Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
ICO Corporate Plan (June 1, 2008)
The British Information Commissioner's Office (ICO) has released a corporate plan designed to guide its functions for the next three years. The Corporate Plan 2008-2011 outlines the ICO's direction in four major focus areas: educating and influencing; resolving problems; enforcing; and developing and improving.
Italian Privacy Institute (June 1, 2008)
Privacy advocates and legal experts have launched the Italian Institute for Privacy, says an ITnews.it report. Described as a "public policy think tank," the group will work to improve online privacy protection for Italian and European citizens by informing policy.
PPS (June 1, 2008)
Privacy pros convened in Manhattan earlier this month for the IAPP Practical Privacy Series, which featured events on human resources, financial services, and data breaches.
Innovation Awards (June 1, 2008)
The IAPP is now accepting nominations for the 2008 HP/IAPP Privacy Innovation Award. This prestigious annual award recognizes the organizations that demonstrate the year's most effective integration of privacy programs. Winners will be announced in three categories: large organization (more than 5,000 employees); small organization (fewer than 5,000 employees); and most innovative technology (any size company).
NAID Toolkit (June 1, 2008)
The nonprofit National Association for Information Destruction, Inc. (NAID) has released a toolkit for helping organizations comply with regulations surrounding information destruction. The Information Destruction Policy Compliance Toolkit contains sample policies and procedures for training, authorization and destruction for paper records, computers, magnetic tapes, optical and micro media
New Assistant Commissioner (June 1, 2008)
The Information Commissioner's Office has appointed Aubrey McCrory to lead the ICO's Northern Ireland office in Belfast. McCrory will be responsible for raising awareness surrounding the role and function of the ICO in Northern Ireland, resolving freedom of information complaints and advising on data protection issues in the private, public and community and voluntary sectors.
Working Party, Dutch DPA: European Commission Should Enter into PNR Negotiations with South Korea (June 1, 2008)
As of April 1, South Korea requires European Union (EU) airlines to provide Passenger Name Record-data ("PNR data") of passengers flying from the EU to South Korea. However, EU airlines that comply with this requirement will inadvertently violate EU data protection law, because South Korean law does not provide an "adequate level" of data protection.
Hacker Posts Information on Six Million Chileans (June 1, 2008)
A computer hacker in Chile published the confidential records of six million of Chile's 16 million residents on the Internet. The information was allegedly obtained by hacking into government servers, and was posted on a technology-related blog. The data included ID card numbers, addresses, telephone numbers and academic records. The hacker left a message saying the aim was to demonstrate the poor level of data protection in Chile.
Data Protection Agency of Argentina Issues Enforcement Notices (June 1, 2008)
Data controllers who have not yet adopted security measures for personal databases are receiving their first notices requesting compliance with Disposition 11/2006, which relates to maintaining confidentiality of personal records and databases and avoiding data breaches. The first stage to adopt security ended in September 2007. Penalties for non-compliance include fines and database closure.
CNIL fights inappropriate comments towards employees (June 1, 2008)
Service Innovation Groupe France (SIG) provides sales and marketing task forces to businesses needing staff for promotional events. During an onsite investigation, the CNIL found in SIG's human resources (HR) database various inappropriate comments about personnel, such as "pain in the neck," "hygiene issues (smells)," "toothless and drinking person," "must be overloaded with work--trial before employment court in progress," "would be a thief," "has cancer, won't be able to work," "took [the company] to employment court," "theft in store," "alcoholism problem."
CCTV: A Need For Clarity (June 1, 2008)
While the French government is considering tripling the number of closed circuit television cameras (CCTVs) in public areas within two years (30,000 are expected), the French data protection authority (CNIL) addressed a memo to the Ministry of Interior to stress the need for clarification of the rules applicable to these systems.
