BNA International X World Data Protection Report

International Information for International Businesses Monthly news and analysis of data protection and issues from around the world

Volume 9, Number 7, July 2009

Commentary

Databases: treasure or curse?
In many ways databases are the backbone of our society. From client relationship management systems and lists of preferred customers, to health records or national databases of offenders, they are seen as extremely useful tools allowing businesses and government to quickly access information that allows them to make decisions and coordinate their actions. Page 5

Amendments to the Indian Information Technology Act: implications for Australian corporations
The Indian Government is in the process of finalising regulations to clarify the operation of various new provisions under the recent Information Technology (Amendment) Act 2008. Michael Pattison reports on the legislation, and on the implications for Australian corporations. Page 7

Administration proposes new Federal Consumer Financial Protection Agency
Addressing the Obama Administration's proposals to reform financial regulation in the US, Barney Frank (D-MA), Chairman of the House Financial Services Committee, has promised to report legislation which would create a new Consumer Financial Protection Agency (CFPA) before the House adjourns for its August recess at the end of July 2009. Page 13

Privacy and social networking
In June 2009 the Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC ("WP-29"), rendered an opinion on implications of social networking ("WP-163"). In its WP-163, the WP-29 defines a social network service as an "online communication platform which enable individuals to join or create networks of like-minded users" and categorises them as being information society services, as defined in Article 1 paragraph 2 of Directive 98/34/EC as amended by Directive 98/48/EC. The WP-163 stresses that the key phenomenon of social networks lies in the fact that users are asked to provide sufficient information about themselves in order to create a thorough personality profile or description, and that moreover such information can be distributed to others. Page 25

News

Karen Curtis's tenure as Commissioner extended for another year
Karen Curtis has been appointed for a further one year term as Federal Privacy Commissioner. Page 21

Article 29 Working Party releases opinion on social networking
The Article 29 Working Party has released its opinion on social networking and how European data protection laws apply to social networking services. Page 22

Article 29 Working Party holds discussions with WADA
The Article 29 Working Party held further discussions with representatives from the World Anti-Doping Agency (WADA) about the International Standard for the Protection of Privacy and Personal Information. Page 32

BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., U.S.A. World Data Protection Report

Publishing Director: Andrea Naylor
Commissioning Editor: Shelley Malhotra
Editors: Jacqueline Gazey and Nicola McKilligan
Production Manager: Nitesh Vaghadia


World Data Protection Report is published monthly by BNA International Inc., a subsidiary of The Bureau of National Affairs, Inc., Washington, D.C., U.S.A.

Welcome to the July edition of the World Data Protection Report. This issue features a special report by Vinod Bange and Jennifer Sumpster of Speechly Bircham LLP. Drawing on recent high profile cases in the UK and Canada, they discuss the data privacy implications of the misuse and poor management of databases and the ramifications for business and customers.

As the popularity of social networks and blogs increases, our regular contributor, Dr Michael Schmidl of Baker & McKenzie, examines privacy and social networking in light of recent guidance from the EU's Article 29 Working Party. Maria Giannakaki of Karageorgiou & Associates comments on whether Internet bloggers in Greece are entitled to privacy after a retiring Greek Supreme Court prosecutor issued his controversial opinion on the matter.

While the conflict between privacy and security continues, Malcolm Crompton of Information Integrity Solutions provides us with his opinion on the ongoing fallacy that we must compromise privacy for the sake of security.

And, of course, there is our usual digest of data privacy news from around the world as well as articles on the latest developments in France, India, the UK and US.

We hope you enjoy this issue!

Shelley Malhotra
Commissioning Editor

Website: www.bnai.com ISSN 1473-3579


Copyright © 2009 by The Bureau of National Affairs, Inc.

Topical Summary

Legislation and Guidance

Databases: treasure or curse? ...... 5
Amendments to the Indian Information Technology Act: implications for Australian corporations ...... 7
Privacy on the Internet and bloggers' identity ...... 9
ICO publishes privacy notices code of practice ...... 10
Administration proposes new Federal Consumer Financial Protection Agency ...... 13
Privacy, data breach protection and notification laws: changes to US privacy laws ...... 15
The Security versus Privacy paradox: a virulent fallacy under challenge ...... 20
Highlights from the 31st APPA meeting ...... 21
Karen Curtis's tenure as commissioner extended for another year ...... 21
Closing date for Australian privacy awards nominations ...... 22
Telemarketers served with notices for breaching do-not-call list rules ...... 22
Canadian MPs call for changes to privacy law ...... 22
Data protection law for Costa Rica ...... 22
Article 29 Working Party releases its annual report for 2008 ...... 22
Article 29 Working Party releases opinion on social networking ...... 22
French Senate issues report on privacy rights in the digital age ...... 23
New guidance for estate agents ...... 23
Data protection bill on its way ...... 23
Spanish DPA to host commissioners' conference ...... 23
Notification fee will increase to £500 for some organisations ...... 23
ICO clarifies data protection myths surrounding photos at school events ...... 24
ICO puts out tender for a research project ...... 24
Spammers fined $3.7 million ...... 24
Privacy and social networking ...... 25
Recent developments in personal data protection in France ...... 26
Connectivity's mobile phone directory is privacy friendly, says ICO. But is it? ...... 29
Plans to amend model clauses for use in global outsourcing transactions ...... 31
Article 29 Working Party holds discussions with WADA ...... 32
Trial of Google executives postponed until September 2009 ...... 32
Google forced to reshoot Streetview images in Japan ...... 32
Data protection awareness rises ...... 32
Swedish regulators probing location based services ...... 33
Commissioner seeks assurances from Google over Streetview ...... 33
Future head of MI6's details on Facebook ...... 33
Phorm loses BT as a customer ...... 33
ICO finds Manchester City Council guilty of breaching DPA ...... 33
Retail chain TJX settles security breach charges ...... 34

Country Checklist

Asia Pacific
Highlights from the 31st APPA meeting ...... 21

Australia
Amendments to the Indian Information Technology Act: implications for Australian corporations ...... 7
Closing date for Australian privacy awards nominations ...... 22
Karen Curtis's tenure as commissioner extended for another year ...... 21

Canada
Canadian MPs call for changes to privacy law ...... 22
Telemarketers served with notices for breaching do-not-call list rules ...... 22

Costa Rica
Data protection law for Costa Rica ...... 22

European Union
Article 29 Working Party releases its annual report for 2008 ...... 22
Article 29 Working Party releases opinion on social networking ...... 22
Privacy and social networking ...... 25
Article 29 Working Party holds discussions with WADA ...... 32

France
French Senate issues report on privacy rights in the digital age ...... 23
Recent developments in personal data protection in France ...... 26

Greece
Privacy on the Internet and bloggers' identity ...... 9

Hong Kong
New guidance for estate agents ...... 23

India
Amendments to the Indian Information Technology Act: implications for Australian corporations ...... 7

Italy
Trial of Google executives postponed until September 2009 ...... 32

Japan
Google forced to reshoot Streetview images in Japan ...... 32

Macau
Data protection awareness rises ...... 32

Malaysia
Data protection bill on its way ...... 23

Spain
Spanish DPA to host commissioners' conference ...... 23

Sweden
Swedish regulators probing location based services ...... 33

Switzerland
Commissioner seeks assurances from Google over Streetview ...... 33

United Kingdom
Connectivity's mobile phone directory is privacy friendly, says ICO. But is it? ...... 29
Databases: treasure or curse? ...... 5
Future head of MI6's details on Facebook ...... 33
ICO clarifies data protection myths surrounding photos at school events ...... 24
ICO finds Manchester City Council guilty of breaching DPA ...... 33
ICO publishes privacy notices code of practice ...... 10
ICO puts out tender for a research project ...... 24
Notification fee will increase to £500 for some organisations ...... 23
Phorm loses BT as a customer ...... 33

United States
Administration proposes new Federal Consumer Financial Protection Agency ...... 13
Privacy, data breach protection and notification laws: changes to US privacy laws ...... 15
Spammers fined $3.7 million ...... 24
Retail chain TJX settles security breach charges ...... 34

Legislation and Guidance

Databases: treasure or curse?

July's issue of WDPR opens with a special feature by Vinod Bange, Partner, and Jennifer Sumpster, Solicitor, at Speechly Bircham LLP.

In many ways databases are the backbone of our society. From client relationship management systems and lists of preferred customers, to health records or national databases of offenders, they are seen as extremely useful tools allowing businesses and government to quickly access information that allows them to make decisions and coordinate their actions.

There have, however, been a number of recent high-profile headlines both in the UK national press and in this publication concerning databases that have shown these "useful tools" for business and government to be capable of breaching data protection laws and in some cases a dangerous invasion of privacy for members of the public.

In this article we draw together three of the recent database horror stories, and discuss what can be learnt in the customer context to ensure that databases are safe and beneficial to businesses and consumers alike.

The lesson

Construction industry workers database: built on unsafe foundations

Investigations by the UK Information Commissioner's Office revealed a database containing the personal details of 3,213 construction industry workers. The information that was held on the database included trade union membership and disciplinary history, leading to the widely held assumption that subscribing employers, including many household name construction companies, used such information to effectively "blacklist" workers within the construction industry.

The database was reportedly compiled and maintained by Ian Kerr, trading as the Consulting Association, over the past 15 years. On payment of an annual subscription of £3,000, construction companies were able to add to the database, and they could also access details on individual workers for an additional fee of £2.20 per request.

The ICO investigation revealed that Mr Kerr had not given the construction workers included on the database any "fair-processing" information as required under the Data Protection Act, and had not notified his data processing activities to the Information Commissioner.

As a result of their findings the ICO has seized the database and has ordered Mr Kerr and the Consulting Association to cease trading. It has also taken the extremely unusual step of opening a hotline for those construction industry workers who think they may have been included on the database.

It is not only Mr Kerr who should be mindful of the ICO's actions: each of the subscribing companies must consider their own obligations under the Data Protection Act and also under anti-discrimination and other employment legislation. The ICO has taken an extremely dim view of this particular database, and all those who have used it should think very carefully about how they can regain the respect and confidence of their employees and other members of the industry.

This is a perfect example of how not to manage and exploit a database: Mr Kerr's actions may be considered reprehensible indeed, but perhaps more alarming were the actions of the companies who ignored their own data protection and employment law obligations and used the information gained from the database to make or influence employment decisions.

The lesson, quite simply, is this: the rights of data subjects whose personal data are included within a database must not be ignored, no matter how lucrative or useful that database appears to be.

Data privacy matters have been a specialist focus of Vinod's practice for 12 years. He has particular experience in all aspects of informational law, data protection, risk management, audit and implementation projects, global data flows, non-compliance risks and breach incidents, as well as advising on databases, marketing, customer profile and insight. His client sectors include financial services, retail, technology, healthcare and pharmaceutical. Vinod has been involved in UK, European and international industry and legislative consultation processes on data protection and e-commerce laws.

Jennifer Sumpster is in the Data Privacy Group and specialises in data protection compliance issues, including monitoring systems for compliance with ethics, money laundering and anti-corruption laws across the EU and internationally, as well as advising clients from a diverse range of industries on internal data protection and information security policies and data breach management. She has a particular interest in children's privacy and regularly advises on the data privacy issues that arise when aiming a product or a service at children, particularly in the e-commerce environment.

The authors can be contacted at: [email protected] and [email protected]

The warning

ContactPoint and the Rowntree Report: children's database destined for the naughty-corner?

There has been much talk over recent months around the introduction by the UK government of a nationwide database containing details of all children and young people under the age of 18 in the UK. This database is known as ContactPoint.

ContactPoint has caused a lot of uncomfortable feeling amongst human rights campaigners and children's charities alike, and some organisations, such as the Joseph Rowntree Reform Trust (usually vocally in favour of data policies aimed at protecting vulnerable groups), have called for it to be scrapped in its entirety due to concerns over breaches of data protection and human rights laws and huge fears over the security of the information.

The government commissioned Deloitte & Touche LLP to investigate and report on issues surrounding the ContactPoint database. Whilst the full report has never been made public, the executive summary1 made some fairly alarming observations such as:

"It should be noted that risk can only be managed, not eliminated, and therefore there will always be a risk of data security incidents occurring"

This may be a fairly predictable comment that many of us as lawyers will have echoed with our own clients in our advisory capacities, but when it is put into context, and we remember the type of data that is involved here, it is hardly surprising that outrage ensued.

Deloitte's report also determined that:

"The degree of reliance on a hierarchy of self-certifications over a connecting organisation's security processes poses a significant risk to ContactPoint and its assets."

This is chilling indeed considering the number of high-profile security breaches government departments have been at the centre of in recent times, especially given that this database will hold the names, addresses, dates of birth, parents' details, school details, GP details and the contact details of many other individuals and organisations that will be involved, in some way or another, with the care of the child. Any threat to the security of this information, however slight or unavoidable, will clearly bring the majority of us out in a cold sweat, and the potential implications of this information falling into the wrong hands hardly bear thinking about.

Amid a storm of heavy criticism, ContactPoint was launched earlier this year and has been rolled out to a test group of local authorities in England.

There is no doubt that the government's rationale behind the implementation of such a database is extremely compelling: who indeed would argue that any measure which seeks to avoid future tragedies such as that of Victoria Climbié, or "Baby Peter", by plugging communication gaps between care providers is a very good thing? But it is important to remember that a blanket "public interest" justification for the disregarding of fundamental security considerations is not acceptable.

It will be extremely interesting (and a little frightening) to see how ContactPoint's security measures hold up now that the system is live.

Whilst there is no "opt-out" option for parents, one alternative that is available to parents who are concerned about these security risks, and who consider that their child may be at risk of significant harm if their whereabouts were known, is that in certain circumstances they can apply to "shield" information relating to their child's location and any parental details. This is rather a double edged sword, however, as the following advice from one borough council illustrates:

"It is important that you understand, that by requesting a record to be shielded you are informing the authorities that you feel a child/young person is at risk of harm, and if you currently have no professionals involved with your family, the request could generate professional involvement."

The guidance states that "shielding" of data should only occur if not shielding the data would place a child at risk of significant harm. It is clear that it could be argued that any child on the ContactPoint database could be placed at risk of significant harm if their details were seen by the "wrong" person (indeed what harm to a child would not be "significant" in this context), and so shielding could be seen by some to be a sensible option even if there was no immediate risk to the child. However, in the same advice leaflet, the council makes it very clear that:

"It is not appropriate to simply shield a record where there is an opposition to ContactPoint in principle."

Even if parents were able to shield their child's data if there was no immediate risk of abuse or other harm, this particular council makes the rather sinister inference that in requesting shielding, this is an indicator to the council that a child is at risk, and so this would effectively be a red flag necessitating the involvement of social services or other health care professionals. It seems that this is a rather large leap in logic, and one that perhaps should not be taken in such a sweeping way, not least because the involvement of social services in cases where such action is not necessary is a huge waste of resources, and would divert essential services away from where they are critically needed.

What then are the alternative options available to parents who do not want their children's (or indeed their own) details included on the ContactPoint Database? It may take a challenge to this system in front of the courts before we have any clarity on this issue.

The clear warning from this case is that no matter how genuine the principle and compelling the need for a database, consideration must be paid to the context of the database and its contents. The urgency to meet a particular need, for example to fill communication gaps, must not be balanced against fundamental requirements to protect and secure data: both are valid concerns that seek to protect our information, and in the case of ContactPoint to protect society's most vulnerable citizens, and both require equal consideration.

The balance?

Databases in a customer context: passengers should be entitled to information from airlines (but it's no substitute for a cold beer!)

For most data protection practitioners the majority of databases occupying our time concern customer data. We have seen in the examples outlined above how things can go horribly wrong in HR and public sector contexts, but what of customer databases? Here we draw an example from our cousins across the pond: enter Air Canada.

Back in 2005 an Air Canada passenger was involved in an incident during a short-haul flight following his insistence that he be permitted to consume the beer that he and his companion had brought on board. The passenger apparently did not know that by drinking his own beer onboard he would be contravening the Canadian Aeronautics Act, and did not take too kindly to the manner of the flight attendant who informed him of this fact. An incident ensued which resulted in the passenger being dubbed "unruly" by the flight captain, and he was detained by the police for questioning when the plane landed. No charges were ever brought against him.

The passenger later applied to the airline for copies of the reports relating to the incident. The airline refused, citing solicitor-client privilege. The Federal Privacy Commissioner of Canada has now commenced an action against the airline.

The background to this case means that the outcome will be particularly interesting: as this case is being heard, the Canadian government is finalising new regulations which will:

"enhance the ability of air carriers to prepare reports on certain types of disruptive behaviour"

The new regulations would require airlines to prepare reports on certain types of disruptive behaviour and to make these reports and related statistics available to the Canadian government on request.

As a result of the heightened concerns about air-security which the new Canadian regulations seek to address, the Canadian Commissioner considers that it is "critically important" that passengers have a right to access information an airline has collected about them, especially in cases where they seek to correct the record.

The outcome may also have implications that reach beyond Canada to the air-travel industry in general. Airlines commonly use lists and databases of unruly and disruptive passengers, often for extremely sound reasons, but despite the usefulness and the compelling need for such databases, again it is important that data protection principles are adhered to.

The lesson to be learned from the three examples outlined here (and the other countless "database-nasties" lurking in the shadows) is this: databases can be incredibly useful tools, especially in a customer context, and businesses need databases to operate efficiently and profitably. But it is important to remember that no compelling need or sound justification for the existence of a database means that data protection obligations and security measures can be ignored.

Databases can be a "treasure" not only for businesses, but also, ultimately, for customers if a more efficient and profitable business means better products or services, but this can only be achieved if the databases are managed in a manner compliant with data protection and other related principles.

NOTES

1 The executive summary can be found here: http://www.parliament.uk/deposits/depositedpapers/2008/DEP2008-0502.pdf

Amendments to the Indian Information Technology Act: implications for Australian corporations

By Michael Pattison, Partner, at Allens Arthur Robinson.

In brief: The Indian Government is in the process of finalising regulations to clarify the operation of various new provisions under the recent Information Technology (Amendment) Act 2008. Michael Pattison reports on the legislation, and on the implications for Australian corporations.

Michael Pattison can be contacted at: [email protected]

How does it affect you?

The recent Information Technology (Amendment) Act 2008 will:

- require Indian service providers who handle 'sensitive personal data' on their computer systems to maintain 'reasonable security practices and procedures'; and
- provide some legislative backing for data protection obligations under Indian law.

Australian corporations who have (or are contemplating) commercial outsourcing arrangements with Indian service providers will still need to implement rigorous provisions in their agreements to protect personal data.

Introduction

The Information Technology (Amendment) Act 2008 (the "Amendment Act") introduces new provisions into India's existing Information Technology Act 2000 (the "IT Act") to deal with issues such as data protection, cybercrime, ISP liability and electronic signature authentication. The Indian Ministry of Communications and Information Technology (MIT) recently issued draft rules in relation to the Amendment Act for public comment, and has also sought the input of the Indian IT industry body, NASSCOM, and its related industry self-regulatory organisation, the Data Security Council of India (DSCI), on how the new statutory concepts of 'reasonable security practices and procedures', 'personal information' and 'sensitive information' should be defined and applied. Finalisation of these regulations is the last step of notification required for commencement of the Amendment Act.

Background

The Bill was passed by the Indian Parliament on December 23, 2008 and subsequently assented to by the President on February 5, 2009. Despite the relatively low-key passage of the Bill through the Parliament, much of the Indian media coverage focused primarily on the cybercrime (interception powers) aspects of the Amendment Act.

Relevance to Australian corporations

Australian corporations with commercial outsourcing arrangements with offshore Indian service providers will be most interested in the data protection aspects of the new legislation. Among other new requirements, under Section 43A of the Amendment Act, a body corporate that possesses or handles 'sensitive personal data' on computer systems that it owns or controls is liable for negligence where its failure to implement and maintain 'reasonable security practices' causes 'wrongful loss or wrongful gain' to a person. The definitions both of 'sensitive personal data' and of 'reasonable security practices' make reference to practices and information that may be prescribed by the government in consultation with industry professional bodies.

NASSCOM and DSCI recommendations

The reference to prescribed government practices in the Amendment Act has required the MIT to seek industry consultation on the appropriate frames of reference for these definitions.

In April 2009, NASSCOM and the DSCI prepared their recommendations for the draft rules after consultation with their members. In relation to the Section 43A definitions, NASSCOM and the DSCI advise that:

- 'reasonable security practices' be, in effect, a self-declared written and implemented policy by which an organisation will state the security standard it adopts (which may be a combination of ISO 27001 and OECD Security principles). An organisation will need to document procedures setting out its selected security controls and how they are implemented. In the event of any security breach, an organisation will need to demonstrate that it conforms with its own policy procedures and that the security controls were commensurate with the assets being protected;
- 'personal information' be information relating to a person who can be identified directly or indirectly by reference to an identification number or by one or more specific factors in relation to that person's physical, economic, cultural, physiological or mental details. This is consistent with the definition of 'personal data' in Article 2a of the EU Privacy Directive 95/46; and
- 'sensitive personal information' be defined to include data pertaining to health or sex information, but excluding data references to racial or ethnic origin, political or religious beliefs, which, by contrast, are included in the corresponding definition in the EU Privacy Directive.

Existing Australian privacy laws permit the transfer of personal information to a recipient outside Australia, provided that the transferring organisation reasonably believes that the overseas recipient is subject to a law, scheme or contract that is substantially similar to Australian privacy law. As a consequence, Australian corporations are generally advised to make sure their offshoring contracts stipulate data privacy compliance provisions that are consistent with, and not less than, those that apply under Australian law.

The new Indian regulations may simply require self-regulation by service providers, which may involve less onerous security standards. Accordingly, it is recommended that Australian corporations engaged in offshoring arrangements review and continue to ensure that their contracts expressly set out rigorous data privacy and data security practices and standards.

What next?

We will continue to monitor this discussion and the finalisation of the rules that will apply to the commencement of the Amendment Act.

8 07/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579 Legislation and Guidance

Privacy on the Internet and bloggers' identity

By Maria Giannakaki, Attorney at Law, and Vassilis Papadopoulos, Trainee Lawyer, Karageorgiou & Associates Law Firm, Athens.

A legal opinion issued by the retiring public prosecutor of the Greek Supreme Court, stipulating that blogs are means of public expression and consequently the identity of Internet bloggers is not subject to the privacy of telecommunications, raises several questions and objections by the competent Greek authorities and legal experts.

The legal opinion

According to the legal opinion of the public prosecutor, the privacy of electronic communications does not protect communications through the Internet and "external communication data" such as names and other personal data used to identify the user of electronic communication services, as well as traffic data (data referring to the routing, duration, time and volume of the communication, the location and terminal of the equipment etc) and location data (data indicating the geographic position of the terminal equipment of the user). Based on the above, the prosecutor concluded that telecommunication service providers bear the obligation to give access to communications of private individuals or organisations to prosecuting, investigative and police authorities as well as Judicial Councils and Courts, without prior authorisation by a Public Prosecutor of the competent Authority. In addition to the above, he suggested that Internet service providers should give access to both external data and content of the communication, while providers for services other than Internet should give access only to traffic data, not to the content of electronic communications.

This legal opinion, issued following a request by the police department for criminal proceedings against computer crime, leads to the lifting of anonymity of Internet blogs and if applied it may result in criminal prosecution of bloggers not only for serious felonies, but also for regulatory offences such as defamation. According to the President of the Hellenic Data Protection Authority ("DPA") this legal opinion is a cause for legal concerns for the reason that it does not comply with the Law 3471/2006, implementing the EU Directive 2002/58 regarding the processing of personal communication data.

General framework: legal interception

According to the Greek legislation on privacy in the telecommunication sector and in the light of the legal opinion no 79/2002 of the Greek Data Protection Authority, privacy covers the external data of communication (telephone numbers, subscribers' names, contact details, IP addresses etc) and the content of communication. With regard to the content of the communication, article 19 of the Greek Constitution and article 4 of the Law 2225/94 are applicable. "External communication data" are qualified as personal data and therefore the Law no 2472/1997 with regard to personal data collection and processing and Law no 3471/2006 with regard to the privacy in the telecommunication sector are applicable.

Content of the communication

Article 19 of the Greek Constitution, protecting freedom of correspondence and communication, provided for two legal causes of lawful interception:

a. the protection of national security; and
b. investigation of crimes.

Law 2225/94 with regard to disclosure of private communications describes the procedure for lawful interception for each of the abovementioned causes.

With regard to national security, only judicial, administrative, military, police or other public authorities may submit an application before the Public Prosecutor, if the issue of national security comes within the scope of their competence.

With regard to investigation of crimes, lawful interception is permitted only for specific offences provided by penal law (e.g. treachery, falsification of currency, explosions etc) and is permitted only against targeted suspects involved in a crime under investigation or against persons used by suspects as contacts or liaisons. In very urgent matters, the Public Prosecutor or examining magistrate may themselves order lawful interception, but they are obliged to submit the issue to the Council within three days. If the Council does not approve the order of the Public Prosecutor or examining magistrate, the decision for lawful interception is abolished.

External communication data

According to Article 4 of the Law 3471/1997 implementing Directive 2002/58/EC on the protection of privacy in the electronic telecommunications sector, "any use of electronic communications services offered through a publicly available electronic telecommunication network, as well as the pertinent traffic and location data shall be protected by the principle of confidentiality of telecommunications. The withdrawal of confidentiality shall be allowed only under the procedures and conditions provided for in Art. 19 of the Constitution". Therefore, listening, taping, storage or other kinds of interception or surveillance of communications and the related data is prohibited, except when legally authorised.

Binding character of public prosecutor's legal opinion

According to Article 25 of the Law 1756/1988, the public prosecutor of the Greek Supreme Court renders a legal opinion with regard to "legal issues of wide public interest", on the interpretation and implementation of the penal law. His legal opinion is an "official interpretation" of the law but it is not an "authentic interpretation". Only the Greek Courts by virtue of their decisions have the authority to give "authentic interpretations" of the laws and for that reason the legal opinion of the prosecutor does not have a binding character for Greek Courts. Moreover, the legal opinion does not have a binding character towards other prosecutors due to the principle of independence of the prosecution service.

Conclusion

Following the aforementioned analysis, we may conclude that the legal opinion includes a misinterpretation of the conditions for lawful interception without taking into consideration the European legislation regarding personal data protection and privacy in the telecommunication sector, which has been implemented in the Greek legislation.

From a practical point of view, conditions of lawful interception are very strict and not flexible. Police authorities often handle cases that may involve serious criminal offences, especially with the use of computers or through the Internet, which are not included in the list of offences for which the anonymity can be lifted according to the Law 2225/1994. In such urgent cases, crimes cannot be prevented or electronic traces may be lost during the process of application for lawful interception. However, the abuse of the right of privacy of communications and the lifting of the protection of personal data cannot be a solution. On the contrary, a better protection may be accomplished through the addition of offences to the list of crimes for which communication privacy may be lifted.

Following a proposal of the Hellenic Authority for the Communication Security and Privacy, the Greek Penal Code and the Law 2225/94 were relatively recently amended and the offence of pedophilia was added to the offences for which lawful interception may be permitted. Other offences that may also be added to Article 4 of the Law 2225/94 are those described in Articles 370A, 370B and 370C of the Greek Penal Code, regarding violation of communications privacy and computer crimes.

The authors can be contacted at: [email protected] and [email protected]

ICO publishes privacy notices code of practice

By James Castro-Edwards, Solicitor, and Vinod Bange, Partner, Speechly Bircham LLP. The authors can be contacted at James.Castro-Edwards@speechlys.com and [email protected].

On June 12, the UK Information Commissioner's Office launched its Privacy Notices Code of Practice. The Code is intended to assist organisations which collect and process personal data to draft more user-friendly privacy notices. The Code is a clear signal from the ICO that existing privacy notices, which are confusing and written in legal jargon, are unacceptable.

Background

The Code follows the ICO's crackdown on misleading small print of February this year. Research conducted by the ICO revealed that half of consumers do not understand what they are signing up to when they fill in online and paper forms. The ICO research revealed widespread consumer cynicism in relation to privacy notices, with consumers believing that privacy notices were drafted to confuse them and simply serve as a licence for companies to sell individuals' personal information. In response to the findings of the research, the ICO expressed concern that "too many companies baffle customers with a lengthy and unnecessary 'legalese'". The research also revealed the following findings:

- consumers wanted to see clearer ways of opting out of receiving marketing, less jargon and a clear explanation of how their personal information would be used;

- half of consumers surveyed suggested that larger text should be used instead of the customary 'small print'; and

- almost three quarters of the UK population did not properly read or understand privacy notices.

As well as calling for organisations to improve their privacy notices, the ICO urges individuals to take the time to read and understand privacy notices in order to understand how their personal data will be used and to avoid being bombarded by marketing material they have

not asked for. In response to the survey, Information Commissioner Richard Thomas said,

"Too many privacy notices involve too much small print and too much confusing gobbledegook. Privacy notices are an important way to inform individuals and ensure that organisations are open about how they use personal information. But no one should need a magnifying glass or a lawyer to find out what will happen to their information, and what their choices are and what their rights are. Too many privacy notices are written to protect organisations, rather than to inform consumers. What chance do people have if privacy notices are written in complex legalese? How can you make an informed decision without understanding what you are signing up to? Organisations should only collect the minimum of personal information and they must explain what they will do with it in clear, plain language."

The ICO was not alone in its condemnation of current practices surrounding the use of privacy notices. Television broadcaster and consumer champion, Nick Ross, expressed his support for the campaign, recognising that data controllers that hide dubious privacy and marketing practices behind legal jargon or small print are a widespread problem.

The Code places the responsibility firmly with data controllers for explaining in a clear manner exactly what will be done with individuals' personal data. The underlying message in the Code is that organisations must use personal information in a way which people would expect.

At the same time, the ICO has made it very clear that individuals should take the time to read privacy notices, in order that they understand exactly what they're permitting companies to do when their personal data is collected. The ICO also published a leaflet aimed at individuals explaining the protection they should expect in privacy notices and what they can do if they feel their information has been misused.

The guidance contained in the Code

The Code is aimed at organisations that process personal data. As a starting point it recommends that plain English is used rather than "legalese or technical language". It also emphasises that the duty to actively communicate a privacy notice is the strongest where a data subject is unlikely to expect the processing undertaken by the data controller in respect of their data, or where the data collected is particularly sensitive. Sensitive personal data is defined by the Data Protection Act 1998 and includes data relating to an individual's health, sexual life, religious or philosophical beliefs or criminal record. The Code goes on to explain that an organisation which only processes personal data in an obvious way may not need to actively draw data subjects' attention to its privacy notice.

The Code explains the purpose of a privacy notice, mainly to satisfy the first principle of the DPA. However, the ICO points out that a privacy notice drafted in legal language solely to cover the legal obligations of the data controller is unlikely to satisfy the objectives of the Code. The Code is aimed at all organisations which collect information about individuals. The ICO gives a number of examples:

- organisations which ask people to fill in their names, addresses and health information on an official form;

- information about shoppers from their loyalty card transactions;

- call centres which record and retain calls made by customers; and

- analysis of consumers' online purchasing habits to send out targeted special offers and recommendations to those same consumers.

The Code explains what information must be included in a privacy notice under the DPA, and goes on to explain the necessity of fairness and transparency in drafting a privacy notice. It also recommends that in situations where data controllers use data for a variety of reasons, rather than having a single "catch all" policy it may be advisable to have a number of policies which are tailored to their data subjects. The Code does not give any specific examples, but this would cover, for example, a privacy notice used to inform potential recruits as well as potential customers about the way their information will be processed. The Code goes on to emphasise the necessity for transparency, and explain the difference between transparency and consent. While valid consent requires transparency from the data controller, a detailed description of processing and disclosure, no matter how transparent, does not in itself amount to consent.

The Code explains that there is no requirement to "actively communicate" a privacy notice where the collection and use of personal data is obvious, for example where individuals requesting a service cannot receive the service unless they provide personal data such as their name and address. However, even in cases where the use of personal data is obvious, the ICO still recommends that organisations have a privacy notice in place, for those data subjects who wish to understand more about the ways in which their information is processed. Active communication involves taking positive action to provide the privacy notice to a member of the public, for example by sending a letter, reading from a script or sending a copy of the privacy notice by email. The Code goes on to say that where data is collected from data subjects and the data controller subsequently decides to process the data in another manner, consent from the data subject should be actively sought. In practice, this will involve contacting the affected data subject and may require opt-in consent for the data subject's approval of the new purpose, depending upon the circumstances.

The ICO recognises the value to data controllers in data

sharing with third parties. However, because of the risks to individuals by collating different data sets about them, information such as the names of the third parties to whom data is disclosed should be given when the data is collected. In particular, those organisations which collect personal data expressly with the intention of selling that on to unspecified third parties must make this very clear to the data subject. The Code says that where data is collected for one purpose and subsequently used for another purpose, which was not revealed to the data subjects, the data controller may well be in breach of the DPA.

Drafting privacy notices

Transparency

The Code makes it very clear that the primary purpose of a privacy notice is to inform data subjects about the uses of their data in a clear and transparent manner. It is not to indemnify an organisation against claims from data subjects.

Same media

The guidance also recognises that privacy notices are not just limited to online privacy policies, but extend to oral notices, printed notices or notices conveyed by way of poster as well as privacy policies in electronic form. The Code suggests that the medium through which personal data is collected is also used to transmit the privacy notice, so in a face to face meeting where individuals' details are collected by the data controller, the individual should be informed orally of the privacy notice during the meeting. Where the circumstances in which personal information is collected make it impossible to transmit the privacy notice, data controllers must ensure that they do not process data in a way that would be unexpected by the data subject.

Layered

The Code recommends a "layered" approach, where the basic information is readily accessible, as most data subjects are unlikely to read the whole policy. However, a layered policy would also include more detail which the interested data subjects can find by, for example, following a link.

Vulnerable groups

The Code also recommends that where a privacy notice is aimed at a vulnerable group, for example children, it is drafted in such a way that it is understandable by the vulnerable data subject. It recommends that privacy notices are reviewed on an ongoing basis to reflect any changes in the data processing activities of the data controller.

Practical examples

The Code gives a number of practical examples of good and bad privacy notices. Most of the given examples of bad privacy policies will not be unfamiliar to readers. For example, a large block of small print text containing legal language is considered as bad practice, in particular when compared with simple language, clear font and style. Explanations of why information should be provided (such as providing a phone number to assist with an insurance claim) are encouraged, along with honest explanations of the outcomes of choosing not to provide certain information. However, practices such as implying the provision of certain information is mandatory when in fact it is not, referring generally to "third parties" rather than identifying those individuals or entities and using confusing language are regarded as bad practice. Practices such as referring to the DPA and the use of official sounding or legal language are discouraged since this is off-putting to users, while clear, straightforward guidance and helpful advice are encouraged.

Comments

The Code is likely to apply to the vast majority of privacy notices currently in use, and will be useful to even those organisations that have genuinely tried to make their privacy notices as clear, transparent and user-friendly as possible. The ICO has made it very clear that a privacy notice is not to protect the data controller but to protect the data subject. The ICO is not alone in its view that most existing privacy notices are inadequate and do not achieve their intended purpose. In May of this year the London School of Economics and Political Science in conjunction with 80/20 Thinking published its report for the Working Group on Consumer Consent. The Report commented on the fact that for consent to be valid, the data subject should be properly informed by the data controller as to how the data subject's data would be processed. The Report notes that privacy notices are inherently complex and difficult to follow for users. Many studies show that individuals simply never read them. However, both the Report and the Code place emphasis on individuals to take the time to read privacy notices. Data subjects are urged to actually read privacy notices in order to fully understand the purposes for which their data will be processed. Though clearly, individuals are unlikely to take an interest until organisations adopt a more user-friendly approach in drafting privacy notices. In the US earlier this year, government research into the way that bank customers best understand privacy and information sharing policies revealed that the solid text format used by most policies is ineffective in achieving its intended aim, when compared to alternative approaches. The research commissioned by the US government created fake notices, typical of those currently used by US banks, and found that the tabular notice format was the most effective at helping users to understand its content.


Clearly, organisations that collect personal data and process it in a manner which may not be readily apparent or readily obvious to data subjects should take the recent guidance to heart. While organisations which rely on privacy notices may be reluctant to revisit them, the ICO suggests that by being transparent and honest with data subjects, an organisation will benefit.

A good privacy notice increases trust and improves the relationship with the people companies collect information about. A good privacy notice also:

- gives a competitive advantage by reassuring data subjects that their privacy is a serious issue;

- encourages people to provide more valuable information by instilling confidence that it will be used properly;

- allows customers to indicate their marketing preferences which may encourage them to respond more positively; and

- decreases the risk of queries, complaints and disputes about the data controller's use of the data subjects' personal information.

The Code is not legally binding, however in his introduction to the Code, Information Commissioner Richard Thomas says, "I will take its standards into account when for example, I receive a complaint that information has been collected in an unreasonable way". Accordingly, if an organisation that was being investigated by the ICO had failed to follow the guidance, that organisation would have done itself no favours in demonstrating a desire to comply with the DPA.

Benefits aside, it will be interesting to see if, following the publication of the Code, the Information Commissioner takes enforcement action against organisations which rely on incomprehensible privacy policies to license sharp practice with consumers' personal information. Prudent data controllers would then do well to revisit their privacy policies in the light of the new guidance.

Administration proposes new Federal Consumer Financial Protection Agency

By Heidi Salow, Of Counsel, and Micah Thorner, Associate, DLA Piper.

Addressing the Obama Administration's proposals to reform financial regulation in the US, Barney Frank (D-MA), Chairman of the House Financial Services Committee, has promised to report legislation which would create a new Consumer Financial Protection Agency (CFPA) before the House adjourns for its August recess at the end of July 2009.

This proposed new agency would be authorised to concentrate in one agency many of the consumer protection powers over mortgages and credit cards that now are spread across as many as 10 federal regulators. The Obama Administration proposal is set forth in a Department of the Treasury report, "Financial Regulatory Reform: A New Foundation".

Heidi Salow is Of Counsel in the Communications, Privacy and eCommerce group at DLA Piper, a global law firm with over 67 offices in 38 countries. Ms Salow has been handling cutting-edge privacy and data security, intellectual property and e-commerce issues for most of her career. Her practice includes transactional, legislative, and compliance work for Fortune 500, mid-sized and start-up companies. She also regularly advocates on public policy and legislative matters before the Federal Trade Commission, Federal Communications Commission, state legislatures, and members of Congress. Her clients come from a variety of industries including the telecommunications services, education, hotel/hospitality, medical and consumer products industries. She can be contacted at: Heidi.Salow@dlapiper.com

Micah Thorner is an Associate in the Communications, Privacy and eCommerce group at DLA Piper. Her practice focuses primarily on international data protection regimes and compliance with federal privacy and data security laws. She counsels clients on ways to manage international data flows, particularly mechanisms for US companies to comply with the EU Data Directive. She can be contacted at: [email protected]

The Report reflects the Obama Administration's view that a broad reorganisation of the way the government regulates its financial system and protects consumers is necessary because consumer protection has allegedly taken a back seat to other aspects of bank regulation. This view follows the issuance, in the waning months of the Bush Administration, of strong credit card regulations by the Federal Reserve Board, compounded by the recent enactment of legislation that threatens to dramatically alter the existing business model that has historically governed the credit card industry.

The CFPA would be charged with ensuring that consumers have clear information about the financial products or services they purchase, as well as protecting them from any deception they might encounter when purchasing such products. The proposed legislation suggests that the agency could accomplish these objectives by requiring lenders to make safer, "plain vanilla" products clearly available to consumers, while stepping up

scrutiny on alternative products. The agency would be empowered to issue new regulations requiring financial disclosure documents to "balance communication" of the relative merits of the products or services, "prominently disclose significant risks and costs," and communicate those risks and costs in a "clear, concise, and timely" manner. In short, the Administration proposes a reform of financial services regulations that purports to integrate the consumer perspective, by rule, into the marketing and sale of financial services and products.

These reforms have many legislators and businesses very worried. Some of their key concerns about the proposal include:

1. Broad authority over financial products

Under the terms of President Barack Obama's plan, the new agency would have sweeping authority over providers of financial products, including banks and credit card companies. The authorisation language in the proposal is very broad and so the precise impact of any forthcoming regulations is difficult to gauge. Nonetheless, many in the financial services industry have expressed grave concerns about whether this proposal will add yet another layer of regulation and whether the federal government, in the form of the CFPA, will soon be dictating the terms of the products the industry offers – for example, the rate and fees that can be charged to credit card customers – and whether rules that are virtually unreviewable could meaningfully alter their business models and threaten their economic viability. In addition, given the broad language used to define the concepts of financial services and products in this new proposed statute, and the extensive delegation of authority provided to this new agency by the contemplated legislative provisions, it is possible that jurisdiction may be asserted over products and services not traditionally seen to be within the scope of conventional financial services and products. One consequence of being subject to such jurisdiction would include the possibility of non-recognition of an agreement to arbitrate.

2. New regulator with less knowledge

The proposal removes responsibility for consumer protection from the existing federal banking agencies and Federal Trade Commission and sequesters it in a new federal agency with no other defined purpose other than to "promote transparency, simplicity, fairness, accountability, and access in the market for consumer products or services." The CFPA would be charged with protecting consumers of credit, savings, payment, and other consumer financial products and services, except for investment products and services currently regulated by the SEC. The FTC would retain authority for dealing with fraud, remain the lead agency for data security and have backup authority for the CFPA. The new agency, however, would become responsible for privacy protection related to financial products, services and transactions.

Because the CFPA's supervisory, examination and enforcement authority would extend to all persons and entities covered by the statutes it implements, as well as by statutes with no or limited rule-writing authority (such as the Fair Credit Reporting Act [FCRA] or Gramm-Leach-Bliley Act [GLBA]), all federal and state chartered depository institutions, bank affiliates and other non-banking institutions would fall within its jurisdiction despite the new agency's limited knowledge of financial regulations issued across multiple federal agencies. In other words, critics contend, the new agency would have enforcement authority without the necessary technical and institutional expertise to successfully protect consumers. It should be added that enforcement authority for this new agency not only contemplates the ability to litigate free of the Justice Department in federal courts, but also to represent itself before the United States Supreme Court following notice to the US Attorney General.

Because most, if not all, financial services products would be regulated by one agency, it is possible that such a structure would give the CFPA only some of the information it would need for effective regulation, making the whole system weak and inefficient.

3. New disclosure standard creates uncertainty for financial services companies

In March 2007, eight federal regulators (the Board of Governors of the Federal Reserve System, the Commodity Futures Trading Commission, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller, the Office of Thrift Supervision and the Securities and Exchange Commission) requested comment on a model privacy form (Model Form) that financial institutions would be able to use for their privacy notices to consumers, as required by GLBA. The agencies made clear that use of the Model Form (expected to be finalised in August) would be entirely voluntary but would allow entities to qualify for a safe harbor. Achievement of safe harbor status would depend on vigorous adherence to the content and format requirements set forth in the proposed rule, however. The information contained in the proposed Model Form is highly standardised, permitting very little variation among entities' disclosures about their information sharing practices.

The Administration's proposal would potentially limit the ability of financial service providers to obtain this safe harbor by using the Model Form. The Administration's Report proposes that the CFPA enact regulations:

- making all mandatory disclosure forms clear, simple and concise;

14 07/09 Copyright ஽ 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579 Legislation and Guidance s requiring that disclosures and communications with and communications, it is unclear at this early juncture customers be clear and reasonable; and whether the proposed Model Form will become obso- lete. s allowing the CFPAtouse technology to make disclo- sures more dynamic and relevant. Conclusion

The plan would require financial service providers to Given the role that abusive and overly complex exotic present disclosures that are ‘‘technically compliant, non- mortgage products played in sparking the financial cri- deceptive and reasonable’’. To satisfy this new standard, sis, at first glance an independent agency dedicated to marketing materials, notices (including privacy notices) consumer financial protection might not seem terribly and other consumer communications would have to radical. But the true impact of such anew federal bu- identify any significant product risks, and aprovider that reaucracy,operating with asingular purpose yet in the failed to meet this duty would be subject to action by the absence of any true institutional context, lies in the CFPA. When introducing anew product or service, a many details to be unveiled as the legislative process provider would risk liability –even for using amodel evolves. Already,many serious questions have arisen, form –unless the provider obtained a‘‘no action letter’’ with answers yet to come. or waiver from the CFPA. Acopy of the reportisavailable from: http:// www.finreg21.com/content/financial-regulatory-reform-a-new- In light of these specific proposals for consumer notices foundation-1 Privacy,data breach protection and notification laws: changes to US privacy laws

By Gregory T. Casamento, Partner, New York, Brian T. Casey, Partner, Atlanta, Patrick J. Hatfield, Partner, Atlanta and Vita E. Zeltser, Associate, Atlanta, Locke Lord Bissell & Liddell.

Gregory T. Casamento focuses his practice on business, commercial, insurance and intellectual property litigation and technology transactions. Mr. Casamento has significant experience litigating trademark infringement claims, technology, contract and restrictive covenant disputes, and insurance issues for his clients before both State and Federal Courts. Brian T. Casey is a co-leader of Locke Lord's Insurance Practice Group, and a member of the firm's Corporate, Capital Markets and Healthcare Practice Groups. Mr. Casey focuses on corporate, M&A, and regulatory matters for corporate clients in the insurance, financial services and health care industries. Patrick J. Hatfield co-chairs the Firm's Technology Transactions Group. Throughout his legal career, Mr. Hatfield has focused on financial services, intellectual property and technology, gaining valuable experience as in-house counsel. Vita E. Zeltser focuses on general corporate and corporate governance matters, preparation and negotiation of commercial contracts, commercial lending and debt financing, and mergers and acquisitions.

The overwhelming majority of individual states in the US require those who own, license, store or maintain personally identifiable information of that state's residents to provide notice to those residents when their personally identifiable information has been breached.1 Navigating the patchwork of each state's notification laws, and complying with those laws in the event of a breach, does not come cheap. Studies show that, on average, a data breach in a US company costs $202 per lost record in associated lost business costs, as well as notification compliance costs.2 One can imagine that the cost for a non-US company would be even higher, given the additional costs and burdens of compliance across international territories. Notwithstanding the multitude of laws intended to protect residents' personally identifiable information, the associated costs of compliance both pre-breach and post-breach, and the reputational injury that occurs, major data security breaches in the US are commonplace. News of employees engaging in the unauthorised review of employee personnel, customer or patient records, stories of stolen or lost laptops containing the names, addresses, federally issued Social Security numbers and credit card numbers of customers or employees, and criminal investigations of sophisticated hackers accessing customer or employee information through cyber-piracy serve as sobering reminders that in the era of digitised personal information and portable electronic devices, data security breaches occur with alarming frequency. Thus, it comes as no surprise that the laws governing the safeguarding of personally identifiable information and data security breach notification requirements are expanding in scope and stringency as US federal, state and related governmental agencies attempt to respond to this reality and to their residents' concerns about the protection of personally identifiable information.

Massachusetts Security Breach Regulations: a sign of what's to follow?

The state of Massachusetts, for example, has taken a significant step to address data security through the efforts of the Massachusetts Office of Consumer Affairs and Business Regulation ("MCA"). The MCA recently enacted a regulation, effective January 1, 2010 (the "Massachusetts regulation"), setting stricter security standards for the protection of all Massachusetts residents' personally identifiable information and broader notification requirements for the breach of such information. These standards, which cover personally identifiable information in both electronic and paper form, include specific encryption requirements for all persons that own, license, store or maintain such information about Massachusetts residents.3 The term "Massachusetts Resident" in the regulation indicates that any company or entity, whether located in Massachusetts, another state, or even outside the United States, that owns, licenses, stores or maintains a Massachusetts Resident's personal information is subject to the Massachusetts regulations.4 While presently many US states require pre-breach security measures and post-breach notification requirements to safeguard personally identifiable information, those measures are not as comprehensive as those that will become mandatory under the Massachusetts regulation.5 The substantive details of the Massachusetts regulation, the Massachusetts notion of "residency" and its effect on non-US holders of personally identifiable information (defined as collectors, users, sellers, or holders of personally identifiable information) are discussed more fully below.

Federal legislation

The US Senate has also responded to the call for additional protections on personally identifiable information, though moving at a much slower pace than Massachusetts. A proposed federal bill sponsored by Sen. Dianne Feinstein (D-CA), titled the Data Breach Notification Act ("Senate Bill 139"), would require all federal agencies and persons engaged in interstate commerce who are in possession of data containing sensitive personally identifiable information to disclose any breach of such information. The federal bill provides that once it is passed into law, it "shall supersede... any provisions of law of any [s]tate relating to notification by a business entity engaged in interstate commerce or an agency of a security breach," subject to some exceptions for victim protection assistance provided by state laws.6 This bill has been in the Senate Committee on the Judiciary since January 6, 2009, and no action has been officially reported on it since that date, so given the passage of time it is possible that this bill may not become law during the current congressional term.

Most recently, on April 30, 2009, the US House proposed the Data Accountability and Trust Act ("House Bill 2221"),7 which contains certain information security safeguards aimed at protecting computerised data containing personal information and, like Senate Bill 139, requires a nationwide data security breach notification in response to a breach. The House bill was recently amended and recommended for a full committee vote of the House Energy and Commerce Committee.

The trend continues

The Massachusetts regulation and the two proposed federal bills constitute a drastic expansion of security and notification obligations and requirements, and both are the bellwether for future laws and regulations in the data security management and breach notification areas.8 Therefore, the key requirements of the Massachusetts regulation and the proposed federal bills will be discussed in greater depth below to give non-US based holders of personally identifiable information a better understanding of how to prepare to meet the upcoming data management and security challenges associated with handling personally identifiable information. If either the Senate bill or (as seems more likely) the House bill is enacted, it would preempt current state notification laws, creating a uniform national standard for data breach notification.

Massachusetts: written comprehensive program requirement

The new Massachusetts regulation, 201 CMR §§ 17.01 – 17.04, referred to as the "Standards for the Protection of Personal Information of Residents of the Commonwealth," provides the minimum standards to be met in connection with the safeguarding of personally identifiable information contained in both paper and electronic records. The regulation requires all persons that own, license, store or maintain personally identifiable information about a Massachusetts resident to develop, implement, maintain and monitor a comprehensive written information security program to safeguard that information.9 The program must be consistent with industry standards, and must contain administrative, technical and physical safeguards to ensure the security and confidentiality of personal information. Although the regulation provides that the information security program's scope will depend on the size, scope, and type of business at issue, the amount of available resources and stored data and the need for security and confidentiality, the regulation provides a list of specific elements the information security program must contain, including:

1. designating a specific employee to maintain the information security program,
2. identifying and assessing reasonably foreseeable internal and external risks,
3. developing security policies in connection with records that are transported outside the business premises,
4. imposing disciplinary measures for violations,
5. preventing terminated employees from accessing records by immediately terminating their access to physical and electronic records,
6. verifying that third-party service providers adhere to equally stringent security measures,
7. limiting the amount of sensitive personal information collected and retained,
8. identifying the electronic media that contain personal information,
9. placing reasonable restrictions on records containing personal information,
10. regularly monitoring the information security program,
11. reviewing the scope of the program at least annually, and
12. documenting all responsive actions taken.10

The regulation also contains computer system security requirements that call for, among other measures, secure user authentication protocols (control of user IDs and reasonably secure passwords), restricting access to personally identifiable information to those with a need to know in order to perform their job duties, education and training for employees, and similar security measures. The regulation also requires, to the extent technically feasible, encrypting all transmitted records containing personal information that will travel across public networks, encrypting all data containing personal information to be transmitted wirelessly, and encrypting all personal information stored on laptops or other portable devices.

The broad implications of the regulation for non-US businesses and other entities handling personally identifiable information cannot be overstated. The technical requirements of the regulation go beyond any current state laws and will require companies to rewrite their IT playbook and, specifically, their data security management and data breach response plans. Moreover, the fact that the regulation applies to records stored in both paper and electronic form should provide incentive for those holders who have been waiting to convert paper records to electronic records. Finally, because the regulation applies to information about employees who are Massachusetts residents, even entities that do not engage in transactions with consumers, and are otherwise exempt from the requirements of the US Federal Trade Commission's ("FTC") Red Flags Rule,11 will need to adopt a written comprehensive information security program to meet the standards. These changes are significant, and non-US based holders of personally identifiable information should plan, adopt and test their revised information security programs now, so that those programs meet the regulation's standards on January 1, 2010.

The Massachusetts regulation protects the personal information of all "residents" of Massachusetts. Unfortunately, the term "resident" is not defined anywhere in the Massachusetts statutes. Indeed, there is no formal procedure for establishing a legal residence in Massachusetts, and the definition of "resident" varies depending on the context in which the term is used. Voter registration, automobile registration, a driver's licence, the appearance of a person's name on a city or town street list, and rent, utility, mortgage or telephone bills normally provide tangible proof of residence. Regardless of context, though, "resident" appears to be a broadly defined term. Massachusetts regulators elected to use the term "resident" instead of "citizen" in the data protection regulations, thus evincing intent to protect a broader range of individuals subject to jurisdiction. Citizenship is equated not with residence but with "domicile," which is defined as the place where an individual has his "true fixed home and principal establishment, and to which, whenever he is absent, he has the intention of returning."12 "Citizen" is a more restrictive term than "resident"; the terms are not interchangeable and signify different classes of people, "residents" being the much broader class.13

For a non-US company that has experienced a security breach, determining which of the individuals whose information may have been compromised by the breach are protected by the Massachusetts regulation will present some challenges, given the absence of clear authority for establishing residency in this context. If the person affected by the breach is an employee, the company would look to the state to which the employee pays income taxes, the state in the employee's home address, the state of the employee's driver's licence, or other similar indicators. If the affected person is a customer or patient, that person's home address on file with the company, or other information, such as the state of the person's automobile registration or driver's licence, or any other state-specific information the company may have on record, could also be used as a guide to determine residency. Where any one of these factors points to Massachusetts residency, the company may choose to err on the side of caution and provide breach notification to such individuals as a precautionary measure.

Federal Data Breach Notification Act

Senate Bill 139, the proposed Federal Data Breach Notification Act, requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information to (a) provide notice to any US resident whose information may have been accessed or acquired following the discovery of a security breach; and (b) provide notice to the owner or licensee of any such information that the agency or business does not own or license. As noted above, the federal bill provides that once it is passed into law, it "shall supersede... any provisions of law of any [s]tate relating to notification by a business entity engaged in interstate commerce or an agency of a security breach," subject to some exceptions for victim protection assistance provided by state laws.14 Senate Bill 139 exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes; (2) security breaches where the agency or business conducts a risk assessment that concludes there is no significant risk of resulting harm, provides the results of the risk assessment to the Secret Service, and the Secret Service does not respond within 10 days with a written directive requiring notification; and (3) business entities that utilise a security program that blocks the use of sensitive personally identifiable information and provides notice of a breach to affected individuals. Under certain circumstances, the Secret Service, the FBI, the Postal Inspection Service, and State Attorneys General must be notified of the data security breach. Senate Bill 139 includes appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches. Certain violations are punishable by civil penalties, and the US Attorney General and State Attorneys General may bring a civil action against any business entity that violates Senate Bill 139. Senate Bill 139 further amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer that submits evidence of compromised financial information to a consumer reporting agency. The text of Senate Bill 139, as currently drafted, is likely to undergo significant revisions, and as of the date of this article the proposed Act had been forwarded to the Senate Committee on the Judiciary.

Federal Data Accountability and Trust Act

On April 30, 2009, House Bill 2221 was proposed with bipartisan sponsorship in the US House of Representatives. It was amended and forwarded to the full House Commerce Committee on June 3, 2009. The proposed bill requires the FTC to promulgate regulations requiring each person engaged in interstate commerce that directly or through a third party owns or possesses data in electronic format containing personal information to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information, including destruction of such information. Additionally, the proposed bill contains data security breach notification requirements applicable to any person engaged in interstate commerce that owns or possesses data in electronic format containing personal information.

House Bill 2221 notification requirements are largely similar to those currently in force in most states, with some substantive modification. The bill requires notices of a data breach to be sent to all affected US citizens or residents and to the FTC. If health information is breached, the Secretary of Health and Human Services is to be notified. The bill also contains special provisions not otherwise found in state laws for telecommunications carriers, cable operators, information services and interactive computer services providers. Notifications are to be made in written form or, under certain circumstances, by email, as is currently permitted in most states. The notification must contain a description of the personal information acquired, a summary of the recipient's rights to free credit reports, and contact information for the company sending the notices, the credit reporting bureaus, and the FTC. Importantly, House Bill 2221, as proposed, has several major limitations that are similar to limits already in existence in some but certainly not all current state laws and regulations. First, it exempts from the notification requirement persons who determine that there is no reasonable risk of identity theft, fraud, or other unlawful conduct resulting from the breach. Second, the bill provides that encryption of data in electronic form, and other technologies the FTC may later identify, establishes a presumption that no reasonable risk of identity theft, fraud or other unlawful conduct exists following a breach. The presumption may be rebutted by facts showing that the encryption may be compromised. In practice that turns on whether the key was exposed along with the data: a laptop taken while it was unlocked, or a database copied together with its decryption key, is encrypted in name only and should not be expected to earn the presumption. Third, the bill requires that, subject to some limitations, companies who must send breach notification letters must, upon request of individuals whose information was breached, provide consumer credit reports to those individuals at no cost for two years. Finally, the bill allows the FTC to post notices of data security breaches on its website, thus magnifying the publicity given to a breach.

House Bill 2221, as proposed, grants enforcement authority to the FTC, and grants state attorneys general the right to bring civil actions against violators, with penalties up to $5,000,000. As with Senate Bill 139, House Bill 2221 as currently drafted is likely to undergo significant revisions.

In summary, as the law of privacy and data security continues to evolve, it becomes clear that non-US holders of personally identifiable information will need to plan ahead to respond to the challenges posed by a continuously evolving legal and regulatory landscape, including the Massachusetts regulation, which takes effect on January 1, 2010.

Contingency planning

In addition to complying with the specific laws requiring particular security measures to be in place, companies are encouraged to develop a response plan in advance of an actual security incident. Even with the best security measures in place, many companies will face the unpleasant experience of having to navigate these various laws to determine the applicable notice obligations. A security incident may occur within a company's own IT infrastructure or at the facilities of one of its IT/outsourcing suppliers. A basic contingency plan will help a company respond thoughtfully and quickly. That contingency plan should, at a minimum, identify who within the company and among its advisors should be brought together immediately following the first indication of an incident. The first response team should include the necessary IT and security representatives as well as representatives from the legal and compliance departments who are familiar with the regulatory landscape in the relevant jurisdictions. The relationship manager from each significant IT/outsourcing supplier should also be named in the communication tree to expedite evaluating incidents involving that supplier. For more information on information security breach or loss notification laws, preparing breach or loss remediation plans, legally compliant breach notices or any of the other issues discussed in this article, contact the authors listed on the first page or any member of Locke Lord's Technology Transactions Group.

NOTES

1 The definition of personally identifiable information varies by state, but at the US federal level is often defined as "any name or number that may be used, alone or in conjunction with any other information, to identify a specific individual, including any — (A) name, [a federally issued] Social Security number, date of birth, official [s]tate or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number; (B) unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation; (C) unique electronic identification number, address, or routing code; or (D) telecommunication identifying information or access device." See 18 USC § 1028(d)(7). A few examples of state laws protecting this information are: California – Cal. Civ. Code § 1798.82; Georgia – O.C.G.A. § 10-1-910 et seq.; Illinois – 815 Ill. Comp. Stat. 530/1 et seq.; Louisiana – La. Rev. Stat. § 51:3071 et seq.; La. Admin. Code tit. 16, pt. III, § 701; Massachusetts – Mass. Gen. Laws ch. 93H, § 1 et al.; New York – N.Y. Bus. Law § 899-aa; Texas – Tex. Bus. & Com. Code § 48.001 et seq.; Washington, D.C. – DC Code Ann. § 28-3851 – 3853.
2 This figure accounts for an average of $139 lost business costs per record lost, as well as unbudgeted out-of-pocket spending on incident detection and investigation, notification of victims, and related expenses and costs. Ponemon Institute, LLC 2008 Annual Study: Cost of a Data Breach, http://download.pgp.com/pdfs/whitepapers/Ponemon_COB_2008_US_090201.pdf (last accessed July 6, 2009).
3 The Massachusetts regulations, known as the "Standards for the Protection of Personal Information of Residents of the Commonwealth," define personal information as "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) [S]ocial [S]ecurity number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that 'Personal information' shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public." 201 CMR 17.02.
4 See 201 CMR 17.01 ("This regulation implements the provisions... relative to the standards to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts...").
5 For example, since October 2008, Nevada's breach notice law requires all Nevada businesses to encrypt all electronic transmissions (other than faxes) of a consumer's personal information if the information is sent outside the secure system of the business. Nev. Rev. Stat. 570.970 (2005).
6 S. 139, 111th Cong. § 10 (2009).
7 H.R. 2221, 111th Cong. (2009).
8 The health information technology section of the American Recovery and Reinvestment Act of 2009 that President Obama signed on Tuesday, February 17, 2009 (the "HITECH Act") contains numerous provisions affecting health privacy and security, electronic health information and updates to the Health Insurance Portability and Accountability Act ("HIPAA"). Among these changes were new notification requirements for breaches of privacy, security or integrity of personal health information (PHI). On April 16, 2009, the US Federal Trade Commission issued the proposed Health Breach Notification Rules regarding breach notification requirements for vendors, their related entities and third party service providers when electronic health information is breached. Once finalised, these rules would apply to breaches that are discovered on or after September 18, 2009. On April 17, 2009, the Department of Health & Human Services issued guidance regarding technologies and methodologies that can be used to render PHI unusable, unreadable, or indecipherable to unauthorised individuals and, in effect, provides covered entities and their business associates with an optional safe harbor from the new data security breach notification requirement. HIPAA covered entities and business associates, as well as the new entities that are covered under the new FTC rules, should be prepared to comply with breach notification requirements that are being finalised.
9 201 CMR 17.01.
10 201 CMR 17.03(3).
11 The FTC's Red Flags Rule, which will be enforced by the FTC as of August 1, 2009, requires entities subject to the FTC's jurisdiction to adopt written identity theft prevention policies – or, essentially, pre-breach security measures.
12 See Valentin v. Hospital Bella Vista, 254 F.3d 358, 366 (1st Cir. 2001).
13 See McMorris v. TJX Companies, Inc., 493 F. Supp. 2d 158, 162 (D. Mass. 2007).
14 S. 139, 111th Cong. § 10 (2009).

The authors can be contacted at: Gregory T. Casamento, 212-812-8325, [email protected]; Brian T. Casey, 404-870-4638, [email protected]; Patrick J. Hatfield, 404-870-4643, phatfi[email protected]; Vita E. Zeltser, 404-870-4666, [email protected]
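As an added example (not from the article, the regulation or the authors), here is a scoping check that encodes the 201 CMR 17.02 definition quoted in note 3 together with the residency heuristic the article describes (any indicator pointing at Massachusetts is treated as residency, erring on the side of caution). It walks a set of constructed records and reports which ones are personal information of a Massachusetts resident and which 17.02 data elements make them so. The record layout, the field names (`address_state`, `licence_state`, `card_number` and so on), the structural SSN test and the Luhn check for card numbers are assumptions made for this example; they tell a plausible SSN or card number from a random digit run, they do not prove that one is real.

```python
"""Scope check for 'personal information' under 201 CMR 17.02.

Added example, not from the article or the regulation: flags records that
pair a name with at least one of the listed data elements and that carry at
least one Massachusetts residency indicator.  Record layout, field names,
the structural SSN test, the Luhn check and the sample data are assumptions
made for this example.
"""
import re
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Structural SSN test: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")

# Any of these (assumed) fields saying "MA" is treated as a residency
# indicator, following the article's "err on the side of caution" approach.
RESIDENCY_FIELDS = ("address_state", "licence_state", "tax_state", "vehicle_reg_state")


def looks_like_ssn(value: str) -> bool:
    return bool(SSN_RE.match(value.strip()))


def luhn_ok(number: str) -> bool:
    """Luhn mod-10 check, so a 16-digit order number is not taken for a card."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def data_elements(rec: Record) -> List[str]:
    """The 17.02 (a)-(c) elements present in the record, in that order."""
    found = []
    if looks_like_ssn(rec.get("ssn", "")):
        found.append("ssn")
    if rec.get("drivers_licence", "").strip():        # no single format to test
        found.append("drivers_licence_or_state_id")
    if luhn_ok(rec.get("card_number", "")) or rec.get("account_number", "").strip():
        found.append("financial_account")
    return found


def is_massachusetts_resident(rec: Record) -> bool:
    return any(rec.get(f, "").strip().upper() == "MA" for f in RESIDENCY_FIELDS)


def in_scope(rec: Record) -> Tuple[bool, List[str]]:
    """(True, elements) when the record is a Massachusetts resident's personal
    information under 17.02; (False, []) otherwise."""
    has_name = bool(rec.get("first_name", "").strip()) and bool(rec.get("last_name", "").strip())
    if not has_name:                                   # name or initial plus surname required
        return False, []
    if rec.get("public_record", "").strip().lower() == "true":
        return False, []                               # the lawfully-public carve-out
    if not is_massachusetts_resident(rec):
        return False, []
    elems = data_elements(rec)
    return bool(elems), elems


def scope_report(records: List[Record]) -> Dict[str, Tuple[bool, List[str]]]:
    return {rec["id"]: in_scope(rec) for rec in records}


# Constructed sample records for this example (no real people or numbers).
SAMPLE_RECORDS: List[Record] = [
    {"id": "r1", "first_name": "Jane", "last_name": "Doe",
     "ssn": "123-45-6789", "address_state": "MA"},
    {"id": "r2", "first_name": "J", "last_name": "Smith",          # an initial is enough
     "card_number": "4111 1111 1111 1111", "address_state": "NH", "licence_state": "MA"},
    {"id": "r3", "first_name": "Bob", "last_name": "Jones",        # bad SSN, non-Luhn number
     "ssn": "000-12-3456", "card_number": "1234 5678 9012 3456", "address_state": "MA"},
    {"id": "r4", "first_name": "Alice", "last_name": "Lee",        # no MA indicator
     "ssn": "234-56-7890", "address_state": "CA"},
    {"id": "r5", "first_name": "Carl", "last_name": "Reed",        # public-record carve-out
     "drivers_licence": "S12345678", "address_state": "MA", "public_record": "true"},
]

if __name__ == "__main__":
    for rid, (hit, elems) in scope_report(SAMPLE_RECORDS).items():
        print(rid, "IN SCOPE" if hit else "out of scope", ",".join(elems))
```

Run over a real extract, the point is the shape of the answer: a record is in scope only when a name and at least one listed element sit together, and the public-record carve-out takes it back out again. A full data-discovery tool would also have to scan free-text fields and attachments; this only looks at labelled columns.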

The Security versus Privacy paradox: a virulent fallacy under challenge

By Malcolm Crompton, Managing Director at Information Integrity Solutions [IIS].

Malcolm Crompton can be contacted at: MCrompton@iispartners.com. IIS is a specialist privacy consultancy; its services include privacy impact assessments, privacy thought leadership and advice and strategy. Information about IIS is available at www.iispartners.com. Malcolm regularly blogs on www.Openforum.com.au. An earlier version of this article first appeared on the Open Forum.

How often have you heard somebody argue that there has to be a trade-off between security and privacy? The argument usually runs something along the lines that in order to keep you secure, you have to give up some aspect of your privacy. For example, you must exhibit a lot of evidence of identity before completing a transaction or joining a group or organisation.

This fallacy has been challenged vigorously many times, with some of the most cogent reasoning coming from the Information and Privacy Commissioner of Ontario, Ann Cavoukian. She directly challenged the trade-off concept in her 2002 paper "Security Technologies Enabling Privacy (STEPs): Time for a Paradigm Shift"1 and followed up with "The Security-Privacy Paradox: Issues, Misconceptions and Strategies" in 2003.2 The Commissioner first began drawing attention to the fallacy in 1995 in "Privacy-Enhancing Technologies: The Path to Anonymity",3 a ground-breaking paper published with her Dutch counterparts.

For all the effort that has gone into the challenge, the fallacy has lived on. But the tide is turning. On May 29, the US President released the 60-day Cyberspace Policy Review.4 Item 10 in the Near Term Action Plan put forward by the review calls for the nation to: "Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation." Read the US President's remarks at the time of the release5 and count how many times he remarks on the importance of getting privacy AND security right.

Why is this relevant to such campaigns as National E-Security Awareness Week, which took place in Australia in June?6

Because, if nothing else, the two concepts do inform each other. Here is an example: it is possible to improve the security settings in your organisation by intelligently applying privacy principles such as those seen in the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data,7 the APEC Privacy Framework8 and many laws worldwide. For example, consider the National Privacy Principles (NPPs)9 in the Privacy Act of Australia.10 In particular, consider the security guidance supplied by the following NPPs:

NPP1, The Collection Principle: "An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities." From a security perspective, the less personal information you collect, the less there is to keep secure and the less there is to lose. And the less attractive your data sets are to those who want to steal them. An additional bonus: this should also reduce your data handling costs.

NPP2, The Use and Disclosure Principle: "An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless" certain limited exceptions apply. This is totally in line with the "need to know" adage in any security framework.

NPP3, The Data Quality Principle: "An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date." One of the most significant weaknesses in any organisation's security framework is its ability to ensure not only that new staff and contractors are properly provisioned with resources when they commence, but also that they are DE-provisioned when they leave.

NPP4, The Data Security Principle: "An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure." and "An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed..." Enough said!

And so it is possible to work your way through the NPPs in this way.

But in a sense, that is old news. Take emerging technologies and business processes such as the urge to make more use of cloud computing than is already happening with search, data storage, email etc. The perspective in "It's 6 O'Clock - Do You Know Where Your Cloud's Data Center Is?",11 carried in Information Week on June 2, 2009, is well worth reading.

Even if all this guidance is applied well, data losses will happen, even in the best-run organisation. What to do then? Again, it is possible to plan a response based on the hard-learned lessons of recent years from the losses of personal information.

20 07/09 Copyright ஽ 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579 Legislation and Guidance

The 2009 Data Breach Investigations Report12 ,astudy 12 http://www.verizonbusiness.com/resources/security/reports/ conducted by the Verizon Business RISK Team provides 2009_databreach_rp.pdf plenty of surprising insights as to where the security 13 http://www.privacy.gov.au/publications/index.html#G weaknesses in many organisations might really be. The 14 http://www.iispartners.com/downloads/2006-07-Security-breach- Office of the Privacy Commissioner of Australia has also checklist.pdf published a‘‘Guide to handling personal information 15 security breaches’’.13 At IIS, we have published aPrivacy http://www.privacyconference2009.org Breach Check List.14 The check list provides immediate help in the first 24 hours of amajor data loss and sug- gests what to do as matters unfold over the first week and what to think about in the longer term. News

In short, Security AND Privacy go hand in hand, neither by itself sufficient, both informing the other. ASIA PACIFIC And the discussion will continue. The 31st International Highlights from the 31st APPAmeeting Conference of Data Protection and Privacy will be held in Madrid in November.15 Like many of its predeces- The Asia Pacific Privacy Authorities held their 31st Fo- sors, it will be supported by anumber of verychalleng- rum in Hong Kong, June 11–12, 2009. ing preconferences. One will be Privacy by Design: The De- APPAmembers reported on national and international finitive Workshop,which will be held on Monday,Novem- developments, in particular,there were discussions ber 22009 at the Hotel Melia Castilla in Madrid. about how to deal with the privacy challenges surround- Participants will hear from aglobal cross-section of pri- ing new technologies and the security issues posed by vacy leaders who will describe their real-life experiences portable storage devices. The Working Group for Privacy and plans for the use of Privacy by Design. Participants Awareness Week also reported on the success of the and speakers will include Ann Cavoukian, the Privacy 2009 Privacy Awareness Week held in May.Itwas agreed Commissioner of Ontario, Canada, Yoram Hacohen, that the Privacy Awareness Week for 2010 will also take Head of Israeli Law,Information and Technology Au- place during the first week of May. thority,Peter Hustinx, the European Data Protection Su- pervisor,Dr. Jacques Bus, Head of Unit for Trust and Se- Other topics discussed included data breach notification developments in Asia Pacific and an update on the curity in ICT Research at the European Commission, Dr. APEC Privacy Framework. Discussions were also held Alexander Dix, Data Protection and Freedom of Infor- about how best to deal with the privacy implications of mation Commissioner for Berlin, Germany and the Ho- electronic health records. nourable Pamela Jones Harbour,USFederal Trade Commissioner. 
The 32nd APPAmeeting will be held during the first week in December,2009 in Adelaide, Australia. The fallacy may continue, but there is agood chance it will be seen in more realistic light soon. For more information about the outcomes from the Forum, NOTES visit: 1 http://www.ipc.on.ca/english/Resources/Discussion-Papers/ http://www.privacy.gov.au/international/appa/hongkong- Discussion-Papers-Summary/?id=245 communique.html 2 http://www.ipc.on.ca/english/Resources/Discussion-Papers/ Discussion-Papers-Summary/?id=248 3 http://www.ipc.on.ca/images/Resources/anoni-v2.pdf 4 http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_ AUSTRALIA Review_final.pdf Karen Curtis’s tenureasCommissioner 5 http://www.whitehouse.gov/the_press_office/Remarks-by-the- President-on-Securing-Our-Nations-Cyber-Infrastructure/ extended for another year 6 http://www.business.gov.au/Business+Entry+Point/News/ National+Esecurity+Awareness+Week.htm Karen Curtis has been appointed for afurther one year 7 http://www.oecd.org/document/18/0,2340,en_2649_34255_ term as Federal Privacy Commissioner.Her term has 1815186_119820_1_1_1,00.html been extended so she can oversee the transition period 8 http://www.apec.org/apec/news___media/2005_media_releases/ where her Office assumes responsibility for Freedom of 161105_kor_ Information and Privacy to become the Office of the In- minsapproveapecprivacyframewrk.MedialibDownload.v1.html?url=/ formation Commissioner (OIC). 
etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/ 2005.Par.0001.File.v1.1 The OIC will include two new posts; an Information 9 http://www.privacy.gov.au/publications/npps01.html Commissioner and aseparate Freedom of Information 10 http://www.comlaw.gov.au/comlaw/management.nsf/ Commissioner.The Australian government has allocated lookupindexpagesbyid/IP200401860 AUS$20.5 million over afour year period to establish 11 http://www.informationweek.com/cloud-computing/blog/ the new information agency.Karen Curtis’sone year archives/2009/06/its_6_oclock_do.html term starts from July 12, 2009.

Closing date for Australian Privacy Awards nominations

The closing date for nominations for the Australian Privacy Awards is August 6, 2009. The awards are split into four categories: Large Business, Small to Medium Businesses, Community and NGOs, and government agencies. There is also a ‘Grand Award’ for an outstanding nominee from the categories listed above and the Australian Privacy Medal, which is awarded to an individual who has made a significant contribution to privacy in Australia. Winners will be presented with their awards at a Gala dinner on 12th November 2009.

More information is available from: http://www.privacy.gov.au/about/awards/index.html

CANADA

Telemarketers served with notices for breaching do-not-call list rules

The Canadian Radio-television and Telecommunications Commission (CRTC) has served ‘Notices of Violations’ on two telemarketers for breaking the rules relating to Canada’s do-not-call list.

The CRTC has not released any details about the telemarketers, who have thirty days to either pay a fine or contest the Notices before a CRTC panel.

“Canadians who have registered on the National DNCL have noticed a reduction in the number of telemarketing calls and faxes they receive,” said Leonard Katz, the CRTC’s Vice-Chairman of Telecommunications. “Although most telemarketers are abiding by the rules, we will use the enforcement tools at our disposal to promote compliance. The Notices of Violation we have issued serve as a warning to telemarketers that we will not look the other way if they break the rules and invade the privacy of consumers.”

The CRTC has faced much criticism from privacy advocates, consumer groups and the Canadian press since it launched the Do Not Call lists in September 2008. There were complaints that even after registering with the list, consumers were still receiving unwanted calls. The CRTC was further criticised for failing to enforce the rules and not taking action against telemarketers.

More information is available from: http://www.crtc.gc.ca/eng/home-accueil.htm

Canadian MPs call for changes to privacy law

A Canadian House of Commons Committee has called for the Federal privacy law to be updated to address new technologies and DNA collection. There were also calls for the Privacy Commissioner to be given a much clearer mandate for educating the public about privacy. In its report, the Committee acknowledged that there was a need to overhaul the Privacy Act. However, in the short term, it advocates adopting the 12 quick-fix measures proposed by the Federal Privacy Commissioner, Jennifer Stoddart, as an interim solution. The MPs also recommended reviewing the law every five years.

The Privacy Act has not been revised (substantially) since coming into effect 26 years ago, before the emergence of new technology such as biometric scanning.

COSTA RICA

Data protection law for Costa Rica

The Costa Rican government has voted in favour of Costa Rica having its own data protection law. A bill was voted on by the Legal Matters Committee of the Legislative Assembly. It will be referred to as the Law on Individuals’ Protection against Personal Data Treatment. The Law will aim to ensure the respect for individuals’ rights and the protection of their personal data. The Law also makes reference to the rights of legal persons, includes definitions for key terms such as personal and sensitive personal data and establishes a set of basic data protection principles.

A copy of the bill is available in Spanish from: http://www.asamblea.go.cr/proyecto/16600/16679.doc

EUROPE

Article 29 Working Party releases its Annual Report for 2008

The Article 29 Working Party has released its Annual Report for 2008. The Report provides an overview of the issues dealt with by the Working Party in 2008. It also addresses developments in Member States, EEA countries and European Bodies.

A copy of the report will be available from: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en.htm

Article 29 Working Party releases opinion on social networking

The Article 29 Working Party has released its opinion on social networking and how European data protection laws apply to social networking services. WP163 is analysed in detail in this issue in Privacy and social networking by Michael Schmidl.

The opinion is available at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/index_en.htm

FRANCE

French Senate issues report on privacy rights in the digital age

The French Senate has issued a report entitled La vie privée à l’heure des mémoires numériques on the right to privacy in the digital age. The report addresses the threat to privacy posed by the emergence of new technologies and the privacy implications for younger generations posed through the prevalent use of social networking sites and so forth.

Interestingly, the report recommends making it mandatory for organisations with fifty or more employees to have a Data Protection Officer, creating a mandatory data breach notification requirement, expanding the CNIL (French data protection authority) to include a network of regional offices and increasing its financial resources. The report also refers to changing the French constitution to include privacy rights.

For an update on data privacy developments in France, please see the article in this issue, Recent developments in personal data protection in France by Héléna Delabarre and Sabine Deloges.

A copy of the report is available in French at: http://www.senat.fr/noticerap/2008/r08-441-notice.html

HONG KONG

New guidance for estate agents

The Estate Agents Authority and the Office of the Privacy Commissioner have jointly launched guidance entitled ‘Proper Handling of Customers Personal Data by Estate Agents’. The aim of the guidance is to raise awareness amongst estate agents about how to protect their clients’ personal data.

The guidance is available from both the Commissioner’s and the EAA’s websites:
http://www.eaa.org.hk/publications/documents/privacy.pdf
http://www.pcpd.org.hk/english/publications/infor_book.html

MALAYSIA

Data protection bill on its way

The Personal Data Protection Bill is due to be introduced for its first reading before Parliament in October 2009. The Bill, which has been finalised by the Attorney General’s Department, will be presented before Parliament alongside the Credit Reference Agencies Bill prepared by the Finance Ministry. The Bill was drafted after consultation involving representatives from the public and private sectors, government departments and industry representatives. It includes provisions to safeguard the personal data of individuals as well as penalties for failure to comply.

SPAIN

Spanish DPA to host Commissioners’ conference

The Spanish Data Protection Authority is hosting this year’s International Conference for Data Protection and Privacy Commissioners. The conference is taking place in Madrid between November 4–6, 2009. There will be meetings either side of the conference hosted by organisations such as the International Association of Privacy Professionals and the European Privacy Officers’ Network.

The themes for the 31st International Conference include ‘privacy versus security’, the ‘conflict between intellectual property and privacy’, ‘privacy by design’ and protecting minors’ privacy when faced with technological advances.

At this event, the Commissioners are also hoping to reach an agreement on ‘International standards for the protection of privacy and personal data’. Preparatory work has already gone into developing the standards. Spanish and Basque Data Protection Authorities have already co-hosted meetings in Barcelona and Bilbao to work on drafting the standards. The meetings have included representatives from 18 data protection authorities around the world.

For more information about the conference, visit: http://www.privacyconference2009.org/privacyconf2009/home/index-iden-idweb.html

UNITED KINGDOM

Notification fee will increase to £500 for some organisations

The Ministry of Justice is introducing a two tier fee structure for the annual notification requirements whereby organisations pay £35 to the Information Commissioner’s Office.

Organisations (data controllers) will either fall into Tier 1 or Tier 2 according to the fee structure. Tier 2 organisations are those obliged to pay the new £500 fee. These organisations have 250 or more members of staff and a turnover of £25.9 million or more, as well as all public authorities with 250 or more members of staff. Tier 2 specifically excludes any data controller that is a charity or a small occupational pension scheme. Organisations that fall into the Tier 1 category will continue to pay the £35 fee. They are organisations which do not meet the conditions specified above, charities and those running a small occupational health scheme.

The new two tier system is due to come into effect from October 1, 2009. It follows the consultation that was carried out by the Ministry of Justice between July and August 2008 about the proposed tiered fee structure.

For more information, consult the Data Protection (Notification and notification fees) (Amendment) Regulations 2009 and its accompanying Explanatory Memorandum, which are available from:
http://www.opsi.gov.uk/si/si2009/em/uksiem_20091677_en.pdf
http://www.opsi.gov.uk/si/si2009/pdf/uksi_20091677_en.pdf

For a copy of the consultation, visit: http://www.justice.gov.uk/consultations/consultations-closed-withresponse.htm

ICO clarifies data protection myths surrounding photos at school events

The Information Commissioner’s Office has sought once again to clarify the data protection myth surrounding parents taking photos of their children at school events such as sports days.

Deputy Commissioner, David Smith, said,

“We recognise that parents want to capture significant moments on camera and we want to reassure them and other family members that whatever they might be told data protection does not prevent them taking photographs of their children and friends at school events. Photographs taken for the family photo album are exempt from the Act and citing the Data Protection Act to stop people taking photos or filming their children at school is wrong.”

The ICO has produced guidance explaining that the Act probably does not apply to many situations involving photos taken at schools.

The guidance is available from: http://www.ico.gov.uk

ICO puts out tender for a research project

The Information Commissioner’s Office is inviting interested parties to tender for a three month research project to develop a business case for persuading organisations to invest in proactive privacy protection. The aim is to help organisations devise proper costings and expenditure for having privacy safeguards in place.

Jonathan Bamford, Assistant Commissioner, said,

“We are aware that one of the barriers to more proactive privacy protection within organisations is the absence of a soundly argued business case for expenditure. However, organisations can no longer afford to ignore data protection and CEOs need to wake up to the risks and responsibilities that come with vast data collection. Data protection needs to be taken as seriously as health and safety by those at the top of the corporate structure.

It is important that this report produces a financial rationale that stands up to the scrutiny of those unfamiliar with data protection requirements or wider privacy concerns, whilst reinforcing the fact that data protection has become a matter of corporate and financial governance.”

The deadline for interested parties to submit bids was July 20, 2009. Further details are available at: http://www.ico.gov.uk/about_us/research/invitations_to_tender.aspx

UNITED STATES

Spammers fined $3.7 million

The Federal Trade Commission has been successful in its enforcement action against an international spam ring operating out of Canada and St. Kitts. The ring violated the Can-SPAM Act and the US SAFE WEB Act. The ring was accused of illegally sending email messages which promoted weight loss products and pills claiming to reverse the ageing process. The FTC alleged that the spammers sent emails using false addresses and misleading subject headings to entice people to read the emails. They also failed to provide an opt-out link or a postal address.

The FTC settled with three defendants, a US company and two individuals based in the US and Australia respectively, in May 2008 but was unable to reach an agreement with five remaining defendants based in Quebec, Canada. The remaining defendants have been fined $3.7 million, their proceeds from their illegal activities.

The case is the first time the FTC launched an enforcement action using the US SAFE WEB Act, designed to protect consumers affected by cross-border fraud and deception.

For more information, visit: http://www.ftc.gov

Personal Data

Privacy and social networking

By Dr. Michael Schmidl, Maître en Droit, LL.M. Eur.

In June 2009 the Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC (“WP-29”), rendered an opinion on privacy law implications of social networking (“WP-163”). In its WP-163, the WP-29 defines a social network service as “online communication platform which enable individuals to join or create networks of like-minded users” and categorises them as being information society services, as defined in Article 1 paragraph 2 of Directive 98/34/EC as amended by Directive 98/48/EC. The WP-163 stresses that the key phenomenon of social networks lies in the fact that users are asked to provide sufficient information about themselves in order to create a thorough personality profile or description and that moreover such information can be distributed to others.

The social network providers offer the corresponding tools, which not only allow the sharing of directly private information but also of subjects of interest to the user such as their favourite music, films or actors. All this information allows the social network providers to tailor advertising campaigns to the respective user groups. In light of the fact that many children and minors are using social network services, WP-163 emphasises the importance for social network providers to make sure that the corresponding user group is adequately protected, inter alia by means of age verification, informed consent, awareness as well as training campaigns, limiting the scope of collected data and its purposes, and separation of communities of children and adults.

The WP-163 also deals with questions relating to the applicability of the European Data Protection Directive 95/46/EC and contains measures which social network providers should implement in order to abide by the legal principles contained in the European privacy framework.

The most important question of whether European privacy laws apply to the social network providers established outside Europe is not analysed. Instead the WP-163 refers to its WP-148 on search engines, in which the WP-29 has extensively examined under what circumstances European privacy laws may be applicable. The use of cookies on the social network users’ computers in order to improve or customise the services is almost the rule and correspondingly a very frequent reason for applying European privacy laws to social network providers outside Europe. The reason for this effect of cookies is that they enable the social network provider to collect data without the users’ interaction. The users’ computers are thus turned into technical means under the control of the provider, which is sufficient to trigger the applicability of the privacy laws at the users’ locations.

On this basis the WP-163 deals with identifying the data controller in the framework of social network services. The statement that the social network providers are to be regarded as responsible data controllers is not surprising, especially if and to the extent they actively process the users’ data for their own business purposes, but also since they provide all the network and user management functionality. The third-party providers of applications accessible for users of social networks can also qualify as data controllers, for example as regards the user data. The most interesting phenomenon, however, is the concept of users being qualified as additional data controllers. Although all users collect, process and use personal data about other users, they are exempted from the application of privacy law as a consequence of the so-called “household exemption”, if their data processing activities occur simply in the course of a purely personal or household activity. This exemption does not apply, however, where a user acts as company representative in the social network in order to promote the company’s activities, commercial, political or other goals, or if a company uses the service as a professional collaboration platform. As a consequence the full set of data controller obligations apply. WP-163 lists further typical examples of when data controller rules have to be applied to users.

WP-163 also deals with the importance of restrictive so-called “privacy-friendly” default settings (e.g., on what data can be searched and found from inside the network or from outside by means of search machines), since such settings will most likely be left unchanged by the majority of the users, and with the importance of sufficient information and warnings to users regarding the impact on their privacy if they upload personal data. According to the WP-163, users especially have to be informed about planned direct marketing measures, data sharing with third parties, the risks of providing their own data (especially sensitive data) and the potential illegality of providing third parties’ data on social networks. The WP-163 recommends that the social network provider should also give information (e.g., on its website) on how to access a complaint facility, which could inter alia deal with the users’ rights of access, correction and deletion. Another aspect of “privacy-friendly” settings can be seen in the definition of maximum time periods for which data of inactive users is retained and in the deletion of users who have terminated their accounts. Moreover, the service provider has to enable data subjects to use the service with a pseudonym rather than with their real name.

In addition to these topics the WP-163 emphasises that any kind of direct marketing targeted at the users of the network must comply with the corresponding legal requirements, especially as regards the use of cookies and the technique of behavioural targeting. As per the WP-163, the social network providers do not have to fulfil requirements applicable to providers of electronic communication services provided in Article 2 c) of the Framework Directive (2002/21/EC). This may be seen differently if they provide additional services that fall under the scope of an electronic communications service, such as a publicly accessible email service.

Another interesting aspect the working paper deals with is the handling of invitations to join the network directed at third parties by users of a networking system. Such invitations can be exempted from direct marketing restrictions for email if they are merely personal communications (i.e. no incentive is given to either sender or recipient, the provider does not select the recipients of the message, the identity of the sending user must be clearly mentioned, and the sending user must know the full content of the message that will be sent on his behalf).

In many respects the WP-163 is similar to a June 2008 decision of the German Düsseldorfer Kreis (“GDK”), a panel in which the German Federal States’ data protection authorities reach agreement on the uniform application of the FDPA. The GDK’s decision contains a list of key obligations for the operators of social networks (for details on the GDK’s decision, please refer to an article written by the author which appeared in the May 2008 issue of the WDPR).

A copy of WP-163 is available in English at: http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_en.htm

Dr Schmidl is a partner of Baker & McKenzie Partnerschaft von Rechtsanwälten, Solicitors und Steuerberatern, Munich and member of the firm’s Information Technology Group. Dr. Schmidl is a specialised attorney for IT-Law and a lecturer for Internet law at the University of Augsburg. The author may be contacted at: [email protected]

Recent developments in personal data protection in France

By Héléna Delabarre, Partner, of the IP-Media-New Technologies department in NomoS and Sabine Deloges, Associate, in the IP-Media-New Technologies department in NomoS.

The CNIL, the French Data Protection Authority, published its 2008 Annual Report on May 13, 2009.

The CNIL Annual Report is very extensive as it simultaneously provides a presentation of all the work carried out by this authority in 2008 (in all French business sectors where issues relating to personal data protection arise) and also announces the major projects that CNIL intends to particularly focus on in 2009.

This report is thus an opportunity for the CNIL to officially present and update its whole “policy” on personal data protection. Notably, this policy has an even greater scope as the Chairman of the CNIL is currently the Chairman of the Article 29 Working Group.

The report consequently deals with extremely varied issues, such as, for example, the CNIL’s opinion on particular bills for which its “opinion” has been requested (this was the case with the “Creation and Internet” bill introducing the “graduated response” mechanism to deal with illegal downloads by net surfers), its (highly reserved) position on processing used by the French intelligence services to consolidate highly varied information about people whose collective or individual activities may undermine public safety, or even the conditions under which pharmacists could have automated and integrated access to any prescriptions and drug purchases made by their customers at any chemist’s in the country.

We have chosen to review a selection of issues from this report which are likely to affect private sector companies operating in France.

We will also consider the CNIL’s position on online targeted advertising, which made the news at the beginning of this year following a report made public on March 26, 2009. This report, wholly focused on targeted advertising, analyses the profiling methods implemented and developed by different Internet players for advertising purposes (website designers, community platforms, advertising sales agencies, search engines) and formalises the CNIL’s recommendations concerning the protection of net surfers’ privacy.

Video surveillance in companies

Video surveillance, which constitutes personal data processing (personal data in this case being the image of a person likely to be identified), is subject to two sets of rules in France, which are often poorly understood by companies. Therefore, the CNIL notes that this dual regulation is very poorly applied, which is all the more worrying as the use of this type of system is constantly increasing (this is also linked to the French government’s desire to triple the number of video surveillance systems in public places by 2011).

Video surveillance systems in “places open to the public” are governed by the Act of January 21, 1995, subject to obtaining prior authorisation from the Prefect (authority representing the State in each region).

Video surveillance systems used in “places not open to the public”, on the other hand, fall under the Data Protection Act of January 6, 1978 (amended by the Act of August 6, 2004) and are subject to an obligation to be declared in advance to the CNIL. The same applies for all video surveillance systems, regardless of where they are used, combined with biometric control systems such as facial recognition or files allowing individuals to be identified directly.

Many companies which deal with the public as part of their business find it hard to distinguish between the concepts of places that are open and those that are not open to the public: a supermarket which receives several hundred visitors every day is legally the private property of the company which owns it but clearly constitutes a “place open to the public” in which the installation of video surveillance systems must be authorised by the Prefect. The same applies for the local grocer’s shop which only receives a few customers. Companies may be more reluctant on the other hand when they have to decide which category their building car park falls under, which may have hundreds of employees passing through every day (in this case, this is a place “not open to the public”). Many companies must apply the two regulations. For example, a business which owns supermarkets will be subject to the Act of January 21, 1995 for video surveillance systems installed in its shops, whereas cameras installed in the entrance hall of the building containing the company’s offices will be subject to the Act of January 6, 1978.

The non-application of these regulations (even due to a failure to understand...) constitutes a criminal offence that could subject the person responsible to a fine of up to €300,000.

It is subsequently preferable that these regulations are clarified and above all unified within a single regulation, which the CNIL lists among its wishes in its report by proposing that all video surveillance systems fall under its power. This measure is also desired by a parliamentary committee appointed to make proposals on this issue.

Requests to amend particular personal data processing techniques before their effective implementation

Under Article 22 of the Act of January 6, 1978, the person responsible for the automated processing of personal data shall declare such processing to the CNIL before its implementation.

When this prior declaration is registered and even beforehand, when asked by companies for an “opinion”, the CNIL may have to “encourage” companies to modify the processing they intend to carry out.

The recent examples provided below, expressly mentioned in the CNIL’s report, show that this right to interfere occurs essentially in high-tech sectors: telecoms, biometry and the Internet.

Google Streetview service

Following the CNIL’s recommendations, this service could only be launched in France after being modified to take into account the authority’s recommendations. This service allows pictures of towns to be displayed using a 360° navigation system. The CNIL asked Google to set up an automatic blurring of car registration plates and of the faces of people who might appear in the pictures, since the vehicle owners and individuals whose image appears are not able to express their prior consent to this use of their personal data, contrary to the principle deriving from Article 7 of the Act of January 6, 1978.

Displaying of advertisements on mobiles via Bluetooth technology

The CNIL demanded the modification of the conditions for sending advertising messages to customers’ mobile phones: messages sent from Bluetooth terminals integrated into advertisement hoardings set up in public places (train stations, public roads, concert halls, discos, etc.). This service initially provided that the mobile phone owners in the signal coverage area whose Bluetooth was activated could have adverts sent to them, which again raised the problem of obtaining the prior agreement of the subscriber to consult their personal data used to send such advertising.

The CNIL asked that the advertising should only be sent to subscribers who had expressed their desire to receive them, for example when their telephone comes within a few centimetres of panels integrating Bluetooth terminals.

Venous network recognition system

Biometry is at the heart of the CNIL’s concerns due to the highly rapid development of the techniques used and their naturally very intrusive character. The CNIL states in its report that it worked closely with one of the designers of the first systems of physical or logical access control relying on venous system recognition by making specific recommendations, for his attention, about the guarantees that must accompany the implementation of this type of technique. This again confirms that it is preferable for any company wishing to develop technologies or new techniques likely to raise personal data issues that they make the CNIL a partner in their thought process within the company, before the product is designed.

Online targeted advertising

In a report made available to the public on March 26, 2009, the CNIL focused on e-marketing tools for online targeted advertising. It analysed the profiling methods implemented and developed by the leading Internet companies for advertising purposes (website publishers, community platforms, advertising sales agencies and search engines) to provide proposals concerning the protection of net surfers’ privacy.

Targeted advertising is today widely displayed on websites since it offers a more efficient marketing communication tool for advertisers, allowing them, as its name suggests, to target distinct categories of consumers according to different criteria (e.g. age, gender, city, occupation, leisure, sites visited, words entered).

Héléna Delabarre and Sabine Deloges can be contacted on: [email protected] SDELOGES@nomosparis.com


In its report, the CNIL notices the existence of different Online Targeted Advertising methods (customised, contextual or behavioural advertising) based on more or less detailed information. According to the CNIL, the performance of these new e-marketing tools implies a significant risk concerning the respect of net surfers' freedom and privacy: "These developments make me afraid of a systematic profiling of net surfers, without their knowledge, as well as a risk for the 'bargaining' of their individual profiles between content providers and advertisers".

For websites, these new methods of advertising distribution bring new revenue sources and improve net surfers' browsing on the pages they visit in offering them customised advertisements based on their tastes and their interests.

Indeed, the functioning of targeted advertising is based on the collection and the combination of the net surfers' data in connection with their navigation and behaviour on the Internet in order to build their consumer profiles, via cookies, which may contain a unique identifier for each user.

On this particular issue, the CNIL states in its report that "data which are in the profiles such as age, gender or location are personal data insofar as they relate to this identifier". This analysis is not approved by the different leading Internet companies which consider, on the contrary, that browsing data collected and stored in cookies are not identifying to the extent that they cannot be linked to the real identity of net surfers.

By way of this legal qualification, the CNIL considers that French data protection regulation is fully applicable to online targeted advertising processing and provides for better information about the use of their data and how to opt-out. This position is also the one adopted by the Article 29 Working Group in its Opinion 1/2008 dated April 4, 2008 regarding data protection related to search engines.

In addition, the CNIL wishes to collaborate with the "Forum des Droits de l'Internet"[1] to develop a code of conduct for professionals and recommends creating a "Computer and Liberty label", which would be assigned to websites which are respectful of their net surfers' personal data.

Inspections of companies and penalties

Companies are particularly sensitive to the law enforcement aspect of the CNIL's work which is the focus of a considerable part of its Annual Report.

The record of inspections and penalties provided in the CNIL's Annual Report is an opportunity to draw companies' attention to the conditions and cases under which they may be subject to an inspection by the CNIL, possibly followed by a penalty.

First, it should be remembered that this independent administrative authority has benefited (since the Act of August 6, 2004 amending the Data Protection Act of January 6, 1978) from an independent power to impose penalties. The penalties range from providing formal notices to a definitive ban on continuing to use a process, as well as a decision to impose pecuniary sanctions, if necessary accompanied by an order for publication.

The Conseil d'Etat (French High Administrative Court) furthermore accepted in a decision of February 19, 2008[2] that this own power to impose penalties today makes the CNIL a real "court" within the meaning of Article 6.1 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR). As a result, the CNIL must ensure it respects the fundamental principle of fair trial as laid down in the ECHR, in particular in relation to the independence of the court and the requirement of a hearing in the presence of both parties.

This Conseil d'Etat decision also required the CNIL to use its power to impose penalties only after a formal notice explicitly stating the alleged facts and the applicable laws.

The CNIL's independent power to impose penalties continues to co-exist with the legal power to impose penalties as most breaches of the regulation concerning the personal data protection (non-declaration of a processing, unfair personal data collection, failure to respect the right to object to market research, illegal "sensitive" data collection, etc.) also constitute criminal offences. Faced with a particularly serious breach of the rules on the personal data protection, the CNIL may decide to hand over the case to the public prosecutor's office to institute criminal proceedings but, given the facts, it should be noted that this right is seldom used and it prefers to use its own power to impose penalties.

The CNIL's Annual Report confirms that instituting sanction proceedings is generally preceded by an inspection by the CNIL's agents.

Inspection

The CNIL report states that no sector is exempt from this inspection power which in practice is carried out in three different ways:

1. The inspection of a company may firstly be decided as part of an annual inspection programme determined by the CNIL according to the set of themes it wishes to focus its work on in the given year. Therefore, in 2008, the CNIL inspected electronic voting methods, one of the priorities of its annual inspection programme being to visit private and public organisations using this voting method in order to check whether the regulation on personal data is respected during electronic voting operations (anonymous voting, secret ballot, security measures ensuring the personal nature of voting, etc).

2. The inspection of a company may also be undertaken by the CNIL after it receives a complaint which leads the CNIL to carry out checks on the company concerning the facts that have been complained about by the complainant.

3. Finally, a company which is subject to a formal notice by the CNIL and which responds positively to the


CNIL's formal notice by making commitments in this regard, has good reason to think that it will be the subject of an inspection by the CNIL aimed at making sure that the measures requested in the formal notice have been effectively implemented by the company.

The CNIL decides at its sole discretion whether the inspection will be carried out only "on evidence", i.e. based on documents and supporting documents provided by the company, or "on site", i.e. during visits by the CNIL's agents to the company. These agents are authorised to have direct access to personal data processing in order to check the implementation conditions.

Companies must in any case remember that inspections are substantially increasing and the CNIL is pleased to report a 33 percent rise in the number of inspections carried out in 2008 compared with the previous year.

Penalties

The full table of penalties, published by the CNIL in its 2008 report, shows that the companies that were prosecuted come from varied lines of business such as services (trade, Internet advertising sales agencies, telephone marketing, distance selling) and were prosecuted for equally diverse reasons:

• Failure to respect the right to object and the right of access;
• Non-declaration of files;
• Improper entry in a file;
• Breach of a security obligation;
• Excessive duration for the storage of collected data;
• Collection of sensitive (racial or ethnic) data in conditions in breach of the law.

Furthermore, it should be noted that some of the companies saw their penalty increased as there was a lack of "cooperation" and "transparency" with the CNIL during the inspection.

As stated above (see the decision of the Conseil d'Etat of February 19, 2008), the CNIL cannot initiate sanction proceedings without providing prior formal notice to the company.

In the majority of cases, companies comply with the CNIL's demands as soon as they receive the formal notice and the CNIL closes the case without imposing penalties (that was the case in 2008 for 84 out of 126 companies who received a formal notice).

However, if they refuse to comply with the formal notice, or worse, if they fail to reply, the CNIL may have to impose a penalty in a reasoned decision and after holding a hearing with both parties present. The measures the CNIL is authorised to take as penalties are expressly provided by the Act of January 6, 1978 and are highly diverse: warning, injunction to suspend processing temporarily or definitively, financial penalties of up to €300,000, and publication of the decision. However, an examination of the financial penalties imposed in 2008 shows that their amount remains moderate and does not exceed €30,000.

The CNIL's relative leniency with regard to financial penalties is a sign that this authority also intends to teach companies a lesson but it is clear that, as the years go by, such leniency is becoming rarer and the penalties are increasing.

NOTES

1 The FDI is a French agency. Its purpose is to enhance the relationships and dialogues between the different stakeholders (administration, industries, and users) involved in Internet activities in order to encourage concerted actions about legal or business issues and practices.

2 Summary judgment, Conseil d'Etat, February 19, 2008.

Connectivity's mobile phone directory is privacy friendly, says ICO. But is it?

By Dominic Hodgkinson, Solicitor correspondent, Calleja Consulting Ltd.

On June 18, 2009 Connectivity (a start-up company financed by venture capital companies 3i and Esprit Capital Partners) launched a new 118 phone directory service – for mobile phone numbers of private individuals. The initiative has taken two years to launch and has been the target of strong criticism from MPs and civil rights campaigners that it invades individuals' privacy. However, the Information Commissioner's Office has confirmed that Connectivity's mobile phone directory is privacy friendly and the 118 800 service is now up and running.

Dominic Hodgkinson can be contacted at info@callejaconsulting.com

Background

There are approximately 42 million mobile phone numbers issued by UK mobile phone service providers. Under the Universal Services Directive[1], the UK must provide a comprehensive telephone directory (the BT Phone Book) that must include mobile phone numbers, supplied by UK mobile phone service providers, provided that each user agrees to his number being included. However, even if every user agreed to his mobile number being included there are still two drawbacks to the BT Phone Book's directory of mobile phone num-

bers: pay-as-you-go mobile phone users do not have to provide their personal details when they sign up and the person registered with the mobile phone might not be the user; accordingly, the BT Phone Book cannot be a complete record of mobile phone numbers.

On July 13, 2007 The Times announced that Connectivity was about to launch a new mobile phone directory consisting of private individuals' telephone numbers; it stated that Connectivity recognised the privacy concerns associated with such a directory and had put safeguards in place, including contacting every mobile user on its list to ask their permission to be included in a directory.

Two years later, Connectivity launched the service which lets customers search for 16 million mobile phone numbers by entering the name, surname and town of the mobile phone user they would like to contact. For £1, Connectivity will send a text to the user or try to connect both parties by dialling the user's number and asking whether they are prepared to take the call; if they accept, the caller is put through paying a connection charge of 69p and a call charge of 14p per minute.

Data protection and e-privacy

Connectivity's mobile phone directory must comply with the Data Protection Act 1998 and The E-Privacy Regulations[2]. The Act provides that personal data (mobile phone numbers and user names are personal data) must be processed in accordance with the eight data protection principles.

The first principle provides that personal data must be processed fairly and lawfully and only if one of the conditions in Schedule 2 is met; the only relevant condition in Schedule 2 will be that the user has given his consent to the processing.

The second principle provides that personal data must be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose(s).

Review of Connectivity's service under UK law

Connectivity's website states that,

"Our mobile phone directory is made up from various sources. Generally it comes from companies who collect mobile telephone numbers from customers in the course of doing business and have been given permission by the customers to share those numbers."

Privacy campaigners have raised the issue that although customers of online businesses do sometimes tick the box permitting their contact details to be shared there are two potential issues with Connectivity's claim above that persons on its list have consented to their details being stored on its directory.

The first is that the language accompanying an online box permitting a customer's contact details to be shared is usually put in terms of, for example 'companies offering similar goods and/or services' which wouldn't necessarily incorporate a mobile phone directory; accordingly, the customer technically hasn't given his consent to his contact details being included in such a directory, in which case Connectivity's service is breaching the first data protection principle.

The second is that if the customer hasn't given his consent to his details being shared for the purpose of inclusion in a mobile phone directory, then his personal data is being processed in a manner that is incompatible with the original purpose he did consent to, so Connectivity's service is also breaching the second data protection principle.

Shona Forster, 118800's Marketing Director commented that,

"We are accessing data in the same way that lots of other companies do for marketing purposes; the difference is that we don't use that data for marketing purposes."

This is the point – if the customer has agreed that his data may only be processed by persons other than the original data collector for 'marketing purposes', then Connectivity is now proposing to use the data for purposes other than marketing.

Furthermore, the E-Privacy Regulations provide that a mobile phone user's personal data shall not be included in a directory unless that user has, free of charge, been informed by the collector of the personal data of the purposes of such a directory, and given the opportunity to agree to such inclusion.

ICO approval

The ICO commented that Connectivity's service is,

"...privacy friendly in that it will only connect people when the recipient agrees to take the call and even then it will do so without divulging their number."

However, the ICO also went on to say that,

"We made it absolutely clear to Connectivity that it should not use numbers where there was any doubt about whether the consumer was happy for their information to be used in this way."

Comment

Recital 11 of the Universal Services Directive states that,

"Users and consumers desire comprehensive [telephone] directories and a directory enquiry service covering all listed telephone subscribers and their numbers (including fixed and mobile numbers) and want this information to be presented in a non-preferential fashion."

Consumers probably do want a mobile phone directory that might be more comprehensive than, or at least an alternative to, the BT Phone Book. However, concerns raised by privacy campaigners that Connectivity may have breached UK data protection and e-privacy laws in the way that it has compiled its list of mobile phone us-

ers remain seemingly unresolved – unless Connectivity has, as stated in the Times, July 2007 report, contacted all 16 million mobile phone users whose numbers it acquired.

Connectivity's website FAQs on 'Your questions about privacy' and announcements to date do not really address this issue; rather, they tend to focus on the fact that the mobile phone user's details remain private at all times and that not even Connectivity staff can access mobile numbers in the directory.

Furthermore, the ICO would appear to have put the ball back in Connectivity's court: it agrees with Connectivity that aspects of its service are privacy friendly but goes on to state that it is Connectivity's responsibility to confirm that all of its subscribers are happy for their details to be entered into the directory, which is the whole point – have all of Connectivity's directory subscribers agreed that they are happy to be included?

For now, the point remains slightly academic as Connectivity's service isn't fully functional – their website home page states that,

"We hope you find what you want on our website. However, the 118 800 phone service is still being tested and we know it's not yet perfect. So if something's not quite right, we are really sorry but we are working hard to sort things out as quickly as we can."

And, in the most recent twist to the story, Connectivity has suspended its online service, owing to the high number of requests it has received from persons on the directory list seeking to remove their contact details – which has increased speculation that Connectivity didn't correctly obtain consent from 'subscribers' to its directory list.

NOTES

1 Directive 2002/22/EC of the European Parliament and of the Council of March 7, 2002 on universal service and users' rights relating to electronic communications networks and services.

2 The Privacy and Electronic Communications (EC Directive) Regulations 2003/2426.

Plans to amend model clauses for use in global outsourcing transactions

By Cameron Craig

The diagrams that featured in this article last month were inaccurate in that the wording in the bottom boxes should read 'sub-contractor' rather than 'customer'. The correct diagrams are as shown. The author apologises for any confusion.

[Diagram: Current arrangement. Boxes and links shown: Customer (EEA); Service Agreement; Service Provider (ex EEA); Sub-contract; Sub-contractor (ex EEA).]

[Diagram: Proposed arrangement. Boxes and links shown: Customer (EEA); Service Agreement; Processor Agreement 1; Service Provider (ex EEA); Processor Agreement 2; Sub-contract; Sub-contractor (ex EEA).]

News

EUROPE

Article 29 Working Party holds discussions with WADA

The Article 29 Working Party held further discussions with representatives from the World Anti-Doping Agency (WADA) about the International Standard for the Protection of Privacy and Personal Information (as previously reported in the WDPR). The discussions took place at the Working Party's 71st plenary session in Brussels, June 16–17, 2009.

Although the Working Party acknowledged the efforts made by the WADA in adapting the Standard to meet European data protection requirements (the WADA has previously adapted the Standard in line with recommendations made by the Working Party), it would still like to see further changes made. The issues outstanding remain the same – the whereabouts rule, the grounds for processing, the publication of sanctions rulings and retention periods. The Working Party is open to further discussions to ensure the Standard fully complies with EU data protection legislation.

Further information is available at: http://ec.europa.eu/justice_home/fsj/privacy/news/docs/pr_16_06_09_en.pdf

ITALY

Trial of Google executives postponed until September 2009

The trial of four Google executives has been postponed until September 29, 2009 because the translator failed to attend.

As reported in the June issue of the WDPR, the four executives had been granted a fast track trial by a Milanese court. They stand accused of privacy violations, for allowing a video showing a teenager with Downs Syndrome being bullied by classmates, to be posted on Google Video back in 2006.

The four executives being prosecuted are David Drummond, Google's Chief Legal Officer; Peter Fleischer, its Global Privacy Officer; George Reyes, the former Chief Financial Officer; and Arvind Desikan, the former Head of Google Video Europe.

Google removed the video within a day of being informed about it and helped the police to arrest the bullies shown in the video.

Italian prosecutors filed criminal proceedings against Google last year, arguing that Google failed to do enough to prevent the video from being uploaded in the first place and then for taking too long to remove the video.

JAPAN

Google forced to reshoot Streetview images in Japan

Google has said that it will reshoot pictures taken for its Streetview service in Japan after complaints about privacy. Google is to begin re-shooting images lowering the height of its car mounted cameras by 16 inches after complaints were made about its cameras capturing images over fences in private homes.

Opponents of Streetview had previously campaigned unsuccessfully for Google to be refused the right to launch Streetview in Japan over concerns about privacy.

Streetview does not violate privacy according to the Japanese government

The Japanese government has ruled that Google's Streetview service does not violate the rights of Japanese citizens providing that there are safeguards in place to blur people's faces and licence plates. This was the decision reached by an advisory panel set up by the Internal Affairs and Communications Ministry.

In addition to the use of blurring technology, the panel also called for the cameras not to be mounted above a certain level on Streetview cars when they capture images and for Google to ensure that the cameras do not enter private properties when capturing images.

Google launched its Streetview service across 12 Japanese cities last August and has since attracted a huge amount of criticism in Japan and worldwide.

MACAU

Data protection awareness rises

Data protection awareness is on the rise in Macau according to local government officials. At the 'Breach of Data – Problems and Solutions' Conference held in Macau following on from the 31st Asia Pacific Conference held in Hong Kong in June 2009, Florinda Chan, Secretary for Administration and Justice, paid tribute to the work of the Macau Office for Personal Data Protection. The Office has made concerted efforts to promote data privacy and educate the public on data privacy matters.

The Office was established in 2007 to enforce the Personal Data Protection Act and related legislation. Since its creation, local residents' awareness of privacy matters has risen after the Office took steps to educate the public on the importance of privacy to their daily lives. She also acknowledged the importance of international cooperation in developing strategies for data protection

through organisations such as APPA. Macau officials attended the 31st APPA Forum as observers.

More information about the Macau Office for Personal Data Protection is available from: http://www.gpdp.gov.mo/en/

SWEDEN

Swedish regulators probing location based services

Swedish regulators are looking into how location-based information is sold by mobile phone operators to service providers. The Swedish Data Inspection Board (Swedish Data Protection Authority) and the Swedish Post and Telecom Agency are jointly investigating location-based services to ensure individuals' privacy rights are fully protected.

The Agency has sent questionnaires to operators enquiring about what information is transferred to service providers, how the information is protected and how consent for sharing the data has been obtained initially from subscribers. They are also looking into how mobile phone numbers are used.

The regulators are aiming to analyse the responses during the autumn with a view to publishing their findings in a report by the end of October 2009.

SWITZERLAND

Commissioner seeks assurances from Google over Streetview

The Swiss Federal Data Protection Commissioner has asked Google to improve its privacy practices before it can launch its Streetview services in Switzerland. The Commissioner has called for Google to use the same blurring technology in Switzerland as it uses in other European countries to obscure faces and licence plates.

The Commissioner intervened after receiving complaints from data privacy groups that Google was not offering the same level of privacy protection for Swiss citizens compared with the rest of Europe, by not using its blurring technology for images captured in Swiss cities.

The Commissioner's Office is planning to monitor the situation to check images are being blurred. Google has also insisted that it will respect individuals' rights.

UNITED KINGDOM

Future head of MI6's details on Facebook

The wife of Sir John Sawers, the next head of MI6, posted family details and photos including one of Sir John on Facebook. Details included the location of their London flat and information about their children and Sir John's parents. She posted the information without any privacy protection on her account which made it accessible to all of Facebook's users.

As a result, diplomats and civil servants are being warned about posting information on social networking sites.

Phorm loses BT as a customer

Phorm suffered a blow this month as British Telecom decided not to continue using its Webwise system for behavioural targeted advertising. It follows huge controversy surrounding BT's secret trials testing the system on its customers in 2006 and 2007 without having first sought their consent. While BT has claimed that its decision not to continue is cost based, it is probably more to do with customer opposition to having their Internet browsing patterns profiled to deliver personalised advertising. Phorm has sought to play down BT's decision despite BT being one of its key partners in helping to develop the technology.

ICO finds Manchester City Council guilty of breaching DPA

The Information Commissioner has found Manchester City Council guilty of breaching the Data Protection Act following the theft of two laptops from the town hall. Neither of the laptops was encrypted or securely fixed to desks to prevent theft. One held information relating to employees at local schools. The Council's Chief Executive has signed a formal undertaking to ensure that removable devices are used to hold minimal personal

data and that all laptops and other such devices are encrypted and secured to desks to avoid theft, or locked away.

A copy of the undertaking can be downloaded from: http://www.ico.gov.uk/what_we_cover/data_protection/enforcement.aspx

UNITED STATES

Retail chain TJX settles security breach charges

TJX, the owner of TJ Maxx stores, has settled charges with 41 states over a security breach in 2007 which exposed customers' financial data. Unauthorised parties were able to gain access to TJX's computer network and obtain credit card information and personal data on customers.

The retail chain has agreed to pay $9.75 million to the 41 states and to implement a robust and effective data security program to protect customer information to help avoid a similar breach in the future. As part of the settlement, TJX will regularly report to the states' Attorneys General on their data security program after third party audits.

The states have agreed to use the payment under the settlement as follows:

• $5.5 million to be used by the states for data protection and consumer protection;
• $1.75 million is to reimburse the costs and fees of the investigation;
• $2.5 million for the Attorneys General to fund a Data Security Trust Fund to help with enforcement efforts and policy development for data security and protecting personal information.

The 41 states participating in the agreement include California, Florida, Hawaii, Massachusetts, New Hampshire, New Jersey, New York and Washington.


07/09 Copyright © 2009 by The Bureau of National Affairs, Inc. WDPR ISSN 1473-3579
