International E-news - December 2010
- US Department of Commerce proposes
- Canada adopts law on online data protection
- German DPAs set minimum requirements for DPOs
- More detail needed for EU Data Protection Directive revision
- US FTC: Self-regulation has failed to provide meaningful protection
- Hamburg DPA issues €200,000 fine
- United Kingdom’s ICO issues first fines: £60,000 and £100,000
- Council of Europe issues recommendation
1. US Department of Commerce proposes federal data breach law
A Green Paper issued by the Department of Commerce’s Internet Policy Task Force on 16 December proposes to revitalise Fair Information Practice Principles (FIPPs) , encourage the development of voluntary, enforceable privacy codes of conduct in specific industries, and encourage global cooperation in privacy matters. Also, it proposes a federal commercial data security breach notification law, which would be enforced by the FTC and individual states. Also, the paper suggests the establishment of a Privacy Policy Office within the Department of Commerce.
The FTC recently issued its own paper on the future of US online privacy. FTC Chairman Jon Leibowitz said:
“The Department of Commerce’s Green Paper is a welcome addition to the ongoing dialogue about protecting consumers’ privacy. It places special emphasis on policies that will preserve the viability of the Internet as it evolves through innovation, transforms the marketplace, and spurs economic growth. We think it will make a significant contribution to the growing and critical debate about how best to protect the privacy of American consumers.”
The Green Paper is Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework.
Read more about this topic in the February issue of PL&B International.
2. Canada adopts law on online data protection
Bill C-28, adopted on 15 December, addresses online privacy and especially spam. The ‘Fighting Internet and Wireless Spam bill’ also includes regulations to fight identity theft, phishing and spyware.
The bill bans sending commercial electronic messages without consent, and the installation of computer programs without consent in the course of commercial activity. It also prohibits the collection of personal information via unlawful access to computer systems and the unauthorised compiling or supplying of lists of electronic addresses.
The legislation is based on recommendations by the Task Force on Spam, which consisted of industry, consumers and academic experts.
The Bill entered into force on 16 December.
See and PL&B International Newsletter, issue 106, August 2010, p.1.
3. German DPAs set minimum requirements for DPOs
Following the EU Commission’s tentative plans to include a requirement for an internal data protection officer (DPO) in the revision of the Data Protection Directive, the German Data Protection Authorities have said that, as a minimum standard, German DPOs should have a general command of data protection law, and comprehensive knowledge of the German Federal Data Protection Act. Depending on the sector, they should also be knowledgeable about industry sector-specific legal provisions, and have experience in day-to-day data protection compliance procedures.
The DPAs for the private sector, the Düsseldorfer Kreis, issued a resolution on this topic on 24-25 November. See (in German).
The February PL&B International Newsletter will report in detail on plans for mandatory DPOs.
4. More detail needed for EU Data Protection Directive revision
Jacob Kohnstamm, Netherlands Data Protection Commissioner and Chairman of the EU Art. 29 Data Protection Working Party, has called for more details on accountability, transparency and individuals’ rights than are included in the EU Commission’s Communication of 4 November.
Speaking in Brussels on 30 November, Kohnstamm said:
“The opportunities for citizens to seek redress in courts are still rather weak. If the suggestions about class actions are more than just good intentions, there should be more detail available already now.”
The Commission’s proposals include looking into the possibility of mandatory data breach notification and the appointment of companies’ data protection officers.
More about this topic in the December issue of PL&B International Newsletter.
5. US FTC: Self-regulation has failed to provide meaningful protection
A report published by the US Federal Trade Commission on 1 December proposes a new framework for privacy protection in the US to ‘protect consumer privacy while supporting beneficial uses of information and technological innovation’.
The preliminary staff report says that industry efforts to address privacy through self-regulation “have been too slow, and up to now have failed to provide adequate and meaningful protection.”
The suggested framework builds upon the FTC’s law enforcement experience, better use of privacy notices and the results of its recently held privacy roundtables. The framework would apply to ‘all commercial entities that collect or use consumer data that can be reasonably linked to a specific consumer, computer, or other device.’
The following elements are included:
1.Privacy by Design
2. Consumer choice, for example, the opportunity to use browser settings to refuse to receive targeted ads (“Do Not Track approach)”
3. Better transparency through clearer privacy policies.
The FTC is now seeking comments on the proposals. Responses are sought by 31 January 2011. A final report will be issued later in 2011.
More about this topic in the December issue of PL&B International Newsletter.
6. Hamburg DPA issues €200,000 fine
Hamburg's data protection authority has fined Hamburger Sparkasse AG €200,000 on 23 November for illegally profiling its customers.
Bank customer data was accessed, often without customer consent, between the end of 2005 to August 2010 by the company’s self-employed, mobile customer service representatives.
Customer profiles were then created by using customer data, socio-demographic data and product usage data, including account balances.
The company cooperated with the investigation, and the unauthorized customer profiles have now been deleted.
7. United Kingdom’s ICO issues first fines: £60,000 and £100,000
The UK’s Information Commissioner on 24 November has issued the first fines under its new powers. The £60 000 and £100,000 fines indicate that the ICO is willing to use the power to get its message across to data controllers. However, it is still expected that the ICO will issue just a handful of fines per year.
Hertfordshire County Council was fined £100,000 for faxing details of child sexual abuse, and details of care proceedings to the wrong recipients. The ICO, although having been informed of the breaches by the council, decided that this is the sort of breach where a monetary penalty was appropriate given that the Council did not learn from its mistakes. There was no appropriate action taken after the first incident to stop it from happening again.
The employment services company A4e was fined £60,000 for the loss of an unencrypted laptop which contained personal information relating to 24,000 people who had used community legal advice centres. The ICO has in the past year repeatedly said that encryption is required for mobile media.
See www.ico.gov.uk
8. Council of Europe issues recommendation
The Council of Europe issued, on 25 November, a recommendation on the protection of individuals in the context of profiling.
The recommendation adopted by the Committee of Ministers aims at
- striking a fair balance between the interests at stake, for example, the interest of a bank in assessing a customer’s credit risk and the interest of the customer to be informed about the profiling taking place
- ensuring effective protection of the rights of data subjects and fair procedures in situations where data is being processed
- avoiding decisions, discrimination or stigmatisation made automatically, on the basis of profiles.
For further details on the Privacy Laws & Business International Newsletter, please click here.
Copyright Privacy Laws & Business 2010