Privacy Advisor

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Departing FTC leaders reflect on tenure, share visions (December 5, 2012)
Departing FTC Commissioner J. Thomas Rosch and Bureau of Consumer Protection Director David Vladeck recently reflected on their rich and eventful tenures at the agency. Vladeck said “the FTC takes commitments about privacy seriously and has the capacity to police an increasingly complex ecosystem,” while Rosch discussed what he described as the “new privacy paradigm” that began in 2010. Arnall Golden Gregory Partner Bob Belair offers insights into the FTC leaders’ contrasting views. He notes, “If we’re going to continue to protect privacy and not backslide, then there needs to be new approaches, whether it’s based on self-regulation or based on legislation, or new law enforcement actions, we have to stay vigilant because the technology—the ecosystem—changes.”
Legal evolution: Firms focus on privacy challenges (December 1, 2012)
Many law firms have recently been creating or adding to their privacy and data security practices. The impetus is simple: Businesses are facing an increasing number of privacy challenges, and the fallout from a single misstep can be severe. Experts weigh in on their work, the mobility of privacy pros and the continued evolution of the privacy field.
Data protection was not a game at London’s 2012 Olympics (December 1, 2012)
Patricia Poku isn’t new to data protection. A quick glance at her resume would tell you that. In fact, she’s spent the last 20 years or so in the field. But perhaps no amount of experience could have prepared her for the herculean task she most recently took on: head of data protection at London 2012—the Olympics and the Paralympics.
Exploring model privacy programs at organizations both large and small (December 1, 2012)
The IAPP recently honored two organizations for unique privacy programs that foster trust and bolster value to both the public and private sectors. This year’s HP-IAPP Privacy Innovation Awards went to global communications company Vodafone and the Canadian-based Alberta Pensions Services Corporation (APS). Both Vodafone, winner of the large organization category, and APS, recipient of the small organization award, faced their own set of challenges implementing their privacy programs, but both shared a similar recognition of the importance of an organization-wide privacy culture from top to bottom.
The FTC’s recent settlement with a web analytics company underscores its privacy and data security priorities (December 1, 2012)
On October 22, the Federal Trade Commission announced that it had settled charges with Compete, Inc., a web analytics company that uses tracking software to collect data on consumers' online browsing behavior. The proposed consent order would, among other things, require Compete to provide consumers with notice of the types of data it collects and obtain their express consent to such collection.
Privacy’s greatest threat and how to overcome it (December 1, 2012)
After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated. The same might also be said of privacy. Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.” However, if the recent IAPP Privacy Academy in San Jose, CA, was anything to go by, privacy is very much alive and kicking.
Plaintiffs continue to push the envelope in Video Privacy Protection Act litigation cases (December 1, 2012)
The Video Privacy Protection Act (VPPA) has spawned plenty of litigation over the past couple of years; but this litigation has resulted in a few relevant recent rulings. One hot-button area has been lawsuits brought by plaintiffs to enforce the “purging requirement” imposed by the VPPA. Another has been the applicability of the statute to online streaming services. Plaintiffs have achieved mixed results in these cases.
Personal reflection and report: Together at the 34th annual meeting of data protection authorities and privacy commissioners in Punta Del Este, Uruguay (December 1, 2012)
The 34th International Conference of Data Protection and Privacy Commissioners in Uruguay saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics. Throughout the DPA meeting, there was significant discussion of cross-border enforcement and assistance with investigations. One high-ranking EU privacy official suggested that more bilateral undertakings like the recent agreement between Germany and Canada are likely ways investigations will be coordinated and materials shared. The DPAs met privately on the specific topic of “profiling.”
Data breach litigation on the rise—Eleventh Circuit allows data breach putative class-action to proceed (December 1, 2012)
A recent decision from the U.S. Court of Appeals for the Eleventh Circuit may lead to an uptick in data breach litigation. In Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), the Eleventh Circuit, addressing issues of first impression, held that the plaintiffs’ allegations of injury and causation were sufficient to withstand a motion to dismiss where they suffered identity theft due to a data breach affecting their health insurer, AvMed.
The ownership and exploitation of personal identity in the new media age (December 1, 2012)
Who owns the information that is subject to privacy law and regulation? Ownership is the right to exclude. If you own a piece of real estate, you can exclude others from entering it. If you own a copyright in a book, you can exclude others from copying the book. Is the same true of personally identifiable information (PII)?
Getting to know a privacy pro (December 1, 2012)
Ron De Jesus is a manager with Deloitte’s privacy and data protection group. He has been providing privacy expertise to clients for more than eight years, through privacy program and environment assessments, privacy training and helping organizations understand their obligations under global privacy laws. He’s a graduate of the University of Toronto and most recently worked at American Express as director of privacy for its global network services business unit. The Privacy Advisor caught up with De Jesus to learn more about his life as a privacy professional.
