Privacy & Information Security Law Blog

On January 13, 2011, a Bill (Projet de loi organique relatif au Défenseur des droits) containing several amendments to the French Data Protection Act was preliminarily adopted by the French National Assembly.  If enacted, the Bill would amend several key provisions of the French Data Protection Act, including revisions regarding the powers of the French Data Protection Authority (the “CNIL”), and the role of Chairman of the CNIL.  The amendments are summarized below.

Earlier this month, the Belgian Privacy Commission (the “Belgian DPA”) published its December 15, 2010 Recommendation on Mobile Mapping (Recommandation d’initiative en matière de Mobile Mapping, or “the Recommendation”).  The Recommendation defines Mobile Mapping as “technology by which a vehicle equipped with a camera and/or a scanner can digitally record all data on a specific road, including by taking 360° photos.”  The scope of the Recommendation covers not only applications such as Google Street View, but also other types of Mobile Mapping such as mapping by public authorities, mapping for tourism, real estate applications and GPS navigation mapping.

On January 11, 2011, Michelle O’Neill, U.S. Department of Commerce Deputy Under Secretary for International Trade, held a briefing on her November 2010 meetings in Brussels with European data protection authorities.  She discussed a data protection and privacy forum that was convened in November at which she met with several high-level European regulators, including Jacob Kohnstamm, Viviane Reding and Peter Hustinx.  O’Neill mentioned “the right to be forgotten” as a current hot-button issue in Europe.  Commissioner Reding, who is firmly in charge of the reconsideration of the EU Data Protection Directive, focused on ensuring easier compliance with EU data protection rules and greater harmonization among Member States.  O’Neill stated that Peter Hustinx was encouraged by the work ongoing in the United States, including the “Green Paper” issued by the Department of Commerce.  He considers the various U.S. efforts a basis for further dialogue with U.S. authorities.  O’Neill noted that comments to the EU consultation are due January 15, 2011.  The Department of Commerce intends to file a response.

Early this week, the Article 29 Working Party issued its December 16, 2010 Opinion on applicable law, providing guidance on the scope of EU data protection law and the practical implications of Article 4 of the EU Data Protection Directive (95/46/EC, the “Directive”).

The purpose of the Working Party’s Opinion 8/2010 (the “Opinion”) is twofold.  First, it intends to clarify the current scope of EU data protection law with regard to the processing of personal data within and outside the European Economic Area (the “EEA”).  The clarifications by the Working Party are aimed at enhancing legal certainty for data controllers, providing a clearer framework for individuals and stakeholders and avoiding legal loopholes and potential conflicts between overlapping national data protection laws.  Throughout the Opinion, practical examples are used to demonstrate the clarifications, such as in the context of centralized HR databases, geolocation services, cloud computing and online social networks.  Furthermore, in light of the general revision of the EU data protection framework, the Opinion includes suggestions to improve the existing applicable law provisions in the EU Data Protection Directive.

On November 25, 2010, the German data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) issued a resolution on the minimum requirements for the qualifications and independence of company data protection officers (“DPOs”).  This initiative follows inspections carried out within companies that revealed a generally insufficient level of expertise among DPOs given data processing complexities and the requirements set by the Federal Data Protection Act.  The DPAs recognize that a DPO’s workload depends primarily on the size and number of data controllers the DPO supervises, industry-specific factors related to data processing and the level of protection required for the types of personal data being processed.  Changes with respect to these factors frequently increase the burden on DPOs without a compensating increase in resources needed to ensure proper oversight.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Bill C-28, the Fighting Internet and Wireless Spam bill, received Royal Assent on December 15, 2010.  The centerpiece of the Act are prohibitions aimed at preventing spam, but the law also includes regulations to combat phishing and protect users from online malware.  Specifically, among other things, the legislation would prohibit:

• sending commercial electronic messages (including emails and text messages) without consent (subject to certain limited exceptions);
• altering transmission data on email messages; and
• the installation of computer programs without express consent.

The 32nd International Conference of Data Protection and Privacy Commissioners held in Jerusalem this October continued the trend from past conferences by enacting a resolution, this time with respect to the adoption of global privacy standards.  The Jerusalem Declaration calls for an intergovernmental conference in 2011 or 2012 to negotiate a binding international agreement guaranteeing respect for data protection and privacy, and facilitating cross-border coordination of enforcement efforts.  The basis for the binding international agreement would be the Madrid ...

On October 14, 2010, the French Data Protection Authority (the “CNIL”) adopted several amendments to its single authorization AU-004 regarding the use of whistleblowing schemes (the “Single Authorization”).

Since 2005, companies in France must register their whistleblowing schemes with the CNIL either by self-certifying to the CNIL’s Single Authorization or by filing a formal request for approval with the CNIL.  Companies that self-certify to the Single Authorization make a formal undertaking that their whistleblowing scheme complies with the pre-established conditions set out in this authorization.  In particular, the scope of the Single Authorization is limited to the following specific areas: finance, accounting, banking, fight against corruption and compliance with Section 301(4) of the Sarbanes-Oxley Act.  Under the revised framework, the CNIL has extended the scope of the Single Authorization to include the prevention of anti-competitive practices and compliance with the Japanese Financial Instrument and Exchange Act.

The Yomiuri Shimbun has been following a story regarding the November 25, 2010, release by a Tokyo publisher of a book containing Tokyo Metropolitan Police Department anti-terrorism documents that were leaked on the Internet in October.  According to reports, the book (“Leaked Police Terrorism Info: All Data”) contains 469 pages of unedited personal information of foreign residents who are being monitored by Japanese authorities, as well as the names of the police officers involved in the cases and individuals who have cooperated with police investigations.  On November 29, a ...

On December 1, 2010, the German Federal Ministry of the Interior (the “BMI”) issued a paper entitled “Data Protection on the Internet,” which contains a draft law to protect against particularly serious violations of privacy rights online.

Regulation of Geo Data Services

The BMI’s paper was developed in context of recent discussions regarding the regulation of geo data services.  A draft data protection code for geo data services (the “Code”), prepared by businesses under the leadership of the German Federal Association for Information Technology, Telecommunications and New Media (“BITKOM e.V.”), was also published on December 1, and now will be assessed by the BMI.

In its paper, the BMI rejects the adoption of a specific law to regulate services such as Google Street View.  The BMI believes that, to the extent service providers implement sufficient technical and organizational measures to protect data, statutory regulation is not necessary.

