PL&B International E-news, Issue 74

1. US President-elect Obama states his policies on privacy and transparency

In a position paper on technology published during the US presidential election campaign, President-elect Barack Obama said that he would restrict how databases containing personal information are used. He would increase the Federal Trade Commission enforcement budget to fight spam, spyware, phishing and other cybercrime. He would also focus on ensuring that electronic health records are secure.

To safeguard the right to privacy, the paper says that “The open information platforms of the 21st century can also tempt institutions to violate the privacy of citizens. As president, Barack Obama will strengthen privacy protections for the digital age and will harness the power of technology to hold government and business accountable for violations of personal privacy.”

To “create a transparent and connected democracy,” he would “Open up government to its citizens” and “use cutting-edge technologies… creating a new level of transparency, accountability and participation for America's citizens. “ He will “appoint the nation's first Chief Technology Officer (CTO) to ensure that government and all its agencies have the right infrastructure, policies and services for the 21st century. The CTO will ensure the safety of our networks and will lead an interagency effort, working with chief technology and chief information officers of each of the federal agencies, to ensure that they use best-in-class technologies and share best practices.”

2. Large Australian fine for ignoring the Do Not Call Register

In Australia, on 22 October, Dodo, a telecommunications provider, paid a penalty of Australian $147,400 for calling numbers on the Do Not Call Register. The Australian Communications and Media Authority (ACMA) charged that an offshore call centre had been hired by Dodo to make the telemarketing calls and issued an infringement notice after consumer complaints. This is the largest penalty since the Do Not Call Register Act 2006 went into effect in May 2007.

3. Israeli database bill introduced

A bill to create a national biometric database was introduced in the Knesset (the Israeli parliament) in the last week in October. It would require fingerprints and digital photos on Israeli identification cards and passports, which would be included in a national database.

4. European Commission appoints a group to advise on its review of the EU Data Protection Directive

The European Commission announced on 11th November the appointment of a Data Protection Expert Group to advise it on:

1. “.. identifying the challenges for the protection of personal data in the EU bearing in mind the development of new technologies, the globalization and matters of public security taking into account the new institutional framework as foreseen in the Lisbon Treaty and
2. .. putting forward proposals to successfully address the new challenges.”

The members are:

Jacob Kohnstamm, Chairman of the Netherlands Data Protection Authority; Peter Fleischer, Global Privacy Counsel, Google, Paris; Christopher Kuner, Lawyer, Hunton & Williams, Brussels; Henriette Tielemans Lawyer, Covington & Burling, Brussels; and David Hoffman, Director of Security Policy, Intel, the USA.

5. Google, Yahoo and Microsoft launch global Privacy Plan

On 28 October Google, Yahoo and Microsoft announced a plan they describe as a "first step" towards global standards for privacy rights and free speech online The “Global Network Initiative” is based on principles that the companies have been considering with human rights organisations and academics during the past 18 months.

One purpose of the Initiative is to deflect efforts by legislatures to impose standards on companies. It has three “building blocks”: a set of principles that its signatories endorse, practices that the companies pledge to implement internally that will describe how they handle requests for information from governments, and an auditing mechanism that will give independent auditors, including those from human rights groups, a chance to monitor companies to see if they are complying with the principles.

However, Marc Rotenberg, director of the Electronic Privacy Information Center, said that self-regulatory proposals allow companies to "interpret them as they wish or back out of them when they choose."

At a Council of Europe conference on online privacy, Rotenberg outlined three criteria he says should be demanded from the companies' privacy policies: that they be based on the rule of law, reflect the decisions of democratic institutions and show a regard for human rights. "It's really not clear to me that this proposal meets those objectives," he says.

6. US FTC postpones ID theft rules

From 1 May 2009, certain US financial institutions must have a board-approved, written Identity Theft Prevention Program for their “covered accounts”, designed to identify, detect, prevent and mitigate against patterns, practices and activities that indicate the possible existence of identity theft. On 22 October the Federal Trade Commission (FTC) took an unusual step in delaying the enforcement of the Identity Theft Red Flags Rule, (16 CFR 681.2) for six months.

7. US federal appeals court rules for employee’s text privacy

The US federal Ninth Circuit Court of Appeals has ruled that it was a violation of an employee’s right to privacy when the employer obtained transcripts of an employee’s text messages from a service provider. The employer had a formal policy that employees would have no right to privacy regarding use of the employer’s information technology. But a supervisor had informally announced and applied a policy that an employee’s privacy regarding text messages would be respected so long as the employee paid for any use over a set limit.

The scope of this judgement applies to text messaging, e-mails and any other use of the Internet. This decision is binding in the 9th circuit, covering the USA’s western region and is persuasive in the other regions.

8. New privacy laws database service

On 12 November Summit Privacy Resources announced the launch of a new database available at It provides information on privacy requirements around the world; helping subscribers spot possible compliance issues and simplify the development of global privacy approaches.

The database can be searched in a number of ways including by:

• obligation - for example, notice, consent, access, data security, cross border limitations, whistle-blowing, and breach notification;
• country or region;
• individual laws;
• data type - for example, customer, human resources, financial and health data; and
• industry sector - for example, financial services, healthcare, and telecommunications).

Summit Privacy Resources was designed by a team of attorneys in the Privacy and Data Security Practice Group at Morrison & Foerster LLP.

More information from Will Brewster, Flagship Consulting Limited, The Media Centre, 19 Bolsover Street, London W1W 5NA, Switchboard: 020 7886 8440 Fax: 020 7886 8460.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2008