News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Global Privacy Dispatches Related reading: Reducing risks and valuing compliance with the European Data Protection Seal under the GDPR 

rss_feed

CANADA
By Terry McQuay

Privacy Law Report Calls for Breach Notice Provision
The much-anticipated report of the Parliamentary Committee that conducted the statutory 5-year review of Canada's privacy law - the Personal Information Protection and Electronic Documents Act (PIPEDA) - was tabled recently in the House of Commons.

The report calls for limited changes to PIPEDA at this time, making 25 recommendations, many of which aim for greater harmonization among the federal privacy law and the provinces of Quebec, Alberta and British Columbia, all of which have substantially similar private sector data protection laws.
Some of the Commons Committee on Access to Information, Privacy Ethics recommendations are:

  • The act be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the privacy commissioner. The committee also recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a "without consent" power to notify credit bureaus in order to help protect consumers from identity theft and fraud.
  • The federal Privacy Commissioner should not be granted order-making powers at this time.
  • No amendment be made to PIPEDA with respect to the privacy commissioner's discretionary power to publicly name organizations in the public interest.
  • A definition of "business contact information" be added to PIPEDA.
  • PIPEDA be amended to clarify the form and adequacy of consent required by it, referring to the Alberta and B.C. acts to better distinguish between express, implied and deemed/opt-out consent.
  • The federal government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amending PIPEDA in this regard.
  • No amendments be made to PIPEDA with respect to the transborder flow of personal information.

The report will now be considered by the federal government for any further action.

Terry McQuay, CIPP, CIPP/C, is the Founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.

EU
By Steve Kenny

Member States face Sept. 15 Deadline to Comply with Data Retention Directive
The 2006/24/EC directive on the retention of data amends directive 2002/58/EC, and must be brought into place by all member states by Sept. 15, 2007. Due to national security concerns, the new directive obliges public telephony operators and Internet service providers to retain personal data, such as the calling number, the user ID, and the identity of a user of an IP address, for a period of 6 to 24 months. EU member states are expected to implement widely varying compliance requirements at or above the minimum compliance requirements of this directive.

Steve Kenny is Principal Advisor, Privacy Services Leader for KPMG, based in London. He may be reached at

steve.kenny@KPMG.co.uk.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

FRANCE
By Pascale Gelly

Short Privacy Notices? Not in France!
A new decree (25 March 2007) addresses the content and medium of privacy notices. Individuals must be provided with the contact details of the department in charge of receiving requests for access, objection and rectification.

In addition, in case of transfers outside the EU, the notice must list the countries to which data is transferred; the nature of the transferred data; the categories of recipients; the level of protection given by the importing countries; the references to the European Commission adequacy decision if the importing country is "adequate," and if not, the references to the Commission Nationale de l'Informatique et des Libertés (CNIL) authorization; or the exception justifying the data transfer. In addition, the data privacy notice must be posted on the data collection document.

When data is collected remotely, the notice must be read to the concerned individuals who must be offered to receive a copy in writing. The decree also states the conditions under which data subjects can exercise their data protection rights; how data controllers must comply with them; and provisions relating to international data transfers. In particular, the authorization procedure for data transfers before the CNIL should last two months (can be extended by two additional months). However, if the CNIL does not answer, that must be regarded as a refusal.

CNIL Fines Another Multinational Company
After having sanctioned the Crédit Lyonnais last summer, the CNIL has issued its second-highest fine against the French affiliate of the group Tyco Healthcare. The company, after the receipt of an injunction notice by the CNIL to provide information relating to an HR database for the global management of careers, responded that it had suspended the processing of what the CNIL Secretary General characterizes as a "computerized monster."

According to the CNIL, "An on-site investigation showed that not only the implementation of the database had not been suspended but it was used and updated regularly in spite of the numerous legal uncertainties raised by the CNIL (among others: purposes, international data transfers and security.)"

Sanction: 30,000 Euros for lack of response to the CNIL queries, provision of inaccurate information and non-suspension of the processing.

Access by Employees to Performance Evaluation
Following complaints made against a multinational company, the CNIL recently has reminded that "… 'ranking' and 'potential' are data elements which must be made available to an employee if they have been taken into consideration to make a decision about a raise, a promotion, an assignment, etc."

CNIL Rejects Centralized Databases of Credit Holders in France
Experian has re-opened a debate addressed by the CNIL in a 2005 report by requesting the CNIL's authorization for a database to be fed by credit institutions with information about their customers, the financing contracts they concluded and the status of reimbursement.

The CNIL refused to approve the project, pointing to issues such as the lack of proportionality and transparency and restating its previous finding that "only a law could specify the purposes and content of such databases … ." The CNIL has expressed reluctance in the past about positive databases and shown preference for negative databases containing only information about incidents.

Pascale Gelly is Avocat à la Cour within SCM Lambot Gelly Soyer. She may be reached at

pg@pascalegelly.com.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

SINGAPORE
By K.K. Lim

Singapore Spam Control Act 2007
Singapore's Parliament passed the anti-spam bill on April 12, 2007, which will become law once it is published in the Government Gazette.

