European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

DATA PROTECTION—EU

New Data Breach Notification Requirement in Effect (August 30, 2013)

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, in an exclusive for The Privacy Advisor, Laura Vivet Tañà, CIPP/US, CIPP/E, examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach.
Full Story

DATA LOSS—IRELAND

Commissioner to Hospital: Report Expected If Breach Occurred (August 29, 2013)

Data Protection Commissioner (DPC) Billy Hawkes has contacted the National Maternity Hospital after a media report last week revealed details of a recent termination carried out at the hospital, RTÉ News reports. Hawkes has required the hospital to furnish a report if an internal investigation indicates a breach occurred. Meanwhile, the DPC has warned charitable organisations they face prosecution if information obtained via text message campaigns is used for other purposes.
Full Story

DATA LOSS—UK

Judge: Scottish Borders Council Fine Was Improper (August 29, 2013)

The Scottish Borders Council was last year issued a 250,000 GBP fine by the Information Commissioner’s Office (ICO) after a firm it had hired to process employee pension records failed to destroy the information appropriately. But the council appealed the fine, and a Tribunal judge has ruled there was not a legitimate basis for the ICO to issue the fine, Out-Law.com reports. "There was no liability to a monetary penalty in this case because looking at the facts and circumstances of the contravention, whilst it was serious, it was not of a kind likely to cause substantial damage or substantial distress," the judge said.
Full Story

DATA LOSS—UK

Council Fined After Accidental Disclosure (August 29, 2013)

The Information Commissioner's Office (ICO) has found London’s Islington Council “guilty of a serious breach of the Data Protection Act after the names, gender, ethnicity and other personal details, including some medical information, belonging to 2,375 individuals were accidentally disclosed,” Out-Law.com reports. The council has been fined 70,000 GBP after the data was included in the response to a freedom of information request. “The ICO said that three spreadsheets disclosed to the WDTK site by Islington Council contained personal, and in places sensitive, data that was ‘hidden’ in so-called ‘pivot tables’ within the spreadsheets” but could be viewed by anyone with “basic knowledge of Excel,” the report states.
Full Story

PERSONAL PRIVACY—IRELAND

Opinion: Sometimes, Privacy Equals Sanity (August 29, 2013)

In an opinion piece for The Independent, Brendan O’Connor discusses the pervasive idea among youth that there simply is no privacy anymore. It’s a flawed ideology, he writes. “You will have secrets. You will mess up. You will have many moments in your life that you don't wish to share with anyone…Yes, it's good to share, and yes, it's not healthy to have secrets burning away inside you, gaining power until they harden into neuroses. But there are ways of unburdening, and there are boundaries that we ourselves need to be allowed to set, about who we share with.”
Full Story

PERSONAL PRIVACY—MALTA

Minister: Telephone Logs Access “Abuse of Power” (August 29, 2013)

Shadow Minister for Home Affairs Jason Azzopardi and PN Deputy Leader Beppe Fenech Adami have said the police commissioner’s declaration “that he has the powers to request service providers to hand him telephone logs is an abuse of power,” Malta Independent reports. The pair cited a recent case of an individual who was wrongly accused of a holdup and the commissioner’s attempt to determine who called whom first. “It’s simply absurd for the police commissioner to request service providers to provide him with call logs to resolve such a petty issue,” Azzopardi said.
Full Story

ONLINE PRIVACY—IRELAND

Broadcaster, Aertv Strike Data Access Deal (August 29, 2013)

Siliconrepublic reports on a deal described as the first of its kind in the Irish market, where “national broadcaster RTÉ has struck an agreement with online streaming TV provider Aertv to access data on consumer behaviour of RTÉ viewers watching RTÉ programmes on the Aertv site.” While broadcasters have traditionally used such metrics as the Nielsen ratings to gauge audience interest, “with the change of consumer behaviour and the increased use of mobile devices, access to online data offers a wide range of information to broadcasters,” the report states.
Full Story

INTERNATIONAL RELATIONS

The Brussels and Warsaw Privacy Peace Talks (August 29, 2013)

Next month, U.S. Federal Trade Commissioner Julie Brill and Deputy Assistant Secretary of State Danny Sepulveda will travel to Brussels to discuss privacy with EU officials. Later in the month, Poland will host the 35th Conference of Data Protection and Privacy Commissioners, a meeting that will be attended by privacy officials and stakeholders from around the world. In the latest installment of Privacy Perspectives, Hogan Lovells’ Christopher Wolf argues that the “gatherings provide an opportunity to declare a ceasefire in the war of words—a war in which most of the ‘incoming’ has originated on the European side of the Atlantic in the wake of the Snowden NSA revelations, and a war that threatens progress in international cooperation on privacy.”

DATA PROTECTION—EU & U.S.