On December 1, 2010, the European Parliament hosted a Privacy Platform on the European Commission’s recent Communication proposing “a comprehensive approach on personal data protection in the European Union,” which is aimed at modernizing the current EU data protection framework.

The panel, hosted by European Parliament Member Sophie in ‘t Veld, included:

• The Head of Cabinet of the European Commission’s Commissioner for Justice, Fundamental Rights and Citizenship, Martin Selmayr (in Commissioner Viviane Reding’s absence);
• The Chairman of the Article 29 Working Party, Jacob Kohnstamm; and
• The European Data Protection Supervisor, Peter Hustinx.

The Platform was very well attended, bringing together a wide range of stakeholders from both the public and private sectors.

On November 25, 2010, the Council of Europe’s Committee of Ministers adopted a recommendation (the “Recommendation”) on the protection of individuals with regard to the automatic processing of personal data in the context of profiling.  View the press release.

The Recommendation is designed to set up safeguards for profiling activities by applying the principles established in Convention 108 to the challenges raised by profiling and by defining new principles.  It defines profiling as “an automatic data processing technique that consists of applying a ‘profile’ to an individual, particularly in order to take decisions concerning her or him or for analyzing or predicting her or his personal preferences, behaviors and attitudes.”  The term ‘profile’ refers to a set of data characterizing a group of individuals which is intended to be applied to an individual.  Interestingly, Members States may decide to exclude the public sector under certain conditions.

Adam Kardash from Heenan Blaikie LLP in Canada reports that Jennifer Stoddart has been nominated for reappointment as Privacy Commissioner of Canada for a three-year term.  The nomination will be tabled in the House of Commons for consideration and is widely expected to be accepted.

Marty Abrams, Executive Director of the Centre for Information Policy Leadership at Hunton & Williams LLP, said, “Commissioner Stoddart has been a key leader in bringing data protection into the 21st century.”

Ms. Stoddart has served as Privacy Commissioner since December 2003.

For further ...

In the first use of his powers to impose monetary penalties, the UK Information Commissioner has announced fines for two organizations with respect to serious breaches of the UK Data Protection Act.

• Hertfordshire County Council must pay a fine of £100,000 after staff accidentally faxed highly sensitive information to the wrong recipients, on two separate occasions.
• A4e Limited, an employment services company, must pay £60,000 following the theft of an unencrypted laptop from an employee’s home, putting the data of 24,000 people at risk.

On November 23, 2010, the data protection authority of the German federal state of Hamburg issued a €200,000 fine against financial institution Hamburger Sparkasse AG (“Haspa”) for illegally allowing its customer service representatives access to customers’ bank data, and for profiling its customers. The bank cooperated with the DPA and has discontinued the illegal practices.

On November 19, 2010, the UK Information Commissioner’s Office (the “ICO”) announced that Google has signed an undertaking committing it to improve its data processing practices.  The undertaking follows an ICO investigation into the collection of payload data by Google Street View cars in the UK.  Google’s Senior Vice President, Alan Eustace, signed the undertaking on behalf of Google, Inc.

On November 15, 2010, the Centre for Information Policy Leadership filed comments with the Department of Commerce in response to the Department’s Notice of Inquiry (“NOI”) on the Global Free Flow of Information on the Internet.  The NOI was issued pursuant to an examination by the Department’s Internet Policy Task Force of issues related to restrictions on information flows on the Internet.  The NOI poses wide-ranging questions related to why such restrictions were instituted; the impact restrictions may have on innovation, economic development, global trade and investment; and how best to deal with any negative effects.  In the NOI, the Department acknowledges the benefits that businesses, emerging entrepreneurs and consumers derive from the ability to transmit information quickly and efficiently both domestically and internationally.  It also recognizes the integral role the free flow of information plays in promoting economic growth and democratic values essential to free markets and free societies.  The Department also articulated goals such as helping industry and other stakeholders operate in diverse Internet environments, and identifying policies that will advance economic growth and create job opportunities for Americans.

On November 10, 2010, the American Bar Association’s Section of Antitrust Law’s International Committee and Corporate Counseling Committee hosted a webinar on “Regulating Privacy Across Borders in the Digital Age: An Emerging Global Consensus or Vive la Difference?”.  A panel of senior officials and private sector experts provided insights on emerging cross-border data privacy and security issues.  Hunton & Williams partner Lisa Sotto was tapped to moderate an outstanding panel which included Billy Hawkes, Commissioner, Office of the Data Protection Commissioner ...

In a move toward implementation of the EU e-Privacy Directive, on November 3, 2010, the Dutch Minister of Economic Affairs submitted a bill to the Dutch Parliament that would amend the Dutch Telecommunications Act to obligate telecom and internet service providers to provide notification of data security breaches, and require consent for the use of cookies (the “Bill”).

The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data.  They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data.  The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector.  The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.

As the EU released new data protection proposals recommending stricter controls on individual online privacy, Hunton & Williams Brussels counsel Wim Nauwelaerts appeared on BBC TV and spoke to the Associated Press and The New York Times.  The articles also were featured globally in Forbes Magazine, Bloomberg Businessweek, CNBC, The International-Herald Tribune, The Parliament Magazine and other media sources.  London partner Bridget Treacy spoke with The Wall Street Journal, and the firm’s practice head Lisa Sotto spoke with The Washington Post

On November 4, 2010, the European Commission (the “Commission”) released a draft version of its Communication proposing “a comprehensive approach on personal data protection in the European Union” (the “Communication”) with a view to modernizing the EU legal system for the protection of personal data.  The Communication is the result of the Commission’s review of the current legal framework (i.e., Directive 95/46/EC), which started with a high-level conference in Brussels in May 2009, followed by a public consultation and additional targeted stakeholders’ consultations throughout 2010.  Although the Commission considers the core principles of the Directive to still be valid, the Communication equally acknowledges that the existing legal framework for data protection in the European Union is no longer able to meet the challenges of rapid technological developments and globalization.

The UK Information Commissioner’s Office (“ICO”) has announced the outcome of its investigation into the collection of payload data by Google Street View cars in the UK.  The ICO has concluded that there was a “significant breach” of the UK Data Protection Act in that “the collection of this information was not fair or lawful and constitutes a significant breach of the first principle [of the Act].”

