European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

MOBILE PRIVACY

Loophole Exposes Access to Photos (February 29, 2012)

The New York Times reports on a loophole in Apple's mobile devices that allows developers to copy a user's photo library without warning or notification after a user consents to allowing access to location information in photos. Though it is not clear if the company illicitly copies user photos, one app developer said, "Conceivably, an app with access to location data could put together a history of where the user has been based on photo location." The data could then be uploaded to a server and, "Once the data is off of the iOS device, Apple has virtually no ability to monitor or limit its use." A representative from the Electronic Privacy Information Center said the company "has a tremendous responsibility as the gatekeeper to the app store...Apple and app makers should be making sure people understand what they are consenting to." (Registration may be required to access this story.)

DATA PROTECTION

Suspected Hacktivists Arrested Worldwide (February 29, 2012)

In a sweep conducted by Interpol's Latin American Working Group of Experts on Information Technology Crime, 25 suspected members of the hacker group Anonymous were arrested in Argentina, Colombia and Spain, reports The Telegraph. The arrestees are suspected of planning attacks against Colombia's Defense Ministry, Chile's Endesa electricity company and others. Interpol began its investigation in mid-February and has seized 250 pieces of IT equipment from 40 locations in 15 cities, the report states.

PRIVACY LAW—U.S. & EU

DOC’s Kerry Discusses White House Framework (February 28, 2012)

The success of the White House's recently released framework for its privacy bill of rights will depend in part on allowing businesses and regulators to take the lead and on consumer education, said Department of Commerce General Counsel Cameron Kerry from Brussels this week. The plan is slightly different from the European Commission's top-down approach, reports Dow Jones Newswire. However, "This is not simply self-regulation," Kerry said, "we are, like the commission, proposing legislation and trying to get that adopted. This code of conduct will be legally enforceable by the Federal Trade Commission." The U.S. looks forward to working with the EU on interoperability, Kerry said. (Registration may be required to access this story.)

DATA PROTECTION—THE NETHERLANDS

DPA Says Organisations Not Protecting Data (February 24, 2012)

The Dutch Data Protection Authority (CBP) says information about patients "is there for the taking" at some Dutch pharmacies, Dutchnews.nl reports. In a study of 15 public and private organisations, the CBP found that local authorities and amusement parks are also vulnerable. "We were shocked by the results," said CBP Chairman Jacob Kohnstamm. "The most simple rules for good security are not being followed." Nine investigations are still ongoing, but the CBP said the organisations it looked at did not use secure website addresses or protect passwords properly.

PRIVACY LAW—UK

Judge Allows Social Network Suit To Proceed (February 24, 2012)

A UK judge has served legal papers via Facebook in a case where one defendant was difficult to locate, Mobiledia reports. The move sets a precedent in the UK "for using the social media site in an official legal capacity," the report states. "It's a fairly natural progression," said a lawyer representing one of the parties in the case. "A High Court judge has already ruled that an injunction can be served via Twitter, so it's a hop, skip and a jump away from that to allow claims to be served via Facebook." Similar allowances have been made in Australia, New Zealand and the UK county court system.  

DATA LOSS—IRELAND

Passport Numbers Made Public, Studyhub Breached (February 24, 2012)

A travel agency says a number of customers' personal data was breached because of a security flaw on its website. Go4Less.ie says the data--which included passport numbers, phone numbers and addresses--was made public for a short time, but the Office of the Data Protection Commissioner has confirmed that the agency has rectified the problem. The agency will provide a full report to the office, reports TheJournal.ie. Meanwhile, more than 8,000 users of Eircom's Studyhub service may have been affected by a data breach last week.  

PRIVACY LAW—UK

Student Gets Prison Time for Facebook Hack (February 24, 2012)

A British student who hacked into Facebook's computers has been sentenced to eight months in prison, reports AAP. Glenn Mangham, 26, accessed the social network's computers from his bedroom and stole "invaluable intellectual property," the report states. It was an attack that "represents the most extensive and grave incident of social media hacking to be brought before the British courts," Prosecutor Sandip Patel said. Mangham's defense argued that he hacked the system to show Facebook how to better protect its security. The judge ruled his actions had "very serious potential consequences."

PRIVACY LAW—IRELAND

Networking Site Faces Suit from Student (February 24, 2012)

Since Austrian student Max Schrems filed a challenge to Facebook's data collection policies, 40,000 people have contacted the company asking for their own data. Under the proposed draft that would replace current European data protection law, Dublin-based Facebook would be policed by Ireland's data protection commissioner. But Schrems said that's not realistic and filed a challenge on behalf of the company's 229 million European users claiming the policies breach European data protection law, reports The Irish Times. Schrems filed a complaint with the commissioner that the company was deceiving its users on what happened to their data.

