European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

CNIL: Google To Be Called Before WP (February 28, 2013)

The Article 29 Working Party (WP) is calling for Google to appear before the group of EU data privacy authorities (DPAs) in advance of “repressive action, which should start before the summer,” France’s DPA, the CNIL, announced Thursday. The announcement followed reports last week that the WP would make its decision by the end of the month, and Businessweek reports the WP “decided to pursue Google after a two-day meeting in Brussels.” A Google spokesman told Bloomberg, “Our privacy policy respects European law and allows us to create simpler, more effective services. We have engaged fully with the CNIL throughout this process and will continue to do so going forward.”

TRAVELERS’ PRIVACY—EU

EC Presents, Albrecht Against “Smart Borders” Plan (February 28, 2013)

The European Commission has presented plans for a border initiative that would use automated technology to monitor non-EU citizens’ travel in and out of the EU, and MEP Jan Philip Albrecht has come out against it, reports IDG News Service. The plan would create a database of registered travelers who would use automated gates that would record their comings and goings and alert authorities if they haven’t left by an expiry time. Albrecht, with fellow politician Ska Keller, has begun a campaign urging citizens to fight the plan, saying the initiative would create an “e-fortress Europe” and infringe on civil liberties.

PRIVACY LAW—ROMANIA

EC Drops Data Infringement Case (February 28, 2013)

The European Commission has dropped its data infringement case against Romania because the country passed a data retention law last year, reports Telecompaper. The European Commission (EC) opened the case against Romania in 2011 after it failed to implement the directive 24/2006 in the required timeframe. Romania’s new law, which passed last May, requires Internet providers to retain certain information about users and to make it available upon request to national security investigators for the prevention and investigation of serious crimes.

BIOMETRICS—EU

The Future of Online Authentication (February 28, 2013)

The Irish Times reports on the use of biometric data as an added security measure. Google has said a simple password is not sufficient to protect users, and a new group called the Fast Identity Online (FIDO) Alliance hopes biometrics will become the industry norm. “The Internet—especially with recent rapid mobile and cloud expansion—exposes users and enterprises, more than ever before, to fraud. It’s critical to know who you’re dealing with on the Internet,” said FIDO President Michael Barrett.

ONLINE PRIVACY

Tech Firms Discuss DNT, Data Currency (February 28, 2013)

A panel of privacy experts from some of the Internet’s top technology companies—including Microsoft, Mozilla, Facebook and Google—discussed Do Not Track, mobile privacy and third-party data transfers, NETWORKWORLD reports. According to SC Magazine, Microsoft Chief Privacy Officer Brendon Lynch, CIPP/US, said, “It hasn’t yet been defined on a broad level what a service should do when they receive a Do-Not-Track signal,” adding, “It’s going to be confusing for people if there’s not a common understanding of what Do-Not-Track means.” Meanwhile, author Cory Doctorow questions whether personal information sharing for free services overlooks the value of an individual’s personal data.

ONLINE PRIVACY—UK

Survey: Concerns Persist (February 28, 2013)

A Big Brother Watch survey has found that 68 percent of UK respondents are concerned about online privacy and support efforts in the EU to investigate Google’s privacy policy, EXPRESS reports. Big Brother Watch Director Nick Pickles said, "The message from consumers is clear—regulators were right to investigate Google's new privacy policy…Online privacy is an important issue for a significant number of people and not enough is being done to address these fears."

DATA BREACH—UK

Hackney Council Website Releases Citizens’ PI (February 28, 2013)

An investigation by the Hackney Citizen has found that the Hackney Council inadvertently released the personal data of more than 30 of its residents on its website. Among the data released were addresses, phone numbers and names on petitions and licensing requests that were improperly blacked-out prior to being posted online. The council was alerted to the breach before the article’s publication, and the newspaper has also informed the Information Commissioner’s Office of the situation.

PRIVACY LAW—EU

Spain Takes Search Engine to Court (February 27, 2013)

CNET News reports on a European Court of Justice case between Google and Spain’s data protection authority (DPA) over whether Google must delete data that could infringe upon a person’s privacy. Google says it is not required to do so and that starting to do so could create a slippery-slope effect. “There are clear societal reasons why this kind of information should be publicly available,” said Google’s head of free expression. “The substantive question before the court today is whether search engines should be obliged to remove links to valid legal material that still exists online.” The court is expected to rule by the end of the year, and its advocate-general will publish an opinion June 25.