While the ICO has the power to impose monetary penalties for serious breaches of the Act, capped at £500,000 per breach, in this case the ICO has determined that the appropriate course is to secure an undertaking from Google, requiring it to implement additional data protection safeguards.

On October 11, 2010, the French Data Protection Authority (the “CNIL”) released guidance (the “Guidance”) on data protection issues related to the outsourcing of data processing activities to non-EU countries (Les questions posées pour la protection des données personnelles par l’externalisation hors de l’Union européenne des traitements informatiques).

The Guidance was prepared following interviews held in 2009 by the CNIL’s international affairs department with consultancy groups, law firms advising on outsourcing deals, and companies actively engaged in offshore activities.  The interviews were conducted to provide the CNIL with insight regarding the impact of data protection requirements on outsourcing activities.  The Guidance is part of a broader analysis of the concepts of data controller and data processor carried out by the Article 29 Working Party (see the Working Party’s Opinion on the concepts of controller and processor).

In November 2009, the French Secretary of State in charge of the digital economy, Nathalie Kosciusko-Morizet, launched a wide-ranging campaign designed to secure the “right to be forgotten” on the Internet (“droit à l’oubli”).  The main objectives of the initiative were to: (1) educate Internet users about their exposure to privacy risks on the Internet; (2) encourage professionals to adopt codes of good practice and to develop privacy-enhancing tools; and (3) foster data protection and the right to be forgotten at both the national and EU level.

On September 20, 2010, the German government under the leadership of the Federal Minister of the Interior held a summit on “Digitization of Cities and States - Opportunities and Limits of Private and Public Geo Data Services.”  Approximately 50 experts attended, including the Federal Minister of Food, Agriculture and Consumer Protection, the Federal Minister of Justice and representatives from various companies, such as Deutsche Telekom, Google, Microsoft, Apple Inc., OpenStreetMap and panogate.  Numerous data protection authorities attended as well, including the Federal Commissioner for Data Protection and Freedom of Information, the Chair of the Düsseldorfer Kreis and the DPA of Hamburg.  The discussions at the summit were based on a discussion paper issued by the Federal Minister of the Interior.

On October 15, 2010, the Article 29 Working Party published an Opinion finding that Uruguay ensures an adequate level of protection within the meaning of the European Data Protection Directive (Article 25(6) of Directive 95/46/EC).

This Opinion was issued pursuant to an official request Uruguay filed with the European Commission in October 2008.  While the Article 29 Working Party’s Opinion is an important step toward adequacy, the European Commission must now make a formal decision that the Uruguayan legal framework provides an adequate level of data protection under EU data protection law.  The European Commission will take the Article 29 Working Party’s Opinion into account when determining whether to issue an “adequacy decision” in the coming months.  As recently illustrated by the adequacy procedure for Israel, this process may prove to be difficult.

Following its recent enactment of an omnibus data protection law, Mexico has been unanimously elected to lead the Ibero-American Data Protection Network, a consortium of the governments of Spain, Portugal, Andorra and 19 Latin American countries.  The group’s mission is to foster, maintain and strengthen an exchange of information, experience and knowledge among Ibero-American countries through dialogue and collaboration on issues related to personal data protection.  The IFAI announced on September 29, 2010, that Jacqueline Peschard, head of Mexico’s Federal ...

On October 5, 2010, the Commission for Economic Affairs of the French National Assembly introduced a Resolution (the “Resolution”) to support the International Standards on the Protection of Personal Data and Privacy adopted in Madrid on November 5, 2009, at the 31st International Conference of Data Protection and Privacy Commissioners (also known as the “Madrid Resolution”).

The Resolution states: “the right to privacy is a fundamental value in our society; the development of information and communication systems must be contained in order to prevent uses of personal data which threaten this right.

On behalf of a group of interested parties (the “Group”), Hunton & Williams and Acxiom submitted a response to the UK Ministry of Justice’s (“MoJ”) recent Call for Evidence on the effectiveness of current data protection legislation in the UK.  The Group is comprised of representatives from more than 40 organizations, including Barclays Bank, Dell, Fujitsu and GE Capital, all of which are committed to using personal data responsibly.  Hunton & Williams and Acxiom, a global leader in interactive marketing services, with the attendance of the Group, worked together over the last two months to host two discussion meetings, and produced a submission summarizing the Group’s views.

On October 7, 2010, the French Data Protection Authority (the “CNIL”) released its first comprehensive handbook on the security of personal data (the “Guidance”).  The Guidance follows the CNIL’s “10 tips for the security of your information system” issued on October 12, 2009, which were based on the CNIL’s July 21, 1981 recommendations regarding security measures applicable to information systems.

The Guidance reiterates that data controllers have an obligation under French law to take “useful precautions” given the nature of the data and the risks associated with processing the data, to ensure data security and, in particular, prevent any alteration or damage, or access by non-authorized third parties (Article 34 of the French Data Protection Act).  Failure to comply with this requirement is punishable by up to five years imprisonment or a fine of €300,000.

On September 28, 2010, the German Federal Office for Information Security, (the Bundesamt für Sicherheit in der Informationstechnik or “BSI”) released a draft framework paper on information security issues related to cloud computing.  The draft paper defines minimum security requirements for cloud solution service providers, and provides a basis for discussions between service providers and users.  The paper addresses the following issues:

• The definition of cloud computing
• Service provider security management requirements
• ID and rights management
• Monitoring and security incident response
• Emergency management
• Security checks and verification
• Requirements for personnel
• Transparency
• Organizational requirements
• User control
• Portability of data and applications
• Interoperability
• Data protection and compliance
• Cloud certification
• Additional requirements for public cloud service providers that support cloud solutions for the Federal Administration

On October 4, 2010, the French Data Protection Authority (the “CNIL”) stated in a press release that a recently enacted environmental law (Act No. 2010-788 of July 12, 2010, known as “Grenelle II”) expands the CNIL’s authority to regulate devices used to measure the viewership of advertisements in public places like shopping malls, train stations and airports.  Grenelle II introduces a new provision under Article L. 581-9 of the French Environmental Code, which states: “Any system that automatically measures the audience of an advertising device or which analyzes the typology or behavior of individuals passing within the vicinity of such advertising device requires prior approval of the CNIL.”

On October 8, 2010, the UK Information Commissioner’s Office launched a consultation on a new statutory code of practice on the sharing of personal data.

