European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY—EU & U.S.

Opinion: Reforms on Both Sides of the Atlantic (July 31, 2012)

In an op-ed for Concurring Opinions, Omer Tene of the Israeli College of Management School of Law reports on efforts within the U.S. and Europe to reform privacy frameworks. In the U.S., legislating Fair Information Practice Principles “remains crucial,” Tene writes, adding that without them, “the FTC cannot do much more than enforce promises made in corporate privacy policies, which are largely acknowledged to be vacuous.” When it comes to self-regulatory efforts, Tene notes many are skeptical about their success. In formalizing the EU’s draft regulation on data protection, policymakers “should keep in mind the desired balance between innovation, economic progress and regulation,” he writes.

PRIVACY LAW—IRELAND

Commissioner’s Office To Conduct Second Facebook Audit (July 31, 2012)

The Office of the Data Protection Commissioner (DPC) has said it will determine by early October whether to take legal action against Facebook, RTE News reports. The DPC will soon conduct a second audit to ensure Facebook is complying with EU laws. Amidst reports it had cut ties with Europe v. Facebook—the Austrian group that has been working with the DPC and which has been successful in convincing Facebook to release information about the data it collects from users—the office said in a statement this week that “Europe v. Facebook performed a useful public service in highlighting the specific issues raised in its complaints.”

CLOUD COMPUTING—UK

ICO: Onus Remains on Organizations, Not Cloud Providers (July 31, 2012)

The Information Commissioner’s Office (ICO) says while it welcomes a new online platform that allows prospective cloud computing users to view the providers’ security features, organizations cannot rely on that information to ensure their own compliance with UK data protection laws, Out-Law.com reports. Amazon is the latest cloud provider to post details of its data protection protocols to the Security, Trust & Assurance Registry, which is free to view and includes members such as Google and Microsoft. An ICO spokesperson said organizations “thinking of using cloud service providers must understand that they are still responsible for the safety of that data.”

PRIVACY LAW—EU

Member States Negotiate Flexibility Agreement (July 30, 2012)

During a meeting at the Council of Ministers in Cyprus, a number of EU member states have obtained an agreement that would allow the commission to change data protection laws in the future in order to respond to advancements in technology, Out-Law.com reports. “For us, it’s important that we have legislation that is, of course, detailed enough to give protection to citizens but that is also applicable for a longer period of time,” a Swedish official said. The General Data Protection Regulation would introduce a single data protection law across EU member states. Its draft was revised by the Council of Ministers in June.

PRIVACY LAW—EU & U.S.

Weitzner: U.S. Plan Is Not Deregulation (July 27, 2012)

EUROPOLITICS reports on the EU and U.S. handling of online privacy, highlighting comments by the Obama administration’s deputy chief technology officer at a recent seminar hosted by an EU and a U.S. think tank. Speaking at the event, Daniel Weitzner said the U.S.-proposed multi-stakeholder process to encourage companies to develop codes of conduct “is not a code word for deregulation,” the report states. The report also touches on concerns about the EU-U.S. Safe Harbour Agreement, noting, “There is a growing realization that this agreement will need to be updated in light of the ongoing overhaul of the EU and U.S. privacy frameworks.” Weitzner recently announced that he will leave his White House position on 3 August to return to MIT.

PRIVACY LAW—GERMANY & EU

For Framework Reforms, Germany Softens Stance On Public Access (July 26, 2012)

Reuters reports that Germany plans to cede some of its concerns over public information access in exchange for flexibility in applying the rules to meet proposed EU data protection reforms. Germany had wanted strict access to public data—such as tax and employment records—but its new concession will help negotiations proceed. At a meeting in Cyprus this week, a diplomat said, “As far as certain member states do already have a stricter regulation for certain areas of the public sphere, the new legislation should also give member states the possibility to preserve these differentiated levels of data protection.”

PRIVACY LAW—EU

EDPS Issues Opinion on Online Child Protection (July 26, 2012)

The European Data Protection Supervisor (EDPS) has released an opinion on the European Commission’s communication on the “European Strategy for a Better Internet for Children.” In addition to supporting the EC’s initiatives to make a safer Internet for children, “The EDPS underlines that data protection requirements should be appropriately considered by industry, member states and the European Commission,” adding that the contemporary approach to age verification on the Internet is “fragmented and lacks harmonisation.” The opinion also looks into the right to be forgotten, behavioural advertising and fair processing of information.

