International E-news - June 2010
- Germany prepares amendment to DP Act on employee data
- Taiwan passes amendments to DP Act
- Swiss-US pact to disclose personal banking details rejected by Swiss parliament
- EU Data Protection Working Party requires opt-in for cookies
- Switzerland agrees to disclose personal banking details to the USA
- Israel imposes fine on a software company; the DPA’s future fining power considerably increased
- New Zealand consults on credit reporting
- US Supreme Court rules on an employer’s right to search
The current proposals, to be debated in Parliament next month, if adopted, will give employers stronger monitoring powers. A revised draft for a chapter to be inserted into the Federal DP Act, published on 1 June, applies to the collection, processing and use of personal data by employers for the purpose of past, present or future service or employment contracts.
Read more about this topic in the PL&B International Newsletter June issue, published this week.
In April 2010 Taiwan’s Legislative Yuan passed the first major overhaul of Taiwan’s Computer-Processed Personal Data Protection Act since its enactment in 1994. The new Act, which is not expected to come into force until 2011, is renamed the Personal Data Protection Act.
Major features of the new Act include:
- It will apply to all public and private entities, not only to specified entities such as those in the financial, telecommunications and insurance sectors;
- Registration requirements are to be abandoned;
- It will apply to all types of records, not only computer-processed personal data;
- Strong obligations to notify data subjects at the time of collection are included for the first time;
- These include obligations to notify before use when personal data is collected from third parties;
- Data breach notification is also required, a first for an Asian jurisdiction;
- Damages claims can be ten times higher than under the previous Act;
- Criminal penalties are no longer subject to ‘intent to profit’ and ‘actual damage’ requirements;
- Company representatives will be subject to the same fines as their companies, unless they can show they took steps to prevent the breach.
The new Act will have all of the attributes expected of a modern EU-influenced data protection law, with the exception that there will still be no central data protection authority. The model, shared with Japan, of enforcement on a sectoral basis through the relevant Ministries, will continue.
On 8 June the Swiss House of Representatives (the lower house of the federal legislature) rejected, by 104 to 76, an agreement with the US government that would have allowed the disclosure of data and names of thousands of U.S. clients of the UBS bank. The Swiss Senate had approved the agreement the previous week. The People's Party and Social Democratic Party have agreed that even if the agreement is finally accepted by parliament, it must be put to a national referendum. That would make it very difficult if not impossible to meet the August 2010 deadline required by the US government in the interim UBS settlement deal.
The U.S. Justice Department brought criminal prosecutions and a civil action against the bank for assisting US taxpayers to evade U.S. taxation. After UBS paid $780 million and disclosed data on several hundred US clients, the US government then demanded information on another 52,000. On 20 August 2009, the US and Swiss governments agreed on disclosure of details of 4,450 clients. The Swiss government was forced to get parliamentary approval after the Swiss Federal Administrative Court ruled twice that the agreement was illegal because it violated Swiss banking secrecy laws and denied UBS clients a right of appeal against disclosure.
Data controllers and processors are obliged to obtain prior informed consent when placing cookies, the Art. 29 Data Protection Working Party says.
“The fact that an ad network provider may be regarded as a processor in its agreement with the advertiser does not exempt that provider from the notice, consent or other data protection obligations,” said Eduardo Ustaran, Partner at Field Fisher Waterhouse LLP, the London-based law firm.
The information must be directly visible on the screen to the consumer and not hidden in privacy policies, Ustaran explained. “In practice, ad network providers and publishers need to cooperate and decide who will provide notice and how.”
The previous assumption that consent could be implied by way of browser settings is thus not valid.
Phil Lee, data privacy specialist at London law firm, Osborne Clarke, said: “Revenue generated through targeted advertising is increasingly viewed as vital to funding Internet content, and moving towards opt-in could drive advertising revenues down substantially - with the potential consequence that consumers will end up paying more for the content they want.”
"It's also far from clear how opt-in should be implemented in practice - consumers visiting a website with targeted advertising served by multiple advertisers may find themselves having to click through a barrage of pop-up windows asking for their consent."
Karin Retzer, Attorney at Morrison & Foerster, and speakers from Google, an Italian lawyer and privacy regulators from the EU, Canada, and the United Kingdom, will be speaking about recent developments in Online Behavioural Advertising at the Privacy Laws & Business 23rd Annual International Conference in Cambridge on 6 July.
The EU DP Working Group’s Opinion on Online Behavioural Advertising was published on 22 June.
The Swiss parliament has approved a deal with the US that will see the UBS bank hand over data on 4,450 US clients suspected of tax evasion.
On 8 June the Swiss House of Representatives (the lower house of the federal legislature) rejected (by 104 to 76) an agreement with the US government. The People's Party and Social Democratic Party have agreed that even if the agreement is finally accepted by the legislature it must be put to a national referendum. That would make it very difficult if not impossible to meet the August 2010 deadline required by the US government in the interim UBS settlement deal.
The US Justice Department brought criminal prosecutions and a civil action against the bank for assisting US taxpayers to evade US taxation. After UBS paid $780 million and disclosed data on several hundred US clients, the US government then demanded information on another 52,000. On 20 August 2009 the US and Swiss governments agreed on disclosure of details of 4,450 clients. The Swiss government was forced to obtain parliamentary approval after the Swiss Federal Administrative Court ruled twice that the agreement was illegal because it violated Swiss banking secrecy laws and denied UBS clients a right of appeal against disclosure.
The Israeli Law, Information and Technology Authority (ILITA), which enforces the Protection of Privacy Act, imposed on 16 June an administrative fine (258,000 NIS = US$68,000) for unlawful processing of data for the purpose of sale and distribution of databases and related software.
M.N.R limited, a software company, had developed a module that provides personal data on debtors, which in turn made it possible to trace and locate them. This software component was sold to M.N.R customers along with a complete database with comprehensive information on the majority of Israel's citizens. The software module and the underlying database were sold to about 80 different customers (mostly law firms).
For the first time ever, ILITA issued a search warrant, and in February conducted a search of the company’s office and ran various complex e-discovery routines to analyse the information and identify supporting forensic evidence.
A parliamentary committee has just approved an update to the administrative offences ordinance on data protection, setting the level of fines at 5,000 NIS for individuals (employees or managers in a corporation) and 25,000 NIS for corporate offences. It is due to be formally approved in July.
These issues will be fully covered in PL&B’s conference on 25th October in Israel.
The New Zealand Privacy Commissioner, Marie Shroff, has launched a public consultation on the proposed amendment to the Credit Reporting Privacy Code. Submissions are invited by 13 August. The amendments result from a two-year review of the code, which included consulting a reference group of consumer and industry representatives. The amendments aim to introduce new elements of external accountability for credit reporters.
The US Supreme Court has ruled unanimously this month that a police officer's right to privacy was not violated by his employer's search of his official pager to investigate excessive use. The court ruled on narrow grounds, as predicted by PL&B. However, the ruling provides only general guidance for private sector employers.
A full analysis of the ruling will appear in the next PL&B International newsletter, to be published late July.
Copyright Privacy Laws & Business 2010