European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU

Working Party Explains BCRs for Processors (May 31, 2013)

The Article 29 Working Party has issued an explanatory document on Binding Corporate Rules for processors in response to the outsourcing industry's request for a legal tool that reflects data-transfer practices today. The document includes clarity on such issues as onward transfers, cooperation and legal enforceability. In this exclusive for The Privacy Advisor, Jan Dhont and Emily Hay of Lorenz break down the document.
Full Story

PRIVACY LAW—EU

The Regulation in the News: A Roundup (May 30, 2013)

A look through the EU’s headlines of the past week yields a consistent theme: the proposed data protection regulation. From concerns voiced by European Data Protection Supervisor Peter Hustinx and German Rapporteur Jan Philip Albrecht on the future of the proposal to worries from charitable organisations that the regulation’s provisions could impact their ability to market to donors, this roundup for The Privacy Advisor highlights some of the key comments from officials and organisations. Hustinx, for example, cautions that if the legislation does not pass before the end of the European Parliament’s tenure, it will mean “serious repercussions in terms of economic development.”
Full Story

SMART GRID—UK

Experts: Data Safety Is Key (May 30, 2013)

BBC reports that with an estimated 30 million UK homes expected to “have digital smart meters monitoring their gas and electricity usage” by 2020, information security and data safety remain a primary concern. “The scheme promises to reduce costs…However, this month the rollout was delayed by the Department of Energy and Climate Change for more than a year as the government admitted more tests were still needed,” the report states, highlighting expert Eireann Leverett’s recommendations that more needs to be done to prevent hacking of the meters. Leverett notes, “It’s a real challenge fitting in the security that people need with keeping the cost down.”
Full Story

SURVEILLANCE—GUERNSEY & JERSEY

CCTV Prompting Privacy Complaints (May 30, 2013)

This Is Jersey reports on comments from Jersey and Guernsey Data Protection Commissioner Emma Martins on how advances in technology and access to CCTV have spurred an increase in privacy complaints. With CCTV “now easier and cheaper than ever before to install at home, more neighbours were seeking information about their rights for fear that their homes could also be monitored by people living close by,” the report states. Martins is welcoming a review on the matter by the Education and Home Affairs Scrutiny Panel given the complexity of the law as related to CCTV, the report states.
Full Story

PERSONAL PRIVACY

A Networked World Calls for Brave New Thinking (May 30, 2013)

With increased distribution of wearable computing devices, Field Fisher Waterhouse Partner Phil Lee, CIPM, CIPP/E, writes that the “depth of relationship” individuals will have “with their device...far exceeds any previous relationship between man and computer.” In this latest Privacy Perspectives post, Lee examines what effect these wearable devices and the oncoming Internet of Things will have on individuals’ and business’ privacy expectations—from consent mechanisms to Privacy by Design initiatives.
Full Story

PRIVACY LAW—ITALY

DPA Defines Obligations for Data Breaches (May 30, 2013)

In this exclusive for The Privacy Advisor, Stefano Taglibue, CIPP/E, reports on the Italian Data Protection Authority’s (Garante) recent decision defining obligations for telephone companies and Internet service providers regarding potential data breaches. Under the definition, providers must notify the Garante of a breach within 24 hours. Fines of up to 100,000 euros may be issued for failure to notify and of up to 1,000 euros per individual involved for failure to communicate the event to those involved, Taglibue writes.
Full Story

FINANCIAL PRIVACY—SWITZERLAND & U.S.

Swiss Bend to U.S. Will on Banking Data (May 30, 2013)

Following requests by the U.S. government for information about potential tax cheats, the Swiss government has agreed to ease its privacy laws and allow banks to disclose information on U.S.-based clients to the Internal Revenue Service (IRS). Swiss banks will now be able to deliver client details to the IRS, along with any fines that might be appropriate, in exchange for amnesty from further U.S. indictments. In order for the agreement to proceed, The Boston Globe reports, the U.S. would have to ratify a new taxation treaty between the two countries. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

Will New Trade Agreement Sidestep Regs? (May 29, 2013)

Reuters reports on developments regarding the Transatlantic Trade and Investment Partnership (TTIP), a proposed free-trade agreement between the EU and U.S. Consumer groups have called language in the agreement a “backdoor way” for U.S. businesses to sidestep EU data protection law. Roughly 60 supporters and opponents of the agreement will address a panel convened by the Trade Representative’s office to discuss TTIP this week. Editor’s Note: Hogan Lovells’ Christopher Wolf has written about the convergence of trade and privacy law in a blog post for the IAPP’s Privacy Perspectives.
Full Story

DATA PROTECTION—EU & U.S.

Why Investors Must Care About It (May 29, 2013)

As data increasingly becomes the lifeblood of many businesses, the ability to shield and protect that data from mismanagement, hackers and cyberespionage is not only “vital to consumers” but also “critical to investors in publicly held U.S. companies,” write three business experts for The Guardian. “We believe boards have a fiduciary and social responsibility to protect company assets,” they write, “including personal information.” Meanwhile, a new survey reveals that 31 percent of European businesses have experienced a cyberattack in the last year. Consero Group Founder and CEO Paul Mandell says, “Confidence in information security is likely diminished by the high level of publicity surrounding recent cyberattacks and will likely continue to decline before it gets better.”
Full Story

BIG DATA

From Beavers to Smart Cars to Ivory Coast with Sandy Pentland (May 29, 2013)

Alex “Sandy” Pentland has worked using data to solve any number of problems--enough to realize that privacy issues can be overcome when working with Big Data. The MIT and World Economic Forum researcher addressed the Center for Geographic Analysis annual conference recently to discuss “data commons” and the power they may hold for public good. Editor’s Note: Pentland will address the audience at Navigate, June 21, as part of a cast of provocative thinkers.
Full Story

MOBILE PRIVACY

Website Shows Just How Private Snapchat Really Is (May 29, 2013)