DATA LOSS—GERMANY

German Game Site User Data Posted Online (July 26, 2012)

ZDNet reports that data relating to 8.24 million customers of a German gaming site hacked in February has been posted to the Internet. Gamigo warned customers at that time that its server had been breached. Now, the user data has been posted to PwnedList, according to the report.

CLOUD COMPUTING—UK

ICO Welcomes STAR Registry, Urges Caution (July 26, 2012)

The Information Commissioner’s Office (ICO) has welcomed a new online platform for prospective cloud computing users but cautions that organisations should not simply rely upon provider suggestions, Out-Law.com reports. The Security, Trust & Assurance Registry (STAR), operated by the Cloud Security Alliance, allows providers to submit “self-assessment reports” to document their compliance with best practices. An ICO spokesman said the fact that a provider may be registered with STAR “does not absolve the organisation who collected the data of the legal responsibilities.” The ICO is also developing guidance on legal requirements for organisations storing data in the cloud, the report states, and is reminding firms to notify the agency if they plan to process personal data.

PRIVACY LAW—UK

ICO: Recording Conversations in Taxis Must Stop (July 26, 2012)

The Information Commissioner’s Office (ICO) has ordered Southampton City Council to stop recording drivers’ and passengers’ conversations in taxi cabs, The Independent reports. “We recognise the council’s desire to ensure the safety of passengers and drivers, but this has to be balanced against the degree of privacy that most people would reasonably expect in the back of a taxi cab,” the ICO stated. Plans in Oxford for similar implementation have been halted as well.

SURVEILLANCE—UK

Advocacy Group Presses For Halt of Web-Spying Exports (July 26, 2012)

Privacy International (PI) wants the government to halt the export by British firms of surveillance technology that is sold to repressive regimes, V3.co.uk reports. In a letter to the secretary of state for business, innovation and skills, PI wrote, “The government must stop exports of British surveillance technologies to despotic regimes before more harm is done.”

DATA LOSS—UK

Council Mistakenly Reveals Hundreds of E-mail Addresses (July 26, 2012)

“Human error” is the alleged reason Wrexham Council mistakenly revealed hundreds of personal e-mail addresses in a mailing of its annual tenant survey, Wrexham.com reports. Instead of blind-copying the recipients, the e-mailed survey was simply copied. The council has apologised to those affected.

PERSONAL PRIVACY—EU & UK

Smart Meters, “Internet of Things” May Redefine Privacy (July 26, 2012)

Information Age reports on the “increasing use of data collection and transmission technologies” and how smart meters and the “Internet of Things” collect data that “goes beyond personally identifying information and instead describes” individuals’ behaviour and movements. With these new technologies, it’s becoming more difficult to determine who “owns” the data, the report states, and one expert said, “The Internet of Things has the capacity to blur the physical and virtual worlds.”

DATA LOSS—UK

Council Data on 2,400 Residents Leaked Via Spreadsheets (July 26, 2012)

Responding to a Freedom of Information request, the Islington Borough Council inadvertently leaked personal data of 2,376 residents—including individuals’ names, marital status and sexuality, Information Age reports. The FOI request was filed by WhatDoTheyKnow.com, which publishes FOI requests on a publicly available website. The breach was identified by an employee of the organization that operates the website. The group then notified the council and the Information Commissioner’s Office. This is the second incident involving the Islington council this year.

PRIVACY LAW—GERMANY

Customer Sues Mobile Phone Operator (July 25, 2012)

PCWorld reports on a customer suing mobile operator Vodafone for allegedly storing connection data unnecessarily. Lawyer Meinhard Starostik—a part of the Working Group on Data Retention—sent a cease-and-desist letter to Vodafone stating the “allegedly illegally stored traffic data was unnecessary for the billing process and should be deleted without delay,” the report states. The information Vodafone stores includes mobile phones’ unique identification numbers, SIM cards’ unique identification numbers and the relevant cell tower’s physical location. The data retention ranges from 30 to 92 days. Vodafone says the data is needed for billing services.

EU Data Protection Digest Contributors (July 25, 2012)
The IAPP is pleased to introduce the European data protection experts who contribute to the European Data Protection Digest e-newsletter on a weekly basis.

