European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—UK

Message-Sender Successfully Appeals 300,000 GBP Fine (October 31, 2013)

Christopher Niebel has successfully appealed a 300,000 GBP fine for sending spam text messages after challenging “whether the Information Commissioner's Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws,” Out-Law.com reports. Niebel and fellow Tetrus Telecoms co-owner Gary McNeish were fined a combined 440,000 GBP by the ICO last year “for breaching the UK's Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.” However, an Information Rights Tribunal upheld Niebel’s appeal, ruling “insufficient damage or distress had been caused to recipients to merit the penalty being imposed,” the report states.
Full Story

PRIVACY LAW—IRELAND

ODPC Will “Vigorously” Defend Position in Europe v. Facebook Case (October 31, 2013)

It will be up to the Irish High Court to determine “whether a regulator unlawfully failed to investigate alleged links between Facebook and the surveillance of data conducted by U.S. intelligence officials through the PRISM programme,” Out-Law.com reports. Privacy activist group Europe v Facebook recently won the right to a judicial review of the Office of the Irish Data Protection Commissioner’s (ODPC) decision not to look into the issue. The ODPC has indicated it will “strongly contest the case when the hearings begin,” the report states, citing an ODPC statement confirming “we will be vigorously defending our position.”
Full Story

PERSONAL PRIVACY—UK

MPs Slam BT Over Privacy Charge (October 31, 2013)

BT is being “slammed” by MPs after announcing it will charge for a caller display service viewed as “critical in the fight against nuisance calls,” The Telegraph reports. The All-Party Parliamentary Group is claiming “the company is abusing its dominant position in the industry—and leaving millions of homes at risk of even more spam marketing messages,” the report states, noting the display will only remain free-of-charge for customers who sign a year-long contract.
Full Story

ONLINE PRIVACY—UK

Privacy Concerns Are Part of Move to IPv6 (October 31, 2013)

Out-Law.com reports on the UK’s lag in transitioning to IPv6, the successor address system for the Internet, and on findings by consultancy Interconnect Communications (ICom) that network security issues and privacy concerns will accompany its deployment. “A big concern with a number of mechanisms is the potential that they can be used to circumvent existing security measures … While it is correct to say that IPv4 does not offer the same privacy extensions as IPv6, the way that IPv4 was treated as a scarce resource provided inbuilt privacy protection because it was unlikely that a single IPv4 address would always identify the same user,” ICom has said.
Full Story
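The ICom remark turns on a property of IPv6 that the report does not spell out: with stateless address autoconfiguration, a host can derive the low 64 bits of its address from its MAC address (the modified EUI-64 format), so the same identifier follows the device from network to network, and the “privacy extensions” (RFC 4941) replace it with a random identifier that is regenerated periodically. The following is an added Python example, not code from the report or from ICom, that builds the EUI-64 address, extracts the MAC from such an address, and generates a temporary identifier for comparison. The prefix and MAC are constructed sample values.

```python
import ipaddress
import secrets

# Constructed sample inputs (not from the report): the IPv6 documentation prefix and a made-up MAC.
SAMPLE_PREFIX = "2001:db8:1:2::/64"
SAMPLE_MAC = "00:1a:2b:3c:4d:5e"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier for a 48-bit MAC (RFC 4291, Appendix A).

    The MAC is split in half, ff:fe is inserted between the halves, and the
    universal/local bit (0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """SLAAC-style address: the /64 prefix with the EUI-64 identifier in the low 64 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC interface identifiers are 64 bits; use a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def interface_id(addr: str) -> int:
    """Low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def embedded_mac(addr: str):
    """Return the MAC a modified-EUI-64 address embeds, or None if the ff:fe marker is absent.

    This is a heuristic: a random identifier carries ff:fe in that position with
    probability 1/65536, so a hit means 'probably MAC-derived', not certainly.
    """
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)


def temporary_address(prefix: str) -> str:
    """Privacy-extension style address (RFC 4941): a random 64-bit identifier with the
    universal/local bit cleared, intended to be regenerated on a schedule."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= ~0x02 & 0xFF
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


if __name__ == "__main__":
    stable = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print("SLAAC address:    ", stable, "-> embeds MAC", embedded_mac(stable))
    for _ in range(3):
        print("temporary address:", temporary_address(SAMPLE_PREFIX))
```

Run against a traffic log or a server access log, `embedded_mac` is a quick way to spot clients whose IPv6 addresses still expose a hardware identifier; the temporary addresses from the last function show what a host with privacy extensions enabled presents instead, and why a single IPv6 address is then no more durable an identifier than a dynamically assigned IPv4 one.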

DATA LOSS—UK

ICO Fines Council 80,000 GBP (October 31, 2013)

The Information Commissioner's Office (ICO) has fined North East Lincolnshire Council 80,000 GBP following the loss of an unencrypted memory stick holding information on children, Computing reports. The memory stick has been missing since 1 July 2011 after being “left in a laptop at the council's offices by a special educational needs teacher. When the teacher returned, the USB stick was gone,” the report states. In issuing the fine, the ICO noted the device held personal information on 286 children. “Organisations must recognise that sensitive personal data stored on laptops, memory sticks and other portable devices must be encrypted,” said the ICO's Stephen Eckersley.
Full Story

ONLINE PRIVACY—ITALY

ISPs: “Depeering” Threatens Privacy (October 31, 2013)

Citing privacy and other concerns, AIIP, Italy’s Internet providers association, is calling for the competition regulator to intervene to improve peering agreements with Telecom Italia, Telecompaper reports. AIIP has suggested Telecom Italia's practice of “depeering,” or reducing network access points, is "in perfect contrast to and contradiction with" the government's reassurances regarding the privacy of communications, the report states. AIIP believes Telecom Italia's decision “has resulted in the flow of data forcibly extending across national boundaries,” the report states, endangering “not only the privacy of data exchanged between Italian users but also the efficiency and modernisation of the entire Internet network in Italy.”
Full Story

PERSONAL PRIVACY—THE NETHERLANDS

Telecom Operators Tighten Privacy Measures (October 31, 2013)

Dutch telecom operators will take measures to improve customer privacy, Telecompaper reports. “A copy of a passport or identification card is often taken to ensure the customer's identity when opening or modifying a phone line. However, the Dutch privacy regulator said that organisations should not have access to specific personal details such as the passport photo,” the report states. In response, telecom operators will use a special covering to block such information on copies of the documents.
Full Story

DATA LOSS—SWEDEN

Medical Log System Breached (October 31, 2013)

The Local reports on a breach involving attempts at accessing a medical log system. Take Care, which is used by medical practices in Stockholm County and on the island of Gotland, “experienced several technical malfunctions this past summer. Several journals were simply connected straight to the internet without a firewall on the central servers,” the report states. A Swedish Medical Association IT expert cautioned, “For eight months, anybody could have waded into any patient journal, probably even including people in the royal family and other people who lead the country.” Swedish Pirate Party MEP Amelia Andersdotter, who has asked that her own medical journals be “removed from Uppsala and Skåne Counties' databases,” has recommended counties seek patient approval before storing files “on computers with Internet access.”
Full Story

PRIVACY RESOURCES

To BYOD or Not To BYOD (October 31, 2013)

Bring Your Own Device (BYOD) programs allow employees to use their own devices to stay connected to, access data from or complete tasks for their organizations. While BYOD programs reportedly result in increased employee productivity and job satisfaction, they also bring privacy and security challenges. View research, sample policies and guidance in this IAPP Resource Center Close-Up to help you determine whether BYOD works for your organization—and, if it does, how to keep your data safe in the process.
Close-Up: BYOD

ONLINE PRIVACY

E-mail Encryptors Form Dark Mail Alliance (October 31, 2013)

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption, Forbes reports. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.”
Full Story

SURVEILLANCE—EU & U.S.

Top U.S. Intel Officials Testify; Relations Fray Further (October 30, 2013)

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Agency Director Gen. Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU.
Full Story

GEO PRIVACY

Location Tracking: Coming to a Government, Employer and Retailer Near You (October 29, 2013)

Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry smartphones with them every step of the day, and as these devices send and receive electronic signals, they silently map their users’ movements. More and more organizations are seeking to utilize this data, and while the industry for location-tracking analytics is becoming more sophisticated, so too is the range of interested parties—including regulators. IAPP Westin Research Fellow Kelsey Finch examines the issue in this in-depth exclusive for The Privacy Advisor. (Editor’s Note: The IAPP is hosting a web conference on this topic Oct. 31 at 1 p.m. EDT.)

ONLINE PRIVACY

Website, Researcher Rate Sites on Practices (October 29, 2013)

Forbes reports on a fledgling site using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “'I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—was thrust into overdrive since the NSA revelations.
Full Story

ONLINE PRIVACY

The Economics and Future of Cookies (October 29, 2013)

As the IAPP reported in The Privacy Advisor last week, cookies may be reaching the end of the road—but not with a whimper. The Wall Street Journal reports Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites," which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” (Registration may be required to access this story.)
Full Story

GEO PRIVACY

Mozilla Developing Public Data Service (October 29, 2013)

PCWorld reports Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” "The data would be provided by cell towers, WiFi and IP addresses," the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia.
Full Story

PRIVACY LAW

EU, Ecuador and the FTC in This Week’s Tracker Roundup (October 28, 2013)

While much of the news was focused on the EU Data Protection Regulation over the past week, a few other things of note happened in the legal realm as well. For example, the EU Parliament adopted a resolution to suspend SWIFT based on allegations that the U.S. NSA had access to EU citizens’ bank data; the FTC reached a settlement with Aaron’s, Inc., over the company’s consumer spying regime, and in Ecuador, there are concerns that a new penal code could violate citizens’ online privacy. These are just a few of the stories—in addition to information on the LIBE vote and the future of Safe Harbor and the EU regulation—in this week’s Privacy Tracker legislative roundup.
Full Story

PRIVACY COMMUNITY

Strickland New CPO at JP Morgan Chase (October 28, 2013)

Last week was the first for Zoe Strickland, CIPP/US, CIPP/G, CIPP/IT, as managing director, SVP and CPO at JP Morgan Chase. She has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry. In this exclusive for The Privacy Advisor, we talk with her about new challenges, how the two jobs overlap and why CPOs “can be an asset to the firm outside the company walls.”
Full Story

DATA PROTECTION—EU

Regulation Implementation May Come Sooner Than 2015 After All (October 28, 2013)

EurActiv reports that the European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down.
Full Story

PRIVACY BUSINESS

Entrepreneurs, Businesses Focused on Privacy (October 28, 2013)

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. The Washington Post reports on ManageURiD, formed last year to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—GERMANY & U.S.

Could Works Councils Improve Orgs’ Perceptions of Consumer Data? (October 25, 2013)

A recent article in The New York Times reports that all of the Volkswagen plants in the world have an employee works council, except one in Chattanooga, TN. Mandated in Germany, works councils give employees “a voice in working with management about working conditions in their environment,” writes GMAC Chief Privacy Official Allen Brandt, CIPP/US, CIPP/E. In this installment for Privacy Perspectives, Brandt looks at works councils and their effect on employee privacy, asking, “With an increased interest in protecting employee data, could this carry over into how the organization views its customer data?”
Full Story

WEB CONFERENCE

Analyzing LIBE’s Draft of the Data Protection Regulation (October 24, 2013)

Now that LIBE has voted out a draft overhaul of the Data Protection Regulation, it’s time for privacy pros to make sense of it and plan for the future. What are the new provisions that will have the largest impact? What will likely remain after the council gets through with it? What preparations should firms be making now to make sure they’re in line with what eventually passes and becomes law? The IAPP has assembled a panel of experts, including moderator Omer Tene, former Siemens CPO Florian Thoma, CIPP/US, CIPP/E, CIPM, Covington and Burling’s Henriette Tielemans, and Yahoo’s Justin Weiss, CIPP/US, to answer these questions and more in a web conference that’s free to IAPP members on 8 November, at 2 p.m. UTC.
Full Story

PRIVACY LAW—IRELAND

Europe V. Facebook Complaint To Be Heard (October 24, 2013)

Europe v. Facebook is claiming a victory in its case regarding Facebook’s involvement in the U.S. NSA’s surveillance program after the High Court in Ireland agreed to review a complaint the group lodged with Ireland’s data protection authority. The complaint was filed by the group in June but was originally rejected by Irish Data Protection Commissioner Billy Hawkes, who will now respond to the complaint before it is reviewed by the High Court. Europe v. Facebook hopes for a ruling within the next six months.
Full Story

DATA LOSS—UK

ICO Fines Ministry of Justice After Prisoners’ Data Breached (October 24, 2013)

The Information Commissioner’s Office (ICO) has fined the Ministry of Justice 140,000 GBP, Computing reports. The fine follows a data breach affecting 1,182 prisoners after a spreadsheet containing their personal information was sent to three families of inmates. The same error was committed twice before, an investigation revealed, though those incidents went unreported. "Disclosing this information not only had the potential to put the prisoners at risk, but also risked the welfare of their families through the release of their home addresses," said the ICO’s David Smith.
Full Story

PRIVACY LAW—EU

Expert Examines Intra-EU Difference in Cookie Guidance (October 24, 2013)

An Out-Law.com feature shares advice from Pinsent Masons’ Marc Dautlich on the Article 29 Working Party’s recent guidance on cookies. The guidance “highlights a continuing lack of harmonisation on definitions central to European data protection laws, which are interpreted differently across different EU countries,” the report states. Dautlich notes such differences as varied interpretations of fundamental terms. The way those differences are “enforced by the national data protection authorities remains a key issue for the success, or otherwise, of the EU Data Protection Regulation, one of the key aims of which is better harmonisation across Europe,” the report states.
Full Story

PRIVACY LAW—BELGIUM

Commission Wants More Active Role (October 24, 2013)

Belgium’s Privacy Commission wants a more active role in checking whether organisations are breaching personal privacy, Expatica reports. While the commission will set up a special investigations team, “a change in the law will be needed before the team will be able to sanction those found to be violating privacy rules,” the report states. The Privacy Commission's Willem Debeuckelaere said, “We want to respond to the increase in complaints and the growing number of incidents.” While the Privacy Commission would like to collaborate with the Federal Police Computer Crime Unit and the Cyber Emergency team for its investigations, its first focus will remain privacy issues, the report states.
Full Story

PRIVACY LAW—FRANCE

CNIL Releases New Notification Procedure (October 24, 2013)

The Commission Nationale de l'Informatique et des Libertés (CNIL) has released a new mandatory online notification procedure for electronic communications service providers “to rapidly report data breaches to CNIL in compliance with new EC Regulation (No.611/2013),” Mondaq reports. Data breaches must be reported to the CNIL using a standardized online notification form and “must include all details set out in Annex I of the regulation and be made no later than 24 hours after the detection of the breach,” the report states, noting, “Where full details cannot be provided, organisations must make an initial notification with additional information provided no later than three days after the date of the breach.”
Full Story

ONLINE PRIVACY

Cookies’ Days Are Numbered, but Not Without a Fight (October 24, 2013)

Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology, though, may not outweigh the risks, writes David Tashroudian in this exclusive for The Privacy Advisor.

PRIVACY LAW—EU

What’s Next for the EU Regulation? (October 24, 2013)

“After nearly two years of deliberations, the European Parliament has come out of the legislative closet with its proposed view for a new EU data privacy framework,” writes Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E. “In many respects, the parliament has surprised many of its critics by delivering a draft proposal which is more measured than the European Commission's original text.” In this Privacy Perspectives installment, Ustaran lays out what he believes will happen to the proposed EU regulation and how many of the measures therein “are set to have a very direct impact on the cost of compliance.”
Full Story

ONLINE PRIVACY—EU & U.S.

France Backs Fines for Sharing with U.S. Gov’t (October 24, 2013)

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue, The Telegraph reports. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens trust,” said European Commission President José Manuel Barroso.
Full Story

DATA PROTECTION—EU & U.S.

Parliament To Vote on Suspending SWIFT (October 23, 2013)

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under the agreement, the EU provides the U.S. with EU residents’ SWIFT payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding.
Full Story

PRIVACY

Global Business? Find Privacy Allies Throughout the Company (October 23, 2013)

Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it's important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP's recent Privacy Academy in Seattle, WA.
Full Story

DATA PROTECTION—EU

LIBE Adopts Compromise Amendments; Sends Draft to Council (October 22, 2013)

The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.”

GLOBAL INTEROPERABILITY—EU & U.S.

Post LIBE Vote, Has the Safe Harbor Been Torpedoed? (October 22, 2013)

In light of the LIBE committee vote in the European Parliament, Christopher Wolf, founder and co-chair of the Future of Privacy Forum, writes, “despite the fact that a Commission-initiated review of the EU-U.S. Safe Harbor is pending, it appears the LIBE Committee effectively has called for the end of the Safe Harbor.” In this Privacy Perspectives installment, Wolf looks at Article 43a of the proposed amended EU regulation—the so-called “anti-FISA clause”—to analyze what it could mean for the Safe Harbor moving forward. Wolf warns against abandoning the Safe Harbor and asks the European Parliament and Commission to “take a deep breath, and … take a dispassionate view of (its) effectiveness” before it’s effectively “blown up.”
Full Story

PRIVACY LAW—U.S. & EU

Treacherous Waters: What the World Would Look Like Without Safe Harbor (October 22, 2013)

Following the LIBE committee’s vote on the new EU Data Protection Regulation, which would effectively nullify Safe Harbor by requiring U.S. companies to seek permission before transferring data that could be subject to a U.S. government request, it is only responsible for privacy pros to begin envisioning a world without the Safe Harbor agreement that allows data transfers between the world’s two largest trading partners. In this exclusive for Privacy Tracker, IAPP Westin Fellow Kelsey Finch lays out just what Safe Harbor is and what options companies will have for data transfer should it no longer be the law of the land. (IAPP member log-in required.)
Full Story

ONLINE PRIVACY

New Open-Sourced Browser Blocks Ads by Default (October 22, 2013)

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X, InformationWeek reports. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use the anonymous search engine DuckDuckGo. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry-standard do-not-track option have had difficulty moving forward.
Full Story

CLOUD COMPUTING—EU & U.S.

U.S. Group Lobbying To Prevent Cloud Mining in Europe (October 22, 2013)

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools, ZDNet reports. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud.
Full Story

DATA LOSS

Roundup: The Week in Breaches (October 21, 2013)

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week. In this exclusive for The Privacy Advisor, we give you a roundup.
Full Story

PRIVACY

The Big Data Fight and the Garden of Eden (October 21, 2013)

In the privacy world, we often hear the argument that, in order for the information economy to thrive, personal privacy must be leveraged—that there must be tradeoffs. In a complicated Big Data landscape, conveying transparency and consumer education are huge challenges. But in the latest iteration of the well-known TED Talks, Carnegie Mellon University researcher Alessandro Acquisti—a past co-recipient of the IAPP-Privacy Law Scholars Conference Award for his work on fairness and discrimination in job hiring practices—discusses some of his research and how it shows why privacy matters. This Privacy Perspectives post looks at Acquisti’s talk and how there may be alternative privacy solutions for consumers, businesses and policymakers alike.
Full Story

PRIVACY LAW

Legislation on the Move Globally (October 21, 2013)

This week’s Privacy Tracker legislative roundup highlights changing privacy laws from the U.S. to Bahrain. Revisions to the U.S. Telephone Consumer Protection Act went into effect last week; the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs will vote today on amendments to the proposed regulation and directive, and the Bahrain cabinet has preliminarily approved a data protection law. Meanwhile, the UK Information Commissioner’s Office is considering jail time for breaches at the same time as justifying its fining practices. (IAPP member login required.)
Full Story

PRIVACY LAW—EU & U.S.

Opinion: Legislation Can’t Stop the Orbit of Technology (October 21, 2013)

“Like the Catholic Church’s Congregation of the Index of 1616, which outlawed the movement of the Earth around the Sun, so too will the European Parliament restrict transborder data flows by legislative fiat this week,” writes Omer Tene, IAPP VP of Research and Education. “Of course,” he adds, “the flow of data across borders will not cease or even diminish.” In this Privacy Perspectives post, Tene contends that legislation—a slow-moving evolutionary process—will fail to keep up with the faster-moving technological revolution, as it has in the past.
Full Story

BIG DATA

Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)

What do you get when you put chief privacy officers from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends. In this exclusive for The Privacy Advisor, we give you the rundown on a wide-ranging discussion that provided key insights on decision-making and tactics.

WEB CONFERENCE

Where Information Security Meets Privacy Law (October 18, 2013)

Much has been said about what ought to be required of data processors and controllers with regard to securing and retaining private citizens’ personal information. But how do you marry the dual demands of securing personal data while allowing proper access to those who need it, all the while complying with applicable jurisdictional and sectoral laws? Join this virtual discussion with two seasoned Brussels-based privacy and security experts and a European regulator to hear practical solutions to these challenges, and how they relate to the proposed EU data protection regulation, during the IAPP’s web conference “Applied Privacy in the EU—Where Information Security Meets Privacy Law,” on Thursday, November 14.
More Information

TRAVELERS’ PRIVACY—EU

ECJ: Protection Against Passport Fraud Outweighs Privacy (October 18, 2013)

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU's Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said.
Full Story

PRIVACY LAW—EU

Two Years Later, LIBE To Vote on Reg (October 17, 2013)

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strasbourg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.” Meanwhile, the Financial Times has published an in-depth feature looking at the fears sparked in the EU following the Edward Snowden revelations and the upcoming vote on the regulation.
Full Story

DATA PROTECTION—UK

Gov’t To Consult on Jail Time for Breaches (October 17, 2013)

The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), Out-Law.com reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states.
Full Story

PRIVACY LAW—UK

ICO: We Do Not Discriminate (October 17, 2013)

Computing reports on the insistence of the Information Commissioner's Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion that “nobody has been ‘let off’ fines” since the ICO received the power to levy fines of up to 500,000 GBP three years ago. “I think there's certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a payday loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.”
Full Story

PRIVACY LAW—THE NETHERLANDS

Telcos, ISPs Violated EU Law (October 17, 2013)

The Dutch Ministry of Economic Affairs’ Radiocommunications Agency has found some telecommunications and Internet service providers violated the EU law “requiring the retention of communications data for the purposes of investigating, detecting and prosecuting serious crime and terrorism,” NL Times reports. The agency indicated some “used the retained data for unauthorized marketing purposes,” the report states, noting the violation did not include “major” service providers. The Radiocommunications Agency found 40 of 229 companies surveyed used information “solely for purposes other than the legally permitted processing goals.” A follow-up study is expected early next year.
Full Story

PRIVACY LAW—ESTONIA & EU

ECHR Anonymous Posting Decision Sparks Concern (October 17, 2013)

The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, "This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals' rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states.
Full Story

SOCIAL NETWORKING

Facebook Changes Teen Privacy Rules (October 17, 2013)

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.”
Full Story

MOBILE PRIVACY

Indoor Location Market Set To Boom; Privacy Concerns Loom (October 17, 2013)

In a column for MediaPost, Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe, as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, the tracking capabilities of Apple’s new iOS 7—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. Editor’s Note: The IAPP will host the web conference Brick-and-Mortar Is Back—Emerging Privacy Issues for U.S. Retailers on Thursday, October 31.
Full Story

BIG DATA

The Dangers of Democratized Big Data (October 17, 2013)

In a report for Forbes, Woodrow Hartzog and Evan Selinger write about the dangers of democratized Big Data. Whereas presently only a few organizations use Big Data tools and techniques, in looking at the democratization of myriad Internet-based technology such as apps, cloud storage and encryption, “Big Data seems next,” the report states. Facebook’s Graph Search is an example of the progression, allowing users to look at a vast amount of data to see what other users “like.” As technology advances and more users have access to Big Data analysis, “privacy through obscurity” will become increasingly important because having “to resort to a complete withdrawal from public life simply is too steep a price to pay for whatever benefits Big Data brings,” the authors write.
Full Story

PRIVACY COMMUNITY

IAPP Hits 14k Members, Expands Into New Space (October 17, 2013)

By coincidence, the IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices.
Full Story

CLOUD COMPUTING—EU

Europe Aims To Lead With the Cloud (October 17, 2013)

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection, Out-Law.com reports. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” “Trust can be restored with more transparency and the use of high standards,” the commission said. “A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential.”
Full Story

BIOMETRICS

Fingerprint Sensor: Tech Wonder or Privacy Headache? (October 16, 2013)

In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be “the most newsworthy piece of the new mobile device”—its fingerprint sensor. The sensor allows for biometric securing of what’s becoming one of the most personal devices people own. This exclusive for The Privacy Advisor offers a primer on biometrics and the potential “privacy alarms” triggered by the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.
Full Story

BIG DATA

“U.S.-Style” Data Collection Spreads Globally (October 16, 2013)

The business trend of collecting the maximum amount of information about customers and potential clients is being adopted by businesses around the world, according to Forbes. One international data catalog advertisement by California-based data broker Infocore states, “For example, you might be interested in female, affluent customers in China, Hong Kong and Singapore … From that we’ll access our repository and send you a custom data summary.” The company has access to 6.5 billion records worldwide and expects to have access to 10 billion by next year, according to the report. Infocore President and CEO Kitty Kolding said, “The data industry is very nascent right now … But there is a lot of long-term profit to be had.” In some countries, however, the data is obtained through questionable methods, Kolding said, adding, “In China, there is way more data than you would think … Some of it is dodgy.”
Full Story

PERSONAL PRIVACY

On Embarrassing Photos and Personal Accountability (October 15, 2013)

The dynamic nature of the Internet allows information to flow quickly, but when it involves embarrassing photos, it can be a very damaging experience for an individual. In a recent column for Salon, Caitlin Seida wrote about her experience of having one such photo go viral and the harm she experienced. However, Seida took steps to be accountable for the incident and took personal control over her photo. This Privacy Perspectives post looks into her incident and explores how businesses may improve their own accountability by giving users the tools to take better control over their data.
Full Story

PRIVACY LAW

Debating the “Where” of Online Jurisdiction (October 11, 2013)

In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. These cases join a long line of disputes pitting global online companies against national privacy regulators and raising to the fore the thorny questions of personal jurisdiction and applicable law on the Internet. In this exclusive for The Privacy Advisor, Westin Research Fellow Dennis Holmes examines how online jurisdiction is likely to be affected by two major upcoming factors.
Full Story

SOCIAL NETWORKING

Facebook Privacy Tool To Be Removed (October 11, 2013)

Facebook has announced the final phase of removing an old privacy feature from the site, USA TODAY reports. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting.
Full Story

DATA PROTECTION—BELGIUM & POLAND

NIK Concerned Over Data Retention; Royal Decree Requires Metadata Stored (October 10, 2013)

The Polish Supreme Control Authority (NIK) says data retention provisions in Poland do not sufficiently protect privacy and freedom of citizens against excessive interference by the state, Telecompaper reports. While the NIK believes data retention is a valuable tool for law enforcement, there is no independent body verifying the legitimacy of acquiring and using billing data, the report states. Meanwhile, Tech Dirt reports a royal decree has been passed requiring Belgian telecommunications firms, Internet service providers and others to log large amounts of metadata for one year for law enforcement purposes.
Full Story

SURVEILLANCE—UK

Group Seeking To Sue Gov’t Hits Fundraising Goal (October 10, 2013)

A group of privacy advocates aiming to take legal action against the government’s alleged surveillance activities has hit its fundraising target, IT Pro reports. After two days of fundraising, the group—which calls itself Privacy not PRISM and includes such members as Big Brother Watch and the Open Rights Group—raised £20,000. The group plans to take its case to the European Court of Human Rights.
Full Story

PRIVACY LAW—GERMANY

Court: Companies Not Responsible for Facebook’s Use of Data (October 10, 2013)

A German administrative court has ruled that German companies are not legally responsible for the way Facebook processes the personal data of people visiting the companies’ Facebook fan pages, PC World reports. In November 2011, the Office of the Data Protection Commissioner (ULD) for the German state of Schleswig-Holstein ordered companies to deactivate their Facebook fan pages or face fines, alleging Facebook violated German data protection rules by using users’ personal data for commercial purposes. Three organisations sued the ULD for the right to use Facebook, and the court has ruled that the plaintiffs “are not responsible because they neither have access to the data on a legal nor on a factual basis.”
Full Story

PRIVACY LAW—EU

Justice Ministers Support “One-Stop Shop;” DPAs Need Enforcement Power (October 10, 2013)

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organisations doing business within the EU, IDG News Service reports. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.” In a report for Out-Law.com, one expert said a “one-stop shop” framework without DPA enforcement powers would undermine intended data protection reform.
Full Story

ONLINE PRIVACY

W3C Do Not Track in Limbo (October 10, 2013)

Yesterday, the W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month, said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. In this exclusive for The Privacy Advisor, we break down the vote and comments from the voters.
Full Story

DATA LOSS

October Shaping Up To Be Month of Innumerable Breaches (October 10, 2013)

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for The Privacy Advisor, we round up an already very busy month in data breaches and responses.
Full Story

ONLINE PRIVACY

Study Looks at Privacy Personalities (October 10, 2013)

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy, The Washington Post reports. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” (Registration may be required to access this story.)
Full Story

PRIVACY IN POP CULTURE

Eggers Book Satirizes Threat to Privacy (October 10, 2013)

The Associated Press reviews Dave Eggers’ book The Circle, which satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times wonders if the novel will change the way we use technology.
Full Story

DATA LOSS

Researcher Finds Encryption Flaw in WhatsApp (October 10, 2013)

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown,” Ars Technica reports. A computer science and mathematics student wrote in a blog post published Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.”
Full Story

ONLINE PRIVACY—LUXEMBOURG & THE NETHERLANDS

Dutch DPA Unable To Take Action Against Netflix (October 9, 2013)

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg, ZDNet reports. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.”
Full Story

PRIVACY RESOURCES

Not a Big Tech Firm? We Can Still Help (October 9, 2013)

We at the IAPP know that it’s not only large organizations that struggle with privacy issues; small- and medium-sized businesses also need tools and guidance. With fewer employees and often lower budgets, smaller businesses have unique needs. This Close-Up offers tips and guidance from the experts on protecting consumer data, creating online privacy policies, minimizing human error and conducting employee background checks, among other tools. (IAPP member login required.)
Close-Up: Small- and Medium-Sized Businesses

SURVEILLANCE

EU-U.S. Safe Harbor, Australian Gov’t Actions Questioned (October 8, 2013)

Press TV reports on the European Parliament's Electronic Mass Surveillance of EU Citizens Inquiry’s discussion of the EU-U.S. Safe Harbor data sharing agreement and concerns that “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australia-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false”—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.”
Full Story

DATA PROTECTION—EU

Avoiding Breach Fines (October 8, 2013)

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes for ITProPortal, “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes.
Full Story

PRIVACY LAW—EU

Will Regulation Create Euro-Only Cloud? (October 7, 2013)

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. (Registration may be required to access this story.)
Full Story

PRIVACY LAW

Tracker Roundup: From Government Surveillance to Presumption of Harm (October 7, 2013)

While U.S. regulators mull over the need for rules surrounding drone use by law enforcement, Montana’s new gun owner healthcare privacy law has gone into effect, and California continues to shape privacy law, moving toward a “presumption of harm” in breach cases, though one op-ed claims its “revenge porn” law doesn’t do enough. A Zimbabwean law established a central SIM card database, and Australia’s information commissioner has released a best practice guide for app developers. This Privacy Tracker weekly roundup offers information on all these issues and more, including what regulators had to say at both the IAPP Privacy Academy and the 35th International Conference of Data Protection and Privacy Commissioners. (IAPP member login required.)
Full Story

DATA BREACH

2.9 Million Customers Affected by Cyber-Attack (October 4, 2013)

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.”
Full Story

PRIVACY PROFESSION

Experts Highlight Current, Future Challenges (October 4, 2013)

In an in-depth feature for Data Informed, Eric Lucas highlights just a few of the key moments from this week’s IAPP Privacy Academy in Seattle, WA, quoting key concerns and tips from some of the speakers who addressed the international attendees. Howard Schmidt, for example, highlighted the profession’s challenges stemming from the link between privacy and security, noting, “Privacy and security are two sides of the same coin. Without security, you have no privacy. Privacy is the goal, security is the means.” Lucas also quotes several other privacy professionals, including keynote speaker Stewart Baker’s discussion of the “privacy panic” that spurred American privacy law. Meanwhile, Inside Counsel looks at how CPOs manage risk, focusing on insights from experts including Maureen Cooney, CIPP/US, CIPP/G, and Nuala O’Connor, CIPP/US, CIPP/G, at the recent Women, Influence and Power in Law conference.
Full Story

PRIVACY LAW—EU & UK

Privacy Groups Taking GCHQ To Court (October 3, 2013)

Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHQ’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.”
Full Story

DATA PROTECTION—UK

ICO Opens Consultation on PIA Code of Practice (October 3, 2013)

The UK Information Commissioner’s Office (ICO) has opened a consultation on a new draft Code of Practice for conducting privacy impact assessments, according to a release from law firm Nabarro. The draft code will replace the ICO’s current privacy impact assessment handbook and is “essential reading for all data controllers … because privacy impact assessments are rapidly becoming a vital tool in any data controller’s data protection compliance programme,” the report states. “This importance will only increase when the new General Data Protection Regulation comes into force.”
Full Story

EMPLOYEE PRIVACY—MALTA

DPA To Probe HR Mobile Disclosure Requirement (October 3, 2013)

The Times of Malta reports that the nation’s data protection authority has said a new requirement by Enemalta’s HR department may be in breach of data protection law. The organisation sent out a circular asking employees for their “personal” mobile phone numbers and e-mail addresses. Commissioner Joseph Ebejer said the requirement may be in violation of existing law.
Full Story

PRIVACY—THE NETHERLANDS

Gov’t Wants Input on Cookie Rules Change (October 3, 2013)

The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from the rules: where browsers allow users to actively configure their settings, implicit consent may be an acceptable method of obtaining consent, the report states.
Full Story

HEALTHCARE PRIVACY—UK

MP Warns of NHS Patient Data Grab Plan (October 3, 2013)

Wirral Euro MP Paul Nuttall has warned about a proposed NHS “information grab,” Wirral Globe reports. GP practices have been contacted by NHS England with details of a plan to access patient data that would require unwilling patients to opt out. “We all know how notorious government computer schemes are … and how can we be sure what will eventually happen to this information?” Nuttall questioned. He added he is “not happy about how this is being implemented.”
Full Story

PRIVACY LAW—EU

At Academy, Experts Weigh In on Regulation (October 3, 2013)

The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes, Bird & Bird Partner Ruth Boardman and Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E. This exclusive for The Privacy Advisor examines the perceived rut the regulation is in—with McDougall suggesting it is on step one of 30—and what should be expected with a potential regulation, including predictions it will be more prescriptive around data retention. Meanwhile, reports suggest more than one third of smaller EU firms “are risking prosecution under data retention laws by hoarding data beyond the scope and period required by law.”

BIG DATA

Opinion: Why Data Center Locations Matter (October 3, 2013)

Andy Thurai and David Houlding of Intel write for Venture Beat about the importance of controlling where data is stored and processed in the age of Big Data and varied laws across the globe. “While most Big Data providers are able to provide security for the storage and transmission of sensitive data, most implementations that we see don’t provide location transparency or location-contingent data processing,” the authors write, adding, “imagine the power of users being able to choose where their data is processed or stored.” The authors suggest allowing consumers to choose the location and security level of their data and offer technical solutions to make that possible.
Full Story

SOCIAL NETWORKING—EU & IRELAND

Privacy Group Receives Facebook Response (October 2, 2013)

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website today, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision.

PRIVACY COMMUNITY

Callahan Named Vanguard; Innovation Award Recipients Announced (October 2, 2013)

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, CIPP/US, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs.

SURVEILLANCE—EU & U.S.

MEPs Discuss Future of EU-U.S. Trade; Scalia Suggests Privacy Isn’t Protected (October 1, 2013)

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries’ surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, “not privacy, per se.” Separately, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications.

DATA LOSS

Amidst Myriad Breach Reports, Tips Offered (October 1, 2013)

It is shaping up to be a busy week for data breach incidents. Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners, ITPro UK reports. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, Krebs on Security reports the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents.

PRIVACY BUSINESS

Experian Buys Fraud Detection Firm for $324 Million (October 1, 2013)

Reuters reports that Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication.