European Data Protection Digest

We have a long weekend—and hopefully some good weather—ahead of us, so right now our minds are probably focused more on Easter eggs and chocolate bunnies (in my case also my mother’s lasagna on Sunday) than on data protection developments. Nevertheless, this spring is bound to be a busy one for privacy pros—not that we actually had a dull moment in the past year or so.

At the IAPP, we are working hard to help our members stay on top of things: Our upcoming European Data Protection Intensive will be a great way to kick-start the second quarter of the year. As usual, rendezvous in London for an intense programme, great networking—including our special Privacy Social reception at the Guildhall—and CIPP and CIPM certification training and testing. Preconference workshops are not bad either.

But since he who hesitates is lost, work is already underway also for IAPP Europe’s flagship event, the Data Protection Congress, which will be in Brussels again this year, on 19 and 20 November to be precise. The call for proposals for the Congress is open, and submissions will be accepted until 9 May, so do send us your ideas or feel free to forward the call for proposals link to someone who might be interested.

In the meantime, though, Happy Easter!

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

CLOUD COMPUTING—EU

Parliament Backs New Cloud Resolution (December 19, 2013)

The European Parliament is backing a new cloud computing resolution “in response to actions the European Commission (EC) has set out under its cloud computing strategy,” Out-Law.com reports. The EC is engaging the European Telecommunications Standards Institute (ETSI) to help determine the new standards required for cloud services, the report states. In their resolution, MEPs welcomed ETSI's participation, noting the standards "should enable easy and complete data and service portability, and a high degree of interoperability between cloud services, in order to increase rather than limit competitiveness.” The resolution also asks the commission to provide guidelines for businesses to "ensure full compliance with the EU’s fundamental rights and data protection obligations."
Full Story

DATA PROTECTION—EU

EDPS Releases 2014 Inventory (December 19, 2013)

The European Data Protection Supervisor (EDPS) has released its 2014 inventory, a strategic planning document highlighting key areas of focus for the year ahead. "As the second mandate of the EDPS will come to an end in early 2014, it is appropriate to highlight that privacy and data protection have now become relevant in a wide range of EU policies,” said outgoing EDPS Peter Hustinx, adding, “The recognition of privacy and data protection as fundamental rights means that their delivery in practice must remain a high priority on the EU political agenda.” Among the key areas of strategic importance for 2014 are a new legal framework for data protection and rebuilding trust in global data flows.
Full Story

ONLINE PRIVACY—FRANCE

CNIL Issues Cookie Guidance, Calls for Debate on “Surveillance Society” (December 19, 2013)

The CNIL has released FAQs, along with technical tools, “providing guidance on how to obtain consent for the use of cookies and similar technologies in compliance with EU and French data protection requirements,” Hunton & Williams’ Privacy and Information Security Law Blog reports. “The CNIL’s guidance indicates that this obligation applies to website publishers, operating system and application publishers, advertising networks, social networks and website analytics solutions providers,” and “only certain cookies are exempt from the consent requirement under French data protection law,” the report states. Meanwhile, the CNIL’s Isabelle Falque-Pierrotin is calling for a national debate on the “surveillance society.”
Full Story

DATA PROTECTION—TURKEY & UK

Loan Company Fined; Researchers Cite Breach Concerns (December 19, 2013)

KONDA research company has announced that Russian hackers accessed 54 million Turkish citizens’ ID information “because Turkey’s political parties and the country’s Supreme Election Committee share voters’ personal information,” The Journal of Turkish Weekly reports. Meanwhile, in the UK, a new survey commissioned by the Department for Business, Innovation and Skills has found “93 percent of large organisations experienced a security breach last year,” ITProPortal reports, noting that figure remains “largely unchanged” from 2012. However, smaller businesses saw an increase, with 87 percent reporting data breaches this year as compared to 76 percent in 2012, the report states. And the Information Commissioner’s Office has fined First Financial, a payday loans company, 175,000 GBP after it sent “millions of text messages to consumers without having their consent,” Out-Law.com reports.
Full Story

PRIVACY LAW—ITALY

Garante Addresses Traffic Data, Rules for Data Subject in Debt Collection Case (December 19, 2013)

