Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
The Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) recently investigated a case where a company had to access its employee’s laptop for compliance reasons, and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBP after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
“Privacy by Default” May Be Big Post-Regulation Issue (September 30, 2013)
“Privacy by Design” is as close to privacy dogma as you’re going to get. Regulatory bodies across the globe now provide this idea, developed by Ontario Information and Privacy Commissioner Ann Cavoukian, as guidance for all technology companies that hope to gather personal information. At the 35th International Conference of Data Protection and Privacy Commissioners in Warsaw, however, it was the idea of “privacy by default” that produced one of the most interesting back-and-forths. In this exclusive, Sam Pfeifle reports on the discussion, which featured Jacob Kohnstamm, Omer Tene and Reijo Aarnio.
Data Brokers, Universities Breached; Was Nurse Fired for Privacy Breach or Whistleblowing? (September 26, 2013)
This roundup reports on the potentially expansive hack into the internal servers of several data aggregators. Sensitive data—including Social Security numbers—may have been compromised. The Federal Bureau of Investigation is currently probing the issue. Meanwhile, two universities, a hospital and an investment firm have all notified students, patients and clients that their personal data have been affected. Separately, HR News and Employment analyzes a case involving a nurse and personal health information. The report asks whether the nurse was breaching the privacy of a number of patients or acting as a whistleblower.
Privacy Enforcement: “It’s a Two-Way Street” (September 26, 2013)
At the 35th Annual Convention of Data Protection and Privacy Commissioners in Warsaw, only one subject hung over the event more than whistleblower Edward Snowden: The upcoming European Data Protection Regulation and what the future of privacy enforcement will look like. Nearly every presentation contained some disclaimer about how things will change once the regulation comes into place. The form it will take in the end? No one can confidently predict that. The fact that it’s needed? On that there is universal agreement.
Data Protection and Privacy Commissioners Release Resolutions on Tracking, Profiling, International Cooperation (September 25, 2013)
In this exclusive, Sam Pfeifle reports from the 35th Annual Conference of Data Protection and Privacy Commissioners in Warsaw, Poland. Pfeifle notes that from the outset, “the collective DPAs intended to show a united front and that they mean business.” As Polish Minister of Administration and Digitization Michał Boni said in his keynote, “We need regulations. Hard regulations. In Europe, we have a discussion pending—we have to make sure it is a strong law to harmonize the laws of all the states rather than a directive.” This report highlights the resolutions released following the DPAs’ closed session.
HIPAA/HITECH Compliance Is Finally Here (September 24, 2013)
More than four and a half years since the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the time for compliance with the updated Health Insurance Portability and Accountability Act (HIPAA) rules is finally here. The healthcare industry has changed tremendously during this period, and there is a wide variety of new programs, technological developments and policies to incorporate into any healthcare business. With this new compliance period upon us, what can we expect and what are companies likely to have missed? Wiley Rein’s Kirk Nahra, CIPP/US, advises.
PRIVACY IN POP CULTURE: Lexicon Makes Magic of Privacy (September 23, 2013)
We’ve all heard the clichés: Knowledge is power; knowing is half the battle. Lexicon, the new novel from Australian Max Barry, takes this to its most personal, and literal, end. The more that “poets” know about you, the more they can influence, control and eventually “compromise” you by making you do whatever it is they want.
What NIST Is Hoping To Get Out Of Its Privacy Grant Program (September 23, 2013)
The U.S. National Institute of Standards and Technology has released news of approximately $7 million in grant money headed toward five start-ups, all with a privacy or cybersecurity bent. The money is meant to support the National Strategy for Trusted Identities in Cyberspace, which envisions an “Identity Ecosystem” that allows for a cyber-commerce experience that is as safe as the brick-and-mortar commerce experience, with movement beyond the simple username-password operation.
Big Data Analytics: Evolving Business Models and Global Privacy Regulation (September 23, 2013)
If bad practices and bad press push other businesses and governments to be less transparent about their data analytics projects, the public perception of business and government colluding in secrecy will grow, prompting more prescriptive regulation. Big Data, and the privacy regulatory and compliance response to it, will be one of the most important areas for the development of operational privacy compliance over the next five years.
Changing Tactics: The Rise of the Privacy Advocates (September 23, 2013)
In September, Facebook announced it would delay planned changes to its privacy policies. The announcement followed pressure from six major consumer privacy groups—EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—that said the changes would make it easier for Facebook to use users’ data for advertising and other purposes. The coalition asked the U.S. Federal Trade Commission to block the changes, alleging they would violate a 2011 settlement with the commission.
UK—ICO Issues SAR Undertaking Against Cardiff City Council (September 20, 2013)
The ICO issued an undertaking against Cardiff City Council on 28 August following a failure to respond within the prescribed 40-day period to a Subject Access Request (SAR) made by an individual in July 2011.
UK—Aberdeen City Council Fine Highlights Risks of Homeworking (September 20, 2013)
Aberdeen City Council has been served with a 100,000 GBP penalty notice by the Information Commissioner’s Office (ICO) following a data breach that resulted in sensitive information relating to social services involvement with specific individuals, including children’s details, being published online.
UK—ICO Releases New Direct Marketing Guidance (September 20, 2013)
The Information Commissioner’s Office (ICO) has released its new direct marketing guidance to assist organisations in understanding their obligations when carrying out direct marketing campaigns—including issues around lead-generation and marketing lists and setting out what enforcement action the ICO can undertake for those organisations that ignore the UK marketing rules.
He Protects the Data ... By Destroying It (September 20, 2013)
You might call Ken Clupp a privacy professional by proxy. While he doesn’t draft privacy policies or model contracts, he’s certainly on the defensive line when it comes to protecting data. How does he protect it? He makes sure the important stuff is shredded into such tiny pieces it couldn’t ever be put back together again.
