European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA LOSS

Facebook’s White Hat Program Helped Uncover Glitch (June 28, 2013)

Facebook this week announced that a glitch exposed the personal information of six million users. In an interview with The Privacy Advisor, the company discusses how its White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty,” helped discover the problem and why it felt the need to report the breach.
Full Story

SURVEILLANCE—EU & UK

Reding Calls for Answers on UK Spying Allegations (June 27, 2013)

Amidst the latest reports on the U.S. National Security Agency surveillance programs, European Commission Vice-President Viviane Reding is asking UK officials “for details of London's secret snooping programme Tempora by the end of the week,” EUObserver reports. “I have sent a letter to the secretary of state of foreign affairs, William Hague, to express my concern about the recent media reports and ask very clear clarifications regarding the Tempora programme,” Reding said Wednesday. UK spy agency GCHQ “has secretly tapped more than 200 fibre-optic cables carrying phone and Internet traffic,” Wired reports. Reding said the allegations illustrate the need for EU rules to strike "the right balance between the protection of personal data and the processing of data for security purposes."
Full Story

PRIVACY LAW—UK

Google Escapes Fine, Receives Enforcement Notice (June 27, 2013)

Out-Law.com reports Google has avoided a monetary fine from the Information Commissioner’s Office (ICO). Instead, the ICO has issued an enforcement notice to the company over its Street View data breach. The ICO launched a total of three investigations into the matter. Following Google’s admission that not all payload data collected by Street View vehicles had been destroyed, the ICO has required the company to do so within 35 days and “promptly inform” the ICO of any discoveries of new data. “Failure to abide by the notice will be considered as contempt of court, which is a criminal offence,” said the ICO’s head of enforcement.
Full Story

CLOUD COMPUTING—EU

MEP Urges Commission To Create Cloud Guidelines (June 27, 2013)

A member of the European Parliament has called on the European Commission to outline new rules to help safeguard cloud computing data, ComputerWeekly reports. Dutch MEP Judith Sargentini says that, as a general rule, “the level of data protection in a cloud computing environment must not be inferior to that required in any other data-processing context.” She has urged the commission to propose guidelines to protect non-personal sensitive data in the cloud and said cloud use by public-sector organisations should require special consideration.
Full Story

PRIVACY LAW—EU & INDIA

Commission Requires Changes Before Adequacy Declared (June 27, 2013)

Following a study into India’s data protection framework, the European Commission is not yet ready to deem the country’s systems as satisfying EU data adequacy rules, according to an Indian official. Out-Law.com reports on the free trade talks between the EU and India. A key demand of the Indian government is for the country to be deemed adequate under EU data adequacy standards. A spokesperson from the commission confirmed that while it is willing to support data transfers, that’s dependent on India’s assurance of a “high level of protection of personal data.” A spokesperson from the Indian government said the changes requested could take a long time and require legislative changes.
Full Story

PRIVACY—UK

Survey: 48 Percent Believe Corporate Data Use “Is Harmful” (June 27, 2013)

Almost half of the respondents to a Big Brother Watch survey reported they believe “the use of personal data by corporations is harmful,” Information Age reports. A total of 48 percent of UK respondents indicated “consumers are being harmed by big companies gathering large amounts of personal data for internal use,” while 18 percent “believe that the use of personal data can enhance consumer experiences,” the report states. A survey by Infosys, meanwhile, found that 91 percent of UK respondents “will readily share their personal data with a doctor, compared to 74 percent who will share with their bank and 69 percent with a retailer.”
Full Story

PRIVACY PROFESSION

An Open Letter to Privacy Professionals: We Need To Earn the Public’s Trust (June 27, 2013)

The recent news about the extent to which the U.S. government is monitoring the communications, online interactions and activities of citizens has Mozilla CPO Alex Fowler questioning the ethical responsibilities of privacy professionals. In this exclusive for Privacy Perspectives, he challenges his peers to ponder: “Do we have ethical obligations to the people whose data is our professional responsibility or only to our employers?” Read his reasoning and give your answer in the comments to move the discussion forward.

DATA PROTECTION—IRELAND & U.S.

