Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
A Record Night of Privacy After Hours Gatherings (January 31, 2014)
Privacy pros know that when they gather on IAPP Privacy After Hours nights they are part of something big. This Tuesday night, however, was bigger than ever. More than 500 people that work with data—from all levels of experience, every sector and industry—gathered around the world in more than 30 locations.
What Will the New CPO at NSA Do, Anyway? (January 30, 2014)
How will NSA Civil Liberties and Privacy Officer Rebecca Richards, CIPP/US, CIPP/G, do things? While she asked for some time to get up to speed before speaking with The Privacy Advisor, it’s possible to get some indications of the shape of the job, and what Richards will do with it, by looking at how the position has been framed and how Richards has served in the privacy office at DHS.
What’s Bruce Schneier Doing at Co3? (January 28, 2014)
Why would an internationally known thinker on security issues leave a gig as chief security technology officer at a large telecom to serve as CTO of a much smaller software company? That was a question some observers might have been pondering when incident response software maker Co3 announced earlier this month that Bruce Schneier was joining the company. In this feature, Schneier answers that question and shares his thoughts on how Co3 can help the security and privacy communities.
The Big News from IAPP Data Protection Congress (January 28, 2014)
The IAPP’s recent Data Protection Congress in Brussels proved to be full of robust discussions and even disagreements on the future of everything from Safe Harbor to notice-and-consent to NSA spying. In this roundup, we summarize the most stimulating conversations and presentations, including a showdown between former U.S. National Security Agency (NSA) General Counsel Stewart Baker, anonymous Internet platform Tor’s Jacob Appelbaum, Vodafone CPO Stephen Deadman and Ralf Bendrath, policy advisor to German MEP and Data Protection Regulation Rapporteur Jan Philip Albrecht.
State Attorneys General as U.S. Privacy Regulators—Q & A with Maryland AG Doug Gansler (January 28, 2014)
In this Q &A, Divonne Smoyer, CIPP/US, shares insights from Maryland AG Doug Gansler, who has been at the forefront of privacy protection efforts by state attorneys general. In 2013, as president of the National Association of Attorneys General, Gansler’s focus was “Privacy in the Digital Age.” He tells Smoyer, “State attorneys general have long been champions of consumers’ privacy in the physical marketplace, where breaches of privacy are more easily contained,” explaining, “if a company improperly disposes of a file with sensitive personal information a consumer shared, it may only be seen by a few people. In the Digital Age, however, the risks of sharing sensitive personal information are far greater.”
How Baidu Wraps Privacy Into New Products (January 28, 2014)
The world’s second-largest search engine, China-based Baidu, is continuing to look at expansion into emerging markets. Whenever it approaches a new market, Global Marketing Director Richard Lee explains, dedication to privacy is part of the company’s communications. He tells Publications Director Sam Pfeifle, “China is actually doing a great deal to keep in line with modern times. … I agree that maybe we at Baidu need to do more to prove that we respect privacy than some Western companies, but we don’t lack those kinds of concepts here in China. We want to keep in line with international standards.”
UK—Payday Loans Company Fined 175,000 GBPs Over Spam Texts (January 28, 2014)
The Information Commissioner’s Office has served First Financial with a 175,000 GBP penalty after an investigation discovered that the company was responsible for selling millions of unlawful “spam” texts.
UK—ICO Outlines New Approach to Data Protection Complaints (January 28, 2014)
The Information Commissioner’s Office has published a consultation document setting out potential changes to its current complaint-handling system.
UK—ICO Releases App Guidance (January 28, 2014)
The Information Commissioner’s Office has released guidance to help app developers comply with their obligations under the UK Data Protection Act.
Data-Centric Security: Reducing Risk at the Endpoints of the Organization (January 28, 2014)
In this time of increased attacks on IT networks, the king’s men are in overdrive attempting to stay ahead of these threats targeted at stealing our information. CIOs and CISOs are in a constant state of evaluating, implementing and reevaluating processes and solutions that secure the perimeter and safeguard the networks and the devices within the organization. Jim Wyne, CIPP/US, looks at data-centric security to mitigate risk and “ensure the most important asset of the business, the data, is protected.”
