International E-news - October 2010
- EU approves Israel's Adequacy Status
- Google Wi-Fi: Spain takes Google to court, Canada asks for improvements by February 2011
- EDPS comments on EU law enforcement DP review
- Uruguay adequate, says EU Art. 29 DP Working Party
1. EU approves Israel's Adequacy Status
There is now an additional legal basis for transferring personal data from the European Union to Israel.
The European Union yesterday approved the adequacy status of Israel's Protection of Privacy Act in a declaration by the EU Article 31 Data Protection Committee. This declaration at the political level supports the decision in January this year of the Article 29 Data Protection Working Party which consists of the Data Protection Authorities of the 27 EU Member States.
This is a success for Israel at the same time as it is the host this week in Jerusalem of the 32nd International Conference of Data Protection and Privacy Commissioners.
The European Parliament has a month to express a view on yesterday's declaration which ignored the objection earlier this year by Ireland's Justice Minister.
2. Google Wi-Fi: Spain takes Google to court, Canada asks for improvements by February 2011
Spain’s Data Protection Commission (AEDP) has launched an infringement proceeding against Google on its use of WI-FI networks location data. Traffic data associated with the payload data collected by vehicles used for Google Street View included personal information, such as e-mail addresses and passwords, and was collected without individuals’ consent. The AEPD also says that international transfers have taken place to the US without taking the steps to ensure the adequate protection of personal data.
The AEPD has submitted its final inspection report to the courts. The administrative proceedings are on hold pending the outcome of criminal proceedings. The AEPD has announced that Google Spain and Google Inc have committed five different breaches of the Data Protection Act, the fines for which vary from €60,000 to €600,000.
In Canada, the Privacy Commissioner, Jennifer Stoddart, has given Google until 1 February 2011 to implement her recommendations. Google must ensure that it has a governance model in place to comply with privacy laws, and improve staff training. Importantly, she says that Google needs to delete the Canadian payload data it has collected.
3. EDPS comments on EU law enforcement DP review
On 20th July, the European Commission announced an overview of EU instruments regulating the collection, storage or cross-border exchange of personal data for law enforcement or migration management purposes. Examples of such agreements are the Schengen Information System, EURODAC and the Prüm Decision on DNA data exchange. On 30 September, the European Data Protection Supervisor (EDPS), Peter Hustinx, published his reply. He welcomed the overview as a first step in evaluating such agreements, but suggested several other concrete measures in order to produce a “well-structured, integrated and comprehensive EU policy on information exchange and management”.
Hustinx believes that the Communication provides a good opportunity to better analyse what is meant by a "privacy and data protection assessment", and recommends that specific indicators and features be developed to that end.
The document, "Overview of information management in the area of freedom, security and justice" (COM(2010) 385 final) is available on the EDPS website.
4. Uruguay adequate, says EU Art. 29 DP Working Party
On 12 October, the EU Data Protection Working Party issued its opinion on the adequacy of Uruguay’s data protection law. The Working Party has found there to be an adequate level of protection within the meaning of the EU Data Protection Directive.
The assessment refers to Law No.18,331, of 13 August 2008, on the Protection of Personal Data, “Habeas Data” activity, and the Regulating Decree of 31 August 2009.
The Working Party says that it will closely follow the evolution of data protection in Uruguay and the way in which the Data Protection Authority applies the principles of data protection.
The Opinion is, WP 177, on the level of protection of personal data in the Eastern Republic of Uruguay.
Uruguay is officially the Oriental Republic of Uruguay, sometimes referred to as the Eastern Republic of Uruguay.
For further details on the Privacy Laws & Business International Newsletter, please click here.
Copyright Privacy Laws & Business 2010