Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Notes from the IAPP President (September 1, 2011)
In this month’s Privacy Advisor, our legislative issue, we take a look at past, present and potential privacy legislation, with articles about the Article 29 Working Party’s opinion on “consent,” the current legislative landscape in the U.S. and a potential amendment to the EU Data Protection Directive that would require data-handling organizations to appoint data protection officers.
How 9/11 changed privacy (September 1, 2011)
How did the events of September 11, 2001, change privacy? To answer that question, it helps to identify just how much privacy has evolved over the past decade. In that timeframe, “you have the growth globally of an interest in privacy—including consumer privacy—and that’s reflected in many ways,” said Jim Dempsey, vice president for public policy at the Center for Democracy & Technology (CDT), a civil liberties group based in Washington.
Ten steps every organization should take to address global data security breach notification requirements (September 1, 2011)
Data security breach notification is rapidly becoming a significant compliance risk for global enterprises. A data security breach can disrupt business operations, damage brand reputation and customer relationships, and attract government investigations and class action lawsuits.
Anniversary of a bill (September 1, 2011)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. On the occasion of its fifteenth anniversary, The Privacy Advisor takes a closer look.
EU Article 29 Working Party issues opinion on “consent” (September 1, 2011)
On 13 July 2011, the Article 29 Working Party adopted an opinion on the definition of consent (WP 187). The opinion—which to a large extent refers to previous opinions and contains a number of examples—basically reconfirms the Working Party’s rather strict and narrow interpretation of the notion of consent.
Inching toward consensus: A roundup of U.S. privacy legislation (September 1, 2011)
The prospects for major new privacy regulation emerging from the U.S. Congress during the remainder of the current session continue to be elusive. In spite of privacy’s status as the rare bipartisan issue, its span across multiple committee jurisdictions and agencies, the lack of any national emergency and the absence of a concerted interest group pose significant obstacles to any broad-based privacy bill.
Will the European Commission require DPOs at all organizations? (September 1, 2011)
As the European Commission reviews its legal framework on data protection, European Directive 95/46/EC, it considers implementing a mandatory requirement that all data processing organizations employ a data protection officer. A two-month public consultation period—which concluded earlier this year—generated submissions from 288 organizations and individuals. While stakeholders have been vocal, the commission itself has remained tight-lipped about the potential mandate’s likelihood, leaving stakeholders and others to speculate about the potential implications.
CANADA—Proposed electronic commerce protection regulations (September 1, 2011)
In late June and early July 2011, the federal Department of Industry and the Canadian Radio-television and Telecommunications Commission (CRTC) called for comments on draft regulations for what is commonly referred to as Canada’s Anti-Spam Legislation. Comments to the CRTC are due August 29, 2011, while comments to Industry Canada are due September 9, 2011.
GERMANY—New data privacy law provisions for smart metering (September 1, 2011)
On 4 August 2011, an amendment to the German Energy Industry Act (EnWG) came into force, which includes new data privacy provisions relating to the use of so-called smart meters. By virtue of the amendment, the German legislature has implemented EU Directives 2009/72/EC and 2009/73/EC on the introduction of smart metering techniques relating to energy and gas supplies to consumers. When certain requirements are met, measuring point operators are obliged to use smart meters.
HUNGARY—Parliament accepts privacy bills (September 1, 2011)
Two significant privacy-related bills were accepted by the Hungarian Parliament on 11 July 2011. Both bills are currently awaiting the signature of the president and subsequent publication in order to become law.
POLAND—Poland recognizes stalking as a criminal offence (September 1, 2011)
On 6 June 2011, Poland introduced into its legal system provisions penalizing stalking. The implementation of such provisions into the Polish penal code was preceded by an analysis initiated in 2009 by the Ministry of Justice, which indicated that almost every 10th person was a victim of persistent harassment.
UK—Anti-bribery laws raise privacy issues (September 1, 2011)
The new UK Bribery Act 2010 came into force on 1 July 2011, raising a number of data protection compliance considerations for organisations carrying out business in the UK.
UK—ICO calls for more private-sector audits (September 1, 2011)
The information commissioner published his Annual Report on 6 July 2011, which identified that only 19 percent of private-sector companies approached by the Information Commissioner’s Office (ICO) agreed to a voluntary audit in 2010, compared to 71 percent of public-sector organisations.
UK—Security breaches lead to undertakings (September 1, 2011)
Undertakings have been signed by Lewisham Homes and Wandle Housing Association to comply with the Data Protection Act 1998 after details relating to thousands of their tenants were discovered on an unencrypted memory stick that had been copied and left in a pub by a contractor. There was no suggestion of misuse of the personal data, but the Information Commissioner’s Office commented that “Saving personal information onto an unencrypted memory stick is as risky as taking hard copy papers out of the office.”
UK—ICO reiterates call to impose jail terms on blaggers (September 1, 2011)
The information commissioner has reiterated his request for custodial sentences for those who unlawfully trade in personal information. This was first called for in the “What Price Privacy?” and “What Price Privacy Now?”—special reports made to Parliament in 2006 by the previous commissioner.
Three senior staff join IAPP (September 1, 2011)
As it plans for the continued global growth of the privacy profession, the IAPP has hired three senior staff members to help anchor its success in bringing data privacy education, certification and resources to professionals worldwide.
Privacy Law Scholars Award recognizes outstanding privacy scholarship (September 1, 2011)
The IAPP will recognize the winners of the IAPP Privacy Law Scholars Award at its annual Privacy Dinner on September 15 in Dallas, TX. The awards recognize outstanding privacy scholarship. Winning papers were selected from among 40 submitted for the fourth annual Privacy Law Scholars Conference in June. Two teams of authors will receive the first-ever awards.
This month on the Privacy List (September 1, 2011)
Among the many topics hashed out among IAPP Privacy List subscribers in the past month, two of the most robust issues involved data breach notification and organization-wide privacy and security training.