European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is also already underway for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY

Yahoo To Ignore Default DNT Settings (October 31, 2012)

Yahoo has announced that it will ignore Internet Explorer 10’s default do-not-track (DNT) settings, InformationWeek reports, indicating the setting “ignores the wishes of its users.” The browser will continue to offer its Ad Interest Manager, which allows users to make choices about the online ads targeted to them, and other tools. “Ultimately, we believe that DNT must map to user intent—not to the intent of one browser creator, plug-in writer or third-party software service,” Yahoo said in a statement.
Full Story

DATA PROTECTION—UK

ICO Looking Into Police Data Collection, Retention (October 30, 2012)

The Information Commissioner’s Office (ICO) is investigating claims against Kent police over data collection and retention activities, This is Kent reports. A spokesman for the ICO said, “If police forces are examining the content on mobile phones and are wanting to use that information, this would need to comply with the Data Protection Act.” He added the office is “looking at this issue and will be considering whether any action is necessary to help ensure compliance…” Meanwhile, a spokesman for the Home Office said that although information about suspects is crucial, police “should only be extracting and retaining data relevant to criminal investigations or for other permitted purposes.”
Full Story

DATA PROTECTION

Cyber Liability Insurance Awareness Is Growing (October 30, 2012)

Out-Law.com reports on a survey revealing that 60 percent of businesses do not have cyber liability insurance, but according to one expert, companies are becoming more aware of it. The Advisen survey report states that 52 percent of businesses not currently covered have no plans to gain the insurance in the next year. Pinsent Masons’ Ian Birdsey said, “When you consider the frequency, severity and exposure of security and data breaches,” it’s “surprising” that 52 percent are not considering the insurance. Birdsey noted that “the test remains whether advocates for data risks or cyber liability insurance cover at general counsel or chief privacy officer level can persuade their management teams to allocate budget to buy cover in the next financial year.”
Full Story

PRIVACY LAW—EU

Regulators Looking Into Microsoft Changes (October 29, 2012)

Luxembourg and other EU data protection commissions (DPCs) are looking into whether changes Microsoft made to its Internet products Hotmail and Bing bring new privacy risks for users and comply with the region’s standards on notice and choice, reports The Washington Post. President of the Luxembourg DPC Gerard Lommel acknowledged that possible issues “can neither be excluded nor confirmed” in this case, suggesting the review is not on the level of a recent investigation into Google’s privacy policy changes “where clear privacy issues had been identified.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Reding Hints at Data Protection Concessions for SMEs (October 29, 2012)

At a Home Affairs Council meeting in Luxembourg last week, EU Justice Commissioner Viviane Reding said she was willing to offer some concessions to small and medium-sized enterprises (SMEs) and the public sector in revisions to the data protection regulation, COMPUTERWORLD UK reports. Though the regulation needs the “right firmness of touch,” Reding said she did not want SMEs to be overburdened. “The commission is prepared to look at whether this SME exemption could be broadened to other areas and that we can also look to add further flexibility through an approach that takes into account the amount and sensitivity of the data processed,” Reding said, adding, “One thing is clear: There can be no general exemption for the public sector.”
Full Story

PRIVACY LAW

Hustinx Discusses EU Draft Regulation (October 25, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has called the draft EU data protection regulation an “ambitious” undertaking, reports the Hunton & Williams Privacy and Information Security Law Blog. Speaking at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay, the EDPS said the draft regulation aims to provide the structure for EU data protection for the next 20 years, eliminate discrepancies in data protection requirements across EU member states and reflect the belief that privacy is a human right.
Full Story

DATA RETENTION—UK

Draft Communications Bill Raises Surveillance Concerns (October 25, 2012)

A draft bill currently being considered by Parliament is raising concerns among some civil liberties campaigners and journalist Henry Porter, BBC News reports. The draft Communications Data Bill would require Internet service providers to retain users’ online activities for one year to allow law enforcement and intelligence authorities access to the data. Retained activity would include social networking use, webmail, Internet phone calls and online gaming, the report states. Porter told a parliamentary committee that such a law would be “really dangerous,” adding, “I don’t believe this entire nation should subject itself to massive surveillance campaign by a few people who appear to be unscrutinised and the methods untransparent.”
Full Story

TRAVELLERS’ PRIVACY—UK

Airport To Test Body Scanners (October 25, 2012)

Stansted Airport in Essex will conduct a three-month trial of new body scanners for detection of security threats, BBC News reports. The machines will alert staff to potential dangers via mannequin-like figures on a screen, the report states. The airport’s head of terminal said security is the highest priority but “the introduction of this quick, effective and safe scan will also significantly improve the passenger’s experience of security searching and provide maximum protection of privacy.”
Full Story

DATA LOSS—UK

ICO Will Not Take Action Against DfE (October 25, 2012)

The Information Commissioner’s Office (ICO) has said the Department for Education (DfE) violated the Data Protection Act, but because the compromised information was not sensitive, it will not take action against the organisation, Out-Law.com reports. Due to a “temporary security flaw,” e-mail addresses, unencrypted passwords and individuals’ answers to consultation questions were accessible online. The ICO said, “as the personal information compromised was not sensitive, and any distress caused is likely to have been minimal, we have decided that no further enforcement action is required at this time.”
Full Story

DATA LOSS—UK

ICO Fines Council £120,000 (October 25, 2012)

The Information Commissioner’s Office (ICO) has fined Stoke-on-Trent Council £120,000 after sensitive personal information was e-mailed to the incorrect recipient, Publicservice.co.uk reports. The council failed to resolve issues raised by an earlier and similar incident by failing to provide a legal department with encryption software and lacking data protection training, the report states. ICO Head of Enforcement Stephen Eckersley said “the authority has received a significant penalty for failing to adopt what is a simple and widely used security measure.”
Full Story

FINANCIAL PRIVACY

Breach Report: 174 Million Records Compromised in 2011 (October 25, 2012)

According to Verizon’s Data Breach Investigations Report, 174 million records were compromised in 855 data breach incidents in 2011, Out-Law.com reports. Calling it “an all-time low” for data breach protection, the report revealed that 96 percent of organizations required to follow the Payment Card Industry Data Security Standard (PCI DSS) that experienced a breach—according to Verizon’s “caseload”—were not compliant with PCI DSS. The Verizon report stated, “We are seeing a continuing trend whereby more of the organizations that fall in the 96-percent tend to be on the small side,” adding, “In many cases, these organizations have either failed to perform their assessments or failed to meet one or more of the requirements.”
Full Story

PRIVACY

FPF Announces Privacy Papers for Policy Makers 2012 (October 25, 2012)

The Future of Privacy Forum (FPF) has announced this year’s selections for its Privacy Papers for Policy Makers. Of the more than 35 entries, eight were selected. The papers cover topics such as Privacy by Design, online behavioral advertising, mobile privacy, government surveillance, de-identification and social networking. FPF Founder and Co-chair Christopher Wolf said, “Improving privacy protection is vitally important in this technology age, so we are delighted to help build a bridge of communication between privacy scholars and privacy policy makers.” FPF Director and Co-chair Jules Polonetsky, CIPP/US, said, “These writings offer some of the most compelling and innovative viewpoints that we hope policy makers consider as they look to address privacy issues.”
Full Story

PRIVACY LAW—EU & U.S.

How Will Elections Impact Privacy? (October 25, 2012)

In an exclusive for The Privacy Advisor, Mathew Schwartz reports on how potential changes in leadership may affect privacy rights around the world. The U.S. presidential election in November will be followed by Ireland’s resumption of the EU presidency for six months in January, while the UK will take on the presidency of the Group of Eight (G8). Questions persist in the U.S. on finding a balance between innovation and data protection, Schwartz writes, and in the UK, the question of whether the G8 could be used as a platform for eliciting change in privacy law cannot yet be “answered in detail.”
Full Story

SURVEILLANCE

UN Wants “Anti-Terror” Internet Surveillance (October 23, 2012)

The United Nations (UN) has released a report calling for more surveillance of Internet traffic and users for the purpose of undermining terrorist activity, CNET News reports. “The Use of the Internet for Terrorist Purposes” states, “One of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” The 148-page report notes that terrorists use social networks to spread propaganda. UN Executive Director Yury Fedotov said, “Potential terrorists use advanced communications technology, often involving the Internet, to reach a worldwide audience with relative anonymity and at a low cost.”
Full Story

ONLINE PRIVACY

Microsoft Alters Its Privacy Rules (October 22, 2012)

The New York Times reports on a new policy implemented by Microsoft allowing it “broad leeway” over how it collects and processes information from consumers using its free, web-based services. Unlike Google’s policy changes earlier this year, “Almost no one noticed” Microsoft’s change, the report states, adding, “The difference in the two events illustrates the confusion surrounding Internet consumer privacy.” Consumer Watchdog’s John Simpson said, “What Microsoft is doing is no different from what Google did,” adding, “It allows the combination of data across services in ways a user wouldn’t reasonably expect.” A Microsoft spokesman said, “one thing we don’t do is use the content of our customers’ private communications and documents to create targeted advertising.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Law Student’s Quest Against Facebook Continues (October 22, 2012)

Austrian law student Max Schrems has said Facebook and European regulators have not done enough to curb what he says are violations against European privacy laws, The Washington Post reports. Founder of “Europe v Facebook,” Schrems is looking to raise approximately 200,000 euros to keep his campaign moving forward. “At the core of the fight is one of the overarching questions of our time: Who has rights to the trillions of bits of data users create online every day?” the report states. Schrems said, “We’re right now defining what our world is going to look like in 20 years.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—AUSTRIA & EU

EU Court Rules Austria DPA Needs More Independence from Gov’t (October 19, 2012)

The Court of Justice of the European Union (CJEU) has ruled that the Austrian government has not complied with EU law as it has not provided its data protection authority (DPA), the Datenschutzkommission, with “complete independence,” Out-Law.com reports. In order to attain “complete independence,” the CJEU ruled that DPA staff must not share offices with government officials; must not be required to provide the government with “unconditional” access to information about the DPA’s work, and an individual heading a DPA must not simultaneously hold other government positions. During a speech in Brussels, the European Data Protection Supervisor called the decision a “great day for data protection in Europe,” while also discussing the relationship between the proposed EU regulation and the e-Privacy Directive.

PRIVACY LAW—UKRAINE

Insurance Group Asks for Veto (October 19, 2012)

An insurance industry group has asked Ukraine’s president to veto a measure to amend the data protection law, KyivPost reports. The League of Insurance Organizations of Ukraine (LIOU) says the amendments “unreasonably extend the powers of the State Service of Ukraine on Personal Data Protection,” the report states. “We think the adoption of this law in such wording, despite numerous plus points, contains serious obstacles to entrepreneurship in Ukraine, creating a serious threat of the appearance of unreasonable additional financial and organizational expenses for businesses, as well as contradicting international standards regarding personal data protection, and the norms of the Ukrainian legislation,” the group stated in its letter.
Full Story

DATA LOSS—UK

ICO Fines Police 120,000 Pounds, Investigates Landlord (October 18, 2012)

Greater Manchester Police has paid a fine of 120,000 pounds after a breach involving the theft of a memory stick containing sensitive information, Publicservice.co.uk reports. The stick was not password-protected and contained details on more than 1,000 individuals connected to crime investigations. The Information Commissioner’s Office (ICO) found that Greater Manchester Police regularly used unencrypted memory sticks to transport data, the report states. The ICO has also confirmed it is investigating Network Housing Group’s accidental breach of employee information. Meanwhile, one expert is calling for additional patient privacy safeguards in the wake of recent NHS breaches and subsequent actions by the ICO.
Full Story

CLOUD COMPUTING—FRANCE

Experts Review CNIL Recommendations (October 18, 2012)

The Commission Nationale de l’Informatique et des Libertés (CNIL) has issued recommendations following the close of its call for contributions from cloud computing stakeholders, including customers and providers. In this exclusive for The Privacy Advisor, Gaëtan Cordier and Adeline Jobard of Eversheds LLP examine the recommendations. “The CNIL’s seven recommendations are based mainly on a risk analysis carried out beforehand by customers and undertakings of transparency on the part of service providers towards their customers which must be formalised in the service contracts,” they write.
Full Story

SOCIAL NETWORKING

Facebook Communications Manager Talks Privacy Stumbles (October 18, 2012)

The Guardian discusses recent criticism of Facebook’s privacy practices with its Pan-Euro Communications Manager Iain Mackenzie, who says, "There are bad things and many good things going on in the online world. It's not surprising that people look at the service that's closest to them and are at least receptive to these myths." The author notes that Facebook’s lack of clarity in its responses to past privacy concerns may add to the traction of the more recent issues. “More transparency on the network side is needed, but it also must be said that millions of users have overlooked and adapted to the site's many changes,” the report states, adding, “they're not leaving Facebook.”
Full Story

BIG DATA

Opinion: Wouldn’t it Be Nice if We Could Use our Own Data? (October 18, 2012)

Citing an Osborne Clarke (OC) report that states “Data is the commodity of the moment,” Jonathan MacDonald opines for The Guardian that it’s time for consumers to speak up about their inability to use their own online data. While the OC report states that 82 percent of its 5,078 European respondents indicated they would like an area on sites “where I am kept up-to-date about my data, where I can choose what I share and not share on an ongoing basis," people are not given straightforward access to their data. “If this data really is so valuable, does the value have to exclusively reside in the coffers of those who did not produce it?” writes MacDonald.
Full Story

PRIVACY LAW

EU Regulators Call for Changes to Google’s Privacy Policy (October 18, 2012)

The New York Times reports on this week’s press conference hosted by the French data protection authority, the CNIL, where regulators called upon Google to clarify its 10-month-old privacy policy or face potential sanctions. In a letter to Google, the regulators noted that the revised privacy policy “did not appear to adhere to Europe’s approach to data collection, which requires explicit prior consent by individuals and that the data collected be kept at a minimum,” the report states. CNIL Chairwoman Isabelle Falque-Pierrotin said the agency will give Google three or four months to respond to the concerns. In a statement provided to the Daily Dashboard, Google Global Privacy Counsel Peter Fleischer said, “We have received the report and are reviewing it now. Our new privacy policy demonstrates our longstanding commitment to protecting our users’ information and creating great products. We are confident that our privacy notices respect European law.” While the U.S. Federal Trade Commission declined Falque-Pierrotin’s request to endorse the EU’s position, Dutch DPA Chairman Jacob Kohnstamm confirmed that privacy regulators from the 27 EU member states, Canada and some countries in Asia participated in the CNIL inquiry and “endorsed the request to Google, which outlines areas for changes to improve protection of personal data.” Google CEO Larry Page has since defended the policy, saying, “Virtually everything we want to do, I think, is somewhat at odds with locking down all of your information for uses you haven’t contemplated yet. That’s something I worry about.” (Registration may be required to access this story.) Editor's Note: Jacob Kohnstamm will deliver a keynote address while Isabelle Falque-Pierrotin will participate in a breakout session on the new European privacy regulation at the upcoming IAPP Data Protection Congress in Brussels, Belgium, in November.
Full Story

DATA PROTECTION—EU & INDIA

India Asks EU To Declare it as “Data Secure” Country (October 18, 2012)

The government of India has asked the EU to declare the country as “data secure,” The Times of India reports. Without a data secure declaration from the EU, sensitive data such as medical information cannot legally flow between the regions. India Commerce and Industry Minister Anand Sharma said, “It is our clear analysis that our existing law does meet the required EU standards. We would urge that this issue is sorted out quickly, and necessary comfort in declaring India data secure in overall sense needs to be given as almost all the major Fortune-500 companies have trusted India with their critical data.” The EU is studying whether India’s laws meet the EU’s directive.
Full Story

BIOMETRICS

The Emergence of Emotion-Sensing Technologies (October 17, 2012)

The New York Times reports on efforts to improve facial recognition technologies capable of sensing human emotions such as anger, sadness and frustration. Affective computing is currently being developed to assess a wide range of applications from reading student interest in the classroom to helping those on the autism spectrum understand the emotions of others. Emotionally aware devices, however, give “many people the creeps,” the report states. Oxford University Future of Humanity Institute Director Nick Bostrom said, “We want to have some control over how we display ourselves to others,” adding, “it’s not obvious the world would be a better place” with such technology. (Registration may be required to access this story.)

DATA RETENTION—UK

Graham: “Important Data Protection Principles at Stake” (October 17, 2012)

Information Commissioner Christopher Graham told a committee of MPs recently that the draft Communications Bill, currently in front of Parliament, may miss its intended mark and instead uncover “incompetent and accidental anarchists” rather than the “really scary people,” reports BBC News. The bill would see Internet service providers (ISPs) required to store communications data for at least one year, but Graham says it may only apply to the six largest companies, adding, there are “important data protection principles at stake. There is a judgment to be made between the security community saying 'we have to have this stuff' and the civil liberties community, which says this is a gross intrusion of privacy and of citizens' rights."
Full Story

MOBILE PRIVACY

PCI Council Says Payment Regulation Is Challenging (October 17, 2012)

PCI Security Standards Council European Director Jeremy King has said the council was “surprised at how fast new technologies were coming along” in the mobile payment landscape, SC Magazine reports. King added, “Mobile technology is still new, and there is still no knowledge of how to do mobile security.” Analyst Alan Goode said challenges not only reside on the security side but in the authentication and data protection spheres as well. “It is difficult to regulate and ensure data is protected,” he said, adding, “With mobile you can do it right, providing that the data is protected and assured.”
Full Story

ONLINE PRIVACY—CANADA & GERMANY

Authorities To Cooperate on Cross-Border Digital Privacy (October 16, 2012)

IDG News Service reports that German and Canadian data protection authorities have signed an agreement on protecting privacy in cross-border data transfers via the web. The countries will cooperate on specific cases and inform each other on privacy complaints. “Since personal data can be transferred to other countries and parts of the world with one mouse click, data protection agencies have to cooperate better internationally,” Canada’s Office of the Privacy Commissioner noted. Germany and Canada plan to discuss extending the plan to additional countries at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay later this month, the report states.
Full Story

DATA PROTECTION—UK

ICO: Private Sector Ahead on Compliance (October 15, 2012)

COMPUTERWORLD reports on audits by the Information Commissioner’s Office (ICO) indicating the private sector is “leading the way" while data protection compliance "concerns remain" for the public sector. "The private-sector organizations we have audited so far should be commended for their positive approach to looking after people's data,” said the ICO’s Louise Byers, adding, “However, this does not mean that businesses in the UK should rest on their laurels.” She also noted that, generally, the public-sector entities audited had appropriate information governance and training practices in place but need to do more in terms of data security, the report states.
Full Story

ONLINE PRIVACY

Kroes, Industry on Do-Not-Track (October 11, 2012)

EU Digital Agenda Commissioner Neelie Kroes is voicing her concern about the status of the do-not-track initiative, including the delay and the “turn taken” in discussions at the World Wide Web Consortium, which missed a June deadline to come up with a better system for DNT. “I am not naïve,” Kroes said, noting that a DNT standard alone will not satisfy EU cookie legal requirements because “the emerging consensus appears to exclude first-party cookies from the scope.” Meanwhile, the U.S.-based Digital Advertising Alliance (DAA) says web companies can reject Microsoft’s new default-on DNT browser, noting it is not an appropriate standard for customers, but two U.S. senators say the DAA is putting “profits over privacy.”
Full Story

PRIVACY LAW—EU

MEPs, WP Release Data Protection Recommendations (October 11, 2012)

MEP Jan Philipp Albrecht, rapporteur for the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs, has released “Working Document 2” on the General Data Protection Regulation draft, recommending clarifying the definitions of “personal data” and “data subject” and noting consent should “remain a cornerstone of the EU approach to data protection.” The Hunton & Williams’ Privacy and Information Security Law Blog reports on the Article 29 Working Party’s opinion on the reform discussions, also emphasizing the importance of consent and clear definitions of terms. Meanwhile, Vice President of the European Parliament Alexander Alvaro has released “Lifecycle Data Protection Management,” in which he emphasizes the need to modernize data protection legislation.
Full Story

DATA PROTECTION—UK

ICO Defends Fines Against Criticism (October 11, 2012)

After receiving criticism for administering fines on NHS bodies for data breaches, the Information Commissioner’s Office (ICO) is defending its actions, reports Out-Law.com. An ICO spokesperson said the fines discourage others from making the same mistakes, adding, “The best way a public authority can protect taxpayers’ money is by not being lax in the way it looks after personal information in the first place." Chairman of the UK Council of Caldicott Guardians Christopher Fincken said it’s wrong that patient-care funding suffers in order to pay the fines. He added, “There needs to be a different mechanism, a fairer way" and one that holds “relevant officers” accountable for breach incidents.
Full Story

DATA LOSS—UK

ICO Fines Charity, Investigates Council (October 11, 2012)

The Information Commissioner’s Office (ICO) has fined a social care charity for a breach involving lost documents on four children, BBC News reports. A charity spokesperson said it has taken steps to “tighten procedures” after documents on four children went missing. Meanwhile, the ICO is looking into a possible data security breach at Essex County Council. The council experienced a breach in August involving the personal data of 400 individuals.
Full Story

SURVEILLANCE—UK

Increased Drone Use Brings Calls for Clarity (October 11, 2012)

A European Commission report says there are approximately 400 applications for civilian drone use in development across the EU, and with this increase has come concerns that privacy and civil liberties are not being taken into consideration, The Guardian reports. Eric King of Privacy International says, "With the use of drones in European airspace spiralling, we urgently need greater clarity and transparency about when and how these tools are deployed." The U.S. Government Accountability Office has also noted the privacy concerns, and a global market research analyst notes, "The UK doesn't have a proper road map (for the roll out of drones); its existing roadmap was written in 2005 and it's too old."
Full Story

DATA LOSS—UK

Survey: IT Professionals Not Confident on Breach Detection (October 11, 2012)

Business Review Europe reports that “IT data breaches have become commonplace.” That’s according to a new Ponemon Institute report, which indicates 48 percent of IT professionals in the UK report having had sensitive information stolen or compromised from their companies’ databases and applications by a malicious insider, the report states. Survey respondents indicated vulnerabilities, budgets and “difficulties complying with privacy and data privacy regulations” as the greatest challenges to data protection. Of the 532 professionals surveyed, 59 percent said they aren’t confident they could detect a breach of sensitive information.
Full Story

BIG DATA

Telecom Launches Analytics Products (October 11, 2012)

A Spanish mobile phone operator has announced its launch of a new division to sell information about its customers, BBC News reports. Telefonica will offer organisations analytics based on users’ anonymised location data, including a product to map mobile phone users’ movements throughout the day. “A teenage fashion chain might find it useful to know when and where teenage girls tend to congregate around town,” said a spokesman for the British Retail Consortium. Customers will not be permitted to opt out of the service. The Information Commissioner’s Office says as long as personal information cannot be identified, “we don’t have any problem with it.”
Full Story

ONLINE PRIVACY—EU & U.S.

U.S. Officials Head to Europe To Talk Privacy (October 11, 2012)

Officials from the U.S. Department of Commerce (DoC), Federal Trade Commission (FTC) and Chamber of Commerce recently traveled to Europe to discuss privacy issues. DoC General Counsel Cameron Kerry met with Irish Data Protection Commissioner Billy Hawkes and Department of Justice officials this week to discuss cross-border data flows. The FTC’s Director of the Bureau of Consumer Protection, David Vladek, was in Brussels supporting efforts by the Internet Corporation for Assigned Names and Numbers to store more data on website operators and retain it for two years. And TechWeekEurope reports that Adam Schlosser of the U.S. Chamber of Commerce, also in Brussels, lobbied for changes to the proposed EU Data Protection Directive, while Department of Justice officials voiced their concerns.
Full Story

ONLINE PRIVACY

What Happens to Data After Death? (October 9, 2012)

IT World reports on what happens to an individual’s online data after death. There isn’t yet comprehensive legislation on how a deceased person’s data must be handled, and the draft of the revised European Data Protection Directive makes no mention of it, the report states. Instead, rules differ from one jurisdiction to the next. In Bulgaria, for example, data rights belong to the deceased’s heirs, while in Estonia, previously obtained consent to process personal data is deemed valid for 30 years after death, unless the data subject says otherwise during their living years.

DATA PROTECTION—EU & U.S.

Regulators To Examine Google Policy, EPIC Challenges FTC (October 9, 2012)

EU data protection commissioners will look at whether Google’s changes to its privacy policy earlier this year comply with EU privacy laws, The Guardian reports. The revision created a single policy for all Google services and resulted in the consolidation of data into a single location, the report states, drawing questions from regulators including the French data protection authority. Meanwhile, the Electronic Privacy and Information Center has released a statement alleging the U.S. Federal Trade Commission has “withheld from public disclosure” information about its recent audit of Google’s privacy program.
Full Story

PRIVACY LAW—EU

Expert: Medical Data Not Adequately Protected in Draft Directive (October 9, 2012)

University of Cambridge Prof. Ross Anderson spoke at a recent privacy conference about a loophole in draft EU data protection regulations that he believes puts medical data at risk, reports CIO. The loophole exists in provisions allowing for secondary uses of medical data for historical and research purposes, Anderson says. "The fundamental problem is that everyone from insurers to drug companies wants access to masses of personal data," he says, and while the regulations call for the anonymization of data shared with researchers, "You can always find a set of queries that reveals the target." Anderson says he’s bringing attention to the weakness now in hopes of getting the sections amended.
Full Story
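Anderson’s remark that “you can always find a set of queries that reveals the target” refers to the well-known differencing (or “tracker”) problem with aggregate statistics: two overlapping count queries, each harmless on its own, isolate one person when subtracted. The example below is added here to illustrate that point and is not code from the article, the conference or Anderson; it uses a constructed toy table with names already stripped, and shows the Laplace mechanism (differential privacy) with a per-analyst budget as one standard mitigation, which the report itself does not discuss. All record values, the `PrivateCounter` class, the `epsilon` and `budget` parameters and the function names are assumptions made for the illustration.

```python
"""Differencing attack on 'anonymised' aggregate counts, and a noisy,
budgeted counter that blunts it. Added example with constructed data."""
import math
import random
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Record:
    age: int
    postcode: str
    diagnosis: str


# Constructed sample data: direct identifiers (names) are already removed, so
# the table looks anonymised. The 47-year-old in CB3 is nevertheless unique on
# the quasi-identifiers (age, postcode), which is all the attack needs.
RECORDS = [
    Record(34, "CB2", "asthma"),
    Record(34, "CB2", "diabetes"),
    Record(52, "CB2", "asthma"),
    Record(52, "CB2", "hypertension"),
    Record(61, "CB2", "asthma"),
    Record(61, "CB3", "diabetes"),
    Record(47, "CB3", "hiv"),          # the target
    Record(29, "CB3", "asthma"),
    Record(29, "CB3", "asthma"),
]

Predicate = Callable[[Record], bool]


def count(records: Iterable[Record], pred: Predicate) -> int:
    """Exact aggregate count: the kind of query a research portal exposes."""
    return sum(1 for r in records if pred(r))


def differencing_attack(records: Iterable[Record], target_age: int,
                        target_postcode: str, diagnosis: str) -> int:
    """Two aggregate queries whose difference isolates a single person.
    Returns 1 if the target has `diagnosis`, 0 otherwise."""
    records = list(records)
    in_group: Predicate = lambda r: (r.postcode == target_postcode
                                     and r.diagnosis == diagnosis)
    q_all = count(records, in_group)                                  # everyone in the cell
    q_without = count(records, lambda r: in_group(r) and r.age != target_age)  # all but target
    return q_all - q_without


def laplace_noise(scale: float, rng: random.Random) -> float:
    """Sample Laplace(0, scale) by inverse CDF (random has no laplace())."""
    u = rng.random() - 0.5                      # uniform on [-0.5, 0.5)
    mag = max(1e-300, 1.0 - 2.0 * abs(u))       # guard log(0) at the edge
    return -scale * math.copysign(1.0, u) * math.log(mag)


class PrivateCounter:
    """Count queries answered with Laplace noise of scale 1/epsilon (each count
    has sensitivity 1), charged against a fixed per-analyst privacy budget."""

    def __init__(self, records: Iterable[Record], epsilon: float = 0.5,
                 budget: float = 2.0, seed: Optional[int] = None):
        self._records = list(records)
        self._epsilon = epsilon
        self._budget = budget
        self._spent = 0.0
        self._rng = random.Random(seed)

    def count(self, pred: Predicate) -> float:
        if self._spent + self._epsilon > self._budget + 1e-12:
            raise PermissionError("privacy budget exhausted")
        self._spent += self._epsilon
        return count(self._records, pred) + laplace_noise(1.0 / self._epsilon, self._rng)


def differencing_attack_noisy(counter: PrivateCounter, target_age: int,
                              target_postcode: str, diagnosis: str) -> float:
    """Same two queries against the noisy counter: the difference now carries
    noise of scale 2/epsilon, so a single run no longer reads 0 or 1 reliably."""
    in_group: Predicate = lambda r: (r.postcode == target_postcode
                                     and r.diagnosis == diagnosis)
    return (counter.count(in_group)
            - counter.count(lambda r: in_group(r) and r.age != target_age))


def attack_until_refused(records: Iterable[Record], target_age: int,
                         target_postcode: str, diagnosis: str,
                         epsilon: float = 0.5, budget: float = 2.0,
                         seed: Optional[int] = None) -> List[float]:
    """Repeat the noisy attack (to average the noise away) until the budget
    refuses further queries; returns the noisy answers obtained before refusal."""
    counter = PrivateCounter(records, epsilon, budget, seed)
    answers: List[float] = []
    while True:
        try:
            answers.append(differencing_attack_noisy(counter, target_age,
                                                     target_postcode, diagnosis))
        except PermissionError:
            return answers


if __name__ == "__main__":
    print("exact difference:", differencing_attack(RECORDS, 47, "CB3", "hiv"))
    print("noisy answers before refusal:",
          attack_until_refused(RECORDS, 47, "CB3", "hiv", seed=1))
```

With exact counts the difference is exactly 1 for the target’s real diagnosis and 0 for any other, even though no query ever named an individual. Against the budgeted counter each attack costs two queries, so with the assumed budget the attacker gets two noisy answers and is then refused; averaging enough answers to recover the bit is exactly what the budget prevents. Query-set-size limits alone do not help, since the two queries here each cover several people.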

ONLINE PRIVACY

Exploring the Privacy of Private Messages (October 5, 2012)

The Wall Street Journal reports on a recent online video allegedly showing that Facebook scans links sent via private messages and registers them as though the user “likes” the page sent. “It’s just one example of how online messages that seem private are often actually examined by computers for data,” the report states, adding, “it is not clear from Facebook’s data use policy that regular users would expect links in their messages to be scanned this way.” Facebook has responded that “absolutely no private information has been exposed,” and users’ privacy settings were not affected. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY—UK

Logins Could Be Used as Online Gov’t Identifiers (October 4, 2012)

The Cabinet Office has confirmed that personal login details for social networking sites, bank accounts and personal mobile phone accounts could be used as identifiers for its “identity assurance programme,” The Guardian reports. The first list of potential “certified providers” will be announced within weeks. Citizens will use the identifiers to securely access public services online in an effort to thwart identity theft, among other aims. The No2ID campaign has voiced concerns about privacy, including that the scheme “could be sidelined and used as a fig leaf by the data-hungry government departments,” a No2ID spokesman said.
Full Story

DATA PROTECTION—GERMANY

Authorities Publish Data Retention Guide for Telecoms (October 4, 2012)

The German Federal Network Agency (BNetzA) and the German Federal Commissioner for Data Protection have published a guide for telecom providers on traffic data retention, reports Hunton & Williams’ Privacy and Information Security Law Blog. The guide includes a chart on data retention periods for traffic data, including that of telephone, SMS, Internet and e-mail. The commissioner and the BNetzA hope the guide will “lead to a more unified interpretation of German telecommunications law and a ‘best practice’ approach,” the report states. They add that data should be stored for shorter periods of time whenever possible.
Full Story

HEALTHCARE PRIVACY—UK

Lawyers Warn of Data-Sharing Risks Following Breach (October 4, 2012)

Following a breach at NHS Bournemouth and Poole, lawyers are warning of the legal limits of sharing information with private companies, Health Service Journal reports. The Information Commissioner’s Office found that the health trust breached the Data Protection Act when details on 3,700 patients were shared without patients’ consent. “If the patient doesn’t know beforehand their confidential information will be shared and how they could object, you can’t assume that consent is freely given,” one lawyer advises.
Full Story

SURVEILLANCE—UK

New Regulator Raises HD CCTV Concerns (October 4, 2012)

Newly appointed Surveillance Camera Commissioner Andrew Rennison says the unregulated installation of inexpensive, high-definition CCTV cameras in Britain could identify and track individuals, creating a Big Brother state and breaching human rights laws, The Telegraph reports. “The technology has overtaken our ability to regulate it,” Rennison said, adding that the sophisticated cameras are “storing all the images they record” and have the ability to “run your image against a database of wanted people.” According to the report, Rennison is creating a CCTV code of conduct for Parliament. Henry Porter opines for The Guardian that the proliferation of such technology puts privacy and freedom “in mortal danger.”
Full Story

DATA PROTECTION—SWITZERLAND & U.S.

A Look at Switzerland’s Regulatory Landscape (October 4, 2012)

In this exclusive for The Privacy Advisor, Sylvain Métille reports on data protection law in Switzerland and transferring data to the U.S. The right to privacy “is an aspect of dignity and a right to be respected” in Switzerland, Métille writes. The U.S. Federal Trade Commission has negotiated a Safe Harbor agreement with the Swiss Federal Data Protection and Information Commissioner so data may be transferred from Switzerland to the U.S. without violating Swiss law. The agreement allows U.S. companies a way to demonstrate commitment to privacy protection for their customers, but “additional measures should be taken to demonstrate the company’s full compliance with its own privacy policy,” Métille writes. (IAPP member login required for access.)
Full Story

PRIVACY LAW—UK

ICO Set To Penalize Illegal Marketers (October 3, 2012)

The Information Commissioner’s Office (ICO) has announced it is set to issue two monetary penalties totaling more than £250,000 to illegal marketers for distributing millions of unsolicited spam texts. According to an ICO press release, the actions of the two individuals violate the Privacy and Electronic Communications Regulations (PECR). The ICO said the marketers have 28 days to respond and prove compliance with the PECR. ICO Director of Operations Simon Entwisle said, “we are already working to identify other individuals and companies involved in these unlawful practices.” Entwisle has also released a blog post on the agency’s work in this area.
Full Story

PRIVACY LAW—EU

EDPS: Common Standards Should Govern E-ID Schemes (October 3, 2012)

In a new opinion, the European Data Protection Supervisor (EDPS) has recommended that “trust service providers” and other electronic identification issuers should be required to meet a common set of data security standards under the proposed Electronic Trust Services Regulation, Out-Law.com reports. The EDPS said “the proposed regulation should establish a minimum set of requirements, in particular with respect to the circumstances, formats and procedures associated to security as well as the criteria, conditions and requirements, including the determination of what constitutes the state of the art in terms of security for electronic trust services.”
Full Story

PRIVACY LAW—EU

Article 29 Working Party: ICANN Updates May Be Unlawful (October 2, 2012)

As the Internet Corporation for Assigned Names and Numbers (ICANN) updates its Registrar Accreditation Agreement, the European Commission’s Article 29 Working Party has said some of the changes may be illegal, Infosecurity Magazine reports. The Working Party has written to ICANN to address its annual re-verification of contact details, which it calls “excessive and therefore unlawful” and a new data retention proposal that would keep personal information on registrants including phone numbers, e-mail addresses and credit card data, “for two years after the registration ceases,” the report states. The Working Party says such retention “does not stem from any legal requirement in Europe” and there is no “legitimate purpose” for the data collection.
Full Story

PRIVACY LAW—UK

ICO To Commence Cookie Crackdown (October 1, 2012)
Financial Times reports the Information Commissioner’s Office (ICO) is beginning to crack down on companies not complying with cookie regulations. KPMG Partner Steve Bonner said, “There is still a wait-and-see element among companies. It is much like when you are speeding along the motorway with no police car in sight and everyone else also driving 100 miles an hour. It doesn’t feel risky. But when the police car suddenly pulls out of the lay-by, it will be interesting to see what happens.” Noncompliant organizations may be liable for fines of up to £500,000. (Registration may be required to access this story.)

PRIVACY LAW—EU

German MEP Calls for Tighter Rules on Social Networks (October 1, 2012)

A member of the European Parliament has called for tighter controls on online social networks under the EU’s proposed data protection framework, Reuters reports. Germany’s Jan Philipp Albrecht, who is heading up the European Parliament’s work on the draft framework, says a recent incident involving Facebook users’ allegations that their personal messages appeared on their public profiles indicates the need for increased user control over data. “The informed and explicit agreement of all those affected by data processing must be a guiding principle,” said Albrecht. The CNIL met with Facebook last week about the incident and accepted Facebook’s explanation that the incident was a misunderstanding and not a breach.
Full Story

CLOUD COMPUTING—EU & UK

Commission, ICO Release Cloud Guidance (October 1, 2012)

The European Commission and the UK Information Commissioner’s Office (ICO) both released guidelines on cloud computing last week, SC Magazine reports. EU Digital Affairs Commissioner Neelie Kroes announced plans for the development of European standards and certifications on the technology by 2013, estimating it could boost the private-sector and public-services economies by €160 billion within years. “But this can only happen if we get the policies right,” said Kroes. The ICO issued guidance reminding businesses they are responsible for the data they store in the cloud, regardless of who processes it. Meanwhile, a survey has found regulatory and privacy issues among the reasons widespread cloud adoption is slow.
Full Story