European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—IRELAND

DPC Reports Record Number of Data Complaints (April 30, 2012)

According to an annual report from Ireland Data Protection Commissioner Billy Hawkes, 2011 saw a record level of complaints from the public about data use, The Irish Times reports. The total number of complaints went from 783 in 2010 to 1,161 in 2011, a 48 percent increase. The report also revealed that the complaints ranged from unsolicited marketing to unlawful use of CCTV in the workplace. Hawkes noted a shift in types of complaints, suggesting a "growing level of public awareness of the right of access to personal data." 

SURVEILLANCE

As Use of Facial Recognition and Surveillance Increases, What Happens To Privacy? (April 30, 2012)

The Economist reports on the increasingly pervasive use of video surveillance in countries around the world. China will soon employ three million surveillance cameras--surpassing Britain--and its industry is expected to reach 500 billion yuan, or $79 billion, in 2015. Alongside the increase in video surveillance is an increase in the use of facial recognition technology, currently employed at Mexican prisons, U.S. bars, Japanese workplaces and many other locations worldwide. Brazilian police will use it to improve security at the 2014 World Cup. The U.S. National Institute of Standards and Technology has found that such technology is improving, raising legal questions about the "reasonable expectation of privacy" in public, the report states. 

PRIVACY LAW—EU & HUNGARY

Hungary Referred to EU Court Over DPA, Judiciary Concerns (April 27, 2012)

DW reports that the European Commission will refer Hungary to the EU's highest court over concerns that government reforms "infringe on the independence of the judiciary and data protection agency," and a EurActiv report notes, "Brussels considers the lack of autonomy of the independent authority caused by recent laws as detrimental to citizens and media." The law allows the government to remove the leader of Hungary's data protection authority "at any time and with immediate effect," the report states. "With this step we hope to convince Hungary to change the legislation," a commission spokesman said Wednesday.

PRIVACY LAW—FRANCE

CNIL Releases Inspections Agenda (April 27, 2012)

The French Data Protection Authority (CNIL) has unveiled its annual programme of inspections. Bird & Bird reports the CNIL will conduct 450 onsite inspections on data protection and privacy. Investigations will focus on CCTV uses; the treatment of data collected by mobile operators and smartphone resellers and developers; the processing of health data by medical research facilities, hospitals and via the cloud; ISP procedures on data breach requirements; sport federations' treatment of data processing; processing of personal data in police files, and facilities providers' and motorway companies' treatment of personal data.

DATA LOSS—UK

ICO Investigation Finds Dangers on Discarded Hard Drives (April 27, 2012)

A recent report by Information Commissioner Christopher Graham warns that people are "in danger of becoming a soft touch for online fraudsters," The Telegraph reports. An investigation by the Information Commissioner's Office (ICO) found that of 200 hard drives purchased, 11 percent contained personal information and about 50 percent still had some data on them. Two of the drives had enough information to be able to steal the individual's identity, the report states. Meanwhile, a recent survey has found that 12 percent of consumers believe organisations are adequately protecting their data, while 76 percent say they'd leave a business or service if their data was leaked.

ONLINE PRIVACY—EU

“Internet of Things” Spurs Concerns (April 27, 2012)

DW reports on the possibilities inherent in the "Internet of Things" and also the privacy concerns being raised by the potential for such comprehensive connectivity. The report notes that the European Commission's public consultation on the Internet of Things, which is scheduled to be completed this summer, "is a step toward potential regulation." An EC spokesperson notes that, among the approximately 350 opinions submitted within the consultation's first week, more than 300 call for provisions to ensure the confidentiality of user data. "People are saying, we like the convenience and potential, but we want safeguards," he said.

CCTV—UK

ICO Orders Council To Justify Taxi Plan (April 27, 2012)

The Information Commissioner's Office (ICO) has told the Oxford City Council to justify in writing its plans to require all Hackney cabs and private hire taxis to install sound and video recording systems, the Oxford Mail reports. The council wants the cabs to install the CCTV systems to protect drivers and says footage will only be reviewed upon request. An ICO spokesman said, "The notice relates to our concerns that the scheme may not be compliant with the requirements of the Data Protection Act."

MOBILE PRIVACY

Mobile Phone Industry Initiative To Be Adopted (April 27, 2012)

BBC News reports on an industry initiative by four mobile phone operators that will give consumers more control over their personal data. The initiative will develop a tool that will log consumer information sharing preferences, which could limit what kinds of data are available to advertisers, the report states. The head of Mobile Entertainment Forum, the group coordinating the tool's development, said, "There's a burning need for the industry to develop a way to communicate what the consumer has consented to."

PRIVACY LAW—EU

Experts Weigh In on Changes Draft Would Incite (April 27, 2012)

Financial Times reports on the ways the European Commission's draft regulation on data protection may affect EU companies as well as foreign companies processing data on European customers. "It's a big change, and it's my belief that many business leaders haven't even begun to get to grips with what it might mean for their companies," said one attorney. The draft gives an organisation 24 hours to report a breach to their data protection authority and every customer potentially affected. "My main concern is that companies might be forced into providing either an incomplete or a vastly overstated picture of a breach that could do more harm than good," said an IT specialist. (Registration may be required to access this story.)

