European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA PROTECTION

A Look at Acxiom’s Privacy Team (April 30, 2013)

With growing consumer awareness and regulatory scrutiny of so-called “data brokers,” companies such as Acxiom rely heavily on their privacy teams for company-wide success. In this exclusive, Acxiom Chief Privacy Officer Jennifer Barrett Glasgow, CIPP/US, tells The Privacy Advisor about the work she and her team of “privacy consultants” perform within the company and the role they play in shaping and launching Acxiom’s new products and services.

ONLINE PRIVACY

Data Cache Delivers Predictive Analytics (April 30, 2013)

CNN reports on Google’s predictive search feature, Google Now, which uses the cache of data Google stores on individual users to target them with the information it deems most relevant to their needs at any given moment. The feature was rolled out for iPhones and iPads this week and is based on users’ search histories, location information and Gmail confirmations for flights, hotel bookings or restaurants, for example. “We’re providing answers before you’ve even asked the question,” said Google’s director of product development.

DATA THEFT

50 Million Passwords Hacked (April 29, 2013)

Cyberthieves have breached LivingSocial, accessing the passwords of more than 50 million users, PC Magazine reports. It is not yet known how the attackers breached the systems, but the passwords were salted and hashed, the report states. With the passwords, the hackers potentially had access to user names, e-mail addresses and birthdays; credit card and other financial data were not affected. LivingSocial CEO Tim O’Shaughnessy said the company is “redoubling efforts to prevent any issues in the future.”

PRIVACY THINKING

Will Privacy Keep Companies From Striking Big Oil? (April 29, 2013)

In previewing his talk at the IAPP Europe Data Protection Intensive, Big Data thinker Andreas Weigend equated Big Data with Big Oil. There is, of course, a key difference: “We’re not going to run out of data anytime soon,” Weigend told the crowd in London. “It’s maybe the only resource that grows exponentially…Maybe every 1.5 years we’re seeing data double, and much of that data is social data, data about ourselves.” In order for the economy to capitalize on that abundant resource, he said, personally identifying data is going to need to flow freely. Are we in danger of stoppering up the gushers?

PRIVACY LAW—EU

Coalition: Revised Law Would Undermine Privacy (April 26, 2013)

A coalition of international civil liberties groups is contending that proposed changes to the EU’s data protection regulation “would strip citizens of their privacy rights,” IDG News Service reports. The move to create one regulation to replace the existing data protection laws in the EU’s 27 member states “obviously requires compromise, but many parliamentarians report never seeing lobbying on such a scale before,” the report states, noting the civil liberties coalition, which includes such groups as EDRI and Privacy International, has set up a website “to help concerned citizens contact their representatives in the Parliament.” Editor’s Note: At the recent IAPP Europe Data Protection Intensive, industry representatives and privacy experts weighed in on the implications of the proposed EU data protection regulation.

FINANCIAL PRIVACY—GERMANY

Credit Profile Firms Draw Ire from Data Chief (April 25, 2013)

EUObserver reports on companies that specialise in credit profiling and “geoscoring” and how the rise in such companies has drawn concern from German Federal Data Protection Commissioner Peter Schaar, who has said the exact number of such companies “is not known.” One firm, Schufa, holds data on 65 million German citizens. The company pools data from banks on credit cards, mortgages and loans and combines the data with bill payment histories, traffic tickets and bankruptcy procedures to determine creditworthiness. Schaar said “geoscoring” has been illegal since 2011, “But there is a way around this,” he said. “If these firms add the age and the name to their calculations, then geoscoring is allowed.” Schaar is now asking for new legislation to close the loophole.

DATA LOSS—UK

Police Acknowledge Sending PI to Contractor (April 25, 2013)

During negotiations, Cambridgeshire, Bedfordshire and Hertfordshire police accidentally sent private information concerning 1,000 staff members to contractor G4S, Cambridge News reports. Each department notified the Information Commissioner’s Office and informed and apologised to affected staff members, claiming G4S has “responded extremely promptly and professionally,” deleting all private information from its hard drives. Still, Cambridge MP Julian Huppert expressed concern. “This is a very worrying issue and serves to highlight, once again, the danger of storing personal and confidential data,” Huppert said. “A simple mistake can lead to serious consequences.”

BIOMETRICS—EU

MEPs To Gain Access to Eurodac for Fingerprint Data (April 25, 2013)

Malta Today is reporting that a deal between the European Parliament and European Council will allow EU member states’ police and Europol to access Eurodac’s database of asylum seekers’ fingerprints in an effort to combat terrorism and serious crime. In addition to ensuring that the proper safeguards are in place for applicants’ information, MEPs also said access by police would only be allowed if “there is an overriding public security concern.” The deal has been endorsed by the Civil Liberties Committee.

SURVEILLANCE—GERMANY

Interior Minister Calls for More Public Cameras (April 25, 2013)

In light of the recent Boston Marathon terrorist attacks in the U.S., Interior Minister Hans-Peter Friedrich has called for more publicly placed security cameras, Deutsche Welle reports. Federal Constitutional Court President Andreas Vosskuhle urged caution and said that “prudence should return” once reactions to the Boston events calm down, the report states.

