Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
Getting your board on board (September 1, 2012)
We asked privacy pros to weigh in with their recommendations for getting board or executive-level support for privacy efforts and building strong privacy programs. Here, Norine Primeau-Menzies, CIPP/C, Chris Pahl, CIPP/G, CIPP/US, and Michael Spadea, CIPP/US, share insights they’ve gained from their work.
Privacy worries surround UN Internet regulations (September 1, 2012)
What would online privacy look like if the United Nations regulated the Internet? That's one question on the minds of privacy advocates as the International Telecommunication Union (ITU)—a UN agency based in Geneva, Switzerland, that regulates telecommunications and IT issues—approaches the task of helping the UN decide if it should exert more control over Internet governance.
Considering the Cloud: How healthcare organizations can navigate the techno-compliance waters and keep ePHI secure (September 1, 2012)
Healthcare in the United States has quickly undergone a significant transformation. With implementation of the HITECH Act of 2009, by the end of 2010 most office-based doctors—57 percent—were using electronic medical records. The Affordable Care Act, passed in March 2010, added another incentive to the market to adopt new technology by encouraging the creation of Accountable Care Organizations (ACO) to organize knowledge, technology and healthcare teams around the needs of the patient.
What does it take to avoid costly data breach mistakes? (September 1, 2012)
Editor’s Note: In light of recent headline-making fines from the UK Information Commissioner's Office (ICO), experts are looking at what needs to be done to keep organisations and businesses from making expensive data privacy mistakes. In Q and A format, Rohan Massey of McDermott Will & Emery UK LLP shares insights into the importance of training and compliance.
Best practices in drafting plain-language and layered privacy policies (September 1, 2012)
Privacy policies have become long legal documents that most attorneys, let alone the average consumer, have difficulty understanding. They are meant to provide notice to individuals about data collection, use and disclosure policies. However, they are often complicated, long, unintelligible and, as a result, rarely read by the average consumer. It is important to change this reality. Below are a few best practices in drafting plain-language and multi-layered privacy policies that should help reverse this trend and help the average consumer read and understand your privacy policy.
Young privacy pros make their way onto the scene (September 1, 2012)
Young professionals are increasingly entering the field of privacy. The IAPP asked a few of them some questions about how they got into the field, what they see as the most pressing issues and where they see their careers heading.
Experts say cybersecurity legislation bolsters need for oversight board (September 1, 2012)
When the U.S. Senate confirmed four of five Privacy and Civil Liberties Oversight Board (PCLOB) nominees in early August, the federal government moved one step closer to enacting a dormant—yet significant—agency. As the prospect of cybersecurity legislation looms on the horizon, some lawmakers, privacy experts and advocates worry that serious information-sharing mandates will become law before the necessary oversight is in place.
Workplace privacy expert sheds light on fair employer access to employee data (September 1, 2012)
Recent media stories report increases in employer requests for personal information such as social media passwords from potential or existing employees. The San Francisco Chronicle has reported on employers asking applicants for their W-2 forms; NPR recently discussed the ethics of employee background checks, and Facebook issued a statement in March “condemning employers who ask job applicants for access to their profiles on the social media site.”
Northern District of California confirms Pineda v. Williams-Sonoma applies retrospectively (September 1, 2012)
The Song-Beverly Act is a California statute that prohibits retailers from requesting personal identification information in connection with credit card transactions. In Pineda v. Williams-Sonoma, the California Supreme Court held that the definition of personal information includes a ZIP code; i.e., retailers cannot ask for ZIP codes during credit card transactions.
Text "STOP" to prevent unwanted lawsuits (September 1, 2012)
In March of this year, Taco Bell Corp. joined the ranks of companies that have been sued under the Telephone Consumer Protection Act (TCPA), not for sending an unsolicited text message to a consumer in the first instance but for sending a confirmatory message when a consumer chose to opt out of receiving future messages. Recently, the federal district court in Ibey v. Taco Bell Corp., 12-cv-0583 (HVG) (S.D. Cal. June 18, 2012), concluded “that the TCPA does not impose liability for a single, confirmatory text message.”
Watch out for data privacy: A primer on risks (September 1, 2012)
This article will focus on data privacy compliance. Any time a business collects, stores or shares information about consumers, data privacy questions must be asked and answered.
Amidst fledgling smart grid safeguards, utilities self-regulate and an expert offers a how-to (September 1, 2012)
The smart grid—which has seen major investments from governments including the U.S., UK, Canada, Australia, New Zealand, parts of Asia, Denmark and the Netherlands, among others—will communicate with smart meters on a household’s electrical use down to the appliance level. Consumers will be able to fine-tune their energy consumption to get the best rates, and utilities will be able to more effectively manage power distribution and identify and resolve problems remotely.
Connecticut amends data breach notification law (September 1, 2012)
On the heels of Vermont’s recent amendment to its data breach notification law, Connecticut’s legislature recently amended its own data breach notification law (Conn. Gen. Stat. § 36a-701b). The amended law will take effect on October 1.
