Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Notes from the IAPP President (October 1, 2011)
As I write these words, dozens of professionals are tuning in to a Web conference about privacy considerations in mergers and acquisitions; a U.S. congressman is preparing for a town hall meeting on privacy in California, and the European Commission’s Digital Agenda chief has just addressed the Internet Governance Forum in Nairobi, Kenya, in a talk that included, among other topics, data privacy.
ASU: A Privacy by Design hotbed (October 1, 2011)
A unique new privacy think tank has entered the arena—but few outside the southwestern United States may know about it. The Privacy by Design Research Lab is starting its second year of operations at the W. P. Carey School of Business at Arizona State University. Marilyn Prosch, an associate professor in the business school, runs the virtual lab. Ontario Information and Privacy Commissioner Ann Cavoukian serves as its executive director. The lab is a case study in how much opportunity still exists to shape the relatively young privacy profession.
Conducting a privacy gap analysis: A primer for privacy officers (October 1, 2011)
High-profile privacy incidents across both public and private sectors, such as recent breaches at Google, Epsilon and Sony and a continuous stream of health information privacy breaches in Canada and the United States, are increasing public awareness and concern regarding how organizations handle personal information. In response, regulators in many jurisdictions and industries have introduced new privacy compliance and breach reporting requirements and increased enforcement efforts and penalties for non-compliance.
It's official, Israel provides an adequate level of data protection (October 1, 2011)
The European Commission has formally approved Israel's status as a country that provides an adequate level of protection for personal data transferred from the EU. The decision, which recently entered into force, removes many significant substantive obstacles that companies previously needed to overcome in order to transfer personal data from the EU to Israel.
Getting support for privacy and data compliance: not a hard sell if done right (October 1, 2011)
It is that time of year again. I am not talking about football, corn mazes and haunted houses. No, I mean budgets and funding for next year’s projects. For employees charged with data privacy and security, this period can be particularly frightening. What will I ask for this year? What will I end up with at the end of the budget process? Maybe I should just ignore compliance for another year?
CANADA—Damages awarded in PIPEDA case (October 1, 2011)
For only the second time, the Federal Court of Canada awarded damages against an organization that was found to be in non-compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA). The court determined that an applicant had suffered humiliation that warranted compensation, and the applicant was awarded damages of $4,500 plus interest and costs.
EUROPE—Privacy and the self-regulatory landscape for online advertising (October 1, 2011)
The Article 29 Working Party (WP) released an open letter, dated 3 August 2011, to the Internet Advertising Bureau (IAB) Europe and the European Advertising Standards Alliance (EASA) on the draft self-regulatory Framework for Online Behavioral Advertising put forth by both organizations (the code). The letter underscores the WP’s main concerns with the code and includes a letter from the U.S. Federal Trade Commission (FTC) on its perspective on online behavioral advertising.
FRANCE—Behavioural biometrics device authorized (October 1, 2011)
The CNIL has granted an authorization to JVL for its software enabling the identification of an individual according to his/her keystroke. The technology can be used to authenticate users in providing access to IT systems and applications. It analyzes the time span between two keystrokes while typing a series of 20 digits minimum.
FRANCE—CNIL certification process released (October 1, 2011)
Since 2004, the CNIL has been entitled by the French Data Protection Act to grant seals—labels for products and methods of personal data processing designed in compliance with data protection law. The process must be initiated at the request of professional organisations and institutions.
FRANCE—Limits to e-mail monitoring (October 1, 2011)
Employees’ rights to privacy in the workplace were reaffirmed by the Supreme Court on 5 July 2011. The decision brings limits to the monitoring of employees’ professional e-mailboxes.
FRANCE—The French Cookie Rule (October 1, 2011)
The cookie directive was implemented by Ordinance n°2011-1012 of 24 August, 2011, issued by the French government. This ordinance amends the French Data Protection Act.
GERMANY—Global applicability of German data privacy law (October 1, 2011)
On 2 August 2011, the Higher Regional Court in Hamburg handed down a really remarkable judgment on the applicability of German data privacy rules. As a matter of fact, the court found that any publication of personal data on the Internet could be scrutinized under German data privacy rules if only the website is directed to and accessible in Germany.
GERMANY—Facebook “like” buttons and fan pages not data protection law compliant in Germany (October 1, 2011)
A very hotly debated topic at the moment in Germany is the data privacy law compliance of the Facebook “like” button and Facebook fan pages. After lengthy discussions and examinations by administrative authorities, the data protection authority in the northern German state Schleswig-Holstein issued a press release on 18 August 2011 urging all website operators to shut down their fan pages on Facebook and remove social plug-ins such as the “like” button from their websites.
ISRAEL—Google Street View approved in Israel (October 1, 2011)
Following a long governmental discussion during the past few months, and after considering privacy and security concerns, the justice ministry, through the Israeli Law, Information and Technology Authority (ILITA), released its conditional permit for Google to operate Street View in Israel.
ISRAEL—Israel is preparing to issue biometric IDs (October 1, 2011)
New regulations and orders introduced by the Ministers Committee for Biometric Applications set the ground for a two-year biometric IDs issuance trial period. The Ministry of Home Affairs is making final preparations to start issuing the IDs, which will contain encoded fingerprints and facial images and will be stored in a national database. A campaign led by privacy activists against the controversial biometric database has failed to yield a positive result so far.
SINGAPORE—Singapore’s Consumer Data Protection Consultation Paper release (October 1, 2011)
I reported in April of this year that in early 2012 Singapore may introduce legislation to protect consumer data. On 13 September, the Ministry of Information, Communications and the Arts (MICA) released a public consultation paper on the proposed consumer data protection regime, which is scheduled for debate in Parliament sometime in the first quarter of 2012.
UK—ICO audits private-sector businesses (October 1, 2011)
The Information Commissioner’s Office (ICO) has recently published the results of its audits of the Nationwide Building Society, Google and GE Money Home Lending. These audits are three of the first consensual audits of private-sector companies conducted by the ICO.
UK—Information Commissioner reiterates call for custodial sentences (October 1, 2011)
A bank cashier has been fined £800 and made to pay £400 costs and a £15 victims’ surcharge by Brighton Magistrates Court for illegally accessing the personal data of a sex attack victim. The cashier, whose husband had been convicted of the offence, viewed the victim’s account and banking records, employer details and lending records on eight occasions over eight months in order to build a picture of the woman that had accused her husband.
UK—ICO defends 2003 investigation (October 1, 2011)
UK newspaper The Independent has investigated the files seized during Operation Motorman, the 2003 ICO inquiry that revealed private investigators’ widespread use of illegal practices to gather personal information at the request of paying journalists.
UK—New e-privacy guidance published (October 1, 2011)
The ICO has published updated guidance on the UK’s e-privacy laws. The updated guidance now addresses new UK requirements to obtain “consent” when serving website cookies and for public electronic communications service providers to notify personal data breaches.
A better start for foster children in California (October 1, 2011)
Imagine the plight of an 18-year-old girl who has just left her last in a series of foster homes and is venturing into the world on her own. She applies to rent a small apartment and is turned down. She applies for an education loan to attend a community college and is turned down. She applies for a part-time job in a coffee shop and gets the same result. All doors seem closed to her.
Privacy Dinner: A Night of Honors and Insights (October 1, 2011)
When it comes to privacy protection planning, Texas Comptroller Susan Combs may have summed it up best, telling a crowd of approximately 500 privacy professionals, “Never assume you’ve done enough…it’s always evolving.”