BIG DATA

Facebook To Partner With Data Brokers (February 26, 2013)

NBC News reports that Facebook is planning to announce partnerships with three data marketing firms to deliver online targeted ads gleaned from offline information. Acxiom, Epsilon and Datalogix will all partner with the social networking company and allegedly upload customer lists to Facebook, which will then find matches among its users to create “custom audiences,” the report states. Facebook will not know the identity of the customers because the data will be hashed. The combination of the online and offline databases has raised privacy concerns. “There needs to be limits on Facebook’s growing use of outside data broker information,” said Jeffrey Chester of the Center for Digital Democracy. Meanwhile, a security specialist was able to access any Facebook account through an authentication flaw. The company says it has since fixed the problem. Editor’s Note: The breakout session Big Data, Not Big Brother: Best Practices for Data Analytics will be part of next week’s IAPP Global Privacy Summit in Washington, DC.

ONLINE PRIVACY

Web Tracking Tags Raise Concerns; Ad Industry Reacts to Browser Changes (February 26, 2013)

Financial Times reports on the rise of website tracking tags and corresponding security and privacy concerns. According to an Evidon report that surveyed 7.5 million Internet users, 55 percent of tracking devices used by major websites were placed by third parties rather than the first-party publisher. One Evidon representative said, “If you’re unaware of the companies injecting scripts into your page, it makes it hard to keep your users safe.” Meanwhile, AdvertisingAge reports on the ad industry’s reaction to news that Mozilla will block third-party tracking by default in its latest version of Firefox. Mozilla’s Alex Fowler said “strong user support for more control is driving our decision to move forward with this patch.” An industry representative said “the unintended consequences may outweigh the benefit that’s achieved.” (Registration may be required to access this story.)

ONLINE PRIVACY

Lobbyists Want Data on Skype Disclosures (February 25, 2013)

A coalition of digital rights groups and individuals is calling on Microsoft to release regular transparency reports on data collected from Skype users, including whether it’s been shared with third parties such as advertisers and law enforcement agencies. Microsoft purchased Skype in 2011, The New York Times reports. “We need to know how Microsoft and Skype cooperate with law enforcement and others around the world,” said Prof. Paul Bernal, a lawyer who is one of the 61 individuals to sign the open letter to Microsoft. “People living under authoritarian regimes need to know what kinds of personal risks they are taking when using Skype.” The coalition also wants to know whether Skype’s headquarters have changed from the EU since it was purchased by a U.S.-based company. (Registration may be required to access this story.)

PRIVACY LAW—EU

Deputies Intro Amendments to Weaken Draft Regulation (February 25, 2013)

A group of euro-deputies in the industry committee has introduced amendments to the EU draft regulation on data protection that would exempt industry from having to obtain user consent before engaging in behavioral targeting. The committee has also introduced an amendment on pseudonymous data, freeing industry from the obligation, EUobserver reports, reasoning that pseudonymous data isn’t appealing to industry because it disables the ability to pinpoint the individual and, therefore, market to them specifically. European Digital Rights said in a statement that the amendments voted through by the committee would “effectively rip up decades of privacy legislation in Europe, undermining trust and confidence—to the detriment of both citizens and business.”

MOBILE PRIVACY—EU

App Developers Prepare for New Rules (February 25, 2013)

The Article 29 Working Party is slated to discuss privacy as it pertains to mobile apps at its meeting this week in Brussels, EurActiv reports. Mobile app developers and regulators have thus far disagreed on topics such as rules around geolocation; while European policymakers work to strengthen rules on privacy, app developers say they need access to data on users’ whereabouts—even if it’s anonymous—in order to ensure the best service. App developers also have concerns that new rules could force small developers to hire additional staff in order to comply with data management mandates. Editor’s Note: The breakout session Privacy Engineering: Bridging the Gap Between Privacy and Code will be part of the IAPP Global Privacy Summit next week in Washington, DC.

PRIVACY—FRANCE

Personal Data: It Fuels the Economy, Why Not Tax It? (February 25, 2013)

The New York Times reports on the proposal to tax data collection with the goal of promoting sound practices for gathering and protecting information. French auditor Nicolas Colin introduced the idea based on European countries’ frustrations with their inability to collect tax revenue from Internet companies generating significant income each year, especially as budget deficits loom. “Every government needs revenues,” Colin said, adding the individual taxpayer and small companies carry the burden if large corporations do not. A spokesman for the French data protection authority said given that personal data fuels the digital economy, “it would seem like a natural idea to envision taxing the use of them.” (Registration may be required to access this story.)

PRIVACY LAW—EU & U.S.

