European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY IN CONTEXT

Tell the Authors: What Should We Expect? (July 31, 2013)

In response to The New York Times’ story describing the arrival of our “contextualized” existence—brought forth by predictive search apps—IAPP President and CEO Trevor Hughes, CIPP, asks how we can manage such contextualized environments. At the IAPP Privacy Academy, Robert Scoble and Shel Israel will provide a keynote on their upcoming book on our contextual future and are asking for input on what we should expect with regard to privacy. You are invited to share comments on privacy in context in our Privacy Perspectives discussion to help Scoble and Israel finish their book.

HEALTH PRIVACY

The Digital Health Revolution: Promises and Privacy Concerns (July 31, 2013)

The move to electronic health records has been underway for years but has picked up considerable steam of late. Accompanying this sea change are technologies that bring both the promise of increased efficiency and quality of healthcare as well as concerns about the protection and appropriate use of sensitive and personal information. Join Proteus Digital Health Co-Founder and CMO George Savage, Field Fisher Waterhouse Partner Phil Lee, CIPP/E, CIPM, and CDT Health Privacy Project Director Deven McGraw in an IAPP web conference exploring the benefits and risks involved in processing data with a fascinating new technology and its creators’ preemptive moves to address privacy issues.

INTERNET OF THINGS

Privacy and the Quantified Self (July 31, 2013)

Deutsche Welle reports on the Quantified Self Movement, noting that many users in Europe log and upload their personal information to the cloud, which raises privacy and data protection concerns. One developer said, “You have to distinguish between a fitness tracking application and wearable sensors and health sensors,” adding, “These fitness tracking apps, and their data, are not as sensitive as diabetes data, and they are also treated differently by the regulatory bodies.” Meanwhile, Venture Beat reports on Saga, a “life-blogging app,” used to passively capture data about users’ daily activities “to learn about your habits and preferences and track your behavior over time.”

DATA PROTECTION—EU & U.S.

Parallel Privacy Universes and PRISM (July 30, 2013)

“The U.S. and Europe seem locked in their own separate, parallel universes in the way they view PRISM and other recent revelations concerning law enforcement data access, as demonstrated by differences in transatlantic media coverage,” writes Wilson Sonsini’s Christopher Kuner. With discussion in Europe of reviewing the legality of the U.S. Safe Harbor agreement, some in the U.S. say these reactions “are just an excuse for protectionism.” In this Privacy Perspectives post, Kuner delves into the differing reactions on each side of the Atlantic, writing that both sides need to “find some common ground in order to better understand each other’s positions and avoid a political meltdown.”

PRIVACY LAW

Developments in the U.S., UK, China and the UAE (July 29, 2013)

In this week’s Privacy Tracker Global News Roundup, read about court decisions, hearings and proposals that may affect the future of privacy legislation in the U.S.; the declaration by the UK Information Commissioner’s Office that one town violated privacy law; China’s latest privacy rule, and a United Arab Emirates law that forbids photographing or videoing individuals without their permission. (IAPP member login required.)

ONLINE PRIVACY

Mozilla Unveils Personalization Project, Catches Flak (July 26, 2013)

Mozilla yesterday announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: "So the takeaway is that it's OK for Mozilla to track, but not third parties?" asked Alan Chapell, CIPP/US, of Chapell & Associates, co-chair of the Mobile Marketing Association's privacy committee.

TRAVELLERS’ PRIVACY—EU

EDPS Critical of Smart Border Plan (July 25, 2013)

Smart Border, a European Commission proposal calling for biometric tracking of EU citizens as they move across member-state borders, has come under sharp criticism by European Data Protection Supervisor Peter Hustinx. V3.co.uk reports that Hustinx is especially critical of Smart Border’s provisions giving law enforcement officials access to the database. Hustinx says the trend to share the data of innocent individuals with law enforcement is “dangerous” and that the burdens of the proposal are “disproportionate” to its potential benefits.

ONLINE PRIVACY—UK

Gov’t Online Identity Scheme Has Yet To Gain Public Trust (July 25, 2013)

The UK government’s new online identity scheme aims to provide user safety when it comes to verifying identity for public services online. It would involve eight private-sector organizations that would store a “digital passport for UK citizens,” but only nine percent of respondents to a recent survey indicate they’d put their trust in private companies to manage their identity credentials, The Guardian reports.

PRIVACY LAW—NORWAY

Political Parties Fight Directive Adoption (July 25, 2013)

Three political parties in Norway are campaigning against the EU’s proposed data retention directive, which requires telephone companies and Internet providers to store data on users’ traffic for at least six months, The Foreigner reports. The directive has not yet been adopted in Norway, though the legislation was passed in 2011. Critics say it is a violation of privacy, and a member of parliament recently raised concerns that the stored data might be open to misuse, the report states.

