QuickLinks - Data Protection (privacy)
Issue no. 396 - 8 February 2009
- EU - Statement by Vice-President Jacques Barrot on the occasion of Data Protection Day
Data protection laws are in place throughout the European Union to ensure that personal data is handled under very clear conditions and to give EU citizens the right to challenge any mishandling of their data. But without awareness, effective protection is impossible. Legal rights and protection regimes are only effective if people know that they exist and know how to use them. Data Protection Day is an excellent opportunity to raise such awareness in Europe and worldwide. See also 3rd Annual Data Protection Day: Making the internet a safer place for European citizens (eGov Monitor) and Speech by Vice-President Barrot (in French).
- Privacy fears over Google tracker
Google has announced a new feature that allows users to share their locations among a chosen network of friends. The "opt-in" Latitude service uses data from mobile phone masts, GPS, or wi-fi hardware to update a user's location automatically. Users can also manually set their advertised location anywhere they like, or turn the broadcast off altogether. The service has raised a number of security concerns, as many users may not be aware that it is enabled.
- UK - Firms back data protection pledge
Firms are being encouraged to back a pledge to safeguard the data they hold about citizens and customers. Drafted by the Information Commissioner, the Personal Information Promise tries to improve respect for the data companies have gathered. Firms and organisations who use data that people surrender do not always take enough care with it, said Richard Thomas, Information Commissioner. 2008 saw a series of data breaches and losses that left the personal details of millions of people at risk from ID thieves. By signing up to the promise firms say they will go beyond the strictures laid down by law which govern what they can do with the personal data they hold on their customers or clients. Those backing the promise will be exhorted to consider privacy risks when they start work on new information systems that draw on databases of personal data. They must also put in place safeguards to ensure data is securely stored and does not fall into the hands of ID thieves. On the day the promise was launched 20 organisations pledged to back it. Those signing up included BT, Vodafone, Royal Mail, British Gas, Experian, Equifax, AstraZeneca and T-Mobile. See Personal Information Promise and Press Release.
- US - Online Privacy Decisions Confront Obama
The Future of Privacy Forum, a Washington group supported by AT&T, is pushing Barack Obama to appoint a chief privacy officer to shape standards about the use of consumer data. See Press Release and The Future of Privacy Forum Consumer Privacy Agenda for the New Administration. Separately, the Center for Digital Democracy and the U.S. Public Interest Research Group said they plan to file a complaint with the Federal Trade Commission, urging the agency to investigate mobile marketing practices that may threaten consumer privacy.
Issue no. 395 - 27 December 2008
- Yahoo to shorten logs of user activity to 3 months
Yahoo will shorten the amount of time that it retains data about its users' online behavior - including Internet search records - to three months from 13 months and expand the range of data that it "anonymizes" after that period. Yahoo's announcement ratchets up the pressure on rivals Google and Microsoft to follow its lead. In September, Google said it would "anonymize," or mask, the numeric Internet Protocol (IP) addresses on its server logs after nine months, down from a previous retention period of 18 months. And Microsoft, which currently keeps user data for 18 months, said it would support an industry standard of six months.
Issue no. 394 - 7 December 2008
- US - New privacy group to shape policy
Privacy experts have banded together to influence policy in the new Obama administration and set best practices for the industry. The newly formed Future of Privacy Forum aims to present a privacy agenda to the Obama team in late November. It also plans to talk to internet users about their concerns.
Issue no. 393 - 9 November 2008
- "Google takes data protection extremely seriously"
WirtschaftsWoche editor Thomas Kuhn interviews Peter Fleischer, the data protection officer of search engine operator Google.
- DE - German privacy watchdogs agree social networking ground rules
Social networking sites are not permitted to store information about people's use of the sites beyond the duration of a particular session in Germany, according to a panel of all that country's data protection officials. Companies behind social networks such as MySpace and Facebook must also tell users what happens to any data that is collected and tell them how they can influence the use of that data. The principles were laid down by the Düsseldorfer Kreis, a panel of all the German data protection authorities. They laid down eight principles of operation for social networking sites to keep them in line with data protection law. Datenschutzkonforme Gestaltung sozialer Netzwerke (PDF).
- DE - Kika puts children's data on the web unprotected
Embarrassing data leak at the children's channel of ARD and ZDF: on one of the broadcaster's web pages, children's data was viewable on the internet - real names, address, telephone number, date of birth.
- EU - Brussels bounces BT-Phorm quiz back to UK.gov
The European Commission has again written to the government for an explanation of UK authorities' response to BT's allegedly illegal secret trials of Phorm's ISP adware system. Brussels still wants answers after a September missive from Whitehall failed to address legal issues surrounding past deployments of the technology, and didn't provide details about how future rollouts will be regulated.
