European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA PROTECTION—UK

Opinion: Fraud Relies on Data (August 31, 2011)

"Data is the fuel fraud needs to survive," opines London Police Commissioner Adrian Leppard for The Telegraph. Leppard points to a recent crime in which fraudsters targeted pensioners to illustrate the changing nature of fraud. "In this way, personal information--in this instance, a list of people...is a valuable, tradable commodity." Businesses storing large caches of data, therefore, are becoming a major battleground. "While individuals focus on shredding old utility bills and protecting their PINs, the reality is that businesses are a far greater source of data," he says, adding that a business's reputation for safeguarding customer data is now imperative.
Full Story

DATA LOSS

Phone Company Hacked (August 30, 2011)

Nokia says its developer forum website has been hacked, requiring it to shut down the site until "further investigations and security assessments" have been completed, The Wall Street Journal reports. The company says users' personal information--including e-mail addresses, some dates of birth and other data--was compromised. A hacker known as "pr0tect0r AKA mrNRG," believed to be based in India, claimed responsibility for the breach. "Though we have no evidence of any misuse, we believe the potential risk is an increase in unsolicited e-mail," the company said. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Identifiable By Association (August 30, 2011)

In an article for Slate, Kevin Gold discusses the "leaky" nature of online privacy. Pattern recognition software has made it increasingly possible to determine a person's identity not by the data that they themselves have shared online, but by what their friends have shared. A researcher from Northeastern University found that only 20 percent of college students needed to participate in filling out profile information online "in order to deduce facts about the nonresponders who friended others," the report states. Using statistics about common characteristics, it's possible to make a "statistically motivated guess as to whether a person belongs to a particular community."     
Full Story

PRIVACY LAW—EU

Opinion: The Directive’s Likely Direction (August 29, 2011)

In Field Fisher Waterhouse's Privacy and Information Law Blog, Eduardo Ustaran discusses the European Commission's yet-to-be-released revision of the EU Data Protection Directive. Ustaran predicts that the amended law may come in the form of a regulation, rather than a directive. Key changes may include Vice President Viviane Reding's "right to be forgotten" provision and a focus on meaningful transparency and consent, as well as accountability. It's crucial that the new law "shows the benefits of data protection for all and encourages compliance not just for the sake of it, but for the good of the future generations," Ustaran writes. 
Full Story

PRIVACY LAW—FRANCE

French Gov’t Publishes Legislation on Cookies and Data Breach Notification (August 26, 2011)

Today, the French government published legislation on cookies and data breach notification in accordance with Directive 2009/136/EC. Bird & Bird Associate Gabriel Voisin tells the Daily Dashboard that "Pursuant to Article 17 of Law no 2011-302 of 22 March 2011, implementation of the Directive 2009/136/EC has been delegated by French Parliament to the government." The legislation "introduces a requirement for consent to be obtained before cookies are placed" and that browser settings or another application can be used to signify consent. "Unlike the UK," Voisin says, "consent given through browser settings is valid even if the subscriber does not amend or set the controls." The legislation also introduces a data breach notification requirement for electronic communication providers.

BEHAVIORAL TARGETING—EU

Working Party Shares Self-Regulation Concerns (August 26, 2011)

Article 29 Working Party Chairman Jacob Kohnstamm has released an announcement of a September meeting with the Internet Advertising Bureau Europe (IAB) and European Advertising Standards Alliance (EASA) to discuss a self-regulatory framework for online behavioral advertising known as the EASA/IAB Code. In his announcement, Kohnstamm highlights input from the U.S. Federal Trade Commission and shares key concerns from the Working Party. Among those concerns, he references a provision in the code that allows tracking unless Internet users object, noting that while it is "an improvement to the current situation, it does not meet the requirement to obtain...informed consent" as required by the EU e-Privacy Directive. 
Full Story

SOCIAL NETWORKING—IRELAND & AUSTRIA

Austrian Group To File Complaint with DPC (August 26, 2011)

The Austrian-based lobby group "Europe v Facebook" will soon file a complaint with Ireland's Data Protection Commission (DPC) over a certain Facebook feature, TheJournal.ie reports. The group wants the DPC to investigate the legality of the site's "like" button, the report states. Last week, the privacy regulator for the German state of Schleswig-Holstein told website owners in that state to remove social plug-ins such as the "like" button from their sites, saying it violates state and federal laws. A spokesperson for the Irish DPC said it would look into "different aspects of Facebook Ireland's compliance with Irish data protection law" if it received a complaint. 
Full Story

DATA PROTECTION—IRELAND

Commissioner To Question “Cute” Site Operators (August 26, 2011)

The data protection commissioner will question the operators of a website that encourages people to take pictures of strangers they find attractive, reports The Irish Times. Data Protection Commissioner Billy Hawkes will ask the operators of Luascrush.com--which posts pictures of men using public transportation systems--if they are aware of their legal obligations. Hawkes said based on his examination of the website, the issues "in relation to the operation of the site are as much, if not more, in the general area of the extent of the right to privacy when in a public space--and the right to control the use of one's image--as strictly data protection."
Full Story

PRIVACY LAW—BELGIUM

DPA Simplifies BCR Authorisation Procedure (August 26, 2011)

In conjunction with the Ministry of Justice, the Belgian Privacy Commission has signed a protocol that will improve the efficiency of authorising binding corporate rules (BCRs) under the country's law, Hunton & Williams' Privacy and Information Security Law Blog reports. Prior to the protocol, no BCR had been approved because the Belgian Data Protection Act required a Royal Decree to authorise the BCR data transfers, which was "extremely impractical and burdensome," according to the report. The protocol provides minimum requirements for BCR approval, new approval procedures, an explanatory note and a pre-approved Royal Decree template. The report also includes a summarised version of the new procedure.
Full Story 

SURVEILLANCE—UK

“Smart” CCTV Being Developed (August 26, 2011)

BBC News reports on the work of researchers at Kingston University to develop CCTV that will be able to monitor illegal behaviour and track suspects. The scientists "have created a system that uses artificial intelligence to recognise specific types of behaviour, such as someone holding a gun," the report states, prompting privacy advocates to warn it might be used for other purposes--such as targeting protesters. The research is part of the ADDPRIV project, which is aimed at creating surveillance that takes privacy concerns into account, the report states, noting the new system would include "the automatic deletion of surplus video data."
Full Story

DATA LOSS—IRELAND

Medical Records Found in Bog (August 26, 2011)

The Office of the Data Protection Commissioner has opened an investigation into the discovery of medical records in a Galway bog, Newstalk reports. The names and addresses of Sligo General Hospital patients may have been exposed, according to the report. Community wardens found the records in an Abbeyknockmoy bog and notified the Health Service Executive.
Full Story

ONLINE PRIVACY

Facebook Unveils New Settings (August 24, 2011)

The Wall Street Journal reports that Facebook has unveiled new options to help users manage the amount of information they share on the site and with whom. The changes, to roll out Thursday, will allow users to check a box indicating which friends can see which online posts; share locations from PCs and laptops; control being "tagged" by others in posted photos; or block a user entirely, which prevents that user from tagging them in photos or otherwise interacting with them on the site. The company wants to make the sharing options "unmistakably clear," said a Facebook spokesman. (Registration may be required to access this article.)
Full Story

IDENTITY THEFT

Caller ID Spoofing Threatens Personal Privacy (August 23, 2011)

The New York Times reports on the rise of "spoofing," an easy-to-find and legal service that allows identity thieves to access others' voicemail accounts by disguising their phone numbers, and on consumer advocate Edgar Dworsky's recent finding that thieves can also use it to access some automated bank and credit card systems. Many mobile phone providers and financial institutions have phone systems that disclose personal information--like recent purchases--when a call is made from the customer's phone number. "There are additional steps mobile phone companies and the card issuers could take to stop this sort of thing from ever happening," the report states. "The fact that many of them don't, however, makes this your problem to solve." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

Survey: Many Gov’t Websites Unprepared for Cookie Law (August 23, 2011)

An independent audit by Socitm of 603 public-sector websites, including 433 local authorities, has found that only a half-dozen have taken action to be sure their websites comply with new cookie legislation, ZDNet reports. The cookie law, which came into force in May, requires website owners to gain consent from users before cookies are placed on computers or mobile devices. The average number of cookies on sites surveyed was 32, while one site contained 1,346 cookies. The Information Commissioner's Office has given websites one year to come into compliance before taking enforcement action.
Full Story

CONSUMER PRIVACY—U.S. & EUROPE

No Right To Be Forgotten (August 22, 2011)

"In a data economy where personal information is an increasingly valuable currency, a customer's automatic access to a delete button remains an exception," writes Natasha Singer for The New York Times. Singer recently received a promotional text message from her dentist's office, though she had given her cell phone number for different purposes. Though the communications company that facilitated the message allowed Singer to delete the information stored on her, companies in the U.S. aren't required to recognize citizens' right to be forgotten, despite a bill introduced in the House of Representatives last May and recommendations from the FTC. EU citizens, meanwhile, have stronger rights under the Data Protection Directive, the report states.

BEHAVIORAL TARGETING

Company Advises Against UDID (August 22, 2011)

Software developers who build programs for Apple's operating system have been asked by the company to avoid using unique device identifiers (UDID) in software for its iPhones and iPads, The Wall Street Journal reports. UDIDs make it easier for advertising networks, analytics firms and others to observe and track users' online behavior. A deadline for the change has not been specified, but the company's website tells developers that the tracking tool "has been superseded and may become unsupported in the future." The Center for Democracy & Technology's Justin Brookman said, "I want to see how this all plays out, but at first glance, this is a really good result for consumers." (Registration may be required to access this story.)        
Full Story

HEALTHCARE PRIVACY—IRELAND

Commissioner Investigating Hospital Transcription Services (August 20, 2011)

Tallaght Hospital says the third party to which it outsourced medical transcription did not alert it to two ownership changes within two years, irishhealth.com reports. The data protection commissioner is investigating a breach involving unauthorised use and disclosure of personal information and says the changes in the outsourcing company's ownership are key components of the investigation. Tallaght says it has since terminated its contract with the company. Meanwhile, the commissioner is questioning dozens of hospital consultants and doctors about their uses of transcription services.
Full Story
DATA LOSS—IRELAND

Files Stolen from Nurse’s Car (August 20, 2011)

The Longford Leader reports that private documents were stolen from a district health nurse's car last week. Health Service Executive officials say they have launched an internal review, and the Gardaí are said to be investigating as well. The incident follows a breach last week when files, largely belonging to Longford patients, were found outside a hospital by a passerby.
Full Story

BEHAVIOURAL TARGETING

Group: Do Not Track Would Affect Research (August 20, 2011)

Measures to introduce do-not-track lists could have unintended consequences for research, warns industry association Esomar. The association says European Commissioner Neelie Kroes' calls on the online industry to standardise do-not-track practices should not be ignored, adding that the standards would apply to companies beyond advertisers, reports Research. "The problem for researchers is that their companies appear on these tracking protection lists, and this blurs the distinction between the non-sales purpose of research and tracking, which aims to promote and sell," Esomar said.  
Full Story

SOCIAL NETWORKING—GERMANY

Schleswig-Holstein Commissioner Orders Site Owners To Deactivate Analytics (August 19, 2011)

The Independent Centre for Privacy Protection (ULD)--the privacy regulator for the German state of Schleswig-Holstein--has told website owners in that state to "shut down their fan pages on Facebook and remove social plug-ins such as the 'like' button" from their sites. In a press release, the ULD said that "after a thorough legal and technical analysis," it concluded that use of such features violates the German Telemedia Act, the Federal Data Protection Act and the Data Protection Act of Schleswig-Holstein. The ULD is giving website owners until the end of September to discontinue use or face consequences.

PERSONAL PRIVACY—GERMANY

Berlin Officers To Fight ID Requirement (August 19, 2011)

Berlin police officers are staging a fight against a new requirement for them to wear personal identification on their uniforms, The Local reports. In 2010, the Berlin police superintendent established the mandate, which took effect last month and requires officers to wear their personnel numbers or names. Berlin is the first German state to make such a requirement, according to the report. A Berlin police spokesman said wearing identification "is a form of customer service," but one officer said, "I'm afraid. We deal daily with criminals and people who want to hurt us." The officers have the backing of the GdP police union. A GdP administrator said, "There is no compromising on this."  
Full Story

DATA PROTECTION

Opinion: Are PIAs Enough? (August 19, 2011)

In a Communications of the ACM article, David Wright of Trilateral Research considers whether privacy impact assessments (PIAs) should be mandatory. As databases grow, so do data breaches. PIAs are a reasonable tool for any organization managing personal data, but are they enough? Wright says no; the most effective way to protect sensitive information is to use PIAs with a "combination of tools and strategies, which include complying with legislation and policy, using privacy-enhancing technologies and architectures and engaging in public education..." Whether PIAs will become mandatory, in the meantime, remains to be seen. (Registration may be required to access this story.)      
Full Story

ONLINE PRIVACY

Will Web Giants Be Regulated? (August 19, 2011)

As debates continue about whether websites will self-regulate or be regulated, The Prague Post reports that some experts are skeptical that the EU will be able to force Internet giants to follow potential online privacy regulations. "If Google, Facebook, Microsoft and Apple, et al, simply say 'no,' what is the EU going to do?" asks one expert. "Some of these companies are, financially, as big or bigger than some EU nations. They could and should be responsible for removing personal data, but they won't do it."  
Full Story

Schleswig-Holstein commissioner orders site owners to deactivate analytics (August 19, 2011)
The Independent Centre for Privacy Protection (ULD)—the privacy regulator for the German state of Schleswig-Holstein—has told website owners in that state to “shut down their fan pages on Facebook and remove social plug-ins such as the ‘like’ button” from their sites.

In a press release, the ULD said that “after a thorough legal and technical analysis,” it concluded that use of such features violates the German Telemedia Act, the Federal Data Protection Act and the Data Protection Act of Schleswig-Holstein. 

From the ULD press release:

“By using the Facebook service, traffic and content data are transferred into the U.S.A., and a qualified feedback is sent back to the website owner concerning the web page usage, the so called web analytics (Ger.: ‘Reichweitenanalyse’). Whoever visits facebook.com or uses a plug-in must expect that he or she will be tracked by the company for two years. Facebook builds a broad individual and for members even a personalized profile. Such a profiling infringes German and European data protection law. There is no sufficient information of users and there is no choice; the wording in the conditions of use and privacy statements of Facebook does not nearly meet the legal requirements relevant for compliance of legal notice, privacy consent and general terms of use.”

The ULD calls for Schleswig-Holstein website owners to immediately deactivate the services. “If this does not take place by the end of September 2011, ULD will take further steps,” the release states. 

ULD International Coordinator Kirsten Bock told the IAPP Europe Data Protection Digest that the ULD will levy fines against sites that fail to comply, “but only after having gone through the formal procedures in each and every case and as a last resort. We still hope to solve the issue in a more constructive way,” Bock said.

Data Protection Commissioner Thilo Weichert, head of the ULD, said his organisation “has pointed out informally for some time that many Facebook offerings are in conflict with the law,” but website owners continue to use them.

Weichert added that “Institutions must be aware that they cannot shift their responsibility for data privacy” onto non-German enterprises and users.

He also promised more action.

“Our current call is only the beginning of a continuing privacy impact analysis of Facebook applications” Weichert said. “ULD will continue in cooperation with other German data protection authorities.”

Commissioner Weichert has issued similar...

ONLINE PRIVACY

Researchers Uncover “Supercookies” (August 18, 2011)

The Wall Street Journal reports on the latest online tracking methods, including the existence of "supercookies" found on popular websites. Researchers at Stanford University and the University of California at Berkeley say that supercookies are able to recreate a user's profile even after normal cookies are deleted. According to the report, companies who were found to be using the tracking technology have since stopped the practice. A Microsoft representative said as soon as the supercookies were "brought to our attention, we were alarmed. It was inconsistent with our intent and our policy." Hulu said in an online statement that it "acted immediately to investigate and address" the supercookie issue. (Registration may be required to access this story.)

PRIVACY LAW—BELGIUM

Authorities Offer Company Extrajudicial Settlement (August 18, 2011)

A federal prosecutor from Belgium has offered Google the opportunity to pay a €150,000 fine to settle claims of illegal data collection practices stemming from its Street View project, Bloomberg reports. The company now has three months to accept the offer or the case could be brought before the country's federal court, which could declare higher fines or imprisonment. A Google representative said, "We have received an offer of extrajudicial settlement from the Belgian federal prosecutor, and we have to study it carefully."  
Full Story

PRIVACY LAW—EU

Obtaining consent in Europe: Mission Impossible? (August 18, 2011)
By Jan Dhont

On 13 July 2011, the Article 29 Working Party (WP 29) adopted its opinion on the definition of consent.

The opinion clarifies the concept of consent as currently used in the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC) as the legal basis for processing personal data. Furthermore, the WP 29 formulates policy recommendations for the review of the Data Protection Directive (95/46/EC).

Generally, consent is defined as “any freely given specific and well informed indication of his wishes by which the data subject signifies his agreement to personal data regarding him being processed.” The opinion breaks down the definition into different conditions for consent to be valid.

First, consent is “any indication of wishes…signifying the data subject’s agreement.” “Any indication” indicates that there are no limits as to the form of consent. However it is clear that some kind of action from the data subject is required (i.e. written or oral statement or any behavior from which the consent can reasonably be inferred, such as dropping a business card into a glass bowl).

Second, consent should be “freely given” (i.e. the data subject should have a real choice and there may not be a risk of deception, intimidation, coercion or significant negative consequences suffered in relation to the refusal to consent). The freedom of choice can be affected by certain situations and contextual elements (e.g. situation of subordination or dependency such as in the context of employment and other contextual elements such as financial, emotional or practical consequences related to refusing processing of personal data).

Third, consent should be “specific” (i.e. clearly and precisely refer to the exact purposes of the intended processing). Consequently, blanket consent is not permitted. The opinion calls for specific consent clauses separated from the general terms and conditions in a contract.

Finally, the consent needs to be “informed.” The information provided to data subjects should meet a certain quality standard (i.e. in plain text, without use of jargon and understandable) and be clear and sufficiently conspicuous to ensure that data subjects notice the information.

In addition to the above-mentioned conditions, consent must be unambiguous and in certain cases (i.e. processing of sensitive data) explicit. To obtain unambiguous consent, data controllers should provide a procedure that leaves no doubt about the...

DATA RETENTION—HUNGARY

Ombudsman Orders Survey Data Destroyed (August 17, 2011)

Hungary's data protection ombudsman, Andras Jori, has declared that the personal data collected from a government-issued survey has not been handled correctly, should be deleted from the records and should not be used or processed in the future. In June, Jori established that the questionnaires did not meet the country's data protection law and ordered the data be erased, but, according to Politics.hu, Jori said on Tuesday that the agency in charge of destroying the data has not complied with his instructions, prompting him to ban the database containing the personal information. 
Full Story

ONLINE PRIVACY—UK & NEW ZEALAND

ICO Gives Google Good Grades, Not a “Rubber Stamp” (August 16, 2011)

After auditing the company's privacy structure, the Information Commissioner's Office (ICO) says that Google "has taken reasonable steps to improve its privacy policies" but adds that the audit "is not a rubber stamp," The Telegraph reports. The company agreed last year to let the ICO conduct the audit in light of its controversial Street View project. The ICO said that "the audit verified that Google made improvements to their internal privacy structure," but it "needs to ensure its work in this area continues to evolve alongside new products and technologies." Meanwhile, in a Google blog post, the company announced that it will conduct a privacy impact assessment on any additional Street View activities in New Zealand.   
Full Story

PRIVACY LAW—UK

Commission: Privacy Laws Insufficient (August 15, 2011)

A report from the Equality and Human Rights Commission says that UK privacy laws do not do enough to protect citizens, The Inquirer reports. Current privacy laws have failed to prevent breaches and keep pace with advances in technology and increases in the amount of data organizations collect about individuals, the report states. "This needs to change so that any need for personal information has to be clearly justified by the organization that wants it. The law and regulatory framework needs to be simplified and, in the meantime, public authorities need to check what data they have and that it complies with the existing laws," said Commissioner Geraldine Van Bueren.
Full Story

DATA PROTECTION

Tokenization Guidelines Released (August 15, 2011)

The Payment Card Industry Security Standards Council (PCI SSC) has released guidelines on tokenization, SC Magazine reports. The PCI DSS Tokenization Guidelines Information Supplement provides suggestions for "developing, evaluating or implementing a tokenization solution, including insight on how a tokenization solution may impact the scope of PCI DSS efforts," the report states. "These specific guidelines provide a starting point for merchants when considering tokenization implementations. The council will continue to evaluate tokenization and other technologies to determine the need for further guidance and/or requirements," said PCI SSC General Manager Bob Russo. 
Full Story

HEALTHCARE PRIVACY—ESTONIA

AKI Investigating Information System (August 12, 2011)

The Data Protection Inspectorate (AKI) is conducting an audit of Estonia's Internet-based healthcare information system following concerns about easy access to data and the potential for it to be misused, ERR News reports. Referencing fears raised by individuals, doctors and groups such as the Patients Advocacy Association around the ability for any healthcare employee to access patients' medical histories, the report notes that AKI has said "an aura of doubt and suspicion around such a vital information system cannot be allowed to remain."
Full Story

DATA PROTECTION—MALTA

Chairman Asks DPC To Investigate Allegations (August 12, 2011)

The chairman of the Malta Information Technology Agency (MITA) is asking the data protection commissioner to investigate claims his position is "dangerous to individual freedoms on data protection," TIMESOFMALTA.com reports. At least two individuals have called for the chairman's resignation because they say his position in the MITA gives him the ability to access citizens' data, the report states. "It is unacceptable that a person is in the counting hall in an election campaign taking care of the Nationalist Party's data," says the leader of the Labour Party, "and also heads an agency that has all the personal data of Malta and Gozo." 
Full Story

DATA LOSS—UK

Undertakings Signed, Another Breach Reported (August 12, 2011)

Two entities have signed undertakings with the Information Commissioner's Office (ICO), committing to increase actions towards the protection of personal data. The head teacher of Bay House School in Hampshire has pledged to improve data security practices after the ICO found the school to have breached the Data Protection Act by exposing the personal data of students, teachers and parents. The chief executive of HCA International Ltd has agreed to better secure data after being found to have breached the act by losing two unencrypted laptops containing individuals' medical data. Meanwhile, a Bradford councillor has notified the ICO about the discovery of paper medical files abandoned at a former nursing home.
Full Story

DATA PROTECTION—UK

DPA Warns Retailers (August 12, 2011)

The Information Commissioner's Office (ICO) has announced that cosmetics retailer Lush will not be fined for a breach that compromised the payment data of approximately 5,000 customers over a four-month period. According to an ICO news release, the company is required to "sign an undertaking" that says it will comply with the Payment Card Industry Data Security Standard (PCI DSS). Some are criticising the ICO for not fining the company, but the ICO's Sally-Anne Poole said, "This breach should serve as a warning to all retailers that online security must be taken seriously and that the PCI DSS or an equivalent must be followed at all times." The ICO has warned that companies that fail to adhere to the PCI DSS "or provide equivalent protection" risk facing enforcement action, according to an OUT-LAW.COM report.
Full Story

Company Cancels Advertising Scheme (August 12, 2011)

LinkedIn has announced that it will no longer pursue its new form of advertising called "social ads," which shared users' activities and included their pictures, The Wall Street Journal reports. The company began testing the initiative in late June after announcing it to users. Complaints about user privacy followed, including a statement from the Dutch Data Protection Authority that the company's changes may have breached Dutch privacy law. The company's head of marketing solutions told users, however, that "The only information that (was) used in social ads is information that is already publicly available and viewable by anyone in your network." (Registration may be required to access this article.)

SOCIAL NETWORKING

Threat To Destroy Site May Be Hoax (August 12, 2011)

A reported threat by a hacker group to destroy Facebook on November 5 may have been a hoax, reports eWeek. The group claimed earlier this week that it would destroy Facebook on the grounds of privacy issues, stating that the site's privacy controls are lacking. But some are skeptical about the claims. The CEO of Kaspersky Lab, Eugene Kaspersky, tweeted about the news on Wednesday, saying it "most probably is fake." Others have also registered skepticism.
Full Story

DATA PROTECTION—UK

Smartphone Use by Rioters Creates Privacy Dilemma (August 11, 2011)
Research in Motion (RIM) has placed itself in the smartphone market as the provider able to ensure security and corporate privacy for its users, Zack Whittaker writes for ZDNet. But currently, its secure Messenger service is being used by rioters in London to organize, and UK authorities will be issuing warrants to access these messages, Whittaker writes. While RIM has pledged to help UK authorities whenever possible, it still needs to maintain its reputation as a secure provider, he states. RIM does not hold the encryption keys, however, so the messages it provides will be encrypted. According to Whittaker, RIM has one consideration, "how it can continue to market itself as a secure communications platform, when ultimately it is still vulnerable to the laws of the land."

DATA PROTECTION

Report Analyzes Advanced Persistent Threats (August 11, 2011)

In its latest global threat report, Cisco has found that data breaches have been "seemingly nonstop" in 2011, with unique instances of malware more than doubling, siliconrepublic reports. The report discusses advanced persistent threats (APTs) and the difficulty of identifying them, saying that APTs "must enable the attacker to remotely manipulate a system while remaining virtually invisible to standard defenses." A Cisco representative said, "If anyone attempts to sell your organization a hardware or software solution for APTs, they either don't understand APTs, don't really understand how computers work or are lying--or possibly all three."      
Full Story

PRIVACY LAW—EUROPE

Court Case Results from “Transatlantic Clash” (August 10, 2011)
Spain's government has ordered Google to halt its indexing of data on certain individuals, The New York Times reports. Ninety individuals who filed complaints with the Spanish Data Protection Agency will benefit from the order, which is now being considered in court. Google has asserted that the requirement "would have a profound chilling effect on free expression without protecting people's privacy." Experts weigh in on the order, the origins of the concept of a "right to be forgotten" and the differing perspectives. "What you really have here is a transatlantic clash," said a Swiss native and Georgetown University professor. (Registration may be required to access this story.)

PRIVACY LAW—THE NETHERLANDS

Company May Have Breached Law (August 10, 2011)

A recent change to its privacy settings may mean that a social networking site has breached Dutch privacy law, Radio Netherlands Worldwide reports. LinkedIn should have asked users for explicit consent before using their profile pictures for advertising material, the Dutch Data Protection Authority (CBP) says, adding that default settings on social networking sites should be privacy-friendly and opt-in. The CBP statement is in concert with a recent Article 29 Working Party clarification on consent requirements.
Full Story

ONLINE PRIVACY

The War On Anonymity (August 8, 2011)

A SPIEGEL International report discusses what some describe as a war on online anonymity. Some say anonymity is the Internet's greatest strength--promoting free speech and privacy--but others see it as increasingly dangerous. In the wake of terrorist acts and cyber-bullying worldwide, there is a push to reveal the identities of extremist bloggers and online bullies. In fact, a Carnegie Mellon study found that when users were required to identify themselves by using their real names, they behaved in a more civilized way. However, an American Association for the Advancement of Science report states that "Anonymous communication should be regarded as a strong human right."  
Full Story

SOCIAL NETWORKING

Start Up Allows for Privacy On the Web (August 8, 2011)

A social network launched in April of this year claims to give people "real-world style, disposable interaction on the web," reports PaidContent. In an interview, SecretSocial co-founder Zubin Wadia discusses the idea behind the company and its plans for the future, including becoming the "go-to place" for private conversations when using other online networks. All SecretSocial conversations have an expiration date set by the users involved, at which time the conversation is deleted from user browsers as well as the company's servers. According to Wadia, one of the problems behind Internet privacy is the assumption that data needs to be retained forever. "A lot of this data analysis, complex or not, can occur in realtime," he says.
Full Story

DATA PROTECTION—UK

Are Fines the Best Incentive to Keep Data Secure? (August 5, 2011)

The Information Commissioner's Office (ICO) has fined six organizations for breaching the Data Protection Act, and of the fines assessed, four were to local councils already struggling with budget cuts, reports Computing. This has some wondering whether fines are appropriate incentives for protecting data. One council's head of IT said, "Training and education is the best way to prevent data breaches. And we could have funded more of both if we hadn't been fined." But an ICO spokeswoman says, "The best way a public authority can protect taxpayers' money is by not being lax in the way it looks after personal information." Meanwhile, Information Commissioner Christopher Graham has asked for custodial sentencing to be added to his enforcement tools.    
Full Story

DATA PROTECTION—UK

MPs Urge Gov’t to Consult with ICO on ID-handling Plan (August 5, 2011)

In a report published this week, MPs urge the government to work with the Information Commissioner's Office on its plans to develop an "ID assurance" protocol that could see ID handling outsourced to third parties, The Register reports. Published on Tuesday, the Public Administration Select Committee report, "Government and IT - 'a recipe for rip-offs': time for a new approach," says that the ID-handling model being proposed by the Cabinet Office will "need to be trialled extensively," and warns that concerns about privacy "could act as a barrier to implementing such a radical reform." The authors recommend the government work with the ICO to "review potential barriers" and explore development options.
Full Story

GEO PRIVACY—FRANCE

CNIL Investigating Phone Tracking Practices (August 5, 2011)

France's Data Protection Authority (CNIL) has announced that it is investigating the location information collection practices of Apple iPhones, PC Magazine reports. The move comes shortly after the South Korean government fined the company for unauthorised collection of location data. CNIL is looking into how the company encrypts the location data that it collects. "We have sent two letters to Apple, who have responded to us in part," said CNIL's Yann Padova. "We received some clarifications, but they were not complete. The file is still under investigation."   
Full Story

DATA LOSS—UK

Media Source May Have Been Breached (August 5, 2011)

Chris Duncan, a spokesman for News Group Newspapers, says that customer information from competitions and polls held on its website may have been breached by hackers, SC Magazine reports. Compromised data could include names, addresses, birth dates, e-mail addresses and phone numbers, but not financial or password information. Duncan says the company is "working closely with the police and Information Commissioner's Office to ensure that all steps are taken to retrieve the files involved." Field Fisher Waterhouse partner Stewart Room says the breach illustrates "that we do not properly understand the full dynamics of cyber threats." 
Full Story

DATA LOSS—IRELAND

Patient Data From Hospital Breached (August 5, 2011)

A Dublin hospital using the transcription services of Uscribe has confirmed that sensitive patient information underwent "unauthorised access and disclosure," while a Cork hospital using the same company says it has "no evidence whatsoever that any of its patient data has been misused, destroyed or disclosed improperly," The Irish Times reports. The compromised records include patient consultations with doctors and hospital referrals, but according to the report, not full medical records. The Data Protection Commissioner's office will meet with the chief executive of the Dublin hospital to discuss the incident. 
Full Story

DATA PROTECTION—EU & U.S.

European Companies Avoiding U.S. Cloud Providers (August 5, 2011)

The Financial Times reports that European companies are choosing not to use U.S.-based cloud service providers because of legal obligations the service providers have to the U.S. government under the USA Patriot Act. According to the report, under the U.S. legislation data that is stored, processed or retained by a U.S.-based service provider must be made available for inspection by U.S. authorities without notification to users, which conflicts with the European Data Protection Directive. One European IT chief said, "We would never be able to use a U.S.-based provider of cloud services, even if the data is stored in a data center in the EU," suggesting that European companies would instead use local service providers. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—ITALY

Garante to Investigate Call Centres’ Compliance (August 5, 2011)

The Italian Data Protection Authority has extended its investigation of major telephone operators to include call centre service providers located outside the country. Rocco Panetta of Panetta & Associati in Rome tells the IAPP Europe Data Protection Digest that the Garante will look into the centres' compliance with data protection rules--particularly those related to the processing of employee data, data protection outsourcing arrangements and international data transfers. (Article in Italian.)  
Full Story

DATA LOSS—UK

Housing Bodies Breached Data Protection Act (August 5, 2011)

Two London housing bodies have agreed to better secure the personal data of tenants after the Information Commissioner's Office (ICO) deemed that they breached the Data Protection Act, BBC News reports. A contractor for Lewisham Homes and Wandle Housing Association left an unencrypted memory stick containing the personal data of 26,000 tenants in a pub. ICO head of enforcement Sally-Anne Poole said, "Luckily, the device was handed in and there is no suggestion that the data was misused. But this incident could so easily have been avoided if the information had been properly protected."
Full Story

DATA PROTECTION—ITALY

Inspection Plan Approved (August 5, 2011)

The Italian Data Protection Authority's inspection plan for the second half of 2011 has been approved, and it includes a focus on the areas of telemarketing, fax abuse, debt collection activities and social security institutions, among other areas in both the public and private sectors. According to the Garante, it will pay special attention to the potential infringements related to the Opposition Register; the Privacy Unit of Guardia di Finanza will inspect all of the most-reported companies on the register. In the first half of the year, the Garante carried out nearly 230 inspections and levied 181 sanctions, the fines from which resulted in more than 1 million euros in revenue. 
Full Story

DATA PROTECTION

Opinion: Digital Technology Provides Opportunities, Risks (August 5, 2011)

In The Guardian's "Privacy Matters Blog," Tanya Notley writes that though new digital technologies are a crucial component of the development sector, they also pose risks to privacy and security. Mobile phones, the Internet, social networking sites and digital videos "can play a critical role in helping people hold governments and development agencies accountable," but, Notley adds, "while new communication technologies have become cheaper and easier to use, they have also become more opaque." Notley highlights the difficulty of developing strategies for digital privacy and security, writing, "Some information needs to be widely circulated; some needs to be fiercely protected."
Full Story

BEHAVIORAL TARGETING

Web Tracking Raises Revenue, Threatens Privacy (August 4, 2011)
USA Today reports on the rise in online tracking for behavioral advertising and the subsequent challenges tracking poses to personal privacy. Privacy advocates are concerned that digital shadowing will erode "traditional notions of privacy," while new research suggests that as more companies exercise online tracking, opportunities for the loss of privacy increase, the report states. Ernst & Young's Sagi Leizerov, CIPP, says, "It is a mistake to consider tracking benign...It's both an opportunity for amazing connections of data as well as a time bomb of revealing personal information you assume will be kept private."

ONLINE PRIVACY

Company To Sell Tracking Abilities to Merchants (August 4, 2011)

Online deals company Foursquare is looking to bring in revenue by selling its merchants software that will enable them to track--and therefore better target specials to--their customers who use the service. Traditionally, social media companies have turned to advertisers to monetize "free" services, and Foursquare's method may end up putting them in the center of the privacy debate, according to Erik Sherman, writing for BNET. "The minute you start analysis on people at specific stores, particularly smaller stores with repeat customers, consumer anonymity begins to fade," Sherman writes. "Set the right specials, and a store owner could begin matching faces, names (especially from credit card purchases) and online identities."
Full Story

BIOMETRICS—GERMANY

DPA Demands Changes to Facial Recognition Feature (August 3, 2011)
In a statement released on Tuesday, the head of Hamburg's data protection authority said Facebook's facial recognition feature violates German data protection laws, the Financial Times reports. "The problem is not with the facial recognition itself," said Johannes Caspar, "but the data that is stored in the background to allow the system to recognize a face." He said the company "needs to design a new kind of system to get consent from people before their data is stored." Caspar has given Facebook two weeks to respond to his demand for change or disablement. Other European regulators are looking into the feature. (Registration may be required to access this story.)

GEO PRIVACY

Company Limits WiFi Location Database (August 2, 2011)

CNET News reports that Microsoft has stopped publishing the locations of WiFi connections on its Live.com database. Access to the website has been restricted as of last Saturday, according to the report. The location data was gathered from Windows Phone 7 phones and "managed driving" that records WiFi signals accessed from public roads. A Microsoft representative wrote, "This change improved filtering to validate each request so that the service will no longer return an inferred position when a single Media Access Control address is submitted," adding, "We will continue to update our service with improvements that benefit the consumer in both positioning accuracy as well as individual privacy."  
Full Story
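The filter Microsoft describes, a lookup that will not return an inferred position when only one MAC address is submitted, is the kind of guard any WiFi-positioning service needs, because a database keyed on BSSID is otherwise a locator for any single device whose address an attacker knows. The following is an added example in Python, not Microsoft's code: the access-point database and its coordinates are constructed, and the minimum-count threshold and the spread check (which stops an attacker padding a target address with a known but distant access point to pass the count) are assumptions.

```python
"""Guard for a WiFi-positioning lookup: a position is inferred only from a set
of co-located access points, never from one submitted MAC address, so the
database cannot be turned into a locator for a single known device.
Added example; the database, thresholds and spread check are assumptions."""
import re
from math import asin, cos, radians, sin, sqrt

MIN_DISTINCT_BSSIDS = 2      # assumption: at least two different access points
MAX_SPREAD_KM = 1.0          # assumption: matched APs must plausibly be co-located
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample database: BSSID -> (lat, lon). Coordinates are invented.
WIFI_DB = {
    "00:11:22:33:44:55": (51.5074, -0.1278),   # two APs on the same street
    "00:11:22:33:44:66": (51.5076, -0.1282),
    "66:77:88:99:aa:bb": (48.8566, 2.3522),    # an AP in a different city
}


def normalize_mac(mac):
    """Canonical lower-case colon form; rejects anything that is not a MAC."""
    m = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def infer_position(bssids):
    """Return an averaged (lat, lon) for the request, or None when it is refused.

    Refused when fewer than MIN_DISTINCT_BSSIDS distinct addresses are submitted
    (repeating one address does not count), when fewer than that many are known,
    or when the known APs are too far apart to be one device's surroundings
    (a target MAC padded with a known far-away AP to beat the count check).
    """
    distinct = {normalize_mac(b) for b in bssids}
    if len(distinct) < MIN_DISTINCT_BSSIDS:
        return None
    known = [WIFI_DB[b] for b in sorted(distinct) if b in WIFI_DB]
    if len(known) < MIN_DISTINCT_BSSIDS:
        return None
    spread = max(haversine_km(p, q) for p in known for q in known)
    if spread > MAX_SPREAD_KM:
        return None
    lat = sum(p[0] for p in known) / len(known)
    lon = sum(p[1] for p in known) / len(known)
    return (round(lat, 5), round(lon, 5))


if __name__ == "__main__":
    print(infer_position(["00:11:22:33:44:55"]))                       # None: one address
    print(infer_position(["00:11:22:33:44:55", "00-11-22-33-44-55"]))  # None: same address twice
    print(infer_position(["00:11:22:33:44:55", "66:77:88:99:aa:bb"]))  # None: padded with a distant AP
    print(infer_position(["00:11:22:33:44:55", "00:11:22:33:44:66"]))  # a position
```

The count check alone is not enough: de-duplication defeats the obvious "send the same MAC twice" bypass, and the spread check defeats padding with a well-known access point elsewhere. Neither stops a requester who already knows a neighbouring AP of the target, which is why the threshold is a policy choice rather than a hard guarantee.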

PRIVACY LAW—NETHERLANDS

New Law Aims to Deter Privacy Breaches (August 1, 2011)
A new law expected to become effective this year will allow for the imposition of fines for data privacy violations, Radio Netherlands Worldwide reports. "People's personal data are being used by others all the time, without their realizing it in the least," said Dutch Data Protection Commissioner Jacob Kohnstamm, who is assisting the justice ministry in drafting the law. "The new, steep fines will make sure that people's privacy will be respected." Violators risk fines from 25,000 to several million euros. Kohnstamm has also announced that his office is investigating the presence of regional electronic medical records.

BIOMETRICS

Study: Facial Recognition Technology Powerful, Intrusive (August 1, 2011)

The Wall Street Journal reports on research conducted at Carnegie Mellon University that successfully identified approximately one-third of participants using the same facial recognition technology recently acquired by Google. Using profile data from Facebook, the study's author could also correctly predict the first five digits of the participants' Social Security numbers nearly 27 percent of the time. One law professor notes that the combination of available, "anonymous" online data and the technology makes re-identifying people possible. The study's author says, "This paper really establishes that re-identification is much easier than experts think it's going to be." (Registration may be required to access this story.) 
Full Story
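The mechanism behind the study's result is linkage: a record that carries no name is joined to a public profile on attributes both share, and once the profile is found its other fields (here, the birth data that feeds the Social Security number prediction) come with it. The facial-recognition match itself cannot be reproduced here, so the added Python example below (not the study's code or data) uses a plain quasi-identifier join on constructed "anonymous" and public records, and pairs it with the k-anonymity check a data publisher would run before release. The records, names and attribute choices are all invented.

```python
"""Linkage (re-identification) attack on an 'anonymous' dataset via
quasi-identifiers, plus the k-anonymity check a publisher would run first.
Added example with constructed data; not the CMU study's code or data."""
from collections import Counter

# Constructed "anonymous" release: no names, but a sensitive attribute.
ANON = [
    {"id": "a1", "dob": "1985-03-02", "zip": "02139", "sex": "F", "diagnosis": "asthma"},
    {"id": "a2", "dob": "1985-11-30", "zip": "02142", "sex": "F", "diagnosis": "none"},
    {"id": "a3", "dob": "1990-07-19", "zip": "15213", "sex": "M", "diagnosis": "diabetes"},
    {"id": "a4", "dob": "1990-07-19", "zip": "15213", "sex": "M", "diagnosis": "none"},
]

# Constructed public profiles (the role played by social-network data in the study).
PUBLIC = [
    {"name": "Alice Example", "dob": "1985-03-02", "zip": "02139", "sex": "F"},
    {"name": "Beth Example",  "dob": "1985-11-30", "zip": "02142", "sex": "F"},
    {"name": "Carl Example",  "dob": "1990-07-19", "zip": "15213", "sex": "M"},
    {"name": "Dan Example",   "dob": "1990-07-19", "zip": "15213", "sex": "M"},
    {"name": "Erin Example",  "dob": "1985-06-15", "zip": "02140", "sex": "F"},
]

QI = ("dob", "zip", "sex")   # quasi-identifiers: individually harmless, jointly identifying


def qi_tuple(rec, keys=QI, coarse=False):
    """Quasi-identifier key for a record; coarse=True generalises to birth year and ZIP3."""
    vals = []
    for k in keys:
        v = rec[k]
        if coarse and k == "dob":
            v = v[:4]
        if coarse and k == "zip":
            v = v[:3]
        vals.append(v)
    return tuple(vals)


def link(anon, public, keys=QI, coarse=False):
    """Map each anonymous id to the one public name sharing its quasi-identifiers.

    A record is re-identified only when exactly one profile matches; zero or
    several matches leave it None (the attacker cannot tell which person it is).
    """
    index = {}
    for p in public:
        index.setdefault(qi_tuple(p, keys, coarse), []).append(p["name"])
    result = {}
    for a in anon:
        candidates = index.get(qi_tuple(a, keys, coarse), [])
        result[a["id"]] = candidates[0] if len(candidates) == 1 else None
    return result


def reidentified(mapping):
    """Number of anonymous records that were tied to exactly one person."""
    return sum(1 for name in mapping.values() if name is not None)


def k_anonymity(records, keys=QI, coarse=False):
    """Size of the smallest equivalence class; k == 1 means someone is unique."""
    return min(Counter(qi_tuple(r, keys, coarse) for r in records).values())


if __name__ == "__main__":
    for coarse in (False, True):
        m = link(ANON, PUBLIC, coarse=coarse)
        print("generalised" if coarse else "raw", "k =", k_anonymity(ANON, coarse=coarse),
              "re-identified:", reidentified(m), m)
```

On the raw attributes the release is only 1-anonymous and two of the four records link to a single name, which then exposes the sensitive diagnosis; generalising date of birth to year and ZIP to its first three digits raises k to 2 and no record links uniquely. The check is cheap to run before publication, and it is exactly the check the study suggests experts skip when they assume that dropping names is enough.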