PL&B International E-news, Issue 73

1. DP Commissioners call for global rules

The sixty national data protection and privacy commissioners concluded their 30th annual conference in Strasbourg on 17 October with a resolution “stressing the need for binding data protection rules in a globalised world. …. Data protection cannot rely on self regulation alone.” They recalled the Montreux Declaration adopted at their conference in 2005 urging global data protection standards. In reply to a question from PL&B, the Council of Europe representative said that an independent commission to enforce Data Protection Convention 108 was being considered, in view of the goal of expansion of countries beyond Europe signing the treaty.

The commissioners expressed concern about the protection of minors and considered social networks, saying that it is now common practice for job recruiters to search social networks when considering job applications. The conference announced an international data protection award for the 31st International Data Protection Conference, to be held in Madrid next year.

2. US SEC fines broker-dealer

On 23 September the US Security and Exchange Commission fined a broker-dealer, LPL Financial Corporation, $275,000 for failing to safeguard customer information The SEC and LPL reached settlement on a cease-and-desist proceeding brought against LPL under the Securities Exchange Act and the Investment Advisors Act of. LPL is a registered broker-dealer subject to the “Safeguard Rule”, which requires broker-dealers to have written policies and procedures to safeguard customer information.

The agreement between the SEC and LPL includes: training employees on security issues, hiring an independent consultant and, requiring LPL to adopt the independent consultant’s recommendations.

3. Deutsche Telekom leaks customer data

In the second week in October, Der Spiegel published a story that the personal data of 30 million T-Mobile clients could be browsed via the Internet from any part of the world by anyone who knew how to address the database, had the name of any T-Mobile client, and knew a simple password that was well known to the staff of all T-Mobile shops in Germany. Confidential data could be seen and it was possible to make changes to clients’ bank information. Debit transactions could be launched and data could be erased. Der Spiegel informed Deutsche Telekom before the story was published.

4. Germany's new national data protection amendments

Germany’s federal government published a bill in October which will introduce stricter data protection rules, including: (a) more requirements regarding the consent of individuals to use their personal data, (b) increasing the independence of company data protection managers, and (c) a commitment to a federal privacy audit law.

5. Uruguay gets new DP law

In August Uruguay adopted a new personal data protection law modeled on the European Union Data Protection Directive, consolidating a trend in the region. Argentina, Chile, and Colombia have all adopted similar legislation. Only Argentina has so far been accepted by the EU as providing “adequate” protection. Uruguay, Chile, Mexico and Colombia are applying to the European Commission for a determination that their laws are “adequate” by EU standards.

Uruguay’s law establishes a Regulatory and Personal Data Control Unit. It covers both public and private sector, and both individuals and corporate entities, whose records are kept in databases, managed by government, public, and private organisations. Institutions have one year to comply with the new guidelines.

6. EU data retention directive is legal, probably

An Advocate–General of the European Court of Justice advised the Court on 14 October that the Directive on Data Retention is within the powers of the EU, and rejected a challenge to its legality brought by Ireland and the Slovak Republic. Such opinions by an Advocate-General are usually, but not always, followed by the Court.

7. Spanish DP authority announces two prizes

The Spanish Data Protection Agency has invited applications for the Personal Data Protection Communication Award for 2008 and for the 12th Personal Data Protection Research Award. The awards have prizes of 6,000 and 3,000 euros. The Communication award is for individual journalistic works or projects between 2 November 2007 and 1 November 2008. The Research Award. is for research projects in two categories: unpublished works and published works. Entries can be in any of the official languages of Spain or of the Member States of the European Union, but must be accompanied by a maximum 1000-word summary in Spanish and English.

More detailed reports appear in the new issue of the PL&B International Newsletter published today.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2008