PRIVACY LAW—EU

Critics: Draft’s Exemptions for Police Are Troublesome (April 27, 2012)

EUobserver reports on critics of the European Commission's draft regulation on data protection when it comes to police privileges. Under the proposal, law enforcement agents conducting investigations would be exempt from changes to the law that would strengthen data protection on commercial matters, and that is raising concerns about police justice. The proposal also allows for exceptions to be made when it comes to access to sensitive data for the sake of the public interest. "The data protection directive is a step in the right direction, but there are many, many loopholes and broad exemptions," said a spokesperson for NGO Panoptykon Foundation, a Polish-based digital rights organisation. Meanwhile, police say the proposal would require the hiring of specialist data protection officers, costing millions of pounds.

TRAVELLERS’ PRIVACY—EU & U.S.

Opinion: PNR Agreement Leaves Much To Be Desired (April 27, 2012)

In an opinion piece for EUobserver, MEP Jan Philipp Albrecht opines that the recently green-lighted EU-U.S. agreement on air passenger data remains disproportionate in its mandates for passenger data retention periods. Albrecht also disagrees with the lack of safeguards to prevent the misuse of data--potentially resulting in passenger profiling--and the lack of legal redress for data misuse. "These concerns will now simply be brushed under the carpet by members of the European Parliament who wanted to wash their hands of the controversy," Albrecht writes, adding that there remains a lack of evidence that using passenger records to thwart terrorism and criminal activity is effective at all.

DATA LOSS—UK

London Marathon Data Mistakenly Revealed (April 27, 2012)

Organisers of the London Marathon are apologising after it was brought to their attention that the personal data of 38,000 marathon participants was mistakenly accessible to anyone logging on to the official marathon website, BBC News reports. A spokesman for the Information Commissioner's Office says the agency will "certainly" investigate the matter, adding, "This is something the information commissioner will need to look into to see how it has come about."

ONLINE PRIVACY—GERMANY

Athlete Outs Online Admirer, Incites Debate (April 27, 2012)

The New York Times reports on an Olympic hopeful who publicly posted the name and city of a man who sent her an obscene message on Facebook. More than 10,000 people have commented on her post, debating its legality. Despite Germany's strict privacy laws, "Something like this is new; we have not had an incident in this form before in Germany," said a spokesperson for a victims' rights organisation. A lawyer specialising in Internet law said legality will be determined by whether the man in fact sent her the harassing message to begin with. "If it is true, then she is allowed to post it," he said. (Registration may be required to access this story.)

DATA PROTECTION

Privacy Among “Five Biggest Threats;” Kroes Calls for Prevention Strategy (April 27, 2012)

A BBC News technology section feature lays out the "world's five biggest cyber threats." Among them, according to the article, are the loss of privacy and cyber warfare. Citing global mapping technology, drones, closed-circuit television cameras and companies' thirst for personal data, security expert Eugene Kaspersky says, "In the end of the day, it's not only dangerous for you personally, but your entire nation could become hostage." On cyber warfare, Kaspersky warns that vast sums are being directed toward the creation of cyber weapons. During an address in London this week, EU Digital Agenda Commissioner Neelie Kroes said the EU needs to do more to prevent cyber attacks, EUobserver reports.

DATA LOSS—EUROPE

Risk Survey Shows “Worrying Level of Complacency” (April 27, 2012)

Bloomberg reports on the results of an information risk survey of 600 European businesses. The PricewaterhouseCoopers and Iron Mountain, Inc., survey asked financial services firms, pharmaceutical companies, law firms and insurance providers about data breaches and other data protection-related issues, finding "a worrying level of complacency across the legal sector," says Christian Toon of Iron Mountain Europe. "There's absolutely no point in pouring resources into information security if no one takes any notice," Toon says. According to the report, less than 30 percent of responding law firms have risk training programs in place for staff.

PRIVACY LAW—EU

EDPS: ACTA Could Threaten Privacy (April 27, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has said the Anti-Counterfeiting Trade Agreement (ACTA) "could involve the large-scale monitoring of users' behavior and of their electronic communications," which could go "beyond what is allowed under EU law," Reuters reports. Signed by 22 of the EU's 27 member states as well as the U.S. and Japan, ACTA is a global trade deal addressing copyright theft. In an EDPS opinion, Hustinx said, "ACTA measures to enforce intellectual property rights in the digital environment could threaten privacy and data protection if not properly implemented."

ONLINE PRIVACY—EU & U.S.

