Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
PhD in Privacy (October 1, 2009)
Carnegie Mellon University in Pittsburgh will establish a PhD program in usable privacy and security.
Commission takes major step towards re-opening Data Protection Directive, seeks public input (October 1, 2009)
The European Commission has initiated a public consultation on “the legal framework for the fundamental right to protection of personal data.” The Commission has indicated that the consultation is intended to gather information on the challenges that should be addressed to maintain an effective and comprehensive legal framework for data protection.
Data breach 2009: lessons learned (October 1, 2009)
At the IAPP Practical Privacy Series in Silicon Valley, Joanne McNabb, CIPP/G, of the California Office of Privacy Protection and Julie Fergerson of Debix ran participants through live, interactive data breach scenarios. Here are their thoughts on the exercise and their reactions to participants’ responses.
Belgian consumers to pay for privacy-unfriendly data retention measures? (October 1, 2009)
The Belgian Ministry of Justice has proposed a bill imposing a two-year data retention period for telecom operators and Internet service providers that offer communication services in Belgium. The retention period would serve the investigation, detection, and prosecution of serious crimes, such as organized crime or terrorist activities. Service providers would be required to retain traffic data, such as the sender and receiver’s telephone number or e-mail address, IP numbers, and the date, time, and duration of a communication.
Don't bet against the privacy profession (October 1, 2009)
If you had asked David Hoffman last year to bet on the prospects of the privacy profession, he would have declined the offer. The economy was faltering, many data-centric industries, such as financial services, were shedding jobs, and there was plenty of talk about how the narrow focus of the privacy function had made the position expendable at too many companies.
Is an employee's off-duty conduct off-limits to an employer? (October 1, 2009)
The monitoring of employees is standard procedure in many workplaces. Although the restrictions on employee monitoring in the workplace may vary from country to country, most privacy and employment legislation recognises the advantages to employers of monitoring employees in the workplace, and accepts that such monitoring may be essential to the effective and efficient running of some businesses.
Israeli attitudes on privacy (October 1, 2009)
Recently, I had the opportunity to teach a short course on data security and privacy at an Israeli law school. The experience was enlightening.
DHS PIAs provide a model for global practice (October 1, 2009)
Australia, Canada, New Zealand, the United Kingdom, and the United States recently concluded an information-sharing agreement under the auspices of the Five Country Conference (FCC) to support visa, immigration, and/or admissibility determinations between countries.
Global Privacy Dispatches- UK Communications Data (October 1, 2009)
The Information Commissioner’s Office (ICO) issued an official statement recognizing the value of communications data in the prevention and detection of crime and prosecution of offenders. However, the ICO said that this, in itself, is not a sufficient justification for mandating the collection of all possible communications data on all subscribers by all communication service providers (CSPs).
UPS takes remedial action following data loss (October 1, 2009)
UPS, the parcel service and global transportation and logistics business, has taken remedial action, including the encryption of all its UK laptops and smartphone devices, following a breach of the Data Protection Act. UPS also signed an Undertaking to assure the Information Commissioner’s Office that personal information will be kept securely in future.
SMS retention brings class action (October 1, 2009)
A class action suit has been filed in the District Court of the central district against cellular provider Pelephone Communications Ltd. The claim alleges that Pelephone monitors short messages sent or received by subscribers and saves the content for further use, without customers’ knowledge or mindful consent.
Global Privacy Dispatches- Israel Privacy Infringement (October 1, 2009)
A Haifa court recently heard a dispute between a well-known graphologist’s company and a software- and hardware-services provider.
Google Street View: undertakings towards German DPAs (October 1, 2009)
The DPO of Hamburg was also called into action in June, when Google sent cars onto the city’s streets to capture images for its Street View service. A dispute arose between Google and the Hamburg DPO about the data protection implications of Street View. The dispute has been settled, and Google has agreed to erase data (even in raw data files) depicting people, property, or cars, upon request.
Employee screenings (October 1, 2009)
On April 24, 2009, the so-called Düsseldorfer Kreis (the assembly of all supreme German DPAs) adopted a resolution on privacy aspects of employee screenings by internationally operating companies.
“Peer-to-peer law” found partly unconstitutional (October 1, 2009)
The French Senate voted on the HADOPI law for protecting copyrighted works against infringement via electronic communications networks on May 13. (See “HADOPI,” on page 12 of the July, 2009 issue of the Privacy Advisor.) But this new law has given rise to controversy and will be challenged before the Constitutional Court, the Conseil Constitutionnel.
Attorneys at law can become data protection correspondents (October 1, 2009)
The Conseil National des Barreaux (French National Bar Council) recently modified its national rules (RIN) to enable registered attorneys at law to become data protection correspondents (CIL), the French version of DPOs.
Registry closes, Index opens (October 1, 2009)
There’s an old saying about how, when one door closes, another opens. This adage applies nicely to recent developments concerning marketers in New Zealand. When the new Land Transport Amendment Bill takes effect later this year, they will no longer have access to the bulk mailing addresses of vehicle owners.
2009 Vanguard Award (October 1, 2009)
During an intimate dinner celebration at the IAPP Privacy Academy in Boston last month, Michelle Dennedy received the 2009 Goodwin Procter-IAPP Privacy Vanguard Award.
ID Experts (October 1, 2009)
Breach prevention company ID Experts has been named to the Inc. 500 list of America’s fastest-growing companies. The company came in at number 32, and second among security companies.
Kenneth Mortensen (October 1, 2009)
Kenneth Mortensen, CIPP, CIPP/G, has joined Boston Scientific Corporation as its chief privacy officer. He will be responsible for implementing BSC’s global privacy framework, enhancing and incorporating privacy training into employee education, and minimizing privacy impacts.
Implied Consent (October 1, 2009)
Ontario’s Information and Privacy Commissioner has released a publication to help patients understand implied consent as it pertains to the collection, use, or disclosure of personal health information. Commissioner Ann Cavoukian collaborated with seven Canadian healthcare organizations to create “Circle of Care: Sharing Personal Health Information for Health-Care Purposes.”
Chris Zoladz (October 1, 2009)
Chris Zoladz, CIPP, a founding member and past president of the IAPP, has established the privacy consulting firm, Navigate LLC. Based in Washington, DC, Navigate guides public- and private-sector organizations on privacy risk management.
Data Protection (October 1, 2009)
The British Information Commissioner’s Office has embarked on research to determine the value of data protection. The findings are expected to give public and private-sector organizations a sound business case for proactively investing in privacy.