European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA PROTECTION—UK

ICO To Meet with Councils to Discuss “Underlying Problems” (December 20, 2012)

Following breaches at four local councils, the Information Commissioner’s Office (ICO) plans to meet with representatives from the councils to discuss their approach to data protection, Out-Law.com reports. The ICO recently fined Leeds City Council, Plymouth City Council, Devon City Council and the London Borough of Lewisham a combined total of 300,000 GBP for separate data breach incidents. “There is clearly an underlying problem with data protection in local government, and we will be meeting with stakeholders from across the sector to discuss how we can support them in addressing these problems,” said Information Commissioner Christopher Graham.

PRIVACY LAW—EU

Kroes, Commission: Cybersecurity Law “Nearly Finished” (December 20, 2012)

According to a spokesman for EU Digital Agenda Commissioner Neelie Kroes, a draft directive on cybersecurity is “nearly finished,” and a commission official has indicated it will be released in January. EUobserver reports that the bill is likely to include the creation of a co-operation mechanism to prevent cross-border cyber incidents and a minimum standard of preparedness. Kroes’ spokesman said the text is about "recognising that digital freedoms and digital security go hand-in-hand--they have to be balanced and dealt with together." Kroes also voiced concern that the EU "is not positioning itself well enough to benefit from digital developments," adding she would like to see better use of technologies such as cloud computing.

INFORMATION ACCESS—EU

Committee Supports Police Access to Asylum Database (December 20, 2012)

Members of the Justice and Home Affairs Committee have voted in support of a bill that would allow authorities access to a fingerprint database on asylum seekers, spawning criticism from some privacy advocates and regulators, reports EUobserver. Under the plan, police would be able to cross check asylum seekers’ fingerprints with other government databases to aid in criminal investigations. The European Data Protection Supervisor is questioning whether the access is necessary, saying the commission hasn’t demonstrated a need. One member of the European Parliament stated, “This is an important step in the wrong direction.” The proposal will go next to “trialogue negotiations” before a debate in plenary early next year, the report states.

PRIVACY LAW—EU

EDPS: DPOs Could Face Conflict of Interests (December 20, 2012)

Out-Law.com reports on a new statement issued by the European Data Protection Supervisor (EDPS) warning that compliance and data protection officers (DPOs) working at European institutions—such as the European Parliament and the Court of Justice of the European Union—could be exposed to conflicts of interest in instances where the DPO is acting on a part-time basis. The EDPS “acknowledges that it is important for a DPO to have a good understanding of the way the institution operates and of its personal data processing operations…However, EU institutions and bodies should be careful to avoid any conflict of interests between DPO duties and any other official duties.”

PRIVACY LAW—EU & NEW ZEALAND

NZ Privacy Act Receives EU Adequacy (December 20, 2012)

The European Commission has announced that New Zealand’s Privacy Act meets adequacy standards set forth in EU data protection law. New Zealand Privacy Commissioner Marie Shroff welcomed the news, saying, “The European decision is a vote of confidence in our privacy law and regulatory arrangements. This decision establishes New Zealand, in the eyes of our trading partners, as a safe place to process personal data.” According to a New Zealand Office of the Privacy Commissioner (OPC) press release, the agency has spent years working toward adequacy. OPC Assistant Commissioner Blair Stewart said, “Europe and New Zealand share a common commitment to upholding human rights.”

DATA RETENTION—AUSTRIA & EU

Court: EU Retention Rule Could Breach Law (December 20, 2012)

The Constitutional Court of Austria has asked the European Court of Justice to consider whether the EU Data Retention Directive contravenes fundamental EU law, IDG News Service reports. The rules requiring nations to retain large amounts of personal information for law enforcement purposes—including electronic communications and location data—may be an invasion of citizens’ privacy, said the Austrian court. Constitutional Court of Austria President Gerhart Holzinger noted, “We doubt that the EU Data Retention Directive is really compatible with the rights that are guaranteed by the EU Charter of Fundamental Rights.”

DATA PROTECTION—EU

Proposals Would Require Breach Notification (December 19, 2012)

InformationWeek reports on proposals now circulating within the European Commission that would require European businesses providing critical infrastructure services to report data breaches to authorities. EU officials say the provision is necessary to remove the stigma associated with data breaches and to increase information sharing among such service providers. “We want to change the culture around cybersecurity from one where people are sometimes afraid or ashamed to admit a problem, to one where authorities and network owners are better able to work together to maximize security,” an EU official said.

