European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is also already underway for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

MPs Call for Jail Terms (October 28, 2011)

BBC News reports that members of the House of Commons Justice Select Committee have called for increased powers to imprison and fine individuals who abuse the Data Protection Act. Stating that current fines are an "inadequate" deterrent, a report filed by the MPs warns that the Information Commissioner's Office lacks sufficient powers to audit organizations and investigate data abuse incidents. The committee's report said, "We are concerned that the information commissioner's lack of inspection power is limiting his ability to investigate, identify problems and prevent breaches of the Data Protection Act, particularly in the insurance and healthcare sectors." The ICO welcomed the committee's report, saying, "The government should lose no more time in bringing in appropriate deterrent sentences to combat the unlawful trade in personal data." 
Full Story

DATA RETENTION—EU

EC Wants Compliance, MEP Wants “Traffic Data” (October 28, 2011)

The European Commission (EC) has formally requested that Germany and Romania come into full compliance with EU rules on data retention within two months. The two countries have not yet indicated how and when they will adopt the EU Data Retention Directive, according to an EC announcement. The commission says this will likely harm the internal market for electronic communications and law enforcement's ability to investigate and prosecute crime. The directive--which requires telephone companies and Internet service providers to store telecommunications and location data--was adopted in 2006, and countries were to have transposed it into law by September 2007. Meanwhile, an Italian MEP has proposed expanding the reach of the Data Retention Directive so as to capture users' "traffic data" from content providers, reports Out-Law.com.
Full Story

PRIVACY LAW—THE NETHERLANDS

Cookie Proposals Raise Concerns (October 28, 2011)

The Dutch Parliament has been discussing draft legislation that would mandate opt-in consent for the use of cookies, the Field Fisher Waterhouse Privacy Law Blog reports. According to an interim publication on those discussions, the Upper House has several questions, including what the impact may be on Internet users and whether opt-in proposals will mean "a competitive disadvantage against countries that adopt a more 'lenient' implementation" of the e-Privacy Directive. "While it's too early to say whether this means that the currently proposed strict opt-in requirements will get shot down," Phil Lee writes, "the level of concern voiced by the Upper House" indicates "a more pragmatic approach" may prevail.
Full Story

PRIVACY LAW—GERMANY

Facebook, Google Meet with Lawmakers (October 28, 2011)

Representatives from Facebook and Google met with data protection officials and a German parliamentary subcommittee to discuss the companies' privacy policies and whether they comply with German and European data protection laws, Deutsche Welle reports. A Facebook spokesperson said, "We are pleased that the new media subcommittee of the German (parliament) is interested in the issue and felt that their meeting today was helpful." At the meeting, Schleswig-Holstein Data Protection Commissioner Thilo Weichert said, starting in November, his office would "apply appropriate actions" to companies that have not complied with a ruling to disable the Facebook "like" button on their Web pages.
Full Story

DATA LOSS—SWEDEN

Hackers Expose Passwords of 180,000 (October 28, 2011)

Exploiting code on nearly 60 websites, hackers have accessed and exposed the log-in credentials of about 180,000 Swedes, reports The Local. The information--including personal identity numbers in some cases--was exposed through Twitter accounts, including that of former Democrat MP William Petzäll, whose lawyer says the account was hijacked. In an e-mail to the Expressen newspaper, the hacker said he published the information to draw attention to its mismanagement, not for misuse. Experts recommend that users of Bloggtoppen.se and other infiltrated sites change their online passwords.
Full Story

DATA PROTECTION—GERMANY

Researchers Find Break in the Cloud (October 28, 2011)

German researchers report having found a security flaw in a cloud service provider allowing hackers to gain administrative rights to users' accounts, and according to the researchers, the flaw is one that may occur in many cloud architectures. Network World reports that the researchers informed Amazon Web Services (AWS) of the flaw, which has since been fixed, but say "since the relevant Web service standards make performance and security incompatible...These problems could be found in other cloud frameworks also." However, an AWS spokesman said, "It is important to note that this potential vulnerability involved a very small percentage of all authenticated AWS API calls...and was not a potentially widespread vulnerability as has been reported."
Full Story

PRIVACY LAW—UK

Experts Weigh In on Required Breach Disclosures (October 28, 2011)

Referencing the announcement of U.S. disclosure obligations for companies in that country, a Computing report points to "increasing signs that the UK will have to implement similar rules under proposed changes to the EU Data Protection Directive." Posing the question of whether such a requirement would be welcome in the UK, the report looks at the differing views of IT experts. One, for example, suggests similar rules "should be advocated by the UK government. At present there is virtually no obligation for UK companies to disclose anything." Another, however, suggested that when it comes to reporting, "The first time you have a data breach people get overexcited; the next time you get data breach fatigue."
Full Story

ONLINE PRIVACY—GERMANY

Authorities’ Use of Spyware Spurs Outcry (October 28, 2011)

An investigation by a hacker group has focused on the use of spyware by authorities in numerous German states, and while Internet telephone monitoring is allowed under German law, "it has emerged that software deployed by some law enforcement agencies was capable of much more intrusive snooping," GlobalPost reports. In the wake of the announcement and analysis by a security firm, some--including Justice Minister Sabine Leutheusser-Schnarrenberger--are calling for a closer look into the matter. While officials have stated the use of the spyware has been legal, Data Protection Commissioner Peter Schaar is voicing concerns about the legal "gray area" surrounding the use of such technology.
Full Story

DATA LOSS—UK

ICO Orders Trust To Review Policies, Train Staff (October 28, 2011)

The Information Commissioner's Office (ICO) has ordered University Hospitals Coventry & Warwickshire NHS Trust to review its policies and train staff after finding that the trust breached the Data Protection Act on two occasions, according to an ICO press release. "The fact that the trust lost sensitive personal information on two separate occasions within the space of two months is clearly not acceptable," said ICO Head of Enforcement Sally Anne Poole. The breaches occurred in February and May of this year and involved the improper disposal of patient records. Meanwhile, the group Big Brother Watch has released a report showing that during a three-year period between 2008 and 2011, NHS trusts experienced 806 data breach incidents.
Full Story

HEALTHCARE PRIVACY—IRELAND

HIQA Releases Data Protection Guidance (October 28, 2011)

The Health Information and Quality Authority (HIQA) has released guidance on protecting sensitive health records, thejournal.ie reports. The guide--"What You Should Know About Information Governance: A Guide for Health and Social Care Staff and HIQA"--comes on the heels of breaches involving patients' sensitive health data--events that HIQA Director of Health Information Prof. Jane Grimson describes as "unacceptable." Good information governance does not "take place in isolation, or separate from healthcare provision," said Grimson. The authority has also published Privacy Impact Assessment guidelines and a self-assessment tool.
Full Story

PRIVACY—GERMANY

University, Google Open Internet Research Institute (October 28, 2011)

Designed to explore the effects of the digital age, a new institute funded by Google has opened in Germany, The Washington Post reports. Housed at Humboldt University in Berlin, the Institute for Internet and Society will explore Internet privacy, freedom of expression and civil liberties issues. Google will provide the institute with €4.5 million for the next three years. Google Vice President David Drummond said the institute "will be based on a philosophy of openness, open access, standards and an ability to innovation." (Registration may be required to access this story.)     
Full Story

HEALTHCARE PRIVACY—EU & U.S.

Study Analyses Healthcare Privacy Laws (October 28, 2011)

A new study comparing U.S. and EU healthcare privacy law has been released by the Pamplin College of Business at Virginia Tech, Newswise reports. The study, co-authored by Prof. Janine Hiller, also examines the pros and cons of electronic health records (EHRs) and the ability of U.S. laws to address privacy risks and concerns. Hiller said, "EU countries have adopted electronic health records and systems...and legally protected privacy at the same time," and if the U.S. strengthened the legal and technical protections around EHRs, then risks would be minimized and public concern assuaged. 
Full Story

STUDENT PRIVACY—UK

Study: Students Worried About Their Online Data (October 27, 2011)

A survey conducted by YouGov for the Information Commissioner's Office (ICO) has found that 42 percent of students polled are concerned that their online personal data could affect their future job opportunities, but many are not taking steps to protect their privacy, The Press Association reports. Information Commissioner Christopher Graham said "young people are clearly less relaxed about privacy, particularly in relation to information that they post online--but many may not know what they can do about it." To help educate them, the ICO has launched its Student Brand Ambassador campaign. 
Full Story

BEHAVIORAL TARGETING

Credit Card Companies Look Into OBA (October 26, 2011)

The Wall Street Journal reports on plans by the world's two largest credit card networks to move into the online behavioral advertising business. Though the technology to link purchase transactions with an individual's online profile is still evolving, according to the report, Visa and Mastercard are currently pursuing the idea. The article cites a published Visa patent application that would attempt to incorporate information from DNA data banks into profiles that would target consumers online. Meanwhile, a representative from Mastercard said in an interview in August, "There is a lot of data out there, but there is not a lot of data based on actual purchase transactions...We are taking it a level deeper...it is a much more precise targeting mechanism." (Registration may be required to access this story.)

DATA PROTECTION—UK

Information Commissioner: Breaches on the Rise (October 25, 2011)

The Information Commissioner's Office (ICO) says the number of data security breaches in the private sector is on the rise, increasing by 58 percent in 2010. The increase comes despite the fact that private sector organizations reported "unprompted awareness" of data protection obligations under the law, reports Out-Law.com. In a survey of 806 private and public sector organizations, 72 percent acknowledged their data protection obligation, up 18 percent from the previous year. "I'm encouraged that the private sector is waking up to its data protection responsibilities," said Information Commissioner Christopher Graham. "However, the sector does not seem to be putting its knowledge to good use." He added that as the number of breaches rise, public confidence declines.
Full Story

ONLINE PRIVACY

Researcher Says Skypers Are Vulnerable (October 25, 2011)

A researcher from New York University (NYU) will present findings in Berlin next week asserting that Skype may allow strangers access to users' contact details. "If you have Skype running in your laptop, then I or any other attacker can inconspicuously call you, obtain your current IP address and your current location without you ever knowing about it," says NYU's Keith Ross, a professor of computer science. A high school-aged hacker would be capable of such an act, Ross says, adding that the hacker could scale the operation to track thousands of users. Skype's chief information security officer says determining other users' IP addresses is possible with typical Internet communications software, not just Skype's. 
Full Story

SOCIAL NETWORKING

DPC Investigating “Shadow Profiles” and Data Logs (October 24, 2011)

The Irish Data Protection Commissioner (DPC) is investigating complaints against Facebook for its data collection practices. Fox News reports on one allegation that the site encourages members to offer information on nonmembers and uses it to create "extensive profiles." The Wall Street Journal reports that another complaint claims Facebook held information on an Austrian student which appeared to have been deleted from his account. The data included rejected friend requests, untagged photos of the student and logs of all his chats. Facebook denies both claims. A company spokeswoman said "the assertion that Facebook is doing some sort of nefarious profiling is simply wrong," adding that its messaging service works the way "every message service ever invented works." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—GERMANY

Social Network Warned About Facial Recognition (October 24, 2011)

Hamburg Data Protection Commissioner Johannes Caspar has announced that the world's largest social network has until November 7 "to bring its facial recognition software into conformity with privacy laws in Germany and the European Union or face legal action," AFP reports. Caspar told the press agency that negotiations with Facebook have been extended, but "If our demands are not met, we will be obliged to take the legal path" regarding the facial recognition application, which the data protection official believes violates national and EU data protection law.
Full Story

PRIVACY LAW—IRELAND

Commissioner Clarifies Directive Implementation (October 24, 2011)

Ireland's Data Protection Commissioner (DPC) has said that websites do not need to get separate consent from users when employing Google Analytics on homepages, The Sociable reports. The UK's implementation of the EU's e-Privacy Directive (2009/136/EC) requires websites to gain consent prior to loading Google Analytics, according to the report. A representative from the DPC said, "this office expects websites to make information available on their homepages in relation to cookie usage generally including third-party analytics services such as Google Analytics, but we do not consider that SI 336 of 2011 imposes a need for an explicit separate consent for Google Analytics use."
Full Story

SOCIAL NETWORKING—GERMANY

Site Will Give Exemption To Schleswig-Holstein (October 21, 2011)

In a private meeting between Schleswig-Holstein Data Protection Commissioner Thilo Weichert and Facebook European Head of Privacy Policy Richard Allen, Allen offered to bar the transfer of data collected from Schleswig-Holstein IP addresses to the U.S., reports The Local. Allen also offered a full account of how the company collects and uses data, the report states. Weichert, who in September threatened websites with fines of up to €50,000 if "like" buttons were not removed, says--if implemented--this agreement would be "a great success." Meanwhile, Hamburg's data protection authority is calling on Facebook to obtain explicit consent from users prior to employing its facial recognition automatic tagging feature, saying, "The time for negotiation is now over."

DATA PROTECTION—EU

Article 29 WP Releases Plenary Notes (October 21, 2011)

The Article 29 Working Party held its 82nd plenary meeting in Brussels last week, discussing such topics as harmonization among member states and data breach notification. According to a press release issued yesterday, the group will soon send Vice President Viviane Reding proposals for "a mechanism to ensure cooperation and coordination between data protection authorities and to ensure consistent application of the law." The Working Party also agreed to provide insight to the European Commission on data protection concerns related to the World Anti-Doping Code and has decided to intensify its dialogue with ENISA, the European Network and Information Security Agency. Party members also heard from a Fundamental Rights Agency representative on certain data protection projects.
Full Story

DATA PROTECTION—UK

Survey Respondents: Online Details Not Protected (October 21, 2011)

The Press Association reports on a survey of more than 1,200 UK residents by the Information Commissioner's Office (ICO) that has found approximately 75 percent do not believe online companies are keeping their personal information secure. Additionally, more than two-thirds of the survey's respondents indicated they believe current UK laws "fail to provide sufficient protection of personal information, and three in five feel they have lost control over the way their information is collected and processed," the report states. Information Commissioner Christopher Graham noted, "Companies need to consider the damage that can be done to a brand's reputation when data is not handled properly."
Full Story

SOCIAL NETWORKING—EU

Group Prompts Regulatory Audit (October 21, 2011)

The Irish Times reports on the Irish Data Protection Commissioner's (DPC) audit of Facebook, which comes in the wake of privacy-related complaints from the group Europe-v-Facebook. The group has filed 22 complaints against the company, including allegations that the site is assembling "shadow profiles about users and non-users." The group's founder said the goal of the complaints is to generate transparency. "We're not trying to kill Facebook," he said. "I'm actually a big fan..." A spokesperson for the company said Facebook looks forward to welcoming the DPC to "our European headquarters over the coming weeks so we can demonstrate our commitment to the appropriate handling of user data and reinforce our compliance with EU data protection laws."
Full Story

DATA LOSS—UK

ICO Investigates Breaches, Offers a Solution (October 21, 2011)

The Information Commissioner's Office (ICO) has announced that the accidental disclosure of a spreadsheet containing the names, salaries and birthdates of approximately 900 current and former employees of Dumfries and Galloway Council breached the Data Privacy Act. A Dorset private housing group has signed a formal undertaking with the ICO for not having the required level of data protection security in place. And the ICO will investigate an incident involving an accidental e-mail disclosure at Edge Hill University. According to PRESSTV, the commissioner's office has also announced that it will investigate potential breaches reportedly committed by Cabinet Office Minister Oliver Letwin. Meanwhile, speaking at a healthcare expo, an ICO representative said that he is concerned with the number of health sector data breaches, adding that IT providers could help educate and offer solutions to users to reduce the risk of data loss.
Full Story

DATA PROTECTION—EU

Research Group Releases Report on PIA Benefits (October 21, 2011)

During a meeting of data protection authorities in Brussels last week, a research consortium released a report detailing the benefits of using privacy impact assessments (PIAs), PRWeb reports. A product of the Privacy Impact Assessment Framework (PIAF), the report reviews PIA methodologies and policies in Australia, Canada, Hong Kong, Ireland, New Zealand, the UK and the U.S., as well as providing analysis of 10 PIA case studies. The PIAF report also provides recommendations for an "optimised" PIA framework for Europe. The European Commission is reportedly expected to make PIAs a mandatory component in its revision of the data protection framework in 2012.
Full Story

DATA PROTECTION—HUNGARY

Groups Appeal to Barroso on Ombudsman Role (October 20, 2011)

Three Hungarian civic groups have asked European Commission President José Manuel Barroso to launch proceedings against Hungary due to its passage of a bill that they say violates EU laws, politics.hu reports. The Károly Eötvös Institute, the Hungarian Helsinki Committee and the Hungarian Civil Liberties Union say Hungary's passage of a "cardinal law" in July that sees the role of the country's independent data protection ombudsman subsumed by the new National Data Protection and Freedom of Information Authority goes against EU legal frameworks, according to the report.
Full Story

ONLINE PRIVACY

Site Brings New Meaning to “Creepy” Data Use (October 19, 2011)

A new website--used by 300,000 people in its first 24 hours--accesses information from people's Facebook accounts to create a personalized horror movie featuring a man browsing through the user's account and "getting increasingly agitated," reports The New York Times. Take This Lollipop's developer, Jason Zada, says creating the site was a fun seasonal project but adds that its popularity may in part be due to people's concerns about how their data is being used. "When you see your personal information in an environment where you normally wouldn't, it creates a strong emotional response," Zada said. "It's tied into the fears about privacy and personal info that we have now that we live online." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO: Cookie Consent Is Not Optional (October 18, 2011)

Information Commissioner Christopher Graham has warned that nearly half of the one-year grace period for implementing cookie consent obligations has elapsed and not enough is being done by the industry to meet the new requirements thus far, Silicon.com reports. Speaking last week at a digital marketing forum, Graham said, "We will shortly be producing the commissioner's half-term report...it will be couched very much in those familiar terms of 'could do better, must try harder.'" Graham also said that a do-not-track approach in browsers is "no silver bullet," adding, "I still think there are a fair number of people in the advertising business and the website business who are in denial about this...However much you don't like it...consent for cookies is the law."
Full Story

SURVEILLANCE—GERMANY

Police Using Spyware on Suspects’ Computers (October 17, 2011)

A German hacking group has announced that, after analyzing the hard drives of people who had been under investigation, it found software allowing police to log keystrokes, capture screenshots and activate cameras and microphones, reports The New York Times. After the announcement, Justice Minister Sabine Leutheusser-Schnarrenberger called for an inquiry into the matter, and Data Protection Commissioner Peter Schaar said Parliament needs to clarify search and surveillance laws, adding, "In my opinion, this kind of infiltration through software is a deeper intrusion and a greater risk than simply listening in on a phone line." While federal investigators denied using the software, several state investigators admitted using it, states the report. (Registration may be required to access this story.)

GEO PRIVACY—FRANCE

CNIL Publishes Findings of Geo Study (October 14, 2011)

GPS Business News reports that the French data protection authority, CNIL, has been analysing how Apple is using location data through its iPhones. CNIL released its findings on the study this week, saying in a report on its website that "Apple seems to have adopted a novel approach to provide location-based service based on the detection of WiFi access points: when a user asks to be geo-located, the phone itself, which calculates its own position using information provided by Apple." The commission says that although Apple's methods for crowdsourcing WiFi access points are largely anonymous, the company "should clearly inform its users of such treatment." The CNIL is conducting similar analysis on the Android and other systems.
Full Story

PRIVACY LAW—FRANCE & U.S.

Appeals Court Suspends Whistleblower Program (October 14, 2011)

Though the French Data Protection Authority (CNIL) had pre-approved a U.S. company's whistleblower program, an appeals court upheld a decision to suspend the program on the grounds that the company's employee representative group was not consulted, reports Hunton & Williams' Privacy and Information Security Law Blog. Additionally, the Labor Chamber of the Court of Appeals of Caen found that data on the whistleblower hotline homepage did not match the company's standard operating procedure and employees reportedly had not been properly informed of their rights--including their right to access, rectify or delete their personal information.
Full Story

ONLINE PRIVACY—EU

Cloud Providers Warn Against Over-Regulation (October 14, 2011)

An AT&T Europe representative told EUObserver that while data security in cloud computing is generally better than what people use at home, fear is "creating barriers in the development of the new systems. It's important not to over-legislate in a sector that is still developing." Karim Lesima also said that the possibility for a requirement on where data is stored is one of the biggest potential problems with legislation in Europe. But--because of the nature of the cloud--a World Economic Forum report says that without a geographical requirement, inconsistencies in jurisdiction could become a problem in the case of a breach, adding, "Governments worry about losing the legal ability to 'oversee' data in the cloud and apply their laws to the cloud." 
Full Story

HEALTHCARE PRIVACY—UK

Patients Fret About Breaches, ICO Wants Auditing Powers (October 13, 2011)

A study conducted by an auditing solutions firm has revealed that more than half of National Health Service (NHS) patients would withhold personal information from their doctors due to concerns over data breaches or confidentiality, PublicService.co.uk reports. Of the more than 1,000 respondents, nearly 40 percent said they would seek alternative treatment if a clinic had a poor data security reputation. Meanwhile, Information Commissioner Christopher Graham has once again called for powers to conduct compulsory data protection audits in the local government, health and private sectors, according to a press release. Graham said, "Something is clearly wrong when the regulator has to ask permission from the organizations causing us concern before we can audit their data protection practices."
Full Story

DATA LOSS

Company Suspends 93,000 Online Accounts (October 12, 2011)

Sony announced that it has locked 93,000 online network user accounts because of an unusual number of sign-in attempts from an unauthorized user, AFP reports. The suspicious activity reportedly took place between October 7 and 10 and involved attempts that succeeded in verifying valid user IDs and passwords. The company said that the incidents "appear to include a large amount of data obtained from one or more compromised lists from other companies, sites or sources," and "only a small fraction of the 93,000 accounts showed additional activity prior to being locked." Sony is continuing an investigation into the breaches and has notified affected users.
Full Story

ONLINE PRIVACY—EU

Hustinx: Net Neutrality Must Include Privacy (October 11, 2011)

V3.co.uk reports that European Data Protection Supervisor Peter Hustinx has urged the European Commission (EC) to include users' confidentiality in any policy discussions dealing with net neutrality. Hustinx has also asked the EC to work with stakeholders to create guidance on implementation of data protection laws in any ISP monitoring. "By looking into users' Internet communications," Hustinx said, "ISPs may breach the existing rules on the confidentiality of communications, which is a fundamental right that must be carefully preserved...A serious policy debate on net neutrality must make sure that users' confidentiality of communications is effectively protected."  
Full Story

BIOMETRICS—UK

Committee: Bill May Infringe on Privacy (October 11, 2011)

A human rights committee in Parliament says that a bill designed to reform the government's retention of data in its DNA database may infringe on individuals' right to privacy, ZDNet reports. In a summary that reviewed the Protection of Freedoms Bill, the committee said it is concerned with three main components regarding biometric data: the bill's proportionality, a mechanism that would retain suspects' biometric information, and the creation of a "catch all" data retention system. The committee also commented on sections in the bill that deal with parental consent concerning the collection of children's biometric data as well as the CCTV surveillance code.
Full Story

GEO PRIVACY

EDPS Issues Opinion on Proposed Amendments (October 7, 2011)

The European Data Protection Supervisor (EDPS) this week issued an opinion on a proposed amendment to Regulation (EEC) No 3821/85, which pertains to the use of recording equipment in road transport. The amendment would address developments in digital tachographs, technology that "impinges on the privacy of professional drivers in a very visible way," the opinion states. The EDPS praises the proposal for its "dedicated provision on data protection" and attention to the concept of privacy by design but notes that more is needed "to guarantee a satisfactory level of data protection in tachographs." The EDPS recommends changes and calls on member states to consult data protection authorities before adopting national measures for tachographs.
Full Story

PRIVACY LAW—SWEDEN

Expert Outlines Personal Data Act’s Cloud Provisions (October 7, 2011)

In this IAPP Europe Data Protection Digest exclusive, Jim Runsten of Bird & Bird explores how the Swedish Personal Data Act applies to the handling of personal data by cloud services. As recently as September, Runsten notes, the Data Inspectorate Board released guidance on the processing of such data. His report explores those data controller responsibilities, including verifying legality, analysing risk and vulnerability, ensuring there is a personal data processor agreement in place, establishing appropriate security measures and addressing third-country issues. "It still remains to be seen whether all of the above requirements...can realistically be achieved by service providers," Runsten writes.
Full Story

PRIVACY LAW—EU & U.S.

Green Party: ACTA Threatens Human Rights (October 7, 2011)

The Anti-Counterfeiting Trade Agreement (ACTA) may represent "a severe threat to human rights," The Inquirer reports. That's according to a report by a London Metropolitan University professor and an Oxford researcher, presented in the European Parliament by Green MEP Jan Philipp Albrecht. ACTA "allows for the monitoring of Internet users without initial suspicion, the handing over of their personal data to rights holders on the basis of mere claims and the transfer of this data even to countries without adequate data protection, all of which is in clear conflict with legal guarantees of fundamental rights in the EU," Albrecht said, adding that the decision on ACTA should be made by the European Court of Justice.
Full Story

DATA PROTECTION—EU

Cloud Computing Off to a Slow Start (October 7, 2011)

Participants at a roundtable event this week said small and medium enterprises would be wise to overcome security fears and adopt cloud technology, potentially earning €1.2 billion in additional profits, EurActiv reports. Maurice van der Woude of trade group Eurocloud Europe says businesses simply aren't aware of the opportunities. André Richier, an official at the European Commission's Enterprise directorate, says educational schemes are needed, particularly ones targeting European business students. "We have problems with fraudsters, and we need to think about the regulatory regime and enforcement because, for companies, this is very important," Richier said. Others suggested that the European Parliament could legislate on cloud computing soon.
Full Story

DATA LOSS—UK

Trust, Schools, Police Officer Breach Act (October 7, 2011)

The Information Commissioner's Office (ICO) says that Dartford and Gravesham NHS Trust breached the Data Protection Act when it destroyed 10,000 archived records. The records had been stored in a disposal room, and the hospital has been unable to determine how many of the records contained personal information, though some of them contained names, addresses and medical information. The ICO also says that two education institutions have breached the Data Protection Act after laptops belonging to the institutions were stolen. Meanwhile, a senior police officer has been charged with "attempting to pervert the course of justice" and four counts of breaching data protection laws after accessing information on work computers.
Full Story

PERSONAL PRIVACY

Opinion: Enter Extreme Transparency (October 7, 2011)

In the BBC News Magazine, an advertising consultant and founder of an Internet start up proposes that we forget about privacy and, instead, focus on image. "The new reality that all of us live in today, personally and professionally, is one of complete transparency," says Cindy Gallop, who goes on to propose "a very simple solution" for individuals and companies--"identify exactly who you are...what you stand for, what you believe in, what you value...and if you then only ever behave, act and communicate in a way that is true to you, then you never have to worry about where anybody comes across you or what you're found doing."   
Full Story

PRIVACY LAW—IRELAND

Opinion: Audits Will Require Appropriate Staffing (October 7, 2011)

The Irish data protection office will conduct a privacy audit of Facebook, whose international headquarters are in Ireland, a task likely to extend to other companies within the country, opines Karlin Lillington for The Irish Times. Because of this, Ireland should staff the commissioner's office appropriately, Lillington writes, adding that the office "will need to decide where the balance lies between the fact that a social network is predicated on the notion that people choose to share personal information and a reasonable expectation of how that information could be used." Lillington notes that if Ireland "wants such companies here," it must consider such issues.
Full Story

TRAVELERS’ PRIVACY—U.S. & EU

DHS Defends Draft Sharing Agreement (October 6, 2011)

The U.S. Department of Homeland Security (DHS) is defending a draft airline passenger data sharing agreement with the EU, saying that such data has prevented terrorist threats, AFP reports. Members of the European Parliament could veto the agreement; they have expressed concern that a 15-year data retention period is too long and doubt that the system would prevent terror plots. Testifying before a congressional subcommittee, DHS Chief Privacy Officer Mary Ellen Callahan, CIPP, cited three audits that she said prove the data had not been abused by authorities and argued that the department's powers are not "disproportionate." Callahan rejected suggestions that only criminal data should be collected, adding, "We don't know who all the bad guys are. We have unknown terrorists out there."
Full Story

PRIVACY

Pro Bono Privacy Initiative Brings Expertise to Nonprofits (October 6, 2011)

Amidst a growing need among nonprofits for expertise in the protection of personal information, privacy professionals have come together to form the Pro Bono Privacy Initiative, which is now in its pilot phase. In this Daily Dashboard exclusive, pilot volunteers--who hail from such well-known firms and companies as Baker & McKenzie, Hogan Lovells, Hunton & Williams, Deloitte, Intuit, Verizon and IBM--discuss their hope for this new program. As IBM VP Security Counsel and Chief Privacy Officer Harriet Pearson, CIPP, puts it, "The true sign of a mature profession is when people step back and give back."   
Full Story

Cloud services and the Swedish Personal Data Act (October 6, 2011)

By Jim Runsten

The key piece of Swedish legislation regarding handling of personal data is the Swedish Personal Data Act (the act). The act sets out certain requirements for any parties engaging in such activity. As more and more public and private entities are considering the use of so-called “cloud services,” and the data processed or stored often comprises personal data, there are good reasons to pinpoint the requirements imposed by the act on the party handling personal data. The Swedish Data Inspection Board has as recently as September 2011 published a general statement concerning the processing of personal data in cloud services, the essence of which is summarized here.

At the outset, it is important to note that, for the purposes of the act, the party engaging a cloud provider is always the "Data Controller," even when the actual processing is done by the cloud service provider or its subcontractors. The provider and its subcontractors take the role of the Data Controller's "Data Processors," but the responsibility for compliance with the act and other laws remains with the Data Controller.

The responsibilities for the Data Controller can be divided into the following five main categories:

Legality verification

Under the act, the Data Processor may only process personal data in accordance with instructions from the Data Controller. Since providers of cloud services often stipulate the terms of their services themselves, the Data Controller must assess whether those terms comply with the requirements of the act before transferring personal data to the cloud service provider. Such an assessment must determine, amongst other things, whether there is a risk that the data will be used for purposes other than those originally intended, whether the data may lawfully be transferred to a third country and whether the terms offered are sufficient to meet the requirements for a data processor agreement. It remains the responsibility of the Data Controller to ensure that such an agreement is entered into with the cloud service provider.

Risk and vulnerability analysis

The demands placed on the cloud service provider under the act vary depending on the level of risk involved in the data processing; higher integrity risks mean higher demands on security. The Data Controller must conduct a risk and vulnerability analysis and decide whether it is possible to engage the cloud service provider. There are multiple well-established methods of conducting a risk...

FINANCIAL PRIVACY—EU

Article 29 Working Party Submits TFTS Dissent (October 5, 2011)

In a press release dated October 3, the Article 29 Data Protection Working Party has announced that it is "not convinced" that the proposed Terrorist Finance Tracking System (TFTS) is needed. The Working Party has sent a letter to European Commissioner Cecilia Malmström calling for evidence that the TFTS is necessary and proportional. "The Data Protection Authorities make clear that the mere added value of the information to be gained from the system is not sufficient," the release states. The commission has not yet presented a detailed TFTS proposal but will complete an impact assessment on possible options before submitting a finalized proposal.     
Full Story

DATA PROTECTION—EU

Kroes Discusses Privacy, Do-Not-Track Challenge (October 5, 2011)

Speaking at a Lisbon Council event in Brussels yesterday, European Union Digital Agenda Chief Neelie Kroes said trust and privacy are essential to the expansion of Europe's digital economy. Kroes said three principles are needed to quell users' concerns about online privacy--transparency, fairness and control. Kroes added that a citizen's right to privacy must not be sacrificed to economic interests, "but we can also not afford to damage legitimate economic interests by insisting on too inflexible or cumbersome implementations of privacy rules and the paternalistic attitude towards citizens they embody." Kroes mentioned her challenge to the web industry to agree to a do-not-track technology by June of 2012.
Full Story

DATA PROTECTION

Experts Offer Advice on Legacy IT Systems (October 5, 2011)

Though businesses rolling out new IT systems or collecting new data on their customers are increasingly privacy-conscious, the same is not true for legacy systems, reports Computerworld Canada. Experts including Ontario Privacy Commissioner Ann Cavoukian and Sagi Leizerov, CIPP, of Ernst & Young, offer advice on how to address the most pressing issues with such systems, including advising IT staff that more is not better when it comes to data collection, taking stock of "which systems your sensitive information is passing through...evaluating and improving upon the password policy settings in custom apps" and looking at any "unrestricted mass data storages and share folders."
Full Story
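The two legacy-system checks the experts name above, weak password policy settings in custom apps and unrestricted share folders, lend themselves to a small scripted audit. The example below is added here and is not code from the Computerworld Canada article or from the experts it quotes. The application names, the INI keys, the baseline thresholds and the directory layout are all assumptions made for illustration; the sample configs and folders are constructed inline so the script runs offline on a POSIX system.

```python
"""Audit two legacy-system weaknesses: password policy settings in
custom app configs and share folders readable or writable by everyone.
Added example; app names, config keys and baselines are assumptions."""
import configparser
import os
import stat
import tempfile

# Constructed sample: INI-style auth settings of two hypothetical legacy apps.
SAMPLE_CONFIGS = {
    "billing-legacy": """
[auth]
min_password_length = 6
max_password_age_days = 0
lockout_threshold = 0
""",
    "crm-2004": """
[auth]
min_password_length = 12
max_password_age_days = 90
lockout_threshold = 5
""",
}

# Assumed baseline. "min": actual must be >= value. "max": actual must be
# <= value, and 0 means the control is switched off entirely (never expire,
# never lock out), which is the weakest possible setting.
BASELINE = {
    "min_password_length": (12, "min"),
    "max_password_age_days": (90, "max"),
    "lockout_threshold": (5, "max"),
}


def is_weak(key, actual):
    """True if a single setting falls short of the assumed baseline."""
    expected, kind = BASELINE[key]
    if kind == "min":
        return actual < expected
    return actual == 0 or actual > expected


def check_password_policy(ini_text):
    """Return [(setting, actual_value)] for every setting weaker than BASELINE.
    A missing key is treated as 0, i.e. the control is absent."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    auth = cfg["auth"]
    return [(key, auth.getint(key, fallback=0))
            for key in BASELINE if is_weak(key, auth.getint(key, fallback=0))]


def find_unrestricted_dirs(root):
    """Walk root and return relative paths of directories whose POSIX mode
    grants read or write access to 'other' (world-readable/writable)."""
    hits = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if mode & (stat.S_IROTH | stat.S_IWOTH):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def build_sample_shares():
    """Constructed layout: one share open to everyone, one restricted to
    owner and group. chmod is explicit so the umask cannot interfere."""
    root = tempfile.mkdtemp(prefix="shares-")
    os.chmod(root, 0o750)
    open_share = os.path.join(root, "public_exports")
    closed_share = os.path.join(root, "hr_archive")
    os.mkdir(open_share)
    os.chmod(open_share, 0o777)
    os.mkdir(closed_share)
    os.chmod(closed_share, 0o750)
    return root


if __name__ == "__main__":
    for app, ini in SAMPLE_CONFIGS.items():
        findings = check_password_policy(ini)
        print(app, "OK" if not findings else findings)
    print("unrestricted shares:", find_unrestricted_dirs(build_sample_shares()))
```

Run as-is, the script flags all three settings of the hypothetical "billing-legacy" app (a six-character minimum, passwords that never expire and no lockout), passes "crm-2004", and lists only the world-accessible "public_exports" folder. Pointing `find_unrestricted_dirs` at a real file server root gives the "share folder" inventory the article recommends; on Windows shares the NTFS ACLs would need to be inspected instead of POSIX mode bits.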

PERSONAL PRIVACY—UK

Phone Manufacturer To Fix Security Flaw (October 5, 2011)

Android phone manufacturer HTC says it will soon release an update to fix a flaw that could expose users' GPS locations and call logs to "a malicious third-party application," BBC News reports. The announcement comes after Android Police, a blog focused on Android phones, discovered a security loophole. "HTC is working very diligently to quickly release a security update that will resolve the issue on affected devices," said a company spokesperson, adding that no customers have thus far reportedly been affected. The blogger who discovered the flaw has raised concerns about the amount of personal data stored in one file.  
Full Story
