Global Privacy Dispatches
POLAND—DPA vs. Google on the Information Security Administrator
The Supreme Administrative Court, in its judgment of 21 February, supported the position adopted by the Polish Data Protection Authority (DPA) in its decision issued towards Google, Inc.
UK—ICO Issues 50,000 GBP Fine for Unsolicited Calls
The Information Commissioner’s Office has fined home improvement company Amber Windows 50,000 GBP after an investigation discovered they had made unsolicited marketing calls to individuals who had registered with the Telephone Preference Service.
UK—ICO Publishes Plans for 2014-17
The UK Information Commissioner’s Office has published its three-year corporate plan, setting out how it intends to address and tackle the challenges it faces in information regulation.
UK—Disclosure and Barring Service Warned After Collecting Unnecessary Sensitive Data
The UK Information Commissioner’s Office has ruled that the Disclosure and Barring Service breached the Data Protection Act after failing to stop the collection of information about convictions that were no longer required for employment checks.
FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—Private sector leads on data protection compliance (November 1, 2012)
A series of reports published by the ICO have highlighted the overall positive compliance approaches being adopted by private-sector organisations; however, concerns remain over the approaches of local government and the National Health Service (NHS) sectors.
Elections could impact U.S. and European privacy rights (November 1, 2012)
What happens to consumer privacy protections when there's a new administration in town? That's one question on the minds of privacy advocates as three upcoming events have the potential to reshape privacy rights around the world.
Assessing risk: Data breach litigation in U.S. courts (November 1, 2012)
In an era of international commerce, companies collect and aggregate vast amounts of consumers’ personal information that may be communicated around the globe. Along with the growth of electronic consumer databases, there has been an increase in the numbers of data breaches, some of them perpetrated by overseas actors. A June 2011 Ponemon Institute study revealed that 90 percent of surveyed companies had experienced a data breach within the past year.
The healthcare privacy balance (November 1, 2012)
Editor’s Note: In the following articles, experts share perspectives on the questions and challenges surrounding healthcare IT and privacy. John Christiansen examines the tension surrounding efforts to strike the balance between privacy and other values, while Rick Kam, CIPP/US, and Doug Pollack, CIPP/US, write about patient privacy concerns.
European Parliament’s study highlights shortcomings of reform proposal (November 1, 2012)
In September, a study entitled “Reforming the Data Protection Package” was published by the European Parliament’s Directorate-General for Internal Policies, analysing the proposed General Data Protection Regulation (GDPR). The study was requested by the European Parliament’s Committee on Internal Market and Consumer Protection and aims to provide background information and advice on priority measures and actions to be undertaken in the reform of the European data protection legal framework.
Businesses nationwide continue to grapple with Massachusetts data privacy laws (November 1, 2012)
There were over 1,800 data security breaches affecting more than 3.2 million Massachusetts residents between November 2007 and September 2011, according to a recent report from the Massachusetts Office of Consumer Affairs and Business Regulation. The Massachusetts data privacy regulations became effective in March 2010 and were enacted to combat the increased threat of data security breaches following several high-profile incidents. The regulations apply to every “person” or entity—including businesses both inside and outside of Massachusetts—holding, processing or otherwise accessing personal information of Massachusetts residents.
Cloud Computing: CNIL’s 7 recommendations are necessary but not sufficient (November 1, 2012)
The Commission nationale de l’informatique et des libertés (CNIL) has issued recommendations following the close of its call for contributions from cloud computing stakeholders, including customers and providers. The CNIL’s seven recommendations are based mainly on a risk analysis carried out beforehand by customers and undertakings of transparency on the part of service providers towards their customers which must be formalised in the service contracts.
Should I Get Involved with the IAPP? (November 1, 2012)
As the IAPP accepts nominations for its various IAPP leadership boards, The Privacy Advisor recently caught up with one of its Education Advisory Board members about her experiences as a volunteer and its impact on her career as a privacy professional.
Lisa Sotto, CIPP/US, named among “Attorneys Who Matter” (November 1, 2012)
Hunton & Williams LLP Partner Lisa J. Sotto, CIPP/US, has been named among Ethisphere Institute's "Attorneys Who Matter" for 2012. Sotto is head of the firm's global privacy and data security practice and managing partner of the New York office and is a member of the IAPP Board of Directors.
Peters appointed IBM’s CPO (November 1, 2012)
Christina Peters has been appointed IBM’s chief privacy officer. In her role as IBM’s CPO, Peters will guide and oversee IBM's global information policy and practices affecting more than 400,000 employees and thousands of clients. Peters also is responsible for a worldwide team of legal, data protection and technical professionals at IBM who address privacy and data security in the leadership manner expected of the company's global brand.
Grants will support online privacy projects (November 1, 2012)
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has announced more than $9 million in grant awards to support the National Strategy for Trusted Identities in Cyberspace (NSTIC). Five U.S. organizations will pilot identity solutions that increase confidence in online transactions, prevent identity theft and provide individuals with more control over how they share their personal information.
CANADA—Impact and considerations of EO investigation (November 1, 2012)
In early October 2012, the Ontario Court of Appeal released two decisions, R. v. Ward, 2012 ONCA 660, and R. v. Cuttell, 2012 ONCA 661, which dealt with the admittance of evidence obtained by means of a search warrant based on information obtained from plaintiffs’ Internet Service Provider (ISP). The Court of Appeal noted that the practice of the police “seeking and obtaining customer information from ISPs and using that information to obtain search warrants has been constitutionally challenged as an unreasonable search and seizure in several cases” and that this was the first time this court was addressing the constitutionality of this practice.
SPAIN—The dissemination of private videos without the consent of the person involved may be punished with a prison sentence. (November 1, 2012)
The Spanish government recently resolved, on 11 October, to submit to Congress a bill on the reform of the Criminal Code which, among other things, includes the possibility of sentencing to prison people who disseminate private videos without the consent of the persons involved, even if they were recorded with the victim’s consent and that person made them available to somebody else. The Criminal Code in force only punishes the seizure or interception of private messages of the victim, but it does not establish what should happen if that person provides them to a person who later disseminates them.
UK—ICO releases practical cloud guidance (November 1, 2012)
Following the recent Article 29 Working Party cloud computing opinion, it was the turn of the UK Information Commissioner's Office (ICO) to release “Guidance on the use of cloud computing” on 27 September. The guidance provides a helpful introduction to the key cloud definitions and different deployment and service models before providing guidance on cloud customers' and service providers' data protection obligations.
UK—ICO to issue six-figure penalties for spam-texting (November 1, 2012)
The ICO confirmed on 1 October that it is set to issue two fines totalling over 250,000 pounds to two illegal marketers responsible for distributing millions of spam texts. The action is the culmination of a six-month initiative where the ICO has been asking members of the public to report calls or texts received from unknown senders via an online survey. The ICO has reported that it has received almost 30,000 responses and is working to link this information to companies with a view to possible enforcement action.