ONLINE PRIVACY

Users, Lawmaker React to Instagram Policy Changes (December 19, 2012)

The Washington Post reports on reactions following Instagram’s announcement that it would change its terms of use to share images uploaded to the site without permission or compensation. Many users indicated fears they might see their images used in advertisements created by Instagram or Facebook, which bought Instagram earlier this year. An Instagram spokesman said in a blog post yesterday, “To be clear: it is not our intention to sell your photos. We are working on updated language in the terms to make sure this is clear.” U.S. Rep Ed Markey (D-MA) said, “A picture is worth a thousand words; posting one to Instagram should not cost you your privacy.” (Registration may be required to access this story.)

ONLINE PRIVACY

Scientist Develops “Identity Mixer” (December 18, 2012)

A lead scientist at IBM’s Zurich Research Center has developed an “Identity Mixer” aimed at facilitating e-mail and Internet shopping without excessive disclosure of personal information, International Business Times reports. “The idea is to authenticate only the minimally necessary information for authentication,” said IBM Fellow Jan Camenisch. “We want to deal with a digital society that requires electronic authentication.” The Identity Mixer issues “‘electronic tokens’ that verify user information contained in a third-party database,” the report states. The mixer has been piloted in Greece at the Research Academic Computer Technology Institute, and IBM hopes to employ it in the EU’s FutureID, introduced last month to protect personal data related to government-issued identity cards.

ONLINE PRIVACY—EU

Regulators Formally Examining Policy Changes (December 18, 2012)

Bloomberg reports that EU regulators are formally examining recent changes by Microsoft to its privacy policy. Data protection authorities (DPAs) from France and Luxembourg are leading the investigation and aim to verify whether the changes will offer European users appropriate notice and choice of services, the report states. Dutch DPA Jacob Kohnstamm said, “Given the wide range of services you offer, and popularity of these services, changes in your services agreement and the linked privacy policy may affect many individuals in most or all of the EU member states.” A Microsoft spokesman said, “We are confident they will find Microsoft’s long-standing commitment to privacy has not changed.”

SOCIAL NETWORKING—GERMANY

DPA Pushes Back on Pseudonym Policy (December 18, 2012)

A German privacy regulator has ordered Facebook to immediately cease enforcing its real-name policy because it allegedly violates the German Telemedia Act, IDG News Service reports. Schleswig-Holstein Office of the Data Protection Commissioner Thilo Weichert said the nation’s law provides users with the right to use pseudonyms online. “This decree is binding,” Weichert added. A Facebook spokeswoman said, “We believe the orders are without merit…and we will fight it vigorously.” Meanwhile, Instagram has altered its privacy policy to share data with Facebook. The changes are slated to take effect January 16.

PERSONAL PRIVACY—UK

Government Releases Smart Meter Rules (December 17, 2012)

The UK Department of Energy and Climate Change has released smart meter privacy rules, reports Smartmeters.com. Energy and Climate Change Minister Baroness Verma said the smart meter system brings “huge potential benefits for millions of homes and businesses and for Great Britain as a whole.” She added, “Let me be clear: the consumer comes first.” The rules give consumers a choice on how often energy suppliers can access their energy consumption data and prohibit suppliers from using such data for marketing purposes unless they have explicit consent. The rules also establish a “Central Delivery Body” to help consumers use smart meters to better manage their energy use.

GEO PRIVACY—GERMANY & EU

Official Says New Google Maps May Violate EU Law (December 17, 2012)

A German official has expressed concerns that the location data sharing function within the new Google Maps for iOS may violate European law, Ars Technica reports. Schleswig-Holstein Independent Centre for Privacy Protection Deputy Privacy and Information Commissioner Marit Hansen said the location sharing option is switched on by default and the company’s use of the word “anonymous” in its terms of service is misleading. She said, “All available information points to having linkable identifiers per user,” which led her to state that the company’s “anonymous location data” would be considered personal data in the EU, the report states. Meanwhile, an op-ed notes that Google “is in an ideal position” to “make strong e-mail encryption a mass phenomenon,” which would be a “win-win” for the company. 

