European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

SOCIAL NETWORKING

Irish DPC Opens Investigation; Data Use Concerns Persist (September 30, 2011)

Following an advocacy group's logging of more than 20 complaints, Ireland's Data Protection Commission "will examine all of Facebook's activities outside the U.S. and Canada" with a goal of publishing its findings by the end of the year, siliconrepublic reports. Meanwhile, the Financial Times highlights privacy advocates' concerns that the social network is not adequately informing users of the potential for information "it will collect from new entertainment and media applications" to be used in advertising. One advocate said, "If the ad were to publish facts about you without your knowledge...it would cross into extremely creepy territory," while Facebook stressed its features "only work if people explicitly opt in to them."

PRIVACY LAW—FRANCE

Court: Web Editors Not Liable for Online Comments (September 30, 2011)

The French Constitutional Court has ruled that website administrators, such as blog or forum editors, should not automatically be held liable for comments posted to the sites, an EDRI-gram reports. In cases where the editor had no previous knowledge of the content of the comments, and because commenters often cannot be traced in order to assign responsibility, it is unacceptable to penalise the site editor for the messages. The court also concluded that a mass media law identifying editors as responsible for content does not apply in "this new field," the report states. 

PRIVACY LAW—FRANCE

CNIL Sanctions Company for Linking Social Profiles (September 30, 2011)

The French data protection authority--CNIL--has sanctioned the Yellow Pages online directory company for linking search results to social networking profiles. "A large portion of the 65-million member French society--25 million individuals including minors and unlisted people--were affected," writes Pascale Gelly, CIPP/E, in this month's IAPP Privacy Advisor newsletter. The service has since been suspended. Gelly writes, "The CNIL determined that the activity consisted of an unfair collection of data, as the individuals...could not be deemed as having knowingly provided their data to the social networks so that it could be used to add value to an online directory."

PRIVACY LAW—EU

Cloud Laws Drifting This Way (September 30, 2011)

The European Union will introduce new data protection laws on cloud computing in November, iTNews reports. The Binding Safe Processor Rules will ask EU cloud providers to agree to be legally liable for any data breaches or losses, the report states, acting as a cloud provider accreditation service. Eduardo Ustaran of Field Fisher Waterhouse said service providers can use the accreditation as a selling point for their security models, while those who don't have it may be seen as unsafe. Field Fisher Waterhouse's Stewart Room described the rules as a "bridge" for cloud adoption in light of concerns about liabilities.

PRIVACY LAW—EU

Directive Reform Publication Likely Delayed (September 30, 2011)

The European Commission's publication of the EU Data Protection Directive (95/46/EC) reform will likely be delayed beyond the expected November deadline. Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, said that "this is a comprehensive reform" and the timing for publication will be "within 20 weeks." In this IAPP Europe Data Protection Digest exclusive, experts provide insight into the complexity of this legislation and common ground that stakeholders share.

SOCIAL NETWORKING

Site Introduces New Privacy Features (September 30, 2011)

Music streaming site Spotify has introduced new privacy features in the wake of complaints about its integration with the world's largest social network, the Financial Times reports. The music service had "quietly introduced the requirement that all new users sign up with a Facebook account rather than the usual e-mail" and "defaulted to sharing all a user's listening habits," the report states. While users could choose to opt out of sharing their music tastes through Facebook, in response to "hundreds of complaints," Spotify's CEO has announced a new "private listening" mode, noting, "we value feedback and will make changes based on it." (Registration may be required to access this story.)

ONLINE PRIVACY

New Browser Raises Privacy Concerns (September 30, 2011)

Computerworld reports on Amazon's new Silk browser and the concerns raised by privacy advocates. The browser will connect to a cloud service owned by the company, thereby speeding up browsing capabilities, and, according to the company, a secure connection will be established "from the cloud to the site owner on your behalf for page requests of sites using SSL." A representative from the Center for Democracy & Technology said, "This makes Amazon your ISP...I don't think it's at all clear that Amazon can step into that," but he added it was a "great move" for the company to offer an opt-out to customers. The Electronic Frontier Foundation commented that "there are some worrisome privacy issues" in general around use of browsing history.

Directive Reform Likely Delayed (September 29, 2011)

 

By Jedidiah Bracy, CIPP

The European Commission’s publication of the EU Data Protection Directive (95/46/EC) reform will likely be delayed beyond the expected November deadline.

Matthew Newman, a spokesperson for European Commission Vice President Viviane Reding, told the IAPP Europe Data Protection Digest that “this is a comprehensive reform” and the timing for publication is “within 20 weeks.” 

The likely delay “does not entirely come as a surprise,” says Henriette Tielemans, partner at Covington & Burling LLP in Brussels. “For all the criticism it has received, the 1995 Data Protection Directive proves difficult to revise.”

The directive has been a landmark for privacy protection and guidance for more than 15 years. Since its enactment, the digital economy has expanded rapidly, prompting regulators to draft an updated data protection framework.

In a speech in May, Reding boiled down the reform to “four important changes,” including making the directive enforceable for countries outside the EU that “target” EU citizens; including “data protection by design;” revising the rules on adequacy as well as streamlining and strengthening “procedures for international data transfers,” and the creation of a “mechanism” for third-country providers--possibly an “EU Safe Harbour system.”

Reding added that “a sound data protection framework fosters trust.” Likewise, businesses “should do their share to ensure safe and transparent digital products and services.”

Trust is a component underlined by Netherlands Data Protection Commissioner and Chairman of the Article 29 Working Party Jacob Kohnstamm. Speaking at the International Data Protection Conference in Warsaw, Poland, last week, Kohnstamm said that by embedding privacy from the beginning, conducting privacy impact assessments and being accountable, companies will gain trust from consumers.

According to a document on the conference website, Kohnstamm said that “what counts for DPAs is that companies have done their data protection homework. Personal data should be properly protected, without DPAs spelling out each and every step controllers should take to ensure this.”

A spokesperson for Kohnstamm told the IAPP Europe Data Protection Digest that “the focus for a DPA should be on enforcement and not on guidance.”

Despite the many variables involved in reforming the directive, stakeholders seem to agree on certain desired outcomes.

“Increasing harmonisation in the EU’s internal market, strengthening the users’...

DATA RETENTION—EU

Digital Rights Groups Oppose Blanket Retention (September 28, 2011)

More than 30 civil liberties organizations have signed and submitted a letter to the European Commission voicing opposition to the blanket retention of telecommunications data required under the EU Data Retention Directive, PCWorld reports. In the letter to Home Affairs Commissioner Cecilia Malmström, the groups argue that the retention of data is disproportionate and "therefore illegal" under the Charter of Fundamental Rights and the European Convention on Human Rights, the report states. The groups also query whether the practice has a "demonstrable, statistically significant impact on the prevalence or the investigation of serious crime in a given member state..."