FTC, Ireland DPA Sign Enforcement Assistance Memorandum (June 27, 2013)

Federal Trade Commission (FTC) Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement.” Hawkes said he “very much welcomes this important development, which I believe will have valuable assistance to my office…” In this exclusive for The Privacy Advisor, Hogan Lovells’ Christopher Wolf and Wilson Sonsini’s Christopher Kuner both provide insight into this development.
Full Story

PRIVACY BY DESIGN

How UI and UX Can KO Privacy (June 27, 2013)

At Navigate 2013, Will Dayable, co-director at Squareweave, and Jason Hong, associate professor at the Human Computer Interaction Institute at Carnegie Mellon, provoked the nearly 300 attendees into thinking about how UX (User Experience) and UI (User Interface) affect the way people experience and understand privacy. Is your privacy policy written and displayed with respect for your users?
Full Story

DATA PROTECTION

If Nine Of 10 Employees Breach Policies, How Is Privacy Possible? (June 27, 2013)

A survey taken over several years has found that out of 165,000 employees surveyed, 93 percent knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don't stand a chance at protecting consumer data if the employees charged with practicing model data-steward behavior couldn't care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice? This exclusive for The Privacy Advisor discusses a few experts’ experiences with success.
Full Story

TELEMATICS—UK

Biz Launches Data-Driven Car Insurance for Youth (June 27, 2013)

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates, Information Age reports. Called Box Insurance, the company places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.”
Full Story

PRIVACY POLICIES

Using Virtual Assistants To Guide Privacy Settings (June 27, 2013)

To help navigate convoluted and complex privacy settings on commonly used websites, CNET News columnist Dan Farber proposes that virtual assistants, such as Siri and Google Now, can be effective tools to give users more control of their settings. Virtual assistant apps could also help educate users on how their data is being collected, processed and shared. “Instead of reading pages of text,” Farber suggests, “users could query a virtual assistant, which could walk them through their privacy settings.” As virtual assistants “gain more popularity, managing privacy and protecting your online persona will be more of a continuous, background process handled by an intelligent agent rather than a sometimes impenetrable chore.”
Full Story

MOBILE PRIVACY

Health Group Releases mHealth Study; Privacy in HTML5 Era (June 26, 2013)

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation, Thomson Reuters reports. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also has provided a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHeath applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5.
Full Story

MOBILE PRIVACY

Balancing the Benefits and Risks of BYOD (June 26, 2013)

InfoWorld examines the bring-your-own-device (BYOD) trend and “the question of how to balance the benefits of a self-provisioned workforce against the risks of company assets walking out the door when workers are let go.” One chief technology officer cautions, “Mobile data is a big problem, so it's time to start compartmentalizing risks. This way, you can find a balance between the benefits of a (BYOD) workforce and the risks.” The report highlights steps organizations and their IT departments can take to protect vulnerable data in the event of employee layoffs or other departures. Tips include having a written BYOD policy, keeping data off local devices and doing sweeps regularly.
Full Story

PRIVACY LAW—EU

Search Engine Not Controller, EU Court Rules (June 25, 2013)

The EU’s top court ruled on Tuesday that Internet search engines cannot be considered “the controller” of personal data hosted on other websites, Bloomberg reports. EU Court of Justice Advocate General Niilo Jääskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12, stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, said, “A search engine is just a tool…The nature of that information is irrelevant. It’s just ones and zeros.”

HEALTHCARE PRIVACY

For Sale: Ingestible Computers To Monitor Your Health (June 25, 2013)

The New York Times reports on a new wave of prescription pills—ones that can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. John Perry Barlow of the Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” (Registration may be required to access this story.)
Full Story

PRIVACY COMMUNITY

Bellamy To Become CIPL President Upon Abrams Retirement (June 25, 2013)

The Centre for Information Policy Leadership (CIPL) at Hunton & Williams LLP has announced that Bojana Bellamy, CIPP/E, global director of data privacy for Accenture and former IAPP chair, will join Hunton & Williams as CIPL’s president, effective September 2. Current Centre President Martin Abrams, who is retiring on September 1, will remain on as an advisor to the CIPL. Lisa Sotto, CIPP/US, comments on Bellamy’s leadership and Abrams’ work during the past 13 years.
Full Story

DATA PROTECTION—EU

EC Releases Technical Measures for eDirective (June 25, 2013)

The European Commission has issued new breach notification standards for EU telecommunications and Internet service providers, PC World reports. The new “technical implementing measures” detail practical rules for implementing the ePrivacy Directive. The new measures will ensure that users in EU nations receive the same notification if their data is compromised from a breach. A public consultation initiated in 2011 found that EU nations were implementing the directive in vastly different ways, including the handling of notification deadlines. As a result, one measure mandates that providers notify data protection authorities of a breach within 24 hours of detection. Companies that encrypt personal data will be exempt from notifying users if the data is compromised.
Full Story

DATA LOSS

Facebook Announces Breach, Notifies Users (June 24, 2013)

Facebook last week announced a programming bug that exposed six million users’ e-mail addresses and telephone numbers, the company reported in a security note issued Friday. The glitch seems to be due to the site’s “download your information” tool, which the company says was immediately disabled upon detection of the problem. Regulators in the U.S., Canada and Europe were notified, as were affected users. “We currently have no evidence that this bug has been exploited maliciously, and we have not received complaints from users or seen anomalous behavior on the tool or site to suggest wrongdoing,” Facebook said.
Full Story

