European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

Reding reveals views on BCRs (November 30, 2011)

The buzz right now in Europe centers on the business and data protection community’s anticipation of the upcoming release of proposed changes to the EU Data Protection Directive. As one professional put it, “we are on pins and needles in anticipation.” Another expressed hope that the changes, which are expected in January, will provide some legal certainty around challenging data protection issues.

So, in introducing European Commission Vice-President Viviane Reding at Tuesday’s IAPP Europe Data Protection Congress, and with a nod to the holiday season, former UK Information Commissioner Richard Thomas speculated that perhaps she might “give the gift of a preview” of what to expect among the changes.

The vice president fulfilled that wish to an extent, offering a glimpse of the commission’s thoughts. Specifically, Reding discussed her views on binding corporate rules (BCRs), describing them as a “smart tool” for businesses to gain legal certainty in an uncertain data protection landscape. But, she said, as an instrument, BCRs could be made more effective and more available to a broader range of businesses.

Three routes to improvement

Binding corporate rules emerged as an alternative means to enable cross-border data transfers to those countries deemed not to have “adequate” data protection standards by the European Commission. No more than 30 companies have gained approval for BCRs since their inception. The approval-seeking process is considered laborious and expensive, which causes some companies to forgo applying.

Reding's speech hinted at a possible change to this paradigm.

In her speech, Vice-President Reding said the administrative burdens associated with seeking BCRs must be lifted. Binding corporate rules, she said, should no longer be a tool only for experts. “Companies of any size should be able to take advantage of BCRs.”

Reding also proposed three strategies to improve BCRs’ effectiveness—simplification, consistent enforcement and innovation.

Simplification

Currently, approximately 19 data protection authorities (DPAs) participate in a mutual-recognition pact that allows for speedier BCR review and approval.

In her address, Reding hinted that more mutual recognition is needed, saying, “I propose BCRs be based on one single law—European law,” where, once approved by one data protection authority, BCRs are approved by all DPAs in the bloc.

Enforcement

Consistent enforcement, Reding said, is also needed in order to improve BCRs’...

DATA PROTECTION

Reding Reveals Views on BCRs (November 30, 2011)

During a keynote address at the IAPP Europe Data Protection Congress on Tuesday, EU Vice-President Viviane Reding offered a glimpse of her views on binding corporate rules (BCRs) as an instrument for data transfers. Reding described BCRs as a "smart tool" in need of improvement. She proposed three strategies to improve BCRs' effectiveness--simplification, consistent enforcement and innovation.

PRIVACY LAW—ITALY

DPA Imposes Direct Marketing Limitation (November 29, 2011)

Personal data registered in a professional telephone directory cannot be used to propose commercial products or relevant offers without the express consent of the interested professional or other specific conditions. By means of an ad hoc decision, Italy's data protection authority, the Garante, has forbidden a telephone company to use the personal data of a lawyer to call him to promote its telephone products since the direct marketing operation was neither covered by the express consent of the lawyer nor focused on products directly connected to the legal profession. (Article in Italian.)
Full Story

ONLINE PRIVACY

Twitter Acquires Whisper Systems (November 29, 2011)

The online messaging company Twitter has acquired Whisper Systems, a technology company that developed a software suite to protect people's cellphone and text communications from being obtained by third parties, reports The Wall Street Journal. The move has some questioning what plans Twitter has for the company and others disappointed that Whisper Systems' current services--which have been used by activist groups to organize--have been temporarily shut down. Twitter said in a statement that Whisper Systems' founders will join the company, "bringing their technology and security expertise to Twitter's products and services." (Registration may be required to access this story.)
Full Story

TRAVELLERS’ PRIVACY—EU & U.S.

Regulators Voice PNR Concerns (November 24, 2011)

Dutch Member of the European Parliament (MEP) Sophie in't Veld says that a gag order that prevents MEPs from speaking about the passenger name record agreement between the U.S. and EU "is highly unfortunate. MEPs can read it, but citizens should also have access to what is decided about their rights." PCWorld reports that German MEP Jan Philipp Albrecht says the agreement violates EU privacy laws, adding, even if data is anonymised after six months, "the U.S. still keeps all the records for 15 years...way beyond what is allowed by the EU treaties." And head of the French Data Protection Authority (CNIL) Isabelle Falque-Pierrotin says European and American views on the balance between data protection and security are "not totally aligned." Europe "is trying to negotiate to make sure that data and Internet privacy is respected," she said. 
Full Story

DATA PROTECTION—EU

Nemitz: EC To Present New Privacy Regulation (November 24, 2011)

At the German Association for Data Protection and Data Security's (GDD) annual privacy conference, Director for Fundamental Rights and Citizenship of the European Commission Paul Nemitz announced the commission's plan to implement a law aimed at creating uniform data protection regulation in Europe, reports Hunton & Williams' Privacy and Information Security Law Blog. The GDD report states that the law will assign regulatory responsibilities based on the location of companies' headquarters but also allow individuals to lodge complaints in their home countries. The law will also require large companies to appoint data protection officers, conduct privacy impact assessments and, in some cases, implement "privacy by default" settings for IT systems, according to the report.
Full Story

DATA LOSS—UK

Advocacy Group Reports Prevalence of Breaches; ICO Issues Case Findings (November 24, 2011)

In a press release, the Information Commissioner's Office (ICO) announced that Southwark Council violated the Data Protection Act when it misplaced a computer and various papers that contained the personal information of 7,200 individuals. Compromised data included names, addresses, ethnic backgrounds, medical histories and criminal convictions. The council has agreed to improve security procedures and will undergo an ICO audit in the next year. The ICO has also found a government advisor guilty of "failure to protect personal information" after a laptop containing unencrypted sensitive information about eight court cases was stolen from her house. Meanwhile, The Bolton News reports that the Bolton Council plans to appeal the ICO's decision regarding the release of staff information in a Freedom of Information Act request, and The Guardian reports that Big Brother Watch says local councils have experienced data breaches at least 1,035 times during the past three years.
Full Story

PRIVACY LAW—UK

Scottish Police Officer Faces Trial in Breach Case (November 24, 2011)

A senior police officer will stand trial on charges she breached the Data Protection Act by accessing police computers at Edinburgh Sheriff Court to obtain private information. BBC News reports the trial of Inspector Allison Strachan is scheduled to begin in March on four charges "she illegally accessed top secret databases at various police stations in the Lothian and Borders force area between November 2006 and May 2010." Strachan entered not guilty pleas to all charges through her attorney, the report states.
Full Story

DATA PROTECTION—FRANCE

CNIL Issues Annual Report (November 23, 2011)

In its Annual Activity Report for 2010, the French Data Protection Authority (CNIL) outlines its recommendations on key topics including the revised EU Data Protection Directive, the right to be forgotten and the creation of binding international data protection regulations, reports Hunton & Williams' Privacy and Information Security Law Blog. The report also notes that the CNIL's powers were strengthened in the last year--it "issued its first injunctions to stop data processing activities" and "levied a record fine against Google," the report states. The authority also reviewed the implementation of 55 surveillance cameras and conducted 308 onsite inspections--up 14 percent from last year.  
Full Story

PRIVACY LAW—EU

EDPS Calls for Strengthened IMI Data Protection Framework (November 23, 2011)

In an opinion released on Tuesday, the European Data Protection Supervisor (EDPS) called for improved data protection standards for the Internal Markets Information System (IMI), eGovmonitor reports. Recognizing the need for flexibility "to cover administrative cooperation in different policy areas," the EDPS says the flexibility should also bring with it legal certainty. According to the report, the EDPS recommends that foreseeable IMI components should be clarified and new functionalities should undergo safeguards such as a privacy impact assessment or a consultation with the EDPS or national data protection authorities. An EDPS spokesman said, "The EDPS calls attention to two key challenges: the need to ensure consistency in the legal framework, while respecting diversity, and the need to balance flexibility and legal certainty."  
Full Story

ONLINE PRIVACY

Privacy-Focused Browser Extension Released (November 23, 2011)

PCWorld reports on a team of European and U.S.-based privacy researchers and product designers that has released "a browser-based implementation of Privicons, a project that aims to provide users with a simple method of expressing their expectations of privacy when sending e-mail." The "Privicons" are six icons matched with instructions such as "don't attribute" or "keep private" that users can add to their e-mails "to instruct recipients about how to handle a message or its content," the report states. Project proponents note it is based on user choice rather than the technological enforcement used for most e-mail privacy efforts. 
Full Story

GENETIC PRIVACY—EU

Experts: DNA Requires Privacy Protection (November 21, 2011)

Experts are advising the EU to ensure privacy is protected and that technological advances do not make it possible for employers and insurers to abuse genetic data, the Irish Times reports. Speaking at a conference in Ireland, scientific and legal experts "outlined how genetic testing techniques may be able to detect the onset of future disabilities and how this technology is used increasingly in both employment and insurance contexts." With no EU-level regulation to "ensure the privacy...or to prevent the discriminatory use of such information," one expert recommends "a transatlantic dialogue between the EU and the U.S." as U.S. legislation "has struck a balance between the rights of employers and insurers and the rights of individuals."
Full Story

ONLINE PRIVACY—EU

UK ICO Says Right To Be Forgotten “Unenforceable” (November 18, 2011)

In a briefing document, the UK Information Commissioner's Office (ICO) asserts that revisions to the European Union's data protection laws should not include a general "right to be forgotten," Out-Law.com reports. Instead, the "framework should strengthen individual rights to object to and block processing..." the ICO said in the briefing. "It should not introduce a standalone right to be forgotten which could mislead individuals and falsely raise their expectations, and be impossible to implement and enforce in practice." EU Justice Commissioner Viviane Reding recently called for consumers to have a right to remove information posted about them online.
Full Story

SURVEILLANCE—EU

ENISA Warns of Voluntary Surveillance Society (November 18, 2011)

The European Network and Information Security Agency (ENISA) has released a report warning that Europeans "run the risk of creating a surveillance society" as the world becomes increasingly networked and individuals surrender personal information in exchange for benefits, FierceGovernmentIT reports. ENISA recommends the European Commission "utilize the consultation on revisions to the data protection directive as a mechanism to anticipate the regulatory frameworks required as a result of increasing use of life-logging devices and services." The report also calls for private-public sector cooperation and industry self-regulation.
Full Story

PRIVACY LAW—EU

MEP “Disappointed” in New PNR Agreement (November 18, 2011)

In an interview with Europolitics, Vice Chair of the European Parliament Committee on Civil Liberties Sophie in't Veld said that the new passenger name record (PNR) agreement with the U.S. "is not clear" and she is "very disappointed that, in the negotiations with our closest ally, we are unable to come up with something that is in line with EU legislation." Though she said she will hold her "definitive judgement until I have had the opinion of legal experts," in't Veld added that the data retention terms "are much harsher than those laid down in the agreement with Australia," and the agreement contains clauses that "may allow for other uses of PNR data, like controlling borders or other unspecified purposes."
Full Story

SURVEILLANCE—UK

Oxford Taxis To Record Audio, ICO Responds (November 18, 2011)

The Oxford City Council is backing a decision to require CCTV cameras in the city's taxis to record all conversations while the information commissioner and privacy advocates are calling it a violation of privacy. The council says audio recording is critical for public safety and that the recordings would not be used unless needed in a specific crime or licensing issue, The Oxford Times reports. But Information Commissioner Christopher Graham says, "CCTV must not be used to record conversations between members of the public as this is highly intrusive." His office recommends solutions such as a system where audio recording is triggered by excessive noise or a panic button.
Full Story

DATA LOSS—UK

MP’s Document Disposal Breached Privacy (November 18, 2011)

Information Commissioner Christopher Graham says that Cabinet Minister Oliver Letwin violated the Data Protection Act when, on numerous occasions, he disposed of constituents' documents in a St. James' Park dustbin, reports The Guardian. An Information Commissioner's Office investigation revealed that the documents contained personal data of approximately 20 individuals, including names, addresses, contact details--and, in at least one case, an individual's recent medical treatment. Graham said, "Constituents entrust their Member of Parliament with all sorts of personal information and should never expect the details of the concerns they've raised in confidence to end up in a park bin for anyone to see." Letwin has signed a commitment ensuring he will securely handle sensitive documents in the future.
Full Story

PRIVACY LAW—IRELAND

Company Makes Changes To Avoid Fines (November 18, 2011)

Currently undergoing an audit by the Irish Data Protection Commissioner's office, Facebook is making changes to stay in compliance with the country's data protection laws, TPM reports. Though he did not specifically disclose the changes the company is making, Ireland Deputy Commissioner of Data Protection Gary Davis said, "Facebook is cooperating fully with the audit, and we would anticipate that it will implement any necessary changes to comply with any requirements identified without the need for any use of powers by the commissioner." Davis also added that the office plans to publish its findings by the end of the year.
Full Story

DATA LOSS—FINLAND

Used Car Site Experiences Breach (November 18, 2011)

The Helsinki Times reports that the personal data of car shoppers was posted to the Internet by a hacker. The information included usernames, passwords and e-mail addresses of 12,000 users of the site Netcar. It is the third large-scale breach in recent days, according to the report. Last week, the country's communications authority notified 16,000 individuals that their personal data had been breached.
Full Story

ONLINE PRIVACY

Programme Offers Consumers Control of Personal Data (November 18, 2011)

In light of telecommunications company O2's trial programme, which will provide customers with more control over how their data is used, Financial Times asked three experts about who should ultimately police companies' use of personal data. Photobox Managing Director Lawrence Merritt said, "It should be a shared responsibility," adding that "data privacy must be viewed as a continuum." Author Misha Glenny was cautious of O2's programme but said "enabling people to judge who can use their details ensures a small measure of control over a technology that sometimes threatens to run out of control." Hitachi Data Systems Vice President and General Manager of UK, Ireland and South Africa Stephen Ball said, "While organisations are legally obliged to take ownership of where data sit, a rethink is required by consumers." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

Reding Talks Self-Regulation, Harmonization (November 17, 2011)

In a Q&A with The Washington Post, European Commission Vice President Viviane Reding said that self-regulation is "little more than a fig leaf" and only works "if there is strong, legally binding regulation in the first place." Reding also stressed the need for harmonization in the European marketplace.

ONLINE PRIVACY

Company Offers WiFi Opt-Out (November 16, 2011)

Google has agreed to provide a WiFi opt-out method for users who prefer to keep the names and locations of their wireless routers out of the company's database. The move comes after the company faced increased pressure from data protection authorities in the Netherlands, The New York Times reports.

BIOMETRICS—UK & INDIA

Frontline: It Failed in the UK; Will It Work in India? (November 16, 2011)

India's Unique Identification project (UID) will assign every citizen a unique 12-digit identifying number linked to their biometric and demographic information. The project has generated concerns around the scheme's privacy safeguards. The UK planned to implement a biometric identification program in 2004, but concerns were raised about "a potential danger to the public interest and to the legal rights of individuals," among others, and the plan was halted in 2010. In this Frontline report, Edgar Whitley, research coordinator of the London School of Economics Identity Project, discusses why certain biometric identification plans failed.  
Full Story

PRIVACY LAW

APEC Endorses Cross-Border Rules (November 15, 2011)

At a meeting in Hawaii this week, the Asia-Pacific Economic Cooperation (APEC) leaders endorsed the APEC Cross-Border Privacy Rules (CBPRs), reports Hunton & Williams' Privacy and Information Security Law Blog. Implementing the rules enables data flow across borders "while enhancing data privacy practices; facilitating regulatory cooperation, and enabling greater accountability through the use of common principles, coordinated legal approaches and accountability agents," said an APEC statement. Welcoming the approval of the rules, FTC Commissioner Edith Ramirez said they have the potential to "significantly benefit companies, consumers and privacy regulators." The APEC Data Privacy Subgroup will next begin developing the structure for CBPR implementation, the report states.
Full Story

TRAVELERS’ PRIVACY—EU

Body Scanner Guidelines Aim To Protect Privacy (November 15, 2011)

The European Union (EU) has adopted new guidelines for the use of airport body scanners and, according to the EU commissioner of transport, the rules will help protect privacy and supply travelers with basic rights, The Washington Post reports. The new guidelines mandate that scanners not store or copy passenger images, security agents analyzing images be in a room separate from the actual screening and passengers be notified and granted an alternative screening method. A spokeswoman from the transport commission said, "The most important provision is that every passenger has the right to opt out and ask for the use of an alternative method." (Registration may be required to access this story.)
Full Story

BIOMETRICS

Creepy or Cool? Facial Recognition Is on the Rise (November 14, 2011)

From digital billboards that target advertising based on the demographics of passersby to an app that scans bars determining the average age and gender of the crowd to Facebook's "Tag Suggestions" feature, facial recognition is looking like the wave of the future, The New York Times reports. While some see the trend as an opportunity to offer and receive relevant information, others are concerned about potentially more intrusive uses of the technology.

PERSONAL PRIVACY—EU & U.S.

EC Announces New PNR Deal (November 11, 2011)

The European Commission has announced a newly revised deal with the U.S. that will allow American authorities to retain airline passengers' personal data for 15 years as part of counterterrorism efforts, AFP reports. The EC and U.S. government have been negotiating the deal for several months. Previous versions have been criticised by members of the European Parliament due to privacy concerns. "To our eyes, the new text represents a very big improvement from the existing agreement," said Michele Cerone of the EU Home Affairs office. "The new agreement will guarantee that PNR (Passenger Name Record) data will be used for restricted and well-defined purposes." 
Full Story

BIOMETRICS—GERMANY

Caspar Preparing Legal Remedy (November 11, 2011)

Hamburg's Commissioner for Data Protection and Freedom of Information says Facebook has failed to bring its facial recognition function into line with European and German data protection laws and he will "make use of the legal avenues available" to remedy the matter. Johannes Caspar in October demanded the company begin seeking users' consent before enabling the function, but the method the company introduced to meet this demand "is insufficient to provide a substantive legitimation to the collection of users' biometric face profiles," according to a commission press release. "After the months of negotiations we have conducted with Facebook, this result is a disappointing one," said Caspar.
Full Story

CHILDREN’S PRIVACY—EU

ENISA Issues Recommendations To Protect Children Online (November 11, 2011)

PCWorld reports on new recommendations issued by the European Network and Information Security Agency (ENISA) toward mitigating the risks children face while online. Aimed at assisting law enforcement agencies, member states, civil groups, parents and educators in protecting children, ENISA lists top threats--including cyberbullying and exposure to online predators--and uses a fictional scenario to highlight how potential attackers use "data mining and profiling techniques to build an online identity" to earn children's trust. ENISA's recommendations include specialised security settings for teens and assessing applications with access to teenagers' data "for their impact on privacy," the report states.
Full Story

HEALTHCARE PRIVACY—UK

NHS Staffers Disciplined for Social Media Use (November 11, 2011)

The Guardian reports on disciplinary action taken against NHS Trust staffers for improper use of social media. According to data released in response to Freedom of Information requests, 16 trusts took 72 actions against staffers from 2008 through this October. A number of trusts have responded to the misuse by restricting Internet access at work, but the British Medical Association and the Nursing and Midwifery Council say healthcare professionals should be aware of how to properly use social media. The Department of Health says it has released recommendations but it is up to individual entities to enforce policies.
Full Story

STUDENT PRIVACY—UK

ICO Announces Information Rights Research Project (November 11, 2011)

The Centre for Research on Families and Relationships at the University of Edinburgh will lead a research project to ensure young people are aware of privacy threats and the ways they can protect themselves, the Information Commissioner's Office (ICO) has announced. "Embedding information rights in the education system isn't as straightforward as simply making all pupils complete a specific course--it's about equipping them with a set of life skills," said ICO Head of Strategic Liaison Jonathan Bamford, adding that knowledge about protecting online privacy and accessing information will empower students and "serve them well throughout their adult lives."
Full Story

DATA LOSS—UK

Council Loses Data on 18,000 (November 11, 2011)

The Information Commissioner's Office (ICO) says that Rochdale Metropolitan Borough Council breached the Data Protection Act when it lost a USB drive containing the personal information of 18,000 citizens, PC Advisor reports. ICO Acting Head of Enforcement Sally-Anne Poole said the office's investigation "uncovered a number of failings," adding, "This incident could have been easily avoided if adequate security measures had been in place." The data, which was unencrypted, included names, addresses and details of payments made to the council. The council had no policy for encrypting USB sticks but has now adopted one and has plans to extend it to other devices.
Full Story

DATA LOSS—IRELAND

Commissioner: No ID Theft Resulting from Hospital Breach (November 11, 2011)

After investigating an August data breach at Dublin's Tallaght Hospital, Ireland's Data Protection Commissioner says that there has been no indication of identity theft or selling of the data, reports Irishhealth.com. The breach involved unauthorised use and disclosure of personal information that was outsourced to a transcription services company in the Philippines. While the commissioner says he's no longer investigating this incident, he is looking into the outsourcing of such patient data in general after learning that other health entities used the company.
Full Story

PRIVACY LAW—SWEDEN

Complaints Say Site Violates Privacy (November 11, 2011)

The Local reports that a new, non-government website is generating complaints because it contains personal information of convicted criminals. Users of the site are able to perform geographic searches as well as find out the names, contact information, personal identity numbers and court rulings of the offenders, the report states. The country's data protection laws prohibit "anyone other than a public agency to handle personal information about violations of the law which include crimes." A representative from Sweden's Data Protection Board says the agency has received complaints about the site but has yet to conduct a detailed investigation.
Full Story

SURVEILLANCE—UK

Group Says Law Allows for Excessive Snooping (November 11, 2011)

A human rights group has said that public bodies are using the UK's Regulation of Investigatory Powers Act (RIPA) to snoop on citizens. The group, Justice, says RIPA has been used nearly three million times in the last decade for surveillance purposes and more than 20,000 warrants have been issued to intercept phone calls, e-mails and Internet use, reports The Telegraph. Justice also reports that 10 of 1,100 complaints on the use of RIPA have been upheld. "Its poor drafting has allowed councils to snoop, phone hacking to flourish, privileged conversations to be illegally recorded, and CCTV to spread," a Justice spokesman said.
Full Story

PRIVACY LAW—U.S. & EU

Experts, Organizations Respond to Comments (November 10, 2011)

The New York Times reports on reaction to comments made earlier this week by European Justice Commissioner Viviane Reding and German Minister of Food, Agriculture and Consumer Protection Ilse Aigner about strengthening the European Union's (EU) data protection framework. One privacy lawyer was skeptical that the strengthened laws would place more of a burden on U.S.-based companies, saying, "The challenge is one of jurisdiction in the Internet age." Meanwhile, earlier this year, the American Chamber of Commerce to the EU submitted a brief to lawmakers saying stricter laws "would inevitably lead to a general obligation to monitor the Internet, undermining the strong foundations on which the Internet was developed in the first place and the basis on which democratic societies operate." (Registration may be required to access this story.)  
Full Story

DATA LOSS

Experts: CPO, Plans Needed To Avoid High-Cost Breaches (November 10, 2011)

"Having a good plan in place can seriously reduce the costs resulting from the breach as, in these kinds of situations, the longer things run without being dealt with in the proper fashion, the more costly it can get." That's the message from one of the cyber-risk experts sharing insights on guarding against high-cost data breaches in a Financial Times feature. Given the ever-increasing amount of personal data that companies hold about their customers, the report highlights safeguards that apply across jurisdictions and borders, including having a breach response plan and a dedicated chief privacy officer in place. (Registration may be required to access this story.) Editor's Note: The most recent edition of Inside 1 to 1: PRIVACY includes a report on avoiding becoming the subject of a U.S. FTC action or a target for lawsuits.
Full Story

DATA PROTECTION

Carrots, Sticks and Big Data (November 10, 2011)

In The Mercury News, Larry Magid summarizes last week's 33rd International Conference of Data Protection and Privacy Commissioners in Mexico City. Magid observes that "there are tensions not only between regulators and those they regulate but among regulators themselves, who don't always agree on just whether they should be wielding sticks or dangling carrots." And he discusses the conversations about "big data," quoting Future of Privacy Forum Director Jules Polonetsky, CIPP, as saying there are concerns about how big databases will be used but that they also offer benefits. "We can learn a huge amount, and the question is, can we manage to not throw out the baby with the bath water."
Full Story

PRIVACY LAW—EU

Expert: Updated Directive Is Vital (November 9, 2011)

V3.co.uk reports that the head of Field Fisher Waterhouse's privacy and information law group, Eduardo Ustaran, CIPP, says updating and strengthening the EU Data Protection Directive (95/46/EC) is vital to protect European citizens' data. The European Commission (EC) "wants to make sure that companies targeting individuals in the EC do not fall outside European law as the current directive is limited in scope," says Ustaran. "For example, German data regulators find it hard to compel organizations to adhere to its own laws if they're not based within the EU at large, so there is a strong desire to overhaul the current system." The updated directive is also reportedly going to address loopholes in the current directive that allow the U.S. Patriot Act to access European citizens' data contained in the cloud.
Full Story

PRIVACY LAW

Multinationals Struggle To Comply With Varied Laws (November 9, 2011)

Describing online privacy as "an issue of central importance for businesses in every industry," Financial Times explores the efforts of policymakers to strengthen existing privacy laws and introduce new ones as Internet technologies evolve ahead of legislation. "The rules differ widely from country to country, with varying degrees of enforcement," the report states, noting that from the sectoral privacy regulations of the U.S. to those "stricter laws" in place in such countries as the UK, Germany and Canada, "the large and growing body of different national privacy regimes means that multinational businesses operating in many markets, face an increasingly difficult task in complying with them all." (Registration may be required to access this story.)
Full Story

DATA LOSS—FINLAND

Personal Data of 16,000 Leaked Online (November 7, 2011)

Finland's communications authority, Ficora, is telling more than 16,000 victims of a data breach to be aware of online predators after their personal information was leaked on a file-sharing website, YLE.fi reports. Compromised information includes Social Security numbers, addresses, telephone numbers and e-mail addresses. A data security expert says he believes the incident may have been caused by careless handling of data. The National Bureau of Investigation has launched a criminal probe into the incident, the report states.  
Full Story

ONLINE PRIVACY—GERMANY

Gaming Company Faces Petition, Revises Terms (November 4, 2011)

More than 8,000 online game users have signed a petition demanding that a video game maker change its terms and conditions. EA says it has modified the terms and conditions of its online distribution system after allegations that it violated German privacy law, The Local reports. The Origin System allows users to purchase and network games, but its terms and conditions seem to be a literal translation from the American version, which allows for data collection including IP addresses, in violation of German law, the report states. EA says it "regrets any confusion."
Full Story

DATA PROTECTION—UK

Gov’t Launches Consumer Data Control Effort (November 4, 2011)

The Register reports on the UK government's launch of "midata," an effort to increase government and private company transparency on data collection practices. Information Commissioner Christopher Graham has welcomed the scheme, a voluntary partnership allowing users to access the information companies hold about them. The Business, Innovation and Skills (BIS) department, which launched the scheme, said not only will consumers benefit from it, but businesses, too. "As customers get used to updating and managing preferences and permissions, they are more likely to opt in rather than out of marketing communications," a BIS document states.
Full Story

DATA LOSS—UK

Study: 800-Plus NHS Breach Incidents in Three Years (November 4, 2011)

The group Big Brother Watch has released a report showing that during a three-year period between 2008 and 2011, NHS trusts experienced 806 data breach incidents, the Belfast Telegraph reports. The ICO has also ordered University Hospitals Coventry & Warwickshire NHS Trust to review its policies and train staff after finding that the trust breached the Data Protection Act on two occasions, according to an ICO press release, while 16 Great Western Hospital employees and 47 NHS Lothian employees were disciplined for privacy breaches. Meanwhile, The Guardian reports that reforms aimed at filling in some of the gaps that exist in the efficacy of the NHS's use of patient data are on the way, but privacy advocates have taken issue with the NHS's Secondary Uses of Service when it comes to patient consent and the public release of anonymised data.
Full Story

ONLINE PRIVACY—UK

Group Calls on Gov’t To Foster Online Rights (November 4, 2011)

Advocates for freedom of expression and online privacy have written to the UK's foreign secretary to call for clearer online rights. A letter signed by Open Rights Group and Privacy International, among others, urges the UK government to promote citizens' rights online, eWeek reports. "The government now has an historic opportunity to support technologies that promote rather than undermine people's political and social empowerment," the letter stated. The UK this week hosted a conference on cyberspace that saw leaders from the U.S. and EU.
Full Story

DATA LOSS—UK

Stolen Youth Data Was Unencrypted (November 4, 2011)

An investigation by the Information Commissioner's Office (ICO) has concluded that not enough was done to protect the sensitive information of a group of troubled youths, Chronicle News reports. Newcastle Youth Offending Team failed to protect the data and to ensure its employees were complying with necessary security measures, the report states, after a laptop storing unencrypted data on about 100 youths was stolen from a third-party contractor's home. ICO spokeswoman Sally-Anne Poole said not enough data handlers are making use of encryption, and that organisations can't assume third parties have adequate data protection standards.
Full Story

DATA LOSS—IRELAND & UK

Records Found Unattended, Council Data Breached (November 4, 2011)

The UK Information Commissioner's Office (ICO) has ordered a council to make improvements to its data protection practices by March 2012 after it lost a memory stick containing details on more than 18,000 individuals, Public Service reports. The ICO has also determined that another UK council has taken appropriate steps after a data breach that resulted in personal information on foster parents being shared with the child they fostered. In Ireland, meanwhile, the Data Protection Agency (DPA) is investigating after a box of confidential information on private security staff and the Security Institute of Ireland was discovered unattended. Cork County Council officials removed the files and contacted the agency involved. The information included passport data, home addresses and telephone numbers. A DPA spokesperson said that the agency will work with the council and "investigate from there."
Full Story

IDENTITY THEFT—UK

E-Crime Summit Addresses Risks (November 4, 2011)

E-crimes cost the Welsh economy nearly £1 billion per year, which has prompted a summit on e-crime and identity theft in Wales this week. BBC News reports on a Welsh woman raising money to build a rehabilitation centre who recently learned she'd become a victim of identity theft after she received letters from mobile phone, insurance and computer companies--none of whom she was affiliated with--thanking her for her business. Mel Davies worries that the good name of her charity, a multimillion-pound organisation, may suffer. Matt Jukes, assistant chief constable of South Wales Police, suggests ways individuals can protect themselves.
Full Story

PRIVACY LAW—FRANCE

CNIL Releases Cookie Guidance (November 4, 2011)

The French Data Protection Authority (CNIL) has released guidance through its website addressing the EU Directive 2009/136/EC and the use of cookies by online companies. In this Daily Dashboard exclusive, Bird & Bird Associate Gabriel Voisin explores the key elements of the recently released guidance, including how the term "cookie" will be interpreted, which types of cookies do not require prior consent, ways to obtain user consent, the CNIL's position on advertising industry initiatives and the risks of not complying with the new rules. Editor's Note: Visit the IAPP Knowledge Center for a comprehensive look at the status of EU member states' implementation of the ePrivacy Directive.
Full Story

DATA LOSS—UK

MP Apologizes for Privacy Breach (November 4, 2011)

Business Secretary Vince Cable has apologized for inappropriately disposing of unshredded documents and letters that contained personal information of constituents, The Telegraph reports. Cable admitted that it was an "unacceptable breach of privacy" and has taken "full responsibility" for the incident. The Information Commissioner's Office (ICO) has confirmed that they have been notified by Cable and will look into the matter. Cable could face a fine of up to £500,000 by the ICO, the report states. 
Full Story

CNIL Releases Cookie Guidance (November 4, 2011)

By Gabriel Voisin
Associate, Bird and Bird

In France, implementation of the Directive 2009/136/EC (Directive) has been done through the ordinance of 24 August 2011 n°2011-1012 relating to electronic communications (Ordinance). The new cookie rules, which entered into force on 26 August, now require that consent be obtained before cookies are placed.

Accompanying guidance was approved by the French Data Protection Authority (the “CNIL”) on 26 October and was made available on the CNIL’s website on 2 November. The key elements can be summarised as follows.

The term “cookie” will be broadly interpreted

According to the CNIL’s guidance, the term “cookie” also applies to other technology related to cookies, like “flash” cookies, also known as “Local Shared Objects,” and local web storage, also called DOM Storage. The term “cookie” therefore has a wide scope.

No consent needed for specific types of cookies

The following cookies are not covered by the information and prior consent rules:

  • Cookies that are used like a shopping basket on an online retailer’s website;
  • User session cookies (Session ID), for linking the actions of a user which is necessary to provide the service which they have asked for;
  • Cookies that have the sole purpose of contributing to security the user has asked for;
  • Cookies for registering the language spoken by the user--for sites translated into many languages--or other preferences necessary to provide the requested service;
  • Flash cookies that contain elements strictly necessary to make a media player work (audio or video) if the content has been demanded by the user.

The CNIL indicates that, although no prior information is required for these types of cookies, it is nevertheless recommended for operators to give information about the use of cookies in their website's privacy policy.

Third-party cookies

In the case that a cookie is inserted by a third party--for example, targeted advertising inserted by an advertising agency--the information and consent do not have to be given twice. As such, if an advertising agency gives the information and collects the consent from the Internet user, the operator in charge of the website does not have to repeat this operation for that particular cookie.
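The exemption list above and the "not twice" rule for third-party cookies can be turned into a consent gate on the client side. The following is an added example, not code from the article, the CNIL or Bird & Bird; the purpose labels, the consent-state shape and the in-memory cookie jar are constructed for this illustration.

```javascript
// Added example (hypothetical): a consent gate applying the CNIL exemption
// categories. In a real page the jar would be replaced by document.cookie.

// Purposes the guidance lists as exempt from information and prior consent.
const EXEMPT_PURPOSES = new Set([
  "shopping-basket", // basket on an online retailer's site
  "session-id",      // linking a user's actions to provide the requested service
  "security",        // security the user has asked for
  "language",        // language or other preferences needed for the service
  "media-player",    // data strictly necessary to play content the user requested
]);

function consentRequired(purpose) {
  return !EXEMPT_PURPOSES.has(purpose);
}

// consentState = { firstParty: bool, thirdParty: { [domain]: bool } }
// If the third party that inserts the cookie has already informed the user
// and collected consent, the site operator need not repeat it.
function isPermitted(cookie, consentState) {
  if (!consentRequired(cookie.purpose)) return true;
  if (cookie.thirdPartyDomain) {
    return consentState.thirdParty[cookie.thirdPartyDomain] === true;
  }
  return consentState.firstParty === true;
}

// Records the decision for each cookie in an in-memory jar (constructed
// stand-in for document.cookie) and returns whether it was allowed.
function setCookieIfPermitted(jar, cookie, consentState) {
  const allowed = isPermitted(cookie, consentState);
  jar.push({ name: cookie.name, purpose: cookie.purpose, allowed });
  return allowed;
}

// Walks a constructed sample of cookies with no first-party consent given
// and consent already collected only by "ads.example".
function demo() {
  const jar = [];
  const consent = { firstParty: false, thirdParty: { "ads.example": true } };
  const cookies = [
    { name: "cart", purpose: "shopping-basket" },
    { name: "lang", purpose: "language" },
    { name: "stats", purpose: "analytics" },
    { name: "adid", purpose: "advertising", thirdPartyDomain: "ads.example" },
    { name: "adid2", purpose: "advertising", thirdPartyDomain: "other.example" },
  ];
  for (const c of cookies) setCookieIfPermitted(jar, c, consent);
  return jar.filter((c) => c.allowed).map((c) => c.name);
}
```

Only the two exempt cookies and the cookie whose third party already collected consent are set; the first-party analytics cookie and the unconsented third-party cookie are held back.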

Operators established outside of the European Union

If the operator of the website is established outside of the European Union, it can delegate the implementation of the new provisions to a representative established in France. This...

BEHAVIORAL TARGETING

Google Releases Opt-Out Feature for Users (November 3, 2011)

Google has released a new feature to explain why Google search and Gmail users have been targeted by advertisements and allow them to opt out of such ads from future search page results, reports The Wall Street Journal. "Why These Ads" is an effort to increase company transparency when it comes to behavioral advertising, the company's senior vice president of advertising wrote in a blog post. "Because ads should be just as useful as any other information on the Web, we try to make them as relevant as possible for you. Over the coming weeks, we're making improvements to provide greater transparency and choice regarding the ads you see on Google search and Gmail," the blog states. (Registration may be required to access this story.)  
Full Story

PRIVACY LAW—GERMANY

DPA Says Site May Be Illegally Tracking Users (November 3, 2011)

The New York Times reports that Hamburg's data protection authority has said that Facebook may be illegally tracking subscribers through the use of cookies, even after a user deletes an account. After an investigation into the way cookies are installed after an account is created and deleted, Data Protection Commissioner Johannes Caspar said, "The probe raises the suspicion that Facebook is creating user tracking profiles." Such profiles would be illegal if a user was not alerted, according to the report. "Arguments that all users have to remain recognizable after they leave Facebook to guarantee the service's security can't stand up," Caspar said. A Facebook statement says the company is seeking an "open channel of communication" with Caspar, while another statement adds that it "does not track users across the Web." (Registration may be required to access this story.) 
Full Story

SOCIAL NETWORKING

Impending “Timeline” Release Elicits Concerns (November 3, 2011)

USA TODAY reports on Facebook's impending overhaul of its members' profile pages with the unveiling of its new "Timeline" feature. The feature will display members' history on Facebook comprehensively, which has drawn criticism from privacy advocates. "Things, over time, get harder to find, and that is sometimes a good thing," said Marc Rotenberg of the Electronic Privacy Information Center (EPIC). In letters to the Federal Trade Commission, EPIC has voiced concerns that Facebook should "honor its past commitment to privacy settings," the report states. Facebook says users will have five days to hide aspects of their profiles that they don't want as part of their history. 
Full Story

SURVEILLANCE—EU

Employee Surveillance on the Rise (November 2, 2011)

Al Jazeera reports on the prevalence of employee monitoring via surveillance software. With the right software, employers can intercept employee e-mails sent from personal e-mail accounts, the report states. For example, 40 percent of large companies operating in Romania use software to intercept and track information, according to IT security firm Netsec. Employees should be aware of this, said a Netsec executive, adding that "IT monitoring tools are used by some employers for personal rather than professional goals." Germany, meanwhile, is considering a federal law that would require employers planning to monitor employee communications to gain only employee consent and not that of unions and labor courts, as they are currently required to do.
Full Story

PRIVACY LAW—EU

Judge To Hear Argument That Act Violates Directives (November 2, 2011)

A UK judge has said that BT and TalkTalk's argument that the UK's Digital Economy Act (DEA) violates EU laws on liability for communications made over the Internet may be successful, Out-Law.com reports. Though BT and TalkTalk lost a High Court challenge earlier this year, a judge says he will hear an argument that the act may breach the Privacy and Electronic Communications Directive and the Data Protection Directive, among other laws. The ISPs' appeal has been found to be "justified because the opinion of the judge who ruled on the legality of the processing in April differed from that of the EU's privacy watchdog, the European Data Protection Supervisor," the report states. 
Full Story

PRIVACY LAW

Expert: Global Harmonization Needed for Cloud (November 2, 2011)

In an interview with BankInfoSecurity, Internet security expert Alastair MacWillson says that inconsistent data protection laws in various markets are proving to be a difficult challenge for large organizations using cloud-based services. "Much like any innovation," he says, "it takes a lot of people to talk about the opportunities and also the risks, and it takes a little bit longer for the technology guys to catch up." MacWillson discusses the interstate and international challenges organizations face, advantages provided by the cloud for cross-border security risk management and finding a balance between the risks and advantages of using the cloud.
Full Story

SURVEILLANCE—UK

Police Tracking Technology Spurs Privacy Fears (November 1, 2011)

ZDNet reports on the discovery that the London Metropolitan Police possesses military-grade technology that can track cell phone users, intercept text messages and calls and remotely shut down service. The technology is portable for tracking users on the move but can also be set up in a fixed location for tracking data in a specific area. A representative from the Electronic Frontier Foundation said, "The problem with this kind of technology is that it means that the police and law enforcement do not have to go through a cell phone provider to gain access to information that can be obtained via someone's cell phone." Meanwhile, a representative from Big Brother Watch said, "Such invasive surveillance must be tightly regulated, authorized at the highest level and only used in the most serious investigations."

PRIVACY LAW—EU & AUSTRALIA

Government Signs Passenger Data Agreement (November 1, 2011)

The Australian reports that the government has signed a revised Passenger Name Record agreement with the EU. The European Parliament approved the agreement last week to permit the Australian Customs Service to retain data transferred from air carriers--including passport numbers and credit card details--for a maximum of 5.5 years for the purpose of detecting and combating crime. The agreement has elicited privacy concerns including from the Australian Privacy Foundation, which said the agreement intrudes on passengers' personal affairs without their knowledge and consent and proper safeguards have not been demonstrated. The agreement allows for six agencies besides customs to share the data.
Full Story

DATA PROTECTION

Browser Found To Have Privacy Flaw (October 31, 2011)

Recent versions of a third-party Web browser reportedly have been found to have a privacy flaw, reports Ars Technica. The Android Police blog has reported that a breach of privacy occurs when every URL loaded in Dolphin HD is relayed as plain text to a remote server, the report states. Dolphin HD has released a statement explaining that when the URL is relayed, data is not collected or retained and says it has updated the browser to disable the feature and that it will be opt-in in the future.
Full Story