PL&B International E-news, Issue 79

1. European Data Protection Supervisor adopts Opinion on ePrivacy Directive review, and security breach notification

On 9 January the European Data Protection Supervisor (EDPS) adopted a second Opinion on the review of the ePrivacy Directive.

This Second Opinion is in response to the Council of Ministers’ Common Position which, on a number of critical points, the Supervisor believes, fails to endorse some of the data protection safeguards proposed by the European Parliament and the European Commission or previously recommended by him. The Opinion particularly focuses on the provisions relating to the setting up of a mandatory security breach notification, which should “apply not only to their Internet access providers, but also to their on-line banks and on-line pharmacies."

The Opinion also recommends that:

  • the scope of the directive should be broadened.
  • the provision for processing traffic data is unnecessary
  • there should be a right of legal action against infringements of the Directive.

Privacy Laws & Business’s conference: Data Breach Laws in Europe: Data Protection Commissioners' Views and Recommendations from 20 countries will take place on the afternoon of 22nd April 2009 in Edinburgh, the day before the European Data Protection Commissioners’ Spring Conference. The presentations will report on the results of the Privacy Laws & Business survey of the attitudes of 20 European Data Protection Authorities towards introducing national data breach laws. For more information, visit:

2. US Heartland Payment Systems admits illegal access to its customers’ credit card information

A New Jersey credit-card processor disclosed, on 20 January, a data breach that may well be the biggest ever reported. Heartland Payment Systems Inc, of Princeton, N.J., which processes transactions for more than 250,000 US businesses, reported that its computer network had been compromised giving access to customer information. The company executes 100 million card transactions every month. The data compromised included information on a card's magnetic strip (card number, expiration date and internal bank codes) that could be used to duplicate a card.

3. Sony BMG Fined $1 million for Violating US COPPA

The US Federal Trade Commission announced on 11 December 2008 that Sony BMG Music Entertainment will pay $1 million to settle charges under the Children’s Online Privacy Protection Act. The Act bars unfair or deceptive practices related to the collection, use or disclosure of personally identifiable information from and about children under the age of 13 without prior parental consent. The complaint charged that Sony, through its music fan Web sites, improperly and knowingly collected, maintained and disclosed personal information from at least 30,000 children under 13. The music giant was also cited for breaching the Federal Trade Commission Act by falsely claiming in its privacy policy that users who said they are under 13 on Web site registration pages would be restricted from taking part in the pages’ activities. In fact, Sony accepted registrations from children whose dates of birth showed they were under13.

The consent order also requires deletion of all personal data collected and kept in violation of the rule. Sony must also distribute the order and FTC materials on how to comply with COPPA to company personnel, and link to certain FTC consumer education information for the next five years.

4. New Irish rules on unsolicited e-mails

On 22 December 2008 new rules were adopted in Ireland regarding unsolicited communications. They:

increase the summary penalty for unsolicited communications from €3,000 to €5,000,
create an indictable offence for unsolicited communications, with a corporate fine imposed of up to €250,000 or 10% of the turnover if it is greater, or for a natural person a fine of up to €50,000,
allow prosecution of a company officer, whether the company has been prosecuted or not, and place the burden on the defendant of proving consent by a subscriber.

5. Canadian do-not-call list backfires: Listed numbers get more, not fewer calls

The Canadian do-not-call registry, created in September 2008 for those who want to avoid telemarketers, apparently has led to an increase in telemarketing calls to those who signed up, because lists from the registry can be purchased online from the Canadian Radio-television and Telecommunications Commission (CRTC).

Bruce Cran, president of the Consumers Association of Canada, said his organization has been inundated with complaints from people who say they were called after placing their numbers on the registry. The purpose of the list was to provide telemarketers with telephone numbers of people they could not call, not to provide the names and numbers of intended victims. More than 6.1 million Canadians have registered on the list. Penalties of up to $15,000 per illegal call to a number on the list can be levied against guilty parties, but most callers operate from outside Canada. The CRTC said on 24 January that it would “aggressively pursue anyone abusing the use of the do-not-call list.”

6. Canada: Alberta Commissioner Orders Release of Red Light Ticketing Camera Manuals stating copyright material not confidential

On 12 January the Alberta provincial Information and Privacy Commissioner, Frank Work, ordered the release of manuals for a red light automatic ticketing system to a resident who wanted the manuals to fight red light camera tickets. The adjudicator ruled that the company had not produced enough evidence of any confidentiality requirement, and rejected a trade secret argument because the cameras were developed in 1996 and the manual was from 2002. The adjudicator also rejected an argument that placing a copyright notice on the manuals barred public access to them, citing a UK ruling in a similar case.

7. Canada: Ontario Commissioner approves anti-fraud collection of consumer data

On 15 January the Ontario Provincial Privacy Commissioner, Dr. Ann Cavoukian, ruled that the practice of the Liquor Control Board of Ontario of recording personal data of customers returning merchandise is acceptable in order to deal with the problem of fraudulent returns.

8. Massachusetts adopts strict identity protection rules

New Massachusetts regulations on consumers' personal data, which go into effect on 1 May, go beyond the rules of other states and the US federal government. The regulations require all companies, including banks that handle the personal data of a Massachusetts resident, to have a comprehensive information security programme. Companies must comply even if they do not have an office in the state, so long as customers in a business’s databases reside in Massachusetts.

Among other requirements, companies must evaluate and improve employee training and physical security, limit the collection and use of personal information, and identify the purposes for which they collect information, how long they intend to keep it and who will have access to it. Companies also must encrypt data when it is being transmitted over networks or physically moved, as when an employee takes a laptop home.

9. Finnish tax information by text message on subscription not necessarily a violation of privacy says European Court of Justice

The European Court of Justice ruled on 16 December 2008 that a mobile telephone company in Finland did not necessarily violate the privacy of taxpayers by making available their income and tax data by text messages. The case was returned to the Finnish court to determine whether the activity qualified as “journalistic “.

Such information, on approximately 1.2 million people, has long been available to the public in printed form. It includes the surname and given name of those whose income exceeds certain thresholds, together with the wealth tax paid. A company which transferred the data to CD-ROM discs had an agreement with a mobile telephone company to make such information available to subscribers for a charge of approximately two Euros. On request, personal data would be removed from the service.

10. European Court of First Instance orders the European Commission to disclose the minutes of a working group regardless of promise of confidentiality

On 18 December 2008 the Court of First Instance of the European Union ordered the Commission to disclose the minutes of a Working Group on tariff classification. The Court rejected the Commission’s claims that the documents should be exempt because they were internal documents relating to decisions that had not yet been taken, and that their disclosure would be harmful to the decision-making process, even if confidentiality had been promised to participants.

11. Obama appoints leading privacy attorney as head of US Department of Justice’s Antitrust Division

Christine Varney, a leading privacy attorney and founder of the Online Privacy
Alliance, will be appointed by President Obama as head of the Antitrust Division of the Department of Justice. She previously was a Commissioner at the Federal Trade
Commission, where she promoted agency and congressional hearings on privacy, proposed industry privacy standards and increased government enforcement of privacy laws. She then was at law firm, Hogan & Hartson in Washington DC for ten years, where she was head of the Internet practice group. She was personnel counsel on President Obama's transition team, reports Bloomberg.

Click here for further information about subscribing to the international newsletter.

Copyright Privacy Laws & Business 2009