Reporter Explores Personal Data Held by Large Sites (April 27, 2012)

In a column for The Guardian, James Ball discovers what personal information is held about him by Google and Facebook. Using EU rights to make requests on personal data held by these online companies, Ball wonders "exactly how much the Internet giants know about us." After reviewing his personal data, Ball concludes, "The tour through a decent swath of my personal data is at once disturbing and comforting...Among the huge tranche of information available to Google and Facebook alone is virtually everyone I know, a huge amount of what I've said to--and about--them and a vast amount of data on where I've been."

PRIVACY LAW—EU & U.S.

Hustinx: Companies Should “Innovate” on Privacy (April 27, 2012)

The New York Times reports on comments from European Data Protection Supervisor Peter Hustinx urging companies to "innovate" on consumer privacy. Speaking at a Berkeley Center for Law and Technology event in California, Hustinx said EU lawmakers will move forward with far-reaching legislation to protect online privacy, the report states. "It really is based on the idea that when there is not good enough reason to keep the data, it should be deleted," Hustinx said at Thursday's event, adding, "When data have been published or have been shared and it is within your power to get them back, you have to make reasonable effort to get the spirit back in the bottle." (Registration may be required to access this story.)

ONLINE PRIVACY

Critics Say Terms of Service Allow for Lack of Privacy (April 27, 2012)

The New York Times reports on concerns about Google's recently released online storage service, Google Drive. The service offers free storage of documents, pictures and video, among other data, and critics say that under Google's “one-size-fits-all” terms of service, the company can use the stored content for its own purposes. A Google representative, however, said the company doesn't "take personal information and use it in a way that we don't represent to the user,” and the company’s terms state, “You retain ownership of any intellectual property rights that you hold…In short, what belongs to you stays yours.” (Registration may be required to access this story.)

DATA PROTECTION—UK

ICO To Spend 20 Percent on IT (April 26, 2012)

The Information Commissioner's Office plans to spend £3 million--or about 20 percent of its total budget--on IT security, The Guardian reports. At a recent conference, Information Commissioner Christopher Graham said the office is currently seeking a vendor to provide such services. Graham added that the ICO has issued 14 civil monetary penalties for data protection breaches since his office gained the power to do so 18 months ago. In cases where organizations took action to mitigate risks of future breaches, fines were less likely to be handed down. Asked about the potential for a communications monitoring law in the UK, Graham said it must have the proper safeguards.

PRIVACY LAW—GERMANY

Germany Could Face Lawsuit, Fines (April 25, 2012)

Bloomberg reports the German government will not attempt to fight off an EU lawsuit based on the country's failure to implement EU data retention guidelines into law thus far. An agreement between the interior and justice ministries will not be reached by the April 26 deadline, which could result in a lawsuit and a fine of at least €32.5 million. The country may face additional fines of €80,000 per day until a decision is reached.

PRIVACY LAW—EU

ECJ: ISPs Can Disclose Data to IP Holders (April 24, 2012)

The European Court of Justice (ECJ) has ruled that EU laws do not prevent Internet service providers from disclosing data to copyright holders for the purpose of identifying file-sharing violators, Out-Law.com reports. The ECJ ruled that the Data Retention Directive "must be interpreted as not precluding the application of national legislation based on (the Intellectual Property Rights Directive) which, in order to identify an Internet subscriber or user, permits an Internet service provider in civil proceedings to be ordered to give a copyright holder or its representative information on the subscriber to whom the Internet service provider provided an IP address which was allegedly used in an infringement, since that legislation does not fall within the material scope of" the directive.

ONLINE PRIVACY

Opportunities, Privacy Concerns Abound with Big Data (April 23, 2012)

The Guardian reports on the rise of Big Data and how privacy boundaries shift as personal information becomes more valuable to companies. One O'Reilly Media representative said, "Given enough data, intelligence and power, corporations and government can connect dots in ways that only previously existed in science fiction." The ability of Big Data systems to collect and make sense of huge amounts of information provides some companies with valuable opportunities but brings with it concerns about personal privacy.

PRIVACY LAW—EU

EDPS Calls For Safeguards In Open Data Package (April 20, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has called for clearer parameters on how and when public-sector bodies make personal data available for re-use in his opinion on the European Commission's Open Data Package. The opinion, adopted Wednesday, calls for safeguards whenever personal data is involved, according to an EDPS press release. Hustinx said the commission's proposal, adopted in December 2011 and aiming to facilitate, harmonise and remove barriers to the reuse of public-sector information throughout the EU, should require data protection assessments before data releases; a license for use that includes a data protection clause, and that applicants demonstrate compliance with data protection laws. Personal data should also be fully or partially anonymised where appropriate, Hustinx said.

PRIVACY LAW—SPAIN

Spain Implements EU Cookie Regulation (April 20, 2012)

Spain has issued Royal Decree-Law 13/2012, fully implementing the EU ePrivacy Directive, reports Bird & Bird. Prior to the implementation, a service provider was required to inform users of placed cookies, but now they must gain opt-in consent. While the Royal Decree fully implements the EU Directive, it has imposed additional requirements for "affirmative action" to signal users' consent as recommended by the Article 29 Working Party.

