Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
California Supreme Court rules that ZIP codes are personal identification information (March 17, 2011)
Retail stores across California routinely ask customers to provide a ZIP code when making a purchase. This practice may now be prohibited following the California Supreme Court decision in Pineda v. Williams Sonoma, __ Cal. 4th__ (February 10, 2011), holding that ZIP codes are “personal identification information” for the purposes of the Song-Beverly Credit Card Act.
Notes from the IAPP President (March 1, 2011)
I cannot recall a time in the past decade when there has been so much activity in the field of privacy. This month’s Privacy Advisor articles cover a breadth of topics, including the Federal Trade Commission and Department of Commerce privacy reports, the use of analytics and privacy enhancing technologies, recent rulings in Canadian and Israeli courts and a case coming up in the U.S. Supreme Court. All of this activity creates substantial challenges for our members.
A comparison of the recent FTC and Commerce Department data privacy frameworks (March 1, 2011)
The privacy landscape in the U.S. is undergoing a major revamping. In December, the Federal Trade Commission (FTC) and the Department of Commerce (DoC) separately proposed new policy frameworks for analyzing data privacy. These proposals are the culmination of separate—and comprehensive—reviews conducted by the agencies over the past year. This article summarizes the two proposed frameworks, explores where they are similar and where they differ and suggests what impact these frameworks, if adopted, may have on businesses that collect, use or disclose information about consumers.
The ethical use of analytics (March 1, 2011)
The term “analytics” refers to the use of information technology to harness statistics, algorithms and other tools of mathematics to improve decision-making. A wide variety of organizations use analytics to convert data to actionable knowledge. Analytics represent a change from the long-standing approaches to management that often relied on instinct and were largely unsupported and undocumented. Analytics permit corporate decision-making to be driven, assessed and tested by the use of data.
Government options for encouraging use of online privacy-enhancing technologies (March 1, 2011)
Recent reports issued by the U.S. Federal Trade Commission and U.S. Department of Commerce call for the use of “privacy-enhancing technologies” (PETs) to improve the quality of information and privacy choice control mechanisms available to individual Internet users. But how will government encourage the use of such technologies? This article briefly surveys the array of regulatory tools available to the government and suggests that mandates of specific PETs be used as a tool of last resort.
Privacy at issue in upcoming Supreme Court case (March 1, 2011)
Privacy professionals may find an upcoming United States Supreme Court case, Sorrell v. IMS Health, to be of interest. Certiorari was granted on January 7, 2011, and both sides are actively engaged in preparing for the case at this time.
CANADA — Court’s e-mail decision raises implications (March 1, 2011)
In December 2010, the Ontario Superior Court of Justice, Divisional Court, issued its Reason for Decision in a case dealing with an access request made to the City of Ottawa requesting an employee’s e-mails.
FRANCE — Focus on consumer online protection: more investigations ahead (March 1, 2011)
The Secretary of State in charge of consumption matters, the data protection authority and the authority in charge of competition regulation and consumer protection have signed a cooperation protocol to improve the protection of consumers’ personal data in the e-commerce environment.
FRANCE — The CNIL under attack? (March 1, 2011)
The French data protection authority, CNIL, is one of the few authorities to have survived the French Government’s restructuring initiatives, which began in 2009.
ISRAEL — EU confirms Israel's adequacy (March 1, 2011)
The EU Commission published the much-anticipated announcement on the adequacy of data protection in Israel.
Israeli court restricts monitoring of employee's e-mail (March 1, 2011)
In a 91-page opinion, the National Labor Court laid down a clear set of rules on employers’ rights to monitor their employees’ e-mail messages.
UK — Ministry of Justice publishes responses to its Call for Evidence (March 1, 2011)
The Ministry of Justice published a report summarizing the 163 responses it received following its Call for Evidence on how the existing data protection framework is working across the UK and Europe.
UK — Two councils fined for the loss of unencrypted laptops (March 1, 2011)
The ICO has handed out monetary penalties of £80,000 and £70,000 to Ealing Council and Hounslow Council, respectively, after two unencrypted laptops containing sensitive personal data of around 1,700 individuals were stolen from the home of an employee of Ealing Council.
UK — BIS reveals timeline for implementation of the E-Privacy Directive to industry insiders (March 1, 2011)
The Department for Business, Innovation and Skills told an industry roundtable that a Statutory Instrument implementing the E-Privacy Directive, including the new rules governing the acceptance of cookies, will be brought before Parliament by the end of April, and that there is no option to postpone this timeline.
Technologists hired to help regulators (March 1, 2011)
As technology advances, so must privacy regulators’ knowledge and understanding of such technologies. Without understanding how various technologies function, it is difficult to determine whether privacy is protected within those functions and equally difficult to investigate resulting breaches. In this vein, some regulators have begun hiring technologists on staff.
Medical Device Privacy Consortium formed (March 1, 2011)
Privacy and compliance leaders in the medical device industry have formed the Medical Device Privacy Consortium, which will focus on addressing the data privacy challenges that medical device companies face.
2011 HP-IAPP Privacy Innovation Awards and IAPP Privacy Vanguard Award nominations now open (March 1, 2011)
The search is underway for the 2011 HP-IAPP Privacy Innovation Awards and IAPP Privacy Vanguard Award winners, to be announced at this year’s Privacy Dinner during the IAPP Privacy Academy 2011 in Dallas, TX, September 14-16.
This month on the Privacy List (March 1, 2011)
Privacy pros continue to turn to the IAPP Privacy List to share knowledge and ask questions on the topics most relevant to them and their daily job functions. When a major privacy-related headline drops, it’s often not long after that list activity accelerates with questions or predictions on how such news will affect the status quo.