Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Notes from the IAPP President (October 1, 2011)
As I write these words, dozens of professionals are tuning in to a Web conference about privacy considerations in mergers and acquisitions; a U.S. congressman is preparing for a town hall meeting on privacy in California, and the European Commission’s Digital Agenda chief has just addressed the Internet Governance Forum in Nairobi, Kenya, in a talk that included, among other topics, data privacy.
ASU: A Privacy by Design hotbed (October 1, 2011)
A unique new privacy think tank has entered the arena—but few outside the southwestern United States may know about it. The Privacy by Design Research Lab is starting its second year of operations at the W. P. Carey School of Business at Arizona State University. Marilyn Prosch, an associate professor in the business school, runs the virtual lab. Ontario Information and Privacy Commissioner Ann Cavoukian serves as its executive director. The lab is a case study in how much opportunity still exists to shape the relatively young privacy profession.
Conducting a privacy gap analysis: A primer for privacy officers (October 1, 2011)
High-profile privacy incidents across both public and private sectors, such as recent breaches at Google, Epsilon and Sony and a continuous stream of health information privacy breaches in Canada and the United States, are increasing public awareness and concern regarding how organizations handle personal information. In response, regulators in many jurisdictions and industries have introduced new privacy compliance and breach reporting requirements and increased enforcement efforts and penalties for non-compliance.
It's official, Israel provides an adequate level of data protection (October 1, 2011)
The European Commission has formally approved Israel's status as a country that provides an adequate level of protection for personal data transferred from the EU. The decision, which recently entered into force, removes many significant substantive obstacles that companies previously needed to overcome in order to transfer personal data from the EU to Israel.
Privacy research roundup–A snapshot of global initiatives (October 1, 2011)
Privacy-related research is thriving at colleges, universities and organizations worldwide. Here is a look at some of the initiatives currently underway.
Getting support for privacy and data compliance: not a hard sell if done right (October 1, 2011)
It is that time of year again. I am not talking about football, corn mazes and haunted houses. No, I mean budgets and funding for next year’s projects. For employees charged with data privacy and security, this period can be particularly frightening. What will I ask for this year? What will I end up with at the end of the budget process? Maybe I should just ignore compliance for another year?
CANADA—Damages awarded in PIPEDA case (October 1, 2011)
For only the second time, the Federal Court of Canada awarded damages against an organization that was found to be in non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). The court determined that an applicant had suffered humiliation that warranted compensation, and the applicant was awarded damages of $4,500 plus interest and costs.
EUROPE—Privacy and the self-regulatory landscape for online advertising (October 1, 2011)
The Article 29 Working Party (WP) released an open letter, dated 3 August 2011, to the Internet Advertising Bureau (IAB) Europe and the European Advertising Standards Alliance (EASA) on the draft self-regulatory Framework for Online Behavioral Advertising put forth by both organizations (the code). The letter underscores the WP’s main concerns with the code and includes a letter from the U.S. Federal Trade Commission (FTC) on its perspective on online behavioral advertising.
FRANCE—Behavioural biometrics device authorized (October 1, 2011)
The CNIL has granted an authorization to JVL for its software enabling the identification of an individual according to his/her keystroke. The technology can be used to authenticate users in providing access to IT systems and applications. It analyzes the time span during two keystrokes while typing a series of 20 digits minimum.
FRANCE—CNIL certification process released (October 1, 2011)
Since 2004, the CNIL has been entitled by the French Data Protection Act to grant seals—labels for products and methods of personal data processing designed in compliance with data protection law. The process must be initiated at the request of professional organisations and institutions.
FRANCE—Limits to e-mail monitoring (October 1, 2011)
Employees’ rights to privacy in the workplace were reaffirmed by the Supreme Court on 5 July 2011. The decision brings limits to the monitoring of employees’ professional e-mailboxes.
FRANCE—Online national directory sanctioned for indexing links to social network profiles (October 1, 2011)
In what appears to be a landmark decision, the data protection authority on September 21 sanctioned the Yellow Pages company for having made available a “webcrawl” functionality along with its usual white pages online directory.
FRANCE—The French Cookie Rule (October 1, 2011)
The cookie directive was implemented by Ordinance n°2011-1012 of 24 August, 2011, issued by the French government. This ordinance amends the French Data Protection Act.
