Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Notes from the IAPP President (May 1, 2011)
A recent Privacy List inquiry sparked a great discussion among privacy pros about “what distinguishes a privacy professional.” Is the privacy professional “anyone working primarily in the fields of security, law, compliance, risk management, governance, records, etc. whose job supports consumer or employee privacy?” a member asked. “Or should it be more narrowly defined?”
A conversation with Commissioner Pilgrim (May 1, 2011)
Australia’s privacy landscape is undergoing a transformation. The Australian Law Reform Commission has called for reforms including updating and redrafting the Privacy Act; strengthening and clarifying the privacy commissioner’s powers and functions, and enhancing privacy surrounding e-health and credit reporting data, among other provisions.
More details emerge on the future of EU data breaches (May 1, 2011)
On April 5, 2011, the Article 29 Working Party adopted an opinion outlining its approach to data breaches (Opinion 13/2011 on the current EU personal data breach framework and recommendations for future policy developments). The Opinion examined the current status of the data breach framework within the European Union and highlighted points for cooperation and future policy developments on data breaches. These points include further action by the European Commission and the Working Party’s desire to extend the ePrivacy Directive’s data breach framework.
Perspective: The future of privacy in the public sector (May 1, 2011)
The future of privacy is not privacy. It is larger than that. It is information. Let this brief note offer an introduction to one scenario about the future of privacy. Over the past several years, leading privacy professionals have taken a critical look at the future of their profession. Last year, on the occasion of its tenth anniversary, the IAPP published A Call for Agility: The Next Generation Privacy Professional, essentially asking whether we need to broaden the scope of the profession. The definition of what is considered personally identifiable information (PII) has broadened over the past 40 years from simple identifiers such as name, date of birth and Social Security number to include additional types of data.
Deutsche Post sheds light on BCR approval process (May 1, 2011)
CANADA—Court of Appeals finds against commissioners in license plate case (May 1, 2011)
On March 28, 2011, the Court of Appeal of Alberta issued a controversial decision in the case of Leon’s Furniture Limited v. Alberta (Information and Privacy Commissioner). Leon’s had appealed a judicial review that found in favour of the commissioner, i.e. that the adjudicator’s decision in Order P2008-004 - Leon's Furniture Ltd. was reasonable. The order had determined that the recording of driver’s license numbers and license plate numbers of customers picking up merchandise was not necessary or reasonably connected to the stated purpose, i.e. to prevent fraud.
FRANCE—Changes to the French data protection act (May 1, 2011)
More quickly than expected, and as announced in the March issue of the Privacy Advisor, the French Data Protection Act has been amended by not one but two laws of March 29, 2011. These laws change the functioning of the CNIL—especially its investigation and sanction procedures—in order to ensure due process. There will be a clear separation between decisions relating to investigation and decisions on sanctions.
FRANCE—Services found non-compliant with French data protection law (May 1, 2011)
A March 17 CNIL decision sentenced Google Inc. to a penalty of 100,000 euros for having implemented its Google Maps, Street View and Latitude services on French territory in violation of French data protection law. Here is a summary of the CNIL decision.
FRANCE—Personal data of company executives in the spotlight (May 1, 2011)
The RIALTO computerized database that has gathered information about taxpayers (individuals or companies and their executives) since 2006 in order to support the departments of Public Treasury during tax investigations will henceforth contain numerous and detailed data related to companies’ executives.
FRANCE—CNIL inspections program to cooperate with foreign authorities (May 1, 2011)
The French Data Protection Authority (CNIL) has finalized plans for its onsite inspection program for the period between April 2011 and April 2012. This year, the program will include cooperation with the U.S. Federal Trade Commission and other foreign authorities.
SPAIN—Important reform of the data protection sanctions regime (May 1, 2011)
Organic Act 15/1999, dated December 13, on Protection of Personal Data (Spanish acronym LOPD), is the legal reference framework in Spain on privacy matters. It is a law that is fulfilling a prime role in implementing the data protection culture in Spain and in other countries where it is being taken as an example. The act has been developed by its regulations, approved by Royal Decree 1720/2007. The LOPD has recently been amended by Act 2/2011, dated March 4, which introduced major reforms on the matter of sanction regimes.
UK—No prosecution for BT and Phorm; Home Office proposes RIPA amendments (May 1, 2011)
The Crown Prosecution Service (CPS) has refused consent to prosecute British Telecom (BT) and Phorm, Inc. over “secret” trials of Phorm’s behavioural targeting technology on BT’s ISP customers. In 2006, BT and Phorm conducted trials of Phorm’s behavioural targeting technology on about 18,000 BT customers without their knowledge. Through the use of deep packet inspection techniques, Phorm collected information on Internet users’ browsing habits and used this to serve targeted adverts.
UK—ICO secures undertakings from multiple healthcare organisations (May 1, 2011)
The Information Commissioner’s Office (ICO) has secured undertakings from five organisations found in breach of the Data Protection Act 1998 (DPA). The undertakings, entered into by various healthcare organisations (including NHS Trusts) and a UK City Council, each relate to failings to maintain the security of personal data.
TagMan’s new CPO discusses online tracking (May 1, 2011)
TagMan has announced the promotion of Angus Glover Wilson from director of operations to the company’s new chief privacy officer position. According to an announcement from the company, which was recently honored with an award from its peers for its work in advertising analytics, Wilson will take the lead on helping advertisers adhere to any new privacy regulations that come into force.
IAPP seeks item writers for certification programs (May 1, 2011)
The IAPP is seeking item writers to help develop questions for its CIPP, CIPP/G, CIPP/C and CIPP/IT programs. We are looking for individuals who have strong professional experience and knowledge of privacy laws and practices as well as enthusiasm for promoting privacy certification and education.
Flash Player 10.3 beta features new privacy controls (May 1, 2011)
Adobe’s newest version of its Flash Player, released in beta last month, features key privacy controls aimed at integrating with browsers for improved management of local storage, the company announced in its blog in March. Adobe is seeking feedback on the beta release.
Last month on the Privacy List (May 1, 2011)
Privacy pros continue to exchange ideas, resources and a wealth of knowledge on the IAPP Privacy List. Last month’s questions included such topics as e-mail addresses as personally identifiable information, government access to data and full-disk encryption. One professional recently asked, for example, about a U.S. government request for employee data.