European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Article 29 WP Releases Opinion on Implementing Acts (January 31, 2013)

The Article 29 Working Party has released its opinion on the need for implementing acts in the European Commission’s (EC) proposed regulation, recommending a reduced role for the EC and a stronger role for the European Data Protection Board (EDPB), the proposed successor to the Article 29 Working Party, reports Hunton & Williams’ Privacy and Information Security Law Blog. In its article-by-article assessment, “The Working Party emphasizes that the authority to adopt implementing acts should only be conferred on the commission where they ‘are needed’ and that implementing acts increase the ‘prescriptive nature’ of the proposed regulation, which may not be consistent with the principle of accountability,” the report states.

PRIVACY LAW—EU & UK

ICO Publishes Views on Albrecht Data Protection Proposal (January 31, 2013)

The UK Information Commissioner’s Office (ICO) has published its reaction to MEP Jan Philipp Albrecht’s recent proposal for data protection reform, reports Hunton & Williams’ Privacy and Information Security Law Blog. The ICO called for consistency both between the proposed regulation and the proposed directive and in the regulation of data handling in the public and private sectors. It also raised concerns about making sure data protection rights can be “delivered in practice” and being realistic about the reach of data protection authorities.

EMPLOYEE PRIVACY—UK

Court Rules Disclosure Law Contravenes Privacy Rights (January 31, 2013)

The Court of Appeal has ruled that a UK law requiring job applicants to disclose to employers all “recordable” police convictions and warnings goes against individuals’ right to privacy, reports Out-Law.com. The court said in some cases it is not justified for police to provide details of minor offences or cautions. “It is the very fact that (disclosure) is mandatory in all cases that is the objectionable feature of the scheme,” said Master of the Rolls Lord Dyson in the ruling. The government’s position is that the aim of the criminal record check justifies the privacy intrusion, and, according to the report, it says it will seek to appeal the judgment to the Supreme Court.

PRIVACY

Data Privacy Day Raises Awareness, EDPS Issues Statement (January 31, 2013)

The U.S.-based National Cyber Security Alliance (NCSA) officially kicked off Data Privacy Day events with a broadcast from George Washington University Law School featuring U.S. Federal Trade Commissioner Maureen Ohlhausen and privacy and security experts from industry and government. Observed in countries across the globe, “Data Privacy Day highlights a year-round effort for all of us to improve measures to protect our personal data,” said NCSA Executive Director Michael Kaiser, noting, “We want all digital citizens to feel like they have a choice in how their data is being collected, stored and consumed and that starts with being educated about the privacy policies of online companies and web properties. As society increasingly becomes more wired, it's imperative we understand how to best protect our data.” European Data Protection Supervisor Peter Hustinx issued a message in honour of the occasion reminding individuals that they “have the right to know what information is held about you on major government and industry databases. In some circumstances you can object to the processing of your personal information, and you’re entitled to complain if your rights to privacy and data protection are being infringed.”

DATA PROTECTION—EU

Reding and Shatter on the Importance of Pending Data Protection Rules (January 30, 2013)

In a blog for The Hill, EU Justice Minister Viviane Reding and Irish Justice Minister Alan Shatter discuss why reforms of EU data protection rules are essential to “protect both citizens’ rights and facilitate business in the digital age.” The reforms will cut costs and increase legal certainty, mitigate risks to companies’ financial success and reputation by requiring data protection safeguards and provide clarity for international transfers, Reding and Shatter write. “The message is clear, a uniform and modern data protection law for the European Union is exactly what we need to secure trust and generate growth in the digital single market.”

DATA PROTECTION

A How-To on Kick-Starting Your Company’s Privacy Program (January 30, 2013)

It’s not enough for a business to create a privacy policy and place it on its website, says Bob Siegel, CIPP/US, CIPP/IT, founder of Privacy Ref. Businesses must also define policies and practices, verify employees are complying and confirm third-party service providers are practicing adequate data protection. In this exclusive for The Privacy Advisor, Siegel identifies 10 steps companies should follow when kick-starting their organization’s privacy program. Editor's Note: For more tips and tools from the pros, visit the IAPP's Resource Center.

