Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined GBP 200,000 after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
Skepticism Surrounds NSA Review; Massive “Black” Budget Revealed (August 30, 2013)
Opinion is streaming in surrounding U.S. President Barack Obama’s creation of an independent board to investigate the National Security Agency (NSA) surveillance operations, and much of it is highly critical. Focus is generally on Obama’s promise that the experts on the panel would be “outsiders” and commenters’ opinion that the members of the panel are anything but.
UK—Bank of Scotland Receives 75k GBP Penalty Notice for Misdirected Faxes (August 27, 2013)
The ICO has served a 75k GBP monetary penalty notice on the Bank of Scotland after customer account details were repeatedly faxed to the wrong recipients over a four-year period.
UK—ICO and Ofcom Set Action Plan To Tackle Nuisance Telephone Calls (August 27, 2013)
The Information Commissioner’s Office (ICO) and Ofcom have published a joint action plan to tackle nuisance telephone calls and help protect consumers. The plan, published on July 31, follows recent activity—including enforcement action undertaken by the ICO—undertaken by both organisations and represents a formalised joint commitment to work in partnership on a series of initiatives covering a range of areas.
UK—ICO Launches Consultation on PIA Code of Practice (August 27, 2013)
The Information Commissioner’s Office (ICO) has launched a consultation on a draft code of practice for conducting Privacy Impact Assessments (PIAs), which is intended to replace the current ICO PIA Handbook. The aim of the new code is to produce a practical guide that will help organisations conduct assessments of new projects involving the use of personal information.
A Turbulent Time for Gathering Privacy Commissioners (August 27, 2013)
As host of this year’s 35th Annual Conference of Data Protection and Privacy Commissioners, Wojciech Wiewiórski, Poland’s inspector general for personal data protection, finds himself with privacy in perhaps its brightest spotlight ever. Not only is the European Union in the midst of the much-talked-about overhaul of the data protection regulation, but virtually the entire globe continues to be riveted by the news of U.S. (and other) government surveillance triggered by whistleblower Edward Snowden.
Safe Harbor May Be Controversial in the European Union, But It Is Still the Law (August 27, 2013)
Safe Harbor has become a target for retribution in light of revelations about the National Security Agency’s PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor's fate.
The Campaign for a Universal Declaration of Digital Rights (August 27, 2013)
While Dele Atanda may seem like a consumer advocate these days, his roots run deep in industry. For nearly two decades, he worked for multinational corporations, helping to build digital marketing systems. Within the last five years, however, he moved on to working in online personal identity management. It was work that would soon indicate to him a global need for something better when it comes to managing digitized personal data online.
These days, he’s aiming to start a political movement.
EU Data Breach Notification Rule: The Key Elements (August 27, 2013)
In light of the European Commission Regulation (EU) Nº 611/2013 of 24 June about measures applicable to the notification of personal data breaches for the European telecommunications industry, we are wondering if it will be the best reference for the proposed new EU Data Protection Regulation, which includes a section about the same issue but not just limited to the telecommunications sector.
U.S. Supreme Court Upholds Collecting DNA from Arrestees (August 27, 2013)
DNA collection sounds like science fiction, and when it comes to recreating the T-Rex, it remains just that. However, today’s reality is that DNA is collected from those convicted of crimes in all 50 states, while 28 states and the federal government collect DNA from some or all arrestees prior to being tried and convicted. In a 5-4 decision, the U.S. Supreme Court reversed the Maryland Court of Appeals in June to rule that collecting DNA from custodial arrestees is constitutional.
The Internet Has Grown Up, Why Hasn’t the Law? Reexamining Section 230 of the Communications Decency Act (August 26, 2013)
The greatest threat to an American’s reputation and online privacy is Section 230 of the Communications Decency Act. It impacts the ability of individuals to prevent and stop cyber bullying, cyber harassment and cyber defamation. While the problems of Section 230 have achieved attention, there have been few solutions presented to challenge the status quo.
Producing your privacy (August 26, 2013)
The Nigerian FOIA Picks a Useful Compass in the U.S. FOIA (August 26, 2013)
Nigeria has shown an irrepressible drive toward a transparent and an open government in a multi-ethnic democracy by enacting the Freedom of Information Act of 2011 (FOIA), a law that exhibits features identical to the United States federal FOIA. This report compares the U.S. and Nigerian FOIAs, finding, “The Nigerian FOIA holds great promise for the consolidation of democratic governance and for generating democratic outcome in Nigeria.”
ITALY—New Light Upon Obscure Direct Marketing Legal Framework (August 26, 2013)
On July 27, by means of a quite detailed list of Dos and Don’ts, summed up in the telling title of the relevant press release, NO to Spam, YES to Consumer-"Friendly" Marketing, the Italian data protection authority (DPA), the Garante, fixed a number of disputed issues concerning direct marketing—paying special attention to the new frontiers of marketing, including spamming performed via social network platforms (SNS), viral marketing and targeted marketing.
PCLOB to U.S. Intelligence: Update Data-Gathering Guidelines Now (August 26, 2013)
News that NSA analysts knowingly violated surveillance authority over the past decade, and were in fact disciplined for it, is just the latest information drawing attention to U.S. intelligence data-gathering activities. That scrutiny now looks to be leading to active changes. We round up this news, a new agreement Germany would like to iron out with the Obama Administration and why the NSA might be a topic at the enormous music and tech festival SXSW.
