European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

ICO: Jail Time Needed for Privacy Violations (July 29, 2011)
A recent phone hacking scandal has prompted Information Commissioner Christopher Graham to call on the British government to implement prison sentences for those who use stolen personal data, Bloomberg reports. The Information Commissioner's Office previously recommended two-year prison terms for such offenses after a 2006 investigation into the sale of stolen personal data to journalists, the report states, but the government did not implement the proposal after journalists claimed it would limit free speech. In calling for stronger laws, Graham noted, "Unless people realize they can go to prison, it seems like a victimless crime."

PRIVACY LAW—HUNGARY

New Law Would Establish Sanctions, Boost Cloud (July 29, 2011)

As of late, legal challenges have complicated cloud solutions, but recently-submitted amendments to Hungary's data protection law could improve that, The Budapest Business Journal reports. The legislation may allow a new data protection and freedom of information authority to fine companies that don't comply with data protection law, which legal expert Zoltán Kozma says would hopefully "move forward the spread of cloud computing in Hungary." Kozma advises companies using cloud providers to analyse potential risks before signing contracts, adding that companies should study the conditions under which a contract can be terminated and what happens to the data in that case.

DATA PROTECTION—IRELAND

Breach Fines Helping To Pique Protection Interests (July 29, 2011)

Irish organisations are taking greater interest in protecting confidential information in light of stricter breach fines. That's according to security expert John Ryan, who told Silicon Republic that it's not only data protection officials taking interest. "A lot of people are talking about data breaches--not admitting they've had one but becoming more conscious of it before it happens." The Data Protection Commissioner's (DPC) new guidelines around mandatory disclosure for when more than 100 records are lost is one reason, and the other driver is that the DPC's powers have increased and the maximum fine is now €250,000, Ryan said.

PRIVACY LAW—EU

The Cloud Is Coming, But Slowly (July 29, 2011)

Data protection laws and differing definitions of what constitutes personal information have made cloud computing a challenge in Europe. And while cloud computing remains "the exception, not the rule," a research study predicts sales of cloud services in Europe to rise 4.3 percent this year, The New York Times reports. Some cloud services sellers are compensating for laws prohibiting data transfer outside the EU by creating EU-based data centers, but one technology expert notes, "The legal landscape is not conducive to cloud computing in Europe." However, the data protection directive is currently under review, and European Commission Vice President Viviane Reding has submitted a revision that she says would benefit businesses and consumers. (Registration may be required to access this story.) 

SURVEILLANCE—UK

Committee Requests ICO-Issued Guidance (July 29, 2011)

The Information Commissioner's Office (ICO) should give advice and support on UK laws on communication hacking, said a House of Commons committee. OUT-LAW News reports that the committee recommends the ICO clarify the Regulation of Investigatory Powers Act in an effort to advise those who may be in danger of breaking surveillance laws or think they've been victims of illegal hacking or surveillance. "Although the Information Commissioner's Office provides some advice, there is no formal mechanism," the committee said.

PRIVACY LAW—UK & U.S.

Opinion: Social Media Evidence Should Be Admissible (July 29, 2011)

Information published on social media sites should be admissible in court, according to law expert Claire McCracken. In an OUT-LAW News editorial, McCracken opines that if courts can demand to see private letters or hear the contents of private conversations, social network data should be treated the same. McCracken points to UK laws and a recent U.S. court case in which a worker claimed damages for lost wages as the result of a work injury. His employers requested username and passwords for his social media sites to prove the injury was insubstantial, which McCracken says should be legal. In question is the additional data the employers would then have access to, she says.

TRAVELLER’S PRIVACY—UK

Opinion: Body Scanner Debate Needed (July 29, 2011)

The Guardian reports on a U.S. Court of Appeals decision earlier this month, suggesting it should renew debate in the UK. An interim code of practice has been introduced in the UK to allow the Department of Transport to test the scanners at airports. A public consultation on the interim code that closed last year generated concerns from human rights groups. Unlike in the U.S., an alternative would not be offered to those wishing to opt out of a body scan, prompting one group to write that "the issue here is not a refusal to submit to a security search but the disproportionate impact on some people's privacy." 

PERSONAL PRIVACY—FRANCE

Unique Identifying Information Collected, Searchable (July 29, 2011)

ZDNet reports that the French data protection authority, the CNIL, has confirmed that "street addresses and unique identifying information for millions of laptops, media players and other wireless devices" were collected during Google's Street View project. Until recently, the collected data could be accessed by individuals who used a specific online search, the report states. In May, Google Chairman Eric Schmidt said the company would improve its privacy practices and consult specialists before launching new products.   

