Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Notes from the IAPP President (July 1, 2011)
At the recent e-G8 Forum in Paris, French President Nicolas Sarkozy renewed his call for a more “civilized Internet.” It’s a term he has used before in calls to stamp out the practice of online copyright infringement. I think it also offers a unique way for us to think about privacy and data protection. When it comes to privacy, what does a civilized Internet look like?
India: Implications of the new information technology rules (July 1, 2011)
India has recently extended its information technology laws to embrace wider data privacy issues. These new regulations will have some impact on those outsourcing to India, but will be more significant for those conducting business in India. Set out here is a summary of the key changes brought about by these laws along with some of the issues that they raise.
Privacy software to protect patient records (July 1, 2011)
What’s the best way to protect people’s personal health information (PHI) while using the data to benefit society? That’s a crucial question for physicians and their patients, as well as for the epidemiologists, health researchers and public officials who rely on high-quality data to improve the delivery of healthcare, cure diseases and stop pandemics.
New theory of harm in data breach cases (July 1, 2011)
In the United States, 515 million records have been lost in data breaches since 2005. Customers seeking recovery after the loss of their personal information in data breaches have not been successful in recovering damages if they are not victims of identity theft. This lack of success can be attributed to an inability to articulate a concrete or particularized harm. Despite past setbacks, customers continue to search for legal theories to hold companies accountable.
Address Verification Service and privacy: The effect of the California Supreme Court ruling upon security (July 1, 2011)
The nexus between privacy and the functioning of the electronic transaction payment space continues to increase. This article will address the current state of the Address Verification Services (AVS) within the context of the electronic payment system and the impact of the California Supreme Court in the Pineda v Williams-Sonoma case.
Forging a path into the privacy profession—one expert’s journey (July 1, 2011)
As privacy becomes a more significant focus for businesses and governments across the globe, demand for privacy professionals grows more robust by the day. Responding to several data breaches, Sony appointed a chief information security officer to help provide accountability for its customers’ data protection. As part of its review of Google’s privacy policies, Canada’s Office of the Privacy Commissioner has recommended that the company increase employee privacy and security training. Additionally, U.S. legislators are flirting with a national privacy policy; the EU has enacted a strict cookie law, and countries around the world are producing privacy legislation, placing privacy-related jobs in higher demand.
CANADA—Federal commissioner releases findings (July 1, 2011)
In October 2010, the federal privacy commissioner of Canada published a Preliminary Letter of Findings after the Office of the Privacy Commissioner (OPC) conducted an investigation into Google’s collection of payload data from unencrypted WiFi using its Street View cars. The Letter of Findings included a number of recommendations and a requirement that Google respond to the OPC concerning the implementation of those recommendations on or before February 1, 2011.
FRANCE—Fashion industry: CNIL authorization to process conviction data to fight against IP rights infringement (July 1, 2011)
The needs of the fashion industry have been taken into account by the CNIL in two noticeable decisions of April 28, 2011, by which the CNIL authorised Chanel SA to process data relating to offences and convictions for the management of the company’s intellectual property rights (trademarks, copyright, patents, design & models) and the management and follow-up of pre-disputes and litigation.
FRANCE—Security breach impacting HADOPI (July 1, 2011)
Five months after having begun sending hundreds of thousands of warning letters to online infringers with high media coverage, HADOPI—the authority in charge of digital copyright enforcement—became the victim of a security breach.
FRANCE—Security breach notifications – A step forward in the French legislative landscape (July 1, 2011)
As were all EU Member states, France was bound to implement the so-called “Telecom Package,” including the Directive 2009/136/EC relating to the protection of personal data in the e-communications sector, before May 25.
GERMANY—Two Federal Court of Justice decisions on opt-in requirements for marketers (July 1, 2011)
On 14 April 2011, the German Federal Court of Justice handed down a remarkable verdict on the permissibility of telephone marketing measures. The court ruled that consent to marketing calls shall only be valid and enforceable if it has been declared by a separate and express opt-in.
UK—No cookie consent enforcement for 12 months (July 1, 2011)
The UK Information Commissioner’s Office (ICO) has confirmed that it will not enforce new cookie “consent” requirements introduced under the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (PECR) for a period of 12 months.
UK—£120,000 fine for misdirected e-mails (July 1, 2011)
The ICO has imposed a £120,000 fine on Surrey County Council for a serious breach of the Data Protection Act 1998, after staff sent a series of misdirected e-mails containing sensitive personal information to the wrong recipients.
UK—Data thieves prosecuted (July 1, 2011)
Two former employees of UK mobile operator T-Mobile who stole and sold customer data from the company in 2008 have been successfully prosecuted and ordered to pay a total of £73,700 in fines or face prison.
UK—ICO’s data sharing code (July 1, 2011)
In May, the Information Commissioner’s Office issued a code of practice on lawful data sharing arrangements by both public- and private-sector organisations. The code recommends that organisations put in place standard procedures to record what data is shared, with whom and for what purposes, and to ensure that any such sharing is done securely.
Iberoamerican Data Protection Conference Held in Colombia (July 1, 2011)
The Spanish Data Protection Authority recently hosted the annual Iberoamerican Data Protection Conference in Cartagena, Colombia.
José Luis Rodríguez Álvarez Nominated Director of Spanish DPA (July 1, 2011)
The Spanish Council of Ministers approved on June 17 the nomination of José Luis Rodríguez Álvarez as director of the Spanish Data Protection Agency, the Agencia Española de Protección de Datos (AEPD).
Protecting privacy in the education landscape (July 1, 2011)
While recent large-scale data breaches have garnered much attention worldwide, smaller breaches at colleges and universities have also had a significant impact, prompting scrutiny, criticism and, in some cases, new legislation. The Privacy Advisor caught up with Foley & Lardner senior counsel Peter McLaughlin at the recent Practical Privacy Series event in Boston, Mass. McLaughlin, who recently published a book about protecting personally identifiable information in higher education, shared his perspective on the current landscape.
This month on the Privacy List (July 1, 2011)
Where does an emerging privacy office belong within a company? In the legal department? IT? Internal compliance?
Summer Reads: Privacy pros turn the pages (July 1, 2011)
The Privacy Advisor asked privacy pros about their personal and professional reading preferences. Responses covered a disparate and diverse span of text, including fiction, privacy textbooks, philosophy and even an early hacker article.