PRIVACY LAW—EU

EC Opens Consultation on Cybersecurity Draft Laws (July 24, 2012)

The European Commission is seeking comment from governments, businesses and others in drafting new cybersecurity laws, which could include a provision requiring businesses to report “cyber incidents” affecting their “essential” systems, Out-Law.com reports. According to a statement, “The commission is considering the introduction of a requirement to adopt risk management practices and to report security breaches affecting networks and information systems that are critical to the provision of key economic and societal services; e.g. finance, energy, transport and health, and to the functioning of the Internet; e.g. e-commerce, social networking.”

ONLINE PRIVACY—THE NETHERLANDS

Telecom Regulator Plans To Use Automated Cookie Monitor (July 24, 2012)

Dutch telecom regulator OPTA has said it plans to use automated supervision to ensure companies are complying with its new cookie consent regime, Bird & Bird reports. Similar to web crawlers, the proposed cookie monitor, which is still in development, scans websites for cookie use and placement. An OPTA spokesman said, “Sites that place cookies without consent, which are hard to remove by the user, will be fined promptly,” adding, “sites that commit less serious offenses are likely to receive a warning first.” The potential result, according to the report, could be a rise in enforcement in the coming months.

PRIVACY LAW—EU

Europe Takes Lead in Tech Industry Regulation (July 23, 2012)

Regulators in the European Union are challenging the world’s largest technology firms, and according to The Washington Post, “they are winning.” U.S.-based tech companies are being scrutinized by European regulators “to the point that many experts say,” according to the report, “the legal landscape of the technology industry is being shaped more profoundly” in Europe than in the U.S. A professor from the University of Liege Law School in Belgium said, “The pipeline is packed with these cases.” Before Europe takes its summer break next week, regulators hope to have a settlement with Google, the report states.

CLOUD COMPUTING—EU

EC Calls for Better Cloud Contracts (July 20, 2012)

The European Commission (EC) is calling for cloud computing firms to improve their customer contracts to avoid both privacy issues and “costly legal disputes” while boosting the cloud industry, Reuters reports. "The complexity and uncertainty of the legal framework for cloud services providers means that they often issue complex contracts...or agreements with extensive disclaimers," the EC writes in a policy paper expected to be released later this year. The EC has expressed its desire to help the cloud industry develop model agreements and “will also look into whether binding laws will be needed for cloud services,” the report states.

PRIVACY LAW

Estonian Hacker Gets Seven Years Behind Bars (July 20, 2012)

An Estonian man has been sentenced to seven years in prison for his involvement in a global hacking operation that saw the theft of tens of millions of payment cards, SC Magazine reports. A Long Island federal court sentenced Aleksandr Suvorov, who had pleaded guilty to wire fraud conspiracy and admitted to selling 160,000 payment card numbers stolen from the Dave & Buster’s restaurant group to an undercover officer, according to the report. The ringleader of the operation, which resulted in breaches at large retailers including Hannaford Bros., TJX, BJ’s Wholesale Club and Heartland Payment Systems, was sentenced to 20 years in prison in 2010.

PRIVACY LAW—EU & CANADA

EC Says Controversial Articles Removed From CETA (July 19, 2012)

Elements of the EU-Canada trade deal that had privacy advocates concerned have been removed, reports PCWorld. Following a leaked draft of the Canada-EU Trade Agreement (CETA), spokesman for the European Commission John Clancy says the controversial articles have been removed, though the deal is being conducted in private and it isn’t clear exactly what has been changed. Via a Twitter post, Clancy said, “CETA does not contain any provisions that differ from existing EU law.” CETA will reach the European Parliament in early 2014. Columnist Michael Geist says the deal creates “enormous risks for Canada’s trade ambitions.”

SURVEILLANCE—UK

Report Highlights Concerns About Internet Monitoring (July 19, 2012)

Chief Surveillance Commissioner Christopher Rose’s annual report suggests law enforcement authorities are abandoning “directed surveillance” because they can gather more information “by trawling through material readily available on the Internet, through social media for example, and not be subjected to any RIPA (Regulation of Investigatory Powers Act 2000) controls,” The Guardian reports. Rose said he is concerned that examination of online data—such as social media profiles—should be subject to RIPA. “There is a fine line between general observation, systematic observation and research,” he noted, “and it is unwise to rely on a perception of a person's reasonable expectation or their ability to control their personal data."

SOCIAL NETWORKING—GERMANY

Court Orders Mother To Remove Photos, Pay Daughter Damages (July 19, 2012)

A 24-year-old woman is being awarded damages after her mother posted photos of her on Facebook alongside mocking comments, The Local reports. The woman took her mother to Bonndorf regional court, which ordered that the photos be removed and the woman be awarded €600 in damages, the report states.

