Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
A conversation with Mary Ellen Callahan (April 22, 2011)
After two years as the chief privacy officer at the U.S. Department of Homeland Security (DHS), Mary Ellen Callahan discusses the importance of privacy and transparency at DHS with her public affairs representative, Steven Richards. At the U.S. Department of Homeland Security (DHS), privacy law and policy are implemented and enforced through the Privacy Office—the first statutorily mandated privacy office at any U.S. federal agency. The DHS Privacy Office is the largest office of its kind in the federal government, and it has been referred to by many as the leader in public-sector privacy policy.
Notes from the IAPP President (April 1, 2011)
Momentum might be the most-used word in this column. It seems to come up each month as I reflect on the activities of the previous weeks. The momentum in our field of data privacy and protection seems to be relentless. It was evident at our global privacy summit event in March, and it has been evident since then in the global privacy news.
A summary of comments filed on the recent FTC and Commerce Department data privacy frameworks (April 1, 2011)
In last month’s edition of the Privacy Advisor, we compared the new policy frameworks for analyzing data privacy separately proposed by the Federal Trade Commission and the Department of Commerce. In this issue, we summarize the comments that were submitted in response to each of the frameworks and examine some of the common issues addressed in the submissions.
Perspective: Self-regulation’s credibility problem (April 1, 2011)
Why do privacy advocates remain so opposed to self-regulation? Self-regulatory programs suffer from an enduring credibility problem, established by the short-lived IRSG and the languid NAI, and continued today in the form of business practices that express disregard for consumers' expressed preferences.
Simplifying data sanitization compliance: An analysis of the regulatory matrix points the way to safe harbor (April 1, 2011)
In addition to better-known federal legislation such as Sarbanes-Oxley, FACTA and HIPAA, there are now 46 state and territorial laws that regulate the management of private electronic data. Two more major federal acts are also making their way through the U.S. Congress, one in the House and another in the Senate. In spite of the shifting political landscape, they have a high probability of enactment.
Polish Data Protection Act amendment in detail (April 1, 2011)
The amendment to Poland’s Data Protection Act of 29 August 1997 came into force this month. The amendment is intended to strengthen personal data protection by increasing its effectiveness. The Polish Data Protection Authority will be able to enforce its decisions more effectively.
CANADA—Decisions shed light on notification rulings (April 1, 2011)
Effective May 1, 2010, amendments to Alberta’s Personal Information Protection Act (PIPA) created an obligation for organizations to notify the Information and Privacy Commissioner of any incident involving the loss of or unauthorized access to or disclosure of PI, “where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.” The amended PIPA also provides that the commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure, “in a form and manner prescribed by the regulations,” and “within a time period determined by the commissioner.”
FRANCE—CNIL takes position on data processor rules (April 1, 2011)
The issue has been up in the air for a few years, but none dared mention it too loudly for fear that it could come true. Now that the CNIL has released its Decision n°2011-023 of January 20, 2011, it is live.
FRANCE—A new decree adds to ISPs’ data retention obligations (April 1, 2011)
The law of June 21, 2004, on trust in the digital economy (the so-called LCEN) imposes on ISPs (Internet access providers and hosting services providers) an obligation to keep data that could identify online users. Its implementation decree came as a surprise on February 25, 2011, almost seven years after the enactment of the law.
FRANCE—Casual tone of e-mail not sufficient to characterize it as personal (April 1, 2011)
The Labour Chamber of the Supreme Court (Chambre sociale de la Cour de Cassation) upheld two decisions of February 2, 2011, that the casual tone of an e-mail sent by an employee in the workplace is not sufficient to characterize it as personal when the e-mail is “related to the professional activity of the employee.”
ISRAEL—Sloppy class action against Google Buzz dismissed (April 1, 2011)
The Jerusalem District Court dismissed a 5 billion NIS (roughly $1.4 billion) class action against Google Israel Ltd. and Google Inc. In CA (Jerusalem District Court) 4091-10 Amal Jeraisy v. Google Israel Ltd. and others, a Gmail user filed the class action a year ago, following Google's launch of the new Buzz social networking service. The action claimed that Google violated users' privacy when it automatically added Google Buzz to Gmail accounts and, by default, Google Buzz allowed users to track their contacts' status updates and additional information that the contacts shared online, without asking for their consent.
