Global Privacy Dispatches
POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued towards Google, Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation discovered they had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
DPC Billy Hawkes on the right to be forgotten (July 1, 2012)
The provision within the European Commission’s draft data protection framework outlining “the right to be forgotten and to erasure” has both regulators and stakeholders asking whether it is viable. The draft framework states it would grant data subjects the right to withdraw their consent for their personal data to be collected or processed, except in cases where the collection and processing is necessary for “historical, statistical and scientific research purposes, for reasons of public interest in the area of public health, for exercising the right of freedom of expression, when required by law, or where there is a reason to restrict the processing of the data instead of erasing them.” The Privacy Advisor recently chatted with Irish Data Protection Commissioner Billy Hawkes, a member of the Article 29 Working Party, to ask for his perspective on the draft regulation’s provision.
A Q&A with Hong Kong Privacy Commissioner for Personal Data Allan Chiang (July 1, 2012)
In the past year alone, Hong Kong Privacy Commissioner for Personal Data Allan Chiang’s office has received nearly 1,500 complaint cases. In this exclusive for The Privacy Advisor, Chiang offers insight into the work of his office, the types of complaints received and the importance of enforcers having the ability to impose sanctions in the event of a breach.
Think locally, act globally (July 1, 2012)
Data protection authorities from around the globe meet in Montreal to discuss enforcement co-operation
Smart grid technology: Privacy and data security issues (July 1, 2012)
The adoption of smart grid technology into sustainable building property management strategy requires meaningful planning for the secure treatment of captured enriched data. Captured enriched data is consumer electricity use information that may also include proprietary business information related to a business’s energy consumption. The problem is that this data could be a target for unauthorized exploitation by marketers and other third parties and for data breaches by criminals.
Right to privacy: Risks to children on the Internet (July 1, 2012)
If there is any one area of privacy that all members of the IAPP can agree is important, it must be the privacy of our children. As use of the Internet has become widespread and ubiquitous even to the youngest, the privacy of children has greatly diminished. Their information, images, actions, friendships and very lives have gone online, with little regard for the risks involved.
Everything Old Is New Again (July 1, 2012)
Over the last several years, there has been ever-increasing interest in finding an all-encompassing solution to the pervasive issue of managing online privacy. Concepts including "Privacy by Design" and prescriptions like the NAI's "Opt Out of Behavioral Advertising" are the latest attempts to address concerns about online privacy and thereby forestall the implementation of new regulatory regimes that could preclude information collection and the use of such advertising to address consumers' interests and needs more effectively and efficiently.
Vermont updates data breach notification law (July 1, 2012)
Effective as of May 8, Vermont’s updated data breach law (Act 109) brings along several changes. The biggest change is in the notification requirements. Notification to consumers must now occur no later than 45 days after discovery of the incident and must include the approximate date of the security breach, if known.
How to save $10 million (July 1, 2012)
Express consent campaigns have been touted as the silver bullet for the consent framework under Canada’s Anti-Spam Law. However, gaining express consent has its own set of challenges. What are the questions organizations need to ask before seeking consent?
People in privacy: New privacy pros (July 1, 2012)
In the April edition of The Privacy Advisor, we introduced “People in privacy: The new privacy pros.” This series-in-the-making looks at the privacy profession’s evolution and its resulting generation of privacy professionals. This month we feature K Royal and Chris Brannigan, CIPP/G, CIPP/US.
AUSTRALIA & EU—Australian privacy law reform: A step closer to EU adequacy (July 1, 2012)
Australia’s Privacy Act 1988 governs the federal privacy regime in Australia, along with other legislation relating to telecommunications, healthcare, government data-matching and criminal records. Each state and territory in Australia also regulates its government agencies by way of separate legislation—apart from the Australian Capital Territory, which is covered by the federal laws. The Privacy Act is overseen by the Office of the Australian Information Commissioner, which is also responsible for freedom of information and information policy issues.
CANADA—Court of Appeal issues decision (July 1, 2012)
In a highly anticipated case, the Court of Appeal of Alberta issued its decision in United Food and Commercial Workers, Local 401 v Alberta (Attorney General) on April 30. This case involved videotaping and the taking of photographs by the United Food and Commercial Workers Union at a picket line during a strike.
CZECH REPUBLIC—Czech data retention law legislative process moving forward (July 1, 2012)
The legislative process that should reintroduce the Data Retention Directive to Czech law to replace the old law that was struck down by the Constitutional Court is ongoing. On 27 February, the government proposed an act amending the Act No. 127/2005 Coll., the Electronic Communications Act and some other acts. The proposal has already passed two readings in the Chamber of Deputies.
ITALY—Garante approves authorization request (July 1, 2012)
The Italian Data Protection Authority (Garante) has recently approved a request for authorization, filed by means of a prior checking procedure by a phone company that asked to be allowed to enrich its database containing personal data of its customers without the prior consent of the persons concerned.
ITALY—Government approves decree, Garante publishes guide (July 1, 2012)
The government has approved a legislative decree that finally implements the EU Cookies and Data Breach Notification Directive. The opt-in regime has been introduced as a mandatory rule. The data breach notification obligation is for now mandatory in the telecom and Internet service provider market only.
POLAND—New proposal on implementation of a “cookie” rule in Poland (July 1, 2012)
The Ministry of Administration and Digitalization published a draft law of 5 June 2 amending the Telecommunications Act and other acts, which, in Article 173, proposes a new wording for implementation of Article 5(3) of the so-called amended e-Privacy Directive in Poland.
UK—ICO invites responses on draft Anonymisation Code of Practice (July 1, 2012)
The Information Commissioner’s Office (ICO) has published a draft Anonymisation Code of Practice for consultation. The consultation period runs until 23 August, and the aim is to publish the final code in September. The consultation document sets out the questions that organisations and members of the public are invited to respond to.
UK—ICO issues updated guidance on cookie consent (July 1, 2012)
UK—ICO writes to Google Street View (July 1, 2012)
Following a review of the findings of a report published by the U.S. Federal Communications Commission in April, the ICO has concluded that it seems likely that Google deliberately captured a wide range of personal data and some sensitive personal data during the Google Street View operations conducted in the UK.
Becky Burr, CIPP/US, named Neustar CPO (July 1, 2012)
Neustar has announced the selection of J. Beckwith “Becky” Burr, CIPP/US, as its chief privacy officer and deputy general counsel, ensuring that the company maintains state-of-the-art privacy practices to protect customer and consumer information.
Researcher to study privacy as a collective good (July 1, 2012)
Washington and Lee University School of Law Prof. Josh Fairfield has received a Fulbright Grant to explore the American and European models of privacy, which Fairfield says are fundamentally different, and whether privacy may be looked at as more of a collective good--like the environment, for example.
ID Experts RADAR wins Health Privacy Summit award (July 1, 2012)
ID Experts’ RADAR—Risk Assessment Documentation and Reporting—has been named one of "The Best Privacy Technologies of 2012." The award was presented at the Second Annual International Summit on the Future of Health Privacy, held recently in Washington, DC, where leading health privacy experts gathered to discuss issues facing the industry and affecting patients.
Allen & Overy launches app to assist with access requests (July 1, 2012)
Allen & Overy recently launched its new app, Access Assist, to help businesses deal with requests for access to personal data held on employees, customers and others. Access Assist is a free Q&A-based tool for the iPad that is supported by targeted summaries of applicable law, legislation case law and guidance.