PRIVACY LAW—ITALY

Garante Concerned About Gov’t Measures (June 24, 2013)

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. In this exclusive for The Privacy Advisor, Rocco Panetta details Garante President Antonello Soro’s concerns that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.”
Full Story

PRIVACY LAW—EU

Delay Prompts More Regulation Questions (June 21, 2013)

Writing for Field Fisher Waterhouse’s Privacy and Information Law Blog, Eduardo Ustaran, CIPP/E, questions the implications of the European Parliament’s recently announced delay in the vote on the proposed EU Data Protection Regulation. “That means that we will now not know where the Parliament truly stands on this issue until September or October at the earliest,” he writes. Ustaran highlights what could happen if the new regulation is not adopted before next year’s deadline, including inconsistent legal regimes across the EU, non-application of EU laws to global organizations, “death by paperwork” and “toothless regulators.” Meanwhile, in a feature for EurActiv, Digital Europe’s John Higgins calls for one law to cover EU governments and private-sector entities.
Full Story

PRIVACY—EU & U.S.

Will NSA Revelations Be A Game Changer? (June 20, 2013)

From connections between the U.S. National Security Agency (NSA) and various leaders at Internet companies to questions of whether the NSA leaks will prompt an EU data protection rewrite, reports on the continued implications of the recent revelations abound. The Irish Times highlights comments from European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding during a press conference with U.S. Attorney General Eric Holder. Reports also cite comments from European Data Protection Supervisor Peter Hustinx addressing European institutions tracking website users in breach of EU data protection rules. This exclusive for The Privacy Advisor highlights the key headlines, including a recent report from The New York Times on the connection between a former Facebook CSO and the NSA, a Reuters report on Wednesday’s cloud security summit and Sir Martin Sorrell’s comments in The Guardian that the NSA revelations are a “game changer.”
Full Story

PERSONAL PRIVACY—UK

Call Centres Fined for Marketing Practices (June 20, 2013)

The Information Commissioner’s Office (ICO) has issued penalties to two call centres following “nuisance calls” over payment protection insurance. The penalties were issued in response to 2,700 complaints to the Telephone Preference Service (TPS) or the ICO between May 2011 and December 2012, BBC News reports. The ICO said neither company had “carried out adequate checks to see” whether those they called had registered with the TPS as required under the Privacy and Electronic Communications Regulations, which govern electronic marketing. Nationwide Energy Services is being fined 125,000 GBP, and We Claim You Gain is being fined 100,000 GBP.
Full Story

SURVEILLANCE—UK

Pubs Won’t Be Required To Install CCTV (June 20, 2013)

The UK government says pubs in England and Wales with no history of trouble will no longer be forced to install CCTV systems, BBC News reports. The decision follows fears that the cameras were becoming a legal condition of licensing, which the Information Commissioner’s Office was concerned about. “CCTV has a role to play in stopping and deterring crime in anti-social behaviour hotspots. But well-run community pubs that don’t have a public order problem shouldn’t be tarred with the same brush,” said Community Pubs Minister Brandon Lewis. Meanwhile, in a separate example of surveillance, BBC News reports on how hackers use webcams to spy on unsuspecting individuals in their homes.
Full Story

PRIVACY LAW—FRANCE

CNIL Orders Compliance or Fines (June 20, 2013)

The French Data Protection Authority (CNIL) has ordered Google to bring its privacy protections in line with French data protection law within three months or face fines, The Wall Street Journal reports. The authority wants the company to comply with six requirements, including rules on data retention. A Google spokesman said the company’s privacy policy “respects European law” and noted the company has cooperated with the authority during the inquiry, which has lasted a year. (Registration may be required to access this story.)

SURVEILLANCE—EU & U.S.

Is PII Better Shielded in Europe than the U.S.? (June 20, 2013)

With a slew of criticism of U.S. government intelligence gathering programs, Hogan Lovells’ Christopher Wolf asks, “is personal data better shielded in Europe from the prying eyes of national security investigations than it is in the United States?” Though it’s a common assumption, Wolf notes that it “may not be the correct assumption.” In this Privacy Perspectives post, Wolf looks at government initiatives in France, Germany and the UK to help flesh out this complex and pressing issue.
Full Story

ONLINE PRIVACY

W3C Moves Forward on June Draft; Group Launches Privacy Controls (June 20, 2013)

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states.
Full Story

ONLINE PRIVACY—EU

Hustinx: Cybercrime Definition Needed (June 20, 2013)

