Global Privacy Dispatches
By Terry McQuay
Privacy Law Report Calls for Breach Notice Provision
The much-anticipated report of the Parliamentary Committee that conducted the statutory 5-year review of Canada's privacy law - the Personal Information Protection and Electronic Documents Act (PIPEDA) - was tabled recently in the House of Commons.
The report calls for limited changes to PIPEDA at this time, making 25 recommendations, many of which aim for greater harmonization among the federal privacy law and the provinces of Quebec, Alberta and British Columbia, all of which have substantially similar private sector data protection laws.
Some of the recommendations of the Commons Committee on Access to Information, Privacy and Ethics are:
- The act be amended to include a breach notification provision requiring organizations to report certain defined breaches of their personal information holdings to the privacy commissioner. The committee also recommends that in determining the specifics of an appropriate notification model for PIPEDA, consideration should be given to questions of timing, manner of notification, penalties for failure to notify, and the need for a "without consent" power to notify credit bureaus in order to help protect consumers from identity theft and fraud.
- The federal Privacy Commissioner should not be granted order-making powers at this time.
- No amendment be made to PIPEDA with respect to the privacy commissioner's discretionary power to publicly name organizations in the public interest.
- A definition of "business contact information" be added to PIPEDA.
- PIPEDA be amended to clarify the form and adequacy of consent required by it, referring to the Alberta and B.C. acts to better distinguish between express, implied and deemed/opt-out consent.
- The federal government examine the issue of consent by minors with respect to the collection, use and disclosure of their personal information in a commercial context with a view to amending PIPEDA in this regard.
- No amendments be made to PIPEDA with respect to the transborder flow of personal information.
The report will now be considered by the federal government for any further action.
Terry McQuay, CIPP, CIPP/C, is the Founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.
By Steve Kenny
Member States face Sept. 15 Deadline to Comply with Data Retention Directive
The 2006/24/EC directive on the retention of data amends directive 2002/58/EC, and must be transposed into national law by all member states by Sept. 15, 2007. Citing national security concerns, the new directive obliges public telephony operators and Internet service providers to retain personal data, such as the calling number, the user ID, and the identity of the user of an IP address, for a period of 6 to 24 months. EU member states are expected to implement widely varying compliance requirements at or above the minimum requirements of this directive.
By Pascale Gelly
Short Privacy Notices? Not in France!
A new decree (25 March 2007) addresses the content and medium of privacy notices. Individuals must be provided with the contact details of the department in charge of receiving requests for access, objection and rectification.
In addition, in the case of transfers outside the EU, the notice must list the countries to which data is transferred; the nature of the transferred data; the categories of recipients; the level of protection given by the importing countries; the references to the European Commission adequacy decision if the importing country is "adequate," and if not, the references to the Commission Nationale de l'Informatique et des Libertés (CNIL) authorization; or the exception justifying the data transfer. In addition, the data privacy notice must be posted on the data collection document.
When data is collected remotely, the notice must be read to the individuals concerned, who must be offered a copy in writing. The decree also states the conditions under which data subjects can exercise their data protection rights; how data controllers must comply with them; and provisions relating to international data transfers. In particular, the authorization procedure for data transfers before the CNIL should last two months (extendable by two additional months). However, if the CNIL does not answer, that must be regarded as a refusal.
CNIL Fines Another Multinational Company
After having sanctioned Crédit Lyonnais last summer, the CNIL has issued its second-highest fine against the French affiliate of the group Tyco Healthcare. The company, after receiving an injunction notice from the CNIL to provide information relating to an HR database for the global management of careers, responded that it had suspended the processing of what the CNIL Secretary General characterizes as a "computerized monster."
According to the CNIL, "An on-site investigation showed that not only the implementation of the database had not been suspended but it was used and updated regularly in spite of the numerous legal uncertainties raised by the CNIL (among others: purposes, international data transfers and security.)"
Sanction: 30,000 Euros for lack of response to the CNIL queries, provision of inaccurate information and non-suspension of the processing.
Access by Employees to Performance Evaluation
Following complaints made against a multinational company, the CNIL recently has reminded that "… 'ranking' and 'potential' are data elements which must be made available to an employee if they have been taken into consideration to make a decision about a raise, a promotion, an assignment, etc."
CNIL Rejects Centralized Databases of Credit Holders in France
Experian has re-opened a debate addressed by the CNIL in a 2005 report by requesting the CNIL's authorization for a database to be fed by credit institutions with information about their customers, the financing contracts they concluded and the status of reimbursement.