CLOUD COMPUTING—EU

Experts: Directive Changes Could Hamper Cloud Business (February 24, 2012)

Cloud legal experts say the European Commission's proposed changes to the Data Protection Directive will likely drive business away, ITWorld reports. "Unless further changes are made to clarify and harmonise data protection rules across the EU, the draft regulation may drive business away from Europe and still fail to deliver effective protection for individuals," said the lead of the Cloud Legal Project at Queen Mary, University of London. Without such changes, it will be unclear which providers and users are regulated in the EU. Further, the group says, the draft imposes substantial burdens on businesses as well as regulators--who will need greater resources in order to police compliance.

PRIVACY LAW—IRELAND

Investigation Concludes Recycling Company Did Not Breach Act (February 24, 2012)

An investigation by the data protection commissioner has concluded that Dublin City Council's transfer of information to a private recycling company did not breach privacy laws, reports The Irish Times. The investigation followed a number of complaints from the public after Greyhound took over the council's bin collections. The council has agreed to comply with all data protection guidance should a similar situation occur in the future and put in place an audit procedure before any debt collection data is transferred from the council to Greyhound.

PRIVACY LAW—EU & U.S.

Reding Addresses Legal Gray Area, Data Protection Reform (February 24, 2012)

U.S. authorities cannot override EU laws on data privacy, said EU Justice Commissioner Viviane Reding in a debate over whether U.S. laws and legal subpoenas could force EU companies to disclose personal data to U.S. law enforcement agencies, EUobserver reports. "Any processing of personal data in the EU has to respect the applicable EU data protection law," Reding said. Meanwhile, in a CNN feature published on Thursday--the day the U.S. government released a proposed consumer privacy bill of rights--Reding described the European Commission's proposed new framework on data protection, saying, "As Europe tackles reform, I hope these proposed rules will inspire other countries that are grappling with privacy issues, like the United States."

PRIVACY LAW—EU

Commission Refers ACTA to High Court (February 23, 2012)

The European Commission has asked the European Court of Justice to determine the legality of the Anti-Counterfeiting Trade Agreement (ACTA), PC Magazine reports. EU Commissioner Karel De Gucht has asked the court to clarify whether ACTA violates rights such as "freedom of expression and information or data protection and the right to property in case of intellectual property." Proposed in 2007 and first negotiated in June 2008, the agreement must still be ratified by the European Parliament. The U.S., Australia, Canada, Korea, Japan, New Zealand, Morocco, Singapore and 22 EU member states have signed the agreement to date. De Gucht said the review is "a needed step."

TRAVELERS’ PRIVACY—EU & U.S.

in ’t Veld Recommends Rejecting PNR Deal (February 23, 2012)

Member of the European Parliament Sophie in 't Veld says the passenger name records (PNR) agreement between the European Union and the U.S. fails to adequately protect passengers' personal information in records shared with U.S. authorities, reports the European Voice. European Commissioner for Home Affairs Cecilia Malmström, meanwhile, has lauded the agreement's "robust privacy safeguards" and warns that the U.S. administration is not likely to negotiate the terms--leaving airlines that comply with the PNR agreement unsure of whether they are complying with EU law. The European Parliament's civil liberties committee reviews the agreement on Monday, with a plenary vote scheduled for April. (Registration may be required to access this story.)

PRIVACY LAW—EU

EC Responds to “Right To Be Forgotten” Concerns (February 23, 2012)

EU Justice Commissioner Viviane Reding has responded to concerns about the "right to be forgotten" provision in the new EU data protection framework, saying that the commission was clear in its expectations. "In principle, pure hosting services have no ownership and no responsibility for the content their users let them host...However, other information services, including social networking and search engines, may exercise control on the content, conditions and means of processing, thereby acting as data controllers. If and when this is the case, clearly they have to respect related data protection obligations," the commission wrote in a rebuttal letter sent to ZDNet UK. Google's Global Privacy Counsel Peter Fleischer wrote in a blog post that posters of information--not the companies running the platform--should be responsible for deleting the information.

DATA PROTECTION

Wyckoff: Privacy Needs Elevating in Governments (February 22, 2012)

During remarks at an event in Mexico City last fall, the Organisation for Economic Co-operation and Development's (OECD) director of science, technology and industry, Andrew Wyckoff, said the matter of data privacy needs to be elevated within governments. The OECD event, "Current Developments in Privacy Frameworks: Towards Global Interoperability," was held in conjunction with the 33rd International Conference of Data Protection and Privacy Commissioners. In this IAPP exclusive, The Privacy Advisor asks Wyckoff to answer some follow-up questions.

PRIVACY LAW—EU & HUNGARY

Hungary Responds to Infringement Proceedings (February 21, 2012)

Hungary has sent an approximately 100-page response to the European Commission regarding infringement proceedings launched against the country last month, EUobserver reports. The commission's concerns include questions about the integrity of the national data protection authority, the report states. Hungary's ambassador to the EU stated, "We sent our official replies to the European Commission, which is the end of the stage of the first process," noting the replies include proposals to change Hungary's legislation and explanations of areas where the country believes no changes are required. Hungary has indicated readiness "to make concessions to guarantee the independence of the data protection authority," the report states.