In ‘t Veld: Regulation Could Give EU “Competitive Advantage” (February 22, 2013)

Dutch MEP Sophie In ‘t Veld said pending EU data protection rules will “push companies to innovate” and could provide the region with a “competitive advantage,” TheParliament.com reports. She noted the debate surrounding the proposed regulation “has been heating up in recent weeks” and cited concerns that the “U.S. will reap the benefits of not having to work under the burden of so much regulation.” In ‘t Veld said, “Rules can force companies into innovating” and added, “privacy is the new green.”

HEALTHCARE PRIVACY—UK

Group Voices Concern Over Medical Data Sharing (February 21, 2013)

A new scheme that would make medical data commercially available could see private sector businesses obtaining identifiable information about patients without their consent, Out-Law.com reports. The Department of Health has responded to concerns from life sciences pressure group Ethics and Genetics about plans by the Clinical Practice Research Datalink that would aggregate anonymised medical data and make it available for sale to the private sector.

DATA PROTECTION—UK

ICO To Publish Guidelines for Journalists (February 21, 2013)

The Information Commissioner’s Office (ICO) would like input from media organisations on its planned code of practice for journalists on the processing of personal data, reports Out-Law.com. “The purpose of the code will be to advise journalists and publishers how to comply with the Data Protection Act and about how to handle personal data in ways which are consistent with the principles of the Act,” the ICO said, stating it does not intend to “set ethical standards for journalists.” The announcement comes on the heels of the Home Office accepting recommendations by Lord Justice Brian Leveson regarding law enforcement requests of materials from journalists, which Information Commissioner Christopher Graham previously said would hamper investigative journalism.

DATA PROTECTION—ITALY

Garante Releases 2012 Enforcement Recap (February 21, 2013)

Rocco Panetta reports for The Privacy Advisor on Garante’s recently released balance of its 2012 enforcement actions outlining the types of proceedings and fine totals. The number of Garante proceedings in 2012 increased to 578—up 61 percent from 2011—and targeted issues such as omission of information to data subjects, excessive data retention and failure to adopt security measures, among others. The report also notes the authority’s inspection plan for early 2013.

DATA PROTECTION—EU

Parliament To Vote on Proposed Regulation, Lobbying Intensifies (February 21, 2013)

Members of European Parliament’s industry committee will vote on the European Commission’s proposed data protection regulation. Parliament must endorse the proposal for it to move forward. MEPs have thus far tabled more than 900 amendments to the original proposal, the Irish Times reports. “The proposals by and large are well-balanced,” said Fine Gael MEP Seán Kelly. “We won’t be changing the fundamentals. We don’t see any contradiction between protecting the fundamental rights of the individual and allowing businesses to develop.” He added administrative burdens on small businesses must be reduced. Meanwhile, a spokesman for European Digital Rights says the lobbying campaign launched by global corporations, industry groups and privacy campaigners is bigger than Brussels or the U.S. have ever seen.

DATA PROTECTION—EU

EDPS on the Role of Data Protection (February 21, 2013)

The European Data Protection Supervisor (EDPS) addressed the role and challenges of data protection in e-government this week in Brussels at the Conference on Security of e-Government. In his speech, Hustinx gave an overview of current legislation including organisations’ responsibilities for compliance and drew distinctions between security and data protection, noting, “good security does not necessarily provide good privacy and data protection, but good privacy and data protection would always require good security.”

DATA PROTECTION—UK

Opinion: Sound Privacy Practices Good For Business (February 21, 2013)

In a column for The Guardian, Jim Mortleman writes that “far from being a drain on resources, implementing robust privacy controls can add real value” to a business and “improve its bottom line.” While businesses often only do what is legally required, public opinion seems to be in favour of greater protection over personal information, he writes, adding that “more and more, data breaches make headlines and cost businesses both reputational damage and real legal costs, making greater attention to data privacy a wise business practice.”

PRIVACY

“Privacy Tax” Proponent Now Wants To Tax Data (February 20, 2013)

Nicolas Colin, a tax inspector for the Ministry of the Economy and Finance in France who recently suggested a “privacy tax” there, has an idea that is “every bit as radical as the invention of income or sales taxes,” NBC News reports. Colin wants to tax data. “What we do leaves traces, generates data. This data can be leveraged to create value…In the digital economy, users create part of the value alongside employees, contractors, capital and companies’ assets,” he said. The suggestion comes as countries express frustration on how to collect taxes from large digital companies generating income in countries but paying no taxes there.

DATA LOSS—UK & U.S.