PRIVACY LAW

Privacy Officers Discuss the Path from Policy to Practice (April 25, 2013)

The EU’s proposed data protection regulation and the numerous amendments that have been proposed mean significant questions, as was highlighted during the IAPP Europe Data Protection Intensive breakout session, “Paving the Way from Policy to Practice.” Moderated by LexisNexis Privacy and Data Protection Senior Director Emma Butler, the session featured privacy officers from Procter & Gamble, Siemens and Facebook outlining how they see the looming regulation affecting their operations and what they’re doing to prepare. This exclusive for The Privacy Advisor highlights their perspectives on “reading the tea leaves” of the thousands of pages of amendments still to be decided. Also at the intensive, Stephen Deadman, group privacy officer and head of legal for privacy, security and content standards at Vodafone Group, suggested that if privacy regulators and consumers want transparency and accountability from corporations, companies need more than a stick: They need a carrot, too.

DATA PROTECTION—EU

Former ICO Wants Rewrite of Chapter IV (April 25, 2013)

Noting the prescriptive and inflexible nature of the EU’s draft data protection regulation, former UK Information Commissioner Richard Thomas used his keynote address here at the IAPP Data Protection Intensive in London on Thursday to outline an alternative framework that would focus more simplistically on outcomes, provide incentives for regulatory requirements and allow for as much self-enforcement as possible.

TRAVELERS’ PRIVACY—EU

Committee Votes Down PNR Bill (April 25, 2013)

The EU Parliament’s Civil Liberties Committee on Wednesday voted against plans for sharing airline passenger data among EU nations, PCWorld reports. The plans call for a passenger name registry, similar to a current agreement with the U.S., that would share the names, contact details and payment data of passengers. Dutch MEPs Sophie In’t Veld and Jan Philipp Albrecht welcomed the vote, the report states, noting that citizen rights and the rule of law had been considered first. UK MEP Timothy Kirkhope said the vote was “irresponsible” and accused other MEPs of putting “ideological dogma before a practical and sensible measure that would have seriously assisted our fight against crime and terror.” BBC News provides video of the Parliamentary debate.

DATA PROTECTION—GERMANY

Privacy Regulators Criticize Companies’ Tactics (April 25, 2013)

Bloomberg reports on criticism levied by German data protection regulators on Google and Facebook in light of investigations into the companies’ privacy practices. Regulators said the companies have used “delay tactics” and have exercised “impertinent” behavior during the probes, the report states. Federal Data Protection Commissioner Peter Schaar said “Google will keep making attempts to delay investigations through continuous correspondence and always freshly repackaging arguments.” Google was fined by Hamburg’s data protection commissioner earlier this week. A German appeals court has also rejected an attempt by Schleswig-Holstein Data Protection Commissioner Thilo Weichert to require Facebook to allow users to register under pseudonyms. Facebook said, “We’re seeking to have a constructive dialogue with all groups, also with our greatest critics.”

PRIVACY LAW—EU & UK

Smith: Proposal Over-Legislates, Won’t See Agreement Until 2014 (April 25, 2013)

Deputy Information Commissioner David Smith told InfoSec conference attendees this week that he expects a clear picture of the impending EU data protection legislation in early 2014, Computer Weekly reports, adding, he believes there will be some change to the current proposal but nothing significant. In Smith’s opinion, the European Commission’s proposal over-legislates and takes a “tick box” approach, making it unworkable for the UK. "The problem is because we're going for harmonization, all those measures are spelled out in detail, listing all the types of documentation you can keep…We're more bothered about assessing the risk and the outcomes than box-ticking; it's about privacy—it's not about having the right paperwork."

PRIVACY LAW—EU

Hustinx Outlines Road Ahead for Regulation (April 24, 2013)

As the opening speaker at the IAPP Europe Data Protection Intensive in London, European Data Protection Supervisor Peter Hustinx laid out his predictions for what the much-anticipated EU privacy regulation would finally look like when adopted. Confident that it would meet deadline and be in place by the spring of 2014, Hustinx said, “my impression is that there is a basic consensus that the current architecture of the regulation is the right one…Now the focus is on getting it right, and the key word there is balance.”

DATA PROTECTION

Where Is the Regulation of Transborder Data Flows Headed? (April 24, 2013)

“Anyone working in privacy and data protection law is familiar with the restrictions on transferring data outside the European Union (EU) contained in the EU Data Protection Directive,” writes Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner in the latest installment of Privacy Perspectives. “But did you know that non-EU countries as diverse as Israel, Mexico, Russia and South Korea have similar restrictions? And that since the 1970s, over 70 countries all over the world have enacted data protection and privacy laws regulating transborder data flows?” Kuner delves into this complex topic and lays out some of his conclusions of where things are headed.

