European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Parliamentary Study on Proposed Regulation Finds Room for Improvement (September 27, 2012)

The study "Reforming the Data Protection Package," authored by lawyers of the Polish firm Traple Konarski Podrecki and members of the European Legal Studies Institute in Osnabrück, Germany, was requested by the European Parliament's Committee on Internal Market and Consumer Protection. It analyses the European Commission's legislative proposal for a General Data Protection Regulation, which was published on 25 January, under four different aspects: mapping new technologies and services, such as geolocation services, cloud computing and smart metering; the internal market dimension, creating a level playing field for all businesses active in the EU; strengthening consumer rights; and international data transfers. Whilst the study concludes that the legislative proposal represents an improvement in each of these four aspects, at the same time it highlights the shortcomings and weaknesses of the proposal in relation to each of them, providing a number of recommendations. "This study reflects in some parts criticism raised by industry regarding the proposal, for instance in relation to the broad definition of personal data or the lack of incentives for the anonymisation or pseudonymisation of personal data, and will inform the decision-making process in the European Parliament," says partner Monika Kuschewsky, head of the European Data Protection practice of Van Bael & Bellis. (Registration may be required to access this story.) Editor’s Note: The upcoming IAPP Europe Data Protection Congress will include breakout sessions specifically focused on the EU’s data protection reforms.

PRIVACY LAW—EU & IRELAND

Hawkes: DPC Might Need More Resources (September 27, 2012)

Ireland Data Protection Commissioner Billy Hawkes has said his office may require more staff and resources in light of pending EU privacy legislation, EUObserver reports. Hawkes reportedly told EU Justice and Home Commissioner Viviane Reding that data protection authorities will need additional resources to “carry out their broader European oversight responsibilities.” Hawkes also said, “This is a key issue for us due to the large number of multinational companies handling personal data that have substantial operations in Ireland.”

CLOUD COMPUTING—NORWAY

DPA Gives Cloud Go-Ahead, But No Private Data (September 27, 2012)

After an earlier ban, Norway’s data protection authority has announced that councils may begin using cloud services such as Google Apps with the condition that no private data about the public is communicated, ZDNet reports. Data Protection Commissioner Bjorn Erik Thon said, “This does not constitute an open-ended permit for unlimited use of cloud computing services, but conditional upon certain prerequisites and a thorough and good risk analysis of the enterprise, cloud computing may be an acceptable solution.”

SOCIAL NETWORKING—FRANCE

CNIL Debunks Privacy Bug Fears (September 27, 2012)

In the wake of concerns raised by newspapers over Facebook posts, the Commission nationale de l’informatique et des libertés (CNIL) is debunking rumors of a privacy bug in the social network’s Timeline feature, GigaOM reports. “The investigation came after the French tabloid Metro reported on Monday that private messages were appearing unexpectedly on users’ Timelines,” the report states, noting other European newspapers and U.S. tech publications picked up on the story. The CNIL has “accepted Facebook’s explanation that the ‘messages’ were simply old public wall posts that became visible once more,” the report states.

DATA LOSS—UK

CPS Accused of Breach (September 27, 2012)

The Huffington Post UK reports the Crown Prosecution Service (CPS) “mistakenly released the names of nearly 300 people arrested at student protests, including 44 under-18s, to a member of the public.” A CPS spokesperson has said, “Since becoming aware of this breach on 13 September, the CPS has written to and apologised to those whose details appeared on the document” and to the individual who received the information, requesting it be destroyed. Jennifer Hilliard of Defend the Right to Protest responded, “I find it very disturbing that that information should be handed out so lightly.”

DATA PROTECTION—UK

ICO Report Gives Council Poor Rating (September 27, 2012)

After recent data protection blunders at the Dumfries and Galloway council, the Information Commissioner’s Office (ICO) conducted an independent report of the council’s privacy practices, giving it the second worst rating and a list of 41 recommendations for improvement. The ICO has given the council six months to comply with all but two of the recommendations. A working group has been formed to implement an action plan. Labour group leader Ronnie Nicholson called the council’s attempts to address privacy failings “shambolic,” saying the council needs to act quickly to address the recommendations.