Loss of Devices Compromises Council, Hospital (February 20, 2013)

The UK Information Commissioner’s Office (ICO) has fined the Nursing and Midwifery Council 150,000 GBP for the loss of three DVDs containing unencrypted, sensitive personal data of two vulnerable children, Publicservice.co.uk reports. ICO Deputy Commissioner David Smith said the council’s “underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk,” adding, “no policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered.” Meanwhile, U.S.-based Heyman HospiceCare has reported that an unencrypted laptop containing personal health information was stolen from an employee’s car.

PRIVACY

Information Privacy Trailblazer Alan Westin Passes Away (February 19, 2013)

Alan Westin, a groundbreaking scholar of information privacy who helped influence a generation of privacy study and the privacy profession itself, passed away Monday at the age of 83. “Today, literally tens of thousands of statutes, court decisions, regulations and company best practice standards, throughout the globe, are based upon” principles set forth by Westin, said friend and Arnall Golden Gregory Privacy Partner Bob Belair. The Privacy Advisor explores Westin’s legacy in this exclusive feature, including commentary from privacy notables. As Indiana University Prof. Fred Cate told The Privacy Advisor, “Alan's passing is especially hard to come to grips with because he was such a larger-than-life figure who not only helped to create and define the modern field of privacy law but welcomed, included and mentored so many of us who followed in his giant footsteps. I wouldn't be in privacy law if it weren't for Alan, and I suspect that is true--directly or indirectly--for many IAPP members.”

PRIVACY LAW—EU

Regulators Move Toward Privacy Crackdown (February 19, 2013)

The Article 29 Working Party is expected to vote at the end of the month on a new proposal by European data protection regulators to “coordinate their repressive action” against Google unless it “makes dramatic changes to how it manages user data,” reports CNET News. The French data protection authority, CNIL, says that Google “did not provide any precise and effective answers” about its privacy policy, which allows the company to pool user data from across all its services, adding, “the EU data protection authorities are committed to act and continue their investigations.” Google says its privacy policy “respects European law,” adding, “We have engaged fully with the CNIL throughout this process, and we'll continue to do so going forward.”

ONLINE PRIVACY

File-Sharing Service Calls Itself “The Privacy Company” (February 19, 2013)

The Telegraph reports on Megaupload founder Kim Dotcom’s goal of making his new file-sharing service, Mega, “a standard-bearer for online privacy.” Mega was unveiled during a recent event in New Zealand. “The decryption keys for uploaded files are held by the users, not Mega, which means the company cannot see what is in the files being shared,” the report states, noting Dotcom has indicated the site will “be expanded to include secure e-mail, mobile services as well as chat, voice and video-messaging.”

SOCIAL NETWORKING—GERMANY

Facebook Wins Pseudonym Case (February 15, 2013)

Facebook has won its case against Schleswig-Holstein’s data protection authority, the Associated Press reports. The authority had challenged Facebook’s policy that users must use real names rather than pseudonyms, alleging the policy breaches German privacy laws and European rules. The court ruled German laws don’t apply because Facebook’s headquarters are in Ireland. Meanwhile, Facebook is assuring users that special privacy protections will apply for minors employing the site’s new Graph Search tool. Details on gender, birthday, school, hometown and current city for users under 18 will only be available to those users’ friends and their “friends of friends.”

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Nations Sign New FATCA Agreement (February 15, 2013)

The U.S. and Switzerland have signed a bilateral agreement “to improve tax compliance, combat international tax evasion and implement” the Foreign Account Tax Compliance Act (FATCA), Forbes reports. FATCA was signed in 2010, and this new agreement will tighten its grip, the report states. “While inking the deal is no surprise,” writes Forbes contributor Robert W. Wood, “it’s one more sign that FATCA is a steamroller.” The U.S. is also working with 50 other nations to curb offshore tax evasion.

DATA RETENTION—DENMARK

Gov’t Postpones Retention Law Implementation (February 15, 2013)

The Danish government wants a two-year extension to implement the Data Retention Directive (2006/24/EC), EDRI reports. The review process was postponed in 2010 and 2012, and in the coming months, the Danish Parliament plans to evaluate and revise the nation’s data retention law, the report states. The government wants the extension in order to coordinate with any changes in the directive at the EU level. According to the report, there has been extensive debate in the Danish Parliament about whether the nation was over-implementing the Data Retention Directive. Upon instructions from Parliament, the Danish Ministry of Justice published an evaluation report last December.