Writing for The Privacy Advisor, Panetta & Associati’s Rocco Panetta examines two recent actions by Italy’s DPA, the Garante. The Garante “has forbidden certain unlawful data processing to a foreign company by prescribing to the latter a set of technical and organizational measures,” Panetta writes, detailing the Garante’s resolutions in the matter. In a second case, Panetta writes, the DPA “has ruled in favor of a citizen—holder of a loan agreement with a bank—that had received pre-recorded telephone calls from the bank, as payment reminder, that could have been heard by other persons who did not have the right to know information about the loan.”
Full Story

MOBILE PRIVACY—UK

ICO Guidance Cautions App Developers About Customer Data (December 19, 2013)

New guidance issued by the Information Commissioner’s Office (ICO) cautions app developers to “ensure they do not misuse customers' data,” BBC News reports. Noting statistics involving app users’ decisions not to download apps due to privacy concerns, the ICO recommends clarity about what user data is accessed and why. "The app industry is one of the fastest growing in the UK, but our survey shows almost half of people have rejected an app due to privacy concerns," the ICO’s Simon Rice said, adding, “It is important that developers tackle this issue by making sure their apps look after personal information correctly.”
Full Story

DATA RETENTION—SWEDEN

PTS Studying How Telecoms Store Information (December 19, 2013)

PTS, Sweden’s postal and telecoms oversight authority, will conduct two studies on how telecoms store information with the goal of providing less-complicated guidance, Telecompaper reports. “PTS wants to look at how the data retention rules are being followed,” the report states, and will examine “how long commercial information is kept for and how it is sorted.” PTS will also look at the ways operators handle “customer communication data beyond purposes expressly set out by law” and how consent is obtained.
Full Story

DATA TRANSFER—EU & U.S.

LIBE Committee: Suspend Safe Harbor, Create EU Cloud, Don’t Negotiate on Privacy (December 19, 2013)

A preliminary conclusion by the European Parliament’s Civil Liberties Committee (LIBE) into the surveillance of EU citizens by the U.S. National Security Agency recommends that the parliament agree to a trade deal with the U.S. only if it does not mention data protection and that Safe Harbor be suspended, according to its website. Lead MEP Claude Moraes also recommended the “swift” creation of an EU data storage cloud and judicial redress for EU citizens to protect their data in the U.S. Meanwhile, the UN General Assembly unanimously adopted a resolution calling for protecting the right to privacy against unlawful surveillance, according to the Associated Press. The resolution calls on all 193 UN member states “to respect and protect the right to privacy, including in the context of digital communication.”
Full Story

PRIVACY COMMUNITY—GERMANY

German Parliament Elects New Federal Data Protection Commissioner (December 19, 2013)

With Peter Schaar leaving the position of German Federal Data Protection Commissioner on December 17 after 10 years of service, the coalition German government needed to nominate a replacement for confirmation in the Bundestag. On Thursday, they appointed Andrea Voßhoff, a member of the conservative-leaning Christian Democratic Union who served in the Bundestag from 1998 through 2013. Generally unknown to the privacy community, Voßhoff has received a negative initial reception from some privacy advocates: German MEP Jan Philipp Albrecht strenuously objected to her nomination, saying on Twitter that her confirmation would amount to an “abolition” of the office. In this exclusive for The Privacy Advisor, Jörg Hladjk, counsel at Hunton & Williams and German-qualified attorney with a German PhD in privacy, expounds upon the three main challenges Voßhoff faces as she enters her five-year term.
Full Story

PRIVACY LAW—EU & U.S.

