Privacy Advisor

Having trouble receiving the Privacy Advisor in your inbox? Click here for troubleshooting tips.

Global Privacy Dispatches

FRANCE—Expansion of CNIL Investigation Powers Confirmed
In the past few years, the French data protection authority (CNIL) has made itself known for its on-site investigation powers by coming unannounced to the premises of businesses to perform interviews and searches in order to assess compliance with the French Data Protection Act. Read More
FRANCE—The End of Aggressive Cold-Calling?
The new consumer act of March 17 is now in force. Among its key measures, it plans the creation of a centralized do-not call list. Read More
HUNGARY—Hungarian DPA Suggests Refinements in IT Policies
In a recent case, the Hungarian Authority for Data Protection and Freedom of Information (Nemzeti Adatvédelmi és Információszabadság Hatóság or NAIH) investigated a case where a company had to access its employee’s laptop for compliance reasons and imposed a fine of HUF 1,500,000 (approximately 5,000 euros) for unlawful data processing. Read More
UK—Marketing Companies Punished for Hiding Identity While Making Nuisance Calls
The Information Commissioner's Office (ICO) has ordered two telephone marketing companies to change their practices after more than 100 complaints were made to the ICO that the companies were making nuisance marketing calls. Read More
UK—British Pregnancy Advice Service Fined for Serious Data Breach
The British Pregnancy Advice Service (BPAS) has been fined 200,000 GBPs after a serious breach of the Data Protection Act (DPA) revealed thousands of people's personal details to a malicious hacker. Read More
UK—ICO Publishes Updated PIA Guidance
The UK Information Commissioner's Office has published its updated Privacy Impact Assessment (PIA) Code of Practice to help organisations comply with their data protection law obligations when they change the way that they use personal data. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.

Read More
ITALY—Garante’s Provision on Mobile Payment Services
On December 12, 2013, the Italian Data Protection Authority (Garante) issued a draft general provision on the processing of personal data in the context of mobile remote payment services. This new provision sets the rules for the processing of information about users who purchase digital services and products and pay for them remotely via their phone bills. Read More
ITALY—Garante Addresses Medical Research, Welfare Positions Issues
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions. Read More
For Infosec Professionals, Privacy Can Be a Differentiator (February 28, 2014)
For information security professionals, privacy might seem like a secondary thought. Done right, however, incorporating strategic thinking about privacy into daily job functions could be an infosec professional’s ticket to the C-suite—or at least strong relationships with the people in it. After all, breaches and other gaffes are expensive and damaging, and information-security professionals are the data keepers who can avoid such pitfalls. That was the message IAPP CTO Jeff Northrop, CIPP/US, CIPP/IT, told a crowd at the RSA breakout session “Privacy as a Growing Risk.”
OWASP Looking for Volunteers for Privacy Top 10 Project (February 28, 2014)
In the cybersecurity community, the OWASP Top 10 Project is something of a touchstone. An open-source list of “the most critical web application security flaws,” it represents a consensus of experts as to what threats organizations should be most concerned with as they go about developing their projects. Florian Stahl, CIPP/IT, has launched the OWASP Top 10 Privacy Risks Project, and he’s looking for help.
ITALY—Garante Addresses Medical Research, Welfare Positions Issues (February 27, 2014)
The Garante, Italy’s Data Protection Authority (IDPA), has released three decisions related to research and a register of welfare positions.
RSA Dispatch: Talking FIPPs and Geeks with Google, Microsoft and McAfee (February 27, 2014)
These are uncertain times. User trust is at an all-time low; the models upon which governing data-use principles were built are outdated, and it’s time for a shift in how policy people and engineers work together in order to address these problems. This report examines those and other takeaways from a well-attended and wide-ranging RSA session Wednesday on “Hot Topics in Privacy,” moderated by IAPP CEO Trevor Hughes, CIPP< and featuring a panel of chief privacy officers from Google, Microsoft and McAfee.
Introducing the Casebook of FTC Privacy Law (February 27, 2014)
The IAPP Westin Research Center has undertaken a project to produce an FTC Privacy Casebook—which collates, organizes, indexes, tags and annotates the body of FTC privacy and data security jurisprudence—and make it available for you to search and use. The IAPP believes that the FTC Privacy Casebook will be a useful resource for businesses that seek to comply with the law and best data practices but often find themselves groping for guidance and direction. Ahead of the largest ever (yet again) IAPP Global Privacy Summit in Washington, DC, next week, the IAPP Westin Research Center has published a useful preview of the FTC Privacy Casebook, which is scheduled for launch at the end of the year.