Safe Harbor May Be Controversial in the European Union, But It Is Still the Law (August 29, 2013)

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency's PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. In this exclusive for The Privacy Advisor, Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor's fate.
Full Story

ONLINE PRIVACY—EU & RUSSIA

Sen. Wants Probe Into Twitter Compliance (August 29, 2013)

Russian Sen. Ruslan Gattarov says Twitter’s privacy policies violate Russian and European data protection laws, Rapsi News reports. Gattarov has asked the prosecutor general, the head of the federal communications agency and the Council of Europe’s data protection commissioner to conduct an investigation. He alleges certain parts of Twitter’s policies violate Russian users’ rights, including the omission of explanation for the reason personal data is collected and the lack of a translation of part of its policy into Russian.
Full Story

PRIVACY RESOURCES

The Complex Concept of Accountability (August 28, 2013)

The principle of accountability is found in guidance across the globe, and while it is recognized as an essential element of an effective privacy program, demonstrating it and measuring it can be a challenge. The IAPP Resource Center has compiled research, articles and presentations on the topic. From Hunton & Williams’ “Accountability: A Compendium for Stakeholders” to the Article 29 Working Party’s opinion on the principle of accountability, you’ll find the information you need to clarify what it means and how to demonstrate it.
Close-Up: Accountability

ONLINE PRIVACY

Gov’t Requests for Facebook Data Outlined in Transparency Report (August 28, 2013)

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80 percent of those requests, Reuters reports. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the prior six-month period, which was roughly between 18,000 and 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users.
Full Story

PRIVACY SCHOLARSHIP

IAPP/PLSC Award-Winning Papers Posted (August 28, 2013)

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo, and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network, and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy” here. Find Calo’s “Digital Market Manipulation” here. Geekwire also talks with Calo about his paper and its implications for the current Internet marketplace. Editor’s Note: Calo, Solove and Hartzog will present their papers at the IAPP Privacy Academy in Seattle, Sept. 30-Oct. 2.
Full Story

DATA PROTECTION—GERMANY

Berlin Commissioner Talks Surveillance, Big Data and New Rules on Privacy (August 28, 2013)

Bloomberg talks with Berlin Commissioner for Data Protection and Freedom of Information Alexander Dix on the U.S. NSA scandal, Big Data technologies and privacy concerns within the commercial sector. When it comes to anonymization, Dix says while it’s true that it’s possible for anonymized data to be linked to individuals, it “does not make anonymization a useless process. It is still better than having outright personal data on the Internet or pseudonymized data…” As far as essential aspects that should be applied in new privacy regulations, Dix says telecommunications surveillance should be the exception and not the rule and adds that data minimization is essential.
Full Story

ONLINE PRIVACY

Lenders Determining Creditworthiness Via Facebook Friends (August 28, 2013)

CNN reports that a handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.”
Full Story

CLOUD COMPUTING

Managing Risks in the Growing Cloud Environment (August 27, 2013)

As a precursor to his presentation at the IAPP Privacy Academy in Seattle this fall, Chris Zoladz, CIPP/US, CIPP/E, CIPP/IT, CIPP/G, writes in this latest Privacy Perspectives blog post that, “While there are real security and privacy concerns surrounding the cloud, they are by no means insurmountable.” Acknowledging studies that predict the growth of the cloud market to more than $120 billion by 2020, Zoladz offers common characteristics of those companies currently active in the cloud and advocates for “strong encryption with appropriate key management,” adding, “What would be the security and privacy risk if only encrypted data is ever stored in the cloud and only you as the cloud customer have the encryption keys?”
Full Story

WEB CONFERENCE

The Snowden Fallout: How To Respond (August 27, 2013)

Despite a history of disagreements over privacy issues at the government level, European and U.S. businesses have largely enjoyed mutually beneficial working relationships with regard to personal data processing. But Edward Snowden’s revelations about NSA surveillance activities have shaken this balance, requiring American companies to face a barrage of questions and doubts from their European customers regarding the security and privacy of personal data. Join OPower Associate General Counsel Adam Connolly, MobileIron VP and General Counsel Laurel Finch, and InfoLawGroup Partner Boris Segalis, CIPP/US, on Sept. 12 as they outline the demands recently made of U.S. service providers and offer practical guidance on how to meet these concerns.
Full Story

DATA PROTECTION

Password-Cracking Just Got Smarter (August 27, 2013)

Passwords just got a lot easier to crack, Ars Technica reports. That’s because the password cracker “ocl-Hashcat-plus,” a freely available program for offline cracking of hashed passwords, can now recover passwords with as many as 55 characters. The program previously could only crack passcodes of 15 characters or fewer, but Web users have increasingly used longer passcodes and passphrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.”
Full Story

PRIVACY

GE Appoints Chief Privacy Counsel (August 26, 2013)

General Electric has announced the appointment of Peter Lefkowitz, CIPP/US, as chief privacy counsel. Lefkowitz most recently served as vice president of privacy and security legal and chief privacy officer at Oracle. “I’m honored to join the strong global privacy team at General Electric. Privacy is increasingly a business and brand differentiator, and GE is at the forefront of managing privacy compliance and providing thought leadership,” Lefkowitz told the IAPP. He will take his post September 9.
Full Story

PRIVACY IN POPULAR CULTURE

Privacy Is “More Complicated Than We Realized” (August 23, 2013)