If recent stories showing the permanence of Snapchat’s supposedly ephemeral photo sharing didn’t convince you, perhaps the launch of the new SnapchatLeaked.com will. As Beta Beat reports, the startup website allows users to upload photos that have been sent to them, despite the senders’ assumption that they would be deleted after only 10 seconds of viewing. While the site covers up “naughty bits” and doesn’t display a Snapchat ID, there is still some speculation as to whether the site will lead to lawsuits. “All images are user-submitted,” the site’s creators told UK tabloid Metro, “if the person asks to take them down, we do. Most see it as fun and getting ‘Facebook famous’.” Editor’s Note: Jed Bracy, CIPP/US, CIPP/E, wrote about how Snapchat plays into cyberstalking and cyberbullying recently for Privacy Perspectives.
Full Story

PERSONAL PRIVACY—GERMANY

Commissioner Dislikes Xbox’s View Into the Living Room (May 29, 2013)

Germany’s federal data protection commissioner says he’s “unsettled” by Microsoft’s new Xbox One console, launched by the company last week. Commissioner Peter Schaar says the box “records all sorts of personal information” that could be recorded and transferred to third parties, Slate reports. “The fact that Microsoft is now spying on my living room is just a twisted nightmare,” Schaar said. Microsoft says it is not using the box’s system to “snoop on anybody at all.”
Full Story

DATA RETENTION—DENMARK

Industry, Advocates Want Change to Law (May 29, 2013)

Five years ago, Denmark passed a law requiring telecommunication companies to retain and store customers’ personal data for up to one year. Now, the telecom industry and advocates are calling for changes to the law, citing “an unjustifiable invasion of privacy,” TECHPRESIDENT reports. Police say the law hasn’t helped them track criminals, but the Danish government wishes to delay a review of the law for two years.
Full Story

PRIVACY LAW—EU

Regulation’s Territorial Scope Debated Behind the Scenes (May 28, 2013)

EUObserver reports on behind-the-scenes debates between EU legislators on the territorial scope of the proposed EU data protection reform. The European Commission backs legislation that covers non-EU entities that process EU citizen data, but according to the report, deputies have not been able to reach an agreement on the regulation's eventual scope. UK MEP Sarah Ludford said there is a need to “get legal clarity on which individuals are covered by the proposed regulation, whether it is people when they are present in the EU or those outside the EU.” Meanwhile, a new analysis by KPMG reveals that 51 percent of UK organizations, in both public and private sectors, have failed to comply with the EU Directive on Privacy and Electronic Communications, also known as the Cookie Directive.
Full Story

DATA PROTECTION—EU & U.S.

Wolf on the Latest from France and Belgium (May 28, 2013)

“A variety of client and professional meetings in France and Belgium have me here for an extended stay,” writes Hogan Lovells’ Christopher Wolf in this latest installment of the IAPP’s Privacy Perspectives. “I have heard many interesting things about privacy and data protection issues,” Wolf notes. Among them, Wolf details what he’s hearing about the EU data protection reform, the right to be forgotten, U.S. governmental access to cloud data and the need for more privacy professionals in Europe.
Full Story

ONLINE PRIVACY

Estate Planning for Digital Assets (May 28, 2013)

The New York Times reports on the issue of end-of-life planning for online data. “Digital assets have value, sometimes sentimental and sometimes commercial, just like a boxful of jewelry,” one lawyer notes, suggesting they can result in “painful legal and emotional issues for relatives unless you decide how to handle your electronic possessions in your estate planning.” The report highlights options available to online users—including Google’s Inactive Account Manager, which allows users to “decide exactly how they want to deal with the data they’ve stored online with the company”—as well as expert recommendations for getting “your Internet house in order.” (Registration may be required to access this story.)
Full Story

PERSONAL PRIVACY

Opinion: What About Those Who Don’t Want To Be Recorded? (May 28, 2013)

In an opinion piece for The New York Times, Nick Bilton discusses a recent experience with Google Glass, the wearable computer capable of recording everything occurring in its view with a click or a wink. “But what about people who don’t want to be recorded?” Bilton asks. At a recent social gathering, Bilton notes, “I was startled by how much Glass invades people’s privacy, leaving them two choices: Stare at a camera that is constantly staring back at them, or leave the room.” Meanwhile, a startup is preparing to launch a facial recognition API for developers of Google Glass apps, to be available within a week. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & POLAND

Reding, Boni Speak on Proposed Directive (May 23, 2013)

European Commission Vice-President Viviane Reding spoke at a conference in Poland recently about the European Union’s “legal obligation” to protect personal data, saying that thanks to the proposed directive, “we will have consistent law in this respect throughout the EU,” reports EurActiv. Polish Minister for Administration and Digitisation Michał Boni initiated the conference and while agreeing with Reding, cautioned against imposing “technically and economically infeasible restrictions on business.” Boni also noted that building awareness of data protection issues in businesses and citizens is of utmost importance, adding that if citizens want to be involved in the legislative process, they should come up with proposals now.
Full Story

DATA PROTECTION—IRELAND

Commissioner Finds “Disturbing Failure of Governance” (May 23, 2013)

Irish Data Protection Commissioner Billy Hawkes says there has been a “disturbing failure of governance” when it comes to access to a Department of Social Protection (DSP) welfare database. In 2012, three insurance companies were found to have breached Irish data protection laws by failing to notify Hawkes’ office that they were processing social welfare data, the report states. The office said failures indicated by an audit revealed a “worrying degree of inappropriate access to Infosys by state employees.” An investigation is now underway, and an employee at DSP is under investigation for alleged processing of the data.
Full Story

PRIVACY LAW—THE NETHERLANDS

Court: Privacy Outweighs Copyright Enforcement (May 23, 2013)