SOCIAL NETWORKING

Technologist Says Site Fixed Cookie Problem (September 28, 2011)

ZDNet reports that Facebook has denied technologist Nik Cubrilovic's claim that the social networking site tracks users even after they have logged out. Cubrilovic, whose claims incited concerns among privacy advocates this week, says Facebook has since made changes to the logout process, alleviating privacy concerns. He has detailed the functions of what he says are the site's five persistent cookies, including the user ID, which he says is now destroyed when a user logs out. The rest of the cookies, Cubrilovic says, are not concerning and users "shouldn't worry about them."

SOCIAL NETWORKING

Site’s Redesign Ignites Concerns (September 27, 2011)

Facebook's planned redesign has some users and privacy advocates concerned, The Washington Post reports. The redesign will integrate third-party apps into a user's profile page and update user activity on those apps automatically, meaning "users will have to think more carefully about what apps they use, since their private media consumption, exercise routines and other habits could be automatically published on their profiles," the report states. Pam Dixon of the World Privacy Forum said consumers have voiced that they don't understand the new, more granular privacy controls. (Registration may be required to access this story.)

ONLINE PRIVACY

Opinion: Search Engines Need Discretion (September 27, 2011)

In a column for The New York Times, Noam Cohen analyzes the "predicament" surrounding the loss of control of one's online identity through search engine algorithms. One such case involves a U.S. presidential candidate whose lost online identity "stands as a chilling example of what it means to be at the mercy" of a search engine algorithm. A search engine company says that "search results are a reflection of the content and information that is available on the Web," but Cohen writes that the issue should be directed at the companies, not the algorithms, "especially when it comes to hurting living, breathing people." (Registration may be required to access this story.)

PRIVACY

Report Spotlights “New World of Corporate Privacy” (September 26, 2011)

The Wall Street Journal explores the value of privacy impact assessments to avoid "running into regulatory fire in the complicated landscape of privacy law" across jurisdictions, pointing out that a "growing cadre of professionals is being hired to manage companies' privacy risk." The report spotlights the work of the IAPP; includes insights from several IAPP members from leading companies including GE, IBM, Apple and Hewlett-Packard, and quotes IAPP President and CEO J. Trevor Hughes, CIPP, who explains that when it comes to the work of privacy professionals, "Early on it was all about compliance. Today, there is as much business-management focus as there is law and compliance." (Registration may be required to access this story.)

RFID—EU

Product Tagging Increasing (September 26, 2011)

It's not only a computer that can be connected to the Web now, reports BBC News, it's your smartphone, your car, your home and even your jeans. Retailers are increasingly tracking products with radio frequency identification tags (RFID), interconnectivity that could allow for monitoring of virtually anything at any time. Privacy advocates have raised concerns that RFID tags could read more data than intended, such as a consumer's RFID-tagged passport or driver's license, and could lead to cases of identity theft. European Data Protection Supervisor Peter Hustinx has warned that with any tracking devices, "there's privacy relevance" and uses must be compliant with the new European Commission Framework, signed by the commission this year.

PRIVACY LAW—NETHERLANDS & U.S.

U.S. Cloud Providers Banned, Pending Law Revision (September 23, 2011)

The Dutch government has announced it will ban U.S. cloud service providers from government contracts due to compliance concerns surrounding the U.S. Patriot Act, reports ZDNet. The Dutch government says this is a temporary measure until the European Commission changes data protection laws. U.S. providers must comply with Patriot Act information requests, which contravenes an EU data protection law stating that organisations must have users' permission to share their data with non-European third parties. Dutch Minister Ivo Opstelten said, "This basically means that companies from the United States in such bids and contracts are excluded." The report states that the Dutch government is also considering a ban on Google and Microsoft cloud offerings and is asking for policies on requirements for awarding contracts.

PRIVACY LAW—FRANCE

CNIL Issues Statement on Cookie Legislation (September 23, 2011)

The CNIL has released its public statement about the legislation recently published by the French government on cookies and data breach notification. In the CNIL's view, browser settings allowing all cookies without making a distinction between their purposes cannot be deemed as a valid consent expressed by the user. This interpretation is "more restrictive than required by the legislation but very much in line with the UK Information Commissioner's Office and the European Article 29 Working Party," according to Bird & Bird associate Gabriel Voisin. In its statement, the CNIL also expressed dismay that the legislation does not require sites to provide users with information on recipients and data controllers. (Statement in French.)

CHILDREN’S PRIVACY—SWEDEN

Daycares Use GPS to Track Children (September 23, 2011)

The Data Inspection Board has said it might investigate the use of GPS tracking devices on children in daycare centres, the Associated Press reports. Daycare centres in Sweden are currently using GPS systems and other tracking technology to keep tabs on children during out-of-school excursions. One principal of a centre that uses the technology said the system is "excellent," but others--including some parents--have expressed concerns about the practice.

DATA PROTECTION—UK

To Submit Or Not To Submit to a Voluntary Audit (September 23, 2011)

The Information Commissioner's Office (ICO) conducts free data protection compliance audits for government departments, but, The Guardian asks, is it worth it? Because the ICO publishes a summary of the audit findings on its website, there is a risk that it could be required to release the full findings under the Freedom of Information Act, the report states. "Negotiate your terms," the authors write. "You should not be shy about pressing the ICO to alter it if you think it genuinely unfair."

DATA LOSS—UK

Residents’ Sensitive Data Breached (September 23, 2011)

The personal information of more than 80 residents of Fuming Blackpool Coastal Housing (BCH) was compromised when an employee took a memory stick from her workplace, The Blackpool Gazette reports. The worker has since been terminated from the position. Compromised information includes names, addresses, telephone numbers and sensitive care plans, the report states. The incident is currently being investigated by the information commissioner. A representative from the BCH apologised "unreservedly to the tenants whose personal details may have been disclosed," adding, "No financial or banking details were included in the data."  

INFORMATION ACCESS—HUNGARY

Ombudsman Investigates Photography Ban (September 23, 2011)

Politics.hu reports that Data Protection Commissioner András Jóri has initiated an inquiry into Speaker László Kövér's banning of photographers because they published pictures of the transcript from which Prime Minister Viktor Orbán read when addressing Parliament earlier this month. According to the report, the pictures showed that Orbán did not read all the passages from the written transcript. A representative from media website Origo said, "in our assessment, the manuscript of a speech of such importance--together with the corrections and the dilemma and alternatives obvious with the deletions--unequivocally belongs to the public." 

DATA PROTECTION—UK

Opinion: Councils Must Get Smart on Strategy Now (September 23, 2011)

Given the increase in public concern about data security breaches, recent high-profile incidents and the information commissioner's new fining powers, it's essential that councils put in place proper measures to reduce data breach risks, opines Field Fisher Waterhouse partner Stewart Room for The Guardian. The challenge will be to "design new systems and operations for data breach detection and the handling of incidents," Room writes. Noting the commissioner's expectation of being notified about serious incidents, Room says that for "all intents and purposes, local authorities are now working within a mandatory breach reporting regime. They cannot afford to get this wrong."  

