European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

ONLINE PRIVACY

Deep Packet Inspection Standards Raise Concerns (November 30, 2012)

The United Nations’ International Telecommunication Union has approved a deep packet inspection (DPI) standard that is raising privacy and security concerns, IDG News Service reports. The Center for Democracy & Technology’s (CDT) website says the standard—known as the “Requirements for Deep Packet Inspection in Next Generation Networks,” or Y.2770—“could give governments and companies the ability to sift through all of an Internet user’s traffic—including e-mails, banking transactions and voice calls—without adequate privacy safeguards.” CDT Chief Computer Scientist Alissa Cooper said, “There is a general lack of attention to design considerations we think are important to Internet users, namely privacy and security. Obviously DPI has the potential to be an extremely invasive technology.”
Full Story

PRIVACY LAW—UK

Leveson Publishes Report on Data Protection Act (November 30, 2012)

Lord Justice Leveson has published his report to the Ministry of Justice on the Data Protection Act, reports Field Fisher Waterhouse’s Privacy and Information Law Blog. The recommendations include amending the right to compensation; repealing “certain procedural provisions around journalism”; extending the Information Commissioner’s Office’s prosecuting powers to include offences related to breaches of the Data Protection Principles; and reconstituting the ICO as an information commission led by a board of commissioners.
Full Story

BEHAVIOURAL TARGETING—GERMANY

Advertisers Launch Self-Regulation Initiative (November 29, 2012)

Forty German advertising companies have established the “German Data Protection Council for Online Advertising,” which aims to increase consumer awareness of online behavioural advertising, reports Hunton & Williams’ Privacy and Information Security Law Blog. The group plans to increase transparency through the use of codes of conduct, an OBA icon and a tool allowing German Internet users to determine which sites can place cookies on their computers. The initiative is linked to the European Interactive Digital Advertising Alliance.
Full Story

DATA PROTECTION—EU

Commissioner Threatens Antitrust Investigations for Data Portability Violations (November 29, 2012)

Indicating support for the draft data protection regulation, EU Competition Commissioner Joaquín Almunia has threatened antitrust action against businesses that fail to comply with the data portability rules provided under the draft. In a speech in Brussels this week, Almunia said consumers must be able to “easily and cheaply” transfer their data from one company to another in order for competition to thrive. “The proposed regulation aims to ensure the ‘right of portability,’” he said, adding that although the commission has not investigated such a case yet, firms’ use of personal data to “keep competition at bay” is possible. Covington & Burling’s Henriette Tielemans told the Daily Dashboard the development is interesting and expected. “Aside from the Google/Doubleclick merger a number of years ago, data protection has not yet been raised in EU competition law cases. But this is clearly about to change. Data gives market power and that power can be abused.” Meanwhile, Christopher Kuner of Wilson Sonsini Goodrich & Rosati said, “At present, competition and data protection are two separate areas in Europe. Commissioner Joaquín Almunia’s speech does not mean that a violation of the right to data portability would necessarily trigger sanctions under EU competition law. But the commissioner seemed to leave the door open to antitrust investigation of anti-competitive practices by data controllers.”
Full Story

PRIVACY LAW—EU & UK

Proposed Regulation Headed to MoJ Panel (November 29, 2012)

V3.co.uk reports the UK Ministry of Justice was to host a meeting Thursday to discuss the European Commission’s revised data protection regulation. The meeting was to be chaired by Justice Minister Lord Tom McNally and include stakeholders and advocates including the Open Rights Group and Privacy International, the report states. The meeting invitation states it will “provide you with an update on the EC negotiations and key topics. In order to facilitate discussion, it would also be helpful to know whether you have any particular concerns or questions about the new data protection proposals.”
Full Story

DATA LOSS—UK

Council Fined 60K for Loss of Kids’ Data (November 29, 2012)