As stated in the ICO’s press release, the draft code sets out a model of good practice, covering routine and one-off arrangements for sharing data with third parties.  The code offers guidance on issues such as:

• The factors that an organization must take into account when deciding whether or not to share personal data
• The point at which individuals should be told that their data will be shared
• The security and staff training measures that must be implemented
• The rights of individuals to access their personal data
• Circumstances in which it is not acceptable to share personal data

On September 14, 2010, a French Appeals Court in Dijon (the “Court”) upheld a decision against an employer that had terminated an employee who not only used a company car for personal reasons, but also committed serious traffic violations while using the vehicle.  The Court rejected evidence collected using a Global Positioning System (“GPS”) device embedded in the company’s vehicle on the grounds that the employer (1) had failed to register this data processing activity with the French Data Protection Authority (the “CNIL”) and (2) had not given proper notice to employees regarding the use of GPS devices in company cars.  Nevertheless, the Court ruled that the use of a geolocation device in the employment context does not necessarily constitute an invasion of an employee’s right to privacy, provided the employer complies with applicable laws.

According to a press report dated October 2, 2010, the German state data protection authorities responsible for the private sector (also known as the “Düsseldorfer Kreis”) continue to consider the use of Google Analytics on company websites to be illegal.  The Düsseldorfer Kreis reached this decision at a recent meeting of its Telemedia working group.  The group has indicated that it hopes to continue negotiations with Google.  Dr. Alexander Dix, the Berlin Commissioner for Data Protection and Freedom of Information who was interviewed on this issue, stated that although ...

On August 25, 2010, the German government approved a draft law concerning special rules for employee data protection, originally proposed by the Federal Ministry of the Interior.  A background paper on the draft law was published on August 25, 2010.  The draft law would amend the German Federal Data Protection Act (the Bundesdatenschutzgesetz or “BDSG”) by adding provisions that specifically address data protection in the employment context.  Currently, employee data protection is regulated by (1) general provisions in the BDSG, (2) the new Section 32 of the BDSG introduced by the most recent reform in September 2009, (3) the Works Constitution Act, (4) guidance from state data protection authorities, and (5) comprehensive case law from federal and local labor courts.

The UK Information Commissioner’s Office (the “ICO”) has indicated that UK law firm ACS:Law could face a maximum penalty of £500,000 following a major data breach.

Personal information, including names and addresses, of over 8,000 Sky broadband subscribers and 400 PlusNet users was made publicly available following an apparent attack on ACS:Law’s website.  The broadband customers involved are suspected by ACS:Law’s clients of illegally file-sharing copyright work, including music and, in some instances, pornographic films.

The United States Federal Trade Commission ("FTC") recently joined forces with privacy authorities from eleven other countries to launch the Global Privacy Enforcement Network ("GPEN"), which aims to promote cross-border information sharing and enforcement of privacy laws.  On September 21, 2010, GPEN unveiled its new website, www.privacyenforcement.net, designed to educate the public about the network.  The GPEN website, which is supported by the Organization for Economic Co-Operation and Development ("OECD"), provides guidelines and application instructions for ...

The Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (generally referred to as “Convention 108”), enacted in 1981, is the only legally-binding international treaty dealing with privacy and data protection.  The Convention is also of fundamental importance in providing the underlying legal framework for instruments such as the EU Data Protection Directive 95/46.  So far, 42 countries have become parties to Convention 108.

As the European Commission reviews the EU Directive, the Council of Europe also is preparing to review Convention 108.  The review will be conducted by the Council of Europe’s Consultative Committee on data protection (referred to as T-PD) in a process that will likely take several years.  The T-PD, which meets at the Council of Europe’s headquarters in Strasbourg, is primarily composed of representatives of national governments and data protection authorities, with the International Chamber of Commerce being the only private-sector entity with formal observer status.  The group has commissioned a legal study from an outside consultant to analyze Convention 108 and provide any recommended revisions by the end of 2010, and the T-PD will begin discussions at its upcoming meeting in November.

On September 2, 2010, police in New Zealand issued a statement to confirm that there was no evidence Google committed a criminal offense in relation to the data it collected from unsecured WiFi networks during the Street View photography capture exercise.  The case has now been referred back to the New Zealand Privacy Commissioner.  A spokesperson from the New Zealand police force took the opportunity to underline the need for Internet users to make sure that security measures are properly implemented when using WiFi connections in order to prevent their information from being improperly accessed.

On July 27, 2010, the German Federal Network Agency, the Bundesnetzagentur (or “BNetzA”), issued a press release stating that it had recently levied €194,000 in administrative fines in two cases against companies accused of violating a ban on cold calling.  The cases involved consumer complaints implicating the companies in several illegal acts.  The companies claimed they had obtained prior consent from the consumers they contacted.  The BNetzA, which is the regulatory office for electricity, gas, telecommunications, post and railway markets in Germany, rejected the companies’ argument on the grounds that the “consent” was based on the consumers’ implicit acceptance of the terms of use associated with certain Internet games.  The terms of use included a provision regarding a participant’s consent to telemarketing by partners, sponsors and other companies.  The BNetzA stated that, because these terms of use did not satisfy the legal requirements for consent, the company had not obtained valid consent to call the consumers.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

On July 28, 2010, the Israeli Supervisor of Banks, Rony Hizkiyahu, issued a letter to the CEOs of all local banks expressing concern over the banks' and their employees' use of online social networks, including both proprietary Web 2.0 tools and networking sites such as Facebook, Twitter, LinkedIn, MySpace and YouTube, all of which are explicitly referred to in the letter.  The Supervisor of Banks, Israel’s banking regulator, requires banks to take steps to ensure data protection and information security, including ...

In a statement released on August 2, 2010, the French Data Protection Authority (the “CNIL”) announced that the European Commission has adopted a new time frame for the revision of the EU Data Protection Directive 95/46/EC (the “Directive”).  Following a public consultation on the EU Data Protection Framework late last year, Commissioner Viviane Reding, who is in charge of Justice, Fundamental Rights and Citizenship, had announced that a proposal for the revision of the Directive would be presented in November 2010.  However, several European data protection authorities ...

As scrutiny and enforcement escalate in corporate privacy and data security, has your organization developed policies that meet local and global compliance requirements?

Lisa J. Sotto, head of the Global Privacy and Information Management practice at Hunton & Williams and a member of the SAI Global Law & Ethics Advisors, along with Jeff Kaplan, Kaplan & Walker, LLC and Chair of the SAI Global Law & Ethics Advisors, deliver an informative podcast reviewing the drivers for privacy and data security policy compliance, and they discuss the keys to a successful compliance program.

