Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
New European Standard Contractual Clauses for data processors (May 11, 2010)
In February 2010, the European Commission approved new Standard Contractual Clauses for the transfer of personal data to processors outside the European Economic Area (New Processor Clauses). At the same time, the commission repealed its 2001 decision approving a predecessor version of such clauses (Old Processor Clauses) effective May 15, 2010. As a result, multinational organizations will consider updating their group-internal and external contracts relating to data processing, and service providers can expect requests from their customers to sign updated forms.
Notes from the Executive Director (May 1, 2010)
As I write, we are busy with final preparations for the IAPP Canada Privacy Symposium in Toronto. Soon after, we’ll head to Silicon Valley and then Berlin, Brussels and Paris for this year’s European delegate tour. A year that started off with a bang continues to gain momentum. By the end of 2010, we’ll have hosted more events and programs than in any other year in our decade-long history.
Privacy and security considerations for EHR incentives and “meaningful use” (May 1, 2010)
One of the American Recovery and Reinvestment Act of 2009’s (ARRA) (Pub. L. No. 111-5) areas of emphasis is expanding the use of health information technology, both in terms of storing and managing medical records in electronic form and in terms of facilitating the exchange of information contained in such records. The Recovery Act included significant funding to provide incentive payments to healthcare providers to adopt electronic health record (EHR) technology; these incentives require eligible providers not only to acquire and install systems, but also to demonstrate “meaningful use” of electronic health records (§4101).
Risks associated with creating a new information asset (May 1, 2010)
The creation of new information assets (e.g. databases) offers the potential for greater collaboration, efficient work, new discoveries, and accomplished objectives. These benefits often overshadow the risks arising from a lack of due consideration about resource availability, privacy, business continuity, and organizational reputation.

10 in 2010: A chat with Suzanne Rodway, Group Privacy Director, Barclays Bank (May 1, 2010)
In our continuing series to celebrate the IAPP’s tenth anniversary, this month we check in with Suzanne Rodway. As group privacy director for Barclays Bank, Suzanne is responsible for overseeing compliance with privacy, data protection, and freedom of information laws worldwide. Barclays received the HP-IAPP 2009 Privacy Innovation Award in the large organization category for its cross-company approach to privacy. The Privacy Advisor chatted with Suzanne about new privacy challenges and how she’s helping her organization—and others—rise to meet them.
What’s a former commissioner to do? (May 1, 2010)
Pamela Jones Harbour ended her term as a Federal Trade Commissioner on April 6. In the weeks leading up to her departure she reflected on the changes she has seen during her term, shared some of her plans for the future and discussed how the privacy landscape may look in the years to come. Harbour’s responses to these questions reflect her own views and not necessarily those of the FTC or any other individual commissioner.
Argentine judge holds Google and Yahoo liable for posting of third-party content (May 1, 2010)
An Argentine civil judge held Google and Yahoo liable for content posted by third parties to a Web site, rejecting the companies’ defenses that they were mere intermediaries, therefore not responsible for the actions of the Web site linking the name of the plaintiff to pornographic and female-escort Web sites without her consent.
Federal Constitutional Court ruling on data retention (May 1, 2010)
The German Federal Constitutional Court (Bundesverfassungsgericht) on March 2, 2010 rejected the legislation requiring the general six-month retention of all electronic communications traffic.
ECJ declares German data protection supervision unlawful (May 1, 2010)
On March 9, 2010 the European Court of Justice ruled that by making the state authorities responsible for monitoring the processing of personal data by non-public bodies subject to state scrutiny, and by thus incorrectly transposing the requirement that those authorities perform their functions “with complete independence,” Germany failed to fulfill its obligations under Directive 95/46/EC.
Burden of proof re faulty address data (May 1, 2010)
On February 17, 2010, the Regional Court of Duesseldorf issued a judgment on the requirements for proving defects of address data that have been purchased for telephone marketing purposes.
Supreme Court: anonymity is constitutional right (May 1, 2010)
The Israeli Supreme Court settled a longstanding District Court split in March, holding that online anonymity is a constitutional right derived from the right to privacy and free speech.
Mexico passes Federal Data Protection Act (May 1, 2010)
After nine years of intense efforts and constant lobbying, the Federal Data Protection Act has been approved in Mexico. On April 27, 2010, the Senate unanimously approved the Federal Data Protection Act fulfilling the duty of the Mexican Constitution and international standards on the matter.
The Privacy Dividend Report (May 1, 2010)
The UK Information Commissioner, Christopher Graham, has launched the Privacy Dividend Report, which provides organizations with a financial case for data protection best practice.
Criminal case against BT being considered (May 1, 2010)
Following the European Commission’s legal proceedings against the UK for failing to take any action over behavioral targeting, the Crown Prosecution Service is working on a potential criminal case against BT over its trials of Phorm’s system.
Parliament Committee issues privacy recommendations (May 1, 2010)
The House of Commons’ Culture Media and Sport Committee has released a report on press standards, privacy, and libel.