A spam is defined as unsolicited commercial communication, such as electronic mail and mobile text or multimedia messages, and transmitted in bulk. The message is considered as having a "Singapore linked," (mirroring a similar spam control Australian position), if the message originates from or is received in Singapore. Parties commissioning or procuring the spam are also liable, apart from the spammers themselves.

A party can send commercially unsolicited messages if they contain the word <ADV>, have no misleading subject title or false header information and provide a prominent unsubscribe facility and contactable information about the sender. The use of dictionary attack or address-harvesting software also is prohibited.

Relief is in the form of an injunction, damages suffered by the plaintiff and statutory damages not exceeding SGD 25 per message and not exceeding SGD1 million unless actual proven loss exceeds SGD 1 million. Government announcements in the interest of the public and online solicitations by religious and charities are exempted, unless the latter are selling goods or services.

New Bill on National Disease Registry
Singapore's Ministry of Health is proposing a national disease registry bill to regulate the collection of information from patients with non-infectious diseases. The proposed bill will set out the purpose, to whom and in what form an individual's information can be released to any research body or researcher.

The bill also will include mandatory provisions for data protection, backed by fine and or jail terms for offenders. The ministry aims to release a draft version for public feedback and comment in June 2007. The current legislation for infectious diseases such as severe acute respiratory syndrome (SARS) allows for non-consensual disclosure of patient's information.

Singapore's Bioethics Advisory Committee Report 2007
The Singapore Bioethics Advisory Committee (BAC) published 11 recommendations in a 48-page report to allay the public's fear of the lack of safeguards on research subjects' data privacy. The key recommendations are:

  • Personal information such as their names and addresses should be separated from the early stage of the research to protect the identity of the person - a process known as de-identification. However re-identification is possible when needed;
  • Researchers should be able to view medical records under certain conditions with permission from the supervising bodies known as Institutional Review Boards;
  • Research participants can withdraw from research anytime without giving any explanation; and
  • Insurance companies and employers will be prohibited from accessing predictive genetic information.

K.K. Lim is Chief Privacy Officer (Asia Pacific) at IMS Health. He may be reached at

kklim@imshealth.com.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

SPAIN

Spanish DPA Issues Formal Guidance on CCTV
The Spanish Data Protection Authority has issued guidance for organisations on their data protection obligations when using CCTV systems. Under European law, the processing of the image of any individual is considered the processing of personal data when that image can be linked back to an individual. At the core of the guidance is a reconciliation between the right to secure the business activities of a private company (and the citizenry at large), and the right to privacy of individuals whose images are processed through such security systems.
- Steve Kenny

SWITZERLAND

Update on BCR
Switzerland has long held ''accepted country'' status by the European Commission with regard to transborder data flow. An amended Swiss Federal Data Protection Act is expected to come into force this summer, and includes within Article 6 for the first time an explicit reference to the acceptability of data controllers using Binding Corporate Rules (BCR) within their corporate groups to assure transborder data flow.
- Steve Kenny

UK
By David Trower

ABPI Guide on Medical Research
The Association of the British Pharmaceutical Industry (ABPI) officially launched a guide to the secondary use of patient data for medical research. These guidelines have been developed to provide the industry with advice on using and disclosing data collected for primary patient care for secondary research purposes in line with privacy and confidentiality laws.

This document was drafted by an ad hoc steering group of the ABPI, including privacy professionals from Astra, GSK, Novartis, Roche, Sanofi and IMS Health. The UK Information Commissioner, who provides a forward in the guide, approved the guidelines. The guide is available at www.abpi.org.uk/ Details.asp?ProductID=315.

Article 29 Working Party and Airline Passenger Data Transfers to the U.S.
The representative group of EU Data Protection Commissioners (Article 29 Working Party) recently held a workshop relating to EU airlines' transfer of Passenger Name Records (PNR) to the U.S.

The workshop consisted of three panel sessions dealing with the legal and technical aspects involved in the transfer of passenger data to the U.S. Department of Homeland Security. The European data protection authorities highlighted the need for adequate information to be provided to transatlantic passengers to inform them of their rights and how U.S. authorities process their data.

There was unanimous consent on the need to avoid a gap between expiry of the current agreement and the conclusion of a new data transfer agreement. There also was debate about the possible impact of an Automated Targeting System and whether such a tool would be incompatible with the current PNR agreement.

Royal Dutch Philips and Binding Corporate Rules
The UK Information Commissioner's Office (ICO) has issued its second BCR authorisation to Philips. Philips' BCR covers the processing and transfer of employees' and clients' personal information outside Europe.

This authorisation follows on from the approval given to GE by the ICO back in December 2005 for its BCR on transferring employee data. Philips is the first application to be approved in the UK that concerns client data.

Sian Rudgard, the ICO's spokeswoman, commended Philips for its commitment to the concept of BCR. She restated that the ICO welcomed the use of BCR by international organisations to transfer personal information.
 
