European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

EMPLOYEE PRIVACY

Companies Plan Social Network Monitoring Programs (May 31, 2012)

Research firm Gartner says digital surveillance in the workplace is on the rise, ZDNet reports. Companies are aiming to increase their watch on employees' social networking use, Gartner says, and about 60 percent of corporations will have programs in place to monitor accounts for security breaches and data leaks by 2015. But there are risks of going too far, the report states, such as if an employer were to visit a Facebook page to review an employee's sexuality or marriage status. Meanwhile, CBR also reports on employers' social network monitoring, citing U.S. lawmakers' proposed legislation on the matter and a lack of clarity when it comes to UK laws.
Full Story

DATA RETENTION—GERMANY & EU

EC To Refer Germany to European Court of Justice (May 30, 2012)
The European Commission plans to refer Germany to the European Court of Justice (ECJ) for not implementing a telecommunications data retention policy in line with the data retention directive, Reuters reports. The directive mandates that all 27 EU member states implement policies obliging telecommunications companies to retain user data for at least six months in order to aid law enforcement authorities in tracking "serious crime." In 2010, Germany's highest court rejected the German government's data retention proposal because it was a "particularly deep intrusion into telecommunications privacy." A referral to the ECJ is the final stage in infringement proceedings and can result in a fine.

PRIVACY LAW—EU

Source: Five Member States To Face Court Action (May 30, 2012)

A European Commission official has said EU regulators are planning legal action against the Netherlands, Portugal, Belgium, Poland and Slovenia "for not implementing new telecoms rules aimed at protecting users' privacy online," Reuters reports. EU countries had until May 25 of last year to adopt the rules, which include the requirement to obtain consent from users before cookies are stored on their devices. The official declined to be identified, the report states, but the commission is expected to formally announce its decision to take the five member states to court this week.
Full Story

PRIVACY LAW—UK

Cookie Law In Effect, ICO Backs Implied Consent (May 29, 2012)
The UK's date to begin enforcement of the cookie directive went into force on Saturday, hours after the Information Commissioner's Office (ICO) released updated cookie guidance. The Guardian reports the new ICO advice states implied consent is a valid form of user consent. One privacy law expert said, "This is a striking shift...Previously the ICO said that implied consent would be unlikely to work." Since activating a cookie complaint mechanism on its website, the ICO has received at least 64 separate complaints about potential violations. Meanwhile, the European Commission has said that its own website should comply with cookie laws.

PRIVACY LAW

Some Authorities Push Ahead, Others Back Off Google Inquiries (May 29, 2012)

Bloomberg reports Google may face further action from the UK Information Commissioner's Office following the U.S. Federal Communications Commission (FCC) report on Google's Street View data collection practices. Australian Privacy Commissioner Timothy Pilgrim, however, says his office will not launch a second investigation after examining the FCC report. Meanwhile, two U.S. legislators have called on the U.S. Justice Department to consider looking further into the matter. "Previous statements and testimony from Google indicated that the privacy violation was unintentional, but a recent investigation by the Federal Communications Commission casts doubt on those statements," said Reps. John Barrow (D-GA) and Frank Pallone (D-NJ).
Full Story

ONLINE PRIVACY—GERMANY

“Streetside” Service Goes Offline After Complaints (May 25, 2012)

Microsoft has taken its Bing Streetside service offline in Germany after receiving complaints from residents "about how Microsoft handles requests for blurring of images," IDG News Service reports. In a statement, the company said it has made photos inaccessible while it evaluates the complaints and considers a solution. A Microsoft spokesman has said he cannot predict "when or if the service will be reinstated" but noted the complaints were not initiated by data protection agencies. "These are single incidents," he said, but did not disclose the number of complaints Microsoft received, the report states.
Full Story

HEALTHCARE PRIVACY—UK

DoH Document Calls for EHRs, Admits Re-ID Possible (May 25, 2012)

