Global Privacy Dispatches
POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, upheld the position adopted by the Polish Data Protection Authority (DPA) in its decision issued against Google Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation found that it had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a company that had accessed an employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) exposed thousands of people's personal details to a malicious hacker.
Consumer privacy education: Who's in charge? (October 1, 2012)
Earlier this year, the White House announced the first-ever Consumer Privacy Bill of Rights, which was largely developed by the Department of Commerce Internet Policy Task Force as well as the Federal Trade Commission (FTC). The White House has been trying to get Congress to give the bill the force of law, which would allow the FTC and state attorneys general to enforce its privacy protections. In the interim, however, the White House is seeking to get businesses to publicly state that they'll abide by the rules, as a code of conduct, which would allow the FTC to enforce businesses' compliance with the rules. But the best bill of rights won't work unless consumers feel passionate about their privacy.
Top scholars and practitioners tackle privacy’s complex challenges (October 1, 2012)
What happens when the world’s top privacy thinkers and practitioners get together? For those involved with the annual Privacy Law Scholars Conference (PLSC), a valuable conduit between scholarship and practice emerges. Backed by George Washington University Law School and Berkeley Law, the PLSC is a forum for legal, information privacy, economic, philosophy, computer and political science scholars to share and craft ideas with industry, advocacy, legal and government practitioners.
Uruguay discusses data protection landscape, upcoming conference (October 1, 2012)
The European Union confirmed in September that Uruguay had achieved adequacy for personal data protection. Uruguay’s Unit for the Regulation and Control of Personal Data (URCDP) fields data protection complaints and educates the public and database controllers, in both the private and public sector, about their duties and obligations under the act.
Chief privacy officers discuss employee privacy training (October 1, 2012)
Companies increasingly have a need to train their employees in data protection and privacy. But there aren’t steadfast rules on how companies should ensure compliance with local, regional or national laws or their own policies. Chief privacy officers are tasked with educating employees in order to protect consumer privacy and their brands. One CPO notes, “Privacy-smart employees are essential to effectively managing the organization’s personal information assets.”
Privacy training: An emerging part of the corporate education canon (October 1, 2012)
Privacy training is increasingly becoming a staple of the corporate education canon. At most large institutions, privacy training has a place on the curriculum, which is no small feat given the volume of corporate training and the value of employee time. The biggest challenge is making employees care.
Bring your own device: Bringing solutions or problems? (October 1, 2012)
The concept of “bring your own device” (BYOD) has been gaining ground over recent months and is now a key agenda item for many businesses considering whether to embrace the trend of allowing employees to use their own equipment for work. However, there is more to the debate than the potential cost savings--or flexibility--that BYOD can offer. BYOD raises difficult data security and privacy issues including confidentiality, data ownership and access rights.
HIPAA’s unanswered questions (October 1, 2012)
Another month goes by without the publication of the final Health Insurance Portability and Accountability/Health Information Technology for Economic and Clinical Health (HIPAA/HITECH) rules, and there’s no clear end in sight to this delay. What are the top unanswered questions about these rules, and how they will affect the HIPAA structure and healthcare privacy?
The Privacy Merchants: What is to be done? (October 1, 2012)
There are two kinds of corporations that keep track of what Internet users buy, read, visit, drink and who they call, e-mail, date and much else. Some merely track users’ activity on their site as part of their regular business; recording purchases and viewed products helps them increase sales, while other corporations make shadowing Internet users--and keeping very detailed dossiers on them--their main line of business. One can call these the “privacy merchants.”
Legal response to data breaches in the cloud (October 1, 2012)
Cloud computing, as it moves closer to being a public utility like power and water, will be defined mostly by the risks involved. These include data privacy risks. As is often the case with new IT services riding a marketing boom, the risks of cloud computing tend to be minimized by the marketers. Yet it is by understanding, assessing and managing those risks that confidence in cloud computing can expand significantly, for both organizational and personal users of the cloud.