BELGIUM—Time to Comply with the Amended Telecom Act (December 1, 2012)
The amendments to the Belgian Act on Electronic Communications (Telecom Act) entered into force on October 1. Amongst other things, the amended Telecom Act introduces a requirement for opt-in consent for cookies and a data breach notification obligation for telecommunications providers.
CANADA—Exemption Order added to the Personal Health Information Act (December 1, 2012)
Under paragraph 26(2)(b) of the Canadian federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), the governor in council can exempt an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province that has passed legislation deemed to be substantially similar to the PIPEDA.
EU—Article 29 Working Party Opinion 08/2012: Further input on the EU Data Protection Reforms (December 1, 2012)
The proposed new EU General Data Protection Regulation continues to generate discussion at the EU level. The latest comments issued by the Article 29 Data Protection Working Party are a vocal challenge to the European Commission’s broad powers foreseen under the regulation.
ITALY—Use of company’s video-surveillance systems forbidden (December 1, 2012)
The Italian Data Protection Authority (Garante) has recently forbidden a call-center company from using a video-surveillance system that was able to detect both employees’ images and conversations. Following the Garante’s decision, the company can no longer process employees’ personal data in this unlawful way.
ITALY—British Telecom Italy will have to pay a sanction of €75,000 for not having provided DPA with the required information (December 1, 2012)
After numerous reports of junk faxes sent for promotional purposes, the Data Protection Authority (Garante) had sent British Telecom Italy a request for clarification, which went unanswered.
ITALY—Counterfeit Euros: green light of the Garante to the Decree on SIRFE (December 1, 2012)
The Garante, Italy’s DPA, gave its green light to a draft decree of the minister of economy and finance (Mef) aimed at fixing criteria and procedures of telematic transmission of data and information relating to the return of euros suspected of being counterfeit.
Carnegie Mellon to offer privacy professional degree (December 1, 2012)
In the fall of 2013, Carnegie Mellon University will roll out a first-of-its-kind program for students aiming to become privacy engineering professionals. The Master of Science in Information Technology—Privacy (MSIT-P) degree is a 12-month program geared toward future privacy engineers or technical privacy managers interested in ensuring that privacy is implemented into products and services.
College course offers privacy guidance (December 1, 2012)
Many great universities have come together to put some of their courses on the Internet, including the University of Washington, University of Michigan, Stanford University and many others.
EU officials discuss proposed data protection reform (December 1, 2012)
The proposed EU General Data Protection Regulation was front-and-center at this year’s IAPP Europe Data Protection Congress in Brussels, Belgium. After nearly a year of professionals and lawmakers digesting the proposal, Dutch MEP Sophie in’t Veld said, “the moment has come to get down to business.”
FTC announces staff changes (December 1, 2012)
Federal Trade Commission (FTC) Chairman Jon Leibowitz has announced the appointment of Peter Miller as the FTC’s chief privacy officer (CPO) while General Counsel Willard K. “Will” Tom has left the agency to return to the private sector and Principal Deputy General Counsel David Shonka will serve as acting general counsel.
POLAND—Polish Data Protection Authority signs the Code of Good Practices with the Automotive Industry Association (December 1, 2012)
The Polish Data Protection Authority (GIODO) and the Polish Automotive Industry Association (Polski Zwiazek Przemyslu Motoryzacyjnego, PZPM) have signed the Code of Good Practices on Personal Data Processing. Negotiations on the code started in 2010, and it is a rare example of self-regulation of privacy law in Poland.
UK—Prudential fined for inaccurate data (December 1, 2012)
The ICO has fined Prudential £50,000 for keeping inaccurate personal data records, after tens of thousands of pounds ended up in the wrong savings account due to a mix-up over two customers with the same name and date of birth.
UK—ICO to focus cookie enforcement on popular, noncompliant sites (December 1, 2012)
On 14 November, the ICO published a report on cookie enforcement further to the letters it sent to 68 popular websites in May 2012 to check what steps they were taking to comply with the UK’s new cookie consent requirement. Eighty-eight percent of the websites contacted responded, indicating that they were fully compliant or working towards compliance. All of the sites which responded appeared to have taken at least some steps towards compliance. The ICO also invited individuals to report concerns about cookies.
UK—Justice Select Committee criticizes EU data protection reform proposals (December 1, 2012)
On 24 October, the UK Justice Select Committee published its opinion on the EU data protection reform proposals. While the committee agreed that reform is necessary, it urged the commission to “go back to the drawing board and devise a regime which is much less prescriptive.”
UK—ICO consults on changes to UK data processing registrations (December 1, 2012)
With the aim of improving the registration process itself and providing more accessible information to individuals about how their personal information is used, the ICO has launched a registration reform consultation.