Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Notes from the IAPP President (February 1, 2012)
Momentum might be the most used word in this monthly column. The momentum in our field continues at a dizzying pace. As I write, privacy pros everywhere are poring over the revised European Union framework on data protection, which was published today, January 25.
The 2012 privacy forecast (February 1, 2012)
Privacy and security remain in the news almost constantly. From cybersecurity issues involving global superpowers and security breaches affecting patients, consumers or employees to the debate about what privacy rights individuals have against businesses and the government, numerous issues involved in the policy debate currently affect businesses and individuals on a national and global basis.
Cloud computing under Australian privacy law (February 1, 2012)
Concerns about privacy and control over data are often cited as the major impediments to the growth of cloud computing and its wide adoption by business in Australia. It is easy to understand why! Moving to the cloud means relinquishing a degree of physical control over your IT infrastructure and relying in part on your cloud service provider to ensure that your information is kept private and secure.
European Commission investigates the independence of Hungary’s new data protection authority (February 1, 2012)
On January 17, the European Commission (EC) launched an infringement procedure against Hungary and started to investigate whether the establishment and the organisation of its new Data Protection Supervisory Authority (DPA) are in compliance with the mandatory rules of the applicable EU directive, which require the “complete independence” of data protection supervisory authorities.
German data protection authorities issue guidance on cloud computing (February 1, 2012)
It has gone almost unnoticed that at a meeting 28-29 September 2011, the German data protection authorities with responsibility for the private sector approved detailed guidance on cloud computing. Although not legally binding, the guidance expresses the view of all German authorities in this field and therefore has de facto relevance for private companies that are subject to German data protection law.
Are data breach mitigation costs cognizable damages? (February 1, 2012)
In late 2007, Hannaford Supermarkets suffered one of the nation’s largest credit and debit card breaches to date. Millions of card numbers were exposed and thousands of fraudulent charges were made. The thieves went beyond the common database attacks and installed “sniffers” that intercepted customers’ credit and debit card data in real time. Following the breach announcement, several civil cases were filed and consolidated into a class-action lawsuit adjudicated in the U.S. District Court for the District of Maine, where it was initially held that a showing of injury-in-fact was lacking for all plaintiffs except for customers who sought reimbursement for the unreimbursed fraudulent charges.
IBIA releases facial recognition guidelines (February 1, 2012)
On the heels of the Federal Trade Commission’s Roundtable on the consumer privacy implications of facial detection and recognition technology, the International Biometrics & Identification Association (IBIA) has released recommended best practices for safeguarding privacy when implementing the emerging biometric technologies.
Perspective: What DPAs need to know (February 1, 2012)
During the session “Data Protection and Defining Personal Information” at the annual Conference of Data Protection and Privacy Commissioners in Mexico City last November, one panelist asserted that privacy regulators need a better toolkit. Specifically, Prof. Charles Raab of the University of Edinburgh said regulators need to better understand probability theory, statistics and risk analysis.
CANADA—OPC guideline is measured approach to OBA (February 1, 2012)
Over the past year, issues relating to online behavioural advertising (OBA) have had the attention of privacy commissioners, data protection authorities and legislators across the globe. Many gallons of ink and hundreds of pages on the Internet have been expended by all of the relevant parties, outlining their various positions on this controversial topic.
FRANCE—The CNIL concerned about its future territorial competence (February 1, 2012)
The leaked draft regulation for the protection of personal data in the EU provides for rules governing the territorial jurisdiction of data protection authorities (DPA). The CNIL has recently expressed publicly that these rules raise concerns for several reasons.
GERMANY—DPA guidance on cloud computing (February 1, 2012)
German data protection authorities are generally concerned over data protection law compliance in the cloud. Reliable interpretations and guidelines are still missing as to if and under which preconditions personal data might be stored and processed in a cloud computing environment.
UK—ICO issues updated guidance on cookie consent (February 1, 2012)
The ICO published updated cookie guidance on 13 December, together with a press release telling website operators that they “must try harder” on compliance. The guidance is designed to assist organisations to comply with amendments to the UK's e-Privacy Regulations, which require visitors' consent to the serving of or access to website cookies.
UK—ICO offers advisory visits to organisations (February 1, 2012)
The ICO has offered to help small- to medium-sized businesses, charities, public authorities and not-for-profit organisations improve their data privacy practices by undertaking informal advisory visits. An advisory visit would take one day and look at security, records management and subject access policies and procedures.
UK—ICO identifies its priorities for 2012 (February 1, 2012)
The ICO has indicated its areas of focus for 2012. First, its Information Rights Strategy sets out how it will go about "ensuring….long term effectiveness in bringing about good information rights practice," namely by focusing on the “Five Es,” to Educate, Empower, Engage, Enable and Enforce.
UK—Court awards damages for personal injury under Data Protection Act (February 1, 2012)
An individual has successfully sued for compensation for damages under Section 13 of the Data Protection Act—in this case for distress that caused the relevant damage. Section 13 entitles data subjects to claim compensation where an organisation breaches the act causing damage or distress; however, compensation is seldom awarded in the UK.
UK “could do better” complying with new cookie laws (February 1, 2012)
The UK information commissioner has issued his “half term” report on compliance with Europe’s new cookies laws. These laws require websites to obtain consent before setting a cookie, unless that cookie is needed to provide a service requested by the user.
Huffman joins Locke Lord’s Austin office (February 1, 2012)
Bart Huffman, CIPP/US, has joined the Austin, Texas, office of Locke Lord as an intellectual property partner with an emphasis on privacy and Internet technology matters. With a background in systems engineering, Huffman has spent a significant amount of time most recently on cases involving Internet Service Providers and IP addresses, topics he says will continue to be fleshed out in the courts in the near future.
Recently on the Privacy List (February 1, 2012)
As we inch closer to finalized reforms to the EU’s data protection framework, several privacy pros discussed whether a private right of action exists in the current regime for a European data subject in a case of unauthorized use or access.
ISRAEL—New draft guidelines on use of surveillance cameras (February 1, 2012)
ILITA makes headlines again. On December 6, 2011, during a session of the Israeli parliament’s (Knesset) science committee that was dedicated to mark the international human rights day, the Israeli Law Information and Technology Authority (ILITA) announced new proposed guidelines on the use and deployment of surveillance cameras.