In a statement released on July 29, 2010, the UK Information Commissioner's Office ("ICO") has found that the information collected by Google from unsecured WiFi networks during the Street View photography capture exercise "does not include meaningful personal details that could be linked to an identifiable person."  This follows an assessment carried out by the ICO on a sample of the data in question at Google's London offices.

On July 14, 2010, the Article 29 Working Party issued a press release regarding its findings on the implementation of the European Data Retention Directive (Directive 2006/24/EC).  The findings, compiled in a report to be contributed to the European Commission’s forthcoming evaluation of the Directive, indicate that the obligation to retain all telecom and Internet traffic data is not being applied correctly or uniformly across the EU Member States.  Specifically, the Working Party’s press release states that service providers retain and share data in ways contrary to the Directive.  The Working Party further noted that Member States’ reluctance to provide statistics on the use of retained data limits the ability to verify the value of data retention practices.

On July 7, 2010, the German Federal Office for Information Security, the Bundesamt für Sicherheit in der Informationstechnik (“BSI”), published a basic paper on data security and data protection for radio-frequency identification (“RFID”) applications.  The paper, Technical Guidelines RFID as Templates for the PIA-Framework, describes how to use RFID in compliance with data protection requirements, and explains the relationship between the BSI’s technical guidelines for the secure use of RFIDs and the European Commission’s Privacy Impact Assessment (“PIA”) Framework.

On June 1, 2010, Ukraine’s parliament adopted a bill on the protection of personal data which introduces a comprehensive regulatory regime for data processing in the country.  The bill was signed by the President of Ukraine on June 24, 2010, and will come into force on January 1, 2011.

On July 19, 2010, the Article 29 Working Party published a new set of frequently asked questions aimed at addressing some of the issues raised by the European Commission’s new Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU).  Among other things, the FAQs address the scope of the new model clauses and whether they can be used for intra-EEA data transfers.  The FAQs also clarify certain issues related to sub-processing.

The UK Ministry of Justice has issued a Call for Evidence on the effectiveness of current data protection legislation in the UK.  Responses must be submitted by October 6, 2010.  “It will give the [UK] Government a solid evidence base to use in negotiations with other European Union parties.  I believe we have everything to gain from a sensible, proportionate and rights-based data protection framework, and one that works for you as businesses, service-providers and citizens,” said Minister of State for Justice, Lord McNally.

The European Union’s Article 29 Working Party adopted a detailed recommendation on accountability which was submitted to the European Commission on July 13, 2010.  Opinion 3/2010 elaborates on the Working Party’s 2009 recommendation to include a new principle on accountability in the revised EU Data Protection Directive.  The Opinion’s executive summary states:

“EU data protection principles and obligations are often insufficiently reflected in concrete internal measures and practices.  Unless data protection becomes part of the shared values and practices of an organization, and responsibilities for it are expressly assigned, effective compliance will be at considerable risk, and data mishaps are likely to continue.

…this Opinion puts forward a concrete proposal for a principle on accountability which would require data controllers to put in place appropriate and effective measures to ensure that principles and obligations set out in the Directive are complied with, and to demonstrate so to supervisory authorities upon request.”

On June 21, 2010, the French Data Protection Authority (the “CNIL”) published its Opinion on a new security bill, the Loi d'orientation et de programmation de la performance de la sécurité intérieure (referred to as “LOPPSI”), which was adopted by the French National Assembly on February 16, 2010, and recently amended by the Senate's Commission of Laws on June 2, 2010.

In a recently published decision rendered on June 16, 2010, the Frankfurt am Main Higher Regional Court ruled that an Internet access provider may store IP addresses for seven days, and therefore, customers have no right to demand immediate deletion of their IP addresses.  The Court’s ruling upheld a decision originally rendered by the regional court of Darmstadt.

The claimant had requested that Deutsche Telekom AG delete the dynamic IP address assigned and stored for each Internet session immediately upon disconnection by a user.  Up to that point, the Internet provider had been retaining IP addresses for 80 days after each billing cycle.  In June 2007, the lower court granted the claimant request, imposing a maximum retention period of seven days for IP addresses.  The Internet provider reduced its IP address retention period accordingly, based on an agreement with the German federal data protection authority.

On July 6, 2010, the Irish government formally objected to the adequacy procedure initiated by the European Commission that would have allowed the free flow of European personal data to Israel, over concerns of the possible use of the information by Israeli officials.  This political move follows recent revelations regarding forgery of European passports, including several from Ireland, and their alleged use by Israel’s intelligence services.

On July 7, 2010, the UK Information Commissioner’s Office published a new code of practice for the collection of personal data online.  Launching the new code at a data protection conference, UK Information Commissioner Christopher Graham said, “the benefits of the internet age are clear: the chance to make more contacts, quicker transactions and greater convenience.  But there are risks too.  A record of our online activity can reveal our most personal interests.  Get privacy right and you will retain the trust and confidence of your customers and users; mislead consumers or collect information you don’t need and you are likely to diminish customer trust and face enforcement action from the ICO.”

On July 6, 2010, Mexico’s Ley Federal de Protección de Datos Personales en Posesión de los Particulares came into force.  As we previously reported, on April 27, 2010, the Mexican Senate unanimously approved this landmark federal data protection law governing the collection, processing and disclosure of personal data by the private sector.  Pursuant to the adoption of the new law, the Mexican Federal Institute of Access to Public Information has changed its name to the Federal Institute of Access to Information and Data Protection.

As reported by the IAPP, the Institute’s ...

The Australian government recently released an exposure draft of legislation that would fundamentally reform the Australian Privacy Act and would unify public and private sector privacy principles.  The exposure draft includes thirteen principles intended to protect individuals from the risks associated with the sharing of personal information.

Of particular interest to the international business community, Principle 8 addresses the cross-border disclosure of personal information.  The principle states that an entity must take reasonable steps to ensure that an overseas recipient does not breach the Australian Privacy Principles with respect to personal information being disclosed, but provides an exception if the entity reasonably believes that (i) the recipient of the information is subject to a law or binding scheme that provides protection that is substantially similar to protections provided by the Australian Privacy Principles, and (ii) there are mechanisms available for affected individuals to enforce such protection.

