Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined GBP 200,000 after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
Facebook’s White Hat Program Helped Uncover Glitch (June 28, 2013)
Facebook this week announced that a glitch exposed the personal information of six million users. In an interview with The Privacy Advisor, the company discusses how its White Hat program, which invites external security researchers to report vulnerabilities, in some cases for a monetary “bug bounty,” helped discover the problem and why it felt the need to report the breach.
Are Multiple Mobile Privacy Guidelines Helping or Hurting the Mobile Ecosystem? (June 27, 2013)
Never has the mobile app ecosystem been as popular and dynamic as it is now. Smartphones and the use of mobile apps are practically ubiquitous and are giving the economy a needed boost. With that boost, though, come very unique privacy concerns and challenges. And privacy regulators have taken notice.
Former U.S. Rep Bono Joins Leibowitz to Co-Chair New Privacy Coalition (June 27, 2013)
A group of the nation’s largest telecommunications companies have founded the 21st Century Privacy Coalition, Adweek reports. The coalition will be co-chaired by former Federal Trade Commission Chairman Jon Leibowitz and former U.S. Rep Mary Bono. Founding members include AT&T, Comcast, CTIA-The Wireless Association, Directv, Time Warner Cable, Verizon and the U.S. Telecom Association. In an exclusive interview with the IAPP, Bono said the coalition has nothing to do with the recent NSA revelations and has in fact been in the works for some time, dating back to when she was still serving as chairwoman for the Subcommittee of Commerce, Manufacturing and Trade. “It was clear there was a need,” she said.
FTC, Irish DPA Reach Mutual Enforcement Agreement (June 27, 2013)
Federal Trade Commission (FTC) Chairwoman Edith Ramirez and Ireland Data Protection Commissioner Billy Hawkes have signed a memorandum of understanding (MOU) to “promote increased understanding and communication” between both agencies, an FTC press release states. Ramirez said the MOU “is a step forward for the FTC in cross-border privacy enforcement,” and that, “Working closely with our international partners in this area benefits both consumers and companies.”
How UI and UX can KO privacy (June 27, 2013)
Will Dayable, co-director at Squareweave, a developer of web and mobile apps, plus an all-around entrepreneur and proud Aussie, and Jason Hong, associate professor at the Human Computer Interaction Institute at Carnegie Mellon, teamed to provoke the nearly 300 attendees at Navigate 2013 into thinking about how UX (User Experience) and UI (User Interface) affect the way people experience and understand privacy.
If Nine of 10 Employees Knowingly Breach Policy, How Is Privacy Possible? (June 25, 2013)
Earlier this year, a survey conducted over several years found that 93 percent of the 165,000 employees surveyed knowingly violate policies designed to prevent data breaches. Privacy professionals burn the midnight oil crafting policies in line with best practices. But such policies don’t stand a chance of protecting consumer data if the employees charged with practicing model data-steward behavior couldn’t care less about doing so. So how can a company ensure that its people are complying with the policies it promises to practice?
Privacy, Transparency and Google’s Blurred Glass (June 25, 2013)
No matter the context or jurisdiction, one concept underlies every view of the best practices in data privacy: transparency. Twitter and Google both publish transparency reports on government requests for data and data uses. But even if a privacy policy states that the company may be sharing data with its affiliates, that may not give consumers sufficient notice and understanding for them to fully consent.
SPAIN—DPA Releases Guidelines on Cloud Computing Services (June 25, 2013)
In April, the Spanish Data Protection Agency released several guidelines on cloud computing addressed, on the one hand, to providers of cloud computing services and, on the other hand, to their clients or users of those services.
Privacy Front-and-Center: Rounding Up the NSA Fallout (June 25, 2013)
Over the course of the last few weeks, two leaked U.S. National Security Agency surveillance programs have put privacy issues in the headlines across the globe. Debate about privacy versus security has raged, and trade talks between the U.S. and EU have been affected. Between government and industry reaction and a smattering of opinion, there’s been a lot to follow. Here, we try to piece it all together.