When Shel Israel and Robert Scoble started looking into their second book together, Age of Context: How Mobile, Sensors and Data Will Change Your Life, it was because “we’re enthusiasts of new technology,” said Israel. As Rackspace’s startup liaison officer, Scoble has gained wide renown in tech circles for his Scobleizer blog and Twitter handle. Israel is maybe best known for his writings for Forbes, where he looks at “the ever-evolving tech industry.” So maybe their initial impressions of privacy should not be surprising: “We joked that people ought to get over it,” Israel said with a laugh. “But the more we listened, the more deeply we realized that we don’t really have a choice about what’s coming.” The Privacy Advisor offers you exclusive thoughts from Israel about how privacy will become a business driver, plus a free download of the privacy chapter from the book.
Full Story

ONLINE PRIVACY

Companies Enhancing Ways To Go Incognito (August 23, 2013)

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail, reports The Wall Street Journal. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login, the companies say the encryption for smartphone-based services happens on the device, so there is no way to decrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. (Registration may be required to access this story.)
Full Story

DATA LOSS—UK

How To Avoid an Avoidable Data Breach (August 22, 2013)

Following the NHS Surrey breach that cost the trust 200,000 GBP in fines, The Guardian reports on ways to avoid a breach. In the Surrey case, information on 3,000 patients was lost because the trust failed to ensure the data had been destroyed by the company hired to do so. The incident highlights the importance of using accredited erasure software, the report states.
Full Story

PRIVACY LAW—UK

ICO Fines Should Serve as Reminder to Businesses (August 22, 2013)

Out-Law.com reports that the fining of a probation officer for breaching the Data Protection Act should serve as a reminder to businesses. The UK Information Commissioner’s Office fined the officer for disclosing an alleged domestic abuse victim’s address to the alleged abuser. Technology law expert Luke Scanlon of Pinsent Masons said “the harm done essentially resulted from what was allegedly an individual recklessly disclosing data in error,” adding, “It is a reminder that there are potential criminal consequences for organisations and individuals within organisations if they fail to adhere to proper standards of keeping data secure.”
Full Story

SURVEILLANCE—EU & U.S.

Spying Allegations Fallout Continues (August 22, 2013)

As requests for more information about U.S. surveillance programs persist, Reuters reports on allegations British Prime Minister David Cameron’s top civil servants tried to stop revelations about surveillance programs. The editor of The Guardian, the paper that broke the revelations, said he was approached by “a very senior official claiming to represent the views of the prime minister” following the articles’ publication. The UK government has said the leaks are a “grave threat to national security,” the report states. EU Observer reports on support from EU Justice Commissioner Viviane Reding for Council of Europe Secretary General Thorbjorn Jagland’s request that the UK explain its recent actions regarding the alleged detention of a reporter for The Guardian “and the forced destruction of the paper’s hard drives containing Snowden's leaked documents,” the report states. Meanwhile, a German official is insisting “global data scans by U.S. and British secret services did not breach German law designed to protect the privacy of citizens.”
Full Story

DATA PROTECTION—UK

ICO Launches Student Curriculum on Data Rights (August 22, 2013)

The Information Commissioner’s Office (ICO) has launched a project aiming to help develop the knowledge and skills of children and young people to better understand their own information rights and the obligations of those who hold data about them, The Guardian reports. The ICO worked with an experienced secondary school teacher to produce the free set of teaching materials, which comprises a series of 10 lesson plans, the report states.
Full Story

ONLINE PRIVACY

Can What We Post Online Ever Be Forgotten? (August 22, 2013)

In a blog post for Field Fisher Waterhouse’s Privacy and Information Law Blog, Phil Lee, CIPP/E, CIPM, asks the question that continues to persist in discussions of online privacy: “Can your data, once uploaded publicly onto the web, ever realistically be forgotten?” Lee writes that while much discussion has centered around EU’s proposed “right to be forgotten,” leaving legal arguments aside, the question is “whether it is even possible to purge all copies of an individual’s data from the web.” The answer, he suggests, “is both yes and no: yes, it’s technically possible, and no, it’s very unlikely ever to happen.”
Full Story

ONLINE PRIVACY

Project Loon Raises Concerns (August 22, 2013)

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don't have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google's claims about the Loon balloons' navigability are true, it is in fact an 'unmanned aircraft,' sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.”
Full Story

BIG DATA

Is This Our Biggest Public Policy Challenge? (August 21, 2013)

Difficult questions about balancing national security with privacy have come to light since the NSA surveillance disclosures and the agency’s use of Big Data, “Yet the benefits of Big Data…exceed the realm of national security or even government usage and extend to areas such as scientific research, public health and energy conservation by the private sector,” writes Omer Tene in this latest installment of Privacy Perspectives. Tene, who is now the IAPP’s first vice president of research and education and administers the IAPP Westin Research Center, writes, “Finding the right balance between privacy risks and Big Data rewards may very well be the biggest public policy challenge of our time,” and calls for “momentous choices” between “weighty policy concerns” and “individuals’ rights to privacy” and freedom of speech, among others.