SURVEILLANCE—UK

ICO: Royston Cameras Violate Privacy Law (July 25, 2013)

In a case that “may have wider significance for the gathering of number plate data in the UK,” the Information Commissioner’s Office (ICO) has ruled that Hertfordshire Constabulary’s deployment of cameras around the town of Royston was in breach of law, BBC News reports. ICO Head of Enforcement Stephen Eckersley said, “It is difficult to see why a small, rural town such as Royston requires cameras monitoring all traffic in and out of the town 24 hours a day.” He said the use of these cameras “must be proportionate to the problem it is trying to address,” adding, “we found that this simply wasn’t the case in Royston.”

DATA PROTECTION—UK & IRELAND

Irish Agencies Target Phone/Internet Records; Privacy Actions Up 22 Percent (July 25, 2013)

According to the Irish Times, Irish authorities have made 27 times as many requests for users’ phone and Internet records as their Austrian counterparts. The information stems from a hearing in the European Court of Justice, which is considering the legality of the Data Retention Directive. Meanwhile, research by legal publisher Sweet & Maxwell indicates that the use of privacy laws in the UK is shifting to combat Big Brother’s retention of individuals’ personal information, according to The Independent. While overall “privacy actions” have increased 22 percent in the most recent 12-month period, a decreasing share—from 47 percent the previous year to 11 percent in the past year—has been the result of celebrity complainants. Analysts muse that the trend represents individuals’ growing concerns over the privacy of their personal data.

CLOUD COMPUTING—EU & U.S.

Opinion: Euro Providers Use PRISM To Cloud the Truth (July 25, 2013)

“European cloud providers have tried for years to gain a competitive advantage in the European market over U.S.-based counterparts by claiming that content stored with European providers is more protected from government access than data stored with U.S. companies,” writes Steptoe & Johnson Partner Jason Weinstein. In this Privacy Perspectives post, Weinstein asks, “So as European providers seek to exploit the PRISM controversy to further cloud the truth, what should U.S. providers, and the U.S. government, do?”

MOBILE PRIVACY

DAA, NAI Each Release Mobile Privacy Rules (July 25, 2013)

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection, MediaPost News reports. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” The Network Advertising Initiative has released its final version of mobile privacy rules as well.

PRIVACY RESOURCES

Help with Privacy Impact Assessments (July 25, 2013)

The IAPP online Resource Center has templates, checklists, samples, long forms, short forms, event presentations, guidance—even an evaluation of guidance documents…pretty much anything you need to get going on your own privacy impact assessment. Check out the IAPP member-only resource Close-Up: Conducting a Privacy Impact Assessment. (IAPP member login required.)

PRIVACY IN POPULAR CULTURE

Dressing To Beat Big Brother (July 24, 2013)

Sitting in the closing “Quiz Show” session at the IAPP Canada Privacy Symposium a couple of months back, Ontario Privacy Commissioner Ann Cavoukian got a bit of a laugh with her call for “privacy glasses” or other “Star Trek”-like privacy technology to defeat Google Glass and other wearable computing technologies that might make covert surveillance omnipresent. But wearable privacy technology is already here and hardly a joke (though it is sort of funny).

ONLINE PRIVACY

Germany Wants UN Privacy Charter (July 24, 2013)

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks, the Associated Press reports. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S.

PRIVACY ENGINEERING

Communicating Data Collection to Brick-and-Mortar Consumers (July 23, 2013)

In this Privacy Perspectives post, Ilana Westerman and Gabriela Aschenberger, both of Create with Context, explore consumer perceptions of how their data is collected while shopping in brick-and-mortar retail stores. According to their research, only 33 percent of consumers surveyed realized their location data was being collected in participating stores. “The resulting design challenge,” they write, “is to communicate to consumers that data is being collected, provide controls if consumers care to opt out and showcase how data collection can create value for the consumer.”

SURVEILLANCE

Australian Gov’t Considers Joining Merkel’s Agreement (July 23, 2013)

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program, ZDNet reports. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, a former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained.

PRIVACY COMMUNITY

Should We Be Thinking of Data as the New Oil? (July 22, 2013)

Big Data is driving the information economy, giving it the increasingly common moniker of "the new oil.” For data artist Jer Thorpe, such a comparison may not be such a good thing. Thorpe was among several artists who presented new ways of visualizing data at the IAPP’s “un-conference,” Navigate. This Privacy Perspectives post, which includes video of his presentation, explores Thorpe’s call for changing the conversation around data.