MOBILE PRIVACY

Developer Raises App Store Privacy Policy Concerns (February 15, 2013)

An Australian-based app developer has raised concerns that Google’s app store policies allow for the sharing of users’ personal information—including e-mails, names and addresses—without consent, Reuters reports. Electronic Privacy Information Center Executive Director Marc Rotenberg said the company buries the notice explaining how it shares users’ personal data and does not clearly obtain express consent. “In a situation like this,” he said, “where people just don’t know what information is being transferred or who it’s going to or for what purpose, it seems ridiculous to say that Google has consent.” Google has said, “Google Wallet shares the information needed to process transactions, and this is clearly stated in the Google Wallet Privacy Notice.”

SURVEILLANCE—EU & U.S.

As Drone Market Grows, So Do Concerns (February 14, 2013)

The Irish Times reports on the increasing growth of the drone market in Europe, which is drawing the ire of privacy advocates, civil liberties groups and legislators who fear the drones may be misused for surveillance purposes. Of particular concern is the length of time drones can stay airborne combined with the high-quality cameras, infrared imaging and facial recognition cameras that can be mounted on drones to potentially track individuals. A spokesman from UK-based civil liberties organisation Statewatch said the European Commission is being “somewhat duplicitous” in its approach on privacy, focusing more on data protection. Meanwhile, in the U.S., a plan by Seattle, WA, police to use drones equipped with spy cameras has been halted following privacy concerns.

PRIVACY LAW—UK

Home Office Accepts Leveson Recommendations (February 14, 2013)

The Guardian reports that the Home Office has accepted recommendations set forth by Lord Justice Brian Leveson’s inquiry regarding law enforcement requests of materials from journalists. The proposals—now open to consultation—would weaken the media’s protection from police demands to disclose confidential material but would still require an approval from a judge, the report states. The proposals would also weaken whistleblower protection. Information Commissioner Christopher Graham has previously said the proposals would hamper investigative journalism. One expert said, "The proposals are wholly incompatible with press freedom principles long established under European human rights law."

MOBILE PRIVACY

Developer Releases Privacy Locker App (February 14, 2013)

A Thai developer has released an app that allows users to import photos and videos from their cameras into a secured folder, CNET Asia reports. The Private Locker for Photo & Video is designed to be unnoticeable unless a user actively seeks it out, the report states. If an individual enters an incorrect password on a smartphone, its front-facing camera takes a picture of the user, and any secured data is deleted after five failed attempts to access the locker. Editor’s Note: The breakout session The Mobile Majority: Building Privacy by Design into Mobile Apps will be part of this year’s IAPP Global Privacy Summit in Washington, DC.

DATA PROTECTION—EU

The Assets and Drawbacks of the Regulation (February 14, 2013)

When the EU adopts its new regulation on data protection, organizations will have two years to comply or else face significant fines. The European Union is at a turning point when it comes to protecting its citizens’ privacy, write attorneys Gaetan Cordier and Adeline Jobard of Eversheds in this exclusive for The Privacy Advisor that examines the assets and drawbacks of the proposed regulation.

PRIVACY LAW—EU & U.S.

Website: Proposals Taken Word-for-Word from Lobbyists (February 13, 2013)

A website has revealed that some MEPs are taking direction from U.S. lobbyists with the intent to soften the EU’s proposed privacy framework, TechWorld reports. The site compared amendment language with text submitted by certain U.S.-based lobbyists and found that many of the alterations were copied word-for-word, the report states. Europe Versus Facebook’s Max Schrems said though there are legitimate business interests, a majority of the lobbying seeks “to push through small changes in key points that make the whole structure of the law unstable.”

DATA LOSS

Report: Hacking Caused Majority of Breaches (February 12, 2013)

CSO reports a new survey by Open Security Foundation has found hacking was the most common source of data breaches in 2012. There were 2,644 known data breaches last year, slightly more than double the number of breaches reported in 2011, the report states. Hacking was the reason for 68.2 percent of breaches. Meanwhile, a nonprofit organization in Maine inadvertently posted to its website a database containing details on a portion of its membership. The details included each member's donation amount, address, telephone number, birthday and emergency contact information.

ONLINE PRIVACY

Glitch Overrides User Privacy Settings (February 12, 2013)

A privacy bug rendered some Flickr users’ privacy settings ineffective, causing their private images to become public, Digital Trends reports. In response, Flickr set all public photos to private and e-mailed affected members about the glitch. The exposed photos were not indexed by search engines, however.

