European Data Protection Digest

For most of history, Anonymous was a woman. Dare I say, be careful what you wish for, Virginia Woolf. Judging by the research my colleague Jed Bracy has been doing on “revenge porn,” women today might just face the exact opposite challenge. For those unfamiliar with revenge porn, it is the practice of posting online nude pictures of a person (surprisingly (not) women most of the time) out of revenge. The perpetrators are usually ex-boyfriends. You know how when we were young our exes would spread false rumours about us in school to get back at us? Same thing more or less—except that, instead of a rumour, in this case the exes disseminate pictures and their audience expands well beyond a school’s walls. Not to mention the right to be forgotten (or lack thereof) implications. It’s basically stalking on steroids.

As creepy as revenge porn is, in a recent blog post, Jed also brought to my attention this gem of a Facebook group that is WWEOT, Women Who Eat on Tubes (as in the London underground). So much has been written about this group (see this article from The Guardian, for example) that I’d rather not waste another word about it. Interestingly, though, TfL’s enforcement director has been quoted as saying that, whilst taking photos on the Tube isn’t illegal (fair enough), they ask anyone doing so to ensure that they use common sense and respect for other passengers. Yes, common sense and respect are exactly the notions that spring to mind here.

So let’s think—I am definitely not from the “selfie generation” and might be immune from revenge porn, but now I can’t even eat crisps on the Tube?

We have a saying here in Italy that goes something like this: The mother of the ignorant ones is always pregnant.

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA PROTECTION—EU

EDPS Releases Compliance Benchmarks (January 31, 2012)

In response to a survey revealing shortcomings in data protection compliance, European Data Protection Supervisor (EDPS) Peter Hustinx has established "benchmarks" to help EU bodies meet compliance standards, Out-Law.com reports. Hustinx said he is "concerned that not all EU institutions and bodies are performing as well as they should...Implementation of data protection principles is not only a matter of time and resources but also of organizational will." The strictness of the "benchmarks" varies according to the institution, the report states. While all organizations must appoint a data protection officer (DPO), bodies created in the past year must submit to the EDPS the DPOs' "implementing rules." More established institutions, such as the European Commission, will be given much stricter requirements.
Full Story

DATA PROTECTION

Industry Group Set To Fight Phishing E-mails (January 31, 2012)

In an attempt to reduce the number of phishing scams, several e-mail providers and financial organizations, among others, are banding together to create an environment where consumers can feel secure about whether a message is authentic, The Wall Street Journal reports. Companies such as Yahoo, Google, Microsoft, PayPal and Bank of America have joined a group of 15 businesses to form DMARC.org. The goal is to promote technology standards that will help secure e-mail, the report states, and would include digital signatures and policies guiding e-mail providers to detect authentic messages. One representative from the messaging industry said, "If you are a big bank or a retailer, you have a very strong interest in making sure people trust your messages" and added that DMARC "has a lot of promise." (Registration may be required to access this story.)
Full Story
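The "policies guiding e-mail providers" in this item are the receiver side of DMARC: a domain owner publishes a TXT record saying what to do with mail that claims to come from its domain but fails SPF and DKIM alignment. The following is an added example in Python, not code from DMARC.org or from any company named above. The record is constructed, the SPF and DKIM results are supplied by the caller rather than computed, the organisational-domain logic is simplified to the last two labels (a real receiver uses the Public Suffix List), and the pct tag is parsed but not enforced.

```python
"""Parse a DMARC TXT record and apply its policy to one message.

Added example, not DMARC.org code. The record below is constructed; SPF and
DKIM results are supplied by the caller (a real receiver gets them from its
own SPF/DKIM checks). The 'pct' tag is parsed but not enforced here.
"""

# Constructed record, as it would be published at _dmarc.example.com
SAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                 "pct=100; rua=mailto:dmarc-reports@example.com")

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict and fill in the defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % txt)
    for name, value in DEFAULTS.items():
        tags.setdefault(name, value)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    for name in ("p", "sp"):
        if tags[name] not in ("none", "quarantine", "reject"):
            raise ValueError("bad %s value: %r" % (name, tags[name]))
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels.
    A real implementation consults the Public Suffix List (co.uk etc.)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, record_domain, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return 'pass', or the disposition the receiver should apply.

    record_domain is where the record was found: the From domain itself, or
    its organisational domain when the From domain publishes no record.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if from_domain.lower() == record_domain.lower():
        return tags["p"]
    return tags["sp"]


if __name__ == "__main__":
    # The bank's own bulk mailer: SPF passes for bounce.example.com, relaxed alignment -> pass
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   spf_domain="bounce.example.com", spf_pass=True))
    # A phisher forging the From header: SPF passes only for their own domain -> reject
    print(evaluate(SAMPLE_RECORD, "example.com", "example.com",
                   spf_domain="attacker.example.net", spf_pass=True))
```

The point a bank cares about is the second call: a phisher can pass SPF for a domain they control, but it does not align with the forged From domain, so the published p=reject applies. Note that adkim=s in the sample means a DKIM signature from mail.example.com does not align with example.com; strict mode is safer against look-alike subdomains but breaks mail from any subdomain the owner forgot to sign with the bare organisational domain.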

DATA LOSS—UK

ICO Fines Council £140,000 (January 30, 2012)

In response to five separate data breaches involving children's social service reports, the Information Commissioner's Office (ICO) has fined Midlothian council £140,000, The Guardian reports. In each case, the highly sensitive data of children and their caretakers was sent to the incorrect recipients. The ICO found that all five incidents, which occurred between January and June 2011, could have been prevented if the council had stronger data protection policies as well as employee training in place, the report states.

INFORMATION ACCESS—UK

ICO: Customers Denied Access to Their Data (January 27, 2012)

Information Commissioner Christopher Graham has raised concerns that many consumers are denied access to the information that various organizations hold about them and is launching the Access Aware campaign in an effort to change that. Complaints about mishandled access requests accounted for 38 percent of his office's caseload in the past financial year, the report states, with the financial, healthcare and law enforcement sectors generating the most complaints. "Organizations that handle personal information need to remember that customer records are not simply their property--the individuals who do business with them also have rights," Graham said.
Full Story

PRIVACY LAW—UK & EU

EC Drops Infringement Proceedings Against UK (January 27, 2012)

The European Commission (EC) has dropped infringement proceedings it brought against the UK for failing to implement aspects of EU law aimed at protecting Internet users' privacy, Out-Law.com reports. "The commission believes UK law and institutions are now well-equipped to enforce the privacy rights of UK users," the commission said, referring to changes the UK government made to the Regulation of Investigatory Powers Act (RIPA). The UK government amended the act last year at the conclusion of a consultation that began when the EC began its infringement proceedings in 2009.
Full Story

SOCIAL NETWORKING—IRELAND

DPC: More Info Needed on Privacy Settings (January 27, 2012)

Data Protection Commissioner Billy Hawkes is calling for better awareness of privacy settings on social networks, the Irish Examiner reports. Commenting after a judge refused to stop newspapers from identifying an individual who was wrongly believed to be a man in an online video and noting a recent audit of Facebook in Ireland, Hawkes said one of his "recommendations is that there should be greater information for people when they use Facebook...They should get better information on how you can in fact protect yourself on Facebook in terms of the privacy settings; they are there to be used."
Full Story

DATA PROTECTION—IRELAND

Dublin Council Investigated After Data Transfer (January 27, 2012)

The data protection commissioner will investigate Dublin City Council to determine whether it complied with guidelines when it handed over 140,000 customers' details to a private waste company, The Irish Times reports. Greyhound took over the council's bin collections in January, prompting a number of complaints from council customers. The commissioner's office has asked the council to demonstrate compliance with rules on data transfers and wishes to confirm that proper data protection safeguards were put in place, the report states.
Full Story

DATA PROTECTION—UK

ICO Launches Advisory Programme (January 27, 2012)

In an effort to help small- and medium-sized organisations understand the value of having a voluntary data protection audit, the Information Commissioner's Office (ICO) is encouraging them to invite an advisory services visit from the office's "good practice team," reports Out-Law.com. The visit is an alternative to a full-scale audit and focuses on "general advice and recommendations" surrounding "security, records management and requests for personal data," said Louise Webb, head of the good practice team. Organisations would then receive a "short report which summarises what to do next," briefs of which are posted to the ICO website.
Full Story

ONLINE PRIVACY—EUROPE

Opinion: Data Is “New Oil,” But What To Do With It? (January 27, 2012)

In an op-ed for CNN, Andrew Keen writes about this week's Digital Life Design conference and the messages shared by its keynotes, European Commission Vice President Viviane Reding and Facebook Chief Operating Officer Sheryl Sandberg. "Reding and Sandberg were in agreement about one thing: personal data is the new oil, the vital fuel of our digital economy," he writes, adding that outside of that point, "their priorities and agendas represent the bookends of an increasingly fractious debate" over calls for better data protection regulations versus what Sandberg described as the need for "a regulatory environment that promotes innovation and economic growth."
Full Story

DATA PROTECTION—EU

Data Protection Regimes Ranked (January 27, 2012)

Data Guidance's Data Privacy Index calculates a risk score for each country based on the severity of its data protection laws, Information Age reports. A high score correlates to a high chance of breaking the rules and being punished. Spain is at the top of the list, with a ranked score of 4.5 based on "a number of high-level fines seen for noncompliance with data protection legislation" in the country, the report states. Germany ranked second for its strict rules around marketing data. The UK was ranked twenty-first near countries such as Romania, Latvia, Ireland and Sweden.
Full Story

SURVEILLANCE

Considerations of Commercial Drone Use (January 27, 2012)

After years of debating the ethical and legal considerations of drone use in wartime, "pressure is mounting" for the Civil Aviation Authority to re-evaluate regulations to allow domestic drone use, reports The Guardian. "It is widely anticipated that they will be used as a security measure during the London Olympics," the report states, and use by government and, potentially, commercial operators is expected to rise. M. Ryan Calo writes in the Stanford Law Review that domestic use is inevitable but may end up acting as a "privacy catalyst." Calo writes, "People would feel observed, regardless of how or whether the information was actually used. The resulting backlash could force us to reexamine not merely the use of drones to observe but the doctrines that today permit this use."
Full Story

ONLINE PRIVACY

Google Revises Privacy Policy, Regulators Take Note (January 27, 2012)

The Wall Street Journal reports on Google's revisions to its privacy policy, suggesting the changes could make it more difficult for online users to remain anonymous. The new policy reflects Google's decision to start combining the information it collects on an individual user across its services, in order to provide better services to customers, according to the company. "We'll treat you as a single user across all our products, which will mean a simpler, more intuitive Google experience," said Alma Whitten, director of privacy. The changes take effect March 1. Regulators in Ireland, France and elsewhere have taken note, Bloomberg reports. Deputy Data Protection Commissioner of Ireland Gary Davis said his agency will further assess "the implications of the changes." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Davos Delves Into Big Data, Privacy (January 26, 2012)

At the World Economic Forum in Davos, Switzerland, the big topic is "lots of data," reports Nick Bilton of The New York Times. "Chancellors, bankers and educators meeting at the conference are being asked to discuss what the forum calls a growing data deluge and how to manage it," Bilton writes, adding "the discussion of privacy is not far behind."

ONLINE PRIVACY—EU

Kroes: Do-Not-Track Standards Deadline Approaches (January 26, 2012)

In a speech earlier this week, European Commissioner Neelie Kroes reminded Internet companies to establish a do-not-track (DNT) system by June of this year, Out-Law.com reports. Speaking at a World Wide Web Consortium (W3C) meeting and echoing demands made in June of last year, Kroes said, "Do-not-track today is still an aspiration rather than a reality...we need to act fast to turn do-not-track into a reality for all web users." Draft plans for DNT were also unveiled at the W3C event. Kroes added, "When providers receive do-not-track signals from their users, how they need to respond may be different depending on whether the user is in Europe, the U.S. or wherever...So the system will need to adapt flexibly, depending on the jurisdiction in question." 
Full Story

PRIVACY LAW—EU

European Commission Publishes New Framework on Data Protection (January 25, 2012)

As anticipated, and just days before Data Protection and Privacy Day, the European Commission has released its proposal to reform the European Union's data protection framework. The reform--which takes shape via a regulation on data protection and a directive "protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences"--comes after years of public consultations and dialogue with stakeholders.

PRIVACY LAW—NORWAY

DPA Bans Public-Sector Use of Google Apps (January 25, 2012)

The data protection authority (DPA) of Norway has issued a public-sector ban on Google Apps because, according to the Financial Times, the service could potentially put citizens' data at risk. Norway's DPA ruled that the service did not comply with the nation's privacy laws due to insufficient information of where user data was stored. The move comes shortly after Google signed its largest-ever contract with Spanish bank BBVA. Last year, a Danish school was banned from using the service for similar reasons. Meanwhile, the German government is drafting stricter data protection and storage rules, and the French government has set up a venture to promote French-based cloud services. (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY—EUROPE

Company Investigating Possible Breach (January 25, 2012)

European mobile operator O2 is investigating accusations that it shares customers' numbers with websites they visit through its mobile data network, paidContent reports. A web systems administrator noticed the issue, the report states, and set up a website to show users what information O2 is allegedly passing along during visits. One privacy advocate suggests that sharing such information could mean a "very serious breach," while the UK Information Commissioner's Office has said that while sharing a mobile number on its own may not mean a breach, "when it is coupled with any other identifying information, it can constitute a data breach," the report states.
Full Story
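The administrator's site mentioned in this item is the right kind of check for any carrier-side header injection: a page that simply echoes back every request header and flags the ones that look like a subscriber identifier. What follows is an added Python example of such a page, not the administrator's code and not anything from O2. The item does not say which header O2 was accused of adding, so the header name X-Example-Subscriber-Id in the constructed test request is a hypothetical stand-in, and the number in it is from the UK's reserved 07700 900xxx drama range. The WSGI app runs with the standard library alone; leaked_identifiers is the pure check a practitioner can reuse elsewhere.

```python
"""Echo request headers and flag any that carry a mobile number.

Added example, not the site described in the item. A carrier that injects a
subscriber header into plain-HTTP traffic makes every site the customer visits
a recipient of that identifier; this page shows the customer what arrived.
"""
import re
from wsgiref.simple_server import make_server

# UK mobile number in national (07...) or international (447... / +447...) form,
# after spaces and hyphens are stripped. Adjust for other numbering plans.
PHONE_RE = re.compile(r"^\+?(?:44|0)7\d{9}$")


def leaked_identifiers(headers):
    """Return (header, value) pairs whose value looks like a UK mobile number."""
    found = []
    for name, value in headers.items():
        compact = re.sub(r"[\s\-]", "", value)
        if PHONE_RE.match(compact):
            found.append((name, value))
    return found


def request_headers(environ):
    """Rebuild 'Header-Name' style names from WSGI's HTTP_HEADER_NAME keys."""
    headers = {}
    for key, value in environ.items():
        if key.startswith("HTTP_"):
            headers[key[5:].replace("_", "-").title()] = value
    return headers


def app(environ, start_response):
    """WSGI application: plain-text dump of the headers, with a warning block."""
    headers = request_headers(environ)
    lines = ["Headers your network sent to this site:"]
    lines += ["  %s: %s" % item for item in sorted(headers.items())]
    leaks = leaked_identifiers(headers)
    if leaks:
        lines += ["", "WARNING: these look like your phone number:"]
        lines += ["  %s: %s" % item for item in leaks]
    body = "\n".join(lines).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Visit http://127.0.0.1:8080/ over the mobile network being tested.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The page has to be served over plain HTTP: a carrier proxy cannot add headers to a TLS connection it does not terminate, which is also the customer-side mitigation for this class of leak. The ICO's point in the item, that a number alone may not be a breach but a number plus other identifying data is, applies to what the flagged header arrives next to, namely the URL visited, the User-Agent and any cookies the site already holds.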

The European Commission’s new proposed regulation: From “equipment/means” to “directed to” criterion (January 24, 2012)

By Fabio Di Resta

In a globalised world where every place is interconnected via the Internet and new technologies, companies—both big multinationals and SMEs—are operating more and more in different jurisdictions. Particularly, in the Internet environment, companies provide services and products remotely and they collect data that they can easily share among an undetermined group of enterprises. These are widespread activities in the Information Society that can raise problems if not carried out lawfully.

New Regulation and Harmonisation

In order to ensure legal certainty for controllers, individuals and stakeholders, the EU legislative body is trying to address applicability and jurisdictional issues. The European Commission will publish its new proposed data protection framework on Wednesday, January 25. According to an official draft (version no. 56, 29 November 2011) of the new regulation released late last year for inter-service consultation, one of the main objectives of this document is to fulfill the ambitious harmonisation of the data protection laws of EU Member States. This is particularly relevant for multinationals, who struggle with the lack of sufficient harmonisation, which creates legal uncertainties and barriers to free movements of data in Europe.

External scope of the EU data protection law

In more detail, the following example of a common electronic transaction shows the main challenges faced in protecting personal data in the EU:

A buyer resides in Europe, while the vendor’s place of business is outside of the EU. In this case, many privacy experts say that the rules and conditions under which the buyer controls his own personal data should be applied; these rules should come from the country in which the buyer (data subject) resides rather than those in which the place of business of the operator of electronic commerce is located (data controller).

The simple case above illustrates one of the most crucial issues in EU data protection law and in the ongoing debate on the review of the EU data protection framework. On this subject, the provisions on applicable law provide a set of rules to determine the external scope of EU law; that is, they determine the extent to which EU data protection law applies to data processing that has taken place wholly or partially outside the EU or the other European Economic Area (EEA) states (Iceland, Liechtenstein and Norway).

The “Equipment/Means” Criterion

Regarding...

PRIVACY LAW—FRANCE

Court Upholds Search and Seizure of E-Mails (January 23, 2012)

The French Court of Cassation has upheld an appeals court ruling that dismissed claims that an investigation by the French Competition Authority violated Janssen-Cilag employees' rights to privacy, secrecy of correspondence and protection of personal data. The appeals court ruled that the unlimited search and seizure carried out by the authority was exempt from the French data protection law under the French Commercial Code, which grants the authority "the power to inspect the premises of a company suspected of anti-competitive practices and to search and seize all company documents and information that may be relevant to an investigation," reports the Hunton and Williams Privacy and Information Security Law Blog.
Full Story

TRAVELERS’ PRIVACY—EU & U.S.

Article 29 WP Responds to Recent PNR Draft (January 23, 2012)

In an open letter to the members of the LIBE Committee of the European Parliament, the Article 29 Working Party (WP) acknowledges that modest improvements have been made to the latest draft of the EU-U.S. Passenger Name Records (PNR) agreement, but says many of its concerns stand. The WP says that it has not received evidence proving the agreement is warranted in the first place and goes on to outline its concerns, including uncertainty about how the U.S. Department of Homeland Security is allowed to use PNR data, the 15-year data retention term, the masking--and not deletion--of sensitive data and whether the access and redress mechanisms are in line with EU laws.
Full Story

EMPLOYEE PRIVACY—ITALY

Garante: No CCTV in the Workplace (January 20, 2012)

The Italian Data Protection Authority, or Garante, has ruled on the installation and use of video surveillance devices in several workplaces. The Garante ruled that a private ICT company, a public administration, a hospital and a rest home for elderly people had used CCTV and the related data processing unlawfully. The Garante has ordered the organisations to cease their use of CCTV and destroy the images collected. Absent appropriate measures and guarantees to protect workers, inter alia an agreement with the works councils or authorisation by the Local Labour Office--as provided for by the Italian Data Protection Code, the CCTV Guidelines enacted by the authority and the Statute of Workers of 1970--the use of CCTV systems in workplaces is forbidden. (Garante press release in Italian.)
Full Story

SURVEILLANCE—GERMANY

Gov’t Agency Testing Spyware Programme (January 20, 2012)

Germany's federal criminal agency (BKA) is testing a spyware programme that can monitor individuals through their computers, Deutsche Welle reports. FinSpy infiltrates computers by tricking a user to update software either on a personal computer or mobile phone. Once the programme infects a computer, it can monitor a user via webcam and download files without detection, the report states. A representative from Privacy International said, "The potential for abuse in the hands of low-level law enforcement is extraordinarily high, given the limits of any possible oversight mechanisms." Last year, German authorities' use of spyware also prompted privacy concerns.
Full Story

DATA RETENTION—EU

EC Informs DAPIX of DRD Consultation (January 20, 2012)

EDRi reports on a paper sent from the European Commission (EC) to the Council of the European Union's Working Group on Information Exchange and Data Protection (DAPIX) on the EC's consultation about the Data Retention Directive (DRD). Taking place in April 2011, the consultation highlighted components of the DRD that the EC would like to address, according to the report. The EC says "there is a continued perception that there is little evidence at an EU and national level on the value of data retention in terms of public security and criminal justice nor of what alternatives have been considered." The document ends by reportedly asking, "What are the most effective ways of demonstrating value of data retention in general and of the DRD itself?"
Full Story

HEALTHCARE PRIVACY—UK

Pharmacy To Offer ‘Smart Pills’ (January 20, 2012)

Financial Times reports on the potential privacy implications surrounding a pharmacy chain's plans to offer customers "intelligent medicines" to help monitor their health and comply with doctors' orders. Lloydspharmacy has signed a deal with a U.S. company to sell pills embedded with microchips that will communicate with a patch worn on patients' shoulders and transmit information about heart rate and posture to their mobile devices or computers. (Registration may be required to access this story.)
Full Story

FINANCIAL PRIVACY—UK

Customer Service Requirement Raises Concerns (January 20, 2012)

COMPUTERWORLD UK reports on a controversial procedure conducted by London department store Fortnum & Mason asking customers who are returning items to e-mail their credit card details. A company spokesman said no payment details are stored by the organisation. According to the article, a customer service e-mail sent to a customer said credit card details--including card type, name on the card, number, expiry date and security code--were required to get a refund. Though the company said it would destroy the information once the transaction went through, one security expert criticised the company's current practice as "weak."
Full Story

DATA PROTECTION—GERMANY

Privacy Commissioner, Others Oppose Register (January 20, 2012)

Federal Privacy Commissioner Peter Schaar has expressed opposition to a proposed national register to keep track of violent neo-Nazis. According to a Monsters and Critics report, Chancellor Angela Merkel's cabinet this week moved to create the register in an effort to stem violent acts. Schaar deems the register as unnecessary, according to the report, while others say it would threaten civil liberties. The German parliament would have to approve of the register's creation.
Full Story

EMPLOYEE PRIVACY—SWEDEN

Analysis: Whistleblowing Systems Uncovered (January 20, 2012)

International Law Office analyses the legal requirements surrounding whistleblowing systems in Sweden. In addition to requiring that employers process reported information using data protection rules, instances of criminal offences generally need to be processed by Swedish authorities. However, the exception to the rule is when management is involved in criminal activities. In such cases, the employer does not need to provide the employee with prior authorisation when processing personal data. The report outlines additional rules that employers must observe after an instance of wrongdoing is reported in the workplace, including employee notification obligations, sensitive personal data restrictions, third-party data transfers and information storage. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—HUNGARY & EU

EC Launches Proceedings Against Hungary (January 18, 2012)

European Voice reports that the European Commission (EC) has begun infringement proceedings against the Hungarian government over three laws that took effect January 1 and are considered by the commission to violate EU law. One of the laws in question pertains to the independence of the country's data protection authority. EC President José Manuel Barroso announced the legal challenge in Strasbourg on Tuesday. The Hungarian government has until February 17 to respond.

DATA LOSS—UK

ICO Takes Action Following Breach (January 18, 2012)

The Information Commissioner's Office (ICO) has taken action against a healthcare provider following a data breach, Computer Business Review reports. In August, Praxis Care Limited lost an unencrypted memory stick containing sensitive patient information, breaching the UK Data Protection Act and the Isle of Man Data Protection Act. The 160 individuals affected have been notified, and the company has not received any complaints so far, the report states. Praxis Care Limited has agreed to ensure that all portable media devices are encrypted and not retain unnecessary data. It has also updated its data security guidance, the report states.
Full Story

DATA LOSS

Customers React To Breach Responses (January 18, 2012)

Highlighting individual consumer experiences, The New York Times delves into the ongoing string of online data breaches, saying, "The attacks point to an unsettling new world in which even the supposed stalwarts of the Internet...cannot seem to keep personal information safe." Commonly, company breach response plans amount to telling consumers they are responsible for protecting their data, the report states. One Internet expert says the recent breaches have the potential to cause consumers to lose confidence in Internet commerce. One woman--whose data has been breached three times in 2012 alone--says, "Companies have to do a better job protecting our privacy." The report notes that a White House initiative, the National Strategy for Trusted Identities in Cyberspace, is working to help online organizations adopt higher standards for verifying users and storing data. (Registration may be required to access this story.)
Full Story

DATA LOSS

Analysts React to Zappos Breach Response (January 18, 2012)

PCWorld reports on Zappos' response to its recent breach affecting 24 million customers. The online shoe retailer notified affected customers via e-mail and has asked them to change passwords after discovering a hacker had gained unauthorized access to company servers containing names, e-mail addresses and billing addresses. But some analysts say that the company's response was the wrong one, and that deleting 24 million customer passwords makes the company look like it's in panic mode. Another expert and Zappos customer, however, says data encryption should have been more broadly applied because the "definition of what is sensitive is changing. It's not just card numbers anymore..."
Full Story

BEHAVIORAL TARGETING

Do-Not-Track Option Released for Browser (January 17, 2012)

Privacy expert Jonathan Mayer of Stanford University has released a do-not-track extension for Google's Chrome browser allowing users to opt out of tracking by targeted advertising companies, reports PC Pro. While other browsers have had do-not-track mechanisms for "quite some time," Mayer says Google has declined thus far to add the feature to Chrome. The do-not-track initiative has been criticized for being unenforceable, among other reasons, and while Mayer acknowledges the criticism, noting that "websites have to add support for it," he says "that line has largely faded, partly because researchers have demonstrated again and again how Web measurement tools can catch bad actors."
Full Story

DATA PROTECTION

Experts: Passwords Don’t Protect You (January 17, 2012)

Two researchers say that online passwords, while helpful for websites aiming to sign up millions of users, overlook "really scary and effective attacks." While password advice usually instructs users to choose something strong, memorable and a mix of numbers and letters, strong passwords aren't as important as they used to be, given more advanced hacking methods such as phishing and keylogging. Researchers Cormac Herley and Paul C. van Oorschot say in a new paper that the computer industry wrote off the significance of passwords a decade ago after Bill Gates said they'd become obsolete soon, so not enough work has gone into improving them and understanding how they get compromised, Wired reports.
Full Story

PRIVACY LAW—EU

EC: New Framework on Track for January Release (January 16, 2012)

Despite reports last week warning of a possible delay to the release of the revised European data protection framework, a spokesman for EU Justice Commissioner Viviane Reding told Bloomberg that the framework will be published by the end of January. "The data protection reform is well on track for adoption by the commission by the end of January," Matthew Newman said. Editor's note: The IAPP will host a Web conference to discuss the changes shortly after the release of the new framework.
Full Story

PRIVACY LAW—UK

Trust Challenges ICO Fine (January 16, 2012)

Saying that it was a "victim of a crime," Brighton and Sussex University Hospitals NHS Trust is challenging an Information Commissioner's Office (ICO) £375,000 fine over the theft of sensitive personal information, COMPUTERWORLD UK reports. At least 232 hard drives containing the data were stolen from the trust and sold for profit. "We subcontracted the destruction of these hard drives to a registered contractor, who subsequently sold them on eBay," said the hospitals' chief executive. "As soon as we were alerted to this, we informed the police and with their help we recovered all the hard drives stolen by this individual. We are confident that there is a very low risk of any of the data from them having passed into the public domain."
Full Story

GEO PRIVACY—THE NETHERLANDS

TomTom Gets Green Light from Dutch DPA (January 13, 2012)

The Dutch Personal Data Protection Agency (CBP) has cleared navigation device maker TomTom of claims that it violated data protection laws by collecting and selling user data without gaining customers' consent, reports Reuters. TomTom's head of privacy and information security, Simon Hania, said while the company sells aggregated, anonymous data, "it was confirmed by the CBP that we never have and we never will sell data from our individual users to anyone else, including governments and the police." Hania also said the company has amended its third-party contracts to limit the use of information it sells and will update the consent software on its products to ensure consumers know how the company uses their data.
Full Story

PERSONAL PRIVACY—EU

Researchers: Smart Meters Capable of Surveillance (January 13, 2012)

Researchers claim they have been able to intercept and analyse information sent between energy suppliers and smart meter devices, Out-Law.com reports. The researchers said they were able to reveal intimate details about a household's energy consumption--including when houses are occupied or the television show playing--because the data was unencrypted and sent in two-second intervals. "Unfortunately, smart meters are able to become surveillance devices that monitor the behaviour of the customers, leading to unprecedented invasions of consumer privacy," said the researchers, who presented their findings at a recent conference in Berlin.
Full Story
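The reason two-second, unencrypted readings matter is that individual appliances leave step changes in the load that a half-hourly billing figure averages away. The following is an added Python example, not the researchers' code, that shows the inference on constructed data: one hour of 2-second samples with a 90 W base load, a 180 W television-sized load from minute 2 to minute 10 and a 2 kW kettle-sized load from minute 5 to minute 7. The appliance signature table is made up too; a real analysis would use measured load profiles, and identifying a television programme (as the item reports) needs far finer signatures than this.

```python
"""What high-frequency, unencrypted meter readings give away.

Added example, not the researchers' code. Readings and signatures are
constructed: one hour of 2-second samples in watts, not real meter data.
"""

PERIOD_S = 2  # the two-second reporting interval from the item


def constructed_readings():
    """One hour of constructed 2-second readings (watts)."""
    samples = []
    for i in range(3600 // PERIOD_S):
        t = i * PERIOD_S
        watts = 90.0
        if 120 <= t < 600:
            watts += 180.0      # television-sized load, minutes 2 to 10
        if 300 <= t < 420:
            watts += 2000.0     # kettle-sized load, minutes 5 to 7
        watts += (i % 3) - 1    # small deterministic jitter, -1..+1 W
        samples.append(watts)
    return samples


def detect_events(readings, period_s, min_step_w=100.0):
    """Return (time_s, delta_w) for every step larger than min_step_w between
    consecutive samples: an appliance switching on (+) or off (-)."""
    events = []
    for i in range(1, len(readings)):
        delta = readings[i] - readings[i - 1]
        if abs(delta) >= min_step_w:
            events.append((i * period_s, delta))
    return events


# Constructed signatures (watts). Real attacks use measured load profiles.
SIGNATURES = {"television": 180.0, "kettle": 2000.0}


def label_events(events, signatures=SIGNATURES, tolerance=0.15):
    """Match each step against the signature table; unmatched steps stay 'unknown'."""
    labelled = []
    for t, delta in events:
        name = "unknown"
        for candidate, watts in signatures.items():
            if abs(abs(delta) - watts) <= tolerance * watts:
                name = candidate
        labelled.append((t, "on" if delta > 0 else "off", name))
    return labelled


def coarsen(readings, period_s, window_s):
    """Average the readings over window_s seconds (1800 = half-hourly billing data)."""
    n = window_s // period_s
    return [sum(readings[i:i + n]) / len(readings[i:i + n])
            for i in range(0, len(readings), n)]


if __name__ == "__main__":
    fine = constructed_readings()
    for t, state, name in label_events(detect_events(fine, PERIOD_S)):
        print("%4d s  %-10s %s" % (t, name, state))
    # Half-hourly averages keep the bill right but lose the appliance-level story.
    coarse = coarsen(fine, PERIOD_S, 1800)
    print("half-hourly averages:", [round(w) for w in coarse])
    print("steps visible in them:", detect_events(coarse, 1800))
```

On the constructed data the 2-second series yields four events with exact times and sizes (television on at 120 s, kettle on at 300 s and off at 420 s, television off at 600 s), which is enough to say when someone was home and what they were doing. The two half-hourly averages still differ by about 180 W, so even billing-resolution data reveals that the first half hour was busier, but not which appliances or when. Encrypting the link does not change what the supplier can infer, only who else can; the resolution the supplier actually needs is the data-minimisation question.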

PERSONAL PRIVACY—MALTA

Commissioner Says Nature Organisation Breached Act (January 13, 2012)

Malta's data protection commissioner has responded to a complaint from the Federation for Hunting & Conservation (FKNK) claiming that Birdlife Malta breached the Data Protection and Privacy Act when it filmed an incident involving FKNK representatives without their permission and after being asked to stop, reports The Malta Independent. While FKNK says the commissioner warned BirdLife Malta not to film individuals without their consent unless allowed under the act, Birdlife Malta says the commissioner ruled the organisation was "acting in the public interest when publishing the video concerned but that individuals ought not to be identifiable in such material." Birdlife Malta says the decision refers to one incident only, in which a video was released prior to the sentencing of the individual.
Full Story

DATA LOSS—UK

Employee Fined for Unauthorised Access (January 13, 2012)

A former employee of Royal Liverpool university hospital faces fines for unlawfully accessing the medical records of her ex-husband's family, reports The Guardian. The hospital was notified of the possible data breach by one of the victims after he received phone calls from a person he suspected to be his former daughter-in-law, hospital employee Juliah Kechil. Liverpool city magistrates court ordered Kechil to pay fines of £500 and £1,000, as well as a £15 victim surcharge. "People should be able to feel confident that their personal details will be stored securely and only accessed when there is a legitimate business need," said a spokesman for the Information Commissioner's Office.
Full Story

FINANCIAL PRIVACY—EU

Secure Payments Green Paper Consultation Opened (January 13, 2012)

In its effort to "integrate the market for cards, Internet and mobile payments," the European Commission has established a green paper consultation, TMC reports. As part of the commission's goal of a "secure and transparent integrated payments environment to create more efficient, modern and safer means of payments," the key issues being addressed as part of the consultation include payment security and data protection, the report states. Responses will be accepted through 11 April, with the next steps in the process to be announced in the summer.
Full Story

PRIVACY LAW—HUNGARY & EU

EC: Hungary Must Act Before Tuesday (January 12, 2012)

The Hungarian government must modify some of its new constitutional measures by Tuesday or face potential infringement proceedings by the European Commission (EC), European Voice reports. The commission is troubled by changes to Hungary's constitution that took effect on January 1 and may flout EU law. In particular, the independence of the country's data protection commissioner has come into question.

PERSONAL PRIVACY

Searls: Goodbye Data Collection, Hello Intention Economy (January 12, 2012)

In the Harvard Business Review, tech guru Doc Searls says the age of collecting data on customers is over. The intention economy will soon arrive, he says, and it will render unnecessary the mining and amassing techniques companies have used to get to know their customers better. "Businesses soon will no longer own the data...customers will." Searls says when this happens, vendors will realize greater benefits than they do now because when customers own and control their data, "demand will drive supply more efficiently than supply currently drives demand. Customers not only will collect and manage their own data but will be equipped with tools for declaring their intentions directly to the whole marketplace."
Full Story

DATA LOSS—UK

ICO Serves Intent To Fine £375,000 (January 11, 2012)

The Information Commissioner's Office (ICO) has served an NHS Trust with a notice of intent to fine, The Argus reports. The fine follows an ICO investigation into the theft of 232 hard drives from Brighton General Hospital. The drives contained the private medical data of tens of thousands of patients. They were sold on eBay, and the purchaser notified the trust, which recovered the data.

PRIVACY LAW—UK

Online Retailers Told To Prepare for EU Cookie Rules (January 11, 2012)

COMPUTERWORLD UK reports on recommendations to online retailers to "act now to address new EU cookie legislation" before the Information Commissioner's Office (ICO) begins enforcing the law later this year. One expert suggests that failing to act early will have a negative impact on customers' online experiences and marketers' optimization efforts. "Finding out which approach works and assessing the right wording and design elements will be a critical part of ensuring ICO demands are met without affecting the bottom line," said Peter Ellen of website testing company Maxymiser, adding that this must be done now "so the results can be acted on before May 2012."
Full Story

ONLINE PRIVACY

Google Searches May Include Google+ Info (January 11, 2012)

Google search results will now include photos and commentary from its Google+ social network, the Huffington Post reports. "The Internet search leader eventually hopes to know enough about each of its users so it can tailor its results to fit the unique interests of each person looking for something," the report states, in what the company has described as "the new era of social and private data search." The new feature, which was rolled out on Tuesday, will be the default "for all English-language searches made by users logged into Google," the report states, but can be turned off permanently with a settings change or on a per-case basis via an icon.
Full Story

PRIVACY LAW—EU

EDPS Releases 2012 Priorities (January 10, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx today released a strategic planning document for the upcoming year in the area of legislative consultation. Noting that 2012 will be a demanding year, Hustinx said, "The EDPS will face the challenge of fulfilling an ever-increasing role in the legislative procedure and at the same time guarantee high-quality and well-appreciated contributions to it with limited resources." Among the major issues of strategic importance for the EDPS are the revision of the EU data protection framework; technological developments in the digital agenda, IP rights and the Internet; continued development of the area of freedom, security and justice, and financial sector reform, according to an EDPS press release.
Full Story

GEO PRIVACY—UK

Advocates Admonish Stores for Tracking Shoppers (January 6, 2012)

In the wake of recent reports of shopping centres using tracking technology to monitor customers' browsing habits via their mobile phones, shoppers and privacy advocates alike are raising concerns. The Guardian reports that shopping centres "can analyse data such as how long visitors stay, where their favourite spots are and their preferred routes as they move around a mall," which has some questioning the lack of an opt-out--other than turning off their phones. "Shopping centres argue the system benefits both customers and retailers and insist privacy is not compromised because individuals are not identified," the report states.
Full Story

TRAVELLERS’ PRIVACY—THE NETHERLANDS

Minister: Project Does Not Violate Privacy Laws (January 6, 2012)

EUobserver reports on a statement from Dutch Interior Minister Gerd Leers that the country's new €19 million border control system @migo-Boras--which will see the installation of cameras in some police cars and along major highways connecting the Netherlands to Belgium and Germany--"falls within the existing rules for border control and privacy." One German police official reportedly suggested the cameras put "all travellers under general suspicion." Leers has acknowledged receiving questions from the European Commission and has said he will be providing information, the report states.
Full Story

DATA PROTECTION—UK

ICO Offers Informal Audits (January 6, 2012)

The Information Commissioner's Office (ICO) has introduced informal advisory visits for small to medium-sized businesses, charities, not-for-profit organisations and public authorities seeking ideas for improving their data protection practices, reports the Field Fisher Waterhouse Privacy Law Blog. The ICO has indicated it will put a priority on audits of organisations it considers high-risk, but the informal visits will give lower-risk organisations access to the ICO's good practice team. Each visit lasts one day, focuses on security, records management and requests for personal data, and is followed by a report on the ICO's findings and suggested improvements.
Full Story

DATA PROTECTION—EU

Readers Support Breach Fines (January 6, 2012)

A V3.co.uk survey recently found that the majority of readers feel that fining organisations five percent of their annual turnover for privacy breaches would help encourage better data protection. In a draft of the new Data Protection Directive, the European Commission has proposed such a provision, as well as another that would require any organisation with 250 or more employees to appoint a full-time staff member dedicated to data protection. While 87 percent of V3.co.uk readers support five-percent fines for breaches, a small percentage said such a fine is too high and the current system is sufficient.
Full Story

DATA PROTECTION—SWEDEN

Institutet To Dispute Board’s Decision (January 6, 2012)

The Karolinska Institutet says it will appeal the Data Inspection Board's ruling that it must stop collecting certain data from patients. After auditing the institute's LifeGene project, the board ruled that the ongoing information gathering for the purpose of future research was in breach of the Personal Data Act. The project has compiled information from volunteers about their health and lifestyles. The board also noted that parliament and the government should review the legislation. Karolinska Institutet President Harriet Wallberg-Henriksson described the decision as "a devastating blow for medical research," adding, "This shows that there are flaws in the law."
Full Story

DATA PROTECTION—IRELAND

Opinion: Kudos to DPC on Investigation (January 6, 2012)

The Irish Times takes a look at the investigation into Facebook's privacy practices completed recently by the Data Protection Commission. The piece compliments the DPC for bringing a technologist into the audit and lauds Facebook for cooperating with the investigation, but it questions the wisdom of the joint report announcement, saying that it "had overtones of cosiness and comfort that...made the two organisations seem more like dancing than sparring partners." However, overall, writes Karlin Lillington, "the commissioner's office carried off this major and unprecedented challenge with commendable speed and focus, and produced a list of spot-on recommendations that will benefit all European Facebook users in a brave new era of social networking." Editor's note: Irish Data Protection Commissioner Billy Hawkes will discuss the investigation during a keynote address at the IAPP Europe Data Protection Intensive in London in April.
Full Story

ONLINE PRIVACY—IRELAND

Complaint Filed Against Utility Payment Website (January 5, 2012)

An Irish Socialist Party MEP has filed a complaint with the Data Protection Commissioner claiming a website set up by the Irish government to facilitate the payment of a new household utilities charge contravenes EU privacy regulations, reports The Independent. "The website's privacy statement declares that the site uses 'session cookies,' which are erased after use, whereas in fact it uses so-called 'persistent cookies' that remain on people's computers after they visit the website," says MEP Paul Murphy. Data Protection Commissioner Billy Hawkes has also voiced his concerns over a proposed plan to tap into homeowners' utility bills in order to collect the charge.
Full Story
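The complaint above turns on a checkable technical claim: a site's privacy statement says it sets only session cookies, while the cookies it actually sends carry an expiry and so survive the browser session. The following is an added example, not code from the original digest or from the Irish government's website, that audits Set-Cookie headers against such a statement using the RFC 6265 rules (a cookie is persistent when it carries a positive Max-Age or a future Expires; Max-Age takes precedence over Expires; a Max-Age of zero or a past Expires is a deletion instruction, not storage). The header values are constructed for illustration and the reference clock is fixed so the result is reproducible.

```python
"""Audit Set-Cookie headers against a "session cookies only" privacy statement.

Added example (assumptions: cookie attribute handling follows RFC 6265,
sample headers below are constructed and not captured from any real site).
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional


def cookie_lifetime(set_cookie: str, now: datetime) -> str:
    """Classify one Set-Cookie value as "session", "persistent" or "expired"."""
    parts = [p.strip() for p in set_cookie.split(";")]
    max_age: Optional[str] = None
    expires: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = val.strip()
        elif key == "expires":
            expires = val.strip()

    # RFC 6265 section 5.3: Max-Age, when present and well-formed, wins over Expires.
    if max_age is not None:
        try:
            seconds = int(max_age)
        except ValueError:
            seconds = None          # a malformed Max-Age is ignored
        if seconds is not None:
            return "persistent" if seconds > 0 else "expired"

    if expires is not None:
        try:
            when = parsedate_to_datetime(expires)
        except (ValueError, TypeError):
            return "session"        # an unparseable Expires is ignored as well
        if when.tzinfo is None:
            when = when.replace(tzinfo=timezone.utc)
        return "persistent" if when > now else "expired"

    return "session"                # no lifetime attribute: lives for the browser session


def cookie_name(set_cookie: str) -> str:
    """Extract the cookie name from the leading name=value pair."""
    return set_cookie.split(";", 1)[0].split("=", 1)[0].strip()


def audit_cookies(set_cookie_headers: List[str], now: datetime) -> Dict[str, str]:
    """Map each cookie name to its lifetime class."""
    return {cookie_name(h): cookie_lifetime(h, now) for h in set_cookie_headers}


def persistent_cookies(set_cookie_headers: List[str], now: datetime) -> List[str]:
    """Names of cookies that contradict a "session cookies only" statement."""
    return [name for name, kind in audit_cookies(set_cookie_headers, now).items()
            if kind == "persistent"]


# Constructed sample Set-Cookie values (hypothetical; not from any real response).
SAMPLE_HEADERS = [
    "PHPSESSID=a1b2c3; Path=/; HttpOnly; Secure",                  # session
    "_site_tracker=u-42; Path=/; Max-Age=31536000; HttpOnly",      # one year
    "lang=en; Expires=Sat, 05 Jan 2013 00:00:00 GMT; Path=/",      # dated expiry
    "legacy=1; Max-Age=0; Path=/",                                 # deletion
]
# Fixed reference clock so the classification above is reproducible.
REFERENCE_NOW = datetime(2012, 1, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, kind in audit_cookies(SAMPLE_HEADERS, REFERENCE_NOW).items():
        print(f"{name:14s} {kind}")
    print("contradict statement:", persistent_cookies(SAMPLE_HEADERS, REFERENCE_NOW))
```

In practice the header list would come from the `Set-Cookie` entries of a real HTTP response to the site in question; comparing the audit output with the wording of the privacy statement is the kind of evidence a complaint such as this one rests on.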

DATA PROTECTION

Survey Respondents Focused on Data Security (January 5, 2012)

SC Magazine reports on its fifth annual "Guarding Against a Data Breach" survey, which found that 63 percent of 488 respondents "are confident that their company's IT security departments have the power, executive support and budget/resources necessary to safeguard customer, client and other critical corporate data." That share is up from 58 percent of last year's respondents. The report also highlights concerns that 2012 "promises still more of the advanced cyber attacks" that occurred in 2011, as well as increases in regulatory audit "and a continuation of end-users and consumers relying on an array of vulnerable technologies to conduct business."
Full Story

PRIVACY LAW—HUNGARY & EU

Commission Concerned About Changes to Constitution (January 4, 2012)

The European Commission (EC) has expressed concern about Hungary's newly revised constitution, European Voice reports. The commission is looking into whether certain changes comply with EU laws. EC spokesman Olivier Bailly said that EC Vice President Viviane Reding is concerned about the independence of the new data protection supervisor, the report states. In July, the Hungarian government passed a law that saw the role of the country's independent data protection ombudsman subsumed by a new National Data Protection and Freedom of Information Authority. Reding wrote to Hungarian ministers last month expressing "doubts" about the changes.
Full Story

DATA PROTECTION—UK

ICO Lays Out Plans for This Year (January 4, 2012)

The start of 2012 "marks a pivotal moment for both data protection and freedom of information," writes UK Information Commissioner Christopher Graham in his latest blog post. For his office's part, it will take a practical but principled approach in the coming year, he says. This week it is releasing its Information Rights Strategy, which reveals that the office will place a priority on the areas of health; credit and finance; criminal justice; Internet and mobile services, and information security. Noting increases in data collection amidst a struggling economy, Graham says companies shouldn't look to information security budgets to save on costs.
Full Story

PRIVACY LAW—EU

EDPS Discusses Need for Stronger Data Protection (January 3, 2012)

In a feature for NEWEUROPE Online, European Data Protection Supervisor Peter Hustinx explains that despite its impressive history, the Data Protection Directive 95/46/EC "is starting to show its age." Given the increasingly Internet-based nature of the world we live in and other factors, he writes, "there is not only a need for modernization but also an urgent need to ensure that the principles of data protection continue to be fully effective in a changing world."

DATA PROTECTION—FRANCE

CNIL Inspects Bank Units (January 3, 2012)

The French data protection authority--the Commission Nationale de l'Informatique et des Libertés (CNIL)--is analyzing data gathered during a recent inspection of two bank units, Bloomberg reports. The CNIL inspected a newspaper and an information technology unit of Credit Mutuel-CIC based on a report of a system failure on December 28, according to the report.
Full Story

ONLINE PRIVACY

User Authentication Goes High-Tech (January 3, 2012)

Studies show that sophisticated technologies are making it easier for hackers to crack the current system of user authentication--passwords--meaning some tech firms are looking at other ways of identifying users, reports The New York Times. A recent blog post predicted that users may no longer need passwords, pointing to biometrics as the wave of the future, but one Web researcher says a problem with biometric authentication is "once your digital biometric signature is compromised, you cannot even replace it." A security expert warns that every authentication method has drawbacks and that using more than one is always best. One tech giant recently launched a behavioral password system using gestures in addition to a password and facial recognition. (Registration may be required to access this story.)
Full Story

DATA LOSS

Hackers Dump Security Company Data (January 2, 2012)

The hacker collective Anonymous has exposed the usernames, e-mail addresses and passwords of 860,000 users of the security think tank Stratfor--including the credit card information of 75,000 of them, reports VentureBeat. Stratfor has consequently shut down its website pending the completion of a "thorough review and adjustment by outside experts." Anonymous reportedly broke into Stratfor's Web servers and downloaded 200 gigabytes of data. A New York Times report notes this breach could be "especially embarrassing" if hackers can prove the company--"which markets its security expertise"--did not encrypt its sensitive data. One security expert says the resulting credit card fraud has already been "well documented," and advises Stratfor customers to contact their credit card companies.
Full Story

DATA RETENTION—EU & GERMANY

German Gov’t Writes to Commission (January 2, 2012)

Telecompaper reports that in a letter dated December 23, the German government notified the European Commission (EC) that it has partially implemented the EU Data Retention Directive. The commission could take legal action in the European Court of Justice if Germany does not come into compliance with the directive. A government spokesperson said Germany is "preparing a reasonable compromise to present a stable constitutional solution" in the event the EC takes such action. In its letter, the German government said it is awaiting details on the so-called Quick-Freeze procedure, according to the report.
Full Story