PRIVACY RESOURCES

Drill Down to the Most Valuable Content for You (August 21, 2013)

The improvements to the IAPP Resource Center just keep coming. We’ve added industry verticals to the mix. Are you in higher education and looking for help with FERPA? Check out the education section of the tools page. Confused about GLBA? Look in the finance section. And if you don’t find it by browsing, we’ve improved search, too; you can now specifically search the section that relates to you—just tools, just research or even just research helpful for the healthcare industry, for example. Take a look, and as always, if you can’t find what you’re looking for, let us know, and we’ll do our best to help.
IAPP Resource Center

PRIVACY LAW—UK

Google Says UK Privacy Law Doesn’t Apply (August 20, 2013)

Google has told British consumers in a privacy claim that it doesn’t have to answer to UK courts and the country’s privacy laws don’t apply to the company, IDG News Service reports. Google will fight UK Safari users’ right to bring a case in the country and will force the plaintiffs to instead file the suit in California. The plaintiffs are seeking damages, disclosure and an apology from Google for allegedly circumventing users’ security settings and tracking them on Apple’s Safari browser, the report states.
Full Story

PRIVACY LAW

From Gmail to HIPAA to Class-Actions, Questions Abound (August 19, 2013)

The privacy news seems to have stirred up more legal questions than answers this past week, as you’ll discover in the Privacy Tracker Global News Roundup. With effective dates coming up for HIPAA in the U.S. and FOIA reforms in the UK, privacy pros are figuring out the new lay of the land. Court cases in the U.S. and France bring up e-mail privacy questions, both in and out of the workplace, and in the UK one court ruling may reveal a need for stronger data destruction policies. Lastly, an article from The New York Times questions the new trend of class-actions leaving plaintiffs empty-handed. (IAPP member login required.)
Full Story

ONLINE PRIVACY

Our Collective Privacy and One Strange Tale (August 19, 2013)

What happens when individuals decide to publish their entire lives on the Internet? Is it just their privacy they are giving up, or is it also the privacy of their friends, family and others that is violated, too? Last week, a former sportswriter published a website revealing countless personal thoughts, photos and memories and timed it to go public after his death by suicide. But in revealing his personal secrets, others around him were affected as well. This post for Privacy Perspectives explores the implications of our collective privacy and how our choices to disclose personal data can have wide-reaching effects on those around us.
Full Story

DATA LOSS—GREECE

DPA Fines Finance Ministry 150,000 Euros (August 15, 2013)

Greece’s Data Protection Authority (DPA) has fined the Finance Ministry 150,000 euros “for allegedly failing to protect data on millions of taxpayers that ended up in the possession of private companies,” Associated Press reports. The DPA said in a statement that the result was a “particularly large” breach. The DPA has given the Finance Ministry two months to improve its security, the report states.
Full Story

SURVEILLANCE—UK

No Enforcement Plan for CCTV Code of Practice (August 15, 2013)

V3.co.uk reports on the Home Office’s CCTV code of practice aimed at curbing “the excessive use of cameras for surveillance by increasing numbers of private- and public-sector organisations.” However, the report notes that the code of practice does not come with an enforcement plan. The code cites CCTV as a vital security tool but says its use must have a “legitimate aim” and be “compliant with any relevant legal obligations.” The code includes “12 points that CCTV operators must follow that cover a range of issues, from use to data retention and the ability to contact the people running the cameras to access information,” the report states.
Full Story

PRIVACY LAW—FRANCE

Court Finds for Employer in E-mail Case (August 15, 2013)

In a post for Field Fisher Waterhouse’s Privacy and Information Law Blog, Olivier Proust writes about the French Court of Cassation’s ruling in favour of a company that dismissed an employee “based on e-mail exchanges between him and a competitor that were found on his computer’s hard drive and used against him as evidence in court.” Proust writes that the employee argued “this evidence was inadmissible because it was unlawfully obtained by the company in violation of his right to privacy,” but the court held that unless they are marked as private, “documents and files created by an employee on a company computer for work purposes are presumed to be professional, which means that the company can access those documents and files without the employee’s presence.”
Full Story

DATA LOSS—UK

Sensitive Documents Found in Dump (August 15, 2013)

Scotland’s Aberdeen City Council has ordered an investigation after “extremely sensitive” child welfare documents were found at a dump, The Scotsman reports. The documents included home addresses, medical details and other personal information, the report states. The council called for an investigation after an official for Aberdeen Central announced the breach. He noted, “Any breach of data protection is a serious matter, but social work records are often extremely sensitive and it would be extremely worrying if this allegation turns out to be true.”
Full Story

DATA RETENTION—UK

Court Ruling on SARs Makes the Case for Good Destruction Practices (August 15, 2013)

A legal expert has said that a recent court ruling on subject access requests (SARs) bolsters the need for strong data destruction practices, Out-Law.com reports. Noting that data retention checks can be viewed as a regulatory burden, technology law expert Luke Scanlon said good destruction practices can both comply with data protection laws and remove the burden of responding to SARs from individuals or organisations requesting data. A High Court judge said companies must respond to SARs but added there is no duty “to retain data so that it can remain available to be mined by former customers or claims companies with a view to making claims against third parties.”
Full Story