SURVEILLANCE—UK

Queen Expected To Address Monitoring Plans (April 20, 2012)

According to UK Information Commissioner Christopher Graham, next month's Queen's Speech will highlight the proposal for expanded government surveillance plans that have raised concern for lawmakers and privacy advocates alike, reports SC Magazine. "There are core decisions to be made, and the intrusion into people's privacy, to be sure it is compliant with the Data Protection Act on safeguarding people's data. It will be interesting to see what is in the Queen's Speech, and my role is to look at the details and suggest where there needs to be changes," Graham said.

PRIVACY LAW—EU

EC Launches Survey on “Internet of Things” (April 20, 2012)

The European Commission (EC) is seeking public input through an online survey on how to balance privacy with societal and economic benefits in the ever-growing "Internet of Things," reports InfoSecurity. The EC estimates the average person has at least two devices connected to the Internet, but by 2015, that number is expected to grow to seven, making some level of governance necessary, says one report. According to an expert, the current directive wasn't "designed with this technology in mind," calling it a classic example of law not being able to keep up with technology. The survey will be open for responses through 12 July, and the responses will inform the EC's recommendation, to be presented by the summer of 2013.

DATA RETENTION—CZECH REPUBLIC

Pirate Party and NGO Speak Out Against Bill (April 20, 2012)

The Czech Pirate Party and the NGO Iuridicum Remedium have spoken out against a bill intended to fight organised crime, saying it would amount to a guilty-until-proven-innocent principle of law. The bill would require "phone operators and Internet providers to store personal data from electronic and mobile communication," reports Radio Praha. Last year, the Czech Constitutional Court rejected a similar initiative, calling the retention of personal data unconstitutional.

PRIVACY LAW—INDIA & EU

India Seeking Adequacy Designation from EU (April 20, 2012)

The Economic Times reports on India's call for the EU to "lift restrictions on flow of sophisticated outsourcing business to India by designating it as a data secure country." The lack of an adequacy designation "prevents flow of sensitive data, such as patient information for telemedicine, to India under data protection laws in the EU," the report states. One official has said, "We have made adequate changes in our domestic data protection laws to ensure high security of data that flows in," noting that for India to receive high-end business process outsourcing, the "stamp of approval from the EU" is needed.

DATA PROTECTION—GERMANY

Baum Discusses Privacy in a Digital World (April 20, 2012)

Former Interior Minister Gerhart Baum, known for his work on data protection and civil liberties issues, talks to Deutsche Welle about the privacy risks inherent in the digital world. Baum says the Internet "offers new possibilities for personal development and communication," but warns that online data remains forever and people should "exercise restraint." He also voices concern over those instances where web users "leave information whether we like it or not." Pointing to the difficulty of taking action in the private sector, where the major players are global corporations, Baum says, "The state must set the framework for data processing in the private sector...But we need global agreements on the protection of privacy."

ONLINE PRIVACY—UK

Cookies: A Mystery Soon To Be Revealed (April 20, 2012)

The Telegraph reports that though many organisations will likely miss the 26 May compliance deadline for implementation of the EU ePrivacy Directive, it will mark the day many web users become more aware of cookies. Websites will, under the new law, be required to gain consent for each cookie placed on users' computers and, according to one expert, this will be "incredibly onerous for website owners." The information commissioner has said he doesn't want the law to put an "unnecessary burden" on businesses, and the Communications Minister noted, "we do not expect the ICO to take enforcement action in the short term against businesses and organisations as they work out how to address their use of cookies."

ONLINE PRIVACY—UK

Study: High Cookie Rate Among Popular Websites (April 20, 2012)

A recent study revealed that there are, on average, 14 tracking mechanisms per web page on the UK's most popular websites, BBC News reports. The TRUSTe study also suggests that a user will typically encounter approximately 140 cookies while visiting one site. Undertaken in March and covering the UK's 50 most popular websites, the study notes that 68 percent of the tracking mechanisms belong to third parties, most of which are advertisers. A TRUSTe representative said, "It's not illegal to do the tracking--the question is whether you are giving consumers enough awareness that it is happening and what you are doing with the data." The UK Information Commissioner's Office is expected to begin enforcing the cookie rule on 26 May.

DATA LOSS—UK

ICO: Lack of Staff Training Led to Breach (April 20, 2012)

The Information Commissioner's Office (ICO) says insufficient staff training has led to the breach of two unencrypted memory sticks from a London-based hospital, COMPUTERWORLD UK reports. According to an ICO undertaking, one memory stick contained the personal information of 600 maternity patients, while the other held medical data of 33 children. The ICO said, "Due to not having received up-to-date information on governance training, the employee was unaware that an encrypted device issued by the data controller should have been used."

DATA LOSS

Breaches Hit ICANN, Toshiba (April 20, 2012)

MediaPost reports that the Internet Corporation for Assigned Names and Numbers (ICANN) has experienced a security breach. ICANN said that it has temporarily stopped accepting new domain name applications until it "can confirm that the problem has been resolved." In a separate incident, Toshiba is promising the UK Information Commissioner's Office that it will handle personal data with more care after a security flaw exposed the personal data of 20 individuals.