PCWorld reports on a recent Dutch court’s ruling that privacy laws that protect bank accountholders take precedence over sharing information to assist in copyright enforcement cases. “The Dutch ING Bank doesn't have to reveal who has access to a bank account, the number for which is posted on the website FTD World, the Amsterdam district court ruled,” the report states. “There is no relationship between ING Bank and copyright infringement,” Judge Sj.A. Rullmann wrote. Dutch anti-piracy foundation Brein has said it disagreed with the ruling and will be appealing the case.
Full Story

SMART GRID—UK

Opinion: Extend Security to Entire Workplace (May 23, 2013)

While smart grid technology promises to provide much-needed energy efficiency, privacy and security concerns have been a barrier to its widespread adoption, reports The Guardian. “Our priority should now be ensuring that both the smart grid and the devices that connect to it are totally secure, which not only requires physical and virtual security but also a complete shift in the mindset of UK organisations,” writes McAfee’s Graeme Stewart. With smart grid implementation, Stewart says, “Enterprise security should now extend far beyond just laptops, mobiles and desktops: The entire workplace needs to be considered, including printers, phone systems, lighting and even air conditioning.”
Full Story

ONLINE PRIVACY—THE NETHERLANDS

Gov’t Scraps Cookie Consent Plans (May 23, 2013)

The government plans to abandon a requirement for companies “to get explicit permission from visitors before placing analytic cookies,” Telecompaper reports. Dutch Minister of Economic Affairs Henk Kamp called for a consultation to amend the cookie provision in the Telecommunications Act, the report states, noting in a letter to Parliament “that customers will not have to be consulted on the amendment due to the very low impact on Internet privacy.” The consultation opened this week.
Full Story

SURVEILLANCE—UK

Taxi CCTV Scheme Fails (May 23, 2013)

BBC News reports that plans for CCTV to be installed in taxis in Oxford have been scrapped. The city council’s licensing committee had called a consultation on the idea in 2011, but plans were suspended last year following concerns from the Information Commissioner’s Office (ICO) over data protection. Southampton City Council had attempted a similar plan recently, but the ICO said it breached the Data Protection Act. Meanwhile, British police have indicated interest in using technologies like Google Glass to investigate or predict crimes in the future.
Full Story

FINANCIAL PRIVACY—EU

President Plans for Automatic Data-Sharing on Taxes (May 23, 2013)

French President Francois Hollande has said European countries will start working on an automatic exchange of tax information, Reuters reports. The president said at a recent summit of European leaders that the effort aims to recover some of the billions lost in tax evasion each year. “We must coordinate at a European level, harmonise our rules and come up with strategies to stop this,” he said.
Full Story

DATA PROTECTION—UK

Commissioner: Serious Breach Offenders Deserve Prison Time (May 23, 2013)

UK Information Commissioner Christopher Graham says people who misuse personal information should face tougher penalties, including prison time, Public Service reports, citing a recent case in which a community health manager took personal data from the health center to use for his own fitness company. The man e-mailed data on 2,471 patients to his personal account, and soon thereafter, patients approached by the man began to complain. The man was fined 3,000 GBPs and ordered to pay other legal costs. Graham said the government “must ensure that criminals do not see committing data theft as a victimless crime and worth the risk.”
Full Story

BIG DATA

Privacy Hampers Research Outcomes (May 23, 2013)

Professors at the Massachusetts Institute of Technology say privacy remains a “big stumbling block” to effectively using Big Data, The Wall Street Journal reports. MIT’s Andrew Lo, Dimitris Bertsimas and Alex “Sandy” Pentland are building Big Data models to predict financial market shifts and crime and improve healthcare outcomes, the report states, but run into privacy issues when it comes time to analyze the data. There are also concerns about individuals being profiled based on Big Data findings. Meanwhile, Amsterdam’s ZyLAB has published a whitepaper warning IT decision-makers about “the dark side of Big Data.” (Registration may be required to access this story.)
Full Story

SOCIAL NETWORKING

Facebook Joins Advocacy Group (May 23, 2013)

Facebook announced on Wednesday that it has joined the online privacy and freedom advocacy group Global Network Initiative (GNI), reports The Wall Street Journal. The affiliation may help to show users that Facebook is taking privacy concerns seriously and also help it navigate expansion in developing countries, the report states. GNI provides guidance on protecting online privacy against government intrusions and reviews members’ practices to ensure they are in line with GNI’s goals. Meanwhile, Facebook CEO Mark Zuckerberg was in Poland on Wednesday meeting with Polish Minister for Administrative Affairs and Digitisation Michal Boni about the global significance of the Polish IT industry. (Registration may be required to access this story.)
Full Story

BIG DATA

Service Would Sell Phone Data on Consumers (May 22, 2013)

European software firm SAP has announced a new service that will pull data from its “extensive partner network”—which includes “over 990 mobile operators”—collect and analyze it “without drilling down into user-specific information,” CNET News reports, and disclose the results to subscribers via web portal. SAP said of its Consumer Insight 365 mobile service that “this market intelligence will ultimately allow brands to strengthen relationships with consumers through more targeted and context-specific marketing efforts.” The Wall Street Journal reports on the potential privacy concerns from a service that will “broaden the range of data about individuals’ habits and movements that law enforcement could subpoena.”
Full Story

BIG DATA

Creating a Data Empire (with Uncle Enzo and Steve Sneak) (May 22, 2013)

With gamification making its way further and further into mainstream marketing and corporate efforts, it only makes sense that privacy-awareness advocates would get into the game. Privacy professionals should get a kick out of Data Dealer, a new browser-based game, which will eventually be integrated into Facebook like the popular Zynga games (et al) and takes a satirical and ironic approach to the world of data collection and sale. The Privacy Advisor gives it a spin and gives you a full review.
Full Story

PRIVACY LAW—UK

Court: Compensation Only If Damages Are Due To Breach of DPA (May 22, 2013)