DATA BREACH—UK

Suffolk Police Officers Resign After Breach Incidents (September 27, 2012)

Over the span of three years, the Suffolk Constabulary has seen two officers resign and two staff members fired due to data protection breaches, with several other staff receiving written warnings, reports the East Anglian Daily Times. Privacy advocates say the incidents should have been reported to the Information Commissioner’s Office (ICO), but a constabulary spokeswoman said if it can handle a breach to all parties’ satisfaction, it doesn’t see a need to report it to the ICO. “If individuals are found to be misusing the privileged access they have to information, they will be subjected to disciplinary action and possibly face criminal proceedings,” the spokeswoman said.

DATA PROTECTION

PCI DSS To Launch Integrator Reseller Guidance (September 27, 2012)

The PCI Security Standards Council (PCI SSC) plans to launch guidance for software integrators and resellers to coincide with its October conference in Dublin, European PCI DSS Director Jeremy King told SC Magazine. The guidance is part of its Qualified Integrators and Resellers (QIR) program, announced earlier this year. The QIR program also consists of training and qualification of integrators and resellers, and there will be a list of PCI qualified providers on the PCI SSC website. “Retailers and franchise operators alike will have a go-to resource they can trust for making sure their applications and systems are being installed and maintained properly,” King said.

DATA PROTECTION—UK

No Flowers on Your Big Day? Blame the DPA (September 27, 2012)

The tradition of Scottish councils presenting centenarians and long-married couples with flowers on their big days is in jeopardy because of data sharing restrictions in the Data Protection Act, reports The Courier. A team leader at the National Records of Scotland Local Organisation Unit (LOU) wrote to the Fife Council provost's office saying, “The LOU will no longer provide your office with details of special birthday or wedding anniversary celebrations notified to us by a third party,” adding, “The reason for this instruction is that by providing this information, we are in breach of the Data Protection Act.” One councillor calls it “a great shame that some are missing out.”

PRIVACY—EU & UK

Opinion: Regulation Should Consider Marketing’s Role (September 27, 2012)

A report by the Direct Marketing Association (DMA) indicates UK businesses spent £14.2 billion on direct marketing in 2011, and it’s predicted that number will increase by seven percent in 2012, writes the DMA’s Chris Combemale in an op-ed for The Guardian. As such, the draft EU data protection regulation should strike the right balance “between protecting individuals’ rights to data privacy and preserving the commercial freedoms of companies to engage with consumers.” As it’s drafted, the regulation’s opt-in consent requirements, classification of IP addresses as personal data and “overly prescriptive” regulation on the right to be forgotten would stifle data-driven marketing, Combemale says.

PRIVACY LAW—IRELAND

Opinion: Privacy Bill 2006 Falls Short of Real Protection (September 27, 2012)

After Minister for Justice, Equality and Defence Alan Shatter said he will revisit a previously abandoned privacy bill, Dublin City University Prof. Colum Kenny writes in a letter to The Irish Times that Privacy Bill 2006 would “allow editors to defeat the spirit of the (Irish Press) Council’s Code of Practice.” Kenny writes that a provision in the code “appears to permit only those whose privacy has been invaded to make complaints about gross intrusion,” noting that “if editors begin to weigh up the material benefits of such invasions against the inability of the Press Ombudsman to do much more than merely scold transgressors,” then the press could “give politicians an excuse to pass the Privacy Bill 2006.”

PRIVACY—URUGUAY

DPA Discusses Privacy Landscape (September 27, 2012)

The European Union recently confirmed that Uruguay had achieved adequacy for personal data protection. Prior to that, in 2008, the country passed its data protection act. Since that time, the Unit for the Regulation and Control of Personal Data (URCDP) has been established to field data protection complaints and educate the public and database controllers, in both the private and public sector, of their duties and obligations under the act. The URCDP is now preparing to host the 34th International Conference of Data Protection and Privacy Commissioners, a task the URCDP’s Federico Monteverde says has kept it very busy. In this exclusive for The Privacy Advisor, a URCDP representative discusses Uruguay’s data privacy landscape.