European Data Protection Supervisor Peter Hustinx believes the European Commission should better define cybercrime “to prevent personal data from being processed in cases where it cannot be legally justified,” Out-Law.com reports. The commission’s proposed cybersecurity strategy states the term “commonly refers to a broad range of different criminal activities where computers and information systems are involved either as a primary tool or as a primary target.” Hustinx said, “A clear definition of the terms 'cyber-resilience', 'cybercrime' and 'cyberdefence' is particularly important since these terms are used as a justification for certain special measures which could cause interference with fundamental rights, including the rights to privacy and data protection.” Meanwhile, reports highlight the potential for cyber insurance to become a lucrative field.
Full Story

PRIVACY LAW—EU

EC Sites Moving Toward Cookie Compliance (June 20, 2013)

IDG News Service reports on the European Commission’s work to bring its websites into compliance with the EU’s cookie regulations. “Legally, the European Commission and the other European Union institutions, such as the Parliament, are not bound by the same data protection rules that apply to commercial companies,” the report states, noting, however, that commission officials “are committed to updating their internal rules to bring them into line with the new rules on data protection.”
Full Story

DATA COLLECTION—UK

Report Finds Collection, Collation Outpace Laws (June 20, 2013)

The Future of the Force: Police, Technology and Serving the Public report suggests UK authorities’ ability to collect and curate individuals’ information is outpacing legal frameworks, The Wall Street Journal reports. “The quantum leap in surveillance is not yet matched by a leap in privacy protection,” the report cautions. A lead consultant on the report notes changes in technology and the questions that brings, including who can access and share data and why the data is gathered. “These are really critical issues that need to be addressed by many of the forces,” he said. (Registration may be required to access this story.)
Full Story

ONLINE PRIVACY

Officials Want Answers on Google Glass (June 19, 2013)

Privacy officials from six countries have written to Google CEO Larry Page requesting more information about Google’s wearable computer technology, Google Glass. Privacy commissioners in Canada, Australia, New Zealand, Mexico, Switzerland and Israel want to know how the information collected by the technology may be used, CNET News reports. “We would be very interested in hearing about the privacy implications of this new product and the steps you are taking to ensure that, as you move forward with Google Glass, individuals’ privacy rights are respected around the world,” the officials wrote.

DATA PROTECTION

Average Breach Detection Takes 10 Hours (June 19, 2013)

The average organization believes it would spot a data breach within 10 hours, according to a recent McAfee Global Survey. The survey polled 500 decision-makers from the U.S., UK, Germany and Australia earlier this year. Twenty-two percent said they could identify a breach within a day, while just more than one-third said it would take them only minutes, PC Advisor reports. “This study has shown what we’ve long suspected—that far too few organizations have real-time access to the simple question, ‘Am I being breached?’” said a McAfee spokesman. Meanwhile, Australia’s new breach notification laws could require companies to “dumb down” their monitoring capabilities, reports The Sydney Morning Herald.
Full Story

PRIVACY LAW—FRANCE & U.S.

Court Case Takes On Privacy and Hate Speech (June 18, 2013)

A recent court case in France has brought out the difficult issue of balancing online privacy with the prevention of hate speech. “While online services can—and sometimes should—require posters to use their real names to discourage hate speech,” write Hogan Lovells’ Christopher Wolf and Winston Maxwell, “the U.S. government cannot require the use of real names to fight legally allowed—even if repugnant—hate speech online because of First Amendment protections for ugly free expression that anonymity promotes.” In this Privacy Perspectives post, Wolf and Maxwell analyze this dilemma through the lens of an ongoing French court case requiring Twitter to reveal users who allegedly posted anti-Semitic tweets.
Full Story

PRIVACY LAW—FRANCE

Archivists Lobby Against Right To Be Forgotten (June 17, 2013)

A group of French archivists is lobbying to keep personal data flourishing online in the face of the EU data protection draft’s “right to be forgotten” provision. Jean-Philippe Legois, president of the Association of French Archivists, says, “Today, e-mail, Facebook, Twitter, this is the correspondence of the 21st century. If we want to understand the society of today in the future, we have to keep certain traces.” The archivists have introduced a petition to present to the European Parliament. The petition has thus far received almost 50,000 signatures. Meanwhile, the French government has rejected the latest version of the draft regulation. Editor’s Note: A recent Privacy Perspectives blog post by archivist Cherri-Ann Beckles asks, Will the Right To Be Forgotten Lead to a Society That Was Forgotten?
Full Story

GENETIC PRIVACY

DNA Samples May Be More Identifiable Than Thought (June 17, 2013)

The New York Times reports that while research subjects are often told that the DNA sample they’ve provided for the sake of science is not identifiable and their anonymity will be preserved, “geneticists nationwide have gotten a few rude awakenings, hints that research subjects could sometimes be identified by their DNA alone or even by the way their cells were using their DNA.” Such revelations are particularly concerning following the announcement that nearly 80 researchers want to combine the world’s DNA databases to make it easier for researchers to retrieve and share such data. Meanwhile, local law enforcement agencies across the U.S. have begun amassing their own DNA databases. (Registration may be required to access this story.)
Full Story

SURVEILLANCE—EU & U.S.