The England and Wales Court of Appeal recently ruled that businesses “do not have to pay compensation for causing distress to consumers if they break data protection laws unless the distress suffered by consumers is linked to the breach itself,” reports Out-law.com. The ruling stemmed from a customer’s complaint that upon receiving damages from a breach case, the finance company involved placed his settlement in a closed account and entered incorrect information about him in their systems indicating his account was in arrears—which was shared with a credit scoring agency. The customer claimed the company had breached the terms of the district court order and asked the court for further damages, prompting the court’s ruling.
Full Story

SOCIAL NETWORKING—IRELAND

Facebook Appoints New Privacy Counsel, Gets OK from DPA (May 21, 2013)

Irish Data Protection Commissioner Billy Hawkes says he’s satisfied with the work Facebook has done to meet a four-week deadline to comply with recommendations on improving user privacy, the Independent reports. Had the company failed to comply, it would have faced fines of up to 100,000 euros. Following an audit by Hawkes’ office, the company had implemented changes to transparency and user controls, but a number of the office’s recommendations had not been met, prompting the four-week deadline. Facebook has also announced the appointment of a lead data protection and privacy counsel to its Dublin headquarters. (Editor’s Note: The IAPP recently chatted with Hawkes on life as a privacy enforcer and how companies can avoid his attention.)
Full Story

RFID

Chips Pose ID Theft and Privacy Concerns (May 21, 2013)

The Washington Post reports on rising identity theft of travelers stemming from access to RFID chips in passports and credit cards. Criminals can also access personal data from smartphones via WiFi networks. To help curb such attacks, some luggage companies are inserting RFID-blocking compartments in luggage. Meanwhile, Bruce Schneier, a security expert, writes about the rise of the Internet of Things and surveillance in his latest blog post, noting that “any illusion of privacy we maintain” is “about to get worse.” (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU & U.S.

The Transatlantic Data Privacy Divide (May 20, 2013)

With increased tensions between U.S. tech companies and EU lawmakers and regulators, Wilson, Sonsini, Goodrich & Rosati Senior of Counsel Christopher Kuner explores “the root of many of the differences between the EU and U.S. approaches to data privacy” in this latest installment of the IAPP’s Privacy Perspectives. Kuner writes that the “differing status of privacy as a constitutional or human right underlies how this question is dealt with in the two systems.”
Full Story

DATA PROTECTION—EU & U.S.

Group Criticized for Lack of Transparency (May 20, 2013)

The European Privacy Association (EPA) has revealed that several U.S.-based tech companies are backers, IDG News Service reports. Last Thursday, the Corporate Europe Observatory (CEO)—a watchdog that “works to expose privileged access in EU policy making”—filed a complaint stating the EPA, while working to represent industry interests in EU data protection reforms, did not list any backers on the EU Transparency Register, the report states. A CEO representative said the group’s name conflicts with its pro-industry stance, creating a “confusing…mismatch.” In a press release, the EPA said, “We are immediately clarifying such discrepancies” to ensure that they’re “in line with the guidelines of the European Union.”
Full Story

ONLINE PRIVACY

Firefox Cookie Blocking By Default on Pause (May 17, 2013)

Mozilla has postponed default cookie-blocking in its Beta version of Firefox 22 “to collect and analyze data on the effect of blocking some third-party cookies,” PC World reports. The default setting has been criticized by the online advertisement industry. The nonprofit is currently testing a patch created by Jonathan Mayer. In a blog post, Mozilla Chief Technology Officer Brendan Eich wrote, “Our next engineering task is to add privacy-preserving code to measure how the patch affects real websites,” adding, “We will also ask some of our Aurora and Beta users to opt in to a study with deeper data collection.”
Full Story

GENETIC PRIVACY

Making Art of the DNA We Leave Behind (May 17, 2013)

What if someone could take your mundane, discarded items—chewing gum, a stray hair and other things with traces of DNA—and turn them into a portrait of you? Heather Dewey-Hagborg has already started doing just that. This Privacy Perspectives blog post explores her work and the broader implications, both creepy and courageous, for our fledgling personal privacy in light of advancing DNA capabilities.
Full Story

PRIVACY LAW—RUSSIA

Nation Ratifies Commitment to Convention 108 (May 17, 2013)

NewEurope reports that on May 15, Russia ratified a treaty to join Convention 108—the “Convention for the protection of individuals with regard to Automatic Processing of Personal Data.” Council of Europe Secretary General Thorbjørn Jagland said he received Russia’s accession from Permanent Representative and Ambassador of the Russian Federation to the Council Alexander Alekseev. The treaty will enter into force on September 1. Russia will become the 46th state to join Convention 108.
Full Story

ONLINE PRIVACY—EU & UK

ORG: Consent Should Be Required To Share Anonymous Data (May 16, 2013)

The Open Rights Group (ORG) is calling for new EU data protection laws “to require consent to anonymised data-sharing,” Out-Law.com reports. “Anonymising datasets rarely prevents re-identification,” said Jim Killock, executive director of the ORG, noting that in order to resolve that issue, there should be legal requirements to "ask for users' permission before offering their anonymised data.” The ORG’s suggestion follows reports about a telecom and a research firm offering to sell consumer personal data to a police department. The firms have stated “their activities are in line with the UK's Data Protection Act,” the report states, and only access to "anonymised and aggregated" data is provided.
Full Story

FINANCIAL PRIVACY—UK

FCA Proposals May Have Data Protection Implications (May 16, 2013)

The Guardian reports on plans by the Financial Conduct Authority (FCA) to collect “personal financial information of millions of people” for mortgage market oversight, suggesting the FCA “could spark a row over privacy after acknowledging that its proposals may have data protection and human rights implications.” If the FCA proposals are approved, the data to be collected and analysed will include such information as income and bonus pay, household spending, loan and credit card balances, number of children, planned retirement age and “whether the borrowers have any financial black marks against them, such as loan arrears or county court judgments,” the report states.
Full Story

