European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY

YouTube Developing Tool To Blur Faces (March 30, 2012)

YouTube is developing a tool that will allow faces in videos uploaded to the site to be blurred, addressing "privacy complaints from people featured without permission in other people's videos," InformationWeek reports. Victoria Grand, YouTube's director of global communications and policy, said currently, when such complaints are received, videos must be removed. "Once the blur tool is made available, video creators will have the option to edit the video in question so the complainant's face is blurred. This will allow the video to remain on YouTube," the report states. YouTube expects to have the technology available for use in online videos within a few months.

PRIVACY

OPC Honours Committee Member (March 30, 2012)

The Office of the Privacy Commissioner (OPC) is honouring OPC External Advisory Committee and Internal Audit Committee Member Jocelyne Côté-O'Hara. On December 30, Côté-O'Hara was appointed a Member of the Order of Canada. Among her many duties, Côté-O'Hara "has been active over several decades in many capacities," including serving on many Canadian and international task forces, according to an OPC press release.

EMPLOYEE PRIVACY—UK & EU

ICO Warns Employers on Password Requests (March 30, 2012)

Following reports in the U.S. that employers are increasingly asking employees and job applicants for their social networking credentials, the Information Commissioner's Office (ICO) has issued a warning about the practice, The Guardian reports. "The UK Data Protection Act clearly says that organisations shouldn't hold excessive information about individuals, and it's questionable why they would need that information in the first place," an ICO spokesman said. Last week, Facebook said employers should not exercise the practice. Meanwhile, author Cory Doctorow worries that simply preventing an employer from accessing social networking passwords is not enough to protect personal data. Doctorow points out that many companies use "self-signed certificates," which means an employer can "undetectably" eavesdrop "on your connection."

DATA LOSS—UK

Councils, Healthcare Office Expose Data (March 30, 2012)

After an investigation, the Information Commissioner's Office (ICO) found Pharmacyrepublic Limited breached the Data Protection Act when a Patient Medication Record system was stolen from one of its locations during a move. According to an ICO press release, the system contained medication details of approximately 2,000 patients and was password-protected. An ICO representative said, "This incident should act as a warning to all healthcare providers--your data protection obligations do not end while the personal information of your patients remains on site and in your control." The company is updating its procedures. Meanwhile, a Chronicle News report outlines three breaches at North East councils, including a USB stick lost by the Northumberland council and two in Newcastle involving information on children and vulnerable adults.

FINANCIAL PRIVACY—UK

Investigation May Have Uncovered Security Flaw (March 30, 2012)

The Telegraph reports on an independent investigation that may have uncovered a security flaw in Barclays bank's "contactless" debit and credit cards. The investigation found that the cards, when placed near "special readers" that could be contained on smartphones, could be read without the user's knowledge. A representative from the security company that investigated the cards said, "Using the wireless reader on the phone, I was able to lift out the details from your card--that includes the long card number, the expiry data and your name." Information Commissioner Christopher Graham said, "We must investigate and find out what's gone wrong...If there's been a serious breach of the data protection act, we do have very significant sanctions."

PRIVACY LAW—UK

ICO To Decide Soon on Sony Breach Penalty (March 30, 2012)

Deputy Information Commissioner David Smith has revealed that the office will announce its decision on whether to punish Sony for its 2011 data breach within the next six weeks, reports TechWeekEurope. The breaches on multiple Sony sites led to the exposure of more than 100 million customers. The ICO has the power to fine Sony up to £500,000 if it determines that the individuals were seriously affected by the incident; however, the report states, the office has come under fire in the past for not appropriately punishing large private organisations. Smith said that Sony has been cooperating with the investigation and "enquiries are ongoing at this stage," the report states.

PRIVACY LAW—UK

Committee Warns Search Engines To Try Harder (March 30, 2012)

The Joint Committee on Privacy and Injunctions has said that search engines need to take a greater responsibility in observing court orders requiring privacy-invasive content to be removed from websites--or face legislation requiring them to do so, reports Out-Law.com. The committee cites Google's response to a recent case in which the company said employing technology to monitor the web for such content wasn't "as a policy matter...a good idea." Calling the argument "totally unconvincing," the committee said in its report, "search engines should take steps to ensure that their websites are not used as vehicles to breach the law and should actively develop and use such technology. We recommend that if legislation is necessary to require them to do so, it should be introduced."

ONLINE PRIVACY—EU

Cerf Condemns Right To Be Forgotten Provision (March 30, 2012)

Speaking with The Daily Telegraph at the opening of a new museum exhibit this week, one of the co-founders of the Internet condemned the "right to be forgotten" provision in the European Commission's proposed new data protection framework, describing it as an impractical proposition. "It's very, very hard to get the Internet to forget things that you don't want it to remember because it's easy to download and copy and re-upload files again later," said Vint Cerf, who works for Google as its chief Internet evangelist. Cerf went on to say that parents should engage their children in "the art of critical thinking."

ONLINE PRIVACY

Opinion: Privacy Protection or Paranoia? (March 30, 2012)

In a column for BBC News, James Melik explores Internet privacy in light of policy changes by companies like Google and Facebook. Promontory Financial Group Managing Director Simon McDougall says consumers should be concerned about privacy, but points out that free online services must be paid for somehow. "If you pay money for a product, you get a product," says McDougall. "If you do not pay money for a product, you are the product." The Centre for Digital Democracy's Jeff Chester, however, is concerned that companies "are expanding their data collection techniques and they are not telling consumers and citizens why."