NSA Leaks: EU-U.S. Tensions on the Rise, Europe Reacts (June 13, 2013)

The past week has been filled with news about the U.S. National Security Agency’s (NSA) surveillance programs. Initially published by The Guardian, whistleblower Edward Snowden discusses his reasons for leaking the classified programs. The Privacy Advisor has been compiling the many angles and shockwaves that have been sent through the privacy and data protection community.
Full Story

PRIVACY LAW—EU

Directive Debate Continues (June 13, 2013)

Out-Law.com examines ongoing issues surrounding the EU General Data Protection Regulation and the latest version published by the Irish Presidency of the Council of Ministers. EU officials have said, “Only if organisations are processing sensitive personal information, such as individuals' medical records, should they require individuals' explicit consent to do so,” the report states. A note from the Irish Presidency reads, “The majority of member states agree that the requirement for ‘explicit’ consent in all cases—which differs from the requirements of the 1995 Data Protection Directive—was unrealistic," the report states, noting European Data Protection Supervisor Peter Hustinx previously called for explicit consent to be "maintained" in the final version of the legislation. MP Chris Grayling has suggested the EU’s proposed data protection reforms could “damage business growth and employment prospects” and “leave the EU uncompetitive in the global digital economy for years to come,” but Justice Commissioner Viviane Reding has said the reforms will improve trust in the digital economy. Meanwhile, an Access report discusses “intense” lobbying in the U.S. against the EU’s data protection regulation.
Full Story

FINANCIAL PRIVACY—EU & U.S.

EC Urges Extension of Tax Info-Sharing (June 13, 2013)

The European Commission is urging member states “to extend information-sharing between national tax authorities to cover all forms of financial income,” The Wall Street Journal reports. Under a move to extend the Administrative Cooperation Directive, EU member states “would automatically swap data on dividends, capital gains, all other forms of financial income and account balances,” the report states, noting the move seeks to have EU countries share as much information with each other as they do with the U.S. through its Foreign Account Tax Compliance Act in an effort to, as one official put it, “lead a strong attack against tax evasion.” (Registration may be required to access this story.)
Full Story

SURVEILLANCE—EU

Data Protection Part of Border System Details (June 13, 2013)

The European Parliament and European Council have approved the details of Eurosur, a new border surveillance system they believe will better protect borders and migrants, Malta Independent reports, noting data protection requirements are included in the system. “Under the agreed text, any exchange of personal data between member states and with third countries via Eurosur should remain an exception and respect data protection laws,” the report states. Eurosur is expected to go into effect in all member states with external borders in December of this year and in the remainder of the EU in December 2014.
Full Story

DATA LOSS—UK

Councils Fined Over Breaches (June 13, 2013)

The Information Commissioner’s Office (ICO) has issued fines totaling 125,000 GBP following two breach investigations. The ICO issued a 70,000 GBP fine against Halton Borough Council after it accidentally revealed a child’s adoptive parents’ address to the birth mother. The ICO’s Steve Eckersley said “this incident happened because the organisation did not pay enough attention to how it handles vulnerable people’s sensitive information, leading to a mistake that was entirely avoidable had the right guidance and training been in place.” Meanwhile, Public Service reports on a second incident where North Staffordshire Combined Healthcare NHS Trust was fined 55,000 GBP after it mistakenly sent three patients’ medical information to the wrong fax number.
Full Story

DATA LOSS—UK

Survey: Incident Response Plans Save Money (June 13, 2013)

A recent Symantec breach survey conducted by the Ponemon Institute indicates a 15-percent increase in the average cost of data breaches in the UK from 2011 to 2012, with the average organisational cost up from 1.75 million GBP in 2011 to more than 2 million GBP. However, Out-Law.com reports, “Symantec said that UK firms that took certain steps, including having a ‘formal incident response plan’ to implement if they experience a data breach, could save costs usually associated with a breach.” Organisations with such a plan in place prior to a breach incident saw a reduction of as much as 13 GBP per record, the survey report states.
Full Story

DATA PROTECTION—UK

ICO: Most Charities Lack Personal Data Policies (June 13, 2013)

During its recent advisory visits to 32 charities, the Information Commissioner’s Office (ICO) found that more than half “lacked a policy for retaining and disposing of personal data,” Out-Law.com reports. The ICO wrote that those charities “did not have formal retention schedules in place to ensure that the different categories of personal data held had been identified and were only being kept for an appropriate length of time,” noting, “Such retention/disposal schedules help safeguard against the indefinite retention of personal data which would be a breach of the act.” The ICO also found that one-third of the organisations lacked processes for “the regular weeding of personal data held,” the report states.
Full Story