DATA LOSS—UK

New NHS Orgs Will Be Responsible for Old Breaches (May 16, 2013)

The Information Commissioner’s Office (ICO) is cautioning that in cases where NHS organisations “have been dismantled under the Health and Social Care Act,” pending data breach complaints “will be transferred to new NHS organisations,” Public Service reports. The ICO’s Dawn Monaghan said, “Any complaints from data protection, any investigations that were underway for a breach of data protection…we don't just let them fall off the end and put them in the waste bin….They carry on and they are continued with whichever body has legal liability.”
Full Story

PRIVACY

When Buying Cyberinsurance, Semantics Matter (May 16, 2013)

At yesterday’s Pre-Breach Preparedness IAPP KnowledgeNet in Dedham, MA, Joe Burgoyne of Osram Sylvania opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly. In this exclusive for The Privacy Advisor, Burgoyne offers advice on how to prepare for a data breach and attorney Nancy Kelly discusses the importance of negotiating when it comes to buying standalone cyber insurance.
Full Story

DATA LOSS

Experts Discuss Bloomberg Privacy Implications (May 15, 2013)

As Bloomberg News continues to answer questions about the actions of reporters who appear to have, on more than one occasion, used the company’s desktop data terminals to monitor activity at financial institutions, privacy experts are weighing in on the long-term implications. This exclusive for The Privacy Advisor examines the most recent developments and the reactions from experts like Lisa Sotto, CIPP/US, who told GovInfoSecurity Bloomberg must “toughen its IT security and privacy governance process…It is critically important to have a stringent set of access controls, but the integrity and ethics issues really go beyond privacy and data security."
Full Story

DATA PROTECTION—EU & UK

ICO: Biz Lacks Understanding of EU Reforms (May 15, 2013)

The UK Information Commissioner’s Office (ICO) has released a new report highlighting “a clear lack of understanding across business around proposed EU data reforms.” According to an ICO press release, 40 percent of businesses “don’t fully understand any of the 10 main provisions being proposed,” and 87 percent are “unable to estimate likely costs of draft proposals to their business.” Information Commissioner Christopher Graham said, “Debate must be based on valid evidence. This reform is too important for guesswork.”
Full Story

PRIVACY IN POP CULTURE

Going Gaga for Google Glass (May 15, 2013)

While it’s unquestionably true that the advent of Google Glass has created all manner of interesting privacy discussions, Glass may end up being as much a boon to comedy writers as to privacy professionals. In this exclusive for The Privacy Advisor, we round up all of the best send-ups and look at the way being creepy may keep Glass users from being creepy.
Full Story

DATA RETENTION

An Archivist’s View of the Right To Be Forgotten (May 14, 2013)

As Europe considers implementation of “the right to be forgotten,” Archivist Cherri Ann Beckles writes, “From a bird’s eye view, this proposal would have an undeniable effect on the preservation of the individual and collective memory of society.” In this latest Privacy Perspectives blog post, Beckles lays out the issues that could lead from a right to be forgotten to a “society that was forgotten.”
Full Story

MOBILE PRIVACY

In-App Advertisers Beware: Lookout Announces Deadline (May 14, 2013)

With adware targeting the Android operating system up 61 percent over last year, by Bitdefender’s estimate, mobile security firm Lookout has decided to take a firmer stance with in-app advertisers. The company has announced “rules and standards for acceptable advertising practices that promote good user experience and privacy best practices” and has given advertisers 45 days from May 10 to comply or be otherwise classified as adware. If advertisers don’t get explicit user consent for display advertising outside the normal in-app experience, harvesting PII or performing unexpected actions in response to ad clicks, Lookout’s product will block them from users.
Full Story

DATA PROTECTION—EU

Industry, Lobbyists Converge To Discuss Directive (May 14, 2013)

Representatives from European banking, auto, aeronautics and technology industries met in Berlin this week to discuss the proposed EU Data Protection Regulation, The New York Times reports. One communications expert says that industries having “nothing to do with social media” are showing concern about the likelihood of “a whole new layer of regulation,” noting that one motivation for the proposal is to rein in the use of social media data by big tech firms. Thomas Lehnert, director of data protection for EADS Deutschland, said he expects an increased need for data protection officers in his organization—which currently employs eight full-time officers. “I think we are talking about a multiple of what we have now,” Lehnert said. (Registration may be required to access this story.) Editor's note: For insight into the European Regulation, see our coverage of Peter Hustinx's and Richard Thomas's talks at the IAPP's recent London event.
Full Story

DATA PROTECTION—EU & U.S.

Exploring the ABCs of BCRs (May 13, 2013)

As more organizations move toward using Binding Corporate Rules (BCRs), there are lessons that can be gleaned from the experience of others. Align Technology Privacy Counsel K Royal, CIPP/US, CIPP/E, helped lead her organization toward BCR adoption. In this Privacy Perspectives post, Royal reveals some of the top lessons and tips she learned from this process, which she describes as “not being for the faint of heart.”

