working with the U.S. Federal Trade Commission to monitor the development of do-not-track technology. Kroes warned the industry that, "If I don't see a speedy and satisfactory development, I will not hesitate to employ all available means to ensure our citizens' right to privacy."
Full Story

DATA LOSS

Study: Breaches More Frequent and Severe (June 23, 2011)

A Ponemon Institute study has found that 90 percent of businesses experienced a data breach in the past year, and attacks were more severe and difficult to prevent. Network World reports that mobile devices--employee laptops, smartphones and tablets--are responsible for most breaches, while business partnerships also elevate risk. Fifty-three percent of businesses reported a low level of confidence in their ability to avoid future attacks, which the authors attribute to "the fact that so many organizations are having multiple breaches." An MSNBC report outlines ways for individuals to protect themselves in light of the recent "seemingly endless string" of data breaches, and according to the report, most aren't made public. Meanwhile, CIO has posted an online quiz to test readers' knowledge of data breaches.
Full Story

ONLINE PRIVACY

Browser Updates Do-Not-Track Option (June 23, 2011)

Mozilla has made its new do-not-track option easier to find and set in its latest Web browser update, ZDNet reports. Firefox 5 is the first release in the company's accelerated release cycle, a plan to ship browser updates every three months. The update also brings the do-not-track mechanism to the Android version of the browser. Mozilla's implementation adds a do-not-track header to the browser's web requests; advertising companies that receive it can then choose whether to honour the request and refrain from collecting data, since nothing in the browser enforces it. Microsoft's Internet Explorer 9 also features a do-not-track mechanism, but unlike Firefox, the report states, it uses a "tracking protection list--essentially a block list to decide which third-party elements of a Web page to block or allow."
Full Story
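The two cookie-consent items above (the Dutch Telecommunications Act, under which browser default settings do not count as consent) and this Firefox item describe obligations that fall on the server, not the browser: a site must not set non-essential cookies without a prior, affirmative opt-in, and a DNT header is only honoured if the site's code acts on it. The following is an added example written for this digest, not code from Mozilla, Microsoft or any of the sources quoted. It assumes a first-party consent cookie named cookie_consent whose value lists the purposes the user has opted in to (a hypothetical name and format), and treats the consent-exempt "strictly necessary" category (session, CSRF token) as always allowed. Treating DNT: 1 as an objection that overrides an earlier advertising opt-in is a policy choice made here, not something the articles prescribe.

```python
"""Decide which cookies a response may set, honouring prior consent and DNT.

Example code for illustration. Assumptions: the user's choices are stored in a
first-party cookie called "cookie_consent" (hypothetical) whose value is a
comma-separated list of purposes, e.g. "analytics,advertising". No consent
cookie means no consent; a browser that merely accepts cookies by default has
consented to nothing.
"""

# Cookie purposes. Only NECESSARY is exempt from the opt-in requirement.
NECESSARY = "necessary"
ANALYTICS = "analytics"
ADVERTISING = "advertising"

CONSENT_COOKIE = "cookie_consent"  # assumed name of the opt-in cookie


def header(headers, name):
    """Case-insensitive lookup of an HTTP request header in a dict."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def cookies_from(headers):
    """Parse the Cookie request header ("a=1; b=2") into a dict."""
    jar = {}
    for part in (header(headers, "Cookie") or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            jar[key.strip()] = value.strip()
    return jar


def consented_purposes(headers):
    """Purposes the user has explicitly opted in to (empty set if none)."""
    raw = cookies_from(headers).get(CONSENT_COOKIE, "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def dnt_requested(headers):
    """True if the browser sent DNT: 1 (the value Firefox 5 sends when enabled)."""
    return (header(headers, "DNT") or "").strip() == "1"


def allowed_purposes(headers):
    """Return the set of purposes for which cookies may be set on this response."""
    allowed = {NECESSARY}  # strictly necessary cookies need no consent
    consented = consented_purposes(headers)
    if ANALYTICS in consented:
        allowed.add(ANALYTICS)
    # Policy choice (ours): a current DNT: 1 signal overrides an earlier
    # advertising opt-in, because that is the tracking-heavy category.
    if ADVERTISING in consented and not dnt_requested(headers):
        allowed.add(ADVERTISING)
    return allowed


def set_cookie_headers(headers, candidates):
    """Filter (name, value, purpose) triples into Set-Cookie header values.

    Cookies whose purpose the user has not opted in to are simply not set;
    the application must tolerate their absence rather than fall back to
    setting them anyway.
    """
    allowed = allowed_purposes(headers)
    return [
        f"{name}={value}; Path=/; Secure; HttpOnly"
        for name, value, purpose in candidates
        if purpose in allowed
    ]


if __name__ == "__main__":
    # Constructed sample request and candidate cookies.
    request = {"Cookie": "sid=old; cookie_consent=analytics", "DNT": "1"}
    wanted = [("sid", "abc", NECESSARY), ("_stats", "x", ANALYTICS), ("adid", "y", ADVERTISING)]
    for line in set_cookie_headers(request, wanted):
        print("Set-Cookie:", line)
```

The point of the split between `consented_purposes` and `allowed_purposes` is auditability: a regulator asking "on what basis was this cookie set?" gets an answer that is either "strictly necessary" or "the user's recorded opt-in", never "the browser did not object".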

ONLINE PRIVACY

Is Anonymity on the Web Impossible? (June 22, 2011)

In a feature for The New York Times, Brian Stelter suggests the Internet is becoming "the place where anonymity dies." Amidst calls for a "right to be forgotten" in Europe, Stelter suggests, "The collective intelligence of the Internet's two billion users, and the digital fingerprints that so many users leave on websites, combine to make it more and more likely that every embarrassing video, every intimate photo and every indelicate e-mail is attributed to its source, whether that source wants it to be or not." One expert suggests the Web "can't be made to forget," and "an inescapable public world" may be the result. (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY—EU

Commission: Social Networks Should Better Protect Minors (June 21, 2011)

A European Commission (EC) study of 14 social networks includes in its findings that just two "have default settings to make minors' profiles accessible only to their approved list of contacts," The Wall Street Journal reports. The study comes as the EC continues exploring Internet regulation, the report notes. Commissioner Neelie Kroes reacted by saying she is "disappointed" in the results, urging social networks "to make a clear commitment to remedy this in a revised version of the self-regulatory framework we are currently discussing." A spokesman said the EC will be "sitting down with them over the coming months, and we want them to do more." (Registration may be required to access this story.)

DATA LOSS

Online Network Hacked, 1.3 Million Affected (June 21, 2011)

A recent rash of cyberattacks continues, this time affecting 1.3 million members of Sega's online video game network, Sega Pass. Reuters reports that names, birth dates, e-mail addresses and encrypted passwords of users were stolen from the database. Sega Europe discovered the breach on Thursday and notified network users and Sega Corp, which then shut down the site. A company spokeswoman apologized for the breach, saying that Sega is working on improving security measures. A hacker group responsible for attacks on other video game sites has offered to track down these hackers, according to the report.
Full Story

PRIVACY LAW—EU

Commission’s Lawyers: PNR Agreement Illegal (June 21, 2011)

The European Commission's legal counsel has warned that an agreement between the EU and U.S. to store airline passenger data for 15 years is unlawful, The Guardian reports. The passenger name record (PNR) deal is now being finalized and needs the approval of the European Parliament, but the legal counsel's May 16 document raises "grave doubts" that the agreement complies with data protection law. The legal opinion particularly lists the provisions requiring data storage for 15 years, the lack of independent oversight and proper legal recourse if data is misused. One parliamentarian said the legal advice is an indication that the commission should drop the PNR agreement and go "back to the drawing board."
Full Story

DATA PROTECTION—SPAIN

José Luis Rodríguez Álvarez Nominated Director of Spanish DPA (June 21, 2011)

The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency. The lawyer and professor of constitutional law at the Faculty of Law of the Complutense University of Madrid had been appointed director of the Cabinet of the Spanish Ministry of Justice in February 2009, a post he is now leaving to take up the new role. Rodríguez Álvarez will replace outgoing director Artemi Rallo Lombarte. (Article in Spanish.)
Full Story

DATA PROTECTION—UK

Graham Closes News Publisher Investigation (June 20, 2011)

Information Commissioner Christopher Graham has ended an investigation into a newspaper publisher after being assured that a batch of e-mails had not been sent to India, The Guardian reports. A News Group Newspapers senior executive had claimed that archived e-mails involving a court case on telephone hacking were lost in a "botched transfer." Graham said the company has assured him the incident did not occur, though it has declined to answer investigative questions in detail because of a pending court case. Given that, and "a lack of firm evidence that the e-mails were actually lost or that any damage or distress has been caused...my investigation is closed," Graham said.
Full Story

DATA LOSS—UK

ICO Investigating Loss of 8.6 Million Records (June 17, 2011)

The Information Commissioner's Office (ICO) is investigating a breach involving the loss of a number of laptops from a storeroom, including one that NHS North Central London says contained up to 8.6 million medical records, PC Pro reports. A spokesperson for the NHS said it could not comment on the ongoing investigation. An NHS statement said that the laptops were password protected and that the trust's policy is to manually delete data after it has been processed. The ICO said it will "now make enquiries to establish the full facts of this alleged data breach."
Full Story

PRIVACY LAW—THE NETHERLANDS

Parliament Debates Internet Data Retention (June 17, 2011)

A debate in the Lower House of the Dutch Parliament revealed that the opposition party wants to change the Internet traffic retention period to six months, Telecompaper reports. At present, the data must be stored for one year. The amended law draft was sent to parliament in 2009, but some parties have concerns about the costs of implementing the new law, and others have questioned its necessity. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—GERMANY

ULD Responds to Energy Act (June 17, 2011)

The Independent Centre for Privacy Protection Schleswig-Holstein (ULD) has responded to the federal government's draft law on new energy management standards, citing concerns about consumer privacy. "Daily routines are reflected in the use of energy," the ULD writes in its opinion on smart meter systems, adding that consumer profiles could be built based upon these daily routines. Additionally, consumers' control of the data collected, stored and potentially retransmitted about them may erode, the ULD said. The opinion also addresses third-party data sharing, user recourse in the event of erroneous consumer data storage and fines in the case of privacy violations. (Article in German).
Full Story

DATA PROTECTION—UK

Graham Warns Housing Sector To Protect Data (June 17, 2011)

Information Commissioner Christopher Graham says the housing sector must improve its data protection practices, INSIDE HOUSING reports, and he is calling on social landlords to take action. Graham says an unencrypted laptop taken from an employee's house, a USB stick left in a taxi or an employee untrained in what information can be distributed are all risks to data protection. "Social housing is very much on our radar," Graham said, "It seems to us that there is very little awareness of data protection within the sector, with a few honourable exceptions."
Full Story

DATA LOSS—UK

Council Posts Information To Web Site (June 17, 2011)

The chief executive of Closeburn Council is apologising to the nearly 900 people potentially affected by a data breach, Dumfries & Galloway Standard reports. The council mistakenly published workers' sensitive information--including names, job titles, salaries and dates of birth--to a website. The council says it immediately took action and removed the information when it realised the mistake. Union officials are encouraging staff to contact the Information Commissioner's Office, the report states, after receiving a number of concerns from those affected.
Full Story

CCTV—UK

ICO Orders Website to Encrypt Streams (June 17, 2011)

The Information Commissioner's Office (ICO) has ordered a video surveillance provider to better protect individuals' data after footage was discovered on YouTube, OUT-LAW.COM reports. Internet Eyes streams live closed-circuit television (CCTV) footage to members' homes as part of its shoplifting-prevention efforts. The company will now encrypt CCTV images and implement stronger viewer vetting and auditing measures in order to satisfy some of the ICO's demands. "CCTV footage should not end up on YouTube when it shows someone simply out doing their shopping," said Deputy Information Commissioner David Smith. "A person's CCTV image is their personal data. The law says that it should only be disclosed where necessary."
Full Story

DATA PROTECTION

Council Releases PCI Standards Document (June 17, 2011)

The Payment Card Industry Security Standards Council has released a set of guidelines for companies to ensure compliance with industry standards, Computerworld reports. The 39-page document describes how each of the 12 PCI security requirements can be applied in a virtual environment, the report states, and offers recommendations on how to stay compliant in the cloud, delineating between entities' and cloud vendors' responsibilities. "Consequently, the burden for providing proof of PCI DSS compliance for a cloud-based service falls heavily on the cloud provider," the document states. The guidance is the "best document that the PCI Security Standards Council has written to date," an independent PCI consultant said.
Full Story

DATA PROTECTION—EU

EDPS To Increase Inspections This Year (June 16, 2011)

European Data Protection Supervisor (EDPS) Peter Hustinx will carry out more on-the-spot inspections this year in cases where he believes an EU institution is failing to comply with EU law, European Voice reports. That's according to the EDPS annual report, released this week. In a press conference, Hustinx said that though his office prefers to "encourage compliance rather than warn or admonish controllers or make legally binding orders," it now believes "the time has come to take a more robust approach to enforcement, particularly in cases of serious, deliberate or repeated noncompliance with data protection principles." The report also says the office will focus on member states' and the European Commission's implementation of new legislation on border security checks and an EU-wide system on airline passenger data.

PRIVACY LAW—EU

Parliamentary Committee Adopts Draft Resolution (June 16, 2011)

The European Parliament Civil Liberties Committee has adopted a draft resolution intended to influence the revision of the EU Data Protection Directive. According to a press release, the resolution includes provisions to allow people to access and alter or delete their data online and recommends "severe and dissuasive sanctions" for misuse or abuse of consumer data. The committee is calling for a modern data protection law that will improve international data transfer processes and better protect children--especially on social networking sites. The committee has also put its support behind a requirement for organizations to appoint data protection officers.

GEO PRIVACY

Nissan Looking Into Data Sharing Claims (June 15, 2011)
Nissan is looking into a blogger's claims that the navigation systems in its Leaf vehicles send drivers' location data to third parties, The Wall Street Journal reports. A SeattleWireless.net blog post claims that the information is transmitted via Nissan's subscription-based Carwings system when a driver updates his RSS feeds. "There is no way to prevent this data from being sent, nor does Nissan or Carwings warn you that your location data can be flung off to random third parties," the blog states.

SOCIAL NETWORKING

LinkedIn Privacy Changes Point To Social Ads (June 15, 2011)

MediaPost News reports on LinkedIn privacy policy updates as hinting at the introduction of "social ads" based on users' activities. LinkedIn "appears eager" to avoid privacy issues, the report states, and will allow users to opt out of social ads. "Most importantly, we do not provide your name or image back to any advertiser when that ad is served," one LinkedIn official noted, while another said, "This upcoming change to the privacy policy reflects the evolving ways in which our members are using the LinkedIn platform, and it allows us to explore this area should we choose."

PRIVACY

“Cyberinsurance” in High Demand (June 15, 2011)

The "cyberinsurance" industry is experiencing an uptick in business, with recent high-profile breaches driving companies' desire to protect themselves from spending potentially millions of dollars on breach-related costs. Companies are upgrading IT and human resources practices and training employees in order to get coverage--in some cases worth hundreds of millions of dollars. "Consensus is building" on what policies cover, but standardization remains a hurdle, says one insurance expert who predicts, "One day the industry will actually be so robust that...we'll have the leverage to actually create standards." A Ponemon Institute study shows the average breach cost $7.2 million last year, "But with the scale and scope of hacking attacks growing daily, some companies cannot be cautious enough," the report states.

DATA THEFT—UK

ICO Fines Former Telecom Employees (June 13, 2011)
Two former employees of T-Mobile have been fined by the Information Commissioner's Office (ICO) for stealing and selling customer data, V3.co.uk reports. The fines totaled £73,000, and for the first time, the ICO will receive part of the settlement to train investigation staff. Information Commissioner Christopher Graham hopes the case will show that his office is being tough on data theft. "Those who have access to thousands of customer details," he added, "may think that attempts to use it for personal gain will go undetected. But this case shows there is always an audit trail, and my office will do everything in its power to uncover it."

SURVEILLANCE—UK

Civil Liberties Groups Petition ICO (June 13, 2011)

Three civil liberties groups have sent a complaint to the Information Commissioner's Office (ICO) about plans to install surveillance cameras around the town of Royston in Hertfordshire. In a written complaint to the ICO, the groups claim that automatic number plate recognition (ANPR) cameras are "unlawful" because their use "has not been as the result of any parliamentary debate, Act of Parliament or even a Statutory Instrument," The Guardian reports. They also argue that data collected from the cameras is retained too long. The police defended the cameras, saying they are used "to target criminals and unsafe drivers, not law-abiding motorists." A spokeswoman from the ICO said, "We have received the letter and are looking into it."

SOCIAL NETWORKING—EU

DPAs Raise Facial Recognition Concerns (June 10, 2011)

Throughout Europe, privacy concerns continue to surface in the wake of the announcement that Facebook's new facial recognition feature, which allows users to more easily identify and "tag" people in photos, is activated by default and requires users to opt out if they don't want to be tagged. Among those reported to be examining the new feature are the Article 29 Working Party, the Irish DPA and the UK Information Commissioner's Office. Deutsche Welle reports that the social network's use of facial recognition without users' prior consent has German data protection officials especially concerned. "Again Facebook has changed its Privacy Declaration without the users' consent," said Data Protection Commissioner Peter Schaar, adding, "I do not think that Facebook's action conforms to European and German data protection law."

ONLINE PRIVACY—GERMANY

Citizens May Opt Out of Mapping Feature (June 10, 2011)

Microsoft will delay its launch of an online mapping feature in order to allow German citizens to opt out of it, the Deutsche Presse-Agentur reports. The company will hold off on publishing a version of its Bing Maps Streetside photo feature and will give residents two months to request that their property not be included in the service. "We're willing to compromise," said Microsoft Germany's Ralph Haupter.

DATA PROTECTION—HUNGARY

Citizen Survey Includes PII, Ombudsman Concerned (June 10, 2011)

Hungarian Data Protection Ombudsman Andras Jori says government questionnaires sent to more than six million Hungarian citizens are not anonymous, and he's asking for personal information to be deleted from the database, reports Politics.hu. Jori last month launched an investigation into bar codes on the questionnaires that he suspected could reveal subjects' identities. The questionnaires ask about pensions, welfare and education, and, according to Jori, the responses--and whether a citizen participates--could be interpreted as "giving a political opinion." A spokesman for the prime minister said Jori's office was consulted prior to sending the questionnaires and raised no personal data protection concerns, but Jori has refuted that assertion.

DATA RETENTION—EU

German Crime Stats Raise Questions (June 10, 2011)

Newly released German crime statistics suggest that the retention of telecommunications data does not have a positive impact on crime-solving, according to a group that opposes the blanket retention of such data. PCWorld reports that a spokesperson for the German Working Group on Data Retention says, "The truth is that with targeted investigations of suspects, we live just as safely as we would with a policy of indiscriminate retention of all communications data." The statistics published by German police come on the heels of criticism from European Data Protection Supervisor Peter Hustinx, who recently denounced the European Data Retention Directive, saying it fails "to meet its main purpose."

DATA LOSS—UK

ICO Levies £120,000 Fine (June 9, 2011)

The Information Commissioner’s Office (ICO) has fined Surrey County Council £120,000 for lax data protection practices, 24dash.com reports. The council breached the Data Protection Act in May 2010 when it e-mailed a file containing sensitive personal data to the wrong recipients, the report states. Two separate incidents involving misdirected e-mails occurred in June 2010 and January 2011. “This significant penalty fully reflects the seriousness of the case,” said Information Commissioner Christopher Graham in a press release. “Surrey County Council has paid the price for their failings, and this case should act as a warning to others that lax data protection practices will not be tolerated.”

BEHAVIORAL TARGETING

IPv6 Rollout Could Necessitate Privacy Rethink (June 9, 2011)

Yesterday, hundreds of companies began testing the next-generation Internet address protocol--IPv6. The new standard will replace IPv4, which is running out of unique IP addresses for the world's many devices, Computerworld reports. IPv6 will "have the ability to profile Internet behavior to more accurately target online ads," writes Laurie Sullivan for MediaPost. And although it is too soon to tell, "IPv6 could likely require companies to go back to the drawing board and renegotiate privacy laws with the SEC because of the ability to identify more granular data collected through ad targeting," she adds.

ONLINE PRIVACY

Investigation Finds Apps Put Data at Risk (June 9, 2011)

A computer security firm has found that some popular mobile applications store users' personal data in plain text on their mobile devices, reports The Wall Street Journal. The viaForensics investigation found information such as unencrypted user names, passwords and transaction amounts on smartphones, which goes against industry best practices. "Data should not be stored on a phone," said Andrew Hoog, chief investigative officer of viaForensics. Hoog also said that while app developers are becoming more aware of data security issues, the fact that vulnerabilities still exist indicates security is not a top priority. One app maker's spokeswoman said that it's necessary for some information to be stored on phones, and the practice is allowed by the PCI Security Standards Council. (Registration may be required to access this story.)

DATA LOSS

Opinion: Management Lessons from Breaches (June 8, 2011)

The Financial Times reports on lessons that should be gleaned from data breaches that have affected several large companies. Saying that recent high-profile data breaches were "more a failure in management than a failure in security," the column notes that chief executives should place data governance on par with processes such as financial reporting and brand management. A major breach of privacy can have an effect on a company similar to a product recall or defect. "Managing consumers' data and privacy is an executive matter of the highest priority," the column states, adding that security efforts like encryption and firewalls are "only part of the challenge." (Registration may be required to access this story.)

ONLINE PRIVACY

Opinion: A Tale of Two Ideologies (June 8, 2011)

In a feature for The Atlantic Monthly, John Hendel explores the push-and-pull between calls for a "right to be forgotten" online and support for an open Internet in suggesting the world's "two biggest transnational institutions may soon fall into a complex, ideological struggle over people's rights to digital expression." One United Nations official suggests the removal of data, as sought in the right to be forgotten being advocated in the EU, would violate free expression. Hendel questions, "Could Europe's right to be forgotten evolve into a direct violation of the UN's newly entrenched principles and commitment to Internet liberty?" And his conclusion is, "Expect the battles to only be beginning."

ONLINE PRIVACY

Mobile Phone CEO Advocates Regulation (June 6, 2011)
The chief executive of a UK-based mobile phone company is among those calling for global Internet regulation, European Voice reports. Vodafone's Vittorio Colao has written in support of a call by President of the French Republic Nicolas Sarkozy for more regulation—a perspective that contradicts some high-profile U.S.-based Internet companies that are advocating instead for self-regulation. "If electronic commerce is to flourish and more jobs are to be created, we all need to feel we can trust those we deal with and that the law will protect our trust," Colao wrote, adding, "We need to feel that our privacy will be safeguarded and that personal data will be secure."

DATA PROTECTION—EU

Medical Groups Want Input on Data Uses (June 3, 2011)

The European Medicines Agency (EMA) and the Heads of Medicines Agencies (HMA) have released guidance outlining how to identify confidential information and protect personal data within marketing authorisation applications, PharmaTimes reports. The document, open for public consultation until 1 September, explains what information requested in a marketing application can be released. The EMA and HMA say they are interested in the opinions of stakeholders, including healthcare professionals and patient groups, on the criteria for releasing and protecting personal data.

DATA PROTECTION—EU

Associations Call on EC To Recognise CILs (June 3, 2011)

Four data protection associations are appealing to the European Commission to recognise the role of the data protection officer when considering revisions to the EU Data Protection Directive. The groups—the French Association of Data Protection Correspondents, Spanish Association of Privacy Professionals, German Association for Data Protection and Data Security and the data protection association of the Netherlands—feel that the role of the data privacy controller should be strengthened. In a recent press release, they say that data protection officers are "key players in protecting the privacy of consumers, employees and citizens," and their roles, missions and legal status should be defined and harmonised across Europe. (Article in French.)

PRIVACY LAW—EU & UK

Justice Secretary Opposes Data Protection Proposals (June 3, 2011)

UK Justice Secretary Ken Clarke said he does not support the new EU data protection legislation that has been proposed, The Register reports. In a speech to the British Chamber of Commerce in Brussels, Clarke said, "A preoccupation with imposing a single, inflexible, codified data protection regime on the whole of the European Union, regardless of the different cultures and different legal systems, carries with it serious risks." Clarke also criticised the concept of "the right to be forgotten," saying that, in practice, it would create "an unachievable standard." Clarke also said, "Rather than improving privacy, safety and freedom, there is a real risk that some of these ideas might accidentally undermine them."

PRIVACY LAW—SWEDEN

Board Approves “Anti-Hooligan” Register (June 3, 2011)

Sweden's Data Inspection Board has given a Stockholm football club approval to create a register of blacklisted fans in order to prevent them from entering sporting events, The Local reports. The register will contain personal information, images of the "risk-supporters" and witness statements. The register will also contain the personal information of parents if the supporter is a juvenile. To legally enact the register, the football club must provide clear notice, have "a high level of IT security" for its database and a two-year limit for data retention.

DATA LOSS—UK

ICO Fines Personal Injury Employee (June 3, 2011)

A former employee of a personal injury claims company has pleaded guilty to illegally accessing patient information from the National Health Service during a four-month period, BBC News reports. According to an Information Commissioner's Office (ICO) press release, the former employee acquired the patient information from a nurse who worked at a medical treatment facility. He then used the data to "generate leads for the personal injury claims company he was working for at the time." The ICO has also announced that two charities experienced data breaches when unencrypted laptops that contained personal information were stolen. In a press release, an ICO spokesman said, "We are pleased that both charities have agreed to take the necessary steps to ensure that the personal information they hold is kept secure from now on."

PRIVACY LAW—EU

EDPS Denounces Directive (June 1, 2011)
European Data Protection Supervisor Peter Hustinx said Tuesday that the 2006 directive on data retention does not adequately meet privacy and data protection requirements, Deutsche Welle reports. The directive has "failed to meet its main purpose," Hustinx said in his 16-page opinion, adding that the need for data retention "as provided for in the Data Retention Directive has not been sufficiently demonstrated." Hustinx is calling on the European Commission to consider repealing the directive for a more "targeted EU measure." Cecilia Malmström, commissioner for home affairs, recently said the five countries that have not yet implemented the directive would face legal action, though she noted the directive's "serious shortcomings."

PRIVACY LAW—UK & EU

Cookie Law Guidance Needed (June 1, 2011)

The EU cookie law came into force last Thursday, and The Guardian reports that while UK Information Commissioner Christopher Graham has given websites a year to comply with the law, many are wondering just how to do that. Guidance from the Information Commissioner's Office has been "disappointing," according to one law firm's blog. Graham has called the new rules "challenging," and has said that he will "take a commonsense approach" to enforcement, adding, "Browser settings giving individuals more control over cookies will be an important contributor to a solution, but the necessary changes to the technology aren't there yet." The report questions, "What is the advice in the meantime?"

PRIVACY LAW—GERMANY

DPAs Release FAQs on Breach Requirements (June 1, 2011)

Two German data protection authorities (DPAs) have issued a paper that addresses the data breach notification requirements under Section 42a of the German Federal Data Protection Act. Hunton & Williams' Privacy and Information Security Law Blog reports that the paper includes frequently asked questions that address breach notification procedures that private organizations and some public entities must follow to achieve compliance. The paper contains "practical guidelines" to help organizations identify when notification is required and appropriately comply with notification obligations.

ONLINE PRIVACY

Schmidt: Google Now More Cautious on Privacy (June 1, 2011)

Intensifying scrutiny by public- and private-sector watchdogs has Google taking a more guarded approach toward privacy, CNN reports. "We're so sensitive on the privacy issue now," Google Executive Chairman Eric Schmidt said yesterday at an event in California, where he also shed light on the company's privacy processes. "Historically, we would just throw stuff over the wall," he said. "We now have a very, very thorough process." Google lawyers and policy experts now collaborate with development teams during product creation. Schmidt's comments follow the recent announcement that the company is withholding its rollout of a facial-recognition app due to the potential privacy ramifications.