DATA PROTECTION

Group Says Social Network Is Responding To Requests (September 23, 2011)

After urging people to request the personal data the world's largest social network has stored on them, Austrian-based Europe v. Facebook says the site is working on "a system to automatically process access requests." ZDNet reports that the organisation believes the site's current system, which sometimes results in a 30-day wait on requests for information, contravenes European privacy law and that the information users can download on their own only includes information they have uploaded, but not information others have posted on them. Europe v. Facebook began its campaign in August by submitting 16 complaints to the data protection commissioner in Ireland, the company's base country for operations outside of the U.S.  

DATA LOSS—SWEDEN

50,000 Patient Records Lost in System Crash (September 22, 2011)

Approximately 50,000 patient records from 14 clinics and two hospitals in Region Skåne may have been lost when a computer system crashed late last month, The Local reports. The compromised hard drives have been sent to a Norwegian company specializing in data recovery. The cause of the system failure and the extent of the lost information are not known, the report states. One representative familiar with the case said, "The job is still ongoing, and they've had to bring in specialists from the United States." The director of the National Board of Health and Welfare's Southern Region said, "We have never before lost so much information."

PRIVACY LAW—FRANCE

CNIL Elects New Chair (September 22, 2011)

The board of France's data protection authority--CNIL--has elected Isabelle Falque-Pierrotin as its new chair, Hunton & Williams' Privacy and Information Security Law Blog reports. The move comes after the resignation of Alex Türk, which became official on September 21. Prior to becoming a member of CNIL in 2004 and Deputy Chair in February 2009, Falque-Pierrotin worked for the Organisation for Economic Cooperation and Development and was chair of the French Internet Rights Forum. 

PERSONAL PRIVACY—GERMANY

Researchers: TV Habits Determinable with Smart Meters (September 22, 2011)

A Münster University of Applied Sciences study found that, by analyzing patterns in electricity consumption transmitted by a household smart meter, researchers could figure out what program was playing on a television, reports The H Security. Previously, it was thought that smart meter data could only be used to distinguish between appliances, but because of the frequency of the data transfers--every two seconds--this finer analysis is possible, the report states. According to the research team, the discovery means tighter regulations on this data are needed.    

HEALTHCARE PRIVACY

Survey: Industry Lacks Data Security (September 22, 2011)

A survey of the healthcare industry reveals that less than half the companies surveyed are bolstering privacy and security measures to keep up with the growing use of digital technology, Reuters reports. Of the 600 executives interviewed by PricewaterhouseCoopers' Health Research Institute, nearly 74 percent are planning to expand the use of electronic health records, but only 47 percent are addressing related privacy and security implications. One of the report's contributors, Jim Koenig, CIPP, said, "health IT and new uses of health information are changing quickly and the privacy and security sometimes may not be moving in step...That is some of the most sensitive and important information to a consumer, so with the advancement of healthcare IT, it's only natural that advancements in privacy and security should come along."  

SOCIAL NETWORKING—NORWAY

Company Answers Data Collection Questions (September 21, 2011)

Facebook has released a letter to the Norwegian data protection authority answering questions about its data collection and sharing practices, BusinessWeek reports. The company said that it does not use third parties when it takes information from users' pages for targeted advertising and that wall posts, photographs and personal data are only shared with third parties if a user consents, the report states. Saying the company's letter provided "useful feedback," Norway Data Protection Commissioner Bjorn Erik Thon added, "In the continuous dialogue with Facebook, we will aim to argue the company should give their users the opportunity to 'opt in' to new features when they are released rather than being signed on automatically and then having to 'opt out' later."   

ONLINE PRIVACY—GERMANY

Aigner Meets with Tech Giants, Consumer Groups (September 21, 2011)

German Consumer Protection Minister Ilse Aigner met with Facebook's spokesperson for global policy on Tuesday, calling the meeting "open and constructive" and adding that the company's popularity means it plays an important role in data protection, and it needs to change its data-handling practices, reports Deutsche Welle. The meeting comes on the heels of Facebook's entry into a code of conduct agreement with Schleswig-Holstein Data Protection Commissioner Thilo Weichert. While in the U.S., Aigner also met with Google and Microsoft representatives and consumer protection groups, and she has a meeting scheduled with the U.S. Trade Department about the Safe Harbor program. Aigner has voiced her desire for "strict bloc-wide rules on facial recognition, geodata and the profiling of individual Internet users," the report states.   

HEALTHCARE PRIVACY

Study: Majority Concerned About EHRs (September 21, 2011)

The Australian reports on a survey that reveals more than 80 percent of citizens living in Australia, the U.S. and UK are concerned about the move towards electronic health records. Approximately 37 percent of Australians expressed concern about identity theft; 30 percent worried personal information would find its way onto the Internet, and three percent thought that an employer could access private health data, while only 17 percent expressed "no concerns." A survey representative said, "In all three countries, the growing use of e-medical records is a prime concern because adults believe that having healthcare organizations manage their data electronically exposes them to more threats."

PRIVACY LAW—U.S. & EU

U.S. Attorney General Defends Umbrella Agreement (September 20, 2011)

Speaking with the European Parliament's Civil Liberties Committee, U.S. Attorney General Eric Holder defended data sharing agreements between the EU and U.S., saying there was "not one single example of privacy being breached," the BBC reports. Holder added that the U.S. is committed to privacy protection but said the EU and U.S. "should not impose each other's system on each other." Although Holder did not provide details about the current negotiations between the EU and U.S., he did say that they are "much closer than some might have suggested."

ONLINE PRIVACY—EU

Regulators Weigh Opt-In, Opt-Out (September 19, 2011)

The European Commission has been weighing how to best address issues around online tracking, The New York Times reports, and while there appeared to be some consensus around a self-regulatory model earlier this year, "regulators representing EU member states, backed by consumers' rights groups, are balking at the voluntary arrangement, which they argue does not adequately protect individuals from unwittingly permitting marketers to collect personal data." The report focuses on the push-and-pull between calls by consumer advocates for an opt-in mandate as part of the revised EU Data Protection Directive and the industry position that such a move would be "cumbersome" and using an opt-out model "fits with the needs of today's Internet users." (Registration may be required to access this story.)

ONLINE PRIVACY

Researcher: Smartphone IDs Not Secure (September 19, 2011)

The Wall Street Journal reports on the use of smartphones' unique ID numbers as a way for criminals to access users' social networks. While the IDs do not contain user information in and of themselves, the report notes that "app developers and mobile ad networks often use them to keep track of user accounts, sometimes storing them along with more sensitive information like name, location, e-mail address or social-networking data," effectively using the IDs as what researcher Aldo Cortesi describes as a not-too-secure key to that information. "Mobile security is not limited to a singular app or games overall--it's an issue that the entire mobile ecosystem needs to address," Cortesi said. (Registration may be required to access this story.)