PRIVACY LAW

Delegates Reject Proposed Internet Treaty (December 14, 2012)

An alliance of Western countries including the U.S., UK and Canada has rejected a proposed treaty saying it would give repressive governments too much power over the Internet, CNET News reports. Representatives from the Netherlands, New Zealand, Denmark, Sweden, Poland and the Czech Republic also said they would not support the International Telecommunication Union (ITU) Treaty. Some representatives questioned whether the UN was the proper organization to oversee Internet-related issues, the report states, adding, “a key concern is that putting topics related to Internet speech and surveillance to a majority vote of ITU’s 192 member nations may not end well.”

DATA PROTECTION—IRELAND

Many Companies Unaware of Data Obligations (December 14, 2012)

Many of Ireland’s companies are “unaware of their responsibilities in collecting, storing and destroying data,” writes data protection consultant Fintan Lawlor in The Independent. Noting recent fines handed down by courts and the data protection commissioner (DPC), as well as reputational risks, Lawlor advises companies take steps to become compliant with EU data protection laws. It’s important companies determine whether they need to register as a data controller with the DPC, explain to customers what data is being collected on them and ensure that the data collected is necessary and relevant to the purposes for which it is being collected, Lawlor says.

DATA PROTECTION

Center Releases Accountability Tool (December 14, 2012)

As part of the Global Accountability Project, the Hunton & Williams Centre for Information Policy Leadership has released an accountability self-assessment tool, reports Hunton & Williams’ Privacy and Information Security Law Blog. “In collaboration with experts…we’ve outlined the key elements of a sound program to help organizations take the concrete steps necessary to be accountable,” said Marty Abrams, the centre’s president. As accountability plays a larger role in legislation, “The results of the survey may be useful in demonstrating to regulators and other interested constituencies the design of an organization’s privacy program,” added Paula Bruening, vice president of Global Policy at the Centre.

ONLINE PRIVACY

Company Launches Social Login Privacy Seal (December 14, 2012)

Adweek reports on the launch of a social privacy certification and seal that aims to reassure consumers logging into an application or website via a social login such as Facebook or Twitter that their data “will not be abused or compromised.” Following a survey in which nearly half of respondents said they would be more comfortable using a social login if a short message indicated what information the site was collecting, Gigya collaborated with the Future of Privacy Forum (FPF) to develop its SocialPrivacy Certification. FPF Director Jules Polonetsky, CIPP/US, will chair Gigya’s recently established Privacy and Safety Advisory Board.

DATA PROTECTION—EU & MALTA

Justice Minister Calls for Greater Flexibility in Draft Regulation (December 13, 2012)

The Malta Independent reports Malta is seeking greater flexibility in the EU’s draft data protection regulation. Justice Minister Chris Said told the Justice and Affairs Council that while he believes the proposed laws will be beneficial, flexibility is needed and “special attention” must ensure that “no unnecessary burdens are placed on businesses.”

DATA PROTECTION—UK

DVLA Bans Councils for Improper Database Use (December 13, 2012)

The Driver Vehicle and Licensing Agency (DVLA) has banned hundreds of local authorities from accessing its database for improper use, BBC News reports. The DVLA has temporarily banned 294 organisations since 2009, and 38 organisations have been permanently banned. According to the report, abuses stemmed from poor administration. Big Brother Watch Director Nick Pickles said the “public are right to be worried that their privacy is at risk across a range of government services.”

BIOMETRICS—GERMANY

Facial Recognition Raises Anonymity Concerns (December 13, 2012)

Deutsche Welle reports on the increased use of facial recognition technologies and concerns that the proliferation of the technology may threaten anonymity in public. Of biometric data such as facial recognition, Hamburg Data Protection Commissioner Johannes Caspar said, “It is possible for both state and private enterprise to use and abuse this data by identifying people through photographs.” Caspar said, at some point, everyone will be “transparent citizens,” but added, “the democratic rights of citizens must be respected.”

PRIVACY LAW—UK

Minister, Committee Critical of Draft Communications Bill (December 13, 2012)

The draft Communications Bill needs revisions, according to Security Minister James Brokenshire. A joint committee evaluating the draft bill warned that its security provisions could “trample over privacy,” The Telegraph reports. The bill would require mobile phone and Internet companies to keep data on consumer activities for up to one year and would give law enforcement agencies the ability to view message time stamps and recipients, though would not grant the agencies the ability to read the messages.