The Department of Health (DoH) has published a new health-sector strategy that calls for better data sharing and for all electronic health records (EHRs) to be available online by 2015, Out-Law.com reports, but the document admits that anonymisation of data may not prevent reidentification. "Although publically available datasets will always be anonymised," the document states, "there can be a risk of 'jigsaw' identification."
Full Story


PRIVACY LAW—KAZAKHSTAN

Personal Information Bill Raises Privacy Concerns (May 25, 2012)

RadioFreeEurope reports that Kazakhstan's parliament has initiated discussion about a draft law that would allow law enforcement agencies to collect sensitive information about its citizens. Called "Personal Information," the bill is raising concerns among privacy advocates because it would allow agents to obtain citizen data such as marital status, assets, fingerprints and eye scans, the report states.
Full Story


MOBILE PRIVACY—IRELAND

Rise In Gov’t Interception of Communications Data (May 25, 2012)

An investigative report in the Irish Examiner reveals Gardai and other officials are accessing "record levels" of private landline, mobile phone and Internet records. According to numbers released by the Department of Justice, authorities accessed more than 40 private communications per day in 2010, compared with 31 per day the year prior, the report states. Additionally, almost 15,000 requests were made for telecoms to hand over communications data. The report also discusses the use of tracking devices to detect illegal smuggling.
Full Story


MOBILE PRIVACY—UK

Police Data-Extraction Technology Raises Concerns (May 25, 2012)

London's Metropolitan Police (Met) have said their mobile phone data-extraction technology meets privacy regulations, Out-Law.com reports. Met officials say the technology is only used in special circumstances and stored for as long as can be justified in accordance with Met guidelines. A statement from the Met says the technology "is only used to analyse phones of people in police custody." Saying the Met's plans violate data retention laws, Big Brother Watch has filed a complaint with the Information Commissioner's Office.
Full Story


PERSONAL PRIVACY—EU

EC To Propose e-Identity Agenda (May 25, 2012)

The European Commission (EC) is planning to propose legislation that would promote the use of electronic identities across the EU, EurActiv.com reports. This June, EU Digital Agenda Commissioner Neelie Kroes plans to introduce legislation "to facilitate cross-border electronic transactions" by implementing harmonised e-signatures, e-identities and electronic authentication services (eIAS) throughout the EU, the report states. "A clear regulatory environment for eIAS would boost user convenience, trust and confidence in the digital world," an EC document reportedly states. "This will increase the availability of cross-border and cross-sector eIAS and stimulate the take-up of cross-border electronic transactions in all sectors."
Full Story


CLOUD COMPUTING—U.S. & EU

U.S. Anti-Terror vs. Directive Creates “Stumbling Block” (May 25, 2012)

Financial Times reports on the differing privacy approaches taken by the U.S. and EU and their effect on cloud-based services. U.S.-based cloud providers, because of the USA PATRIOT Act, cannot guarantee to EU-based companies that data will not leave Europe--a violation of the EU's data protection directive. A representative from Taylor Wessing said, "This is a big stumbling block...When data need to move outside the EU, then the data protection law framework and its rights and protections have to follow." Obama administration officials have suggested that European concerns about U.S. anti-terror laws are a "red herring" and amount to "digital protectionism" for EU-based cloud providers, and, according to a recent study, the law does not give the U.S. special access to cloud data. (Registration may be required to access this story.)
Full Story



PRIVACY—IRELAND

Opinion: “Privacy Is Dead” Debate Needs To Start Now (May 25, 2012)

In a column for siliconrepublic, John Kennedy writes, "in the past decade and over the next 10 years, our notions of privacy and what constitutes privacy and safety will have become so distorted that the time is now to debate what it really means." Kennedy notes that the "conundrum we find ourselves at in 2012" is one where, on the one hand, we voluntarily share personal information on social media but "recoil in horror" if our private data is used by business, government or criminals.
Full Story

SOCIAL NETWORKING—EU

Users May Get a Vote on Facebook Policies (May 25, 2012)

Following a campaign to collect comments about Facebook's proposed amendments to its data use policy, the company may be required to allow users to vote on the matter. Facebook's "Statement of Rights and Responsibilities" requires the company to allow a vote if 7,000 users comment, reports Out-Law.com . Facebook's proposed changes drew 47,824 user comments, some of which call for opt-in data uses. The complaints follow the Office of the Irish Data Protection Commissioner's audit of Facebook Ireland's privacy practices last year and its subsequent request that the company make changes to how it uses and stores customer data.
Full Story


PRIVACY LAW—EU & U.S.