PRIVACY

Jennifer Barrett Glasgow Receives 2011 Privacy Vanguard Award (September 16, 2011)

Jennifer Barrett Glasgow, CIPP, Acxiom Corporation Executive for Global Public Policy and Privacy, received the 2011 IAPP Privacy Vanguard Award at the annual Privacy Dinner last night in Dallas, TX. Presenting the award, past IAPP Board Chairman and GE Chief Privacy Leader Nuala O'Connor Kelly, CIPP, CIPP/G, described Barrett Glasgow as an educator, advocate and "model of courage, of poise and grace." Also recognized at the dinner were the winners of the 2011 HP-IAPP Innovation Awards--Warner Bros. Entertainment, Inc., Ontario Telemedicine Network and Heartland Payment Systems. Texas Comptroller Susan Combs delivered the evening's keynote address on how agencies, businesses and organizations can learn from a data breach, make proactive data protection choices and improve for the future.

DATA LOSS—UK

NHS Trust Signs Undertaking for Breach (September 16, 2011)

An NHS trust has signed an undertaking with the Information Commissioner's Office for contravening the Data Protection Act by improperly disposing of sensitive personal data, publicservice.co.uk reports. During an office move, the Eastern and Coastal Kent Primary Care Trust left a CD containing data on 1.6 million people in a filing cabinet that was sent to a landfill, according to the report. The undertaking requires that the trust develop certain policies and procedures and increase staff training.

BEHAVIOURAL TARGETING—EU

WP Will Publish OBA Opinion by End of Year (September 16, 2011)

In a meeting between industry groups and members of the Article 29 Working Party (WP), WP Chairman Jacob Kohnstamm recapped regulators' concerns over the advertising industry's self-regulatory code for online behavioral advertising (OBA) and announced plans to release an opinion on the code by the end of the year. The WP underscored the code's noncompliance with EU and national regulations because it "legitimises processing on the basis of inaction or silence of the user." Industry representatives responded that the code's intent was not to achieve compliance but to level the playing field. Kohnstamm asked the representatives to respond to the WP's letter to the OBA industry and said the WP will use the information in forming its opinion.

SURVEILLANCE—GERMANY

Protesters Denounce Gov’t Surveillance (September 16, 2011)

PressTV reports on a Berlin demonstration to oppose governmental surveillance. The demonstration drew thousands of activists, including one who said the government is using anti-terrorist measures to impose "unnecessary and disproportionate surveillance, encroaching on people's freedom," the report states. The government has plans to enact a law allowing personal data, including individuals' mobile phone texts and calls, to be stored for six months--spurring this protest and several more to be held in the near future. Protestors held signs with such messages as "privacy is not a crime."

DATA PROTECTION—UK

Review: ICO Needs More Technological Expertise (September 16, 2011)

A review commissioned by the Cabinet Office recommends greater technical awareness in the Information Commissioner's Office (ICO), The Guardian reports. A University of Southampton researcher says technology experts should be involved in the screening of information to be released. Kieron O'Hara says, "Technological developments have created so many imponderable problems...We need better institutions and conversations to screen data for the privacy implications of their release, and we need to include technologists in these conversations to a much greater degree than has historically been the case." Although the ICO has made "welcome strides" towards this, "the severe technical demands made by cutting-edge research in deanonymisation means that more effort is needed in this direction," O'Hara said.

PRIVACY LAW—UK

Graham: Violator Deserved Jail, More Powers Needed (September 16, 2011)

A bank worker who breached the Data Protection Act should have been jailed, says Information Commissioner Christopher Graham. The wife of a man on trial for an assault was fined for looking at the victim's personal details repeatedly, BBC News reports. Graham has called for custodial sentences for such offenses, and recently told the Commons Justice Committee that evidence shows that such blagging occurs routinely in financial services, debt collection and claims management companies, among others, and current penalties are "no deterrent." Graham also voiced his concern that an inquiry into media practices would delay efforts to increase penalties. 

PRIVACY LAW—UK

Council Failed To Secure Contract, Breached Act (September 16, 2011)

The Information Commissioner's Office (ICO) has determined that Walsall Council breached the Data Protection Act when it "accidentally dumped hundreds of local residents' postal vote statements in a skip," Computer Business Review reports. An ICO investigation revealed that the council did not have a contract with the organisation processing the residents' personal information and failed to provide instructions on how the information should be handled. The compromised information included names, addresses, dates of birth and signatures. The council has signed an undertaking.

CHILDREN’S PRIVACY—UK

Agency Breach, ICO Investigation Incite Improvements (September 16, 2011)

The Child Exploitation and Online Protection Centre of the UK's Serious Organised Crime Agency has improved security around personal data sent from its website, reports ComputerWeekly, as the result of an Information Commissioner's Office (ICO) investigation. The ICO's inquiry found that a data link on the agency's website was unencrypted, and therefore unsecured, for several months, making personal details vulnerable while they were transmitted to the agency's servers. The ICO says the agency has since taken steps to ensure improved data security on its site.

PERSONAL PRIVACY—UK

Agency Reprimanded for Van Photo (September 16, 2011)

The agency charged with policing UK advertising has ruled that a photo of a horse van was in breach of privacy rules, Out-Law.com reports. The Advertising Standards Authority (ASA) said Equi-Sport Horseboxes breached the rules when it featured a photo of a horse van on its website with the van's licence plate visible. The van's owner complained to the ASA that consent was not granted. The Committee of Advertising Practice's CAP Code, which governs print and online marketing, forbids referring to or portraying individuals' "identifiable possessions" without written consent.

DATA PROTECTION—UK

How To Stay Safe When It Comes to Data (September 16, 2011)

Housing associations store sensitive information on about eight million people. Hundreds of data breaches have been reported to the Information Commissioner's Office in the last few years due to lost laptops and memory sticks, among other digital media. The only way to avoid similar breaches in the future is to have clear internal guidelines on who can access what data, and when data can be removed or shared, Duncan Jefferies writes in The Guardian. The article offers tips for social landlords on staying safe when it comes to data protection, including always being open and honest about what tenant data is needed; only collecting and storing the amount of data needed for specific purposes and for only the time period required; and establishing disciplinary measures for those who violate data protection rules.

DATA LOSS—IRELAND

Irish Jobs Website Hacked (September 16, 2011)

A website for jobseekers has suffered a security breach, The Irish Times reports. The company has written to users to inform them and ask them to use "best practice in choosing all Internet passwords" and not use the same password on any two sites. Police have apprehended two suspects, and the data protection commissioner has been made aware of the breach.

DATA PROTECTION—EU

Company Pushes To Offer Europe-Only Cloud Services (September 15, 2011)

A telecommunications company is asking regulators to issue a certificate for German or European cloud service providers to help protect online data from government access, Bloomberg reports. Deutsche Telekom AG's T-systems wants to offer customers secure servers designed to prevent outside access such as that allowed under the U.S. Patriot Act, the report states. A representative from the company said, "Certain German companies don't want others to access their systems. That's why we're well-positioned if we can say we're a European provider in a European legal sphere and no American can get to them."

CHILDREN’S PRIVACY—EU

Commission Urges Improvements, Will Issue Proposals (September 15, 2011)

The European Commission (EC) says that European Union nations are not doing enough to protect children in the digital world, AFP reports. Citing insufficiencies in current recommendations, an EC report said new proposals on safeguarding children will be issued later in the year. The report urges member nations to "improve awareness of hotlines and privacy risks on social networking sites," noting that one out of three children aged 9-12, and three out of four teenagers aged 13-16 have online profiles. 

