Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBP After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Consumer privacy education: Who's in charge? (October 1, 2012)
Earlier this year, the White House announced the first-ever Consumer Privacy Bill of Rights, which was largely developed by the Department of Commerce Internet Policy Task Force as well as the Federal Trade Commission (FTC). The White House has been trying to get Congress to give the bill the force of law, which would allow the FTC and state attorneys general to enforce its privacy protections. In the interim, however, the White House is seeking to get businesses to publicly state that they'll abide by the rules, as a code of conduct, which would allow the FTC to enforce businesses' compliance with the rules. But the best bill of rights won't work unless consumers feel passionate about their privacy.
Top scholars and practitioners tackle privacy’s complex challenges (October 1, 2012)
What happens when the world’s top privacy thinkers and practitioners get together? For those involved with the annual Privacy Law Scholars Conference (PLSC), a valuable conduit between scholarship and practice emerges. Backed by George Washington University Law School and Berkeley Law, the PLSC is a forum for legal, information privacy, economic, philosophy, computer and political science scholars to share and craft ideas with industry, advocacy, legal and government practitioners.
Uruguay discusses data protection landscape, upcoming conference (October 1, 2012)
The European Union confirmed in September that Uruguay had achieved adequacy for personal data protection. Uruguay’s Unit for the Regulation and Control of Personal Data (URCDP) fields data protection complaints and educates the public and database controllers, in both the private and public sectors, about their duties and obligations under the act.
Chief privacy officers discuss employee privacy training (October 1, 2012)
Companies increasingly have a need to train their employees in data protection and privacy. But there aren’t steadfast rules on how companies should ensure compliance with local, regional or national laws or their own policies. Chief privacy officers are tasked with educating employees in order to protect consumer privacy and their brands. One CPO notes, “Privacy-smart employees are essential to effectively managing the organization’s personal information assets.”
Privacy training: An emerging part of the corporate education canon (October 1, 2012)
Privacy training is increasingly becoming a staple in the corporate education canon. At most large institutions, privacy training is on the training curriculum, which is a challenging task given the quantity of corporate training and the value of employee time. The biggest challenge is making employees care.
Bring your own device: Bringing solutions or problems? (October 1, 2012)
The concept of “bring your own device” (BYOD) has been gaining ground over recent months and is now a key agenda item for many businesses considering whether to embrace the trend of allowing employees to use their own equipment for work. However, there is more to the debate than the potential cost savings--or flexibility--that BYOD can offer. BYOD raises difficult data security and privacy issues including confidentiality, data ownership and access rights.
HIPAA’s unanswered questions (October 1, 2012)
Another month goes by without the publication of the final Health Insurance Portability and Accountability/Health Information Technology for Economic and Clinical Health (HIPAA/HITECH) rules, and there’s no clear end in sight to this delay. What are the top unanswered questions about these rules, and how they will affect the HIPAA structure and healthcare privacy?
The Privacy Merchants: What is to be done? (October 1, 2012)
There are two kinds of corporations that keep track of what Internet users buy, read, visit, drink and who they call, e-mail, date and much else. Some merely track users’ activity on their site as part of their regular business; recording purchases and viewed products helps them increase sales, while other corporations make shadowing Internet users--and keeping very detailed dossiers on them--their main line of business. One can call these the “privacy merchants.”
Legal response to data breaches in the cloud (October 1, 2012)
Cloud computing, as it moves closer to being a public utility like power and water, will be defined mostly by the risks involved. These include data privacy risks. As is often the case with new IT services riding a marketing boom, the risks of cloud computing tend to be minimized by the marketers. Yet it is by understanding, assessing and managing those risks that confidence in cloud computing can expand significantly, for both organizational and personal users of the cloud.