CNIL Sends Google Fresh Privacy Policy Questions (May 24, 2012)
French data protection authority CNIL has sent additional questions to Google about its new privacy policy, according to a press release. Noting the company's answers are "often incomplete or approximate," the CNIL has given Google until June 8 to answer the questionnaire. According to the statement, "the CNIL considers it impossible to know Google's processings of personal data, as well as the links between collected data, purposes and recipients, and that the obligation of information of the data subjects is not respected." The CNIL's president noted, "All options are on the table." Google Privacy Counsel Peter Fleischer said the company is "confident that our privacy notices respect the requirements of European data protection laws."

PRIVACY LAW

International DPAs Meet on Enforcement (May 24, 2012)

A dozen privacy enforcement authorities from around the world met at a two-day event in Montreal last week to explore ways to cooperate on enforcement. In this exclusive for The Privacy Advisor, Sophie Paluck-Bastien reports on the efforts of the temporary working group formed under the Resolution on Privacy Enforcement Co-ordination at the International Level adopted at the 33rd International Conference of Data Protection and Privacy Commissioners last year. "The group agreed that there is nothing to be gained from a dozen authorities investigating the same incident in silos and everything to be gained from them using their limited resources in a concerted fashion," Paluck-Bastien writes.
Full Story

CHILDREN’S PRIVACY—GERMANY

Court Weighs Freedom of Expression vs. Privacy Rights (May 24, 2012)

Germany's highest court has ruled that lower courts took "too narrow and simplistic" a view of children's privacy rights in a case involving a celebrity's two children, Out-Law.com reports. In the case, an online publisher reported that the two children had been involved in acts of vandalism. The Federal Constitutional Court ruled that lower courts "misunderstood" the media's right to freedom of expression when considering the "personality rights" of the two children, and, the report states, the courts gave "an unjustified precedence to the value of children's privacy rights..." A German district court will re-evaluate the case.
Full Story

FINANCIAL PRIVACY—IRELAND

Survey: Banks Violating Consumer Protection Laws (May 24, 2012)

According to a new survey, banks are breaking consumer protection laws by monitoring account transactions and using the information to sell products, The Irish Times reports. The Professional Insurance Brokers' Association (PIBA), which released the survey this week, recently met with the data protection commissioner to discuss the matter. "These are illegal practices. The banks are flagrantly violating consumer protection laws and pressurizing consumers who feel they have little choice because their credit facilities could be curtailed or withdrawn," said PIBA's chief executive.
Full Story

BIG DATA

Kaspersky: Too Much Data Is Collected (May 23, 2012)

Speaking at a conference this week, Kaspersky Lab CEO Eugene Kaspersky warned that too much data is being collected about individuals, COMPUTERWORLD reports. "We can forget about privacy," he said, adding, "There's no privacy anymore." Kaspersky said the increased use of CCTV and online tracking makes it "a national security issue," and argues that this kind of "data can be used not just against people but against nations." The IT security expert advocated for regulation. "We should make it forbidden to collect so much information about you," Kaspersky said.
Full Story

DATA LOSS—UK

Poor Staff Training Cited in ICO’s £90,000 NHS Fine (May 22, 2012)
The Central London community healthcare trust has been fined £90,000 by the Information Commissioner's Office (ICO) for sending sensitive medical data on 59 patients via fax to the incorrect recipient, The Guardian reports. The faxes were meant for another hospital but were repeatedly sent to an unidentified individual. The ICO said, "The fact that this information was sent to the wrong recipient for three months without anyone noticing makes this case all the more worrying." The ICO said the trust did not have enough mitigating checks in place and was not adequately training staff on data protection issues.