PRIVACY—FRANCE

Alex Türk Resigns as CNIL President (September 14, 2011)

The head of the French data protection authority--CNIL--has announced his resignation. According to the CNIL, Alex Türk will resign effective September 21, 2011. The announcement follows new legislative provisions drafted in March that prohibit Türk from serving as both head of CNIL and as a senator. A new CNIL president may be elected at a meeting to be held by the authority on September 21. (Article in French.)

ONLINE PRIVACY

Google Offers Location Service Opt-Out (September 14, 2011)

The New York Times reports Google will provide an option for residential WiFi routers to be removed from a registry the company uses to locate cell towers. The change comes in the wake of warnings by EU data protection regulators that "unauthorized use of data sent by WiFi routers, which can broadcast the names, locations and identities of cell phones within their range, violated European law," the report states. Google Global Privacy Counsel Peter Fleischer noted the opt-out comes at the request of several European data protection authorities and "will allow an access point owner to opt out from Google's location services." The opt-out will be available internationally, the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Hires Three: A Privacy Expert, Obama Advisor and Former MEP (September 14, 2011)

Facebook has hired a privacy expert for its Washington, DC, office, The Washington Post reports. Erin Egan, who is currently a partner at Covington & Burling and co-chair of that firm's global privacy and data security practice, will join the company in October as its senior policy advisor and director of privacy. Facebook spokesman Andrew Noyes said, "It's imperative that we scale our policy team so that we have the resources in place to demonstrate to policymakers that we are industry leaders in privacy, data security and safety." The company also announced the hiring of legislative advisor Louisa Terrell as its director of public policy and former European Parliament member Erika Mann as head of its Brussels office. (Registration may be required to access this story.)

ONLINE PRIVACY—EU

Groups Dissatisfied with Status Quo (September 14, 2011)

While industry groups continue to push for self-regulation of online advertising, many consumer advocates and lawmakers are dissatisfied with the level of control Internet users have over their personal information, reports EurActiv. The European Commission, regulators and advertisers are meeting today in Brussels to discuss recent efforts, including the Interactive Advertising Bureau's do-not-track icon. "While this mechanism is welcome and constitutes an improvement to the current situation, it does not meet the requirement" to obtain informed consent, wrote Dutch regulator Jacob Kohnstamm. Meanwhile, civil liberties groups plan to meet in Brussels on Saturday to protest the EU Data Retention Directive and the European Commission's plans to store passenger name records currently held by airlines.

DATA PROTECTION—EU

New Agency To Oversee Database Security (September 13, 2011)

The European Union's General Affairs Council has approved plans to establish a pan-European agency to manage its large-scale IT systems, PCWorld reports. The new agency will be responsible for operational management of the Schengen Information System--which stores data on the exchange of information between individuals and law enforcement--and the Visa Information System--which stores visa data, including biometrics. The agency, to begin its work in the summer of 2012, will also oversee the EURODAC, which compares the fingerprints of asylum seekers and illegal immigrants, the report states. Experts have warned that effective security is essential given the sensitive nature of the data stored.

PRIVACY LAW—GERMANY

Commissioner Imposes Fine for Third-Party Sharing (September 13, 2011)

The data protection commissioner of the German federal state North Rhine-Westphalia (DPA) has imposed a €60,000 fine on an electronic payment service provider, reports Hunton & Williams' Privacy and Information Security Law Blog. Easycash GmbH unlawfully transferred bank account information in approximately 400,000 instances to an affiliated company to analyze the data for customer loyalty and bonus programs, the report states. The data included location, time and amount of bank account transactions. The DPA stated that companies "offering payment transaction services to merchants as trustees must exercise special care regarding such data" and should not share it with third parties for profiling purposes.

PRIVACY

Mexican DPA Discusses Data Protection, International Conference (September 12, 2011)

For the first time in its 33-year history, the International Conference of Data Protection and Privacy Commissioners (ICDPPC) will be held in Latin America, hosted this year by Mexico's Federal Institute for Access to Information and Data Protection (IFAI). In this Daily Dashboard exclusive, IFAI President Commissioner Jacqueline Peschard discusses the highlights of the upcoming 2011 conference, entitled "PRIVACY: The Global Age," as well as the work of the IFAI and the international data protection landscape. As Peschard puts it, in a time when data is not hemmed in by geographic boundaries, DPAs must work together across borders, which is one of the key aims of ICDPPC.

SOCIAL NETWORKING—GERMANY

Minister Calls for Government Ban on Site (September 12, 2011)

German Consumer Protection Minister Ilse Aigner has called on her cabinet colleagues to stop using Facebook, reports SPIEGEL. Aigner has cited ongoing German concerns about the site's data privacy practices in asking ministries to set a "good example and show that they give a high priority to the protection of personal data" by ceasing to use the site. Aigner's concerns follow orders by Schleswig-Holstein Data Protection Commissioner Thilo Weichert that Facebook remove its "like" buttons or face fines. Facebook has since agreed to develop a code of conduct. One expert says the degree of public concern over companies' data collection practices is currently "understated." 

BEHAVIORAL TARGETING

W3C Announces Tracking Protection Working Group (September 12, 2011)

The World Wide Web Consortium (W3C) recently announced its Tracking Protection Working Group, established to create a "set of standards that enables individuals to express their preferences and choices about online tracking and enables transparency concerning online tracking activities," the group said on its blog. The Register reports that one of the first hurdles the group may face is getting all the stakeholders to agree on the standards. "A critical element of the group's success will be broad-based participation," W3C said, adding that do-not-track efforts by Microsoft and Mozilla will act as the basis for the group's work. Aleecia McDonald, senior privacy researcher at Mozilla, and another unidentified industry leader will co-chair the group. 

BEHAVIORAL TARGETING—U.S. & EU

Consumer Group Says Web Paths Are Personal Data (September 12, 2011)

In a letter to the U.S. Federal Trade Commission and Europe's Article 29 Working Party, an international consumer group has asked that both regulatory bodies not accept the self-regulation of online behavioral advertising (OBA), PCWorld reports. Trans-Atlantic Consumer Dialogue (TACD) is concerned with the industry's move to define users' Web paths as "non-personal data." A representative from TACD also wrote that the industry's icon program attempts to dissuade users from opting out of OBA, while the director general of the European Consumers' Organization said, "The EU should not accept the advertising industry's attempt to redefine people's Internet usage as 'non-personal data.' It's certainly personal, and a clear line should be drawn..."

DATA RETENTION—SWEDEN

Sweden Responds to European Court of Justice (September 9, 2011)

The Swedish government has responded to the European Court of Justice about its failure to implement the Directive on Data Retention, according to EDRI-gram. In correspondence this week, Sweden said implementing the directive is unnecessary, and daily financial penalties proposed by the European Commission as punishment for not implementing the directive are disproportionate. All EU member states were to have transposed the directive by September 15, 2007. The European Commission has referred Sweden to the European Court of Justice twice--once in February 2010 and again earlier this year.