PRIVACY LAW—EU

Diverging Opinions Create Challenges for EC (April 24, 2013)

The European Commission (EC) data protection proposal aims to create a coherent set of rules that would apply to all EU member states, but conflicting ideas about how to protect citizens’ privacy have created obstacles, reports Financial Times. The European Parliament is pushing for stronger protections; the EC would like to soften the proposal to lighten the regulatory burden on businesses, and industry is lobbying to water down the proposal entirely. While Ireland, the current seat of the EU presidency, would like an agreement by the end of the year, the report states that conflicting ideas suggest “it will take time and much debate before a compromise is found.” (Registration may be required to access this story.)

CLOUD COMPUTING—EU & U.S.

ITA Says Safe Harbor Covers Cloud Technology (April 23, 2013)

The U.S. Department of Commerce’s International Trade Administration (ITA) has published a report saying that U.S. companies’ compliance with Safe Harbor principles guarantees sufficient data protection, regardless of whether outsourcing contracts involve cloud computing, Out-Law.com reports. The ITA says because Safe Harbor is binding on all countries in the European Economic Area, EU data protection authorities cannot "unilaterally refuse to recognize Safe Harbor certification as a valid means of demonstrating that a service provider ensures an adequate level of data protection," contrary to an Article 29 Working Party opinion released last year. One expert suggests the ITA has “not recognized some regulatory burdens facing some clients of U.S. cloud providers.”

ONLINE PRIVACY—EU & UK

Opinion: Right To Be Forgotten Not Likely “To Live Up to the Hype” (April 23, 2013)

In a blog for The Guardian, data protection analyst Sally Annereau suggests the proposal for a right to be forgotten, which she describes as “a legal right to do a digital disappearing act” will probably not “live up to the hype.” Annereau writes, “In particular, there are genuine concerns that this legal right will fail to deliver on the expectations it creates and will present significant challenges for businesses that have to comply. Rather than a right to be forgotten, we may end up with nothing more than a right to be frustrated.” Editor’s Note: Privacy Perspectives recently discussed the idea of a “right to be forgiven.”

CYBERSECURITY

Data Breach Studies Highlight Risks (April 23, 2013)

IDG News Service reports that Verizon will soon publish its 2013 Data Breach Investigations Report, which compiled information from over 47,000 security incidents and 621 confirmed data breaches. The study explored financially motivated criminal attacks as well as cyber espionage. Analysts noted that in “four out of five breaches, the attackers stole valid credentials to maintain a presence on the victim’s network” and that mobile devices and cloud technologies were not major targets. Meanwhile, the British Department for Business, Innovation and Skills says small- and medium-sized businesses (SMBs) are increasingly the targets of cybersecurity attacks, and it will extend its Innovation Vouchers scheme to SMBs, allowing them to apply for funding to invest in cybersecurity.

PRIVACY LAW—EU & U.S.

FTC’s Brill Looks To Smooth EU-U.S. Privacy “Rift” (April 22, 2013)

The Wall Street Journal reports on comments made in Brussels by FTC Commissioner Julie Brill. “I don’t want to say there’s confusion about the U.S. privacy regime,” Brill told reporters, “but there does seem to be a lack of understanding about how robust it is and how much enforcement work we actually do and how strong the laws are that we do have in sensitive areas.” Brill noted, “Last year we issued what I call our big privacy rethink…Many of the principles we talked about are actually reflected in the proposed EU regulation.” Facebook Chief Operating Officer Sheryl Sandberg said, “I believe there is a perception and fear that because we are American we don’t take privacy as seriously as Europeans do…If there is a single American who cares as much about privacy—just one—as someone in Germany, then we have to understand it.” (Registration may be required to access this story.)

DATA PROTECTION—EU & U.S.

Is There an EU-U.S. Privacy Gap? Maybe Not a Big One (April 22, 2013)

“Privacy has always been a difficult concept to define, and privacy issues are complex,” writes IAPP President and CEO J. Trevor Hughes, CIPP/US, for the IAPP blog Privacy Perspectives. In Europe, privacy is a human right, while in the U.S. privacy tends to be thought of in terms of liberty. Are there more similarities than differences when it comes to privacy on each side of the Atlantic? Europeans and Americans might have more in common than you’d think.

CLOUD COMPUTING

Clarifying Privacy in the Cloud (April 22, 2013)

The “cloud” is maybe the most buzzed-about Internet sensation of the past five years, but how does working in the cloud change your privacy thinking? Maybe not as much as you think, John Wunderlich, CIPP/C, head of privacy consultancy Wunderlich & Associates told The Privacy Advisor. “What’s old is new again…you’re outsourcing to a provider who has expertise that you don’t have.”

PRIVACY LAW—EU

Vote on Regs Delayed Until Late May (April 19, 2013)

A final vote on the EU data protection proposal was scheduled to take place Wednesday, but the Civil Liberties, Justice and Home Affairs Committee (LIBE) has postponed it until May 29-30, Marketing Magazine reports. Industry is lobbying heavily against the proposal, which they say will stifle business and innovation in member states. John Pooley, of specialist agency the Data Partnership, says the proposed changes “will render both targeting and analytics and almost anyone currently engaged in digital marketing to have to review their current practices.” The delay is being attributed to an effort to concentrate on the fallout over the banking crisis in Cyprus, the report states.