DATA PROTECTION—IRELAND

Commissioner Investigating Potential Hospital Breach (July 29, 2011)

The Data Protection Commissioner is investigating a potential breach at a Dublin hospital, RTE News reports. Tallaght Hospital says it notified the commissioner's office last Friday of "unsubstantiated allegations" involving unauthorised disclosure of personal information. The alleged disclosure involves the hospital's dictation outsourcing to a company with international facilities, though the hospital reportedly does not outsource the transcription of medical reports. The hospital says it has no evidence that any patient information has been inappropriately disclosed or accessed.

DATA LOSS—UK

Crime Details Found on Street (July 29, 2011)

A confidential file containing details about a crime victim was found on a Blackpool, Lancashire, street last week, BBC News reports. An individual found the file--which contained details about a teenage girl, including her photograph, age, address, phone numbers and school. The alleged attacker was also named in the file. "I have commenced an internal inquiry to establish how these documents have come into the public domain...It's likely there will be a look at procedures, and if there is a lesson to be learned procedurally from this, we will," said the operations manager for central Blackpool. The Information Commissioner's Office will inquire and take action if necessary. 

DATA RETENTION—EUROPE

Tragedies Cause Leaders To Revisit Internet Laws (July 28, 2011)

After the recent attacks in Norway, information was discovered online that, if found, might have helped to prevent the tragedies. Now, some European leaders are questioning whether stringent data retention laws and more online surveillance could prevent these types of attacks in the future, reports Deutsche Welle. In Germany, conservative leaders are reviving plans to bring back a data retention law requiring telecommunications and Internet companies to store online correspondence and location data for six months--which was recently declared unconstitutional. Meanwhile, Estonian leaders are looking to get faster access to IP addresses. Internet activists, however, have voiced concern that while attempting to fill a "reassurance vacuum," politicians and police will erode online freedoms. 

BIOMETRICS—UK

Minister: De-identified DNA Profiles Kept, Re-Identifiable (July 28, 2011)

Months after a bill was introduced to remove the DNA profiles of innocent people from police databases, Home Office Minister James Brokenshire says the profiles will be retained in an anonymized form, at which point they would be considered deleted. However, he added, the original barcode will remain, "theoretically" making the data re-identifiable. Brokenshire also said that the Information Commissioner's Office gave its approval to the plan to allow forensic labs to keep the anonymized profiles. However, a Home Office spokesman told The Guardian that its policy is unchanged, meaning "DNA records of the innocent will come off the database and physical samples will be deleted."

BIOMETRICS

Social Network Addressing Concerns (July 27, 2011)

Reuters reports on Facebook's efforts to simplify the opt-out process for users to disable its "Tag Suggestions" facial recognition feature in the wake of privacy concerns. Connecticut AG George Jepsen has issued a statement following his request for a meeting with Facebook officials to discuss the social network's privacy approach. He said the company "has made significant changes that will provide better service and greater privacy protection to its users," referring to the series of ads advising users of their privacy settings and how to disable the facial recognition feature.  

PRIVACY

Opinion: Right to Privacy Definitions Need Updating (July 26, 2011)
In The Wall Street Journal, L. Gordon Crovitz writes that in light of a phone hacking scandal, definitions of the right to privacy need to be updated. The debate surrounding the right to privacy in recent years has focused on new media, he writes, "but when we post details about ourselves on social media or reply to online marketing, we are choosing to become less private." Hacking phones is "a clear-cut violation of privacy," Crovitz writes, "but the clarity of this violation highlights how much ambiguity there is in other claimed areas of privacy."

PRIVACY LAW—EU

Article 29 Working Party: Prior Consent Necessary (July 26, 2011)

The Article 29 Working Party guidance on the European e-Privacy Directive states that "the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent," reports research-live.com. While the directive does not use the word "prior" specifically, the Working Party writes that it is a "clear and obvious conclusion from the wording of the provision...Otherwise, the processing carried out during the period of time from the moment the processing had started until the moment that consent had been obtained would be unlawful because of lack of legal ground."

PRIVACY

Privacy Leads 2011 Concerns (July 26, 2011)

ReadWriteWeb reports on privacy concerns as a top trend of 2011 so far. The report looks at privacy-focused social networks and examines concerns about smartphones and a do-not-track mechanism. The report predicts that, in response to Google's social network that allows users to publish information to targeted "circles," Facebook will likely enable selective sharing by the year's end. The report also notes researchers' revelation that smartphones are capable of storing user location data, noting a survey by TRUSTe indicating that 77 percent of respondents don't want their location data shared. 

PRIVACY LAW—UK

Commissioner: Stronger Data Theft Laws Needed (July 25, 2011)

In a column for Prospect Magazine, UK Information Commissioner Christopher Graham writes about the widespread and unlawful trade of personal data. Going beyond tabloid journalism, "the problem," Graham writes, "actually involves a much bigger cast list--of lawyers, claims management companies, private investigators and scam merchants, to name but a few." Current attempts to stop the unlawful trade of personal data are a "20th century approach to a 21st century problem," the commissioner writes, and legislators "have not caught up with the reality of data crime." Graham echoes his predecessor, Richard Thomas, saying there needs to be "a custodial penalty" where violators could face jail time and steeper financial penalties. "Armed with that," Graham states, "the ICO could investigate breaches more speedily, and the dealers in data would know they faced the full range of possible court sanctions."