SOCIAL NETWORKING

Self-Destructing App Grows; Software Mines Social Media (February 11, 2013)

The New York Times reports on the growing popularity of Snapchat, a service that allows users to send messages that self-destruct seconds after they’re viewed. According to the report, “Snapchat is being embraced as an antidote to a world where nearly every feeling, celebration and life moment is captured to be shared, logged, liked, commented on, stored, searched and sold.” Meanwhile, The Guardian reports on Riot—software capable of tracking individuals’ movements and predicting their behaviors by mining social media data. EPIC Attorney Ginger McCall said, “Users may be posting information that they believe will be viewed only by their friends, but instead, it is being viewed by government officials or pulled in by data collection services like the Riot search.” (Registration may be required to access this story.)

PRIVACY LAW—EU

EC Explains “Backstop” Powers (February 11, 2013)

The European Commission (EC) has claimed, “It would be ‘bad for businesses’ if (it) did not have ‘backstop’ powers to intervene whenever it felt that regulators across the EU were enforcing data protection laws inconsistently,” Out-Law.com reports. The EC has issued an explanatory note regarding the enforcement role it would have under the EU’s proposed data protection framework. The EC has “said that there is no way to ‘reconcile’ decisions made by the various data protection authorities based in the trading bloc under the existing regime and said that the role it would perform under the proposed new system would change that,” the report states.

MOBILE PRIVACY

“Godfather of Encryption” Introduces Smartphone Service (February 8, 2013)

The New York Times reports on the release of a new technology that provides encryption for smartphone users. Phil Zimmermann, “widely considered the godfather of encryption software,” has introduced Silent Circle, which allows users to make encrypted phone calls, send encrypted texts and conduct videoconferencing. Zimmermann’s company has planted its servers in Canada, known to have stronger privacy laws than the U.S. or the EU, the report states. The company has said it will not cooperate with law enforcement requests for data. (Registration may be required to access this story.)

DATA PROTECTION—EU

Experts Examine Proposed Cybersecurity Directive (February 8, 2013)

The European Commission (EC) has released a cybersecurity strategy "to ensure a high common level of network and information security (NIS) across the union," reports Harriet Pearson, CIPP/US, in Hogan Lovells' Chronicle of Data Protection. Announcing the strategy on Thursday, EC Vice-President Neelie Kroes noted, “We need to protect our networks and systems, and make them resilient…Cyber threats are not contained to national borders; nor should cybersecurity be.” The proposal includes requiring member states to develop national NIS strategies and data breach notification obligations. In Field Fisher Waterhouse’s Privacy and Information Law Blog, Partner Stewart Room, CIPP/E, examines the draft regulation and highlights “the core legal pillars for data and cybersecurity in the EU, now and coming.” Meanwhile, V3.co.uk reports “huge firms like Apple, Facebook, Google, Microsoft, Amazon and Twitter would have to report breaches publicly, which could cause major security and trust concerns among consumers.”

BIOMETRICS—GERMANY & IRELAND

Regulators Confirm Facial Recognition Data Deletion (February 8, 2013)

Irish and German data protection authorities have independently confirmed that Facebook has deleted facial recognition data it had collected on European users, CFOWorld reports. The social networking site said last September it would delete the facial recognition data of Europeans. Office of the Irish Data Protection Commissioner Spokeswoman Ciara O’Sullivan said, “We recently reviewed the source code and execution process used in the deletion process and can confirm that we were satisfied with the processes used by Facebook to delete the templates in line with its commitment.” A representative from the Hamburg Commissioner for Data Protection and Freedom of Information’s technical department also said a review of Facebook’s source code revealed the company did delete the data, but he could only speak about the German part of the case, the report states.

DATA PROTECTION—EU

EC Releases Proposed Cybersecurity Directive (February 7, 2013)

The European Commission has released a proposal for a directive “concerning measures to ensure a high common level of network and information security (NIS) across the union,” reports Harriet Pearson, CIPP/US, in Hogan Lovells’ Chronicle of Data Protection. The Proposed Cybersecurity Directive would require member states to develop a national NIS strategy; create a “national competent authority on the security of NIS”; create a “computer emergency response team”; create data breach notification obligations; implement a “cooperation network,” and create an NIS committee.

BIG DATA—EU

Albrecht Proposal Puts Big Data at Risk (February 7, 2013)

The ability of businesses to analyse large data sets is increasingly vital to economic growth the world over, writes Eduardo Ustaran, CIPP/E, for Field Fisher Waterhouse’s Privacy and Information Law Blog. In Rapporteur Jan Philipp Albrecht’s response to the European Commission’s proposed General Data Protection Regulation, Albrecht prohibits profiling, and defines it as “any form of automated processing….” Ustaran says this is such a broad definition, it would make most analysis and collection of data and large data sets illegal.