CLOUD COMPUTING—EU & UK

EC Releases Cloud Strategy; ICO Releases Guidelines (September 27, 2012)

The European Commission (EC) has released a new strategy for “unleashing the potential of cloud computing in Europe.” Among the “key actions” in the strategy are “Cutting through the jungle of technical standards so that cloud users get interoperability, data portability and reversibility,” EU-wide certification schemes and a European Cloud Partnership with member states. EC Vice President Viviane Reding said the strategy “will enhance trust in innovative computing solutions and boost a competitive digital single market where Europeans feel safe,” adding, “That means swift adoption of the new data protection framework…” Meanwhile, the UK Information Commissioner’s Office has published guidelines on the responsible use of cloud computing. Editor’s Note: The IAPP will host the web conference EU Cloud Computing Privacy Guidance next Thursday, October 4 at 11 a.m. EDT.

DATA LOSS

Breach Affects 100,000 IEEE Members (September 27, 2012)

The user names and passwords of approximately 100,000 members of the Institute of Electrical and Electronics Engineers (IEEE) have been compromised in an apparent breach, Help Net Security reports. The affected data was stored on an FTP server in unencrypted form. The IEEE has as many as 400,000 members worldwide, many of whom are security professionals. The incident was discovered by Romanian researcher Radu Dragusin.

PRIVACY LAW—EU

Reding: Overhaul Could Save €2.3 Billion in Costs (September 26, 2012)

EU Justice Commissioner Viviane Reding says an overhaul of EU data protection rules could save as much as €2.3 billion in administrative costs, Bloomberg reports. Reding has said a single set of data rules for the EU and a one-stop-shop for data protection will make Europe a more attractive place to do business. The proposed legislation will also provide better access to personal data, Reding and Irish Data Protection Commissioner Billy Hawkes wrote in a recent piece for the Irish Examiner. Ireland will play a key role in shaping the new rules, Reding says, as it is home to many firms handling personal data.

SOCIAL NETWORKING

Confusion Over Facebook Wall Posts Leads to Privacy Scare (September 25, 2012)

Facebook representatives have said yesterday’s reports that private messages were appearing on users’ timelines were false, The Wall Street Journal reports. According to Facebook, “A small number of users raised concerns after what they mistakenly believed to be private messages appeared on their Timeline,” adding that an investigation revealed “that the messages were older wall posts that had always been visible on the users’ profile pages.” In response, France’s data protection authority—the CNIL—has been asked to investigate the issue. Meanwhile, the Electronic Privacy Information Center plans to ask the Federal Trade Commission to investigate the new Facebook-Datalogix deal and whether it contravenes a recent settlement. (Registration may be required to access this story.)

DATA PROTECTION

Report: Most Breaches Due to Employee Error (September 25, 2012)

COMPUTERWORLD reports Forrester Research has found that most data breaches are caused by events such as employees losing or misusing corporate assets or having them stolen. In the survey of more than 7,000 executives and employees in North America and Europe, 31 percent said theft or loss was the cause of data breaches, and 39 percent said data leaks on mobile devices are a concern. “Whether their actions are intentional or unintentional, insiders cause their fair share of breaches,” the report’s authors said, adding it’s not only a matter of appropriate tools and controls; only 56 percent of respondents said they were aware of their organization’s security policies.

BIOMETRICS

Facebook Halts Face ID Tech, For Now (September 24, 2012)

The New York Times reports on Facebook’s agreement with European regulators to stop using its facial recognition software and delete users’ facial identification data. “The development of these tools in the private sector directly affects civil liberties,” said University of California, Berkeley Law Prof. Chris Hoofnagle, adding, “The ultimate application is going to be—can we apply these patterns in video surveillance to automatically identify people for security purposes and maybe for marketing purposes as well?” Ireland Data Protection Commissioner Billy Hawkes has said he is satisfied with the company’s privacy upgrades, but some in Europe do not think they have gone far enough. Meanwhile, Financial Times reports the company is working to improve its ad tracking systems. (Registration may be required to access this story.)