- Social networking sites told to warn users of weak privacy controls
Social networking websites were urged to warn users about the low level of protection given to their profiles at a Council of Europe-organised conference on the issue. The European Union Data Protection Authority (Cnil) said websites like Facebook should inform users that their profiles currently receive only "weak" protection. It added that website users, especially minors, should be told about the risks they face by going online and given clear instructions on how to change their data protection settings. The request came at the end of a two-day conference in Strasbourg during which 70 countries also stressed the need for a universal standard on privacy and personal data protection. See Resolution on Privacy Protection in Social Network Services.
- UK - Private data on armed forces goes missing
MPs demanded a "cultural change" in public sector data handling after it emerged that a computer hard drive with the private details of 100,000 armed forces personnel had gone missing. The hard drive was being held by EDS, the Ministry of Defence's main IT contractor. It contains the names, addresses, passport numbers, dates of birth and driving licence details of those serving in the army, navy and RAF. It also includes next-of-kin details, as well as information on 600,000 potential services applicants and the names of referees. Officials said it may also include some bank account details.
- UK - Ministry of Defence loses computer disc with 700,000 more personal records
The Ministry of Defence faces an investigation by the Information Commissioner after the disappearance of a computer hard drive containing details of Armed Forces personnel and thousands of potential recruits. Richard Thomas, the commissioner, will decide what steps to take after the MoD has completed its own inquiry. The removable hard drive was supposed to have been stored in a secure room with only limited access to personnel with special pass codes. Officials at EDS, the world's second-biggest computer company, said it was possible that the hard drive had been taken home by an employee or moved to another part of the company's office in Hook, Hampshire. Details relating to the 100,000 serving members of the Armed Forces include bank and driving licence information, next-of-kin addresses and dates of birth.
- UK - Passports will be needed to buy mobile phones
Everyone who buys a mobile telephone will be forced to register their identity on a national database under government plans to extend massively the powers of state surveillance. Phone buyers would have to present a passport or other official form of identification at the point of purchase. The move is targeted at monitoring the owners of Britain's estimated 40m prepaid mobile phones. They can be purchased with cash by customers who do not wish to give their names, addresses or credit card details.
- UK - RAF loses data on 50,000 personnel
The Royal Air Force has suffered a data loss that has reportedly put tens of thousands of personal records at risk. The Ministry of Defence (MoD) said that it is investigating the breach, which is believed to stem from the loss of three portable hard drives from an RAF base at Innsworth in Gloucestershire. The MoD said that two of the three drives contained RAF personnel records, while the third did not hold any sensitive information. The drives are reportedly carrying details on some 50,000 people.
Issue no. 392 - 5 October 2008
- EU - UK government responds on Phorm
The government has outlined how a controversial online ad system can be rolled out in the UK. In response to EU questions about its legality, it said that it was happy Phorm conformed to EU data laws. But any future deployments of the system must be done with consent and make it easy for people to opt out. The European Union had demanded clarification about the system which tracks web habits in order to provide better targeted ads.
- EU - Data protection watchdogs to hold hearings with Google
The Article 29 Working Party, an independent EU advisory body on data protection and privacy, will lead hearings with Google over the search giant's claim that EU data protection laws do not apply to it. It said that Google is refusing to submit to Europe's data protection regime and that "strong disagreements" remain. It said in a statement that Google "considers that the European law on data protection is not applicable to itself, even though Google has servers and establishments in Europe". It also said that Google "wishes to retain personal data of users beyond the six months period requested by the Article 29 Working Party, without any justification."
- EU - Google says data laws do not catch its search logs
Google will anonymise search engine data after nine months instead of 18 months after pressure from EU and US privacy activists and regulators. The company also said that EU law does not apply to crucial parts of its data processing operations. The company, which has come under fire for the volume of information it gathers and keeps on users, has published a detailed response to EU privacy regulators' group the Article 29 Working Party's criticisms of its policies. See also Debunking Google's log anonymization propaganda (Surveillance State) by Christopher Soghoian.
- UK - Marks & Spencer demand 7-year-old boy's permission to deal with mother's complaint
A mother who complained to shop staff that her seven-year-old son's Superman playsuit was faulty was told data protection laws meant they could only deal with him. Staff at Marks & Spencer insisted that Jacob Hunter-Lamb give consent for his mother to act on his behalf before they would resolve the problem. The problems arose after Jacob was given the costume as a birthday present, bought online, only for him to realise it had come without Superman's yellow belt.