DATA PROTECTION

IBM Gets Certified Under APEC Privacy Rules (August 15, 2013)

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters, CIPP/US, said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovells partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.”
Full Story

DATA PROTECTION—UK

ICO Publishes Regulatory Action Policy (August 15, 2013)

The UK Information Commissioner’s Office (ICO) has published a Data Protection Regulatory Action Policy, outlining what the office will consider when deciding whether to initiate regulatory action, reports Out-Law.com. Noting that “market factors” may influence the decision, the policy points to some “initial drivers,” including issues of “general public concern,” those due to the “novel or intrusive nature of particular activities” and those stemming from complaints. When asked for clarity on “market factors,” an ICO spokesman said in markets where "consumers demand effective privacy protection…market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene."
Full Story

ONLINE PRIVACY

Study: Consumer Reaction to NSA Could Hurt Ad Targeting (August 14, 2013)

AdWeek reports on a study revealing that consumer concerns about online privacy have jumped from 48 percent to 57 percent since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online.
Full Story

PRIVACY BIZ

Leizerov on Thinking Strategically About Privacy (August 14, 2013)

In a column for SC Magazine, Ernst & Young's Sagi Leizerov, CIPP/US, discusses the importance of thinking strategically about privacy. Governance, technology and regulation, he notes, are “three distinct megatrends forming based on market conditions and the impact they are having on how organizations approach privacy.” Leizerov writes, “Regulators realize that their tools of compliance and enforcement are simply not enough,” adding, “As such, they are becoming more active participants—strategic advisors—in decision-making discussions with organizations and consumers.” Though enforcement actions are “an important tool,” Leizerov says the “focus is shifting more toward collaboration, communication and education.”
Full Story

DATA LOSS

Responding to a Data Breach (August 14, 2013)

According to the Ponemon Institute’s 2012 Data Breach Notification Study, most consumers who have received a breach notification say the breached organization did not do a good job of communicating and handling the data breach. What’s your plan for breach response? If you need some guidance on responding to a breach, the IAPP Resource Center can help. Check out Close-Up: Responding to a Data Breach for valuable tools, research and articles from experts in the field. (IAPP member login required.)
Read Now

MOBILE PRIVACY—UK

Authority Wants To Toss Smart Bin Tracking (August 14, 2013)

A UK-based authority has called for the end of WiFi tracking by recycling bins placed across London, The Independent reports. The “pods” feature LCD screens that show advertisements to passersby, but can also record smartphone movements and other details. The City of London Corporation (CLC) has alerted the Information Commissioner’s Office of the bins, which have allegedly recorded the details of 4,009,676 devices from pedestrians in one week. “Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public,” the CLC said. The Financial Times reports the company behind the bins says there is potential to help companies predict “personal habits” of consumers.
Full Story

ONLINE PRIVACY

Global Sweep Highlights “Significant” Shortcomings (August 13, 2013)

The Office of the Privacy Commissioner of Canada (OPC) today released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.”
Full Story

DATA PROTECTION—EU

EU Looks To Speed Up Privacy Reforms (August 13, 2013)

The European Commission wants to quicken the pace of passing the proposed data protection regulation, which is currently held up in the European Parliament’s civil liberties committee, EUObserver reports. Commissioner for Justice Viviane Reding, who in July appealed to member states to place the bill on an EU summit in the fall, said, “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file.” Hunton & Williams’ Bridget Treacy noted, “Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation and some detailed exploration of the key elements of such an approach under the Irish presidency.” EU lawmakers have said they want the reforms passed by May 2014.
Full Story

DATA PROTECTION—UK

ICO Publishes Breach Trends Statistics; Gov’t Leads List (August 13, 2013)

In a recent Information Commissioner’s Office (ICO) blog post, Sally-Anne Poole says statistics indicate carelessness is the cause of much of the office’s enforcement business. The ICO uses statistics to help inform its response to incidents, Poole writes. The health and local government sector leads the list for data breaches, followed by schools and solicitors. The ICO has published a spreadsheet of its civil monetary penalties for the first quarter of 2013 so the public can see such trends.
Full Story

DATA PROTECTION—EU

Working Party Weighs In on Purpose Limitation and Big Data (August 13, 2013)

The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data. In this exclusive for The Privacy Advisor, Stefano Tagliabue, CIPP/E, discusses the Article 29 Working Party’s opinion on purpose limitation and Big Data.
Full Story

SURVEILLANCE—EU & U.S.