PRIVACY LAW—UK

ICO To Publish List of Cookie Law Offenders (May 22, 2012)

Out-Law.com reports European privacy watchdogs have not agreed on a single approach to enforcement of new cookie laws, according to UK Deputy Information Commissioner David Smith. Smith said the Information Commissioner's Office would not immediately penalize companies who are noncompliant when the UK's new cookie law comes into effect at the end of this month as long as those companies have begun auditing their use of cookies, the report states. The office will publish a list of 50 websites to receive a warning letter from the ICO for noncompliance, however. Smith said that "big multinational users will feature there."
Full Story

PRIVACY

Regulator Says Facebook Model Could “Implode” (May 21, 2012)

The Washington Post reports on provocative comments from the data protection commissioner for the northern German state of Schleswig-Holstein that if European privacy authorities have their way, "Facebook's business model will implode." The regulator says the site's $38 starting share price is "based on practices that breach European privacy rules," the report states. Meanwhile, a U.S. law firm announced it has combined 21 privacy lawsuits against the company into one class-action suit, CNET News reports. The Stewarts Law US suit asks for $15 billion from the company for allegedly violating user privacy by tracking them on the Web. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

Gov’t Websites Expected To Miss Cookie Deadline (May 17, 2012)

According to the Cabinet Office, most government department websites will not be in compliance with the new cookie laws by the 26 May deadline, reports ZDNet UK. A Cabinet Office spokesman told the BBC, "As in the private sector, where it is estimated that very few websites will be compliant by 26 May, so it is true of the government estate." In a statement, the Cabinet Office said the departments are “actively working to achieve compliance,” and Information Commissioner Christopher Graham has said his office will not be asking “'Who can we menace?' but, where we need to take regulatory action, the key thing is--well, what have you done?" Editor’s Note: For more on this topic see the IAPP web conference “Cookie Consent: How To Avoid Half-Baked Compliance.”
Full Story

PRIVACY LAW

CNIL To Sit Down with Google (May 17, 2012)
French data protection authority CNIL has scheduled a meeting with Google to more closely examine changes to the company's privacy policy, BBC News reports. The company consolidated its 60 privacy policies into one in March, prompting the CNIL to ask questions on the legality of the move and on how user data would be shared. The CNIL says it was not satisfied with the company's answers and wants to "untangle the precise way that specific personal data is being used for individual services and examine what the benefit for the consumer really is," said CNIL's president.

DATA PROTECTION—ESTONIA

Inspectorate: Data Use Complaints On The Rise (May 17, 2012)

The Data Protection Inspectorate reports that the number of complaints over misuse of personal data has increased sevenfold in the last five years, according to Estonian Public Broadcasting. In 2007, there were 110 registered complaints, while last year there were 818. The majority of reports were based on misuse of population registry data, the report states. The authority says people’s awareness of the importance of data protection is also increasing, however, and talks with the interior ministry are bringing results.
Full Story

DATA PROTECTION—UK

Probe Exposes Investigators’ Tactics (May 17, 2012)

A news agency’s report has found private investigators can access highly personal and sensitive information stored in secured government databases, The Guardian reports. A Channel 4 progamme revealed that a London firm of detectives sold individuals’ personal data, including bank accounts, benefit claims and a national insurance number, the report states. Undercover reporters also recorded a Crown Intelligence private investigator disclosing medical details and, on “several occasions, the investigator provided information for payment that appears to be covered by the Data Protection Act,” the report states. The Information Commissioner's Office is now investigating the allegations.
Full Story

DATA LOSS—UK

ICO Fines Council, Lawyers (May 17, 2012)

For the second time in two years, the Information Commissioner’s Office (ICO) has taken action against Barnet Council. Most recently, the ICO fined the council £70,000 for losing information--including names, addresses, dates of birth and other details--relating to young children, Computer Business Review reports. An employee brought the records home and was later the victim of a burglary. In June 2010, the council signed an undertaking to improve data protection practices following a breach. Meanwhile, the ICO has also fined lawyers for the Financial Services Compensation Scheme for violating the law.
Full Story