PRIVACY LAW—EU

Ireland DPC: EU Overhaul Will Strengthen Personal Data Control (September 24, 2012)

Ireland Data Protection Commissioner Billy Hawkes has said new EU laws to be introduced in January will strengthen EU citizens’ control over their personal data. In a column for the Irish Examiner, Hawkes wrote that personal data should always be protected, even outside the EU. The proposed legislation will provide a single set of rules for data protection across the EU; better access to personal data; the “right to be forgotten”; data protection rules for companies—such as Google and Facebook—doing business in EU markets, and additional power to independent data protection authorities.

DATA PROTECTION

Risk Report Finds “Sharp Increase” in Browser Exploits (September 21, 2012)

InfoSecurity reports that the results of the IBM X-Force 2012 Mid-Year Trend and Risk Report suggest “the landscape has seen a sharp increase in browser-related exploits…along with renewed concerns around social media password security and continued disparity in mobile devices and corporate bring-your-own-device (BYOD) programs.” The report notes an upward trend in vulnerabilities. “We’ve seen an increase in the number of sophisticated and targeted attacks,” said IBM’s Clinton McFadden, adding, "As long as these targets remain lucrative, the attacks will keep coming and in response, organizations should take proactive approaches to better protect their enterprises and data." Editor's Note: The IAPP's recent web conference The Implications of Bring Your Own Device (BYOD) offers additional insights into the issues surrounding BYOD.

PRIVACY LAW—EU & MONACO

Article 29 Working Party Issues Favourable Adequacy Opinion (September 20, 2012)

The Article 29 Working Party has released a favourable opinion on the level of data protection standards in Monaco, Hunton & Williams’ Privacy and Information Security Law Blog reports. The finding was based on Monaco’s 1993 Act—as amended in 2009—on the protection of personal data. According to the report, the favourable opinion “paves the way” for a final adequacy level finding by the European Commission in the future.

DATA PROTECTION—UK

ICO: Google Has Improved on Data Practices (September 20, 2012)

The Information Commissioner’s Office (ICO) says its most recent audit indicates Google has improved its handling of personal data since the privacy issues surrounding its Street View data collection in 2010, Techworld reports. The ICO conducted an initial audit of the company in 2011 following the revelation that Street View cars had inadvertently collected WiFi data, including e-mails and passwords. The audit indicated the company had made improvements to privacy structure, training and reviews. The ICO suggested Google projects have a privacy design document, that “privacy stories” inform consumers about privacy and that engineers receive focused training. Though some changes remain to be implemented, “significant progress” has been made, the ICO says.

PRIVACY LAW—IRELAND

Justice Minister To Revisit Abandoned Privacy Bill (September 20, 2012)

After the Irish Daily Star reprinted controversial photos of the Duchess of Cambridge, Ireland’s justice minister has said he will revisit abandoned privacy legislation, The Guardian reports. Minister for Justice, Equality and Defence Alan Shatter has said he will return to the 2006 Privacy Act because the decision by some media outlets to publish the photos makes it seem “that no value of any nature is attached to an individual’s right to privacy,” adding, “What is needed is balanced legislation that does nothing to inhibit proper investigative journalism…but which also prevents the abuse of an individual’s human rights and flagrant violation of an individual’s right to privacy.”

DATA PROTECTION—IRELAND

Hawkes: Councils Can’t Use Data to Collect Charge (September 20, 2012)

While councils are told to do whatever it takes to collect the €100 household charge for college grant applications, Data Protection Commissioner Billy Hawkes says they can’t go after people based on information gathered in relation to student grants, reports the Irish Examiner. Hawkes’ office said Clare County Council may gather information about payment to see whose applications were processed first, the report states. A spokesperson for the office said protocol does not allow “data gathered in this way to be used to pursue people who have not paid,” and it will provide “any necessary clarification to Clare County Council.”