DATA PROTECTION—EU & U.S.

Reding Has Doubts about Safe Harbor (July 22, 2013)

EU Justice Commissioner Viviane Reding said the European Commission will be reviewing the EU’s data-sharing agreement with the U.S., EU Observer reports. The agreement, now 13 years old, is based on a clause in the current EU Data Protection Directive and binds the 3,000 or so companies that have voluntarily signed up to a set of data transfer rules regarding notice, choice and onward transfer, among other provisions. But Reding said, “We do have the impression that the Safe Harbor Agreement might not be so safe after all.” She will present the commission’s findings by the end of this year.

ONLINE PRIVACY

W3C To Miss July Deadline for DNT (July 22, 2013)

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment, MediaPost News reports. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers.

ONLINE PRIVACY

Are Consumers Changing Their Browsing Habits? (July 22, 2013)

The Associated Press reports on the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on was introduced on Monday that aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports. MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, 'Stop: Don’t give out your personal information.'”

PRIVACY LAW

EU, Brazil and U.S. State and Federal Changes Afoot (July 22, 2013)

Privacy Tracker reports on Europe and Brazil looking at possible changes to their data protection enforcement regimes, as well as potential changes to U.S. state and federal laws. The Senate hearing discussing NSA surveillance practices indicated possible changes to the USA PATRIOT Act, California is considering a digital license plate bill, the New Jersey Supreme Court ruled warrants are needed for cell phone data and one report suggests the landscape for privacy class-actions may be changing. (IAPP member login required.)

SURVEILLANCE—EU & U.S.

European Parliament Wants NSA Chief To Testify (July 19, 2013)

Slate reports that the European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. The European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection as security agency activities generally come under the jurisdiction of member states.

DATA PROTECTION—IRELAND

Commissioner Begins Inquiry Into LinkedIn (July 19, 2013)

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, reports The Independent, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year.

DATA LOSS—UK

ICO Says NHS Breach Is One of the “Most Serious” Ever (July 18, 2013)

TechWeekEurope reports the Information Commissioner’s Office (ICO) has fined NHS Surrey 200,000 GBP after a device containing 3,000 patient records was sold on an online auction site, triggering an investigation. A contractor “failed to completely wipe and destroy 1,570 hard drives containing the highly sensitive data” after agreeing to carry out the task in exchange for spare parts afterward. The ICO says the breach is one of the most serious it has ever seen.

DATA PROTECTION—RUSSIA

Lawmaker Wants Inquiry Into Google (July 18, 2013)

Lawmaker Ruslan Gattarov, head of the Federation Council’s Information Policy Commission, says Google violates international and Russian law on personal data protection, Russian Legal Information Agency reports. Gattarov said Google’s confidentiality policy “allows it to use the customers’ permission to process personal data from the company’s 70-odd services,” the report states. He has asked Prosecutor General Yury Chaika and Roskomnadzor Communications Regulator Head Alexander Sharov to investigate.

SURVEILLANCE—UK

Counterterrorism Review Expected To Prompt Calls for Change (July 18, 2013)

David Anderson, the independent reviewer of terrorism laws, is expected to raise concerns over the power exercised by officials when it comes to counterterrorism measures, reports The Telegraph. Anderson will likely call for proper checks and balances to safeguard against abuse, as police “do not even have to show reasonable suspicion” for seizing mobile devices from any passengers coming to the UK by air, sea or rail.

IDENTITY THEFT—UK

Officers Used Deceased Children’s Passports (July 18, 2013)

A former undercover police officer is corroborating the story of another who said that the Home Office was aware that spies used the identities of deceased children to establish undercover personas, reports The Guardian. According to Bob Lambert, a leading spy in the Special Demonstration Squad, the technique was "well known at the highest levels of the Home Office," and it issued fake passports to the officers with that knowledge. A Home Office spokesperson said “Chief Constable Mick Creedon is leading an IPCC-supervised investigation which will ensure any criminality or misconduct is properly dealt with." Creedon is also seeking legal advice as to whether the officers could be put on trial for the practice.

DATA PROTECTION—EU

Austrian Students Launch Offensive Over Spying (July 18, 2013)

Max Schrems, founder of Europe v. Facebook, is leading a group of Austrian students challenging the EU-based subsidiaries of Apple, Facebook, Microsoft, Skype and Yahoo following revelations they shared data with U.S. intelligence agencies, EUObserver reports. “The most interesting thing is that here in Europe we have laws on data protection, but we don’t enforce them,” Schrems said. “All these companies have set up subsidiaries in Europe to avoid taxes. They are on EU soil, so they have to abide by EU law, which says it is illegal to forward data if you cannot guarantee it is going to safe hands.”