Plaintiffs Alleging Only "Future Harm" Following a Data Breach Continue to Face a High Bar (January 28, 2014)
While courts have mostly found that an increased risk of harm such as potential identity theft is insufficient to confer standing or establish damages, the law in this area remains unsettled. The Supreme Court’s ruling in Clapper may make it more difficult for such cases to proceed. Until this issue is settled, there will likely be forum shopping and forum selection clauses in contracts to help potential litigants prosecute or defend such cases. Dana Post of Freshfields Bruckhaus Deringer takes a closer look.
New Law Could Require ‘Incident’ Reporting, Whether Data Is Compromised or Not (January 28, 2014)
In February last year, the European Commission put forward its cybersecurity strategy, the main cornerstone of which is a Network and Information Security (NIS) Directive. The proposed Data Protection Regulation, currently being examined by the European Parliament, only covers security incidents where personal data is compromised. Therefore cyber attacks that do not target data would not need to be reported. The NIS Directive would change that.
How To Change Employees’ Poor Password Habits (January 28, 2014)
Password reuse across multiple websites and company logins is a major weak link in a company’s security system. In a survey CSID conducted in 2012 on password habits, it was found that 61 percent of the respondents reused the same password for multiple sites, and 44 percent of respondents reported they change their passwords once a year or less. Employee password reuse creates a new layer of risk for businesses, especially when major enterprises are hacked. A breach today can affect more than just the initial company—it can affect your business and many others.
2014 Best Predictions for Privacy—and Security (January 28, 2014)
Each year about this time, Brian Dean, CIPP/US, pulls out his “foggy crystal ball” to predict the future of privacy and security in the year ahead. “For data privacy and security professionals,” he predicts, 2014 offers reasons for “optimism, but with looming midterm elections and recent significant data breaches, only subtle privacy improvements are likely.”
Book Review: The Future of Privacy (January 28, 2014)
Being a strong believer in taking a pragmatic approach to compliance, K Royal was pleased to read The Future of Privacy by Eduardo Ustaran, CIPP/E, published by DataGuidance. In general, she finds the book, available through the IAPP, to be thorough, on point and useful to privacy professionals. “This book went the further step and was actually fun to read and useful to those of the general public who have an interest in privacy,” she writes.
Ten Steps to a Quality Privacy Program, Part Six: Test Your Incident Response Program (January 28, 2014)
In part six of the series "Ten Steps to a Quality Privacy Program," Deidre Rodriguez, CIPP/US, looks at testing incident response programs. This should involve key stakeholders from various departments. The process should happen twice a year and should involve a number of action items. “You do not want to find yourself in the middle of an incident and realize that you do not have what is needed to respond efficiently and effectively,” Rodriguez writes.
The All-New IAPP Mobile App Privacy Tool (January 28, 2014)
With nearly unlimited niches to fill and a global audience within reach, the mobile app universe can be richly rewarding—but it can also present privacy pitfalls for those who leap before they look. Regulators globally have begun to turn a watchful eye toward the privacy and security practices of mobile apps.
IAPP Asia Privacy Forum Heads to Hong Kong, Singapore this Spring (January 28, 2014)
Every indication from the headlines that flooded inboxes and newsstands in the final days of 2013 and the first weeks of 2014 is that privacy will continue to be big news this year in every region of the globe. To continue to meet the needs of privacy pros—those who work for international firms, those who live in specific regions and those who are concerned with the privacy implications of living in an age where data privacy knows no borders—the IAPP is launching the IAPP Asia Privacy Forum, coming to Hong Kong and Singapore at the end of March and early April.
Will the FTC’s Recent Safe Harbor Settlements Quench Europe’s Thirst for Increased Enforcement? (January 27, 2014)
The Federal Trade Commission (FTC) has settled with 12 U.S. companies over charges they let their Safe Harbor certifications lapse but still indicated they were certified. Was the move a response to recent criticism from the EU? The FTC said it’s business as usual. But does it at least indicate more enforcement to follow? Associate Editor Angelique Carson, CIPP/US, examines the implications of the FTC’s actions with insights from experts in the EU and U.S.
A New Handy Guide to Global DPAs (January 24, 2014)
DLA Piper has attacked the problem of surveying the world’s data protection laws and regulations with a handy online and interactive guidebook for which they’ve released version 2.0 just in time for Data Privacy Day. Find out where it lives and how it was developed in this feature from Publications Director Sam Pfeifle.