DATA PROTECTION—EU

Article 29 WP Releases Opinion on EC Proposals (March 29, 2012)

The Article 29 Working Party (WP) has adopted a "general positive stance" in its opinion on the European Commission's (EC) data protection reform proposals; however, it says in a WP press release that parts "need clarification and improvement." The release lauds the EC's initiatives that "seek to reinforce the position of data subjects, to enhance the responsibility of controllers and to strengthen the position of supervisory authorities, both nationally and internationally." Conversely, the WP calls out the "strong role" of the EC and the lack of "ambition" in provisions directed towards the retention, transparency and accuracy of information held by authorities as concerns.

PRIVACY LAW—EU

Reding Urges MEPs To Back Reforms (March 29, 2012)

Speaking at an EU Parliament "Privacy Platform" event yesterday, EU Commission Vice President Viviane Reding urged Members of the European Parliament to adopt the proposed reforms to the EU data protection framework, EUobserver reports. Reding added that citizens "can't wait two years for adoption" and the reforms would "improve certainty, reduce fragmentation and increase trust." European Data Protection Supervisor Peter Hustinx said the reforms are "a huge step forward for data regulation," making data controllers "more responsible and accountable." Hustinx, along with Article 29 Working Party Vice Chairman Christopher Graham, did say the reforms do not leave "enough discretion for national authorities." According to the European Voice, Reding said the biggest obstacle for the reform's approval would be opposition from EU interior ministers, adding, "We need to do a lot of work with ministers of the interior."

PRIVACY LAW—GERMANY

Bundesrat Concerned About Data Protection Regulation (March 29, 2012)

The Upper House of the German Parliament (Bundesrat) has released a paper indicating the Bundesrat's EU Committee, Committee on Internal Affairs and Legal Committee take the view that the European Commission's proposed General Data Protection Regulation "contradicts the principle of proportionality and the principle of subsidiarity contained in Article 5(3) of the Treaty on European Union (TEU) and exceeds the legislative powers of the EU," according to Bird & Bird's analysis of the paper, which explains, "The committees therefore recommended to the Bundesrat to exercise its right to subsidiarity complaints." Bird & Bird Associate Gabriel Voisin notes, "there is a similar movement in the Netherlands and Belgium." (Article in German.)

TRAVELER’S PRIVACY—EU & U.S.

EU Lawmakers Back PNR Deal (March 28, 2012)

In a highly contested vote, European Union lawmakers agreed to back the passenger name record (PNR) deal with the U.S. Department of Homeland Security (DHS), The Wall Street Journal reports. The European Parliament's Civil Liberties Committee voted 31 to 23 in favor of the deal, which would allow the personal information of Europeans traveling to the U.S. to be shared with the DHS. The PNR agreement is now slated to go before the European Parliament on April 19 for a vote. Member of the European Parliament (MEP) Sophie in 't Veld said, "it is highly regrettable that the fundamental rights of EU citizens have been bargained away under pressure." MEP Axel Voss said, though the agreement didn't "100-percent reflect the EU's position, the U.S. have made major concessions, in particular on the storage period, the method of transferring data, legal protection and the handling of sensitive data." (Registration may be required to access this story.)

IDENTITY THEFT—U.S. & BELARUS

Call Service Creator Sentenced to 33 Months (March 26, 2012)

One of the creators of CallService.biz, a site that facilitates identity theft, has been sentenced to 33 months in prison in New York, Wired reports. The service helped identity thieves go around bank authentication systems in cases where the bank calls the account holder via phone. Identity thieves would provide stolen personal information--including names, Social Security and account numbers and answers to security questions--to CallService.biz to trick the financial institution. According to the report, more than 2,000 identity thieves used the service to conduct more than 5,000 fraudulent acts. A U.S. attorney involved with the case said the defendant "served as a middleman for a network of identity thieves," adding, "This case is another example of how cybercrime knows no geographic boundaries..."

PRIVACY LAW—SWEDEN

Riksdag Approves EU Retention Rules (March 23, 2012)

After years of discussion in its parliament, Sweden has approved the EU Data Retention Directive, The Local reports. Sweden's implementation will require Internet service providers and telecommunications companies to retain customer data for six months. According to the report, 233 members voted in favor of the legislation, 41 members voted against it and 19 abstained. The new rule is slated to go into effect on 1 May of this year. The directive has been a controversial topic in Sweden. Green Party MP Maria Ferm said, "The data retention directive doesn't in any way live up to the standards we require of legislation...It's an infringement on personal privacy way out of proportion relative to its utility." Proponents say that retaining user data will help curb terrorism and fight crime. Meanwhile, the European Commission has told Germany it has 30 days to implement the Data Retention Directive or face fines.

ONLINE PRIVACY—FRANCE

CNIL Asks Google to Answer Dozens of Policy Questions (March 23, 2012)

In the wake of concerns raised by regulators across the globe regarding the use of cookies on mobile devices, France's data protection authority, the CNIL, is asking Google to answer "69 questions on its privacy policy before 5 April," Bloomberg reports. In a letter to the company, the CNIL writes that the questions "reflect the need for legal clarifications on your new privacy policy and in particular on the sharing of user data across Google services." Google has responded that it is "confident that our new simple, clear and transparent privacy policy respects all European data protection laws and principles," the report states.

SOCIAL NETWORKING—GERMANY

Authorities React To Facebook Privacy Policy Plan (March 23, 2012)

Social networking site Facebook is set to change its privacy policy, PCWorld reports. In addition to changing the name of its privacy policy to a data-use policy, Facebook reserves the right to use all of the information you give it, according to ZDNet. The site says, "removed content may persist in backup copies for a reasonable period of time," and applications will reportedly get more access to personal data. Two German data protection authorities have issued a press release stating that the new policy puts the onus of protection on users, and that "Facebook, not users, should be responsible for that." Meanwhile, researchers have discovered a loophole in the site that reportedly allows stalkers to use a technique called "cloaking."

