European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Council of Ministers Proposes “Personal Data” Revision (June 28, 2012)

The EU Council of Ministers has proposed an amendment to the European Commission’s draft General Data Protection Regulation that would redefine what constitutes personal data, Out-Law.com reports. According to the proposed revision, “If identification requires a disproportionate amount of time, effort or material resources, the natural living person shall not be considered identifiable.” The council also proposed an amendment to the scope of when the regulation would apply to information, the report states.

ONLINE PRIVACY—IRELAND

Facebook, LinkedIn “Beefing Up” Privacy Teams (June 28, 2012)

Reuters reports on moves by Facebook and LinkedIn to strengthen their privacy and compliance teams. Following Facebook’s agreement in December to revamp its privacy protection for international users in the wake of concerns from Ireland’s Office of the Data Protection Commissioner (DPC), Deputy DPC Gary Davies said, "They're beefing up their privacy functions in Ireland by bringing in people who've taken a lead in the U.S.” Meanwhile, in the wake of a recent breach currently under investigation by the DPC, a LinkedIn spokeswoman said, “We are putting additional privacy resources in Ireland and moving one of our key directors to our International HQ in Dublin.”

PRIVACY LAW—HUNGARY

Deputy Prime Minister Questions Need for Infringement Proceedings (June 28, 2012)

Hungarian Deputy Prime Minister Tibor Navracsics says it’s “not clear why the European Commission insists on carrying through with infringement procedures against Hungary,” reports Politics.hu. The majority of the concerns raised with the retirement of judges and the data protection ombudsman have been resolved, Navracsics said this week, adding that the Court of Justice of the European Union will make a decision.

PRIVACY LAW—UK

Court: Police Photo Retention Policy Is Unlawful (June 28, 2012)

The High Court has ruled that retaining photographs taken of suspects on file is unlawful, Out-Law.com reports. The Metropolitan Police Service (The Met) policy contained “deficiencies” that provided the police with “a disproportionate right to retain photographs of previous suspects that were either never charged or had been acquitted of any offence for too long,” especially in cases involving children, the report states. The court said the practice “engages individuals’ privacy rights” but added The Met should have time to revise its policy. The case involved file photographs of two individuals--including a 15-year-old--on whom charges were never pursued.

PRIVACY LAW—EU & U.S.

Concerns Persist on EU-U.S. Data Sharing (June 28, 2012)

EUObserver reports that EU police agency Europol refuses to reveal an inspection report detailing how financial data is shared with U.S. authorities. Europol’s joint-supervisory body said last week that it “transfers bulk data on a daily basis to the U.S. Department of Treasury.” This follows an agreement adopted by the European Parliament in 2010 on the terrorist financing tracking program, which many MEPs thought would grant the U.S. only the data it required. Dutch Liberal MEP Sophie in’t Veld says, however, that two years later a system has not been implemented to filter out data. “The Americans want a needle, and we give them a haystack,” she said.

SURVEILLANCE—GERMANY

Drone Usage on the Rise (June 28, 2012)

Deutsche Welle reports on the rise of the use of drones in Germany and the privacy concerns it’s raising. Police have been using drones equipped with cameras to monitor soccer matches and protests, as well as in crimefighting efforts, the report states. And universities have been using them to conduct nature research. In May, a passage was added to the country’s Aviation Act stating companies had to take the federal data protection commissioner’s concerns about privacy into account, but “Nobody knows how they do this, or if they refuse, or if they are even aware of it,” said a Green Party spokesman.

CLOUD COMPUTING—FRANCE

CNIL Updates Recommendations (June 28, 2012)

The French data protection authority (CNIL) has updated its analysis on the legal framework concerning cloud computing services. The CNIL launched a public consultation on the topic at the end of 2011 in response to the cloud’s “strong growth over the past four years,” the agency says. It received 49 responses and says the legal framework “supports businesses that consider using cloud computing services, and particularly small- and medium-sized companies, by offering practical recommendations.”

PRIVACY—FRANCE

Opinion: The Diminishing Line Between Public and Private (June 28, 2012)

CNN’s Philippe Coste reports on the increasingly blurred line between the public and private lives of France’s elite class. Privacy laws in the country were generally created not because citizens were concerned about Big Brother, but because the elite class wanted to keep a safe distance from the electorate, Coste writes. Incidents such as accusations against the former director of the International Monetary Fund have allowed the press to “tip-toe around our strict privacy laws and question, for the first time, their cozy gentleman’s agreement with the powerful. Now what?” he asks.

FINANCIAL PRIVACY

Authorities Arrest Two Dozen for Computer Crimes (June 27, 2012)

The New York Times reports that authorities in 13 countries have arrested two dozen people accused of committing fraud involving computer crime. "Operation Card Shop" was a two-year effort, authorities said, and prevented potential losses of more than $200 million by notifying credit card providers of more than 400,000 compromised credit and debit cards. Janice Fedarcyk, assistant director of the U.S. Federal Bureau of Investigation, said the arrests would cause "significant disruption to the underground economy." Arrests took place in countries such as the U.S., UK, Bosnia, Bulgaria, Norway and Germany. (Registration may be required to access this story.)

PRIVACY

Hong Kong DPA Releases APPA Forum Highlights (June 27, 2012)

Hong Kong Office of the Privacy Commissioner for Personal Data has released a communiqué featuring highlights from the 37th Asia Pacific Privacy Authorities (APPA) forum. Participants, including government representatives from Australia, Canada, Korea, New Zealand and the U.S., discussed topics such as global privacy enforcement, Google's new privacy policy, information on public registers, smartphone apps, legal assistance to aggrieved data subjects and direct marketing regulation. Government representatives from Japan, Macao and Portugal joined the meeting as observers. Editor's note: The Privacy Advisor recently caught up with Hong Kong Privacy Commissioner for Personal Data Allan Chiang for a Q&A.