DPC Makes Headlines; Official Says Regulation Won’t Hurt Business (December 19, 2013)

At the IAPP’s Data Protection Congress in Brussels last week, experts discussed the forthcoming European privacy requirements, which are “almost certain to slow the current headlong rush toward massive data collection, analysis, use and sale,” DataInformed reports. European Commission Director of Fundamental Rights Paul Nemitz dismissed concerns that the regulation will hurt business, saying privacy will instead become a competitive advantage. Out-Law.com quotes European Commissioner Neelie Kroes's speech, delivered at the event by Kroes' Head of Cabinet Constantijn van Oranje-Nassau, in favor of reforms such as companies being able to process pseudonymized data without consent, and Bloomberg reports on U.S. Federal Trade Commissioner Julie Brill defending the Safe Harbor program during the DPC’s opening session.
Full Story

PRIVACY LAW—EU

Yes, Consent Is Dead and Giving It a Central Role Is Dangerous (December 18, 2013)

At the just-concluded IAPP Data Protection Congress in Brussels, the audience heard a bold proposal from closing keynote Viktor Mayer-Schönberger: “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” Contemporary ideas of notice and consent, he argued, are a farce. In this installment of Privacy Perspectives, Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E, explores the role of consent, noting that EU data protection law is predicated on it. “But does this approach still hold true?” he asks. “Can we—as individuals—really have a meaningful degree of control over the vast amount of information we generate?”

PRIVACY EDUCATION

IAPP Offers New Suite of Web Conferences (December 18, 2013)

The IAPP has announced an integrated suite of web conferences to allow members to access far more of this valuable content while providing an opportunity for certified members to acquire up to 14 free Continuing Privacy Education hours in 2014. This feature for The Privacy Advisor details the full schedule of programs, which includes the Insight Series, Access Series and Innovation Series. We hope you will take advantage of these new opportunities for education to help you with your day-to-day operations and to further augment the body of knowledge developed through CIPP or CIPM certification.
Full Story

PRIVACY LAW—ITALY

Supreme Court Acquits Google Execs in Privacy Case (December 18, 2013)

According to his personal blog, Google Global Privacy Counsel Peter Fleischer and two additional “Googlers” have been acquitted by the Italian Supreme Court of violating Italian privacy law. In 2010, an Italian court convicted the three employees for failing to comply with Italian privacy code in the case of a disparaging video of a young person that appeared online. “An eight-year legal saga has now come to an end,” wrote Fleischer, adding, “And although I have never met him, I hope that young man who was humiliated in the video that generated this case lives with dignity and happiness.” Fleischer also said the Supreme Court “will issue its written opinion in due course.”
Full Story

SURVEILLANCE—EU & U.S.

Brawling Over Government Access: “Have You Been NSA’d?” (December 17, 2013)

The most fiery discussion at the IAPP Data Protection Congress in Brussels last week came during its final session, with IAPP VP of Research and Education Omer Tene doing his best to referee a conversation between former NSA General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philipp Albrecht. In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details some of the highlights from the session, “Have You Been NSA’d? Government Access and the New EU Regulation,” and provides full audio of the discussion.
Full Story

PERSONAL PRIVACY

The Privacy Implications of Data-Driven Dating (December 17, 2013)

“When we talk about Big Data, we mostly refer to large-scale conglomerations of information about our collective behavior, aggregated by governments and big corporations,” writes Karen Levy of Princeton University. “But there’s another way data have become big: Our interpersonal connections are being infiltrated by data to an unprecedented degree, changing how we relate to one another,” she adds. This post for Privacy Perspectives looks into the range of apps and technology that allow individuals to gather, interpret and deploy data and not only be “passive data points about whom data is collected and aggregated.”
Full Story

PRIVACY COMMUNITY

Ten Years and Two Terms Later, a Look at Peter Hustinx’s Legacy (December 17, 2013)

European Data Protection Supervisor (EDPS) Peter Hustinx’s second five-year term ends this month, and a new leader will soon be appointed. It is worth taking time to note that those who live and breathe European data protection nearly universally agree Hustinx leaves behind both a sterling reputation and an agency that’s evolved into an influential and highly respected supervisory authority since its establishment in 2004. In this exclusive for The Privacy Advisor, Angelique Carson, CIPP/US, speaks with Willem Debeuckelaere, Chris Doxsey, Dimitrios Droutsas, Sophie in ‘t Veld, Billy Hawkes and Christopher Wolf about the legacy Hustinx leaves behind and the shoes his successor will have to fill.
Full Story

PRIVACY ART

The Privacy Messages Sent Through Art (December 16, 2013)