The Information Commissioner’s Office (ICO) has fined Plymouth City Council 60,000 GBP for a 2011 breach in which it sent the details of a child neglect case to the wrong recipient, reports Information Age. The incident occurred when an employee picked up someone else’s printout and included it with their own. “It would be too easy to consider this a simple human error,” said Stephen Eckersley, head of enforcement at the ICO, adding, “not enough care was being taken within the organisation when handling vulnerable people’s sensitive information. The distress this incident will have caused the people involved is obvious, and the penalty we have issued today reflects that.”
Full Story

DATA PROTECTION—EU & GERMANY

Organisation To Present Study to Reding (November 29, 2012)

A Germany-based data privacy consulting group yesterday presented its study to Vice President of the European Commission (EC) Viviane Reding, according to a company release. The study shows that while privacy officers at German companies agree with many components of the EC’s proposed data protection regulation, they question whether those components can be enforced; the study also “confirms the effectiveness and efficacy of this model of entrepreneurial self-monitoring and control,” the report states. The managing director of 2B Advice says the “Data Protection Practice 2012” study aims to “help ensure that the practical experiences of data privacy officers in enterprises is included in European and international data protection and privacy legislation.”
Full Story

ONLINE PRIVACY

New W3C Mediator Looks To Salvage DNT Process (November 29, 2012)

The New York Times reports on the “acrimonious discussions” within the World Wide Web Consortium’s (W3C) effort to work out a global Do-Not-Track standard and the difficult task facing newly appointed W3C Co-Chair Peter Swire, CIPP/US. “People can choose not to have telemarketers call them during dinner. The simple idea is that users should have a choice over how their Internet browsing works as well,” Swire said, adding, “The overarching theme is how to give users choice about their Internet experience while also funding a useful Internet.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

Her Job: Manage the Data for the 2012 Olympics (November 29, 2012)

Patricia Poku isn’t new to data protection. A quick glance at her resume would tell you that. In fact, she’s spent the last 20 years or so in the field. But perhaps no amount of experience could have prepared her for the herculean task she most recently took on: head of data protection at London 2012—the Olympics and the Paralympics. In this exclusive for The Privacy Advisor, Poku discusses the challenges she faced in this “once-in-a-lifetime experience in data privacy,” including overseeing roughly 85 databases—each containing an average of about 100,000 data sets—and training a constant influx of new volunteers and staff on the importance of data protection.
Full Story

DATA LOSS—UK & U.S.

Breaches Affect NASA Employees, UK Civil Servants (November 29, 2012)

In January 2011, NASA employees lost a Supreme Court case against the agency claiming its background checks violated privacy rights. This month, some of those employees received a letter warning them that a data breach at the agency may have exposed their personal information, The New York Times reports. The Government Accountability Office says NASA has experienced “numerous cyberattacks” in recent years and in 2009 issued a report titled “NASA Needs to Remedy Vulnerabilities in Key Networks,” the report states. Meanwhile, the UK’s Civil Service Sports Club is notifying more than 100,000 British civil servants of a breach that occurred two years ago and may have resulted in the theft of their personal information. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—UK

ICO Fines Text-Spammers 440,000 Pounds (November 28, 2012)

The Information Commissioner’s Office (ICO) has fined the two owners of Tetrus Telecoms 440,000 pounds for sending out illegal text messages that offered compensation for accidents and then selling the collected data to claims management firms for profit. It is the first time the ICO has levied such a fine against the illegal marketing industry and, the report states, three additional firms may be in the agency’s sights. Information Commissioner Christopher Graham said, “The public have told us that they are distressed and annoyed by the constant bombardment of illegal texts and calls, and we are currently cracking down on the companies responsible, using the full force of the law.”
Full Story

CLOUD COMPUTING—EU & U.S.