Children's Data Protection in Europe: A New Document from WP 29 (June 1, 2008)
The Article 29 Working Party has published its Working Document 1/2008 on the protection of children's personal data (General guidelines and the special case of schools), WP 147, of February 18, 2008 (http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm). The document was prepared with the highly relevant participation of the Portuguese National Commission of Data Protection. The purpose of the document is to analyse the general principles relevant to the protection of children's data, and to explain their relevance in a specific critical area, namely that of school data, and should be seen in the context of the general initiative of the European Commission described in its communication "Towards an EU strategy on the Rights of the Child."
Information Security Notification Laws on the Horizon (June 1, 2008)
Compared to their American colleagues, European privacy professionals have been somewhat spared from the headaches caused by information security breach notification requirements. There are, however, signs on the horizon that this tranquil European climate is about to change. The proposed amendments to the Electronic Communications Privacy Directive 2002/58—already introduced in the autumn of last year—impose security breach notification obligations for network operators and Internet service providers.
Retention of Operational and Localisation Data (June 1, 2008)
On 23 April 2008, the Czech Parliament approved an amendment to the Electronic Communications Act (Act no. 127/2005 Coll.) relating to the retention of operational and localisation data created or processed by the providers of electronic communications services and public communication networks. The amendment still needs to be approved by the Senate and the president of the Czech Republic before it can become effective. Under the amendment, providers must store information about the time and location of telephone calls, even if the call was not ultimately connected (i.e. the person being called did not take the call). The Data Protection Office considers such data retention as excessive.
Australian Privacy Awards (June 1, 2008)
The Australian Privacy Awards and Privacy Medal will be announced in August and the deadline for nominations ends soon. To nominate a business, government agency or nonprofit organization for a privacy award, go to www.privacy.gov.au/about/awards/index.html. The deadline for nominations is 9 July. The Australian Privacy Awards will recognize organizations that engage in good privacy practices. The Privacy Medal acknowledges an individual who has exhibited an outstanding level of achievement in advancing privacy in Australia.
Student Privacy Comes into Question (June 1, 2008)
The recent apparent suicide death of a Canadian university student in Ontario has fuelled the debate concerning challenges universities face in providing health services to students while also protecting students' privacy rights. The student's parents were upset that the university had only informed them that their daughter had been seeing a campus doctor and counsellor, and that she had been taking anti-depressants, after she went missing.

Ethical Considerations for Attorneys Responding to a Data-Security Breach (June 1, 2008)
Companies experiencing a data breach face significant legal challenges under state and federal statutes and from the threat of civil litigation. It is useful to employ outside counsel in the event of a breach because the results of internal investigations are not always protected by attorney-client privilege. This article offers insight on this and other breach response best practices and ethical considerations in this relatively new and unsettled area of law.
Notes from the Executive Director (June 1, 2008)
It's finally summer here in the northern hemisphere and as the mercury rises, thoughts naturally turn to lazy days at the beach or forest campsites in the cool of the mountains. Perhaps your vacation involves a long car ride (and a significant hit at the gas pump) to visit with relatives and friends, or a flight to somewhere exciting—Vegas, Disney—or to follow your favorite baseball team chasing dreams of post-season glory.
E-mails and the Attorney-Client Privilege: Avoiding Risk When Reviewing Employee Communications (June 1, 2008)
Employees’ use of company e-mail systems for communicating with personal attorneys raises difficult issues. On one side is attorney-client privilege. On the other is a company’s right to monitor employee communications. Andrew Serwin examines the case law, identifies the key factors guiding courts in this area, and outlines what companies should consider when assessing their computer use policies.
Are You in Compliance with COPPA? Recent State Actions Raise the Stakes (June 1, 2008)
In 2007, the Texas Attorney General brought enforcement actions against three Web site operators for violations of the Children’s Online Privacy Protection Act (COPPA). Although the Federal Trade Commission (FTC) has been active in enforcing COPPA, these actions marked the first among state Attorneys General, emphasizing the increasing importance of COPPA compliance.