PRIVACY—UK

Graham on Open Data, Gov’t Progress (July 19, 2012)

In an interview with The Guardian, Information Commissioner Christopher Graham discusses the recently released open data whitepaper and his office’s ability to hand down fines for data breaches. Graham says his office worked with the Cabinet Office on the paper and he is pleased a privacy expert has been appointed to the office’s Transparency Board. The board has done great work, Graham said, adding that when he mentioned privacy at board meetings, however, “I very much felt like a bit of a party pooper.” Government must get the basis of data protection down before turning to projects such as electronic health records, Graham said.

PRIVACY—FRANCE

Restaurant Employees Object to “Digital Specs” (July 19, 2012)

The Associated Press reports on employees in a Paris fast food restaurant “who stopped a Canadian computer engineering professor from wearing computerized eyeglasses” due to privacy concerns. Steve Mann, who designed a vision device “similar to the enhanced reality glasses recently announced by Google,” described the incident at the Champs Elysees McDonald’s in a blog post, alleging staff members knocked the glasses off and grabbed them. Employees contend the exchange was respectful, noting “they were concerned about privacy violations when they approached Mann,” the report states.

DATA LOSS—UK

Breach Leads to Investigation, Potential Fine (July 19, 2012)

An inquiry following a data breach has found that Islington Council is “ineffective” at protecting personal data, the Islington Tribune reports. The council reported itself to the information commissioner after details--including addresses and phone numbers--on individuals who had made complaints to the council about antisocial behaviour were sent to the wrong individuals. The details of those who complained were intended to be removed from the documents before they were sent. The council says it has since put safeguards in place. The information commissioner is investigating and could fine the council, which will now undertake an internal audit and a review of its procedures.

ONLINE PRIVACY

YouTube Releases Facial Blurring Tool (July 19, 2012)

YouTube has released a tool allowing people to obscure faces within videos uploaded to the site, The New York Times reports. The feature aims “to help protect dissidents using video to tell their stories in countries with repressive government regimes,” the report states. “Visual anonymity in video allows people to share personal footage more widely and to speak out when they otherwise may not,” said a YouTube spokeswoman, adding that “human rights footage, in particular, opens up new risks to the people posting videos and to those filmed.” YouTube said the feature would also help protect children’s identities. (Registration may be required to access this story.)

ONLINE PRIVACY

Skype Looking Into Messaging Bug (July 17, 2012)

Skype is looking into a bug resulting in the voice-Internet service sending instant messages to unintended recipients, CNET News reports. Skype says “in rare circumstances” and stemming from an upgrade last month, users intending to send a message to one contact have found the message has been sent to another, which one user called “a serious breach of privacy.” Skype says it is investigating the matter and hopes to provide a solution soon. “We are rolling out a fix for this issue in the next few days and will notify our users to download an updated version of Skype,” a spokesperson said in an e-mailed statement.

DATA PROTECTION—UK

How To Avoid Expensive Data Privacy Mistakes (July 13, 2012)

In light of recent headline-making fines from the UK Information Commissioner’s Office (ICO), experts are looking at what needs to be done to keep organizations and businesses from making expensive data privacy mistakes. In this exclusive for The Privacy Advisor, McDermott Will & Emery’s Rohan Massey discusses the importance of training and compliance. It’s critical businesses undertake a “360-degree review of their data lifecycle to establish the types of data, different processing, storage, sharing and destruction of data that takes place,” Massey writes, adding the ICO has made it clear that having a data-handling policy in place is not enough. Rather, organizations must be sure employees are aware of their legal obligations.

PRIVACY—FRANCE

CNIL Releases 2011 Annual Report (July 13, 2012)

The Commission Nationale de L’Informatique et des Libertés (CNIL) has released its annual report for 2011. The CNIL fielded 5,738 complaints in 2011, an increase of 19 percent from 2010, and the agency adopted 1,969 decisions and deliberations, an increase of 25 percent from 2010. Also during 2011, the CNIL issued 65 notices to comply, 13 warnings, five financial fines and two acquittals. In addition, among several other initiatives, the commission directed efforts toward raising the prestige of data protection officers (CILs) within their organisations, creating and distributing a “communication kit” and requesting the French national employment agency “to register the profession of CIL in the ‘Repertoire Operationnel des Metiers.’”