DATA LOSS—UK

Breaches Persist, Is This the New Norm? (April 20, 2012)

The South London Healthcare Trust, Hertfordshire County Council and Leicestershire Council have all signed undertakings to better protect personal information and train staff after breaches at each organisation, and GE Healthcare is reviewing its privacy procedures after sending data on 600,000 NHS patients to servers in the U.S. The spate of breaches in the UK has one reporter wondering whether this will be the new norm and some security experts calling for an NHS "security czar." In a publicservice.co.uk op-ed voicing disapproval of the ICO's response to breaches, Information Commissioner Christopher Graham says it's important to make staff aware that they're dealing with sensitive personal information, and adds, assessing a breach is not "black and white."

TRAVELERS’ PRIVACY—EU & U.S.

EP Approves U.S. PNR Deal, MEPs Back EU Agreement (April 19, 2012)

The European Parliament has adopted a passenger name record (PNR) agreement with U.S. authorities, Euroalert.net reports. With 409 votes in favor, 226 against and 33 abstentions, the agreement sets a framework for allowing U.S. authorities access to EU citizens' PNR data and sets conditions for data retention periods and data security, as well as administrative and judicial redress, the report states. Meanwhile, EU interior ministers are preparing a framework for an EU-wide PNR deal, reports EuropeanVoice.com. The agreement, which will reportedly be concluded at a meeting in Luxembourg next week, will set the stage for talks with the European Parliament.

ONLINE PRIVACY

Berners-Lee: “Demand Your Data” (April 19, 2012)

World Wide Web creator Tim Berners-Lee has urged Internet users to demand their personal data from web companies in order to help begin a new era of customized computer services, reports The Guardian. He says consumers have not fully realized the value of their personal data held by online companies. "My computer has a great understanding of the state of my fitness," Berners-Lee said, "of the things I'm eating, of the places I'm at." By taking advantage of such personalized data, services "with tremendous potential to help humanity" could be created, but only if web companies allow users access to their data.

PRIVACY LAW—EU

WP Calls for Assessment of Reform Costs to DPAs (April 18, 2012)

The Article 29 Working Party (WP) wrote a letter to Justice Commissioner Viviane Reding stating that the European Commission (EC) may not have "sufficiently recognized" the added strain data protection reforms will have on data protection authorities (DPAs), reports Out-Law.com. Calling for an independent assessment of the added costs that will come with the reforms, the letter says that without member states committing to provide "financial, human and technical resources...there is a risk that DPAs will not be able to cope with the demands on them and will act as an impediment to rather than an enabler of the innovation and growth that you are seeking to promote." The letter also suggests the EC scale back certain duties if member states and the EC are not prepared to commit to the cost of necessary resources.

MOBILE PRIVACY—TURKEY

Authority Fines Three Leading Mobile Phone Companies (April 16, 2012)

The Information Technologies and Communications Authority (BTK) has fined three major mobile phone operators for violating client privacy, Today's Zaman reports. The authority has fined Turkcell, Avea and Vodafone a total of TL 13.6 million ($7.5 million) after the firms opened phone lines using customers' personal information, registering multiple lines under each person's name. The BTK implemented a new regulation in 2009 that prohibits the use of personal information to register phone lines without user consent, the report states, in an effort to thwart criminal use of individuals' information.

PRIVACY

Site’s Security Prompt Incites Concerns (April 16, 2012)

The Telegraph reports that a new security verification feature currently being tested by Google is raising concerns among some privacy advocates. The new feature asks users to verify their account by typing in house numbers taken from Google's Street View images. Since the house number images are blurry, the security check can filter out bots, the report states, but the data entry--checked against entries from other users--also verifies Street View data for the company. Big Brother Watch's Nick Pickles said, "There is a serious privacy issue with identifying the individual number of people's homes." A company spokesman said the security feature is only used about 10 percent of the time and that there are no security risks in the practice.

ONLINE PRIVACY—UK

ICO: There’s Still Time To Comply with Cookie Rules (April 13, 2012)

UK Information Commissioner Christopher Graham says time is running out for organisations to come into compliance with the cookie law enforcement deadline of 26 May, ComputerWeekly reports. "We gave industry a year's grace, but when that runs out we will certainly be responding to complaints about organisations that are not following the rules," Graham said, adding that businesses would do well to both review the ICO's guidance and conduct an internal cookie audit. "When the ICO comes to call," Graham said, "we will certainly expect businesses to know what their websites do, we will expect them to be clearing up and getting rid of all unnecessary cookies and we will expect them to have a plan in place to become compliant." Financial Times reported this week that the majority of British companies are not yet compliant.

