Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Notes From the Executive Director (March 1, 2010)
Earlier this month there was a flare up in the debate about whether people care about privacy. Those on both sides of the issue presented their views at events and in the popular press.
The Memorandum of Montevideo (March 1, 2010)
The Memorandum on the Protection of Personal Data and Privacy in Internet Social Networks, Specifically in Relation to Children and Adolescents—better known as the Memorandum of Montevideo—was presented in Mexico on December 3, 2009.
The human factor in compliance: best practices from the trenches (March 1, 2010)
This article is the first in a series contributed by MediaPro, Inc., in which privacy and data protection thought leaders from leading organizations share best practices for addressing the human factor in compliance and data protection programs and implementing a successful privacy and data security awareness and training initiative.
Healthcare privacy in 2010 (March 1, 2010)
A lot is happening in the healthcare world, with the implications of healthcare reform leading the list. What can we expect to see as the major developments in healthcare privacy and security in 2010?
Asia-Pacific data privacy laws: model corporate privacy principles (March 1, 2010)
Corporations that operate in and collect or process personal data in Asia-Pacific countries need to have comprehensive privacy policies addressing these countries’ data privacy laws. Is it possible to create a single policy that achieves such a broad coverage? The answer is yes, but Asia, unlike Europe, does not have a broad regional directive requiring member states to enact local data privacy laws conforming to certain principles.
Changes to the European Union E-Privacy Directive (March 1, 2010)
The European Parliament approved the long-awaited amendments to the Directive on Privacy and Electronic Communications (e-Privacy Directive) in November 2009. The amendments, which are causing a stir in the world of online advertising, will be implemented in the 27 EU Member States by mid-2011.
French courts clarify rules governing implementation of whistleblowing systems (March 1, 2010)
Two recent decisions issued by a French Tribunal of First Instance (Caen Tribunal of First Instance, Interim Decision, 5 November 2009) and by the French Supreme Court (Cour de Cassation, 8 December 2009) have brought whistleblowing and the implementation of ethics helplines in French companies to the forefront of the nation’s conversation on data protection.
New security breach notification requirements under amended E-Privacy Directive (March 1, 2010)
The Council of the European Union approved the so-called Telecom Reform Package on October 26, 2009, providing for an overhaul of Directive 2002/58/EC on privacy and electronic communications (OJ L 201, 31.7.2002, p.37) (E-Privacy Directive). It was published in the Official Journal of the European Union on December 18, 2009. The new E-Privacy Directive contains a number of important amendments.
CATSA PIA Response (March 1, 2010)
In January, the Office of the Privacy Commissioner of Canada (OPC) released its response to a Privacy Impact Assessment (PIA) completed by the Canadian Air Transport Security Authority (CATSA) in anticipation of the deployment of millimetre wave (MMW) screening technology at selected Canadian airports. The adoption of this technology, which shows the outline of an individual’s body beneath their clothing, has been the source of much discussion due to its perceived invasiveness.
German DPAs: Web site tracking requires consent (March 1, 2010)
During its November session, the so-called “Düsseldorfer Kreis” (the assembly of all supreme German DPAs) adopted a resolution on the privacy-compliant design of Web site tracking procedures (such as Google Analytics).
Draft law on privacy protection of employees (March 1, 2010)
The parliamentary group of the Social Democrat Party (SPD) in Germany on November 25 tabled a draft law on privacy protection in employment relationships. The proposal stems from a series of privacy scandals involving German companies illegally spying on their staff.
New data processing agreements: publicly available model clauses (March 1, 2010)
The recent reform of the Federal German Data Protection Act (BDSG) has brought about significant changes to the requirements data processing agreements must meet in order for transfers between controllers and processors to benefit from the data processor privilege enshrined in Sec. 11 of the BDSG.
Hamburg DPA: enforcement actions re obligations to appoint data protection officers (March 1, 2010)
In a press release dated January 8, the Data Protection Authority of Hamburg announced broad enforcement actions in order to curtail the numerous “privacy scandals” that have occurred in Germany in past months. The DPA will check in particular whether companies comply with their obligation to appoint internal data protection officers.
Court ruling: burden of proof for consent to e-mail marketing (March 1, 2010)
On November 24, 2009, the Higher Regional Court of Duesseldorf issued an interesting ruling on the burden of proof for consents to e-mail marketing measures. The court found that a company that purchases e-mail addresses for the purpose of distributing electronic advertisements must not rely on the seller’s representation that all data subjects have consented to receive marketing e-mails.
A shift in the regulatory regime (March 1, 2010)
The Information, Law, and Technology Agency (ILITA) held an international conference on data security on January 20 as a means to strengthen data protection in Israel. The conference involved a discussion on ILITA’s recent proposal to enact new privacy regulations related to information security.
Report data breaches or face tougher sanctions (March 1, 2010)
David Smith, deputy commissioner and director of data protection at the UK Information Commissioner’s Office (ICO), has said that organisations reporting their data security breaches may find themselves subject to regulatory action, but “…those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”
Up to £500,000 fines for serious breaches (March 1, 2010)
New powers designed to deter data breaches are expected to come into force on April 6, 2010. The ICO will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
Code planned for airport scanners (March 1, 2010)
A UK government department is to draw up guidelines for the use of passenger images produced by airport security scanners. The Department for Transport will issue a code of practice for all operators to help ensure that those responsible for the scanning are properly trained and that procedures comply with the Data Protection Act.
A chat with Jennifer Barrett, CIPP, Global Privacy and Public Policy Executive, Acxiom Corporation (March 1, 2010)
In our continuing series to celebrate the IAPP’s 10-year anniversary, this month we look back at the early days of the privacy profession with Jennifer Barrett. Widely considered the first person to hold the title of chief privacy officer, Jennifer has been heading up privacy efforts at Arkansas-based data broker Acxiom Corp for almost 20 years.
Outpacing change: Ernst & Young’s 12th annual global information security survey illuminates data protection trends, goals, and obstacles (March 1, 2010)
Improving information security risk management and data leakage prevention (DLP) are the top two priorities for the year ahead, according to Ernst & Young’s 12th annual global information security survey.
Rutherford to chair this year’s PCI council (March 1, 2010)
Bruce Rutherford, head of MasterCard’s fraud management solutions, payment system integrity group, will serve as this year’s chairperson of the Payment Card Industry (PCI) Security Standards Council.
Under Rutherford’s leadership, the council will release new standards to enhance payment account security and awareness in 2010. Additionally, Rutherford will work with the council’s board of advisors, participating organizations, assessor community, and merchants to increase adoption of PCI standards.