FINANCIAL PRIVACY—AUSTRIA & EU

Minister: Bank Info Sharing Raises Privacy Concerns (April 18, 2013)

Dow Jones Business News reports there is a push among many EU member states to enable easier and automatic sharing of bank information. Countries, including the UK, Germany and France, want to make hiding money in tax havens far more difficult as they struggle through the worldwide recession and maximize government ability to track terrorists. However, Austrian Finance Minister Maria Fekter expressed concern about privacy, saying that it “is a fundamental right in the EU,” and automatic exchange of bank information “involves the state snooping around very deep in people’s private information.”

EMPLOYEE PRIVACY—FRANCE

CNIL Adopts Workplace Privacy Protections (April 18, 2013)

French data protection authority, the CNIL, has adopted and released binding guidelines concerning privacy protection at work, reports Lexology. While employers may monitor employee Internet access, e-mails and files, they must declare this to the CNIL and inform their employees. They may not use “keyloggers” tracking all activity, or access any e-mail labeled private or personal unless in the presence of the employee. The CNIL recommends that “employers set up policies in their companies to notify their employees of every rule or monitoring procedure in place.”

INFORMATION ACCESS—FRANCE

Ministers Publicly Disclose Their Assets (April 18, 2013)

French President Francois Hollande ordered his administration to disclose their assets in response to public discontent over a former budget minister’s admission to concealing assets overseas, The Wall Street Journal reports. According to the declarations, the wealthiest ministers possessed assets of nearly 6 million euro. “What was…surprising was that the information itself was made public in France,” the report states. (Registration may be required to access this story.)

ONLINE PRIVACY

The Intersection of Privacy and Hate Speech (April 18, 2013)

With recent tragedies in Boston and overseas, Future of Privacy Forum Founder and Co-Chair Christopher Wolf asks, “What motivates people to burn with hate to such a degree that they take innocent lives?” In this latest installment of the IAPP’s Privacy Perspectives blog, Wolf, who also serves on the board of the Anti-Defamation League, explores the intersection of online privacy and hate speech and whether privacy should sometimes “take a backseat” in order to curtail hate speech.

ONLINE PRIVACY—EU

If Google Cares About Cookie Consent, So Should You (April 17, 2013)

In light of news that Google has posted language about its cookie use on websites in the EU, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, writes, “This development alone would be significant. But taken together with Facebook’s recent announcement it will deploy the AdChoices icon…the implications become huge” for several reasons.

SURVEILLANCE—UK

Group Challenges Gov’t Over Spyware Investigation (April 17, 2013)

Human rights group Privacy International has announced it is challenging the British government for unlawful conduct during an investigation into the export of surveillance tool FinFisher. The tool is designed to monitor communications and collect hard drive data and is capable of conducting live surveillance via webcams. Privacy International says Her Majesty’s Revenue and Customs (HMRC) illegally declined to provide information related to its investigation of the technology’s shipment to countries with “poor human rights records.” The group has filed a judicial review application at the High Court in London. If the legal action is successful, “it could set a precedent for other cases in the UK,” Slate reports.

MOBILE PRIVACY

Google Releases Glass App Developer Guidelines (April 17, 2013)

The New York Times reports that Google has released “extensive” guidelines for software developers aiming to build apps for the company’s wearable, Internet-connected glasses. According to the report, the guidelines are “much more restrictive” about Google Glass than has been the case with other products because of perceived consumer privacy concerns. Developers cannot sell ads, collect user data or share data with ad companies. A Forrester analyst said, “What we find is the more intimate the device, the more intrusive consumers perceive advertising is.” Google said to developers, “Be honest about the intention of your application, what you will do on the user’s behalf and get their explicit permission before you do it.” (Registration may be required to access this story.)

PRIVACY COMMUNITY

A Tragedy We Can’t Ignore (April 16, 2013)

While there are privacy issues inherent in any national tragedy, this installment in the IAPP’s Privacy Perspectives is not about privacy per se, but about the recent tragedy marring the historic running of the Boston Marathon, how this event hit close to home here at the IAPP and our shared sadness for all those whose lives have been forever changed by this act of violence.

DATA LOSS

93 Percent Knowingly Breach Company Data Policies (April 16, 2013)

A recent breach affecting St. Louis-based Schnucks supermarket chain was exacerbated by the company’s inability to detect the source, COMPUTERWORLD reports. As a result, the number of credit and debit cards exposed continued to grow, capping at about 2.4 million. The company has hired a third party to investigate. Meanwhile, Global Payments, Inc., says it is closing its investigation of a March 2012 breach that exposed 1.5 million debit and credit cards. The breach cost the company $92.7 million in expenses. And Financial Times reports on a recent survey of 165,000 employees indicating nine out of 10 knowingly breach employers’ data policies.

BEHAVIORAL TARGETING

Product Stops Third-Party Tracking (April 16, 2013)

The New York Times reports on a California start-up’s product allowing individuals to view which companies are tracking them online. The browser extension, Disconnect, aims to help users safeguard browsing history. First-party trackers are still permitted to follow a user, but the data won’t be shared with third-party websites, and ads won’t be served based on such data. “We are stopping that flow of data as you bounce around the web,” said the company’s co-founder. “Third-party retargeters are not going to have information about you.” The filters are distinct from Do-Not-Track signals. (Registration may be required to access this story.)

