Global Privacy Dispatches
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante Releases Enforcement Activity Report
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
CANADA—Anti-Spam Legislation To Come Into Force
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
NEW ZEALAND—Privacy Reflections/Predictions for 2014
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014?
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Departing FTC leaders reflect on tenure, share visions (December 5, 2012)
Departing FTC Commissioner J. Thomas Rosch and Bureau of Consumer Protection Director David Vladeck recently reflected on their rich and eventful tenures at the agency. Vladeck said “the FTC takes commitments about privacy seriously and has the capacity to police an increasingly complex ecosystem,” while Rosch discussed what he described as the “new privacy paradigm” that began in 2010. Arnall Golden Gregory Partner Bob Belair offers insights into the FTC leaders’ contrasting views. He notes, “If we’re going to continue to protect privacy and not backslide, then there needs to be new approaches, whether it’s based on self-regulation or based on legislation, or new law enforcement actions, we have to stay vigilant because the technology—the ecosystem—changes.”
Legal evolution: Firms focus on privacy challenges (December 1, 2012)
Many law firms have recently been creating or adding to their privacy and data security practices. The impetus is simple: Businesses are facing an increasing number of privacy challenges, and the fallout from a single misstep can be severe. Experts weigh in on their work, the mobility of privacy pros and the continued evolution of the privacy field.
Data protection was not a game at London’s 2012 Olympics (December 1, 2012)
Patricia Poku isn’t new to data protection. A quick glance at her resume would tell you that. In fact, she’s spent the last 20 years or so in the field. But perhaps no amount of experience could have prepared her for the herculean task she most recently took on: head of data protection at London 2012—the Olympics and the Paralympics.
Exploring model privacy programs at organizations both large and small (December 1, 2012)
The IAPP recently honored two organizations for unique privacy programs that foster trust and bolster value to both the public and private sectors. This year’s HP-IAPP Privacy Innovation Awards went to global communications company Vodafone and the Canadian-based Alberta Pensions Services Corporation (APS). Both Vodafone, winner of the large organization category, and APS, recipient of the small organization award, faced their own set of challenges implementing their privacy programs, but both shared a similar recognition of the importance of an organization-wide privacy culture from top to bottom.
Privacy’s greatest threat and how to overcome it (December 1, 2012)
After some erroneous newspaper reports in 1897 that he had passed away, Mark Twain famously said that the reports of his death were greatly exaggerated. The same might also be said of privacy. Scott G. McNealy, former CEO of Sun Microsystems, reportedly once said “You already have zero privacy. Get over it.” However, if the recent IAPP Privacy Academy in San Jose, CA, was anything to go by, privacy is very much alive and kicking.
Plaintiffs continue to push the envelope in Video Privacy Protection Act litigation cases (December 1, 2012)
The Video Privacy Protection Act (VPPA) has spawned plenty of litigation over the past couple of years; but this litigation has resulted in a few relevant recent rulings. One hot-button area has been lawsuits brought by plaintiffs to enforce the “purging requirement” imposed by the VPPA. Another has been the applicability of the statute to online streaming services. Plaintiffs have achieved mixed results in these cases.
Personal reflection and report: Together at the 34th annual meeting of data protection authorities and privacy commissioners in Punta Del Este, Uruguay (December 1, 2012)
The 34th International Conference of Data Protection and Privacy Commissioners in Uruguay saw discussions about APEC’s Cross-Border Privacy Rules, self-regulation versus formal regulations and the proposed EU Data Protection Regulation, among other topics. Throughout the DPA meeting, there was significant discussion of cross-border enforcement and assistance with investigations. One high-ranking EU privacy official suggested that more bilateral undertakings like the recent agreement between Germany and Canada are likely ways investigations will be coordinated and materials shared. The DPAs met privately on the specific topic of “profiling.”