The CNIL refused to approve the project, pointing to issues such as the lack of proportionality and transparency and restating its previous finding that "only a law could specify the purposes and content of such databases … ." The CNIL has expressed reluctance in the past about positive databases and shown preference for negative databases containing only information about incidents.
By K.K. Lim
Singapore Spam Control Act 2007
Singapore's Parliament passed the anti-spam bill on April 12, 2007, which will become law once it is published in the Government Gazette.
Spam is defined as unsolicited commercial communication, such as electronic mail and mobile text or multimedia messages, transmitted in bulk. A message is considered to have a "Singapore link" (mirroring the position of Australia's spam control law) if it originates from or is received in Singapore. Parties commissioning or procuring the spam are also liable, apart from the spammers themselves.
A party can send unsolicited commercial messages if they contain the label <ADV>, have no misleading subject title or false header information, and provide a prominent unsubscribe facility and contact information for the sender. The use of dictionary attack or address-harvesting software also is prohibited.
Relief is in the form of an injunction, damages suffered by the plaintiff and statutory damages not exceeding SGD 25 per message and not exceeding SGD 1 million in total, unless actual proven loss exceeds SGD 1 million. Government announcements in the public interest and online solicitations by religious organisations and charities are exempted, unless the latter are selling goods or services.
New Bill on National Disease Registry
Singapore's Ministry of Health is proposing a national disease registry bill to regulate the collection of information from patients with non-infectious diseases. The proposed bill will set out the purposes for which, the parties to whom and the form in which an individual's information can be released to a research body or researcher.
The bill also will include mandatory provisions for data protection, backed by fines and/or jail terms for offenders. The ministry aims to release a draft version for public feedback and comment in June 2007. The current legislation for infectious diseases such as severe acute respiratory syndrome (SARS) allows for non-consensual disclosure of patients' information.
Singapore's Bioethics Advisory Committee Report 2007
The Singapore Bioethics Advisory Committee (BAC) published 11 recommendations in a 48-page report to allay the public's fear of the lack of safeguards on research subjects' data privacy. The key recommendations are:
- Personal information such as names and addresses should be separated from the research data at an early stage to protect the identity of the person - a process known as de-identification. However, re-identification remains possible when needed;
- Researchers should be able to view medical records under certain conditions with permission from the supervising bodies known as Institutional Review Boards;
- Research participants can withdraw from research anytime without giving any explanation; and
- Insurance companies and employers will be prohibited from accessing predictive genetic information.
K.K. Lim is Chief Privacy Officer (Asia Pacific) at IMS Health. He may be reached at
Spanish DPA Issues Formal Guidance on CCTV
The Spanish Data Protection Authority has issued guidance for organisations on their data protection obligations when using CCTV systems. Under European law, the processing of the image of any individual is considered the processing of personal data when that image can be linked back to an individual. At the core of the guidance is a reconciliation between the right to secure the business activities of a private company (and the citizenry at large), and the right to privacy of individuals whose images are processed through such security systems.
- Steve Kenny
Update on BCR
Switzerland has long held ''accepted country'' status by the European Commission with regard to transborder data flow. An amended Swiss Federal Data Protection Act is expected to come into force this summer, and includes within Article 6 for the first time an explicit reference to the acceptability of data controllers using Binding Corporate Rules (BCR) within their corporate groups to assure transborder data flow.
- Steve Kenny
By David Trower
ABPI Guide on Medical Research
The Association of the British Pharmaceutical Industry (ABPI) officially launched a guide to the secondary use of patient data for medical research. These guidelines have been developed to provide the industry with advice on using and disclosing data collected for primary patient care for secondary research purposes in line with privacy and confidentiality laws.
This document was drafted by an ad hoc steering group of the ABPI, including privacy professionals from Astra, GSK, Novartis, Roche, Sanofi and IMS Health. The UK Information Commissioner, who provides a foreword to the guide, approved the guidelines. The guide is available at www.abpi.org.uk/Details.asp?ProductID=315.
Article 29 Working Party and Airline Passenger Data Transfers to the U.S.
The representative group of EU Data Protection Commissioners (Article 29 Working Party) recently held a workshop relating to EU airlines' transfer of Passenger Name Records (PNR) to the U.S.
The workshop consisted of three panel sessions dealing with the legal and technical aspects involved in the transfer of passenger data to the U.S. Department of Homeland Security. The European data protection authorities highlighted the need for adequate information to be provided to transatlantic passengers to inform them of their rights and how U.S. authorities process their data.