Opinion: EU, Cloud Models on Collision Course (November 27, 2012)

In a column for Wired, Doug Miller writes that “European data protection interests are on a collision course with the current business models of companies such as Facebook and Google, which rely on personal data to thrive.” Miller presents four potential outcomes to this “impasse”: the EU will need to lower its policy expectations; cloud providers will need to “substantially” alter their business models; cloud providers may pull out of Europe altogether; or both sides will reach “a sane resolution.” The EU’s stance should matter to U.S. interests, opines Miller, because “what the Europeans are pushing for is something we could all benefit from,” including “more control over and knowledge about how our personal data is used by cloud providers.”
Full Story

SOCIAL NETWORKING

Regulators, Advocates React to Data Use Changes (November 26, 2012)

Proposed changes to Facebook’s data use policy have some regulators and privacy advocates concerned about potential privacy violations, The Washington Post reports. Announced last Wednesday, the changes would include a plan to share data with affiliates such as Instagram, instituting “new filters for managing incoming messages” and ending the user voting system for policy changes. Ireland Deputy Data Protection Commissioner Gary Davis has “expressed confidence” the company will give European users the right to approve or deny affiliate data sharing. Davis said, “We expect Facebook to be reverting (to previous policies) on these issues.” At least two privacy advocacy groups are expected to file a complaint with the FTC over the proposed changes. (Registration may be required to access this story.)

PRIVACY LAW—EU & UK

Gov’t Assessment Indicates Regulation Would Cost Companies (November 26, 2012)

The UK government says EU data protection laws will result in extra costs rather than savings for businesses, Out-Law.com reports. The net cost of annual compliance with the draft data protection regulation would be between 100 and 360 million pounds for UK businesses, public-sector organizations and charities, according to Justice Minister Helen Grant, who says the “burdens the proposed regulation would impose far outweigh the net benefit estimated by the commission.” Grant’s comments are based on a recent impact assessment published by the UK Ministry of Justice. The commission has said it anticipates reforms to save organizations 2.3 billion euros annually in administrative costs.
Full Story

PRIVACY LAW—EU & U.S.

Opinion: EU, U.S. At Important Crossroad (November 26, 2012)

In an opinion piece for European Voice, U.S. Department of Commerce General Counsel Cameron Kerry discusses the need for a global framework for national privacy policies. Kerry says the U.S. and EU “must take care to preserve the free flow of data that supports one of the most significant trade relationships in the world. Otherwise, our good intention to protect privacy could hinder the economic growth that both sides need.” The Safe Harbour framework has been a great success for streamlined compliance with laws and sufficient consumer protection, and the U.S. and European Commission are making efforts to enhance the framework, Kerry says, adding the EU and U.S. are at an important crossroad.
Full Story

BIG DATA—UK

ICO Issues Code of Practice for Anonymised Data (November 21, 2012)

The Information Commissioner’s Office (ICO) has issued a new code of practice that sets out guidelines for limiting privacy risks when using anonymised data and large databases, The Guardian reports. Information Commissioner Christopher Graham said the ICO’s “code of practice on managing the data protection risks related to anonymisation” will “provide a framework for practitioners to use when considering whether to produce anonymised information,” and added that it “aims to bring a greater consistency of approach and to show what we expect of organisations using this data.” Hunton & Williams’ Bridget Treacy said the code “will not be legally binding,” but “may influence enforcement.”
Full Story


DATA LOSS—UK

Council Reports Second Breach This Year (November 21, 2012)

Dumfries and Galloway Council has said it will take “appropriate steps” after a social work report containing confidential information was mistakenly sent to the incorrect recipient, BBC News reports. This is the second incident involving the council this year. The Information Commissioner’s Office will consider if any action will be necessary.
Full Story

PRIVACY LAW—EU

The Personalities, Challenges Behind Proposed Regulation (November 21, 2012)

The New York Times explores two personalities behind the development of the proposed EU data protection regulation. With Ireland poised to assume the presidency of the EU, Ireland Minister of Justice, Equality and Defense Alan Shatter will be faced with the “big challenge” of cobbling together an agreement for a new EU privacy regime. Shatter said, “I think it is possible to reconcile the legitimate and economically important activities of the advertising industry with privacy issues.” Isabelle Falque-Pierrotin, head of France’s data protection authority (CNIL), discusses the CNIL’s investigation of Google and her preference for the current decentralized system of regulators but with improved cooperation among national authorities. Meanwhile, the top cybersecurity agency in Europe has said there are “technical limitations” to the right to be forgotten. (Registration may be required to access this story.)