DATA PROTECTION—UK

ICO Prepares Guidance on Data Breach Avoidance (July 18, 2013)

The Information Commissioner’s Office (ICO) is in the process of drafting new guidance for organisations when it comes to IT security, Out-Law.com reports. The new guidance wouldn’t create specific guidelines but would help explain what organisations that have experienced a data breach should have done differently. “Once published, we hope this document will provide some useful learning to all organisations, irrespective of the specific security setup they operate,” an ICO spokesperson said.

BYOD

Survey: Employees Mistrust Policies; Some Orgs Don’t Have Them At All (July 18, 2013)

An online survey of almost 3,000 employees in the U.S., UK and Germany showed that when it comes to “bring your own device (BYOD),” only 30 percent said they trust their employer to keep personal information private and not use it against them, The Telegraph reports. The survey indicated a level of confusion over what constitutes personal information. Meanwhile, ZDNet cites Acronis' 2013 Data Protection Trends Research report indicating the majority of Australian organizations don’t have a BYOD policy and 33 percent don’t allow personal devices into the corporate network.

CLOUD COMPUTING

Get Some Guidance in the Resource Center (July 18, 2013)

“Businesses continue to be responsible for protecting their customers’ data, regardless of the cloud services they may engage,” write Megan Brister and Alain Rocan, CIPP/C, in their exclusive for The Privacy Advisor. If you’re considering using—or you’re already using—cloud computing, take a look at the tools, guidance and articles in the IAPP’s Close-Up: Cloud Computing to make sure you’re covering your bases. With guidance from organizations including the UK ICO, NIST, PCI DSS and the Cloud Security Alliance, as well as IAPP exclusive content, you’ll find the information you need to make the best choices for your data. (IAPP member login required.)

PRIVACY LAW

Warning Bells for an Enforcement Tsunami? (July 17, 2013)

In recent weeks, various European regulators have come down on Google for its policy on data collection. The UK’s Information Commissioner even went so far as to tell the company it had until September 20 to revise the policy or face “formal enforcement action.” In this exclusive for The Privacy Advisor, CPOs and regulators weigh in on whether recent actions against Google are a sign that enforcement actions are about to increase significantly. The message: "Accountability is required, and the big and small should prepare."

PRIVACY LAW—SPAIN

Spanish Cookie Guidance Explained (July 17, 2013)

Earlier this year, the Spanish Data Protection Authority, in conjunction with industry representatives, released the "Guía sobre el uso de las cookies,” or the Spanish cookie guidance. The guide contains recommendations on how to satisfy the requirements of Spanish law on electronic commerce. In this exclusive for The Privacy Advisor, two experts outline who must comply and requirements on consent and cookie installation, among other details.

ONLINE PRIVACY

What Thriving Cities Can Teach Us About Online Privacy (July 17, 2013)

Pointing to Edward Glaeser’s book, Triumph of the City: How our Greatest Invention Makes Us Richer, Smarter, Greener, Healthier and Happier, David Hoffman, CIPP/US, equates the Internet to “myriad ‘virtual cities'” in its need for policies that protect individuals but also foster collaboration and innovation. “Given the close connection between our online and physical interactions, there is much we can learn about encouraging successful online collaboration and innovation from the policies that have supported growth of the world’s great cities,” Hoffman writes for Privacy Perspectives.

DATA PROTECTION—EU

Reding Wants Movement on Bill (July 16, 2013)

EUObserver reports on EU Justice Commissioner Viviane Reding’s call to accelerate movement on the data protection bill currently stuck in the European Parliament’s civil liberties committee. “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file,” said Reding in her appeal on Monday. Meanwhile, Hogan Lovells’ Christopher Wolf opines in Financial Times that “it is wrong to assume the U.S. is the worst regarding surveillance,” arguing that Europe does its fair share.

GENETIC PRIVACY

Debate Lacking in Nascent DNA Collection (July 16, 2013)

The Associated Press reports on the flourishing collection of DNA by governments around the world and the lack of public debate about the privacy and ethical issues raised by such collection. Yaniv Erlich of MIT’s Whitehead Institute for Biomedical Research said there is a lot of upside to having DNA databases, but said, “our work shows there are privacy limitations.” Others have warned of “mission creep” where law enforcement use DNA to gather data on racial origins, medical history and psychological profiles. A University of Baltimore forensics professor said, “There’s got to be a debate… Do we want to have a society where 5 percent of the crime is unsolved, or do we want to have a society where 100 percent of the crime is solved" but privacy goes extinct? "What's the trade-off?"

PRIVACY LAW—EU & U.S.

