European Data Protection Digest

In 1897, Oscar Wilde wrote to Lord Douglas, “Do not be afraid of the past. If people tell you that it is irrevocable, do not believe them.”

I wonder if he would share this piece of advice today. Though the past may not be irrevocable, we all leave digital shadows we may regret one day. I had no Internet growing up, and I am grateful that the only traces of my past are some old pictures gathering dust at my parents’ house and a box of letters I used to exchange with overseas friends—you know, having overseas pen pals was actually pretty cool back in the day.

Come to think of it, Oscar Wilde may never have meant for his 1897 letter to Lord Douglas to be published, as it came to light only after his death, so you could almost argue he had no right to be forgotten…

This week, the Court of Justice of the European Union declared the 2006 Data Retention Directive invalid, stating that it interferes with the fundamental rights to respect for private life and to the protection of personal data, as stipulated in the EU Charter of Fundamental Rights. The interference, said the court, exceeds the limits imposed by compliance with the principle of proportionality.

Aside from the obvious consequences the court’s decision will have on telcos and ISPs, some commentators have said that it can have a significant impact on the EU reform of data protection law and, in particular, on the debate around the General Data Protection Regulation.  

To quote Oscar Wilde again, “It is a very sad thing that nowadays there is so little useless information.”

Rita Di Antonio
Managing Director
IAPP Europe

Top European Privacy and Data Protection News

PRIVACY LAW—EU & HUNGARY

CJEU: DPA Firing Violated EU Law

April 10, 2014

The Court of Justice of the European Union (CJEU) has determined “Hungary violated European Union law by firing the head of its data protection agency (DPA) in 2012,” The Wall Street Journal reports. In its judgment Tuesday, the CJEU found national DPAs “must not be bound by instructions of any kind” and their decision-making processes “must be free from political influence,” noting if a government can fire staff before their terms’ end, “that authority might be prompted to enter into a form of prior compliance with political powers.” The CJEU has ordered Hungary to comply “without delay” but has not specified “what form compliance should take,” the report states. (Registration may be required to access this story.)

PRIVACY LAW—EU & THE NETHERLANDS

Commission Proposes Drone Standards

April 10, 2014

The European Commission is proposing the EU “set strict standards for the operation of civilian drones,” European Voice reports, including “rules on safety, security and the protection of personal data.” The commission has recommended privacy be continually monitored as “the capacity to store ever-increasing amounts of data may raise ethical and data protection concerns.” European Commissioner for Transport Siim Kallas said, “Many people, including myself, have concerns about drones' safety and security … Now is the time to act because the industry is still in its infancy.” Meanwhile, ZD Net reports The Netherlands’ Parliament “has approved legislation that will allow drones to be used for video surveillance of the country's citizens.”

PRIVACY LAW—EU & GERMANY

German DPAs Share Position on “One-Stop Shop”

April 10, 2014

Out-Law.com reports on German DPAs’ outlining their position on the proposed “one-stop shop” in the EU’s General Draft Data Protection Regulation. The “one-stop shop” proposal would require organisations operating in the EU “to engage with just one DPA, in the country of their ‘main establishment,’ rather than every DPA in the EU member states they are active in.” The German DPAs believe authorities “should have powers to protect the privacy of people in the country in which they are based even if organisations serving those people are based elsewhere,” the report states.

DATA PROTECTION—UK

ICO: Orgs Must Take “Appropriate” Technical Measures To Protect Data

April 10, 2014

The Information Commissioner's Office (ICO) is reminding organisations to ensure personal data is protected from IT security vulnerabilities, Out-Law.com reports. “As a responsible data controller, it is your organisation’s responsibility to make sure you have the measures in place to keep people’s details safe,” the ICO’s Simon Rice said, adding, “Failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented.” The Data Protection Act requires “appropriate technical and organisational measures” to avoid “unauthorised or unlawful processing of personal data,” the report states. Meanwhile, BBC reports on Welsh councils breaking data protection laws “135 times in 2013 compared to 60 breaches in 2012.”

DATA RETENTION—EU & U.S.

Court Ruling Gives Boost to EU Data Protection Reform

April 09, 2014

On Tuesday, the Court of Justice of the EU invalidated the EU Data Retention Directive, prompting Wilson Sonsini’s Christopher Kuner to note, “Beyond its significance for data retention, this judgment has important implications for EU data protection law in general and the proposed General Data Protection Regulation in particular.” In this post for Privacy Perspectives, and while cautioning “the exact implications of the judgment will only become clear in the coming weeks,” Kuner looks into a number of implications that may result from what he calls “a milestone in EU data protection law,” including how it could affect the EU-U.S. Safe Harbor agreement and “whatever system of data retention the U.S. may be considering.”

