PL&B International E-news, Issue 68

1. EU Data Protection Supervisor supports data breach notification and legal action against spammers

On 14 April 2008, the European Data Protection Supervisor (EDPS) published an Opinion on the review of the Directive on Privacy and Electronic Communications, usually referred to as the ePrivacy Directive. His overall evaluation was positive, but he said that further improvements should be considered.

The European Commission has proposed amendments that would, among other things, create a mandatory security breach notification system and allow legal persons, such as consumer associations and Internet service providers, to take legal action against spammers. The amendments would also clarify the inclusion of several RFID applications.

On the whole, the EDPS, Peter Hustinx, supported the Commission's drive to enhance the protection of individuals' privacy and personal data in the electronic communications sector. He particularly welcomed the amendments for data breach notification and legal action against spammers by legal persons. However, he felt that the opportunity of this review should be used to its full potential to ensure that the proposed changes effectively provide proper protection of personal data and privacy.

Peter Hustinx said: "I welcome the approach followed by the proposal, which is in line with views expressed in previous opinions. However, the proposed amendments to the Directive are not as ambitious as they should be. In dealing with new issues, such as the setting up of a mandatory security breach notification system, the proposal remains too restrictive in its scope."

There will be a fuller report in the June edition of Privacy Laws & Business International Newsletter.

2. EU Article 29 Working Party sets short retention limit for search engines

Contrast with longer limits for service providers.

The EU Article 29 Data Protection Working Party decided on 4 April that Internet search-engine providers must reduce the time they retain users’ online records to a maximum of six months. They unanimously adopted proposals that would force search engines to reduce storage time unless there is “a valid justification”. Alex Türk, the new chairman, said search engines must delete personal information “the moment they don’t need it”. Google and Microsoft have reduced their storage periods to 18 months, and Yahoo to 13 months. The six-month time limit for search engine data retention contrasts with the time limits on data retention for electronic communications providers under the Data Retention Directive of a minimum of six months and a maximum of two years.

There was a fuller report in the April edition of the Privacy Laws & Business International Newsletter.

3. Online Rating of Employers – a Beginning?

New Canadian employer rating site thrives.

In Canada, “” provides a site for employees and former employees to post comments about their employers, with the slogan “Who said background checks and Pre-Employment Screenings should be reserved for employers only?” The comments are anonymous. In FAQs for employers, for the question “How can I remove my organisation from the site?” the answer is a blunt “You can’t.” Employers can, however, ask for the withdrawal of a comment if the content is in breach of the conditions of use, such as allegations that are unfounded or libellous. There is also an opportunity for employers to post replies to comments with which they disagree.

There was a fuller report in the April edition of the Privacy Laws & Business International Newsletter.

4. French court bans teacher rating website

Contrast with rating websites in other countries.

On 3 March the Paris Tribunal de Grande Instance (TGI) ordered “”, a website where students evaluate their teachers, to suspend the processing of personal data about teachers (case 08/51650). The website had posted anonymous comments on 50,000 teachers in four weeks. The Tribunal ruled that the website collected and processed personal data on French teachers, such as names, schools and subjects taught, without obtaining their consent. The court said that the students’ freedom of expression could be limited to protect the legitimate rights and interests of the teachers. The website was allowed to continue to rate schools. Although the action was brought by three teachers’ unions, France’s privacy commission (CNIL) had conducted an investigation in February after receiving more than 160 complaints. In March, the CNIL said that France’s Data Protection Act requires data controllers to obtain the data subjects’ prior consent in order to process their personal data.

There was a fuller report in the April edition of the Privacy Laws & Business International Newsletter.


Copyright Privacy Laws & Business 2008