German Chancellor Calls for New ISP Agreement; NSA Fallout Continues (July 15, 2013)

German Chancellor Angela Merkel has called for a strict European agreement on data protection that would require all Internet service providers operating in Europe to reveal the personal information they keep and with whom they share it, CNN reports. Merkel has suggested that the requirement could be codified within the International Covenant on Civil and Political Rights, but there’s some doubt as to the feasibility of that. Meanwhile, EU Justice Commissioner Viviane Reding said revelations surrounding the U.S. National Security Agency’s surveillance program helped add momentum to the case of those already calling for stronger data protection measures in the EU. Meanwhile, Politico reports on privacy issues’ impact on U.S.-EU trade talks.

ONLINE PRIVACY

Industry’s Proposed DNT Solution Stirs Controversy (July 15, 2013)

AdAge reports on a recent proposal from the ad industry on the World Wide Web Consortium’s Do-Not-Track signal that would allow firms to continue collecting data on users even after a user opted out of tracking. The tradeoff is that the firms would agree to strip the data of certain information. One expert says such a proposal “ignores the fact that if you collect multiple data points about a unique identifier, you can eventually determine…personal characteristics.” Mike Zaneis of the Interactive Advertising Bureau (IAB) said IAB publishers have seen the number of users sending Do-Not-Track signals “creeping up” to about 20 percent “because anybody could send a DNT flag.” But Mozilla Chief Privacy Officer Alex Fowler has asked for proof on those numbers.

SOCIAL NETWORKING—FRANCE

Twitter Gives Anti-Semitic Posts to Authorities (July 12, 2013)

Microblogging site Twitter has complied with a French court’s request to hand over tweets related to a number of racist and anti-Semitic messages that were posted on its site, CNET News reports. An appeals court ruled last month that the company must hand over the names of the users propagating the anti-Semitic messages, raising the thorny issue of online anonymity and hate speech. Twitter said in a statement that handing over the data will “put an end to the dispute” and that it will work with the Union of Jewish French Students to “fight racism and anti-Semitism.”

PRIVACY LAW

Regulating Technology or Behavior? (July 12, 2013)

“An absolute certainty on which everybody seems to agree is that legislating takes longer than programming,” writes Eduardo Ustaran, CIPP/E, in this Privacy Perspectives blog post. According to one survey, the average time it takes to develop a mobile app is less than five months. “However you look at it, it is difficult to imagine a law being devised, crafted and passed at the same speed at which software developers and engineers do their work,” Ustaran writes, adding, “but whilst technology is always changing, there is something that has not really changed that much for thousands of years: human behavior.”

SURVEILLANCE—EU & U.S.

Parliament Begins Special Investigation Into Spying (July 11, 2013)

The European Parliament has begun a special investigation into allegations that the U.S. has spied on Europeans, reports European Voice. At a 10 July meeting, MEPs on the civil liberties committee agreed to hold 12 meetings on alleged spying by the U.S. National Security Agency (NSA). Earlier in the week, officials from the European Commission’s home affairs department met in Washington, D.C., for a previously scheduled review of two U.S. counterterrorism programmes. France-based International Federation for Human Rights and the Human Rights League have launched a legal complaint aiming to prompt an investigation into tech companies’ role in the NSA’s PRISM programme. Meanwhile, as EU-U.S. trade talks were set to begin, Lithuania announced, “It will deal with data protection and privacy rights of EU citizens falling within the competence of the EU, addressing the scope and composition of future meetings.”

PERSONAL PRIVACY—EU & IRELAND

ECJ Hears Case on Irish Citizens’ Phone Data (July 11, 2013)

The European Court of Justice (ECJ) is examining an Irish challenge to the European Data Protection Directive. The case concerns the law’s required long-term storage of Irish citizens’ call and Internet data. The case, which was launched in 2006 and sent to the ECJ by the Irish High Court in 2012, “will have significant implications for Irish citizens’ Internet and phone privacy and, potentially, for half a billion people across Europe as well,” the report states.

SURVEILLANCE—GERMANY & U.S.

Chancellor Faces Pressure Over PRISM (July 11, 2013)

German Chancellor Angela Merkel is facing pressure to demand a freeze on transatlantic data-sharing until U.S. officials explain whistleblower Edward Snowden’s claims about data collection, The Irish Times reports. Free Democratic Party Rep. Hartfrid Wolff said, “America wants to have certain data, for instance flight data, but if this is how America deals with its partners, then we in Europe have to ask whether this is how we define a partnership with sensible standards. If we don’t get any satisfaction, then we should put data-sharing on ice.”