ONLINE PRIVACY—SWEDEN

Apps Package Plan Denied Again (June 13, 2013)

PC Advisor reports that for the second time, Sweden’s Data Inspection Board has denied an agreement a local municipality has been seeking to sign with Google regarding its hosted apps. The board has found the agreement “does not comply with the rules in Sweden's Personal Data Act, and therefore it either has to be amended or the Salem municipality has to stop using Google Apps,” the report states. Google has responded, “We believe that Google Apps complies with Swedish law, and we'll continue to work with all involved parties.”
Full Story

PRIVACY LAW—UK

Data Protection Act Allows Surgeons To Keep Performance Private (June 13, 2013)

The National Health Service has plans to release performance data on 10 types of surgeons this summer, as it currently does for heart surgeons. However, it has come to light that the Data Protection Act actually prevents the NHS from requiring surgeons to release individual information. So far, four percent of surgeons have declined to disclose information. The Royal College of Surgeons has urged its members to provide data to the NHS.
Full Story

SURVEILLANCE—EU & U.S.

NSA Leaks Increase EU-U.S. Tensions; Google Reveals Some Gov’t Sharing Details (June 13, 2013)

The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. Financial Times reports that the Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.” The Privacy Advisor’s continuing coverage of the recent leaks also looks at recent revelations by Google of how it shares user data when it receives national security requests, and more.
Full Story

PRIVACY IN POPULAR CULTURE

IAPP Members in the News (June 13, 2013)

If nothing else, the news that has been rippling around the globe about the U.S. government’s surveillance practices has brought privacy to the forefront of public discourse. Therefore, it shouldn’t be surprising that our IAPP members are showing up all over the media in recent days. The Privacy Advisor takes you on a quick tour of IAPPers in the mass media.
Full Story

PRIVACY LAW—EU & U.S.

“Deeply Entrenched Interests” Threaten TTIP (June 13, 2013)

The New York Times reports on efforts to create the Transatlantic Trade and Investment Partnership (TTIP) and concerns about U.S. and EU differences on key issues, including data protection. Officials have indicated they hope to reach an agreement by November 2014. However, Douglas J. Elliott of the Brookings Institution is quoted as suggesting there will be “maybe a one-in-three chance TTIP will happen.” While the potential deal is considered important from a trade perspective, the report states, data-sharing and privacy concerns remain, especially in light of the recent NSA headlines. Hogan Lovells Partner Christopher Wolf told the Daily Dashboard, “Once the dust settles over this current flap, I think that on both sides of the Atlantic there will be a recognition that the issue of national security and law enforcement access is an important one, but is a political one…not entirely germane to the central issue of encouraging commerce and innovation and the need for cross-border data flows. In addition, as we pointed out in our recent whitepaper on national security access to data in the cloud, the judicial approval and legislative oversight required under FISA provide more procedural protections than many countries in the EU.” (Registration may be required to access this story.)
Full Story

BIOMETRICS

Google Outlaws Facial Recognition, Voiceprints for Google Glass (June 11, 2013)

Google has decided to ban facial-recognition technology from its Google Glass product, following pressure from the U.S. Congress. It has also banned voiceprints, which would allow the microphone to identify a speaker. App developers—including Lance Nanek, who built an app that would allow clinicians wearing the glasses to verify patient identities and pull their medical records without having to turn to a secondary device—are disappointed in the decision. The company says it will not allow such applications until “strong privacy protections” are in place, but the Future of Privacy Forum wonders “what sort of privacy protections can actually be put in place for this sort of technology?”
Full Story

DATA RETENTION—EU

Sweden To Pay for Failure To Implement Directive (June 7, 2013)

The Court of Justice of the European Union has held that Sweden failed to fulfill its obligations under EU law when it comes to implementing the EU Data Retention Directive, reports Hunton & Williams' Privacy and Information Security Law Blog. Sweden has been ordered to pay 3,000,000 euros. In 2010, the court found Sweden failed to transpose the directive into national law by its September 2007 deadline. Sweden complied in 2012 after internal debate over balancing privacy rights with the need to combat crime, but the commission ruled such difficulties did not justify failure to comply.
Full Story

DATA RETENTION—EU & SWEDEN

ECJ Orders Sweden To Pay 3M Euros for Delay (June 6, 2013)

