European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

Half-Way to Cookie Law Enforcement (December 23, 2011)

In his latest blog post, UK Information Commissioner Christopher Graham offers a half-term report six months after the new cookie law was implemented and six months before the commissioner's promised enforcement of the law begins. The current status of compliance with the law can be summed up using old schoolteacher clichés like "could do better" and "must try harder," Graham writes. However, there have been improvements and efforts made by some companies and organisations. "The ICO's response to those who claim that following good practice advice is impossible will be, 'if they can do it, why can't you?'" Graham writes. Enforcement efforts are to begin 26 May.
Full Story

SURVEILLANCE—SWEDEN

Datainspektionen: SJ Broke Law (December 23, 2011)

The Data Inspection Board (Datainspektionen) says the national rail service, SJ, violated Swedish law by placing surveillance cameras on trains without notifying employees, The Local reports. SJ had installed the cameras in order to identify employees who were thought to be stealing items from rail cars. "To watch over people this way in order to catch a perpetrator seems very much like the secret surveillance that only the police and other crime-fighting agencies can undertake, and then only in the case of serious offences," said Director General Göran Gräslund.
Full Story

PRIVACY LAW—IRELAND

Commissioner Gives Company 21 Days To Respond (December 23, 2011)

The Data Protection Commissioner has given Eircom 21 days to respond to its decision that the operator should halt its "three strikes" policy against music piracy, siliconrepublic reports. The policy allows users pirating music online to be warned three times before their broadband would be cut off for 12 months, the report states. "I can confirm we have concluded our investigation on the above matter and have communicated the outcome to Eircom."
Full Story

SOCIAL NETWORKING—FINLAND

Facebook Disputes Timeline Privacy Breach (December 23, 2011)

Facebook is disputing claims by its users in Finland that the social networking site's new Timeline feature has caused a privacy breach, PCMagazine reports. Users there have claimed that the feature was making private messages public, but the company says that users have likely just forgotten about posts they made public via their profile pages years ago. "Our engineers have investigated these claims. It appears that these were old wall postings which users mistook for private messages," said a Facebook spokesman in a statement.
Full Story

BIOMETRICS—GERMANY

Privacy Agency: Opt-In Facial Recognition OK (December 23, 2011)

A German privacy and information agency, HmbBfDI, says it approves of the opt-in facial recognition feature recently launched by Google+, while it is continuing to push Facebook to notify users before creating biometric profiles of them. Investor's Business Daily reports that an HmbBfDI spokesman said, "it seems that users of Google+ have a real choice, and therefore the legal requirements of effective consent seemed to be met," but the agency will continue to look into the feature. The report states that HmbBfDI has begun administrative proceedings against Facebook, however, giving the company until mid-January to respond to the suit, which claims that without user consent, "the creation of biometric profiles of the users is illegal."
Full Story

DATA LOSS—UK

Council Apologises After Publishing PI (December 23, 2011)

East Herts District Council has informed the Information Commissioner's Office (ICO) and apologised after publishing "sensitive personal details of members of the public" on its website as part of temporary event notices, Herts and Essex Observer reports. The information was collected on the event applications and included insurance numbers, addresses, contact details and dates of birth, the report states. Nick Pickles of privacy advocate Big Brother Watch spoke out against such practices, saying, "The more personal information is collected by authorities, the greater the risk to personal privacy." An ICO spokeswoman has said the office is now making enquiries.
Full Story

DATA LOSS—UK

Receptionist Poses as Hospital Employee, Breaches Act (December 23, 2011)

A receptionist has been found guilty of breaching the Data Protection Act after she looked at details of her sister-in-law's medical records. Usha Pawal has been given a two-year conditional discharge and must pay prosecution costs after posing as a hospital employee to request that the records be faxed to the medical center where she was employed. "Medical records contain some of the most sensitive information possible," said UK Information Commissioner Christopher Graham. "The medical centre's receptionist was in a position of trust and abused her position for her own personal gain. This case demonstrates just how easy it can be to misuse personal data."
Full Story

PRIVACY LAW—IRELAND

Family Members Charged with Breaching Act (December 23, 2011)

A retired garda has admitted to asking a family member who worked for the Revenue Commissioner to look up the files of those who had filed claims against the firm he worked for as a private investigator, the Irish Examiner reports. Adele McKeown has pleaded guilty to disclosing personal data to her father and father-in-law in separate incidents, the report states. McKeown has been charged with four additional counts of disclosing personal data. Members of the public should not have to worry that information stored about them will be made public, said Judge Patrick McCartan, applying the Probation Act and ordering that each defendant pay €1,000 to a children's hospital. 
Full Story

BIOMETRICS

Is a Facial Recognition Opt-Out Possible? (December 22, 2011)

Slate reports on recent advances in facial recognition and detection technology and the inherent difficulties involved when offering an opt-out for individuals in the physical world. Though facial recognition technology is not entirely sophisticated at this point, "critical questions" about personal privacy remain. The column asks, "At what point do people know they are being watched? Where can they find the privacy policy to learn what happens when they're on camera? How can they opt out if they're not comfortable with the technology?" Noting that these questions were discussed at a recent Federal Trade Commission roundtable by industry representatives, regulators and privacy advocates, the report suggests the answers and "suggestions were problematic and superficial."
Full Story

PRIVACY LAW—IRELAND

DPC Publishes Facebook Audit Findings (December 21, 2011)

Irish Data Protection Commissioner (DPC) Billy Hawkes has published the findings of the biggest investigation in the history of his agency--the three-month audit of Facebook Ireland. The DPC made several recommendations for "best-practice" improvements, which the company must make within the next six months, reports siliconrepublic.

ONLINE PRIVACY

QR Codes Pose Potential Risks (December 20, 2011)

MSNBC reports on the increasing use of QR or "quick response" codes--puzzle-like square matrixes that populate ads and promotional posters to provide smartphone users with product details. Fifteen percent of consumers are using the codes, up from five percent last year. But experts say there are privacy risks involved, including the ability of the app maker to put in tracking systems and the potential for malware to be installed. "Unfortunately, this is a case of buyer beware," says malware researcher Tim Armstrong. "Being that this is a new territory, be suspicious of everything...users should always know what is being installed and when."
Full Story

PRIVACY LAW—EU

Working Party: Industry Self-Regulation Plan “Inadequate” (December 16, 2011)

The Article 29 Working Party has released its opinion on the Online Behavioural Advertising Self-Regulatory Framework proposed by the European Advertising Standards Alliance (EASA), noting that while it welcomes the self-regulatory efforts, "adherence to the EASA/IAB Code on online behavioural advertising and participation in the website www.youronlinechoices.eu does not result in compliance with the current e-Privacy Directive" and creates "the wrong assumption that it is possible to choose not to be tracked while surfing the Web." The Working Party calls for industry to "comply with the precise requirements of the e-Privacy Directive," cautioning that DPAs will "ensure compliance...and enforce on the basis of the law."
Full Story

DATA PROTECTION—EU

EDPS Discusses Key Issues (December 16, 2011)

In an interview with Eurescom, European Data Protection Supervisor Peter Hustinx discussed emerging technologies and their impact, noting, "It is therefore in everybody's interest that we make our information society more robust, more responsible and more trustworthy. Data privacy is in that sense only part of a much larger issue." Hustinx shared insight on such issues as protecting user data in the cloud, the key challenges of the EU Data Protection Directive revision and the economic impact of data protection. Looking to the future, he noted, "My single most important wish is that we are successful in achieving a more effective EU legal framework for data protection by 2015."
Full Story

PRIVACY LAW—UK

ICO: Official Gov’t Correspondence Subject to FOI (December 16, 2011)

Information Commissioner Christopher Graham says that official government correspondence falls within the jurisdiction of the Freedom of Information Act, The Telegraph reports. "It should not come as a surprise to public authorities," Graham said, "to have the clarification that information held in private e-mail accounts can be subject to Freedom of Information law if it relates to official business...This has always been the case--the act covers all recorded information in any form." Graham has also released guidance on the subject "with two key aims--first, to give public authorities an authoritative steer on the factors that should be considered before deciding whether a search of private e-mail accounts is necessary when responding to a request under the act...Second, to set out the procedures that should generally be in place to respond to requests." 
Full Story

DATA LOSS—EUROPE

Visa Investigating Potential Breach (December 16, 2011)

Visa is investigating a potential security breach at a European payment processor, PCWorld reports. Multiple banks have been alerted to the breach and some are taking precautions; a Romanian bank is now reissuing 17,000 payment cards, though it says its customers weren't specifically targeted. The Romanian Association of Banks says it was alerted of a potential breach that may have exposed customer information and transactions but that it doesn't expect customers to be affected. "Visa Europe has been informed of a potential data security breach at a European processor and an investigation is underway," the company said.
Full Story

PRIVACY LAW—EU

Article 29 Working Party Issues Announcements (December 16, 2011)

The Article 29 Data Protection Working Party this week released several documents on a variety of issues including airport security, the transfer of specific data to the U.S. and Internal Market Information System regulation. In guidance related to the transfer of data to the U.S. Public Company Accounting Oversight Board, the Working Party advises a "harmonised EU approach" will offer better data protection than "the current bilateral approach." Meanwhile, with regard to the International Air Transport Association's proposed "Checkpoint of the Future," the Working Party has advised of potential privacy impacts, noting "data protection authorities have to look at all potential impacts of all new security passenger screening systems."
Full Story

DATA PROTECTION—FRANCE

CNIL Issues Smartphone Recommendations (December 16, 2011)

The French data protection authority (CNIL) has published a study on mobile phone security, Telecompaper reports. The CNIL provides 10 recommendations on protecting personal and geolocation data when using a smartphone. Teenagers are more savvy about the risks of personal data storage than adults, according to a survey. The survey also found that 89 percent of smartphone owners store contacts and 40 percent store confidential information like bank details, passwords and building entry codes on their smartphones. CNIL recommends not putting confidential information on handsets, using complicated PIN codes and automatic locking, as well as deactivating a phone's geolocation and WiFi capabilities. (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO Has “Deep Concerns” on Data Handling (December 16, 2011)

The Information Commissioner's Office (ICO) in Wales says it has deep concern about the way councils in Wales are handling individuals' confidential data, BBC News reports. That announcement comes after eight of Wales' 22 councils have experienced data breaches within the last three years. Big Brother Watch reported on the number of breaches through a Freedom of Information Act request. "We're talking about sensitive information going to the wrong people, and that is going to cause a lot of distress for individuals...people don't want that kind of information in the public domain, which is what could happen here," said a spokeswoman for the ICO.
Full Story

PRIVACY LAW—AUSTRIA

Group Petitions Against Retention Directive (December 16, 2011)

The Austrian Arbeitskreis Vorratsdaten has submitted a petition asking that the Austrian Parliament reevaluate its implementation of the EU Data Retention Directive as well as additional anti-terror legislation, EDRI reports. The Data Retention Directive was transposed into Austrian law last April and is slated to go into effect on 1 April 2012. From now until then, Austrian citizens can file complaints against the legislation with the Constitutional Court of Austria.
Full Story

DATA LOSS—UK

ICO Investigating After Council Breach (December 16, 2011)

The Information Commissioner's Office (ICO) is investigating Bolton Council after files containing children's details were stolen, reports This Is Lancashire. The documents were stolen when a staff member's car was broken into, though the files should not have left the office. The council alerted parents and the ICO of the incident. "We take our responsibilities under the Data Protection Act very seriously, having in place robust procedures to meet our obligations. In this situation, we made it our priority to speak to those people potentially affected by the breach the following workday," said a council spokesman.
Full Story

PRIVACY LAW—UK

Leveson Inquiry Continues (December 16, 2011)

The Telegraph reports on the ongoing Leveson inquiry, including input from former UK Information Commissioner Richard Thomas. In recent weeks, a former ICO investigator suggested enough evidence existed to prosecute journalists for unlawfully obtaining personal information. Matthew Holehouse writes in The Telegraph that the ICO explained being unable to "provide details of the transactions or name the journalists accused of breaking the Data Protection Act because of--ironically--the Data Protection Act."
Full Story

PRIVACY

Expert Discusses Technology’s Effect on Privacy (December 16, 2011)

In an interview with The European, Harvard Prof. Harry Lewis discusses the ways technology is changing society. Speaking about the amount of information sharing that occurs, Lewis says, "I think there's still plenty to worry about from governments in terms of surveillance and tracking. But I also worry that we're doing it to each other. And more than that, we're doing it to ourselves, just by the amount that we disclose, just by how hard it is to live our lives without leaving a digital trail." Lewis also worries that a lack of privacy will hamper social innovation and progress.
Full Story

ONLINE PRIVACY

On the Web: Convenience Versus Data Protection (December 16, 2011)

BBC News reports on Web giants in the social networking and search spheres and the convenience they provide to users, suggesting privacy "is becoming the thorn in the side of this marriage of convenience." The feature examines recent calls by regulators from the EU and Canada, as well as the U.S. Federal Trade Commission, for better privacy protections from online firms. Looking at regulators' responses to such issues as cookies and shadow profiles, the report suggests, "2012 could see a change in the balance of power between Net firms and citizens, with citizens, for once, holding the upper hand."
Full Story

RFID

Opt-Out for NFC Technology Recommended (December 16, 2011)

The lack of consumer choice when it comes to banks' use of near-field communication (NFC) enabled bank cards is of grave concern, according to one expert. ISACA's Richard Hollis recently visited five banks to ask for a bank card without the embedded technology--a method of wireless communication--but was refused at each, V3.co.uk reports. "The industry is not leading on the issue of privacy but just saying, 'User Beware' and carrying on with its practices, and we are still some way from the tipping point of consumers starting to ask questions about what is actually being done with their data," Hollis said at a recent conference on cyber privacy.
Full Story

ONLINE PRIVACY—EU

Microsoft Signs EU Data Protection Agreement (December 15, 2011)

In efforts to ease European organizations' use of its new software suite, Microsoft has signed the EU Model Clauses agreement, allowing "member nations to transfer personal data for processing to countries that cannot ensure an adequate level of protection," reports ITNews. Signing the agreement means EU regulators will have the ability to request that customers stop using Office 365 if they find it has not taken "appropriate steps" to protect data. The software stores data in servers in the U.S., Ireland and the Netherlands, among others. Microsoft has also created a "trust center" that shows users the "geographic boundary" of their Office 365 data, states the report, but stops short of disclosing exactly how many servers it has and where they are located.
Full Story

PERSONAL PRIVACY

CarrierIQ Reassures Regulators, Customers on Privacy Practices (December 15, 2011)

CarrierIQ says it contacted the Federal Trade Commission (FTC) and Federal Communications Commission (FCC), not the other way around, VentureBeat reports. The company has faced scrutiny since computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information. In the U.S., several lawsuits have been filed, and lawmakers have written to the company, which says it sought meetings with the FCC and FTC for transparency and that it will "comply with all domestic and foreign regulators" as European agencies investigate. CarrierIQ recently published a 19-page report explaining how its technology works. 
Full Story

ONLINE PRIVACY—UK

Commissioner: Cookie Law Enforcement To Come (December 14, 2011)

Releasing guidance on how to do so, the Information Commissioner's Office (ICO) says companies must try harder to comply with the new rules on cookies, Financial Times reports. Commissioner Christopher Graham says companies have not yet devised methods to gain consent from online users to collect their information, despite the new law. In a recent blog post on plans for enforcement efforts to begin in May, Graham advises companies to "be assured that if we get complaints or have concerns, then we will be checking your site and we will take the necessary steps to ensure that you do work towards compliance." Meanwhile, the ICO has also recommended monthly breach reports from communications providers. (Registration may be required to access this story.)
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

EDPS: PNR Agreement Does Not Address Concerns (December 13, 2011)

In the wake of issues raised by other EU regulators with a passenger name record (PNR) sharing plan between the EU and U.S., European Data Protection Supervisor (EDPS) Peter Hustinx has released a statement detailing his concerns with the plan. "Any legitimate agreement providing for the massive transfer of passengers' personal data to third countries must fulfill strict conditions," he noted, adding, "Unfortunately, many concerns expressed by the EDPS and the national data protection authorities of the member states have not been met."

DATA PROTECTION—HUNGARY

Head of New Independent Authority Named (December 13, 2011)

President Pal Schmitt has appointed Attila Peterfalvi the head of Hungary's National Data Protection and Freedom of Information Authority, Politics.hu reports. The new authority--established by Parliament as an independent entity to replace the data protection ombudsman--will retain the duties of the ombudsman but will be more in line with EU legislation, the report states. Peterfalvi, who will serve a nine-year term beginning January 1, will have broader powers than the ombudsman and may impose fines of up to €33,000. Peterfalvi served as Hungary's data protection ombudsman from 2001-2007.
Full Story

GEO PRIVACY

Experts Detail Concerns About Emerging Technologies (December 13, 2011)

"The sheer scale of technological change and the ingenuity with which people are using location-based service data feeds means we are always playing catch-up." That was the message from Jonathan Bamford of the UK Information Commissioner's Office at a recent privacy event, V3.co.uk reports. Considering the future of privacy, one U.S. expert suggested it may soon be impossible to opt out of sharing location data, noting, "As we match the physical world to the virtual world, by placing items such as fridges or even your car keys on the Internet, firms could have even more access to your data, your location and your life."
Full Story

PRIVACY LAW—EU

Opinion: Proposed Rules Send “Disturbing Message” (December 13, 2011)

In a feature for Forbes, Richard Levick suggests that the proposed revision of the EU's data protection laws "should send a clear and disturbing message to businesses that do business globally." Levick highlights the proposals, which include increased penalties--to the tune of five percent of the global turnover of organizations that mishandle data--in suggesting that even if the rules are not adopted as presented, "they now provide a real window on how EU regulators are already thinking...If nothing else, the trend line points toward ever more aggressive regulatory prerogatives." Editor's Note: The IAPP 2012 Global Privacy Summit will offer several preconference and breakout sessions related to the new EU data protection framework.
Full Story

HEALTHCARE PRIVACY—UK

Advocates: Data Sharing Plan Needs Strong Safeguards (December 12, 2011)

The Guardian reports that a Department of Health (DH) plan would see the NHS Information Centre and Connecting for Health (CfH) providing patient data to private research firms, causing concern for some privacy advocates. While CfH claims only anonymized data would be shared, in some cases--with permission from the secretary of state for health--data would be shared in an identifiable format, or "pseudonymized." Privacy advocates say that more details are needed about the distinction between the two formats. "The safeguards in place need to be robust and clearly communicated," says Nick Pickles of Big Brother Watch. "The long-term risk to privacy of patients' identities and their health details being connected cannot be quantified, so these plans should be implemented with absolute care."
Full Story

ONLINE PRIVACY

Opinion: Online Anonymity Isn’t So Achievable Anymore (December 12, 2011)

In a column for The New York Times, Nick Bilton describes how easily a supposedly anonymous Web user can be identified. Bilton recently uploaded images to a photo-sharing app, eliciting comments from a stranger. But it took Bilton only 10 minutes to piece together bits of the stranger's personal information online to identify her full name, phone number, home address and place of employment. Privacy expert Elizabeth Stark of Stanford University said, "Previously you could have searched every photo on the Internet for a photo of Nick Bilton until you eventually found one, but that would take a lifetime. Now, facial recognition software can return more images about someone instantly." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—LITHUANIA

Breach Notification Requirement Established (December 9, 2011)

Hunton & Williams' Privacy and Information Security Law Blog reports that Lithuania's Law on Legal Protection of Personal Data and Law on Electronic Communications have established a breach notification requirement. According to the report, the requirement means the data protection authority must be notified of security breaches that occur at providers of publicly available electronic communications services and public communications networks, and if the breach is likely to negatively affect individuals, providers must notify all those affected.
Full Story

ONLINE PRIVACY—EUROPE & U.S.

Regulators, Advocates Want Answers on CarrierIQ (December 9, 2011)

After computer programmers discovered that CarrierIQ software--used by many smartphone service providers--logs users' keystrokes and other personal information, European regulators have begun taking preliminary steps toward a possible investigation into violations of EU data protection laws. Deutsche Welle reports that authorities in Germany and Ireland have questioned mobile phone carriers and makers, and regulators in the U.K., France and Italy are reviewing whether the software is used in their jurisdictions. In the U.S., the company is facing four lawsuits and possible inquiries by three federal agencies. The report states that CarrierIQ's unwillingness to disclose which phones and carriers use its service is particularly concerning to privacy regulators.
Full Story

ONLINE PRIVACY

Germany Stern On Privacy (December 9, 2011)

The Atlantic reports on Germany's relationship with Facebook and Google when it comes to privacy. Hamburg's privacy commissioner filed a legal complaint against Facebook for storing data on nonsubscribers to the social networking site, and German opposition to Google's Street View resulted in the company abandoning the project there. The country "is offering remarkable resistance when it comes to data protection issues...The sense of condemnation coming from state privacy agencies is strong," the report states.
Full Story

DATA PROTECTION—EU

Lack of U.S. Cloud Rules Could Boost European Business (December 9, 2011)

European success with the cloud may get a boost due to the lack of data protection laws in the U.S., reports Techworld. Two Swedish companies have begun marketing their services as "a safe haven from the reaches of the USA PATRIOT Act," the report says, as the act could allow U.S. law enforcement agencies access to European users of U.S.-based clouds. EU Justice Commissioner Viviane Reding has promised that new measures will cover cloud data, but legislators have indicated concern about data protection in the cloud, and some say safe harbor agreements with U.S. companies may no longer be adequate. "Safe harbor is a nice idea, but it didn't work," said MEP Sophie In't Veld.
Full Story

INFORMATION ACCESS—UK

Roundtable Discusses Public-Sector Data Use (December 9, 2011)

Government agencies process extensive data on citizens, and a recent roundtable was held to discuss the commonly held belief that this data represents an underused resource. The Guardian reports that participants agreed that better data analytics could benefit both citizens and government by reducing costs and improving the delivery of services. One recommendation from the group was to make nonpersonal data available to all, driving innovation; however, it was noted the reliability of the data is questionable. One participant pointed out, "You can put a number of connections together, and it (the result) isn't always anonymous--I think those risks are very apparent."
Full Story

PRIVACY LAW—UK

Former Investigator: Agency Should Have Prosecuted (December 9, 2011)

A former senior investigator at the Information Commissioner's Office (ICO) has said that the ICO did not prosecute journalists for unlawfully obtaining personal data during an investigation, despite sufficient evidence, Out-Law.com reports. The investigation, which began in 2002, reportedly found more than 3,757 requests for private information on behalf of 333 journalists, but the ICO chose not to prosecute because it "didn't have the evidence that those journalists knew beyond all reasonable doubt that the information had been obtained illegally," said the ICO's David Smith. Former investigator Alex Owens said in a recent witness statement, however, that the number of requests made by journalists had been underreported.
Full Story

DATA PROTECTION—EU & U.S.

Reding: EU Reforms Should Inspire U.S. and Others (December 9, 2011)

EU Justice Commissioner Viviane Reding said in a recent speech that she supports the growth of cloud computing, including data centers, in Europe, but "this cannot be the only solution. We need free flow of data between our continents. It doesn't make much sense for us to retreat from each other." Bloomberg reports that the European Commission plans to present its proposal for changes to current data protection laws by the end of next month, and Reding said the reforms can act as "an inspiration for changes in the U.S. and elsewhere." Reding expressed concern that self-regulation may be the path forward for the U.S.--which may not be "sufficient to achieve full interoperability between the EU and U.S."
Full Story

PERSONAL PRIVACY—UK

Spam Texts Causing Concern, ICO Cracks Down (December 9, 2011)

A recent study found that 700 of 1,014 Britons surveyed feel spam text messages "cause them concern," and the Information Commissioner's Office (ICO) earlier this year launched an investigation into the problem, reports The Guardian. The majority of the messages offer accident compensation claims, with payment protection and debt settlement messages taking second and third, according to the study. ICO Operations Director Simon Entwisle is working with the Ministry of Justice, the Office of Fair Trading and others to tackle the problem, and says "Significant progress has been made" in tracking down the spammers, adding, "This is an ongoing challenge."
Full Story

HEALTHCARE PRIVACY—UK

Critics Say PM’s Data Sharing Plan Contains Risks (December 9, 2011)

Plans by Britain's prime minister to allow pharmaceutical companies access to anonymous patient data are drawing criticism that commercial interests are coming before privacy concerns, BBC News reports. Prime Minister David Cameron has said he hopes that by anonymising NHS records and then allowing private firms access, medical breakthroughs and treatment options may proliferate. Advocates including Patient Concern and Big Brother Watch are skeptical that data will remain anonymous. Patient Concern says the data can be traced back to the individuals concerned and that patient consent should be required before records are shared. The proposal is to take effect 14 December.
Full Story
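
The dispute above turns on whether records stripped of names and NHS numbers stay anonymous. The following is an added example, not code from the BBC report or from the government's proposal: it runs a linkage attack over a constructed extract and shows how a "anonymised" record is singled out through the quasi-identifiers it still carries, then how coarsening those fields raises the k-anonymity of the set. All records, names, postcodes and diagnoses are invented.

```python
"""Re-identification risk in "anonymised" patient records.

Added example, not part of the BBC report or the government proposal: it
shows why removing names and NHS numbers is not enough when quasi-identifiers
(date of birth, sex, postcode) stay in the extract. Every record below is
constructed; the names, postcodes and diagnoses are invented.
"""
from collections import Counter

QI = ("dob", "sex", "postcode")  # quasi-identifiers left in the "anonymised" extract

# Constructed extract with direct identifiers stripped.
ANON_RECORDS = [
    {"dob": "1974-03-12", "sex": "F", "postcode": "LD1 5HB", "diagnosis": "asthma"},
    {"dob": "1976-09-01", "sex": "F", "postcode": "LD1 6AA", "diagnosis": "hypertension"},
    {"dob": "1968-11-02", "sex": "M", "postcode": "LD1 6AA", "diagnosis": "diabetes"},
    {"dob": "1961-05-23", "sex": "M", "postcode": "LD1 5HB", "diagnosis": "COPD"},
    {"dob": "1990-07-30", "sex": "M", "postcode": "LD2 3RP", "diagnosis": "depression"},
    {"dob": "1992-02-14", "sex": "M", "postcode": "LD2 1QX", "diagnosis": "fracture"},
]

# Constructed public dataset carrying names (electoral roll, social media, ...).
PUBLIC_RECORDS = [
    {"name": "C. Price",  "dob": "1974-03-12", "sex": "F", "postcode": "LD1 5HB"},
    {"name": "E. Hughes", "dob": "1976-09-01", "sex": "F", "postcode": "LD1 6AA"},
    {"name": "A. Jones",  "dob": "1968-11-02", "sex": "M", "postcode": "LD1 6AA"},
    {"name": "R. Davies", "dob": "1961-05-23", "sex": "M", "postcode": "LD1 5HB"},
    {"name": "B. Evans",  "dob": "1990-07-30", "sex": "M", "postcode": "LD2 3RP"},
    {"name": "T. Lloyd",  "dob": "1992-02-14", "sex": "M", "postcode": "LD2 1QX"},
]


def qi_key(rec, qi=QI):
    return tuple(rec[f] for f in qi)


def k_anonymity(records, qi=QI):
    """Size of the smallest group sharing the same quasi-identifier values.
    k == 1 means some record is unique on those fields and can be singled out."""
    counts = Counter(qi_key(r, qi) for r in records)
    return min(counts.values())


def link(anon, public, qi=QI):
    """Linkage attack: join the extract to the public dataset on the quasi-identifiers.
    Only unambiguous joins count, i.e. the QI combination names exactly one person.
    Returns {name: [diagnoses]}."""
    names_by_key = {}
    for p in public:
        names_by_key.setdefault(qi_key(p, qi), []).append(p["name"])
    hits = {}
    for a in anon:
        names = names_by_key.get(qi_key(a, qi), [])
        if len(names) == 1:
            hits.setdefault(names[0], []).append(a["diagnosis"])
    return hits


def generalise(rec):
    """Coarsen the quasi-identifiers: decade of birth and postcode area only.
    Other fields (diagnosis, name) are carried through untouched."""
    g = dict(rec)
    g["dob"] = rec["dob"][:3] + "0s"                            # "1974-03-12" -> "1970s"
    outward = rec["postcode"].split()[0]                        # "LD1 5HB"   -> "LD1"
    g["postcode"] = "".join(c for c in outward if c.isalpha())  # "LD1"       -> "LD"
    return g


if __name__ == "__main__":
    print("k on raw extract:", k_anonymity(ANON_RECORDS))
    print("re-identified:", link(ANON_RECORDS, PUBLIC_RECORDS))
    gen_anon = [generalise(r) for r in ANON_RECORDS]
    gen_pub = [generalise(r) for r in PUBLIC_RECORDS]
    print("k after generalisation:", k_anonymity(gen_anon))
    print("re-identified after generalisation:", link(gen_anon, gen_pub))
```

On the raw extract every record is unique on (dob, sex, postcode), so k is 1 and all six patients are matched to a name together with their diagnosis; after generalisation k rises to 2 and the join becomes ambiguous for everyone. Two caveats a reviewer of such a scheme would raise: k-anonymity says nothing about attribute disclosure (if everyone in a group shares the same diagnosis, the group size does not help), and fields such as treatment dates or rare diagnoses act as quasi-identifiers too, so the set of fields treated as linkable has to be chosen against the public data actually available, not just the obvious three used here.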

PRIVACY LAW—EU

Draft Framework Offers Glimpse of Upcoming Changes to Directive (December 8, 2011)

The European Commission has released two documents that will serve as the basis of a new data protection framework in the European Union. The documents are under review by Directorates-General, whose comments will be considered before the final version of the new regulation is published in late January.

DATA LOSS

Data of 3.5 Million Online Poker Players Exposed (December 8, 2011)

A defunct gambling site experienced a breach affecting 3.5 million members this past weekend, SecurityNewsDaily reports. The names, screen names, birth dates, phone numbers and IP, home and e-mail addresses of Ultimate Bet users in Canada, the U.S., the UK and elsewhere were posted to online poker forums, the report states. The data was removed after eight minutes.
Full Story

European Commission Sends Draft Regulation out for Review (December 8, 2011)

The European Commission has released two documents that will serve as the basis of a new data protection framework in the European Union. The documents are under review by Directorates-General, whose comments will be considered before the final version of the new regulation is published in late January.

In a speech delivered on Tuesday in Brussels, European Commission Vice-President Viviane Reding said data protection rules “need to be adapted to new technological challenges.”

The draft regulation, which will repeal the existing Directive 95/46/EC, includes a right to be forgotten; a requirement to seek explicit consent when processing data for marketing and other purposes; a greater emphasis on the protection of children; a requirement for data protection officers, and a breach notification requirement, among other mandates.

The draft “is remarkable in a lot of respects,” notes Daniel Cooper of Covington & Burling LLP’s London office. “The commission is not nibbling at the edges. This really will be fairly seismic in terms of impact.”

Cooper notes that there are many changes. “Some you would expect, but the commission has added a lot that will be entirely new—processors will be directly regulated; there are new rights, such as the right to be forgotten and new data portability rights…it’s a candy shop of new and interesting provisions.”

This summary provides a snapshot of the changes, focusing on Articles 15, 18, 28, 29, 30, 32, 36, 63, 65 and 68 of the draft, which cover

  • the right to be forgotten;
  • data protection officers;
  • certification and seal programs;
  • breach notifications;
  • data protection impact assessments;
  • consent, and
  • the Article 29 Working Party (which will become the new European Data Protection Board).

The Right To Be Forgotten

Article 15 provides a right for individuals to bring about the erasure of data pertaining to them in certain circumstances—a so-called right to be forgotten.

The commission’s emphasis on the privacy rights of children shines through in this article, where it states that the right to be forgotten “shall apply especially in relation to personal data which are made available by the data subject while he or she was a child.”

The commission seems to be acknowledging that adults should not be made to live in perpetuity with data they posted during a less mature point in their lives, says Cooper. 

Data Protection Officers

Article 32 requires that data controllers and processors in private-sector enterprises with more...

DATA LOSS—UK

Council Receives “Record Fine” for Disclosure Error (December 7, 2011)

The Information Commissioner's Office (ICO) has fined Powys County Council for breaching the Data Protection Act in what it called "the most serious case it had dealt with since receiving the power to fine organizations," BBC News reports. The council was fined £130,000--the highest penalty the ICO has issued--and says it has since reviewed its policies and procedures.

PRIVACY LAW—ITALY

Italian Gov’t Passes Interim Rule on Legal Entities’ Data (December 6, 2011)

The government of new Italian Prime Minister Mario Monti has passed an interim rule under which legal entities' data are no longer protected by Italian data protection legislation. According to Rocco Panetta of Panetta & Associati in Rome, Italy was one of only a few countries in the European Union that extended the protection of EU Directive 95/46/EC to legal entities' data.

PRIVACY LAW—EU

Updated Directive Could Mean Hefty Fines for Some (December 5, 2011)

The Financial Times reports that under the European Commission's update to the Data Protection Directive, companies found to have mishandled personal data could be fined up to five percent of their global turnover--which could mean billions in losses for some. The rules would apply to foreign companies' European subsidiaries as well. Companies that have experienced a breach would have 24 hours to notify authorities of the incident. The proposal--now reportedly being finalized--would also require companies with more than 250 employees to dedicate staff to data protection, the report states.
Full Story

PRIVACY LAW—EU

Court of Justice Rules on ISPs, Processing Personal Data (December 2, 2011)

In separate rulings this past week, the European Court of Justice has decided two key data protection issues. In SCARLET EXTENDED (BELGACOM GROUP) v SABAM, a case dating back to 2004, the court found that requiring a Belgian ISP to install a general filtering system was prohibited by Article 15(1) of the E-Commerce Directive, which bars member states from imposing a general obligation to monitor on intermediaries. Meanwhile, as Bird & Bird Partner Ariane Mole writes in this European Data Protection Digest exclusive, a 24 November decision by the court found "Spain had not transposed correctly the provisions concerning the balance of interests of EC Directive 95/46 on personal data protection and that consequently Spanish law is in breach of Article 7(f) of the directive." The decisions are expected to have significant impacts, according to experts.
Full Story

PRIVACY LAW—EU

Commission VP Calls for Streamlined ISP Regulations (December 2, 2011)

In a speech on Monday, European Commission Vice President Viviane Reding called for a streamlined approach to how Internet service providers (ISPs) collect personal information, ReadWriteWeb reports. Instead of requiring ISPs to follow the EU's 27 different national data protection laws, new guidelines would require an ISP to follow the laws found in its native country. In text provided to ReadWriteWeb, Reding said that ISPs "need--the same as customers--to have a 'one-stop-shop' when it comes to data protection matters--one law and one single data protection authority for each business; that of the Member State in which they have their main establishment." Meanwhile, industry groups have warned the EU that "overly strict, static and bureaucratic data protection rules will have a detrimental impact on Europe's economy." Reding also mentioned that Facebook could face more scrutiny with the new EU Directive.
Full Story

PRIVACY LAW—EU

EC Tells 16 Countries To Comply with Telecom Laws (December 2, 2011)

The European Commission has requested that 16 countries come into line with EU telecom laws, The Sofia Echo reports. The commission said last week that it sent letters to Bulgaria, Belgium, the Czech Republic, Germany, Greece, Spain, France, Italy, Cyprus, Hungary, the Netherlands, Austria, Poland, Portugal, Romania and Slovenia. The deadline for implementing national legislation on the rules--which grant customers the right to receive detailed information about how Internet service providers use their data as well as increased opportunities for privacy and data protection--expired six months ago. Countries that do not comply could be referred to the Court of Justice or fined.
Full Story

PRIVACY—UK

Will the UK Get Its Own Privacy Commissioner? (December 2, 2011)

A recently tabled amendment in the House of Lords indicated that the UK could see its first privacy commissioner, The Inquirer reports. Privacy International has indicated support for such a position. The House of Lords amendment said the "Secretary of State shall appoint a commissioner to be known as the privacy commissioner...It shall be the duty of the commissioner to promote respect for individual privacy," the report states.
Full Story

DATA LOSS—UK

ICO Issues Fines, But Are They Enough? (December 2, 2011)

The Information Commissioner's Office (ICO) has fined two councils after both experienced data breaches involving e-mail, Computerworld UK reports. The ICO fined Worcestershire County Council £80,000 for a March incident in which it sent e-mails containing sensitive information on a "large number of vulnerable individuals to 23 people on the wrong contact list," the report states. North Somerset Council has been fined £60,000 for sending sensitive data on a child to the wrong NHS employee. Meanwhile, a Public Service.co.uk editorial asks when the ICO will see a significant increase in power, since, "Currently, the ICO's maximum fine is £500,000 and it seems that it still has to hold back on the biggest penalty" until a major breach comes along.
Full Story

DATA PROTECTION—EU

Data Security Hampering Cloud Adoption (December 2, 2011)

Companies providing cloud services will likely face audits on their personal data security practices, reports EurActiv. European Commission sources say audits and liability clauses will be considered in an effort to harmonise legal regimes around cloud adoption, the report states, adding that security concerns around cloud storage are the number one impediment to the cloud's success in Europe. Safe Harbor rules are not enough to quell those concerns, EU officials say. "The major problem for the cloud is the different implementation of the Data Protection Directive in different member states," said a commission source. For example, the medical data of cows are not permitted to be transferred outside of one country.
Full Story

DATA PROTECTION—UK

Research Says Firms Not Properly Disposing of Data (December 2, 2011)

New research indicates that UK firms are not deleting all personal data before disposing of storage devices such as computers. Osirium recently released research finding that 40 percent of organisations "are not confident that all their data is deleted before disposal of computers and that seven percent of companies in the finance and retail sectors didn't delete data at all," reports eWEEK. "In the wrong hands, it could be possible to not only gain access to the networks through recovered group admin credentials but also to compromise data, which could constitute a serious data privacy breach," an Osirium spokesperson said.
Full Story
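
The Osirium finding is really about the gap between what the operating system calls "deleted" and what is still on the platters. The following is an added example, not code from Osirium or from the eWEEK report: it models a drive as raw bytes with separate filesystem metadata, so that an ordinary delete removes only the directory entry, then scans the raw image for the kind of residue the spokesperson describes (credentials, customer data) and verifies the free space after a wipe. The device geometry, file contents and audit patterns are all constructed for the demonstration.

```python
"""Residual-data check before a storage device leaves the organisation.

Added example, not from the Osirium research or the eWEEK report. It models a
drive as raw bytes plus separate filesystem metadata: an ordinary delete drops
the directory entry, while the bytes stay in unallocated space until they are
overwritten. The device, the files and the patterns are constructed; on real
hardware the scan would read the block device itself, not the mounted
filesystem.
"""
import os
import re

BLOCK_SIZE = 64   # constructed toy geometry
N_BLOCKS = 8

# Assumed audit patterns; a real disposal check would use the organisation's own list.
RESIDUE_PATTERNS = {
    "credential": re.compile(rb"(?i)(?:password|passwd|secret)\s*[=:]\s*\S+"),
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_postcode": re.compile(rb"\b[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}\b"),
}


class ToyDevice:
    """`image` is what a recovery tool or the next owner reads;
    `directory` is what the operating system shows the user."""

    def __init__(self):
        self.image = bytearray(BLOCK_SIZE * N_BLOCKS)
        self.directory = {}  # filename -> block index

    def write(self, name, data):
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy files must fit in one block")
        used = set(self.directory.values())
        block = next(i for i in range(N_BLOCKS) if i not in used)
        start = block * BLOCK_SIZE
        self.image[start:start + BLOCK_SIZE] = data.ljust(BLOCK_SIZE, b"\0")
        self.directory[name] = block
        return block

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the bytes in place."""
        del self.directory[name]

    def wipe_unallocated(self):
        """Overwrite every block the directory no longer references, then zero it
        so the result can be verified."""
        used = set(self.directory.values())
        for i in range(N_BLOCKS):
            if i in used:
                continue
            start = i * BLOCK_SIZE
            self.image[start:start + BLOCK_SIZE] = os.urandom(BLOCK_SIZE)
            self.image[start:start + BLOCK_SIZE] = bytes(BLOCK_SIZE)


def scan_residue(image):
    """Search the raw bytes, ignoring the directory entirely.
    Returns (label, block index, matched text) for every hit."""
    raw = bytes(image)
    findings = []
    for label, pat in RESIDUE_PATTERNS.items():
        for m in pat.finditer(raw):
            findings.append((label, m.start() // BLOCK_SIZE, m.group().decode("latin-1")))
    return findings


def unallocated_is_zero(dev):
    """Verification step: no unreferenced block may contain a non-zero byte."""
    used = set(dev.directory.values())
    return all(
        not any(dev.image[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
        for i in range(N_BLOCKS) if i not in used
    )


if __name__ == "__main__":
    dev = ToyDevice()
    dev.write("admins.txt", b"domain admin password=Winter2011!\n")   # constructed
    dev.write("clients.csv", b"jane@example.org,LD1 5HB\n")             # constructed
    dev.delete("admins.txt")
    print("after delete:", scan_residue(dev.image))
    dev.wipe_unallocated()
    print("after wipe:", scan_residue(dev.image), unallocated_is_zero(dev))
```

After the delete the scan still reports the admin credential in block 0, because only the directory changed; after the wipe the credential is gone, the live customer file is untouched, and the free-space check passes. Two points carry over to real disposals: the scan must run against the raw device rather than the filesystem, and on SSDs overwriting free space does not reliably reach every flash cell because of wear levelling, so the drive's built-in sanitise command or physical destruction is the appropriate step, with a raw-device scan as the verification either way.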

DATA PROTECTION—UK

In First Blog, ICO Anticipates Directive Changes (December 2, 2011)

The Information Commissioner's Office has launched a new blog on current issues. In the office's first post, Commissioner Christopher Graham writes on the future of data protection law in Europe. "The big event we're all waiting for is the release of the commission's proposals for a new legal framework," Graham writes, adding, however, that he doesn't anticipate a January announcement as scheduled. Graham said his office hopes for a framework that clearly regulates developing technology and new applications and is easily understood and applied in practice. As for data protection authorities, they need independent, clear roles and effective powers, Graham writes.
Full Story

RFID—EU

Privacy Impact Tool Released (December 2, 2011)

A global standards organisation has released a software application to help European companies assess privacy risks when deploying RFID tags, reports RFID Journal. GS1's tool can be used to conduct privacy impact assessments and determine where improvements should be made. The tool is the result of seven months of research conducted along with companies including Wal-Mart, Procter & Gamble, Metro Group and Carrefour Group. Earlier this year, the European Commission partnered with the European Network and Information Security Agency to establish data protection guidelines for RFID applications.
Full Story

HEALTHCARE PRIVACY—UK

Worker Charged in Hospital Breach (December 2, 2011)

Police are investigating a patient confidentiality breach at Scotland's largest hospital, the Scotsman reports. A hospital worker has been charged after he sent a young woman a Facebook message the day after she was treated at the hospital. The worker--who has also been suspended from the hospital--admitted using hospital computers to look the woman up and obtain her contact details. NHS Lothian is investigating the incident and says the worker did not break into the computer systems: the patient's name was on a computerised floor plan, and the worker did not have access to her personal medical records.
Full Story 

DATA LOSS—UK

Breaches Plague Councils, Police Force (December 2, 2011)

In light of news about North Somerset Council's breach of the Data Protection Act by sending sensitive e-mails to the wrong people, Big Brother Watch has revealed 16 breaches by the same council in three years, Mercury 24 reports, and 100 breaches by London councils in general. Eighteen of London's 33 councils admitted to 113 cases of lost or stolen data, the report states. Meanwhile, two police workers have been fired and another has resigned as the result of 85 breaches of data protection in Wales' four police forces, BBC News reports. 
Full Story

PRIVACY—UK

Opinion: Don’t Like Being Tracked? Turn Off Your Phone (December 2, 2011)

Amidst news that many British retail chains are tracking shoppers via their cell phones, Michael Hanlon writes for the Daily Mail that though privacy may not be dead, it's "certainly on life support." Turning off one's cell phone, using proper passwords and avoiding providing personal details at retail checkouts are all ways to help maintain personal privacy, Hanlon writes, adding, "There is nothing private about e-mail, and the word 'delete' on any kind of software is a pernicious fiction. The only way to truly delete a file is to get hold of the medium on which it is stored and physically smash it to bits."
Full Story

ONLINE PRIVACY—UK

Opinion: Privacy Offline Is Eroding, But What About Online? (December 2, 2011)

Recent hype about the invasiveness of the press in the UK has also "revealed much about the UK's attitudes towards privacy," opines Aleks Krotoski for The Guardian. Online, she writes, "ideas about privacy are changing at the ground level and what we do online will have a greater impact upon future privacy laws than any legislation that results from the current offline inquiry." Meanwhile, Prof. Michael Birnhack of Tel Aviv University said at a recent conference that, as our privacy erodes online, we should be careful to protect it at home.
Full Story

SOCIAL NETWORKING—EU & U.S.

French Advocates File Complaint Against Facebook (December 2, 2011)

The French online consumer rights group Internet Sans Frontières has filed a complaint with the CNIL against Facebook, claiming unfair data collection and retention practices, reports ZDNet France. The organization says the company collected users' data without prior notice and consent--using "zombie" cookies and facial recognition, among other methods. The complaint also points to data retention periods and claims users are prevented from deleting their data. The group says the agreement between the U.S. Federal Trade Commission and Facebook is not sufficient to ensure compliance with EU data protection rules since the commitment of Facebook to obtain consent from Internet users arrives too late and because the audit schedule--every two years--does not match the high speed of social networking innovations. (Article in French.)
Full Story

PRIVACY LAW—ITALY

Google Appeal Soon To Begin (December 2, 2011)

Bloomberg reports that Google plans to "begin an appeal as soon as January of a conviction by an Italian court of two managers and a former executive for violating privacy laws." The case stems from an incident where Turin students uploaded a video to a Google site showing them bullying a classmate. In February of 2010, a Milan judge found three Google executives guilty of privacy violations. Each received a suspended sentence. Google announced at the time that it would appeal.
Full Story

CHILDREN’S PRIVACY—EU

Coalition Created To Protect Children Online (December 2, 2011)

Reuters reports on a coalition that includes the European Commission and 28 technology companies--including Apple, Facebook, Google, BSkyB, BT, Deutsche Telekom, Nintendo, Nokia and Orange--working together to better protect children on the Web with such initiatives as an age-based privacy ratings system. Announcing the coalition's creation on Thursday, European Commissioner Neelie Kroes said, "This new coalition should provide both children and parents with transparent and consistent protection tools to make the most of the online world."
Full Story

PERSONAL PRIVACY

Hidden Rootkit Software Fuels Privacy Debate (December 1, 2011)

Several programmers have discovered a hidden software application on Android-based HTC phones that logs a wide range of detailed information about a user's activities, Network World reports, prompting Sen. Al Franken (D-MN) to demand answers from the software maker. The software, from Carrier IQ, has been termed by one expert a "classic rootkit": it lets carriers locate and correct performance issues on the phones but can also monitor users' key presses, locations and received messages without notifying them.

PRIVACY LAW—EU & U.S.

European Companies Wary of USA PATRIOT Act (December 1, 2011)

EurActiv.com reports on the current discussions between the European Union and the U.S. about cloud service providers and the role of the USA PATRIOT Act. Many EU companies are reluctant to use U.S.-based cloud providers, fearing that their data could come within the reach of U.S. law. European Commission Vice President Viviane Reding, who has been in talks with U.S. Attorney General Eric Holder, says she has been reassured by the U.S. that it will "seek assistance from member states using existing police and judicial cooperation channels." Yet several European cloud service providers do not want to be subject to the U.S. legislation at all. Meanwhile, two Swedish companies have banded together to offer a "fully European Database-as-service solution."
Full Story