Privacy Advisor


Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers, arriving unannounced at business premises to conduct interviews and searches in order to assess compliance with the French Data Protection Act.
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it provides for the creation of a centralized do-not-call list.
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság, or NAIH) investigated a company that had accessed an employee's laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing.
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls.
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined GBP 200,000 after a serious breach of the Data Protection Act (DPA) exposed thousands of people's personal details to a malicious hacker.
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy's Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
ITALY—Garante's Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills.
U.S. Intel Officials Defend Programs; EU Fallout Continues (October 30, 2013)
Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Agency Director Gen. Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they're affecting trade talks and the Safe Harbor with the EU.
Fordham Law Develops Privacy Curriculum for Middle Schoolers (October 30, 2013)
Teenagers are tough to keep track of. After school, it's on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93 percent of 12-to-17-year-olds online, according to a recent study from the Pew Internet & American Life Project, but they're sharing more about themselves than ever before. It's that kind of data that prompted Fordham Law's Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish an open-source curriculum for middle school kids, reports this exclusive. More than a dozen U.S. law schools have signed on to the program.
Location Tracking: Now Coming to a Government, Employer and Retailer Near You (October 29, 2013)
Location tracking has become a hot button issue with implications for government surveillance, employee monitoring and consumer tracking online and in-store. Hundreds of millions of users carry a smartphone with them every step of the day, and as these devices send and receive electronic signals they silently map their user’s movements. More and more organizations are seeking to utilize this data, and while the industry for location tracking analytics is becoming more sophisticated, so too is the range of interested parties – including regulators.
Strickland new CPO at JP Morgan Chase (October 28, 2013)
Last week was the first for Zoe Strickland, CIPP/US, CIPP/G, CIPP/IT, as managing director, SVP and CPO at JP Morgan Chase. She has left her post as VP and CPO at UnitedHealth Group to take on the new role in the financial services industry.
FTC’s Brill to Technologists: This Is Your Call to Arms (October 24, 2013)
Speaking at the Polytechnic Institute of New York University, U.S. Federal Trade Commissioner Julie Brill expanded upon her Reclaim Your Name initiative by declaring a call to arms to the next generation of computer scientists, engineers, programmers and technologists, asking them to help develop and create technological solutions to the Big Data-privacy quandary. She presented three main challenges that need the help of technologists: finding tech solutions for the Fair Credit Reporting Act, the Internet of Things and increased transparency mechanisms.
Cookies' Days Are Numbered, but Not Without a Fight (October 22, 2013)
Despite a recent court ruling that may seem to indicate otherwise, cookies will go extinct. Firms including Google and Microsoft are already developing alternatives. What that technology will specifically look like is not clear. What is clear is that the replacement will likely concentrate huge amounts of data with a few controllers and be able to track a user across platforms—including desktop, mobile and in the home. The benefits of this new technology though may not outweigh the risks, writes David Tashroudian.
BELGIUM—Gov’t Introduces Broad Data Retention Obligations (October 22, 2013)
The Belgian government recently issued a Royal Decree which lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree of September 19 Executing Article 126 of the Electronic Communication Act of June 13, 2005 transposes the EU Data Retention Directive into Belgian law. After establishing the general framework of the data retention obligations in an act earlier this year, the Royal Decree now determines what information needs to be retained by each type of electronic communication provider and for how long.
LIBE Adopts Compromise Amendments; Sends Draft to Council (October 22, 2013)
The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.”
UK—Company and Its Director Prosecuted for Failing To Register Data Processing Activities (October 22, 2013)
A London-based loans company and its director have been prosecuted by the Information Commissioner’s Office (ICO) after failing to register that the organisation was processing personal data.
UK—ICO Publishes New PECR Breach Notification Guidance for Telcos and ISPs (October 22, 2013)
The ICO has published new data breach notification guidance for telecom providers and Internet Service Providers operating under the Privacy and Electronic Communications Regulations 2003 (PECR).

UK—ICO Warns on Use of Personal Devices in Workplace Following Royal Veterinary College Data Breach (October 22, 2013)
The Information Commissioner’s Office (ICO) has warned organisations that their privacy policies must reflect the increasing use of employee-owned personal devices for work purposes.
Workers Using Workarounds Put Brands at Risk (October 22, 2013)
User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52 percent of healthcare workers globally use risky workarounds that are out of compliance with policy, either every day or sometimes, and 66 percent find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. David Houlding, CIPP/US, explores some of the tools available on the market today.
Ten Steps to a Quality Privacy Program, Part Four: Privacy Impact Assessments (October 21, 2013)
In part four of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores privacy impact assessments, which she calls key to privacy by design—or default. While there are foundational concepts that must be addressed, each organization may need to approach PIAs differently according to its size and needs.
When the Big Data Surge Crashes Against the Big Privacy Rocks: The Conflict Between the Commercial Value of Information and Increasing Privacy Regulation (October 21, 2013)
"Big Data" has already been credited with many accomplishments, but, as Baker & McKenzie's Brian Hengesbaugh, CIPP/US, and Amy de La Lama write, privacy regulations have a significant impact on Big Data. Hengesbaugh and de La Lama highlight privacy laws that specifically regulate the collection, use and disclosure of data about individuals and, thus, restrict information flows such as those associated with Big Data, and offer privacy solutions for Big Data initiatives.