SURVEILLANCE—UK

Traffic Warden Badges Contain Cameras (March 23, 2012)

The Daily Mail reports on badges worn by civil enforcement officers that contain small digital video cameras to help protect staff and resolve disputes. Notification of the filming is on the badges themselves, and the footage can be used in court, the report states. Nick Pickles of Big Brother Watch said, "A tiny warning on a badge hardly constitutes telling someone they're being recorded...there is absolutely nothing to stop a council official or someone else with access to the video putting the footage online or releasing it to a third party." A representative from the software company that makes the device said the data is encrypted and a password is needed to access it, adding, "There is nothing covert about this device."

PRIVACY—UK & INDIA

DVLA To Give Company Offshore Access (March 23, 2012)

The UK's Driver and Vehicle Licensing Agency (DVLA) is planning to give offshore IBM staff access to data on all UK drivers, PC Advisor reports. The plan will allow staff in India access to drivers' registration plate numbers, addresses and credit card numbers, but the DVLA says the data will remain in the UK. A DVLA spokesman said, "All our information is stored in the UK and there are absolutely no plans to change this," adding, "We are seeking appropriate assurances that it will not be possible for the data to be printed, copied or amended in any way when it is accessed from abroad." Meanwhile, the DVLA says, following a rise in automatic plate recognition technology, there has been a rise in parking fines.

PRIVACY LAW—IRELAND

Commissioner Not Consulted Before Household Charge Act (March 23, 2012)

The Irish Times reports that Ireland Data Protection Commissioner Billy Hawkes says he was not consulted by the government prior to the introduction of the Household Charge Act. Hawkes said he was "somewhat surprised" that his office was not included in crafting legislation that allows the government to access consumer data. The Household Charge Act would allow the state to collect a €100 charge from individuals who do not pay their utility bills, the report states. Hawkes wants to ensure that a minimum level of personal information is taken from a consumer in the process. "We would have preferred if those conditions were actually built into the law itself," he said, adding, "but now we're playing catch-up." A protocol is reportedly being negotiated between Hawkes' office and the Department of Environment to ensure that the appropriate level of consumer data is accessed by the government. Meanwhile, officials met this week to develop guidelines for data sharing among public bodies. The Data Sharing Clearing House will also consult interested parties who are concerned about the development of the new guidelines.

DATA PROTECTION—EU & UK

Experts Advocate “Data Protection by Design” (March 23, 2012)

The work of chief information officers (CIOs) is becoming increasingly difficult amidst the proposed reform of the EU Data Protection Directive, prompting support for "data protection by design...a more proactive approach to security," The Guardian reports. One attorney suggests that while the concept has "only become fashionable" in the last year or so, "its popularity will continue to grow because of changes to the regulatory environment and the requirement for smarter data protection." Another expert suggests it is the only option to manage public-sector IT needs, noting, "It's not even a choice. Modern CIOs have to create security by design if they want to do their job properly."

DATA LOSS—UK

Northern Ireland Officials Seize Computer (March 23, 2012)

BBC News reports that officials recovered a computer allegedly containing the personal data of 51 Belfast city councillors after a Belfast High Court judge authorised an order. The judge also authorised the recovery of any electronic storage devices or hard copies of the compromised information. Experts will examine the recovered items to delete the councillors' data and will attempt to detect if and where the data was sent. A representative from the Belfast council said it "attempted to recover the data on a voluntary basis but was unable to do so...It was therefore compelled to take legal action to prevent any further dissemination given the personal nature of the data in question."

PERSONAL PRIVACY—EU

PRISMS Project Will Look at Security and Privacy (March 23, 2012)

A European Commission-funded research project to measure civil society's pulse on privacy and security launched this week, Security Document World reports. The PRISMS project (Privacy and Security Mirrors: Towards a European Framework for Integrated Decision Making), will look at the relationship between surveillance, security and privacy, according to the report. "It should be possible to provide greater security, even without infringing fundamental rights," says project coordinator Michael Friedewald. Eight organisations will partner on the project, which will embark on a survey to measure the feelings of 27,000 citizens with regards to security and privacy.

DATA LOSS—UK

E-mail Addresses of 8,000 Students Mistakenly Sent (March 23, 2012)

The e-mail addresses of more than 8,000 students were accidentally sent out in a mass e-mail by Student Finance England, The Telegraph reports. The intention of the e-mail was to remind students that they had yet to complete their grant application forms, and, the report states, staff mistakenly included an attachment containing all the student e-mail addresses. A consumer watchdog said, "Just because this information didn't contain bank details, it doesn't mean it isn't useful to people." The loan agency has apologised to those affected and said no additional information was compromised, adding, "The integrity and security of student accounts and the protection of personal information is vital to us, and we apologise to all of the students involved."

ONLINE PRIVACY—UK & U.S.

Survey Indicates Similarities Across the Atlantic (March 23, 2012)

According to a new survey, the majority of British adults have concerns about their online privacy. The TRUSTe survey, launched in February, found that 90 percent of British adults worry about their privacy "at least sometimes," 37 percent do not trust most companies with their personal information online and 88 percent "avoid companies that they believe do not protect their privacy." The survey also found that the vast majority of those surveyed believe companies have a responsibility to protect their privacy and that older British adults were more likely to avoid companies they don't trust. TRUSTe CEO Chris Babel said the survey mirrors U.S. results.