MOBILE PRIVACY—UK

Police Extracting Suspects’ Mobile Phone Data (May 17, 2012)

BBC News reports that police in 16 London boroughs are using new technology that extracts data from suspects’ mobile phones, and the data is retained regardless of whether charges are brought against the suspects. A Met Police spokesman said “a solution located within the boroughs that enables trained officers to examine devices and gives immediate access to the data in that handset" will expedite the former process of sending devices that may have been used in criminal activity to the digital forensic laboratory for analysis. The system allows officers to connect mobiles to “purpose built terminals” that can save and produce a printout of data including call history, texts and contacts, the report states.
Full Story

BIOMETRICS—EU

Working Party Issues Opinion on Biometric Data (May 17, 2012)

The Article 29 Data Protection Working Party has issued an opinion on biometric technologies, identifying and offering guidance on how to mitigate risks when it comes to data subjects' data protection and privacy. Technological advances have allowed for cheaper storage and analysis of biometric data, including fingerprints, vein patterns and DNA. A lack of appropriate safeguards can put the data subject at risk, however, and some technologies could allow for the collection of biometric data without consent, the opinion states.
Full Story

SOCIAL NETWORKING

Facebook Clarifies Changes on Updated Policy (May 17, 2012)

Forbes reports on changes being made to Facebook's data-use policy, including how it reserves the right to serve ads to users outside of Facebook and a clarification on how long it keeps user data received from advertisers and third parties. Users can provide feedback on the site. The updated policy also provides explanations on how cookies work on the site, what data developers receive when a user downloads an app and what the company does with users' data after deleting an account. Sarah A. Downey, an online privacy analyst at Abine, says users' expectations have changed. "The assumption in 2004 was that people wanted to be private and would set things to public," she said. "Now, Facebook assumes that all activity will be public."
Full Story
 

ONLINE PRIVACY—UK

Survey: Most Users Comfortable with Cookies (May 17, 2012)

A survey has found nearly half of UK Internet users approve of advertisers tracking their online activity, Out-Law.com reports. The Internet Advertising Bureau and ValueClick survey found that 45 percent of the 2,001 Internet users surveyed, age 16 and up, said they were “happy for advertisers to track their online behaviour in order to deliver personalised ads,” the report states. Eighty-nine percent said they want control of their personal data, but 28 percent said they are “happy for Internet businesses to store and share their personal data” as long as the firms are transparent about data use.
Full Story

DATA PROTECTION—IRELAND

Hawkes To Speak at Digital Rights Forum Today (May 17, 2012)

The Irish Times reports Data Protection Commissioner Billy Hawkes will participate in today’s Digital Rights Forum. Hawkes will join Tom Murphy of Boards.ie and cyber-threat advisor Paul Dwyer for the public debate to address online privacy. The event will be live streamed on The Digital Rights Forum website.
Full Story

MOBILE PRIVACY

Security, Sharing Concerns Persist (May 11, 2012)

A NetworkWorld report looks at the "Trusted Mobility Index" survey of more than 4,000 IT professionals and mobile users in the U.S., UK, Germany, China and Japan who reported "abundant use of mobile devices but profound concerns about security and how employee-owned devices ought to be used for business purposes." Meanwhile, a survey for Intel Corporation on "mobile etiquette and digital sharing showed that 90 percent of Americans think too much is being divulged and nearly half feel overwhelmed by all the all the data that is out there."
Full Story

FINANCIAL PRIVACY—FRANCE

CNIL Investigating Contactless Bank Cards (May 11, 2012)

The French data protection authority (CNIL) has begun an investigation into the security of contactless bank cards, Telecompaper reports. The investigation will look at security problems when it comes to near field communication (NFC) technology and any resulting implications on privacy following recent press reports on the matter. "Recent tests reportedly found that NFC payment cards distributed by certain banks could communicate information about their carriers and their transactions over several meters," the report states.
Full Story

PRIVACY LAW—EU

Working Party Releases Draft Agenda (May 11, 2012)

