Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
Maryland AG discusses “Privacy in the Digital Age” (June 27, 2012)
The National Association of Attorneys General (NAAG) recently elected Maryland Attorney General Doug Gansler as its president. As the organization’s initiative for the year, Gansler has selected “Privacy in the Digital Age,” which he says is “of concern to everybody” and at the height of public discussion.
“I think they mean it.” The new medical records privacy law in Texas (June 1, 2012)
Revisions to the Texas Medical Records Privacy statute, which take effect on Sept. 1, expand existing requirements for those who have access to medical information pertaining to others. House Bill 300 (HB 300) provides that covered entities, as defined in the statute, must comply with expanded responsibilities pertaining to health information. The act imposes upon these covered entities additional duties beyond those that are dictated by the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Experts question whether the EC’s “Right To Be Forgotten” has forgotten a few key points (June 1, 2012)
Within the European Commission’s draft data protection framework is a provision for “the right to be forgotten and to erasure.” The provision’s concept isn’t entirely new to member states. Article 12 within the 1995 Data Protection Directive allows for the right to erasure. But where Article 12 grants data subjects rights to request that data controllers correct or erase data concerning them and to lodge a complaint to the supervisory authority, among others, the new proposal would allow data subjects to ask the data controller to delete their data and cease disseminating, even if consent was at one time given.
Online piracy eradication efforts spark privacy concerns (June 1, 2012)
Protests against the alphabet soup of competing anti-piracy and cybersecurity information-sharing bills—ACTA, CISPA, PIPA, SOPA—highlight the difficulty of balancing intellectual property protection and Internet freedom
Privacy considerations for successful navigation into the federal cloud space (June 1, 2012)
As the nation’s first federal chief information officer (CIO), Vivek Kundra published a “25 Point Implementation Plan To Reform Information Technology Management.” This plan’s overarching goal was to deliver more value to the American public with regard to IT spending.
Check: Are you ready for social media? (June 1, 2012)
Social media brings opportunities and risks. Companies have to prepare and position themselves. This article summarizes a few key considerations from different angles for a checkup on your company’s social media readiness.
Will Supreme Court Ruling In Pilot Case Apply to Other “Harm” Cases? (June 1, 2012)
Plaintiffs are increasingly filing privacy lawsuits that allege harm and seek compensation. But to date, courts have grappled with discrepancies between plaintiffs’ “harm” claims and the scope of the law—particularly when the harm can’t be qualified, such as in cases of emotional distress or humiliation, leaving many plaintiffs empty-handed when the judge strikes the gavel.
CANADA—The new paradigm: accountability (June 1, 2012)
The global privacy landscape is experiencing its largest shift since the implementation of the European Union’s adoption of Directive 95/46/EC in 1995. The directive was foundational in establishing a privacy regime in Europe, with a global ripple effect for countries wishing to transfer data to and from the EU; examples include the enactment of the Personal Information Protection and Electronic Documents Act in Canada and negotiations between the U.S. and the EU resulting in the Safe Harbor agreement.
EU—Article 29 Working Party publishes biometrics opinions (June 1, 2012)
On March 22 and April 27, the Article 29 Working Party published two opinions on biometrics, one relating to facial recognition in online and mobile services (Opinion on Facial Recognition) and a second on developments in biometric technology (Opinion on Biometrics). Both opinions build on the Working Party’s Working Document on Biometrics and seek to provide greater guidance to authorities, the biometrics industry and users alike.
FRANCE—Implementation decree on data breaches (June 1, 2012)
Six months after the adoption of the ordinance implementing the 2009 e-privacy Directive in August 2011, the implementation decree has finally been adopted.
FRANCE—2012: Increase of CNIL investigations to come (June 1, 2012)
Video surveillance, the healthcare sector, smartphones, sports, data security, large data files—police, highways, gas, electricity—these are the targets selected this year by the French data protection authority (CNIL) as justifying specific attention in its enforcement programme.
GERMANY—Regional Court of Berlin on expiry date of consent (June 1, 2012)
In its judgement of 9 December 2011, the Regional Court of Berlin (Case No. 15 O 343/11) had to decide on the permissibility of a certain e-mail advertising campaign. While after several decisions by the Federal Court of Justice, it is settled case law that an opt-in is generally required for e-mail marketing measures and that such an opt-in must be “separate” in the sense that it may not extend to other marketing forms such as telephone calls or telefax messages, the Berlin judges were, in this case, also called to rule upon the questions whether the consent was specific enough and whether it was still valid.
ISRAEL—Proposed guide on workplace privacy (May 31, 2012)
The Israeli Law Information and Technology Authority (ILITA) has published a consultation draft guide on protecting personal information in workplace environments. The purpose of the proposed guide is to reflect ILITA's view of the principles applicable to the right of privacy in personal information that employers store and process and recommend adequate practices to implement these principles.
UK—ICO grace period for compliance with new cookie rules comes to an end (May 31, 2012)
The new EU rules on cookies came into force in the UK on 26 May 2011, but the Information Commissioner’s Office (ICO) indicated that it would implement a grace period of one year to allow businesses to comply. The 12-month grace period will expire this month, and it seems likely that some businesses will still be caught out.
UK—ICO issues monetary penalty to a Welsh health board (May 31, 2012)
The Information Commissioner’s Office (ICO) has issued a monetary penalty of £70,000 to a Welsh health board following an incident in March last year in which a patient's health details ended up in the wrong hands.
Company offers two EU compliance management tools (May 31, 2012)
As businesses and organizations prepare for upcoming reforms to the EU data protection framework and potential enforcement of the ePrivacy Directive in the UK, TRUSTe has announced it is offering a suite of tools to help manage these new compliance obligations.
Collaboration produces universal privacy tool for cookie compliance (May 31, 2012)
With cookie enforcement on the horizon in the UK and eventually throughout Europe, two companies have teamed up to provide website owners with a way to achieve cookie compliance while providing users with a consent tool to transmit tracking preferences.
Seeking members’ input (May 31, 2012)
Your answers to seven brief questions will help the IAPP tailor its content offerings.