DATA PROTECTION

ICC Issues Recommendations on Cross-Border Data Requests (March 23, 2012)

The International Chamber of Commerce (ICC) Task Force on the Protection of Personal Data and Privacy has issued a policy statement to inform governments and law enforcement authorities about the challenges companies face when governments make cross-border personal data requests. The statement discusses the conflicts that arise from such requests and makes recommendations aimed at easing such conflicts. Task Force Chairman Christopher Kuner says implementation of the recommendations "would allow for improved compliance with legitimate public and law enforcement requests" and would permit companies to "better cope with conflicting legal obligations," promote data protection law compliance and strengthen global commerce.

ONLINE PRIVACY—EU

Study: Consumers Value Privacy But Won’t Pay Much (March 23, 2012)

A study released by the European Network and Information Sharing Agency (ENISA) has found that online shoppers are not willing to pay a high premium to protect their privacy, threatpost reports. Researchers from DIW Berlin, the German Institute for Economic Research and the UK's University of Cambridge recently released their ENISA-sponsored "Study on Monetising Privacy: An Economic Model for Pricing Personal Information," which found "consumers consistently prefer companies that protect the privacy of their data over companies that don't," but that they were "reluctant to spend more than a €.50 (65-cent) premium to protect information like their e-mail address and cell phone number from marketers," the report states.

MOBILE PRIVACY

LBS Privacy Fears Persist (March 23, 2012)

COMPUTERWORLD UK reports on the persistence of privacy concerns even as location-based mobile services continue to profit, and on suggestions by some industry leaders that more must be done to ease consumers' worries. Speaking at a conference this week, experts suggested "recent scandals have not helped the cause," the report states. One executive pointed to lack of transparency as a cause for some of the problems. Meanwhile, Google has been awarded a patent to deliver ads based on "background noise," prompting one expert to suggest while there could be a privacy issue with the technology, "if you look at it that way, there is a privacy issue with everything that is on your phone."

DATA LOSS

Verizon: 97 Percent of 2011 Breaches Were Avoidable (March 23, 2012)

Verizon has released its annual report for 2011 on data breaches, COMPUTERWORLD reports. The report was compiled with help from global law enforcement officials and the U.S. Secret Service. The report suggests companies are "continuing to overlook fundamental security precautions." Verizon studied 850 data breaches to compile the report, finding that "97 percent were avoidable" and that, despite companies' claims that hackers' increasing sophistication is what allows breaches to take place, 96 percent of the attacks "were not highly difficult" for the hackers. "Not enough has been done to...force (organizations) to spend" significant amounts on prevention, said Verizon security analyst Marc Spitler.

DATA PROTECTION

Big Data, IT Risks and Privacy Meet in the Boardroom (March 23, 2012)

In three separate articles, Financial Times reports on large-scale privacy and security issues faced by organisations around the world. The rise of big data "poses a challenge for businesses" on "how to manage the ever-increasing--and increasingly disparate--data that we generate every day and how we use it." Utilising consumer data is "business critical," but data management poses security risks for IT departments. Several recent data breaches "underscore a key principle for boards: IT risks are business risks. Poorly managed, they can and will exceed corporate risk tolerances," the report states. In light of these recent breaches, chief financial officers "should be kept awake worrying about accountability at the business level." One report adds, "The key to data security is not what your IT department does, it is the policies you set in the boardroom." (Registration may be required to access this story.)

ONLINE PRIVACY

HTTPS By Default Headed Toward Users (March 22, 2012)

A Firefox bug that allowed users' search queries to be easily observed has been fixed, according to Mozilla. The bug was discovered by privacy researcher Christopher Soghoian last year, who reported to Mozilla that anyone with Deep Packet Inspection tools--namely ISPs and governments--could easily view a user's HTTP connections. Mozilla has since enabled HTTPS by default, "thereby making privacy protection available to all users of its browser," the report states. A Mozilla spokesperson said it is testing the change and it may be a few months before Firefox users see it. The Electronic Frontier Foundation has been encouraging such changes via its HTTPS Everywhere campaign, InformationWeek reports.

DATA PROTECTION

Are Companies Ready for the Influx of Big Data? (March 21, 2012)

CIO reports on "Big Data" and the "widening gap between companies that understand and exploit Big Data and companies that are aware of it but don't know what to do about it." Collecting such vast amounts of data and making it accessible for various business uses means organizations need to be serious about securing it, one expert says. "I believe the biggest mistake that most people make with security is they leave thinking about it until the very end, until they've done everything else: architecture, design and, in some cases, development. That is always a mistake," he says, adding every piece of data should be considered an asset worth protecting.

PRIVACY LAW—EU & U.S.

Officials Discuss the Future of Privacy, Cooperation (March 20, 2012)

At the High Level Conference on Privacy and Protection of Personal Data, held simultaneously in Brussels and Washington, DC, on Monday, European and U.S. leaders discussed the development of online privacy rules on both sides of the Atlantic and opined on what must happen between the two to protect online users and facilitate innovation and trade critical to the world economy, The Hill reports. EU Justice Commissioner Viviane Reding and U.S. Commerce Secretary John Bryson issued a joint statement pledging to work together, but some experts say that may be tricky. U.S. FTC Commissioner Julie Brill said, however, that the U.S. and EU share common principles on privacy. Reding said an EU-U.S. agreement is "the missing piece."

PRIVACY LAW—EU & U.S.

Privacy Probes Could Mean “Years of Legal Battles” (March 16, 2012)

The Wall Street Journal reports on investigations by regulators in the U.S. and EU into whether Google circumvented the privacy settings of Apple Safari browser users by placing tracking cookies on their devices. "The investigations--which span U.S. federal and state agencies as well as a pan-European effort led by France--could embroil Google in years of legal battles and result in hefty fines for privacy violations," the report states. "We will of course cooperate with any officials who have questions," a Google spokeswoman said, adding, "it's important to remember that we didn't anticipate this would happen, and we have been removing these advertising cookies from Safari browsers." (Registration may be required to access this story.)