DATA LOSS

Breaches Abound, and the Points of Entry Aren’t Always Obvious

April 09, 2014

Following reports of the Heartbleed Bug, several other breaches are now making headlines. ESecurityPlanet reports Kaiser Permanente’s Northern California Division of Research is “notifying approximately 5,100 Kaiser Permanente members who had participated in research studies that malware found on a server on February 12, 2014, may have compromised their personal information.” And Reuters reports Iowa and North Carolina are joining two other U.S. states examining a breach of 200 million personal records. Meanwhile, The New York Times uses the recent Target breach as the most widely known example of the less-obvious ways hackers access personal data—highlighting such others as an online takeout menu that was infected with malware to breach an oil company.

SOCIAL NETWORKING

Facebook To Open Up New Set of Privacy Controls

April 09, 2014

TechCrunch reports on a slew of new privacy controls set to be released by Facebook and examines how the company handles privacy and aims to limit user surprises. Facebook said it performs 80 trillion privacy checks per day to ensure private data is not mistakenly leaked and runs 4,000 privacy surveys per day. The surveys have helped the company’s privacy teams create a new set of on-screen privacy controls with displays describing how they work. Facebook plans to provide on-screen notices explaining which audiences see cover photos and friends’ sharing of user posts. The company will also test an in-line privacy selector for status updates explaining what is shared publicly or with friends. Facebook recently unveiled its privacy “dinosaur” to notify users a given post is public.

INTERNET OF THINGS

Startup To Use $17 Million for Wearables’ Power Chips

April 09, 2014

Reuters reports that startup Ineda Systems has received $17 million in funding from investors and will use the money to develop low-power chips for wearable devices aimed at allowing the devices to function for up to a month without needing to recharge. “In today's market, people are using smartphone technology to deliver these watches,” said Ineda Chairman Sanjay Jha. “That has led to good products but not to breakthrough products.”

FACIAL RECOGNITION

Google Glass: Surgeon Saves Lives with It, Bar Bans It

April 08, 2014

Livestream has released its first piece of Glass software, PC Magazine reports, which allows users to tap the headset and say, “Okay Glass, Livestream,” and then livestream the event to viewers. Meanwhile, The Verge reports on the multitude of facial recognition apps on the market today, including “NameTag,” which links a user’s face to “a single, unified online presence.” And The New York Times reports on both the opportunities and the challenges inherent in Google Glass, with some welcoming the technology enthusiastically—such as one lung surgeon who recently used Glass to help perform a procedure—and others banning it entirely, such as one California nightclub.

DATA PROTECTION—EU

Article 29 Working Party Releases Contractual Clauses Draft

April 08, 2014

The Article 29 Working Party has released its working draft on standard contractual clauses for the transfer of personal data from an EU data processor to a non-EU data sub-processor. While there is currently a decision on standard contractual clauses for the transfer of personal data to processors in third countries, the Article 29 Working Party says it’s appropriate to work on a new set of contractual clauses from an EU data processor to a non-EU data sub-processor. The working document aims to advise the commission should it one day consider amending or supplementing existing model clauses currently in place under the Data Protection Directive.

PRIVACY LAW

U.S. State Privacy Bills Become Law; Dutch Municipalities Get Drones

April 07, 2014

The Dutch Parliament has approved the use of drones for video surveillance in some circumstances, giving mayors the right to determine when the use is appropriate; meanwhile, in the U.S., Washington state’s governor vetoed a drone bill there, saying it doesn’t go far enough to protect privacy. This week’s Privacy Tracker legislative roundup offers information on Idaho’s new DNA privacy law, Utah’s new mobile device privacy law and clarification on TCPA issued by the Federal Communications Commission. Also learn about the one-million Euro fine Google will pay to Italian regulators and a suit in Canada seeking class-action status that claims the Communications Security Establishment Canada “has been violating the constitutional rights of millions of Canadians.” (IAPP member login required.)

INTERNET OF THINGS

Smart Communities Must Balance Privacy, Efficiency

April 07, 2014

A feature in The Guardian asks whether individuals are “willing to trade privacy for efficiency” as communities “get smarter.” Cisco’s Wim Elfrink advises, “Having security policies, having privacy policies is a given. I think you have to first give the citizens the right to opt in or opt out … security and privacy are going to be the biggest imperatives. If we don’t solve this, people will opt-out more.” The report looks at examples where use of data gathered from smart devices has resulted in privacy backlashes or resulted in real-world benefits. “The best cities in the world will be the ones where governments have better relationships with developers,” the report states.

PRIVACY LAW—ITALY

Google Pays 1M Euro Fine

April 04, 2014

Google has paid a one million euro fine for privacy breaches in Italy related to its Street View mapping service, AAP reports, citing an announcement from Italy’s DPA, the Garante. The use of unmarked Street View vehicles resulted in bystanders not being able to discern whether their images were captured or by whom, the report states, noting the Garante asked Google to identify the vehicles and publicize their movements in advance. Though Google complied, the report states, the Garante fined the company for “the illicit collection of data destined for a large database of particular significance.” The Garante's announcement, in Italian, can be accessed here.

