
Page 1

Criminal trial against Google execs to resume

Set to resume March 17: The criminal trial in Milan court against four Google executives accused of defamation and privacy law violations. If convicted, they face up to three years in jail. Prosecutors say the suit will help define the responsibilities of online content aggregators. But could it create a dangerous precedent that puts privacy professionals in the firing line over every potential corporate breach of personal data privacy?

By Mathew Schwartz

The criminal trial against four Google executives accused of defamation and privacy law violations resumed February 18 in Milan court, where Judge Oscar Magi determined that the case, and three secondary claims, should be heard.

Among those charged is Google’s head of global privacy, Peter Fleischer. Experts say this appears to be the first time criminal sanctions have been pursued against a privacy professional for his company’s actions.

The trial stems from a mobile phone video of four Turin high school boys bullying a teenage boy with Down syndrome. On September 8, 2006, one of the assailants uploaded the video to Google Italia YouTube. News reports of the video sparked outrage in Italy, and a court for minors in Piedmont sentenced the four boys to community service.

At issue is Google’s role in the video’s dissemination. The Italian Interior Ministry, which investigates Internet-related crimes, issued a takedown notice to Google on November 6, 2006. Less than 24 hours later, Google removed the video.

Case closed? Not so: Milan prosecutors have been investigating the incident since 2006. And in November 2008, lead prosecutor Francesco Cajani pursued the four Google executives—Fleischer, chief legal officer David

See, Google executives, page 3

SWIFT receives clean bill of health
After two-year investigation, Belgian commission finds no violation of data protection law

By Tanguy Van Overstraeten and Richard Cumbley

The Belgian Privacy Commission finally completed its investigation into SWIFT’s disclosure of information to the U.S. Department of the Treasury in December. Its detailed and comprehensive decision concluded that SWIFT complies with all the provisions of Belgian data protection law and that no further action is required. The investigation and decision also acknowledge the difficult position private organisations are placed in when presented with conflicting legal demands from different states.

A brief history of the SWIFT affair

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, is a Belgium-based co-operative company.

See, SWIFT page 5

This Month

Notes from the Executive Director ... Page 2
Global Privacy Dispatches ... Page 8
Surveilled ... Page 12
Privacy in Print ... Page 14
Privacy and electronic health records ... Page 15
Certification Graduates ... Page 16
KnowledgeNet Canada ... Page 17
International Data Protection Conference ... Page 18
Calendar of Events ... Page 19
In the Privacy Tracker ... Page 19
Did You Know? ... Page 20
Privacy News ... Page 20
The Lighter Side of Privacy ... Page 20
New IAPP Board Members ... Page 23
Privacy Classifieds ... Page 23
Member to Member Ads ... Page 24

Page 2

Notes From the Executive Director

Privacy stakes, value on the rise

Few headlines have raised the consciousness of those of us working in and around the privacy profession as one published last month: Privacy Professional Facing Criminal Charges. The news that four Google executives, including the company’s head of global privacy, had been criminally charged for certain content posted to Google’s Italian YouTube site turned heads worldwide.

Just when we thought the job of privacy officer couldn’t get any more complicated, we were forced to turn our focus to this new specter—the potential of doing time for your company’s everyday activities.

It is not likely that those charged in the Google case will go to jail. A Google lawyer and even a prosecutor close to the case have acknowledged that the charges were brought forward primarily to hone the discussion on who bears the responsibility for Internet content. However, the case has yet to play out.

The matter raises many questions for privacy professionals, especially those who work, or may someday work, for a multinational. Is this a flash in the pan? Or is it the new liability of being a CPO? If the latter, the stakes have been raised for certain.

We will work out some of the questions this case raises in future issues, as we’ll be keeping a close eye on the Court of Milan proceedings in the coming months.

Now for a less complicated subject. In a recent post on techdirt.com, a blogger suggested a Creative Commons for privacy policies—a place where companies could mix, match and meld the best attributes into their own policies.

What of this idea? Could a Creative Commons, a Privacy Park if you will, help everyone create policies that are more accessible to consumers, the majority of whom admit that most privacy policies are confusing?

Let us know what you think at [email protected].

Lastly, in a recent issue of our Inside 1to1: Privacy newsletter we ran a story about privacy in the midst of a recession. (See www.privacyassociation.org/1to1) As author Larry Dobrow found out, privacy and security have so far spared the axe that has fallen on so many other areas of companies worldwide.

We are seeing evidence of this in the numbers of those attending our Privacy Summit in Washington, DC this month. At the time this newsletter went to press, it was shaping up to be our most-attended event ever. It would seem that not only is privacy sparing the axe, increasingly its value is being recognized by stakeholders.

Sincerely,

J. Trevor Hughes, CIPP
Executive Director, IAPP

March • 2009

2 www.privacyassociation.org

THE PRIVACY ADVISOR

Editor
Kirk J. Nahra, CIPP, Wiley Rein LLP
[email protected]
+202.719.7335

Publications Director
Tracey [email protected]
+207.351.1500

The Privacy Advisor (ISSN: 1532-1509) is published monthly by the International Association of Privacy Professionals and distributed only to IAPP members.

ADVISORY BOARD

Nathan Brooks, CIPP, General Counsel, U.S. ISS Agency, LLC

Keith P. Enright, CIPP, CIPP/G, VP, Privacy & Chief Privacy Officer, Macy’s Inc.

Debra Farber, CIPP, CIPP/G, Managing Consultant, IBM Corporation

Jill Frisby, CIPP, Manager, Crowe Horwath, LLP

Brian Hengesbaugh, CIPP, Partner, Privacy/Information Technology/E-Commerce, Baker & McKenzie LLP

Steven B. Heymann, CIPP, VP, Compliance and Information Practices, Experian

Jim Keese, CIPP, Global Privacy Officer, VP Records & Information Mgmt., The Western Union Company

Robert Mahini, Attorney, Federal Trade Commission

Flemming Moos, Lawyer, DLA Piper UK LLP

David Morgan, Director, Privacy Research, Camouflage Software, Inc.

Lydia E. Payne-Johnson, CIPP, Financial Services Privacy Consultant, PricewaterhouseCoopers, LLP

Dan Ruch, Privacy and Data Protection Specialist

Luis Salazar, CIPP, Shareholder, Greenberg Traurig

Julie Sinor, CIPP, Information Management Consultant, PricewaterhouseCoopers, LLP

Kathleen Street, CIPP, Asst. Vice President, Corporate Compliance and Privacy, Children’s Health System

Frances Wiet, CIPP, Chief Privacy Officer, Hewitt Associates LLC

To Join the IAPP, call: +800.266.6501

Advertising and Sales, call: +800.266.6501

Postmaster
Send address changes to:
IAPP
170 Cider Hill Road
York, Maine 03909

Subscription Price
The Privacy Advisor is a benefit of membership to the IAPP. Nonmember subscriptions are available at $199 per year.

Requests to Reprint
Tracey [email protected]

Copyright 2008 by the International Association of Privacy Professionals. All rights reserved. Facsimile reproduction, including photocopy or xerographic reproduction, is strictly prohibited under copyright laws.

Page 3

THE PRIVACY ADVISOR

Google Executives
continued from page 1

Drummond, former chief financial officer George De Los Reyes, and the former head of Google Video for Europe, Arvind Desikan—on two fronts: 1) failing to prevent the video from being uploaded in the first place, then allowing it to remain online, during which time it was viewed more than 12,000 times; and, 2) insufficiently disclosing how Google Italia uses personal information. The charges carry a maximum penalty of three years’ incarceration.

“What is at issue is whether or not privacy laws that apply to newspapers or to the radio also apply on the Web, or whether it is a sort of free port where anything goes,” Milan prosecutor Alfredo Robledo told the International Herald Tribune.

In particular, “the indictment concerns the violation of two laws: the legislative decree no. 70/2003 on e-commerce and other online activities (see articles 14 to 21), and the legislative decree no. 196/2003 on privacy and personal data processing and protection (article 13),” says Rocco Panetta, head of the law practice Studio Legale Panetta in Rome, and a former top-level officer at the Italian Data Protection Authority.

Italy: Tough Privacy Laws

While Italy had no data protection laws prior to 2003, since the EU directive, the country has enacted some of Europe’s strongest privacy protections. These include administrative sanctions—fines—as well as civil and criminal penalties, meaning that company directors with legal powers can be held personally accountable when their company breaks e-commerce and data privacy rules. Furthermore, involved third parties have the right to claim damages. In this case, which involved a minor, that has included both the Municipality of Milan and Vivi Down, an association dedicated to the protection of people with Down syndrome.

During the February 18 proceedings, however, the bullying victim withdrew from the case against Google, citing satisfaction with the company’s response. “The decision to withdraw from the case has been taken because Google officials have not only expressed their solidarity over what happened, but have also taken concrete actions that show their sensitivity to the problems of handicapped people and the grave problem of bullying,” said the family’s lawyer, Michela Malerba, in a statement.

Google: content creator, or service provider?

As the case moves forward, many are asking this question: Are Milan prosecutors applying the current laws correctly to Google? Under the 2003 Italian e-commerce law, Internet content providers (ICPs), such as newspapers and radio stations, are legally responsible for all content they publish, and thus must prevent defamatory or protected private material from appearing in the first place. By contrast, Internet service providers (ISPs) only have to remove content after receiving a takedown notice.

Legal experts have noted that Google is clearly an ISP. “Google is not the content provider here. It shouldn’t be prosecuted as one,” wrote Daniel J. Solove, a professor of law at George Washington University Law School, on his Concurring Opinions blog. “If Google officials can be criminally prosecuted any time a person uploads a defamatory or privacy invasive video to YouTube, it’s hard to see how they can possibly avoid running afoul of the law. YouTube and much of Web 2.0 would pose massive risks of criminal liability.”

A Google spokesperson reacted similarly: “We cannot agree with the concept that a tool can be blamed for the use that is made of it. We think that the decision on the part of the Court of Milan to commit the Google staff members to trial is difficult to understand and may well create a worrying precedent.”

But while Google does “substantively” appear to be an ISP, there’s more to the case than may be apparent at first glance, says Panetta. “According to the Milan prosecutors, Google did not act

See, Google executives, page 24

3 International Association of Privacy Professionals

170 Cider Hill Road, York, ME 03909
Phone: +800.266.6501 or +207.351.1500
Fax: +207.351.1501
Email: [email protected]

The Privacy Advisor is the official monthly newsletter of the International Association of Privacy Professionals. All active association members automatically receive a subscription to The Privacy Advisor as a membership benefit. For details about joining IAPP, please use the above contact information.

BOARD OF DIRECTORS

President: Jonathan D. Avila, CIPP, Vice President – Counsel, Chief Privacy Officer, The Walt Disney Company, Burbank, CA

Vice President: Nuala O’Connor Kelly, CIPP/G, Chief Privacy Leader, General Electric Company, Washington, DC

Treasurer: David Hoffman, CIPP, Director of Security Policy and Global Privacy Officer, Intel Corp., Germany

Secretary: Amy Yates, CIPP, Director, Privacy and Data Protection, Deloitte & Touche LLP, Chicago, IL

Past President: Sandra R. Hughes, CIPP, Global Ethics, Compliance and Privacy Executive, The Procter & Gamble Company, Cincinnati, OH

Executive Director, IAPP: J. Trevor Hughes, CIPP, York, ME

Bojana Bellamy, Director of Data Privacy, Accenture, London

Agnes Bundy Scanlan, Esq., CIPP, Counsel, Goodwin Procter LLP, Boston, MA

Malcolm Crompton, Managing Director, Information Integrity Solutions Pty Ltd., Chippendale, Australia

Stan Crosley, Esq., CIPP, Chief Privacy Officer, Eli Lilly and Co., Indianapolis, IN

Dean Forbes, CIPP, Senior Director Global Privacy, Schering-Plough Corp., Kenilworth, NJ

D. Reed Freeman, Jr., CIPP, Partner, Kelley Drye & Warren, LLP, Washington, DC

Jeff Green, CIPP/C, VP, Global Compliance Governance & Chief Privacy Officer, RBC, Toronto, ON

Kirk M. Herath, CIPP/G, Associate Vice President, Chief Privacy Officer, Associate General Counsel, Nationwide Insurance Companies, Columbus, OH

Jane Horvath, Senior Privacy Counsel, Google

Alexander W. Joel, CIPP/G, Civil Liberties Protection Officer, Office of the Director of National Intelligence, Bethesda, MD

Harriet Pearson, CIPP, Vice President, Regulatory Policy and Chief Privacy Officer, IBM Corporation, Armonk, NY

Zoe Strickland, CIPP/G, Vice President, Chief Privacy Officer, Wal-Mart Stores, Inc.

Brian Tretick, CIPP, Executive Director, Ernst & Young, McLean, VA

Ex Officio Board Member: Kirk J. Nahra, CIPP, Partner, Wiley Rein LLP, Washington, DC


Page 5

SWIFT
continued from page 1

It provides a secure and encrypted financial messaging service to more than 8,300 banking organisations, securities institutions, and corporate customers, and handles millions of messages per day. SWIFT stores copies of these messages in two operation centres—one in Europe and the other in the U.S.—for resilience purposes. Some of the financial instructions are made on behalf of individuals and, therefore, contain personal data.

SWIFT moved into the spotlight in June 2006 when the New York Times revealed that SWIFT had been subject to a number of subpoenas requiring it to disclose messaging information to the U.S. Department of the Treasury. The European data protection authorities reacted rapidly and violently to this revelation. Opinions on the disclosure were issued in rapid succession by the Schleswig-Holstein and Belgian data protection authorities, and both the Article 29 Working Party and the European data protection supervisor strongly challenged the disclosure. The reasoning in these opinions varies but, in the main, they found that:

• SWIFT was data controller or joint data controller in respect of the information (though there were dissenting views on this point);

• transferring information to the U.S. operation centre and subsequently disclosing it to the U.S. authorities was in breach of data protection law; and,

• inadequate information was provided to the relevant data subjects and authorities.

SWIFT is located in Belgium so the Belgian Privacy Commission is responsible for any formal enforcement action. Accordingly, the Privacy Commission followed its initial opinion of September 2006 with a control procedure and a recommendation procedure. The recommendation procedure allowed for a more detailed investigation and for SWIFT to present its position and arguments. Both procedures are now complete. The Privacy Commission issued a final decision (the “Decision”) and closed the case against SWIFT.

Overview of the privacy commission’s decision

The Privacy Commission’s Decision runs nearly 80 pages and sets out a detailed and comprehensive analysis of SWIFT’s operations and their compatibility with Belgian data protection law. The key finding is that there was no serious or repeated violation of data protection laws by SWIFT.

The Decision makes it clear that SWIFT’s messaging service cannot be considered as a single, indivisible whole. Instead, it must be broken down into individual processing activities and, in relation to each different type of processing, it is necessary to decide whether SWIFT is data controller or data processor. Accordingly, the Decision concludes:

• the financial institutions act as data controller in relation to the creation of each message and its transfer across the SWIFT network;

• SWIFT acts as de facto delegate of its community of users in respect of the messaging service, including decrypting, validating and storing a copy of the message and re-encrypting it and forwarding it to the recipient bank. For this type of processing the community of users itself is considered as data controller;

• finally, SWIFT itself acts as data controller only to a limited extent in relation to data it is retrieving and anonymising for statistical and other analytical purposes.

This is important for the wider community as it shows that the radical position adopted previously about who is and is not a data controller has been substantially moderated. In light of this finding, SWIFT has filed two notifications of its processing on the Belgian data protection public register, one as de facto delegate of the community of users and the other as data controller to the limited extent set out above.

The Decision also recognises that SWIFT’s disclosures were made in response to the binding subpoenas from the U.S. Department of the Treasury. Moreover, SWIFT negotiated a detailed framework to regulate any such disclosures that provided a high level of protection to this information. In particular:

• the U.S. Department of Treasury’s requests have to be for precise types of information, such as types of messages. “Fishing expeditions” are not permitted;

• the messaging information may only be used for the fight against terrorism;

• the information must be confirmed from a separate source before being used; and,

• control mechanisms are set up to ensure compliance with these conditions.

See, SWIFT, page 6

Page 6


SWIFT
continued from page 5

SWIFT has also taken a number of steps to complement its legal obligations under data protection laws and to better protect personal data. These steps include establishing a new operating centre in Switzerland for inter-European messages. SWIFT has also appointed a full-time privacy officer and organises regular meetings of a data protection working group made up of SWIFT users and its representatives.

Finally, the Decision makes some interesting points about the U.S. Safe Harbor scheme, which SWIFT signed up to in July 2007. The scheme does not permit transfers for law enforcement purposes as this is outside of the scope of the Directive (see the ECJ’s judgment in the PNR cases C-317/04, C-318/04). Accordingly, it was necessary for SWIFT to justify the transfer on another basis, namely that the undertakings given by the U.S. Department of the Treasury, as confirmed in its correspondence with the European Commission, provide an adequate level of protection for the data.

Are we still caught between a rock and a hard place?

The SWIFT case vividly illustrated the problems many organisations face when dealing with conflicting legal obligations, particularly those arising out of compliance with U.S. law. Other notable examples include the whistleblowing obligations stemming from the Sarbanes-Oxley Act, e-discovery and disclosure requests from the U.S. Securities and Exchange Commission.

The Decision provides some acknowledgement that private companies are unable to resolve these conflicting obligations single-handedly. The correct approach would be to establish international control and governance structures to protect privacy rights in a world where data flows freely.

The Decision is available on the Privacy Commission’s Web site (www.privacycommission.be) in French and Dutch – with an English translation available at http://www.privacycommission.be/en/static/pdf/cbpl-documents/a10268302-v1-0-151208_translation_recommswift_fina.pdf.

Tanguy Van Overstraeten is Linklaters LLP’s global head of privacy, based in Brussels. Richard Cumbley is a partner in Linklaters LLP’s London office. The authors can be reached at [email protected] and [email protected].

Page 8

Global Privacy Dispatches

CANADA

By Terry McQuay, CIPP, CIPP/C

Reflections on five years as privacy commissioner

In a speech to attendees at the 2008 Privacy Invitational Strategic Forum in November, the Privacy Commissioner of Canada, Jennifer Stoddart, reflected on her last five years as privacy commissioner. Ms. Stoddart shared her thoughts on five issues that have become important themes during her tenure to date.

The changing nature of privacy issues

Traditionally, privacy arose in the context of interactions between one person and an organization. Today the most important privacy issues arise from systemic threats resulting from rapidly advancing information technologies, for example the Internet, surveillance technologies, social networking, and others. These technologies affect all individuals, and often in a complex and obscure manner.

The commissioner noted that she would like her office to put a greater focus on systemic issues through research, public education, commissioner-initiated complaints, and audits, but that under the current model, complaint-driven investigations consume a tremendous amount of resources.

In an effort to shift focus, the commissioner has asked the government to consider granting her office the flexibility to dismiss some complaints early as serving no public interest or warranting no further investigation.

Connection between privacy and security

There is a need for those in the privacy business to develop closer relationships with security experts. All evidence suggests that organizations are not doing a good job at preventing data breaches.

Technological advances mean that mountains of personal information can be held in a single database, on a laptop, or even a thumb drive. Many data breaches occur because of simple errors, such as an employee’s failure to follow company policies by, for example, leaving an unencrypted laptop in the car. The OPC’s investigation of TJX showed that even a corporate giant can fail to adhere to elementary rules of privacy protection.

The commissioner noted that mandatory breach notification will go some ways to improving the situation; a requirement to tell people when things go wrong will act as an added incentive for businesses to ensure that personal information is properly protected.

Workplace privacy

Over the past five years a better understanding has emerged regarding what is, and what is not, acceptable in the workplace.

The OPC has published a dozen PIPEDA findings about employee surveillance, addressing such issues as the recording of employee telephone calls and the use of new technologies such as biometrics and Global Positioning Systems.

In addition, a recent Federal Court decision goes some ways to clarifying the status under PIPEDA of e-mails exchanged in the workplace. The Court:

• agreed with the OPC that e-mail messages concerning a person constitute personal information under PIPEDA; and,

• concluded that, if e-mails are exchanged for purely personal purposes and are not used or disclosed in connection with the operation of a business, they do not come under the Act.

While some have been quick to characterize this as a significant carve-out of “personal e-mails” from PIPEDA, this finding must be understood in the context of the specific facts of the case, and assessments of whether supposedly “personal e-mails” fall under the Act will need to be undertaken on a case-by-case basis.

While the mere fact that an e-mail is automatically stored on an employer’s server because it was sent or received using a workplace computer does not make the e-mail accessible under PIPEDA, an attempt to distinguish between “personal” and “business” e-mails may impose an additional step when organizations respond to access requests.

International data flows

Ms. Stoddart noted that the rapid growth of trans-border data flows means that the only way Canadians’ privacy rights will be protected in the future is by working with other countries to ensure adequate levels of protection for personal information around the globe. The goal should be an equivalent level of basic protection around the world, one that reflects legal and cultural differences.

The Organisation for Economic Cooperation and Development (OECD) has been a key player in developing global solutions to privacy and security issues. The adoption of its Recommendation on Cross-border Privacy Co-operation last year is a positive step forward. Important work is also taking place within the Asia-Pacific Economic Cooperation in terms of implementing the APEC Privacy Framework.

Page 9

Five years of PIPEDA

PIPEDA has been in full force for almost five years and most would agree it strikes the right balance; organizations have recognized that PIPEDA's requirements are not going to bankrupt them and do not require drastic changes in business practices.

The level of compliance with PIPEDA has been generally quite good. The Commissioner noted that a poll commissioned by her office in 2007 found that 67 percent of businesses of all sizes had fully implemented policies on the collection, use, and disclosure of personal information.

Ms. Stoddart expressed that one change she would like to see, sooner rather than later, is mandatory breach notification.

PIPEDA mandates that a review take place every five years, and 2010 is not far away. The Commissioner has already begun thinking about this next PIPEDA review and whether more substantive changes would make PIPEDA more effective.

One of the issues to explore in the coming years is whether the privacy commissioner should have order-making powers. A paper has been commissioned by her office to determine the implications associated with moving to this model.

A second issue of concern is transparency. PIPEDA dictates a restrained approach to naming the organizations investigated by the OPC. Other than the occasions when the commissioner has gone to court, only a small number of organizations have been named by the OPC, and those were generally previously named in the media.

It is worth questioning whether such an opaque process serves the best interests of privacy regulation.

In summary, the commissioner noted that over the past five years her office has undergone a significant amount of change and the issues it deals with are constantly evolving. The commissioner asked that attendees continue bringing forward issues and ideas to the OPC.

Terry McQuay, CIPP, CIPP/C, is the founder of Nymity, which offers Web-based privacy support to help organizations control their privacy risks. Learn more at www.nymity.com.

FRANCE

By Pascale Gelly

Consumer group challenges Amazon.fr terms and conditions

Consumers have found their white knight for personal data protection in the consumer association UFC Que Choisir, which went on a crusade against the terms and conditions of Amazon.fr.

The Court of First Instance of Paris found that the Amazon.fr site included 18 "improper or unlawful" clauses in its terms and conditions, which were therefore held unenforceable.

Several of these provisions related to the processing of personal data. In particular, a provision by which Amazon.fr could share personal data with Amazon.com Inc. and its affiliates was determined to be unconscionable under the French Consumer Code. The Court determined that the provision created an imbalance between the rights and obligations of the contracting parties, as the sharing of personal data with undetermined affiliates is imposed upon the consumer without specification of the contemplated purpose and usefulness of the sharing.

The following clauses were also considered in violation of the French Consumer Code:

• a clause authorizing Amazon to send offers on behalf of other companies (solicitation based on opt-out is authorized only if made by the selling entity);

• a clause providing that Amazon may disclose personal data if disclosure is necessary to perform or enforce sales terms and conditions of any other agreement, or to protect the rights of Amazon or of third parties (the terms "any other agreement" and "third parties" were considered imprecise);

• a clause authorizing Amazon to send commercial offers in co-branding or partnership with a third party (contrary to what Amazon claimed, co-branding cannot benefit from the opt-out exception for e-mail marketing).

Thus, the Court required Amazon to pay UFC 30.000 in damages and ordered the removal of the illegal clauses from the Amazon.fr terms and conditions within one month.

Web sites' terms and conditions are currently under scrutiny at the government administration level. A decree which will publish a blacklist of clauses considered illegal and a grey list of clauses presumed abusive is expected soon.

Hope for a fast(er) data transfer authorization process

According to the French Data Protection Act, data controllers cannot transfer personal data to a country that is not a member of the European Community if that country does not provide a sufficient level of privacy protection.

However, the CNIL can authorize such a transfer where the processing guarantees a sufficient level of protection of individuals' privacy as well as their liberties and fundamental rights, particularly on account of contractual clauses or internal rules relating to the processing.

Under the current act, requests for transfer authorizations must be examined individually by the CNIL in plenary sessions (17 commissioners), and must be authorized by an express deliberation. The ever-increasing number of applications clogs the CNIL agenda (7,115 requests per year, 395 authorizations granted in 2007). One can wait months to obtain an authorization, even for basic and non-sensitive data transfers.

Hence, a French bill called "simplification and clarification of the law; simplification of procedures" proposes allowing the CNIL to grant its president the power to authorize data transfers. The basic conditions for allowing such transfers would remain unchanged.

This process, if approved, should relieve the congestion, as a decision of one will be faster to obtain than a decision of 17 who have many other functions to attend to in addition to being CNIL commissioners.

The bill has already been adopted by the French National Assembly. It is now before the Sénat (second house of the French Parliament) and should be discussed soon.

The RFID challenge to freedom of movement

When the CNIL gave its opinion in 2004 about the implementation of "Pass Navigo"—a public transportation pass for the Paris area based on RFID technology—it insisted on giving commuters the right to travel anonymously. Under the current system, validation data (dates, times, places, kind of public transport taken…) are associated with a subscriber number, making the data personal and stored as such for 48 hours.

After years of discussions with the Paris public transport company (RATP), RATP agreed to deliver a Pass Navigo called "Discovery" for which validation data are not associated with the subscriber number, therefore preserving anonymity.

In this context, the CNIL noted that many uncertainties remain regarding RATP's compliance with the privacy and personal data protection of Paris subway riders. Regretfully, one has to pay five Euros for such a pass.

Taking advantage of an RATP campaign to generalize the Navigo Pass, and following several complaints about difficulties obtaining an anonymous pass, the CNIL conducted onsite investigations at 20 subway stations. The CNIL found that the conditions under which the anonymous pass is delivered and subway riders are informed are "mediocre and even dissuasive," specifically citing a lack of staff awareness, missing commercial documentation, and practical difficulties in obtaining the pass at RATP counters.

After the CNIL report made headlines, Cabinet Gelly's Elisabeth Quillatre, a frequent Navigo Pass user, decided to experience for herself the process of obtaining a Discovery pass. She waited for an exaggerated amount of time at a major RATP counter, where the first observation made by the attendant was: "You know that it will cost you five Euros!" The information the attendant then provided was incomplete. Still, since February Elisabeth has ridden anonymously—for five Euros—on the Parisian public transport network.

Another CNIL finding regarding Discovery is a source of concern: beneficiaries of solidarity transport pricing cannot obtain an anonymous pass. Since there was no justification, even technical, for such a situation, the CNIL required the transportation company to immediately extend the Discovery pass benefits to beneficiaries of special pricing conditions.

Audience measurement tool for mobile advertising

Actors of the advertising sector place a lot of hope in the development of the multibillion dollar mobile advertising market. Les Echos, a French newspaper on economics, announced that the three main French mobile operators, Orange, SFR, and Bouygues Telecom, are partnering up to develop a common tool for audience measurement to assess the impact of advertising on the mobile Internet.

The tool will analyse Web site visits made using mobile devices through connection logs, which are based on mobile phone numbers and UserIDs.

It is anticipated that traffic data will be processed by a trusted third party who will render it anonymous.

No doubt the CNIL will have a sayabout this project.

To be followed…

CCTV under the CNIL?

Discussions around CCTV rules continue. The Legislative Committee of the Sénat (second house of the French parliament) recently proposed that the CNIL should be the sole authority competent for authorization and control of CCTV. This is a success for the CNIL, which may need additional resources if this proposal comes through.

Pascale Gelly is a partner at Cabinet Gelly. She can be reached at [email protected].

THE NETHERLANDS

By Richard van Staden ten Brink

Joint regulation on tell-a-friend Web site forms

The Dutch Telecommunications Authority (DTA) and the Dutch Data Protection Authority (DDPA) recently published a joint regulation that clears up the long-standing question as to whether so-called tell-a-friend forms are allowed under Dutch telecommunication and privacy laws. Tell-a-friend forms are Web site forms that site visitors may use for inviting friends via e-mail to visit the Web site. Social networking sites often make use of such forms to acquire new members.

In the joint regulation, the DTA and the DDPA dictate that tell-a-friend forms are only allowed if (i) the Web site visitor sends the e-mail invitation at his or her own initiative; (ii) the Web site operator does not offer rewards to its visitors for using the tell-a-friend form; (iii) it is clear to the recipient who has sent the e-mail invitation; (iv) the Web site visitor is able to review the full e-mail invitation before it is sent; and (v) the Web site operator does not store the e-mail address of the recipient.

The joint regulation applies to all Web sites that send e-mail invitations via tell-a-friend forms to Dutch e-mail accounts. It may therefore affect both Dutch Web sites and international Web sites that have Dutch visitors.

Richard van Staden ten Brink is advocaat at De Brauw Blackstone Westbroek. He may be reached at [email protected].

UK

By Stewart Room

UK Information Commissioner squeezes the PIP

On 28 January, European Data Protection Day, the Information Commissioner launched his new "Personal Information Promise" initiative, which is designed to help restore trust in UK data controllers following a horrid year of data security breaches. The idea behind the PIP is that senior managers within large organisations sign a document promising to go further than their strict legal obligations in the Data Protection Act. The Information Commissioner explains: "In response to recent reports on major data losses, the ICO is urging heads of organisations and government departments to sign up to the Personal Information Promise to demonstrate their organisation's senior-level commitment to data protection. The aims of the initiative are to improve compliance with the act and help restore public trust and confidence in those who are entrusted with their personal information." The take-up on launch day was impressive, resulting in an Early Day Motion of praise in the House of Commons. Initial signatories included Astra Zeneca, British Gas, BT, Experian, Royal Mail, Vodafone and the writer's firm, Field Fisher Waterhouse LLP.

Privacy notices consultation launched

The Information Commissioner has published a public consultation on a Privacy Notices Code of Practice. According to the commissioner, "the Code of Practice will help organisations to draft clear privacy notices and make sure that they collect information about people fairly and transparently. The Code contains good and bad examples that organisations will be able to use to help draw up their own privacy notices."

Stewart Room is a partner in the Privacy and Information Law Group at Field Fisher Waterhouse Solicitors. He may be reached at [email protected].


Privacy pros in dozens of cities worldwide stepped out on the evening of January 28 for the IAPP's Privacy after Hours events. Our not-at-all-secret cameras captured the conviviality.


Privacy after Hours took place in the following cities:

Addison, TX
Atlanta, GA
Charlotte, NC
Chicago, IL
Cleveland, OH
Dallas, TX
Denver, CO
Durham, NC
London, UK
Los Angeles, CA
Minneapolis, MN
New York, NY
Orange County, CA
Orlando, FL
Ottawa, ON
Philadelphia, PA
Portland, OR
Sacramento, CA
San Francisco, CA
Seattle, WA
St. Johns, NL
Scottsdale, AZ
Victoria, BC
Washington, DC

(For information on future events, please contact Lindsey Sylvester at [email protected].)


Privacy in print

Perusing recently released privacy publications

Virtual Shadows: Your Privacy in the Information Society

By Karen Lawrence Öqvist, British Computer Society

As the gap between virtual and reality becomes increasingly blurred by current and emerging technologies, the way we communicate and interact with one another is changing beyond recognition. What are the implications for our privacy, and what impact will this have on our safety and security?

Those are the questions Karen Lawrence Öqvist tackles in her recently published Virtual Shadows: Your Privacy in the Information Society. In 224 pages, Lawrence Öqvist merges the social sciences with the computer sciences, introducing readers to the concepts behind social networking and Web 2.0 and their impact on our privacy and everyday lives.

Among the most interesting aspects of the book, according to one reviewer, is Lawrence Öqvist's "perspective of a 'transparent society,' in which our behavior is open to all and no one has a monopoly on other people's secrets. Whether we like it or not, this seems to be the best hope for a socially-networked community that is progressively sleepwalking into a lifestyle characterized by nonstop, pervasive surveillance."

For more information, visit: www.bcs.org/server.php?show=nav.10340

"This book is a recommended read: a well-written, up-to-date and balanced overview of the key trends and issues associated with privacy in the new information society." — David Lacey, ComputerWeekly

Topics covered:

• Social networking
• Blogging
• Second Life
• Biometrics
• DNA databases
• Identity theft
• Data mining
• Surveillance
• Geo privacy
• Behavioral targeting

EXCERPT (ADAPTED FOR THE PRIVACY ADVISOR)

We have for years been sharing our personal and often sensitive data with government authorities, and normally we do not have much choice in this. Sensitive data is any data that links specifically to you, and has the potential to be used to influence or discriminate for or against you, or can be used to target you specifically as identified as a part of a special group (e.g. woman, Muslim, black, HIV positive, etc.). Today there exist thousands of databases set up by government authorities (health districts, police authorities, child protection agencies) busy collecting and storing this type of information on residents in every country around the world; all in the name of national safety, immigration, administrative efficiency, etc., but lacking the ability to manage this data effectively and securely.

The IAPP Welcomes our Newest Corporate Members

British Columbia Lottery Commission
DeVore & DeMarco LLP
Krozac Information Tech


Privacy and electronic health records

By Stephen Gantz

One of the primary obstacles to widespread adoption of electronic health records is agreeing on appropriate privacy protections for the personal information contained in medical records. Much of the current debate centers on what classes of data must be protected, how they should be protected, and under whose control. Special challenges exist where different stewards and users of health records (e.g., federal government agencies, health care providers, state public health agencies, private companies) are subject to different privacy and security rules and regulations. Organizations with relatively stringent privacy requirements are understandably reluctant to share data with others subject to less rigorous requirements. Generally speaking, government agencies are subject to more stringent privacy laws and constraints on the collection, use, and disclosure of personal health information than their counterparts in the private sector, although such significant variations exist in state-level regulations that some commercial entities may face very tight restrictions. The key point is that there is no well-defined baseline of privacy requirements for all health information exchange participants, and significant efforts will be required to arrive at a level of trust acceptable to health data owners in order for them to agree to disclose information to authorized requesting entities.

The fundamental challenge is how to establish a framework of trust among all the entities participating in health information exchange, so that the existing technical means of information sharing will actually be adopted and put into practice. This challenge was made even more pressing by the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act within the American Recovery and Reinvestment Act of 2009, signed on February 17. This legislation includes measures intended to strengthen federal privacy and security laws protecting individually identifiable health information from unauthorized disclosure and misuse. One implication is to expand the coverage of the requirements of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA) to hold all "business associates" of covered entities to the same requirements as the "covered entities" defined in the original HIPAA legislation (i.e., health plans, health care providers, and health care clearinghouses). There is additional language in the law to consider certain non-covered entities as business associates, and therefore to extend privacy and security requirements to health information exchange participants such as Regional Health Information Organizations (RHIOs) that provide data transmission to covered entities.

These steps go a long way toward leveling the privacy playing field in terms of information use and disclosure and in requiring explicit consent from individuals before using their health information for any purpose outside a clearly defined set of permitted uses. However, there are still significant potential players in health information exchange that remain non-covered entities, most notably including vendors of personal health records like Google Health and Microsoft HealthVault. These are data aggregation applications that depend on pulling personal health information from records maintained by insurance plans, health providers, labs, and other covered entities, so resolving the disparity in required privacy and security protections is necessary to establish sufficient trust to allow personal health record systems to function as intended. Personal health records are often promoted as the best mechanism for allowing individuals to control their own health information, including providing or revoking consent to disclose their information for specific purposes. To make this vision feasible, it is essential that personal health record systems are able to retrieve individually identifiable health information from a broad range of covered and non-covered entities. Since not all of these health information exchange participants are bound by the same rules, additional measures are needed.

As privacy practitioners are well aware, HIPAA is not the only legislative source of privacy protections for health information, so even if HIPAA coverage were broadened to apply to a wider range of health information exchange participants, there are other differences to be addressed, especially when comparing federal government agencies to commercial sector entities. U.S. federal agencies are subject to a variety of general and health-specific privacy and security regulations, most of which have no corresponding equivalent in the commercial sector. Many of these regulations have similarly worded privacy protections but differ in scope or applicability to certain types of data:

• The E-Government Act of 2002 (includes the Federal Information Security Management Act as Title III, and also requires privacy impact assessments be performed before creating new data collections containing personally identifiable information and posting privacy policies on agency Web sites)


• The Privacy Act of 1974 (established requirements for collection, use, and disclosure of personally identifiable information by U.S. federal agencies; applies only to U.S. citizens and permanent resident aliens)

• Title 38 of the United States Code (applies only to U.S. veterans; specific sections address privacy of veterans' claims and confidentiality of veterans' medical records)

• Title 42 of the United States Code (specific privacy protections enumerated for medical records related to particular types of treatment, such as mental health and substance abuse).

Another significant point of disagreement between government and non-government entities is data disclosure, both authorized and unauthorized. All federal agencies are required to report actual and potential breaches of personally identifiable information to the U.S. Computer Emergency Response Team (US-CERT) within one hour of discovery. While the majority of states have personal data breach disclosure laws on the books, the HITECH Act established a federal data breach disclosure requirement for health information unless it is encrypted or otherwise rendered unusable. This requirement applies to all covered entities and business associates, but the timeline for notification is as long as 60 days from when the breach occurs. When authorized data disclosures occur, federal agencies are further required to verify that sensitive data extracted for information systems are erased within 90 days unless its use is still required. This requirement minimizes the long-term storage of personally identifiable information by authorized requesters, and also means that for each new use of data stored in a government database, a new request must be submitted. Private-sector entities receiving this type of data from the government are not bound by these requirements, increasing the threat of secondary data disclosure and reducing the willingness of federal agencies to share this data at all.

Congratulations, Certified Professionals!

The IAPP is pleased to announce the latest graduates of our privacy certification programs. The following individuals successfully completed IAPP privacy certification examinations held in Winter 2008. Congratulations to our new certified professionals!

E. Regan Adams, CIPP
Daniel James Anderson, CIPP
Jennifer T. Barrett, CIPP
William Chandler Bowers, CIPP
Michael G. Carr, CIPP
Clarence Chase, CIPP/IT
Michelle W. Cohen, CIPP
Phyllis Maria French, CIPP
John Franklin Freund, CIPP/IT
Stephen David Gantz, CIPP/G
Carol Jean Glaser-Atkins, CIPP
De Anna Greene, CIPP/IT
Matthew Robin Grote, CIPP/G
Kelly Hamilton, CIPP
Paul Hasson, CIPP/G
James Joseph Herdt, CIPP
Karen Elizabeth Hickey, CIPP/G
Sandra Ho, CIPP/IT
Andrea Christina Hodges, CIPP/G
Andrea Lee Karner, CIPP/IT
Mizanu Kebede, CIPP
Eric M. Leckey, CIPP/G
Nicola A. Linton, CIPP/C
Philip Lu, CIPP/IT
Megan E. McCarthy, CIPP/G
Joseph Michael Molosky, CIPP
Libbie Rozofsky, CIPP
James Christopher Samans, CIPP/IT
Benjamin Alan Schryber, CIPP/G
Becky Shealy, CIPP
Sheila L. Sorrell, CIPP
Arlonda Marie Stevens, CIPP
Darrell Warren Switzer, CIPP
Melissa Tack, CIPP
Elizabeth Tribelli, CIPP
Kendall Christopher Walsh, CIPP
John Michael Willis, CIPP/IT
Thomas G. Wilson, CIPP

Periodically, the IAPP publishes the names of graduates from our various privacy credentialing programs. While we make every effort to ensure the currency and accuracy of such lists, we cannot guarantee that your name will appear in an issue the very same month (or month after) you officially became certified.

If you are a recent CIPP, CIPP/G, CIPP/C or CIPP/IT graduate but do not see your name listed above then you can expect to be listed in a future issue of the Advisor. Thank you for participating in IAPP privacy certification!

How then to establish the basis of mutual trust needed to enable health information exchange, and what requirements should be included? There are three general approaches to this problem: individually negotiated data sharing agreements between each pair of information exchange partners (sender and receiver); a single master trust agreement to which all participants become a party; or a combination of these two, with a master agreement setting the minimum level of trust and purpose-specific extensions or augmentations of the master agreement where needed. To reduce administrative complexity, a multi-party master trust agreement can be an attractive option—the Data Use and Reciprocal Sharing Agreement being negotiated for the Nationwide Health Information Network (NHIN) is one example of a master trust agreement. Unless and until some greater harmonization of privacy policies and requirements is reached—between public and private sector, HIPAA covered and non-covered, state and federal, and even health and non-health data—it is likely that specialized trust agreements will continue to be used between pairs of health information exchanging organizations.

Complicating this issue is the fact that the primary means of enforcement for privacy requirements is manual auditing for compliance in accordance with legal constructs or contractual agreements. The lack of automated technical means of enforcing or monitoring compliance with privacy rules means that enforcement of any new health IT privacy standards must rely on non-technical means. Driven in part by past experience with HIPAA enforcement, the HITECH Act both increases the tiered civil and criminal penalties for violations of the privacy rules, and now requires the imposition of penalties and a formal investigation in cases of willful neglect, and also confers on state attorneys general the right to bring civil action on behalf of residents adversely affected by violations of the law.

Get Connected With KnowledgeNet Canada

IAPP Canada invites you to experience KnowledgeNets, our preeminent networking series. Meet Kris Klein, CIPP/C, the new managing director of IAPP Canada, and network with colleagues in your area. These free events offer a fantastic opportunity to make acquaintances and hear from privacy experts on timely topics.

Join us for the KnowledgeNet nearest you.

Visit www.privacyassociation.org/knowledgenet to RSVP or for more information.

Calgary: Monday, 23 March. Featuring: Frank Work, Information and Privacy Commissioner of Alberta

Vancouver: Tuesday, 24 March. Featuring: Mary Carlson, Executive Director, Office of the Information and Privacy Commissioner of British Columbia

Toronto: Wednesday, 25 March. Featuring: Ken Anderson, Deputy Information and Privacy Commissioner of Ontario, and Lisa Campbell, Acting General Counsel, Office of the Privacy Commissioner of Canada

Montreal: Thursday, 26 March. Featuring: Chantal Bernier, Assistant Privacy Commissioner of Canada

Ottawa: Thursday, 26 March. Featuring: Elizabeth Denham, Assistant Privacy Commissioner of Canada

The biggest obstacle to more effective enforcement of privacy regulations is the lack of automated monitoring and auditing methods to augment voluntary compliance and manual auditing efforts. An alternate technical approach could include tagging data with privacy requirement information and using policy evaluation and enforcement tools to validate that the provision and use of that data complies with the requirements. This idea is analogous to digital rights management measures used to limit copying and redistribution of audio and video files. One key distinction is that digital media frequently use proprietary file formats, while most information exchange and interoperability formats promoted for health information exchange rely on open data standards and protocols. The Web Services Security standards developed through the Organization for the Advancement of Structured Information Standards (OASIS) include some work on electronic representation of privacy policies (WS-Policy and WS-Privacy), but attaching the corresponding privacy requirements to data to provide the technical means of privacy compliance and enforcement remains an undeveloped opportunity. In the current environment, establishing trust among health information exchange participants remains a process of negotiation, contractual agreements, and manual legal enforcement.
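As an added illustration of the data-tagging approach sketched above (example code written for this page, not the author's, Vangent's or the NHIN's), the following Python attaches privacy-requirement tags to a record and lets a small policy evaluator check disclosure requests and breach-notification clocks against them. The tag names, entity types, request fields and the Title 42 consent rule are assumptions made here; the one-hour US-CERT, 60-day HITECH and 90-day erasure figures are the ones stated in the article.

```python
"""Privacy-tagged health records with a small policy evaluator.

Added illustration only; not code from the author, Vangent or the NHIN.
Tag names, entity types, request fields and the Title 42 consent rule are
assumptions made here; the one-hour US-CERT, 60-day HITECH and 90-day erasure
figures are the ones stated in the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import FrozenSet, List, Optional

# Constructed tag vocabulary (assumption): the regime each record falls under.
HIPAA_PHI = "hipaa_phi"             # HIPAA Privacy Rule: covered entities and BAs
PRIVACY_ACT = "privacy_act_1974"    # federal-agency data on citizens/permanent residents
TITLE42 = "title42_treatment"       # mental-health / substance-abuse treatment records

# Stand-in for HIPAA's enumerated permitted uses (assumption, kept deliberately small).
PERMITTED_USES = frozenset({"treatment", "payment", "operations"})


@dataclass(frozen=True)
class TaggedRecord:
    patient_id: str
    tags: FrozenSet[str]        # privacy requirements attached to the data itself
    federal_source: bool        # extracted from a U.S. federal agency system


@dataclass(frozen=True)
class DisclosureRequest:
    requester: str
    entity_type: str            # "covered_entity" | "business_associate" | "non_covered"
    purpose: str
    patient_consent: FrozenSet[str] = field(default_factory=frozenset)  # consented purposes
    trust_agreement: bool = False         # master or pairwise trust agreement on file
    retention_days: Optional[int] = None  # requester's committed erasure window


def evaluate(record: TaggedRecord, req: DisclosureRequest) -> List[str]:
    """Return every requirement the request violates; [] means the disclosure complies."""
    problems: List[str] = []
    consented = req.purpose in req.patient_consent

    if HIPAA_PHI in record.tags:
        bound_by_hipaa = req.entity_type in ("covered_entity", "business_associate")
        # Non-covered participants (e.g. PHR vendors) are not bound by HIPAA, so the
        # fallback the article describes applies: a negotiated trust agreement.
        if not bound_by_hipaa and not req.trust_agreement:
            problems.append("non-covered entity without a trust agreement")
        # Any purpose outside the permitted set needs explicit individual consent.
        if req.purpose not in PERMITTED_USES and not consented:
            problems.append("purpose '%s' requires patient consent" % req.purpose)

    if TITLE42 in record.tags and not consented:
        # Assumption: treatment-specific records move only with purpose-specific consent.
        problems.append("Title 42 treatment record requires purpose-specific consent")

    if record.federal_source:
        # Data extracted from federal systems must be erased within 90 days unless
        # still required; the receiver has to commit to that window up front.
        if req.retention_days is None or req.retention_days > 90:
            problems.append("no erasure commitment within 90 days for federal data")
        if PRIVACY_ACT in record.tags and not req.trust_agreement:
            problems.append("Privacy Act data requires a data-sharing agreement")
    return problems


def breach_notification_deadline(record: TaggedRecord, discovered_iso: str,
                                 encrypted: bool) -> Optional[str]:
    """Earliest federal notification deadline (ISO 8601) for a breach of this record.

    Federal agencies report to US-CERT within one hour of discovery; HITECH allows
    up to 60 days and exempts data that is encrypted or otherwise unusable.
    None means no federal clock applies (state breach laws may still)."""
    discovered = datetime.fromisoformat(discovered_iso)
    if record.federal_source:
        return (discovered + timedelta(hours=1)).isoformat()
    if HIPAA_PHI in record.tags and not encrypted:
        return (discovered + timedelta(days=60)).isoformat()
    return None


if __name__ == "__main__":
    # Constructed sample: a federal record tagged as both HIPAA PHI and Privacy Act data.
    rec = TaggedRecord("P-001", frozenset({HIPAA_PHI, PRIVACY_ACT}), federal_source=True)
    phr = DisclosureRequest("phr-vendor", "non_covered", "patient_view")
    print(evaluate(rec, phr))            # four violations
    lab = DisclosureRequest("lab", "covered_entity", "treatment",
                            trust_agreement=True, retention_days=30)
    print(evaluate(rec, lab))            # []
    print(breach_notification_deadline(rec, "2009-02-17T09:00:00", encrypted=True))
```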

Stephen Gantz, CISSP-ISSAP, CEH,CIPP/G, is director of security and privacy for the Health Solutions divisionof Vangent, Inc. He can be reached [email protected] or throughhis Web site, www.securityarchitec-ture.com.

Electronic health records

continued from page 17
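To make the idea in the article concrete, here is an added example (not code from The Privacy Advisor, the author, or OASIS) of what "tagging data with privacy requirement information" and running a policy evaluation step at the point of provision can look like. The tag schema (allowed purposes, allowed recipients, releasable fields, consent, retention period) and the sample patient record and requests are all constructed assumptions for illustration; they are not WS-Policy or WS-Privacy syntax. The evaluator collects every violated requirement rather than stopping at the first, so the audit entry it writes is itself the automated monitoring record the article says is missing.

```python
"""Policy-tagged health data with an automated evaluation and audit step.

Added example. The tag fields, record, and requests below are constructed
assumptions; the point is that requirements travel with the data and are
checked mechanically before any field leaves the holder.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class PrivacyTag:
    """Privacy requirements attached to a record (constructed schema)."""
    allowed_purposes: FrozenSet[str]    # e.g. treatment, billing
    allowed_recipients: FrozenSet[str]  # participant ids in the exchange
    releasable_fields: FrozenSet[str]   # data minimization: only these may leave
    consent_obtained: bool              # patient consent on file
    collected_on: date
    retention_days: int                 # after this, provision is not permitted


@dataclass
class TaggedRecord:
    patient_id: str
    data: Dict[str, str]
    tag: PrivacyTag


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    purpose: str
    fields: FrozenSet[str]
    requested_on: date


@dataclass
class Decision:
    permitted: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(record: TaggedRecord, request: AccessRequest) -> Decision:
    """Check one request against every requirement carried in the tag."""
    tag = record.tag
    reasons: List[str] = []
    if request.purpose not in tag.allowed_purposes:
        reasons.append(f"purpose '{request.purpose}' not permitted")
    if request.requester not in tag.allowed_recipients:
        reasons.append(f"recipient '{request.requester}' not permitted")
    if not tag.consent_obtained:
        reasons.append("no consent on file")
    expiry = tag.collected_on + timedelta(days=tag.retention_days)
    if request.requested_on > expiry:
        reasons.append(f"retention period ended on {expiry.isoformat()}")
    excess = request.fields - tag.releasable_fields
    if excess:
        reasons.append(f"fields not releasable: {sorted(excess)}")
    return Decision(permitted=not reasons, reasons=reasons)


def provide(record: TaggedRecord, request: AccessRequest,
            audit: List[dict]) -> Optional[Dict[str, str]]:
    """Enforcement point: log the decision, then release only permitted fields."""
    decision = evaluate(record, request)
    audit.append({"patient": record.patient_id, "requester": request.requester,
                  "purpose": request.purpose, "permitted": decision.permitted,
                  "reasons": decision.reasons})
    if not decision.permitted:
        return None
    return {name: record.data[name] for name in request.fields if name in record.data}


# Constructed sample record: every value here is made up for the example.
SAMPLE_RECORD = TaggedRecord(
    patient_id="P-0001",
    data={"name": "A. Example", "dob": "1970-01-01",
          "diagnosis": "J45", "ssn": "000-00-0000"},
    tag=PrivacyTag(
        allowed_purposes=frozenset({"treatment", "billing"}),
        allowed_recipients=frozenset({"clinic-a", "insurer-x"}),
        releasable_fields=frozenset({"name", "dob", "diagnosis"}),
        consent_obtained=True,
        collected_on=date(2009, 1, 15),
        retention_days=365,
    ),
)

# Constructed requests: a legitimate one, a marketing one, and a stale one.
SAMPLE_REQUESTS = [
    AccessRequest("clinic-a", "treatment", frozenset({"diagnosis", "dob"}), date(2009, 3, 1)),
    AccessRequest("ad-network", "marketing", frozenset({"name", "ssn"}), date(2009, 3, 1)),
    AccessRequest("insurer-x", "billing", frozenset({"diagnosis"}), date(2011, 1, 1)),
]


def run_demo() -> List[dict]:
    """Run the sample requests through the enforcement point; return the audit log."""
    audit: List[dict] = []
    for request in SAMPLE_REQUESTS:
        provide(SAMPLE_RECORD, request, audit)
    return audit


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Only the first request releases data (and only the two fields it asked for); the marketing request fails on purpose, recipient and data minimization at once, and the insurer's otherwise valid request fails solely because the retention period has ended. The audit list is what a compliance reviewer would query instead of reading contracts.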

International Data Protection GDD Conference

Data Protection International

Discounted Rates for IAPP Members

The German Association for Data Protection and Data Security (GDD) will host its second conference on international data protection, Datenschutz International, in Berlin, April 22–23.

As an IAPP partner organization, the GDD is offering a discounted conference rate for IAPP members. GDD and IAPP members will pay 1.416,10.

Download the conference program at: www.gdd.de/nachrichten/news/2-gdd-fachtagung-datenschutz-international

Register online at: www.datakontext.de/index.php?seite=produkt&navigation=343&system_id=137291&com=detail

When you get to the “please contact” page, click on “hier registrieren.”

In the section “Mitgliedschaft in der Gesellschaft für Datenschutz und Datensicherung e. V. (GDD),” click on the “Sind Sie GDD-Mitglied” option and enter 7777 in the “GDD Nummer” field.

For any questions or registration by e-mail contact [email protected].

The conference will combine European perspectives and U.S.-specific issues. Privacy consultants, German data protection authorities, and corporate data protection officers from leading international corporations will address current issues, such as e-discovery, whistleblowing, recent developments concerning binding corporate rules, and the use of new contractual clauses for processing operations outside the EU.

Attendees will have the opportunity to discuss the issues with data protection experts and practitioners, and will have time for networking, as well.

This is a German language conference.


Calendar of Events

To list your privacy event in The Privacy Advisor, email Tracey Bentley at [email protected].

In the Privacy Tracker this month…

Behavioral advertising, the practice of serving targeted online advertising based on a person’s Internet browsing activity, has become increasingly popular among marketers in recent years. The largely self-regulated industry has come under fire as concerns about privacy and security have emerged.

In next month’s Privacy Tracker newsletter, Reed Freeman of Kelley Drye & Warren and Robert Gratchner, director of privacy, Microsoft, Inc. and chairman of the board for the Network Advertising Initiative, discuss the history of behavioral advertising, why it is so valuable to marketers, and the principles to which the self-regulatory industry adheres. The article also addresses the Federal Trade Commission’s recently released report outlining guidelines for online marketing industry self-regulation, which aims to provide a clear vision for practices that would allow companies to engage in the multi-billion dollar online marketing industry, while providing for practices that protect consumer privacy.

Subscribe to the Privacy Tracker today and receive access to the Privacy Tracker Web site, www.privacytracker.org, weekly legislation-tracking updates, monthly print newsletters and calls with leading privacy experts.


MARCH

23 Certification Testing – Chicago, IL

23 IAPP KnowledgeNet – Calgary, AL. Featuring: Frank Work, Information and Privacy Commissioner of Alberta

24 IAPP KnowledgeNet – Vancouver, BC. Featuring: Mary Carlson, Executive Director, Office of the Information and Privacy Commissioner of British Columbia

25 IAPP KnowledgeNet – Toronto, ON. Featuring: Ken Anderson, Assistant Commissioner of Privacy, Province of Ontario; Lisa Campbell, Acting General Counsel, Office of the Privacy Commissioner of Canada

25 Certification Testing – Los Angeles, CA

26 IAPP KnowledgeNet – Dallas, TX. Speaker: Peter Reid, CIPP, Chief Privacy Officer at EDS

26 IAPP KnowledgeNet – Montreal, QB. Featuring: Chantal Bernier, Assistant Privacy Commissioner of Canada

26 IAPP KnowledgeNet – Ottawa, ON. Featuring: Elizabeth Denham, Assistant Privacy Commissioner of Canada

MARCH – APRIL

30–April 2 SCCE Compliance and Ethics Academy, Orlando, FL. www.corporatecompliance.org/academies

APRIL – MAY

26–29 HCCA’s 13th Annual Compliance Institute, Caesars Palace, Las Vegas. www.compliance-institute.org

29–May 1 IAPP Canadian Privacy Summit, Toronto, ON. Details at www.privacyassociation.org

JUNE

17–18 Practical Privacy Series: Data Breach, Data Governance, Human Resources, Information Security. Silicon Valley, CA

SEPTEMBER

16 Privacy Dinner, Boston, MA

16–18 Privacy Academy 2009, Boston, MA


Reprinted with permission from Slane Cartoons Limited.

Privacy News


Self-encrypting hard drive standards

The nonprofit Trusted Computing Group has released three new encryption standards for vendors. The Opal Standards give vendors and users “a transparent way to fully encrypt data in hardware without affecting performance so that data is safe no matter what happens to the drive,” TCG’s Robert Thibadeau told Security Management.

View the standards here: www.trustedcomputinggroup.org/groups/storage/

John Grace dies at 82

A privacy pioneer passed away last month. John Grace was Canada’s first privacy and information commissioner. He was appointed to the position in 1983 and was reappointed in 1990. He retired from the position in 1998. At the age of 82, Grace died of a heart attack at his home last month.

“His legacy within the Office of the Privacy Commissioner is apparent in the pride and wonderful anecdotes of those who worked with him,” said current Canadian Privacy Commissioner Jennifer Stoddart.

HUNG OUT TO DRY

A survey of UK dry cleaners revealed that in a year’s time, about 9,000 USB sticks are recovered from the pockets of laundry dropped off for cleaning.

Source: Credant Technologies

SOCIAL, TO A POINT

Sixty percent of adult social network users restrict access to their profiles so that only their friends can see it. Fifty-eight percent restrict access to certain content within their profile.

Source: Pew Internet & American Life Project

ID THEFT HEFT

Identity theft was the top consumer complaint to the U.S. Federal Trade Commission during the 2007-2008 fiscal year. The most complaints came out of Arizona, California, Florida and Texas.

Source: Dark Reading

GONE BUT NOT FORGOTTEN

Fifty nine percent of laid-off, fired or otherwise former employees admitted to taking company data with them before leaving.

Source: Ponemon Institute


Leibowitz to head FTC

President Obama has nominated Democrat Jon Leibowitz as chairman of the Federal Trade Commission. Leibowitz has been an FTC commissioner since 2004. Because of his previous Senate approval, no confirmation hearings are required. www.ftc.gov


10 Things the IRS wants you to know about identity theft

1. If you receive a letter or notice from the IRS which leads you to believe someone may have fraudulently used your Social Security Number, respond immediately to the name and address or phone number printed on the IRS notice.

2. If you receive a letter from the IRS that indicates more than one tax return was filed for you, this may be a sign that your SSN was used fraudulently.

3. Another sign that you may be the target of identity theft is an IRS letter indicating you received wages from an employer unknown to you.

4. The IRS has a department which deals specifically with identity theft issues. The IRS Identity Protection Specialized Unit is available if you have been in contact with the IRS about an identity theft issue and have not achieved a resolution.

5. You can contact the IRS Identity Protection Specialized Unit by calling the Identity Theft Hotline at 800-908-4490 Monday through Friday from 8:00 a.m. to 8:00 p.m. local time (Alaska and Hawaii follow Pacific Standard Time).

6. The IRS Identity Protection Specialized Unit is also available if you believe your identity may be at risk of being stolen due to a lost or stolen purse or wallet or due to questionable activity on your credit card or your credit report.

7. The IRS never initiates communication with taxpayers about their tax account through emails. If you receive an e-mail or find a Web site you think is pretending to be the IRS, forward the e-mail or Web site URL to the IRS at [email protected].

8. The IRS has many more resources available to help inform taxpayers about identity theft on the IRS Web site at IRS.gov. On IRS.gov you can access information on how to report scams and bogus IRS Web sites. You can also visit the IRS Identity Theft Resource Page, which you can find by typing Identity Theft Resource Page in the search box on the IRS.gov home page.

9. The Federal Trade Commission is also available to assist taxpayers with identity theft issues. You can reach them at 877-ID-THEFT (877-438-4338).

10. Visit OnGuardOnline.gov for protection tips from the federal government and the technology industry.

Source: The Internal Revenue Service

Bulgaria fines CEZ

Bulgaria’s Commission for Personal Data Protection (CPDP) has fined electricity distribution company CEZ for continued breaches of privacy protection regulations, reports the Sofia Echo. Last year the commission ordered CEZ to stop requiring proof-of-right-to-use documentation from new clients. “They do not need this data,” said CPDP member Krassimir Dimitrov. Before actually levying the 100,000 Leva fine, the commission will again investigate CEZ to see if the practice has been stopped. The CPDP is investigating other Bulgarian companies for the unnecessary collection of data. Recently, the commission ordered Sofiyska Vodka to stop over-collecting.


Privacy News


Privacy Commissioner releases assessment tool

Ontario’s Information and Privacy Commissioner Ann Cavoukian has released an assessment tool for companies that share their online identity management systems.

The New Federated Privacy Impact Assessment (F-PIA): Building Privacy and Trust-enabled Federation whitepaper will help ensure end-to-end privacy across all members of an association or federation.

“Whether you’re dealing with data in motion or data at rest,” said Commissioner Cavoukian, “privacy assurances must be given by every member of the federation to ensure consumer confidence.”

The commissioner collaborated with Joseph Alhadeff, chief privacy officer at Oracle and a member of the Liberty Alliance Project, to bring the tool to fruition.

“Limiting the amount of personal information you provide in a federated identity management system is a significant best practice with regards to privacy,” the commissioner said. “Companies that are part of the federation cannot rely on a PIA that they may have produced for their business alone. I am urging them to conduct an F-PIA or Federated-PIA.”

“After reading the guidance in this white paper, the next logical step for a federation would be the development of a formal F-PIA,” Alhadeff adds. “Organizations and federations should use it, along with numerous other PIAs and development tools currently in existence, to create measurable standards against which privacy and trust can be evaluated and implemented.”

For more information: www.ipc.on.ca/images/Resources/2009-02-02-F-PIA_Release_Toronto.pdf

Photos: Joseph Alhadeff, Ann Cavoukian


The new IAPP board members

The IAPP welcomes three new directors to its board. Joining the board are Stanley W. Crosley, CIPP, chief privacy officer, Eli Lilly and Co.; Jeff Green, CIPP/C, vice president, global compliance and chief privacy officer, Royal Bank of Canada (RBC); and Brian Tretick, CIPP, executive director, Ernst & Young.

Crosley initiated Eli Lilly’s global privacy program in 1998 and currently serves as chief privacy officer. He also sits on the Institute of Medicine Medical Research and Privacy Committee and board of the Indiana Health Informatics Corporation, and served on the State Alliance for eHealth Privacy Taskforce. He is a co-founder and chair of the International Pharmaceutical Privacy Consortium (IPPC).

Green is chief privacy officer for RBC, Canada’s largest bank and one of North America’s leading diversified financial services companies. Green is responsible for overseeing the strategic management of privacy and information risk on an enterprise-wide basis, as well as leading RBC’s compliance management strategy and program for Global Technology & Operations and Global Functions.

Tretick is Ernst & Young’s executive director for the firm’s Privacy Advisory Services, a role he has performed for more than a decade. He also served on the American Institute of Certified Public Accountants (AICPA) Privacy Task Force.

“I’m proud to welcome these top privacy leaders to our board,” said IAPP President Jonathan D. Avila, CIPP, vice president – counsel, chief privacy officer, The Walt Disney Company. “Their input and insights will help us achieve our main goals in 2009: launching new international initiatives and serving the evolving needs of our membership and the privacy community on a global scale.”

The IAPP also recognizes the promotion of four current directors to leadership roles.

• Jonathan D. Avila, CIPP, vice president – counsel, chief privacy officer, The Walt Disney Company, to serve as President

• Nuala O’Connor Kelly, CIPP/G, chief privacy leader, General Electric Company, to serve as Vice President

• Amy Yates, CIPP, director, privacy and data protection, Deloitte & Touche LLP, to serve as Secretary

• David Hoffman, CIPP, director of security policy and global privacy officer, Intel Corp., will continue to serve as Treasurer

• Sandra R. Hughes, CIPP, global ethics, compliance and privacy executive, The Procter & Gamble Company, has successfully completed a very full term as President, and will continue to serve as Past President.

Privacy Classifieds

The Privacy Advisor is an excellent resource for privacy professionals researching career opportunities. For more information on a specific position, or to view all the listings, visit the IAPP’s Web site, www.privacyassociation.org.

PRIVACY ANALYST – U.S. Department of Homeland Security, Rosslyn, VA

SENIOR PRIVACY SPECIALIST – Cancer Care Ontario, Toronto, ON

PRIVACY COMPLIANCE SPECIALIST – ATB Financial, Edmonton, Alberta

PRIVACY MANAGER – Solomon Page Group, Massachusetts

PRIVACY AND REGULATORY STRATEGIST – Microsoft, Redmond, WA

PRIVACY MANAGER – Pennsylvania State University, University Park, PA

PRIVACY ADVOCATE – Alberta Pension Administration Corporation, Edmonton, Alberta, Canada

COMPLIANCE MANAGER – New York, NY

SENIOR PRIVACY COUNSEL – Qualcomm, San Diego, CA

DIRECTOR OF PRIVACY & COMPLIANCE – Thomson Reuters, Eagan, MN


MEMBER to MEMBER Benefit

IAPP members: Does your organization offer free or discounted products or services to other IAPP members? If so, let them know! Advertise at a DISCOUNTED RATE here in our new member-to-member benefits section.

Contact Wills Catling at [email protected], +1.207.351.1500, ext. 118

Google executives

continued from page 3

promptly to remove the [abusive] video, which remained online for almost two months. Prosecutors allege a sort of ‘culpa in vigilando’ [negligence in supervision] against Google. This is an obligation both for ISPs and ICPs.”

Again, the issue concerns when Google removed the video: “Too late for prosecutors; just in time, for Google,” says Panetta.

Will Google Executives Do Hard Time?

Despite the suit, legal experts say it is unlikely that the Google plaintiffs would receive anything more than a fine or community service—if that. “These proceedings are more important as a symbol, rather than how the sanctions are going to be issued. Because it will [be] very relevant for all ISPs and platforms that aggregate content,” says Giangiacomo Olivi, a partner at law firm DLA Piper in Milan.

In particular, the suit could help answer this question: “What is the responsibility of the content aggregator?” says Olivi. For example, Google already filters content. Could it, or should it, be doing more? On YouTube, “there is certainly a filter that is already made, because there are some horrible things you see on the Net, but you will not see them on YouTube—gladly. But given that there is some filtering, to what extent does that filter imply a responsibility for the [people] exercising this filter?”

Given all of the underlying—and often, very complex—legal issues, don’t expect this case to end anytime soon. “It’s not something that’s going to be solved in a matter of a few months,” says Olivi.

Business Repercussions

In the interim, should privacy directors at ISPs, social networking sites and other businesses operating in Italy worry about being subject to criminal lawsuits?

“I wouldn’t think it would have a wider impact on businesses in general,” says Olivi. He noted that Italy’s e-commerce and data privacy regulations do stem from a shared EU directive, and thus in their ultimate interpretation will “not be something that is so alien from the other European countries.”

Mathew Schwartz, a freelance journalist based in England, has covered information security issues for more than a decade.

Protecting private data, Italian style

Hear more about the Google criminal case in Rocco Panetta’s session at the Privacy Summit—Introducing the Italian Data Privacy World. Panetta is the former head of legal at the Italian Data Protection Authority. He will shed light on the complex and constantly changing workings of Italian data protection legislation.

www.privacysummit.org

Photo: Rocco Panetta