MOBILE PRIVACY—CANADA & THE NETHERLANDS

Regulators Say App Violates International Law (January 29, 2013)

A joint report released by the Office of the Privacy Commissioner of Canada (OPC) and the Dutch Data Protection Authority (DPA) states that WhatsApp—one of the world’s most popular mobile apps—violates international privacy law, Reuters reports. The instant-messaging application requires users to provide access to their complete address book, including users and non-users, the report states. Dutch DPA Chairman Jacob Kohnstamm said, “This lack of choice contravenes (Canadian and Dutch) privacy law. Both users and non-users should have control over their personal data and users must be able to freely decide what contact details they wish to share with WhatsApp.” The OPC initiated an investigation of the company in January 2012 for potentially violating the nation’s federal privacy law. Bird & Bird Partner Gerrit-Jan Zwenne told the Daily Dashboard, “Clearly the Dutch DPA thinks it has extra-territorial powers. The implications are far-reaching, as this would be no different for other DPAs in the EU. If this interpretation of EU data protection law is right—many doubt that—all national DPAs could investigate any non-EU-based controller that provides apps to EU nationals.”

SOCIAL NETWORKING

Facebook Unveils “Ask Our CPO” Feature (January 29, 2013)

As a replacement for its now defunct user voting policy and to “enable you to send us your questions, concerns and feedback about privacy,” Facebook has launched a new “Ask Our CPO” feature, TechCrunch reports. Facebook CPO Erin Egan answered three of the most common questions in a blog post. “We’ve built a comprehensive privacy program that helps us take a systematic approach to privacy,” she wrote in answer to whether the company thinks about privacy when designing new products. Egan also stated the company does not sell users’ private information to advertisers. “We use the things you do and share on Facebook, including demographics, likes and interests to show ads that are more relevant to you,” she wrote. Editor’s Note: As part of our Conversations in Privacy series, Egan will be joined by Facebook Associate General Counsel Edward Palmieri, CIPP/US, and Future of Privacy Forum Director Jules Polonetsky, CIPP/US, in the breakout session Facebook and Your Organization—What Every CPO Should Know at the IAPP Global Privacy Summit.

ONLINE PRIVACY

Google, Twitter Push Awareness of Gov’t Access (January 29, 2013)

Monday marked the fourth annual Data Privacy Day, and saw two major tech companies observing it by working to increase public awareness of the ease with which governments worldwide can access online data, reports CNN. Twitter released its latest transparency report outlining government requests for data, including more detail this year, and Google followed up on its report released last week with calls for more stringent protections for users’ data. Google’s chief legal officer said, “We want to be sure we’re taking our responsibilities really seriously,” adding, “we are going to make sure that governments around the world follow standards and do this in a reasonable way that strikes the balance.”

PRIVACY LAW—EU & U.S.

U.S. Industry, Advocates, Gov’t Pushing Agendas in Brussels (January 28, 2013)

The U.S. Commerce Department and major American tech companies are lobbying the European Parliament against proposed amendments to EU data protection laws, while civil rights and privacy advocates are supporting the changes, The New York Times reports. “The rest of the world is looking to see who will prevail because the Asians, Latin Americans and Africans all need to do business with the U.S. and Europe,” said one privacy advocate. Meanwhile, reactions to MEP Jan Philipp Albrecht’s more restrictive proposals continue. Eduardo Ustaran, CIPP/E, of Field Fisher Waterhouse asks in his blog post, “Is this proposal the only possible way of truly protecting our personal information or have the bolts been tightened too much?” (Registration may be required to access this story.)

ONLINE PRIVACY—UK

ICO To Change Cookie Policy to Implied Consent (January 28, 2013)

The Information Commissioner’s Office (ICO) has announced it will alter its website’s cookie consent policy from “explicit consent” to “implied consent,” Out-Law.com reports. The ICO said it is making the change to “collect reliable information to make our website better.” Since the agency’s introduction of explicit consent for cookies in May 2011, “many more people are aware of cookies, both for users and website owners,” the ICO has written on its website, adding, “We now consider it’s appropriate for us to rely on a responsible implementation of implied consent, as indeed have many other websites.” The change is expected at “the end of January,” the report states.

PRIVACY LAW—UK

12 File Online Tracking Suit (January 28, 2013)

A group of 12 Apple device users in the UK have filed a lawsuit claiming Google tracked their browsing habits without their knowledge, reports Belfast Telegraph. The claimants say that assurances given by Google and the default settings on their Safari browsers led them to believe that cookies would be blocked, and they are seeking damages. Big Brother Watch Director Nick Pickles said the case “could set a hugely important legal precedent and help consumers defend their privacy…”

PRIVACY—EU & IRELAND

Deputy DPC To Leave Post for Apple (January 25, 2013)

Ireland Deputy Data Protection Commissioner Gary Davis will be leaving the agency to take up a job as head of privacy for Apple in Europe, The Irish Times reports. The move, according to the report, “may be viewed as a sign of the tech giant’s commitment to preparing at an early stage for the planned changes in Europe’s data protection regime.” Davis has been deputy commissioner since 2006 and headed the department’s audit of Facebook’s privacy policies—the office’s biggest investigation to date. He is slated to take up his new role next month, the report states.