PRIVACY LAW—GERMANY

Social Network Enters Code of Conduct (September 9, 2011)

The Local reports that Facebook has agreed to enter into a voluntary code of conduct after Schleswig-Holstein's Independent Centre for Privacy Protection concluded that certain Facebook features--such as the "like" button--violate both the German Telemedia Act and the Federal Data Protection Act. Schleswig-Holstein Data Protection Commissioner Thilo Weichert threatened websites with fines of up to €50,000 if "like" buttons were not removed by the end of September, and, according to the report, it is not clear if the agreement will stave off fines. "With Facebook's willingness to sign up for this self-regulation...the debate over the extent to which German data protection law applies to Facebook has been considerably defused," the Interior Ministry said.

STUDENT PRIVACY—NORWAY

University Ordered To Stop Collecting Internet Activity (September 9, 2011)

Norway's data protection agency (Datatilsynet) has ordered the Norwegian University of Science and Technology (NTNU) to stop collecting data on students' Internet behavior to identify those that are violating copyright laws, reports Out-Law.com. Datatilsynet said the practice is a "disproportionate disadvantage" to student privacy rights because it involves "extensive handling of privacy information," the report states. Copyright holders contacted NTNU with concerns that some of the school's students were participating in illegal file-sharing. NTNU was using the information to pass along warning letters to infringers, but Datatilsynet has suggested that the school use other means to deter illegal sharing.

PRIVACY LAW—HUNGARY

Opinion: New Regulations Have Setbacks (September 9, 2011)

Field Fisher Waterhouse's Privacy and Information Law Blog reports on Hungary's new Data Protection Act, saying that while strengthening the Data Protection Authority and including legitimate interest as a legal basis are steps forward, other provisions within the act represent backwards movement. Victoria Hordern writes that requiring a registration to process personal data and a subsequent registration fee, high standards for the legitimate interest condition and the omission of binding corporate rules are examples of where the act misses the mark. Hordern asserts, "It is also completely out of step with the discussions elsewhere in the EU about reforming the data protection framework around international transfers."

PRIVACY—FRANCE

Candidate Calls for Strengthening CNIL (September 9, 2011)

Socialist party presidential candidate Martine Aubry has said that she'd like to see the data protection authority (CNIL) transformed into a national commission for data protection and freedom of speech with enhanced powers, reports Telecompaper. Meanwhile, Socialist deputy Christian Paul has said that copyright enforcement agency HADOPI's budget should be transferred to CNIL. The announcements come after a breach that occurred when a subcontractor exposed lists of IP addresses belonging to Internet users who were found to be illegally downloading copyrighted materials.

DATA PROTECTION—EU

DPAs Getting and Using Fining Powers (September 9, 2011)

Driven by technology and bureaucratic momentum, Data Protection Authorities (DPAs) have been handing down penalties for data breach incidents at an increased rate in the past 12 months. In many cases, governments are adding increased fining powers to DPAs' enforcement quivers. A recent IAPP survey, to be released in November, showed that DPAs around the globe assessed fines totaling more than $31 million--with Spain, Italy and the UK topping the list in the EU. This IAPP Europe Data Protection Digest exclusive highlights some recent DPA actions and how this new direction is being received.

ONLINE PRIVACY—EU & U.S.

Advocacy Groups: Industry’s Do-Not-Track Not Enough (September 9, 2011)

Advocacy groups are going on the record against an online advertising industry do-not-track mechanism. USA Today reports on a letter from Trans Atlantic Consumer Dialogue (TACD) to the Federal Trade Commission's David Vladeck and Jacob Kohnstamm of the Article 29 Working Party asking them "to reject the current OBA self-regulatory regime as inadequate, and work with industry and consumer and privacy groups to ensure that significant revisions are made to protect consumer privacy." A Digital Advertising Alliance spokesman has disputed the claims, pointing to the oversight of independent organisations. 

PRIVACY—EU & U.S.

Opinion: Data Anonymisation Isn’t Black and White (September 9, 2011)

In a dataprotectionlaw&policy featured article, Omer Tene of the Israeli College of Management School of Law discusses the complexity of defining "personal data" as the legal frameworks for data protection and privacy are reviewed in both the EU and U.S. Researchers have found, Tene writes, that data thought to be anonymous can often be de-anonymised or re-identified, a finding that has "significant implications for policymakers." If all data is considered identifiable and, therefore, covered by data protection rules, business models based on anonymisation and encryption will suffer, Tene says. Therefore, the nature of data should be considered a continuum--rather than either identifiable or not--and treated accordingly, he suggests.

DATA PROTECTION—EU & U.S.

Parliament Discusses Data Transfers, Online Privacy (September 8, 2011)

ZDNet reports on the European Parliament Privacy Platform's meeting Wednesday on "a wide range of transatlantic data protection matters, which have yet to be resolved." The meeting included officials from high-profile online companies as well as privacy advocates in discussions about ongoing EU-U.S. data transfer negotiations. Following up on a recent request from MEPs regarding the U.S. Patriot Act's reach in the EU, Francoise Le Bail of the European Commission said the "key thing" is that the U.S. cannot impose its laws on data held in the EU and "normal channels through the relevant authorities" must be followed.

DATA PROTECTION

In-depth on Incident Response (September 8, 2011)

SCMagazine looks at incident response and data protection. Lockheed Martin CISO Chandra McMahon discusses the company's "kill chain" approach to network protection. "The way the kill chain is set up, you're doing incident response as soon as the attack gets started," McMahon says. The company was the target of hackers earlier this year. The premise of its seven-step kill chain "is that the attacker has to be correct every step of the way. Somewhere between steps one and seven, we have to stop those attacks." The feature also looks at other high-profile data incidents and offers incident response "steps to success."  

CHILDREN’S PRIVACY

Experts: Kids Unaware of Internet Threats (September 8, 2011)

USA Today reports on the likelihood that social networks and mobile apps could violate the privacy of the children and teens who use them. From a recent settlement of a Children's Online Privacy Protection Act violation in the U.S. to calls by the UK's data protection authority for children to know their rights regarding online privacy, experts are calling for more education for youth who "exchange their personal data to Web services without knowing the possible consequences." Meanwhile, WBAL-TV 11 News reports on parents in one U.S. state who are questioning why they should provide schools with their children's Social Security numbers.

DATA LOSS—UK

ICO: Trust Breached Data Protection Act (September 8, 2011)

The Information Commissioner's Office (ICO) says a Manchester hospital breached the Data Protection Act when it failed to train a medical student, who was conducting research, to appropriately handle sensitive health information, The Guardian reports. The ICO said its investigation revealed that the hospital assumed the student had received data protection training at medical school and did not provide the same training it gives its staff. The hospital has agreed to ensure all students know the institution's privacy policies. ICO representative Sally-Ann Poole said, "This case highlights the need to ensure data protection training for healthcare providers is built in early on so that it becomes second nature." Meanwhile, the London Ambulance Service has agreed to an undertaking with the ICO in response to a breach of data on approximately 2,664 patients.  