GERMANY—Global applicability of German data privacy law (October 1, 2011)
On 2 August 2011, the Higher Regional Court in Hamburg handed down a really remarkable judgment on the applicability of German data privacy rules. As a matter of fact, the court found that any publication of personal data on the Internet could be scrutinized under German data privacy rules if only the website is directed to and accessible in Germany.
GERMANY—Facebook “like” buttons and fan pages not data protection law compliant in Germany (October 1, 2011)
A very hotly debated topic at the moment in Germany is the data privacy law compliance of the Facebook “like” button and Facebook fan pages. After lengthy discussions and examinations by administrative authorities, the data protection authority in the northern German state Schleswig-Holstein issued a press release on 18 August 2011 urging all website operators to shut down their fan pages on Facebook and remove social plug-ins such as the “like” button from their websites.
ISRAEL—Google Street View approved in Israel (October 1, 2011)
Following a long governmental discussion during the past few months, and after considering privacy and security concerns, the justice ministry, through the Israeli Law, Information and Technology Authority (ILITA), released its conditional permit for Google to operate Street View in Israel.
ISRAEL—Israel is preparing to issue biometric IDs (October 1, 2011)
New regulations and orders introduced by the Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs, which will contain encoded fingerprints and facial images and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far.
POLAND—Employers—do not collect personal data concerning the criminal records and financial situations of your employees! (October 1, 2011)
Many employers wish to know more and more about their employees and request the provision of an increasingly wide range of personal data. It has become a widespread practice for companies, in particular those operating in the insurance and financial industries—including banks—to collect a broader scope of personal data concerning their employees than is envisaged by the Labour code.
SINGAPORE—Singapore’s Consumer Data Protection Consultation Paper release (October 1, 2011)
I reported in April of this year that in early 2012 Singapore may introduce legislation to protect consumer data. On 13 September, the Ministry of Information, Communications and the Arts (MICA) released a public consultation paper on the proposed consumer data protection regime, which is scheduled for debate in Parliament sometime in the first quarter of 2012.
UK—ICO audits private-sector businesses (October 1, 2011)
The Information Commissioner’s Office (ICO) has recently published the results of its audits of the Nationwide Building Society, Google and GE Money Home Lending. These audits are three of the first consensual audits of private-sector companies conducted by the ICO.
UK—Information Commissioner reiterates call for custodial sentences (October 1, 2011)
A bank cashier has been fined £800 and made to pay £400 costs and a £15 victims’ surcharge by Brighton Magistrates Court for illegally accessing the personal data of a sex attack victim. The cashier, whose husband had been convicted of the offence, viewed the victim’s account and banking records, employer details and lending records on eight occasions over eight months in order to build a picture of the woman who had accused her husband.
UK—ICO defends 2003 investigation (October 1, 2011)
UK newspaper The Independent has investigated the files seized during Operation Motorman, the 2003 ICO inquiry that revealed private investigators’ widespread use of illegal practices to gather personal information at the request of paying journalists.
UK—New e-privacy guidance published (October 1, 2011)
The ICO has published updated guidance on the UK’s e-privacy laws. The updated guidance now addresses new UK requirements to obtain “consent” when serving website cookies and for public electronic communications service providers to notify personal data breaches.
A better start for foster children in California (October 1, 2011)
Imagine the plight of an 18-year-old girl who has just left her last in a series of foster homes and is venturing into the world on her own. She applies to rent a small apartment and is turned down. She applies for an education loan to attend a community college and is turned down. She applies for a part-time job in a coffee shop and gets the same result. All doors seem closed to her.
Future of Privacy Forum releases 2011 Privacy Papers for Policy Makers (October 1, 2011)
The Future of Privacy Forum has released its second annual “Privacy Papers for Policy Makers.” The six featured papers for 2011 reveal new insight on accountability’s role in privacy policy, online obscurity and the “PII problem,” among other topics.
Privacy Dinner: A Night of Honors and Insights (October 1, 2011)
When it comes to privacy protection planning, Texas Comptroller Susan Combs may have summed it up best, telling a crowd of approximately 500 privacy professionals, “Never assume you’ve done enough…it’s always evolving.”