STUDENT PRIVACY—UK

ICO Report Gives Data Protection Advice to Schools (September 20, 2012)

The Information Commissioner’s Office (ICO) has released recommendations to help schools ensure internal privacy protection practices are in line with the Data Protection Act. The ICO surveyed 400 schools and found that schools need to improve data protection compliance. An ICO representative said, “The survey results showed that whilst awareness of the law was broadly good, knowledge on how to comply with it wasn’t always there.” He added, “I’d urge teachers and heads to take a look at our recommendations and make sure they’re complying with the law.”

RFID—UK

Researchers Explore Human Implant Concerns (September 20, 2012)

In a column for Public Service Europe, Professors Nada Kakabadse and Andrew Kakabadse explore the implications of implanting RFID chips in human beings. They write, “when technology pierces the skin and invades the sovereign state of the human body, it enters a domain awash with ethical, moral, political and philosophical controversy.” The UK-based professors write, “We know that RFID technologies promise enormous benefits in areas ranging from security and health monitoring to business efficiency. But there is a dark side to the technology, a potential for abuse.”

PRIVACY LAW—EU & U.S.

EU Proposal Would Complicate Workplace Evidence Gathering (September 20, 2012)

If the EU adopts its new data protection proposal, companies could have a difficult time conducting internal investigations that rely on collecting documents and e-mail from employees, Corporate Counsel reports. EU regulations already make it difficult for lawyers to gather information—including data stored on company computers and servers, the report states. But the new proposal “eliminates the most convenient way of gathering evidence for U.S. legal compliance purposes,” said DLA Piper’s Jim Halpert. He added that under current law, lawyers can gather information if given voluntary employee consent. But under the EU’s proposal, that consent, “even if freely given,” would be deemed “invalid.”

PRIVACY LAW—EU

EDPS Calls for Harmonized “Illegal Content” Definition (September 19, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has said the European Commission (EC) should define the term “illegal content” in order to provide clarity on content host responsibilities for removal of such information, Out-Law.com reports. Comments by the EDPS come after an EC consultation on reforming rules governing the removal of illegal material posted online. Examples of what the EC considered illegal include content infringing on intellectual property rights, inciting hate, relating to terrorism or invading privacy. Hustinx said he “is of the view that there is a need for a more pan-European harmonized definition of the notion of illegal content for which notice-and-action procedures would be applicable.”

PERSONAL PRIVACY

Think Tank: Business Would Benefit by Upping Consumer Data Control (September 19, 2012)

Policy think tank Demos has said businesses would benefit if they granted consumers more control over how their personal data is used, reports Out-Law.com. Consumers are suffering a “crisis of confidence” when it comes to information sharing, Demos said. Businesses could overcome this if they have “open, transparent and clear information-sharing relationships with customers” and allow consumers to make an “informed choice” about the ways their personal information is used. “Regulators and businesses need to find a flexible, dynamic framework, which recognizes the diversity of views on the issue, and consider how people can customize and negotiate their relationship with organizations so that it is and feels mutually beneficial.”

DATA LOSS—UK

Stolen Laptop Contained Children’s Data (September 18, 2012)

The Information Commissioner’s Office (ICO) is investigating the theft of an Edinburgh Council laptop used by a fostering service consultant. The laptop reportedly contained sensitive details of dozens of cases, “including assessments of the prospective foster and adoptive parents,” TechWeekEurope reports. Though it is believed thieves would have wiped the computer clean for resale, the council has contacted “the majority of those involved” and issued an apology. An ICO spokesman said, “We will be making enquiries into the circumstances of the alleged breach of the Data Protection Act before deciding what action, if any, needs to be taken.”

PRIVACY LAW—EU & U.S.

Opinion: Region’s Privacy Approaches Run Parallel (September 18, 2012)

“For almost two decades, a myth has been circulating that the European Union’s approach to privacy and data protection is ‘stricter’ than the sectorial approach the U.S. employs,” writes Jenner & Block Partner Mary Ellen Callahan, CIPP/US. In a column for The Lawyer, Callahan notes “the two regions' approaches have more in common than the myth would suggest.” Both approaches are grounded in the Fair Information Practice Principles, she writes, adding, “Although differences in emphasis, interpretation and implementation exist, they provide an invaluable lens through which governments and companies can analyze whether they are employing appropriate privacy protections.”