DATA LOSS—UK

ICO Fines NHS Trust £60,000 (July 12, 2012)

The Information Commissioner’s Office (ICO) has fined St. George’s Healthcare NHS Trust £60,000 for failing to keep private the sensitive medical information of one of its patients, PublicService.co.uk reports. “It’s hard to imagine a more distressing situation for a vulnerable person than the thought of their sensitive health information being sent to someone who had no reason to see it,” said ICO Head of Enforcement Stephen Eckersley, who added, “This breach was clearly preventable and is the result of the trust’s failure to make sure the contact details they have for their patients are accurate and up to date.”

ONLINE PRIVACY—EU

ENISA Calls for Smart Grid Security, Privacy Regulations (July 12, 2012)

The European Network and Information Security Agency (ENISA) has recommended the European Commission and member states develop “specific policy documents and regulations on cybersecurity and privacy of the smart grid in order to improve the current regulatory and policy framework.” This was among 10 recommendations in a report the agency put forth this week. The report concludes the agency’s study to identify “risks and challenges related to cybersecurity aspects of smart grids.” ENISA says the smart grid’s success depends upon the guarantee of consumers’ privacy, among other factors, and that “cybersecurity and privacy should be addressed at the design phase so as to minimize costs and maximize security.”

PRIVACY LAW—UK

Committee Seeks Opinions on Communications Bill (July 12, 2012)

The Joint Committee of MPs and Peers has launched a “call for evidence” on a bill that would expand surveillance powers for authorities when it is in the best interests of national security or in order to prevent or detect crime, among other reasons, reports Out-Law.com. The draft Communications Data Bill has seen criticism from civil liberties organisations and ISPs, and Committee Chairman Lord Blencathra said it “wants to ensure that the draft bill will ensure a sufficient balance between an individual’s privacy and national security. We intend very thoroughly to examine the government’s proposals and hope to hear from interested bodies and organisations…” The call for evidence is open until 23 August.

DATA LOSS

Yahoo Investigating Breach (July 12, 2012)

BBC News reports that Yahoo is investigating a breach involving hundreds of thousands of users. The company has confirmed that a file containing about 450,000 Yahoo user names and passwords was compromised on Wednesday. “Of these, less than five percent of the Yahoo accounts had valid passwords,” the company said in a statement, adding, “We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo users and notifying the companies whose users’ accounts may have been compromised.” A U.S. security firm claims that intruders used SQL injection to access the data.

DATA PROTECTION—SERBIA & U.S.

Serbian Commissioner Meets with U.S. Lawyer (July 12, 2012)

Serbian Commissioner for Information of Public Importance and Personal Data Protection Rudoljub Sabic met with Chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee Lisa Sotto this week, reports Hunton & Williams’ Privacy and Information Security Law Blog. The meeting was to discuss the Serbian office’s need for staff education about ongoing data protection issues, the report states. “As a commissioner for Information of Public Importance and Personal Data Protection,” Sabic said, “I have been continuously warning that we as a state are facing serious problems in the area of data protection, and that we are practically at the very beginning…we need to change this situation.”

DATA LOSS—EU

BackUp Vendor Reports Breach (July 12, 2012)

Backup vendor Acronis says some of its customer data was leaked onto the web, TechWeekEurope reports. Most of the involved data was not sensitive or confidential, the company says, but a technical issue with one of its servers led to the information leak, which included “an older spreadsheet listing just the e-mail addresses of customers who had been entitled to a free product upgrade.” However, “no other identifying information was contained in this spreadsheet,” said a company spokesman.

PRIVACY LAW—GERMANY

Complaints Abound After Passing of Privacy Law (July 12, 2012)

RT reports the Bundestag has passed a law allowing the government to sell citizens’ personal data on an opt-out basis, causing 120,000 people to sign a petition to appeal the law. One grievance with the law is that it passed in 57 seconds without debate--and six minutes into the European Football Championships semi-finals game in which Germany played Italy. Hamburg Data Protection Officer Johannes Caspar questions whether the advertising and address-trade industries pushed for the law, adding, "There is no other way to explain why the preexisting draft law, which included an option requiring a citizen's consent, was changed. The previous draft was fine." The law now goes to the upper house of Parliament.