ONLINE PRIVACY—EU & U.S.

The Challenges of Geography-Based Regulations (April 16, 2013)

San Francisco Chronicle explores the challenges that come with geographically differing regulations for online privacy. California, for example, has more defined privacy laws than other U.S. states, but non-California-based Internet companies accessed by California residents are still required to follow California law. Developer Jonathan Nelson says, "The thought of an 'international boundary' when it comes to data is really silly to me," adding, "It's archaic." But the EU is also considering regulations that say any online business used by EU citizens is subject to EU privacy laws. Parker Higgins of the Electronic Frontier Foundation adds, "The best approach isn't necessarily legislating every situation" but "giving consumers the information they need to make choices for themselves." (Registration may be required to access this story.)

MOBILE PRIVACY

Tech Firms Unveil Ad-Blocking Tools (April 15, 2013)

Two tech companies have started offering ad-blocking tools for mobile users, AdAge reports. Evidon is delivering the Ad Choices icon and the opt-out system for users, while TRUSTe has upgraded its real-time bidding system so that advertisers know prior to bidding that the user cannot be targeted for behavioral data, the report states. The moves come before the Digital Advertising Alliance (DAA) has published any mobile guidelines. DAA Counsel Stu Ingis said those guidelines could come “this spring—a few weeks to a couple of months.” TRUSTe’s Kevin Trilli said, “That is why we didn’t wait, and why we just started to build.”

PRIVACY

Getting More Privacy Pros Into HR (April 15, 2013)

In a recent column in The Globe and Mail, an employee poses a question to human resource experts about her company’s changing internal policy on criminal background checks and her discomfort with those changes. This IAPP Privacy Perspectives blog post explores how a privacy pro or department could both assuage employee concerns and help roll out difficult, but often necessary, company policies.

DATA LOSS—UK

Device Losses Lead to Inquiry (April 15, 2013)

The Information Commissioner’s Office (ICO) is looking into the BBC’s recently reported loss of 785 devices, reports V3.co.uk. An ICO spokesperson said the office had not been informed of the incident, but it will “be making further enquiries into the loss of this equipment to find out the full details.” A freedom of information request revealed 399 laptops, 347 mobiles and 39 tablets lost or stolen at the BBC, which the report states is “probably low” for an organization of its size. The BBC told V3 that it has no official figures on how many devices have been issued to staff.

ONLINE PRIVACY

The Right To Be Remembered? (April 12, 2013)

Google announced yesterday on its Public Policy Blog a new service it’s calling Inactive Account Manager. What it essentially allows is for customers to designate “trusted contacts” to receive their Google data in the event of their death or inability to access their Google products. It also, however, allows users to decide to have their information deleted automatically following a specified period—three, six, nine or 12 months—of inactivity. Kashmir Hill notes in Forbes that some have already taken to calling the service “Google Death Manager” and wonders how you’ll use it.

BIG DATA—EU

EU Council Committee Approves Open Data Plan (April 11, 2013)

The Telegraph reports that in an effort to inject money into the Eurozone, the European Council’s so-called “Coreper” committee has backed the European Commission’s open data initiative plan, which would provide geographical and statistical data across Europe. Vice-President of the European Commission Neelie Kroes says “opening up public data means opening up business opportunities, creating jobs and building communities.” However, Big Brother Watch warns that making such data widely available raises privacy concerns including the threat of re-identification.

PRIVACY LAW—EU

Purpose Limitation Principle Among WP’s Most Significant (April 11, 2013)

The Article 29 Working Party (WP) has adopted “one of the most significant opinions published recently,” according to the Hunton & Williams Privacy and Information Security Law Blog. The opinion explains the purpose limitation principle in the EU Data Protection Directive, clarifying its scope, definitions and application to Big Data, and also makes recommendations for improvement. The WP has found that “vague purpose statements” will “usually not suffice,” and compatible use will require a case-by-case analysis based on four key factors, the report states. The purpose limitation principle indicates "free, specific, informed and unambiguous 'opt-in' consent" is almost always necessary when organisations want to use previously collected personal data in Big Data projects, Out-Law.com reports.

HEALTHCARE PRIVACY—UK

ICO Says DPA Enables Data Sharing (April 11, 2013)

At the recent Westminster Health Forum, Dawn Monaghan, a manager for the Information Commissioner’s Office, said the Data Protection Act (DPA) of 1998 “is not a barrier; it is an enabler” when it comes to sharing information within the National Health Service (NHS). According to computing.co.uk, Monaghan disputed reports of fines leveraged on organisations for data sharing, saying, “There haven’t been any cases where two organisations have shared data and breached the DPA.” She went on to stress the importance of sharing information within the NHS, noting, “Not sharing information can often mean people are unprotected.”