There was unanimous consent on the need to avoid a gap between expiry of the current agreement and the conclusion of a new data transfer agreement. There also was debate about the possible impact of an Automated Targeting System and whether such a tool would be incompatible with the current PNR agreement.
Royal Dutch Philips and Binding Corporate Rules
The UK Information Commissioner's Office (ICO) has issued its second BCR authorisation to Philips. Philips' BCR covers the processing and transfer of employees' and clients' personal information outside Europe.
This authorisation follows on from the approval given to GE by the ICO back in December 2005 for its BCR on transferring employee data. Philips is the first application to be approved in the UK that concerns client data.
Sian Rudgard, the ICO's spokeswoman, commended Philips for its commitment to the concept of BCR. She restated that the ICO welcomed the use of BCR by international organisations to transfer personal information.
European Court of Human Rights Issues Decision on Employer's Monitoring of an Employee's Personal Communications
The European Court of Human Rights in April affirmed an employee's right to keep personal matters personal even when these intrude into the work place, subject to certain limitations. The decision applies to the 46 states of the Council of Europe.
The decision in the case of Copland v United Kingdom was delivered in April 2007 and demonstrates that, even before the UK Data Protection Act 1998 and the Human Rights Act 1998 came into force in the UK, an employer's ability to monitor an employee's private communications and Internet use conducted over the employer's equipment always has been very limited.
The law now makes clear that unless an employer has the right policies and procedures in place, the courts will not tolerate unwarranted intrusions into an employee's personal and private life.
By Eduardo Ustaran
ICO Investigates Barclays Bank
A major UK bank is on the receiving end of a privacy enquiry by the regulator. The ICO has launched an investigation into Barclays Bank following the recent BBC programme which exposed alleged breaches of customer privacy at the bank. A number of issues raised in the programme are of concern to the ICO.
One staff trainer told employees to ignore the wishes of customers who had stated that they did not wish to receive sales information or be contacted by telephone. Call centre marketing staff were told to identify themselves as "account consultants" when speaking to customers, rather than use their normal title of "sales adviser." The film also showed call centre staff accessing customers' accounts without a valid reason.
ICO Addresses BCR Concerns
Following the approval of the standard form for BCR applications, a representative of the ICO has clarified some areas of potential concern for BCR applicants. Encouragingly, it is not absolutely essential to have a fully operational BCR system at the time of the application. The information commissioner recognises that BCR compliance is a moving target and, therefore, approvals can be given on the basis of a clear prospect of compliance.
Making an application does not open the door for an investigation into current privacy practices or potential breaches. The assessment is limited to the information provided and the ICO is aware that BCR applications are made by those who voluntarily show their commitment to comply with the law. The ICO also confirmed that it is acceptable for the main point of contact within the applicant organisation to be based outside the European Economic Area (EEA).
ICO Finds 11 Financial Institutions in Violation of Data Protection Act
The ICO recently found 11 banks and other financial institutions in breach of the Data Protection Act. The ICO investigated a narrow aspect of compliance with the Data Protection Act, related to physical, rather than logical, destruction of identifiable information, in response to customer complaints, publicized in popular TV programs.
In accordance with its regulatory mandate, this ''name and shame'' exercise is intended to stimulate banks and other organizations to improve their often out-moded overall approach to information privacy. The ICO has required the CEOs of these 11 organisations, which include some of the largest banks in the world, to sign a formal undertaking to comply with the Principles of the Data Protection Act. Failure to meet the conditions of the undertaking is likely to lead to further enforcement action by the ICO and contingent reputational damage.
- Steve Kenny
By Stewart Room
End of Royal Romance Leads to Calls for Privacy
The demise of Prince William's relationship with Kate Middleton, whom many had tipped him to marry, recently dominated the media in the UK. Prince William, who is second in line to the throne, dated Middleton for four years. Not surprisingly, their relationship generated substantial media interest, reminiscent of that a quarter of a century ago, when Prince Charles was dating Lady Diana Spencer.
Earlier this year, Middleton threatened to complain to the Press Complaints Commission about press intrusion, which resulted in many newspapers announcing that they would no longer purchase paparazzi photographs of her. However, with the news of the split coming at a rather quiet time for the press, another feeding frenzy has been triggered, which already has led to further debate about the balance between the right to privacy and freedom of expression.
The privacy issue in this instance has been elevated to the highest level of political importance, with the Prime Minister, Tony Blair, calling for the press to be respectful of Middleton's privacy. It remains to be seen whether the media will continue to operate under their self-imposed embargo against paparazzi photographs or whether they will regard Middleton as fair game now that the royals are no longer shielding her.