DATA LOSS—ESTONIA & EU

Possible Breach; Poll Shows People Want Notification Law (December 13, 2012)

A TechWeekEurope poll found 84 percent of readers think organisations should be required to report breaches that compromise personal information. Of the more than 300 respondents, around 13 percent said the challenges of implementing a system for mandatory breach reporting would outweigh the benefits. Meanwhile, the Estonian Data Protection Inspectorate is investigating whether an electricity trader contravened data protection requirements by allowing customers to see others’ personal information in the company’s customer database. 220 Energia’s authentication system used one identifier, meaning by filling out remaining data fields with random information, users could access other customers’ accounts.

MOBILE PRIVACY—UK

Opinion: New Map App Could Put Privacy At Risk (December 13, 2012)

In an opinion piece for The Guardian, James Ball discusses the recent release of Google Maps and the privacy concerns some have expressed. The app requests users’ home addresses and asks to collect location data, which “even anonymised, is astonishingly revealing about who we really are,” Ball writes. “The collection and storage of this information leaves it open to scrutiny by law and intelligence services,” he adds.

DATA THEFT

Authorities Arrest 10 for Data Theft (December 13, 2012)

International authorities have arrested 10 individuals from around the world for allegedly operating a network of infected computers for the purpose of stealing personal data from millions of users, The New York Times reports. Law enforcement authorities were aided in their investigation by Facebook, the report states. The Butterfly botnet allegedly spread malicious software to compromise the security of PCs, allowing the suspects to acquire personal information, including credit card numbers. The U.S. Justice Department said variations of this type of malicious software have infected approximately 11 million computers and caused more than $850 million in damages, the report states. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Updates Privacy Settings (December 13, 2012)

Facebook has made changes to its privacy settings by giving users more control and clarity over what personal data is shared and by removing users’ ability to remain hidden from its main search tool, The Wall Street Journal reports. A new control, called Privacy Shortcuts, will allow people to alter who can see their posts and who can contact them through the site. Facebook Director of Product Samuel Lessin said, “We’re taking the most critical things and putting them in context across the whole site.” Electronic Privacy Information Center Executive Director Marc Rotenberg said, “Facebook’s decision not to allow people to hide themselves from search appears to violate the settlement” reached with the Federal Trade Commission earlier this year. (Registration may be required to access this story.)

PERSONAL PRIVACY—UK & U.S.

As Smart Meter Concerns Persist, UK Issues Rules (December 13, 2012)

National Geographic reports on the challenges facing smart grid proponents as consumers voice concerns about privacy, including how smart meter data will be used and who might have access to it. The U.S. has deployed smart meters to about one-fourth of customers nationwide, while the EU is working to meet a mandate that 80 percent of households use smart meters by 2020. The UK government has published a set of rules for its smart meter program in which “the consumer comes first.” In the U.S., federal laws regulating use of consumers’ energy data don’t yet exist, though some U.S. states are formulating rules. Editor’s Note: For more on this topic, see “Amidst Fledgling Smart Grid Safeguards, Utilities Self-Regulate and an Expert Offers A How-To” from the September edition of The Privacy Advisor.

BEHAVIORAL TARGETING—UK

ASA To Regulate Online Behavioral Advertising (December 13, 2012)

Early next year, the UK Advertising Standards Authority (ASA) will start regulating online behavioral advertising, reports Phil Lee, CIPP/E, of Field Fisher Waterhouse. Recent changes to the UK Code of Non-broadcast Advertising, Sales Promotion and Direct Marketing come into effect February 4. The revised code implements recommendations previously made by the European Advertising Standards Alliance. Lee says the revised code will likely bring a “regulatory flurry,” confusion about lawful tracking via cookies and increased enforcement by the ASA—which may prove to be a “more active regulator of targeted advertising than the ICO once the new rules come into effect.”

ONLINE PRIVACY

Microsoft Standing By Do-Not-Track Default (December 13, 2012)

Despite criticism from online advertising firms, Microsoft says it will stand by its decision to make its Do-Not-Track (DNT) feature the default in its latest Internet Explorer browser. “We crossed the Rubicon and are completely comfortable being on the other side of the river,” said Microsoft General Counsel Brad Smith. “We have no intention of going back and have no intention of engaging in discussion on that possibility.” Some advertisers have said they will ignore the browser’s privacy signals. Smith said Microsoft is willing to talk with advertisers about tweaks to how it describes DNT to users and how the setting can be altered.