SOCIAL NETWORKING

Open Letter Seeks Skype Transparency (January 25, 2013)

A collection of privacy advocates, Internet activists, journalists and others have written an open letter asking for public disclosure of the privacy and security practices used by video communications service Skype, CNET News reports. The group—which includes the Electronic Frontier Foundation and Reporters Without Borders—is particularly concerned about government access to conversations, the report states. The letter asks Skype owner Microsoft to provide a “regularly updated Transparency Report.” Microsoft said it is reviewing the letter. Meanwhile, a newly introduced video-sharing service for Twitter experienced a privacy snag when it was discovered that users were logged in as the incorrect user. The service was temporarily taken down, and bugs have since been ironed out.

SOCIAL NETWORKING—IRELAND

Commissioner To Investigate Suicide Alert Plan (January 24, 2013)

Ireland’s Data Protection Commission (DPC) is looking into an agreement between Facebook and a charity group that aims to improve suicide prevention, The Irish Times reports. The agreement allows users who are concerned about specific Facebook profiles based on suicide-related posts to share the data with the charity group. The owner of the profile in question is sent an e-mail detailing concerns and contact information for the Samaritans. A representative from the DPC said, “We are continuing to engage with Facebook Ireland on this matter, including in relation to the legal basis, if any, that allows for such disclosures to be made to organisations such as the Samaritans in certain cases.” A Facebook representative said it will “take seriously…any guidance” from the DPC.

PERSONAL PRIVACY—UK

New Apps Record Telephone Calls, But Is It a Good Idea? (January 24, 2013)

A variety of new apps allow users to record and store telephone calls in a database. Privacy laws about recording and storing differ widely from country to country, and even from state to state. In Canada, the UK, and some U.S. states, for example, “one-party consent” is adequate, but in Australia and 15 U.S. states, all parties involved on a call must consent, BBC News reports.

DATA PROTECTION—UK

ICO Looks To Improve PIA-Risk Management Integration (January 24, 2013)

In an attempt to improve integration between privacy impact assessments and existing project and risk management processes, UK Information Commissioner Christopher Graham has appointed Trilateral Research & Consulting to analyze the current landscape and produce a report highlighting practical guidelines for integration. The ICO is looking for public- and private-sector organisations to respond to six questions aimed at assisting with the project. Deadline for the questionnaire is slated for early February.

DATA LOSS—UK

ICO Levies 250,000-GBP Fine (January 24, 2013)

The UK Information Commissioner’s Office (ICO) has issued a 250,000-GBP fine to Sony for a 2011 breach affecting approximately 77 million users, MSN Money UK reports. The ICO contends that the breach could have been prevented, the report states. “If you are responsible for so many payment card details and log-in details, then keeping personal data secure has to be your priority,” ICO Deputy Commissioner David Smith said, adding, “there’s no doubt in my mind that they had access to both the technical knowledge and the resources to keep this information safe.” A company spokesman said, “Sony Computer Entertainment Europe strongly disagrees with the ICO’s ruling and is planning an appeal.”

ONLINE PRIVACY

Google Report: Increase in Gov’t Requests for Data (January 24, 2013)

Governments around the world continue to make requests for users’ private data at an ever-increasing rate, The Guardian reports. “User data requests of all kinds have increased by more than 70 percent since 2009,” said Richard Salgado, legal director at Google. Google’s latest transparency report shows U.S. government requests up 136 percent, and explains the U.S. legal process for gathering electronic information. The report says that under the Electronic Communications Privacy Act, 68 percent of U.S. data requests require no subpoena or warrant.

ONLINE PRIVACY

Panel Discusses Consumer, Industry “Privacy Gap” (January 24, 2013)

A panel featuring representatives from government, industry and advocacy met to discuss the “privacy gap” between businesses and consumers, ZDNet reports. The president of the Application Developers Alliance noted that “effective communication” between consumers and companies about what data is collected, how it’s shared and whether a firm has experienced a data breach contributes to filling in the gap, the report states. Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, promoted baking privacy into product and system design from the beginning, adding, “often it’s a matter of choosing better default settings on behalf of users.” Microsoft has also commissioned a survey on consumer privacy expectations.

PRIVACY LAW—EU

EDPS Calls for Greater Power, Efficiency (January 23, 2013)

European Data Protection Supervisor (EDPS) Peter Hustinx has released a two-year strategy to make the EDPS more efficient and effective, EUobserver reports. The proposed guidelines are intended to help lawmakers craft legislation. Hustinx also foresees closer working relations with EU institutions with increased visits and inspections. Speaking in Brussels, Hustinx called for closer working relations with the European Council. “I issue a challenge to the council today,” said Hustinx, “to treat us as a grown-up institution and a trusted partner.” EU Justice Commissioner Viviane Reding supported the strategy and said the vision of creating a data protection culture “is our common goal, our common priority.”