- US - Large ISPs endorse customer opt-in for Web tracking
Three of the four largest ISPs (Internet service providers) in the U.S. will adopt policies that require them to get meaningful permission from customers before tracking online activities. Representatives of AT&T, Time Warner Cable and Verizon told a U.S. Senate committee that they currently do not engage in behavioral advertising that uses subscribers' Web activities to deliver contextual ads. If the ISPs decide to start behavioral advertising programs, they will give customers a detailed description of the ad program and ask for permission before tracking online activities, the companies said. However, the ISPs also suggested that legislation is not now needed to protect customer privacy online.
- US - Online Behavioral Advertising: Discussing the ISP-Ad Network Model
(Center For Democracy and Technology)
Online Behavioral Advertising: 1) Using ISP Data for Behavioral Advertising Raises Critical Privacy and Internet Functionality Concerns 2) Existing Implementations of ISP-Based Behavioral Advertising May Violate Federal Law 3) House Investigation Reveals Problematic Behavioral Advertising Practices.
Issue no. 391 - 31 August 2008
- EU - UK questioned on online ad system
The UK government has until the end of August to respond to a letter from the European Union about the controversial online ad system Phorm. EU commissioner Viviane Reding has asked the UK government to clarify whether the system is in breach of European data laws. Phorm's so-called Webwise system tracks users' web habits in order to better target ads at them. BT is due to begin a widescale trial of the service imminently.
- UK - Home Office loses data on 84,000 prisoners
Unencrypted data on all 84,000 prisoners in England and Wales has gone missing after a Home Office contractor lost a USB stick on which it had been stored. Contractor PA Consulting alerted the Home Office to the loss - and confirmed that "rigorous" searches had failed to uncover the whereabouts of the memory stick and its cache of sensitive information. According to a Home Office statement, the missing USB stick contains: Data relating to all prisoners in England and Wales - 84,000 (names, dates of birth and in some cases, expected prison release data and date of Home Detention Curfew); Data relating to prolific and other priority offenders, approximately 10,000 individuals (names and dates of birth, but not addresses); Drug Interventions Programme data, with offenders' initials but not full names.
Issue no. 390 - 20 July 2008
- EU - EDPS Opinion on safer Internet for children
The European Data Protection Supervisor (EDPS) has adopted an Opinion on the proposed multiannual Community programme on protecting children using the Internet and other communication technologies. The EDPS fully supports the general orientations of the programme aiming at more efficiently protecting children using the Internet, while adapting to the evolution of new technologies. He stresses the fact that the protection of children's data is an essential first step in guaranteeing more safety and prevention of abuse on the Internet. Data protection considerations should also apply to all persons who are connected in some way with the information circulating on the network to prevent illegal content and harmful conduct (e.g. person reported as suspect, reporting person, victim of abuse). Data protection authorities play a decisive role in the protection of children on the Internet. This should be taken into consideration when it comes to the implementation of the multiannual programme.
- Google bows to pressure, adds privacy link to home page
- UK privacy watchdog says EU laws are not good enough
The UK's privacy watchdog has said that EU privacy laws are out of date and in need of reform. The Information Commissioner's Office (ICO) has commissioned a research firm to look into how the law could be changed. The ICO said that Commissioner Richard Thomas would lead an international debate on how the law could and should change. Data protection laws across the EU are derived from the European Directive on Data Protection.
- US - Google and Viacom reach deal over YouTube user data
Google has struck a deal to protect the personal data of millions of YouTube users in the $1bn copyright court case brought against the video-sharing website by Viacom. Under the deal, Google will make user information and internet protocol addresses from its YouTube subsidiary anonymous before handing over the data to Viacom in the US legal case.
- US - Google must divulge YouTube log
Google must divulge the viewing habits of every user who has ever watched any video on YouTube, a US court has ruled. The ruling comes as part of Google's legal battle with Viacom over allegations of copyright infringement. Digital rights group the Electronic Frontier Foundation (EFF) called the ruling a "set-back to privacy rights". The viewing log, which will be handed to Viacom, contains the log-in ID of users, the computer IP address (online identifier) and video clip details. While the legal battle between the two firms is being contested in the US, it is thought the ruling will apply to YouTube users and their viewing habits everywhere.
- US - Social networking site divulges child's personal data
Reunion.com previously linked to other data providers when users searched its site for names. Last month, the site decided to build its own database by acquiring files on as many as 260 million people from a private data broker. A mother was upset to find the name of her 4-year-old son.
