European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

ENISA Calls for Closing Breach Gaps in EU Laws (August 30, 2012)

The European Network and Information Security Agency (ENISA) has said there are “regulatory gaps” in the scope of EU laws in certain cases of security breaches, Out-Law.com reports. Breaches affecting companies such as LinkedIn and Research In Motion were examples of incidents that had not “clearly” fallen within EU laws. ENISA has asked the European Commission and national authorities to rethink the interpretation of “electronic communication services” in order to close these alleged regulatory gaps. “This can be done without necessarily changing the text of existing legislation…but rather the interpretation of what the services are…because the landscape of electronic communications is continuously changing,” according to an ENISA report.

DATA LOSS—SWITZERLAND & GERMANY

Former Employee May Have Breached Bank Data (August 30, 2012)

A Swiss bank is investigating an incident involving a former employee who may have misused client data by allegedly sharing it with German authorities investigating tax evaders, CITY A.M. reports. The suspect had been sacked by the company for the data breach, the report states.

EMPLOYEE PRIVACY—BELGIUM

DPA Clarifies Workplace Cyber-Surveillance Policy (August 30, 2012)

In May, the Belgian Data Protection Authority (DPA) released its recommendation on cyber-surveillance in the workplace. In this exclusive for The Privacy Advisor, Lorenz Data Privacy Practice Head Jan Dhont and data protection specialist Jonathan Guzy delve into the implications of the DPA’s recommendations. “This nonbinding recommendation strives to clarify the Belgian rules governing access to the content of electronic communications at work,” they write. (IAPP member login required.)

PRIVACY LAW—GERMANY

Can Breach Warnings Be Unfair Commercial Practice? (August 30, 2012)

In this exclusive for The Privacy Advisor, Norton Rose Partner Flemming Moos analyses “two contradictory judgments by German courts in relation to whether companies can issue warning letters under the Act Against Unfair Competition because of data protection breaches by a competitor.” Moos notes the cases shed light on this issue because each court reached the opposite decision, even though “the facts of these two cases were almost identical.” (IAPP member login required.)

HEALTHCARE PRIVACY—UK

Opinion: “Anonymous” Record Sharing Harms Privacy (August 30, 2012)

In a column for The Guardian, Ross Anderson writes that as David Cameron’s “anonymous” record-sharing initiative goes live next month, the privacy of medical records “will be sold off.” Anderson cites a Royal Society report stating, “a substantial body of work in computer science has now demonstrated that the security of personal records in databases cannot be guaranteed through anonymisation procedures where identities are actively sought.” Anderson notes that medical records pose particular challenges because “they often contain publicly known information mixed with private stuff…” Anderson also opines that the information commissioner’s draft anonymisation code of practice is not strong enough to protect patient privacy.

DATA LOSS—UK

ICO To Fine One Council, Another Avoids Fines (August 30, 2012)

The Kingston Council will avoid a fine after an investigation by the Information Commissioner’s Office (ICO), but the ICO has served a notice of intent to Scottish Borders Council, meaning the council most likely will face a fine for violating the Data Privacy Act, according to The Southern Reporter. Meanwhile, the ICO says the increase in the number of UK data breaches, as revealed in a recent Freedom of Information Act request, is reflective of the rise in organisational reporting of incidents.

ONLINE PRIVACY

Privacy Worries Surround UN Internet Regs (August 30, 2012)

“What would online privacy look like if the United Nations (UN) regulated the Internet?” queries Mathew J. Schwartz in this exclusive for The Privacy Advisor. “That’s one question on the minds of privacy advocates as the International Telecommunications Union—a UN agency based in Geneva, Switzerland, that regulated telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance,” Schwartz writes. According to the report, some proposals “have technologists and—at least in the United States—legislators up in arms, leading to allegations that the renegotiated treaty could allow countries such as China and Russia to more easily censor the Internet.”