BEHAVIORAL TARGETING—UK

Supermarket To Target Shoppers By Wealth (June 26, 2012)

Daily Mail reports on moves announced by UK grocer Tesco to divide its loyalty card customers into "wealthy" and "poor" tiers in order to tailor its website to each shopper accordingly. Perceived wealthier shoppers may see ads for fine foods, while less wealthy consumers may see "Tesco's Value promotions." Company head Phil Clarke said, "We're now making changes to our UK website to highlight promotions that are relevant to the customer who is browsing the site," adding, "Using Clubcard data, we would show, for example, offers of our everyday Value range to price-sensitive customers, and offers of our Finest range to more upmarket customers."

ONLINE PRIVACY—EU

European Regulators Back DNT Feature (June 26, 2012)

COMPUTERWORLD reports that European regulators have urged the World Wide Web Consortium (W3C) to let Microsoft set users' do-not-track (DNT) features in its soon-to-be-released Internet Explorer 10 (IE10) browser. The European Commission (EC) also asked the W3C to require browser makers to showcase DNT options when users first install a browser. The head of the EC's Information Society and Media Directorate-General said, "The standard should foresee that at the install or first use of the browser, the owner should be informed of the importance of the DNT choice, told of the default setting and prompted or allowed to change that setting."

PRIVACY LAW—EU

Reding: Right To Be Forgotten Must Be Balanced (June 25, 2012)

In a speech last week, European Commissioner for Justice Viviane Reding discussed the right to be forgotten provision within the proposed EU Data Protection Regulation. The right to be forgotten “like the general right to privacy…needs to be reconciled with other rights protected by the EU Charter of Fundamental Rights,” said Reding. The European Parliament’s Economic and Social Committee has recommended the regulation be treated as a floor and not a ceiling, reports Hogan Lovells’ Chronicle of Data Protection. Meanwhile, Jeff Rosen recently opined that though the EU’s treatment of the right to be forgotten might go “overboard,” the threat of regulation may prompt companies to help empower users to clean up their online reputations. Editor’s Note: The Privacy Advisor recently caught up with Irish Data Protection Commissioner Billy Hawkes on the right to be forgotten in this article for the July/August edition

FINANCIAL PRIVACY

Nations Working Toward FATCA Implementation (June 22, 2012)

The U.S. has offered up a new model to Switzerland and Japan for implementing the Foreign Account Tax Compliance Act (FATCA)--a law that requires foreign financial institutions to disclose accounts to the U.S. Internal Revenue Service (IRS) or face fines, reports Bloomberg. In a joint statement, Switzerland and the U.S. have said they will work "to ensure the effective, efficient and proper implementation" of FATCA, reports The New York Times. The new model is in response to complaints from both the financial industry and privacy regulators who have said privacy laws may make implementing FATCA illegal. In February, France, Germany, Italy, Spain and the UK signed similar agreements.

ONLINE PRIVACY—UK

Google Responds to ICO Investigation (June 22, 2012)

Google has responded to the decision by the Information Commissioner's Office (ICO) to reopen its investigation into Street View's data collection practices, Out-Law.com reports, citing a letter from the ICO's Steve Eckersley raising "questions over the manipulation of information Google had provided for initial inspection by the ICO and the actual 'raw data' that had been collected." In response, Google Global Privacy Counsel Peter Fleischer wrote that the company had only used software to convert the raw data into "human-readable" form, noting that prior to the ICO's inspection, Google had "not viewed or analyzed the payload data on the hard drive used, and nor has it since."

PRIVACY LAW—EU

EU Lawmakers Vote Down ACTA (June 21, 2012)

The European Parliament's (EP) trade committee has voted down the international anti-piracy agreement ACTA, echoing the responses of the civil liberties, legal and industry committees--which all voted against it in May. Reuters reports that some legislators are calling this a signal that, for the first time since the 2008 increase in its powers, the EP will reject an international agreement. "This vote is the penultimate nail in ACTA's coffin," said one German politician in the legislature. ACTA goes up for a final parliamentary vote on 4 July.

PRIVACY LAW—EU

EDPS: Current Laws May Breach Data Protection Requirements (June 21, 2012)

Out-Law.com reports on an eight-page opinion from the European Data Protection Supervisor (EDPS) on provisions within the proposed EU Data Protection Framework that would require regulators issuing sanctions against companies and individuals that break financial services laws to publish details of those sanctions. "The EDPS is of the view that the provision on the mandatory publication of sanctions--as it is currently formulated--does not comply with the fundamental right to privacy and data protection," Assistant EDPS Giovanni Buttarelli wrote in the opinion, recommending the legislature “carefully assess the necessity of the proposed system” and determine whether less restrictive measures than publication could “attain the same objective."

PRIVACY LAW—SWEDEN

PTS Seeks Comments on Retention Guidelines (June 21, 2012)

The Swedish Post and Telecom Agency (PTS) is seeking comments on its proposals for the regulation of data retention. Telecompaper reports PTS’s regulations will address the technical and organisational actions surrounding storage, protection, authorisation and access of data held under the EU Data Retention Directive. PTS will also address what kind of compensation operators can receive for releasing the data. Comments will be accepted through 24 August.

DATA PROTECTION—UK

ICO Issues SME Guidance (June 21, 2012)

UK Information Commissioner Christopher Graham has launched a new guide aimed at helping small- and medium-sized businesses comply with data protection laws and avoid fines, reports Public Service UK. Noting that his office has already issued more than £1.5 million in penalties for failures to “take the necessary measures to keep peoples’ data secure,” Graham says this guide will help smaller organisations "significantly reduce the risks of a serious data loss and the reputational and financial damage that can result." The guide includes information on minimising the amount of data organisations store, updating systems and securing data in transit--as well as identifying problems.

ONLINE PRIVACY—THE NETHERLANDS

As Interconnectedness Grows, So Do Risks (June 21, 2012)

“The Internet of Things” offers convenience and efficiency by connecting everything to everything else; however, the more connected we are, the more at risk we become to privacy violations, among other things, reports Radio Netherlands Worldwide. “If something goes wrong, the damage is enormous,” says one security and privacy expert, adding, “That's no reason not to go ahead. We have to be aware of the risks. About 90 percent of the applications for this technology haven't even been thought of yet.”