PRIVACY LAW—EU

Commission To Renegotiate Convention 108 (November 21, 2012)

The European Commission (EC) has adopted a recommendation allowing it to negotiate the modernization of the Council of Europe’s convention on data protection (Convention 108) on behalf of the EU, according to an EC press release. EU Justice Commissioner and Commission Vice President Viviane Reding said she is “very pleased to see the Commission representing the EU at the negotiating table in the Council of Europe. We are setting new and higher standards for data protection in the EU,” and added, “But in this brave new digital age, data knows no national borders—these negotiations are an opportunity to build a new gold standard of data protection across the globe.”
Full Story

PRIVACY LAW—EU

Company Warns of Non-Cooperation, Lengthy Court Battles (November 20, 2012)

Out-Law.com reports on comments by Facebook concerning the inclusion of fines of up to two percent of a company’s global turnover for violations of the proposed EU data protection reforms. In comments to the Irish data protection commissioner, the social networking company said businesses may withdraw from cooperation with regulators and engage in lengthy court battles, the report states. “The high level of potential sanctions for breaches of the regulation risks turning relations between companies and regulators into a combative one and may undermine the incentive of Internet companies to invest in the EU,” Facebook has stated.

DATA PROTECTION—GERMANY

German DPAs Adopt Resolutions on EU Reform, IPv6 (November 20, 2012)

German state and federal data protection authorities (DPAs) have adopted a resolution backing the European Commission’s work to harmonize data protection law through the EU’s proposed regulation, and a separate resolution on the migration from IPv4 to IPv6, Hunton & Williams’ Privacy and Information Security Law Blog reports. The resolutions came out of the 84th Conference of the German Data Protection Commissioners, a twice-yearly conference that includes all 16 state DPAs and Federal Commissioner for Data Protection and Freedom of Information Peter Schaar. The DPAs also published guidelines, in German, on the separation of data processing in the context of shared IT systems.
Full Story

ONLINE PRIVACY—EU

Survey: Minority of EU Websites Get Cookie Consent (November 19, 2012)

According to a recently released survey, only a small number of websites based in the EU ask visitors for their consent to store cookies on their computers, IDG News Service reports. Not one of the 50 most popular websites in France and Germany features a pop-up asking for consent. The TRUSTe survey states 12 percent of UK-based websites have taken steps to comply with the cookie directive “with an onscreen pop-up, banner or tab informing users about cookies on the site.”
Full Story

CONSUMER PRIVACY—UK

OFT To Investigate Personalized Pricing (November 19, 2012)

The UK’s Office of Fair Trading (OFT), a regulator that oversees consumer protection issues, has initiated a “call for information” on possible consumer law violations by businesses collecting and using online behavioral data to offer individualized prices to consumers. The OFT said it “will look at how businesses use such consumer information, including whether they change the prices they offer individual shoppers as a result” and added it “will consider business and technological developments in the online shopping market, consumers’ understanding of how their information is used and whether they are being treated unfairly in law as a result of any firms using this practice.”
Full Story

DATA PROTECTION—IRELAND

DPC Investigating Credit Reporting Agency (November 19, 2012)

Ireland’s Office of the Data Protection Commissioner is investigating a credit-reporting agency after a series of breaches of the company’s databases, Bloomberg reports. Deputy Commissioner Gary Davis said the office has opened a preliminary inquiry into Dublin-based Experian’s data security practices following reports that the company’s database had been breached multiple times since 2006, the report states. “At this stage, all we’re doing is probing the matter based on media reports,” Davis said.
Full Story

CLOUD COMPUTING—EU

EDPS Calls for Provider, User Responsibility (November 16, 2012)

European Data Protection Supervisor (EDPS) Peter Hustinx has released his opinion on the European Commission communication on “Unleashing the Potential of Cloud Computing in Europe.” The opinion highlights data protection challenges and how the proposed data protection regulation will address them. The commission’s communication proposes key actions and steps to accelerate cloud computing services in Europe. The EDPS notes cloud computing can “bring enormous benefits” but adequate protection must be provided, adding that cloud providers must take responsibility and cloud customers fulfill data protection obligations. “The complexity of cloud computing technology does not justify any lowering of data protection standards,” the EDPS said.
Full Story