SOCIAL NETWORKING—GERMANY

Consumer Group Tells Facebook To Fix App Centre (August 28, 2012)

Reuters reports the Federation of German Consumer Organizations “believes Facebook is violating privacy laws with its new app center and has set a deadline for the social network…to fix it or potentially face legal action.” The group contends the app center gives third-party applications users’ information without their knowledge. “It will consider legal action against Facebook if the site fails to fix the problem by September 4,” the report states, noting the deadline follows plans by Hamburg’s data protection commissioner to “reopen his investigation into Facebook's policies on tagging photos, retaining and deleting data and the level of control users have over their information.”

PRIVACY LAW—UK

Retailers Could Be Forced To Release Data (August 27, 2012)

UK ministers have announced they may require supermarkets and online retailers “to release sensitive personal data they hold about customers,” the London Evening Standard reports. Companies could be required by law “to provide electronic copies of ‘historic transaction data’ when individuals request it,” the report states, which would mean shoppers receive “records of their purchases and spending habits.” While consumers currently have the right to request such information under the Data Protection Act, “the details are rarely in electronic form, and the process is awkward and slow,” the report states, noting, “The new rules would make access far quicker and easier.”

EMPLOYEE PRIVACY—SWITZERLAND & U.S.

Swiss DPA Asks Banks To Halt Data Transfers, Will Investigate (August 23, 2012)

Switzerland Data Protection Commissioner Hanspeter Thür has written to a number of Swiss banks to find out what data has been transferred to U.S. authorities investigating American tax evaders and why information such as employee telephone numbers and written correspondence were included, swissinfo.ch reports. “We have informed them that we are opening an analysis to verify the legality of the data transmitted to the U.S.,” Thür said, adding, “Until we have the result, we have demanded that no further bank employee data be sent to the U.S.” The transferred data was supposed to have been encoded to protect employee identities but was reportedly re-identified, the report states.

GEO PRIVACY—UK

Website Publishes Location from Tweets (August 23, 2012)

A website has generated controversy for publishing home addresses using geolocation information gleaned from users’ tweets, the Daily Mail reports. WeKnowYourHouse.com says it is alerting users of the location feature and, the report states, it deletes user data after one hour and provides an opt-out. A security expert said “it’s scary to see how much information can be compiled against someone so quickly, using information that is freely available.” Big Brother Watch’s Nick Pickles said the site could help users better understand the vulnerabilities of disclosing location data.

SURVEILLANCE—UK

Police, Councils Collecting Citizen Data (August 23, 2012)

The Guardian reports on police intelligence records obtained using the Freedom of Information Act revealing that the Police National Database (PND) contains 317.2 million records of individuals, including files on protesters and other unconvicted “persons of interest.” The PND allegedly shares its files with Britain’s police agencies. Meanwhile, Big Brother Watch (BBW) has released a report revealing that councils may be misusing the Regulation of Investigatory Powers Act. BBW’s Nick Pickles said, “With no transparency, and only councils subject to court approval, the law is dangerously flawed,” adding that a review of the law is needed “before any more powers are considered that further endanger our civil liberties and privacy.”

CCTV—UK

Council Appeals ICO’s Order to Halt Recording (August 23, 2012)

The Southampton City Council is appealing an order by the Information Commissioner’s Office (ICO) to stop requiring taxis to record their transports, BBC News reports. In July, the ICO said the practice breaches the Data Protection Act. But Council Deputy Leader Jacquie Rayment said the council goes to lengths “to protect the privacy of all drivers and passengers,” adding, “No one sees these videos unless there is an incident that needs investigating, and in those cases, the footage and audio becomes crucial independent evidence.” A council spokesman said Southampton taxis will continue to record transports until the appeal is heard in spring 2013.

ONLINE PRIVACY—NORWAY

DPA Asks Agencies for Tracking Info (August 22, 2012)

The Norwegian Data Protection Authority (DPA) is concerned that two state agencies are violating Norwegian data protection law through their use of Google Analytics, and it has asked the agencies for more information, PCWorld reports. The DPA says that because the tracking service collects Internet protocol (IP) addresses and because the agencies—the Tax Administration and the State Educational Loan Fund—may not have control over how the IP addresses are handled, it wants documentation “before it moves forward.”