Data breach litigation on the rise—Eleventh Circuit allows data breach putative class-action to proceed (December 1, 2012)
A recent decision from the U.S. Court of Appeals for the Eleventh Circuit may lead to an uptick in data breach litigation. In Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), the Eleventh Circuit, addressing issues of first impression, held that the plaintiffs’ allegations of injury and causation were sufficient to withstand a motion to dismiss where they suffered identity theft due to a data breach affecting their health insurer, AvMed.
The ownership and exploitation of personal identity in the new media age (December 1, 2012)
Who owns the information that is subject to privacy law and regulation? Ownership is the right to exclude. If you own a piece of real estate, you can exclude others from entering it. If you own a copyright in a book, you can exclude others from copying the book. Is the same true of personally identifiable information (PII)?
Getting to know a privacy pro (December 1, 2012)
Ron De Jesus is a manager with Deloitte’s privacy and data protection group. He has been providing privacy expertise to clients for more than eight years, through privacy program and environment assessments, privacy training and helping organizations understand their obligations under global privacy laws. He’s a graduate of the University of Toronto and most recently worked at American Express as director of privacy for its global network services business unit. The Privacy Advisor caught up with De Jesus to learn more about his life as a privacy professional.
BELGIUM—Time to Comply with the Amended Telecom Act (December 1, 2012)
The amendments to the Belgian Act on Electronic Communications (Telecom Act) entered into force on October 1. Amongst other things, the amended Telecom Act introduces a requirement for opt-in consent for cookies and a data breach notification obligation for telecommunications providers.
CANADA—Exemption Order added to the Personal Health Information Act (December 1, 2012)
Under paragraph 26(2)(b) of the Canadian federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), the governor in council can exempt an organization, a class of organizations, an activity or a class of activities from the application of PIPEDA with respect to the collection, use or disclosure of personal information that occurs within a province that has passed legislation deemed to be substantially similar to the PIPEDA.
ITALY—Use of company’s video-surveillance systems forbidden (December 1, 2012)
The Italian Data Protection Authority (Garante) has recently forbidden a call-center company from using a video-surveillance system that was able to detect both employees’ images and conversations. Following the Garante’s decision, the company can no longer process employees’ personal data in this unlawful way.
Carnegie Mellon to offer privacy professional degree (December 1, 2012)
In the fall of 2013, Carnegie Mellon University will roll out a first-of-its-kind program for students aiming to become privacy engineering professionals. The Master of Science in Information Technology—Privacy (MSIT-P) degree is a 12-month program geared toward future privacy engineers or technical privacy managers interested in ensuring that privacy is implemented into products and services.
College course offers privacy guidance (December 1, 2012)
Many great universities have come together to put some of their courses on the Internet, including the University of Washington, University of Michigan, Stanford University and many others.
EU officials discuss proposed data protection reform (December 1, 2012)
The proposed EU General Data Protection Regulation was front-and-center at this year’s IAPP Europe Data Protection Congress in Brussels, Belgium. After nearly a year of professionals and lawmakers digesting the proposal, Dutch MEP Sophie in’t Veld said, “the moment has come to get down to business.”
FTC announces staff changes (December 1, 2012)
Federal Trade Commission (FTC) Chairman Jon Leibowitz has announced the appointment of Peter Miller as the FTC’s chief privacy officer (CPO) while General Counsel Willard K. “Will” Tom has left the agency to return to the private sector and Principal Deputy General Counsel David Shonka will serve as acting general counsel.
UK—Prudential fined for inaccurate data (December 1, 2012)
The ICO has fined Prudential £50,000 for keeping inaccurate personal data records, after tens of thousands of pounds ended up in the wrong savings account due to a mix-up over two customers with the same name and date of birth.
UK—ICO to focus cookie enforcement on popular, noncompliant sites (December 1, 2012)
On 14 November, the ICO published a report on cookie enforcement further to the letters it sent to 68 popular websites in May 2012 to check what steps they were taking to comply with the UK’s new cookie consent requirement. Eighty-eight percent of the websites contacted responded, indicating that they were fully compliant or working towards compliance. All of the sites which responded appeared to have taken at least some steps towards compliance. The ICO also invited individuals to report concerns about cookies.