PRIVACY LAW—UK

Tribunal To Decide if Orgs Can Appeal Fines after Payment (November 16, 2012)

An Information Rights Tribunal will rule on whether organizations that choose to pay fines issued by the Information Commissioner’s Office (ICO) promptly in order to receive a 20-percent discount reserve the right to appeal the penalty, reports Out-Law.com. The question came up last month when the Scottish Borders Council launched an appeal to a reduced fine it paid earlier this year, saying it had “done so with the caveat that (it) still reserved the right to appeal.” The ICO says, however, “The objectives of the early payment scheme are to…reduce the costs to the public purse,” adding, “The effect of such reservations would be to nullify the advantages which the scheme is intended to achieve.”
Full Story

PRIVACY LAW—EU

Proposed Regulation Discussions Continue (November 15, 2012)

The UK remains opposed to a single data protection regime across member states and is joined in its resistance by Denmark, Slovenia, Belgium, Hungary and Sweden, Out-Law.com has reported. These countries plan to back a new data protection directive, while Bulgaria, Germany, Spain, the Netherlands, Luxembourg, France, Italy, Greece and Ireland have indicated support for a new regulation instead. Meanwhile, speaking at the IAPP Europe Data Protection Congress, European Commission Director General for Justice Françoise Le Bail noted, “We need a regulation that is flexible enough to be applied to technological advances that we may have no notion of right now.” Article 29 Working Party Chair Jacob Kohnstamm said while there is “always room for improvement,” the regulation’s applicability across member states is “a big step forward.”
Full Story

PRIVACY LAW—ITALY

Garante Sanctions Telecom, Forbids Company’s Video Surveillance (November 15, 2012)

Panetta & Associati’s Rocco Panetta reports on British Telecom Italy’s sanction of €75,000 for not providing the Italian data protection authority (Garante) with information it had requested. The Garante had sanctioned the company €20,000, which the company protested with a written defense. But the company’s arguments “were not able to lift the company from liability for not having replied to the Garante,” Panetta writes. Meanwhile, the Garante has given a “green light” to a draft decree “aimed at fixing criteria and procedures of telematic transmission of data” on euros suspected to be counterfeit. The Garante has also forbidden a call-center company from using a video-surveillance system capable of detecting images and conversations.
Full Story

PRIVACY LAW—UK

High Court: Police Can Retain Convicts’ DNA Indefinitely (November 15, 2012)

BBC News reports on a Belfast High Court ruling that police in Northern Ireland can retain DNA samples and fingerprints of convicted offenders indefinitely. Judges rejected the argument, made by lawyers for a drunk-driving suspect, that the retention breaches privacy rights and that retention decisions should be based on the seriousness of the case. The judges said retaining such records is valuable in fighting crime. There are some 700,000 fingerprints and 123,000 DNA samples contained in a Northern Ireland database. “The retention of data serves the additional purpose of discouraging a convicted offender from re-offending,” said Lord Justice Paul Girvan.
Full Story

DATA PROTECTION—UK

ICO Seeks Input on Privacy Seals (November 15, 2012)

The Information Commissioner’s Office (ICO) has published a questionnaire on “how privacy seals might be used to improve data protection compliance and customer privacy awareness,” reports Hunton & Williams’ Privacy and Information Security Law Blog. Aiming to assist the ICO in its future work, the questionnaire seeks input on the best way to implement privacy seals, as well as organisations’ interest, reservations and experiences on the matter.
Full Story

SURVEILLANCE—EU

EDPS Publishes Report on Spot Inspections (November 15, 2012)

The European Data Protection Supervisor (EDPS) is “reasonably satisfied” after inspecting 13 Brussels-based EU institutions to evaluate their compliance with the 2012 EDPS Video-Surveillance Guidelines. New Europe reports that the inspections were conducted in June and July of this year and found 11 of the 13 institutions provide a data protection notice, though “not in line with the language, format and content requirements of the guidelines.” More needs to be done, the EDPS says, noting most of the institutions did not have their video-surveillance policy available online. Assistant EDPS Giovanni Buttarelli said “the EDPS will continue to closely monitor and follow up video-surveillance compliance by EU institutions and bodies.”
Full Story