BEHAVIORAL TARGETING

Predictive Analytics Fueling OBA (February 21, 2012)

In an article for The New York Times, Charles Duhigg takes an in-depth look at how companies collect vast amounts of personal information and use predictive analytics to advertise products to individuals before they know they want them. "A retailer's holy grail" comes when an individual's buying habits are in flux the most--the time around the birth of a child. An analyst working for one retailer told Duhigg, "We knew if we could identify them in the second trimester, there's a good chance we could capture them for years." Habit formation has become a large field of research in medical centers and universities, the report states. "We're living through a golden age of behavioral research," said a representative from Predictive Analytics World. "It's amazing how much we can figure out about how people think now." (Registration may be required to access this story.)

FINANCIAL PRIVACY

Researchers Point to Flaw in Online Transaction Encryption (February 17, 2012)

Researchers have found a flaw in the algorithm used to encrypt transactions during online banking and shopping, AFP reports. While a team of U.S. and European researchers noted, "We found that the vast majority of public keys work as intended," their report cautions, "A more disconcerting finding is that two out of every one thousand RSA moduli that we collected offer no security."

PRIVACY LAW—SPAIN

High Court Declares Data Protection Article Void (February 17, 2012)

In light of the European Court of Justice's decision that "Spain had not transposed correctly the provisions concerning the balance of interests of EC Directive 95/46 on personal data protection and that, consequently, Spanish law is in breach of Article 7(f) of the directive," the Spanish Supreme Court has ruled on a challenge to Article 10.2.b. The Spanish Supreme Court has "declared Article 10.2.b of the secondary regulation, which required that the data appeared in public sources, in addition to the legitimate interest of the data controller, void," according to a Bird & Bird report. "This judgment shows, once again, the enormous importance of EU law in the development, interpretation and application of national legislations," said Antonio Creus of Bird & Bird, adding, "It is curious how a legal action against a recent secondary regulation (from 2007) can show the inadequacy of a 10-year-old organic law."

PRIVACY LAW—EU

EDPS Reports on Financial and Surveillance Practices (February 17, 2012)

The European Data Protection Supervisor (EDPS) published a follow-up status report on compliance with the Video-Surveillance Guidelines, acknowledging "considerable efforts" from many organisations but noting that, in others, compliance has been "put on hold or significantly delayed." The EDPS also published a package of four opinions on European Commission proposals concerning the monitoring of financial data. "I am particularly concerned about the data protection issues raised by the new powers of the supervisory authorities, especially in relation to access to communication data and inspection of private premises," said Assistant EDPS Giovanni Buttarelli.

PRIVACY LAW—EU & HUNGARY

Parliament Calls for Amended Laws (February 17, 2012)

The European Parliament has adopted a resolution highlighting "serious" concerns regarding Hungary's constitutional changes and calling on officials there to amend the laws in question "and comply with the recommendations, objections and demands of the commission and the Council of Europe," The Irish Times reports. The European Parliament has said it will release a report on whether the nation is in breach of the region's "common values." The institutional independence of data protection is one of the issues to be monitored, the report states.

PRIVACY LAW—THE NETHERLANDS

Opinion: Breach Notification, Supposed To Be the Law, But Isn’t (February 17, 2012)

A Financial Times report points to a breach that occurred at a Dutch telecoms company--discovered in January but not announced until February--as evidence that a breach notification law is needed. In accordance with the European ePrivacy Directive from 2002, EU countries should have implemented a breach notification law; however, the European Commission last year took action against 20 of the 27 member states for not complying with the directive. The report states the Dutch government supports a breach notification law, but Daphne van der Kroft of the Dutch digital rights organisation Bits of Freedom says, "It's going to take a long time before there's a law on the books."

ONLINE PRIVACY

Opinion: Who Owns Your Online Posts? (February 17, 2012)

The Wall Street Journal asks, "To whom do those embarrassing photos you foolishly posted...truly belong?" Pointing out that the sharing and re-sharing of online posts can make "cordoning off data as yours or mine" a difficult task, the report examines the call for a right to be forgotten as a chance "to wipe clean your digital muck and be reborn as an online tabula rasa." The report notes that the "permanence of information on the Internet is unsettling. A youthful indiscretion once posted can become a lifetime stain." (Registration may be required to access this story.)

The Supreme Court admits “legitimate interest” as a criterion for the processing of personal data wi (February 16, 2012)

On 8 February the Spanish Supreme Court put an end to the conflict between the Spanish Public Administration and ADigital [formerly, the Federation of Electronic Commerce and Direct Marketing (FECEMD)], where several Articles of the Spanish secondary regulation on the protection of personal data had been challenged.