On June 24, 2010, the Article 29 Working Party adopted Opinion 2/2010 (the “Opinion”) providing further clarification on online behavioral advertising.  The Working Party also issued a press release on this topic.  Although the scope of the Opinion is limited to online profiling, its interpretation of Article 5(3) of the amended e-Privacy Directive provides some useful clarifications regarding the legal framework applicable to online behavioral advertising and the use of cookies.  We provide a short analysis of the Opinion below.

Opt-in?  Browser setting as opt-in?  Opt-out?  The Opinion clarifies the Working Party’s interpretation of the new Article 5(3) and Recital 66 of the e-Privacy Directive.  According to the Working Party, Article 5(3) and Recital 66, along with the General Data Protection Directive (“Directive 95/46/EC”), require prior opt-in consent since “prior opt-in consent mechanisms are better suited to deliver informed consent.”

On June 17, 2010, the French data protection authority (the “CNIL”) reported that it had conducted an on-site investigation at Google on May 19 to examine activities by Google’s Street View cars.  This investigation followed Google’s May 14 announcement that it had inadvertently captured Wi-Fi signals emitted in locations where its vehicles were taking photos.

On June 18, 2010, the data protection authority of the German federal state of Schleswig-Holstein published a press release and a comprehensive legal opinion on cloud computing.  The opinion provides an overview of cloud computing and discusses various practical and legal matters, including:

• Applicable law issues
• The legal basis for cloud computing and related processor and controller issues
• Problems associated with the possibility of third-party access
• The minimum requirements for data processor relationships and service provider contracts under the new German data protection law
• Technical and organizational security measures
• The legal landscape for clouds located outside the European Union

On June 17, 2010, the French data protection authority (the “CNIL”) published its Annual Activity Report for 2009 (the “Report”) in which it outlines some of its priorities for the upcoming year.

In February 2009, the CNIL published a report on online targeted advertising. Among other things, the CNIL voiced its concern regarding online behavioral and advertising activities and analyzed the risks of increasing user profiling.  In 2010, the CNIL is expected to issue a joint opinion with the Article 29 Working Party on targeted advertising and behavioral analysis.  The CNIL also will open a dialogue with several stakeholders from the marketing sector to work on adopting a code of best practices.

Reporting from Israel, legal consultant Dr. Omer Tene writes:

The Israeli Law, Information and Technology Authority (“ILITA”), Israel’s privacy regulator, continues to up the ante for data controllers in Israel.  This week ILITA imposed a $70,000 (NIS 258,000) fine against a company illicitly trading personal data.

On May 25, 2010, two privacy-related bills were introduced in the Parliament of Canada: the Fighting Internet and Wireless Spam Act (“FISA” or Bill C-28) and the Safeguarding Canadians’ Personal Information Act (Bill C-29) amending the Personal Information Protection and Electronic Documents Act (“PIPEDA”).

Bill C-29 is the long-awaited government response to the five-year mandatory review of PIPEDA.  The centerpiece of the bill is a new disclosure provision for security breaches related to personal information.  Key elements in the security breach notification proposal include:

• Any “material breach of security safeguards involving personal information” would have to be reported to the Privacy Commissioner of Canada.
• A determination of whether the breach is “material” would be made by the entity, based on the sensitivity of the information, the number of individuals affected and whether there is a systemic problem.
• Notification would have to be made “as soon as feasible” individuals affected by the breach “if it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual.”
• A determination of whether there is a “real risk” would be made by the entity, based on the sensitivity of the information and the probability that the personal information has been, is being or will be misused.

On May 28, 2010, the UK Information Commissioner’s Office issued a press release stating that it has been notified of more than 1,000 data security breaches since it began keeping records in late 2007.  There is no mandatory reporting requirement in the UK, so the actual number of breaches is likely to be significantly higher.  The ICO’s press release notes that the majority of breaches occur as a result of human or technical errors, such as employees improperly disclosing data to third parties or automated machines sending out letters to the wrong addresses.

On April 29, 2010, German data protection authorities issued a resolution regarding the obligations of German data exporters with respect to U.S. data importers that have self-certified under the Safe Harbor program.  By requiring additional diligence when transferring data to Safe Harbor-certified entities, the resolution may appear to raise questions with respect to the European Commission’s decision that Safe Harbor certification is sufficient to demonstrate an adequate level of privacy protection.

In a letter to the U.S. Federal Trade Commission dated May 26, 2010, the Article 29 Working Party expressed concerns regarding the retention and anonymization policies of Google, Yahoo! and Microsoft.  Specifically, the Working Party requested that the FTC examine the compatibility of the three search engine providers’ actions with provisions of Section 5 of the FTC Act which prohibits unfair or deceptive trade practices.

At a meeting held April 7-9, 2010, the Council on General Affairs and Policy of the Hague Conference on Private International Law adopted a document entitled 'Cross-Border Data Flows and Protection of Privacy' that outlines the organization's possible future work in the area of privacy and data protection law.  The document contains an overview of international data protection initiatives of the last few years, and addresses various cross-border cooperation issues, including problems created by the difficulty of determining applicable law and jurisdiction in cross-border data flows.  In

Following the first “hung parliament” since 1974, the UK is facing considerable legislative reform under the newly formed Conservative - Liberal Democrat coalition government.  Although the parties appear to have differing opinions on a number of legislative issues, one issue that unites them is their commitment (at least in theory) to strengthening the current data protection regime implemented under the Labour government.

Each party’s manifesto states that, should it be elected, it will enhance the audit powers of the Information Commissioner (the UK data protection regulator).  Currently, the Information Commissioner may audit government departments and public authorities suspected of violating data protection principles without their prior consent.  The Conservatives and Liberal Democrats propose to extend the Information Commissioner’s audit powers to private sector organizations.  This could be achieved in theory by secondary legislation.

According to a report issued by the EU Agency for Fundamental Rights (“FRA”), European data protection authorities lack sufficient independence and funding.  In addition, DPAs impose few sanctions for violations of data protection laws.  DPAs “are often not equipped with full powers of investigation and intervention or the capacity to give legal advice or engage in legal proceedings.”  In a number of countries, including Austria, France, Germany, Latvia, the Netherlands, Poland and the UK, “prosecutions and sanctions for violations are limited or non-existing.”  ...

On May 7, 2010, the data protection authority of the German federal state of North Rhine-Westphalia imposed a fine of €120,000 on Deutsche Postbank AG for illegal disclosure of customers’ bank account transaction data.  The bank unlawfully allowed approximately 4,000 self-employed agents to access information on more than a million customer accounts for sales purposes.