PRIVACY

DPAs Discuss Self-Regulation, Cross-Border Rules (November 15, 2012)

Hogan Lovells’ Christopher Wolf reports for The Privacy Advisor on the recent gathering of privacy authorities and professionals at the 34th International Conference of Data Protection and Privacy Commissioners in Uruguay. While Article 29 Working Party Chair Jacob Kohnstamm announced that future conferences will consist of private meetings between data protection authorities unless the conference’s host country decides otherwise, Wolf says the conference’s public sessions are very useful, including the “informal interactions in the hallways and at meals among the public and official participants.” The conference saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics.
Full Story

ONLINE PRIVACY

Government Requests for Online Data Increase (November 14, 2012)

Google has released its sixth Transparency Report since 2009 outlining requests from government agencies and others to access data and remove content. BBC News reports that in the first six months of 2012, governments across the globe have made almost 21,000 requests to access data held by Google. The U.S. government made the most requests, totaling 7,969, with Turkey leading the requests for content removal at 501 requests. “This is the sixth time we’ve released this data, and one trend has become clear: Government surveillance is on the rise,” Google said in a blog post. “Our hope is that over time, more data will bolster public debate about how we can best keep the Internet free and open.”
Full Story

BEHAVIORAL TARGETING

Study Examines Marketing and Privacy (November 14, 2012)

The Edelman Privacy Risk Index, produced with The Ponemon Institute, has found that 60 percent of 6,400 marketing executives from 20 countries believe “their companies don’t consider privacy a priority, and more than half don’t believe that a data breach would adversely affect their corporate reputations,” Direct Marketing News reports. Edelman found, however, that “eight in 10 consumers would leave banking institutions that accessed their personal information without permission,” the report states. Larry Ponemon, CIPP/US, suggests that while most direct marketers do respect privacy, marketers should identify their customers who are most concerned about privacy “and make it very easy for them to opt in or out of communications.”
Full Story

DATA PROTECTION—UK

“Loophole” May Allow Orgs To Dodge Breach Fines (November 13, 2012)

TechWeekEurope reports on a tactic some organizations have considered using in order to avoid data breach fines. The Information Commissioner’s Office (ICO) has promised not to fine companies for data breaches if the breach is discovered during a voluntary audit. As such, some organizations have considered asking the ICO for an audit after a breach has already been discovered internally, the report states. This sometimes requires organizations to delete a data trail ahead of the audit. “If we discover duplicity, that there was a breach that you knew about and didn’t report, then you’re in deep trouble,” said Information Commissioner Christopher Graham. “There are no games to be played.”
Full Story

PERSONAL PRIVACY—UK

Minister: Consumer Privacy at Heart of Smart Metering Program (November 12, 2012)

Energy Minister Baroness Verma, responsible for overseeing smart metering, says the government is committed to prioritizing consumer protection and privacy, Out-Law.com reports. According to Verma, the national program will only work if consumers are given a choice about who has access to their data and how it may be used. Smart meter technology, which allows real-time digitized data flows about energy usage, is expected to be in use by 2014. Some 55 million meters are expected to be installed at UK households and businesses by 2019. The UK government is taking a “secure-by-design” approach to the program, Verma said.
Full Story

DATA PROTECTION—UK

ICO: Fines Show Lack of Security Culture in Organisations (November 8, 2012)

Infosecurity Magazine reports the Information Commissioner’s Office (ICO) has levied more than £2 million in fines to public-sector organisations and is concerned that repeat offenses, such as a recent Stoke-on-Trent breach, indicate the lack of “a culture among staff whereby everyone takes their responsibilities seriously and effective data handling becomes second nature.” One expert says organisations need “to rethink their approach to information security and take care to classify and protect data itself according to the sensitivity of that information,” while another expert outlines the importance of building privacy into NHS electronic health record systems. Meanwhile, an Abergavenny hospital is reminding employees about its policies for posting photos online after a patient’s family complained about a photo posted to Facebook.
Full Story