PERSONAL PRIVACY—FRANCE

Gov’t Proposes Privacy Tax (January 23, 2013)

The French government has proposed a privacy tax—comparable to carbon taxes aimed at discouraging polluters—to protect consumer data, NBC News reports. The proposal is included in a recent report by the French Ministry of Finance and suggests companies that misuse or fail to protect consumer data would pay a tax with rates scaled to the severity of the infraction. The tax proposal would also incentivize protecting consumer data in ways that extend beyond current regulations, the report states. It has been met with mixed reactions. “It’s a very revolutionary and interesting proposal, but it would be difficult in France, let alone around the world, to implement,” one lawyer said.

ONLINE PRIVACY

Film Explores Evolution of Privacy Policies (January 23, 2013)

A new film exploring the changing legal and privacy rights of Internet users premiered at the Sundance Film Festival, CNET News reports. “Terms and Conditions May Apply” documents the evolution of online tech companies’ policies and how user anonymity has diminished as a result of government intervention—such as the USA PATRIOT Act—and advertisers, the report states. Film director Cullen Hoback argues that diminished online anonymity has put some users at greater risk, citing an example of a Facebook post that brought a SWAT team to a comedian’s house. Hoback also seeks out one firm’s original privacy policy, which reportedly included language promising anonymity to users. Now, Hoback says, privacy policies are “designed to be as uninviting as humanly possible.”

PRIVACY LAW—EU & U.S.

Proposed EU Regs Incite Wide Array of Reaction (January 22, 2013)

Spiegel Online reports on the debate surrounding the EU’s proposed overhaul of the Data Protection Directive. With differing reactions from industry, advocates and others, the debate is heating up. Swedish MEP Anna Maria Corazza Bildt, together with several tech experts, warned that the proposals threaten Europe’s competitiveness. EU Justice Commissioner Viviane Reding said, “A modern and uniform set of data protection rules is good for growth.” According to TechCrunch, EDRi, Europe’s digital and civil rights association, has obtained a U.S. government lobbying document stating that the current regulation and directive “can have far-reaching negative effects…Economically, they could stifle innovation and inhibit growth.” Meanwhile, a coalition of privacy advocates has written a letter to the EU urging it to move forward with the proposed privacy regulations.

SOCIAL NETWORKING

Expert: Graph Is “Watershed Moment” for Social Search (January 21, 2013)

Coming at a time when people are increasingly more cautious about posting information online, Facebook’s new search tool “Graph Search” has some experts wondering whether users will continue to share the information that will make it valuable, reports The New York Times. The tool mines users’ interests, photos, check-ins and “likes” and displays results ranked by the friends and brands that it thinks a user would trust the most. “This is a watershed moment,” said one University of Washington computer science professor, adding, “There have been other attempts at social search, but it’s the scale at which Facebook operates, especially once they fully index everything we’ve said or say or like.” (Registration may be required to access this story.)

SURVEILLANCE

“Privacy Visor” Blocks Facial Recognition (January 21, 2013)

The integration of facial recognition into people’s lives, from surveillance cameras to social networks, has prompted Japanese researchers to develop a pair of high-tech glasses that block facial recognition cameras, reports Slate. The two professors set out to counter the “invasion of privacy caused by photographs taken in secret.” The prototype consists of a pair of goggles attached to a battery that use infrared light sources to create “noise” across key areas of the face. This is not the only recent invention aimed at thwarting surveillance technologies; a New York artist has come out with a line of “anti-surveillance” clothing.

HEALTHCARE PRIVACY—UK

Gov’t Sets Paperless Deadline, Some Fear Privacy’s End (January 17, 2013)

UK Health Secretary Jeremy Hunt is expected to require all hospitals to digitize patient records within the next 12 months so they can be shared among health professionals across the country, The Telegraph reports. Hunt said records would not be shared without patient consent and the digitised system will not be centrally located. “If banks can develop systems where people are confident about their money, it must be possible for the NHS to develop systems where people are confident about their privacy,” said Hunt. Recent patient privacy breaches have some concerned that the system could lead to compromised privacy, the report states. One security expert is criticising the government’s plans to digitise records, saying the plans have not been adequately thought through and will “mean the end of privacy for people’s medical records.” Meanwhile, BBC News discusses privacy concerns surrounding whether anonymisation is truly possible when it comes to NHS Big Data projects involving DNA.