INFORMATION ACCESS—ITALY

Regulator Warns of Excessive Information Requests (March 16, 2012)

President of the Italian data protection authority (Garante) Francesco Pizzetti, while presenting a book on data protection in Italy, warned of "The ever-increasing requests from public bodies...to access personal details of citizens," reports Agenzia Giornalistica Italia. The agencies, according to Pizzetti, are entitled by law to "access some information, not necessarily as part of any tax enquiry, not even preliminary ones." Pizzetti called instances of unnecessary access to citizens' information "major blows to the rule of law and the very concept of citizenship which lies at its root."

DATA PROTECTION—EU

Privacy Protector: EV Profiles Peter Hustinx (March 16, 2012)

European Voice offers a profile of European Data Protection Supervisor (EDPS) Peter Hustinx, whose long career in privacy began when, as a master's degree student in Michigan, his interest was sparked. "It was very interesting: privacy, computers and law...it was pioneering," said Hustinx, who is in his second five-year term as EDPS. The article looks at Hustinx' successes, his toughest challenge--which he says came in 2007 and involved certain information-sharing provisions in the Prüm treaty--and his approaching retirement. (Registration may be required to access this story.)

DATA PROTECTION—FINLAND

Ombudsman Questions State Railways (March 16, 2012)

Finland's data protection ombudsman wants to know whether Finnish State Railways (VR) is keeping a register of trespassers, YLE reports. The inquiry follows a complaint by the operator of the VR leaks website, which says it suspects the VR maintains such a register. Data Protection Ombudsman Reijo Aarnio told YLE that database subjects must be notified of its existence.

TRAVELLERS’ PRIVACY—EU & U.S.

Study: PNR Agreement Violates Rights (March 16, 2012)

A study has found that the most recent EU agreement for the transfer of European passenger name record (PNR) data to U.S. authorities "breaches fundamental European human rights," ZDNet reports. The study, which was conducted by Gerrit Hornung of the Universität Passau and Franziska Boehm of the Université du Luxembourg, compared EU-U.S. PNR agreements from 2004, 2007 and 2011, finding "a general deterioration of Europeans' rights in relation to data sent to the U.S.," the report states. Issues raised in the study include the extension of the purpose and use of the data, its retention period and the transfer to third parties.

SOCIAL NETWORKING—GERMANY

Commissioner Concerned About Music Service (March 16, 2012)

TELECOMPAPER reports on concerns from Federal Commissioner for Data Protection and Freedom of Information Peter Schaar over a music service that requires users to link their social networking accounts to it. "Spotify is facing criticism in Germany over the obligation to have a Facebook account when using the service," the report states, noting comments by Schaar that having a Spotify account "only available via Facebook infringes the Telemedia Act." The report cites one data protection specialist's recommendation that such services "develop a business model that is compatible with the German data protection law."

DATA LOSS—UK

Firm: ICO Reduced Fines in Half of Cases (March 16, 2012)

Out-Law.com reports on the results of its recent freedom of information request, noting the results show the Information Commissioner's Office (ICO) has reduced the amounts for half the organisations it has fined in data breach cases. Noting the ICO has had the power to issue monetary penalties of up to £500,000 since April of 2010 and has, so far, issued 14 such notices with the highest fine totaling £140,000, the report states that in five of the first 10 instances, the ICO "issued final penalties lower than it had originally proposed."

DATA LOSS—UK

Hacking and Lost USBs Result in Exposed Data (March 16, 2012)

BBC News reports that hackers accessed data on a pornographic website, exposing the personal information of more than 73,000 subscribers and the numbers, expiry dates and security codes of 40,000 credit cards. The group posted some of the data online with comments noting the lack of security on the site. Meanwhile, an employee at a Scotland charity lost two USB sticks containing individuals' names, addresses, dates of birth and some health information. The charity--which supports mental health patients--had no policies for handling data outside the office but has signed an undertaking ensuring encryption on mobile devices. Scotland's assistant commissioner said the "incident should act as a warning to all charities that they must ensure that personal information is handled correctly."

PRIVACY LAW—EU

Article 29 WP To Discuss Future, Biometrics (March 16, 2012)

The Article 29 Working Party has released the agenda for its meeting in Brussels on 22-23 March. The group will discuss the future of privacy and its opinions on biometrics and facial recognition, according to the draft agenda.

PRIVACY

With New Rules, Data Protection Officers Needed (March 14, 2012)

Google Global Privacy Counsel Peter Fleischer has warned that "there are not enough experienced data protection officers (DPOs) to meet the impending legal requirements and that more need to be trained," InformationWeek reports. In the wake of the EU's proposed reforms of its 1995 Data Protection Directive and the Obama administration's calls for a Consumer Privacy Bill of Rights, Fleischer wrote last week that "Soon, many thousands of companies operating in Europe will be looking to appoint (data protection officers) to meet legal obligations, and since there is no available pool of such people, companies need to start thinking now about how to recruit, train and resource a DPO, and/or an entire DPO team, for the large companies."

DATA LOSS—UK

ICO Fines Police £70,000 for Breach (March 14, 2012)

The Information Commissioner's Office (ICO) has fined the Lancashire Constabulary £70,000 after a report containing sensitive information about a missing 15-year-old girl and details on 14 other people was found on a public street, computing.co.uk reports. This marks the first such fine for a police force in England and Wales, the report states. The information had been found by a member of the public and given to a newspaper. "The fact that information as sensitive as this could go missing without anybody realizing is extremely worrying and shows that Lancashire Constabulary failed to have the necessary governance, policies and suitable training in place to keep the personal information they handle secure," an ICO spokesman said.