ONLINE PRIVACY

Protecting Our Online Profiles (May 13, 2013)

Last week, the Today Show reported on one person’s struggles to get a job in light of an ex-girlfriend’s online posting of disparaging personal material, allegedly out of revenge. This Privacy Perspectives post delves into the difficulties of maintaining a reputable online profile and the legal and technical complexities around combating such negative and vengeful actions.
Full Story

ONLINE PRIVACY

LinkedIn Revises Policy for User Clarity (May 13, 2013)

LinkedIn is updating its privacy policy within the next week, the company reports in its blog. The updates will clarify and simplify language to make it easier for members to read and understand. The policy will be located on a page that will become the company’s “Privacy Portal” where users can access all of their LinkedIn data.
Full Story

PRIVACY—UK

Britain Struggles with Info Access vs. Privacy (May 13, 2013)

In a recent case involving the theft of 113,000 GBP from a building in Warwickshire, police refused to identify the man charged with the crime. His identity was only disclosed after free speech campaigners made hay, and it was then learned the suspect was a former police officer. “The incident is indicative of rising tensions between journalists and authorities in Britain” when it comes to balancing privacy and freedom of information, The New York Times reports. “The police are in a real bind about this, because they have to balance the right to privacy against the public interest,” said one journalist. (Registration may be required to access this story.)
Full Story

CYBERSECURITY

A Global View of Integrating Privacy and Security (May 10, 2013)

“From Maryland to Ireland, Slovakia to Florida, privacy professionals and their industry colleagues are working on integrating Privacy by Design into business models and functionality,” writes Jenner & Block’s Mary Ellen Callahan, CIPP/US, in this latest Privacy Perspectives post. Amidst her “whirlwind tour” across continents and industry sectors—from marketing to security to government—Callahan assesses a growing effort to implement privacy into business and national security strategies.
Full Story

PRIVACY—IRELAND

Commissioner Hawkes On Increasing Complaints and How To Avoid His Attention (May 10, 2013)

At the IAPP’s Data Protection Intensive in London last month, the IAPP sat down with Irish Data Protection Commissioner Billy Hawkes to discuss the ins and outs of a regulator’s daily life on the job, the impending EU regulation, do-not-track and how he relaxes when he’s not regulating multinational giants headquartered in Ireland.
Full Story

PRIVACY LAW—UK

Queen’s Speech: Communications Bill May Return (May 9, 2013)

Publicservice.co.uk reports that this week’s Queen’s Speech has indicated a bill “blocked by Nick Clegg after it was dubbed a 'snoopers' charter' could now return…with Home Office proposals set to give police the power to identify people sending emails and making Skype calls.” The Communications Data Bill, first announced last year, was met with widespread concern over the potential for invasion of privacy. The Queen said this week, “In relation to the problem of matching Internet protocol addresses, my government will bring forward proposals to enable the protection of the public and the investigation of crime in cyberspace.”
Full Story

FINANCIAL PRIVACY—EU

Court Rules Against Extradition in Bank Data Case (May 9, 2013)

Reuters reports Spain’s High Court ruled Wednesday that it would not extradite Herve Falciani, a former HSBC employee “wanted in Switzerland on allegations of stealing data on tens of thousands of Swiss bank accounts that a number of European countries have used to pursue suspected tax evaders.” The court indicated the charges are not crimes under Spanish law. Falciani, who has Italian and French citizenship, has reportedly “acknowledged taking the data but describes himself as a whistleblower against what he calls ‘scandalous’ practices at Swiss banks.” Authorities in France, Germany, Italy and Spain have used Falciani’s data to pursue lost taxes, the report states, noting Switzerland has three days to appeal the court's decision.
Full Story

PRIVACY LAW—ITALY

Data Retention a Dilemma for ISPs (May 9, 2013)

The Garante has recently come down hard on ISPs, fining nine out of 11 companies that were investigated, reports Mondaq. The primary issue is the failure of ISPs to delete traffic data after the 12 months of required retention expire. However, data retention legislation has been complicated and difficult to comply with, and law enforcement agencies want to see data retained indefinitely to aid in criminal investigations, the report states. All of this, coupled with the government’s decree on cyber-security, has ISPs in a very difficult position, the report suggests.
Full Story

PRIVACY LAW—UK

Ofcom: Show Violated Gambler’s Privacy (May 9, 2013)

Broadcasting watchdog Ofcom has ruled the BBC violated privacy codes by not completely obscuring a subject’s identity in its television programme “Panorama: Gambling Nation.” BBC News reports the participant, referred to as “Mr. C,” was filmed in a way that obscured his face but did not disguise his voice. As a result, some friends recognised him, resulting in distress and infringement of his privacy, the report states. Ofcom noted, “The broadcaster’s right to freedom of expression…did not outweigh Mr. C’s expectation of privacy.” All future airings of the episode have been canceled.
Full Story

ONLINE PRIVACY

Suspect Returned to Native Country Pending Web Attack Investigation (May 9, 2013)

A man suspected of involvement in a large-scale online attack against an Internet spam-fighting service has been returned to his home country of The Netherlands and ordered to remain in custody, The New York Times reports. Sven Olaf Kamphuis was transferred from Spain to the Netherlands Monday after being arrested in Barcelona, the report states. He is suspected of delivering denial-of-service attacks, which “slowed Internet service globally for several days in April, especially in Russia and other European countries,” the report states. A judge ordered that Kamphuis remain in custody as an investigation proceeds. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Regulation Vote Delayed Again (May 8, 2013)

PC World reports on the European Parliament Civil Liberties Committee’s decision to delay a planned vote on the draft data protection regulation that had been scheduled for May 29. “German MEP Jan Philipp Albrecht, who is charged with steering the legislation through to the final vote, explained that although several meetings have been held and some agreements have been reached, more rounds of discussions are still needed,” the report states. Meanwhile, small- and medium-sized businesses remain concerned as the proposal would require those with 500 or more customers to have a data protection officer, resulting in “additional expense in an economy where many are struggling.” Albrecht has said a vote is still possible before July.
Full Story

ONLINE PRIVACY

Google Chairman: Lack of Internet Delete Button Is “Significant Issue” (May 8, 2013)

Google Executive Chairman Eric Schmidt believes the “lack of a delete button on the Internet is in fact a significant issue.” That’s according to a Fast Company report on Schmidt’s comments to economist Nouriel Roubini at New York University’s Stern Business School this week. The discussion focused in part on the privacy implications of the “endless troves of personal user data” being amassed by online companies. Schmidt said, “Let me be very clear that Google is not tracking you,” adding that in terms of that lack of an online delete button, “There are times when erasure is the right thing...and there are times when it is inappropriate. How do we decide? We have to have that debate now.”
Full Story