The European Court of Justice (ECJ) has fined Sweden three million euros “for its delay in transposing the controversial 2006 EU Data Retention Directive into national law,” Intellectual Property Watch reports. The directive was met with opposition by a number of member states, the report notes, adding, “A new Swedish government finally implemented the data retention provisions on 1 May 2012.” Multiple cases have been referred to the ECJ, the report states, while the European Commission “postponed the regular review of the controversial directive which according to recent reports is expected to be finalised in 2014.”
Full Story

DATA PROTECTION—EU

Hustinx Calls for Europol Limits (June 6, 2013)

European Data Protection Supervisor Peter Hustinx believes Europol “should only collect personal information for specific investigations,” EUObserver reports. “A strong framework of data protection is important not only for those under suspicion or involved in an investigation but also contributes to the success of police and judicial cooperation,” Hustinx said, noting data should only be used in accordance with the purpose for which it was collected. The European Commission has introduced proposals to increase Europol's powers, but Hustinx cautions “increased flexibility to cross-check information should be balanced, for example, by specifying the purpose and in general by keeping a high level of data protection.”
Full Story

DATA LOSS—UK

Health Trust Fined 100,000 GBP for Breach (June 6, 2013)

Out-Law.com reports the Information Commissioner’s Office (ICO) has found Stockport Primary Care Trust “was guilty of a serious breach of the Data Protection Act…after it left sensitive medical records belonging to patients at premises it vacated.” The ICO has fined the trust 100,000 GBP for the breach. “The highly sensitive nature of the documents left behind makes this mistake inexcusable, and there can be no doubt that the penalty we’ve served is both necessary and appropriate,” said Deputy Commissioner and Director of Data Protection David Smith.
Full Story

PRIVACY LAW—EU

Academics Say Regulation Changes Would Hamper Research (June 6, 2013)

The European scientific community says proposed changes to the data protection regulation could hamper academic research. German Green Jan Philipp Albrecht has proposed changing or removing exceptions that would allow academics to continue to use personal information for research purposes, European Voice reports. Albrecht says the proposals would water the regulation down. Stephan Kuster, head of policy affairs at Science Europe, representing 51 national research councils in 21 countries, said, “As it is drafted now, there is not enough clarity in the regulation to allow researchers to plan for the future.”
Full Story

DATA LOSS—EU

Council Fined for Data Breach (June 6, 2013)

A UK council has been fined for breaching the Data Protection Act, eSecurity Planet reports. The council has been ordered to pay 70,000 GBP after a council employee sent a letter including personal details about an adopted child to a birth mother. The breach was caused by the council’s “underlying failure to have a clear policy and process for checking such correspondence, and relevant training for their staff.”
Full Story

TRAVELLERS’ PRIVACY—EU & RUSSIA

Russian Air Data Decree Raises Concerns (June 6, 2013)

The EU plans to ask Russia to delay introducing “a decree allowing authorities there to collect data on European airline passengers because of doubts over whether the new rules respect EU law,” Reuters reports. Russia plans to introduce the data-sharing measure on 1 July, but EU sources note no signed agreement—such as the ones in place with the U.S. and Australia—is in place. "We cannot have a situation in which European-registered airlines are compelled to do something that is against EU law," one EU source said, while another cautioned, "This could have an extremely damaging effect on travel between Russia and the EU.” The EU and Russia are also embroiled in an argument over limited visa-free travel.
Full Story

PRIVACY LAW—EU

Ministers To Mull Exemptions to Rule (June 6, 2013)

EU Justice Ministers will today consider granting EU institutions “a sweeping exemption” from new data protection rules that would require the institutions to employ a data protection officer and consult the European Data Protection Supervisor, EurActiv reports. The European Commission says the rule is currently stricter than general rules on data protection. The exemption would apply after the new regulation is passed, but would include the stipulation that the commission update existing law to bring it in line with the revised regulation.
Full Story

MOBILE PRIVACY

Opera Releases Mobile Browser With Privacy Built-In (June 6, 2013)

The Norwegian browser developer Opera announced this week the release of Opera Mini 4.5, a low-end mobile browser intended for “featurephones.” Notably, it has a built-in private setting that keeps any login or data from being saved to the phone. For example, friends can log in and check Facebook without worries their log-in information will be retained.
Full Story

GENETIC PRIVACY

Privacy Is Major Hurdle for Research Group (June 6, 2013)

A group of geneticists has established a consortium aimed at creating a database of genetic and clinical data that could be accessed by doctors and researchers across the globe, reports The New York Times. Experts from the consortium say the major challenge is a lack of standards for storing and sharing data and for assuring that patients consent to this sharing of their data. “The question is whether and how we make it possible to learn from these data as they grow, in a manner that respects the autonomy and privacy choices of each participant,” said David Altshuler of Harvard and MIT. The group consists of more than 70 medical, research and advocacy organizations active in 41 countries. (Registration may be required to access this story.)
Full Story