PRIVACY LAW—HUNGARY & U.S.

Hungary Files DPC Amendment (March 13, 2012)

The Hungarian government has filed new amendments following European Commission (EC) action last week to give Hungary one month to "take corrective action" on several laws or face being taken before the European Court of Justice. Among the latest changes, Hungary will "narrow the prime minister's room to fire the independent data protection commissioner," Bloomberg reports, aiming "to 'strengthen the independence' of the data protection agency" as called for by the EC. The amendments do not, however, address the EC's concerns over the previous commissioner's termination before his mandate expired, the report states.

DATA LOSS—UK

Breach Affects Belfast City Councillors (March 9, 2012)

The Belfast Telegraph reports on the alleged accidental disclosure of 51 Belfast city councillors' personal information. According to the report, the data--including bank details, addresses, phone numbers, car registrations and national insurance numbers--was sent to a woman seeking the councillors' contact information. A council spokesman said the breach was a mistake and has been reported to the Information Commissioner's Office (ICO), adding, "We are aware there has been a breach of data protection." A representative from the ICO said, "We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action needs to be taken."

DATA PROTECTION—EU

Study: Laws Result in Budget Increases (March 9, 2012)

Help Net Security reports on a recent survey showing that changes to EU data protection law will mean increased security budgets. The survey was released in the wake of the announcement by EU Justice Commissioner Viviane Reding on the proposed data protection framework, the report states. Among its findings, the study indicates that 54 percent of network security managers surveyed "believe that automating audits would reduce the organisation's risk of violating the law," with some respondents pointing to the need for company security standards or strict compliance strategies with "data security awareness program across the organisations" to reduce compliance risks.

PERSONAL PRIVACY—FRANCE

Man Sues Search Engine for Privacy Infringement (March 9, 2012)

A man is suing Google for privacy infringement and for not seeking notice after a Street View service uploaded an unsavory image of him on the Internet, The Province reports. The plaintiff wants the company to remove the image. His lawyer said, "He discovered the existence of this photo after noticing that he had become an object of ridicule in his village." A representative from Google said the lawsuit was "implausible," according to the report.

DATA PROTECTION

Survey: InfoSec Increasingly Important (March 8, 2012)

Consumers are growing more aware and concerned about how companies protect their data, according to a survey released this week. Edelman Global Chair of Technology Pete Pedersen says companies should exercise transparency and be proactive if a breach occurs. The survey, conducted on behalf of Edelman by StrategyOne, sampled 4,050 adult consumers in seven countries and found that 90 percent of consumers are concerned about data security and 80 percent said they know more today about data protection than they did five years ago. Pedersen said one of the most surprising discoveries was that 84 percent of respondents said security was important to them, but only 33 percent said they expected companies to adequately protect their data.

PRIVACY

Privacy Pro Garners All Five CIPP Certifications (March 8, 2012)

Shortly after the unveiling of the IAPP's newest certification--the CIPP/E--Accenture North American Director of Legal Services and Data Privacy Compliance Benjamin Hayes, CIPP/US, CIPP/G, CIPP/C, CIPP/IT, CIPP/E, became the first IAPP member to achieve all five certifications. In this exclusive for The Privacy Advisor, Hayes discusses what the certifications mean not only for his job but for aspiring privacy professionals and what achieving a "blackbelt" in privacy might mean.

PRIVACY LAW—GERMANY

Court: Social Network Users Retain Property Rights (March 7, 2012)

The Wall Street Journal reports that a German court has ruled against Facebook in a 2010 case sparked by concerns over the social network's use of members' e-mail addresses to solicit new users. "Facebook can't force users to grant the social network a comprehensive license to their content," the report states, noting the court found "users remain the owners of intellectual-property rights of their Facebook posts, pictures and other content posted on the site." A Facebook spokeswoman said, "We will take a close look into the details of today's court decision as soon as they are available and then decide on the next steps," adding that the social network "is committed to adhering to European data protection principles." (Registration may be required to access this story.)

PRIVACY LAW—EU

EDPS Releases Opinion on Data Protection Reforms (March 7, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx adopted an opinion today on the European Commission's proposed reform of EU data protection rules. While the EDPS is welcoming "the strengthening of the right to data protection in Europe...the proposals are disappointing in the law enforcement area and leave many existing EU data protection instruments untouched," Euroalert.net reports. In the opinion's executive summary, the EDPS notes that while the regulation "constitutes a huge step forward for data protection in Europe...the main weakness of the package as a whole is that it does not remedy the lack of comprehensiveness of the EU data protection rules."

PRIVACY LAW—HUNGARY & EU

EC Gives Hungary One Month To Address Issues (March 7, 2012)

The European Commission today gave Hungary one month to "take corrective action" on several laws--including one affecting the data protection authority--to avoid being taken to the European Court of Justice, Europe Online Magazine reports. Noting that Hungary "has not answered all the questions that we have raised," the commission today sent "letters of formal warning" to Hungary, marking the second step in EU infringement procedures, the report states. When sending its response to the first step of the proceedings last month, Hungary had indicated it would "make concessions to guarantee the independence of the data protection authority."

BEHAVIORAL TARGETING—EU

Article 29 Working Party Calls for DNT Protocol (March 7, 2012)

In a published letter, the Article 29 Working Party (A29 WP) indicated that the voluntary guidelines drafted by a European digital advertising industry group do not meet the consent and information requirements laid out in the ePrivacy Directive, PCWorld reports. The European Advertising Standard Alliance (EASA) backs an icon-based approach to inform users of how the targeted advertisement works. A29 WP Chairman Jacob Kohnstamm said, though the icon helps raise awareness, a browser-based do-not-track (DNT) protocol is needed, adding, "A DNT setting in a browser means that users should no longer be tracked instead of just not being shown targeted advertisements."  