DATA LOSS—UK

Councils Investigate Breach, Implement Policy (June 21, 2012)

The Peterborough City Council is investigating two breaches at its children’s services department involving the personal information and case details of a family receiving services from the organisation, reports the Peterborough Telegraph. An employee of the organisation e-mailed the details of a case to the wrong family and then, when sending an apology e-mail, included the 57 councillors, inadvertently sending the information to them as well. Meanwhile, BBC News reports that the Dumfries and Galloway Council--just one day after implementing a new data protection policy--has announced that an employee dropped a file containing confidential information in a car park. The file was recovered within 20 minutes. Deputy Council Leader Brian Collins said incidents like this are what prompted the policy change, noting, "Whilst such plans minimise the risk of a data breach, we can never eliminate human error entirely."

PRIVACY LAW—EU & U.S.

Reding, Holder Discuss Data Privacy Protection Agreement (June 21, 2012)

At the EU-U.S. Justice and Home Affairs Ministerial Meeting, European Commission Vice-President Viviane Reding and U.S. Attorney General Eric Holder released a joint statement highlighting their "determination to finalize negotiations on a comprehensive EU-U.S. data privacy and protection agreement that provides a high level of privacy protection for all individuals and thereby facilitates the exchange of data needed to fight crime and terrorism" and the progress made to date. Citing key principles including data security, transparency of data processing and data protection oversight, they added they will review progress at the 2013 ministerial meeting and "consider next steps to ensure the continued rapid advancement of the negotiations."

PRIVACY—EU

EDPS Releases Annual Report (June 21, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx and Assistant Supervisor Giovanni Buttarelli presented their annual report for 2011 to the European Parliament's Committee on Civil Liberties, Justice and Home Affairs on Wednesday, detailing actions in the past year and "efforts to push the effective protection of personal data." In advance of the report's release, Hustinx spoke on the need for "more effective and consistent data protection across the EU." The EDPS has signaled its main priorities for 2012 to include raising awareness, defining procedures, visits and inspections, technological developments and determining "the state of play for DPOs in EU institutions and bodies in order to provide support for the DPO function in line with the accountability principle."

ONLINE PRIVACY

Apple Obtains Online “Cloning” Patent (June 21, 2012)

Apple has been awarded a patent for a method of generating fake online identities, or "clone" identities, to thwart the online profiling of Internet users, reports InformationWeek. Apple received U.S. Department of Justice approval for the patent on Tuesday. Known as "Techniques to pollute electronic profiling," the patent describes how the clone identity "appears to be the principal to others that interact (with) or monitor the clone over the network," performing activities that would not reflect the interests of the real user. The patent calls automated online monitoring programs "little brothers" and says, "Even the most cautious Internet users are still being profiled over the Internet via dataveillance techniques from automated (little) brothers." Apple has not confirmed the acquisition.

PRIVACY LAW—EU & HUNGARY

Court Registers Infringement Procedures (June 20, 2012)

European Commission infringement procedures against Hungary were registered by the EU court on Monday, Politics.hu reports. One of the proceedings concerns the independence of Hungary's data protection authority. In April, the commission said that while Hungary had made progress, the premature ending of the previous data protection commissioner's term as part of the creation of a National Agency for Data Protection Hungary conflicted with EU laws, the report states. "The personal independence of a national data protection supervisor, which includes protection against removal from office during the term of office, is a key requirement of EU law," the commission said.

PRIVACY LAW—EU

Working Party Adopts Document on BCRs (June 20, 2012)

The Article 29 Working Party has adopted a working document on Binding Corporate Rules (BCRs) for Processors. The document includes a full checklist of requirements for processors and is designed both for companies and data protection authorities. The adoption is based on BCRs' success and the proposal to include BCRs for controllers and processors in the European Union's legal framework. The document's processor checklist includes the definition of what must be found in BCRs and what must be presented to data protection authorities during the application process. Next, the working party will develop a European coordination procedure on BCRs for processors.

PRIVACY LAW—UK

ICO Levies £225,000 Fine on Belfast Trust (June 20, 2012)

The Information Commissioner's Office (ICO) has fined the Belfast Health Trust £225,000 for failing to secure the sensitive information of Belvoir Park Cancer Hospital patients, UTV News reports. The files of 20,000 patients were discovered abandoned at the hospital, which closed in 2006. "The Trust failed to take appropriate action to keep the information secure, leaving sensitive information at a hospital site that was clearly no longer fit for purpose," said ICO Assistant Commissioner for Northern Ireland Ken MacDonald. "The severity of this penalty reflects the fact that this case involved the confidential and sensitive personal data of thousands of patients and staff being compromised."

PRIVACY LAW—EU & U.S.

Europe’s Regulations Offer a Glimpse at Similar Effects in U.S. (June 20, 2012)

While the U.S. debates enacting tougher privacy rules, "Europe offers a laboratory for studying their economic impact," reports MIT's Technology Review. Advertisers point to the effect European privacy rules have had on the region's €20.9 billion online advertising sector. And MIT's Catherine Tucker found in her 2010 study that within European countries that implemented the EU's 2002 e-Privacy Directive, online ads' efficacy dropped 65 percent. Additional research indicates European regulations have scared off investors--by 73 percent, estimates one expert. Others, however, have found the rules a boon to business.

SOCIAL NETWORKING

Facial Recognition Acquisition Spurs Privacy Concerns (June 19, 2012)

Facebook has announced the acquisition of its long-time vendor Face.com, the company that provides the technology for its photo tagging suggestion feature, reports Daily Mail. A Facebook spokesman said, "Face.com's technology has helped to provide the best photo experience. This transaction simply brings a world-class team and a long-time technology vendor in house." But the company's use of facial-recognition technology "has spurred concerns about user privacy," the report states. The deal means Facebook will acquire the technology and the 11 employees of the Israeli company.