ONLINE PRIVACY—EU

Experts Chime in on Data Protection Laws, Theories (November 8, 2012)

Three articles explore developments that are riding on the coattails of the ePrivacy Directive, including Do Not Track, cookie consent and the right to be forgotten. In The Guardian, Tim Sleath opines that Do Not Track is a “sensible approach” that gives users choice and says “the powers that be” recognise cookie consent rules are “not worth enforcing.” Another report notes, “member states’ justice ministers still have quite a way to go before getting to the heart of the reform on personal data protection,” with one expert calling a European right to be forgotten “impossible.” And a Marketing Week op-ed states, “The EU needs to strike the right balance between providing personal protection while not stifling growth.”

ONLINE PRIVACY

Google Releases Chrome with Improved Privacy Controls (November 8, 2012)

Google has updated its browser to Chrome 23, which includes easier access to privacy controls such as the ability to delete cookies and block sites from tracking users online, reports Webmonkey. “The new drop-down menu also has options to control a website’s permissions for features like geolocation, pop-ups, plugins, fullscreen mode, camera/microphone access and more,” the report states. While these features have been available on past versions of Chrome, the interface has been moved from three levels deep to a drop-down menu next to the URL. Chrome is the last browser to provide support for Do Not Track, and like many others, it is activated on an opt-in basis, the report states.

ONLINE PRIVACY—THE NETHERLANDS

Police Indicate Company Shared Data (November 8, 2012)

During a police investigation into a cyberattack on PayPal, voice-over-Internet company Skype allegedly handed over the personal information of a 16-year-old customer to an IT firm, NU.nl reports. PayPal reportedly hired Dutch IT security firm iSIGHT to investigate the cyberattack, during which a 16-year-old boy’s pseudonym was discovered. Police notes indicate that Skype, another of iSIGHT’s clients, complied when iSIGHT asked for the boy’s account data. While Skype allegedly shared the data voluntarily, a court order would generally be required, the report states. A spokesman for Skype said, “It is our policy not to provide customer data unless we are served with a valid request from legal authorities.”

DATA PROTECTION—UK

ICO Fines Private-Sector Firm for Data Inaccuracies (November 7, 2012)

The Information Commissioner’s Office (ICO) has issued a £50,000 fine to the Prudential Assurance Company Limited for a database error that caused an individual’s retirement funds to be placed into another individual’s account, V3.co.uk reports. According to an ICO press release, the move is “a warning to the financial sector” and “the first monetary penalty served by the ICO that doesn’t relate to a significant data loss.” ICO Head of Enforcement Stephen Eckersley said, “We hope this penalty sends a message to all organizations, but particularly those in the financial sector, that adequate checks must be in place to ensure people’s records are accurate.” Prudential has apologized and compensated the affected individuals.

DATA RETENTION—GERMANY

Court Examines Retention Law’s Constitutionality (November 7, 2012)

Germany’s highest court is looking at the country’s anti-terror law to examine its constitutionality, Deutsche Welle reports. Judges at Germany’s Constitutional Court this week noted concerns about the data retention law, passed in 2006, that allows intelligence agencies to collect and store information about terror suspects and their supporters in a database. Thirty-eight agencies have access to the database, which stores names, birth dates, addresses, religious preferences and bank and telecommunication accounts, the report states. One judge noted concerns around the vague definition of “supporters” of violence and a clause allowing for data collection on “supporters of supporters.”

SOCIAL NETWORKING

Facebook Releases Privacy Tool for New Users (November 5, 2012)

The Washington Post reports on Facebook’s rollout of a tool for new users. The tool, which is in part a result of talks with the Irish data protection authority (DPA) following its audits of the company, “gives users specific instructions on Facebook’s default settings, sharing permissions, policies on data access, rules about apps, games and third-party websites, advertisements, photo tags and the way the site finds friends and connections for new users,” the report states. Facebook Chief Privacy Officer Erin Egan said in a statement that the company is committed to helping users understand their online sharing options and thanked the Irish DPA for its work. (Registration may be required to access this story.)