PRIVACY LAW—EU

Court of Justice Decision “A Win” for Privacy (February 16, 2012)

A European Court of Justice decision on filtering online content is a "win" for privacy, The Inquirer reports. In Sabam v. Netlog, the court found, "The owner of an online social network cannot be obliged to install a general filtering system, covering all its users, in order to prevent the unlawful use of musical and audio-visual work." The ruling follows an earlier decision involving another ISP, and in both cases, the court has indicated "there is a requirement to strike a fair balance between the right to intellectual property...and the privacy right to protection of personal data," the report states.

DATA PROTECTION—UK

ICO Opens Consultation on Audit Policy (February 16, 2012)

The Information Commissioner's Office (ICO) has opened a consultation on proposed changes it has made to its code of practice on mandatory data protection audits, Out-Law.com reports. Government departments are subject to mandatory audits when the ICO issues assessment notices, a power granted to the authority under the Data Protection Act. Its revised code of practice states that government departments would have six weeks to agree to an audit within an accepted timeframe before an assessment notice would be issued. The ICO will issue a notice if it has reason to ensure that a department has taken appropriate measures to comply with previously mandated changes to its privacy practices.

PRIVACY LAW—EU

CEDPO Supports Role of DPO in Data Protection Regs (February 15, 2012)

The Confederation of European Data Protection Organizations (CEDPO), in a press release, says it "welcomes the recognition of Data Protection Officers (DPOs) as key players" in the draft data protection regulation adopted by the European Commission. The regulation requires the designation of a DPO in organizations with 250 employees or more, public bodies and those in which the main activities involve processing that requires "regular and systematic monitoring of data subjects." Christoph Klug of the GDD said, "DPOs will help to make data protection more effective, to reduce unnecessary administrative burdens and to create trust," while Sachiko Scheuing of the Dutch NGFG notes, "The positive impact of DPOs is already proven by a study of the Dutch Ministry of Justice. We are pleased to hear that this fact is recognized at European level." The requirement allows for flexibility in the positioning of the DPO within--or even outside--an organization, which Cecilia Alvarez of the Spanish APEP says will help to accommodate "the needs to fit organizations of all sizes." Pascale Gelly, CIPP/E, of the French AFCDP says CEDPO members can now join forces to "share their pan-European experiences on topics such as the necessary qualifications which DPOs should hold, the scope of the DPOs' tasks and how to ensure their independence." The CEDPO has released a comparative study of the role of the DPO in 12 European member states.

ONLINE PRIVACY

Experts: Big Data Means Big Decisions (February 15, 2012)

"We live in an age of 'big data,'" which brings with it "immense economic and social value" but also concerns about privacy, write two privacy experts in the Stanford Law Review. Associate Professor at the College of Management School of Law Omer Tene and Future of Privacy Forum Director Jules Polonetsky, CIPP/US, describe the many benefits of big data, while acknowledging a "data deluge" could foment a "regulatory backlash" capable of "dampening the data economy and stifling innovation." Tene and Polonetsky write, "In order to craft a balance between beneficial uses of data and the protection of individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of 'personally identifiable information,' the role of consent and the principles of purpose limitation and data minimization." Editor's Note: Omer Tene and Jules Polonetsky will both present at next month's Global Privacy Summit.  

PRIVACY LAW—EU & U.S.

Rosen: The Right To Be Forgotten Could Close the Internet (February 14, 2012)

Unless the "right to be forgotten" is defined more precisely as it is implemented within the EU, a clash between European and American conceptions of the proper balance between privacy and free speech could lead to a far less open Internet. That's according to Jeffrey Rosen, who opines in the Stanford Law Review on differences between European and U.S. approaches to "an urgent problem in the digital age: It is very hard to escape your past on the Internet now that every photo, status update and tweet lives forever in the cloud."

PRIVACY LAW—IRELAND

Insurance Firms Breached Data Protection Act (February 14, 2012)

Three insurance companies have pleaded guilty to charges of breaching the Data Protection Act by using social welfare data obtained through a private investigator, reports The Irish Times. The breach was discovered through a complaint from the Department of Social Protection after it noticed "an unusual pattern of access to its database by an official, who had also been making phone calls to two specific numbers." The companies will each pay €20,000 to charity and all legal costs, and the data protection commissioner's office said it is satisfied that the companies have improved their systems and are working to be compliant.

PRIVACY LAW—UK

Gov’t Issues Directive Reform Call for Evidence (February 13, 2012)

The Ministry of Justice (MoJ) has announced a "call for evidence" from business, advocates, policy experts and data controllers on the recently released EU data protection framework in an attempt to better understand potential impacts the groups will face, Out-Law.com reports. The MoJ says the data provided will help contour how the government will negotiate reforms. "In particular," the MoJ document states, "we would like information on the potential impact on organisations processing personal data as well as the likely benefits to individuals through strengthened rights." The MoJ wants interested parties to address "practical, day-to-day examples of the proposals' possible effects and monetised cost and benefit figures," among others.