TRAVELLER’S PRIVACY—UK

Expert: BA Could Justify Image Checks (July 12, 2012)

Out-Law.com examines the potential for British Airways to argue “legitimate interests to process online images of passengers that have booked with them” in the wake of media reports of its “Know Me” program, which relies on searches of Google images to identify passengers. Danielle van der Merwe of Pinsent Masons notes, “There are a number of routes available under the Data Protection Act that one can take in order to justify the arrangement…the most appropriate of those would be to notify passengers about the possible processing and asking them for their consent at the time they book a flight.”

MOBILE PRIVACY

New Consumer Trust Award Launched (July 12, 2012)

In an interview with The Guardian, MEF Global Chairman Andrew Bud discusses the company’s new Meffy’s Consumer Trust Award and the importance of and challenges in building trust in the mobile environment. The award recognises companies that demonstrate best practices in consumer trust, says Bud. Calling “transparency and consumer control” the keys to building trust, Bud says, “The more confidence consumers have in knowing what personal information is being used and how it will benefit them, the more confidence they will have to purchase.” The company is accepting nominations until 19 July.

BIG DATA

Privacy, Economics and “Do Not Collect” (July 12, 2012)

Examining the difference between the low cost of paying a company to find someone online versus the higher costs associated with companies that help people “hide from the Internet,” a paidContent report questions whether the time has come for a “do not collect” law. While suggesting “the ‘pay for privacy’ approach doesn’t acknowledge the new economic imbalance in which personal data is cheap and anonymity is expensive,” the report also questions whether a “do not collect” system “would be enough to put the data genie back in the bottle.”

PRIVACY LAW—FRANCE

CNIL Says Google Report Due in September (July 11, 2012)

The French data protection authority (CNIL) says it will release a report to European regulators on Google’s changes to its privacy policies by early September, Bloomberg reports. CNIL’s Isabelle Falque-Pierrotin said Google’s responses to the authority’s inquiry came in about two weeks late, which is delaying the report, and added the company’s answers “weren’t entirely satisfactory.” The two entities have been “engaged in extremely close discussions,” Falque-Pierrotin said. Google Global Privacy Counsel Peter Fleischer said in his June 21 response to CNIL that the company’s “new simple, easy-to-read privacy policy” is “in compliance with European data protection principles.”

PRIVACY—UK

MPs Question ICO on Employee’s Move to Google (July 11, 2012)

A freedom of information request has revealed that the former strategic liaison group manager for government and society at the Information Commissioner’s Office (ICO) is now a privacy policy manager at Google, causing Member of Parliament Robert Halfon to question the ICO’s legitimacy, reports The Inquirer. The ICO has been criticized for its Google Street View investigation, and the staffing change has Halfon urging “the government to consider whether the public can continue to have confidence in the ICO.” The ICO has said the employee played no part in the Google investigation and continues to be “legally bound by a confidentiality agreement…as part of the Data Protection Act.”

DATA PROTECTION—UK

Study: British Public Skeptical of Companies’ Data Uses (July 11, 2012)

The Wall Street Journal reports the British public is “deeply skeptical of companies collecting personal data” and “does not trust companies to safeguard that data.” That’s according to the Data Nation 2012 study, which found that the number of people opposing data collection “overwhelmingly” outnumbers those who support it. The report also found that 82 percent of those surveyed realize their data is being collected, but only 29 percent are confident companies won’t surreptitiously share their data with third parties. Respondents said the top two reasons why they’d stop using a service would be if the company failed to protect their data or sold anonymized data. (Registration may be required to access this story.)

SOCIAL NETWORKING—IRELAND

DPC Officials Following Up on Audit (July 10, 2012)

The Irish Times reports on a visit from the Office of the Data Protection Commissioner (DPC) to Facebook’s headquarters in Dublin “in a follow-up to a major audit of the company’s privacy policies and use of customer data.” The DPC is holding a formal review following Facebook’s agreement to make changes to its privacy policy and the way it retains user data, the report states. Deputy Data Protection Commissioner Gary Davis described last year’s Facebook audit as “the most comprehensive and detailed” ever undertaken by the DPC. A Facebook spokesman said the company has been keeping the DPC “closely informed” as it implements the audit’s recommendations.