CYBERSECURITY

Cyber-Insurance “Virtual Privacy Expert” Released

April 04, 2014

ID Experts and insurance solutions firm Enquiron have released a new online resource to help cyber-insurance carriers minimize risks. The Virtual Privacy Expert includes a risk management application, a “Breach Healthcheck,” privacy and security policies that are customizable and an incident response plan. The online tool also allows access to privacy experts to provide guidance and advice. One cyber-insurance expert said, “This approach works well in other areas of insurance, and I am excited to see it being brought to cyber insurance in a comprehensive strategy.”

DATA LOSS—EU, IRELAND & UK

Breaches Abound; WP 29 Opinion Published

April 03, 2014

The UK Information Commissioner’s Office (ICO) has been asked to investigate alleged breaches “amid concerns that confidential sources of the BBC’s flagship Panorama programme may have had their identities revealed,” The Independent reports. Also in the UK, a Northampton woman has been ordered to pay 305 GBP in fines after admitting “six counts of breaching data protection laws at Northampton Magistrates' Court,” and Boxee's customer forums suffered a breach where hackers accessed details on 158,000 people. In Ireland, The Irish Times reports on “unanimous agreement among lawyers that the improper recording of conversations between prisoners and their legal representatives was a breach of privacy for which damages could be claimed against the state.” Meanwhile, the Article 29 Data Protection Working Party adopted its opinion on personal data breach notification on 25 March.

MOBILE PRIVACY—LITHUANIA

DPA Warns Telemarketers

April 03, 2014

VDAI, Lithuania's data protection inspectorate, has issued a statement “that direct telemarketing calls from mobile operators are illegal without the prior agreement of recipients,” Telecompaper reports. VDAI has received “numerous complaints on the issue,” the report states, and in its statement, it specified that “prior agreement cannot be obtained during the telemarketing call” and “a personal telephone number forms a part of protected personal data.”

PRIVACY LAW—THE NETHERLANDS

Gov’t Proposes Law To Relax Cookie Rules

April 03, 2014

Telecompaper reports on the Dutch government proposing legislation that would “relax rules on the use of website cookies.” The proposed Telecommunications Act amendment “would mean website operators no longer have to ask users for prior approval to place cookies that are not an intrusion on personal privacy,” the report states, noting such cookies include those “that help improve a website's performance, known as analytic cookies, as well as those that simplify the use of the site.” Cookies that are used for online behavioural tracking would still require prior approval.

DATA PROTECTION

Gaining Momentum, Interoperability as the “Near-Term” Solution

April 03, 2014

Many in the privacy world have backed interoperability as the best way forward for privacy protections in global data flows, while others “continue to pursue the ideal of a global privacy standard,” writes Hunton & Williams’ Markus Heyder, “But the prospect of achieving such an international standard anytime soon seems low.” That said, more practical, near-term solutions are needed, “and—who knows—such near-term solutions may ultimately lead to increased global harmonization in the field,” he adds. In this post for Privacy Perspectives, Heyder, the vice president and senior policy counselor at Hunton & Williams’ Centre for Information Policy Leadership, discusses why it’s interoperability that will provide “such a near-term, practical solution.”

PRIVACY LAW

What Australia’s New Privacy Principles Mean for Foreign Cos

April 03, 2014

While many organizations within Australia work to implement the newly enacted Australian Privacy Principles (APPs), organizations outside the country may wonder in what way the new law affects their business practices. In this Privacy Tracker post, IAPP Westin Fellow Dennis Holmes outlines aspects of the APPs that non-Australian businesses, particularly service providers, may want to pay attention to, including the privacy commissioner’s interpretation of “carrying on business” that “departs from the traditional notion of that standard in Australian law.” Holmes notes that the newness of the APPs makes it unclear how they will be applied, but “companies must understand whether they are subject to liability under the new rules and take meaningful steps toward full compliance if so.” (IAPP member login required.)

DATA PROTECTION

Yahoo: We’re Encrypted Now

April 03, 2014

A blog post from Yahoo Chief Information Security Officer Alex Stamos, who joined the company a month ago, updates users on its project to increase data protection through the deployment of encryption technologies. As of March 31, traffic moving between Yahoo data centers was fully encrypted, the blog states, and an encrypted version of Yahoo Messenger is coming soon. “Hundreds of Yahoos have been working around the clock over the last several months to provide a more secure experience for our users, and we want to do even more moving forward. Our goal is to encrypt our entire platform for all users at all time, by default,” Stamos writes.