BIG DATA—IRELAND

Minister Calls for Data Protection Standards (April 11, 2013)

At a conference on Big Data, Minister for Justice Alan Shatter discussed the need for “a coherent and practical set of data protection rules at national and European Union levels,” reports Irish Times. Shatter emphasised it as a top priority of the government and highlighted the importance of regulations keeping pace with business and technological advances. He also discussed plans to use Big Data tools to “open up the wealth of treasures” in the RTÉ Archives. Brid Dooley, head of the archives, called this a means to “provide a much richer discovery” of “historically important material.”

DATA PROTECTION—UK

Council Agrees to Increased Data Protection Security (April 11, 2013)

The East Riding of Yorkshire Council has agreed to improve its data security practices after two separate privacy breaches in 2012. Public Service reports that in both breaches, personal data was accidentally given out by a council employee. The Information Commissioner's Office confirmed the agreement, adding that the breaches, which occurred in April and May of 2012, could be attributed to a “general lack of data protection awareness and training.”

EMPLOYEE PRIVACY—UK

Firm’s Policy Helps Companies Comply with Vehicle Tracking Laws (April 11, 2013)

Aaron & Partners LLP recently announced a new policy aimed at educating employers about the legal implications of tracking company vehicles and the necessity of informing employees of such policies. “Without a proper vehicle tracking policy in place, arguably employers could be in breach of data protection and privacy laws if they seek to use any data or information gathered from the tracking system,” says Catherine Kerr, one of the policy’s developers. The Information Commissioner’s Office recently reported a rise in complaints from employees about employers tracking their movements.

ONLINE PRIVACY

Mozilla Readies Cookie Blocker, Announces “Nuanced” DNT (April 11, 2013)

In a preview version of its Firefox 22 web browser, Mozilla has included an automatic third-party cookie blocker, putting the company “on a collision course with the online ad industry,” COMPUTERWORLD reports. Some trade groups say the new feature, called Aurora, is “dangerous and highly disturbing” and warn that users will experience more ads as a result. Stanford University graduate student Jonathan Mayer, creator of the code, tweeted, “The new Firefox cookie policy has migrated to Aurora!” Firefox 22 is expected to be fully released in late June. Meanwhile, Firefox has announced its “more nuanced approach” to implementing its Do-Not-Track setting and efforts to provide additional user choice.

ONLINE PRIVACY

Privacy Focus Remains in Microsoft’s Ad Campaign (April 11, 2013)

The third phase of Microsoft’s marketing campaign targeting Google’s privacy practices suggests Google is “more interested in increasing profits and power than protecting people’s privacy and providing unbiased search results,” The Boston Globe reports. The story suggests the ads, which one observer calls typical of an industry underdog, “say as much about the dramatic shift in the technology industry’s competitive landscape as they do about the animosity between the two rivals.” The new "Scroogled" ads, which began this week, criticize Google for sharing personal information gathered about purchasers of apps “designed to run on smartphones and tablet computers powered by Google’s Android software,” the report states.

BEHAVIORAL TARGETING

EBay To Open Data to Marketers (April 10, 2013)

EBay will now allow advertisers to target consumers based on what they have bought, similar to Amazon. The company has used such data to promote products to users, but it will now commercialize “that capability for the benefit of other marketers who want to reach shoppers,” said an eBay spokesman. “That’s something new this year.” But AdWeek reports eBay knows it risks alarming consumers and has protections in place so advertisers don't have direct access to personal information. Customers rightly “expect eBay not to tell anybody else who they are,” said a company spokesman.

MOBILE PRIVACY

Studies Say Mobile Apps View Too Much Data (April 10, 2013)

France’s data protection authority, the CNIL, says mobile phone apps are accessing and processing an unnecessary amount of private data, PCWorld reports. The CNIL studied 189 apps on six smartphones. The aim was to analyze the nature of the apps, not to put blame on app developers, CNIL President Isabelle Falque-Pierrotin said. Meanwhile, security researchers at a Romanian-based firm are warning that mobile apps are becoming increasingly intrusive. Nearly 13 percent of apps disclose user phone numbers without the user’s consent.

DATA PROTECTION

Exploring High-Level Talks and Risks for Privacy Officers (April 10, 2013)

In this recent IAPP Privacy Perspectives blog post, Profs. Deirdre Mulligan and Kenneth Bamberger discuss their research in which they interviewed hundreds of leading privacy officers, regulators and privacy pros. They explore “a caution raised by privacy officers in both the public and private sector regarding particular risks created by attempts to ensure that privacy is part of high-level deliberations within a corporation—risks that must be managed in developing policy.” Editor’s Note: Bamberger will be a speaker at the breakout session Debunking Myths of European and U.S. Privacy: New Data on Corporate Privacy Management at the IAPP Data Protection Intensive in London, UK.

PRIVACY—EU

Europe Launches Controversial Crime-Fighting Database (April 9, 2013)

Deutsche Welle reports on the launch of Schengen Information System II (SIS II), after substantial delays. SIS II is a centralized database that aims to help security officials exchange information more quickly and efficiently within the Schengen zone, where people can move freely. “It’s important for member states to exchange data among one another more closely and join forces in fighting crime—as a counterbalance to the absence of border controls,” said a spokesman for Germany’s Federal Ministry of the Interior. But privacy authorities including Germany’s Federal Commissioner for Data Protection and Freedom of Information Peter Schaar have taken issue with the centralization of such data, and have called for uniform standards across Europe on how the data can be used and who has access.