Privacy Products (June 24, 2013)
Revelations on PRISM Should Not—But Likely Will—Affect the General Data Protection Regulation (June 24, 2013)
Recent revelations relating to PRISM and the Verizon FISA Order should not—but likely will—affect the current talks to enact the General Data Protection Regulation. These disclosures may make the rules on international data transfers to third countries more prescriptive, affect current and future adequacy decisions and frustrate businesses engaging in international data transfers. Considering that government surveillance is a global reality, erecting barriers to transfers of personal data for businesses is unlikely to make good sense.
Privacy Board To Host Workshop on NSA Surveillance Programs (June 24, 2013)
The Privacy and Civil Liberties Oversight Board (PCLOB) met with President Barack Obama in the first-ever meeting between the two. PCLOB Chairman David Medine told the IAPP the board “informed the president” that it “is undertaking a review of the recently revealed surveillance programs as a top priority.”
ITALY—Soro Contests Government Measures Simplifying Data Protection Code (June 24, 2013)
Garante President Antonello Soro has strongly contested the Italian government’s recent measures aimed at simplifying the Data Protection Code, arguing that they are clearly in breach of the EU Directive, the Lisbon Treaty and Italian law.
10 Steps to a Quality Privacy Program: Part One (June 23, 2013)
The May edition of The Privacy Advisor featured an article on the “Ten Steps to a Quality Privacy Program: Taking Your Program to the Next Level.” This is the first of a series of articles that will drill down on each recommended step in an effort to help those just getting started on or revamping existing policies. Step 1: Creating Roadmaps on Requirements.
UK--ICO Fines City Authority 150,000 GBPs Following Loss of Laptops (June 23, 2013)
The Information Commissioner's Office has issued Glasgow City Council a GBP 150,000 monetary penalty notice following the loss of two unencrypted laptops, one of which contained the personal information of 20,143 people.

UK--Government Hosts Consultation on Proposed EU Cybersecurity Directive (June 23, 2013)
The UK Department for Business, Innovation and Skills has held its call for evidence on the European Commission's proposed Directive on Network and Information Security. The directive, published on 7 February as part of the EU Cybersecurity Strategy, would mandate compulsory reporting of security breaches that have a “significant impact” on the provision of core services.
UK--ICO Responds to PRISM Allegations as European Commission Demands Answers (June 23, 2013)
The Information Commissioner's Office has raised concerns about the alleged data collection practices of the U.S. National Security Agency (NSA) following allegations from a whistleblower that the NSA had access to personal data held by the world's top technology companies.
NSA Leak Implications Continue (June 20, 2013)
From connections between the National Security Agency (NSA) and various leaders at start-ups in Silicon Valley to questions of whether the NSA leaks will prompt an EU data protection rewrite, reports on the continued implications of the recent revelations abound. This exclusive highlights the key headlines, including a recent report from The New York Times on the connection between a former Facebook CSO and the NSA, a Reuters report on Wednesday’s cloud security summit and Sir Martin Sorrell’s comments in The Guardian that the NSA revelations are a “game changer.”
GERMANY—American “Prism” Program: Criticism from German Businesses, Officials (June 19, 2013)
Reportedly, the PRISM program allows the U.S. National Security Agency (NSA) to access the data collected by several American businesses including Amazon, Apple, Facebook, Google and Microsoft. The exposure of the program caused concerns among politicians as well as the business community in Germany.
A Case for Making the CSO Your New BFF (June 19, 2013)
The chief security officer and chief privacy officer at any given company can seem to occupy very different job functions. But the truth is the two positions can be exponentially fortified by working together.
Maintaining Location Privacy in the Digital Age (June 18, 2013)
Alarm has been raised about the dangers of having real-time location data widely available. For children and victims of domestic abuse, the concern can be real and warranted. However, as the privacy community debates the merits of geolocation, one glaring issue is not being addressed. The fact remains that a person’s home address is public information and can easily be found on the Internet.
BRAZIL--BYOD Trend On the Rise, Rules Should Be Clarified (June 18, 2013)
The time has gone when access to cutting-edge technology was limited to individuals working in enterprise environments. Today, information is freely available about the quality, robustness and efficiency of products, which enables ordinary users to receive and track news of what the domestic or international electronics market has to offer. On the other hand, many companies still operate more traditional forms of supply acquisition, with all the usual bureaucracy and delays. This, combined with volatile budget policies, leads to a tendency for a decrease in the pace of technological modernization in the workplace.
