Global Privacy Dispatches
POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, upheld the position adopted by the Polish Data Protection Authority (DPA) in its decision issued against Google, Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation discovered it had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a company that had accessed an employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
Notes from the IAPP President (May 1, 2011)
A recent Privacy List inquiry sparked a great discussion among privacy pros about “what distinguishes a privacy professional.” Is the privacy professional “anyone working primarily in the fields of security, law, compliance, risk management, governance, records, etc. whose job supports consumer or employee privacy?” a member asked. “Or should it be more narrowly defined?”
A conversation with Commissioner Pilgrim (May 1, 2011)
Australia’s privacy landscape is undergoing a transformation. The Australian Law Reform Commission has called for reforms including updating and redrafting the Privacy Act; strengthening and clarifying the privacy commissioner’s powers and functions, and enhancing privacy surrounding e-health and credit reporting data, among other provisions.
More details emerge on the future of EU data breaches (May 1, 2011)
On April 5, 2011, the Article 29 Working Party adopted an opinion outlining its approach to data breaches (Opinion 13/2011 on the current EU personal data breach framework and recommendations for future policy developments). The Opinion examined the current status of the data breach framework within the European Union and highlighted points for cooperation and future policy developments on data breaches. These points include further action by the European Commission and the Working Party’s desire to extend the ePrivacy Directive’s data breach framework.
Perspective: The future of privacy in the public sector (May 1, 2011)
The future of privacy is not privacy. It is larger than that. It is information. Let this brief note offer an introduction to one scenario about the future of privacy. Over the past several years, leading privacy professionals have taken a critical look at the future of their profession. Last year, on the occasion of its tenth anniversary, the IAPP published A Call for Agility: The Next Generation Privacy Professional, essentially asking whether we need to broaden the scope of profession. The definition of what is considered personal identifiable information (PII) has broadened over the past 40 years from simple identifiers such as name, date of birth and Social Security number to include additional types of data.
Deutsche Post sheds light on BCR approval process (May 1, 2011)
CANADA—Court of Appeals finds against commissioners in license plate case (May 1, 2011)
On March 28, 2011, the Court of Appeal of Alberta issued a controversial decision in the case of Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner). Leon’s had appealed a judicial review that found in favour of the commissioner, i.e. that the adjudicator’s decision in Order P2008-004 - Leon's Furniture Ltd. was reasonable. The order had determined that the recording of driver’s license numbers and license plate numbers of customers picking up merchandise was not necessary or reasonably connected to the stated purpose, i.e. to prevent fraud.
FRANCE—Changes to the French data protection act (May 1, 2011)
More quickly than expected, and as announced in the March issue of the Privacy Advisor, the French Data Protection Act has been amended by not one but two laws of March 29, 2011. These laws change the functioning of the CNIL—especially its investigation and sanction procedures—in order to ensure due process. There will be a clear separation between decisions relating to investigation and decisions on sanctions.
FRANCE—Services found non-compliant with French data protection law (May 1, 2011)
A March 17 CNIL decision sentenced Google Inc. to a penalty of 100,000 euros for having deployed its Google Maps, Street View and Latitude services on French territory in violation of French data protection law. Here is a summary of the CNIL decision.
FRANCE—Personal data of company executives in the spotlight (May 1, 2011)
The RIALTO computerized database that has gathered information about taxpayers (individuals or companies and their executives) since 2006 in order to support the departments of Public Treasury during tax investigations will henceforth contain numerous and detailed data related to companies’ executives.
FRANCE—CNIL inspections program to cooperate with foreign authorities (May 1, 2011)
The French Data Protection Authority (CNIL) has finalized plans for its onsite inspection program for the period between April 2011 and April 2012. This year, the program will include cooperation with the U.S. Federal Trade Commission and other foreign authorities.
SPAIN—Important reform of the data protection sanctions regime (May 1, 2011)
Organic Act 15/1999, dated December 13, on Protection of Personal Data (Spanish acronym LOPD), is the legal reference framework in Spain on privacy matters. It is a law that plays a prime role in establishing a data protection culture in Spain and in other countries where it has been taken as a model. The act is implemented through its regulations, approved by Royal Decree 1720/2007. The LOPD has recently been amended by Act 2/2011, dated March 4, which introduced major reforms to the sanctions regime.
UK—No prosecution for BT and Phorm; Home Office proposes RIPA amendments (May 1, 2011)
The Crown Prosecution Service (CPS) has refused consent to prosecute British Telecom (BT) and Phorm, Inc. over “secret” trials of Phorm’s behavioural targeting technology on BT’s ISP customers. In 2006, BT and Phorm conducted trials of Phorm’s behavioural targeting technology on about 18,000 BT customers without their knowledge. Through the use of deep packet inspection techniques, Phorm collected information on Internet users’ browsing habits and used this to serve targeted adverts.
UK—ICO secures undertakings from multiple healthcare organisations (May 1, 2011)
The Information Commissioner’s Office (ICO) has secured undertakings from five organisations found in breach of the Data Protection Act 1998 (DPA). The undertakings, entered into by various healthcare organisations (including NHS Trusts) and a UK City Council, each relate to failings to maintain the security of personal data.
TagMan’s new CPO discusses online tracking (May 1, 2011)
TagMan has announced the promotion of Angus Glover Wilson from director of operations to the company’s new chief privacy officer position. According to an announcement from the company, which was recently honored with an award from its peers for its work in advertising analytics, Wilson will take the lead on helping advertisers adhere to any new privacy regulations that come into force.
IAPP seeks item writers for certification programs (May 1, 2011)
The IAPP is seeking item writers to help develop questions for its CIPP, CIPP/G, CIPP/C and CIPP/IT programs. We are looking for individuals who have strong professional experience and knowledge of privacy laws and practices as well as enthusiasm for promoting privacy certification and education.
Flash Player 10.3 beta features new privacy controls (May 1, 2011)
Adobe’s newest version of its Flash Player, released in beta last month, features key privacy controls aimed at integrating with browsers for improved management of local storage, the company announced in its blog in March. Adobe is seeking feedback on the beta release.
Last month on the Privacy List (May 1, 2011)
Privacy pros continue to exchange ideas, resources and a wealth of knowledge on the IAPP Privacy List. Last month’s questions included such topics as e-mail addresses as personally identifiable information, government access to data and full-disk encryption. One professional recently asked, for example, about a U.S. government request for employee data.