HEALTHCARE PRIVACY—ITALY

Expert: New Legislation Creates Health IT Opportunities (April 13, 2012)

New legislative updates are refocusing attention on data protection safeguards in Italy's healthcare sector, writes Giulio Coraggio in an International Law Office report. A new decree is reportedly about to be ratified by Parliament that will affect electronic health records, online examination records and the general use of healthcare information technology. According to Coraggio, the Ministry of Health will set forth decrees on mobile device use when collecting medical data and on its distribution to practitioners, researchers and patients. "The decree represents a key opportunity," writes Coraggio, "for providers of cloud computing services that are affiliates of pharmaceutical companies, but also companies--such as Google--that are active in other sectors, but whose services could be adapted to the needs of the medical sector."

DATA PROTECTION—EU

Expert Advises Drone Makers To Address Privacy (April 13, 2012)

Speaking at the Eindhoven University of Technology, attorney Peter Lee said European drone companies should proactively engage with the EU in order to bring industry concerns in line with European data protection issues, PCWorld reports. Lee warned drone makers to take European privacy issues seriously, saying that many unmanned aircraft systems contain surveillance and video equipment that would likely subject them to data protection rules. The drone industry may experience "rocky times ahead" if it does not comply with EU privacy regulations, the report states.

ONLINE PRIVACY—FRANCE

UFMD Issues Cookie Guidelines (April 13, 2012)

The French direct marketing association (UFMD) and 10 of its members have issued guidelines on advertising cookies. (News in French.) (English version)

HEALTHCARE PRIVACY—UK

FOIA Request Reveals Patient Data Breaches Have Doubled (April 13, 2012)

The number of security breaches involving missing or mishandled patient records has doubled in the last four years. That's according to The Telegraph, which reports that a Freedom of Information Act inquiry revealed incidents such as medical tests in bins outside of hospitals, personal data left on public transportation and faxes sent to unintended recipients. The number of incidents increased from 90 in 2008 to 179 in 2011, the report states.

PRIVACY LAW—UK

ICO Condemns Motorman File Release (April 13, 2012)

Following blogger Paul Staines' release of portions of the Operation Motorman files, the Information Commissioner's Office (ICO) has said it "strongly condemns" the action, The Guardian reports. More than 1,000 alleged requests by journalists to a private investigator have been published and reportedly include ex-directory phone numbers, criminal record checks and vehicle registration details. In a statement, the ICO said, "Putting these into the public domain in this way is a serious violation of many people's privacy and raises more questions than it answers." Indicating the release may have breached the Data Protection Act, the ICO is now considering what steps it should take next. Saying that he is "really very angry," Information Commissioner Christopher Graham added, "This is absolutely what we were trying to avoid."

SOCIAL NETWORKING

One Company’s Privacy Dilemma (April 13, 2012)

The Guardian reports on "Facebook's $100 billion privacy dilemma." As the company moves toward its public offering, it faces two obstacles--"its contempt for privacy and Wall Street's frothy expectations," the report states. Since the site makes most of its money from advertisements, "if it does not play the privacy game well," users and lawmakers may demand limited data use. "Facebook's future relies in great part on its ability to wisely adjust its privacy dials," the report states, "even at the expense of its shareholders' dreams."

DATA LOSS

American Man Pleads Guilty in Sony Hack (April 13, 2012)

An American man and former member of the hacker group Lulz Security pleaded guilty last week to hacking Sony Pictures Entertainment computers, the Mercury News reports. Cody Kretsinger faces 15 years in prison for federal charges of conspiracy and unauthorised impairment of a protected computer, the report states. Kretsinger was arrested in September 2011 for his role in what was one of the largest data breaches of that year.

SOCIAL NETWORKING

Facebook Offering “More Disclosure” About Data Storage (April 13, 2012)

The New York Times reports that in an attempt "to address criticism of the social network's privacy practices," Facebook has said it will give users "an expanded, downloadable archive of the many types of data on individuals that the company stores and tracks." The announcement came in the form of a post on Facebook's privacy blog that indicated the site would expand its "Download Your Information" archive. Max Schrems, a law student who has challenged Facebook's data collection practices in the EU, responded, "We welcome that Facebook users are now getting more access to their data, but Facebook is still not in line with the European Data Protection Law." (Registration may be required to access this story.)

PERSONAL PRIVACY—UK

Gov’t Says Consent Required for Third-Party Access (April 12, 2012)

The Department of Energy and Climate Change says third-party companies will not be able to access consumer smart meter data without their consent, Out-Law.com reports. "Consumers should be able easily to access their own smart metering energy consumption data, and share it with third parties, should they choose to," said the department in its consultation on data access and privacy for its smart meter implementation program. The department says safeguards will be put in place to verify that the person granting third parties access to data is valid. "This information is useful to energy suppliers, but it is also potentially valuable to a whole host of other organizations, too," said one expert.