DATA THEFT

Company Halts Authentication Certificates (September 8, 2011)

A security company has suspended issuing authentication certificates for secure websites in response to claims that an unauthorized individual accessed the company's servers, BBC News reports. The Belgian-based company, GlobalSign, has stopped issuing the certificates while it investigates the allegations. The hacker also claims to have accessed additional certificate authorities, including DigiNotar. A GlobalSign representative said that the company takes the hacker's claims "very seriously."        

Data Protection Authorities Crack Down on Breach Offenders (September 8, 2011)

 

By Emily Leach, CIPP

In this era of cloud computing and social media, personal information is being scattered across the globe by individuals and organisations alike. Responsible for regulating the handling of that information are the Data Protection Authorities (DPAs)--and the events of this year have kept them on their toes.

Recent media reports indicate that with the modernisation of the EU Data Protection Directive has come an increase in DPA actions--notably, the assessment of fines.

In the past, DPAs have been equated to “toothless tigers” having little ability to dole out severe enough penalties to effectively enforce regulations. But as Jay Cline, CIPP, writes for the IAPP’s Inside1to1: PRIVACY, a new wave of enforcement activity is at hand, triggered by technological advancements and bureaucratic momentum.

According to a soon-to-be released IAPP survey, leading the pack among European DPAs in terms of the amounts of fines levied in the past year are Spain, Italy and the UK, tallying more than €21 million combined.

Spain
Spain has been described as "one of the more enforcement-oriented DPAs in the EU,” and despite Parliament’s decision to lower many fines in the Spanish DPA’s penalty structure--and the government’s decision to give organisations a warning period before fining for data breaches, as reported by the Hogan Lovells Chronicle of Data Protection in March--the nation still topped the recent survey’s list with fines totaling €17.5 million.

Italy
Among the actions it has taken in the past year, the Italian Data Protection Authority (Garante) censored and fined a real estate agency for asking employment applicants "a disproportioned quantity" of personal questions. The DPA found that collecting and processing the sensitive personal information of job applicants violates the Data Protection Code.

UK
The UK Information Commissioner’s Office (ICO), meanwhile, recently released its guidance on fining powers it has received under the Privacy and Electronic Communications Regulations, which allow for fines of up to £500,000. In June, the ICO had fined one county council £120,000 for lax data protection involving misdirected e-mails.

Reactions to such fines have been mixed. While one Irish security expert credits the DPA’s increased fining powers with improving public awareness of breach risks, some in the UK are asking whether, in tough economic times, fining organisations such as local councils is the best way to promote data protection.

For...

DATA LOSS

Study: Breaches Cost Companies Almost $157 Billion (September 7, 2011)

A recent study found that from 2005 through 2010, data breaches cost companies $156.7 billion, reports InfoSecurity. The Digital Forensics Association studied 3,765 publicly disclosed data breach incidents encompassing more than 800 million lost records--65 percent of which disclosed victims' names, addresses and Social Security numbers. Incidents of confirmed criminal use of breached data increased by 58 percent from the prior study, states the report, with hackers responsible for 48 percent of the records studied.

SURVEILLANCE

Facial Recognition Technology Seeing “Boom Time” (September 7, 2011)

Forbes reports on the increasing popularity of facial recognition technology, now experiencing its "boom time." The technology is being used by police departments, casinos and bars, among others. Shoe retailer Adidas is now testing the technology in order to market shoes to specific age and gender demographics, and Kraft foods is working with supermarket chains with hopes of installing facial recognition kiosks in order to better target specific consumers. "You can put this technology into kiosks, vending machines, digital signs," said a spokesman for Intel, a developer of the software. "It's going to become a much more common thing in the next few years."    

SOCIAL NETWORKING—IRELAND

Site Faces Privacy Audit (September 6, 2011)

The Office of the Data Protection Commissioner (DPC) has announced that it will conduct an audit of Facebook's privacy practices after an Austrian group submitted 17 complaints about the site's handling of personal information, Independent.ie reports. The complaints allege that the site's Dublin headquarters retains all of its users' data, including "likes," e-mails and phone numbers, the report states. A DPC spokesman said that it will "go into the premises and go through in great detail every aspect of security...It's a very significant, detailed and intense undertaking that will stretch over four or five days. Then we'll publish a detailed report and Facebook will respond." A spokesman for the social network said the company is cooperating with the DPC.     

ONLINE PRIVACY

Smartphone Makers Respond to Tracking Allegations (September 6, 2011)

Microsoft has responded to a class-action lawsuit, saying the location data it collects through its Windows Phone camera is not linked to a specific device or user, reports The Next Web. While the suit claims the software collects users' geographical coordinates even after they request not to be tracked, Microsoft says that because it does not collect unique identifiers, "the Windows Phone camera would not enable Microsoft to identify an individual or 'track' his or her movements." Meanwhile, smartphone maker HTC responded to claims that at least two of its phones collect location and personal data, explaining that the data in question is de-identified, encrypted and only collected upon user opt-in.

PRIVACY LAW—EU & U.S.

MEPs Raise Concerns About ACTA (September 6, 2011)

Members of the European Parliament (MEPs) are raising concerns about the Anti-Counterfeiting Trade Agreement (ACTA), IDG News reports, and one MEP has said Parliament's legal department will discuss whether it must go to the European Court of Justice. Questions linger as to whether the agreement with the U.S. and other countries is compatible with EU law. "The ACTA agreement has been mired in controversy from the beginning due to secrecy imposed by the U.S. and worries that it may not uphold EU rules on data privacy," the report states, "as national authorities would be able to order ISPs to disclose personal information about customers."

ONLINE PRIVACY—EU & U.S.

EU Cookie Requirement Snubs Self-Regulation (September 2, 2011)

USA Today reports that an EU Article 29 Working Party proposal rebuffs self-regulation efforts by the online advertising industry and would likely shrink online ad revenue. The proposal would require online companies to include a check box for Internet users to accept every cookie that marketers and data aggregators place to track them. According to Christopher Wolf of Hogan Lovells, it may effectively "impede business initiatives to advance privacy" by not recognizing and rewarding genuine efforts. But one consumer advocate disagrees, saying, "The Europeans have exactly the right approach" compared to the U.S.    

DATA LOSS—UK

Children’s Administration Breaches Act Twice (September 2, 2011)

The Information Commissioner's Office (ICO) has found the Scottish Children's Reporter Administration (SCRA) in breach of the Data Protection Act in two incidents, ComputerWeekly reports. In the first instance, nine files containing personal information including names, dates of birth and social reports were sold to a secondhand furniture shop. Later, legal papers containing sensitive information about a child's court case were sent to the wrong e-mail address, the report states. The ICO says the SCRA failed to ensure that staff followed proper data protection and security rules. The SCRA says it has made improvements, and the ICO is urging "other organizations, particularly those handling sensitive information relating to young people, to follow suit." 