RFID—EU

Study: Majority of Consumers Worried About Privacy (July 11, 2013)

InformationWeek reports that, of the 2,000 European consumers recently surveyed in a study by business and IT consulting firm Capgemini, more than half “had privacy worries about radio-frequency identification (RFID) tags.” The majority of those surveyed “consider legislation on privacy protection as the key that would make them more likely to buy RFID-enabled products,” the report states. The survey also found that consumers favour such options as a customer opt-in/opt-out for information collected via RFID “and clear labels that state the tag is RFID-enabled.”

DATA PROTECTION—BELGIUM

Privacy Commission, MOJ Execute New Transfer Approval Process (July 11, 2013)

The Belgian Privacy Commission and Ministry of Justice have executed a protocol that puts in place a new approval process for data transfer agreements, the Field Fisher Waterhouse Privacy and Information Law Blog reports. The protocol “acknowledges that it is sometimes justified for data exporters to make (some) changes to the EU Model Clauses.” However, it creates some burden for EU Model Clauses in that, previously, no formal approval was required when the clauses were used in unaltered form, the report states, noting this has now changed.

PRIVACY LAW—EU

Breach Requirements Are Coming (July 11, 2013)

It’s not a question of whether breach notification requirements will be part of the new EU Data Protection Directive, but rather when and what they’ll look like. Privacy Tracker rounds up articles examining what’s coming down the pike and how to prepare, along with a look at enforcement actions and new potential laws in the Netherlands and Switzerland. (IAPP member login required.)

DATA LOSS

Breaches Abound in the U.S., UK and Online (July 11, 2013)

Across the U.S. and the UK, data breach incidents, investigations and litigation have been making headlines, and, globally, a videogame maker has reported a breach that may have affected four million of its users. The Privacy Advisor highlights some of the top data breach stories from the past week and includes links to insights on breach trends and how to address a breach if it happens.

ONLINE PRIVACY

Expert: Kids Revel in Online World Because It Feels More Private Than Offline (July 10, 2013)

In an interview with The Guardian, Microsoft researcher danah boyd discusses some of her work. Boyd says she’s frustrated when people assert that kids don’t care about privacy. “It’s just that their notions of privacy look very different than adult notions,” she says. “Kids don’t have the kind of privacy that we assume they do. As adults...we think of the home as a very private space...The thing is, for young people it’s not a private space—they have no control. They have no control over who comes in and out of their room, or who comes in and out of their house…the online world feels more private because it feels like it has more control.”

PRIVACY COMMUNITY

IAPP Resource Center Gets an Upgrade (July 9, 2013)

Check out the latest iteration of the IAPP’s online Resource Center. In our efforts to “define, promote and improve the privacy profession globally,” we are working hard to improve usability and expand our offerings to help you do your job more efficiently. We now have “Close-up” pages that offer tools and research to tackle big issues like BYOD, creating organizational privacy policies and programs, conducting privacy impact assessments and more. The new look is already getting great feedback; let us know what you think—or if there’s something you need, tell us and we’ll do our best to get it. We add new resources all the time, so check back often and stay tuned, there are more changes to come.

PERSONAL PRIVACY—GERMANY & U.S.

Visualizing Your Metadata (July 8, 2013)

The New York Times reports on Immersion, an MIT Media Laboratory project that mines a consenting user’s e-mail metadata and creates an interactive graphic. “The result is a creepy spider web showing all the people you’ve corresponded with, how they know each other and who your closest friends and professional partners are,” the report states. Meanwhile, a German politician who sued a telecommunications company for his phone data over a six-month span has, in conjunction with ZEIT ONLINE, created a mapped visual of his day-to-day life. By combining Green Party politician Malte Spitz’s phone data, which includes location information, with publicly available data—including information relating to his political life, Twitter feeds and blog entries—a robust and detailed interactive portrait emerges of Spitz’s personal movements. (Registration may be required to access this story.)

SOCIAL NETWORKING

Facebook Rolls Out Graph Search to Millions (July 8, 2013)

Several hundred million people will have access to Facebook’s Graph Search beginning this week, six months after its beta testing. TechCrunch reports on the tool, which is “designed to take any open-ended query and give you links that might have answers,” according to Facebook CEO Mark Zuckerberg. Upon its initial release, the tool prompted concerns that it would compromise the privacy rights of minors. It “makes paying attention to privacy settings much more important if you don’t want embarrassing photos from years ago dredged up or your public contact information scraped,” the report states.

BEHAVIORAL TARGETING

A Tracking Method That Privacy Advocates Like? (July 5, 2013)

Twitter will begin using cookies to track users and deliver advertising, but because its program abides by Do-Not-Track settings and has a clear opt-out, privacy advocates are praising it, PC Pro reports. An Electronic Frontier Foundation activist said in a blog post, “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” Meanwhile, Vine, a video-sharing site owned by Twitter, has added privacy settings to its services—including the ability to make Vines private.