Rich Appointed Head of Consumer Protection (June 18, 2013)
The FTC announced Chairwoman Edith Ramirez’s appointment of seven senior staff members, including Jessica Rich, a privacy expert who will now serve as director of the Bureau of Consumer Protection. In this exclusive, Rich says that privacy is an area in which the FTC believes consumer protection is very important, and that, in line with Chairwoman Ramirez’s emphasis that the agency plans to be aggressive on privacy, the commission will use the tools in its belt to “the fullest extent possible” to protect consumers, including Section 5 of the FTC Act, the Fair Credit Reporting Act and COPPA.
GERMANY--Karlsruhe Administrative Court: No Access to Backup Copies (June 18, 2013)
On May 27, the Administrative Court of Karlsruhe passed its judgment in a case that had attracted major public interest in the German media because the former prime minister of the state of Baden-Wuerttemberg was a party in the proceedings. However, the judgment is of interest not only for its political but also its legal impact.
HUNGARY--Highlights from the new DPA’s “Year One” (June 18, 2013)
As of 1 January 2012, a new data protection supervisory authority was established in Hungary called the National Authority for Data Protection and Freedom of Information, or Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH).
Feds Permit Some National Security Data Requests; Obama Defends Programs (June 17, 2013)
The U.S. government has said that U.S. tech firms may publish government requests for user data but can only do so when combined with state and local government requests. In our continuing coverage of the National Security Agency surveillance program leaks, we look at responses from Google, Apple, Facebook and Microsoft as well as reactions from President Barack Obama, who has defended the programs,
FISA Rulings Put Tech Biz Between Rock and Hard Place; Revelations Continue (June 14, 2013)
In our continuing coverage of the NSA programs and their effect on privacy, one lawmaker warns this is the “tip of the iceberg” while other experts discuss various implications—from Big Data concerns to consumer perceptions of online tracking by private industry.
PRISM Revelations May Affect Global Privacy, Anti-Terror Policy (June 14, 2013)
As we begin to see the backside of the initial reporting on the NSA’s PRISM activities and the gathering of phone data from Verizon and other carriers, more voices are sounding their opinions on how this will affect, and already has affected, global privacy policy.
NSA Leaks Have Canadian Officials Looking at Domestic Surveillance (June 14, 2013)
The fallout from the U.S. National Security Agency’s (NSA) surveillance programs has Canadian officials, including Privacy Commissioner Jennifer Stoddart, looking at the Canadian government’s surveillance of phone and Internet records. AFP reported earlier this week that Defense Minister Peter MacKay signed a directive in 2011 renewing a program that sifted through phone and Internet records to detect suspicious activity.
NSA Leaks: EU-U.S. Tensions on the Rise, Europe Reacts (June 13, 2013)
The past week has been filled with news about the U.S. National Security Agency’s (NSA) surveillance programmes. Initially published by The Guardian, whistleblower Edward Snowden discusses his reasons for leaking the classified programmes. The Privacy Advisor has been compiling the many angles and shockwaves that have been sent through the privacy and data protection community.
Sen. Asks PCLOB To Probe NSA Programs, Questions NSA Head (June 13, 2013)
At a Senate Appropriations Committee hearing, Sen. Tom Udall (D-NM) said he sent a letter, with bipartisan support, to the Privacy and Civil Liberties Oversight Board (PCLOB) asking it to “make it a priority” to investigate the National Security Agency’s (NSA) dragnet phone surveillance and PRISM programs to determine whether they were “conducted within the statutory authority granted by Congress” and to “take the necessary precautions to protect the privacy and civil liberties of American citizens under the Constitution.”
EU-U.S. Tensions on the Rise; Some Gov’t-Google Sharing Details Revealed (June 13, 2013)
The recent leaks of the National Security Agency’s surveillance programs are increasing tension between the U.S. and EU. Financial Times reports that the Obama administration lobbied in 2012 to have certain measures removed from the proposed EU data protection regulation that would have “limited the ability of U.S. intelligence agencies to spy on EU citizens.”
PRIVACY IN POPULAR CULTURE: IAPP Members in the News (June 13, 2013)
If nothing else, the news that has been rippling around the globe about the U.S. government’s surveillance practices has brought privacy to the forefront of public discourse. Therefore, it shouldn’t be surprising that our IAPP members are showing up all over the media in recent days. We wrap up some of what we've seen.