DATA LOSS—UK

ICO Warns NHS of Potential Breach Fines (November 1, 2012)

The Information Commissioner’s Office (ICO) has warned of additional fines to National Health Service organizations if they continue to not meet data protection obligations, Publicservice.co.uk reports. The warning comes on the heels of news that the medical data of as many as 1.8 million patients has been at risk within this year, the report states. An ICO spokesman told The Daily Dashboard, “The monetary penalties we issue are a very important way to discourage others from making the same data protection mistakes. In order to issue a monetary penalty we have to fulfill the criteria set out in our statutory guidance. This includes demonstrating that the breach caused, or had the potential to cause, substantial damage and distress to those individuals affected and the organisation knew or ought to have known that the breach could occur, but still failed to take action. Where these criteria are met, we will consider serving an organisation with a monetary penalty. It is also important to realise that the money stays in the public purse and is paid into the Treasury’s Consolidated Fund. Nothing is kept by the Information Commissioner’s Office.” Meanwhile, the ICO will not take legal action against a Smarter York app for data protection violations.

PRIVACY LAW—EU

Justice Committee Calls for Changes in Draft Data Protection Proposals (November 1, 2012)

The Justice Select Committee has said the European Data Protection proposals “need to go back to the drawing board,” Parliament.uk reports. The committee says in a new report that the updates to data protection laws are “too prescriptive” and don’t allow necessary flexibility for data protection authorities or organizations that retain personal data. The proposals should focus on the commission’s objectives while compliance should be monitored by member states, the committee suggests. The committee noted its support for the draft law’s provisions that would give individuals increased control of their data, allow for data erasure or removal and harmonize laws across regions.

DATA RETENTION—UK

Communications Bill Draws Praise, Scrutiny (November 1, 2012)

Legislation to require Internet service providers to retain data for up to one year is being described by Greater Manchester Police Chief Constable Peter Fahy as “absolutely vital” in “proving associations” between criminals, BBC News reports, but Liberal Democrat MP Lord Paul Strasburger has called the proposed communications bill a “honeypot for casual hackers, blackmailers, criminals large and small from around the world and foreign states.”

DATA PROTECTION—EU & URUGUAY

Council of Europe Promoting Latin American Data Protection (November 1, 2012)

The Council of Europe is encouraging non-EU member states to ratify Convention 108—the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data, MercoPress reports. Uruguay, which recently hosted an international privacy conference, has initiated the ratification process, possibly becoming the first non-Council of Europe member state to do so, the report states. Council of Europe’s Jörg Polakiewicz said, “The eventual accession of Uruguay will be a key step towards the global promotion of the convention and intergovernmental cooperation on personal data protection,” adding, “We are sure, hopefully, that Uruguay will be the first of many non-European countries to join the treaty.”

ONLINE PRIVACY—EU

Advocate: Google Data Use Should Be in Antitrust Talks (November 1, 2012)

A European-based consumer rights group has said the European Union should consider Google’s access to personal data in its antitrust considerations, Businessweek reports. Consumer organization BEUC Director General Monique Goyens said in a letter to the EU’s antitrust chief that much of the company’s market advantage is “largely fueled by its access to users’ personal data.” Goyens added, “The privacy policy of Google is directly linked to its dominance in the online search and should therefore be considered as an aggravating factor in your analysis.”

MOBILE PRIVACY

Study: Free Apps Present More Privacy Risks (November 1, 2012)

A new study reveals that free mobile apps are more likely to cause privacy and data security risks to users than paid apps, the San Jose Business Journal reports. According to a Juniper Networks survey of 1.7 million Android apps, free mobile apps are 401 percent more likely to track location and 314 percent more likely to access users’ address books than paid apps. A Juniper representative said, “Companies, consumers and government employees who install these apps often do not understand with whom and how they are sharing personal information,” adding, “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust.”