The Mexican Senate has unanimously approved a landmark data protection law governing information use in the private sector, la Ley Federal de Protección de Datos Personales en posesión de los particulares.  We provided information on the bill last week when the Chamber of Deputies voted to approve it.  The legislation has been forwarded to the president for signature.  We will provide further details as this story develops.

On April 20, 2010, the Department of Commerce (“DOC”) issued a Notice of Inquiry to solicit public feedback “on the impact of current privacy laws in the United States and around the world on the pace of innovation in the information economy.”  The aim is to understand “whether current privacy laws serve consumer interests and fundamental democratic values.”  To this end, the DOC poses a number of questions, including:

• Is the notice and choice approach to consumer privacy outmoded?  Would consumers be better served by a “use-based” model?
• How does compliance with ...

On April 19, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, and the heads of nine other international data protection authorities took part in an unprecedented collaboration by issuing a strongly worded letter of reproach to Google’s Chief Executive Officer, Eric Schmidt.  The joint letter, which was also signed by data protection officials from France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, highlighted growing international concern that “the privacy rights of the world’s citizens are being forgotten as Google rolls out new technological applications.”

On April 8, 2010, the Digital Economy Act (the “Act”), containing provisions relating to online copyright infringement, network infrastructure and digital safety, became law in the UK.  The Act’s main provisions include:

• new duties for the Office of Communications (the UK’s communications regulator), to report every three years on issues such as the UK’s communications infrastructure and Internet domain name registration;
• additional obligations on Internet Service Providers (“ISPs”) that seek to reduce online copyright infringement;
• increased penalties for online copyright infringement; and
• intervention powers with respect to Internet domain registries.

Following up on our previous post on the sentencing of three Google executives by an Italian court, the New York Times reports that an 111-page explanation of the verdict has been released.  Judge Oscar Magi found that Google had an obligation to make users more aware of its EU privacy policies, and cited Google’s active marketing of its Google Video site as indicative of the company’s profit motive for not removing the video sooner.

According to Mr. M. Jorge Yanez V., a partner at the law firm of Barrera, Siqueiros y Torres Landa, S.C. in Mexico City, on April 13, 2010, the Mexican Chamber of Deputies passed a bill that, when ratified by the Senate, will become the country’s new Federal Law of Protection of Personal Information.  The Senate is expected to pass the bill shortly and without revisions.  When the bill is enacted into law, Mexico’s Federal Institute of Access to Information, the agency that currently oversees the disclosure of and access to government information, will be renamed the Federal ...

The Madrid Resolution on global standards provided new momentum behind the concept of one world, one standard for privacy in international commerce.  New Zealand Privacy Commissioner Marie Shroff is one of the thoughtful officials who has joined in the call for a global framework.  Commissioner Shroff discussed her views on global standards in an interview with Marty Abrams during the Centre for Information Policy Leadership’s First Friday Call on April 9, 2010.

In the wake of recent amendments to the German Federal Data Protection Act, the German Federal Ministry of the Interior (the Bundesinnenministerium des Innern) is working on a draft law on special rules for employee data protection.  The draft law is intended to provide clarification on some issues that were not addressed fully in the amendments that entered into force on September 1, 2009.  The Ministry’s overarching considerations are set forth in a key issues paper that was published April 1, 2010.

Demos, an independent UK-based think tank, has published a report describing the views of a cross-section of British people on how their personal data are used by the public and private sectors.  Private Lives: A People’s Inquiry Into Personal Information (the “Report”) was researched in the context of the UK Information Commissioner’s Office’s consultation on the Personal Information Online Code of Practice.  The Information Commissioner called for industry and research groups to provide context for the new Code of Practice. “What emerges from the study is a fascinating picture of a public who certainly care about information rights, but who are by no means hysterical about perceived threats to liberty or privacy,” observed UK Information Commissioner Christopher Graham.

Justice Michael Kirby was invited by the Organization for Economic Cooperation and Development (the “OECD”) to open the celebration of the 30th anniversary of the adoption of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.  Justice Kirby led the group of experts who worked from 1978-1980 to develop the Guidelines, which have formed the basis of modern privacy and data protection law.

On February 19, 2010, the Court of Appeals of Versailles (the “Court”) upheld the unlimited seizure and review of a company’s emails by several agents of the French Competition Authority (Autorité de la Concurrence).  The agents had been authorized by a lower court judge to inspect the emails pursuant to an investigation into an alleged abuse of dominant position in the pharmaceutical market.

On March 17, 2010, the French Data Protection Authority (the “CNIL”) published a report concerning on-site inspections and outlined its objectives for the coming year.  In the report, which was adopted on February 18, 2010, the CNIL indicated that it intends to conduct at least 300 on-site inspections throughout France in 2010, with a special focus on the following issues:

• ensuring compliance with CNIL decisions, in particular the CNIL’s standards for simplified notifications;
• verifying that data controllers comply with the technical recommendations defined in their registration forms; and
• assessing the effectiveness of data protection officers within organizations.

In a decision handed down on February 25, 2010, the French Constitutional Court ruled that the right to privacy derives from Article 2 of the Declaration of Human Rights, and is therefore considered a constitutional right under French law.  The Court also ruled that the legislature must strike a balance between the right to privacy and other fundamental interests, such as preventing threats to public safety, which are necessary to preserve constitutional rights and principles.

In conjunction with the celebration of its 10th anniversary on March 16, the International Association of Privacy Professionals is releasing a white paper on the future of the privacy profession entitled, “A Call for Agility: The Next-Generation Privacy Professional.”  When the IAPP initially was formed, the role of the chief privacy officer was newly emerging following the dot-com boom.  Over the past 10 years, the exponential increase in data collection and retention have propelled the privacy professional into senior levels of management.  Reflecting the growth of the privacy professional’s role, the IAPP’s membership has grown to include over 6,500 privacy professionals from businesses, governments and academic institutions across 50 countries.

On March 9, 2010, the European Court of Justice ruled that the Federal Republic of Germany’s practice of “state supervision” over data protection authorities violates EU Data Protection Directive 95/46/EC.  The case, brought by the EU Commission, is a milestone which will force Germany to change the structure of its DPA system and could have ramifications in other countries as well.