PRIVACY LAW—ITALY

Prosecutor Wants To Uphold Jail Time for Execs (December 12, 2012)

An Italian prosecutor is pushing to uphold jail sentences for three Google executives in an appeal stemming from a 2010 case in which a Milan judge found them guilty of violating the privacy of an autistic boy after his classmates uploaded a disparaging video to a Google site. Reuters reports that the executives were sentenced to six months of suspended jail time, but none of the three have faced actual imprisonment. The company has called the ruling an attack on freedom of expression on the Internet, but the prosecutor says, “Not only has the privacy of minors been violated but lessons of cruelty have been given to 5,500 visitors." Editor’s Note: To learn more about liability in social media, read “Defamation by social media: Who’s liable?” from the October issue of The Privacy Advisor.

PRIVACY

Reding, Harper and Fakhoury Share Perspectives (December 12, 2012)

Three installments in The New York Times' "Room for Debate" offer alternate perspectives on key privacy issues. European Commission Vice President Viviane Reding opines in favor of strong privacy laws, writing, "Personal data has become the currency of today's digital market. Like any currency, it needs stability and trust. Only if consumers can 'trust' that their data is well-protected, will they continue to entrust businesses with it, which will help the economy to continue prospering.” In a separate post, the Cato Institute’s Jim Harper offers perspectives on children’s online activities. Meanwhile, Hanni Fakhoury of the Electronic Frontier Foundation writes about ways privacy and technology can coexist. (Registration may be required to access this story.)

DATA PROTECTION—AUSTRALIA & UK

Australian DJs’ Hoax May Have Violated Law (December 12, 2012)

The Guardian reports a recent prank call to a UK hospital may have violated the Data Protection Act barring the obtaining or disclosure of personal records. The two Australian radio DJs who made a prank call to the hospital obtained personal data about a patient “without the consent of the data controller, which in this case is the King Edward VII hospital,” said one expert. Australian Federal Privacy Commissioner Timothy Pilgrim’s office has said it will not investigate a privacy breach at this time and will instead defer to the Australian Communications and Media Authority.

SOCIAL NETWORKING

A Look at Facebook’s Chief Privacy Officer (December 11, 2012)

The Hill reports on the work and responsibilities of Facebook Chief Privacy Officer (CPO) Erin Egan. As CPO, Egan is responsible for explaining the firm’s privacy policies to its one billion users—partly through its new “Ask the Chief Privacy Officer” feature—ensuring that feedback from lawmakers and regulators gets implemented in Facebook’s policies and weighing the privacy implications of new products, the report states. Her team reaches across multiple departments, including product development, security and privacy. Center for Digital Democracy President Jeffrey Chester said Egan has been willing to “have substantive discussions on key issues.” Meanwhile, student group Europe v. Facebook is reaching out for funding to bring a civil case against the company for alleged data protection violations.

ONLINE PRIVACY

Initiatives Could Impact the Future of User Privacy (December 11, 2012)

An op-ed in The Economist discusses two initiatives that could affect Internet users’ expectations of privacy in years to come. The first is a U.S. Senate bill that would update the Electronic Communications Privacy Act of 1986. The bill would require law enforcement agencies to obtain a warrant to access e-mails that have been opened or are more than six months old; now, only a subpoena is required. “Bringing online privacy requirements into an age of cloud computing is only fit and proper, and long overdue,” the report states. The second is the International Telecommunications Union’s effort to rewrite its treaty for regulating telecommunications companies worldwide by defining the Internet as a form of telecommunication.

PRIVACY LAW—EU

EU Regulators Consider Censure (December 10, 2012)

The New York Times reports on potential plans by the EU’s group of data protection authorities (DPAs) to censure Google for its consolidated privacy policy if the company does not meet demands previously set forth by the regulators. In a two-day, closed-door meeting, the DPAs mapped out a preliminary strategy, which, the report states, includes testing whether Google is in compliance with national privacy laws in Ireland, Belgium and Finland, where the company operates data centers. A Google spokesman said the company is reviewing recommendations laid out by France’s DPA and is “confident that our privacy notices respect European law.” The DPAs may issue a public statement this week, the report states. (Registration may be required to access this story.)

GENETIC PRIVACY—UK

Database Concerns Abound (December 10, 2012)

The Telegraph reports on an initiative to create a database “capable of storing every British citizen's DNA records” with an opt-out for those who do not want their data stored. “The UK will be the first country to introduce high-tech DNA mapping within a mainstream health system in a move designed to help it lead the world in tackling cancer and rare diseases,” the report states. Privacy advocates caution, however, that there are “very real privacy concerns” with the opt-out system and the potential ways DNA data could be shared with third parties.