ONLINE PRIVACY—UK

Could Right To Be Forgotten Have Helped Embattled Official? (April 9, 2013)

BBC News reports on recently unearthed and damaging tweets by the UK’s first Youth Police and Crime Commissioner, Paris Brown, from when she was aged between 14 and 16. The 17-year-old has since deleted her Twitter page, but the article queries whether the European Commission’s proposed “right to be forgotten” could have helped Brown avoid such an incident. Brown said of her past tweets, “I don't think they should shape my future and my career and how I'm going to represent young people.” Yet, the report also states that the UK Ministry of Justice does not support this “right,” as it “raises unrealistic and unfair expectations.” Justice Secretary Chris Grayling added, “the ‘reasonable steps’ required by the draft regulation would promise much, but deliver little.” Editor’s Note: The IAPP blog post “Maybe We Need ‘A Right To Be Forgiven’” explores the implications of data erasure and online reputation.

PRIVACY LAW—POLAND

New Cookie Rules Make Opt-Out OK with Proper Info (April 9, 2013)

According to SSW privacy lawyer Joanna Tomaszewska, changes to Poland’s telecoms laws mean a “very strict information duty” requiring website operators to inform consumers of cookie use and ways they can alter their cookie settings; however, if properly informed users do not change default settings, inaction will constitute “explicit consent.” The Office of Electronic Communications (OEC) has also been given the power to issue financial penalties of up to three percent of the previous year’s profits to companies that breach the rule, Out-Law.com reports. While noting that “it is too early to know how the OEC will impose penalties,” Tomaszewska said it is “rather unlikely” the OEC will levy a fine amounting to three percent of annual profits.

DATA PROTECTION

Questions Linger on Data Ownership (April 8, 2013)

GigaOM reports on a recent discussion among experts on the topic of data collection and sharing. “What does it mean to own data?...Does it mean I can do with it whatever I want to do with it?” The question was posed by Andreas Weigend, a lecturer at Stanford University and formerly a chief scientist at Amazon.com. GigaOM’s Jordan Novet said the recent panel discussion in San Francisco elicited questions on whether companies should increase the amount of data they share and whether consumers care enough about their data to want to know what companies collect. Editor’s note: Andreas Weigend will be a keynote speaker at the IAPP’s Data Protection Intensive in London, April 23-25.

ONLINE PRIVACY

Opinion: Privacy Can’t Be Forgotten for Customization’s Sake (April 8, 2013)

As consumers, we must take a close look at Google’s agenda to ensure it acts responsibly towards its users when it comes to privacy, opines Evgeny Morozov for Financial Times. Noting the launch of its latest product, Google Now, Morozov writes of the need for consumers to take control over what happens to their data. “If European history teaches us anything, it’s that some raw materials—and privacy is certainly among them—are worth cherishing and preserving in their own right, even if it means that the much-anticipated future will take somewhat more energy to construct.” (Registration may be required to access this story.)

DATA PROTECTION—EU & U.S.

Reding and Holder Discuss Privacy Protection (April 5, 2013)

EU Justice Commissioner Viviane Reding met with U.S. Attorney General Eric Holder to discuss a range of issues including data protection initiatives and other collaborative efforts between the European Commission (EC) and the U.S. Justice Department, NewEurope reports. Among more specific topics, the officials discussed online protections for children and ongoing data-sharing efforts. According to an EC press release, “Each noted recent progress made, and both sides were optimistic in reiterating their determination to finalize negotiations as rapidly as possible.” Meanwhile, the UK government is not backing efforts within the proposed EU data protection regulation to instill a “right to be forgotten,” The Guardian reports.

MOBILE PRIVACY

Facebook Feature Maps User Moves (April 5, 2013)

Forbes reports on Facebook’s latest mobile release, a “digital skin that you will slide your phone into” which will turn the phone into a “slideshow version of the Facebook news feed.” The feature, called “Home,” means Facebook may be able to consistently collect users’ location information—an attractive situation for advertisers, the report states. GigaOM’s Om Malik noted the privacy issues involved, including that Facebook may be able to deduce a user’s home address by monitoring where the phone most often idles. Facebook says the feature will have the same privacy policy as the rest of the site.

PRIVACY LAW—EU

Reding: Pseudonymous Data Still = Personal Data (April 4, 2013)

European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding has said that data protection rules must still apply to pseudonymous data, European Voice reports. “Pseudonymous data must not become a Trojan horse at the heart of the regulation, allowing the non-application of its provisions,” Reding said, adding that a “robust definition” of pseudonymous data and “robust safeguards” are necessary, the report states. Irish MEP Seán Kelly, who drafted the European Parliament’s data protection reform for the Industry, Research and Energy Committee, said, “I think once provisions are in place to control its use, it has a very important part to play in the regulation.” (Registration may be required to access this story.)