CANADA—Canada’s Top Court Rules In Favour of a Union and Declares Alberta’s Privacy Law Unconstitutional (January 23, 2014)
On November 15, 2013, the Supreme Court of Canada issued a decision—Alberta Information and Privacy Commissioner v. United Food and Commercial Workers, in which it declared Alberta’s privacy law, the Personal Information Protection Act (PIPA) unconstitutional. However, it suspended its declaration of invalidity for 12 months to give Alberta’s legislature time to make the law constitutional.
With Rodriguez Tapped for DHS, Who’ll Call the Shots at OCR? (January 23, 2014)
News that U.S. President Barack Obama has nominated Department of Health and Human Services Office for Civil Rights (OCR) Director Leon Rodriguez to direct U.S. Citizenship and Immigration Services has spiked the heart rates of some in the healthcare industry. The shift would leave the OCR director post vacant for the foreseeable future—and at an historic juncture.
EU’s Reding Urging Reform to Move Forward; LIBE Committee Draft NSA Report Leaked (January 8, 2014)
EU Justice Commissioner Viviane Reding has said the proposed EU General Data Protection Regulation (GDPR) must “move full speed ahead,” Bloomberg reports. The clock is ticking on the GDPR with European Parliament elections coming this May. “We have lost too much time already,” Reding said in a prepared statement for a speech in Brussels. Not everyone agrees, however, that the GDPR will move forward. In discussing the two main privacy surprises of 2013, Google Global Privacy Counsel Peter Fleischer wrote on his personal blog, “the old draft is dead…” Meanwhile, after months of inquiry, the European Parliament’s Civil Liberties, Justice and Home Affairs (LIBE) committee draft report on U.S. National Security Agency surveillance has been leaked. This report for The Privacy Advisor looks at these developing stories and includes commentary from Field Fisher Waterhouse Partner Eduardo Ustaran, CIPP/E.
CES Buzzes With Privacy News (January 7, 2014)
With more than 150,000 attendees descending on Las Vegas, NV, the Consumer Electronics Show is the largest event of its kind in the world and is often the venue where electronics manufacturers make their big product unveilings. This year, privacy has more prominence at the event than ever before. In this feature, Publications Director Sam Pfeifle wraps up the big privacy news, from the latest in wearables to biometrics to smart cars and TVs.
ICYMI: Target Fallout Continues; More Breaches Reported (January 2, 2014)
Following the breach at Target affecting approximately 40 million consumers, Sens. Robert Menendez (D-NJ), Mark Warner (D-VA) and Charles Schumer (D-NY) have called for a Senate Banking Committee hearing to examine whether stronger industry-wide standards are needed and if all necessary actions are being taken to safeguard consumer data against fraud and identity theft. Missouri’s attorney general and a New York assemblyman are also looking into the breach, and a number of consumers have filed lawsuits. Meanwhile, a number of breaches spanning the globe affected healthcare providers, bankers and casino frequenters, among others that include private-texting provider Snapchat, which lost 4.6 million usernames and phone numbers. This roundup catches you up on what you may have missed over the holidays.
Privacy Thoughts for 2014 (January 2, 2014)
Privacy—the word itself and the concept—got plenty of attention in the media’s end-of-year wrap-ups. Not surprisingly, it got a bit of attention in looks forward to 2014 as well. In this roundup, Publications Director Sam Pfeifle looks at what those opining about the future had to say in the final days of 2013 and at the start of the New Year.
Commercial UAV Use in U.S. Takes Next Step Forward (January 2, 2014)
While the use of unmanned aerial vehicles (UAVs) is regulated in various ways across the globe, the Federal Aviation Administration (FAA) still tightly controls their use in the United States. In this roundup, Publications Director Sam Pfeifle reviews some of the top headlines on the use of UAVs from the holiday season.
Federal Courts at Loggerheads in NSA Surveillance Cases; Snowden Disclosures to Continue in 2014 (January 2, 2014)
The tail end of 2013 brought with it continued news and reaction to the disclosures of the U.S. National Security Agency’s (NSA) surveillance programs by former contractor Edward Snowden. Perhaps most significantly, a U.S. federal judge on Friday December 27 ruled the NSA’s bulk collection of metadata on phone calls was legal. The ruling came less than two weeks after another federal judge came to virtually the opposite conclusion. In this roundup, we gather together the major developments and opinion stemming from Snowden’s disclosures and what may lay ahead in for the NSA in 2014.