PRIVACY

2012 Salary Survey Examines Trends (March 7, 2012)

The IAPP's 2012 Privacy Professionals Role, Function and Salary Survey, which is being released at the Global Privacy Summit, examines compensation levels and key trends as reported by respondents from the organization's diverse membership. This year's survey includes data and comparisons on issues including how privacy professionals allocate their time across different responsibilities, what career paths they are pursuing and their placement within their organizations. Other information included in the survey includes which industry sectors are most represented by privacy professionals; the size of organizations with in-house privacy staff, and what privacy professionals report as the most time-consuming tasks they oversee in their work.

PRIVACY LAW—SPAIN & EU

Spain Seeks ECJ Guidance on Search Engine Cases (March 7, 2012)

PCWorld reports that Spain's National Court (AN) has asked the European Court of Justice (ECJ) to provide jurisdiction clarification on cases involving privacy complaints brought against search engines. The AN said it is unclear who has the final decision-making authority in such matters. The Spanish Data Protection Authority (DPA) says that search engines are subject to European laws and "right to be forgotten" decisions should be made in national courts in the EU. Spain's DPA has started legal action against Google to delete index files of Spanish complainants. A Google spokesman said, "We welcome the Spanish national court's decision to refer this case to the European Court of Justice. We support the right to be forgotten, and we think there are ways to apply it to intermediaries like search engines in a way that protects both the right to privacy and the right to free expression."

PRIVACY LAW—UK & EU

Court of Appeal Upholds DEA Ruling (March 7, 2012)

The UK Court of Appeal has rejected claims that the Digital Economy Act (DEA)--aimed at fighting online copyright infringement--violates EU law, Out-Law.com reports. Two ISPs had argued that the DEA breached EU laws on data protection and privacy. "We are pleased the Appeal Court has upheld the original ruling that the Digital Economy Act is a lawful and proportionate response to the threat posed by online piracy," a government spokesperson said. One of the plaintiffs has responded, "We are reviewing this long and complex judgment and considering our options. Though we have lost this appeal, we will continue fighting to defend our customers' rights against this ill-judged legislation."

MOBILE PRIVACY—U.S. & EU

Lawmaker, Regulator Concerned About Apps (March 5, 2012)

Following news that mobile apps on the Apple and Google mobile systems may access users' address books and photos, U.S. Sen. Charles Schumer (D-NY) is urging the Federal Trade Commission to investigate, The Economic Times reports. "These uses go well beyond what a reasonable user understands himself to be consenting to when he allows an app to access data on the phone for purposes of the app's functionality," writes Schumer. He questions whether the companies' terms of service are being breached and notes, "smartphone makers should be required to put in place safety measures to ensure third party applications are not able to violate a user's personal privacy..." Meanwhile, in light of similar findings in the UK, EU Justice Commissioner Viviane Reding said, "This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this."

ONLINE PRIVACY

Philosophical Questions at the Heart of OBA Issues (March 5, 2012)

In The Atlantic, Alexis Madrigal explores the relationship between our "digital and physical selves," which he says is at the heart of consumers' concerns about online data collection. Currently, data collectors do not connect your online tracking data to your name, but "If and when that wall breaks down, the numbers may overwhelm the name. The unconsciously created profile may mean more than the examined self I've sought to build," Madrigal writes. In an interview with The Inquirer, Jeffrey Rosen says this version of the future is not inevitable, but "Privacy is not for the passive...This is an area where civic engagement and protest work." For marketers, he says, "It's a constant tug-of-war. There is huge economic pressure to see how much tracking people will accept."

SOCIAL NETWORKING

Tweet Sales: A Game-Changer? (March 2, 2012)

The Financial Post reports on Twitter's plans to sell archived tweets to two data mining companies. One company, DataSift, will "release Twitter data in packages that will encompass the last two years of activity for its customers to mine," the report states, while the company Gnip will offer a "short-term data package." While one advocate described the harvesting as "game-changing," another expert said, "The only privacy risk is marketers being able to do more with the data, faster." DataSift CEO Rob Bailey said, "The only information that we make available is what's public. We do not sell data for targeted advertising."

PRIVACY LAW—EU & UK

ICO: Law May Not Deliver Suggested Protections (March 2, 2012)

An Out-Law.com report quotes the UK Information Commissioner's Office (ICO) as saying the European Commission should not suggest the draft General Data Protection Regulation will provide citizens with protection that "in reality, it cannot deliver." The ICO said while it recognises the "desirability of extending the territorial scope of EU regulation...in practice, there may be little that European supervisory authorities and others can do in terms of enforcement unless effective cross-border enforcement mechanisms can be provided." Among other comments, the ICO also said it would be "unrealistic" to have companies report all data breaches within a 24-hour period.

TRAVELLERS’ PRIVACY—UK

UK Joins EU PNR Agreement with the U.S. (March 2, 2012)

Home Office Minister Damian Green has confirmed that the UK has agreed to join the EU passenger name record (PNR) agreement with the U.S., The Guardian reports. Green said the UK "places considerable value on the collection and analysis of PNR data for the purpose of preventing terrorism and serious crime," adding, "We fully recognise the importance of working with partners outside the EU given that the threats we face are global in nature, and, in common with other EU member states, we view the U.S. as a key partner." Green also said the government is "firmly committed to consistency in our approach to civil liberties" and will observe purpose limitation, proportionality, data protection safeguards and full compliance with EU law and treaties, according to the report.