EMPLOYEE PRIVACY—FRANCE

Company Fined €10,000 for Withholding Employee Data (July 10, 2012)

The French data protection agency (CNIL) has fined a regional water utility €10,000 for failing to hand over GPS tracking data to an employee who was attempting to prove that he had been the victim of a workplace accident, reports PCWorld. The man reported the company to the CNIL after waiting 11 weeks for a response; the CNIL then sent four requests over the next six months and a formal notice to hand over the data, to no avail. The CNIL’s ruling stated, "Through its stalling tactics, the company took the risk of depriving the plaintiff of the possibility of accessing data, the storage of which was only guaranteed for six months after its recording."

PRIVACY LAW—GERMANY

German Gov’t Considers Amending Data Sharing Bill (July 9, 2012)

The German government is likely to change a controversial law that allows government offices to sell personal information to marketing companies, SPIEGEL reports. The government passed the bill last month, but a spokesman says it's likely Parliament will amend it following protests from data protection rights groups and politicians who are concerned with individuals' lack of privacy under the measure and the way in which it was passed. The bill allows individuals to opt out of having their information sold to third parties, but Schleswig-Holstein Data Protection Commissioner Thilo Weichert has called it "legal madness." If not overturned, the bill will go into effect in 2014.

PRIVACY LAW—EU

ENISA Says Proposal Could Have Negative Impact on Breach Prevention (July 9, 2012)

A new report from the European Network and Information Security Agency (ENISA) says proposed EU regulations that would require Internet firms to quickly report data breaches could lead companies to focus on "symptoms rather than causes of cybersecurity vulnerabilities if not augmented by other regulations," FierceGovernmentIT reports. In a June report, the Justice and Fundamental Rights Directorate General proposed updating existing regulations to require breaches be reported to government supervisory entities within 24 hours. But "like many other areas of regulatory intervention," the proposal "addresses the symptoms and not the cause of cybersecurity problems," ENISA says.

PRIVACY LAW—EU & INDIA

India Seeks “Secure” Status for Deal with EU (July 9, 2012)

The Economic Times reports on the EU's study of India's data protection laws in deciding on its commitment in the bilateral free trade agreement being negotiated between the two. The chief executive of the Data Security Council of India, Kamlesh Bajaj, says the country is "data secure" even if its data protection law is worded differently than the EU directive. The country amended its Information Technology Act to be compliant with EU standards four years ago. "If India is given a data secure status, not only will Indian firms save on costs, but EU companies will also have increased confidence in doing business here," Bajaj says.

CLOUD COMPUTING—EU & IRELAND

Article 29 Working Party Releases Cloud Opinion, Hawkes Releases Guidelines (July 5, 2012)

The Article 29 Working Party has released an opinion on cloud computing that outlines data protection risks, particularly “a lack of control over personal data” and the “unavailability of a common global data portability framework.” The opinion warns that “a lack of transparency in terms of the information a controller is able to provide to a data subject on how their personal data is processed is highlighted…as a matter of serious concern.” For the group, “A key conclusion…is that businesses and administrations wishing to use cloud computing should conduct, as a first step, a comprehensive and thorough risk analysis” and a cloud client “should select a cloud provider that guarantees compliance with EU data protection legislation.” Meanwhile, Ireland’s data protection commissioner has released cloud guidelines, and a UK ICO spokesman said its guidance is in development and will be published in the next few weeks. Editor's note: Tools and templates for conducting risk assessments are available on the IAPP Resource Center.

PRIVACY LAW—UK

ICO Levies £150,000 Fine Following Breach (July 5, 2012)

Out-Law.com reports on the Information Commissioner’s Office (ICO) fining Welcome Financial Services Limited (WFSL) £150,000--its highest penalty to date--following the loss of about half a million customer records. Customer names, addresses, phone numbers, dates of birth and loan account information “had been stored on two unencrypted backup tapes that the company used to log its daily business activity,” the report states, noting WFSL discovered the tapes were "unaccounted for" last November. The ICO reported receiving 26 formal complaints about the incident.

PRIVACY LAW—FRANCE

CNIL Releases Warning Decision (July 5, 2012)

Using its power of making its warning decisions public, the CNIL has issued a public "blame" against the affiliate of a financial services group, operating as the group's IT service provider, for making available to all employees of the group documents about some of the bank's customers and their transactions. This exclusive for The Privacy Advisor examines the incident and the CNIL’s perspective that the IT provider's behavior in this case demonstrated "unforgivable lightness."