AUSTRALIA—NSA Leaks Reach Australian Shores (June 13, 2013)
The recent disclosure of the U.S. National Security Agency’s surveillance programmes has transcended national borders, sending shockwaves throughout the privacy community.
Tech Firms, Lawmakers Respond to NSA Leak (June 12, 2013)
As the recent NSA disclosures ripple their way through the privacy community, our continuing coverage today looks at reactions from major U.S. tech companies and several U.S. lawmakers, as well as the inevitable rise of lawsuits being filed and potentially fraying relations between the U.S. and EU over past and future data-sharing agreements.
NSA and Legislative Breach Implications, New Breach Announcements: A Roundup (June 12, 2013)
From the loss of patient data to the impact of the recent NSA/PRISM revelations on psychiatric patients to the 2013 Cost of Data Breach Study, breaches and their implications are making headlines across the globe.
PRIVACY IN POPULAR CULTURE: This NSA PRISM Story Isn’t Funny … Except When It Is (June 12, 2013)
This NSA PRISM and online surveillance story is enormously important. It has opened up a new nationwide, perhaps global, discussion on personal privacy and the tradeoffs people are willing to make between privacy and security. It may lead to new law, new cultural norms, new technology. However, it has already led to some excellent material for some very funny people. We would be seriously remiss if we didn’t sift through it a bit.
NSA Leak Continues To Send Shockwaves Through Privacy World (June 11, 2013)
In our continuing coverage of the fallout from the recent leak of the National Security Agency's surveillance programs, a slew of implications—from effect on trade negotiations, to developments with the proposed EU data protection regulation, to calls for baseline privacy legislation in the U.S.—are continuing to emerge this week.
Reactions to NSA Disclosures Continue (June 10, 2013)
More news about the leaking of top secret surveillance programs conducted by the National Security Agency came to light over the weekend with The Guardian’s video interview of former technical assistant for the Central Intelligence Agency Edward Snowden.
The NSA’s PRISM Program and Reactions (June 7, 2013)
The Washington Post reports on the U.S. National Security Agency’s online data surveillance system called PRISM. According to leaked documents and PowerPoint slides, the NSA and the Federal Bureau of Investigation “are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents and connection logs” that allow intelligence analysts to track foreign threats.
EU Regulation Roundup: Move Toward Business-Friendly; May Be No Vote until December (June 7, 2013)
In a meeting of justice ministers from the 27 European Union member states, The New York Times reports that an agreement was reached on a “business-friendly proposal” for the contentious EU data protection regulation that would take a risk-based approach to regulating companies that gather data. However, there remains a long row to hoe, and some MEPs are now predicting there will be no vote on the regulation until December at the earliest.
Council of European Union Releases Draft Compromise (June 5, 2013)
A new chapter in the long and winding history of the proposed EU data protection regulation was opened late last week with the release of a draft compromise text by the Council of the European Union’s Justice and Home Affairs.
Budget May Stop Maine Bill Requiring Warrant for Geodata (June 5, 2013)
Maine’s House and Senate have both essentially passed LD 415, An Act To Require a Warrant To Obtain the Location Information of a Cell Phone or Other Electronic Device. LD 415 would do basically what its title says, with some 90-day delay allowances at the discretion of a judge. However, the bill does not yet sit on the governor’s desk awaiting signature. Because the bill has been assigned a fiscal note of roughly $234,000 over the next two years, it now sits with the Appropriations Committee, which must decide whether there is funding in the budget to cover the expense.
Consent Is King in Latin America: Navigating the Eight Existing DPAs with a Look to the Future (June 3, 2013)
While Latin American privacy laws have largely been based on European frameworks in order to facilitate business, their prescriptive nature on data breach disclosures and cross-border transfers may be more likely to keep businesses away than to draw them in. That was the message in a recent IAPP web conference on “Keeping Up with Data Privacy Developments in Latin America,” led by Matthew S. DelNero, partner at Covington & Burling, and Mariana Tavares de Araujo, partner at Levy & Salomao Advogados, who also discussed Brazil’s impending data protection law.
Data Breaches: A Roundup (June 3, 2013)
Data breaches continue to plague organizations across industry sectors. Here’s a look at some of the breaches that have hit businesses in the last two weeks.