Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.
Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
A conversation with Mary Ellen Callahan (April 22, 2011)
Notes from the IAPP President (April 1, 2011)
Momentum might be the most-used word in this column. It seems to come up each month as I reflect on the activities of the previous weeks. The momentum in our field of data privacy and protection seems to be relentless. It was evident at our global privacy summit event in March, and it has been evident since then in the global privacy news.
A summary of comments filed on the recent FTC and Commerce Department data privacy frameworks (April 1, 2011)
In last month’s edition of the Privacy Advisor, we compared the new policy frameworks for analyzing data privacy separately proposed by the Federal Trade Commission and the Department of Commerce. In this issue, we summarize the comments that were submitted in response to each of the frameworks and examine some of the common issues addressed in the submissions.
Perspective: Self-regulation’s credibility problem (April 1, 2011)
Why do privacy advocates remain so opposed to self-regulation? Self-regulatory programs suffer from an enduring credibility problem, established by the short-lived IRSG and the languid NAI, and continued today in the form of business practices that express disregard for consumers' expressed preferences.
Polish Data Protection Act amendment in detail (April 1, 2011)
The amendment to Poland’s Data Protection Act of 29 August 1997 came into force this month. The amendment is intended to strengthen personal data protection by increasing its effectiveness. The Polish Data Protection Authority will be able to enforce its decisions more effectively.
CANADA—Decisions shed light on notification rulings (April 1, 2011)
Effective May 1, 2010, amendments to Alberta’s Personal Information Protection Act (PIPA) created an obligation for organizations to notify the Information and Privacy Commissioner of any incident involving the loss of or unauthorized access to or disclosure of PI, “where a reasonable person would consider that there exists a real risk of significant harm to an individual as a result of the loss or unauthorized access or disclosure.” The amended PIPA also provides that the commissioner may require the organization to notify individuals to whom there is a real risk of significant harm as a result of the loss or unauthorized access or disclosure, “in a form and manner prescribed by the regulations,” and “within a time period determined by the commissioner.”
FRANCE—CNIL takes position on data processor rules (April 1, 2011)
The issue has been up in the air for a few years but none dared mentioning it too loudly for fear that it could come true. Now that the CNIL has released its Decision n°2011-023 of January 20, 2011, it is live.
FRANCE—A new decree adds to ISPs’ data retention obligations (April 1, 2011)
The law of June 21, 2004, on trust in the digital economy (the so-called LCEN) imposes on ISPs (Internet access providers and hosting services providers) an obligation to keep data that could identify online users. Its implementation decree came as a surprise on February 25, 2011, almost seven years after the enactment of the law.
FRANCE—Casual tone of e-mail not sufficient to characterize it as personal (April 1, 2011)
The Labour Chamber of the Supreme Court (Chambre sociale de la Cour de Cassation) upheld two decisions of February 2, 2011, that the casual tone of an e-mail sent by an employee in the workplace is not sufficient to characterize it as personal when the e-mail is “related to the professional activity of the employee.”
ISRAEL—Sloppy class action against Google Buzz dismissed (April 1, 2011)
The Jerusalem District Court dismissed a 5 billion NIS (roughly $1.4 billion) class action against Google Israel Ltd. and Google Inc. In CA (Jerusalem District Court) 4091-10 AmalJeraisy v. Google Israel Ltd. and others, a Gmail user filed the class action a year ago, following Google's launch of the new Buzz social networking service. The action claimed that Google violated users' privacy when it automatically added Google Buzz to Gmail accounts and, by default, Google Buzz allowed users to track their contacts' status updates and additional information that the contacts shared online, without asking for their consent.
ITALY—Garante rules on ex-employee’s claim (April 1, 2011)
Italy’s Data Protection Authority has made a decision in a claim brought by a man who sought the destruction of personal data from his work computer after he was dismissed from his job. The man asked that the employer destroy his personal data and files. The DPA determined that the employer does not have to delete the data, but the DPA forbid the company from accessing the former employee’s personal files, as that would violate the pertinence and proportionality principle provided by the Italian Data Protection Code.
SINGAPORE—Consumer Data Protection Law in 2012 (April 1, 2011)
Singapore may introduce legislation to protect consumer data in early 2012. In his speech to the Parliamentary Committee of Supply 2011 on Leveraging on Infocomm, Design and Media, the Minister for Information, Communications and the Arts (MICA) RADM(NS) LuiTeck Yew said that the proposed law “aims to protect individuals’ personal information against misuse by regulating how businesses collect, use, disclose and retain consumer personal data, including through online means.
UK—First BCR authorization of 2011 (April 1, 2011)
The Information Commissioner’s Office (ICO) issued its first Binding Corporate Rules (BCR) approval of 2011 to Spencer Stuart Management Consultants N.V., a global executive search firm. The authorization was awarded under Europe’s “mutual recognition” procedure, which allows the ICO to act as lead reviewing authority when assessing a BCR application. This latest authorization takes the total number of authorizations awarded by the ICO to nine.
UK—Businesses warned on new cookie rules (April 1, 2011)
The ICO has said that businesses must “wake up” to new rules that will require them to collect users’ consent when serving Web site cookies. The rules derive from amendments made to the European e-Privacy Directive and come into force throughout Europe on May 25.
UK—Court challenges IP address identification (April 1, 2011)
A UK court has questioned whether IP addresses can be used to identify a specific individual accused of copyright infringement (Media CAT Limited v Adams &Ors ). Judge Birrs QC, presiding, queried whether an IP address could reliably establish that the accused had infringed copyright, saying, “The fact that someone [at that IP address] may have infringed does not mean the particular named defendant has done so.” This case calls into question the commonly held view in Europe that IP addresses constitute personal data.
UK—ICO Warns of confusion over new CCTV Commissioner (April 1, 2011)
The Information Commissioner has warned that proposals to appoint a Surveillance Camera Commissioner to oversee a new code on CCTV and surveillance camera use may cause regulatory overlap and confusion. The code, proposed by the UK Government’s Protection of Freedoms Bill and currently under consultation, will initially apply to local authorities and the police only.
Ann Cavoukian receives industry honors (April 1, 2011)
Ontario Information and Privacy Commissioner Ann Cavoukian may need to clear off a shelf in her office. She’s recently been named the recipient of two awards for developing a concept that aims to embed privacy into new technologies from the ground up.
Ernst & Young: Trends point to companies hiring more privacy pros (April 1, 2011)
The findings of Ernst & Young’s "Privacy Trends 2011: Challenges to Privacy Programs in a Borderless World" have been released, and the message is clear: organizations expect to invest more in efforts to protect personal information—including hiring more privacy professionals.
Groups announce 2011 Develop for Privacy Challenge (April 1, 2011)
Four privacy organizations have issued a challenge to mobile application developers: build solutions for privacy concerns for smartphones and other mobile devices. The 2011 Develop for Privacy Challenge is a new competition sponsored by the ACLU of Northern California, the ACLU of Washington, the Tor Project and the Ontario Information and Privacy Commissioner's Office.
Heidi Salow joins Greenberg Traurig (April 1, 2011)
Heidi Salow, CIPP, has joined Greenberg Traurig’s offices of Intellectual Property & Technology as a shareholder with an emphasis on privacy and data security.