PRIVACY LAW—UK

ICO Defends Cookie Compliance Initiatives (August 22, 2012)

The Information Commissioner’s Office (ICO) has defended its record against claims it has not investigated cookie compliance failures, SC Magazine reports. An earlier report stated the ICO received 320 violation claims without investigating one. The ICO said the report was “dramatically wide of the mark,” adding, “So far, 45 (websites) have been analyzed, of which 27 have clearly taken action to increase the visibility of the information about cookies.” The ICO also said, “A progress update, including a list of all the websites contacted, will be published on our website in November…” Editor's Note: The session Passport to the EU: Cookies, Consent and Other Marketing Issues will be featured during the IAPP's Practical Privacy Series Marketing and Advertising track on October 30 in New York City.

PRIVACY LAW—UK

ICO To Probe Tesco Website (August 21, 2012)

The Information Commissioner’s Office will investigate claims that Tesco’s website doesn’t protect consumer privacy, ComputerWeekly reports. A number of security experts have raised concerns about how the retailer’s main website stores shoppers’ passwords. One expert said Tesco sent him an e-mail containing his password in plain text, indicating the company is not encrypting such data. The expert also said the company is not using Hypertext Transfer Protocol Secure (HTTPS) on its site to protect users from phishing attacks and data theft. Tesco has said its security is robust and there is no reason to believe customer data is at risk.

DATA LOSS—UK

Children’s Private Data Leaked Online (August 21, 2012)

The personal information—including names, addresses, accomplishments, illnesses and learning difficulties—of 1,367 children seeking to enter the country’s top independent schools was leaked online, The Independent reports. The company holding the data said it was a victim of a cyber attack and has since shut down the compromised website. An Information Commissioner’s Office spokesman said, “We will be making inquiries into the circumstances of any potential breach of the Data Protection Act before deciding what action, if any, needs to be taken.” Meanwhile, Essex County Council has suffered a breach after an employee allegedly sent the sensitive personal data of 400 individuals to an unauthorized recipient.

PRIVACY LAW—HUNGARY

Hungarian DPA Issues Maximum Fine (August 20, 2012)

The Hungarian Data Protection Authority has imposed a fine of €35,700 on an online real estate marketplace for unauthorized data processing. The fine is significant in that it is the first maximum fine imposed under Hungary’s new Privacy Act, which took effect January 1. The company controlled websites that offered users free trial periods but later invoiced them high fees and transferred customer data to third parties without consent or notification. In this exclusive for The Privacy Advisor, Bird & Bird’s Bálint Halász discusses the details and implications of the case.

BIOMETRICS—GERMANY

DPA Reopens Facial Recognition Probe; Expert Weighs In (August 16, 2012)

Hamburg Data Protection Officer Johannes Caspar has reopened an investigation into Facebook’s facial recognition practices, saying the company is illegally amassing a photo database without users’ consent, The New York Times reports. Caspar said, “We have met repeatedly with Facebook but have not been able to get their cooperation on this issue, which has grave implications for personal data.” Caspar’s office wants Facebook to destroy its database of faces collected in Germany and alter its website to obtain express consent, the report states. Facebook said, “We believe that the photo tag suggest feature…is fully compliant with EU data protection laws.” Meanwhile, in a personal blog post, Google Global Privacy Counsel Peter Fleischer advocates for a lead regulator in Europe. (Registration may be required to access this story.)

DATA PROTECTION—UK

Firm Warns SMEs of Data Risks, Rising Fines (August 16, 2012)

A finance provider has warned small- and medium-sized enterprises to keep their data secure or risk a large fine, PublicService.co.uk reports. Syscap has said that the private sector will begin to see a rise in monetary penalties from the Information Commissioner’s Office (ICO) for serious data breaches. A company representative said, “It’s clear that the ICO is starting to take a much more proactive stance in penalising data lapses, so this is something that business owners need to take very seriously.” A representative from Duane Morris LLP said third parties responsible for data breaches should “suffer the consequences” of ICO fines. Meanwhile, Scottish Borders Council may face fines from the ICO after pension records were discovered in a recycling centre.