Opinion: Do Not Allow Citizen Privacy To Be Negotiated Away in TTIP (August 13, 2013)

In a feature for Deutsche Welle, the Center for Digital Democracy’s Jeff Chester cautions that amidst Transatlantic Trade and Investment Partnership (TTIP) negotiations, “U.S. tech companies want the TTIP to sanction a bypassing of the EU’s data protection rules,” urging the EU to “reject this self-serving vision of a borderless digital world where legal frameworks protecting civil liberties and the distinctions of country and culture are tossed aside in the name of increased profits for U.S.-based transnational data marketers.” In the wake of the U.S. National Security Agency (NSA) allegations, he warns, “The source of information for much of the NSA’s spying is the growing digital data depositories operated by the leading U.S. Internet companies.”
Full Story

PRIVACY LAW

News from the U.S. to the Ukraine (August 12, 2013)

In this Privacy Tracker global news roundup, learn about the lasting legacy of California’s SB 1386, more about the court case that has some questioning BYOD policies and congressional delays to reforming the Electronic Communications Privacy Act. You’ll also read about key changes included in amendments to the Ukrainian privacy law and a contentious New Jersey bill that would allow warrantless cellphone searches. (IAPP member login required.)
Full Story

BIG DATA

Making the Case for Data Assets, Not Privacy (August 12, 2013)

Alex “Sandy” Pentland discussed the importance of Universal People Sensors and the benefits of using Big Data to enhance the public good, effectively making our lives safer, at the IAPP’s Navigate un-conference in June. This Privacy Perspectives blog post delves into Pentland’s discussion and looks at how consumer choice and trust can play an important role in promoting the public good in a Big Data world.
Full Story

SURVEILLANCE

Satellite Technology a Boon for Business (August 12, 2013)

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—EU & GERMANY

German Minister: EU Needs “German Standards” (August 8, 2013)

In response to the recent disclosures of the U.S. National Security Agency surveillance programmes, German Justice Minister Sabine Leutheusser-Schnarrenberger said EU data privacy rules should be as strict as those found in Germany, EUObserver reports. “High German data protection standards should be the rule,” she said. “U.S. companies that do not uphold these standards should be banned from the European market.”
Full Story

DATA LOSS—UK

Welsh Councils Under Scrutiny; Bank of Scotland Fined 75,000 GBP (August 8, 2013)

BBC News reports that Welsh councils violated data protection laws 60 times in 2012. The information came to light after the Welsh news website Newyddio Ar-lien obtained the data through a Freedom of Information request. Of the 22 local authorities in Wales, only seven did not record a breach last year. Meanwhile, the Bank of Scotland has been fined by the Information Commissioner’s Office (ICO) for violating the Data Protection Act. According to the report, the bank repeatedly sent consumer data to the incorrect recipients. ICO Head of Enforcement Stephen Eckersley said, “The Bank of Scotland has continually failed to address the problems raised over its insecure use of fax machines,” and added, “to do so continually over a three-year period…is unforgivable and in clear breach of the Data Protection Act.” Additionally, the Daily Mail is under fire for leaking user data.
Full Story

DATA PROTECTION—SWEDEN

Gov’t Agencies Sell Personal Data (August 8, 2013)

Swedish government agencies, including the Transport Agency, the National Tax Agency and the national board of student aid, all allegedly sell private information to third parties without citizens’ knowledge, The Local reports. Kjell-Åke Sjödin, the Transport Agency’s register, said, “We have a mandate from the government to sell the data.” Anna Hörnlund, a lawyer for the Swedish data protection board, said, “That the authorities provide further information under the principle of public access is a foundation stone of Swedish democracy. The systematic sale of registry records to advertising firms is something completely different.”
Full Story

EMPLOYEE PRIVACY—FRANCE & UK

CNIL Sanctions Firm for CCTV Monitoring (August 8, 2013)

In a recent decision, France’s data protection authority, the CNIL, sanctioned a company for installing a CCTV employee-monitoring system without informing the employees, Proskauer’s Privacy Law Blog reports. The company was also sanctioned for disproportionately monitoring one specific employee at all times. However, according to the Hogan Lovells Chronicle of Data Protection, a French court has limited the scope of employee data protection. According to the post, “there is arguably no right to privacy to an employee’s computer-stored data unless the employee takes affirmative steps to designate the information as personal.” Meanwhile, the UK Supreme Court dismissed a South Lanarkshire Council appeal. The council had argued that disclosing equal pay requests would breach the Data Protection Act.
Full Story

SURVEILLANCE—THE NETHERLANDS

Kohnstamm: Some Hidden Cameras Acceptable (August 8, 2013)

Dutch Data Protection Authority Jacob Kohnstamm has said the use of hidden camera monitoring—such as to discover benefit fraud—is acceptable in some instances, DutchNews.nl reports. If all other methods have failed, then hidden cameras are permissible. “To avoid misunderstandings, these unorthodox methods are acceptable in exceptional circumstances,” he said.
Full Story

HEALTHCARE PRIVACY—UK

Minister To Crack Down on Cash-for-Access (August 8, 2013)

The Telegraph reports that Health Minister Dan Poulter plans to “impose tighter restrictions” on NHS hospitals allowing private companies access to mothers who have just given birth. Poulter said the Care Quality Commission will take action against maternity wards that do not “ensure the protection of women’s privacy and dignity.” This protection would include the prevention of private companies approaching new mothers to buy professional photographs of children or asking them to provide personal data.
Full Story