BEHAVIOURAL TARGETING—THE NETHERLANDS

Online Advertisers Introduce Opt-Out Register (September 2, 2011)

DutchNews.nl reports that several newspapers have agreed to support a register allowing users to opt out of being tracked by online advertisers. Advertisers that subscribe to the register will place an "X" on their advertisements. When clicked, the "X" will take the user to the opt-out register. Web privacy lobbying group Bits of Freedom has said the initiative does not do enough to protect individuals, asserting, "Internet users should not be spied on unless they say it's okay...An advert for shoes might be innocent, but what if you are looking for information about back problems? Such private information is open to abuse."  

INFORMATION ACCESS—CZECH REPUBLIC

Official Backs Privacy Protections for Public Employees (September 2, 2011)

The Prague Daily Monitor reports on the "relatively crucial role in the privatisation of power" that Personal Protection Data Office (UOOU) head Igor Nemec plays within the Czech Republic. Responding to a recent Supreme Administrative Court decision granting citizens the right to know the salaries of public officials, the UOOU said the judiciary placed freedom of information above the right to privacy, and, the report states, Nemec has "launched a campaign against the release of information on salaries..."

DATA THEFT—IRELAND

Two Arrested for Alleged Cyberattack (September 2, 2011)

Law enforcement authorities in Ireland have arrested two men suspected of hacking into the Fine Gael website, accessing the contact information of approximately 2,000 individuals, The Irish Times reports. Compromised information includes e-mail addresses, phone numbers and computer details of subscribers. As the site is hosted by a U.S. company, the FBI has been called in to help with the investigation, and the website has reported the incident to the data protection commissioner.

DATA LOSS—UK

RBS Announces Breach (September 2, 2011)

SearchSecurity.co.UK reports that the pay rates of 3,000 contract staff were exposed when a staff member at the employment agency Hays e-mailed 800 RBS employees with the details. "We are extremely disappointed that confidential personnel data has been shared by one of our suppliers," the bank said in a statement. "This is unacceptable and we are taking action to address this issue." The bank stressed that no customer information was compromised.

ONLINE PRIVACY

Opinion: Web Anonymity Should Be Curtailed (September 2, 2011)

Amidst the push-and-pull between calls for a right to be forgotten online and concerns that online anonymity may contribute to "a lack of ethics," John Gapper writes in the Financial Times that the time has come to limit just how much invisibility Web users have. "Anonymity should not be banned in every corner of the Internet any more than it is in the physical world in democracies--it would breach civil liberties," he writes. "But there are good reasons to discourage it. Most users would gain if anonymity were the exception rather than the rule." (Registration may be required to access this story.)

DATA LOSS—UK

Medical Files Stolen, Recovered (September 2, 2011)

The Edinburgh Royal Infirmary has notified more than 100 patients that their personal details were stolen, Scotsman.com reports. The files, which contained patients' names, addresses and dates of birth, among other data, were taken from a reception desk. They have since been recovered, and a man has been arrested in connection with the theft, according to the report. NHS Lothian has notified the affected patients. "We have also launched an internal investigation and we have already improved our processes and security as a result," an official said.    

TRAVELLERS’ PRIVACY—IRELAND

Body Scanners To Be Tested (September 2, 2011)

Employees at Dublin Airport will test body scanners ahead of their implementation at passenger terminals, The Irish Times reports. The trial period may last up to 18 months and will be open to any airline employees and other staffers interested in voluntarily using the technology. The European Parliament last month said body scanners should be allowed at EU airports if "health, dignity and privacy are protected," the report states. A spokeswoman for Dublin Airport Authority says no full-body images will be displayed by the scanners and emphasised that they are "not mandatory." 

DATA LOSS—IRELAND

Medical Records Not Identifiable (September 2, 2011)

The Health Service Executive (HSE) says medical records found to be inappropriately disposed of last week did not contain identifiable details on patients, according to the Office of the Data Protection Commissioner. The office opened an investigation last week after the Sligo Hospital records were discovered in a Galway bog. Community wardens found the records in an Abbeyknockmoy bog and notified the HSE, which now says it is investigating the matter internally, ShannonSide reports. 

PRIVACY LAW

Class-Action Filed on Behalf of Mobile Phone Users (September 2, 2011)

A proposed class-action lawsuit filed on behalf of Windows Phone 7 users in a Seattle, WA, court on Wednesday alleges that Microsoft designed the phone to track customers regardless of their preferences, The Sydney Morning Herald reports. The suit alleges the company designed camera software on the phone's operating system to collect users' geographical coordinates even if they had requested not to be tracked, the report states. The suit also alleges that statements the company made in a letter to the U.S. Congress were "false." 

ONLINE PRIVACY

Kundra: Cloud Concerns re: Privacy “Unfounded and Ridiculous” (September 1, 2011)

Former U.S. Chief Information Officer Vivek Kundra is sounding off on governments' reluctance to adopt cloud computing due to privacy and information security concerns, noting the U.S. government's outsourcing of more than 4,700 systems "and yet when it comes to cloud for some reason these fears are raised," reports The Australian. In The New York Times, Kundra writes that "governments around the world are wasting billions of dollars on unnecessary information technology," adding that cloud computing is often more secure than traditional methods. Taking part in a Digital Agenda panel on Wednesday, Kundra urged government officials to think about how they are serving constituents. "All that money's being spent on redundant infrastructure, redundant application that we're not able to optimize," he said. Meanwhile, Kundra's Digital Agenda co-panelist Vice President of the European Commission Digital Agenda Neelie Kroes said that while she agrees there are benefits to the adoption of cloud computing, the value depends on trust and security in the system, and there are cultural hurdles to overcome that will take time, ZDNet reports. Editor's Note: Navigate, an IAPP executive forum being held on September 14 in Dallas, TX, will feature a special program entitled Putting Cloud Computing on Trial to fully explore these issues.

PRIVACY LAW—EU & U.S.

MEP Seeks Patriot Act Clarity (September 1, 2011)

ZDNet reports on Dutch MEP and Civil Liberties, Justice and Home Affairs Committee Vice Chair Sophie in 't Veld's "mission to clarify the reach of the Patriot Act in Europe and to amend laws to prevent its reach." Based on reports in June that EU datacenters holding data provided by U.S.-based cloud providers "cannot guarantee that data will not be handed over to U.S. authorities for interception or intelligence gathering," in 't Veld and four other MEPs are asking European Commissioner Viviane Reding to clarify the Patriot Act's reach and "remedy this situation" to ensure that "third-country legislation does not take precedence over EU legislation," the report states. 

CHILDREN’S PRIVACY—UK

ICO Recommends Privacy Education for Children (September 1, 2011)

The Information Commissioner's Office (ICO) has announced that primary and secondary students should receive data privacy and freedom-of-information rights education and that both issues "should be embedded in the formal education process," OUT-LAW News reports. In a recent survey that revealed 88 percent of secondary students and 39 percent of primary students have social networking profiles, the ICO found that most respondents were not familiar with the sites' privacy policies. A representative from the ICO said, "Young people today are growing up in an age where an ever-increasing amount of information is held about them...It is vital that they understand their privacy rights and how to exercise them."  