DATA PROTECTION—EU

Regulators Prepared To Take Action Against Google (July 5, 2013)

The UK Information Commissioner’s Office (ICO) has written to Google to warn the company that it could take “formal enforcement action” if it does not alter its privacy policy by September 20, Out-Law.com reports. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act,” an ICO spokesperson said. The updated policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Meanwhile, Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar says his office will join other European regulators, including Spain, in taking action against the company.

PRIVACY LAW—ITALY

DPA Asks Facebook for Clarifications (July 5, 2013)

The Italian Data Protection Authority, the Garante, is requiring Facebook to provide clarifications by July 20 on personal data processing following recent announcements of a “bug” that caused the exposure of personal information. In this exclusive for The Privacy Advisor, Panetta & Associati Studio Legale’s Rocco Panetta writes, “Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug.” Despite that, he notes, the Garante is requiring confirmation on six points, including the duration of the event and measures taken to resolve the issue.

DATA PROTECTION—EU

Majority of Retailers Say New Rules Will Harm Business (July 5, 2013)

More than two-thirds of online retailers say proposed changes to EU data protection rules will damage business, EurActiv reports. That’s according to a recent survey by the European Multi-channel and Online Trade Association, which represents more than 80 percent of EU online traders, the report states. The survey polled 90 companies from the UK, Germany, Austria, France, Sweden, Switzerland, Greece and Spain.

SURVEILLANCE—EU & U.S.

Amidst NSA Report, Special Committee To Investigate Spying Reports (July 3, 2013)

As headlines continue to abound regarding concern from EU officials and member states, EurActiv reports the European Parliament “plans to establish a special committee to investigate reports that an American spy agency monitored phone calls and e-mails of EU institutions and some member states.” The panel, which will be established as part of the Committee on Civil Liberties, Justice and Home Affairs, will deliver its report by year’s end and “formulate proposals on adequate redress measures in case of confirmed violations and put forward recommendations to prevent that similar espionage events happen in the future,” the report states. Following communication with U.S. Attorney General Eric Holder, Justice Commissioner Viviane Reding said, “The U.S. appears to take our concerns regarding PRISM seriously,” noting Holder has committed to setting up an expert group “to assess the matter in detail…and the group will have its first meeting this month and a second one in Washington in September.” Meanwhile, in a TechNewsWorld interview, Oxford Prof. Viktor Mayer-Schönberger opines, “People feel they have been deceived; people feel that they cannot trust the U.S. government.”

ONLINE PRIVACY—EU

Working Group Says DNT Should Be Default (July 3, 2013)

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioural advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would such be useless.” The working group recommends that the default setting be that users are not tracked. Meanwhile, Microsoft’s newest version of Internet Explorer (IE) allows users to grant permission for specific websites to log their movements, and following criticism over its plans to move forward with a project to block third-party cookies in Firefox, Mozilla’s Harvey Anderson said there’s “no constitutional right that allows people to modify my computer.”

DATA PROTECTION—EU

Ministers Consider Allowing States To Determine Fines (July 3, 2013)

EU ministers are considering plans to allow each member state to decide “the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that member state,” Out-Law.com reports. The draft rule is contained in a leaked document sent from the Irish Presidency of the Council of Ministers to the Working Party on Information Exchange and Data Protection, the report states. Fine limits are not outlined in the document.

DATA PROTECTION

Security Company Releases Privacy Product (July 3, 2013)

Symantec has released a new privacy product capable of scanning a mobile device for data an application may be leaking about the user. Norton Mobile Security for Android devices checks for “malicious applications, privacy risks and potentially risky behavior.” While Norton’s suite of mobile security products has typically focused on malicious threats, Michael Lin, vice president of Symantec Mobility Solutions, told the IAPP that this latest solution reacts to the fact that “now we are seeing threats impact mobile applications and data being shared without the user’s knowledge or consent.” This latest product aims to “protect users from these types of privacy threats as well.”

PRIVACY LAW—UK

Report: MP Websites Using Cookies Without Consent (July 3, 2013)

BBC reports that 13 senior Members of Parliament (MPs) have websites that have not been obtaining user consent before using cookies. The Information Commissioner's Office (ICO) has neither confirmed nor denied whether the websites are breaking EU privacy law, but the report states the ICO has said it will “remind all 13 MPs about their compliance with EU privacy laws.” The news comes amidst ongoing concerns that the EU’s cookie law is “unworkable,” the report states.

