Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBP After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Getting your board on board (September 1, 2012)
We asked privacy pros to weigh in with their recommendations for getting board or executive-level support for privacy efforts and building strong privacy programs. Here, Norine Primeau-Menzies, CIPP/C, Chris Pahl, CIPP/G, CIPP/US, and Michael Spadea, CIPP/US, share insights they’ve gained from their work.
Privacy worries surround UN Internet regulations (September 1, 2012)
What would online privacy look like if the United Nations regulated the Internet? That's one question on the minds of privacy advocates as the International Telecommunication Union (ITU)—a UN agency based in Geneva, Switzerland, that regulates telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance.
Considering the Cloud: How healthcare organizations can navigate the techno-compliance waters and keep ePHI secure (September 1, 2012)
Healthcare in the United States has quickly undergone a significant transformation. With implementation of the HITECH Act of 2009, by the end of 2010 most office-based doctors—57 percent—were using electronic medical records. The Affordable Care Act, passed in March 2010, added another incentive to the market to adopt new technology by encouraging the creation of Accountable Care Organizations (ACO) to organize knowledge, technology and healthcare teams around the needs of the patient.
What does it take to avoid costly data breach mistakes? (September 1, 2012)
Editor’s Note: In light of recent headline-making fines from the UK Information Commissioner's Office (ICO), experts are looking at what needs to be done to keep organisations and businesses from making expensive data privacy mistakes. In Q and A format, Rohan Massey of McDermott Will & Emery UK LLP shares insights into the importance of training and compliance.
Best practices in drafting plain-language and layered privacy policies (September 1, 2012)
Young privacy pros make their way onto the scene (September 1, 2012)
Young professionals are increasingly entering the field of privacy. The IAPP asked a few of them some questions about how they got into the field, what they see as the most pressing issues and where they see their careers heading.
Experts say cybersecurity legislation bolsters need for oversight board (September 1, 2012)
When the U.S. Senate confirmed four of five Privacy and Civil Liberties Oversight Board (PCLOB) nominees in early August, the federal government moved one step closer to enacting a dormant—yet significant—agency. As the prospect of cybersecurity legislation looms on the horizon, some lawmakers, privacy experts and advocates worry that serious information-sharing mandates will become law before the necessary oversight is in place.
Workplace privacy expert sheds light on fair employer access to employee data (September 1, 2012)
Recent media stories report increases in employer requests for personal information such as social media passwords from potential or existing employees. The San Francisco Chronicle has reported on employers asking applicants for their W-2 forms; NPR recently discussed the ethics of employee background checks, and Facebook issued a statement in March “condemning employers who ask job applicants for access to their profiles on the social media site.”
Northern District of California confirms Pineda v. Williams-Sonoma applies retrospectively (September 1, 2012)
The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a ZIP code; i.e., retailers cannot ask for ZIP codes during credit card transactions.
Text "STOP" to prevent unwanted lawsuits (September 1, 2012)
In March of this year, Taco Bell Corp. joined the ranks of companies that have been sued under the Telephone Consumer Protection Act (TCPA), not for sending an unsolicited text message to a consumer in the first instance but for sending a confirmatory message when a consumer chose to opt out of receiving future messages. Recently, the federal district court in Ibey v. Taco Bell Corp., 12-cv-0583 (HVG) (S.D. Cal. June 18, 2012), concluded “that the TCPA does not impose liability for a single, confirmatory text message.”
Watch out for data privacy: A primer on risks (September 1, 2012)
This article will focus on data privacy compliance. Any time a business collects, stores or shares information about consumers, data privacy questions must be asked and answered.
Amidst fledgling smart grid safeguards, utilities self-regulate and an expert offers a how-to (September 1, 2012)
The smart grid—which has seen major investments from governments including the U.S., UK, Canada, Australia, New Zealand, parts of Asia, Denmark and the Netherlands, among others—will communicate with smart meters on a household’s electrical use down to the appliance level. Consumers will be able to fine-tune their energy consumption to get the best rates, and utilities will be able to more effectively manage power distribution and identify and resolve problems remotely.