DATA LOSS

Preparing for Mandatory Breach Notification (July 25, 2011)

As data security breach notification requirements become more widespread on a global scale, businesses are at greater risk for brand damage, customer loss and regulatory scrutiny. In a special pre-release article for the September issue of The Privacy Advisor, Baker McKenzie's Brian Hengesbaugh, CIPP, Michael Stoker and Daniel Krone discuss the 10 steps every organization should take to address these requirements. They say an organization's actions "should be tailored to reflect its industry; geographic footprint; data collections and transfers; history of data security incidents," and other factors. The authors outline specific steps organizations can take. (IAPP member login required.)

PRIVACY LAW—ITALY

DPA Fines Agency for Employment Data Collection (July 25, 2011)

The Italian Data Protection Authority (Garante) has found that collecting and processing the sensitive personal information of job applicants violates the law and has censured and fined a real estate agency for asking applicants "a disproportioned quantity" of personal questions. The Garante found the practice violated Italy's Data Protection Code, and further investigation and sanctions may be forthcoming. "It is incredible that notwithstanding strong data protection legislation, we still experience similar shocking data processing in the employment field," notes Rocco Panetta of Panetta & Associati, adding that such behaviors expose organizations "to enormous risks of sanctions." (Article in Italian.)

SOCIAL NETWORKING—IRELAND

Opinion: Privacy Protections Should Be Priority (July 22, 2011)

In a feature for the Irish Times, Karlin Lillington reviews the widespread use of social media in Ireland, noting, "With so many people divulging personal information, safe use of social venues should be a priority in this country." Recent surveys indicate that Ireland has some of "the heaviest social network users in Europe and the heaviest business users internationally," the report states. Lillington goes on to note that despite the wide use of social media in Ireland, concerns about privacy protection persist, with 50 percent of Irish respondents to an EU survey reporting they fear that their personal information might be misused. 

DATA PROTECTION—EU

Commission Eyeing Rules for Breach Notifications (July 22, 2011)

The European Commission has launched a public consultation on its consideration of a set of practical rules to govern companies' behavior in the case of a data breach, Computing.co.uk reports. Following recent high-profile breaches, the commission outlined the rules in Brussels last Thursday. Jon McNamee, head of European Digital Rights, said clear and predictable rules and legal certainty are vital, as are contingency plans when it comes to data breaches. "It is precisely because there will inevitably be breaches that rules are needed to ensure that citizens are informed and that companies have compelling reasons to minimise the data they collect and maximise for their internal security," he said. The public consultation will close 9 September.

DATA LOSS—IRELAND

DPC Investigating Council Upload Breach (July 22, 2011)

The data protection commissioner is investigating a Meath County Council breach after the council uploaded personal information online, the Irish Independent reports. The council has removed the personal information--which included birth certificates, bank account information and driver's licences of planning permission applicants--after a member of the public alerted it to the incident. A council spokeswoman said those affected by the breach would be contacted. The council has not said how many applications were uploaded.

DATA LOSS—UK

University, Police Breach DPA (July 22, 2011)

The Information Commissioner's Office (ICO) has said that the University of York breached the Data Protection Act by making student information available online, ITPRO reports. The breach occurred in 2009, when an employee made an error while working on an IT system. The information included student addresses, phone numbers and dates of birth. Meanwhile, the Lancashire Police Authority has signed an undertaking with the ICO after it accidentally published details of an individual's complaint to its website. The group Big Brother Watch has found that 900 police officers and staff in the UK have been disciplined for breaching the Data Protection Act in the last three years, the report states.

PRIVACY LAW—RUSSIA

Federal Data Protection Law Amendments Passed (July 20, 2011)

The upper house of Russia's federal legislature has approved amendments to the country's federal data protection law, InformationLawGroup reports. The amendments require businesses that process personal data to conduct threat assessments and examine the effectiveness of data protection safeguards; use only verified data protection methods; implement access controls; log all relevant actions; record incidents of unauthorized access; and implement measures to restore lost, destroyed or damaged data following breaches, the report states. The government will develop regulations for appropriate data protections and requirements for biometric data processing. The report advises that businesses "should be prepared to review and adjust as necessary their privacy and data security practices" as privacy enforcement increases worldwide.

PRIVACY LAW—EU

Commission Begins Action Against States (July 19, 2011)
The European Commission has started legal action against 20 member states for failing to implement telecommunications rules, Reuters reports. The commission has written to the states to inquire about why they have not implemented the so-called telecoms package, which was to have been incorporated into practice by May 25. The rules include what has been a controversial mandate for websites to obtain users' consent before placing cookies on their systems. To date, only Britain, Denmark, Estonia, Finland, Ireland, Malta and Sweden have implemented the rules. The states in question have two months to respond.