TRAVELLERS’ PRIVACY—EU & RUSSIA

Russia Gives EU PNR Extension (July 3, 2013)

EUObserver reports that Russia has given the EU six extra months to comply with its new Passenger Name Record (PNR) law, noting that while Russia requires such information as credit card details, EU airlines that comply “would fall foul of EU data protection rules because the union has no legal framework for PNR exchange with Moscow.” According to a European Commission source, “The Russian side has ensured that the order will not apply to traffic between the EU and Russia until beginning 2014.” The announcement comes on the heels of a June meeting between EU and Russian officials.

DATA RETENTION—GERMANY

Network Agency Urges Telcos To Comply (July 3, 2013)

Telecompaper reports the Federal Network Agency has contacted telecommunications providers “requiring them to comply with regulations on data retention.” The report states that “certain operators had exceeded the legal framework for storing traffic data in cases of inclusive services” and some “exceeded the legal framework for storing the cell ID,” among other issues.

PRIVACY LAW—CROATIA & EU

Croatia Joins EU, Must Implement Data Protection Directive (July 3, 2013)

The Hunton & Williams Privacy and Information Security Law Blog reports on Croatia joining the EU on July 1, noting, “As of the day of its accession, Croatia must implement the acquis communautaire (the complete body of the EU legislation), which includes the EU Data Protection Directive 95/46/EC.” Croatia’s Act on Personal Data Protection, which was adopted in 2003 and amended three times over the past decade, “closely tracks the principles of the Data Protection Directive,” the report states, detailing examples of the act’s provisions.

PERSONAL PRIVACY—UK

Ofcom: News Channel E-Mail Hack Warranted (July 3, 2013)

Out-Law.com reports on Ofcom’s finding that Sky News Channel’s self-admitted hacking of e-mails belonging to a man who faked his own death and those of his wife was warranted. “Ofcom said that although Sky had operated ‘at the boundaries’ of what was ‘appropriate’ under broadcasting rules, it deemed that the public interest Sky pursued in its unauthorised accessing of John and Anne Darwin's e-mails outweighed the couple's privacy rights and therefore justified the broadcaster's actions,” the report states. The Darwins were convicted of fraud as a result of the incident, in which he disappeared and she collected insurance and pension funds after a purported canoe accident, the report states.

DATA PROTECTION—SWEDEN

Swedish PTS Seeks Comments on Fees for Data Retention (July 3, 2013)

Swedish postal and telecoms regulator PTS is “seeking comments on its proposals for remuneration to the authorities for the purposes of law enforcement,” Telecompaper reports. Comments are to be submitted by 2 September. Compensation for data “will depend on whether the information is handed over during office hours” and “whether it involves staff with special competency.”

PRIVACY

What Is Privacy in the Digital Age? (July 2, 2013)

In his most recent Privacy Perspectives installment, Phil Lee, CIPP/E, CIPM, describes his path to the privacy profession. “With privacy, I get to advise on matters that affect people, that concern right or wrong, that are guided by lofty ethical principles about respecting people’s fundamental rights,” he writes. With the growing dichotomy between regulatory mandates and “what, in practice, actually delivers the best protection for people’s personal information,” Lee challenges the privacy profession to “debate and encourage an informed consensus about what privacy really is, and what it should be, in this digital age.” Editor’s Note: For expert insights into the privacy career track and a high-level review of basic privacy laws, register for the IAPP’s web conference, Legal Privacy Primer—First Steps in a Career, to be held July 11.

STUDENT PRIVACY

Task Force Tackles Innovation-Privacy Balance in Education (July 2, 2013)

Researchers, innovators and thought leaders all over the world are thinking about education. From danah boyd to Sugata Mitra to the Aspen Institute, they’re discussing ways the Internet, social networks, mobile media and gaming technology are affecting our youth and the way they learn. In this Privacy Advisor exclusive, Microsoft CPO and IAPP Chairman Brendon Lynch, CIPP/US, talks about the Aspen Institute’s new Task Force on Learning and the Internet, of which he’s a member. Noting the group is just beginning its exploration, Lynch says, “as schools are experimenting with their online capabilities, and as they utilize those technologies and solutions, they need to make sure they’re addressing privacy concerns that parents and children may have.”

BIG DATA

Opinion: The Few Are Benefitting From the Many (July 1, 2013)

In an opinion piece for Financial News, Ben Wright discusses the rise of Big Data and questions who owns it. To this point, such a determination has not been made, resulting in the few benefitting “at the expense of the many,” Wright opines. “The financial industry clearly needs to have an open debate about all the data it is generating and amassing. It needs to decide who owns this information, how it should be used and shared and where the balance lies between privacy and the public good.” (Registration may be required to access this story.)