MOBILE PRIVACY—CZECH REPUBLIC

IMSI Catcher Use Becoming Widespread (August 16, 2012)

Český rozhlas reports on the growing use of IMSI catchers, or agátas, throughout the Czech Republic. The technology can track mobile phone calls and SMS messages in a given radius. One expert explained, “It sends out a signal that is basically like the one coming from a cellular phone base station, which is why a mobile phone would voluntarily connect to it.” Tomáš Almer, head of wiretapping for the Czech Criminal Police, has confirmed the growing use of the technology throughout the country, the report states.

PRIVACY LAW—EU & U.S.

Opinion: Google Case Reveals Weak U.S. Privacy Laws (August 16, 2012)

In a column for Spiegel, Christian Stöcker says the U.S. Federal Trade Commission’s (FTC) $22.5 million fine of Google last week “underscores weaknesses in U.S. data protection regulations.” Though the fine is the largest in the FTC’s history and “far higher than any fine that has ever been imposed in Germany for data protection violations,” it represents “just 0.81 percent of the profits of the company,” and Stöcker adds, “some American data and privacy protection advocates are placing their hopes on the possibility of tougher regulations coming from Europe.”

PRIVACY LAW—UK

ICO “Not Ready” for Cookie Investigations (August 14, 2012)

The Information Commissioner’s Office (ICO) has said it is “not ready” to investigate any cookie consent rule complaints because staff is not yet in place for such a task, PCPro reports. Since the ICO unveiled its online submission tool, 320 websites have been reported. “At present the information has not yet been analyzed as the team which will have responsibility for this is not in place yet,” the ICO said. Meanwhile, according to a new study, fines issued by the ICO have totaled £1.8 million in the last year, up from £431,000 in the previous 12 months.

DATA PROTECTION—SWEDEN

Government Gets Go-Ahead for Blacklist Database (August 13, 2012)

The Swedish Data Inspection Board will allow the government to start a registry of blacklisted sports supporters, The Local reports. The board says there are a number of issues that need to be addressed before the registry moves forward, including exactly what information would be kept on blacklisted individuals and the way innocent individuals would be affected by proposed measures such as increased surveillance. The board also says an in-depth analysis of what information would be available to sports associations and event organizers is necessary. “There’s always a risk that information kept in these types of sensitive registers will fall into the wrong hands,” said the board’s director general.

ONLINE PRIVACY

The Difficulties of Cultivating Online Trust (August 13, 2012)

The New York Times reports on security expert Bruce Schneier’s concerns about how trust “is cultivated, destroyed and tweaked in the digital age.” Schneier says we have long-standing ways of establishing trust offline, but online, “this becomes even more complicated.” In his latest book, Liars and Outliers: Enabling the Trust That Society Needs to Thrive, he writes, “The technology changes how our social interactions work, but it’s easy to forget that,” adding, “In this way, our traditional intuition of trust and security fails.” In particular, Schneier worries about government agencies and private companies “advancing their own interests, whether for surveillance or commerce.” (Registration may be required to access this story.) Editor’s Note: Inside 1to1: PRIVACY recently caught up with Martha Rogers to discuss her new book, Extreme Trust: Honesty as a Competitive Differentiator.

PRIVACY LAW—IRELAND

Commissioner: Top Banks To Be Audited (August 10, 2012)

Irish Times reports that the Office of the Data Protection Commissioner (DPC) will audit Ireland’s top banks in the coming months. The announcement comes after the DPC discovered that AIB “supplied inaccurate personal data” to the Irish Credit Bureau (ICB) in breach of data protection law and resulting in the denial of credit to individuals. AIB has confirmed the incorrect reporting of missed loan repayments to the ICB over a six-year period. One MEP said the DPC “has performed excellently in this case; however, we need to strengthen and reinforce the office to ensure that it can effectively monitor companies, investigate breaches and protect individuals."

HEALTHCARE PRIVACY—UK & U.S.