SOCIAL NETWORKING

Opinion: New Site Puts Privacy First (July 19, 2011)

A new social networking site has learned the lessons of past privacy mishaps and made privacy the "No. 1 feature of its new service," says Nick Bilton in The New York Times. Google launched its new social network Google+ last month and now has 10 million users whose posts are private by default, the report states. Breaches of user privacy on other sites have rarely led to repercussions, and users have mostly stuck with Facebook because there hasn't been a "viable alternative," Bilton writes, adding, Google seems to have learned "the importance of privacy for consumers online." (Registration may be required to access this story.)

Working Party Clarifies “Consent” (July 18, 2011)
The Article 29 Working Party has offered clarification on the idea of consent as the basis for data processing. The July 13 opinion includes recommendations for improving the concept of consent in the review of the EU data protection framework. The opinion notes that "only statements or actions, not mere silence or inaction, can constitute valid consent." The ability to withdraw consent should also be guaranteed, the Working Party states. When signing on to a social networking site, for example, default settings do not imply consent to make personal information available. Privacy professionals say that the opinion will be controversial and that the Working Party's opinion takes the most conservative approach wherever there is room for interpretation.

DATA PROTECTION

Outsourcers Working to Allay Fears (July 18, 2011)

With reports of large-scale data breaches attracting media attention, companies that outsource services are looking for ways to assure customers that sensitive data is being adequately protected. ComputerWeekly reports that according to PricewaterhouseCoopers (PwC), many outsourcers are using independent reports to show that they have robust protections in place, and this increased trust and transparency has become a competitive advantage. "Companies are increasingly looking for comfort that the operational activities that they have outsourced, be it transaction processing, logistics management or cloud computing, are being properly controlled," said Neil Hewitt of PwC.

PRIVACY LAW—UK

Deputy PM: Blaggers Should Go To Jail (July 15, 2011)

A renewed interest in issuing custodial sentences for those who flout data protection law has emerged in the wake of the News International phone hacking scandal. In a speech this week, Deputy PM Nick Clegg said those convicted of obtaining personal data by deception should be jailed, BBC News reports. "The Information Commissioner recommended in 2006 that that offence should...attract a custodial sentence," Clegg said. "It wasn't taken up then, and this government has said it will keep it under review. I think that now...there is a case for looking at this issue again." Stewart Room, a partner at Field Fisher Waterhouse in London, told the IAPP Europe Data Protection Digest that the case for introduction of jail sentences for data theft in breach of section 55 of the DPA "has always been compelling." Room said, "The News of the World scandal has captured the public imagination and the Coalition Government will have to react...In my view, it is inconceivable that the government will fail to act. The introduction of jail sentences is now inevitable."

PRIVACY LAW—EU

Commission Considering New Breach Rules (July 15, 2011)

PCWorld reports on the European Commission's discussions over whether additional EU data breach notification regulations are needed and EU Digital Agenda Commissioner Neelie Kroes' announcement of a public consultation on the topic. Currently, the ePrivacy Directive requires organisations to notify individuals if the information they hold about them is lost or stolen and to report breaches to the appropriate authorities, but, Kroes said, "we need consistency across the EU so businesses don't have to deal with a complicated range of different national schemes. I want to provide a level playing field, with certainty for consumers and practical solutions for businesses."

PRIVACY LAW—IRELAND

New Regulations Address E-Mail Marketing (July 15, 2011)

Ireland's new electronic privacy regulations to enact the EU Directive have implications for Web cookies and e-mail marketing. The new rules allow marketers to send unsolicited e-mail "once it reasonably appears to the sender that the recipient's e-mail address is mainly used for their commercial activity and the subject of the e-mail relates to that commercial activity," the Irish Times reports. One expert suggests that helps marketers who had struggled with "not being able to contact people who were clearly putting themselves out there." The regulations also include provisions allowing customers to opt out of marketing e-mails from companies and specify that opt-in consent expires after 12 months unless renewed.

PRIVACY LAW—FRANCE

CNIL Warns Third-Party Contractor (July 15, 2011)

An audit by the French data protection authority (CNIL) has found vulnerabilities in a system used to monitor online piracy, Telecompaper reports. HADOPI, the agency that fights online copyright infringement, employs third-party contractor Trident Media Guard (TMG), which experienced a data breach, discovered by a member of the public, in which lists of IP addresses of Internet users found to be illegally downloading content were exposed. CNIL has given TMG and five other copyright groups three months to ensure "perfect security."

PRIVACY LAW—HUNGARY

LMP Calls for Review of Police Decision on Survey (July 15, 2011)

Police have dismissed a call to press charges over a national survey, Politics.hu reports. LMP Andras Schiffer had raised concerns last month about the handling of data from the government's survey, specifically surrounding who handled the personal information and responses. A spokesman for the prime minister said that prior to releasing the survey, the government consulted with the data protection authority and the ombudsman, neither of whom objected. Schiffer has requested a review of the Budapest Police Force's decision.

DATA LOSS—GERMANY & UK

Data Breaches Affect Police, Hospital (July 15, 2011)

The German Federal Police has been hacked and location data stolen, CRN reports. The hacking group published police details including "location coordinates, licence plate and telephone numbers, police usernames and passwords and a GPS application," the report states. The group said the attack was a response to German government "communications interception and use of biometrics." Meanwhile, a UK hospital is changing its procedures after it repeatedly faxed cancer records to a member of the public instead of a general practitioner, BBC News reports. The faxes were sent over a two-year period from several hospital departments at an Essex hospital, which now delivers cancer forms and sensitive material by courier, the report states.

DATA PROTECTION—UK

Opinion: Cloud Is Here, Know the Rules (July 15, 2011)

The cloud is here to stay, writes Louise Kidney in The Guardian, so "understanding its implications and effect on electronic data is now a necessity." It's important to realize that the information one sends may not be governed by UK law if the cloud provider is located in a different country, Kidney explains. The EU Data Protection Directive forbids sending data to countries outside of the EU without Safe Harbor frameworks. Additionally, customers' requests for any data stored on them must be provided, even if the data is stored in a cloud outside of the UK.

Phone hacking scandal prompts closer look at ICO’s call for jail terms (July 15, 2011)

A renewed interest in issuing custodial sentences for those who flout UK data protection law has emerged in the wake of the News of the World phone hacking scandal.

In a speech this week, Deputy Prime Minister Nick Clegg said those convicted of obtaining personal data by deception should be jailed.

"The Information Commissioner recommended in 2006 that that offence should...attract a custodial sentence," Clegg said. "I think that now...there is a case for looking at this issue again."

In 2006, reports from then Information Commissioner Richard Thomas documented the nature and extent of the illegal trade in personal information and called for jail sentences as a serious deterrent.

The Gordon Brown government tried to introduce prison terms for certain breaches of data protection law, but failed to see the law enacted.

In the House of Commons on Wednesday, Prime Minister David Cameron said the 2006 ICO reports did not receive the attention deserved.

“We…should have made more of those reports, which included some very important detail about what was going wrong in data handling, data theft and the rest of it,” Cameron said.

Government leaders across the globe are following the hacking debacle, which has prompted the privacy commissioners of Australia and New Zealand to recommend password diligence and has spurred U.S. lawmakers to ask for a congressional inquiry.

In the UK, a Judicial Inquiry has been set up.

Prime Minister Cameron told the House of Commons, “We must ensure that the inquiry asks the question, ‘Why were (the reports) ignored, and what are we going to do about it now?’”

Stewart Room, a partner at Field Fisher Waterhouse, told the IAPP Europe Data Protection Digest that “The News of the World scandal has captured the public imagination and the Coalition Government will have to react.”

Room added, “In my view, it is inconceivable that the government will fail to act. The introduction of jail sentences is now inevitable."

—IAPP staff

PRIVACY—EU & U.S.

Should the U.S. Follow Europe’s Lead? (July 14, 2011)
An InformationWeek report examines whether the U.S. should follow the EU's lead when it comes to creating privacy law. Although the EU's protections are stronger than U.S. regulations now, "it's where the rubber meets the road that makes a difference," says Hogan Lovells' Christopher Wolf. In the U.S., "We have a lot more enforcement against violations of the various laws," he said, creating vigilant regimes. Omer Tene of Israel's College of Management School of Law says the expectations of privacy are different in Europe and the U.S. In Europe, he says, governments generally regulate privacy, while the U.S. is concerned with government intrusion.

PRIVACY LAW—EU

EDPS: Commission Ambiguous on Cookie Advice (July 14, 2011)

The European Data Protection Supervisor (EDPS) says that the European Commission has offered "inconsistent advice to website owners on how they should obtain users' consent to cookies," OUT-LAW News reports. EU Commissioner Neelie Kroes said last month that European companies had one year to create a uniform way for users to opt out of cookies and that she supported self-regulatory efforts, but EDPS Peter Hustinx says that neither a self-regulatory model nor a do-not-track model complies with EU Directive requirements. Hustinx says the directive's requirements should be "fully respected," and "The Commission should avoid any ambiguity" in making sure that transparency and consumer control online are delivered in the EU.

ONLINE PRIVACY

Former Google Employee Offers Insight (July 14, 2011)

In an interview with The Wall Street Journal, former Google employee Douglas Edwards offers insight into the company's attitude on privacy and efforts toward creating a social network. Edwards submits that, for Google's founders, privacy was not an issue. "The facts were that Google was not reading e-mail; Google was not targeting e-mail. So, the facts said there was no privacy issue," Edwards said, adding they "didn't understand that people's perception was reality." Edwards also weighed in on Google's efforts to gain ground in social networking. The company sees information created in social networks as "extremely important and valuable," he says, and without access to it, the founders think "Google will be less valuable as an information source." (Registration may be required to access this story.)