Last year, approximately 4.7 million passwords were stolen from LinkedIn and leaked online. To many, it was a concerning development, but for one person, the event provided an opportunity to make art. Conceptual artist Aram Bartholl has unveiled “Forgot Your Password,” an exhibit featuring eight books containing all the passwords arranged in alphabetical order, now on display in Germany. This is just one of countless artistic creations riffing on privacy in the modern world. This Privacy Perspectives post looks into a variety of artistic expressions of privacy, including a look at the IAPP’s Art Gallery.
Full Story

PRIVACY LAW

U.S. and French Laws, EU Retention Directive Under Fire (December 16, 2013)

France is receiving criticism for a new law expanding government agencies’ access to Internet data; a European Court of Justice advocate has deemed the retention directive in violation of citizens’ fundamental privacy rights, and in the U.S., a petition to update the Electronic Communications Privacy Act has received more than 100,000 signatures. This week, Privacy Tracker reports on these developments as well as new administrative measures for Chinese credit reference agencies, U.S. states’ challenges to NSA surveillance and new fining powers for the Dutch data protection authority. (IAPP member login required.)
Full Story

MOBILE PRIVACY—UK & U.S.

Removal of Privacy Feature Criticized; UK High Court To Rule on Google Case (December 16, 2013)

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.”
Full Story

ONLINE PRIVACY

Bilton: “Anyone Who Can Watch You Will” (December 16, 2013)

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” (Registration may be required to access this story.)
Full Story

EMPLOYEE PRIVACY—FRANCE

IKEA Spying Allegations Shock Nation (December 16, 2013)

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” (Registration may be required to access this story.)
Full Story

DATA PROTECTION

The EU and APEC: A Roadmap for Global Interoperability? (December 13, 2013)

The steady stream of media reports on the privacy differences between the EU and the U.S. would have you believe that cross-border data sharing is nothing but storm clouds over the Atlantic. There is, however, a bright spot for cross-border information flows if we turn our attention to the Pacific. In this exclusive for The Privacy Advisor, John Kropf, CIPP/US, CIPP/G, and Malcolm Crompton, CIPP/US, look at data transfers in the APEC region, suggesting other regions take heed.
Full Story

ONLINE PRIVACY

Google To Cache All Gmail Images, To Some Confusion (December 13, 2013)

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users.
Full Story

PRIVACY COMMUNITY—GERMANY

German DPA Peter Schaar Retiring (December 12, 2013)

Peter Schaar, who has served as Germany’s federal data protection commissioner for the last 10 years, has announced he will be retiring, Deutsche Welle reports. Schaar has been an outspoken critic of the blanket-expansion of video surveillance, the anti-terror database, the surveillance of personal computers and the SWIFT agreement between the U.S. and EU. So far, no successor has been named to replace Schaar, who will serve until 17 December. He also recently said that the “issue of data protection is more strongly anchored in public debate than it was 10 years ago.” Schaar will continue to serve as chairman of the European Academy for Freedom of Information and Data Protection.
Full Story

DATA RETENTION—EU

EU Advocate General Urges Fix To Retention Directive (December 12, 2013)

The EU’s advocate general, its top legal advisor, has urged legislators to revamp the often-controversial Data Retention Directive from 2006, GigaOM reports. The directive compels member states to transpose into law requirements for telecommunications providers to retain metadata to help combat terrorism. However, Advocate General Pedro Cruz Villalón said the law violates people’s fundamental right to privacy because it does not provide data security guidance for participating nations. A statement from the Court of Justice of the European Union suggests, “There is, moreover, an increased risk that the retained data might be used for unlawful purposes which are potentially detrimental to privacy or, more broadly, fraudulent or even malicious.”
Full Story

HEALTHCARE PRIVACY—POLAND

Legal Framework Proposed (December 12, 2013)

Polish legislative bodies have proposed a legal framework for the processing of medical data in electronic form. “The changes will influence both the public and private medical sectors and may lead to new business models within the healthcare sector,” writes Marcin Lewoszewski of CMS Cameron McKenna in this exclusive for The Privacy Advisor. Healthcare providers and service providers will need to meet requirements from the data protection act, including entering into trusted agreements and applying security measures in line with Polish data protection law. The new law is expected to be passed in 2014.
Full Story

DATA PROTECTION—IRELAND

Opinion: Big Data Investment Requires Better Regulation (December 12, 2013)