DATA RETENTION—EU

Leaked Memo Raises Concerns (February 13, 2012)

PCWorld reports that a number of European digital rights groups have called for a ban on blanket data retention after the leak of a European Commission (EC) internal memo highlighting issues with the current data retention directive. Published by The German Working Group on Data Retention (AK Vorrat), the leaked memo lists issues the EC thinks should be fixed. An AK Vorrat representative said, "The commission has failed to prove the necessity of the data retention directive...Instead the commission is asking the EU member states for arbitrary examples of benefits of data retention. This obliterates any trust in the impartiality of the commission." The EC is expected to release proposed directive reforms in July.

DATA LOSS—UK

Councils, Hospital and Financial Firm Face Breaches (February 13, 2012)

The personal data of approximately 1,075 primary school students across East Lothian has been lost after an employee misplaced a memory thumb drive, SC Magazine reports. A council worker downloaded the records, including students' names, dates of birth, emergency contacts and some medical history. A council representative apologised to the affected students and their families. Meanwhile, an investigation has been launched into an incident involving the loss of patient data at Whitehaven's West Cumberland Hospital and Carlisle's Cumberland Infirmary. The ICO has revealed that a financial services company breached the Data Protection Act after losing the personal data of more than 600 customers. And Medway Council has responded to a breach involving the personal data of hundreds of municipal workers, according to a BBC News report.

DATA PROTECTION—UK

Dear Councils, Protect The Data You Hold (February 13, 2012)

UK Information Commissioner Christopher Graham last week sent a letter to local authorities in England encouraging them to boost their data protection efforts, V3.co.uk reports. Graham wrote the letter in conjunction with civil service chief Robert Kerslake. The letter follows several breaches of personal information in the hands of local councils. The ICO sent a similar letter to the head of the NHS last year.

PRIVACY

Safer Internet Day Celebrated Worldwide (February 13, 2012)

More than 100 events in 30 European countries and 70 countries worldwide took place for Safer Internet Day earlier this week, part of a global drive to promote Internet safety for children and young people, reports New Europe. The INSAFE event took place 7 February and comes on the heels of the European Commission's proposal for reform of the EU's data protection rules in the face of emerging technologies. A recent EU survey found that 77 percent of 13- to 16-year-old and 38 percent of nine- to 12-year-old Internet users have a profile on a social networking site, and 26 percent feel they have "complete control over their personal data," the report states.

ONLINE PRIVACY

Protecting and Pricing Personal Data on the Web (February 13, 2012)

The New York Times explores the view of personal data as "the oil of the digital age" and the push to use such data "as a kind of online currency, to be cashed in directly or exchanged for other items of value." The report looks at startups aimed at giving online users control of their information while potentially profiting from it. "Many of the new ideas center on a concept known as the personal data locker," the report states, where users have "a single account with information about themselves."

HEALTHCARE PRIVACY—GERMANY

Company Accused of Selling Raw Data (February 13, 2012)

The Local reports on allegations about the sale of raw data to pharmaceutical firms by a German research company. An employee of data processing firm Pharmafakt GFD has said under oath that "data from millions of pharmacy prescriptions had been saved and analyzed then sold to pharma firms," the report states. The employee alleged the data was neither made anonymous nor coded. Schleswig-Holstein Data Protection Commissioner Thilo Weichert has said, "This could be one of the biggest data scandals in the country in the medical field." A Pharmafakt GFD manager has denied the allegations, saying the company has adhered to data protection laws.

DATA THEFT—IRELAND

Unencrypted Laptops Stolen from Telecoms Firm (February 13, 2012)

Telecommunications company eircom has reported that, in two separate instances, unencrypted laptops containing the personal information of approximately 7,000 customers and employees were stolen, CBR reports. Two of the laptops were stolen from the company's Dublin office and contained financial or bank details of nearly 150 individuals. Irish Data Protection Commissioner Billy Hawkes said the breach is one of the "most serious" his office has seen, "Because the nature of the financial data that was on the unencrypted laptops puts people at risk of data theft and secondly, the long delay in telling people that their data had been compromised and giving them the opportunity to protect themselves." Hawkes added that his office is investigating the incident. 

SOCIAL NETWORKING

Opinion: Date-Rating Site Blurs Online Privacy (February 10, 2012)

In a column for The Guardian, Tom Scott analyzes a date-rating site to uncover where data from Facebook can eventually end up. Called Luluvise, this "social network for women" allows women to share personal information about the men they are dating without their consent. One feature, called WikiDate, allows users to "rate" the men. To do so, a user must sign in using their Facebook account. Scott points to Facebook's privacy page, which says, "People who can see your info can bring it with them when they use apps," meaning, Scott argues, "that when your friend signs into an application, they don't just share their own data--they can share some of your data as well." For Scott, the essential lesson is, "if you use Facebook, and your friends sign up for social applications, your name and details could appear in unexpected places."