Issue no. 389 - 22 June 2008
- Watching while you surf
Is it a worrying invasion of privacy for web surfers, or a lucrative new business model for online advertising? A new "behavioural" approach to targeting internet advertisements, being pioneered by companies such as Phorm, NebuAd and FrontPorch, is said to be both of these things. The idea is that special software, installed in the networks of internet-service providers (ISPs), intercepts webpage requests generated by their subscribers as they roam the net. The pages in question are delivered in the usual way, but are also scanned for particular keywords in order to build up a profile of each subscriber's interests. These profiles can then be used to target advertisements more accurately.
Issue no. 388 - 1 June 2008
- A simple way to avoid being the next Star Wars Kid
by Jonathan Zittrain. Embarrassing images can find their way onto the web all too easily, ruining the lives of the people depicted, but a 'privacy tag' could prevent it.
- CA - Facebook 'violates privacy laws'
A Canadian privacy group has filed a complaint against the social networking site Facebook accusing it of violating privacy laws. The Canadian Internet Policy and Public Interest Clinic (CIPPIC) has listed 22 separate breaches of privacy law in its country. Facebook rejects the charge, claiming some of the highest standards around. The basis of the complaint, filed with the Office of the Privacy Commissioner, states that Facebook collects sensitive information about its users and shares it without their permission. It goes on to say that the company does not alert users about how that information is being used and does not adequately destroy user data after accounts are closed.
- EU - Commission replies on Phorm
The ePrivacy Directive obliges Member States to ensure the confidentiality of communications and related traffic data through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communication and the related traffic data by persons other than the users without their consent, which must be freely given, specific and informed indication of the user's wishes. The data concerned in this particular matter i.e. the content of search queries, constitute communication within the meaning of this Directive and the URLs used in the packets constitute traffic data. This data should therefore be protected appropriately.
- FR - Biometric passports: unfavourable opinion from the CNIL
The government overrode the opinion of the Commission nationale de l'informatique et des libertés (CNIL) in creating the new biometric passport, which will have to contain, in addition to a digitised photo, the fingerprints of eight fingers. According to the CNIL, whose opinion of 11 December 2007 was published in the Journal officiel of 10 May, "a subject of such importance should have gone before Parliament, and we did not obtain the elements that would justify the creation of this database", its president, Alex Türk, summed up to AFP.
- Google blurs the privacy issue
Google is hoping to avoid a fight with European privacy campaigners as it prepares to launch its controversial Street View service this side of the Atlantic later in the year, by introducing new technology that blurs the faces of people its cameras inadvertently snap while scanning the streets.
- Google founders in web privacy warning
Social networks and other companies' "aggressive" attempts to target advertising according to users' search behaviour risk damaging the internet industry's reputation, Google's co-founders have warned. Google has faced particular resistance in Europe to its policy of retaining users' search history to improve search results, but comments made by Sergey Brin and Larry Page to journalists at a Google conference in Hertfordshire seemed designed to identify others as the bigger threat to internet users' privacy.
Issue no. 387 - 12 May 2008
- EU - EDPS Opinion on ePrivacy Directive review
On 10 April, the European Data Protection Supervisor (EDPS) adopted an Opinion on the European Commission's proposal amending the Directive on Privacy and electronic communications, usually referred to as the ePrivacy Directive. Peter Hustinx, EDPS, says: "I welcome the approach followed by the proposal which is in line with views expressed in previous opinions. However, the proposed amendments to the Directive are not as ambitious as they should be. In dealing with new issues, such as the setting up of a mandatory security breach notification system, the proposal remains too restrictive in its scope."
- IT - Publish and be taxed
At the end of April, without warning or consultation with the data-protection authority, the Italian tax authorities put all 38.5m tax returns for 2005 up on the internet. The site was promptly jammed by the volume of hits. Before being blacked out at the insistence of data protectors, vast amounts of data were downloaded, posted to other sites or, as eBay found, burned on to disks.
Issue no. 386 - 20 April 2008
- EU - Search engines must delete data after six months, say watchdogs
Search engines must delete search logs after six months if they are to comply with data protection laws, according to a committee of EU countries' privacy watchdogs. The Article 29 Working Party has published a long-awaited report into search engines and privacy which is the result of months of consideration. That report says that search engine companies must delete personal data as soon as they have used it for the purpose for which it was gathered, and that it should not be routinely kept for longer than six months.
- US - Groups seek to shield minors' Web data
(Los Angeles Times)
A coalition of medical groups and child advocates called for guidelines that would prevent Internet companies from tracking the behavior of minors online, contending that many adolescents are divulging more than they realize and aren't digesting complex privacy policies. The American Academy of Pediatrics and the American Psychological Assn. were among those asking the Federal Trade Commission to encourage the Internet industry to stop profiling young Web surfers by monitoring the sites they visit and the interests they list on social networks such as MySpace and Facebook. Children's Advocacy Group filing. See also Microsoft not opposed to regulation of online privacy (CNet). See Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles Public Comments (FTC).
