Privacy Advisor

Global Privacy Dispatches

POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued towards Google, Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation discovered they had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
Notes from the IAPP President (March 1, 2012)
With much fanfare, the Obama administration released its proposed blueprint for consumer privacy last week. It was a profound moment; I was in the Eisenhower Room to witness it. Since then, reaction has rung far and wide, with some lauding it and others predicting its failure.
Five considerations before publicizing privacy policy updates (March 1, 2012)
Changes in the law, in practices of your industry or to your business’s or vendor’s data collection or use practices may trigger a need to update your privacy policy. We recommend that you think about the following five considerations when making changes to your privacy policy. These considerations should help you educate your users; be transparent and accurate in disclosing your practices, and steer clear of regulatory scrutiny.
Data privacy in the cloud—A dozen myths and facts (March 1, 2012)
While users increasingly embrace cloud computing, data privacy advocates, regulators and lawyers not so much. Critics increasingly raise concerns due to perceived risks for privacy and security of personal data. To them, cloud computing means primarily that users transfer data to faraway systems that they do not understand, own or control.
Obama administration and Congress step up efforts to protect against cyber threats (March 1, 2012)
After years of discussion and several false starts, 2012 is shaping up to be the year that national cybersecurity legislation may become a reality in the U.S. Several recent proposals from the White House and both houses of Congress have revealed a sense of urgency and strong bipartisan support for strengthening the nation’s private and public infrastructure from cyber attack. The parameters of any final legislation, however, remain very much in debate.
Legal analysis of the new proposed EU regulation on data protection (March 1, 2012)
In the new proposed regulation on EU data protection law, there are many important provisions. Most of them are necessary to address the future challenges of data protection in the Internet environment. The principles of effectiveness; i.e., stronger powers to DPAs, PIAs, mandatory appointment of DPOs, the principles of privacy by design and by default; accountability, and transparency are the founding stones on which the new proposed regulation was built.
Facial recognition technology: Should faceprints be considered personally identifiable information? (March 1, 2012)
A little more than two decades ago, the idea that technology could be capable of recognizing an individual’s face was merely the stuff of science fiction. Yet, at the dawn of a new decade, facial recognition technology has not only become a reality, it is becoming commonplace—from security surveillance to social media photo tagging.
Elevating data privacy within governments (March 1, 2012)
During remarks at an event in Mexico City in November, the Organisation for Economic Co-operation and Development’s (OECD) director of science, technology and industry, Andrew Wyckoff, said the matter of data privacy needs to be elevated within governments. The Privacy Advisor caught up with Mr. Wyckoff to ask some follow-up questions.
Getting to know a privacy pro (March 1, 2012)
The Assistant General Counsel and Director of Data Privacy at Xcel Energy talks privacy, smart meters and New Year’s resolutions.
CANADA—Bill would require TSPs to facilitate lawful interception (March 1, 2012)
On February 14, the government of Canada introduced a bill in the House of Commons that, if passed, will require telecommunications service providers (TSPs) to implement capabilities to facilitate lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers.
FRANCE—CCTV systems diverted by employers (March 1, 2012)
In two recent decisions, employers have been reminded of the limits of the use of CCTV systems in the workplace.
FRANCE—European regulation proposal under review at Parliament (March 1, 2012)
On February 7, the Commission of European Affairs of the National Assembly—House of the Parliament elected by the French people—adopted a draft resolution in reaction to the proposal for European regulation on the protection of personal data. It welcomes the objectives of modernization, harmonization and simplification of the draft European regulation and the stress put on greater accountability of data controllers.
FRANCE—Unlawful e-marketing campaign (March 1, 2012)
The real estate sector has once again caught the attention of the CNIL for questionable privacy practices. A company had been sending text messages to numerous private property owners, without their consent, in order to offer its real estate analysis services. Several owners filed a complaint with the CNIL after having been unable to unsubscribe several times.
GERMANY—Model consent and release from professional secrecy for the insurance industry (March 1, 2012)
The Duesseldorfer Kreis, an informal association of the German data protection supervisory authorities, and the German Insurance Association (GDV) have published an official model consent and release from professional secrecy declaration for insurance companies. Such a declaration is required whenever personal health data relating to an insured person or an applicant shall be collected from third parties like hospitals and physicians, which is normally done for purposes of risk assessment or verification of liability.
ITALY—Simplification interim law decree impact on DPS (March 1, 2012)
On January 27, the interim law decree on urgent measures on simplification and development, known as the “Simplification package,” was adopted by the Italian government. It provides for further amendments toward the Legislative Decree of June 30, 2003, n. 196--the Personal Data Protection Code. This is the third change in the data protection legislation passed in the last 12 months in Italy.
POLAND—Reform of Polish data protection law (March 1, 2012)
The amended provisions of the Polish Data Protection Act of 29th August 1997 entered into force on 1 January. These reforms were necessitated by the enactment of new rules governing the exchange of information between the law enforcement authorities of EU member states.
Government agencies given tools for assessing third-party websites (March 1, 2012)
Grant helps professors create data-masking technology to ease tension between research needs and privacy laws (March 1, 2012)
Medical researchers often contend with a competing requirement when it comes to progress: protecting privacy. Under the Health Insurance Portability and Accountability Act (HIPAA), healthcare providers, health insurers and healthcare clearinghouses often have to obtain additional documentation before disclosing health information to outside parties, making researchers’ data collection practices cumbersome.
Marketing and healthcare sectors developing mobile device guidance (March 1, 2012)
With the increased use of mobile devices, parts of both the healthcare and marketing sectors are offering ways to increase user awareness of the privacy and security of personal information by offering best practice guidance and recommendations for user-friendly language in policy statements.