TRAVELERS’ PRIVACY—UK

Body Scanners Removed by Manchester Airport (September 17, 2012)

A UK airport is scrapping passenger body scanners after a three-year trial period ended without a decision from the European Commission, BBC News reports. The airport will replace the body scanners with “privacy friendly” scanners. Manchester Airport Group Chief Operating Officer Andrew Harrison expressed frustration “that Brussels has allowed this successful trial to end,” adding, “Our security surveys and those run by the Department for Transport show passengers regularly rate their experience at Manchester as one of the best security processes in the UK, if not Europe. There’s no doubt that body scanners play a big part in these results.”

PRIVACY LAW—UK

ICO To Increase Cookie Enforcement Efforts (September 14, 2012)

The Information Commissioner’s Office (ICO) has warned organizations to comply with regulations on cookie use or face “massive fines,” Computeractive reports. Unnamed operators now have a deadline for compliance, according to the ICO’s Dave Evans, following criticism that the office has not been strict enough on cookie enforcement. For those operators that do not meet a given deadline, formal enforcement action is likely, Evans said. “Failure to act on an enforcement notice is a criminal offense,” he added. The ICO gained the authority by law in May to fine organizations up to £500,000 for failure to comply with rules on cookies.

PRIVACY LAW—IRELAND

Telecoms Plead Guilty, Must Pay Charity (September 13, 2012)

After the theft of two laptops from Eircom’s Dublin office resulted in lost data on about 7,000 customers, a court has ordered eMobile and Meteor, subsidiaries of Eircom, each to pay 15,000 to charity, The Independent reports. The companies pleaded guilty to “three charges relating to failure to take appropriate security measures to protect the personal information on the laptops, failing to notify the commissioner of the breach without undue delay and…failing to notify their customers of the theft of their information without undue delay,” an Irish Times report states.

PRIVACY LAW—UK

Twitter Warns Against Communications Bill (September 13, 2012)

In its submission to the joint Commons and Lords committee on the draft communications bill, Twitter warned that government plans to require Internet service providers to retain communications data for one year may open the government up to privacy lawsuits, reports The Guardian. "We would be interested to understand what consideration was given to issues of proportionality in the drafting of this provision as well as some cross-jurisdictional challenges which may arise,” the submission reads, noting the plan would likely “result in the collection and retention of data on users who are outside of the United Kingdom.” Authorities say greater retention is needed for counter-terrorism efforts and other criminal investigations.

GENETIC PRIVACY—CZECH REPUBLIC

UOOZ and Police Go To Court Over DNA Database (September 13, 2012)

A Czech court will decide whether police must comply with a request from the Office for Personal Data Protection (UOOZ) that police shred DNA records on people involved in lesser crimes, such as driving without documentation, or those whose prosecution has been suspended, reports the Prague Daily Monitor. "It was ordered to shred all the data in the database that do not correspond with the given criteria," UOOZ President Igor Nemec said, but police have not complied, saying the records that did not correspond with the law were withdrawn from the databases. The UOOZ last spring imposed a 10,000-crown fine on the police for failing to shred the documents.

DATA LOSS—UK

ICO Fines Council £250,000, Another Reveals Breach (September 13, 2012)

The Information Commissioner’s Office (ICO) has fined Scottish Borders Council £250,000 for a breach involving the personal information of employees. “This is a classic case of an organization taking its eye off the ball when it came to outsourcing,” said ICO Assistant Commissioner for Scotland Ken Macdonald. The council had contracted an outside company to digitize pension records but failed to “seek appropriate guarantees on how the personal data would be kept secure,” according to an ICO press release. Meanwhile, The Star reports Sheffield Council could face similar fines after confidential files on mental health patients were found on a city street.