European Court of Human Rights Issues Decision on Employer's Monitoring of an Employee's Personal Communications
The European Court of Human Rights in April affirmed an employee's right to keep personal matters personal even when these intrude into the work place, subject to certain limitations. The decision applies to the 46 states of the Council of Europe.

The decision in the case of Copland v United Kingdom was delivered in April 2007 and demonstrates that even before the UK Data Protection Act 1998 and the Human Rights Act 1998 came into the force in the UK, an employer's ability to monitor an employee's private communications and Internet use conducted over the employer's equipment always has been very limited.

The law now specifies that unless an employer has the right policies and procedures in place the courts will not tolerate unwarranted intrusions into an employee's personal and private life.

David Trower is the European Chief Privacy Officer for IMS HEALTH. He can be reached at

dtrower@uk.imshealth.com.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

UK
By Eduardo Ustaran
   
ICO Invetigates Barclays Bank
A main UK bank is at the receiving end of a privacy enquiry by the regulator. The ICO has launched an investigation into Barclays Bank following the recent BBC programme which exposed alleged breaches of customer privacy at the bank. A number of issues raised in the programme are of concern to the ICO.

One staff trainer told employees to ignore the wishes of customers who had stated that they did not wish to receive sales information or be contacted by telephone. Call centre marketing staff were told to identify themselves as "account consultants" when speaking to customers, rather than use their normal title of "sales adviser." The film also showed call centre staff accessing customers' accounts without a valid reason.

ICO Addresses BCR Concerns
Following the approval of the standard form for BCR applications, a representative of the ICO has clarified some areas of potential concern for BCR applicants. Encouragingly, it is not absolutely essential to have a fully operational BCR system at the time of the application. The information commissioner realises that BCR compliance is a movable target and therefore, approvals can be given on the basis of a clear prospect of compliance.

Making an application does not open the door for an investigation into current privacy practices or potential breaches. The assessment is limited to the information provided and the ICO is aware that BCR applications are made by those who voluntarily show their commitment to comply with the law. The ICO also confirmed that it is acceptable for the main point of contact within the applicant organisation to be based outside the European Economic Area (EEA).

Eduardo Ustaran is a Partner at Field Fisher Waterhouse LLP, based in London. He may be reached at

Eduardo.ustaran@ffw.com.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

 UK

ICO Finds 11 Financial Institutions in Violation of Data Protection Act
The ICO recently found 11 banks and other financial institutions in breach of the Data Protection Act. The ICO investigated a narrow aspect of compliance with the Data Protection Act, related to physical, rather than logical, destruction of identifiable information, in response to customer complaints, publicized in popular TV programs.

In accordance with its regulatory mandate, this ''name and shame'' exercise is intended to stimulate banks and other organizations to improve their often out-moded overall approach to information privacy. The ICO has required the CEOs of these 11 organisations, which include some of the largest banks in the world, to sign a formal undertaking to comply with the Principles of the Data Protection Act. Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO and contingent reputational damage.
- Steve Kenny

UK
By Stewart Room

End of Royal Romance Leads to Calls for Privacy
The demiseof Prince William's relationship with Kate Middleton, whom many had tipped him to marry, recently dominated the media in the UK. Prince William, who is second in line for the throne, dated Middleton for four years. Not surprisingly, their relationship generated substantial media interest, reminiscent of that a quarter of a century ago, when Prince Charles was dating Lady Diana Spencer.

Earlier this year, Middleton threatened to complain to the Press Complaints Commission about press intrusion, which resulted in many newspapers announcing that they would no longer purchase paparazzi photographs of her. However, with the news of the split coming at a rather quiet time for the press, another feeding frenzy has been triggered, which already has led to further debate about the balance between the right to privacy and freedom of expression.

The privacy issue in this instance has been elevated to the highest level of political importance, with the Prime Minister, Tony Blair, calling for the press to be respectful of Middleton's privacy. It remains to be seen whether the media will continue to operate by reference to their self-imposed embargo against paparazzi photographs or whether they will now regard Middleton as fair game now that the royals are no longer shielding her.

Stewart Room is a Partner in the Privacy and Information Law Group at Field Fisher Waterhouse Solicitors. He may be reached at

stewart.room@ffw.com.

This e-mail address is being protected from spam bots, you need JavaScript enabled to view it

Comments

If you want to comment on this post, you need to login.

Related Stories
Major trends in US cybersecurity law and policy
Privacy professionals have always needed to have one eye on data security. However, the obligation of data custodians to protect the confidentiality, integrity and availability of the personal information they hold is becoming increasingly complex with its own, sometimes overlapping, sometimes confl...
Read More queue Save This
Navigating Thailand's Digital Platform Services Law
In today's digital age, digital platforms have gained immense popularity and are expected to continue their growth across various industries. End users appreciate the convenience these platforms offer for searching, purchasing and comparing products, and accessing user reviews, as well as the flexib...
Read More queue Save This
Related Stories
Recent Comments