HEALTHCARE PRIVACY—UK

ICO: Doctors Concerned About Healthcare Data Collector (April 4, 2013)

The Information Commissioner's Office (ICO) is reporting that doctors have begun contacting the office over data collection practices by the newly established Health and Social Care Information Centre (HSCIC), Out-Law.com reports. The ICO says doctors “have concerns that patients are not being told that their information will be shared in this way and that they will be in breach of the Data Protection Act by sharing their data.” The HSCIC, in furtherance of its mission to provide better healthcare information across the sector, asks doctors to provide patient information that it deems necessary.

SURVEILLANCE—IRELAND & UK

Policing Social Media While Considering Privacy (April 4, 2013)

The Irish Times reports on comments made by David Omand, former head of Britain’s Government Communications Headquarters, on the importance of balancing the surveillance of social media for fighting crime and terrorism with respecting individual privacy. “The Net is here to stay,” he said following an event at the Institute of Irish and European Affairs in Dublin, “and it can be used for good or evil.” While it’s important for government to curb crime, the general public, Omand notes, should be able to use these services without the “chilling effect” of overregulation.

ONLINE PRIVACY

Euro Task Force Initiates Google Enforcement Measures (April 3, 2013)

A taskforce of data protection agencies has begun follow-up measures against Google, alleging the company failed to fix flaws in a new privacy policy, The Washington Post reports. The taskforce is led by France’s data protection authority, the CNIL, and includes authorities from the UK, Germany, Italy, Spain and the Netherlands. The CNIL says it has notified Google of the inspection’s initiation, which follows a March 19 meeting between the company and the regulators that ended in deadlock. “The authorities’ goal is not to fine Google,” said a CNIL spokeswoman. “The goal is for Google to be in line with what we demand.” Meanwhile, the company’s forthcoming “Google Glass” is raising privacy concerns in the U.S. (Registration may be required to access this story.)

DATA PROTECTION—UK

ICO Performance Report Is “Mixed Bag” (April 3, 2013)

A recent report by the Commons Justice Select Committee on the performance of the Information Commissioner’s Office (ICO) includes both supportive and troubling news for the agency, Mondaq reports. The committee backed the ICO’s intention to place NHS bodies and local authorities under compulsory audits. The article suggests the ICO’s view of the committee’s report was accurate when the ICO said, “the picture that emerges (of the ICO) is of a regulator that is delivering, that is relevant and that is efficient” but cautions the ICO also faces funding issues and is “running out of road and cannot absorb further cuts to the FOI budget without adversely affecting performance.”

DATA PROTECTION

Thinking Accountability? Here’s One Suggestion (April 3, 2013)

“Over the past 10 years, the components of an accountable privacy program have evolved through a combination of privacy professional best practices,” scholarship and regulatory action, writes Intel Global Privacy Officer David Hoffman, CIPP/US, in the latest IAPP Privacy Perspectives blog post. With a waning notice-and-consent model still in the marketplace, Hoffman suggests that consumer education is a major component toward the accountability model. “There is no better network poised to navigate privacy cultures and raise the collective consciousness of privacy than privacy professionals,” Hoffman writes, providing a number of suggestions for privacy pros.

ONLINE PRIVACY

Google Privacy Chief Stepping Down (April 2, 2013)

Google’s first director of privacy plans to retire, Forbes reports. Alma Whitten, named director of privacy in 2010 following controversy over Google’s Street View and Buzz services, was tasked with overseeing product development at the company to prevent future privacy mishaps. She led the privacy team that saw the merging of Google’s 70-plus privacy policies into one. Whitten will be replaced by Google engineer Lawrence You, who will now take over a privacy team consisting of several hundred individuals.

PRIVACY

Insights from the Field: Women in Privacy (April 2, 2013)

In this exclusive for The Privacy Advisor, trailblazers including Sandra Hughes, Jennifer Barrett Glasgow, CIPP/US, and Joanne McNabb, CIPP/US, CIPP/G, CIPP/IT, discuss the proliferation of women in the field of privacy and their thoughts on reasons behind it. Glasgow opines, for example, that the profession requires skills more common in women than in men. Editor’s Note: For a closer look at the work of privacy professionals in the field today—both men and women—access the IAPP’s 2013 Privacy Professionals Role, Function and Salary Survey in the Resource Center.

ONLINE PRIVACY

Why Consumer Privacy Decisions Aren’t Always Rational (April 1, 2013)

The New York Times profiles the work of Carnegie Mellon behavioral economist Alessandro Acquisti. Acquisti’s research “has shown that despite how much we say we value our privacy—and we do, again and again—we tend to act inconsistently,” the report states. Policy-makers, his research has proposed, should learn more about how consumers actually behave because, as consumers, “we don’t always act in our own best interest”—suggesting that user control can sometimes be an illusion. Samford University Prof. Woodrow Hartzog said, “His work has gone a long way in trying to help us figure out how irrational we are in privacy-related decisions,” adding, “We have too much confidence in our ability to make decisions.” (Registration may be required to access this story.)