Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Garante Defines Obligations for Telecoms and ISPs (May 30, 2013)
The Italian DPA (Garante) has issued, following a public consultation, a decision that defines in detail the obligations for telephone companies and Internet service providers regarding possible cases of data breach, according to the relevant provisions contained in the Italian privacy law and in the European Directive 2002/58/EC.
From Beavers to Smart Cars to Ivory Coast with Sandy Pentland (May 29, 2013)
“Finding beavers from outer space was my very first job,” said Alex “Sandy” Pentland, presenting at a recent Center for Geographic Analysis conference. The audience chuckled. “Yeah, isn’t that crazy?” Pentland now works at MIT and co-leads the World Economic Forum Big Data and Personal Data Initiatives and somewhere in between beavers and the WEF, he helped develop the car monitoring systems for the Nissan Leaf—so he “knows a little about cars, too.”
State Social Media Privacy Laws Top Legislative Roundup (May 24, 2013)
Over the past two weeks, several states have enacted or initiated privacy legislation. California has moved forward a security breach notification law, and Maine has considered a 911 privacy bill. Topping state legislative action, however, are social media privacy laws—from Utah to New Jersey, states are clamping down on the employer practice of requiring employees and applicants to disclose social media passwords.
When Shopping for Cyberinsurance, Semantics Matter (May 16, 2013)
At a May 16 IAPP KnowledgeNet on Pre-Breach Preparedness, Joe Burgoyne, corporate manager of security at Osram Sylvania, opened the “privacy panel” with a somewhat startling prompt: Raise your hand if you know where all of your company’s data is. Of the 100-plus attendees, maybe two hands went up—hesitantly.
PRIVACY IN POPULAR CULTURE: Going Gaga for Google Glass (May 14, 2013)
While it’s unquestionably true that the advent of Google Glass has created, and will continue to, all manner of interesting privacy discussions, Glass may end up being as much a boon to comedy writers as to privacy professionals.
This Week’s Data Breach Roundup (May 10, 2013)
Data breaches continue to affect private and public organizations across all sectors. Among this week's incidents, the biggest news may be that the state of Washington’s court system may have been hacked, potentially affecting millions of residents. Several healthcare organizations announced breaches this week, including a North Carolina-based clinic. The incident may have compromised the health records of more than 17,000 patients. A Pennsylvania-based senior-housing organization was also breached, exposing more than 7,300 records.
Will the White House Soon Have A Chief Privacy Officer or Not? (May 8, 2013)
While a report circulated that the White House was poised to announce a first-ever chief privacy officer (CPO), it appears that report may have jumped the gun. Is the White House about to get a new CPO? Will it be Twitter’s current legal director? We get you up-to-date on the latest news.
State Legislature Roundup (May 3, 2013)
A number of U.S. states have passed or are working on various types of privacy legislation—from employee privacy to breach notification. Most notably, California has pulled a bill that would have required businesses to disclose to consumers data they have collected on them. The Pennsylvania Senate has passed a law that would require state agencies to notify residents of a breach “as soon as possible.” And the Texas House has also “tentatively” approved similar social media legislation.
CANADA—Bill Would Allow for Warrantless Communication Interception (May 1, 2013)
Canada’s government introduced Bill C-55 in February in response to the Supreme Court’s decision in R. v. Tse. The bill amends the Criminal Code relating to the authority to intercept private communications without prior judicial authorization. The bill, which received royal assent on March 27, comes into force six months from that date.
FRANCE—Article 29 Working Party Guidelines for Apps on Smart Devices (May 1, 2013)
On February 27, the Article 29 Data Protection Working Party adopted an opinion on smart devices. The opinion strives to clarify the European regime on the collection and use of personal information by means of smart devices and states that EU data privacy law kicks in as soon as mobile apps are targeted at users within the EU.
ITALY—M-Payment and Privacy by Design (May 1, 2013)
Mobile payment was one of the sectors under the spotlight of the Italian Data Protection Authority (Garante) in 2012, and the same will be true for 2013. Although it is undeniable that the mobile ecosystem—as conspicuously outlined in the opinion issued by the European Data Protection Article 29 Working Party about apps on smart devices—raises critical issues for the privacy of users, the Garante’s focus on these new means of payment, whose development in Italy is still in an embryonic phase, could seem surprising.
UK—ICO Blog Highlights Key Thoughts on EU Data Protection Reforms (May 1, 2013)
A recent blog published on the Information Commissioner's Office (ICO) website sets out the UK regulator's opinions on the current draft of the General Data Protection Regulation. The blog welcomes such aspects as the draft regulation's emphasis on the privacy rights of individuals and highlights some concerns, including the increased role expected of national data protection authorities in signing-off arrangements for protecting personal data in international data transfers.
UK—Company Fined 90,000 GBP For Nuisance Marketing Calls (May 1, 2013)
The ICO has served a 90,000 GBP penalty on Glasgow-based DM Design for carrying out unwanted marketing calls to the public. The company had been the subject of some 2,000 complaints to both the ICO and the UK's Telephone Preference Service (TPS).
UK—ICO Confirms Investigation into Google's Privacy Policy (May 1, 2013)
Following an initial investigation by the French Data Protection Authority (the CNIL) on behalf of the wider EU Article 29 Working Party, the ICO has confirmed that it has launched an investigation into Google's revised privacy policy to determine whether it is compliant with the UK Data Protection Act 1998.
Supreme Court Wiretap Ruling Upholds Stringent Standing-To-Sue Requirements (May 1, 2013)
The U.S. Supreme Court’s recent ruling in Clapper v. Amnesty International USA could make it easier for companies to seek early dismissal of consumer data breach and privacy lawsuits. The Supreme Court has upheld stringent requirements for plaintiffs to have standing to sue in privacy cases, including a requirement to show that the threatened harm is “certainly impending” and not merely speculative.
In Praise of “Little Data” (May 1, 2013)
In this age of Big Data, there is much to be said for the value of “Little Data”—or data minimization. When Big Data includes personal information, it can result in big headaches as customer expectations and privacy laws obligate collectors of personal data to maintain its security and provide notice and choice regarding how it is obtained, used and shared. “Little Data” has its virtues as a practical and effective strategy for meeting privacy compliance obligations.
ZIP Codes: Are Courts Set To Protect Consumers from Marketing? (May 1, 2013)
If California, Massachusetts and about a dozen other states are indicators, courts are ready and willing to regulate the type of data retailers can collect from consumers during transactions as well as what kinds of data constitute personally identifiable information (PII). What does all this mean for retailers? As those in Massachusetts and California change their practices, should others proactively make similar changes?
IN FOCUS: The Directive (May 1, 2013)
Beginning with this edition of The Privacy Advisor, the IAPP will ask one expert to zoom in on a topic of interest. If you have a subject you’d like to discuss in-depth for a future edition, contact us. In this Q&A, Timothy Toohey, CIPP/US, CIPP/E, of Snell & Wilmer, discusses the tensions and controversies within the proposed EU data protection regulation.
Clarifying Privacy in the Cloud (May 1, 2013)
The “cloud” is maybe the most buzzed-about Internet sensation of the past five years, but how does working in the cloud change your privacy thinking? Maybe not as much as you think, John Wunderlich, CIPP/C, head of privacy consultancy Wunderlich & Associates, told The Privacy Advisor. “What’s old is new again…you’re outsourcing to a provider who has expertise that you don’t have.”
Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level (May 1, 2013)
The healthcare world is becoming increasingly complex, especially in terms of compliance and privacy. New technologies, shifting delivery care models and continuous innovation make privacy challenging. This report highlights 10 basic steps to create a quality privacy program.
Insights from Women in Privacy (May 1, 2013)
In the field’s infancy, privacy positions were almost equally shared by men and women. In the late 1970s and early 1980s, the term and the position of chief privacy officer was nonexistent, largely because personal privacy issues were not yet an epidemic. When the digital revolution moved from the Halon-haloed computer rooms to the desktop (then laptop, notebook, tablet, smartphone) environment, the world of privacy redefined itself and swiftly became an entirely different game.
A Look at the Privacy Consultants of Acxiom (May 1, 2013)
Companies are regularly faced with the tall task of using data to contribute to a robust bottom line while executing strong privacy practices and maintaining positive brand recognition. But what if data IS your business? Regulators, including the FTC, are keying into the data collection and use practices of so-called “data brokers” and consumers are growing more knowledgeable of how their personal information is used, bought and sold. One such company is Acxiom, whose CPO shares her insights in this report.