International E-news - April 2010



  1. Liechtenstein Court sets multi-million precedent for data breach liability
  2. HSBC Swiss data breach
  3. Landmark Israeli Supreme Court Case: Online anonymity is a constitutional right
  4. New Zealand’s Law Commission wants new privacy laws
  5. Privacy Commissioners form Global Enforcement Network and warn Google to respect privacy laws
  6. European Union Data Protection Directive revision now imminent

1. Liechtenstein Court sets multi-million precedent for data breach liability - Bank ordered to pay German client for avoidable tax penalties

In a case watched closely in at least eight countries by customers of a Liechtenstein bank, the High Court in Vaduz, the capital, ordered the country’s largest bank to pay 7.3 million euros compensation to a German client for not notifying him that his account details had been disclosed to German tax authorities. If he had known of the data breach, the client could have paid tax voluntarily and avoided the criminal penalties imposed on him for tax evasion.

The case is also significant for other countries when customers are subject to tax penalties after banks disclose their account details to tax authorities, either under legal compulsion or by defaulting employees. Switzerland, for example, has been required to disclose client details to authorities in the United States and other countries by legal compulsion, and has also had such information disclosed by employees.

One US non-taxpayer has already been jailed as a result.

A more detailed report will appear in the April issue of PL&B International, published later this week.

2. HSBC Swiss data breach

On 11 March, HSBC bank in Switzerland revealed that details on 24,000 customers had been stolen by an employee and given to French tax authorities. The Swiss Financial Markets Supervisory Authority started proceedings against the bank.

A more detailed report will appear in the April issue of PL&B International, published later this week.

3. Landmark Israeli Supreme Court Case: Online anonymity is a constitutional right

On 25th March, Israel’s Supreme Court settled a long standing District Court split holding that online anonymity is a constitutional right derived from the right to privacy and free speech.

The Court prohibited an ISP from disclosing a user’s identity based on his or her IP address. The user was sued as “John Doe” in a libel action based on an IP address obtained from the website that published his or her allegedly libelous comments.

The Court wrote: “Alongside online platforms which provide user anonymity, the Internet may negate the anonymity of those whose personal data are stored in its massive database. In the past, there was no public access to personal and sensitive data and actions taken within the confines of one’s home remained far from the public eye; now the Internet provides direct and indirect access into the very heart and mind of users. The shattering ‘illusion of privacy’ online, a reality where the sense of user privacy is a myth, raises the disturbing spectre of ‘big brother’. This invasion of privacy must be minimized. The shelter of online anonymity must be preserved within reasonable bounds as a basis for online culture. To a great extent, anonymity makes the Internet what it is today; without it there would be no liberty in the virtual world. As the prospect of digital surveillance increases, users’ behaviour will radically change”.

Civ. App. 4447/07 Rami Mor v. Barak ETS (in Hebrew).

By Dr. Omer Tene, Israeli Legal Consultant, Associate Professor, College of Management School of Law, Web: www.omertene.com

Privacy Laws & Business is organising a Roundtable on Israel’s privacy law with two speakers from Israel’s Data protection authority, Dr. Tene and others on 25th October in Tel Aviv.  

4. New Zealand’s Law Commission wants new privacy laws

New Zealand’s Law Commission has released its final report on stage 3 of its Review of Privacy, dealing with the adequacy of the general civil and criminal law to deal with invasions of privacy.

The Report tabled in Parliament on 26 February made five key recommendations:

  • A Surveillance Devices Act providing for criminal offences and civil remedies in relation to the use of visual surveillance, interception and tracking devices.
  • Amendments to ensure the Harassment Act clearly applies to harassing surveillance.
  • New offence provisions relating to voyeurism.
  • Repeal of existing restrictions on visual and audio surveillance by private investigators, provided other measures are introduced.
  • Leaving the tort of invasion of privacy to develop at common law (as it already has done so in the New Zealand courts).

A more detailed report will appear in the April edition of PL&B International, published later this week.

5. Privacy Commissioners form Global Enforcement Network and warn Google to respect privacy laws

A group of data protection and privacy regulators from 10 countries has announced today that they have sent a joint letter to Google asking it to address privacy concerns raised by Google Buzz.

The letter, sent yesterday, signed by DPAs from Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom, (with a combined population of 375 million) says that when multinationals roll out new services and products, they must comply with privacy laws in all countries concerned.

"I congratulate the Canadian Privacy Commissioner Jennifer Stoddart for leading this international response to an action by a powerful global corporation, which affected internet users in New Zealand and worldwide," New Zealand’s DP Commissioner Marie Shroff said on 20 April.

This unprecedented move by the DPAs is a response to the way Google merged its new social networking service, Google Buzz, with people’s private email addresses on Gmail. Buzz made public, by default, the follower lists - people most frequently emailed and chatted with.

The DPAs say that “users were not adequately informed about how this new service would work or provided with sufficient information to allow informed consent.”

Google added a more visible privacy option to Buzz that allows people who users follow on their public profile to be not shown in a public manner. Also, individuals are able to hide Buzz from Gmail or disable it completely. However, the DPAs remain “extremely concerned about how a product with such significant privacy issues was launched in the first place.”

New Zealand is a founding member of the recently established Global Privacy Enforcement Network (GPEN). GPEN will help data protection and privacy authorities world-wide to work with each other to defend people's right to protection of their personal information wherever in the world a breach or harm may occur.

Read more about this topic in the June issue of PL&B International.

Data Protection Commissioners or their senior staff from 4 of the 10 countries, the European Data Protection Supervisor and Peter Fleischer, Global Privacy Counsel, Google will all speak at Privacy Laws & Business’s 23rd Annual International conference, 5-7th July, St. John’s College, Cambridge.  

6. European Union Data Protection Directive revision now imminent

The European Commission has promised to review the DP Directive this year. The Action Plan implementing the Stockholm Programme promises that the EU Commission will provide a “New comprehensive legal framework for data protection” in 2010.

The Stockholm programme deals with the EU’s justice and security policy, including information exchange. The EU Communication of 20 April says that "In a global society characterised by rapid technological change where information exchange knows no borders, it is particularly important that privacy must be preserved. The Union must ensure that the fundamental right to data protection is consistently applied. We need to strengthen the EU’s stance in protecting the personal data of the individual in the context of all EU policies, including law enforcement and crime prevention as well as in our international relations."

“The establishment of a strategic agenda for the exchange of information requires an overview of existing data collection, processing and data-sharing systems, with a thorough assessment of their usefulness, efficiency, effectiveness, proportionality and their respect of the right to privacy. It should also lay the ground for a coherent development of all existing and future information systems.”

See the Communication.

There will be a session on Prospects for reform of the EU Data Protection Directive at Privacy Laws & Business’s 23rd Annual International Conference, 5-7th July at St. John’s College, Cambridge. A presentation by European Data Protection Supervisor, Peter Hustinx, will be followed by brief comments from Professor Artemi Rallo Lombarte, President, Data Protection Agency, Spain and Deputy Chair, Art 29 EU Data Protection Working Party; and Christopher Graham, Information Commissioner, UK, There will then be a discussion with the other participants. 

For further details on the Privacy Laws & Business International Newsletter, please click here.

Copyright Privacy Laws & Business 2010