PRIVACY LAW—FRANCE

Google Defends New Policy To CNIL (April 6, 2012)

Google is defending its new privacy policy to French data protection regulator the CNIL, Reuters reports. In its response to the CNIL's request that Google answer "69 questions on its privacy policy before 5 April," the company's global privacy counsel said it is "convinced that the overall package of our privacy notices respects completely the requirements of European data protection law." The company answered half of the CNIL's questions in its 18-page letter and will provide answers to the remainder of the questions by 15 April. CNIL may issue an administrative caution or a fine, according to Article 29 Working Party Chairman Jacob Kohnstamm.

PRIVACY LAW—EU

Working Party Calls for Improvements to Draft Regulation (April 6, 2012)

The Article 29 Working Party has said organisations should have a general obligation to "anonymise or pseudonymise" personal data when processing personal data if it is "feasible and proportionate" to do so, Out-Law.com reports. In its published opinion on the European Commission's proposed General Data Protection Regulation, the Working Party says the concept of pseudonymisation should be "introduced more explicitly." It also says data protection authorities should not be required to issue fines for breaches but rather that the power be "discretionary." The opinion also voices concerns surrounding the draft rules' clarity on jurisdiction and the breadth of mandatory data breach notifications.

PRIVACY LAW—UK

Court Hands Down Punishments for Breach (April 6, 2012)

Two individuals and a property investment firm have been found guilty of breaching the Data Protection Act after unlawfully obtaining details about tenants, according to the Information Commissioner's Office. SAI Property Investments was fined penalties and prosecution costs, as was Sundeep Jaswal for asking an employee--who was also fined--to collect and provide details about the tenants from housing records to settle outstanding debts. Information Commissioner Christopher Graham said the case speaks to the need for tougher penalties for abuses of the Data Protection Act to deter future crimes. Meanwhile, Devon County Council accidentally sent pay slips to the wrong employees.

PRIVACY LAW—EU

Proposed Law Would Criminalise Hacks (April 6, 2012)

The European Parliament is proposing laws to harmonise cybercriminal penalties with punishments ranging from two to five years in prison. Parliament approved the draft law, which would also make companies liable for hacks that could benefit them, ZDNet reports. The proposal effectively criminalises hacks against networks, databases or websites across Europe, whereas now the rules differ from one member state to the next. It would also criminalise "illegal access, interference or interception of data," the report states.

PERSONAL PRIVACY—UK

MP Fights Against CCTV in Taxis (April 6, 2012)

An Oxford West MP has written to the Oxford City Council urging it to halt plans to install CCTV cameras in all new taxis beginning 1 April. MP Nicola Blackwood also has written to the Information Commissioner's Office asking for an update on the council's investigation into the plans, ITV News reports. The council believes the cameras will increase safety for passengers and drivers, but Blackwood says "the city council has crossed the line with this policy; it is an invasion of privacy and undermining of civil liberties that neither passengers nor taxi drivers themselves have welcomed." She also questioned whether the plans comply with data protection law.

BEHAVIOURAL TARGETING—EU

Ad Icon, European Advertising Alliance En Route (April 6, 2012)

A behavioural ad icon that will notify users when they are served targeted online ads based on their web browsing habits and other data is expected to be unveiled soon, reports ClickZ. The U.S.-based Digital Advertising Alliance (DAA), in conjunction with European self-regulatory advertising industry groups, is expected to license the DAA's AdChoices icon to a newly established European DAA (EDAA) within weeks. Peter Kosmala, CIPP/US, senior vice president of government affairs at the 4A's, said industry groups comprising the EDAA will include the Interactive Advertising Bureau Europe, IAB UK, European Advertising Standards Alliance and World Federation of Advertisers.

BIOMETRICS

Gov’t Use of Biometric IDs On the Rise (April 6, 2012)

The use of biometric information is inevitable when it comes to border control, Public Service Europe reports. The market for civil and military biometrics is expected to grow 14 percent per year and will include RFID-chip embedded passports and what are known as e-gates, which allow for access control at national borders without human intervention and are already being employed in China, the UK, Germany and Spain. National ID cards will also include RFID chips--and already do in countries such as India, which is currently undertaking a unique ID program. Implementation of such unique ID programs faces opposition, however, from privacy and civil liberties groups.

DATA PROTECTION—EU

Researchers Hope Regulations Bring Project-Backing (April 6, 2012)

The Irish Times reports on a research group planning to capitalise on the heightened focus on data privacy in Europe. The Waterford Institute of Technology's Telecommunications Software and Systems Group (TSSG) hopes to gain EU backing for projects on breaches and network attacks as well as on helping organisations comply with privacy regulations, the report states. Based on proposals in the draft regulations on data protection, the projects would, for example, allow for more secure information sharing among government bodies and within the cloud environment. The new regulations are going to "set the blueprint for communications, and we are going to need technological solutions for technological problems," said a TSSG spokesman.