The EU Article 29 Data Protection Working Party has released a draft agenda for its meeting next month in Brussels, Belgium. The main topics that will be discussed include the cloud computing draft opinion; the Binding Corporate Rules for processors draft opinion; a future opinion on purpose limitation; pretrial discovery; European investigation order, and developments on the draft data protection directive.
Full Story

PRIVACY LAW—UK

Queen Details Communications Bill, Promises “Strict Safeguards” (May 10, 2012)
In her speech this week, Queen Elizabeth announced plans to move forward with the draft Communications Data Bill, which would give the government access to citizens' communications data including the telephone numbers and e-mail addresses of contacts and the time and duration of communications, reports Out-Law.com. Under the bill, communications service providers would be required to hold data for one year and make it available to authorities "under strict safeguards to protect the public," Her Majesty said. Information Commissioner Christopher Graham noted some "core decisions" related to privacy have not yet been made, saying his role is to "look at the details and suggest where there need to be changes." Privacy advocates are voicing concerns over the bill.

PRIVACY LAW—EU

Kroes Spokesman: ACTA No Longer a “Political Reality” (May 10, 2012)

A spokesman for European Commissioner for the Digital Agenda Neelie Kroes said the “political reality” surrounding the Anti-Counterfeiting Trade Agreement (ACTA) makes the bill’s passage unlikely, The Wall Street Journal reports. Speaking at a conference in Berlin, Kroes said, “We are now likely to be in a world without SOPA and without ACTA.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Commission, MEP React to ECJ Judgement (May 10, 2012)

EUobserver reports on the European Commission and EU governments “seeking to crack down on the rules granting access to their internal documents despite a ruling by the European Court of Justice calling on them to release legal opinions drafted by the EU Council's legal service.” Last week’s ruling stemmed from a dispute between MEP Sophie in't Veld and the European Council regarding the SWIFT agreement on the transfer of financial data. “It is a step forward for transparency in Europe that the General Court makes it clear that negotiations on international agreements are not automatically exempt from EU transparency rules,” in ‘t Veld said following the 4 May ruling.
Full Story

ONLINE PRIVACY—EU

U.S. Report Could Impact EU Investigation (May 10, 2012)

The U.S. Federal Communications Commission (FCC) report on Google in the wake of data collection concerns involving the company’s Street View program could have implications for an unrelated investigation in the EU, the European Voice reports. “The report focused on privacy issues, while an ongoing EU investigation is limited to competition rules,” the report states, suggesting, however, that the FCC report could add “to the significance of concerns about Google's use of its power and technologies.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EUROPE

DPAs Discuss EU Reforms (May 10, 2012)

According to a Spring Conference of the European Data Protection Commissioners press release, data protection authorities (DPAs) discussed developments in the EU’s data protection framework reforms. Key aims welcomed by the DPAs include clarification of individual rights; data controller and processor accountability; reduced administrative burdens, and independent DPAs.
Full Story

DATA THEFT—BELGIUM

Hackers Breach Credit Provider (May 10, 2012)

eWeek.com reports that Belgian credit provider Elantis has experienced a breach of some of its online loan applications. A hacker group has threatened to publish the unencrypted data--including names, job descriptions and income information--if the company does not pay the group €150,000, the report states. The company has said it will not meet the hackers’ demands.
Full Story

ONLINE PRIVACY—UK

Study: Citizens Concerned About Privacy on Gov’t Sites (May 10, 2012)

A study conducted by Accenture has revealed that while a majority of UK citizens studied say they access government services digitally, a third are concerned about handing over their personal data. The study surveyed 200 people, and one-third pointed to the concern that government will have “too much” of their personal data as the biggest barrier to increased digital interaction. Mark Lyons of Accenture said citizens tend to use government websites to conduct routine business and they want more access to services, asserting that governments need to change the way they deliver services.
Full Story

DATA LOSS—UK

Council, Housing Association Expose Personal Information (May 10, 2012)