ONLINE PRIVACY—ITALY

Skype Will Enhance Accounts’ Closing Procedure (February 7, 2013)

In a note to the Italian Data Protection Authority (Garante), Skype has said it will improve users’ ability to close their accounts, Rocco Panetta of Panetta & Associati explains in an exclusive for The Privacy Advisor. The explanation came in response to a request for “explanations regarding the reasons why Italian users meet so many difficulties when deciding to close their account,” Panetta writes, detailing Skype’s explanation to the Garante.

PRIVACY LAW—POLAND

New Notification Law for Telecoms (February 7, 2013)

Amendments to Poland’s Data Protection Law mean new rules for telecoms on reporting data breaches. In The Privacy Advisor, Marcin Lewoszewski highlights key points in the law, noting, “It is the first step to improving the protection of data subjects in case of breaches that have been occurring quite often in recent years. In the future, the rules should be applied to other sectors, not only to telecommunications.” The rules are expected to come into force by 22 March.

DATA PROTECTION—UK

Commissioners: Draft Proposal Should Be Scrapped (February 7, 2013)

Wired reports that former and current UK information commissioners say proposed changes to the European Data Protection Directive would have a negative effect on commerce and have called for the draft to be discarded. Current Information Commissioner Christopher Graham said the proposed regulation would harm the average business more than it would those who are “truly taking advantage of personal data.” Former Commissioner Richard Thomas said the entire draft “should be taken back to the drawing board.” U.S. lobbyists have also been pushing for significant changes to the draft. Meanwhile, a survey has found 68 percent of Internet users “would select a Do-Not-Track feature if it was easily available when using a search engine.” Editor’s Note: Commissioner Graham will be a speaker in the breakout session A Side-by-Side Comparison of EU-U.S. Data Transfer Options at this year’s IAPP Global Privacy Summit in Washington, DC.

ONLINE PRIVACY—EU & U.S.

Do Privacy Regulations Harm the Internet? (February 7, 2013)

The European Union has proposed several new regulations directed at giving Internet users control of their online footprint, including the ability to completely delete digital records, The Wall Street Journal reports. In the U.S., President Barack Obama’s “Privacy Bill of Rights” includes the default setting of Do Not Track in web browsers. Many argue that these kinds of regulations could harm advertising revenue, which is what largely funds free content. “Do Not Track is a detrimental policy that undermines the economic foundation of the Internet,” says Daniel Castro, a senior analyst with the Information Technology & Innovation Foundation. (Registration may be required to access this story.)

ONLINE PRIVACY

Firm Using Privacy As Competitive Advantage (February 7, 2013)

The competitive battlefield over privacy is heating up as Microsoft unveils a new print, television and online advertising campaign against Google’s privacy practices, The New York Times reports. The advertisements will reportedly reveal research showing consumers are unaware of e-mail monitoring practices for personalized advertising and their disapproval once they find out. A Microsoft representative said, “There’s a lot of fear out there. We can bring these issues to light without fear.” Google said in a statement, “We work hard to make sure that ads are safe, unobtrusive and relevant,” adding, “No humans read your e-mail…in order to show you advertisements or related information.” (Registration may be required to access this story.)

DATA LOSS—UK & U.S.

Warning Preceded Breach; How To Prevent Others (February 7, 2013)

The recent breach at the U.S. Department of Energy came weeks after two reports from the department’s inspector general which detected vulnerabilities, FCW reports. The inspector general wrote the department “had not developed and deployed an effective and/or efficient enterprise-wide cybersecurity incident management program” and had not always “appropriately reported successful incidents such as infection by malicious code and potential disclosure of personally identifiable information.” Meanwhile, Public Service reports on ways UK organizations can defend against breaches as the number reported steadily climbs, and Mathew Schwartz opines in InformationWeek that the U.S. Congress must overhaul existing privacy and computer-abuse laws.

SOCIAL NETWORKING

Facebook To Join Ranks, Employ AdChoices Icon (February 6, 2013)
Following pressure from ad agencies and advertisers, Facebook has agreed to start displaying the “AdChoices” icon on its FBX display ads. The symbol will appear only when users move their mouse over an “x” displayed over the ads, however. The move will likely appease advertisers who choose not to invest in behavioral targeting campaigns without the icon, Ad Age reports, but whether the move satisfies the Digital Advertising Alliance is yet to be seen. Genie Barton of the Online Interest-Based Advertising Accountability Program, who worked with Facebook to come to the icon agreement, says if a business feels this solution isn’t sufficient, “they only have to let me know.”