PERSONAL PRIVACY—SWEDEN

Gov’t Approves Bio Banks, Databases for Research (April 6, 2012)

Aiming to learn more about prevalent diseases, Sweden's government has approved a unique medical research project that will involve "large-scale population registration and bio-banks," The Swedish Wire reports. LifeGene was launched in 2010 to collect health information from 500,000 individuals to study the effects of various factors on health but was halted by Sweden's Data Inspection Board due to concerns surrounding the size of the database involved. But the government now plans to make constitutional and legislative changes to address such concerns. Sweden's minister for education said the research must be balanced with individual privacy, the report states.

FINANCIAL PRIVACY

Opinion: “Cashless Society” Will Need Privacy Provisions (April 5, 2012)

In a feature for The New York Times, George Mason University Senior Research Fellow Jerry Brito writes of Canada's move to eliminate the penny in coin form, suggesting it is "almost inevitable that digital money will soon replace not just the penny, but all physical money--in the U.S., Canada and elsewhere." While that makes sense in terms of costs and efficiency, he notes, "when it comes to privacy and freedom, cash can't be beat." In the move toward a "cashless society," Brito writes, "preserving some untraceable payment method" is necessary to "defend consumers' privacy and limit the power of government and businesses." (Registration may be required to access this story.)

MOBILE PRIVACY

Study: Majority Use Geolocation, Privacy Concerns Persist (April 4, 2012)

IDG News reports on a study revealing that nearly 60 percent of smartphone users acquire geolocation apps even while the respondents expressed privacy and safety concerns. Conducted by ISACA, the study polled 1,000 smartphone users. Some of the largest concerns for the users, according to the report, are advertisers' access to their data and possible risks to their personal safety. A representative from the Center for Democracy & Technology said, "If you think about it, most of us have one location where we spend our daytime hours at work and one location where we spend our nighttime at home, so after just a day or two of these data points, it's fairly obvious who they describe." Meanwhile, TRUSTe is releasing a new tool to help mobile companies target smartphone users while also allowing users to opt out of in-app advertising.

ONLINE PRIVACY—UK

ICC UK Releases Cookie Guide (April 4, 2012)

The International Chamber of Commerce UK has released a cookie guide designed to help organizations comply with new EU cookies rules. The guide aims to "give practical recipes to website operators so they can provide users with information in language they can understand and enable users to make an informed choice," says Gabriel Voisin of Bird & Bird, adding, "As the ICO deadline for compliance is coming up (May 25), this guide should be viewed by website operators as an additional opportunity to address the issue." David Evans of the UK Information Commissioner's Office describes the guidance as "a good starting point from which (organizations) can work towards full compliance."

SURVEILLANCE—UK

New Gov’t Surveillance Powers Raise Concerns (April 3, 2012)

The Information Commissioner's Office (ICO), British lawmakers and privacy advocates are raising concerns that a proposed expansion of government surveillance powers will be an invasion of citizens' privacy. The proposed plan, to be introduced later this year, would require ISPs to install monitoring hardware, which would allow the Government Communications Headquarters to examine the communications of any British citizen--including e-mails, phone calls and websites visited--without a warrant. Police and other intelligence authorities would also be able to access the data, The Telegraph reports. The ICO said the "case still needs to be made" for the proposed plan, and the move would be a "step change in the relationship between the citizen and the state."

PRIVACY LAW—EU & HUNGARY

Disputed DPA Law Amended (April 3, 2012)

A state news service has said that Hungary has amended its "disputed bill on the data protection agency (DPA) to bring the law in line with European Union recommendations," Bloomberg reports. "The amendment strengthens the agency's independence and curbs the power of the president and the prime minister to dismiss the head of the institution," news service MTI has reported. The announcement comes amidst infringement procedures the EU started against Hungary over multiple pieces of legislation. Politics.hu reports the government presented its official response to the European Commission last Friday.

PRIVACY LAW—EU & IRELAND

Student To Bring Facebook Concerns to EC (April 3, 2012)

The student who challenged Facebook's data collection policies may complain to the European Commission that Ireland's Office of the Data Protection Commissioner (DPC) has not yet brought the site into compliance, The Irish Times reports. Max Schrems is "also considering a case in the Irish courts" over the social network's data collection policies. In December, the DPC "issued a report and to-do list to make Facebook compliant before a second audit in July," with Facebook working toward "simpler explanations of its privacy policies" by March 31. A DPC official has said that while that deadline was not met, Facebook is "very engaged, I'm seeing a lot of effort and response."

BIOMETRICS

The Rise of Voice Recognition Technology (April 2, 2012)

The New York Times reports on voice recognition technology developed by Nuance Communications. Going beyond dictation, the new technology can extract meaning from and respond to human voice commands and, in addition to computers, could be featured in common household appliances. Privacy advocates worry that the biometric identifier will leave a digital trail for more data mining. The company says its system recognizes individuals' voices by unique codes, not by consumers' names, and its privacy policy states that it only uses consumers' voice data to improve its internal systems. The FTC's David Vladeck said, "Just as we are concerned about the possible applications of facial recognition, there are other forms of biometric identification, like voice, that pose the same kind of problems." (Registration may be required to access this story.)