CONSUMER PRIVACY—GERMANY

Group To Sue Social Networking Site (December 10, 2012)

A group of German consumer organizations is planning to sue Facebook over allegations the company shares personal data with third-party app makers without getting users’ explicit consent, IDG News Service reports. The Federation of German Consumer Organizations (VZBV) asked the company to change its App Center privacy practices in July and now says the practices have not improved, the report states. A Facebook spokeswoman defended the company’s practices. The VZBV expects a hearing to commence next summer.

PRIVACY LAW—EU

Facebook: Right To Be Forgotten Will Increase Tracking (December 7, 2012)

Facebook says the “right to be forgotten” provision in the EU draft data protection regulation will result in increased tracking of Internet users, TechWeekEurope reports. Facebook has been lobbying against the draft and says the right to be forgotten provision that would require companies to delete customer data upon their request “raises many concerns with regard to the right of others to remember and to freedom of expression.” If customers want all of their data deleted, companies will have to track them across websites other than their own. “As drafted, the proposals have privacy implications,” said Facebook’s policy communications manager in Europe.

ONLINE PRIVACY—UK

Leveson Calls for New Laws (December 7, 2012)

BBC News reports on a call by Lord Justice Brian Leveson for new laws “to prevent ‘mob rule’ on the Internet.” Following the publication of his report on UK press standards, Leveson has indicated that “new laws would protect privacy and freedom of expression on the Internet,” the report states. Newspaper editors, meanwhile, have said they will respond to the government "very shortly" regarding implementation of the Leveson plan. "The editors of all national newspapers met...and unanimously agreed to start putting in place the broad proposals…for the independent self-regulatory system laid out by Lord Justice Leveson," their statement said.

PRIVACY LAW—EU

MEP: Parliament On Schedule for Draft Regulation (December 6, 2012)

Dutch Liberal MEP Sophie in’t Veld says the European Parliament is on course to define its position on the EU draft data protection regulation by mid-2013, EUobserver reports. Despite the fact that formal deliberations have not begun, MEPs are “on schedule,” according to in’t Veld. German Green MEP Jan Philip Albrecht is expected to table his draft report to the Civil Liberties Committee in an effort to prevent further delays on the bill’s completion. in’t Veld said political groups maintain a “united position on most of the main issues,” within the draft regulation.

DATA PROTECTION—EU & U.S.

Hustinx: U.S. Adequacy Is Some Ways Away (December 6, 2012)

European Data Protection Supervisor Peter Hustinx has said he expects only a select number of U.S. IT companies will meet EU data protection standards for some time to come, IDG News Service reports. Responding to U.S. Ambassador to Europe William Kennard’s call for the U.S. to be given adequacy status, Hustinx said while that may happen in the future, “the ambassador was being a little optimistic,” the report states. Kennard has expressed concerns about some of the provisions within the EU draft data protection regulation, including that the draft gives the European Commission broad powers.

PRIVACY LAW—IRELAND

Fines Handed Out and Breach Reported (December 6, 2012)

Dublin District Court handed out fines to four companies based on prosecutions taken by the data protection commissioner (DPC), reports the Irish Times. The charges included sending unsolicited texts and e-mails and making unsolicited phone calls. The DPC says it is satisfied with the outcomes, noting they reaffirm the message that “the largest telcos down to small operators” would be punished for breaches. Meanwhile, mobile phone company O2 has announced that a backup tape went missing in September 2011 that may have contained customer information. O2 will notify 1.3 million customers, though the DPC and O2 agree customer risk is low.

PRIVACY LAW—EU

Alvaro: Right To Be Forgotten Needs Revisions (December 6, 2012)

Speaking at an event of the Congressional Internet Caucus Advisory Committee in Washington, DC, German Vice President of the European Parliament Alexander Alvaro said the provision in the proposed EU data protection law guaranteeing individuals the right to be forgotten needs to be limited. The right “has to be limited to the point where we’re talking about judicially, clearly examined, illegal violations of rights,” he said, adding it will not be used as a tool to curtail freedom of expression. Alvaro is pushing for context-based privacy protection, noting that other provisions—such as explicit consent—may also need revision, reports FierceGovernmentIT.

CLOUD COMPUTING—EU & U.S.