SOCIAL NETWORKING

Experts: Privacy Is the Hitch with Age Verification (June 18, 2012)

The New York Times outlines the difficulties of identifying the ages of Internet users, noting "everyone--not only sex offenders--has an incentive to lie." Recent cases of adults masquerading as children on a social network aimed at 13- to 17-year-olds have the site looking for a better way to vet users, but those who've studied age verification technologies are not optimistic. In 2008, a task force was convened to examine ways to verify age, but danah boyd, co-director of the task force and Microsoft researcher, says the technologies "would not address any of the major safety issues we identified." Others note that the available options--such as a national identity database--are considered by many to be privacy violations. (Registration may be required to access this story.)

ONLINE PRIVACY—UK & U.S.

Study: Consumers Not Willing To Compromise on Privacy (June 15, 2012)

Edelman has released its sixth "Value & Engagement in the Era of Social Entertainment and Second Screens Survey" exploring consumer attitudes, behaviors and habits in the U.S. and UK. This year's study shows that Internet entertainment is growing but that many consumers are unlikely to use automatic notifications that share their viewing or reading habits on social media sites, reports The Wall Street Journal. "Over the past six years, privacy has always been the one factor that audiences are not willing to sacrifice," said Jon Hargreaves of Edelman Europe, noting that U.S. respondents were twice as likely to use these features as their British counterparts. "Social networks offer great opportunities to brands, but audiences want to remain in control and do not want to automatically share what they are viewing," said Gail Becker, also of Edelman. (Registration may be required to access this story.)

PRIVACY LAW—CZECH REPUBLIC

Parliament May Reintroduce Retention Directive (June 14, 2012)

PC World reports the Czech Parliament is considering reintroducing the Data Retention Directive, which was repealed by the nation’s constitutional court in March 2011 and has been deemed unconstitutional in some EU member states. The directive would see telecoms and ISPs collecting and retaining communications data for law enforcement purposes. Currently police have access to data kept for other purposes. One privacy advocate says that while police claim data retention is “more or less an essential tool,” a recent study contradicts that notion. The study showed that a tenfold drop in the number of information requests had “virtually no effect on the detection of crime,” said Jan Voboril with Iuridicum Remedium.

PRIVACY LAW—UK

Gov’t Mulls Proposed Surveillance Bill (June 14, 2012)

BBC News reports on a proposed surveillance bill that would allow police to access detailed data about people’s phone calls, e-mails and Internet usage. Currently, police may access data on when a message was sent and by whom without a warrant. But a draft Communications Bill would allow police to obtain a warrant to access the content of the message, as well. The data stored would include information from social networks, e-mail, voice calls over the Internet and gaming. The Information Commissioner’s Office said it will need “appropriately enhanced powers and the necessary additional resources” to ensure compliance should the bill become law.

PRIVACY LAW—UK

Advocates Concerned Over Proposed Defamation Bill (June 14, 2012)

UK website operators may soon have to identify people who have posted defamatory messages online, BBC News reports. Though current laws hold website operators liable for everything that appears on their site, the UK Ministry of Justice is proposing a defamation bill that would allow victims of disparaging comments to go after the individual that posted the remarks rather than the website. The group Privacy International says “there is a concern that gun-shy website operators will start automatically divulging user details the moment someone alleges defamation in order to shield themselves from libel actions.”

PRIVACY LAW—ITALY

DPA Approves Request of Authorisation (June 14, 2012)

The Italian Data Protection Authority (Garante) recently approved a request of authorisation filed by a phone company asking to enrich its database of customers’ personal data without prior consent. In this report for The Privacy Advisor, Rocco Panetta of Panetta & Associati Studio Legale examines what the enrichment process implies. Panetta also lists the specific security measures prescribed by the Garante, noting its observation that combining new data with existing personal and statistical information might make it possible to track a user’s identity.

PRIVACY LAW—GERMANY & IRELAND

Hamburg DPA Suspends Facebook Probe While Irish DPA Negotiates (June 14, 2012)

Hamburg’s data protection authority (DPA) says it will wait for Facebook to negotiate with Ireland’s privacy authority before deciding whether the company complies with rules for using biometric data, Bloomberg reports. Following an investigation by the Irish DPA last year, Hamburg began taking legal action against the company for not seeking user consent before introducing a facial recognition feature that asks users to “tag” people, the report states. If Facebook doesn’t “allow users more influence over the way their data is handled,” Hamburg may reopen its probe, said Johannes Caspar of Hamburg's DPA.

PRIVACY LAW—EU & UK

ICO Welcomes Open Data Agenda (June 14, 2012)

UK Information Commissioner Christopher Graham says he welcomes the European Commission’s open data agenda and that it would provide “clear, practical advice on how data can be anonymised,” UK AuthorITy reports. Under the plan, public bodies will be permitted to publish anonymised personal data. The plan aims to “resolve the clash between open data and privacy” and is currently open for public consultation. “The risks of anonymisation can sometimes be underestimated and in other cases overstated,” Graham said. “Organisations need to be aware of what those risks are and take a structured approach to assessing them, particularly in light of other personal information in the public domain.”

DATA LOSS—UK & EUROPE

Glasgow Council, Game Developer Report Breaches (June 14, 2012)

Glasgow City Council is notifying 37,835 individuals and companies that their personal details were contained on a laptop computer that was stolen from its offices in late May, BBC News reports. The data includes names, addresses and bank account details. “We are sorry that this has happened and apologise for the inconvenience it has caused,” a council spokesperson said. Meanwhile, game developer Riot Games is notifying League of Legends players that “Hackers gained access to certain personal player data contained in certain EU West and EU Nordic & East databases.”

PRIVACY LAW—NETHERLANDS

Dutch CBP Fines Rail Company €125,000 (June 14, 2012)

The Dutch data protection authority (CBP) has fined rail company NS €125,000 for retaining passenger information, DutchNews.nl reports. The CBP found that, despite its warnings, the company retained student smart card data beyond a two-year period.

PRIVACY LAW—UK

Commissioner: Consumers Complaining About Cookie Noncompliance (June 14, 2012)

The UK Information Commissioner's Office says it has received 169 complaints thus far about websites failing to comply with the cookie law that came into force May 26, V3.co.uk reports. Information Commissioner Christopher Graham said the complaints should serve as a warning to organizations that failure to comply with the law can lead to reputational damage. "It's fair to say that some have a little too much rhetoric, but there are many where customers are pointing that well-respected brands are not doing anything about the cookie law and can't understand why not," Graham said.

