QuickLinks - Data Protection (privacy)
Data Protection (privacy)
Issue no. 413 - 20 February 2011
ES - Google fights Spanish privacy order in court
(BBC)
Google has challenged Spain's data protection agency, the AEPD, in court over claims that its search engine invades personal privacy. The regulator had told the internet giant to delete links to websites that contain out of date or inaccurate information about individuals. But the company argues that it is publishers - and not search engines - that should be forced to take action. The case revolves around a ruling that some search results contravene the country's privacy laws.
EU - Data Protection Reform Strategy: EDPS sets out his vision
(RAPID)
On 14 January 2011, the European Data Protection Supervisor (EDPS) issued an opinion on the Commission's Communication on the review of the EU legal framework for data protection. The EDPS suggests introducing a mandatory security breach notification covering all relevant sectors, as well as new rights, especially in the online environment, such as the right to be forgotten (to have one's data deleted or not further disseminated after a fixed period of time) and data portability (the ability to shift data from one place to another and not be tied to a particular system). Children's data should also be better protected.
The Single Greatest Chart Ever (At Least if You Want to Know Where Your Personal Information Goes)
(ACLU)
The Federal Trade Commission (FTC) released a report (PDF) that provides an outstanding start on describing the problems of data collection both on and offline. Buried in that FTC report is a small gem: On pages 107 and 108 is Appendix C, a chart prepared by technologist Richard Smith which conveys all of the personal information collected about all of us and where it goes.
US administration proposes 'bill of rights' to protect online privacy
(OUT-LAW News)
The administration of US President Barack Obama may turn its back on its policy of allowing online publishers and advertisers to self-regulate and is proposing Government intervention to protect internet users' privacy. The Department of Commerce has published a report (88-page / 1MB PDF) recommending the creation of a privacy 'bill of rights' for internet users; mandatory privacy codes of conduct; and legal reform to take account of cloud computing. The Department of Commerce's policy framework says that the US Government should "consider establishing fair information practice principles comparable to a 'privacy bill of rights' for online consumers; consider developing enforceable privacy codes of conduct in specific sectors with stakeholders; create a Privacy Policy Office in the Department of Commerce"; [and] review the Electronic Communications Privacy Act for the cloud computing environment.
Why the EU needs new personal data protection rules
(RAPID)
Speech by Viviane Reding Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship Privacy matters, The European Data Protection and Privacy Conference Brussels, 30 November 2010. I want to introduce the "right to be forgotten". Social network sites are a great way to stay in touch with friends and share information. But if people no longer want to use a service, they should have no problem wiping out their profiles. The right to be forgotten is particularly relevant to personal data that is no longer needed for the purposes for which it was collected. This right should also apply when a storage period, which the user agreed to, has expired. Existing legislation has led to divergences between the national laws. Even when there is only one European issue, there is not always one European response. Take the example of Google StreetView and the collection of snippets of personal information from unsecured WiFi networks. This did not only prompt different responses by national data protection authorities but it also led the company to provide different remedies for individuals in different Member States. This situation runs counter to both of the two main objectives of the existing Data Protection Directive: ensuring the protection of a fundamental right and ensuring the free flow of personal data within the Single Market.
Why 'Web Erasers' Can't Work
(Spiegel)
As part of its pitch to give people more personal privacy on the Web, the German government is encouraging development of software that sets expiration dates on photos and other private information. At the invitation of the German government, an IT professor has introduced software that allows people to set an expiration date for photos they post on Facebook or other sites. What it can't do, however, is prevent others from copying or stealing a person's personal data and posting it wherever they want on the Internet.
Issue no. 412 - 28 November 2010
ES - Data Protection Agency to investigate Facebook over the dissemination of user data
(Cincodías)
The Spanish Data Protection Agency (AEPD) has just announced that it "has opened an investigation into the transmission of data of users of the social network Facebook through various applications offered from the platform, to determine whether it has breached Spanish data protection legislation and the rights of Spanish users". As the agency explained in a statement, the investigation was opened following the complaint filed by the Asociación de Consumidores y Usuarios en Acción-FACUA and following reports published in various media that "several of the most popular applications built on the Facebook platform have transmitted to advertisers and other companies data such as the names of their users and, in some cases, those of their friends on the social network."
EU - Cloud computing and data protection
(RAPID)
Speech by Neelie Kroes, European Commission Vice-President for the Digital Agenda, Les Assises du Numérique conference, Université Paris-Dauphine, 25 November 2010. As summarised on Neelie Kroes' Twitter feed: Clear and robust data protection is a "must have" feature for cloud services. We all deserve 2 things: 1) cloud suppliers protect personal data efficiently and transparently and 2) countries hosting cloud servers must have laws guaranteeing data protection with any limited security exceptions governed by rule of law.