SURVEILLANCE—UK

Telecoms Provided User Data to GCHQ (August 8, 2013)

According to more leaks from whistleblower Edward Snowden, telecom providers, including Vodafone and BT, among others, allegedly passed on user data to British spy agency GCHQ, The Independent reports. Shared data includes customer phone calls, e-mail and Facebook postings. Companies did not comment on specifics but said they were complying with UK and EU law. Privacy International’s Eric King said, “We urgently need clarity on how close the relationship is between companies assisting with intelligence gathering and government.” A Vodafone spokesman said the company does not “disclose any customer data in any jurisdiction unless legally required to do so,” adding, “Questions related to national security are a matter for governments, not telecommunications operators.”
Full Story

PRIVACY LAW—UK

Opinion: Businesses Need To Understand Reforms (August 8, 2013)

Bridget Treacy of Hunton & Williams writes for Information Age about a recent study conducted by the UK Information Commissioner’s Office finding that many UK businesses are unaware of the changes presented to them by data protection reforms. Noting compliance and record-keeping obligations, mandatory privacy impact assessments and data breach reporting, among others, Treacy says, “UK businesses will be in for a shock.” Treacy recommends that business leaders get involved in the debate over the regulation and offers other tips for preparation, such as getting a data protection team in place and making it a board-level issue.
Full Story

ONLINE PRIVACY

Twitter Retargeting Service Gets Advocate Approval (August 8, 2013)

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.”

SURVEILLANCE

NSA Is Casting “Far Wider Net” Than Previously Disclosed (August 8, 2013)

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” (Registration may be required to access this story.)
Full Story

MOBILE PRIVACY

Android 4.3 Keeps WiFi On, Even When It’s “Off” (August 8, 2013)

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done, according to a report from ValueWalk, “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns.
Full Story

PRIVACY LAW—UK

ICO Publishes PIA Code of Practice (August 7, 2013)

The UK Information Commissioner’s Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The consultation states the new code of practice aims to “help organizations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organization’s project and risk management processes.”
Full Story

CYBERSECURITY

Tor Network Breached (August 7, 2013)

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, Naked Security reports, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eoin Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.”
Full Story

PERSONAL PRIVACY

Will Data Ownership EVER Be a Privacy Solution? (August 6, 2013)

“Why is it that better methods of digital contracting and data ownership have not yet developed to help us protect our privacy online?” asks Adam Thierer in this installment of Privacy Perspectives. Thierer, a senior research fellow at George Mason University’s Mercatus Center, writes, “there probably hasn’t been as much demand for formal contracting because many users don’t mind today’s ‘take-it-or-leave-it’ model of online services” and that formal contracting around privacy “has always been tied up with the same thorny issues of information ownership and enforcement, which have complicated digital copyright policy.” But maybe that’s changing.

CLOUD COMPUTING

Europe and Asia Stand To Gain from U.S. Industry’s Loss (August 6, 2013)

The U.S. cloud computing industry could take a major earnings hit as a result of fallout from the NSA revelations. That’s according to an Information Technology and Innovation Foundation (ITIF) report, which estimates U.S. cloud computing providers could lose $21.5 billion in revenue in the next three years. And that’s its conservative estimate, IT News reports. The worst-case scenario could see losses of up to $35 billion by 2016, with European and Asian markets poised to gain, the report states. “If European cloud customers can’t trust the United States government, then maybe they won’t trust the U.S. cloud providers either,” European Commissioner for Digital Matters Neelie Kroes said recently. Editor’s Note: The preconference workshop The Privacy Pro’s Field Guide to Contracting and Compliance in the Cloud will be part of this year’s Privacy Academy in Bellevue, WA. Also, Jason Weinstein recently proposed steps for U.S. cloud providers to take on the Privacy Perspectives blog.
Full Story

PRIVACY LAW

Surveillance Issues Loom Large, Safe Harbor Questions and More (August 6, 2013)

In this week’s Privacy Tracker Global News Roundup, you’ll find new challenges to a Utah surveillance law; an interesting turn of events in a case deciding whether government authorities can extract historical location data directly from telecommunications carriers without a search warrant; legislative initiatives related to FISA and the USA PATRIOT Act; questions about the future of Safe Harbor, and information on developments in Italy, France and Australia. (IAPP member login required.)
Full Story

DATA PROTECTION—EU & U.S.

Safe Harbor in Hot Water (August 5, 2013)

Despite the U.S.-EU Safe Harbor agreement’s apparent success at facilitating cross-border data transfers since its adoption in 2000, it’s in danger. MEP Jan-Phillip Albrecht recommended in his report earlier this year that the mechanism be discontinued, and the Transatlantic Trade and Investment Partnership (TTIP) negotiations have indicated discontent with the current framework. As such, organizations certified under Safe Harbor “should closely monitor the EU’s legislative process and the TTIP for indications about Safe Harbor’s future,” writes Hogan Lovells’ Privacy Team in this latest installment of the IAPP’s Privacy Tracker blog. (IAPP member login required.)