Report: USA PATRIOT Act Could Bypass EU Law (December 5, 2012)

Researchers from the University of Amsterdam’s Institute for Information Law have released a paper validating reports that the USA PATRIOT Act could allow U.S. law enforcement to obtain EU citizens’ data, bypassing EU privacy laws, reports CBS News. The researchers say that because “most cloud providers, and certainly the market leaders, fall within the U.S. jurisdiction,” entities—including governments—located outside the U.S. that use U.S.-based cloud services could be required to allow U.S. law enforcement to access their data. Axel Arnbak, co-author of the report, says, “The risk of data access by U.S. authorities to cloud data is realistic and should form an integral part in any decision-making process to move data into the cloud.”

SOCIAL NETWORKING

U.S. Judge Approves Facebook Settlement, Policy Voting Open (December 4, 2012)

A U.S. judge has given preliminary approval of Facebook’s proposed settlement to a class-action lawsuit claiming the company violated privacy rights, Reuters reports. The judge says the settlement, Facebook’s second attempt, “falls within the range of possible approval as fair, reasonable and adequate.” Class members and others will have an opportunity to object to the settlement before it goes to final approval. A fairness hearing is scheduled for June 28, 2013. Meanwhile, the company has opened voting for its latest proposal to change user privacy settings. The vote is open until Monday, December 10, to all Facebook users and may determine whether its roughly one billion users will have the ability to vote on privacy changes going forward; the vote is only binding if 30 percent of users participate. The Electronic Frontier Foundation and the Center for Digital Democracy have written to Facebook CEO Mark Zuckerberg urging him to “withdraw the proposed changes” as they “raise privacy risks for users, may be contrary to law and violate your previous commitments to users about site governance.”

SOCIAL NETWORKING—EU

Europe v. Facebook Plans Suit (December 4, 2012)

Austrian student group Europe v. Facebook has said it plans to challenge Facebook’s privacy policies in court, The New York Times reports. The group claims the social networking site’s changes to its privacy policy do not go far enough to comply with European data protection law. In recent times, the group has succeeded in petitioning the site to turn off its facial recognition feature in Europe and limit its retention of some data. But the group’s leader, Max Schrems, says the site “has done only about 10 percent of what we had asked them to do. Therefore, we are preparing to go to court.” (Registration may be required to access this story.)

DATA PROTECTION—UK

MP: Public and Private Organizations Should Work Together (December 4, 2012)

Senior Member of Parliament Crispin Blunt says private-sector organizations can help public agencies strike a balance between reaping the benefits of sharing data across agencies and protecting personal information, reports Publicservice.co.uk. Blunt recently chaired a Parliament event where public- and private-sector groups came together to discuss best practices in data-sharing transparency. "This is a complex issue, and we need to work with the private sector to ensure this is progressed in a cost-efficient way with the appropriate safeguards to strike the right balance of protecting the privacy of the individual and providing more cost-effective services to the general public," Blunt said.

PRIVACY LAW

Conference on UN Internet Treaty Begins (December 3, 2012)

Regulators from 193 countries are in Dubai for the World Conference on International Telecommunications, and some say the discussions may threaten the future of the Internet, reports BBC News. EU Digital Agenda Commissioner Neelie Kroes tweeted, “The Internet works; it doesn’t need to be regulated by ITR treaty,” and Google representatives say the conference is a threat to the “open Internet.” But the report states that the UN International Telecommunications Union says action is needed to ensure investment in infrastructure and insists that, rather than a majority view, common ground is needed before any changes will be made to the treaty. Editor’s Note: For more on this topic, see “Privacy worries surround UN Internet regulations” from the September issue of The Privacy Advisor.

BEHAVIORAL TARGETING

Rosen: Why You Should Care About Profiling (December 3, 2012)

George Washington University Law Prof. Jeffrey Rosen writes for The New York Times, “As personalization becomes ubiquitous, the segmented profiles that advertisers, publishers and even presidential candidates use to define us may become more pervasive and significant than the identities we use to define ourselves.” Rosen creates two distinctive online identities for himself on different browsers, compares the ads he sees and—through data aggregator BlueKai, which sorts consumers into market segments—views their profiles. Rosen says such profiles lead to an uneven playing field for consumers but says “there is more at stake…the possibility of not only shared values but also a shared reality becomes more and more elusive.” (Registration may be required to access this story.)