Global Business? Find Privacy Allies Throughout the Company (October 21, 2013)
Finding the C-level executive who cares most is the first step in convincing the people at the top that privacy is important. With a CEO who is most likely juggling priorities constantly, it’s important to put privacy in context and bring home how a good—or bad—privacy program is going to affect the overall business. And sometimes, that requires help, Intel Chief Privacy and Security Counsel Ruby Zefo, CIPP/US, CIPM, explained during the IAPP’s recent Privacy Academy in Seattle, WA.
This Week in Breach Roundup (October 21, 2013)
A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said. That breach was just one of many discovered, investigated or arbitrated in the U.S. and abroad in the last week.
Book Review: A Guide to the Personal Information Protection and Electronic Documents Act 2013 (October 18, 2013)
Canadian data protection law is essentially a combination of the laws of the rest of the world. It has strict definitions of personally identifiable information (PII), as the EU does, but it has more opt-out than opt-in requirements, the way the U.S. does. A Guide to the Personal Information Protection and Electronic Documents Act 2013 by Colin H. H. McNairn is unique in providing vital information in an academic, scholarly format, as reviewed here by Janet Steinman, CIPP/US.
Acxiom, MasterCard CPOs Talk Transparency, De-identification, FTC Consent Orders (October 18, 2013)
What do you get when you put chief privacy officers (CPOs) from two of the world’s largest Big Data businesses in the same room with an outside privacy counsel and privacy academic? Based on just one of the many compelling panels at this year’s IAPP Privacy Academy, you get conversation as robust as some of Seattle’s finest blends.
The Privacy Questions Raised by Apple’s New Biometric Login (October 16, 2013)
In the wake of the news announcing the release of the new iPhone 5s, Lindsey Partridge, CIPP/US, examines what may be "the most newsworthy piece of the new mobile device"—its fingerprint sensor. The sensor allows for biometric securing of what's becoming one of the most personal devices people own. This report offers a primer on biometrics and the potential "privacy alarms" of the new sensor in multiple contexts, including legal cases involving access to PI and geolocation.
Debating the “Where” of Online Jurisdiction (October 11, 2013)
In two European cases making headlines this week, U.S. online powerhouses successfully claimed European data protection regulators lacked jurisdiction to regulate their activity. These cases join a long line of disputes pitting global online companies against national privacy regulators and raising to the fore the thorny questions of personal jurisdiction and applicable law on the Internet.
Cato Conference: We Have Problems, Is NSA Biggest One? (October 10, 2013)
On October 9, the Cato Institute, a public policy research organization, held a daylong conference on the recent U.S. National Security Agency (NSA) surveillance disclosures. Titled "NSA Surveillance: What We Know; What to Do About It," the conference was packed with privacy advocates and lawyers, journalists, technologists, academics and public policy and security experts. The day was also peppered with three keynotes from Sen. Ron Wyden (D-OR), Rep. Justin Amash (R-MI) and Rep. F. James Sensenbrenner (R-WI).
W3C Do Not Track in Limbo (October 10, 2013)
Roundup: October Shaping Up To Be the Month of Innumerable Breaches (October 10, 2013)
PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month's onslaught of breach reports from across the globe, the world's premier search engine is acknowledging just how devastating a breach could be. "If Google were to have a significant data breach today, of any kind, it would be terrible for the company," Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page "is 'so wired' to the risks that it is 'inconceivable' that a major data loss would occur."
Three Steps to Heaven, St. Rita and the Future of the EU Draft Regulation (October 3, 2013)
The EU draft regulation—something originally proposed nearly two years ago—was the center of attention Wednesday afternoon at one Privacy Academy breakout session featuring a panel that included Ireland Data Protection Commissioner Billy Hawkes, Bird & Bird Partner Ruth Boardman and Promontory Financial Services Group Managing Director Simon McDougall, CIPP/E. McDougall cited the song “Three Steps to Heaven,” telling attendees, “Well, the EU decided there are more than 30 steps to heaven … This is the process we are in to get the draft regulation, and ladies and gentlemen, we are currently on step one.”
Baker: The Grandfather of Privacy Was A Fogey (October 2, 2013)
Stewart Baker didn’t start out as a privacy skeptic. But after a career including gigs as the first assistant secretary for policy at the Department of Homeland Security and general counsel of the National Security Agency, he sort of wound up that way. This feature on his keynote address at the IAPP Privacy Academy highlights Baker’s description of the current patchwork of privacy laws in the U.S. as a result of what he’s coined the “privacy panic”—reactionary, moral panic-based lawmaking built on a small but powerful subgroup’s irrational fears of technological advances.
Amidst U.S. Gov’t Shutdown, State AGs Chuckle at Idea of Federal Breach Law (October 2, 2013)
Near the end of the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy, one brave soul asked what seemed like an obvious question: Would it make sense for there to be one all-encompassing federal data breach notification law rather than the 49 state laws that firms currently need to navigate? Given the current Congress, AGs on the panel expect there’s “no way” that will happen.