ONLINE PRIVACY

Making the Case for More Obscurity and Less Anonymity (August 5, 2013)

Speaking at Navigate in June, Prof. Woodrow Hartzog explored the value of and made the case for using online obscurity to help protect a user’s personal privacy. By obscuring our online profiles—by varying degrees depending on intent and context—Hartzog said we can help protect some of our online privacy. But what about those who hide behind masks of online anonymity to spout nefarious words of hate speech? This Privacy Perspectives installment explores the tension between the need for online obscurity and the need to unmask those who prowl the Internet with damaging intent.
Full Story

PRIVACY PROFESSION

The Case for a Code (August 2, 2013)

Should privacy professionals have a code of ethics? That was the question first raised on Privacy Perspectives by Alex Fowler, and now continued by K Royal, CIPP/US, CIPP/E. Balancing roles as a nurse and an attorney, Royal discovered a tension allowing for conflict between professional obligations. The same may be true for privacy professionals serving as in-house counsel. “The potential for conflict is reduced when the law speaks clearly to the issue, but becomes muddy when the ‘right thing’ is not statutorily driven,” Royal writes. “Does one’s duty to the company carry more weight than one’s duty to a data subject? Does one have a duty to a data subject if the law is silent?”
Full Story

SURVEILLANCE—UK & U.S.

Whistleblower: NSA Secretly Funds GCHQ (August 1, 2013)

The Guardian reports that, according to the latest documents released by whistleblower Edward Snowden, the U.S. National Security Agency (NSA) has been secretly funding its British counterpart, the GCHQ, over the past three years to “secure access to and influence over Britain’s top intelligence gathering programmes.” The documents reveal that the GCHQ is investing in efforts to gather personal information via mobile devices and wants the capability to “exploit any phone, anywhere, anytime.” The amount of personal data gleaned from the Internet by the agency has increased 7,000 percent in the last five years, the report states.
Full Story

PRIVACY COMMUNITY

IAPP Signs Alliance Agreement with Pribatua (August 1, 2013)

The IAPP announced today an alliance agreement with Pribatua, the Basque Association of Privacy and Information Security (Asociación Vasca de Privacidad y Seguridad de la Información). As part of this “sister” relationship, Pribatua members will receive membership rates for IAPP offerings and Pribatua will be co-sponsors of IAPP Europe’s two major events, the Data Protection Intensive and the Data Protection Congress.
Full Story

ONLINE PRIVACY—UK

Dating Sites’ Practices Raise Concerns (August 1, 2013)

The Information Commissioner’s Office (ICO) announced it has written to eHarmony, Match.com, Cupid and Global Personals with “questions around how people’s information is being used that need to be answered.” The letters come on the heels of an ICO survey that found dating websites were not following the Data Protection Act. Areas of concern include poor visibility of the terms and conditions governing user consent; references to companies “having ‘perpetual’ or ‘irrevocable’ licence” to member data; claims that websites would not take responsibility for loss of personal information, and the expectation for users to give “personal details before the terms and conditions are provided.”
Full Story

PRIVACY LAW—FRANCE

Supreme Court: Undeclared File Sale Is Void (August 1, 2013)

Lexology reports on the French Supreme Court’s recent ruling that the sale of a file containing personal data that should have been declared with the French data protection authority, the CNIL, and was not must be cancelled. “Having noticed that this rule had not been complied with, the court found such a file to be illegal and unable to be subject to a convention under the French Civil Code,” the report states, noting the sale had to be considered void. “This ruling is particularly important in that it is the first time that the court has applied such reasoning,” the report states, noting it “reminds us of the importance of complying with the obligations attached to the handling of personal data…” (Registration may be required to access this story.)
Full Story

DATA PROTECTION—UK

ICO: Police Need Data Protection Training (August 1, 2013)

The Information Commissioner’s Office (ICO) is urging police staff members who “work in specialist collaboration units to receive data protection training,” Computing reports. The recommendation comes amidst the ICO’s enforcement action against the chief constables of Leicestershire, Derbyshire and Nottinghamshire Police that followed a 2010 breach at the East Midlands Collaboration Unit involving the theft of unencrypted laptops containing “sensitive personal data relating to about 4,500 offenders from across three forces,” the report states. The ICO’s Meagan Mirza notes that while many of the issues from 2010 “have now been addressed, the lack of planning around the setup of the unit is concerning.” Meanwhile, in this video, the ICO’s David Smith discusses the office’s current enforcement practices and preparing for its future powers.
Full Story

PRIVACY LAW—ITALY

Garante Releases Rules on Spam and Viral Marketing (August 1, 2013)

The Italian Data Protection Authority (Garante) released earlier this month a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuse of marketing communications and to promote fair commercial practices towards users and consumers.
Full Story

PRIVACY SCHOLARSHIP

Deception Is at the Heart of PLSC-Winning Papers (August 1, 2013)

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, we interview the winners and discuss their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them.
Full Story

ONLINE PRIVACY

Companies Shifting To Meet Consumer Expectations (August 1, 2013)

Forbes reports on products that are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data.
Full Story