NTIA’s Facial Recognition Talks Trigger Debate (February 26, 2014)
In the second in a series of meetings to develop a voluntary code of conduct around the application of facial recognition technology, the scope of the code was debated. Led by the National Telecommunications and Internet Administration’s (NTIA) John Verdi, the talks centered around whether or not there should be a dual use structure for facial recognition’s commercial and government use; specifics on how the technology actually works and links with databases, and how much more time should be spent fact finding on facial recognition.
Cryptographers at RSA: “Users Seem To Now Mind Giving Up Privacy” (February 26, 2014)
At this year’s RSA conference in San Francisco, CA, keynote panelists Whitfield Diffie of SafeLogic, Brian LaMacchia of Microsoft Research, Paul Kocher of Cryptography Research, Inc., MIT’s Ronald Rivest and Adi Shamir of Israel’s Weizmann Institute of Science expressed “shame” and “shock” at the NSA revelations but also offered up a vision of where cryptography is going and how it might affect the privacy industry.
If Gov’t Won’t Protect Privacy, Innovation Will (February 26, 2014)
Former Navy Seal Mike Janke, now CEO of year-old private-communications service Silent Circle, talked about the “Summer of Snowden” revelations during an RSA 2014 session entitled, “Mission Impossible? Building and Defending Zero-Knowledge Privacy Services.” Joined by Ethan Oberman of cloud-based synchronization and sharing service SpiderOak and Nicko van Someren, CTO of Good Technology, Janke and company discussed the new premium on “zero-knowledge” technology models that allow users to maintain complete control of their data access and new technological solutions for privacy. The Privacy Advisor Editor Angelique Carson, CIPP/US, brings you the highlights.
ITALY—Garante Releases Enforcement Activity Report (February 26, 2014)
The Garante, the Italian Data Protection Authority (IDPA), has released information on enforcement activity in Italy in 2013 and its relevant plan of inspections for the first semester of 2014.
The Lasting Effects of World War I on Privacy Today (February 25, 2014)
One-hundred years ago, World War I, originating from a complex web of interactions, aspirations and illusions, commenced as a struggle that would lead to the deaths of tens of millions of people. But the war would also lead to changes in the understanding and rules for freedom of expression, security and privacy. Thomas Shaw, CIPP/US, looks at court rulings then that still impact U.S. views on privacy today.
Proposal: Use Oil Spill Remedies on Data Breach Problem (February 25, 2014)
After the string of data breaches that affected Target, Neiman Marcus and other retailers, the security vulnerability of Big Data has come under scrutiny. The proliferation of data breaches also has banks, retailers, credit card companies, regulators and others all asking one question: How do we solve the data breach problem? At the Maine Law Review 2014 Privacy Symposium, Capital University Law Prof. Dennis Hirsch suggested looking to environmental law to find an answer. IAPP Westin Fellow Dennis Holmes evaluates two of his major suggestions.
Drones: Aren’t the Laws Already on the Books? (February 25, 2014)
“The grandfathers of privacy wouldn’t argue for new, drone-specific privacy rules,” writes Jeff Kosseff, CIPP/US. Rather, the common-law privacy torts they articulated more than a century ago would apply equally to drones as they do to older information-gathering technologies. In part one of a three-part series on drones, Kosseff looks at existing U.S. laws to be considered when it comes to the use of drones for gathering information. Look for part two, on private-sector drone use, in the April edition of The Privacy Advisor.
HIPAA Changes Mean Tightening Up Vendor Relationships (February 25, 2014)
With the changes to the HIPAA Privacy and Security Rules, the responsibilities and relationships between covered entities and their vendors have moved to the forefront of information security management. Particularly, renewed emphasis has been placed on vendor security management and the responsibility that covered entities bear on performing appropriate due diligence. David Holtzman, CIPP/G, and Erin McMillan drill down on how to comply with the changes.
Ten Steps to a Quality Privacy Program, Part Seven: Identifying the Root Cause; Implementing Corrective Actions and Documenting Sanctions (February 25, 2014)
In this seventh installment in her series “Ten Steps to a Quality Privacy Program,” Deidre Rodriguez, CIPP/US, looks at the importance of identifying root causes, correcting the issues and documenting actions taken. “Taking the time to identify and document the proper root cause of an incident or privacy issue, creating a formal corrective action plan and documenting sanctions will save you time and frustration if this information is needed to respond to a regulatory inquiry,” she writes.