PRIVACY LAW—EU

Council of the EU Releases Draft Compromise (June 5, 2013)

The Council of the European Union has released a draft compromise text in response to the European Commission’s proposed data protection regulation. According to Hunton & Williams’ Privacy and Information Security Law Blog, the text narrows the scope of the regulation and “seeks to move from a detailed, prescriptive approach toward a risk-based framework.” In this exclusive for The Privacy Advisor, Centre for Information Policy Leadership President Marty Abrams and Wilson Sonsini Senior Of Counsel Christopher Kuner both share their insights on this latest development, which has some privacy advocates up in arms.
Full Story

DATA PROTECTION

Study: Avg. Breach Cost Is $136 Per Record (June 5, 2013)

Ponemon Institute and Symantec have released a study indicating human errors and system problems were the causes of two-thirds of data breaches in 2012, and the average breach cost is now up to $136 per record, The Wall Street Journal reports. The issues involved included “employee mishandling of confidential data, lack of systems controls and violations of industry and government regulations,” the report states. The study also found financial services incidents to be the most costly. (Registration may be required to access this story.)
Full Story

PRIVACY ENGINEERING

What Misconceptions Do Consumers Have About Privacy? (June 4, 2013)

“Control of personal information in the digital space, and particularly on mobile devices, presents a unique design challenge,” writes Create with Context CEO Ilana Westerman in this Privacy Perspectives post. “We can leverage existing technology to create new experiences around personal data collection that are both transparent and provide control,” she notes, “But before we can begin to think about design solutions, we need to understand consumers’ current experience and expectations of how their personal information is handled and safeguarded.”

SURVEILLANCE

UN Report: State Surveillance Violates Rights to Privacy, Expression (June 4, 2013)

The United Nations (UN) Office of the High Commissioner of Human Rights drew attention today to its recent report indicating state communications surveillance undermines the human rights to privacy and freedom of expression. “Concerns about national security and criminal activity may justify the exceptional use of communications surveillance,” said UN Special Rapporteur Frank La Rue. “Nevertheless, national laws regulating what constitutes the necessary, legitimate and proportional state involvement in communications surveillance are often inadequate or simply do not exist…Who are the authorities mandated to promote the surveillance of individuals? What is the final destiny of the massive amounts of the stored information on our communications? These questions urgently need to be studied in all countries to ensure a better protection of the rights to privacy and the right to freedom of expression.”
Full Story

PRIVACY LAW—EU

Baroness, Green Disagree in Public Over Regulation (June 4, 2013)

Euractiv reports on a public clash between two European Parliament lawmakers charged with guiding the proposed EU data protection regulation through the governing body. Last week, German Green MEP Jan Philipp Albrecht said in an interview, “Some groups in Brussels are now acting against what the European Commission has proposed on the basis of what the Parliament has demanded before,” adding, “If we pass through a legislation undermining what we have said in our resolution, undermining current law, then I think we will completely lose the trust in the European Parliament and the European Union as a whole.” In response, UK MEP Sarah Ludford posted an e-mailed response to Albrecht on her website stating she was “unpleasantly surprised” at the “highly irresponsible and misleading interview” he had given. Editor’s Note: A recent Privacy Perspectives post delves into the heightened rhetoric surrounding the proposed regulation.
Full Story

DATA PROTECTION—UK

ICO Funding Cited as Problem (June 4, 2013)

The Information Commissioner’s Office (ICO) has revealed there is a high probability the agency will not have enough funding to accomplish its goals, Information Age reports. The ICO risk register released late last week noted, “the ICO does not have enough funding to meet its obligations, the expectations of its stakeholders or achieve its plan,” adding, “In consequence, it (would have) to scale back what it wants to do and fails to deliver an acceptable level of service.” The agency has informed the government it needs more resources and has expressed concern that the proposed EU data protection regulation may have an impact.
Full Story

PRIVACY LAW—EU

Proposed EU Regulation: The Great Debate (June 3, 2013)

Pressure around finalizing the proposed EU data protection regulation is in full force, with several issues reaching the headlines last week. Plus, lobbying efforts by industry and advocacy are reaching new heights. One coalition of privacy advocates has banded together to get citizens to petition their European Parliament representatives and demand a strong data protection framework. This Privacy Perspectives blog post looks at some of the dialogue and imagery that is coloring the debate.
Full Story

ONLINE PRIVACY

Differing Approaches to Enforcement and Fines, Through the Lens of Street View (June 3, 2013)

The data protection laws in all 27 European member states derive from one directive, but since the directive leaves each member state a margin of freedom in its implementation, there are obvious disparities in the DPAs' approaches, particularly evident when it comes to enforcement. In this exclusive for The Privacy Advisor, the cases against Google's Street View offer a good example.
Full Story