PRIVACY LAW—GERMANY

Court Says Apple Must Revise Data-Handling Rules (May 8, 2013)

A German court has told Apple to change its data-handling rules, Bloomberg reports. The court struck down eight of 15 provisions in the company’s data-use terms, stating they deviate too far from German law, the report states. The court also ruled Apple can’t seek “global consent” from consumers on the use of data, including geolocation information. “The ruling shows the high importance of data protection for consumers in a digital world,” said Gerd Billen, head of consumer group Verbraucherzentrale Bundesverband.
Full Story

ONLINE PRIVACY

Internet of Things and Privacy a “Cat-and-Mouse Game” (May 8, 2013)

Wireless technology company Qualcomm is working on enabling the impending “Internet of Things” while maintaining user privacy. That’s according to CEO Paul Jacobs, who said in a recent speech that technology will certainly make it possible for “nearly everything people interact with” to be connected to the Internet in time, but companies must work to make such capabilities less intrusive, CNET reports. “Privacy is something that’s going to be a little bit like a cat-and-mouse game,” he said.
Full Story

ONLINE PRIVACY

GPEN Launches First Internet Privacy Sweep (May 7, 2013)

A total of 19 privacy enforcement authorities are participating in the Global Privacy Enforcement Network’s first Internet Privacy Sweep initiative. In announcing the launch of the weeklong initiative, the Office of the Privacy Commissioner of Canada said participating authorities will dedicate individuals to search the Internet in a coordinated effort to assess privacy issues related to the theme, Privacy Practice Transparency. “Privacy issues have become global and they require a global response,” noted Canadian Privacy Commissioner Jennifer Stoddart. “It is critical that privacy enforcement authorities work together to help protect the privacy rights of people around the world.” This exclusive for The Privacy Advisor takes a closer look at the new initiative.

BYOD

What’s Yours and What’s Theirs? (May 7, 2013)

Despite standards that are beginning to emerge, such as the UK ICO’s recent guidance for BYOD policies, issues surrounding employees’ use of personal devices for corporate work remain a fairly sticky wicket. At the IAPP Europe Data Protection Intensive in London, a panel discussion and presentation, “BYOD: What’s All the Fuss,” sought to provide a bit of clarity through personal experiences at the likes of Vodafone, the BBC and global medical research firm Beckman Coulter.
Full Story

ONLINE PRIVACY

The Struggling Do-Not-Track Negotiations (May 6, 2013)

The New York Times reports on the friction between industry and privacy advocates leading up to what will be the final face-to-face negotiations within the World Wide Web Consortium (W3C) on establishing a Do-Not-Track (DNT) standard. On Friday, Mozilla posted a new report on the “State of Do Not Track in Firefox.” Yet, if the W3C cannot come to an agreement this week, the proposed standard may go the way of the dodo. Two main sticking points revolve around default settings and what data may be collected after a DNT signal is activated. Jonathan Mayer, a Stanford University graduate student and participant in the W3C talks, said, “I think it’s right to think about shutting down the process and saying we just can’t agree,” adding, “We gave it the old college try. But sometimes you can’t reach a negotiated deal.” Editor’s Note: Mercatus Center Senior Research Fellow Adam Thierer recently wrote about Do Not Track in the first installment of a point-counterpoint with the Center for Democracy & Technology’s Justin Brookman for the IAPP’s Privacy Perspectives. (Registration may be required to access this story.)

GEO-LOCATION

What’s the Equivalent of Shouting “Fire!” in a Crowded Theater? (May 6, 2013)

The Center for Geographic Analysis held its annual conference at Harvard’s Tsai Auditorium last week, focusing on the challenges and thoughts surrounding policy-making for a location-enabled society. The benefits of location technology are hard to deny—identifying influenza outbreaks, getting necessary transportation to people in remote locations, providing emergency services to people who call 911 from cell phones, heck, even just figuring out how to get home without being stuck in rush-hour traffic—but the collection, analysis and use of this data bring risks, too.
Full Story

PERSONAL PRIVACY

Did Andy Warhol Get It Wrong? (May 6, 2013)

In 1968, Andy Warhol famously quipped, “In the future, everyone will be world-famous for 15 minutes.” But what if the opposite is becoming true? In his recent Privacy Perspectives blog post, IAPP Associate Editor Jedidiah Bracy, CIPP/US, CIPP/E, writes, “We could also say it this way, ‘In the future, everyone will have anonymity for 15 minutes.’” A recent TED Talk, given by Juan Enriquez, further illustrates this point by looking at “the obvious combination of Big Data, tattoos, immortality, the Ancient Greeks…and, of course, Jorge Luis Borges.”
Full Story

DATA PROTECTION—UK

Former ICO Talks Lagging Regs (May 6, 2013)

Data protection regulations aren’t keeping pace with technology. That’s according to former UK Information Commissioner Richard Thomas, who said recently that significant advances in the capacity to store data have left a gap, SC Magazine reports. “I made myself a bit of a reputation during the last three or four years of my time as information commissioner saying that the...European directive…was not fit for purpose and it was a mainframe directive that didn’t accommodate the modern world at all,” he said. Editor's Note: Thomas made similar remarks at the Data Protection Intensive in London.
Full Story

DATA PROTECTION—UK

Trade Group Issues Insurance Guidelines (May 6, 2013)

The Association of British Insurers (ABI) has published guidance for insurance companies on obtaining consent for data-sharing, Out-Law.com reports. ABI advises companies obtain opt-in consent to share data with firms that are not “directly involved in managing or delivering a policy, handling a claim, setting premiums, detecting and preventing fraud” or involved in customer service, the report states, adding that companies collecting data must respect UK data protection laws.
Full Story

PRIVACY LAW—EU

BCR for Processors Endorsed (May 3, 2013)