In a column for Independent.ie, Simon McGarr points out that Ireland Data Protection Commissioner Billy Hawkes “regulates the combined personal data of billions of users of Facebook, Google, LinkedIn, Apple and Twitter by virtue of their investments here.” McGarr expresses concern that the commissioner’s office has sent “signals that Ireland isn’t serious about the data industry and doesn’t understand what is really needed to attract long-term investment…” For a positive example, McGarr highlights the insurance regulatory regime in London—something he refers to as “world-class” as it provides businesses with certainty and financial rewards.
Full Story

BIG DATA

At DPC: Out with Notice and Consent, In with Data Use Regulation (December 12, 2013)

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” This exclusive for The Privacy Advisor examines this idea of holding users accountable, whether they have persuaded a consumer to provide consent by clicking a button or not.

PRIVACY LAW—THE NETHERLANDS

New Fining Powers Expected in 2015 (December 12, 2013)

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. In this exclusive for The Privacy Advisor, Jeroen Terstegge, CIPP/US, examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015.
Full Story

CLOUD COMPUTING

Snowden Leaks “Gumming Up” Cloud Industry (December 12, 2013)

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry, CNET News reports. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.”
Full Story

PRIVACY LAW—EU

DPAs Say They Aren’t Ready for Reg (December 12, 2013)

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue, PCWorld reports. Irish Data Protection Commissioner Billy Hawkes says, under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules.
Full Story

DATA TRANSFER—EU & U.S.

EU, U.S. Officials Indicate Potential Privacy Agreement at DPC (December 11, 2013)

The keynote stage here at the IAPP Data Protection Congress in Brussels became a diplomatic back-and-forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue.

GEO PRIVACY

Twitter Partnership Aims To Bolster Location Services (December 11, 2013)

According to MediaPost News, Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users.
Full Story

PRIVACY COMMUNITY

Looking for Love? Try a Privacy Conference (December 11, 2013)

It was winter of 2011, and Rob Gratchner just had to get to the IAPP's Data Protection Congress. His then-girlfriend, now Amanda Gratchner, was attending, and where better to ask her to marry him? But there was a hiccup. A big one. The Paris event was sold out. Despite his pleas to the powers that be at the IAPP, he couldn't get in. "I went to Paris by myself," Amanda says with a bit of a playful tone. But two months later, in Seattle, WA, at the spot where they first kissed, Rob proposed. In this feature, IAPP Associate Editor Angelique Carson, CIPP/US, talks with three couples who found their work in the privacy field—and their spouses, too.
Full Story

DATA LOSS—SWEDEN & U.S.

Breaches Affect Health Providers, College System and Discussion Forum (December 11, 2013)

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, NJ.com reports. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and the publication breached privacy policies to gain the information.
Full Story

DATA PROTECTION—EU

Live from DPC: Top Audit Failure Points May Not Be What You’d Expect (December 10, 2013)

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list.

PRIVACY

Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan (December 10, 2013)

In part five of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores building an audit plan, which she says is essential. A few basic steps can help you to prepare and simplify the process, she says. "Writing down all of the details will solidify your plan. You may not be audited right away, and people tend to forget everything that you have told them and panic when they hear the word 'audit.' Having this information written down will help keep everyone focused and moving the same direction," she writes.
Full Story

GEO PRIVACY

AVG Unveils WiFi Do-Not-Track App for Mobile (December 10, 2013)

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking, Forbes reports. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” In October, Daily Dashboard reported on an initiative by the Wireless Registry and the Future of Privacy Forum to offer a brick-and-mortar Do-Not-Track registry for MAC addresses.

SURVEILLANCE

Tech Giants Urge Global Surveillance Reform (December 9, 2013)

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website reformgovernmentsurveillance.com to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data.

PRIVACY LAW

Regulators Across the Globe Taking Action (December 9, 2013)

From the U.S. Federal Trade Commission (FTC) to the Dutch Data Protection Authority (DPA), regulators are asserting themselves in consumer privacy issues. This Privacy Tracker weekly legislative roundup offers information on the FTC’s settlement with a flashlight app developer, as well as its plans for the upcoming year, and the Dutch DPA’s findings in its investigation of Google’s privacy policy. Meanwhile, the UK Information Commissioner’s Office announced that pending new pan-Europe legislation will result in significant budget losses, causing it to restructure; some are calling U.S. state attorneys general the most important privacy regulators in the country, and BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. (IAPP member login required.)