DATA PROTECTION

Data Mining For Credit Scores and More Not A Rarity (June 14, 2012)

TIME reports on a change of plans by Germany's largest credit reporting agency to use social networking to determine if a person is credit-worthy. Schufa had established a research group to determine how to link social networking information to other details about a person's credit rating, but a public outcry following media coverage of the plans prompted the university slated to do the research to back out of the plans. Privacy advocates say similar plans are likely in the not-too-distant future, given the amount of data collected by companies and the widespread interest in trying to use that information to generate revenue.

PRIVACY LAW—UK

ICO Reopens Street View Investigation (June 13, 2012)

Steve Eckersley, enforcement chief of the Information Commissioner's Office (ICO), sent a letter to Google executive Alan Eustace saying the ICO is reopening its investigation into the collection of personal data by Google's Street View service, reports The Washington Post. An April U.S. Federal Communications Commission report found that Google deliberately collected the data. According to Eckersley's letter, the ICO was told the collection was a "simple mistake," adding, "If the data was collected deliberately, then it is clear that this is a different situation than was reported to us in April 2010." Google responded in a statement saying, "We're happy to answer the ICO's questions." On Tuesday, Google released documents relating to the U.S. federal investigation into its activities, including affidavits from nine people denying any knowledge of the data collection. (Registration may be required to access this story.)
Full Story

BEHAVIORAL TARGETING

Online Ads To Match Your Emotions (June 13, 2012)

Microsoft has filed patents for tracking systems "to match online advertisements to moods," the Toronto Star reports. The systems would track emotions "including facial expressions captured in video conversations and Facebook status updates," the report states, and could result in, for example, "weight-loss ads matched with unhappy people--who are more likely to want to change their lifestyle--and electronic ads with happy people--who are more likely to spend." Privacy advocates are questioning such mood-tracking technology. "Definitely when you're talking about people's emotional states, you're getting closer to sensitive data that relates to their identity," said Tamir Israel of the Canadian Internet Policy & Public Interest Clinic.
Full Story

PRIVACY LAW—EU

Article 29 Working Party Adopts Cookie Opinion (June 12, 2012)

The Article 29 Working Party has adopted an opinion on cookie consent exemption. The opinion explains how Article 5.3 in the revised e-Privacy Directive changes informed consent requirements for cookie use. It also describes which cookies are exempted from the changes, including those used "for the sole purpose of carrying out the transmission of a communication" or those "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to use the service." Meanwhile, European Union member states' privacy agencies are expected to release recommendations on how to apply cookie rules as early as this week.
Full Story

PERSONAL PRIVACY—EU & UK

EDPS Calls for Limits on Smart Meter Data Use (June 12, 2012)

The European Data Protection Supervisor (EDPS) is calling for limits on the retention and use of customer data from smart meters, The Register reports. EDPS Peter Hustinx says while there are advantages to smart metering, the technology "will also enable massive collection of personal data, which can track what members of a household do within the privacy of their own homes." The UK Department of Energy and Climate Change says personal data won't be shared with third parties and security will be implemented to prevent its theft. The UK government has said it plans to require smart meter suppliers to ensure data security as a part of licensing agreements.
Full Story

MOBILE PRIVACY

Report: Apple To Release New Tracking Tool (June 11, 2012)

In what The Wall Street Journal reports is "the company's latest attempt to balance developers' appetite for targeting data with consumers' unease over how it is used," Apple will reportedly release a new tracking tool for mobile app developers. While Apple declined to comment, individuals briefed about the plan have indicated the tool aims to better protect user privacy. "How Apple's new technology works and what it will allow developers to track remains unclear," the report states. "One of the people briefed said that the new anonymous identifier is likely to rely on a sequence of numbers that isn't tied to a specific device." (Registration may be required to access this story.)

ONLINE PRIVACY—EU

EU Regulators To Issue Cookie Recommendations (June 11, 2012)

The Wall Street Journal reports on recommendations from European Union member states' privacy agencies on how to apply European data privacy rules governing cookies. The guidelines are expected to be released as early as this week and differentiate between innocuous cookies and those that should require user consent to be deployed, including those that are used to track users' Web browsing for targeted advertising. "There's absolutely no ambiguity that you need consent for those kinds of cookies," said a spokesperson from French data protection authority the CNIL. But a spokeswoman from IAB France said, "Right now, they have one position and we have another." (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

WiFi Service Conditions Changed (June 11, 2012)

PC Pro reports on Virgin Media's changes to the terms and conditions for its Tube WiFi services after privacy concerns were raised that the service "could snoop on user communications." The user agreement had read, "with your permission, we may monitor e-mail and Internet communications, including without limitation, any content or material transmitted over the services," which sparked complaints from MP Robert Halfon and privacy advocate Big Brother Watch. "The company said it had never intended to snoop on e-mails or other communications and had only included the wording to cover itself legally for blocking illegal content," the report states.
Full Story

PRIVACY LAW—SWITZERLAND

Court Rules Street View Need Not Guarantee Total Anonymity (June 8, 2012)

A federal court has ruled that Google will not be required to ensure all images of faces and license plates are obscured, swissinfo.ch reports. However, people may ask the company to blur their images manually, the report states. The decision declares that a lower court's earlier ruling--that the company blur the images because its commercial interests did not outweigh Swiss privacy law--went too far. The federal court ordered Google to treat requests for blurring "without red tape" and to offer a free online contact service and a postal address for such requests. The federal data protection and information commissioner says he is "extremely satisfied with the judgement."

ONLINE PRIVACY—EU

Google Adds Model Clauses to Apps Sales Contracts (June 8, 2012)

Google says it will now include model clauses in its apps sales contracts to assure EU customers that it will protect information stored in Google data centres, IDG News Service reports. A company spokesman said this step "will provide our customers with an even wider palette of EU regulatory compliance options," noting in a blog post that the contracts are "an additional means of meeting the adequacy and security requirements of the European Commission's Data Protection Directive."
Full Story

PRIVACY LAW—EU & U.S.