The Court’s decision is based on Article 28(1) of the Directive, which requires that data protection authorities (“DPAs”) act with “complete independence.” German law makes a distinction with regard to DPA supervision depending on whether the data processing is carried out by public or non-public bodies.  There are therefore different authorities responsible for monitoring public entities’ compliance with data protection provisions versus those that monitor compliance by private parties and undertakings governed by public law which compete on the market (öffentlich-rechtliche Wettbewerbsunternehmen) outside the public sector (such as transportation and utility companies).

Alberta’s Information and Privacy Commissioner, Frank Work, issued a news release regarding the recent Court of Appeal of Alberta decision in Alberta Teachers’ Association v. Alberta (Information and Privacy Commissioner).  In the case, the Court held that the Information and Privacy Commission has no authority to extend investigation time limits under the Personal Information Protection Act (“PIPA”) after the statutory time limit has expired.  Further, if the Commissioner extends the time in an inquiry process within the time limit, he must provide reasons for the extension, and his decision will be subject to judicial review.  The Court noted that “[b]lanket or routine extensions seem unlikely to be regarded as reasonable if they cannot also be justified in the specific circumstances of the case.”  PIPA is provincial legislation that governs the use of personal information by private sector organizations in Alberta.

On March 3, 2010, the UK Information Commissioner launched a report on the "Privacy Dividend" (the “Report”), which outlines the business case for proactively investing in privacy protection.  The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.

On February 24, 2010, the French Senate’s Committee of Laws published an amended bill on the right to privacy in the digital age (“Proposition de loi visant à garantir le droit à la vie privée à l’heure du numérique”) (the “Bill”).  Following the initial draft presented by Senators Yves Détraigne and Anne-Marie Escoffier, this revised version is based on a second Senate Report in which concrete proposals are made to amend the Data Protection Act.

On March 2, 2010, the German Federal Constitutional Court ruled that the mass storage of telephone and Internet data for law enforcement purposes is unlawful in its current form.

Since 2008, the challenged law has required telecom companies to retain data from telephone, email and Internet traffic, as well as mobile phone location data, for six months.  This information may be retrieved for law enforcement and safety purposes.  Constitutional claims were brought before the Court by nearly 35,000 citizens, representing the largest mass claim proceeding in German history. 

On February 16, 2010, the Article 29 Working Party adopted Opinion 1/2010 (the “Opinion”) providing further clarification and guidance on the interpretation of the concepts of “data controller” and “data processor” in the context of the EU’s Data Protection Directive 95/46/EC.

In February 24, 2010, an Italian court in Milan found three Google executives guilty of violating applicable Italian privacy laws.  The executives were accused of violating Italian law by having allowed a video showing an autistic teenager being bullied to be posted online.  The Google executives, Senior Vice President and Chief Legal Officer David Drummond, Chief Privacy Counsel Peter Fleischer and former Chief Financial Officer George Reyes, were fined and received six-month suspended jail sentences.

On February 11, 2010, the plenary of the European Parliament rejected by a vote of 378 to 196 the agreement reached in 2009 between the EU and the U.S. to allow access by U.S. law enforcement authorities to the payment database of the financial consortium SWIFT.  The agreement had been negotiated between the EU Council of Ministers and the European Commission with the U.S. government to allow continued access to the database, a mirror copy of which had been moved by SWIFT from the U.S. to Europe.  With the Lisbon Treaty’s entry into force, the Parliament gained new powers to approve measures affecting law enforcement and civil liberties, and a number of members of the Parliament have expressed concern regarding the level of data protection provided for in the agreement.  According to news reports, several top U.S. government officials (including Secretary of State Hillary Rodham Clinton and Treasury Secretary Timothy Geithner) had been lobbying the European Parliament to approve the agreement, on the grounds that it was essential to fight terrorism in both the U.S. and Europe.

On February 1, 2010, it became compulsory for randomly selected passengers at Heathrow and Manchester airports in the UK to pass through full body scanners before boarding their flights.  This enhanced security screening has been implemented following the attempted Christmas Day terrorist attack at the Detroit airport in the United States, after which the British government announced that it would begin mandatory body scanning at all UK airports.  The move has raised concerns about the excessive collection of personal data.

On February 5, 2010, the European Commission adopted a new set of standard contractual clauses (“SCCs”) for transfers of personal data from data controllers in the EU to data processors outside the EU.  View the European Commission press release.

Cloud computing raises complex legal issues related to privacy and information security.  As legislators and regulators around the world grapple with the privacy and data security implications of cloud computing, companies seeking to implement cloud-based solutions should closely monitor this rapidly evolving legal landscape for developments.  In an article published on February 3, 2010, Lisa Sotto, Bridget Treacy and Melinda McLellan explore U.S. and EU legal requirements applicable to data stored by cloud providers, and highlight some of the risks associated with the use ...

Pursuant to a public complaint, on January 27, 2010, the Privacy Commissioner of Canada announced a new investigation into Facebook.  The investigation concerns the social networking site’s introduction of a tool that required its users to review their privacy settings in December 2009.  According to the complaint, Facebook’s new default settings allegedly made some users’ information more accessible than previously had been the case.  Elizabeth Denham, the Assistant Privacy Commissioner, indicated “[s]ome Facebook users are disappointed by certain changes being ...

On January 29, 2009, the German Federal Network Agency (the “Agency”) stated in a press release that it has imposed fines for unauthorized telephone advertising in six cases.  This brings the total to nine procedures (resulting in €500,000 in fines) during the months of December 2009 and January 2010, and marks the first time the Agency has imposed sanctions for violations of the prohibition on unauthorized telephone advertising and for breach of the caller ID requirement for marketing calls.

On January 19, 2010, Information and Privacy Commissioner David Loukidelis resigned to accept the post of Deputy Attorney General of British Columbia.  Mr. Paul Fraser, the Conflict of Interest Commissioner, has been named interim Commissioner.  The appointment of a permanent successor is expected in the spring when the British Columbia legislature reconvenes.  
 
View the Commissioner Loukidelis' letter of resignation. 

On January 18, 2010, the Privacy Commissioner of Canada, Jennifer Stoddart, announced a public consultation to examine the privacy issues associated with online tracking, profiling and targeting of consumers.  The Commissioner noted that the consultation will “provide a forum for the exploration of the privacy implications related to this modern industry practice, and the protections that Canadians expect.”  The consultation marks the first in a series to review emerging technologies that are likely to have a considerable impact on consumer privacy.  The announcement of a ...