Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Notes from the IAPP President (February 1, 2012)
Momentum might be the most used word in this monthly column. The momentum in our field continues at a dizzying pace. As I write, privacy pros everywhere are poring over the revised European Union framework on data protection, which was published today, January 25.
The 2012 privacy forecast (February 1, 2012)
Privacy and security remain in the news almost constantly. From cybersecurity issues involving global superpowers and security breaches affecting patients, consumers or employees to the debate about what privacy rights individuals have against businesses and the government, numerous issues involved in the policy debate currently affect businesses and individuals on a national and global basis.
Cloud computing under Australian privacy law (February 1, 2012)
Concerns about privacy and control over data are often cited as the major impediments to the growth of cloud computing and its wide adoption by business in Australia. It is easy to understand why! Moving to the cloud means relinquishing a degree of physical control over your IT infrastructure and relying in part on your cloud service provider to ensure that your information is kept private and secure.
European Commission investigates the independence of Hungary’s new data protection authority (February 1, 2012)
On January 17, the European Commission (EC) launched an infringement procedure against Hungary and started to investigate whether the establishment and the organisation of its new Data Protection Supervisory Authority (DPA) is in compliance with the mandatory rules of the applicable EU directive which require the “complete independence” of data protection supervisory authorities.
German data protection authorities issue guidance on cloud computing (February 1, 2012)
It has gone almost unnoticed that at a meeting 28-29 September 2011, the German data protection authorities with responsibility for the private sector approved detailed guidance on cloud computing. Although not legally binding, the guidance expresses the view of all German authorities in this field and therefore has de facto relevance for private companies that are subject to German data protection law.
Israeli privacy update: Landmark case establishes guidelines for monitoring employee online activity (February 1, 2012)
Employee e-mail use policies usually grant employers wide-ranging powers to monitor and review employees' Internet usage and e-mail correspondence. According to a recent major decision by the Israeli National Labor Court, however, this situation is likely to dramatically change, and generic, sweeping or vague Internet use policies of employers will no longer be allowed.
Are data breach mitigation costs cognizable damages? (February 1, 2012)
In late 2007, Hannaford Supermarkets suffered one of the nation’s largest credit and debit card breaches to date. Millions of card numbers were exposed and thousands of fraudulent charges were made. The thieves went beyond the common database attacks and installed “sniffers” that intercepted customers’ credit and debit card data in real time. Following the breach announcement, several civil cases were filed and consolidated into a class-action lawsuit adjudicated in the U.S. District Court for the District of Maine, where it was initially held that a showing of injury-in-fact was lacking for all plaintiffs except for customers who sought reimbursement for the unreimbursed fraudulent charges.
IBIA releases facial recognition guidelines (February 1, 2012)
On the heels of the Federal Trade Commission’s Roundtable on the consumer privacy implications of facial detection and recognition technology, the International Biometrics & Identification Association (IBIA) has released recommended best practices for safeguarding privacy when implementing the emerging biometric technologies.
Perspective: What DPAs need to know (February 1, 2012)
During the session “Data Protection and Defining Personal Information” at the annual Conference of Data Protection and Privacy Commissioners in Mexico City last November, one panelist asserted that privacy regulators need a better toolkit. Specifically, Prof. Charles Raab of the University of Edinburgh said regulators need to better understand probability theory, statistics and risk analysis.
CANADA—OPC guideline is measured approach to OBA (February 1, 2012)
Over the past year, issues relating to online behavioural advertising (OBA) have had the attention of privacy commissioners, data protection authorities and legislators across the globe. Many gallons of ink and hundreds of pages on the Internet have been expended by all of the relevant parties, outlining their various positions on this controversial topic.
FRANCE—The CNIL concerned about its future territorial competence (February 1, 2012)
The leaked draft regulation for the protection of personal data in the EU provides for rules governing the territorial jurisdiction of data protection authorities (DPA). The CNIL has recently expressed publicly that these rules raise concerns for several reasons.
GERMANY—DPA guidance on cloud computing (February 1, 2012)
German data protection authorities are generally concerned over data protection law compliance in the cloud. Reliable interpretations and guidelines are still missing as to if and under which preconditions personal data might be stored and processed in a cloud computing environment.
ISRAEL—New guidelines for outsourcing the processing of personal information (February 1, 2012)
The Israeli Law Information and Technology Authority (ILITA) has published new guidelines on privacy principles related to the processing of personal information by outsourcing entities.
UK—ICO issues updated guidance on cookie consent (February 1, 2012)
The ICO published updated cookie guidance on 13 December, together with a press release telling website operators that they “must try harder” on compliance. The guidance is designed to assist organisations to comply with amendments to the UK's e-Privacy Regulations, which require visitors' consent to the serving of or access to website cookies.
UK—ICO offers advisory visits to organisations (February 1, 2012)
The ICO has offered to help small- to medium-sized businesses, charities, public authorities and not-for-profit organisations improve their data privacy practices by undertaking informal advisory visits. An advisory visit would take one day and look at security, records management and subject access policies and procedures.
UK—ICO identifies its priorities for 2012 (February 1, 2012)
The ICO has indicated its areas of focus for 2012. First, its Information Rights Strategy sets out how it will go about "ensuring….long term effectiveness in bringing about good information rights practice," namely by focusing on the “Five Es,” to Educate, Empower, Engage, Enable and Enforce.
UK—Court awards damages for personal injury under Data Protection Act (February 1, 2012)
An individual has successfully sued for compensation for damages under Section 13 of the Data Protection Act—in this case for distress that caused the relevant damage. Section 13 entitles data subjects to claim compensation where an organisation breaches the act causing damage or distress; however, compensation is seldom awarded in the UK.
Sedona Conference issues principles for addressing the preservation and discovery of protected data in U.S. litigation (February 1, 2012)
Multinational companies based in the United States (or with significant operations in the United States) may be subject both to the civil procedure discovery rules of the United States as well as the privacy laws of the European Union and other countries in which they operate. Complying with these potentially conflicting bodies of law may pose difficult challenges for such companies.
UK “could do better” complying with new cookie laws (February 1, 2012)
The UK information commissioner has issued his “half term” report on compliance with Europe’s new cookies laws. These laws require websites to obtain consent before setting a cookie, unless that cookie is needed to provide a service requested by the user.
Huffman joins Locke Lord’s Austin office (February 1, 2012)
Bart Huffman, CIPP/US, has joined the Austin, Texas, office of Locke Lord as an intellectual property partner with an emphasis on privacy and Internet technology matters. With a background in systems engineering, Huffman has spent a significant amount of time most recently on cases involving Internet Service Providers and IP addresses, topics he says will continue to be fleshed out in the courts in the near future.
Recently on the Privacy List (February 1, 2012)
As we inch closer to finalized reforms to the EU’s data protection framework, several privacy pros discussed whether a private right of action exists in the current regime for a European data subject in a case of unauthorized use or access.
ISRAEL—New draft guidelines on use of surveillance cameras (February 1, 2012)
ILITA makes headlines again. On December 6, 2011, during a session of the Israeli parliament’s (Knesset) science committee that was dedicated to mark the international human rights day, the Israeli Law Information and Technology Authority (ILITA) announced new proposed guidelines on the use and deployment of surveillance cameras.
Mass. Court: ZIP Code is personal identification info under credit card statute but plaintiff must still allege harm—Tyler v. Michaels Stores (February 1, 2012)
Last year, the California Supreme Court held that a ZIP Code is personal identification information for purposes of a statute that restricted the type of information a retailer could collect. A federal court in Massachusetts recently construed a similar Massachusetts statute to reach the same conclusion, albeit for different reasons.