PRIVACY LAW—EU

EC May Require Internet Firms To Disclose Breaches (January 17, 2013)

The New York Times reports on a proposal being drafted by EU Commissioner for the Digital Agenda Neelie Kroes that would require firms storing data on the Internet to disclose data breaches to the EU or face sanctions or fines. Telephone, transport and utility companies currently must disclose breaches, but the proposal would apply to “enablers of Internet services, e-commerce platforms, Internet payment gateways, social networks, search engines, cloud computing services, applications stores” and others, according to a copy of the plan seen by the International Herald Tribune. A representative from the Business Software Alliance said, “Harmonization of the notification requirements for security breaches is important and should be addressed,” adding, “More precise guidelines in the directive on the trigger and threshold procedures would make the system more workable.” (Registration may be required to access this story.)

DATA PROTECTION—EU

Expert Examines the Intersection of Business and Privacy (January 17, 2013)

Jim Sterne reports for ClickZ on what happens “when privacy and business collide.” Sterne advises those doing business internationally to be aware of individuals’ privacy rights guaranteed under the Charter of Fundamental Rights of the European Union and notes how European cookie laws have “made a shamble of European Union analytics data management” in their inconsistencies. Discussing the European Commission’s proposed data protection regulation, Sterne questions whether companies could comply with provisions such as the right to be forgotten, the right to edit data and the right to data portability. Meanwhile, the French data protection authority has said MEP Jan Philipp Albrecht’s draft report on the regulation “largely meets” its concerns.

DATA PROTECTION

Experts Discuss Privilege Management Tool (January 17, 2013)

CSO reports on a technology some say can “trump human weaknesses,” making data breaches due to human error less likely. “Least privilege management” operates on a need-to-know basis but allows access privileges to applications instead of individuals; however, it hasn’t been widely deployed among organizations, the report states. One expert said, “It’s nigh impossible to account for all types of user interaction with a system. But in interactions that are fairly small or focused, properly implemented least privilege would be a solid and nigh unusurpable control.” Another expert said the problem isn’t “unwitting employees but malicious attackers.”

DATA PROTECTION—EU

Ministers Consider Warnings Ahead of Sanctions (January 16, 2013)

European justice ministers will consider a “two-strikes” rule for data breaches, reports IDG News Service. The Irish Presidency of the European Council published a paper on Monday asking the ministers to discuss making fines “optional or at least conditional upon a prior warning or reprimand,” the report states. The paper will be discussed at the Justice and Home Affairs Council in Dublin this week. Digital rights group EDRi says a two-strikes system wouldn’t protect citizens and would give companies and state authorities “carte blanche to breach our rights…In other words, do what you want; the worst that can happen is that you will receive a warning.”

PRIVACY LAW—EU

EDPS Takes Position on EP Reports (January 15, 2013)

Commissioner Giovanni Buttarelli, deputy European Data Protection Supervisor (EDPS), spoke last week on the EDPS’ first official position on the recent report from MEP Jan Philipp Albrecht on the European Commission’s proposed update to the 1995 Data Protection Directive. Noting that in the EDPS’ view, “the data protection package is a huge and necessary step forward for data protection in Europe,” Buttarelli explained, “We appreciate any further contribution aimed to ensure a full comprehensiveness of the two legal instruments—the regulation and the directive—to increase the level of protection ensured by the directive as well as solutions aimed to improve some provisions of both legal instruments which need to be adjusted, clarified or fine-tuned.” Buttarelli also noted in his talking points for last week’s LIBE meeting that “we are in an important phase where there is no room for mistakes. This is why at the EDPS we will continue to follow all further developments and contribute to the debate also through additional, formal contributions, where necessary.” Editor's Note: The upcoming IAPP web conference Draft Report on New EU Data Protection Regulation—Strict Requirements Proposed will offer expert analysis on the draft report.

DATA PROTECTION

Insurance To Grow if Proposals Approved (January 15, 2013)

MEP Jan Philipp Albrecht’s recent report on the European Commission’s draft regulation suggests companies seeking to process data in countries outside of the European Economic Area that have not been designated as meeting EU standards should have to provide “financial indemnification” to individuals for data breaches, reports Out-Law.com. The need for insurance products “to transfer risk for the data processor or controller has grown,” said Pinsent Mason’s Ian Birdsey. “While a standard professional indemnity policy may have been considered adequate five years ago, both companies and insurers have appreciated the need for specialist insurance products dealing with the myriad data risks.”

PRIVACY LAW—EU & UK

MOJ Wants DPO Requirement Scrapped (January 15, 2013)

The Ministry of Justice (MOJ) wants to scrap a measure within the European Commission’s (EC) data protection reforms, Out-Law.com reports. The EC has proposed a requirement that large companies heavily engaged in data processing hire data protection officers. But the MOJ has published a 22-page response to a report by the UK Parliament’s Justice Select Committee calling for the EC’s proposed requirement to be eliminated. “The government does not believe that the requirement to have a data protection officer is necessary in the proposed regulation, and we believe that there are other means of achieving the accountability principle,” the MOJ said.

