Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Notes From the Executive Director (March 1, 2010)
Earlier this month there was a flare up in the debate about whether people care about privacy. Those on both sides of the issue presented their views at events and in the popular press.
The Memorandum of Montevideo (March 1, 2010)
The Memorandum on the Protection of Personal Data and Privacy in Internet Social Networks, Specifically in Relation to Children and Adolescents—better known as the Memorandum of Montevideo—was presented in Mexico on December 3, 2009.
The human factor in compliance: best practices from the trenches (March 1, 2010)
This article is the first in a series contributed by MediaPro, Inc., in which privacy and data protection thought leaders from leading organizations share best practices for addressing the human factor in compliance and data protection programs and implementing a successful privacy and data security awareness and training initiative.
Healthcare privacy in 2010 (March 1, 2010)
A lot is happening in the healthcare world, with the implications of healthcare reform leading the list. What can we expect to see as the major developments in healthcare privacy and security in 2010?
Asia-Pacific data privacy laws: model corporate privacy principles (March 1, 2010)
Corporations that operate in and collect or process personal data in Asia-Pacific countries need to have comprehensive privacy policies addressing these countries’ data privacy laws. Is it possible to create a single policy that achieves such a broad coverage? The answer is yes, but Asia, unlike Europe, does not have a broad regional directive requiring member states to enact local data privacy laws conforming to certain principles.
Changes to the European Union E-Privacy Directive (March 1, 2010)
The European Parliament approved the long-awaited amendments to the Directive on Privacy and Electronic Communications (e-Privacy Directive) in November 2009. The amendments, which are causing a stir in the world of online advertising, will be implemented in the 27 EU Member States by mid-2011.
French courts clarify rules governing implementation of whistleblowing systems (March 1, 2010)
Two recent decisions issued by a French Tribunal of First Instance (Caen Tribunal of First Instance, Interim Decision, 5 November 2009) and by the French Supreme Court (Cour de Cassation, 8 December 2009) have brought whistleblowing and the implementation of ethics helplines in French companies to the forefront of the nation’s conversation on data protection.
New security breach notification requirements under amended E-Privacy Directive (March 1, 2010)
The Council of the European Union approved the so-called Telecom Reform Package on October 26, 2009, providing for an overhaul of Directive 2002/58/EC on privacy and electronic communications (OJ L 201, 31.7.2002, p.37) (E-Privacy Directive). It was published in the Official Journal of the European Union on December 18, 2009. The new E-Privacy Directive contains a number of important amendments.
CATSA PIA Response (March 1, 2010)
In January, the Office of the Privacy Commissioner of Canada (OPC) released its response to a Privacy Impact Assessment (PIA) completed by the Canadian Air Transport Security Authority (CATSA) in anticipation of the deployment of millimetre wave (MMW) screening technology at selected Canadian airports. The adoption of this technology, which shows the outline of an individual’s body beneath their clothing, has been the source of much discussion due to its perceived invasiveness.
German DPAs: Web site tracking requires consent (March 1, 2010)
During its November session, the so-called “Düsseldorfer Kreis” (the assembly of all supreme German DPAs) adopted a resolution on the privacy-compliant design of Web site tracking procedures (such as Google Analytics).
Draft law on privacy protection of employees (March 1, 2010)
The parliamentary group of the Social Democrat Party (SPD) in Germany on November 25 tabled a draft law on privacy protection in employment relationships. The proposal stems from a series of privacy scandals involving German companies illegally spying on their staff.
New data processing agreements: publicly available model clauses (March 1, 2010)
The recent reform of the Federal German Data Protection Act (BDSG) has brought about significant changes to the requirements data processing agreements must meet in order for transfers between controllers and processors to benefit from the data processor privilege enshrined in Sec. 11 of the BDSG.
Hamburg DPA: enforcement actions re obligations to appoint data protection officers (March 1, 2010)
In a press release dated January 8, the Data Protection Authority of Hamburg announced broad enforcement actions in order to curtail the numerous “privacy scandals” that have occurred in Germany in past months. The DPA will check in particular whether companies comply with their obligation to appoint internal data protection officers.
Court ruling: burden of proof for consent to e-mail marketing (March 1, 2010)
On November 24, 2009, the Higher Regional Court of Duesseldorf issued an interesting ruling on the burden of proof for consents to e-mail marketing measures. The court found that a company that purchases e-mail addresses for the purpose of distributing electronic advertisements must not rely on the seller’s representation that all data subjects have consented to receive marketing e-mails.
A shift in the regulatory regime (March 1, 2010)
The Information, Law, and Technology Agency (ILITA) held an international conference on data security on January 20 as a means to strengthen data protection in Israel. The conference involved a discussion on ILITA’s recent proposal to enact new privacy regulations related to information security.
Report data breaches or face tougher sanctions (March 1, 2010)
David Smith, deputy commissioner and director of data protection at the UK Information Commissioner’s Office (ICO), has said that organisations reporting their data security breaches may find themselves subject to regulatory action, but “…those that try to cover up breaches which we subsequently become aware of are likely to face tougher regulatory sanctions.”
Up to £500,000 fines for serious breaches (March 1, 2010)
New powers designed to deter data breaches are expected to come into force on April 6, 2010. The ICO will be able to order organisations to pay up to £500,000 as a penalty for serious breaches of the Data Protection Act.
Code planned for airport scanners (March 1, 2010)
A UK government department is to draw up guidelines for the use of passenger images produced by airport security scanners. The Department for Transport will issue a code of practice for all operators to help ensure that those responsible for the scanning are properly trained and that procedures comply with the Data Protection Act.
Rutherford to chair this year’s PCI council (March 1, 2010)
Bruce Rutherford, head of MasterCard’s fraud management solutions, payment system integrity group, will serve as this year’s chairperson of the Payment Card Industry (PCI) Security Standards Council.
Under Rutherford’s leadership, the council will release new standards to enhance payment account security and awareness in 2010. Additionally, Rutherford will work with the council’s board of advisors, participating organizations, assessor community, and merchants to increase adoption of PCI standards.