MOBILE PRIVACY

App Vetting Service Alerts Users of Privacy Issues (February 6, 2013)

BlackBerry has rolled out a new privacy notification service to warn app developers and users when an app may collect more data than it states, USA Today reports. Any apps approved for distribution in the BlackBerry World online store are vetted for privacy and security issues. The company’s privacy notices “are for applications that do not appear to have malicious objectives or aim to mislead customers but rather don't clearly or adequately inform users about how the app is accessing and possibly managing customers' data,” the BlackBerry website states. Lockheed Martin Director of Cybersecurity Steve Adegbite said the new service “gives power back to the user to protect important information.” A BlackBerry representative said, “We believe this is the way forward for the entire mobile ecosystem.”

DATA PROTECTION—UK

ICO: Compulsory Data Protection Audits Needed (February 6, 2013)

BBC News reports on comments made by UK Information Commissioner Christopher Graham promoting the need for compulsory data protection audits of public agencies. Compulsory audits would help local councils and the NHS mitigate incidents of sensitive personal data “being sent to the wrong fax machine or dropped in the street or left on an unencrypted memory stick.” The Information Commissioner’s Office currently has power to audit central government agencies and can only audit local departments after acquiring consent. “Until local government gets the message,” Graham said, “local council taxpayers will continue to be hit by civil monetary penalties for really basic, stupid errors.”

DATA LOSS—FRANCE & U.S.

Breaches Affect Gov’t Agencies, Hospital, Bakery (February 6, 2013)

Two U.S. government agencies, several French hospitals and a bagel café have experienced data breaches. The U.S. Department of Energy reports unidentified malicious hackers have breached 14 of its servers and 20 of its workstations, accessing personal information on several hundred employees, InfoWorld reports. The U.S. Department of Health and Human Services’ Office for Civil Rights has reported a data breach at Westerville Dental Center in Ohio, and a journalist has uncovered personal health documents from various health clinics and hospitals in France retrievable through a Google search query. Meanwhile, a café with multiple locations in New Hampshire is working with federal investigators after customers’ credit and debit card information was allegedly hacked.

PRIVACY LAW—EU & U.S.

Advocates Request Meeting With Officials (February 5, 2013)

More than a dozen privacy groups have requested a meeting with top-ranking U.S. officials in an effort to push back against the reported lobbying by U.S. industries during the EU’s update to its privacy framework, The Hill reports. The groups state that many of the EU’s proposals are similar to proposals recommended in the Obama administration’s Privacy Bill of Rights. In a letter, the groups wrote that during meetings in Brussels, European Parliament members and staff “reported that both the U.S. government and U.S. industry are mounting an unprecedented lobbying campaign to limit the protections that European law would provide.” They added, “We expect leadership from those who represent the United States overseas, and we expect that the views of American consumers and privacy advocates, not simply business leaders, will be conveyed to your counterparts.”

PRIVACY LAW—EU & U.S.

Continental Privacy Divide May Be Widening (February 4, 2013)
The New York Times reports on what may be a widening “data-control divide” between the EU and the U.S. “The sum of the parts of U.S. privacy protection is equal to or greater than the single whole of Europe,” said the U.S. Commerce Department’s Cameron Kerry. European Data Protection Supervisor Peter Hustinx said, “Yes, we share the basic idea of privacy. But there is a huge deficit on the U.S. side.” In a Q&A, European Commission Vice President Viviane Reding said the White House’s Privacy Bill of Rights “shows that we have much in common. Convergence is springing up and synergies are possible.” And a Times op-ed supports “federal legislation backed by regulatory enforcement” in the U.S. Meanwhile, a group of U.S.-based advocacy groups has written to top U.S. politicians seeking assurances that U.S. policymakers in Europe will “advance the aim of privacy,” and Financial Times reports that Article 29 Working Party Chair Jacob Kohnstamm said that EU lawmakers are “fed up” with lobbying efforts from U.S. tech firms. (Registration may be required to access this story.)

DATA THEFT

Hackers Compromise 250,000 Twitter Accounts (February 4, 2013)

Twitter has said nearly 250,000 user accounts may have been breached in what it called a “sophisticated attack,” The New York Times reports. In a blog post, the company said it detected out-of-the-ordinary access patterns and that user data—including user names, e-mail addresses and encrypted passwords—may have been compromised. Twitter Director of Information Security Bob Lord said, “This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked.” Both the Times and The Wall Street Journal announced last week that hackers infiltrated their internal networks. (Registration may be required to access this story.)