EU Rules Reinforce Need for CIOs (June 8, 2012)

The Wall Street Journal reports on the growing importance of chief information officers (CIOs) within EU and U.S. companies because of EU-mandated laws for online tracking. The UK Information Commissioner's Office has sent letters to more than 70 companies during the last two weeks inquiring how they are reaching cookie compliance. An attorney at Duane Morris said the "CIO needs to be front-and-center" within companies on privacy compliance. CIOs are often the only figures who know of and have the authority over a company's blend of third-party vendors, customer-facing applications and online analytics tools, the report states. "The challenge for CIOs is they will have to ask very direct and tough questions of vendors," the attorney said. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—GERMANY

Gov’t Proposes Amendments To Geolocation Law (June 7, 2012)

The government has submitted a proposal to Parliament to amend existing federal law concerning access to geographical data. In force since 2009, the law applies to federal agencies and corporations. The amendment “would create a legal basis for largely free use of geographical data and metadata maintained by the German Federal State, thereby enhancing the ‘added-value’ potential of such data,” reports Hunton & Williams’ Privacy and Information Security Law Blog. Thus far, the government has relied on self-regulation and a draft code for geographical data services.
Full Story

PRIVACY LAW—UK

Survey: 75 Percent of Sites Not Cookie Compliant (June 7, 2012)

More than three in four British businesses are non-compliant with the so-called “cookie law,” according to recent research by KPMG. Financial Times reports that in an analysis of 55 UK websites, only 20 percent were complying with the new law, which went into effect 26 May. In a survey just before the law came into force, 95 percent of the same websites had not yet changed their sites to obtain user consent for cookies. The Information Commissioner’s Office says it has received dozens of complaints from the public about websites’ cookie use without consent. “There is a sense of wait-and-see,” said a KPMG spokesman. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—EU

Google Adds Model Clauses to Apps Sales Contracts (June 7, 2012)

Google says it will now include model clauses in its apps sales contracts to assure EU customers that it will protect information stored in Google data centres, IDG News Service reports. A company spokesman said this step “will provide our customers with an even wider palette of EU regulatory compliance options,” noting in a blog post that the contracts are “an additional means of meeting the adequacy and security requirements of the European Commission’s Data Protection Directive.”
Full Story

PRIVACY—ITALY

Parliament Appoints New Garante Board (June 7, 2012)

Italy’s Parliament has appointed the new board of its data protection agency (Garante) to include former MP Soro, Head of Legislative Office of the Ministry of Justice Iannini, former MP Bianchi Clerici and Constitutional Law Professor Califano. According to a post by Panetta & Associati, the appointment process has received criticism on social networks and from the main press agencies due to the absence of transparency in the appointment, the lack of a public discussion and public hiring of the candidates, and the fact that the professionals appointed are neither technical experts stricto sensu in data protection nor part of the privacy community. The board will serve for the next seven years during the implementation of the new regulation, facing emerging challenges.
Full Story

HEALTHCARE PRIVACY—UK

Police Seek Access to Teenage Girls’ Health Records (June 7, 2012)

The Independent reports doctors are concerned with plans by police in Manchester to obtain anonymised data from NHS sexual health centres to identify areas where gangs may be operating. The database is currently only available to doctors and contains such details as patient age groups, ethnicity, the area in which they live and for what diseases they were screened. A police spokesman said there are legal structures that would allow information to be “exchanged, assessed and acted upon” without breaching the law.
Full Story

DATA LOSS

Last.fm Apologises, LinkedIn Investigates Breach, Defends Calendar Syncing (June 7, 2012)

Music website Last.fm is investigating the leak of members’ passwords, BBC News reports. The company has apologised to members, saying it takes user privacy “very seriously” and suggesting users update their passwords. Meanwhile, business social network LinkedIn has launched an investigation into a breach of as many as six million user passwords that may have been published on a hacker's website. According to an official LinkedIn update, users will "benefit from the enhanced security we just recently put in place..." Ireland's data protection authority said it may investigate the incident, and U.S. lawmakers are calling for data security legislation. Meanwhile, The New York Times reports on findings by security researchers revealing that LinkedIn's mobile app may transmit iPhone and iPad calendar details back to company servers without user knowledge. The practice, the report states, may violate Apple's privacy guidelines. A LinkedIn spokeswoman said the "calendar sync feature is a clear 'opt-in' experience." (Registration may be required to access this story.)
Full Story

GENETIC PRIVACY—UK

DNA Database Still Collecting Troves of Data (June 7, 2012)

Despite the recent passage of a law intended to scale down the world’s largest database of DNA profiles, privacy advocates say more than 150,000 innocent people have had their DNA added to the national database in recent years, The Telegraph reports. Since 2004, police have been permitted to take DNA or fingerprints of anyone older than 10 who’s been arrested for a “recordable offence.” In 2008, the European Court of Human Rights ruled keeping the records indefinitely was unlawful, the report states, prompting the government to promise to only keep the DNA of those convicted of serious offences for a maximum of five years--a promise the group Big Brother Watch says has not been fulfilled.
Full Story

PRIVACY LAW—UK

ICO Fines Council for Breaches Involving Kids (June 7, 2012)

The Information Commissioner’s Office has fined Telford and Wrekin Council £90,000 for two data breaches that occurred within months of each other, Infosecurity reports. The first breach occurred in March 2011 when a staff member sent personal information on one child to the wrong family member. The second occurred when the placement name and address of two young foster children were accidentally shown to the children’s birth mother. The ICO says both breaches occurred due to problems with staff training and the council’s information system. The council has agreed to provide staff training, among other improvements.
Full Story

DATA PROTECTION—EU

Regulatory Tweak Hampering Fisheries Research (June 7, 2012)