DATA PROTECTION—EU

One-Stop-Shop Principle Delays Progress on Reg (December 9, 2013)

The proposed EU Data Protection Regulation suffered a setback last week when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year, EU Observer reports. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights.

PRIVACY PROFESSION

What Makes a Good Privacy Pro? (December 6, 2013)

“For companies striving to maintain compliance with myriad global data protection and privacy rules, and keeping up with future developments, the privacy professional is key,” writes Reed Elsevier Senior Director of Privacy and Data Protection Emma Butler. “Increasingly,” she points out, “companies seem to think that they have to hire qualified lawyers to fulfil this role, but is that really the case?” This Privacy Perspectives post looks into this question and asks if a business wants “a lawyer who just advises on the interpretation of the law and leaves decision-making on privacy and subsequent implementation to the business? Or do you want a practitioner who can drive the privacy program from the ground up, making key decisions and delivering privacy effectively across the business?”

DATA LOSS

Breach May Hit 465,000 Cardholders; 2M Passwords Stolen (December 6, 2013)

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cyberthieves, Reuters reports. The cards were used by corporations to pay employees and by government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports, in a separate incident, keylogging software that has been installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo.

ONLINE PRIVACY—EU

Kroes: Data Protection—Not Protectionism—Is Needed (December 5, 2013)

European Commission Vice-President and Commissioner for the Digital Agenda Neelie Kroes writes for the World Economic Forum’s blog, “We should not sit like rabbits in the headlights in the face of scandals or allow trust in the Internet to collapse.” Kroes suggests that “proper and clever use of data requires a lot more than data protection laws. If your home or office has been burgled, you don’t just call a lawyer: You get a better lock.” Noting that consumers “won’t use what they don’t trust,” Kroes writes, “I support data protection not data protectionism.” Her post includes recommendations for seeing “data as an opportunity … to make our lives easier and grow our economies.”

BIG DATA—UK

Poll: Consumers Reticent To Share Personal Info (December 5, 2013)

Financial Times reports on a YouGov poll indicating UK respondents “are increasingly wary of giving companies access to their personal information, suggesting that the so-called Big Data revolution may yet face serious obstacles.” Only two percent of respondents indicated they would be “more willing” to share personal data in the next five years. “Companies need to realise that a backlash is building among consumers,” said Steve Wilkinson, a partner at EY, which commissioned the survey. Big Brother Watch’s Nick Pickles said the organisation receives “regular inquiries from people asking which banks or phone companies respect privacy,” the report notes. (Registration may be required to access this story.)

CHILDREN’S PRIVACY—THE NETHERLANDS

Ombudsman Examining Social Media Abuse (December 5, 2013)

Children's Ombudsman Marc Dullaert has begun an inquiry into the ways children’s privacy rights are “being infringed on social media networks,” Dutch News reports, noting Dullaert is concerned with how social media sites are using children’s photographs and personal data. “The ombudsman's concern stems from the case of a 13-year-old boy whose photograph has been used for dozens of fake websites and abusive messages within the Netherlands and abroad,” the report states. The boy’s family has had little success in efforts to have online companies remove the posts and photos.

DATA PROTECTION—UK

Pan-Euro Law Likely Means ICO Restructuring (December 5, 2013)

SC Magazine reports that pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February.

DATA LOSS

Breach Insurance Often Provides Access To Networks (December 5, 2013)

Cyber liability and data breach insurance specialist Ian Birdsey says companies can gain access to the network of experts they need if they take out cyber insurance policies, Out-Law.com reports. The market for such plans is growing, Birdsey said. “A comprehensive incident response plan is likely to include reference to a network of experts in different jurisdictions who can help businesses with services ranging from IT forensics, PR, credit monitoring, customer engagement and general crises management.”