Ireland: Europe’s Scapegoat for an Out-of-Date Directive (February 25, 2014)
“Europe is currently endeavouring to regulate this world with a directive that was enacted in 1995 but conceived in 1981,” writes Denis Kelleher. While recent years have seen some express frustrations about Ireland’s data protection regime, “such frustrations may be better directed at a European Data Protection regime that is now out of date.” Kelleher looks at Ireland’s Office of the Data Protection Commissioner’s powers and the country’s views on privacy.
CNIL Amends Whistleblowing Rules, Effective Now (February 25, 2014)
The French Data Protection Authority’s whistleblowing scheme allows companies to comply via a self-certification procedure whereby they make a formal undertaking that their whistleblowing hotline complies with the pre-established conditions set out in single authorization AU-004. The CNIL's view on whistleblowing schemes has evolved over time, and it recently revised AU-004 to cover a wider scope, including workplace harassment and the environment, and specifies that anonymous reporting should be discouraged. In this report, Olivier Proust examines the amended rules in detail.

CANADA—Anti-Spam Legislation To Come Into Force (February 25, 2014)
After much discussion and consultation on the accompanying Regulations, Canada’s anti-spam legislation is about to take full effect. While the CRTC had previously published its regulations on March 28, 2012, the Electronic Commerce Protection Regulation was finally published on December 4, 2013.
A Privacy Pro Takes a Test Drive With Google Glass (February 25, 2014)
Privacy professionals have long been warning of the dangers to privacy from wearable technology. Often, the concerns have been expressed based on anecdotal evidence. So, when Bob Siegel, CIPP/US, CIPP/IT, CIPP/C, CIPM, had the opportunity to join the Google Glass Explorer program, he jumped at the chance. Siegel describes reactions to wearing the glasses at a dinner with friends, out in public and in professional settings.
UK—Government Department Fined 185,000 GBPs After Terrorist Incident Data Sold at Auction (February 25, 2014)
A government department has been fined after a filing cabinet containing personal information relating to victims of a terrorist incident was sold at auction.
From RSA: In Times of Distrust, Innovation and Collaboration Will Be Key (February 25, 2014)
The Internet has become a prison. A prison in which the warden can see all of the prisoners, but none of the prisoners can see each other, or the warden. Because what Silicon Valley knows how to do best is collect user data without notifying the user it’s doing so, and for what purpose, and then sell it for profit. But it shouldn’t be that way, and it doesn’t have to be. That’s how Michael Fertik, founder and CEO of, led off the IAPP’s first panel discussion at RSA Conference, and it offered a springboard for Jules Polonetsky, CIPP/US, Anne Toth and Stan Crosley, CIPP/US, CIPM, to talk about how brands can establish trust and ethically collect and use data in the post-Snowden era. Hint: IT and privacy professionals are going to have to work closely together.
It’s Complicated: The Social Lives of Networked Teens Does Not Shy Away from Tough Subjects (February 25, 2014)
It’s Complicated: The Social Lives of Networked Teens, a new book by danah boyd, is “easy to read, applicable to the privacy field and full of interesting, well-considered research,” K Royal, CIPP/US, CIPP/E, writes in this review. Royal offers an overview of the book’s eight chapters and considers the relevance of the subject matter for privacy professionals and the general public alike. “I can do nothing less than highly recommend this book” to those interested in privacy or issues affecting teens, Royal writes.
Privacy Law Symposium Delves into the Difficult Privacy Issues of the Digital Age (February 24, 2014)
Who’s governing privacy? That was the main question asked at the Maine Law Review 2014 Privacy Symposium on Friday. Implementing public policy to create appropriate levels of regulation and data protection in the Digital Age is a thorny issue with no easy answers, but privacy and legal experts from the U.S. and Europe did their best to flesh out what’s possible and what’s needed in Portland, ME. In all, seven law review papers were presented at the symposium, covering topics as diverse as the privacy issues raised by license plate scanners, the effectiveness of the multistakeholder process and transnational surveillance. This exclusive gives you the lowdown on the event.
