PL&B International E-news, Issue 39
- The European Court of Justice’s Advocate General calls for annulment of European Council and Commission decisions regarding airline passenger data
- Medical records must not be used as film props
- France’s CNIL publishes new regulations on whistle-blowing lines
- Canadian bank cleared of enabling US law enforcement or regulatory agencies to access Canadians’ records under the PATRIOT Act
1. The European Court of Justice’s Advocate General calls for annulment of European Council and Commission decisions regarding airline passenger data
The European Court of Justice (ECJ) should annul decisions by the European Council and Commission requiring airlines to give US authorities electronic access to passenger data, its advocate general said, on November 22. The opinion by Phillipe Leger is reportedly raising fears of chaos for air travellers and turmoil in the fight against terrorism. The case was brought by the European Parliament, which opposed May 2004 Commission actions finding that the US Bureau of Customs and Border Protection (CBP) provided a sufficient level of protection for personal data transferred from the EU (the “adequacy decision”), and approving an agreement between the EU and the US for the handover of passenger name records (PNR). Leger’s opinion does not bind the Court but serves as an independent proposal for a legal solution of the case. However, advocate general opinions are reportedly followed by the full court in 80% of cases.
2. Medical records must not be used as film props
On October 31, Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, issued her first Order under the Personal Health Information Protection Act 2004. It identified a major problem caused by a failure of the Paper Disposal Company to shred named medical records, resulting in them being used as props in a film made in Toronto about the September 11 attacks on New York. The investigation was initiated by the Commissioner herself on October 1, immediately after she heard about the incident. The resulting Order includes a requirement that parties involved in the incident enter into written contractual agreements for the secure disposal and destruction of patient records. It also covers the need to notify the individuals whose records were misused.
3. France’s CNIL publishes new regulations on whistle blowing lines
On November 10, France’s Data Protection Authority, the CNIL, adopted a policy document defining the conditions under which anonymous whistle blowing lines may conform with the informatique et libertés (data protection) law. It followed the CNIL’s decision of 26 May (PL&B International June/July 2005, p.5) in which it refused to grant authorisation to both McDonalds France and the French affiliate of US-based Exide Technologies which had decided to implement such systems to comply with the USA’s Sarbanes-Oxley Act. The new policy states that it does not oppose the principle of such lines but does want to ensure that they respect human rights guaranteed by France’s data protection law.
4. Canadian bank cleared of enabling US law enforcement or regulatory agencies to access Canadians’ records under the PATRIOT Act
On October 19, the Office of the Privacy Commissioner of Canada published its decision that complaints against the Canadian Imperial Bank of Commerce (the CIBC) were unfounded. The complaints suggested that the bank had not acted in accordance with Canada’s Personal Information Protection and Electronic Documents Act.
This problem, involving a potential conflict of laws, concerned the processing of Canadians’ VISA records in the USA under a contract. Complainants mainly objected to the possible scrutiny of their personal information by US authorities within the framework of foreign intelligence gathering.
Copyright Privacy Laws & Business 2005