EU - Commission takes UK to court over alleged privacy law failings
(OUT-LAW News)
The European Commission is taking the UK to court, claiming that UK law does not protect citizens' privacy as strongly as EU laws demand. The case centres on the UK Government's response to the Phorm web monitoring scandal. Phorm invented a technology for ISPs to use to track users' web use in order to serve them ads that were related to the recorded internet activity. ISP BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this broke privacy laws. The Commission said that UK law failed to meet the requirements of EU directives in three respects. There is no independent national authority to supervise the interception of some communications; UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has 'reasonable grounds for believing' that consent to do so has been given; UK law prohibiting and providing sanctions in case of unlawful interception are limited to 'intentional' interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.
EU - European Commission sets out strategy to strengthen EU data protection rules
(Europa)
Controlling your information, having access to your data, being able to modify or delete it - these are essential rights that have to be guaranteed in today's digital world. To address these issues, the European Commission today set out a strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review will be used by the Commission with the results of a public consultation to revise the EU's 1995 Data Protection Directive. The Commission will then propose legislation in 2011. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years. The Commission is calling on all stakeholders and the public to comment on the review's proposals until 15 January 2011. See also 'Right to be forgotten' proposed by European Commission (Daily Telegraph).
EU - How to race online with no one left behind
(RAPID)
Speech by Neelie Kroes, Vice-President of the European Commission responsible for the Digital Agenda. Microsoft Government Leaders Forum London, 4 November 2010.
FR - A charter to guarantee internet users' right to be forgotten
(01net)
The Secretariat of State for Digital Development is signing a right-to-be-forgotten charter with several social networks and search engines. This is the second document of this kind that Nathalie Kosciusko-Morizet has put to French web players. The first charter, signed at the beginning of the month, governed the use of personal data in the context of targeted advertising. "This time, it concerns information that people post voluntarily and would one day like to see disappear," explains the Secretary of State. Microsoft, Pages jaunes, Trombi.com, Skyrock (as host of Skyblogs), Viadeo and Copains d'avant answered the call. And Google? And Facebook? They were reportedly "close to signing", the Secretary of State says, but for legal and internal organisational reasons, it will be necessary to wait a little longer. See also Press release (Secrétariat d'État à la Prospective et au Développement de l'économie numérique).
IAB Europe condemns "re-spawning" as an illegal marketing practice
(Press Release)
IAB Europe, the European association of online advertisers, has condemned the "re-spawning" of cookies, i.e. a practice of automatically re-establishing a previously deleted cookie. See also Flash Cookies and Privacy (Soltani, Canty, Mayo, Thomas and Hoofnagle). This is a pilot study of the use of 'Flash cookies' by popular websites. More than 50% of the sites in our sample are using flash cookies to store information about the user. Some are using it to 'respawn' or re-instantiate HTTP cookies deleted by the user. Privacy policies rarely disclose the presence of Flash cookies, and user controls for effectuating privacy preferences are lacking.
iPhone user privacy at risk from apps that transmit personal info
(Ars Technica)
The user data collected by some iOS apps can be correlated to real-world identities, posing a privacy risk to iPhone, iPod touch, and iPad users. According to research from Bucknell University, a majority of iOS apps transmit user data back to their own servers. But because some store more info than others — and in some cases, in plaintext - it can be easily pieced together to reveal more about individual users than they bargained for.
Serfing the web - Data protectionism
(Economist)
A small spat highlights a big issue: who owns your online identity?
Some Android apps caught covertly sending GPS data to advertisers
(Ars Technica)
The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.
The cookie that never crumbles
(Economist)
Browser cookies have a chequered history and the cookie has ceased to be the only kind of data that a server could ask a browser to store on its behalf. Newer and niftier caching methods can store vastly more information, and bake it into the browser for good. Some even obscure the fact that the browser is storing such data. A list of such ruses on the Evercookie site describes 13 distinct methods for a server to pass a token that will be reactivated whenever a browser revisits the same server.
The Trouble with Facebook's 'See Friendship' Feature
(Time)
Facebook normally catches flack for making private information available to advertisers. But last month, the social-networking site with half a billion users quietly added a feature that makes your private information available to the friends of your friends, which may be a much more nefarious group. A button called "See Friendship" aggregates onto a single page all of the information that two friends share: photos both people have been tagged in, events they have attended or are planning to attend, comments they have exchanged, etc.