A change to one of the European Union’s rules is causing fisheries scientists to struggle for access to data, Nature.com reports. Raw data from devices used to monitor fishing vessels is no longer available to some scientists, the report states, as a result of a 2009 European Commission rule stating bodies in charge of fisheries data may only release information aggregated over areas measuring about 5.5 kilometres. “This is now a serious problem for us. We’re asked to give the best possible advice, and if you do not have highly detailed data, you end up having a problem,” said a marine biologist at a UK university in the journal Fish and Fisheries.
Full Story

PERSONAL PRIVACY—UK

Gov’t Plans Obligations for Smart Meter Suppliers (June 7, 2012)

The UK government plans to require smart meter suppliers to ensure data security as part of licensing agreements to install the technology, reports Out-Law.com. The Department for Energy and Climate Change said in its latest consultation that it has established steps suppliers will have to carry out to ensure their systems are secure to an “appropriate standard,” the report states. Those steps will include initial and ongoing risk assessments of end-to-end systems and annual independent security risk audits. Smart meters are to be installed across the UK by 2014.
Full Story

HEALTHCARE PRIVACY—UK

Doctors Union Says Members Concerned about E-mail Breaches (June 7, 2012)

The Medical Defence Union (MDU) says it is being contacted by medical professionals who are worried about how to remedy data breaches, BBC News reports. The MDU’s members make up more than 50 percent of UK hospital doctors and general practitioners. MDU says doctors are concerned about such breaches as sending an e-mail to the wrong person and revealing confidential information. The chief executive at the Patients Association says the association has received complaints from patients about general practitioners’ use of texts or e-mails, the report states.
Full Story

PRIVACY LAW—U.S. & EU

Irish MEP Briefs DoC on EU Data Protection Rules (June 7, 2012)

Irish MEP Sean Kelly was set to have briefed the Obama administration yesterday on the EU's stance on online privacy and its proposals for updating data protection rules among member states, Silicon Republic reports. Kelly, who was selected to co-author the European Parliament's report on data protection regulation earlier this year, was to have met with the U.S. Commerce Department's Cameron Kerry on the topic, which he says is "perhaps the most important piece of legislation that will emerge from the European Union for quite some time." Kelly stressed that the legislative process is still in the early stages.
Full Story

FINANCIAL PRIVACY—GERMANY

Credit Bureau To Scan Social Networks (June 7, 2012)

The Local reports on plans by Germany's largest credit bureau to use social networks to determine if someone is credit-worthy. Schufa has established a research group to determine how to link social networking information to other details about a person's credit rating, the report states. It also plans to link personal characteristics with the ability or willingness of a person to pay off loans. The plan has raised concerns among consumer protection and data protection groups. "People who are on Facebook do not think that what they say there could one day be influential in their credit status. That crosses a line," said Edda Castelló, data protection commissioner in Hamburg.
Full Story

PRIVACY LAW—EU & U.S.

Proposed Regs Could Cloud Transatlantic Data Sharing (June 5, 2012)

Financial Times reports on potential tensions as the EU and U.S. consider privacy regulations for businesses. EU reforms may be welcomed by individuals, but "they impose a cost on business and do not always sit easily alongside other legislation designed to protect the public," the report states. One such example is the friction between the EU and U.S. over the USA PATRIOT Act. A Deloitte representative said if there is a "clash" between the entities, "it will come down to whose stick is bigger, and that may be the U.S. government," adding, "It is only going to get worse with the new, wider-reaching EU regulations that are being drafted." (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Data Protection Officer Role Will Be Key (June 4, 2012)

CIO reports on the role data protection officers (DPOs) will play in organizations operating in the EU. Proposed EU reforms mandate that organizations create a DPO role filled by a seasoned professional who reports directly to the board of directors. "With the potential for a land grab of qualified candidates," the article states, "organizations may want to begin defining their needs now." A security industry expert said, "There are a ton of very smart people who get IT security, but they don't have the ability to make it viral among the employee base," adding, "They have to be passionate about credentials and be good communicators that can work with" business and executive teams. The DPO will also be responsible for training staff.
Full Story

DATA LOSS—UK

Trust Appealing £325,000 Data Breach Fine (June 1, 2012)

An NHS trust will appeal a £325,000 fine issued by the Information Commissioner's Office (ICO) following a data breach. Brighton and Sussex University Hospitals NHS Trust was served the largest penalty to date after it sold hard drives that contained sensitive data on tens of thousands of patients and staff, Public Service reports. The trust does not accept the ICO's conclusions that it "failed significantly in its duty to its patients, and also to its staff," the report states. The trust says it "simply cannot afford to pay a £325,000 fine" and is therefore appealing to the information tribunal.
Full Story

DATA PROTECTION—UK

ICO: Anonymised Personal Data Falls Outside DPA (June 1, 2012)

The Information Commissioner's Office (ICO) has said that anonymised personal data disclosed by companies does not fall under the Data Protection Act--provided that when combined with other available data it is "reasonably unlikely" that individuals can be identified, reports Out-Law.com. The ICO has published a draft code of practice on anonymisation and will take comments until 23 August with plans to publish the final code in September. The ICO is also offering a £15,000 contract as initial funding for the creation, development and support of a professional network with the aim of demonstrating to practitioners that effective anonymisation is possible and beneficial.
Full Story

PRIVACY LAW—EU

MEPs Strive for Balance in Data Protection Law (June 1, 2012)

Members of the European Parliament (MEPs) attended a workshop held by the civil liberties committee on Tuesday to review EU data protection rules introduced in 1995. According to a Parliament press release, the discussions centered on striking a balance between "boosting business competitiveness and safeguarding consumers' privacy." Parliament rapporteur for the new data protection regulation Jan Philipp Albrecht said, "A set of coherent, harmonised data protection rules" will achieve both objectives. Parliament has begun work on the European Commission's proposed directive and regulation, which were tabled in January.
Full Story

INFORMATION ACCESS—IRELAND

ODPC Investigates Access to Welfare Data (June 1, 2012)

The Office of the Data Protection Commissioner (ODPC) is investigating the appropriateness of the access that local authority workers have to sensitive welfare data, reports the Irish Examiner. The ODPC is conducting onsite inspections of eight agencies that have access to the Department of Social Protection database after a general audit of the database in 2011 showed "limited guidance on when files should be made available," the report states. The ODPC recently insisted that fingerprint or palm prints be used to track access to personal details of individuals not paying household charges, and three insurance companies have pleaded guilty to illegally seeking access to welfare data.
Full Story