PRIVACY LAW—EU

Draft EU Data Protection Package: A History and Look to the Finish Line (December 5, 2013)

Reforming the outdated EU legislative framework governing data protection was always going to be a daunting task, but the Snowden revelations certainly haven’t made things easier. Nóra Ní Loideain examines in this exclusive for The Privacy Advisor the underpinnings of what has led to the EU Data Protection Reform’s current state and looks at whether the Greek or Italian presidencies will be able to push through a package that has so far eluded Denmark, Cyprus, Ireland and now Lithuania. Will it be done before the parliamentary elections in May? It’s now looking increasingly unlikely.

DATA SECURITY—UK

Just Nine Percent of Customers Have Faith Brands Will Secure Their Data (December 5, 2013)

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20 percent said they would inform police of a data loss, considering it a criminal offense, and 63 percent said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said Fujitsu CSO UK & Ireland David Robinson. Research was conducted by OnePoll, an independent research consultancy based in London. The consumers in the UK completed an online survey in October.

INFORMATION SECURITY

Researchers Create Malware Able To Jump Non-Connected Devices (December 4, 2013)

Ars Technica reports on newly developed malware capable of communicating between devices not connected to any active networks. The malware now threatens the “air gap” often used to protect data, the report states. Researchers were able to use the built-in microphones and speakers within PCs to establish communication via inaudible audio signals within a distance of 65 feet. The proof-of-concept software has been outlined in the Journal of Communications. In the report, the researchers said, “The concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered.”

PRIVACY LAW—EU

Member States Need More Time with Regulation Proposal (December 4, 2013)

Bloomberg reports the EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht.

PRIVACY LAW—EU & U.S.

Legal Reform Needed in U.S., Not Just Europe (December 3, 2013)

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror.

DATA LOSS

Roundup: Breaches Abound; Outcomes Announced (December 3, 2013)

Across the globe, reports of data breaches—and the outcomes of past data loss incidents—continue to make headlines. This roundup for The Privacy Advisor examines some of the most recent breach headlines, including a breach at Arizona’s Maricopa County Community College District in the U.S. that has cost the district millions and required it to notify “nearly 2.5 million students, former students, employees and vendors that hackers may have compromised their personal information,” as well as incidents involving Vodafone Iceland, the Australian Broadcasting Corporation and a UK council. The report also highlights recent legal and data protection authority actions from across the globe.

ONLINE PRIVACY

Social Media Guru Deletes Facebook Account, Citing Need To “Take a Stand” (December 3, 2013)

Danny Brown, co-author of Influence Marketing: How To Create, Manage and Measure Brand Influencers in Social Media Marketing and author of HubSpot’s “#1 marketing blog in the world,” announced yesterday he has deleted his personal Facebook account because “at some point, we need to take a stand for our privacy.” Admitting he understands the irony of a marketer who uses social media data as a key part of strategic planning complaining about Facebook privacy, Brown says he simply can’t trust the product any longer and, as a marketer, no longer even trusts that the user data is being created by the users themselves. He understands the concept of “being the product” but now feels “it’s essentially a target on your data forehead, and hunting season is always open.”

ONLINE PRIVACY

New Study Uses Bots To Track the Trackers (December 3, 2013)

Forbes reports on a new study led by researchers at Princeton University and Belgium’s KU Leuven to discover patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.”

PRIVACY LAW

Safe Harbor Revelations and Global Developments (December 2, 2013)

This week’s Privacy Tracker legislative roundup includes the IAPP’s coverage of the European Commission’s report critiquing the EU-U.S. Safe Harbor agreement and offering the U.S. 13 ways to save it, and insight from Eduardo Ustaran, CIPP/E, on the report. You’ll also find information on the United Nations’ approval of an unlawful surveillance resolution, why India may have to wait a little longer for a privacy law and South Africa’s new law. In the U.S., more regions are considering social media laws and DNA databases, and courts have decided cases relating to COPPA and consumer privacy.

PRIVACY LAW—THE NETHERLANDS

Dutch DPA Says Google Policy Violates Law (December 2, 2013)

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.”

BIOMETRICS

Advancements in Facial Recognition Raise Privacy Questions (December 2, 2013)

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust,” The New York Times reports. While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” (Registration may be required to access this story.)