Comparing Each Nation’s Privacy Enforcement Strategies (August 10, 2012)

A GovInfoSecurity report analyzes the healthcare breach enforcement strategies of the UK and the U.S. In the UK, emphasis relies on “publicizing frequent financial penalties” while the U.S. focus has centered on the announcement of less frequent “resolution agreements.” This year, the UK has handed out 11 fines totaling £1.4 million—approximately $2.2 million—and the U.S. has issued three resolution agreements totaling $3.3 million. “The jury is out on which nation’s approach will be more successful in reducing the number of breaches over the long haul,” the report states.

DATA LOSS

Gamers Urged To Change Passwords After Breach (August 10, 2012)

Blizzard Entertainment is warning gamers to change their passwords due to a security breach of its internal network, CNET News reports. Certain e-mail addresses and scrambled passwords are believed to have been stolen, according to the company. “At this time, we've found no evidence that financial information such as credit cards, billing addresses or real names were compromised,” said company President Michael Morhaime in a blog post. “Our investigation is ongoing, but so far nothing suggests that these pieces of information have been accessed.”

ONLINE PRIVACY

Google To Include Gmail Content in Web Searches (August 10, 2012)

Google has announced plans to roll out a new feature to a million Gmail users who sign up for it, and after accepting feedback, hopes to give all accountholders the ability to opt in to the feature that would allow contents of users’ Gmail correspondences to be included in their Google searches, reports the Associated Press. The feature is a response to a more people-centered Internet driven by the prevalence of information sharing on social networks, the report states, and may bring with it privacy concerns. To alleviate these concerns, Google will show Gmail communications in a collapsed format that users have to open in order to see details.

FINANCIAL PRIVACY—HUNGARY

HFSA Offers Cloud Guidance (August 9, 2012)

The Hungarian Financial Supervisory Authority has issued a circular on the use of cloud computing technologies for Hungarian financial institutions. In this exclusive for The Privacy Advisor, Márton Domokos notes this marks the first time a Hungarian regulatory authority has issued such an opinion. This feature details the document’s recommendations for financial institutions to address data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

PRIVACY LAW—IRELAND

Commissioner: AIB’s Misreporting Violated Law (August 9, 2012)

RTÉ News reports that Deputy Data Protection Commissioner Gary Davis has said AIB “supplied inaccurate personal data” to the Irish Credit Bureau (ICB) in breach of data protection law. The misreported data resulted in individuals being denied credit, the report states, noting AIB has confirmed the incorrect reporting of missed loan repayments to the ICB over a six-year period. Davis is urging those affected to get copies of their credit reports to ensure their information is now accurate.

ONLINE PRIVACY

Search Tool Moves Toward Artificial Intelligence (August 9, 2012)

The New York Times reports on a Google search tool that aims to understand human meaning, have spoken conversations and provide results—not only from the Internet but from users’ personal lives. The tool, which is being rolled out to the first million volunteers, will also incorporate a user’s Gmail messages to aid in searches. Google Senior Vice President of Search Amit Singhal said the moves are “baby steps in the direction of making search truly universal” and toward building in artificial intelligence. The company emphasized that users can turn the search tool off. Singhal added, “We have to do this very carefully; we know that.” (Registration may be required to access this story.)

DATA PROTECTION—UK

ICO Issues Guidance for SMBs (August 9, 2012)

The Information Commissioner’s Office (ICO) has issued guidance on the top five areas of improvement recommended for small- and medium-size businesses. Among the suggestions, staff training and communication with customers are the most important, SC Magazine reports. The office suggests organizations tell people how their data is being used; ensure proper staff training; use strong passwords; encrypt portable devices, and only retain data for as long as necessary. The ICO recommends charities and third parties conduct data protection checkups given that they often handle sensitive information. The office also offers advisory visits to organizations seeking advice on data protection improvements.

ONLINE PRIVACY

Internet Explorer 10 To Keep DNT By Default (August 8, 2012)

Microsoft has announced it will keep its default do-not-track (DNT) setting in Internet Explorer 10 (IE10), Ars Technica reports. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “Customers will receive prominent notice that the selection of Express Settings turns DNT on.” Users will also have the option to opt out of DNT in the customize setting. Lynch added, “Our approach to DNT in IE10 is part of our commitment to privacy by design and putting people first…We believe consumers should have more control over how data about their online behavior is tracked, shared and used.”

CLOUD COMPUTING

The Cloud and Its Privacy Risks (August 8, 2012)

TECHNEWSWORLD reports that privacy in the cloud “may be an illusion,” and businesses relying on the cloud should be aware of its privacy risks. Laws in the U.S., EU and elsewhere allow government agencies access to cloud data, and Mutual Legal Assistance Treaties facilitate cooperation across borders, allowing law enforcement to request data in any country that is a part of such a treaty. The report points to a recent whitepaper that concludes “it is not possible to isolate data in the cloud from governmental access based on the physical location of the cloud service provider or its facilities.”

DATA PROTECTION—UK

Advocate: Gambling Industry “Ignores” Privacy Laws (August 8, 2012)

The founder of Privacy International, Simon Davies, has said the online gaming industry is failing to adequately protect its customers’ personal data and violates the UK’s Data Protection Act (DPA), computing.co.uk reports. After analyzing the industry for two years, Davies says many online sites collect vast amounts of personal information, including passport and credit card scans, driver’s licenses and utility bills. “All the available evidence indicates that this information is stored permanently,” Davies has said, adding that this constitutes a violation of the third and fifth principles of the DPA, the report states.

PRIVACY LAW—EU

Committee: Too Many Exceptions and Restrictions in EC Proposals (August 7, 2012)

The European Economic and Social Committee has said search engines, social networks and some cloud computing services should be brought within the scope of forthcoming European data protection reforms, Out-Law.com reports. The committee said the European Commission’s proposals need to be “more in line with the needs and expectations of the public,” and it is concerned about the number of exceptions and restrictions within the proposals. “The proposal could have gone further in increasing the protection offered by certain rights,” the committee said in a report, adding that the rules should be “applied more systematically to certain fields of economic and social activity.”

DATA LOSS—UK

ICO Fines Health Trust £175,000 (August 7, 2012)

The Information Commissioner’s Office (ICO) has fined a health trust £175,000 for inadvertently publishing the sensitive personal information of approximately 1,000 staff members on its website in April 2011, The Independent reports. Torbay Care Trust released a spreadsheet that contained staff members’ sexual orientations and religious beliefs in addition to names, birth dates, salaries and National Insurance numbers. Describing the incident as “serious” and “extremely troubling,” the ICO’s investigation revealed that the organization has poor privacy guidance for staff. The ICO said the trust is “taking action to keep its employees' details secure."

PRIVACY LAW—EU

Member States Concerned About Proposed EU Regulation (August 6, 2012)

Out-Law.com reports on a leaked file from the Council of Ministers containing concerns by the UK government about proposed EU data protection reforms. “We are of the view,” the file states, “that the proposed general regulation should be a directive in order to provide greater member state flexibility to implement the measures—a regulation would allow the EU to prescribe rules without necessarily giving due regard to national tradition and practice.” The leaked document was published by civil liberties organization Statewatch and contains the opinions of 20 European states on the proposed reform.

PRIVACY—FINLAND

Ombudsman Examines Sites; Gov’t Data Sharing in Force (August 2, 2012)

Finland Data Protection Ombudsman Reijo Aarnio will examine 70 websites of organisations that experienced a data breach or threat of a breach within the past year to find out if they’ve made improvements to their systems, reports Helsingin Sanomat. Erka Koivunen of the Finnish Communications Regulatory Authority says, “Careful coding and checkups should prevent” many attacks, and Aarnio says technology is not used enough in data protection. Meanwhile, the nation’s agreement with the U.S. to mutually share data to aid in solving serious crimes and terrorist acts went into effect this week. The agreement includes the sharing of DNA and fingerprint data. Sharing will begin when the technical details of the system have been determined.

PRIVACY LAW—ITALY

Garante Adopts Telecom Measures Toward Directive (August 2, 2012)

The Italian data protection authority, the Garante, has issued guidelines requiring telecom providers and operators to implement measures to prevent data breaches and, in the event of a breach, notify the Garante as well as those affected. Rocco Panetta, CIPP/E, of Panetta & Associati, says, additionally, “Administrative sanctions of up to €150,000—to be multiplied up to a maximum of four times in function of the revenues of the data controller—and criminal sanctions of up to six months in jail have been introduced.” The Garante has launched a public consultation on aspects of the rules, which will be open for 90 days.

