Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
At the end of each year, the Privacy Advisor polls professionals worldwide to find out what they see in the year ahead for privacy and data protection. In this first issue of 2010, we present their forecasts. We begin with that of Canadian Privacy Commissioner Jennifer Stoddart.
Managing global data privacy (January 1, 2010)
Successive revolutions in information technology raise new challenges, risks, and opportunities for consumer privacy protection. Perhaps the most basic question is how these new technologies are changing the actual practices of companies in processing personal information. After all, emerging technologies can make legal regulations obsolete or out-of-date. The consequences can be ineffective regulation and a waste of corporate resources without meaningful protections for consumer privacy.
Privacy and pandemic planning: a few prudent considerations for organizations (January 1, 2010)
As the international community readies itself for a second wave of the H1N1 flu pandemic, wise organizations are brushing off their business continuity plans (BCPs) and reviewing their applicability to a different kind of threat. Unlike traditional business continuity or disaster recovery planning, pandemic planning requires management for a prolonged but unidentified period of time rather than for the single risk event that traditional business continuity planning tends to focus on.
The Lisbon Treaty and data protection: What’s next for Europe’s privacy rules? (January 1, 2010)
The Lisbon Treaty entered into force on December 1, 2009. This agreement substantially overhauls the EU’s legal bases, the Treaty on European Union (TEU), and the Treaty Establishing the European Community (EC Treaty), the latter of which is renamed the Treaty on the Functioning of the European Union (TFEU).
New international privacy principles for law enforcement and security (January 1, 2010)
Cross-border data flows have long been a subject of global dialogue. In the late 1970s, the Organization for Economic Cooperation and Development (OECD) and the Council of Europe began to explore cross-border transactions, with OECD issuing the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, and the Council of Europe issuing the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data in 1981.
U.S. FTC holds first of three privacy roundtable events and signals policy shift (January 1, 2010)
The Federal Trade Commission (FTC) held the first in a three-part series of one-day roundtable meetings focused on privacy on December 7, 2009, in Washington, DC. These events are designed to bring together a variety of participants from industry, consumer advocacy organizations, trade associations, think tanks, academia and elsewhere, each with a strong interest in helping to shape the commission’s approach to privacy regulation and enforcement.
A look at Bill 54 (January 1, 2010)
In recent years, a number of Canadian privacy laws have been undergoing statutory review. A review of the federal Personal Information Protection and Electronic Documents Act (PIPEDA) commenced in the fall of 2006, a review of the Alberta Personal Information Protection Act (AB PIPA) commenced in 2007 and a review of the British Columbia Personal Information Protection Act (BC PIPA) began in 2008.
CNIL sanction procedure overruled by the Court of Appeal (January 1, 2010)
In late 2006, the French data protection authority issued a 30,000 euro sanction against Inter Confort for improper handling of objection requests to direct marketing via telephone. The sanction followed the CNIL’s onsite investigation of Inter Confort. Inter Confort challenged this sanction decision before the Court of Appeal (Conseil d’Etat) on procedural grounds.
French senators pursue their goal for an “enhanced” Data Protection Act (January 1, 2010)
Following their report, Privacy in the Era of Digital Memory: For an Increased Trust Between Citizens and The Information Society, two senators filed a bill on November 10 to modify the French Data Protection Act.
Decision of the Federal Court of Justice: opt-out consent to postal advertising (January 1, 2010)
On November 11, 2009, the German Federal Court of Justice handed down a judgment on the privacy aspects of the “HappyDigits” bonus programme. The court held that an opt-out consent by participants relating to postal advertising that was included in the registration form for the programme is compliant with applicable German data protection law provisions.
DPA of Berlin: strict approach to denied person screenings (January 1, 2010)
As already reported in the October issue of the Privacy Advisor, the Düsseldorfer Kreis adopted a resolution on privacy aspects of employee screenings in April 2009, taking a moderate approach to the overall permissibility of such screenings. The DPA of Berlin apparently applies a much stricter approach;
European legislative update (January 1, 2010)
Linklaters has released its 2009/2010 edition of Linklaters’ Data Protected, a summary of European data protection legislation. The updated report includes reviews of data protection legislation in all Member States, European Economic Area States (Iceland, Liechtenstein, and Norway), and Switzerland and Russia.
ONC names privacy, security workgroup members (January 1, 2010)
The Office of the National Coordinator for Health IT named 17 to the Health IT Policy Committee privacy and security workgroup in December.
New IAPP Europe Board members (January 1, 2010)
The IAPP has announced new members for its European Advisory Board. Privacy experts from a variety of government and industry sectors will help inform the expansion of IAPP Europe, which was launched in November to provide tailored education, networking, and certification opportunities for European data protection professionals.
10 New Year’s privacy resolutions (January 1, 2010)
A group of South Florida IAPP members braved the winter elements—blue skies, sunshine, warm temperatures—to attend a KnowledgeNet meeting in Miami in December. Jorge Rey led the interactive session on the apropos topic: Privacy Resolutions.
Although attendees represented a wide range of industries—pharma, banking, education, professional services, and more—all shared remarkably similar concerns and goals. Here are their top resolutions (in reverse order).
AICPA and CICA update Generally Accepted Privacy Principles (January 1, 2010)
Establishing an annual privacy risk assessment process to identify new or changed risks to personal information is a key enhancement to Generally Accepted Privacy Principles (GAPP). GAPP is an internationally recognized privacy framework developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Why are more companies joining the U.S. - EU Safe Harbor privacy framework? (January 1, 2010)
The U.S. Department of Commerce (U.S. DOC) recently held its 2009 International Conference on Cross Border Data Flows & Privacy in Washington, DC. The U.S. DOC announced at the conference that an increasing number of companies are choosing to self-certify compliance with the U.S.-EU Safe Harbor Privacy Framework (Safe Harbor). Every month, approximately 50 companies file initial self-certifications to the Safe Harbor, and approximately 150 companies submit annual re-certifications.