DATA PROTECTION—AUSTRALIA & EU

Expert: Australia Needs Stronger Laws (February 10, 2012)

In an interview with ZDNet Australia, the Council of Europe Head of Data Protection and Cybercrime Division Alexander Seger said that without stronger data privacy laws, Australia may miss opportunities to provide services to European citizens. While this data can be processed in any country, Seger says, "it makes it very difficult if that country does not have data protection standards in place," adding, "It would actually be illegal..." While Australia has taken the lead in providing offshore forensic services, Seger says it could be more proactive in data protection.

PRIVACY—UK

A Day In the Life of Christopher Graham (February 10, 2012)

Highlighting the frantic schedule of a regulator, UK Information Commissioner Christopher Graham shares a snapshot of a week of his life with Public Service Europe. Among the many public and personal duties he fulfills, Graham meets with the communications commissioner to discuss "cookies" and the new privacy and electronic communications rules; composes a rebuttal letter on the Leveson inquiry; drafts another letter to local government leaders to promote data protection due diligence; attends his reelection as Article 29 Working Party vice chairman, and hears a "very interesting presentation" by the U.S. FTC demonstrating the need for "a more global approach to global phenomena." Editor's Note: Graham will be a panelist at the preconference workshop Advanced Topics in European Privacy at next month's Global Privacy Summit.

PRIVACY LAW—EU

Reding: Ambiguity, Adaptability Essential in Directive (February 9, 2012)

In today's data currency age, EU Justice Commissioner Viviane Reding hopes that her E-Privacy Directive will offer a balance between "commercial interests and personal privacy," The Telegraph reports. After fighting "absolutely fierce" lobbying "from all sides," Reding says, "the legislation was on the table on January 25 as I wanted to have it."

SOCIAL NETWORKING

Facebook To Unveil New Advertising Format (February 9, 2012)

Financial Times reports on Facebook's new Timeline advertising feature and its new privacy implications. Users who opt in to use features from companies such as some music, movie and news providers will not be able to opt out of their activity being used for paid advertising, the report states. An analyst from the Altimeter Group said, "There will be a user hue and cry. There will be further reminders that Facebook is using information about users and using their data to sell them to advertisers," but added, "People care more about getting free media than they do about their privacy." (Registration may be required to access this story.)

SOCIAL NETWORKING

Activist: Facebook Will Release Data (February 8, 2012)

An Austrian privacy activist group has said Facebook will release more information about the data it collects from users, Reuters reports. The comment came following a six-hour meeting on Monday between Europe V. Facebook and executives from the social network. "We have a fixed commitment that we will finally know what Facebook stores in the background," said Max Schrems, who heads up the activist group, adding, "that means a list of all categories of data that are clicked on by users." While Facebook has declined to comment specifically on Schrems' statements, the company has said it was "a very constructive meeting," the report states.

ONLINE PRIVACY

Search Engine Offering To Pay Users To Share Data (February 8, 2012)

eWeek reports on Google's Screenwise program, which offers to pay Chrome users ages 13 and older up to $25 in gift card codes if they install a browser extension to share data about websites they visit with the company. "What we learn from you, and others like you, will help us improve Google products and services and make a better online experience for everyone," Google wrote. The report notes that amidst recent concerns about changes to its privacy policies, Google has noted that it "will not save your e-mail address or associate it with any other personally identifiable information."

DATA PROTECTION—EU

Article 29 WP Publishes Meeting Notes (February 7, 2012)

The Article 29 Working Party has released notes about its 84th plenary meeting in Brussels last week, during which the group undertook elections; met with representatives from the U.S. Federal Trade Commission and the Organisation for Economic Co-operation and Development, and discussed Google's privacy policy changes and an upcoming anti-doping code revision. The party reelected Dutch Data Protection Commissioner Jacob Kohnstamm as chairman of the group, which comprises the data protection authorities of EU member states. Czech Data Protection President Igor Nemec and UK Information Commissioner Christopher Graham were reelected as vice-chairmen. The party recently wrote to the European Commission about revisions to the World Anti-Doping Agency's code.

PRIVACY LAW—UK

ICO To ‘Fast-Track’ Motorman Notification (February 7, 2012)

Information Commissioner Christopher Graham said he would quicken operations to notify individuals whose names were among 4,000 found during a 2003 investigation into the trade of personal information by private investigators, BBC News reports. Operation Motorman revealed that a private investigator possessed the sensitive personal data and information logging requests by journalists to access the data, the report states. Graham said many of the names did not have corresponding addresses, making notification "a monumental task." Parliament has opened a probe into the private investigator industry after concerns were raised about press ethics during the Leveson inquiry. Graham will answer questions from the House of Commons Home Affairs Select Committee today.  