PRIVACY LAW—UK

Bill Would Mean More Access to Communications (August 2, 2012)

The draft Communications and Data Bill, currently in Parliament, would see the UK adopt standards set by the European Telecommunications Standards Institute (Etsi), allowing for increased interception of online data, reports The Guardian. While a Home Office spokeswoman says it is “simply untrue to suggest we would be able to collect the content of communications data,” privacy and civil rights groups view the move as a stepping stone toward interception. The report states that the Etsi standards were not disclosed to the committee established to review the bill, adding to their skepticism.

BIOMETRICS—NORWAY

DPA Probes Facebook’s Facial Recognition Program (August 2, 2012)

Norway’s data protection commissioner, Bjorn Erik Thon, has said his office is investigating Facebook’s facial recognition tagging program out of concern that it may breach privacy regulations, Bloomberg reports. Thon said, “It’s a very powerful tool that Facebook has, and it’s not yet clear how it all really works,” adding, the material the company “has in its databases is something we need to discuss with them.” Thon also noted his office is coordinating its investigation with its Irish counterpart. Earlier this year, the EU’s Article 29 Working Party issued an opinion on the new technology.

INFORMATION ACCESS—UK

Graham Welcomes Calls to Increase FOI Time Limit (August 2, 2012)

Information Commissioner Christopher Graham says that while he welcomes the Justice Committee’s recommendations to increase the time period for his office to prosecute Freedom of Information Act breaches, it will take time to implement. The law must be changed in order to increase the time allotment, which is unlikely to happen within the year, said Graham, adding, "I do not think this is that contentious but just a question of the politicians and legal draftsmen sorting things out."

PERSONAL PRIVACY—UK

Are Councils Collecting Too Much Personal Data? (August 2, 2012)

In light of two recent incidents involving Southampton and Islington councils, The Guardian asks, “how much information do councils need to get their services right?” According to the article, “Both cases highlight the need to treat data carefully, but is local government now overstepping the mark when it comes to profiling local residents?”

MOBILE PRIVACY—FRANCE

CNIL Study Targets the “Black Box” of Smartphones (August 2, 2012)

The French data protection authority, the CNIL, has made smartphones the first topic of its strategic planning research, assessing users’ practices and perceptions of data protection on the devices in its “Smartphones and Privacy: Uses and Protection Measures” study. “Beyond this initial step, CNIL will endeavor to incite the various players in building a framework for more transparent and privacy-friendly products and services,” writes CNIL Chairwoman Isabelle Falque-Pierrotin in CNIL’s newsletter Innovation & Prospective. Findings from the study show one-fourth of smartphone users have no locked access code on their phones and 51 percent believe incorrectly that data from a mobile phone cannot be transmitted without user consent.

DATA PROTECTION—EU

ENISA Calls for End User, Service Provider Collaboration (August 2, 2012)

The European Network and Information Security Agency has called for collaboration between service providers and end users to protect online identities, ComputerWeekly reports. The agency said this week that in the first half of 2012, millions of citizens’ personal data was exposed due to data breaches, often affecting multiple sites at once. The agency published guidelines for online service providers on passwords, authentication systems and data breach notifications—which it believes will contribute to better data protection in the long term.

PRIVACY LAW—EU & FRANCE

CNIL Asks To Examine Street View Data (August 1, 2012)

The French data protection authority (CNIL) has asked Google to make undeleted payload data from its Street View project available for analysis, The New York Times reports. The move comes days after the UK’s Information Commissioner’s Office (ICO) announced a similar inquiry. The CNIL said that like the ICO, it has asked the company to keep the data in question “secure while the necessary investigations are conducted.” Google Global Privacy Counsel Peter Fleischer said the company learned some of the data still existed during a “comprehensive manual review of our Street View disk inventory.” (Registration may be required to access this story.)