The Information Commissioner’s Office plans to investigate Kingston Council for a data breach that occurred when more than 100 rent statements were sent to the wrong addresses, reports This Is Local London. The statements included housing benefits entitlements, the name of each tenant’s bank and rent account number. The council has apologised and plans to review its mailing system. Meanwhile, Hornsey Housing Trust revealed in a freedom of information request a complainant’s personal information to the neighbor about whom he filed the complaint.
Full Story

PRIVACY LAW—UK

Opinion: Protection of Freedoms Act Needs Closer Scrutiny (May 10, 2012)

According to a computing.co.uk op-ed, the Protection of Freedoms Act 2012, which received Royal Assent on 1 May, has some contentious measures that “demand closer scrutiny.” While the act expands the scope of the Freedom of Information Act and requires authorities to destroy DNA and fingerprint evidence from suspects with no previous convictions after three years, another clause states this data can be “retained for as long as a national security determination made by the responsible chief officer of police has effect in relation to it." Parliament’s Human Rights Joint Committee reviewed the act and recommended that without “further justification or additional safeguards,” these measures be removed.
Full Story

CLOUD COMPUTING—EU

Working Group Releases Working Paper on Cloud Privacy (May 8, 2012)

The International Working Group on Data Protection in Telecommunications has issued a working paper on privacy and data protection issues related to cloud computing, Hunton & Williams' Privacy and Information Security Law Blog reports. Led by the Berlin commissioner for data protection and freedom of information, the working paper attempts to limit uncertainty around the definition of cloud computing, the report states, and lays out best practices and guidance to reduce risks as well as promote accountability and appropriate governance. The paper also recommends technical safeguards, cloud service agreements and impact and risk assessments, and it discusses the legal requirements toward data subjects, among others.
Full Story

SOCIAL NETWORKING

Facebook Privacy Back in the News (May 7, 2012)

As Facebook prepares to take its stock public this month, "user privacy will have to be a major consideration for potential investors," The Washington Post reports. The company said in its recent U.S. Securities and Exchange Commission filing that changes in user sentiment about its "privacy and sharing," could have a negative impact. POLITICO reports on actions the company has taken in order to navigate through privacy issues. Meanwhile, a survey recently found that users are concerned with the site's "Timeline" feature, which automatically opts users in, and privacy concerns have been raised about the newest version of Facebook Messenger. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—EU & U.S.

Regulator Discusses Europe’s Privacy Approach (May 4, 2012)

In an interview with the San Francisco Chronicle, Dutch Data Protection Authority and Article 29 Working Party Chairman Jacob Kohnstamm discusses the European view of privacy, the current do-not-track debate and the status of the European Commission's proposed data protection framework. When asked about the "right to be forgotten," Kohnstamm said that, "fundamentally, behind the principle of the right to be forgotten is this idea that you shouldn't judge a child on its childish behaviour 20 years later." Kohnstamm has recently spoken out to several large Internet companies to respect European privacy regulations.
Full Story

PRIVACY LAW

Article 29 Working Party May Reopen Inquiries (May 4, 2012)

European regulators say they may reopen inquiries into Google's Street View project following the release of a U.S. Federal Communications Commission (FCC) report, The New York Times reports. Regulators in the UK, Germany and France may take action. Johannes Caspar, Hamburg's data protection commissioner, says the FCC report's revelations will have a big impact. "This is apparently a totally different situation than what we thought initially," he said, adding that it's time for data protection authorities worldwide to hold the company accountable. The Article 29 Working Party says it plans to meet next week to discuss the allegations. Questions have recently been raised about the role of data privacy within data-driven organisations. (Registration may be required to access this story.)
Full Story

CHILDREN’S PRIVACY - EU

EC Unveils Strategy For Protection of Children (May 4, 2012)

EU officials are calling on industry to better protect children in the online environment, EUobserver reports. The European Commission this week unveiled its "European strategy for a better Internet for Children," which proposes the IT industry develop age-appropriate privacy settings among other mechanisms to improve kids' online safety, the report states. The commission says binding legislation would be proposed in the absence of self-regulation. Introducing the strategy this week, Commissioners Viviane Reding, Neelie Kroes and Cecilia Malmström also urged industry to implement data protection rules.
Full Story