Regulating the use of social media across continents (October 1, 2012)
Social media policies attempt to grapple with the impact that employee conduct online may have on the reputation, business interests and legal obligations of an organization. They do this by guiding employees on appropriate online behavior and prohibiting certain conduct. In a world characterized by constant connection to online devices and the blurring of professional and private lives, striking a balance that respects personal autonomy while protecting legitimate employer interests can be a delicate task.
Defamation by social media: Who's liable? (October 1, 2012)
Can service providers be held liable for what their users post, tweet or upload, including what others may deem to be offensive communications? The liability picture varies dramatically from country to country, thanks in part to differing defamation laws.
Data protection law in Switzerland and the transmission of data to the U.S. (October 1, 2012)
To paraphrase the Council of Europe, with the increase in exchanges of personal data across national borders, it is necessary to ensure the effective protection of human rights and fundamental freedoms, in particular the right to privacy, and to reconcile fundamental values of the respect for privacy and the free flow of information between peoples. Information privacy law, generally known in Europe as data protection law, offers very different protection on the two sides of the Atlantic Ocean.
California Sen. Joe Simitian hopes others pick up the privacy torch (October 1, 2012)
As Sen. Joe Simitian (D-Palo Alto) approaches his term limit in California’s State Senate this year, he says it will be essential that his legislative peers who remain pick up the proverbial privacy torch. It’s a cause he’s spent a considerable amount of time on during his legislative career, after all. But he notes some concern that privacy is becoming less of a legislative focus in California.
FTC ramping up data privacy enforcement actions; Google fined $22.5 million (October 1, 2012)
Last month, Google agreed to pay a $22.5 million civil penalty to settle Federal Trade Commission (FTC) charges claiming it misrepresented to users of Apple’s Safari Internet browser that it would not place advertising tracking “cookies” or serve targeted ads to them in violation of an earlier privacy settlement it reached with the FTC. Google has denied liability, calling the use of tracking cookies an inadvertent technical glitch, but has agreed to pay the $22.5 million penalty.
CANADA—Impact and considerations of EO investigation (October 1, 2012)
The privacy and security risks associated with the use of mobile devices such as laptops and USB keys have been well documented. However, occasionally an event occurs that should make all organizations stop and reconsider whether their own privacy and security practices could permit such an event to occur. The loss of two USB keys by Elections Ontario is such a tale.
FRANCE—Monitoring phone bills of protected employees (October 1, 2012)
French courts have an interesting approach to the monitoring of employee phone bills. They tend to consider that the employer is entitled to consult the invoices of telecom operators of professional phones without having to provide prior notice to employees, whereas this would not be acceptable with other forms of employee monitoring such as e-mail monitoring.
UK—ICO issues guidance on deleting personal data (October 1, 2012)
In August, the Information Commissioner's Office released a short guidance on deleting personal data. The document aims to clarify the regulator's interpretation of some of the requirements surrounding the archiving and deletion of personal data.
For modern-day businesses, it is now virtually the norm to store documents in electronic format rather than in paper copy. E-mail, both between employees and with the outside world, is now, alongside the telephone, the main means of corporate communication. With this in mind, organisations need to have not only well thought-through business continuity solutions but also strong archiving systems. It is the latter, and operating them in compliance with the Data Protection Act 1998 (DPA), that the ICO guidance comments on.
MIT unveils Big Data research initiative (October 1, 2012)
The Computer Science and Artificial Intelligence Laboratory (CSAIL) at the Massachusetts Institute of Technology (MIT) has announced a new program for exploring and improving the use of Big Data. Bigdata@CSAIL will bring together representatives from academia, industry and government to develop and improve methods of collecting, processing, analyzing, storing and sharing massive datasets made possible by Big Data with the goal of making them more useful for society.
IDT911 expands operations to Canada (October 1, 2012)
Identity management and data privacy risk management services provider IDT911 has announced its expansion into the Canadian marketplace.
Roth joins SNR Denton (October 1, 2012)
SNR Denton has announced Andy Roth has joined the firm’s Corporate and Business Transactions Team as a partner. The team focuses on privacy, security and data strategy.