ONLINE PRIVACY—SWEDEN

Authority Seeks Legislation To Prevent Defamatory Posts (January 15, 2013)

The Swedish Data Protection Board is seeking tougher legislation to deter Internet bullying and prevent privacy violations, The Local reports. The board’s recommendation follows a government request for a review on freedom of speech and press laws. Websites operated by media companies are protected by free speech clauses in Sweden’s Constitution, but the board wants Sweden to adopt legislation that would criminalize posting offensive and insulting comments. “It shouldn’t make a difference whether serious insults and privacy violations take place within or outside of areas protected by the constitution,” said Göran Gräslund, the board’s leader. “A criminal penalty would help create a balance between freedom of speech and protecting people’s privacy.”

CLOUD COMPUTING—EU & U.S.

Study Warns U.S. Law Could Threaten EU Privacy (January 14, 2013)

A study backed by the European Union (EU) says that the U.S. Foreign Intelligence and Surveillance Amendments Act gives U.S. authorities access to European citizens’ data stored on U.S.-based Internet sites, Deutsche Welle reports. EU MEP Jan Philipp Albrecht said, “This study is absolutely not about generating panic…It’s a simple fact that the U.S. data protection law only applies to U.S. citizens.” Schleswig-Holstein Data Protection Commissioner Thilo Weichert said, “The long arm of U.S. law stretches as far as Europe,” and added, “You cannot even begin to figure out what happens to this data.” Albrecht suggested that EU citizens use EU-based cloud services. Editor’s Note: The breakout session Closing the Deal—Global Cloud Contracts and EU Requirements will be part of the IAPP Global Privacy Summit in Washington, DC, this March.

DATA PROTECTION—EU

What Is the Legal Status of Search Engines? (January 14, 2013)

One of the complex questions the Court of Justice of the European Union (CJEU) must answer in 2013 relates to the legal status of search engines, Baker & McKenzie’s Yann Padova and Denise Lebeau-Marianna report for The Privacy Advisor. Using one case they describe as an example of a “burgeoning trend in Europe transforming regulations on data protection into an instrument used for removing information thought unfavorable or unsuitable by the data subjects,” the authors examine the push-and-pull between the right to be forgotten and freedom of speech.

PRIVACY LAW—EU

Schaar Welcomes Albrecht Proposal (January 11, 2013)

German Commissioner for Data Protection and Freedom of Information Peter Schaar has said MEP Jan Philipp Albrecht’s proposed amendments released earlier this week “would clearly improve the European Commission’s draft on the reform of European data protection law.” In a press release, Schaar added, “The European Parliament hopefully will approve the proposals, and I advise the federal government to actively advance the absolutely necessary improvements of European data protection law in council.”

PRIVACY LAW—POLAND

Cookie and Data Protection Laws To Take Effect (January 10, 2013)

An act amending Poland’s Telecommunication Law, among others, will go into effect 22 March. The act includes new rules on cookies that allow for an opt-in consent model that accepts software and browser settings as consent and also a breach notification requirement for publicly available telecommunication services, Bird & Bird reports. “Poland has reached a crossroad,” writes Emilia Stepien, “On one hand, if the NRA (the Office for Electronic Communication) interprets the act in line with its justification, the informed consent model may in fact be closer to an ‘opt-out’ model…However, the Polish Data Protection Authority…has recently raised its concerns that browser settings are not sufficient from a privacy perspective.”

PRIVACY LAW—EU & UK

EU Warns UK Over Data-Sharing Agreement (January 10, 2013)

The European Commission (EC) has criticized the UK for its failure to implement a data-sharing agreement it signed in 2008 requiring police to share DNA profiles, driver records and fingerprints with other EU nations that signed the treaty. The Telegraph reports that UK ministers signed the agreement but, due to civil liberties concerns, have yet to enact it. A report released by the EC last month warned that as of December of next year it will be able to use “infringement proceedings” that could lead to a fine of at least 9.2 million euros, the report states. The same report acknowledged the treaty’s flaws.

ONLINE PRIVACY—FRANCE

Minister Intervenes in ISP’s Default-On Ad-Blocking (January 10, 2013)

Minister of the Digital Economy Fleur Pellerin has derailed an ISP’s plans to block ads for its subscribers, reports Information Week. The ISP, Free, included an “optional ad blocker” for its users—but as an opt-out, so ads were blocked unless users chose to turn them on. Pellerin said the initiative could “endanger the survival of a number of economic factors” and the government should enact legislation to “ensure net neutrality because it’s a matter of principle.” The report states that Free has suspended the program due to regulatory intervention.