“The fact that with everything that is going on in the world of data protection right now, the Article 29 Working Party has devoted a thorough 19-page explanatory document to clarifying and endorsing the role of BCR for Processors or Binding Safe Processor Rules (BSPRs) is very telling,” Eduardo Ustaran, CIPP/E, writes for Field Fisher Waterhouse’s Privacy and Information Law Blog. Ustaran’s post highlights key elements in the Working Party’s document and notes that “despite the detailed requirements that must be met, the overall approach of the Working Party is very ‘can do’ and pragmatic.”
Full Story

DATA PROTECTION—GERMANY

Schaar Releases Activity Report (May 2, 2013)

New Europe reports on Federal Commissioner for Data Protection and Freedom of Information Peter Schaar’s release of the 24th Activity Report on Data Protection, covering the years 2011 and 2012. Schaar stated the report “emphasises the increase of data protection issues by many examples from almost all areas of our lives.” Schaar further acknowledged that more and more everyday objects are requiring technology that collects data, and “Therefore up-to-date rules for handling information technology are more urgent than ever.”
Full Story

PRIVACY LAW—EU

EDPS: Interoperable Databases Could Contravene Laws (May 2, 2013)

European Data Protection Supervisor Peter Hustinx is cautioning that interoperable systems could result in police databases being used for different purposes, thus running counter to EU data protection laws, Out-Law.com reports. Under EU law, personal data may only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes," the report notes. In his new opinion, Hustinx cautions, “Although the introduction of interoperability will not lead to new databases, it will necessarily introduce a new use of existing databases by providing new possibilities of access to those databases.”
Full Story

HEALTHCARE PRIVACY—UK

Health Committee: Privacy Should Not Impede Progress (May 2, 2013)

Stephen Dorrell, head of the Parliamentary Health Select Committee and former secretary of state for health, says that the interest in securing patients’ medical information should not hinder the progress made by such unlimited data, The Telegraph reports. Dorrell was speaking at an Age UK conference in London when he made the comments and stressed that the NHS should not ignore "one of the most powerful tools at our disposal," adding fear should not stand in the way of progress.
Full Story

PRIVACY LAW—UK

Private Investigators May Face ICO Fines (May 2, 2013)

The Leveson inquiry uncovered the problem of “rogue private investigators” illegally accessing people’s private information, which could result in fines up to 500,000 GBP, reports Public Service. The report also found some investigators are failing to ensure accuracy of information and secure deletion when no longer required. The Information Commissioner’s Office has launched a new campaign asking for police and the general public to report any concerns they have. According to Information Commissioner Christopher Graham, “The fact that less scrupulous professionals may be trying to take shortcuts by illegally accessing people’s data is, quite simply, wrong.”
Full Story

HEALTHCARE PRIVACY—UK

Caldicott: Any Unlawful Sharing Should Be Reported as Breach (May 2, 2013)

In The Information Governance Review, commissioned by the government, Dame Fiona Caldicott recommends, “The processing of data without a legal basis, where one is required, must be reported to the board or equivalent body of the health or social care organisation involved and dealt with as a data breach.” Caldicott suggests there is a “culture of anxiety” that can preclude the sharing of personal health information between entities, Out-Law.com reports. Health Secretary Jeremy Hunt commented that the report “has been about striking the right balance between sharing people’s health and care information to improve services and develop new treatments while respecting the privacy and wishes of the patient,” the report states.
Full Story

DATA LOSS—UK

ICO Investigating Police (May 2, 2013)

Welwyn Hatfield Times reports the Information Commissioner’s Office (ICO) has launched an investigation after police sent personal details on more than 1,000 staff members to private security firm G4S “during a failed outsourcing bid.” Cambridgeshire, Bedfordshire and Hertfordshire police accidentally shared the information, subsequently notifying the ICO and those affected. In media reports on the breach last week, Cambridge MP Julian Huppert called the incident “a very worrying issue” that “serves to highlight, once again, the danger of storing personal and confidential data.”
Full Story

BIOMETRICS

New Advertising Software Tracks Eye Movement (May 2, 2013)

Researchers at Lancaster University have created a software system called “Sideways.” It uses an ordinary camera to locate faces and eye movements, allowing for video screens that change adverts based upon what a shopper is looking at, reports BBC News. While they hope the technology will be in widespread use within five years, they acknowledge inevitable privacy concerns. "If the system is only there to improve the shopping experience, customers will probably be fine with such a system,” said researcher Andreas Bulling. "If it's a more passive monitoring system of gaze-information, so the user is not aware of it, this could really have considerable privacy challenges."
Full Story

ONLINE PRIVACY

Reddit Rewrites Policy for Usability (May 2, 2013)

Reddit has rewritten its privacy policy “from the ground up” in order to be clearer and more accessible to the average user, WebProNews reports. The policy goes into effect May 15. “For some time now, the reddit privacy policy has been a bit of legal boilerplate,” said the announcement. “This new policy is a clear and direct description of how we handle your data on reddit and the steps we take to ensure your privacy.”
Full Story

ONLINE PRIVACY

Doc Causes Stir Before W3C Meeting (May 1, 2013)

There are rumblings within the World Wide Web Consortium (W3C) leading up to next week’s Do-Not-Track (DNT) meeting after a document was distributed among members “rendering the meeting practically moot,” AdWeek reports. The “Draft Framework for DNT Discussions Leading Up to Face-to-Face” has been called a “framework,” but privacy groups have called it a “proposal” from the Digital Advertising Alliance (DAA). In the document, DNT would be off by default. W3C Co-Chair Peter Swire, CIPP/US, said, “As the name states, it is a framework for discussion, to help frame a possible agenda for next week’s face-to-face meeting in California.” DAA Counsel Stu Ingis said the document is the result of input from the DAA, consumer groups and other stakeholders. “It’s hard for stuff to happen if there’s no agenda,” said Ingis, adding, “There are a lot of cats to herd.”