Issue no. 385 - 21 March 2008
- AU - Judge on privacy: Computer code trumps the law
Australian Judge Kirby says computer code is more potent than the law - and that legislators are powerless to do anything about it. Technology has outpaced the legal system's ability to regulate its use in matters of privacy and fair use rights.
- CoE - Declaration on protecting the dignity, security and privacy of children on the internet
(Council of Europe)
The traceability of children's activities on the internet may expose them to criminal activities (for example the solicitation or "grooming" of children for sexual purposes, discrimination, bullying, stalking and other forms of harassment). Children need to be informed about the enduring presence of, and the risks associated with, the content they create on the internet. The right to privacy and the secrecy of correspondence is not respected on the internet. The profiling of information and the retention of personal data regarding children's activities can be used for commercial purposes. The Committee of Ministers asks member states to work together to explore the feasibility of removing or deleting such content and its traces within a reasonably short period of time. See Full text of the Declaration.
- EU - Protection of children's personal data
Working Document 1/2008 on the protection of children's personal data (General guidelines and the special case of schools). WP 147. Adopted by the Art. 29 Data Protection Working Party, 18.02.2008.
- EU privacy watchdogs say any processor must obey EU rules
Europe's data protection watchdogs have said that internet companies that do any personal data processing in Europe must comply with its privacy laws even if they are based outside of Europe. The Article 29 Working Party, a committee of all of the EU countries' privacy or data protection commissioners, said that its data protection rules must apply to personal data processed by companies that do not even have offices in the EU. "[The EU's] provisions also apply to such controllers who have their headquarters outside the EU, but only an establishment in one of the EU Member States, or who use automated equipment based in one of the Member States for the purposes of processing personal data," said a Working Party statement. The EU's privacy watchdogs are locked in a battle with search engine companies such as Google over the processing of personal data. There are debates about whether companies are subject to the EU's rules as well as what those rules mean.
- Facebook opens door to second-class friends
Facebook is to allow its users to create a hierarchy of friends within their profiles - in a move that threatens to complicate the already delicate social etiquette that governs the site. As part of new controls to be introduced in the social networking site's privacy settings, Facebook users will be given the option of banning certain friends from seeing what they are up to and accessing sensitive information in their profile. The change will mean that, for instance, a particular friend - a former partner, say - could be prevented from seeing that a person had changed their relationship status, while others could be banned from knowing the person's political or religious views.
- FR - Teacher-rating site rejected
Teachers can no longer be rated by their pupils. That is what the Paris interim relief court (tribunal des référés) held in ordering the site Note2be.com to suspend "the use of teachers' named personal data for the purposes of rating them and of processing it, as well as its display on the pages of the site". In its judgment, the court speaks of those limits which undermine teaching activities, but also of freedom of information and expression.
- FR - Note2be.com ruled "illegitimate" by the CNIL
The highly controversial site Note2be.com, which lets pupils rate their teachers, has been singled out by the Commission nationale de l'informatique et des libertés (CNIL), which criticises in particular the fact that those concerned have no right of control over the published information, that is, the named personal data.
- Phorm fires privacy row for ISPs
Web users are up in arms over what they see as an invasion of privacy by a company that will track surfing patterns to serve targeted ads. See also Ad system 'will protect privacy' (BBC).
- UK - Information Commissioner to focus on reducing risk, not enforcement
The Information Commissioner's Office (ICO) has said that its aim is to protect people from the risks associated with abuses of their personal data rather than strictly enforce the law. It has announced its broad aims in a new strategy document. The document will guide its activities overall, prioritising the use of its resources which it said were not sufficient to do everything it could in the data protection arena. See the new ICO strategy (24-page / 832KB PDF).
- UK - Private data, public interest?
The use of material taken from personal profiles on social networks by newspapers is to be the subject of a major consultation undertaken by industry watchdog the Press Complaints Commission (PCC). This comes in the wake of increasing numbers of newspaper stories that include images and text taken from sites like Bebo, MySpace and Facebook.
Links to news items about legal and regulatory aspects of Internet and the information society, particularly those relating to information content, and market and technology.
QuickLinks consists of:
- a free newsletter appearing approximately every two to three weeks. The newsletter is distributed by electronic mail through an "announcement only" mailing list.
- a Web site with frequent updates, an events page, news items organised by category as well as chronologically by issue and full text search.
QuickLinks is edited by Richard Swetenham email@example.com
This work is licensed under a Creative Commons Licence.