Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
Notes from the IAPP (November 1, 2010)
As most of you know, the European Data Protection Directive will undergo a substantial review in 2011. Many anticipate it will result in new enforcement powers for data protection authorities and more rights for individuals. Others predict that it may bring some relief for organizations from administrative compliance burdens and result in a more harmonized approach across the continent. Will the companies be required to appoint data protection officers and what their role will be? Whatever the outcome, data privacy and data protection will be top of mind across Europe for the next 14 months and beyond, as the legislative changes start to shape up in each country, too. Its ripples will certainly be felt across borders. The world is watching.
New data privacy law in Mexico (November 1, 2010)
Multinational and internationally focused businesses in the United States and elsewhere have stepped up their efforts to monitor and comply with data protection laws in recent years. Reasons for this trend include an increasing proliferation of new laws in this area, public attention, enforcement initiatives by European data protection authorities and the generally increased focus on compliance with laws (which used to be a self-evident requirement applicable to all employees but has become a separate professional discipline or even office in many organizations.)
Experts say P3P lacks transparency (November 1, 2010)
The Platform for Privacy Preferences (P3P) was created in 2002 as a tool to protect users’ privacy as they navigate the Internet. The voluntary platform was adopted by Internet Explorer, the only browser to make meaningful use of it but, since its inception, has faced a number of challenges to its intended success.
Demystifying cloud computing (November 1, 2010)
Few concepts in recent times have conjured up the allure and mystique of “cloud computing.” We are accustomed to hearing about clouds in the context of weather, but where does the notion of a cloud fit into computing? Part one of this three-part article will unmask some of the complexities that exist in describing cloud computing. Although you will see various technical terms, the focus of this series is not technical. Rather, it aims to present practical illustrations that provide better insight into the area.
Privacy law and the challenge of balancing employers’ management needs with employee privacy concerns (November 1, 2010)
The U.S. Supreme Court is weighing privacy questions involving NASA and whether federal employers have too much leeway when it comes to examining the private lives of employees just as Germany is poised to review changes to its Federal Data Protection Act (BDSG) next month.
CANADA: The OPC’s Facebook investigation (November 1, 2010)
In July 2009, the Privacy Commissioner of Canada published the results of an investigation it conducted into the privacy practices of the social networking site Facebook. A complaint filed by the Canadian Internet Policy and Public Interest Clinic (CIPPIC) in May 2008 triggered the investigation.
German Federal Labour Court: Function of an internal data protection official ends with company merger (November 1, 2010)
In Germany, businesses that employ more than nine people with the processing of personal data are under an obligation to appoint an internal data protection official. The position of these internal data protection officials has recently been strengthened. According to Sec. 4f para. 3 of the German Federal Data Protection Act, their employment must not be terminated during their appointment and for one year thereafter unless for cause. In its decision dated September 29, 2010 (Az. 10 AZR 588/09), the German Federal Labour Court stated that an employee's function as internal data protection officer would end, however, if the company with which he is employed, and where he is appointed as a data protection official, merges and thereby ceases to exist as a separate legal entity.
Labour Court Berlin: No dismissal of a compliance officer for privacy law breaches (November 1, 2010)
In a decision dated February 18, 2010, the Labour Court of Berlin was called to judge on the dismissal of a compliance officer on the grounds of alleged breaches of German data protection rules (Labour Court Berlin, Az. 38 Ca 12879/09).
UK: Consultation on data sharing launched (November 1, 2010)
The Information Commissioner's Office has published a consultation document on a new statutory code of practice on the sharing of personal data. The code is meant to explain how the Data Protection Act 1998 applies to the sharing of personal data. It also provides good practice advice that will be relevant to all organizations that do so. As the code puts it, adopting the good practice recommendations will help organizations collect and share personal data in a way that is fair, transparent and in line with the rights and expectations of the people whose information is being shared. The consultation is open until January 5, 2011.
EU sues the UK over privacy failings (November 1, 2010)
The European Commission has decided to refer the United Kingdom to the EU's Court of Justice for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or Internet browsing. Specifically, the commission considers that UK law does not comply with EU rules on consent to interception and on enforcement by supervisory authorities. In the meantime, the UK Home Office has confirmed that it is in discussions with the EU on the matter and plans to make changes to address the commission's concerns.
UK: Information Commissioner seeks EU legislative changes (November 1, 2010)
The UK Information Commissioner's Office has made a formal submission to the Ministry of Justice's call for evidence on the current data protection legislative framework. Not surprisingly, the ICO has indicated that there is need for a review of the law and that data protection should be given a "common sense and modern day approach." The ICO has highlighted the need for the law to be comprehensible for individuals and businesses. The UK government will consider all submissions made to help inform the UK’s position on negotiations for a new EU data protection instrument, which are expected to start in early 2011.
Uruguay found to provide adequate protection (November 1, 2010)
On October 12, 2010, Europe’s Article 29 Working Party opined that the Eastern Republic of Uruguay provides an adequate level of data protection within the meaning of Article 25(6) of the Directive 95/46/EC. The opinion came two years after the Uruguayan government submitted an official request to the European Commission.
Diener named DHS Director of Privacy Policy (November 1, 2010)
Debra N. Diener has been named senior advisor and director of privacy policy at the U.S. Department of Homeland Security (DHS). In her new roles, Diener will be consulting with public- and private-sector professionals and organizations on an array of issues related to privacy.
TRUSTe launches new services (November 1, 2010)
TRUSTe has announced its latest offerings, including a privacy certification program for mobile applications and a new in-ad privacy solution.
Lilly Endowment awards $4 million to university for health information center (November 1, 2010)
Lilly Endowment has awarded Indiana University $4 million to help address ethical, legal and social issues around the growing use of health information in the effort to facilitate treatment and research, improve health outcomes for patients and heighten accountability.
Last chance to opt in to the 2011 IAPP Membership Directory is November 1 (November 1, 2010)
The IAPP is compiling the 2011 edition of the Membership Directory—one of the most coveted and widely used member benefits. For the first time, the 2011 directory will be available both electronically and in print, providing you with two convenient ways to stay in touch with your colleagues. Only IAPP members who opt in will have their names and contact information included. Don’t miss out on your chance to be listed in this valuable networking resource. The deadline for inclusion is November 1. (Members who opted in previously will be included in this year’s directory.)
10 in 2010: A Chat with Lawrence Tan (November 1, 2010)
As part of our ongoing celebration of the IAPP’s tenth year, the Privacy Advisor spoke with longtime member Lawrence Tan, CIPP, CIPP/G, about how--all the way from Singapore--he became a certified information privacy professional and Singapore’s data protection landscape.