Regulating the use of social media across continents (October 1, 2012)
Social media policies attempt to grapple with the impact that employee conduct online may have on the reputation, business interests and legal obligations of an organization. They do this by guiding employees on appropriate online behavior and prohibiting certain conduct. In a world characterized by constant connection to online devices and the blurring of professional and private lives, striking a balance that respects personal autonomy while protecting legitimate employer interests can be a delicate task.
Defamation by social media: Who's liable? (October 1, 2012)
Can service providers be held liable for what their users post, tweet or upload, including what others may deem to be offensive communications? The liability picture varies dramatically from country to country, thanks in part to differing defamation laws.
Data protection law in Switzerland and the transmission of data to the U.S. (October 1, 2012)
To paraphrase the Council of Europe, with the increase in exchanges of personal data across national borders, it is necessary to ensure the effective protection of human rights and fundamental freedoms, in particular the right to privacy, and to reconcile fundamental values of the respect for privacy and the free flow of information between peoples. Information privacy law, generally known in Europe as data protection law, offers very different protection on the two sides of the Atlantic Ocean.
California Sen. Joe Simitian hopes others pick up the privacy torch (October 1, 2012)
As Sen. Joe Simitian (D-Palo Alto) approaches his term limit in California’s State Senate this year, he says it will be essential that his legislative peers who remain pick up the proverbial privacy torch. It’s a cause he’s spent a considerable amount of time on during his legislative career, after all. But he notes some concern that privacy is becoming less of a legislative focus in California.
FTC ramping up data privacy enforcement actions; Google fined $22.5 million (October 1, 2012)
Last month, Google agreed to pay a $22.5 million civil penalty to settle Federal Trade Commission (FTC) charges claiming it misrepresented to users of Apple’s Safari Internet browser that it would not place advertising tracking “cookies” or serve targeted ads to them in violation of an earlier privacy settlement it reached with the FTC. Google has denied liability, calling the use of tracking cookies an inadvertent technical glitch, but has agreed to pay the $22.5 million penalty.
CANADA—Impact and considerations of EO investigation (October 1, 2012)
The privacy and security risks associated with the use of mobile devices such as laptops and USB keys have been well documented. However, occasionally an event occurs that should make all organizations stop and reconsider whether their own privacy and security practices could permit such an event to occur. The loss of two USB keys by Elections Ontario is such a tale.
FRANCE—Monitoring phone bills of protected employees (October 1, 2012)
French courts have an interesting approach to the monitoring of employee phone bills. They tend to consider that the employer is entitled to consult the invoices of telecom operators of professional phones without having to provide prior notice to employees, whereas this would not be acceptable with other forms of employee monitoring such as e-mail monitoring.
UK—ICO issues guidance on deleting personal data (October 1, 2012)
In August, the Information Commissioner's Office released a short guidance on deleting personal data. The document aims to clarify the regulator's interpretation of some of the requirements surrounding the archiving and deletion of personal data.
For modern day businesses, it is now virtually the norm to store documents in electronic format rather than in paper copy. E-mail, exchanged among employees and with the outside world, is now, alongside the telephone, the main means of corporate communication. With this in mind, organisations need to have not only well thought-through business continuity solutions but also strong archiving systems. It is the latter, and operating them in compliance with the Data Protection Act 1998 (DPA), that the ICO guidance comments on.
MIT unveils Big Data research initiative (October 1, 2012)
The Computer Science and Artificial Intelligence Laboratory (CSAIL) at the Massachusetts Institute of Technology (MIT) has announced a new program for exploring and improving the use of Big Data. Bigdata@CSAIL will bring together representatives from academia, industry and government to develop and improve methods of collecting, processing, analyzing, storing and sharing massive datasets made possible by Big Data with the goal of making them more useful for society.
IDT911 expands operations to Canada (October 1, 2012)
Identity management and data privacy risk management services provider IDT911 has announced its expansion into the Canadian marketplace.
Roth joins SNR Denton (October 1, 2012)
SNR Denton has announced Andy Roth has joined the firm’s Corporate and Business Transactions Team as a partner. The team focuses on privacy, security and data strategy.