ONLINE PRIVACY—EU & SPAIN

“Right To Be Forgotten” Tested in Court, Questioned (March 2, 2012)

A "right to be forgotten" case was dismissed by a Spanish court last week, Deutsche Welle reports. Alfacs Vacances, which operates the Los Alfaques camping ground, had sued Google Spain to remove disturbing images that appeared atop a search engine query. The company argued the images--which stem from a gas explosion in the 1970s--have harmed its reputation. The court ruled that Google Spain, as a subsidiary, "lacked standing to be sued." Computeractive reports on a "loophole" in the "right to be forgotten" clause in the draft data protection regulations, which could pose difficulties for social networking sites. Meanwhile, UK Communications Minister Ed Vaizey said, "We need to be much clearer about what is meant by the 'right to be forgotten.'"

DATA THEFT—UK

ICO Investigates Blagging (March 2, 2012)

The Independent reports on an investigation initiated by the Information Commissioner's Office (ICO) into the clients of a former intelligence officer who illegally accessed personal data, including bank statements, phone records, medical documents and Interpol files. Information Commissioner Christopher Graham said, "The scourge of data theft continues to threaten the privacy rights of UK citizens. (We) would not rule out taking further against the organisations that received information from these individuals." Graham also commented on two contrasting court decisions related to blagging. "The contrast is striking in the penalties available for blagging under the Fraud Act on the one hand and under the Data Protection Act on the other," said Graham. "On the same day, prison sentences were handed down in one court with chicken feed fines being imposed in another--all for the same activity."

DATA LOSS—UK

ICO Investigates Potential Breach (March 2, 2012)

The Information Commissioner's Office (ICO) has launched an investigation into a potential data breach at Avnet Technology Solutions, the Channel Register reports. Late last year, thieves broke into one of the organisation's offices and accessed hard drives containing staff and customer data, the report states. The ICO said it is making "enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken." Meanwhile, the ICO was recently alerted to a potential breach involving home care patients' personal files. Documents containing names, addresses and healthcare details were found abandoned in an alley. Greenbanks Homecare said it was "hugely disappointed" by the incident. Meanwhile, after an investigation by the ICO, a letting agent has been found guilty of illegally obtaining a tenant's finances.

PRIVACY LAW—IRELAND

Music Companies Dispute Commissioner’s Notice (March 2, 2012)

Four music companies have brought a legal challenge to a notice of the data protection commissioner, hoping to uphold a "three strikes and you're out" agreement the companies made with Eircom to combat illegal downloads of music, reports The Irish Times. The companies contend the commissioner's enforcement notice ordering Eircom to stop implementing the agreement--claiming it breached data protection and privacy laws--is an "unlawful and irrational attempt to reopen data protection issues already determined in the favour by the High Court," the report states. A judge will handle the companies' request to have the case fast-tracked on 12 March.

DATA PROTECTION—EU & U.S.

Opinion: Obama Objectives Mirror EU Directive (March 2, 2012)

The Obama administration last week released the Consumer Privacy Bill of Rights to provide safeguards to consumer data held by organisations. The announcement came on the heels of the European Commission's draft data protection directive, revealed in January. According to an op-ed in The Irish Times, "The U.S. proposals somewhat unfairly now have the feel of a response rather than international leadership. But, in the U.S. context, the proposals are definitely groundbreaking and, if implemented, would give U.S. citizens some of the data protections Europeans already have." The author writes that while implementation and enforcement will make or break both proposals, "it's refreshing to see privacy and data protection high on the agenda."

ONLINE PRIVACY—UK

Opinion: Privacy Is Being Eroded (March 2, 2012)

In The Guardian, Charles Arthur opines that "the edifices of privacy that we once thought we understood are melting like ice in a heatwave." Citing recent incidents where user data was taken without notice, Arthur says "the idea of 'privacy' is being eroded from inside and outside...In fact, online privacy looks altogether like global warming: We tut about it and mutter 'something must be done' and then do the equivalent of clambering into 4x4s--tagging photos on Facebook of friends getting drunk, tweeting pictures of our lovely trip and family in Instagram."

ONLINE PRIVACY

Google Implements New Privacy Policy (March 1, 2012)

Amidst concerns from privacy advocates and regulators, Google today implemented its new privacy policy, RTÉ reports. A group of U.S. and European consumer advocacy groups made last-minute appeals to the company to suspend the changes. Trans Atlantic Consumer Dialogue sent Google CEO Larry Page a letter appealing the move. "Going forward with this plan will be a mistake. We ask you to reconsider," the letter said. "You record virtually every event of a Google user, in far more detail than consumers understand...It is both unfair and unwise for you to 'change the terms of the bargain' as you propose to do." Ireland Data Protection Commissioner Billy Hawkes said there will be issues to consider, the report states. Meanwhile, Japan has expressed concern over the changes, and France's data protection authority has also sent a letter to Page, writing, "Our preliminary analysis shows that Google's new policy does not meet the requirements of the European directive on data protection, especially regarding the information provided to data subjects." Editor's Note: Irish Data Protection Commissioner Billy Hawkes will deliver a keynote address at the upcoming IAPP Data Protection Intensive in London.

ONLINE PRIVACY

Mozilla Offers New Web-Tracking Tool (March 1, 2012)

In Forbes, Kashmir Hill describes a new tool released by Firefox browser provider Mozilla. Called Collusion, the tool lets a user view how he or she is being tracked online. Mozilla CEO Gary Kovacs said, "We are being watched. It's now time for us to watch the watchers." Though the new tool does not describe what each tracker does, Hill breaks down various tracking tools and widgets that are found on the Forbes site when a user visits to read her articles. Editor's Note: The IAPP will host the web conference Online Behavioral Advertising--The Current Global Landscape on Thursday, March 22.