FINANCIAL PRIVACY—EU & U.S.

EU Exploring Its Own Funds-Tracking Program (July 13, 2011)
In the wake of objections by many EU officials to a program that allows the U.S. to access European financial transactions as part of efforts to fight terrorism, the European Commission has presented its own proposals for tracking finances of suspected terrorists. The New York Times reports the plans "are aimed at ending the primary role of the United States in those efforts," quoting Commissioner Cecilia Malmström's statement that an EU system "would need to fully respect fundamental rights and, in particular, ensure a high level of data protection." One of the EU's primary goals will be to limit the amount of data sent to the U.S. (Registration may be required to access this story.)

SOCIAL NETWORKING

Privacy Approach May Determine Success (July 13, 2011)

CNNMoney reports on new competition in social networking, and the report says privacy may end up determining the leader. While Facebook holds the major market share, Google's new Google+ is being lauded by testers for its privacy controls. "Web users may benefit from a Facebook-Google rivalry, but for a different reason: The best way for these companies to differentiate their social media offerings is by preserving personal privacy," the report states.

SOCIAL NETWORKING—EUROPE

Regulators Want Answers on Data Handling (July 13, 2011)

Norway's data protection agency (DPA) last week sent 45 questions to Facebook on behalf of Sweden, Denmark, Finland and itself, asking for information on the site's handling of users' information. AFP reports that the inquiry included questions about the use of members' photos and stated preferences as well as information collected when they click the "like" button, among others. The DPAs have given the company until the end of August to answer the questions. "Despite the fact that Facebook is continuously working on improving information to its members, it is unclear what information Facebook collects and how this is used and passed on," said Bjoern Erik Thon of the Norwegian DPA.

PRIVACY LAW—SWITZERLAND & U.S.

ISPs Being Asked To Record Data (July 12, 2011)
In nations on both sides of the Atlantic, Internet service providers (ISPs) may be required to record customer information to assist in investigations. CNET News reports on U.S. law enforcement representatives' endorsement of a proposed federal law, scheduled for a hearing today, that would require ISPs to store user data logs for 18 months. Meanwhile, in Switzerland, plans to revise the Data Protection Act include requiring ISPs to record and release client data and allowing "the government to install Trojan viruses on computers and use mobile phone network data to ease dragnet investigations," swissinfo.ch reports in a question-and-answer with one privacy expert who believes the concept goes too far.

ONLINE PRIVACY

Cloud Concerns Pervasive (July 12, 2011)

Across jurisdictions, concerns about privacy in the cloud persist. "There is no global law of cyberspace or law of the Internet, although there are separate pieces of legislation relating to privacy, spam, electronic transactions, cybercrime and more," one Australian expert writes, cautioning that recent breaches are a warning to all businesses. Technorati reports that, additionally, concerns about differing regulations, such as the U.S. Patriot Act being at odds with EU data protection rules, are also problematic. "All this could lead to something as drastic as the EU banning--even if only temporarily--U.S. companies from operating cloud services within the EU," the report states.

DATA PROTECTION—UK

ICO Publishes Guidance on Fines (July 11, 2011)
The Information Commissioner's Office (ICO) has released details on how it will use its new fining powers under the Privacy and Electronic Communications Regulations (PECR), OUT-LAW.COM reports. Amendments to the PECR let the ICO fine up to £500,000 for offenses, and "It is possible that a single breach may be sufficient to meet this threshold," the ICO says in its guidance, which offers insight into potential triggers for fines. Organizations will have the chance to weigh in on the guidance before it is adopted.

PRIVACY LAW—IRELAND

Legislation Forbids Cold Calls, Allows for Penalties (July 8, 2011)

New electronic privacy regulations make it illegal for marketers--including charities and political campaigns--to cold call mobile phones, The Irish Times reports. The new legislation will also place tighter controls on website operators' use of personal data and follows several companies' breaches of the Data Protection Act by repeatedly sending customers unsolicited texts and calls, the report states. The legislation requires website operators to obtain users' consent in order to place persistent cookies on their computers. It also allows the data protection commissioner to impose penalties of up to €250,000.

DATA PROTECTION—ITALY

Garante: Service Providers Are Data Processors (July 8, 2011)

After a series of audits and inspections, the Italian Data Protection Authority (Garante) determined that there was confusion about data processor rules in outsourcing relationships. The Garante has since deemed, in a general resolution, that data controllers must designate those companies that operate on their behalf as data processors. Data controllers have 60 days to comply with the new rules. (Article in Italian.)