DATA PROTECTION—GERMANY

Schaar Unable To Access Police Spyware (September 13, 2012)

German Data Protection and Freedom of Information Commissioner Peter Schaar says he is not able to review the source code of software being used by police to monitor suspects, reports The Local. After a hacker group revealed last year that it found software allowing police to log keystrokes, capture screenshots and activate cameras and microphones on computers belonging to people under investigation, the Parliamentary Domestic Affairs Committee called for an investigation by Schaar. The program supplier, DigiTask, has refused to hand over the source code unless Schaar signs a gag order and it receives €1,200 per day for the access.

SOCIAL NETWORKING—FRANCE

CNIL Names Sites with A29 WP Data Protection Features (September 13, 2012)

The French data protection agency, CNIL, is calling social network Famicity, among others, a good example of a network following the recommendations set out by the Article 29 Working Party, reports Telecompaper. The recommendations include “defining default parameters to limit the diffusion of Internet users' data, protection measures for minors, eliminating accounts that have been inactive for a long time, suggesting that users use a pseudonym and offering a tool on the homepage allowing members and nonmembers to make complaints related to personal data,” the report states.

PRIVACY LAW—UK

ICO: Cookie Compliance Deadline Set for Some Websites (September 12, 2012)

Out-law.com reports on comments made by Information Commissioner’s Office (ICO) Group Manager for Business and Industry Dave Evans. Businesses should now “know they have to respond to the law,” said Evans. The comments come after one web software firm taunted the ICO about cookie compliance. For noncompliant businesses, Evans said, “It might be a law they wish didn’t exist, but the simple fact is that it is here to stay,” adding, “for example, some sites have failed to engage with us at all, and they’re now being set a deadline to take steps towards compliance, with formal enforcement action likely if they fail to meet this deadline.” Editor's Note: For the latest on EU cookie consent implementation, see the Field Fisher Waterhouse chart, Cookie ‘consent’ rule: EU implementation, in the IAPP Resource Center.

PRIVACY LAW—EU

Working Party Releases Meeting Agenda (September 12, 2012)

The Article 29 Working Party has released a draft agenda ahead of its next meeting. The meeting will take place September 25 and 26 in Brussels. It will discuss “the draft application form and cooperation procedure for Binding Corporate Rules (BCR) for processors,” the draft opinion on purpose limitation and “developments on the draft data protection regulation and directive.”
Full Story

PRIVACY LAW—UK

Cookie Taunt Launched by Web Firm (September 11, 2012)

BBC News reports on a website created by web software firm Silktide that dares the Information Commissioner’s Office (ICO) to levy punishment for its use of cookies. Nocookielaw.com says the cookie rules are “ineffective.” An ICO spokesman said, “We welcome any opportunity to help us draw attention to this matter as a key part of our work in ensuring compliance with the cookie law has been making businesses aware of the regulations.” An ICO blog post notes education is “key to cookie law progress.” Meanwhile, research by TRUSTe reveals that 63 percent of top UK websites have made cookie compliance efforts.

EMPLOYEE PRIVACY—SWITZERLAND

Banks To Notify Employees of Data Transfers (September 7, 2012)

In the wake of concerns surrounding the transfer of bank data to other countries, World Radio Switzerland reports that Swiss banks have agreed to inform employees before data is sent to foreign tax investigators. Data Protection Commissioner Hanspeter Thür said five banks have “signed on to notify employees after Thür threatened to ask the Federal Administrative Court to force banks to protect employee data,” the report states, noting Thür met with bank officials to promote “a transparent process for employees” and that he has “doubts data handovers to the U.S. are legal.”
Full Story

CLOUD COMPUTING—EU & HONG KONG

CSA Launches Privacy Level Agreement Working Group (September 6, 2012)

eWeek reports on a new initiative by the Cloud Security Alliance (CSA) to promote cloud security and standards for data protection. The CSA has launched the Privacy Level Agreement (PLA) Working Group in the EU and has partnered with the Hong Kong Applied Science and Technology Research Institute. Composed of privacy experts and officers and regulatory representatives, the PLA Working Group will create compliance baselines for data protection legislation and publish best practices. One expert said, “The goal of this working group is to create a structure for privacy disclosures that will provide both cloud providers and their customers with an objective and comparable way by which to communicate their personal data handling practices.”
Full Story