Florian Thoma Joins Accenture (February 13, 2014)
IAPP Hits 15k Members (February 13, 2014)
Erecting a New Legal Edifice: Christopher Kuner on Transborder Data Flows (February 12, 2014)
“Few people personify the field they work in as much as Christopher Kuner. As a lawyer, European-American, academic and professor, and longtime leader of the ICC, Kuner straddles the fault lines of the privacy world with ease,” IAPP Vice President of Research and Education Omer Tene writes in this review of Kuner’s latest work, Transborder Data Flows and Data Privacy Law. Tene examines the wealth of information included in Kuner’s book, suggesting it may “constitute one of the building blocks for a new legal edifice being designed and erected these very days, a regulatory model for a technologically borderless world.”
NEW ZEALAND—Privacy Reflections/Predictions for 2014 (February 11, 2014)
The high-profile privacy breaches of 2012-13 have shed an unprecedented light on personal information in New Zealand. Outgoing Privacy Commissioner Marie Shroff is leaving the role at a time when protecting personal information, a cause she has actively championed over the past 10 years, is at the forefront of public awareness and is top-of-mind for policy analysts, legislators and businesses alike.
NEW ZEALAND—Will the Tide Turn in 2014? (February 11, 2014)
Last year was not a good one for New Zealand privacy-wise. While Australia forged ahead enacting legislation covering issues such as cross-border controls for personal data and introducing measures to implement breach notification, the government in New Zealand, by contrast, has been dragging its feet and instead adopted a raft of measures diminishing existing privacy protections. This article briefly reviews developments in New Zealand in 2013 and ventures some predictions as to what may lie in store in 2014.
AUSTRALIA—Australia Legislates for Privacy by Design (February 11, 2014)
In March, Australia will be overhauling its privacy laws. One of the key features of the new regime means Australia will become one of the first jurisdictions to effectively legislate for the concept of Privacy by Design.
Target Breach Fallout Persists; PCI DSS Compliance Tough To Maintain (February 10, 2014)
A Verizon report has found that a vast majority of companies who achieve compliance with the Payment Card Industry Data Security Standard annually fail to maintain that status, leaving them exposed to potential breaches and other security risks, Computerworld reports. The report found that 11 percent maintained compliance status between each PCI DSS assessment. Meanwhile, the FBI recently warned retailers that the recent attacks against Target and other brands foreshadow events to come, and a number of brands have announced new breaches.
Letter to the Editor: Brill Clarifies Mutual Cooperation Status (February 10, 2014)
Last week, The Privacy Advisor covered Federal Trade Commissioner Julie Brill’s Twitter chat, in which Brill took live questions on the relationship between the EU and the U.S. on data processing, the use of mobile devices in healthcare and what the web might look like in a cookie-less world, among other topics. In our coverage, we indicated Brill “shut down the idea” of future EU-U.S. collaboration in her response to a question about whether discussion had “evolved” on plans for a mutual enforcement program between the EU and U.S. In this letter to the editor, Brill clarifies the FTC is “engaged in important ongoing dialogues” on enforcement cooperation in various organizations.
NTIA Holds First Meeting on a Facial-Recognition Technology Code of Conduct (February 7, 2014)
The Department of Commerce’s National Telecommunications and Internet Administration yesterday held the first of a series of meetings aimed at creating a voluntary code of conduct for development and implementation of facial recognition technology. The meeting, which hosted stakeholders spanning advocacy and industry, was primarily a chance for the group, as well as the 100 or so watching the live webcast, to hear from experts on how the technology works, how it’s currently being applied and for what reasons and what it might be capable of accomplishing in the future. In this exclusive, Angelique Carson, CIPP/US, breaks down the most important testimony and summarizes the project’s goals and likely outcomes.
Breaches and Calls for Mandated Data Security Increase (February 7, 2014)
The recent breaches of Target and Neiman Marcus and their subsequent testimony in front of Congress this week has been part of a trigger for an increasing chorus of lawmakers and government agencies calling for federal data security legislation. On Thursday, U.S. Federal Reserve Governor Daniel Tarullo joined in by testifying that retailers and companies with customer payments should follow the same obligations as banks to report data breaches. Additionally, a new survey of government employees reveals Congress may be part of the cybersecurity solution, while a Texas-based healthcare system may have been hit by one of the largest data breaches to ever affect an individual hospital. This roundup brings together the latest developments in cybersecurity and data breach response.
FTC's Brill Does Twitter Chat (February 6, 2014)
FTC Commissioner Julie Brill took to Twitter yesterday, taking questions on the partnership between the U.S. and EU on data processing, the use of mobile devices in healthcare and a potentially cookie-less web ecosystem. The full conversation is at #FTCpriv.