Connecticut amends data breach notification law (September 1, 2012)
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law (Conn. Gen. Stat. § 36a-701b). The amended law will take effect on October 1.
IAPP Board Member Jim Byrne, CIPP/US, CIPP/G, CIPP/IT, appointed to DHS Privacy Advisory Board (September 1, 2012)
Jim Byrne, CIPP/US, CIPP/G, CIPP/IT, Lockheed Martin Corporation’s chief privacy officer and associate general counsel, has been appointed to the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (DPIAC). The appointment as a special government employee was made on May 11 by DHS Secretary Janet Napolitano.
Emma Butler joins Ernst & Young (September 1, 2012)
Emma Butler, formerly with the UK’s Information Commissioner’s Office (ICO), has joined the Ernst & Young (E&Y) privacy practice.
Luis Salazar opens new law firm (September 1, 2012)
Luis Salazar, CIPP/US, has left Infante, Zumpano, Hudson and Miloch, LLC, to establish his own law firm.
WatchDox, Ponemon study highlights document security concerns (September 1, 2012)
WatchDox, a provider of secure access and collaboration solutions, has announced the results of the Ponemon Institute’s 2012 Confidential Documents at Risk Study whitepaper, which focuses on security threats associated with inadequate management of confidential business information contained in files such as spreadsheets, presentations and documents and identifies best practices for achieving stronger document-centric security.
BELGIUM—Belgian DPA clarifies policy on workplace cyber-surveillance (September 1, 2012)
On May 2, the Belgian Data Protection Authority (DPA) issued its long-awaited recommendation on cyber-surveillance in the workplace (Recommendation nr. 08/2012). This nonbinding recommendation strives to clarify the Belgian rules governing access to the content of electronic communications at work, among other things.
CANADA—Court rules on mortgage disclosure in Royal Bank v. Trang (September 1, 2012)
There are many circumstances in which organizations are requested or required to disclose personal information (PI) of their customers to others. Consent is usually required for such disclosures; however, privacy law generally makes allowance for disclosures without consent in clearly spelled-out circumstances; e.g., for the purpose of collecting a debt owed by the individual to the organization or when required to comply with a subpoena or warrant issued or an order made by a court.
FRANCE—First public warning for security breach in banking sector (September 1, 2012)
On June 21, the French Data Protection Authority (the CNIL) issued a public "blame" against the affiliate of a financial services group, operating as the group's IT service provider, for making available to all employees of the group documents about some of the bank's customers and their transactions. The documents were posted on shared folders and included information covered by bank secrecy, such as bank account details, credit card numbers, income and tax information. Access was made possible over a period of two years.
GERMANY—Data protection law breaches as unfair commercial practice (September 1, 2012)
Recently, there have been two contradictory judgments by German courts in relation to whether companies can issue warning letters under the Act Against Unfair Competition because of data protection breaches by a competitor. According to statutory law, this would only be possible if one considers the data protection rules as statutory provisions that are also intended to regulate market behaviour in the interest of market participants.
HUNGARY—DPA imposes maximum fine (September 1, 2012)
The Hungarian Data Protection Authority (DPA) has imposed a fine of HUF 10,000,000 (approximately €35,700) on an online real estate marketplace as a result of its unauthorised data processing activities. This is the first time the Hungarian regulator has imposed the maximum fine under Hungary’s new Privacy Act, which took effect on 1 January.
UK—ICO releases annual report, IT security guide and PIA questionnaire (September 1, 2012)
The annual report of the Information Commissioner's Office (ICO) was launched on Thursday 5 July. The report shows at a glance what the ICO has been doing over the 12 months to 31 March. Announcing the release of the report, the information commissioner took the opportunity to highlight the fact that the ICO has "bared its teeth" with the imposition of 10 civil monetary penalties, totaling £861,000, during the last financial year.