PRIVACY LAW—ITALY

Garante Approves Inspection Plan (September 6, 2012)

The board of the Italian Data Protection Authority has approved its inspection plan for the second half of the year. Areas of focus will include consumer credit, mobile payments and telemarketing. The Garante will focus on how personal data are processed by public- and private-sector organisations in these areas and others. Rocco Panetta, CIPP/E, of Panetta & Associati in Rome says the Garante will carry out at least 220 inspections in cooperation with Italy’s fiscal police, the Guardia di Finanza’s Nucleo Speciale Privacy. The Garante levied sanctions amounting to 1.6 million euros based on the results of inspections carried out during the first half of the year.
Full Story

DATA LOSS—UK

In Five Years, PII of 10,000 Lost by Scottish Councils (September 6, 2012)

PublicService.co.uk reports that Scottish councils have lost the personal data of more than 10,000 individuals in a number of incidents over the last five years. Lost data has included images of children, pension information and sensitive e-mails. One government official said, “The Data Protection Act clearly emphasises the importance of keeping personal information safe” and councils “aren’t doing nearly enough to protect individuals from data losses,” adding, “Given the highly sensitive nature of the information held by the councils, it is unacceptable that many could not even estimate how many people had been affected by their losses.”
Full Story

DATA PROTECTION—UK

Expert: Businesses Should Seek Cyber Insurance (September 6, 2012)

Following the recent release of new cyber risk-management guidance by the government, Pinsent Masons lawyer Luke Scanlon says UK firms should assess the potential cost of a cyber attack and insure against it, Out-Law.com reports. The guidance underlined the benefits for business executives and boards of implementing a “risk management approach to cybersecurity,” and the report states executives should analyse whether their “key information” protections are strong enough.
Full Story

PRIVACY LAW—EU & U.S.

UN Internet Debate Set; Advocates Urge Strong EU Privacy Regs (September 6, 2012)

Debate about how the United Nations (UN) may govern the Internet will commence in Denmark next week, and EuropeanVoice reports that regulators, industry representatives and advocates are set for a robust discussion. Proposed rule changes could affect the powers of the UN’s International Telecommunication Union to enforce data protection and cybersecurity, the report states. Meanwhile, a group of consumer and privacy organisations has sent the European Parliament a letter urging the EU to press forward on tough privacy rules under the proposed data protection regulation, saying “that the promotion of stronger privacy standards in Europe will benefit consumers around the globe.” Editor’s note: For more on this topic, see the article “Privacy worries surround UN Internet regulations” in the September edition of the IAPP’s Privacy Advisor newsletter. (IAPP member login required.) (Registration may be required to access this story.)

BIOMETRICS—EU

EDPS Says Eurodac Proposal Is “Serious Intrusion” (September 6, 2012)

The European Data Protection Supervisor (EDPS) has said the European Commission’s adoption of a proposal to allow Member States’ law enforcement authorities access to the Eurodac database is “a serious intrusion into the rights of a vulnerable group of people in need of protection,” EurActiv reports. Eurodac is the EU fingerprint database of individuals seeking asylum in EU countries, and the report describes it as intended to curb illegal immigration. The EDPS added, “To intrude upon the privacy of individuals and risk stigmatizing them requires strong justification, and the commission has simply not provided sufficient reason why asylum seekers should be singled out for such treatment.”
Full Story

PRIVACY LAW—EU & UK

Parliamentary Committee Hears Evidence on Proposed Framework (September 5, 2012)

The UK Parliament’s Justice Select Committee has held its first evidence session on the EU’s proposed data protection framework, reports Field Fisher Waterhouse’s Victoria Hordern. The Association of Chief Police Officers, the Federation of Small Businesses and the Information Commissioner’s Office were among those who provided their opinions. While many said the regulation brings welcome changes, “the overwhelming response was to criticize the overly-engineered text” of both the regulation and the Data Protection Directive, the report states, and a key “tension in the regulation exists between the drive toward harmonization and the consequent prescriptive practices and procedures that the commission’s version of harmonization requires.”
Full Story