PRIVACY LAW—ITALY

Government Approves Cookies, Notification Decree (June 1, 2012)

The government has approved a Legislative Decree implementing the EU's cookies and data breach notification directive. The opt-in regime has been introduced as a mandatory rule. The data breach notification obligation is, for now, mandatory in the telecom and Internet service provider market only. (Article in Italian.)
Full Story

PRIVACY LAW—EU

Committees Vote Down ACTA (June 1, 2012)

The European Parliament's civil liberties, legal and industry committees all voted against the international anti-piracy agreement ACTA on Thursday, reports PC World. The civil liberties committee cited concerns over Internet providers policing the web and a lack of protection for sensitive information, while the industry committee said ACTA fails to balance intellectual property and privacy rights with freedom of information. ACTA was signed by the European Commission (EC) and 22 member states in January, but most have suspended ratification after civil protests and Europe's Data Protection Supervisor warned the agreement may violate privacy law. The EC has asked Parliament to wait for an opinion from the European Court of Justice, but according to the report, that is unlikely.
Full Story

DATA LOSS—IRELAND

Names of Job Applicants Disclosed to Others (June 1, 2012)

The Irish Department of Justice (DOJ) has issued apologies to nine people who applied for a position at the RUC George Cross Foundation after mistakenly sending all the applicants' names to one applicant, reports IT PRO. A staff member accidentally attached a document containing the applicants' names, but no other information, to an e-mail sent to the individual. "The incident was a result of human error, and officials have been reminded of the procedures regarding data handling," a DOJ statement said.
Full Story



HEALTHCARE PRIVACY—ITALY

DPA Rules on Medical Data Again (June 1, 2012)

With an ad hoc resolution, Italy's DPA, the Garante, adopted a number of measures and prescriptions governing the data processing carried out during specific clinical operations. Notice must be given and consent collected unambiguously in order to provide a clear picture of the purposes of data collection. Security measures have been stressed as well. (Article in Italian.)
Full Story


PRIVACY LAW—FRANCE

CNIL Releases FAQs on Data Breaches (June 1, 2012)

The French data protection authority (CNIL) has published an explanation of the new data breach notification rules, writes Pascale Gelly, CIPP/E, for The Privacy Advisor. Internet service and telecom providers are the only entities currently subject to the breach notification obligation. "Any breach--loss, destruction, disclosure, distortion, unauthorized access--must be notified to the CNIL, without exception, whatever the severity level, without delay," writes Gelly, adding that if there is a particular risk to the data or individuals' privacy, individuals must be notified as well. Noncompliance could result in criminal sanctions of a maximum of five years of imprisonment, a fine of 300,000 euros and CNIL administrative sanctions up to 150,000 euros.
Full Story



PERSONAL PRIVACY—UK

Plans for Mandatory Audio Recording in Taxi Scrapped (June 1, 2012)

The Oxford City Council has announced it will not pursue plans to require audio recording in all of the city's taxis after the Information Commissioner's Office warned that the practice may contravene data protection laws, reports The Oxford Times. Colin Cook, chairman of the council's general purposes licensing committee, said the council stands behind mandatory video recording, but that audio recording could be activated by a panic button. Disagreement continues over whether the cameras are vital to the security of drivers and passengers or an invasion of privacy.
Full Story



PRIVACY LAW—UK

Experts: Cookie Audit Is Best Start Towards Compliance (June 1, 2012)

The UK began enforcement of the cookie directive, which states that websites must gain consent prior to collecting data from European users, on Saturday, but Corporate Counsel reports that many businesses are not in compliance--including most government sites. Bridget Treacy of Hunton & Williams and Robert Bond of Speechly Bircham say if your organisation isn't ready for the directive, start with a cookie audit. Treacy says an audit will help determine what types of cookies your site uses, what data they collect and which cookies are exempt from the law, the report states.
Full Story


DATA LOSS—UK

Telecom Data Open to Internet (June 1, 2012)

Business telecommunications provider Greystone Telecom, a subsidiary of TalkTalk, is inadvertently sharing customer data online, reports The Register. Details including customer pricing, sales orders and company spreadsheets are on an open FTP server that Google crawlers have indexed; however, the data did not come from TalkTalk servers. "Our firewalls and security procedures are functioning properly. We are working to identify the IP address from which this data was disseminated and are in contact with the appropriate authorities," says a statement from the company.
Full Story



PRIVACY LAW—EU & UK

Experts: Proposed Laws May Bring Trouble (June 1, 2012)

According to some in the industry, the European Commission's (EC) proposed changes to the Data Protection Directive may bring problems for small and medium enterprises (SMEs) and the UK Information Commissioner's Office (ICO). Stewart Room of Field Fisher Waterhouse questions the feasibility and usefulness of the proposed 24-hour breach notification provision, noting that it would mean the ICO--which is "already swamped with disclosures"--will see even more. Meanwhile, PC Pro reports that Peter Fleischer, Google's chief privacy counsel, writes in his blog about the effect the law will have on SMEs, stating, "Frankly, I wonder how an SME could possibly deal with this paperwork and process torrent and how they're supposed to pay for it."
Full Story


CLOUD COMPUTING—ITALY

Garante Publishes Cloud Computing Guide (June 1, 2012)

The Italian Data Protection Authority, the Garante, has released a practical guide on cloud computing risks and opportunities for citizens and operators. The guide stresses the need for strong contractual schemes and security measures to navigate safely in a cloud environment. (Article in Italian.)
Full Story

“I think they mean it.” The new medical records privacy law in Texas (June 1, 2012)

Revisions to the Texas Medical Records Privacy statute, which take effect on Sept. 1, expand existing requirements for those who have access to medical information pertaining to others. House Bill 300 (HB 300) provides that covered entities, as defined in the statute, must comply with expanded responsibilities pertaining to health information. The act imposes upon these covered entities additional duties beyond those that are dictated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).