Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
Commission Gives U.S. 13 Ways To Save Safe Harbor (November 27, 2013)
The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework, which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review.
Breaches Affect Publisher, Councils, Columnist (November 27, 2013)
Across the UK, breaches have been making headlines and prompting orders and advice from the Information Commissioner’s Office (ICO).
Looking for Love? Try a Privacy Conference (November 26, 2013)
It was winter of 2011, and Rob Gratchner just had to get to the IAPP’s Data Protection Congress. His girlfriend, now Amanda Gratchner, was attending, and where better to ask her to marry him? But there was a hiccup. A big one. The Paris event was sold out. Despite his pleas to the powers that be at the IAPP, he couldn’t get in. “I went to Paris by myself,” Amanda says with a bit of a playful tone. But two months later, in Seattle, at the spot in which they first kissed, Rob proposed. In this feature, Angelique Carson, CIPP/US, talks with three couples who found their work in the privacy field, and their spouses, too.
Book Review: Rewire: Digital Cosmopolitans in the Age of Connection (November 26, 2013)
In Rewire: Digital Cosmopolitans in the Age of Connections, Ethan Zuckerman says the world isn’t flat. Not metaphorically, anyway. Despite the fact that “atoms, people and bits” are sent all around the world, we focus on people who are like us. Zuckerman, director of the MIT Center for Civic Media, believes that we still need to “shape” our means of communications so that we learn what we need to know, not just what we want to know.
How Should I Respond to California’s Do-Not-Track Requirements? (November 26, 2013)
California’s Do-Not-Track amendments require the operator of a website or online service to display a privacy policy that meets certain content requirements. Failure to make the required CalOPPA disclosures can, after a 30-day notice period, give rise to actions by the California Attorney General for $2,500 per violation and other consequences, as well as potential plaintiffs’ actions under unfair competition theories. Brian Hengesbaugh, CIPP/US, and Amy de La Lama give practical advice on how to respond to the change.
The Impact of New Payment Card Industry Standards on Business (November 26, 2013)
Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data.
New Whistleblowing Law Generates New Data Privacy Issues in Hungary (November 26, 2013)
In January, a new whistleblowing law will come into effect in Hungary. The adoption of the law is a significant step because it is likely to enhance the compliant operation of whistleblowing hotlines in Hungary. Nevertheless, certain impractical provisions may be difficult to comply with, and employers need to assess every possible deviation very carefully. Márton Domokos looks at the law’s provisions in detail.
State AGs: The Most Important Regulators in the U.S.? (November 26, 2013)
The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased AG scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the FTC is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond FTC and DPAs to consider AGs, who are rapidly becoming the most important data privacy regulators around. Divonne Smoyer, CIPP/US, and Aaron Lancaster, CIPP/US, look back at 2013 to make predictions for the year ahead.
UK—ICO To Update Privacy Policy Guidance (November 26, 2013)
The Information Commissioner’s Office (ICO) has announced that it will be updating its privacy policy guidance to reflect changes in privacy practices and technology.
UK—Ministry Of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families (November 26, 2013)
The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families.
Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan (November 26, 2013)
In part five of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, explores building an audit plan, which she says is essential. A few basic steps can help you to prepare and simplify the process, she says. “Writing down all of the details will solidify your plan. You may not be audited right away, and people tend to forget everything that you have told them and panic when they hear the word ‘audit.’ Having this information written down will help keep everyone focused and moving the same direction,” she writes.
UK—Tribunal Overturns ICO’s £300,000 Spam Texts Fine (November 26, 2013)
The General Regulatory Chamber, which allows rights of appeal against decisions of the UK Information Commissioner’s Office (ICO), has overturned an earlier £300,000 fine for the sending of unwanted text messages. Christopher Niebel, joint owner of Tetrus Telecoms, was originally fined in November 2012 for sending hundreds of thousands of unwanted SMS text messages “on an industrial scale” from unregistered SIM cards seeking out potential claims for the mis-selling of PPI loans or for accidents without the consent of the recipient.
UK—ICO Issues Code on Practice of Anonymisation (November 26, 2013)
Anonymisation is of particular relevance at the moment, given the increased amount of information being made publicly available through Open Data initiatives and through individuals posting their own personal data online. Furthermore, the concept of anonymisation is fundamental for organizations that intend to take advantage of the possibilities offered by Big Data analytics without putting at risk the privacy of the data subjects.
BELGUIM—Royal Decree Transposes Directive Into Belgian Law (November 26, 2013)
The Belgian government recently issued a royal decree that lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree transposes the EU Data Retention Directive into Belgian law.