ITALY—Garante rules on ex-employee’s claim (April 1, 2011)
Italy’s Data Protection Authority has made a decision in a claim brought by a man who sought the destruction of personal data from his work computer after he was dismissed from his job. The man asked that the employer destroy his personal data and files. The DPA determined that the employer does not have to delete the data, but the DPA forbade the company from accessing the former employee’s personal files, as that would violate the pertinence and proportionality principle provided by the Italian Data Protection Code.
ITALY—Telecommunication companies must inform subscribers (April 1, 2011)
The Italian Data Protection Authority (Garante) has mandated that telecommunication companies must inform old and new subscribers about how they can stop receiving advertising phone calls.
SINGAPORE—Consumer Data Protection Law in 2012 (April 1, 2011)
Singapore may introduce legislation to protect consumer data in early 2012. In his speech to the Parliamentary Committee of Supply 2011 on Leveraging on Infocomm, Design and Media, the Minister for Information, Communications and the Arts (MICA) RADM(NS) Lui Teck Yew said that the proposed law “aims to protect individuals’ personal information against misuse by regulating how businesses collect, use, disclose and retain consumer personal data, including through online means.”
UK—First BCR authorization of 2011 (April 1, 2011)
The Information Commissioner’s Office (ICO) issued its first Binding Corporate Rules (BCR) approval of 2011 to Spencer Stuart Management Consultants N.V., a global executive search firm. The authorization was awarded under Europe’s “mutual recognition” procedure, which allows the ICO to act as lead reviewing authority when assessing a BCR application. This latest authorization takes the total number of authorizations awarded by the ICO to nine.
UK—Businesses warned on new cookie rules (April 1, 2011)
The ICO has said that businesses must “wake up” to new rules that will require them to collect users’ consent when serving Web site cookies. The rules derive from amendments made to the European e-Privacy Directive and come into force throughout Europe on May 25.
UK—Court challenges IP address identification (April 1, 2011)
A UK court has questioned whether IP addresses can be used to identify a specific individual accused of copyright infringement (Media CAT Limited v Adams & Ors [2011]). Judge Birss QC, presiding, queried whether an IP address could reliably establish that the accused had infringed copyright, saying, “The fact that someone [at that IP address] may have infringed does not mean the particular named defendant has done so.” This case calls into question the commonly held view in Europe that IP addresses constitute personal data.
UK—ICO warns of confusion over new CCTV Commissioner (April 1, 2011)
The Information Commissioner has warned that proposals to appoint a Surveillance Camera Commissioner to oversee a new code on CCTV and surveillance camera use may cause regulatory overlap and confusion. The code, proposed by the UK Government’s Protection of Freedoms Bill and currently under consultation, will initially apply to local authorities and the police only.
Ann Cavoukian receives industry honors (April 1, 2011)
Ontario Information and Privacy Commissioner Ann Cavoukian may need to clear off a shelf in her office. She’s recently been named the recipient of two awards for developing a concept that aims to embed privacy into new technologies from the ground up.
Ernst & Young: Trends point to companies hiring more privacy pros (April 1, 2011)
The findings of Ernst & Young’s "Privacy Trends 2011: Challenges to Privacy Programs in a Borderless World" have been released, and the message is clear: organizations expect to invest more in efforts to protect personal information—including hiring more privacy professionals.
Groups announce 2011 Develop for Privacy Challenge (April 1, 2011)
Four privacy organizations have issued a challenge to mobile application developers: build solutions for privacy concerns for smartphones and other mobile devices. The 2011 Develop for Privacy Challenge is a new competition sponsored by the ACLU of Northern California, the ACLU of Washington, the Tor Project and the Ontario Information and Privacy Commissioner's Office.
Heidi Salow joins Greenberg Traurig (April 1, 2011)
Heidi Salow, CIPP, has joined Greenberg Traurig’s offices of Intellectual Property & Technology as a shareholder with an emphasis on privacy and data security.