DATA PROTECTION—CYPRUS

Researchers Discuss Challenges of IT and Privacy (January 10, 2013)

Euronews spoke with researchers at the University of Cyprus about the challenges for developers and regulators that come with protecting consumer privacy in new technologies. Marios Dikaiakos, head of the university’s computer science department, says “constant technological changes” make it “hard to regulate issues related to civilian privacy.” Dikaiakos and two PhD students interviewed say they take privacy into account in the early stages of developing technology, noting its importance—especially in networking technologies. “As researchers, and as individuals that develop these technologies, protecting privacy will certainly remain high on our agenda for any future research and development,” Dikaiakos said.

ONLINE PRIVACY

Changes Grant Data Access, Tech Giants Join Forces (January 10, 2013)

Foursquare users would be wise to study the application’s new privacy policy, effective January 28, ZDNet reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. The window of time to access the list has also expanded. Meanwhile, Apple, Facebook and Microsoft have joined forces to launch ACT 4 Apps, an effort to educate app developers on privacy. The Association for Competitive Technology will facilitate the effort.

PRIVACY LAW—EU

Albrecht Report Would Strengthen EC Proposal, Has Industry Concerned (January 9, 2013)

MEP Jan Philipp Albrecht has released a draft report on the European Commission’s proposed update to the 1995 Data Protection Directive supporting a robust framework and recommending more stringent measures, The New York Times reports, inciting mixed reactions from government and industry. The report, containing 350 proposed amendments to be discussed in plenary, would increase data subjects’ rights—rewording the “right to be forgotten” as “a right to erasure and to be forgotten”—expand the proposal’s scope of non-EU-based controllers and expand the concept of “personal data.” The report suggests the “legitimate interest” provision—allowing companies to process personal data without consent if the reasons for doing so trump the individual’s right to privacy—should be used only in exceptional circumstances. While EU Justice Commissioner Viviane Reding welcomed the report, industry has reacted less favorably. Facebook’s head of EU Policy, Erika Mann, said that “some aspects of the report do not support a flourishing European Digital Single Market,” and the Industry Coalition for Data Protection said Albrecht’s report “missed an opportunity to reconcile effective privacy safeguards with rules protecting the conduct of business—both fundamental rights under the EU charter.” Monika Kuschewsky, CIPP/E, special counsel at Covington & Burling, told the Daily Dashboard those expecting a “conciliatory report searching for compromise and practical solutions will be disappointed” as the report’s amendments aim to strengthen individuals’ and authorities’ rights and “reinforce existing or impose additional obligations on companies.” Field Fisher Waterhouse’s Eduardo Ustaran, CIPP/E, expects “heated negotiations with the Council of the EU and other stakeholders.” (Registration may be required to access this story.) Editor’s Note: Look for more on this topic in an upcoming edition of The Privacy Advisor.

ONLINE PRIVACY

HTTPS Function Rolled Out by Yahoo (January 9, 2013)

A new option to enable HTTPS for full webmail sessions has been introduced by Yahoo, IDG News Service reports. Digital rights and privacy advocates have welcomed the new rollout. The Electronic Frontier Foundation, along with other advocates, sent a letter to Yahoo CEO Marissa Mayer last November asking for the secure function. The new interface features a “Turn on SSL” setting that users must manually switch on. In a blog post, AccessNow.org supported the decision and wrote, “Pending technical analysis of its implementation, we believe this decision by Yahoo responds to some of the concerns raised by civil society and security experts and signals a continuing strengthening of their services’ privacy protections.”

PRIVACY LAW—UK

Graham: Proposals Would Hamper Journalism (January 8, 2013)

In an official response to Lord Justice Brian Leveson’s proposals for tougher data protection laws, UK Information Commissioner Christopher Graham has warned of a “chilling effect” on investigative journalism, The Guardian reports. The proposals would make the Information Commissioner’s Office a regulator of the mainstream press, Graham warned. “The significance of the proposed changes should not be underestimated,” he said, adding that the proposal will need “very careful consideration…and is ultimately a matter for Parliament.”

SOCIAL NETWORKING—GERMANY

German DPA Threatens To Fine Facebook (January 7, 2013)

Thilo Weichert, data protection commissioner of German state Schleswig-Holstein, has threatened to fine Facebook unless it allows German users to log in under a pseudonym, The Guardian reports. German law requires media services to offer users such a choice. Weichert said Facebook’s current rules violate the law by requiring Germans to provide their identities. “It is unacceptable that a U.S. portal like Facebook violates German data protection law, unopposed and with no prospect of an end,” he said. In 2011, Weichert’s office forbade local organizations and companies from using Facebook’s “like” button, stating the feature violated German law.