TRAVELLER’S PRIVACY—UK

Airline Faces Criticism Over Personalisation Plan (July 5, 2012)

British Airways is facing a backlash from privacy campaigners following its unveiling of plans to use the Internet to create dossiers on passengers, reports the London Evening Standard. The company’s “Know Me” programme will use Google images to identify passengers as they exit plane terminals so staff can address them, adding “a more personal touch.” Big Brother Watch says, “If British Airways wants more information about us, they can ask us for it rather than ignoring people’s privacy and storing data without us having any idea what data they are storing.”

PERSONAL PRIVACY—EU & UK

EDPS Warns Smart Meters Threaten Privacy (July 5, 2012)

The European Data Protection Supervisor (EDPS) has warned that smart meters will be used to track more than household energy consumption if no privacy safeguards are established, The Guardian reports. Though the Europe-wide rollout of smart meters “may bring significant benefits, it will also enable massive collection of personal data,” the EDPS stated. The EDPS’s assistant director said, “together with data from other sources, the potential for extensive data mining is very significant,” adding, “Profiles can be used for many other purposes, including marketing, advertising and price discrimination by third parties.”

PRIVACY LAW—UK

Cabinet Office Releases Anonymisation Whitepaper (July 5, 2012)

According to a whitepaper released by the Cabinet Office, government departments must conduct tests to determine whether data blocks they release can be reidentified by other publicly available data sets, Out-Law.com reports. “Open Data White Paper: Unleashing the Potential” says that government departments would have to conduct “disclosure testing” when there are “concerns regarding the potential unintended identification of individuals” prior to releasing data. The “new requirement” would dovetail with existing requirements to conduct privacy impact assessments (PIAs) when making data release determinations. According to the report, “PIAs and effective disclosure testing provide the infrastructure for government to pursue transparency and privacy simultaneously.”

PRIVACY LAW—UK

Police Employee Suspended Over Data Protection Act Concerns (July 5, 2012)

BBC News reports on the suspension of a West Mercia Police staff member “pending inquiries into a possible Data Protection Act breach.” The investigation was launched after employees raised concerns related to “an incident in June at the force's Control Room North in Shrewsbury,” the report states.

DATA PROTECTION—EU

Study: EU Needs Better Cyberinsurance Options (July 5, 2012)

COMPUTERWORLD UK reports on cyberinsurance market findings by the European Network and Information Security Agency. According to the report, the EU lacks a well-developed cyberinsurance market. If developed, specialised insurance products could improve IT security and data protection for businesses and individuals. Meanwhile, IBM’s Centre for Applied Insights recently conducted a survey on the role of chief information security officers (CISO). “With the increasing demand and expansion of the global role of security,” the report states, “the role of a modern CISO is evolving from simply being a technical officer to a leader in business strategy.”

PRIVACY LAW—EU

European Parliament Axes ACTA (July 5, 2012)

Members of the European Parliament (MEP) voted Wednesday to reject the Anti-Counterfeiting Trade Agreement (ACTA), COMPUTERWORLD reports. The vote, 478 against and 39 for ACTA, means the agreement cannot become law in the EU. After ACTA was signed in January, civil liberties and digital rights groups across the continent protested that the law would allow Internet service providers to police users, breaching users' right to privacy and leading to censorship. The European Court of Justice will still review whether ACTA is compatible with EU law, "but this is now an academic exercise," the report states. One MEP said, "No emergency surgery, no transplant, no long period of recuperations is going to save ACTA."

DATA PROTECTION—UK

ICO Releases Annual Report (July 5, 2012)

As his office releases its annual report, Information Commissioner Christopher Graham warns that organizations are learning the hard way about the consequences of mishandling personal information, SC Magazine reports. The office says it has issued 21 civil monetary penalties since it was granted the power to do so. "Over the past year, the ICO has bared its teeth and has taken effective action to punish organizations, many of which have shown a cavalier attitude to looking after people's personal information," Graham said, adding he hopes the penalties "send a clear message."

BIG DATA

The E-Book’s Two-Way Mirror (July 3, 2012)

The Wall Street Journal reports on the rise of big data analytics on consumers' e-reading habits by publishers, providing "a glimpse into the story behind the sales figures, revealing not only how many people buy particular books but how intensely they read them." Now that publishers are employing e-reader data analytics, the formerly private act of reading is becoming "something measurable and quasi-public," the report states. The U.S.-based Electronic Frontier Foundation argues that readers should have the right to opt out of being tracked by publishers, adding, "There's a societal ideal that what you read is nobody else's business." (Registration may be required to access this story.)