PRIVACY LAW—HUNGARY & EU

Hungary To Revise Law (February 6, 2012)

Bloomberg reports that the Hungarian government will rework a law that has been the subject of controversy since it took effect on January 1. The European Commission launched infringement proceedings against the government last month over three laws considered to be in violation of EU law. One of the laws in question pertains to the independence of the country's data protection authority. According to a Hungarian newspaper, the prime minister's cabinet has indicated it will revise the law to exclude the right of the premier to dismiss the data protection agency's leader.

ONLINE PRIVACY—EUROPE

Google Responds to European Regulators (February 6, 2012)

Google has responded to European data protection regulators regarding their concerns about the company's plans to implement privacy policy changes on March 1. In a letter dated Friday, February 3, Google Global Privacy Counsel Peter Fleischer addressed Article 29 Working Party Chairman Jacob Kohnstamm, stating, "Given the misconceptions that have been spread about these changes by some of our competitors, we wanted to take this opportunity to clarify a few points." Fleischer said the company updated its privacy policies to "make them simpler and more understandable" and "to create a better user experience." Last week France's data protection agency, CNIL, asked Google to halt the policy changes.

ONLINE PRIVACY—EU

Kroes: EC Proposal Would Promote Cloud Adoption (February 3, 2012)

At the World Economic Forum in Davos, Switzerland, European Commission (EC) Vice President Neelie Kroes said that the EC's recently proposed data protection framework would improve online privacy while promoting cloud use, reports ComputerWeekly. By creating a single set of rules and enforcement agency, the proposal makes it easier "to operate clouds both within and outside our single market," said Kroes, adding, "Cloud users should not have to guess where their provider is: if a company offers goods or services to people in the EU, or is monitoring them...Our rules should apply to the data." In the coming weeks, Kroes said she will lay out a "cloud-friendly" legal framework as well as updates on the progress of security and interoperability mechanisms.

ONLINE PRIVACY—UK

BBC To Allow Users To Be Forgotten (February 3, 2012)

The BBC will unveil a new digital charter that will allow users of its web services to have all of their data deleted, The Telegraph reports. Users of such BBC digital services as the BBC iPlayer can also opt out of having their data collected by the BBC. The announcement comes on the heels of the European Commission's release of its proposal to reform the European Union's data protection framework, which includes a "right to be forgotten." The BBC's charter is still in the works, according to the organisation's director of policy and strategy, who said different levels of data sharing may be offered to users.

PRIVACY LAW—EU & GERMANY

German DPAs: Member States Should Maintain Authority (February 3, 2012)

Reaction to the European Commission's proposed revised data protection framework continues, and German data protection commissioners are among the latest to register their feelings about it. The framework would replace the existing Directive 95/46/EC and would take shape via a regulation for the private sector and a directive for the criminal justice community. The data protection commissioners of the German states of Rhineland-Palatinate and Hesse recently held a joint press conference where they welcomed the harmonisation and other aims of the legislation but stressed that member states should "maintain their authority with respect to other issues," according to the Hunton and Williams Privacy and Information Security Law Blog.

BIOMETRICS—GERMANY

Officials Speak With Company About Facial Recognition (February 3, 2012)

A Hamburg-based privacy agency has begun talks with Facebook about its facial recognition opt-out system, Investor's Business Daily reports. Hamburgischen Beauftragten für Datenschutz und Informationsfreiheit (HmbBfDl) representative Moritz Karg said, "It is clear by now, that in certain points, we will have to ask more questions, since Facebook denies our competence, which is of no surprise to us." The agency says that the company's "Find My Face" feature collects the biometric data of its users who have not opted in--which causes the HmbBfDl concern, the report states. Karg says the agency might bring legal action if it disagrees with its findings after the talks and expects to meet with other government agencies to "discuss the strategy."

PRIVACY LAW—IRELAND & EU

Irish High Court Asks ECJ To Mull Data Retention (February 3, 2012)

The Irish High Court has asked the European Court of Justice (ECJ) to clarify the country's legal ability to require telecommunications providers to retain data on users as stated in the EU Data Retention Directive. The Journal reports that one judge has also questioned the ECJ on whether the implementation of the directive must fall in line with the European Convention on Human Rights in order to be fully compatible with EU law. Laws that breach the human rights convention can be appealed to the non-EU institution, the European Court of Human Rights, and if violations are found, countries can be ordered to change their laws.