PRIVACY LAW—ITALY

Italian DPA Cooperates with International Regulators (January 3, 2013)

Rocco Panetta of Panetta & Associati reports that the Italian data protection authority (Garante) has established three resolutions in the field of international data processing and transfer. Panetta, who is the Garante’s former head of legal, notes cooperation between data protection authorities is increasing when it comes to enforcement profiles. In one case, a data subject made a claim against Italian company “Badoo” for publishing fake profiles by a third party on a UK social network.

DATA PROTECTION—UK

ICO Releases Cookie Consent Report (January 3, 2013)

Eduardo Ustaran, CIPP/E, writes for Field Fisher Waterhouse’s Privacy and Information Law Blog about a UK Information Commissioner’s Office (ICO) report on the status of the cookie consent requirement. The report outlines consumer concerns that have been reported to the ICO, including dissatisfaction with consent mechanisms and insufficient information about how to decline or manage cookies. The ICO says it will continue to write to reported websites and will consider using “formal regulatory powers in line with our criteria set out in the Data Protection Regulatory Action Policy and Guidance on the issue of monetary penalties.” Ustaran notes, “This is the clearest threat of enforcement action to date.”

PRIVACY LAW—EU

Opinion: Regulation Could Cost Businesses Billions (January 3, 2013)

Research by the Brussels European Employee Relations Group (BEERG) has shown that, if passed as is, the proposed data protection regulation may cost European businesses upwards of 3 billion euros, reports EurActiv. Derek Mooney, BEERG’s public affairs director, says that while the European Commission claims the changes will bring savings with the onset of a single law for all member states, employee data has been excluded from the regulation—meaning businesses will have the “patchwork of 27 different rules for 27 different countries” for employee data “plus the additional obligations and burdens” laid out in the regulations.

BEHAVIORAL TARGETING

Ad Industry Concerned With Firms’ Privacy Practices (January 3, 2013)

Ad Age reports on concerns within the advertising industry that Facebook and Amazon are not using the industry’s standardized ad privacy program while a majority of large media firms and ad networks comply or integrate with the Digital Advertising Alliance’s (DAA) Ad Choices program. Ad campaigns operated by Facebook and Amazon also raise privacy concerns, the report states. One industry executive said, “We need publishers to adopt the industry standard,” adding, “We cannot have everyone embrace it in their own flavor.” A TRUSTe representative said Facebook is “pushing the edge of what online advertising is doing” and added the two companies “may warrant a whole new category within the DAA’s program.”

ONLINE PRIVACY

New Year May Bring New Challenges for Tech Companies (January 2, 2013)

Industry fared well in 2012 in its efforts to lobby against federal consumer privacy legislation, but 2013 is likely to bring renewed regulatory efforts and intense negotiations with consumer advocates—particularly over online tracking, The New York Times reports. Industry’s recent success was due to its increased presence in Washington, DC, and record-setting lobbying budget, the report states. As privacy and security increasingly caught the attention of regulators, advocates and legislators, industry “realized it is important to be engaged,” said Intel’s David Hoffman, CIPP/US. Regime changes at the Federal Trade Commission and legislative overhauls in Europe are expected to impact the online landscape in 2013. (Registration may be required to access this story.)

PRIVACY LAW—ITALY

Court Overturns Executives’ Convictions (January 2, 2013)

An Italian court has overturned the 2010 convictions of three Google executives, including lead privacy counsel Peter Fleischer and ex-CFO George Reyes. The executives had been given suspended six-month sentences over alleged privacy offences, GigaOm reports, involving a video posted online of an autistic boy being bullied. “We’re very happy that the verdict has been reversed and our colleagues’ names have been cleared,” said a Google spokesperson. “Of course, while we are delighted with the appeal, our thoughts continue to be with the family who have been through the ordeal.”

SOCIAL NETWORKING

Foursquare Changes Privacy Policy, Suit Filed Against Instagram (January 2, 2013)

Foursquare announced last week that it is changing its privacy policy effective January 28, PC Magazine reports. The service will now show full names across its website instead of a mix of first name and last initial, and it will allow businesses to see an expanded list of users who have checked in. A company e-mail stated, “This is great for helping store owners identify their customers and give them more personal service or offers.” Foursquare has also created “Privacy 101,” a stripped-down version of its privacy policy. Meanwhile, a class-action lawsuit has been filed against Instagram for its proposed privacy policy changes. According to the report, the lawsuit cites a breach of contract, among other claims.