Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
Notes from the IAPP President (November 1, 2011)
The scene outside the IAPP’s global headquarters resembles something out of Monet’s time in Argenteuil; the trees are ablaze with orange, yellow, red and brown. Autumn has enveloped those of us in the northern hemisphere, where the days are growing shorter yet brighter with the stunning fall foliage.
What makes a model privacy program? (November 1, 2011)
As data protection and privacy concerns continue to expand throughout the world, more and more organizations are finding they need to implement new or improve outdated privacy programs. Instead of “reinventing the wheel,” privacy professionals can look toward other model programs and learn key elements to ensure an effective program. The Privacy Advisor recently caught up with several privacy experts to discover some important components that can help engender a successful program.
How will customer data be protected in the cloud? (November 1, 2011)
Cloud computing is the convergence of Internet technologies, virtualization and information technology (IT) standardization. The cloud offers flexible, affordable and scalable software, platforms, infrastructure and storage to all sizes of businesses in all sectors. For these reasons, it is not surprising that cloud services revenue will increase from $68.3 billion spent in 2010 to $150 billion by 2013 (Gartner, June 22, 2010). It is also not surprising that, as businesses move to this next generation of outsourced IT services, one of the key questions is: How will customer data be protected in the cloud?
New report identifies benefits for organisations of an “optimised” privacy impact assessment methodology (November 1, 2011)
The use of privacy impact assessments (PIAs) looks set to grow exponentially, especially in Europe. A PIA Framework for Radio Frequency Identification (RFID), developed by industry, was endorsed by the Article 29 Data Protection Working Party in February, and the European Commission is expected to make PIAs mandatory in some situations following the release of its proposals for a new data protection framework in early 2012.
Hungary's new data protection act detailed (November 1, 2011)
The Hungarian Parliament recently replaced its almost 10-year-old data protection legislation with a new act. The act was created to fill the need for a more compliant and liberalized legislation. In practice, however, the new act has received many objections from constitutional lawyers and civil organizations, as well as from businesses.
PERSPECTIVE: The historical imperative—Why we need to forget (November 1, 2011)
Jeremy Bentham originally described the Panopticon in 1787. The concept of the Panopticon was that, at any given moment, anonymous individuals could observe others without their knowledge or consent. Bentham predicted that this inspection principle would effect “morals reformed, health preserved, industry invigorated, instruction diffused and public burdens lightened.”
CANADA—Government reintroduces PIPEDA amendment bill (November 1, 2011)
On September 29, the government of Canada reintroduced a bill that will amend the federal Personal Information Protection and Electronic Documents Act (PIPEDA). The previous attempt to amend PIPEDA—Bill C-29—died when the last Parliamentary session ended. Bill C-12, titled the Safeguarding Canadians’ Personal Information Act, contains many of the same provisions found in Bill C-29.
FRANCE—Cloud computing—CNIL launches public consultation (November 1, 2011)
The French data protection authority (CNIL) launched a consultation on cloud computing on 17 October. The CNIL is seeking contributions on the notion and the privacy rules applicable to cloud computing.
FRANCE—Letting fitness prevail over IT security: A risky choice for employees (November 1, 2011)
A company’s sales manager asked a secretary to give him access to the client database, although he was not an authorized user for this category of clients. In violation of the company’s IT policy, she let her supervisor use her passwords, and she activated the functionality, giving him access to the database. As she was eager to get to the gym, she did not want to wait for the software to upload, so she left the supervisor alone for a short time in front of her computer.
FRANCE—Website sanctioned for online publication of court decisions without considering the right to be forgotten (November 1, 2011)
An association displayed court decisions on its website without deleting the names of the parties and without taking into account their requests to object to the online disclosure of their identity.
FRANCE—Whistleblowing system suspended (November 1, 2011)
A recent decision of the Court of Appeal of Caen shows how complex it can be for a multinational group to implement a whistleblowing system globally in order to comply with SOX.
GERMANY—Further enforcement steps regarding Facebook “like” buttons (November 1, 2011)
The deadline set by the data protection authority in the northern German state of Schleswig-Holstein for the removal of social plug-ins such as the Facebook “like” button from external websites expired on 30 September, and the commissioner has already taken the first enforcement steps.
UK—ICO: Not encrypting portable devices is “inexcusable” (November 1, 2011)
The theft of unencrypted laptops and portable and mobile devices containing personal information continues to make headlines in the UK. Two organisations in the education sector—the Association of School and College Leaders and Holly Park School—have recently signed undertakings with the UK Information Commissioner’s Office (ICO) following breaches of the Data Protection Act 1998 that involved failures to encrypt sensitive and other personal information held on laptops that were later stolen.
UK—New ICO guidance on access to complaints files (November 1, 2011)
The UK Information Commissioner’s Office (ICO) recently issued guidance for organisations in the difficult area of responding to requests for access to information held in complaints files.
UK—ACAS “wake-up call” on use of social media in workplace (November 1, 2011)
UK newspapers have reported that Heathrow Airport is set to introduce privacy-friendly bodyscanners. Other systems that have been tested in UK airports produce an image in more bodily detail than many individuals feel comfortable with.
UK—ACAS “wake-up call” on use of social media in workplace (November 1, 2011)
The UK Advisory, Conciliation and Arbitration Service (ACAS) has issued practical tips for employers on how to manage the impact of social networking on performance, recruitment, discipline and grievances, bullying, defamation, data protection and privacy.
Recently on the Privacy List (November 1, 2011)
What should a company’s corporate policy for the use of personal mobile devices in the workplace include? It was this question that elicited a number of responses from privacy pros recently on the IAPP’s Privacy List.