PRIVACY LAW—UK

Graham: No Evidence of Journalists Breaching Law (February 3, 2012)

As the Leveson Inquiry continues, UK Information Commissioner Christopher Graham says he has not seen evidence of breaches by the press since 2006 but added that breaches of data protection laws occur every day at the hands of employees in many fields, including NHS workers, bank clerks and private investigators, BBC News reports. Graham told the inquiry that if there had been press violations of the law, specifically Section 55, which deals with illegally obtaining or using personal information, he would have known about it. That said, Graham stressed, "that doesn't mean Section 55 isn't being breached. It's being breached every day."

DATA PROTECTION—IRELAND

DPA Investigates Recycling Company (February 3, 2012)

A private recycling company says it has been investigated by the data protection commissioner, though it recently refuted such claims, The Herald reports. Greyhound Recycling says, however, that it did not receive the personal bank details of 140,000 customers from Dublin City Council. The commissioner's office wrote to the council after 20 customers complained and has asked the company to demonstrate compliance with data protection law, according to media reports. Greyhound has reassured the DPA that "no such information has yet been passed to Greyhound," said a company spokesperson.

PRIVACY LAW—UK

Court Orders Independent Investigation of Union’s Site (February 3, 2012)

Out-Law.com reports that a trade union has been ordered to let an independent expert examine its computer database to identify anonymous users who harassed an airline pilot. The High Court said the expert will not reveal any information uncovered during the investigation that is not relevant, despite Unite's claims that the search would violate its members' privacy. The High Court's ruling noted that the trade union's website warns users that it reserves the right "to disclose their true identities and other information, if requested by a third party, albeit subject to their rights of privacy and of data protection." Unite argues the data stored is sensitive and must be given special protection under the law.

DATA LOSS—UK

Police, Doctor Report Breaches (February 3, 2012)

The Metropolitan Police accidentally shared the e-mail addresses of more than 1,000 crime victims, the Daily Mail reports. The Information Commissioner's Office (ICO) said it has been informed of the possible data breach. "No other personal details were revealed, and we are contacting everyone affected to explain what happened and to apologise," said a spokesperson for the police. Meanwhile, a podiatry clinic in Hampshire has reported a laptop containing the personal and medical information of 1,500 people has been stolen. The ICO is investigating the loss. In an op-ed for Public Service, the CEO of a breach detection company writes that healthcare leaders must rapidly become leaders in patient privacy.

DATA LOSS—IRELAND

Blacknight Notifies DPC, Customers About Incident (February 3, 2012)

The Irish hosting firm Blacknight has notified customers that a 31 January data breach may have exposed their contact details, the Irish Times reports. More than 40,000 customers' e-mail addresses may have been affected by the breach, according to the report. In an apology letter, Blacknight's CEO said, "Unfortunately the reality is that we and our customers are attacked on a daily basis. We're trying to deal with it as responsibly as we can." The data protection commissioner has also been notified.

SOCIAL NETWORKING

Privacy Laws, Hacking Are “Risk Factors” in Facebook IPO (February 2, 2012)

In its IPO filing, Facebook said that potential privacy legislation, evolving attitudes around user privacy and cyberattacks, among others, contribute to "risk factors" for its business, The Wall Street Journal reports. The filing mentions privacy 35 times and includes "privacy and sharing settings" as one way the company creates value for users. Facebook expects "to continue to be subject" to future investigations but added that it has "a dedicated team of privacy professionals who are involved in new product and feature development from design through launch; ongoing review and monitoring of the way data is handled by existing features and apps, and rigorous data security practices." Stanford Law School's Ryan Calo said, "It just struck me about how aware they are of the vulnerabilities...They have a narrow path to walk, and their risk factors really dramatize that in a way we hadn't seen before." (Registration may be required to access this story.)

TRAVELERS’ PRIVACY—EU & U.S.

Lawmaker Disapproves of Current PNR Deal (February 1, 2012)

The New York Times reports on comments made by Dutch MEP Sophie in 't Veld about the passenger name record deal between the EU and U.S. The European Parliament (EP) should vote down the deal, she said, because it does not address EP concerns and is not in line with European law, the report states. "It is deeply disappointing," said in 't Veld, "that nine years of negotiations with our closest friend and ally, the United States of America, have not resulted in an agreement that respects European standards on fundamental rights...the new agreement represents a deterioration on many points." Expressing hope that the EP would pass the legislation, EU Commissioner for Home Affairs Cecilia Malmström said there were "robust safeguards" in place. The EP is expected to vote on the deal in April. (Registration may be required to access this story.)

SOCIAL NETWORKING—EU

Activists Set To Meet With Facebook (February 1, 2012)

Austrian student activist group Europe v. Facebook expects to meet with representatives from the social networking company in Vienna next Monday in hopes of resolving its disapproval of the company's privacy policies, PCWorld reports. The group originally filed a complaint with the Irish data protection commissioner (DPC), but does not think the regulator went far enough in its audit recommendations, the report states. The DPC said it would reexamine the complaints if the group is still not satisfied with the outcome, and as a final recourse, if the group is not satisfied with the reexamination, it can then file a court appeal.