PRIVACY LAW—EU

Parliament Approves Calls for Access, Breach Notifications (July 8, 2011)

Computing reports that the European Parliament has approved a document that calls for mandatory breach notifications and granting individuals greater access to and control over their personal data. European Commission Vice President Viviane Reding lauded the vote and the report, which was authored by German Christian Democrat Axel Voss. "Putting people back in control of their personal data is a priority for me," Reding said. "I welcome the European Parliament's support for this approach."

DATA LOSS—UK

Police Employees Caught Breaching DPA (July 8, 2011)

A privacy advocacy group has published research showing that hundreds of police employees have been investigated for breaching the Data Protection Act in the past three years, The Guardian reports. The group Big Brother Watch sent freedom-of-information requests to police forces in England and Wales, finding that 904 employees have been disciplined for such breaches, and 243 have received criminal convictions. Ninety-eight employees have been dismissed for DPA breaches. A Big Brother Watch spokesperson said the investigation showed that police employees have "been found to have run background records checks on friends and possible partners" and some have "been convicted for passing sensitive information to criminal gangs and drug dealers."

PERSONAL PRIVACY—UK

Employees Reportedly Selling Mobile Numbers (July 8, 2011)

Experts are warning about Indian call centre employees illegally selling British mobile phone numbers, The Telegraph reports. The report states that a representative from a firm that sells software and messaging services had offered mobile numbers without obtaining customer opt-ins, a breach of the Data Protection Act and European privacy and electronic communications regulations. Information Commissioner Christopher Graham is said to be investigating the companies behind the practices. House of Commons Justice Committee Chair Alan Beith said, "Any UK company which is using Indian call centres needs to check on its security and to act decisively if there is any breach of that security."

ONLINE PRIVACY—EU

Street View Proceeds Here, Halts There (July 8, 2011)

Google's Street View mapping feature will proceed in the Czech Republic and Hungary, but has come to a halt on the island of Guernsey. The Czech Republic's Office for Personal Data Protection had raised concerns that Google had not registered as a data controller before photographing city streets and that its cameras were able to capture images over residential fences. The poles supporting the cameras will be shortened and the company has registered as a data controller, The Register reports. Meanwhile, Hungary's data protection ombudsman says the company can resume its photography after it agreed to blur license plate and facial images. Guernsey's data protection commissioner, however, is in ongoing discussions with Google about privacy concerns.

ICO Report: Audits a Badge of Honor (July 7, 2011)
The Information Commissioner's Office (ICO) released its annual report yesterday, which states that more companies should offer themselves up for voluntary audits, The Register reports. Last year, there were 603 reported data breaches, and 186 occurred in the private sector. Of those businesses, 19 percent accepted the ICO's offer for a free data protection audit. In the public sector, 71 percent agreed to the voluntary audit, the report states. "These audits are not about naming and shaming those who are getting it wrong. The fact that a company has undergone a consensual audit should count as a badge of honor, showing that the business takes data security seriously," said Information Commissioner Christopher Graham.

PRIVACY LAW—EU & U.S.

EU Lawmakers Concerned About Patriot Act (July 6, 2011)

Members of the European Parliament are expressing concern about the conflict between the European Union's Data Protection Directive and the U.S. Patriot Act. Last week, Microsoft admitted that it may have to disclose European users' data, found in its new cloud service, to U.S. authorities, while keeping transfer details secret, Computerworld reports. Such disclosure would be a violation of the directive, prompting MEP Sophie in't Veld to ask, "Does the commission consider that the U.S. Patriot Act thus effectively overrules the EU Directive on Data Protection? What will the commission do to remedy this situation and ensure that EU data protection rules can be effectively enforced and that third-country legislation does not take precedence over EU legislation?"

DATA LOSS—UK

Graham Calling for Stiffer Penalties (July 6, 2011)

Information Commissioner Christopher Graham is prepared to impose fines of up to £500,000 on NHS trusts and hospitals after a number of data breaches including the loss of laptops and memory sticks, among other incidents, The Independent reports. "There's just too much of this stuff going on," Graham said. "The senior management is aware of the challenge, but the breaches continue. Whether it's a systemic problem in the NHS or an epidemic, we have got to do something about it." Graham also called for stiffer penalties for unlawfully obtaining personal data, which he says is a wider problem than the courts recognize.

SURVEILLANCE—EU & U.S.

Opinion: Employee Monitoring a Touchy Subject (July 6, 2011)

Employers considering monitoring employees should watch recent developments in the U.S. and Europe before proceeding, advises Philip Gordon in a Littler Workplace Privacy Counsel blog. Two bills were introduced on Capitol Hill last month on the use of location data; the Supreme Court has agreed to review a court decision holding that police tracking of a suspect violated Fourth Amendment rights, and the EU Article 29 Working Party's recently published opinion on geolocation services on smart mobile devices states that employers cannot lawfully monitor employees unless for a "legitimate business purpose." Such a focus in the EU "very well may spill over to the U.S. workplace," Gordon writes.