IAPP Board Member Jim Byrne, CIPP/US, CIPP/G, CIPP/IT, appointed to DHS Privacy Advisory Board (September 1, 2012)
Jim Byrne, CIPP/US, CIPP/G, CIPP/IT, Lockheed Martin Corporation’s chief privacy officer and associate general counsel, has been appointed to the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee (DPIAC). The appointment as a special government employee was made on May 11 by DHS Secretary Janet Napolitano.
Hunton & Williams Centre for Information Policy Leadership launches global analytics project (September 1, 2012)
The Centre for Information Policy Leadership at Hunton & Williams LLP has announced the launch of a pan-industry initiative to highlight the benefits and address the risks raised by analytics in the age of Big Data by developing voluntary guidelines for their responsible use by organizations.
Christopher Kuner joins Wilson Sonsini Goodrich & Rosati (September 1, 2012)
Wilson Sonsini Goodrich & Rosati recently announced the addition of Christopher Kuner as a senior of counsel at the firm to be based in its Brussels, Belgium, office.
Christopher Cwalina, CIPP/US, joins Holland & Knight to lead new Data Privacy and Security Team (September 1, 2012)
Holland & Knight has announced the addition of Christopher G. Cwalina, CIPP/US, to its Public Policy & Regulation Practice Group to co-chair the firm’s newly created Data Privacy and Security Team with Steven B. Roosa.
Emma Butler joins Ernst & Young (September 1, 2012)
Emma Butler, formerly with the UK’s Information Commissioner’s Office (ICO), has joined the Ernst & Young (E&Y) privacy practice.
Luis Salazar opens new law firm (September 1, 2012)
Luis Salazar, CIPP/US, has left Infante, Zumpano, Hudson and Miloch, LLC, to establish his own law firm.
CSR announces two additional staff earn CIPP designations (September 1, 2012)
Compliance Solutions and Resources (CSR) has announced the addition of two new CIPP staff members.
WatchDox, Ponemon study highlights document security concerns (September 1, 2012)
WatchDox, a provider of secure access and collaboration solutions, has announced the results of the Ponemon Institute’s 2012 Confidential Documents at Risk Study whitepaper, which focuses on security threats associated with inadequate management of confidential business information contained in files such as spreadsheets, presentations and documents and identifies best practices for achieving stronger document-centric security.
BELGIUM—Belgian DPA clarifies policy on workplace cyber-surveillance (September 1, 2012)
On May 2, the Belgian Data Protection Authority (DPA) issued its long-awaited recommendation on cyber-surveillance in the workplace (Recommendation nr. 08/2012). This nonbinding recommendation strives to clarify the Belgian rules governing access to the content of electronic communications at work, among other things.
CANADA—Court rules on mortgage disclosure in Royal Bank v. Trang (September 1, 2012)
There are many circumstances in which organizations are requested or required to disclose personal information (PI) of their customers to others. Consent is usually required for such disclosures; however, privacy law generally makes allowance for disclosures without consent in clearly spelled-out circumstances; e.g., for the purpose of collecting a debt owed by the individual to the organization or when required to comply with a subpoena or warrant issued or an order made by a court.
FRANCE—First public warning for security breach in banking sector (September 1, 2012)
On June 21, the French Data Protection Authority (the CNIL) issued a public "blame" against the affiliate of a financial services group, operating as the group's IT service provider, for making available to all employees of the group documents about some of the bank's customers and their transactions. The documents were posted on shared folders and included information covered by bank secrecy, such as bank account details, credit card numbers, income and tax information. Access was made possible over a period of two years.
GERMANY—Data protection law breaches as unfair commercial practice (September 1, 2012)
Recently, there have been two contradictory judgments by German courts in relation to whether companies can issue warning letters under the Act Against Unfair Competition because of data protection breaches by a competitor. According to statutory law, this would only be possible if one considers the data protection rules as statutory provisions that are also intended to regulate market behaviour in the interest of market participants.
HONG KONG—Amendments to Hong Kong Personal Data (Privacy) Ordinance (September 1, 2012)
After two rounds of public consultations in 2009 and 2010, the Personal Data (Privacy) (Amendment) Ordinance 2012 was gazetted in July, finalizing the amendments to the Personal Data (Privacy) Ordinance (PDPO).
HUNGARY—DPA imposes maximum fine (September 1, 2012)
The Hungarian Data Protection Authority (DPA) has imposed a fine of HUF 10,000,000 (approximately €35,700) on an online real estate marketplace as a result of its unauthorised data processing activities. This is the first time the Hungarian regulator has imposed the maximum fine under Hungary’s new Privacy Act, which took effect on 1 January.
HUNGARY—Financial Supervisory Authority issues circular for Hungarian financial institutions on the use of cloud computing technologies (September 1, 2012)
On 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.
UK—ICO releases annual report, IT security guide and PIA questionnaire (September 1, 2012)
The annual report of the Information Commissioner's Office (ICO) was launched on Thursday 5 July. The report shows at a glance what the ICO has been doing over the 12 months to 31 March. Announcing the release of the report, the information commissioner took the opportunity to highlight the fact that the ICO has "bared its teeth" with the imposition of 10 civil monetary penalties, totaling £861,000, during the last financial year.