PRIVACY LAW—EU

Reding Speaks to European DPAs; Biz Groups Write Letter (May 4, 2012)

EU Justice Commissioner Viviane Reding spoke in Luxembourg this week at the Spring Conference of the European data protection authorities. Her speech focused on proposed reforms to the EU data protection framework and provided examples of the "advantages the reform will bring for individuals." The speech also highlighted the need for "strong and independent data protection authorities," which are "the bedrock of the EU's data protection reform." Meanwhile, in an open letter to EU ministers, five trade and business groups said the proposed EU framework would "stifle growth and innovation in the UK."
Full Story

ONLINE PRIVACY—FRANCE

CNIL Reissues, Clarifies Cookie Guidance (May 4, 2012)

France's data protection authority (CNIL) has released an updated version of its guidance on cookies, Bird & Bird reports. No consent will be necessary for some categories of analytic cookies if certain specified conditions are met, but, according to the report, CNIL could change its position depending on the stance taken by the Article 29 Working Party. The revised guidance also provides two consent language templates, including one for third-party advertising providers and one for social networking platforms.
Full Story

ONLINE PRIVACY—EU & U.S.

EU Regulator Pressures U.S. Tech Companies (May 4, 2012)

While touring Silicon Valley, Jacob Kohnstamm, chairman of the EU's data protection regulatory group, warned that U.S. tech companies should respect European privacy regulations or face the consequences, adding, "Enforcement actions will be taken against them," NPR reports. Kohnstamm says European users should be able to prevent websites from tracking them online. "To say American companies rule this world could be a very dangerous sort of thinking," said Kohnstamm. The Digital Advertising Alliance's Stu Ingis said, "I can tell you as somebody who's around these companies every day that they're creating untold benefits to both our economy and to consumers, and it'd be a shame if the Europeans want to limit those benefits."
Full Story

DATA LOSS—UK

ICO To Aggregate, Analyse Private-Sector Breach Complaints (May 4, 2012)

In an attempt to balance public- and private-sector fines for data breaches, the Information Commissioner's Office (ICO) says it will begin aggregating complaints about private-sector organisations, ZDNet reports. Information Commissioner Christopher Graham said, "The next phase for us is to make more sophisticated use of all the information we get in from consumer complaints" and to analyse it with the purpose of spotting the "serial offenders, which would build the case for action on more occasions in the private sector." Graham added that for private companies "it's a much bigger deal" than it is for public-sector entities "because they lose consumer confidence--there's a real hit to the bottom line." Meanwhile, the ICO is investigating an incident potentially affecting 51 individuals.
Full Story

SOCIAL NETWORKING

Organ Donation Feature Garners Applause and Warnings (May 4, 2012)

The announcement of Facebook's new feature allowing people to add organ donation status to their profiles has some lawmakers and organ donation advocates lauding the company, but Deven McGraw of the U.S. Center for Democracy and Technology warns that medical information on Facebook isn't protected under healthcare privacy laws, noting, "The sensitivity of health information underscores the need for there to be some baseline regulations on privacy protection to guard people." While one expert says a Facebook declaration is legal, questions remain, and privacy settings mean doctors may need to gain access to users' donation preference.
Full Story

PRIVACY LAW—EU & SPAIN

Opinion: New EU Framework Good for Data Processors (May 2, 2012)

In a Privacy and Information Law Blog post, Nuria Pastor reasons that the new EU draft data protection framework is "good news" because "data processors have finally been given a voice." Pastor adds that "Binding Safe Processors Rules are the obvious next step for global data processors," but some European-based processors will not have to wait long. The Spanish data protection authority recently drafted proposed model clauses "that will allow data processors in Spain to engage sub-processors outside" the European Economic Area (EEA). By providing a more flexible mechanism to cover processor-to-processor exports, these new model clauses could "eliminate some of the regulatory barriers that place EU processors at a competitive disadvantage with their non-EEA competitors."  
Full Story