DATA PROTECTION

OECD Communiqué Nettles Some (July 1, 2011)

At a high-level meeting on the Internet economy this week, the Organisation for Economic Co-operation and Development released its Communiqué on Principles for Internet Policy-Making, which outlines the OECD's commitment to promoting the free flow of information; investing in high-speed networks and services; enabling cross-border delivery of services, and strengthening "consistency and effectiveness in privacy protection at a global level," among other areas. But some groups have criticised its plans to make Internet service providers more responsible for policing copyright infringement, something the Civil Society Information Society Advisory Council says could "lead to network filtering."

DATA PROTECTION—ITALY

Garante Issued €4 Million in Fines (July 1, 2011)

The Italian Data Protection Authority has released its annual report, which confirmed an increased level of monetary sanctions issued in the last year. The total amount of fines issued in 2010 was €4 million, writes Rocco Panetta of Panetta & Associati Studio Legale. The Garante also conducted audits and inspections, as did the financial police. In 2010, the Garante turned a greater focus towards the areas of banking, cloud computing, retailing and the storage of public data, among other areas. New members of the Board of the Garante are expected to be appointed by spring 2012. (Article in Italian.)

PERSONAL PRIVACY—UK

ICO Investigating Car Insurance Tactics (July 1, 2011)

Information Commissioner Christopher Graham has started an investigation into whether recently reported car insurance claim compensation tactics are breaches of data protection law, The Daily Mail reports. After a car accident, drivers' details are reportedly sold to law firms and car hire firms, and insurers sell client information to claims lawyers. According to the report, Graham's office receives up to 100 complaints per month from motorists who are contacted via phone and text and urged to claim compensation. The methods are part of what former Justice Secretary Jack Straw says is a "huge racket," adding that "the garages, the recovery firms--even the police--are selling on this information."

ONLINE PRIVACY—DENMARK

Internet ID Program Would Require SSN Identifiers (July 1, 2011)

A Danish Ministry of Justice working group has drafted a measure suggesting that Internet users identify themselves using a Social Security number or electronic signature. Deutsche Welle interviewed Jon Lund, chairman of the Danish Online News Association, on the topic; he says that there isn't much political support for the measure. He adds that he's "fairly confident that it won't pass if it gets proposed" and calls the approach "totalitarian," predicting that it would "narrow down people's willingness to communicate online."

DATA PROTECTION—UK

Opinion: Gambling Companies Should Plan, Train (July 1, 2011)

The sensitivity of the data that gambling companies hold about users creates increased risk and means they should be especially diligent in creating data protection and breach recovery strategies, writes data protection expert Kathryn Wynn for OUT-LAW News. Along with names and addresses, gambling companies hold payment details, bank account information and gambling habits. Wynn recommends that companies protect data with secure systems and processes, and "make sure security requirements and restrictions extend to any subcontractors and anyone else with access to the data." She also notes the importance of making sure "all your staff are trained and have the level of data protection expertise appropriate to their role."

DATA PROTECTION—ITALY

Resolution Impacts Banking Sector (July 1, 2011)

The Italian Data Protection Authority has passed a general resolution that impacts the banking sector. Rocco Panetta of Panetta & Associati Studio Legale writes that "after having monitored activities of 441 banks and financial institutions, the Garante issued rules to be followed in order to respect individual rights in the banking sector with specific respect to the obligation provided for by applicable bank law on tracking and storing all customers bank operations and, also, in connection with money laundering, bribery and fraud acts." The Garante now requires annual internal audits for banks and mandatory breach notification. (Article in Italian.)

DATA LOSS—UK

Online Data Exposures Announced (July 1, 2011)

An NHS job site was taken down on Tuesday to fix a computer error that left 69 new users' data exposed to others on the site, reports the Oxford Mail. The NHS Jobs Team has apologised for the breach, but one user lamented, "if the big companies can't keep hold of it, it doesn't give you much faith." Meanwhile, CBR reports that the Information Commissioner's Office is investigating a breach at Travelodge UK. Travelodge said the breach affected a "small number" of its customers' names and e-mail addresses and apologised for the incident, assuring customers that their financial data was not compromised.

ONLINE PRIVACY

New Database Contains 500 Million Profiles (July 1, 2011)

The Telegraph reports on a new database called Xaxis that has collected data from websites, advertisers and consumer research. The database contains the profiles of approximately 500 million individuals worldwide, and Xaxis says, according to the article, that it has covered nearly 100 percent of the populations of the UK, U.S., Australia and eight additional developed nations. The company says that its data is anonymised and cannot be traced to individuals. Xaxis' chief executive says, "The Internet is an advertising-supported medium, and much of the Web is free because advertisers want to put messages in front of people...We are supporting the broader Internet economy by improving the targeting of ads while also playing by the strictest privacy rules."