The EU and APEC: A Roadmap for Global Interoperability? (November 26, 2013)
The steady stream of media reports on the privacy differences between the EU and the U.S. would have you believe that cross-border data sharing is nothing but storm clouds over the Atlantic. There is, however, a bright spot for cross-border information flows if we turn our attention to the Pacific. John Kropf, CIPP/US, CIPP/G, and Malcom Crompton, CIPP/US, look at data transfers in the APEC region, suggesting other regions take heed.
Downstream of the Data Breach: Identity Theft Is A Messy Crime (November 26, 2013)
Identity theft is a unique kind of crime. It's maybe the only crime in which the victim often doesn't know how it happened, when it happened or who did it to them.
Cookie Monsters of Silicon Valley Come to Brussels (November 25, 2013)
In the world of online tracking, the cookie is king – but there may be a regime change on the horizon. Cookies, the little bits of browser-based code that follow a user’s activity from website to website, are under more regulatory scrutiny than ever, especially in Europe. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework.
Are Notice and Consent Possible with the Internet of Things? (November 20, 2013)
Stakeholders met in Washington, DC, on November 19 to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the Federal Trade Commission (FTC) of late, but the complexity of the IoT ecosystem was readily apparent during the proceedings.
Where IBM Thinks BYOD Technology Is Headed (November 20, 2013)
Last week, IBM announced it will soon acquire FiberLink, a maker of cloud-based mobile-device-management technology and the MaaS360 product. The news ought to be interesting to privacy professionals on its own, drawing attention to a tech provider that will now have access to IBM’s much larger resources in attempting to solve a problem, in BYOD, with which many struggle.
Safe Harbor’s In Trouble—Unless You Ask the U.S. (November 19, 2013)
The U.S. Department of Commerce says Safe Harbor is still viable, and the Federal Trade Commission (FTC) says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. In this exclusive, Angelique Carson, CIPP/US, talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said.
FTC v. Wyndham: Round One (November 18, 2013)
Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security.
Circle Makes Us Square (November 15, 2013)
In his new novel, The Circle, Dave Eggers creates a world dominated by a search/social/commerce operation that is basically every cliché you’ve ever heard about Google, Facebook, Amazon, Yahoo and Twitter, all wrapped into one. Publications Director Sam Pfeifle examines the world Eggers creates—a world devoid of privacy pros, where characters live by slogans like “secrets are lies,” “sharing is caring” and “privacy is theft.”
Google: NSA Could Cause “Splinternet” (November 13, 2013)
Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” said Richard Salgado, Google’s director of law enforcement and information security matters. This exclusive covers Salgado’s comments and what they could mean for businesses.
ITALY—Datagate: Garante and DIS entered a joint agreement (November 13, 2013)
The Garante and DIS have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta.

Establishing Trust with U.S. Privacy Regulators (November 8, 2013)
“Privacy drives trust.” That was the mantra during Thursday’s Practical Privacy Series Financial Services track in New York City. Privacy drives trust with your consumers, your employees and the regulators, said HSBC Chief Privacy Officer Al Silipigni, CIPP/US. And building trust with regulators—both at the federal and state levels—can go a long way in keeping your company out of litigation and press headlines.
ITALY—Customer Care outside the EU, new rules coming from the Italian DPA (November 7, 2013)
Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens.
What Would You Do? (November 7, 2013)
Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. In this exclusive, Levison describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not.
Federal and State Regulators Talk Data Security Lessons (November 7, 2013)
The Federal Trade Commission (FTC) has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman recently addressed a room full of privacy pros at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators.
Straight from the Pacific Ocean: A Tidal Wave of California Privacy Laws (November 6, 2013)
Last Wednesday, the New York Times’ leading story covered the onslaught of privacy legislation at the state level, even as federal laws protecting privacy remain stalled in Congress. For more than a decade, California has stood at the forefront of this legislative wave and so it should come as no surprise that California is on the vanguard of the movement the Times identified. It’s important to take stock of new and pending California privacy legislation, highlighting new regulatory risks for privacy managers and outside counsel.
Hack the Trackers Taps Into the Post-Snowden Zeitgeist (November 5, 2013)
What do you get when you put a group of talented, self-motivated developers, tech-savvy judges and folks who built one of the Internet’s most-successful online privacy tools into the same room? This coming Saturday, you’ll get Hack the Trackers.
Breach Roundup (November 1, 2013)
A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action, Bank Info Security reports. It’s advice the companies involved in this week’s breach roundup may want to take into consideration.