UK - Information Commissioner will not fine Google over Wi-Fi data gathering
(OUT-LAW News)
UK privacy watchdog the Information Commissioner will not fine Google over unauthorised collection of personal data by its Street View cars, despite ruling that this was a "significant breach of the Data Protection Act". Google sent cars with roof-mounted cameras around the UK's cities last year to photograph the streets for its photo-map Street View service. Research by the Canadian Privacy Commissioner revealed that significant personal information, including whole emails; usernames; passwords; and addresses were gathered and stored by Google. The ICO has now announced that it will take some action against the company, but will stop short of imposing fines. Instead, Google will be made to sign an undertaking to improve its data protection practices and will face an audit of existing policies and practices. See also Google Street View has got off lightly (Guardian).
UK - Minister proposes privacy mediation service and good-privacy kitemark
(OUT-LAW News)
A UK Government minister has proposed the creation of a mediation service for people who think their right to privacy has been violated on the internet. The mediation could result in the removal of material, Ed Vaizey said. Vaizey is Parliamentary Under-Secretary of State for Culture, Olympics, Media and Sport, and told a House of Commons debate that there should be a mediation service for content to match the Nominet-run service run to resolve domain name disputes. Vaizey made another proposal in the debate, which was related to the Personal Information Online Code of Practice produced by the Information Commissioner's Office (ICO). He said that the code should be more widely used and more widely adopted, and that companies should display a mark to indicate that they abide by it.
Issue no. 411 - 3 October 2010
CA - Privacy Commissioner completes Facebook review
(Office of the Privacy Commissioner of Canada)
The Privacy Commissioner of Canada has finished reviewing the changes that Facebook implemented as a result of her investigation of the social networking site and has concluded that the issues raised in the complaint have been resolved to her satisfaction.
Controlling where Facebook Places puts you
(CNET)
In designing its new Places geolocation service, Facebook seems to have learned from its past privacy blunders. The new service has multiple layers of privacy control, but as with other aspects of Facebook privacy, users need to put some thought about whether and how they want to disclose their location. Facebook has also created an extra level of privacy for its under-18 users, prohibiting them from displaying their location to anyone other than their friends.
DE - Data privacy in Germany - No pixels, please, we're German
(Economist)
On September 20th Thomas de Maizière, Germany's interior minister, invited politicians, regulators and tech-company representatives to Berlin to discuss "geo-data services"—online technologies that identify the real-world location of individuals and their property. The meeting was an attempt to defuse a row that has rumbled since August, when Google announced it would launch its Street View service, an online mapping system that knits together photographs of streets and buildings, in Germany’s 20 largest cities by the end of the year. After the summit Mr de Maizière called on Google and other firms that publish geo-data to draw up, by December, a binding "data-protection charter" in line with Germany's restrictive privacy laws, saying that this could forestall the need for further regulation. Although the debate is at its sharpest in Germany, tensions have surfaced elsewhere. Last week the Czech government banned Google from collecting Street View information, citing data-processing concerns. Authorities in Italy this week barred Google’s Street View cars from picking up stray wi-fi data. See also Germany asks web firms to write privacy code (OUT-LAW).
DE - German Schools to Teach Online Privacy
(Der Spiegel)
Internet companies such as Facebook and Google have come in for repeated criticism in Germany, where the government has concerns about what they do with users' data. Now one state, worried about the amount of information young people reveal online, plans to teach school pupils how to keep a low profile on the web. The government of the state of North Rhine-Westphalia, recognizing that young people are not always aware of the dangers of revealing personal information on the Internet, is planning to teach school students how to deal with the Internet and social networking sites such as Facebook and Twitter.
EU - Commission takes UK to court over alleged privacy law failings
(OUT-LAW News)
The European Commission is taking the UK to court, claiming that UK law does not protect citizens' privacy as strongly as EU laws demand. The case centres on the UK Government's response to the Phorm web monitoring scandal. Phorm invented a technology for ISPs to use to track users' web use in order to serve them ads that were related to the recorded internet activity. ISP BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this broke privacy laws. The Commission said that UK law failed to meet the requirements of EU directives in three respects. There is no independent national authority to supervise the interception of some communications; UK law authorises interception of communications not only where the persons concerned have consented to interception but also when the person intercepting the communications has 'reasonable grounds for believing' that consent to do so has been given; UK law prohibiting and providing sanctions in case of unlawful interception are limited to 'intentional' interception only, whereas EU law requires Member States to prohibit and to ensure sanctions against any unlawful interception regardless of whether committed intentionally or not.
QuickLinks
Links to news items about legal and regulatory aspects of Internet and the information society, particularly those relating to information content, and market and technology.
QuickLinks consists of
a free newsletter appearing approximately every two to three weeks. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.
QuickLinks is edited by Richard Swetenham
richard.swetenham@ec.europa.eu
This work is licensed under a Creative Commons Licence.