Karen Neuman Named DHS CPO (September 19, 2013)
Seth Grossman, counselor to the acting secretary and deputy general counsel at the U.S. Department of Homeland Security (DHS), announced last night that Karen Neuman, a partner in the DC law firm St. Ledger-Roty Neuman & Olson LLP (SLRNO), has been named chief privacy officer for DHS.
The End for DNT? Not So Fast (September 18, 2013)
While former Chairman Peter Swire and Digital Advertising Alliance Executive Director Lou Mastria respectively pronounced the World Wide Web Consortium (W3C) Tracking Protection Working Group as having no “workable path to a standard” and as “not a sensible use of W3C resources,” the W3C isn’t quite ready to give up the ghost.
Healthcare Breaches Under the Final Omnibus Rule (September 18, 2013)
Among the changes facing healthcare providers upon the September 23 compliance date of the Final Omnibus Rule adopted by the Department of Health and Human Services to modify the HIPAA privacy, security and enforcement rules, the most burdensome and significant may be the expansion of the universe of reportable data breaches, achieved by reversing—or clarifying—the presumption under the harm threshold, and the imposition of liability for business associates that act as agents of the covered entity.
Ontario Introduces Privacy Legislation for Electronic Health Records (September 18, 2013)
The Ontario government recently introduced new legislation—Bill 78, the Electronic Personal Health Information Protection Act 2013 (EPHIPA)—that would, if passed, modernize Ontario’s health privacy legislation to enable the transition to electronic health records (EHRs) while protecting the personal health information of patients.
Ten Steps to a Quality Privacy Program, Part Three: Privacy By Design Tools (September 18, 2013)
In part three of the series “Ten Steps to a Quality Privacy Program,” Deidre Rodriguez, CIPP/US, explores Privacy by Design Tools. While most are familiar with the term, application can be more difficult. Where do you start, and how do you develop tools that will help reduce privacy risk and assist the organization in applying the proper controls on the front end? This article helps to answer those questions.
Will Kinect 2.0 and COPPA Play Well Together? (September 18, 2013)
The age of the Internet of Things is upon us. Interconnected devices that gather, aggregate and transmit personal information autonomously are pervasive throughout households. Your next generation gaming console is one such device. The Kinect 2.0—which ships this fall with Microsoft’s Xbox One gaming console—has the unprecedented ability to recognize faces, track a user’s position in space, observe vital signs and relay this information to Microsoft and others. Although this technology enhances gameplay and user experience, the costs are great.
Components of an Accountable Company Privacy Program and How To Implement It (September 17, 2013)
People may not trust everyone who is collecting their data, but they need services, so they provide data and hope that it won’t be misused. This means that we must be accountable. Accountability, as one expert defines it, is how we demonstrate—and how others measure—if we are living up to our commitments to users, the advocacy community and regulators. That was part of the message at a recent IAPP KnowledgeNet in Washington, DC, in which experts discussed audits, self-assessments and Privacy by Design.

Is This the End for DNT? DAA Pulls Out of W3C Process (September 17, 2013)
In a letter sent this morning to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.”
How Should Your Firm Respond to the NSA Fallout? (September 13, 2013)
While news of the NSA’s surveillance program surely destabilized data-sharing confidence between the EU and U.S., the ramifications will be global. That was the message from panelists of an IAPP web conference on the Snowden fallout, which looked at whether NSA revelations have changed the rules of the trade game and how companies should respond.
Clapper Offers NSA Explanations; Criticism, Concerns Abound (September 11, 2013)
Twelve years after the September 11, 2001, attacks, terrorism, security and safety are dominating the headlines again in the U.S. and around the globe—but this time, thankfully, our focus is not on terrorist attacks resulting in tragedies in New York, Washington, DC, and Pennsylvania. Today, the headlines are dominated with the question of security vs. privacy.
Survey: Users More Afraid of Peers than Gov’t When It Comes to Data Access (September 6, 2013)
According to a recent survey, 86 percent of Internet users have taken at least one step to remove or mask their digital footprints online, and 55 percent have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses.
Consumers: Forget Screen Size, Cameras; Sell Us Privacy (September 5, 2013)
Consumers are now more concerned about privacy when it comes to their mobile phones than they are about phone screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users prioritized their concerns.
PCLOB Finds a Director, Looks Toward Action (September 4, 2013)
The long-defunct, then fledgling and now finally functioning Privacy and Civil Liberties Oversight Board will take yet another step forward September 9, when Sharon Bradford Franklin comes on board to serve as its executive director.
A Look at the Future of Privacy Notices (If They Have a Future) (September 4, 2013)
How bad is the situation for privacy notices? The National Science Foundation just used part of its largest grant program, a Frontier award of well over $1 million, to fund a team of researchers looking to fix them.
Did NTIA's Multi-Stakeholder Process Work? Depends On Whom You Ask. (September 3, 2013)
While many members of the National Telecommunications and Information Administration’s (NTIA) multi-stakeholder group on mobile app transparency will tell you they laud the NTIA’s efforts to bring together opposing forces to compromise on a self-regulatory code of conduct for mobile apps, not everyone is hot on the newly released code as it stands, and one consumer group says the NTIA isn’t the body that should lead the effort. Period.
The Right To Be Forgotten in Brazil (September 1, 2013)
Brazil is still dragging its feet on passing even basic legislation on the protection of personal data, yet the right to be forgotten is growing in importance within the country. The issue was recently addressed by the 6ª Jornada de Direito Civil da Justiça Federal/2013, a Brazilian legal committee, which concluded that such a right would strengthen the protection of human dignity.