PRIVACY IN POPULAR CULTURE: Privacy Is “More Complicated Than We Realized” (August 23, 2013)
When Shel Israel and Robert Scoble started looking into their second book together, Age of Context: How Mobile, Sensors and Data Will Change Your Life, it was because “we’re enthusiasts of new technology,” said Israel. As Rackspace’s start-up liaison officer, Scoble has gained wide renown in tech circles for his Scobleizer blog and Twitter handle. Israel is maybe best known for his writings for Forbes, where he looks at “the ever-evolving tech industry.”
White House Names NSA Review Panel (August 23, 2013)
In response to the slew of leaks stemming from Edward Snowden, President Barack Obama has reportedly named a panel of four experts to conduct a full review of U.S. surveillance programs, ABC News reports. This “high-level group of outside experts” will reportedly include recent acting head of the CIA Michael Morell, and former White House officials Peter Swire, CIPP/US, Cass Sunstein and Richard Clarke. This roundup looks at reaction to the panel and includes more news on the intelligence community’s attempt at transparency through social media and how Silicon Valley is investing in security start-ups.
Class Certification: A Critical Battleground in Privacy and Data Breach Class Actions (August 22, 2013)
Privacy and data breach class actions are on the rise. Plaintiffs typically claim that the defendant—whether a retailer, hospital, health insurer, payment card processor or other company handling their personal information—failed to adequately protect their information, used that information for unauthorized purposes or otherwise violated their privacy rights. But such plaintiffs are often unable to overcome the class-certification hurdle, which generally results in the failure of the case. Why do some go forward and others not?
Organization-Wide Privacy Training Implemented at Bloomberg (August 21, 2013)
In response to revelations last May that Bloomberg News and some of its journalists were using terminals that had access to sensitive financial subscriber data, the organization conducted and has now released the results of a comprehensive external review of its data and privacy practices. Conducted by Hogan Lovells and Promontory Financial Services, the review examined Bloomberg news stories, employees, client data systems and other documents, to locate and address the company’s governance framework.
PricewaterhouseCoopers Exploring Privacy Roles (August 21, 2013)
Just how much influence does the privacy team have in large organizations? Is the C-suite paying attention to privacy? How can privacy professionals better communicate both the risk that taking privacy lightly poses and the value that good privacy practice can lend to an organization?
NSA Audit Reveals Thousands of Privacy Violations (August 16, 2013)
The Washington Post reports that the National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. This roundup brings together the leaked documents, government responses—including from the NSA and Sen. Dianne Feinstein (D-CA)—as well as reported comments from Reggie B. Walton, chief judge of the FISA court, who said the court is limited in its government oversight. Additionally, in a letter to the EU’s justice commissioner, the Article 29 Working Party’s head explores investigating whether EU data protection law has been violated.
FRANCE—Sanctions Handed Down for Weak Password Policy (August 16, 2013)
If there is something which is easy to verify in terms of data security for a data protection authority carrying out an onsite investigation, it is whether a company has a password policy in place and whether it is implemented.
FRANCE—Registering or Not Registering? Not Really an Option (August 16, 2013)
Registering data-processing activities with the CNIL, the French data protection authority, is not a mere formality. A data controller recently learnt it to his detriment in a case brought up to the Supreme Court level.
CANADA—Supreme Court Rules Commissioner’s Order Went Beyond Scope (August 14, 2013)
Over the past few years there have been a growing number of cases where organizations subject to a decision from a privacy commissioner have sought to have those decisions modified or overturned by the courts. The most notable of these cases is Canada (Privacy Commissioner) v. Blood Tribe Department of Health, where the court ruled on the federal privacy commissioner’s ability to view documents for which solicitor-client privilege was claimed.
Ten Steps to a Quality Privacy Program: Part Two: Risk Assessments (August 14, 2013)
In part two of the series on “Ten Steps to a Quality Privacy Program,” Deirdre Rodriguez explores risk assessments. We’ve all heard them called out as best practice, but how do you know where and how to start? This article looks at how to make your risk assessment live and breathe.
The Working Party’s Views on Purpose Limitation and Big Data (August 13, 2013)
The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data.
A Roundup of Obama’s Surveillance Changes (August 12, 2013)
In his first news conference since April, President Barack Obama defended the National Security Agency surveillance programs, called for more transparency along with a task force charged with reporting on the programs and proposed four changes to the existing programs.
PRIVACY IN POPULAR CULTURE: Talking With Cullen Hoback, Director of Terms and Conditions May Apply (August 9, 2013)
It’s no secret that privacy is top of mind for many Americans – one need only read the top-of-the-fold stories in the local paper about Edward Snowden’s leaked documents or the latest WiFi hack. Hence, the time is particularly ripe for Cullen Hoback’s newly released documentary, Terms and Conditions May Apply, which takes a hard look at data collection and use by the world’s largest websites.
ITALY—Italian DPA Releases Rules on Spam and Viral Marketing (August 1, 2013)
The Italian Data Protection Authority (Garante) has released, earlier this month, a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuses of marketing communications and to promote fair commercial practices towards users and consumers.
Senate Committee Presses NSA; Agencies Willing to Re-evaluate Program (August 1, 2013)
At a Senate Judiciary Committee hearing on July 31, senators from both sides of the aisle pressed representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata.
Deception Is at the Heart of PLSC-Winning Papers (August 1, 2013)
Each year at the Privacy Law Scholars Conference, organized by the UC Berkeley School of Law and the George Washington University (GWU) School of Law, scholars submit papers that are in progress, to be workshopped with a facilitated discussion amongst attendees. The idea is to bring together the academic privacy community with those working in industry, advocacy, law and government to further privacy thought leadership and facilitate dialogue.